Information Security News mailing list archives

Germany Denies Microsoft Ban


From: InfoSec News <isn () C4I ORG>
Date: Tue, 20 Mar 2001 02:20:47 -0600

http://www.wired.com/news/politics/0,1283,42502,00.html

by Steve Kettmann
11:45 a.m. Mar. 19, 2001 PST

BERLIN -- Microsoft still produces the operating systems of choice for
Germany's Defense Ministry, despite a report in a leading magazine
saying security concerns would lead it to seek an alternative.

A Defense Ministry official flatly denied a report in Der Spiegel that
German officials were banning Microsoft operating systems because they
were concerned about a possible backdoor built into them by the U.S.
National Security Agency.

The possibility of such a backdoor existing was first brought to
international attention in a 1999 Wired News story. That article
reported that leading American cryptographer Andrew Fernandes had
found an "NSA key" in Microsoft software that he believed could give
the NSA such a backdoor.

"This assumption is wrong," the spokesman said. "I can confirm that
the Defense Ministry signed a general licensing contract with
Microsoft half a year ago saying we will use software products of
Microsoft, and we intend to continue to use such systems."

He did not deny, however, that serious security concerns remained.

"We are convinced that we have sufficient firewalls to protect our
sensitive database," he said. "In addition to these firewalls, we have
additional cryptographic techniques that have been approved by
Germany's Federal Office for Data Protection. These additional
security measures are independent of Microsoft software."

Andy Mueller-Maguhn, a leader of Berlin's Chaos Computer Club and also
Europe's representative on the board of the Internet Corporation for
Assigned Names and Numbers (ICANN), said he believed the German
government was probably in damage-control mode. In other words: He
thinks the report in Der Spiegel is probably accurate.

"You have to remember we have a new U.S. government to think of and
it's very sure that no one in the German government wants to hurt that
new political relationship," said Mueller-Maguhn, an occasional
adviser to government figures.

"I believe that there's some internal language about this situation
and some public language and the gap between them is quite large," he
said. "I think this is a kind of snafu."

Der Spiegel also reported that Germany's foreign office was acting on
its own security concerns by deciding not to use videoconferencing
software to communicate with personnel in overseas embassies. The
magazine quoted a foreign office employee musing that the risk of
infiltration of such communication was so high, the Germans "might as
well hold our conferences directly in Langley."

A foreign office representative could not be reached for comment.

Fernandes created a major stir in September 1999 when he went public
with his discovery of a secret Microsoft security key labeled
"_NSAKEY" -- which he and other experts on security saw as proof of NSA
involvement.

"By adding the NSA's key, they have made it easier -- not easy, but
easier -- for the NSA to install security components on your computer
without your authorization or approval," Fernandes said.

Experts supported Fernandes. "I believe it is an NSA key," said Austin
Hill, president of anonymous Internet service company Zero-Knowledge
Systems.

But Microsoft issued a strong denial.

"The key is a Microsoft key -- it is not shared with any party,
including the NSA," Windows NT security product manager Scott Culp
said. "We don't leave backdoors in any products."

The NSA offered no comment. Since then, the agency has come under fire
internationally as more information has leaked out about its global
eavesdropping network Echelon, which most experts believe has the
potential to tap into e-mail, phone conversations and faxes anywhere
in the world.

The existence of the network has become a hot issue in Europe, where
it has helped engender anti-American sentiment, and launch a series of
hearings on Echelon organized by the European Union.

"We do have people in the German government who know all about
Echelon, but they won't speak about it in public because they are
concerned about what our American friends would think of that,"
Mueller-Maguhn said.

As for Microsoft, Fernandes believes the onus is on the software giant
to come up with a more convincing explanation for "_NSAKEY" than the
suggestion it originally offered, that the designation merely confirms
that the key satisfies security standards.

Reached Monday by phone, Fernandes was cautious about whether he's
sure the "_NSAKEY" was really put in place by the NSA. But he's also
not about to reject the natural assumption -- backed up by many other
experts -- that it was.

"I don't actually know what it was that I found," he said. "The most
I'm willing to damn Microsoft for was that their public stance about
the key did not make a lot of sense. It would have been easy enough to
show that their story was true. Bring forward a couple of software
developers and a couple of paper documents -- they are low tech, but
they work.

"It would not be that hard. They didn't do that. They took the tack,
'Oh, gee, don't worry about it. Of course we wouldn't do that.' They
gave the used-car salesman approach. People did not like that. Users
are getting more savvy. Europeans, especially, know about data
protection and privacy issues. The 'aw-shucks, just-trust-us' approach
doesn't work any more."

But Fernandes also stressed that regular people should not waste much
time worrying about whether the NSA is spying on them. Huge
corporations and, for example, foreign armies, should worry.

"If you're using Windows NT in a nuclear missile command-and-control
center, yes, you should be concerned," he said. "If you're filing
recipes or e-mails from friends, don't waste any sleep over it."

ISN is hosted by SecurityFocus.com