While writing about OS back-doors, I said:

>I'm incredibly skeptical that Microsoft, IBM, or any other vendor
>intentionally provides back-doors for the NSA or anyone else.

This was too strong, because there is in fact a counterexample that I'd
forgotten while composing that e-mail.

Jim Gillogly just reminded me of it: the 40-bit key hack in Lotus Notes. In
order to export strong encryption, Lotus would encrypt all but 40 bits of
their encryption keys with a public key and include it in the message. The
corresponding private key was held by NSA. If NSA intercepted an encrypted
Notes message, they could use their private key to decrypt all but 40 bits
of the encrypted secret key.

This is an example of NSA using a commercial developer to provide a back
door in a commercial product. However, this back door was in fact an open
secret: while Lotus didn't exactly feature it in their sales brochures, the
information wasn't formally restricted or suppressed.

But I still don't believe there are secret back-doors in commercial OSes
because such things are too hard to keep secret. And I think the Lotus
incident is more evidence that NSA isn't going to try to keep something
like that secret since they can't depend on it staying secret.

Rick.
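The key-splitting scheme described in the e-mail above, modelled as an added example (it is not part of the original message and not Lotus code). Assumptions: a toy textbook RSA with tiny primes stands in for the escrow agency's public key, and an XOR-with-SHA-256 keystream stands in for the product's symmetric cipher; the point is the asymmetry in search effort, 2**open_bits for the private-key holder versus 2**key_bits for everyone else.

```python
import hashlib
import secrets

# Toy textbook RSA standing in for the escrow agency's public key (assumption:
# the real product used a full-size RSA envelope; these parameters are far too
# small for anything but illustration).  N exceeds 2**24, so a 24-bit value fits.
P, Q = 65537, 257
N = P * Q
E = 17
D = pow(E, -1, (P - 1) * (Q - 1))

def toy_encrypt(key: int, key_bits: int, data: bytes) -> bytes:
    """Stand-in symmetric cipher (assumption): XOR with a SHA-256 keystream."""
    stream = hashlib.sha256(key.to_bytes(key_bits // 8, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def workfactor_field(key: int, open_bits: int) -> int:
    """Sender: RSA-encrypt every key bit above the lowest open_bits and ship it."""
    return pow(key >> open_bits, E, N)

def recover_escrowed_bits(field: int) -> int:
    """Private-key holder: open the envelope to learn the escrowed high bits."""
    return pow(field, D, N)

def brute_force(ct, known_plain, key_bits, open_bits, escrowed=None):
    """Key search against known plaintext.  If the escrowed high bits are known,
    only 2**open_bits candidates remain; otherwise all 2**key_bits must be tried."""
    highs = [escrowed] if escrowed is not None else range(1 << (key_bits - open_bits))
    trials = 0
    for high in highs:
        for low in range(1 << open_bits):
            trials += 1
            cand = (high << open_bits) | low
            if toy_encrypt(cand, key_bits, known_plain) == ct[: len(known_plain)]:
                return cand, trials
    return None, trials

def demo(key_bits=32, open_bits=12, key=None):
    """Scaled-down run (32-bit key, 12 open bits) so the search finishes instantly.
    Returns (recovered_key_matches, trials_used, trials_without_escrow)."""
    key = secrets.randbits(key_bits) if key is None else key
    ct = toy_encrypt(key, key_bits, b"Lotus Notes memo")       # constructed sample
    field = workfactor_field(key, open_bits)                     # travels with ct
    high = recover_escrowed_bits(field)
    found, trials = brute_force(ct, b"Lotus", key_bits, open_bits, escrowed=high)
    return found == key, trials, 1 << key_bits

if __name__ == "__main__":
    print(demo())
```

With the real parameters (64-bit key, 40 open bits) the same split leaves the private-key holder a 2**40 search and everyone else 2**64; the escrow envelope buys exactly the 24 bits it carries.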