NSA Built Back Door In All Windows Software by 1999

In researching the stunning pervasiveness of spying by the government (it’s much more widespread than you’ve heard even now), we ran across the fact that the FBI wants software programmers to install a backdoor in all software.

Digging a little further, we found a 1999 article by leading European computer publication Heise which noted that the NSA had already built a backdoor into all Windows software:

A careless mistake by Microsoft programmers has revealed that special access codes prepared by the US National Security Agency have been secretly built into Windows. The NSA access system is built into every version of the Windows operating system now in use, except early releases of Windows 95 (and its predecessors). The discovery comes close on the heels of the revelations earlier this year that another US software giant, Lotus, had built an NSA “help information” trapdoor into its Notes system, and that security functions on other software systems had been deliberately crippled.

The first discovery of the new NSA access system was made two years ago by British researcher Dr Nicko van Someren [an expert in computer security]. But it was only a few weeks ago when a second researcher rediscovered the access system. With it, he found the evidence linking it to NSA.

***

Two weeks ago, a US security company came up with conclusive evidence that the second key belongs to NSA. Like Dr van Someren, Andrew Fernandes, chief scientist with Cryptonym of Morrisville, North Carolina, had been probing the presence and significance of the two keys. Then he checked the latest Service Pack release for Windows NT4, Service Pack 5. He found that Microsoft’s developers had failed to remove or “strip” the debugging symbols used to test this software before they released it. Inside the code were the labels for the two keys. One was called “KEY”. The other was called “NSAKEY”.

Fernandes reported his re-discovery of the two CAPI keys, and their secret meaning, to “Advances in Cryptology, Crypto’99” conference held in Santa Barbara. According to those present at the conference, Windows developers attending the conference did not deny that the “NSA” key was built into their software. But they refused to talk about what the key did, or why it had been put there without users’ knowledge.

A third key?!

But according to two witnesses attending the conference, even Microsoft’s top crypto programmers were astonished to learn that the version of ADVAPI.DLL shipping with Windows 2000 contains not two, but three keys. Brian LaMacchia, head of CAPI development at Microsoft, was “stunned” to learn of these discoveries, by outsiders. The latest discovery by Dr van Someren is based on advanced search methods which test and report on the “entropy” of programming code.

Within the Microsoft organisation, access to Windows source code is said to be highly compartmentalized, making it easy for modifications to be inserted without the knowledge of even the respective product managers.

Researchers are divided about whether the NSA key could be intended to let US government users of Windows run classified cryptosystems on their machines or whether it is intended to open up anyone’s and everyone’s Windows computer to intelligence gathering techniques deployed by NSA’s burgeoning corps of “information warriors”.

According to Fernandes of Cryptonym, the result of having the secret key inside your Windows operating system “is that it is tremendously easier for the NSA to load unauthorized security services on all copies of Microsoft Windows, and once these security services are loaded, they can effectively compromise your entire operating system”. The NSA key is contained inside all versions of Windows from Windows 95 OSR2 onwards.

***

“How is an IT manager to feel when they learn that in every copy of Windows sold, Microsoft has a ‘back door’ for NSA – making it orders of magnitude easier for the US government to access your computer?” he asked.

We have repeatedly pointed out that widespread spying on Americans began prior to 9/11.


14 Responses to “Government Built Spy-Access Into Most Popular Consumer Program Before 9/11”

  1. ReductiMat says:

    I think it’s prudent to assume they have their hooks in every major closed operating system out there. And given their resources, maybe they even found ways to compromise the open source ones as well.

    I think it’s also safe to assume that the general consensus amongst the slack-jawed TeeVee crowd is that, “As long as I ain’t doin’ anythin’ bad, I don’t got to worry.”

    Cue Ben Franklin quote: Liberty, Security, neither, yada, yada, yada.

  2. Iamthe50percent says:

    Indeed, what of MacOS and even FreeBSD and Linux? Sure Linux is open source but have you ever read the source? Some source code is extremely murky.

    • pmorrisonfl says:

      > Some source code is extremely murky.

