Forgot your password?
typodupeerror
Windows Operating Systems Software Security Your Rights Online

UK Government Wants a Backdoor Into Windows 598

Posted by CmdrTaco
from the there-are-plenty-of-worms-available dept.
REBloomfield writes "The BBC is reporting that the British Government is working with Microsoft in order to gain backdoor access to hard drives encrypted by the forthcoming Windows Vista file system. Professor Anderson, professor of security engineering at Cambridge University, urged the Government to contact Microsoft over fears that evidence could be lost by suspects claiming to have forgotten their encryption key."
This discussion has been archived. No new comments can be posted.

UK Government Wants a Backdoor Into Windows

Comments Filter:
  • China & PGP (Score:5, Informative)

    by eldavojohn (898314) * <[moc.liamg] [ta] [nhojovadle]> on Wednesday February 15, 2006 @09:52AM (#14723740) Journal
    Well, to be fair, a few people do believe that Microsoft has a backdoor built into their OS [cnn.com] that would allow the United States Government to shut down all Chinese Government PCs running Windows.

    Oh, and there are a few people who also consider encryption a matter of freedom of speech [wikipedia.org].

    Funny the U.S. government targets Phil Zimmermann [philzimmermann.com] for three years but hardly raises so much as an eye when an encryption enabled OS is distributed. From Mr. Zimmermann's homepage:
    Philip R. Zimmermann is the creator of Pretty Good Privacy, an email encryption software package. Originally designed as a human rights tool, PGP was published for free on the Internet in 1991. This made Zimmermann the target of a three-year criminal investigation, because the government held that US export restrictions for cryptographic software were violated when PGP spread worldwide.
    I think that his "criminal activity" was creating an encryption tool that allowed messages to be encrypted beyond what the United States government was capable of deciphering in a timely manner. Does anyone know if this is still enforced? Does anyone know what the max key length is now if it is? I think it was something like 128 bits (that the government could crack) around the time of PGP.
    • Re:China & PGP (Score:5, Insightful)

      by rpjs (126615) on Wednesday February 15, 2006 @09:56AM (#14723777)
      It wouldn't surprise me in the least if the US govt has had a back-door inserted into Vista. The problem for the UK govt is that clearly the US govt doesn't want to share it with them. And would the uS govt want to allow any other govt to have their own back-doors, with the potential to remotely access PCs running Vista in the US? Somehow I doubt it.
      • Re:China & PGP (Score:4, Interesting)

        by iagreewithmichael (927220) on Wednesday February 15, 2006 @10:20AM (#14723944)
        seems we may see the fragmenting of the OS market with each local government insisting that only a domestic version be sold within its borders all in the name of security.
      • Re:China & PGP (Score:3, Insightful)

        by stevey (64018)
        It wouldn't surprise me in the least if the US govt has had a back-door inserted into Vista.

        Frankly I think it sounds insane.

        Think of the number of people who work at Microsoft, even if you limit yourself to the people working upon the OS and not Office, etc, you're talking about literally hundreds of people who can view the source.

        Then there are the people who gain access to the source code under educational licenses, NDAs, etc.

        The idea that all of them could miss something that was a backdoor is a lit

        • Re:China & PGP (Score:3, Insightful)

          by TehDagda (941402)
          "The idea that all of them could miss something that was a backdoor is a little hard to swallow."
          Sure, but at the same time, such a 'backdoor' does not necessaraly need be a huge part of the code base. There could very well be a very small, controlled group working on that specific piece of code and no one else ever needs to see it in order to write their own part of the code. You don't have hundreds of people looking at ALL the code, you have hundreds of people looking at hundreds of pieces of the code.
    • Interesting Points (Score:4, Insightful)

      by millahtime (710421) on Wednesday February 15, 2006 @10:02AM (#14723811) Homepage Journal
      US export restrictions for cryptographic software were violated when PGP spread worldwide.

