Does Windows have Government Back Doors?
- Thread starter Retro
- Start date
Arantor
Well-known member
- Joined
- 24 May 2022
- Messages
- 968 (1.39/day)
Re first video; Dave is completely right about the nature of people and reviewers. OpenSSL definitely is a casualty of insufficiently many competent reviewers. The good open source projects do have the domain experts.
If you're doing code review at that level where it's a meaningful journey, it is not surprising to me that this generally works as intended.
I'm not surprised at the layers of defence in depth at MS, at least in Dave's day, but the quality of Windows was demonstrably higher in Dave's day.
Do I believe there are no backdoors in Windows? I believe to the best of their knowledge that's true. Is it objectively true? That's a different question because there are some fascinating white papers on the subject of how you'd achieve that - and let's just say if I wanted to get a backdoor into Windows, I wouldn't target the Windows source code itself, I'd target *the tools that build it* because that's harder to catch even with the layers of protection Dave talks about. And such attacks have been documented, it's not theoretical - but at time of writing it is believed that no backdoors exist in the toolchains for any of the major operating systems. Trouble is, these things are just so massive that it's... difficult to meaningfully audit them anyway.
Re second video: I'd not heard of the NSA key before. As soon as I heard it I was skeptical because that's just not how PKI encryption actually works, there's no ability to create a master key unless you're encrypting everything with that one key.
EDIT: Previously I said OpenSSH; I meant OpenSSL. They seem like the same project but they're really not. OpenSSH is full of competent people; OpenSSL needs more domain experts to vet the code.
If you're doing code review at that level where it's a meaningful journey, it is not surprising to me that this generally works as intended.
I'm not surprised at the layers of defence in depth at MS, at least in Dave's day, but the quality of Windows was demonstrably higher in Dave's day.
Do I believe there are no backdoors in Windows? I believe to the best of their knowledge that's true. Is it objectively true? That's a different question because there are some fascinating white papers on the subject of how you'd achieve that - and let's just say if I wanted to get a backdoor into Windows, I wouldn't target the Windows source code itself, I'd target *the tools that build it* because that's harder to catch even with the layers of protection Dave talks about. And such attacks have been documented, it's not theoretical - but at time of writing it is believed that no backdoors exist in the toolchains for any of the major operating systems. Trouble is, these things are just so massive that it's... difficult to meaningfully audit them anyway.
Re second video: I'd not heard of the NSA key before. As soon as I heard it I was skeptical because that's just not how PKI encryption actually works, there's no ability to create a master key unless you're encrypting everything with that one key.
EDIT: Previously I said OpenSSH; I meant OpenSSL. They seem like the same project but they're really not. OpenSSH is full of competent people; OpenSSL needs more domain experts to vet the code.
Last edited:
- Joined
- 13 Apr 2022
- Messages
- 2,099 (2.85/day)
Similar threads