      True, but it’s even worse than that. The classic on this is Ken Thompson’s Turing Award speech, ‘Reflections on Trusting Trust’, http://cm.bell-labs.com/who/ken/trust.html

      The moral of his story: You can’t trust code that you did not totally create yourself.

      He thought ‘The act of breaking into a computer system has to have the same social stigma as breaking into a neighbor’s house.’

    • Stumps says:

      Re: Linux, just be careful which binary packages you allow and it’s *extremely* unlikely that you’ll run into tainted code like this. I can’t think of anything besides video drivers that would be packaged this way so it’s a moot point.

      Also note that although the basis for OSX was BSD, Apple didn’t just build on top of a free-as-in-beer *nix implementation (BSD), they embraced and extended it. So it’s basically the same situation as the Windows rat’s nest. You won’t know what’s going on no matter how many assurances the vendor gives you.

      Bottom line is that if you care about this stuff (most don’t), stick with a BSD or Linux-based platform like FreeBSD or Ubuntu. Plus you get the benefit of a far superior kernel to Microsoft’s NT. Running Windows specific software is as simple as installing it into a virtual machine with the OS operating completely inside it.

      What’s interesting is that the age of proprietary software (the only place where exploits like this can fester) has been eroding everywhere except the corporate server room, where the most sensitive information is stored these days…

      • dsawy says:

        Weeeellll…. let’s be a little more clear about OS X’s origins.

        The upper levels of the OS smell, act and feel like BSD.

        The kernel is more a mash-up of Mach, NeXT OS and Apple-developed code.

        As for the best security in an OS that you can download and run: That would be OpenBSD:

        http://openbsd.org/

        On all the “downloadable Unix” implementations, I have long preferred anything with a BSD flavor over Linux, mostly because the BSD development efforts appear to me to be more stable than Linux.

    • ben smith says:

      @Iamthe50percent
      Nice try at shilling Microsoft F.U.D. as in “Yes Windows is insecure, but (ooh ooh look over here at this other thing) have you seen the Linux code, it’s murky. So Windows is really okay then.” Not so.
      While neither you nor I are software developers, literally millions of people world wide are and have read the Linux code, it’s published in books – in depth, it’s freely available for all to see, it’s dissected at college universities, and never have any of those actual experts shown an NSA or any other secret back-door built into Linux.
      I hope you don’t feel better about using Windows. But there is hope, you can switch to Linux.

  3. stonedwino says:

    I find these revelations beyond disturbing…

  4. idaman says:

    Doesn’t anyone remember the scandal about the software on all US cell phones that exists below the OS and captures all SMS texts?

    http://bits.blogs.nytimes.com/2011/12/01/programmer-raises-concerns-about-phone-monitoring-software/

    http://news.discovery.com/tech/your-android-smartphone-secretly-spying-111201.htm

  5. AtlasRocked says:

    It’s so comforting to see so many people saying nothing has changed, it’s all ok, go back in your houses, close the drapes, and be still.

    The man who has risked a lifetime jail sentence, cut off from his family, and exiled himself to tell you “No it’s not like it was” is a lunatic, pay him no mind.

  6. Biffah Bacon says:

    PROMIS software scandal during the Reagan administration. Multipronged effort to start big data collection across multiple databases in different computing environments, punish political opponents, place surveillance access into widely used court case management software and possibly other ends.

    This isn’t an Obama thing. It’s the logical outcome of events that took place before and during Reagan’s presidency.

  7. rfk says:

    Not just software. I was told a few years ago that it’s part of the Intel spec that a space is built in where code can run and not be detected by any means, and that’s the space where rootkits exploit.

  8. [...] Barry Ritholtz picked this up from Washington’s Blog and as part of his journey as a recovering Republican he’s republished this at his own blog…There certainly aren’t any longtime geeks who are surprised to read details of Microsoft putting in backdoors for the NSA. [...]

  9. ben smith says:

    While this is old news, and even if there is still an NSA back-door in current versions of Windows, I’d be more afraid of the front door that actually is Windows. Kind of makes the name “Windows” even more appropriate in terms of security doesn’t it?
    I’d also say that the back-door Steve Gibson found in Windows is now better understood in light of all the new NSA spying.