      This bring up an interesting point on ITAR and the US. Some encryption technologies could violate ITAR if they are done in the US and then exported to other countries. If I remember right, that was part of the reason encryption on OpenBSD was done in Canada.

      Oh, and there are a few people who also consider encryption a matter of freedom of speech.

      Some would, but how many governements and what is protected under the law. That is different everywhere. Others, also, consider it a privilege.

      Some of these laws, in paticualr with the US, are actually there to protect it from other countries. Many people in the country may not want to protect the countires competitive edge but others do and that is part of what our government has been taked with for a long time.
      • by yo_tuco (795102)
        "If I remember right, that was part of the reason encryption on OpenBSD was done in Canada."

        Read about it here: http://www.openbsd.org/crypto.html [openbsd.org]

        From the link:

        "The cryptographic software components which we use currently were written in Argentina, Australia, Canada, Germany, Greece, Norway, and Sweden."

        "When we create OpenBSD releases or snapshots we build our release binaries in free countries to assure that the sources and binaries we provide to users are free of tainting."


        And a summary of Canada's expor
    • Re:China & PGP (Score:3, Informative)

      by Your Anus (308149)
      In the mid-to-late 1990's the US Government loosened the rules significantly. They recognized that strong encryption is already available outside the US, so export controls are useless. In fact, there is encryption built into the Linux kernel to handle ipsec among other things. The only requirement now is some sort of notice regarding where the encryption product is stored. I'm not sure about commercial products, but the PGP source is exempt under the same rules.
      • I have a T-shirt around here somewhere that has the RSA encryption algorithm written in Perl in an easily OCR-able font, with a large barcode shown below it that encodes the same text. On the back, it says, "This Shirt is a Munition", and then goes on to list the federal regulations that restrict exporting the shirt.

        At the time I got it, it was fairly geek-chic, but now it's just outdated ;)

    • Re:China & PGP (Score:5, Informative)

      by m50d (797211) on Wednesday February 15, 2006 @10:39AM (#14724093) Homepage Journal
      Funny the U.S. government targets Phil Zimmermann for three years but hardly raises so much as an eye when an encryption enabled OS is distributed.

      Not anymore, they have at last relaxed their restrictions, but they still did for a while - remember Debian nonus mirrors? The weak SSL in versions of IE4 shipped outside the US? OpenSSH having to be developed in Europe? The fact that you still have to download a separate file to get unlimited strength crypto in Java? And officially speaking you still have to notify the US government you're distributing strong encryption.

      I think that his "criminal activity" was creating an encryption tool that allowed messages to be encrypted beyond what the United States government was capable of deciphering in a timely manner.

      He was charged with exporting the munition - the problem wasn't so much that he'd created said encryption tool as that he'd put it on an ftp where $NASTY_REGIME could get it.

      Does anyone know if this is still enforced?

      As I said, officially speaking you have to notify the US government if you are exporting strong crypto from the US, and I think you're not allowed to directly export to anyone on their list of bad guys. In practice I don't think they care any more, crypto is so widely available.

      Does anyone know what the max key length is now if it is? I think it was something like 128 bits (that the government could crack) around the time of PGP.

      You weren't allowed to export more than 40, and AFAIK that hasn't changed.

      • Re:China & PGP (Score:3, Informative)

        by deblau (68023)
        Does anyone know what the max key length is now if it is? I think it was something like 128 bits (that the government could crack) around the time of PGP.

        This information can be found from the Bureau of Export Administration's regulations [gpo.gov], in particular, the Commerce Control List (CCL), 15 C.F.R. 774 [gpo.gov]. The alphabetical index lists "encryption software" as deisgnation "5D002", and the numerical index places 5D002 under "Information Security - Software". A hop over to that section [gpo.gov] says the following:

        Encryptio

  • Truecrypt (Score:5, Informative)

    by ivan kk (917820) on Wednesday February 15, 2006 @09:52AM (#14723741)
    Let them try.
    We have alternatives.
    http://www.truecrypt.org/ [truecrypt.org]
    • by Anonymous Coward on Wednesday February 15, 2006 @10:44AM (#14724126)
      ...the TrueCrypt binaries alone in your possession then every piece of digital media you own that appears to contain random bytes will be accused of holding an encrypted volume and they will torture out of you whatever they want to hear you say.

