

_NSAKEY (1999) - mcantelon
http://en.wikipedia.org/wiki/NSAKEY

======
tzs
Bruce Schneier's analysis: [http://www.schneier.com/crypto-gram-9909.html](http://www.schneier.com/crypto-gram-9909.html)

------
kryten
And before someone else says this is bollocks, I've worked at a company with
shared source access to Windows and there are still bits you can't get at like
the CSP implementations so there may still be stuff like that in there.

No open review for any crypto functions in Windows is possible.

That's basically a fucking massive red flag.

~~~
tptacek
The Windows source code is the most comprehensively reverse engineered
codebase in the world. Virtually every software security firm and every
security product company has someone on staff who has the lay of the land for
the kernel, services, and drivers. Even if Microsoft didn't publish most of
the debug symbols for the OS, which they do, it'd still be the best understood
closed source codebase in the world.

The likelihood of them hiding backdoors in software that you don't know about
simply because some company you worked at that had access to some of their
actual source code didn't have _all_ that source code is low.

~~~
kryten
You underestimate the problem.

Look at just Chrome for example, which I've posted my rationale for here:

[https://news.ycombinator.com/item?id=6035091](https://news.ycombinator.com/item?id=6035091)

Not a chance in hell.

~~~
tptacek
I don't understand your comment. Mine was a statement of fact. Your assessment
of the information density of Chrome versus that of the human genome was
comprehensively debunked.

~~~
kryten
There are no facts in your comment. Please cite your sources. Not only that,
my hypothesis hasn't been debunked or disproved.

------
PaulAJ
All those conspiracy theories sound a lot more reasonable today than they did
back in 1999.

~~~
tptacek
No. This reframing of the scariness of the NSA is one of the things that
drives me batty about the NSA coverage on HN.

The NSAKEY conspiracy theory wasn't dismissed in the late '90s because people
thought the NSA wouldn't backdoor Windows. The opposite is true; the NSA was
so feared in the '90s that people didn't (and still don't) trust standards
like DSA, for fear that the parameter generation algorithms they use were
backdoored.

No, the reason nobody takes the NSAKEY conspiracy theory seriously is because
if the NSA was going to backdoor Windows, they wouldn't do it with the ASCII
string "NSAKEY".

------
peterwwillis
They could also just send someone in there to steal the keys... Either way is
plausible. But this is just one example of how open source peer-review
improves security over proprietary implementations.

