
_NSAKEY - basicplus2
https://en.wikipedia.org/wiki/NSAKEY
======
londons_explore
20 years on, and nobody has ever found anything signed with this "NSAKEY".

That means either the conspiracy theorists were right, but the NSA only used
it for hyper targeted attacks, or Microsoft's explanation was correct.

I doubt anyone will ever know.

~~~
imdsm
They probably decided to rename the variable to something unfamiliar and legit
sounding like _winsysdg or _realtek2100m

------
kstenerud
Everyone loves a good conspiracy. It distracts us from the real world of
carelessness, incompetence, laziness, and lowpriorityness.

~~~
apexalpha
Yes because the NSA snooping in everyone's data turned out to be a
conspiracy...

~~~
parksy
It did though, didn't it? Intelligence organisations worldwide execute their
operations in total secrecy and have hidden agreements with international
counterparts to share information on each others' citizens in a way that
bypasses the laws and constitutions of their host nations. Secret plans that
circumvent the law is pretty much the definition of conspiracy.

~~~
adossi
Just because they didn't need to 'circumvent the law' doesn't mean what they
did was any less than subversive. Thanks to secret courts the law is whatever
they want it to be.

------
jaimex2
If it looks and sounds like a duck then it's probably a duck.

I can't see MS admitting to giving out a backdoor key. In any case it's
irrelevant as you should always assume everything you don't have source to is
compromised.

~~~
xg15
Normally, I'd agree with you, but this seems a bit too on-the-nose for me.
When people have to talk about a shady or immoral activity or put mentions of
it in writing, they usually get very creative in finding an inconspicuous name
for it.

As such, if this were really a backdoor, I'd expect its identifiers to look
maximally boring and no direct reference to the NSA given anywhere.

~~~
filleokus
Well, I would think so as well, but we have at least some anecdata (N=1) in
the other direction [0]:

> In doing this I discovered that the NSA public key had an organizational
> name of "MiniTruth", and a common name of "Big Brother". Specifically what I
> saw in my debugger late one night, which was spooky for a short moment was:

O=MiniTruth CN=Big Brother

[0]: [http://www.cypherspace.org/adam/hacks/lotus-nsa-key.html](http://www.cypherspace.org/adam/hacks/lotus-nsa-key.html)

~~~
sterlind
That was specifically a key escrow-style system, so you're right there. Lotus
Notes wanted to provide strong encryption abroad, in the bad old days of ITAR.
They used a hybrid of an exportable-sized key (~50 bit encryption) and a
stronger, backdoored key (MiniTruth.)

They were very public about it, though. It sucked they had to water down their
encryption, but that was the reality until PGP challenged ITAR head-on.

------
andy_ppp
Even if this _NSAKEY thing is not to do with an actual NSA backdoor(s) into
Windows, does anyone here really believe the NSA hasn't leveraged their
position to suggest Microsoft (and others) give them ways to access things (or
else)? If not it suggests that through software defects they have complete
access anyway?

~~~
IAmEveryone
This is sort of circular, or tautological: “I believe in it because it’s so
believable.”

FWIW, I am rather skeptical. And I even have reasons: if the NSA has the power
to coerce, Apple wouldn’t have repeatedly gotten into fights with the US government
to unlock iPhones.

Cooperating with the NSA is also clearly not in the companies’ interests. If
(when) it comes out, they’d be at risk of losing a lot of business in other
countries.

In any case, my usual argument about cynicism applies: spreading such theories
becomes self-fulfilling, because why should MS work for the NSA/every
politician take bribes/every cook spit in your food, if that’s what the people
believe anyway, no matter what you actually do?

~~~
SturgeonsLaw
Microsoft is listed as a provider in the NSA's Prism program in Powerpoint
slides released in the Snowden leak. In fact, the timeline indicates that they
were the first on board.

[https://upload.wikimedia.org/wikipedia/commons/c/c7/Prism_slide_5.jpg](https://upload.wikimedia.org/wikipedia/commons/c/c7/Prism_slide_5.jpg)

~~~
lern_too_spel
No, they give data for specific accounts being wiretapped to the FBI. The FBI
is a participant in the PRISM program.