      Oh wait, I forgot... civilized Western nations never commit torture upon their subjects.
    • by Anonymous Coward on Wednesday February 15, 2006 @11:26AM (#14724479)
      It's worth noting that harm can come not only from data being revealed under coercion, but also from data becoming unavailable.

      If terrorists or an oppressive government take your computer and hard drives away, anyone who depends on that data is very much out of luck.

      For this reason, local encrypted filestores and plausible deniability are only part of the puzzle. Quite a lot more is required, in particular cryptographic online distribution.

      A comprehensive solution will need to use a large population of fixed size raw dataspaces spread across the net, instead of local disks. Quite likely, it would be stored steganographically 1:<large-N>:1 so that (for example) changing webcam images could be used as repositories. And it will need cryptographically-random access for site selection and dataspace selection and to individual bits in the dataspaces. And it'll need huge redundancy since the online storage will be inherently unreliable, yet without laying the scheme open to pretty simple differential cryptoanalysis.

      That's a very tall order.
    • Private Disk (Score:4, Interesting)

      by gr8dude (832945) on Wednesday February 15, 2006 @12:33PM (#14725043) Homepage
      Well, TrueCrypt is freeware and open-source, but there is also another aspect that has to be taken into account - it is NOT a certified product.

      Institutions such as NIST test the implementations of the algorithms, then the program either gets certified or not.

      The problem is that without certification, we do not know whether what they've implemented is what they think they've implemented*.

      The point is that they might use some obscure algorithm nobody knows - which has no guaranteed strength; thus one cannot rely on it. They can also implement standard algorithms such as AES or DES - but were they correctly implemented?

      Sure - "why don't you take the sources and look at them yourself?" some might say, but is everybody competent enough to do that?

      On the other hand, implementing something and then certifying it, means that:
      [a] it was done right
      [b] it is as strong as the standard says


      In the case of encryption, the strength is in the key itself and in the mathematical basis of the algorithm, NOT in the obscurity of the mechanisms applied within the software.

      One minor thing - NIST certification is expensive, I doubt TrueCrypt will pass it, unless some company pays for this. Commercial encryption software is a different thing, if they want to be treated seriously, they must go for it. An example is Private Disk [dekart.com].

      * an old saying:
      "The problem with computer programs and programmers is that the program does what the programmer wrote, not what he thought he wrote".
      • Re:Private Disk (Score:4, Insightful)

        by Anonymous Coward on Wednesday February 15, 2006 @12:59PM (#14725282)
        > The point is that they might use some obscure algorithm nobody knows

        But they don't (invalid point).

        > They can also implement standard algorithms such as AES

        Which they did.

        > but were they correctly implemented?

        Yes. Ever heard of test vectors? It's easy to verify if a cipher is correctly implemented using official test vector sets.

        > One minor thing - NIST certification is expensive, I doubt TrueCrypt will pass it, unless some company pays for this.

        Now, I bet you are the developer or seller of the commercial encryption software you mentioned. Your message basically is: "Look, without money they are worse than us. Commercial stuff is better. Free software sucks." You are just a troll.

        The most important point is, however, that being open source is a _premise_ of any security software that is to be trusted by general public. Closed source security is not real security.
      • Re:Private Disk (Score:3, Informative)

        by Anonymous Coward
        "The point is that they might use some obscure algorithm nobody knows - which has no guaranteed strength; thus one cannot rely on it. They can also implement standard algorithms such as AES or DES - but were they correctly implemented?"

        It sounds like you haven't done that much research on Truecrypt. It uses industry standard algorithms like Blowfish, Twofish and AES.

