MS denies giving NSA key
http://zdnet.com.com/2100-11-515610.html?legacy=zdnn
By Lisa Bowman
ZDNet News
September 2, 1999, 5:00 PM PT
Updated at 6:20 PM PT
Microsoft is denying claims by a Canadian security company that it has
installed a second key in its Windows programs in order to give the U.S.
government access to users' computers.
Instead, it said it is only following the rules the U.S. government imposes on
software exports.
Andrew Fernandes, the chief scientist of Cryptonym, had claimed that a
second key in several versions of the company's Windows operating system
contains coding using the letters "NSA," which he said indicated that Microsoft
(Nasdaq:MSFT) may be providing a key for the National Security Agency.
But Microsoft said it's not, and calls the incident a "tempest in a
teapot."
Instead, Windows NT security product manager Scott Culp said the company
was merely complying with federal rules imposed by the U.S. Commerce Department
and NSA to meet export control requirements. Culp said the keys have been used
for years to verify the digital signatures of partner companies using its crypto
application programming interface (API), and to verify that they're export
approved.
"They're in there because that's how we comply with export controls that
the NSA is overseeing," he said.
Bad name
But he acknowledges the term "NSA" key could arouse suspicion. "It's a
really bad name," he said. "I think we're going to rename it after today."
The keys are in every copy of Windows 95, 98, NT4 and 2000.
The owner of such keys could potentially infiltrate software by using them
to go through a so-called "back door" in the software. Because the U.S.
government limits the export of strong encryption software, some software makers
provide such keys to the government. But Microsoft said it's doing no such
thing. "It's totally against our corporate policy," Culp said.
The NSA faxed a statement deferring specific questions to Microsoft.
Fernandes started his work last year, after two software developers
discovered the presence of a second key, but said they didn't know why it was
created. Fernandes piggy-backed on that research to learn more about the second
key.
The good news, Fernandes said, is that companies can use a security flaw
in the NSA key to add their own strong encryption, in effect overriding the key.
More information is at the Cryptonym site.
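The two technical points in the story, a loader that trusts a signature under either of two keys (the mechanism Culp describes) and the observation that the second key can be overridden (Fernandes' claim), can be modelled in a few lines. The following Python is an added illustration written for this page, not Microsoft's CryptoAPI code and not Cryptonym's research; the toy RSA on small fixed primes, the `ProviderLoader` class and the pinned anchor digest are all constructed assumptions. It shows that a check which accepts any anchor in a table is only as strong as the least-protected entry, and that pinning a digest of the whole table lets the loader detect a swapped anchor instead of silently trusting it.

```python
import hashlib

# Textbook RSA on small fixed primes. Constructed purely to model signature
# checking in a few lines; it is not a secure signature scheme.
P, Q = 1000003, 1000033  # small primes, constructed example values


def make_keypair(p=P, q=Q, e=65537):
    """Return ((n, e), (n, d)) for a toy RSA key pair."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def _digest_int(data, n):
    """SHA-256 of the module image, reduced into the RSA group."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(priv, data):
    n, d = priv
    return pow(_digest_int(data, n), d, n)


def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == _digest_int(data, n)


def anchor_digest(anchors):
    """Hash of the trust-anchor table, serialised in a fixed order, for pinning."""
    blob = ",".join(f"{name}:{n}:{e}" for name, (n, e) in sorted(anchors.items()))
    return hashlib.sha256(blob.encode()).hexdigest()


class ProviderLoader:
    """Hypothetical loader: a provider module is accepted when its signature
    verifies under ANY key in the trust-anchor table."""

    def __init__(self, anchors, pinned_digest=None):
        self.anchors = dict(anchors)
        self.pinned_digest = pinned_digest

    def anchors_intact(self):
        # Without a pin the table is taken on faith, whatever it currently holds.
        return self.pinned_digest is None or anchor_digest(self.anchors) == self.pinned_digest

    def load(self, module, sig):
        if not self.anchors_intact():
            return False  # the anchor table itself no longer matches what was shipped
        return any(verify(pub, module, sig) for pub in self.anchors.values())


def demo():
    """Walk through both outcomes: an unpinned table, once its secondary slot is
    replaced, admits a third party's module; a pinned table refuses to load at all."""
    vendor_pub, vendor_priv = make_keypair()
    second_pub, _ = make_keypair(1000081, 1000099)    # the second, rarely used anchor
    third_pub, third_priv = make_keypair(1000037, 1000039)  # some other party's key

    anchors = {"primary": vendor_pub, "secondary": second_pub}
    module = b"constructed sample provider image"
    vendor_sig = sign(vendor_priv, module)
    third_sig = sign(third_priv, module)

    unpinned = ProviderLoader(anchors)
    pinned = ProviderLoader(anchors, pinned_digest=anchor_digest(anchors))
    results = {
        "vendor_signed_loads": unpinned.load(module, vendor_sig),
        "third_party_rejected": not unpinned.load(module, third_sig),
    }
    # Overwrite the secondary slot in both loaders, as an unprotected table allows.
    for ldr in (unpinned, pinned):
        ldr.anchors["secondary"] = third_pub
    results["unpinned_now_accepts_third_party"] = unpinned.load(module, third_sig)
    results["pinned_refuses_after_swap"] = not pinned.load(module, vendor_sig)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The design point is that the second anchor buys the attacker nothing if it cannot be changed in place; the weakness is a writable anchor, not the existence of a second one. A real loader would keep the pinned digest somewhere the module being verified cannot reach, such as a signed, read-only part of the OS image.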
However, even Fernandes said he didn't know for sure if the NSA coding in
Windows really refers to the government agency. "I'm in the security business,
and the security business is the business of paranoia," he said.
Security consultant Richard Smith, president of Phar Lap Software, said
the discovery was a minor one. "As in most cases, where there's smoke there's
usually fire," he said. "But in my opinion this isn't a very big fire."
Fernandes' claim came just two weeks after news began circulating that the
U.S. Department of Justice was asking for special legislation that would let
them spy on computers without a warrant or a user's knowledge.