15 comments

6

"Hold it right there, criminal scum!" will be the welcome message of my SSH server for clients connecting from PowerShell or with keys generated by Windows, followed by a forced logout.

Why? Because there is a backdoor in the central crypto DLL of all versions of Windows newer than early Win95: a backdoor consisting of two hardcoded keys, one confirmed to be labelled NSAKEY in the debug symbols. Allowing a closed-source SSH client from Microsoft and under Windows to connect to your server means compromising security.

I generally don't swear, but: Fuck no! Microsoft offering SSH in Windows is not an increase in security, it is precisely the opposite.

0

Please, don't be spreading FUD. This variable was introduced in 1999, in Windows NT4 SP5, and there is no evidence at all that it's a backdoor. This symbol was introduced 16 years ago and since then nobody has shown how this "backdoor" is supposed to work (in a technical sense); there are only suspicions and accusations. Security researchers have had freaking SIXTEEN years to show how exactly this backdoor is constructed. The only reason people say that there's a backdoor is the name of a symbol in a library, three letters, nothing more.

1

According to those present at the conference, Windows developers attending the conference did not deny that the "NSA" key was built into their software. But they refused to talk about what the key did, or why it had been put there without users' knowledge.

If you have closed-source software that contains hardcoded keys, one of which is labelled as NSAKEY in the debug build, coming from a company that is factually known to cooperate with the US government under the obligation of NSLs and to give at least the FBI and NSA access to their users' data; and if those agencies are determined to "collect it all", have demonstrated disregard for the law they operate under, and have claimed in internal documents to be very successful in breaking either the crypto or the implementation of SSL, TLS and SSH; and if those agencies are part of a government that has been prohibiting export of strong crypto outside the US since the 90s while having interfered with the definition of security standards by standardizing weakened ciphers and curves through NIST; and if there is no explanation or comment from developers of that company as to why those keys are hardcoded into a central part of the crypto library of the Windows operating system and there is no good reason for those keys to be there in the first place; then assuming all is fine and that you can trust Microsoft's implementation of SSH is unreasonable, and being sceptical of it and refusing it is not spreading FUD.

0

I understand that for some people facts aren't that interesting and all that counts is fearmongering and conspiracy theories, but please, do some thinking sometimes.

If you have closed-source software that contains hardcoded keys, one of which is labelled as NSAKEY in the debug build, coming from a company that is factually known to cooperate with the US government under the obligation of NSLs and to give at least the FBI and NSA access to their users' data.

No, the fact that there are hardcoded keys isn't suspicious at all. How else would you implement digital signing of software? That's what these two keys are: they are public keys for software signing. Why are there two of them, and why does one have 'NSA' in its name? Back in the day there were cryptography export restrictions (at the request of the NSA); you couldn't export strong algorithms outside the USA, so software often had two versions, with stronger and weaker crypto. As you can guess, one of these keys is weaker and one is stronger. Now you understand why this key has 'NSA' in its name: this key was needed because of restrictions required by the NSA.

Okay, let's say that Microsoft are dirty liars, and they created the second key just as a digital-signing backdoor for the NSA. In that case you should ask yourself, why would they do that? Why would they create a second key when they could just give their own key to the NSA and not cause any suspicion? Also, ask yourself why in bloody hell the NSA would need a backdoor in such an uninteresting module of Windows. It's not like it would gain them any way to remotely access the Windows PC.

Please, do some research; don't base your opinions on your feelings and prejudices. Sadly, I don't expect that I will convince you; people with a "wake up sheeple!" mentality aren't the ones that like being proven wrong.

http://web.archive.org/web/20000520001558/http://www.microsoft.com/security/bulletins/backdoor.asp

https://news.ycombinator.com/item?id=9292749

2

Welcome to the 1990s. SSH and variants have been available for *nix for a couple of decades.

The command line and related tools have been the weakest link on Windows, especially for those accustomed to the powerful collection of Unix command line tools and interpreters for system administration as well as software development.

1

I came to post the same snark... :) It's a good thing, but at least 10 years too late to announce it without getting some mockery.

0

The command line and related tools have been the weakest link on Windows

Completely agree. I'm a Linux guy and the company I work for is by and large a user of Linux servers. I have had to create a bunch of PowerShell scripts for our few Windows servers over the years and I have to say it's a godsend compared to before. It's not perfect, but compared to creating command line batch files, it's a welcome advancement.

1

Finally, I've been waiting for this for years. Unfortunately, PowerShell still has many problems: it's slow, really verbose, and an OO shell is a totally foreign concept for most users, including me. IMHO most users were expecting something simpler, like Hamilton C shell or even TakeCommand.

0

IPython? Honestly, parsing ASCII pipes for data types gets annoying after the first hop.

0

I actually do not hate PowerShell (there aren't really a whole lot of other options built into Windows Server to choose from instead of it, though :) ). It has a somewhat steep learning curve, but it's basically a .NET scripting language. Coming from someone who writes C# code for a living, it's not the worst they could have done.

0

Oh my god, about bloody time too! That of course means that Windows will also have a built-in SFTP server at last. :)

0

It's really not as much fun discussing something while constantly being insulted. You may notice that I did not do that in my post; there is no hostility from my side. The trait that you are painting on my back, that I would be irrational, opinion-based and of a "wake up sheeple" mentality, is what you are demonstrating yourself by means of your expression. Please, if you want me to accept that I only throw around opinions while your perspective is the factually correct one, do show some evidence. Because so far we have both only voiced opinions or conclusions.

You are wrong if you assume me to be too ignorant to admit fault or see the truth when it is presented to me. I am willing to continue the discussion, but only under the condition that you refrain from defaming me or insinuating things you can't know about me.