        For relying that a piece of software does what it says, you have to rely on Peer review.

        I understand what your saying and how for business use
      • Re:Private Disk (Score:3, Informative)

        by Kjella (173770)
        Well, TrueCrypt is freeware and open-source, but there is also another aspect that has to be taken into account - [snip]

        Let's try this one more time, closer to how it actually works:

        Lots of people come up with crypto ideas - DES in the US, Rijendael in the EU, GOST in Russia. If this a conspiracy, it's a pretty damn wide one. These are published standards, with reference implementations, test vectors and the works. Crypto analyzers from all over the world are whacking away at them, and if you can find a way
  • Why? (Score:2, Interesting)

    by jjares (141954)
    This simply doesn't make sense. What prevents an user, using a different tool without said backdoor?
    • Re:Why? (Score:3, Interesting)

      by mustafap (452510)
      Simply that the vast majority of users will use Windows defaults.

      You would be surprised how dim some crooks can be, like thinking that swallowing a sim card will destroy the data. Or even snapping it in two - might break the bond pad connections, but not the die. Easy to fix.
    • Re:Why? (Score:5, Insightful)

      by 1u3hr (530656) on Wednesday February 15, 2006 @09:57AM (#14723781)
      This simply doesn't make sense. What prevents an user, using a different tool without said backdoor?

      Laziness, ignorance; the same that prevents them from using encryption now.

    • Re:Why? (Score:4, Insightful)

      by arivanov (12034) on Wednesday February 15, 2006 @10:14AM (#14723902) Homepage
      Err... You did not understand the target.

      The problem UK govt is having and US govt will have the moment they realise what is going on is that any media files on Vista PCs when distributed correctly via the supplied Vista Windows Media frameworks will be immediately encrypted and locked down using the TPM module to the specific machine. On top of that this will be determined by the people who distribute the files, not the users. This makes the current approach of taking disks out and hooking them to a forensic environment unfeasible. They will have to be decrypted on the machine after the user has logged in. It is sufficient for the user to refuse to log in on the machine and the police is stuffed.

      As a result any attempt to collect proof of child pr0n and b00tleg movies/music will run into some serious difficulties as long as the providers of illegal goods have done their job of using Windows Vista right.

      Frankly, the UK govt should whinge elsewhere. MPAA and the TP group is a good start. Whinging at MSFT is not going to get them anywhere because it will be not just MSFT, it will be everyone implementing this on every device in 5 years time.
      • Re:Why? (Score:3, Interesting)

        by CastrTroy (595695)
        Couldn't they just brute force the password? Assuming that the password was under 15 characters (most cases), and the information was valuable enough, they could do it. A lot easier than brute forcing the 256-bit encryption or whatever it is they are using.
        • Re:Why? (Score:3, Informative)

          by arivanov (12034)
          They will still need the original computer to decrypt the media files as they will not have the TPM modules and the hardware keys to their disposal.

          Even if the password is recoverable they will still have to go through a considerably more complex forensic exercise.

          I am saying if, because TPM can allow any OS (be it Vista, be it Linux with TPM) to lock down access to any data (and even booting) based on a combination of machine keys and credentials. I can bet that this will be used massively in corporate

    • Re:Why? (Score:3, Informative)

      by mikerich (120257)
      This simply doesn't make sense. What prevents an user, using a different tool without said backdoor?

      Nothing, but in the UK it is an offence to refuse to pass encryption keys to the Police if you are requested to do so.

      This TCP idea doesn't give users access to the keys, so it falls outside of the Regulation of Investigatory Powers Act - hence the supposed need for a backdoor into the encryption system.

      Now we just have to wait for the media companies, that lobbied for TCP in the first place, to deman

      • Now we just have to wait for the media companies, that lobbied for TCP in the first place, to demand access to the back door so that they can check machines for illegal movies.

