> While writing about OS back-doors, I said:
>
> >I'm incredibly skeptical that Microsoft, IBM, or any other vendor
> >intentionally provides back-doors for the NSA or anyone else.
>
> This was too strong, because there is in fact a counterexample that I'd
> forgotten while composing that e-mail.
>
> Jim Gillogly just reminded me of it: the 40-bit key hack in Lotus Notes. In
> order to export strong encryption, Lotus would encrypt all but 40 bits of
> their encryption keys with a public key and include it in the message. The
> corresponding private key was held by NSA. If NSA intercepted an encrypted
> Notes message, they could use their private key to decrypt all but 40 bits
> of the encrypted secret key.
>
> This is an example of NSA using a commercial developer to provide a back
> door in a commercial product. However, this back door was in fact an open
> secret: while Lotus didn't exactly feature it in their sales brochures, the
> information wasn't formally restricted or suppressed.
Actually, not only was it not formally restricted or suppressed, it was
announced ahead of time at the RSA conference (RSA '96, if memory serves).
> But I still don't believe there are secret back-doors in commercial OSes
> because such things are too hard to keep secret. And I think the Lotus
> incident is more evidence that NSA isn't going to try to keep something
> like that secret since they can't depend on it staying secret.
I agree, assuming we're talking about *deliberate* back doors. But,
as we all know all too well, the major commercial OSs have repeatedly
proven to ship with bugs (and default configurations) that make them
vulnerable to all kinds of mischief, secret back doors or not.
But this is a problem more believably attributed to the usual software bloat,
bad quality assurance practices, incompetent programming, and overly
aggressive schedules, than to the secret influence of spies.
-matt
>
> Rick.