------
auiya
"Microsoft said that the key's symbol was '_NSAKEY' because the NSA is the
technical review authority for U.S. cryptography export controls, and the key
ensures compliance with U.S. export laws"

Occam's Razor.

~~~
mapcars
I'm trying to understand what it means - does it mean your code has to have a
symbol called `_NSAKEY`? Or how does it affect compliance?

~~~
CrazyStat
The entire signing system, of which these keys were part, was required to
comply with US export controls.

------
bb88
This was Bruce Schneier's take on it at the time:

[http://www.cnn.com/TECH/computing/9909/13/backdoor.idg/](http://www.cnn.com/TECH/computing/9909/13/backdoor.idg/)

As he pointed out, Back Orifice didn't need a special key.

------
Jonnax
I remember that part of the Windows 2000 source code leaked years ago.

I'm presuming people looked at it for dubious keys.

~~~
vips7L
[https://github.com/Zer0Mem0ry/ntoskrnl](https://github.com/Zer0Mem0ry/ntoskrnl)

------
an_d_rew
One thing to remember is the fear that surrounded the export of cryptographic
technology from the US and ITAR and all the rest of it at the time. And then
there was the whole key escrow fiasco with Lotus Notes.

So just be careful viewing the incident from 2020 with the purported benefit
of decades of hindsight.

Disclaimer: I’m the guy who first found it and announced it at the rump
session of the Crypto conference in Santa Barbara that year...

------
112
It's only fitting that for recurring posts we have recurring comments.

Oh wow, there's an `nsagate` subdomain on `apple.com`!
[https://www.robtex.com/dns-lookup/nsagate.apple.com](https://www.robtex.com/dns-lookup/nsagate.apple.com)

~~~
saagarjha
Could be a nameserver.

~~~
cdmckay
[https://www.robtex.com/dns-lookup/nsbgate.apple.com](https://www.robtex.com/dns-lookup/nsbgate.apple.com)

------
doesnotexist
Well, it does seem remarkable that you never hear the DOJ or Attorney General
complaining loudly about how MSFT refused to decrypt something for them.

------
john37386
Does it have anything to do with today's Windows update and this cryptic
rumbling ahead of time?

[https://krebsonsecurity.com/2020/01/cryptic-rumblings-ahead-of-first-2020-patch-tuesday/](https://krebsonsecurity.com/2020/01/cryptic-rumblings-ahead-of-first-2020-patch-tuesday/)

~~~
wolfgke
We will soon see what this Windows update is about - but I seriously doubt
that there exists any relationship.

~~~
alakrit
If you mean the relationship between NSA and the vulnerability, then no, there
actually is: it was NSA who discovered the vulnerability and it has not been
used in the wild (according to NSA themselves; source:
[https://twitter.com/briankrebs/status/1217082363391377408](https://twitter.com/briankrebs/status/1217082363391377408))

~~~
JackRabbitSlim
"we lost the backdoor key and it's in the wild" constitutes the NSA
"discovering" and "informing" MS.

------
ryanlol
This seems like a pretty easy conspiracy theory to prove with a debugger.
Nobody has ever been able to do so!

~~~
m12k
How do you mean? The presence of a public key doesn't tell us what has been
encrypted with it or if the private key has been shared with anyone. How will
a debugger tell us any of that?

~~~
xg15
But if it's really the key to a backdoor, it has to be used somewhere in the
code. E.g., some part of Windows had to check something signed with the key or
encrypt something with it.

~~~
CrazyStat
Windows used _NSAKEY (and another key) to check that Cryptographic Service
Providers are signed. Otherwise it wouldn't allow them to be used. This was
explained in the article.

~~~
xg15
Ah, apologies. I didn't catch that part.

~~~
ryanlol
Although, this still fails to explain the mechanism via which such a
Cryptographic Service Provider would land on your computer (assuming this is
still supposed to be a backdoor).