        And so, inevitably, the Powers That Be(TM) competing to dominate the lives of the Minions(TM) come into conflict.

        If the governments get their way, there will be no true encryption permitted, because otherwise they can't spy on people.

        If there is no true encryption, there is no point whatsoever to having the TPM, the entire DRM

  • Suggestion (Score:3, Funny)

    by saboola (655522) on Wednesday February 15, 2006 @09:53AM (#14723749)
    They do a google search for "backdoor" and "windows", then just take their pick. Microsoft if nothing else, offers a variety of backdoors for your every need.
  • IE (Score:4, Funny)

    by hardticket (696737) on Wednesday February 15, 2006 @09:53AM (#14723750)
    Internet Explorer will offer all the back door access they need
  • by Anonymous Coward on Wednesday February 15, 2006 @09:53AM (#14723753)
    What good is encryption if your government can read it - before long half the criminals in the country know how to decrypt your files - especially they way the British Secret Service has been losing laptops lately....
  • Pfff (Score:4, Insightful)

    by Arthur B. (806360) on Wednesday February 15, 2006 @09:54AM (#14723756)
    Let bad guys use deniable encryption schemes and this won't even be a concern... Please, someone in the U.K. gov get a clue about encryption!
    • Re:Pfff (Score:5, Interesting)

      by elrous0 (869638) on Wednesday February 15, 2006 @10:03AM (#14723824)
      What bad guy would be stupid enough to trust any encryption or security scheme introduced by a major corporation to begin with? If you want encryption, you go with open source. With any corp that has to answer to the government, you'd might as well assume there WILL be a backdoor.

      In the end, the bad guys will use real encryption and the backdoor won' effect them. It will only serve as a security risk for legitimate users.

      -Eric

    • Let bad guys use deniable encryption schemes and this won't even be a concern. Please, someone in the U.K. gov get a clue about encryption!

      Doesn't seem likely. IIRC, its the law in Britain that you have to turn over your encryption key if lawfully ordered to. Even if you feed them keys for a RubberHose-type system of deniable encryption, I'm sure they'll detain you until it turns up something good. Law enforcement wouldn't buy that a sophisticated encryption system like that was set up solely for keeping c
  • If someone gets a hold of your whole computer, they can read files. If someone hacks your system, they can read your files.

    About the only thing windows encryption seems to be able to do is prevent you from recovering your files if your PC ever dies.

    Whats the point?
    • by brunes69 (86786) <slashdot&keirstead,org> on Wednesday February 15, 2006 @10:09AM (#14723864) Homepage
      You should not be able to read the files without logging into the computer with your password and/or other identification token.

      After logging in, the files are accessable. But not before. Someone who just swipes your PC would boot into Windows but would be unable to read any data files, even with a seperate boot CD. That's the whole idea.

      But if the government adds a backdoor, you can bet that a hacker (white or black hat) would find it as well, probably within a few weeks of the OS being out. Thus making the encryption useless.

      The whole government complaint is useless anyway because for all they know people can be using deniable encryptionn schemes *today* and they'd never even know about it.
    • If someone gets a hold of your whole computer, they can read files. If someone hacks your system, they can read your files.

      Having needed to break into someone's system to recover encrypted files, I can say it's not that simple.

      Windows NTFS encryption is certificate based. For installs done by anyone not a professional paranoid, the user has access to the file recovery certificate, and the domain administrator may have access to a file recovery certificate valid domain-wide. To use a certificate stored

  • by Arthur B. (806360) on Wednesday February 15, 2006 @09:56AM (#14723769)
    ... until the crack is published :) (sadly this is more insightful than funny)
  • Let's be fair... (Score:4, Insightful)

    by qwertphobia (825473) on Wednesday February 15, 2006 @09:56AM (#14723770)
    \ They just want to play with the big boys. We all know the NSA, the CIA, and the FBI each have their own key! \
  • Heil Clarke (Score:2, Insightful)

    by Kirth (183)
    What, the Gestapo isn't happy that they might not be able to read the contents of your hard-drive? What a surprise.
  • Eh? (Score:3, Funny)

    by squoozer (730327) on Wednesday February 15, 2006 @09:57AM (#14723779)

    Why don't they just use one of the hundreds of backdoors that everyone else uses? Seems to me M$ are already complying with this request several times over.

