Technology
September 4, 1999

A Mysterious Component Roils Microsoft

By JOHN MARKOFF

SAN FRANCISCO -- A cryptographer for a Canadian software firm, dissecting a piece of Microsoft security software, made an unexpected find: an element in the Windows operating system labeled "NSAKey."

When his discovery was made known on his company's Web site Friday, it set off a firestorm of Orwellian visions in Internet discussion groups.


Was the buried software component, as the cryptographer surmised, a Trojan horse that gave the National Security Agency a hidden back door into the world's computers? Or was it merely a Microsoft programmer's remarkably bad choice of language in a software system designed to protect electronic communications and commerce?

Microsoft executives insisted that there was no Big Brother feature in the software. "The big answer is that these charges are completely false," said Scott Culp, a security product manager at Microsoft.

And the National Security Agency, which gathers electronic signal intelligence worldwide and is responsible for the security of the Government's computers, issued a terse three-sentence news release distancing itself from the controversy, saying, "Questions about specific products should be addressed to the company."

Microsoft officials acknowledged that the episode was in any case a black eye for the world's largest software publisher.

"We're going to pay and pay and pay for this," said one of the company's security experts, who spoke on the condition that he not be identified.

In recent months Microsoft has become a lightning rod for criticism of its products' security and has had to deal with several gaffes, including the discovery last week of a security flaw that exposed the e-mail of users of its Hotmail service.

Rumors of a door for U.S. access to the world's computers.


The latest uproar was set off by Andrew Fernandes, a mathematician in Research Triangle Park, N.C., who is chief scientist of the Cryptonym Corporation, a small Canadian software firm that is developing computer security products.

Fernandes first presented his findings at a technical meeting last month in Southern California, but word did not spread more broadly until today, when a news release was posted on the Cryptonym Web site.

In a telephone interview, Fernandes said he had made his discovery while exploring and trying to replicate the security software in Microsoft's Windows and Windows NT operating systems.

The operating systems make use of a key -- a large number -- to authenticate software components, providing confidence that a component is correctly identified and has not been tampered with. For example, when new encryption functions are added, the key is used to verify that they comply with Government regulations before they are accepted.

Cryptographers had previously noted the existence of a second key whose use they could not account for. What Fernandes found in the program was an identifying tag, disguised in earlier versions. And the label was "NSAKey."

The discovery shocked him, Fernandes said, adding, "It doesn't make any sense why they would put in a second key."

He concluded that the key represented a serious security flaw that would leave Microsoft's operating system vulnerable to intrusion. "The result is that it is tremendously easier for the N.S.A. to load unauthorized security services on all copies of Microsoft Windows, and once these security services are loaded, they can effectively compromise your entire operating system," his news release asserted.

But at Microsoft, Culp said the key labeled NSAKey was a backup permitting Microsoft to authenticate encryption components if the first key was damaged. And he said the name was simply unfortunate.
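The dispute above turns on one property of any signature-based loader: the set of public keys it trusts decides whose components it will run. As an added illustration, not code from the article and not Microsoft's actual implementation, the following Go program models that scheme with a loader that accepts a component if any key in its trust store validates the signature. The key labels ("primary", "second"), the component bytes and the choice of Ed25519 are constructed assumptions for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// TrustStore holds the public keys a loader accepts component signatures
// from. A one-entry store models the primary verification key the article
// describes; a second entry models the additional key it reports.
type TrustStore struct {
	Keys map[string]ed25519.PublicKey
}

// Component is a signed module: its bytes plus a detached signature.
type Component struct {
	Name      string
	Body      []byte
	Signature []byte
}

// Sign produces a detached Ed25519 signature over the SHA-256 digest of
// the component body.
func Sign(priv ed25519.PrivateKey, name string, body []byte) Component {
	digest := sha256.Sum256(body)
	return Component{Name: name, Body: body, Signature: ed25519.Sign(priv, digest[:])}
}

// Verify returns the label of the trusted key that validated the
// signature, or "" if no key in the store accepts it. The loader does not
// care which key matched: a signature from ANY trusted key is enough, and
// any change to the body invalidates the signature.
func (ts TrustStore) Verify(c Component) string {
	digest := sha256.Sum256(c.Body)
	for label, pub := range ts.Keys {
		if ed25519.Verify(pub, digest[:], c.Signature) {
			return label
		}
	}
	return ""
}

func main() {
	// Two independent key pairs: the primary key and a second key held
	// by some other party (constructed for the example).
	pubPrimary, privPrimary, _ := ed25519.GenerateKey(rand.Reader)
	pubSecond, privSecond, _ := ed25519.GenerateKey(rand.Reader)

	body := []byte("constructed sample component bytes")
	primaryOnly := TrustStore{Keys: map[string]ed25519.PublicKey{"primary": pubPrimary}}
	withSecond := TrustStore{Keys: map[string]ed25519.PublicKey{"primary": pubPrimary, "second": pubSecond}}

	signedByPrimary := Sign(privPrimary, "example-component", body)
	signedBySecond := Sign(privSecond, "example-component", body)

	fmt.Println("one-key store, primary signature:", primaryOnly.Verify(signedByPrimary))
	fmt.Println("one-key store, second signature: ", primaryOnly.Verify(signedBySecond))
	fmt.Println("two-key store, second signature: ", withSecond.Verify(signedBySecond))

	// Tampering with the body breaks verification under either store.
	tampered := signedByPrimary
	tampered.Body = append([]byte{}, body...)
	tampered.Body[0] ^= 1
	fmt.Println("two-key store, tampered body:    ", withSecond.Verify(tampered))
}
```

The point for a defender is that every key in the store is a root of trust of equal standing: a component signed with the second private key passes exactly as a primary-signed one does, so the security of the loader rests on who controls each private key, not on how the keys are labeled. Documenting every trusted key, and being able to audit the store, is what lets an operator answer the question the article raises.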


Because the key ensures compliance with Federal export laws, and the National Security Agency is the authority responsible for reviewing software and hardware products intended for foreign use, the component has been referred to colloquially at Microsoft as the "NSA key," he said. But Culp insisted that the key was not shared with any outside party, including the N.S.A.

"We protect it with dobermans and barbed wire," he said. "Conspiracy theorists are worked up about this, but real life is more boring."

Security and privacy experts were generally skeptical about the notion that Microsoft was cooperating with the nation's electronic intelligence agency.

Microsoft has vocally opposed proposals by law-enforcement and intelligence agencies that would give them electronic back doors to monitor computer data.

Some security experts said that even if there was no sinister explanation for the NSAKey, Microsoft should not add components to its security software system without publicly identifying them.

"They've debased their currency once again by not disclosing this," said Mark Seiden, chief consultant for the information security group Kroll-Ogara.

Microsoft executives said there had been no reason to publicize the backup key. "It was not something that anyone had expressed any interest in," Culp said.

And in any case, the Big Brother that Fernandes said he had discovered turned out to have an Achilles heel. He said he had been able to develop a small program that strips out the second key.


Copyright 1999 The New York Times Company