Earlier this week, a senior National Security Agency official told US Congress that the NSA had worked on Microsoft’s latest operating system, Windows 7. This spurred a flurry of rumours about the NSA building backdoors into Windows 7, but Microsoft has today categorically denied these claims.
Richard Schaeffer, information assurance director at the NSA, testified before the Senate’s Subcommittee on Terrorism and Homeland Security, and talked about Windows 7, too.
“Working in partnership with Microsoft and elements of the Department of Defense, NSA leveraged our unique expertise and operational knowledge of system threats and vulnerabilities to enhance Microsoft’s operating system security guide without constraining the user to perform their everyday tasks, whether those tasks are being performed in the public or private sector,” Schaeffer told Congress.
“All this was done in coordination with the product release, not months or years later during the product lifecycle,” Schaeffer added, “This will improve the adoption of security advice, as it can be implemented during installation and then later managed through the emerging SCAP standards.”
This is barely interesting news. The NSA has worked with Microsoft before, and in fact, Microsoft isn’t the only company the NSA works with. Cisco, for instance, has built “lawful intercept” into its products, including its Internetworking Operating System (IOS) and VoIP products.
Marc Rotenberg, the executive director of the Electronic Privacy Information Center, raised a red flag about the NSA’s involvement in Windows 7. “When NSA offers to help the private sector on computer security, the obvious concern is that it will also build in backdoors that enable tracking users and intercepting user communications,” Rotenberg told ComputerWorld, “And private sector firms are reluctant to oppose these ‘suggestions’ since the US government is also their biggest customer and opposition to the NSA could mean the loss of sales.”
Microsoft responded to Rotenberg’s concerns, categorically denying it would build a backdoor into Windows 7 at the NSA’s request. “Microsoft has not and will not put ‘backdoors’ into Windows,” a Microsoft spokesperson told ComputerWorld in a statement.
Some experts on the matter think it is highly unlikely that Microsoft would build backdoors into Windows. “I can’t imagine NSA and Microsoft would do anything deliberate because the repercussions would be enormous if they got caught,” Roger Thompson, chief research officer at AVG Technologies, said, “Having said that, I think we should understand that there is every likelihood that certain foreign governments are constantly looking for vulnerabilities that they can use for targeted attacks. So if they’re poking at us, I think it’s reasonable to assume that we’re doing something similar. But I seriously doubt an official NSA-Microsoft alliance.”
“Would it be surprising to most people that there was a backdoor? No, not with the political agenda of prior administrations,” said Andrew Storms, the director of security operations at nCircle Security, “My gut, though, tells me that Microsoft, as a business, would not want to do that, at least not in a secretive way.”
I also think it is highly unlikely Microsoft would put secret backdoors in Windows. Windows is probably the most prodded and tested piece of software out there, and the existence of a backdoor would get out quickly – and it would mean a devastating blow to Microsoft, especially in a world where, shall we say, the US isn’t particularly popular.
Still, the rumours will persist, as that is the nature of man.