  • by johnnywheeze (792148) on Wednesday February 15, 2006 @09:57AM (#14723784)
    Pretty sure that's the point of encryption. Making sure that nobody but you and people you trust can read your data, and anyone else up to and including the government can't. Even if they really really want to.

    When did a healthy mis-trust of government suddenly get you tin-foil hat status, and a visit from the FBI?

    • by Anonymous Brave Guy (457657) on Wednesday February 15, 2006 @03:56PM (#14726593)
      When did a healthy mis-trust of government suddenly get you tin-foil hat status, and a visit from the FBI?

      In the US, 12 September 2001.

      In the UK, 8 July 2005.

      You get the idea.

      After a major terrorist act, the population is angry, not rational. Many are personally affected by the attacks. Thoughts of proportionate responses and civil liberties are overwhelmed by fear and grief.

      This is, of course, the ideal time for a government to try to increase its own power at the expense of the people it should represent. This goes double for governments with only a tenuous hold on power, as is usually the case in the US because of its two-party politics, or for governments whose very mandate is dubious, as is the case of Blair's UK government (which didn't actually win the popular vote in England, and has often relied on the votes of Scottish MPs to push through controversial legislation to which their own constituents will be immune because the Scottish Parliament will decide for them separately).

      Hence it is precisely in the wake of a terrorist atrocity that we should be keenest to protect our civil liberties, for it is at these times that they will naturally come under the gravest threat.

  • by twoshortplanks (124523) on Wednesday February 15, 2006 @09:59AM (#14723799) Homepage
    From TFS:
    Professor of security engineering at Cambridge University, urged the Government to contact Microsoft over fears that evidence could be lost by suspects claiming to have forgotten their encryption key.
    Then lock them up for that. It's a crime to not provide your key under the RIP bill [parliament.uk]. If the government is going to pass stupid legislation like that, then they shouldn't need these backdoors.
    • by kraut (2788)
      > Then lock them up for that. It's a crime to not provide your key under the RIP bill.
      Ah, but according to the article you the user don't actually have access to the key - it's inside a chip. Quoth:
      The system uses BitLocker Drive Encryption through a chip called TPM (Trusted Platform Module) in the computer's motherboard.

      It is partly aimed at preventing people from downloading unlicensed films or media.

      "This means that by default your hard disk is encrypted by using a key that you cannot physically get
    • I don't think that law has as many teeth as you seem to think.

      According to 49(5)(a), the max punishment for not disclosing your key is two years. Compare that to whatever the max punishment is for having kiddie porn on your PC, or plotting to assassinate the PM/Queen/visiting dignitary or whatever. Two years is likely going to be far less, and you'll end up with a much cleaner slate afterwards. Having to tell people "I was put in jail for standing up for privacy rights" sounds a lot better than "convicted s
      • by IIH (33751)
        I don't think that law has as many teeth as you seem to think. According to 49(5)(a), the max punishment for not disclosing your key is two years. Compare that to whatever the max punishment is for having kiddie porn on your PC

        What is the maximum punishment for doing nothing wrong, and simply forgetting a password? TWO YEARS

        That's right - two years might seem a lot less than the punishment for kiddy porn, or whatever, but it's a hell of a lot more than anyone should be imprisioned for without any evidenc

