[117500] in Cypherpunks
Re: NSA key in MSFT Crypto API
daemon@ATHENA.MIT.EDU (William H. Geiger III)
Sat Sep 4 10:25:30 1999
Date: Sat, 4 Sep 1999 10:11:49 -0400
Message-Id: <199909041411.KAA23565@domains.invweb.net>
From: "William H. Geiger III" <whgiii@openpgp.net>
To: Multiple recipients of list <cypherpunks@openpgp.net>
Reply-To: "William H. Geiger III" <whgiii@openpgp.net>
In <3.0.1.32.19990904083230.006cb894@pop3.idt.net>, on 09/04/99
at 08:32 AM, Jay Holovacs <holovacs@idt.net> said:
>Some quotes from:
>http://www.wired.com/news/news/technology/story/21589.html
>>"Windows is compromised!! Microsoft is in bed with the Federal
>Government," wrote one poster to a mailing list addressing privacy and
>crypto issues.
>>
>Not attributed, but that sounds like cypherpunk WG III.
Who, little 'lo me? :)
I wish he had quoted the entire post:
It's very simple, DO NOT USE WINDOWS!!
This is a compromise in only one API. God only knows what they have done
to compromise security in the millions of lines of code that no one
outside of Redmond has ever seen.
Windows is compromised!! Microsoft is in bed with the Federal Government.
There is *no* security on a system running their software. Those who
continue to do so get exactly what they deserve.
>Unfortunately also these quotes from Russ Cooper, moderator of the
>NTBugtraq Windows security resource:
>>He said the lion's share of individuals overreacting to the claims are
>freedom fighters and privacy advocates. "Unfortunately they have a loud
>voice," he said.
>>
>>"I don't think they are representative of the average person, the real
>people that populate the Net," he said.
>>
>>"We give away all kinds of things, every day, that sacrifice our privacy.
>These privacy advocates, I'd put them in the category of the Michigan
>Militia, the Ruby Ridge folks."
>>
>>
>Apparently, according to Cooper, privacy folks are not like "real
>people". His comment not only dismissese the seriousness of the immediate
>issue (which may or may not prove to be valid ultimately) but he seems to
>consider those who raise such questions government intrusion as some form
>of crackpot not to be taken seriously (real people shouldn't mind privacy
>intrusion).
Russ can kiss my pearly white ass. He is a typical Microsoft apologist. Of
anyone he should know what junk NT is when it comes to data security yet
he will gleefully lead his sheeple down the M$ path.
Is the current CAPI debacle a make or break issue for M$ security? I guess
we will never know as I doubt M$ is going to release the source code so we
can know the truth. But when one adds this to all the other *known*
security holes in their products and their corporate attitude that is at
best indifference and at worst openly hostile to use security & privacy
how can anyone in good conscious recommend their products as secure?
While thinking over this issue last night I came up with an interesting
thought:
What if these public keys are used for much more than just signing crypto
modules?
If I was designing a program with a backdoor, but I wanted to be the only
one who could use it, what better way than to use public key encryption
for authentication. It would be quite simple, M$ or NSA send a packet of
data that is signed with the appropriate key to a known port that is
always open and under control of the OS (say port 134), the signature is
verified and full access to the system is provided. Who knows backdoors
into every M$ product could be set up in this or similar ways.
Never forget the golden rule: NO CODE == NO TRUST!!
--
---------------------------------------------------------------
William H. Geiger III http://www.openpgp.net
Geiger Consulting Cooking With Warp 4.0
Author of E-Secure - PGP Front End for MR/2 Ice
PGP & MR/2 the only way for secure e-mail.
OS/2 PGP 5.0 at: http://www.openpgp.net/pgp.html
Talk About PGP on IRC EFNet Channel: #pgp Nick: whgiii
Hi Jeff!! :)
---------------------------------------------------------------