Yes, I remember all that. And I'm as paranoid as anyone. But this once, the official MS/NSA explanation may be correct: That it's related to export approval, and does not in any way work as you describe. -Declan At 05:55 PM 1/30/01 -0800, Ray Dillinger wrote:
On Tue, 30 Jan 2001, Declan McCullagh wrote:
On Tue, Jan 30, 2001 at 11:45:43AM -0800, Ray Dillinger wrote:
Windows is also built to be insecure; there are backdoor keys for law-enforcement types to stick "trusted" trojans on the system,
Everything else is true, but I'm not sure about the above. You're talking about the NSA key, I assume.
Yes: Windows has one documented public key that it uses to check software that gets, eg, mailed to it via outlook, or downloads in a webpage via Explorer, or etc, to decide whether it is "trusted" software or not. If it is trusted software (presumably from Microsoft) then it can be run without popping up a dialog box and getting the user's attention/ permission. Otherwise, "normal" security methods apply.
People with debuggers long since discovered that there is more than one key ( though there are conflicting reports about whether there are two or three), but had no idea why there would be more than one unless Microsoft wanted to enable some third party to create "trusted" applications without Microsoft's knowledge or review.
Recently when a windows system was made available in a debug build (ie, with the symbolic names etc still in the code), it was discovered that one of the "extra" keys was named NSA_key, which gives at least a strong hint as to who else is allowed to create "trusted" downloadable software.
Bear