Does Windows have Government Back Doors?

Retro

Founder
Staff member
Joined
4 Jun 2021
Messages
2,086 (3.77/day)
Well, does it? Watch these two videos by ex-Microsoft developer Dave Plummer and decide for yourself.

Watch first.

 

Arantor

Well-known member
Staff member
Joined
24 May 2022
Messages
740 (3.72/day)
Re first video; Dave is completely right about the nature of people and reviewers. OpenSSL definitely is a casualty of insufficiently many competent reviewers. The good open source projects do have the domain experts.

If you're doing code review at that level where it's a meaningful journey, it is not surprising to me that this generally works as intended.

I'm not surprised at the layers of defence in depth at MS, at least in Dave's day, but the quality of Windows was demonstrably higher in Dave's day.

Do I believe there are no backdoors in Windows? I believe to the best of their knowledge that's true. Is it objectively true? That's a different question because there are some fascinating white papers on the subject of how you'd achieve that - and let's just say if I wanted to get a backdoor into Windows, I wouldn't target the Windows source code itself, I'd target *the tools that build it* because that's harder to catch even with the layers of protection Dave talks about. And such attacks have been documented, it's not theoretical - but at time of writing it is believed that no backdoors exist in the toolchains for any of the major operating systems. Trouble is, these things are just so massive that it's... difficult to meaningfully audit them anyway.

Re second video: I'd not heard of the NSA key before. As soon as I heard it I was skeptical because that's just not how PKI encryption actually works, there's no ability to create a master key unless you're encrypting everything with that one key.



EDIT: Previously I said OpenSSH; I meant OpenSSL. They seem like the same project but they're really not. OpenSSH is full of competent people; OpenSSL needs more domain experts to vet the code.
 

Tiffany

Pixel Princess
Staff member
Joined
13 Apr 2022
Messages
871 (3.63/day)
Interesting to think about our personal information and where it goes and thanks @Retro and @Arantor for sharing that extra detail. :)

My latest nerd musing is that I'm still processing callbacks in programming and where they're most used? 🤔
 

Retro

Founder
Staff member
Joined
4 Jun 2021
Messages
2,086 (3.77/day)
I found that "vestigial" NSA key interesting. Sure, it could be, but it's odd to leave something like that in there over successive generations of the operating system, even if there are better ways to backdoor the system.
 