Vista Security and the NSA
I really was dumbfounded when I read that Microsoft confirmed that the NSA had helped them develop Windows Vista. Not so much because I didn’t think it was possible (I’ve heard it all at this point) but that they admitted it. First of all, most of the reason you have a spy agency help develop something is so it will be better at spying, second of all telling someone how you intend to spy on them pretty much kills the whole concept of it. It’s not like I’m talking out of school here either, Microsoft fully admitted it to the press.
There are two possible backlashes from this. 1) The backdoor will be found and either used against the US government or used against it’s citizens. 2) Foreign governments and security/privacy experts will avoid using Vista for anything sensitive. Either way it could completely defeat the purpose of the collaboration. You’d think after the NSAKEY issue that came up several years back they would have learned how people react to hearing this kind of thing.
The only thing I can say now is if you are concerned that a rogue Microsoft user or the government have access to your computer systems, you probably shouldn’t use Vista. I hate having that opinion without even having tried it, but what else can I say? I guess I can’t really have much of an opinion, seeing as how the details of their cooperation are obviously very guarded, other than I think in this particular case insecurity through obscurity would have been a better option.
January 18th, 2007 at 11:50 am
Yeah I blogged about it a week ago, Same points I had. But problem is, that they had help with XP also, Apple also confirmed NSA help, as well as Novell. Questions questions…
January 18th, 2007 at 12:52 pm
Not many people use XP to host production websites… although certainly that is troubling. No one uses Apple as a percentage. Novell is barely on the map too in comparison.
January 18th, 2007 at 1:19 pm
NSA isn’t just about breaking other countries systems, it’s also about securing the US’ own. To that end, they have their “Information Assurance” mission:
http://www.nsa.gov/ia/index.cfm
They want the US gov’t and millitary to have the best defenses possible, one would assume. Isn’t that why they produced their secure config guidelines?
http://www.nsa.gov/snac/
Granted, the NSA does have a bad wrap, and deservedly so for some of the crap they’ve pulled in the past, but I think this is over-reacting. After-all, otherwise we’re going to have to say linux (selinux) is backdoored too…
http://www.nsa.gov/selinux/
January 18th, 2007 at 1:23 pm
NSA also created AES encryption, and SELinux (used in hardened gentoo and as an option in Red Hat Enterprise). I agree its difficult to tell whether they are trying to prevent security problems in governmental systems, or they are trying to introduce a false sense of security through the installation of back doors. I just assume that Will this stop me from running Vista? No I’ll still use it on the desktop, with the proper safeguards, but I bet there will still be publicly disclosed holes in the os in addition to the secret NSA ones.
January 18th, 2007 at 1:32 pm
NSA didn’t create AES, they just approved of it’s use.
As for SELinux, we can examine the source code, you won’t get that in a MS product.
NSA does a lot of great work (and keep many mathematicians employed!), but you should never trust your government.
January 19th, 2007 at 9:40 am
Current AES is Rijndael (128/256), created by Vincent Rijmen and Joan Daemen. Ineed, not created by the NSA.
but I still find it really hard to trust the NSA, especially like; how are they going to trust eachother at the NSA? it’s a big bee hive. Let’s say insiders works on the security of vista, who says they aint publish the source, or a backdoor someplace else, or sells it. Who knows how many people worked on it. Hard to say who does and who doesn’t. But I question why are popular OS’s audited by the NSA and less popular not? And really, what does the NSA got what a good *nix architect doesn’t got in the case of Novell?
January 19th, 2007 at 11:42 am
> But I question why are popular OS’s audited by the NSA and less
> popular not?
Cost?
January 19th, 2007 at 1:23 pm
What I meant by my earlier post was that their selection of rijndael 128 as AES is suspicious in my mind, thats all. I know they didn’t write it, but they rejected the other forms of rijndael with larger block sizes.
Bruce Schneier, whom I trust more than myself on subjects of this matter, wrote on his blog about the same NSA Vista security review. He’s just as suspicious.
http://www.schneier.com/blog/archives/2007/01/
January 19th, 2007 at 5:28 pm
Alright, this is very easy to break down, Windows in general are all overseen by the government either respectfully or maliciously. The key thing is that the NSA is abusing their power and money for the worst reasons. the fact of the matter is it shouldn’t be allowed. the us government spys more on its own people than it does other countries.
To sum this all up (other an writing a novel) the government, no matter what, will always have their foot in the door one way or another… Unix* unlike windows is open source, we all know that. windows will do what it takes to build revenue and to see who payed who in these situations with the NSA is something that i would like to see in paper!
[quote]
# nEUrOO Says:
January 19th, 2007 at 11:42 am
> But I question why are popular OS’s audited by the NSA and less
> popular not?
Cost?
[quote/]
the reason being open source users (like most of us) are brighter than the general American population combined. The big problem is that Microsoft knows this and takes advantage of it to the fullest to make more money, because that is what truly makes the world go round.
or at least that is my opinion.
January 20th, 2007 at 1:35 pm
[quote]but they rejected the other forms of rijndael with larger block sizes.[/quote]
isn’t there a law in the US that prohibits large keysizes? I guess there is for software export to other non-US contries. so that’s pretty plausible to me. Though, it really woud not matter if you use 128 or 256, if one choose a bad password for it, you can break ‘m both dispite the keysize.
July 4th, 2007 at 7:27 pm
Just discovered this and went to view the article.
Anybody with a brain older than a five year olds will immediately see that all the NSA had to do was simply not tell Microsoft about ALL the ways they discovered to break into Vista. They just Microsoft about some of them to satisfy the requirements of the association.
Gates doesn’t care - security doesn’t make him any money.
Wah-lah! Nobody on the planet other than stupid Americans will ever use Vista now - if they are aware of this, anyway. You can bet the Chinese know about it.
Even if you don’t believe the NSA bugged or compromised Vista, the mere fact that Microsoft admitted their involvement taints the OS forever for foreign government and corporate use. Existing Windows OS were only somewhat tainted - and in any event, for many countries, the alternative of Linux wasn’t feasible until now. For China, though, Linux is a viable alternative - and for many other countries, Linux will definitely be a viable alternative now, since Vista gives them no choice at all.