NSA Crypto API Key FUD

Mike Hudack
Editor-in-Chief

Some people can claim to have never spread FUD (Fear, Uncertainty and Doubt) in their lives.  I guess I can no longer claim such a distinction.

I came home from school on Friday around 2:45 (seven or so hours ago) to more than fifty e-mails asking me about the NSA key included in Windows.  I moved fast -- too fast.  I wrote a story on it, quoting sources I had already read and referencing those sources. 

About half an hour ago I changed the story slightly, making it clear that we had not independently confirmed the action of this second key in the Microsoft Crypto API.  The slightly revised article is still here as NSA Backdoor.

I moved quickly, calling my media contacts to ensure they knew what was going on.  CNN was already working on a story and others had already run with it.  Some were waiting for more word.  Pressed with Internet time, everyone who was publishing on the Web had already gone with the story, some more tentatively than others.

As time went on I began to realize there were a few things wrong with the conclusions being drawn.  I didn't want to reverse my position too soon though, and I kept pushing my opinions -- and my natural distrust for the NSA and Microsoft -- although less strenuously.

It was around seven o'clock in the evening that I realized something was wrong.  The second key included in the Crypto API may have been inserted by the NSA (hence the name) as a backup to the Microsoft key -- and intended only for use on NSA machines.  There were a dozen possible explanations, some discussed in the article NSA Ramifications on OSAll.

At eight o'clock I began writing this article, double-checking my sources.  My NSA contact had called me around nine and told me "I have no idea what's going on.  We use NT for a couple things and install some Crypto API programs for tests."  That was part of the last straw for me... That and Russ Cooper's wonderful posting to NT Bugtraq did it for me (hopefully we'll get permission from Russ to publish that post here -- it's pending).

I'm making no excuses for helping to spread FUD through my over-eager analyzation and reporting, but the pressures of Internet time -- and the lost time of school -- were major issues.

All content copyright 1998 - 99 unless book covers or otherwise noted.  Book covers copyright 1998 - 99 Amazon.com.  All OSAll-owned content may be reprinted with the following header added: "Copyright 1998 - 99 Owl Services.  Visit aviary-mag.com for computer security news and information."  Article authors retain a non-exclusive right to republish their work.