Get the Facts about NSA reviewing Microsoft
Today, at work, one of my bosses approached me and blurted out “Have you heard that SNA are ‘helping’ Microsoft on Vista security?”. I corrected his ‘SNA’ to NSA, and wondered what all the fuss was about - NSA doing security reviews and helping out with security on the OS level isn’t something new - it’s part of an ongoing program that has already benefited GNU/Linux (see: SELinux - first release 2001) and Apple Mac OS X. NSA helped out on both Microsoft Windows XP and Microsoft Windows Server 2003, and has kept a close eye on all widespread software on the market since the early days of computing. My colleague looked at me with a little tell-you-a-secret look in his eyes, and blurted “But are you really sure they are improving security, not introducing backdoors?” - obviously he’s read one too many blog entries on the subject. I started telling him about PROMIS, the Prosecutor Management Software database program developed by Inslaw during the 1970s, source code stolen by the US DoJ and distributed amongst others to the CIA and Mossad, who according to Gordon Thomas in Gideon’s Spies: the Secret History of the Mossad adapted the software into a Trojan horse, and sold in excess of $500 million worth of that version to foreign intelligence agencies in order to spy on them.
Suspicions that Microsoft Windows might contain a backdoor have been voiced since the early days of Microsoft dominance. Many writers point out the absurd thought of NSA ninja spies sneaking around in the server rooms of Redmond at night, secretly inserting backdoor source code into the winnt kernel, arguing that the programmers at Microsoft would find such code snippets quickly, and wouldn’t keep quiet about their findings - programmers being noisy and leaky animals. Problems with this assumption:
- Microsoft development is fragmented; individual teams of programmers don’t keep track of the source of neighboring projects. Windows is deliberately developed in a modular fashion - and the final product is all rolled into one package.
- Microsoft Windows consists of huge lumps of legacy code that is nearly never touched. It just gets thrown into every new release. No review - no discovery of old sneaky code snippets. It’s a pretty simple task to hide away an effective backdoor in the floppy disk driver, or a legacy SCSI controller driver. Spaghetti ^^
- Programmers are extremely good at keeping secrets. Especially if they are working for the NSA.
- European computer scientists have already pointed out potential kernel hooks that are indications of a dedicated Windows backdoor.
The country that’s probably most anxious to secure itself from eavesdropping would be Germany - left out in the cold from Echelon and with a strategic position in European and international economics. Since the early 2000s Germany has pushed for transparent technology solutions that would assure greater resistance against eavesdropping, with the Bundeswehr really starting the transition in 2001. The major driving forces behind European endorsement of FLOSS are:
- Security. Transparent designs, home brew solutions, a comfortable distance between Israeli/American intelligence services and the software developers. Elimination of a single point of failure. The most effective way to combat eventual backdoors built into core software.
- Economy. FLOSS promotes a healthy local and global free market for software development. Local developers would gain entry into a whole new market, and savings on licensing costs would prevent a multi-billion bleed of money out of Europe and into the USA. FLOSS creates new jobs in the European market.
- Culture. FLOSS has traditionally been far better at supporting minority languages, and the philosophy of the GPL promotes cultural coexistence and cooperation. Promotion of the European cultural diversity, and further development in the future of our culture, based on our cultural heritage. Closer pan-European cooperation on FLOSS would also promote closer cultural exchanges, just as closer cooperation in economics and security are mutually beneficial.
My point with all this is simple. Although anyone could sneak a backdoor into GPLd or BSDd source, the weaknesses of closed source foreign software don’t exist. The constant changing and reviewing and rewriting of FLOSS by multiple individuals through time assures that there’s no guarantee a backdoor would remain in place for more than a few minutes before being rewritten and destroyed. And this without actively searching for backdoors through regular source reviews.
There are no significant indications that Microsoft Windows Vista carries a greater chance of containing an NSA appointed backdoor than earlier editions of Microsoft Windows. It’s almost certainly a fact that the cryptology functions in Microsoft Windows carry a backdoor for the NSA. But then again - NSA is appointed with the dual tasks of spying on foreign communications and securing American communications - thus they really can’t responsibly build complete, open root kits into Microsoft Windows - guess if such a gift would be abused by the script kiddies worldwide to wreak havoc?
The story was that NSA just does their job - they are helping to secure Vista - just as they have helped and are still helping to secure OS X (BSD) and GNU/Linux. Nothing really suspicious about it. Apart from the snooping part. Next conspiracy please!








Nope, no significant indications at all — except for the “We don’t comment on national security issues” from Microsoft’s press spokesperson.
BTW, please don’t lump me in with Alex Wacko Jones. Unless, of course, you can prove that I’ve been putting forth some bizarre conspiracy theory. Good luck. :)
Re: Michael Hampton
No, you haven’t been putting forth any wacko conspiracies - as opposed to the fragile observations of my colleague ^^
I’m sorry if the article didn’t make this point clear enough.