[117516] in Cypherpunks

home help back first fref pref prev next nref lref last post

The alleged NSA key and what to do about it.

daemon@ATHENA.MIT.EDU (Alan Olsen)
Sat Sep 4 19:29:02 1999

Date: Sun, 5 Sep 1999 07:06:20 -0700 (PDT)
From: Alan Olsen <alan@clueserver.org>
To: cypherpunks@algebra.com
Message-ID: <Pine.LNX.4.04.9909050653310.13975-100000@clueserver.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Reply-To: Alan Olsen <alan@clueserver.org>

First of all, let me get a few opinions out of the way...

Do I believe it actually an NSA backdoor.  Maybe.  The third key in Win2k
and the absolute lack of documentation reguarding those keys makes me
believe it is possible.  If it is an NSA backdoor, they must believe
people are more stupid than even I do.

It is a big security problem?  Hell yes!  Replacing the keys on the
machine to bypass the security controls is double-plus ungood.  (BTW, it
is not the only way to do it.  The cert checking can be made to accept
anything by hacking the DLL in one spot, but it is not an easy hack.
Note, you pretty much need to do this to write certain drivers for NT if
Microsoft is unwilling to grant permission.)

If I was more experienced with the CAPI, I would write a scanner that
would look for files signed with the _NSAKEY and report what they are.  It
would be interesting to find out if there are any files signed with that
key and just what they are.  Microsoft claims that they key has not been
used.  I do not trust Microsoft as far as I can throw them.  Only an
exausive search of a number of systems will make me feel better about that
assertion.

A pre-filter for any ActiveX control would also be a good idea.  (I know
it is possible to disable, but there may be ways to sneak past those
off-switches.)  My opinion of ActiveX is another rant.

Now that this has been revealed, it will be interesting to see if the
hidden keys get changed or rehidden.

BTW, this is also a prime example as to why Americans (and everyone else)
need to preserve the right of reverse engineering.

alan@ctrl-alt-del.com | Note to AOL users: for a quick shortcut to reply
Alan Olsen            | to my mail, just hit the ctrl, alt and del keys.
    "In the future, everything will have its 15 minutes of blame."


home help back first fref pref prev next nref lref last post