Absolutely not a joke.
Declan McCullagh
declan at well.com
Tue Jan 30 17:58:52 PST 2001
Yes, I remember all that. And I'm as paranoid as anyone.
But this once, the official MS/NSA explanation may be correct: That it's
related to export approval, and does not in any way work as you describe.
-Declan
At 05:55 PM 1/30/01 -0800, Ray Dillinger wrote:
>On Tue, 30 Jan 2001, Declan McCullagh wrote:
>
> >On Tue, Jan 30, 2001 at 11:45:43AM -0800, Ray Dillinger wrote:
> >> Windows is also built to be insecure; there are backdoor keys for
> >> law-enforcement types to stick "trusted" trojans on the system,
> >
> >Everything else is true, but I'm not sure about the above.
> >You're talking about the NSA key, I assume.
>
>Yes: Windows has one documented public key that it uses to
>check software that gets, eg, mailed to it via outlook, or
>downloads in a webpage via Explorer, or etc, to decide whether
>it is "trusted" software or not. If it is trusted software
>(presumably from Microsoft) then it can be run without
>popping up a dialog box and getting the user's attention/
>permission. Otherwise, "normal" security methods apply.
>
>People with debuggers long since discovered that there is more
>than one key ( though there are conflicting reports about
>whether there are two or three), but had no idea why there
>would be more than one unless Microsoft wanted to enable
>some third party to create "trusted" applications without
>Microsoft's knowledge or review.
>
>Recently when a windows system was made available in a debug
>build (ie, with the symbolic names etc still in the code), it
>was discovered that one of the "extra" keys was named NSA_key,
>which gives at least a strong hint as to who else is allowed
>to create "trusted" downloadable software.
>
> Bear
More information about the cypherpunks-legacy
mailing list