Big Brother Eyes You Through Windows
WASHINGTON, DC, U.S.A., 1999 SEP 3 (NB) -- By Robert MacMillan, Newsbytes. Imagine this scenario: While the US Justice Department tries to convince Judge Thomas Penfield Jackson that Microsoft Corp. holds undue sway over the software and Internet market, the National Security Agency (NSA) is begging Justice to cool it because the government's electronic spies are using Microsoft's Windows operating system to watch 90 percent of the nation while they're on their computers.
That's what the NSA is doing - if you buy the line from Cryptonym.
Cryptonym is a North Carolina-based software company that today said the NSA can gain access to users' security functions on most Windows operating systems.
Cryptonym Chief Scientist Andrew Fernandes told Newsbytes that he was working through the coding innards of the security systems for WindowsNT4 when he discovered two security keys within - one for the company's use, and one labeled "_NSAKEY."
"It... begs the question why they used the term `_NSAKEY,'" Fernandes said. "Those three letters only mean one thing to anyone who works in cryptography."
Microsoft, for its part, has said in published news reports that the second key has nothing to do with the NSA, and is not being used to tap into individuals' or business' private affairs. One Microsoft spokesman told the Associated Press that Fernandes's claim is "completely false."
Fernandes said that he also has discovered the second key in Windows 95, 98 and 2000.
"They (may) be telling the truth but all of a sudden my warm fuzzy feeling about them is gone," he said. "I say that's a bald-faced lie."
Microsoft officials did not return telephone calls seeking comment. The NSA, for its part, accepts questions from the press only via fax instead of over the phone, and was unavailable for comment.
"I'm not saying that the key belongs to the NSA," Fernandes added. "I'm saying that the NSA in some way was involved with the key. Microsoft may not have even wanted to do it, but everyone has to tango with the NSA if they want to export their stuff."
One possible result of the situation is that the NSA, at least through Windows, can ensure that exports of strong encryption cannot happen.
Newsbytes notes that the Commerce Department promulgates the rules for exporting technology products, including the rules that limit the export of strong encryption controls. But the NSA, which always has insisted on limiting strong encryption exports, reviews all export applications.
Specifically, Fernandes and Cryptonym said in a statement, Windows uses cryptographic public keys to verify the integrity of a CryptoAPI (application programming interface) component before using it. When Fernandes used the WindowsNT4 Service Pack 5, he debugged the public key number, which revealed that the NSA can load cryptographic API services onto Windows computers without authorization.
Fernandes also said that he has developed a program to disable the key, though he stressed that he is not trying to "reverse engineer" Microsoft source code.
He added that it is unlikely that the NSA would use this potential backdoor to spy on individual users, "but if I'm the Deutsche Bundesbank, even though it doesn't blow a hole open in Windows, it... makes it easier."