  • Not "lost" (Score:5, Interesting)

    by ajs (35943) <<moc.sja> <ta> <sja>> on Wednesday February 15, 2006 @10:01AM (#14723807) Homepage Journal
    This is that definition of "lost" that appeared in the late 20th century. It's akin to the money that the music industry is "losing" due to file sharing. The evidence is not lost, it is as yet, undiscovered, and in any civilized country, we would not assert that there WAS any evidence unless we could actually see it. In the U.K., however, they actually have a law that says that you have to reveal your secret keys to the authorities with no provision for simply not knowing them. You can be convicted of the crime of having white-noise on your disk that authorities assert is encrypted data to which you are refusing to reveal the key. Heck, you could be convicted of a crime for not divulging the key to /dev/random, which is clearly some secret message channel from an unknown party, since messages arrive from it in small bursts!
  • Contempt of court (Score:4, Interesting)

    by springbox (853816) on Wednesday February 15, 2006 @10:04AM (#14723831)
    I often see arguments like this one [slashdot.org]. What's the point for some people to encrypt their files (other than temporary privacy) if you're going to get in trouble later in court anyway for not revealing your keys? Now this might actually be unlikely, but what if average windows user genuinely forgets their password? Seems kind of unfair.
    • Re:Contempt of court (Score:4, Interesting)

      by geoffspear (692508) on Wednesday February 15, 2006 @12:14PM (#14724886) Homepage
      One would hope that you're not going to be forced to reveal your password unless the Government establishes probable cause that you've committed a crime.

      It's kind of silly to think that an average user with no incriminating evidence encrypted is going to be randomly ordered to turn over a password, and thrown in jail for legitimately forgetting it. It's a disturbing thought that the law, as written, could lead to that, but it's not a compelling argument against using encryption if you're not a criminal.

      Using this sort of hypothetical scenario to argue against routine use of encryption is a bit like arguing against keeping sharp knives in your kitchen, because you're afraid the police might claim you stabbed someone with one of them and cleverly removed all forensic evidence of the stabbing from the knife.

  • Great! (Score:5, Insightful)

    by 1u3hr (530656) on Wednesday February 15, 2006 @10:05AM (#14723835)
    If governments force a backdoor to be installed, it'll be for sale to crackers before the gold masters are pressed, and common knowledge a few weeks later. So "trusted computing" can be subverted using the govt master key. And anyone who actually wants to keep secrets will install somethng that works while not requiring a magic dongle on the mobo. The govt will be able to read data from clueless suspects as they do now. So a win all round. And who doesn't suspect MS would leave backdoors anyway?
    • Re:Great! (Score:3, Insightful)

      by TobascoKid (82629)
      And who doesn't suspect MS would leave backdoors anyway?

      I don't - seeing as we're talking about TPM/"Trusted Computing" - the hardware level DRM system that only benefits Microsoft, Apple, RIAA, MPAA et al. A backdoor into TPM would break the fancy new DRM that's coming with Vista. Why would Microsoft build back doors into something that's suppossed to protect them ?
  • Inevitable (Score:3, Insightful)

    by BenjyD (316700) on Wednesday February 15, 2006 @10:07AM (#14723850)
    It was inevitable something like this would happen after the whole 90 day detention debacle. Labour kept using the excuse of "needing time to break encryption" for requiring 90 days of detention without trial. Anyone with half a brain told them that any decent encryption is going to take many years to break, so I guess this is their response.
  • by TheEvilOverlord (684773) on Wednesday February 15, 2006 @10:08AM (#14723852) Journal
    I don't really see why the need this anyway.

    The government has the RIP Act [wikipedia.org] (Regulation of Investigatory Powers Act 2000) which allows them to detain you, with a press gagging order if you refuse to hand over the encryption key they need to decrypt your data. If you refuse or claim you have forgotton and they don't believe you, then it's two years in gaol for you sonny jim.

    They only really got this into law because most people don't understand it. Oh and don't forget that since this government came to power the amount of time they can hold you, uncharged, under the terrorism act has gone from 7 to 28 days... and the police want 90! Yes ninety days, 3 months, 2160 hours!
    • If you refuse or claim you have forgotton and they don't believe you, then it's two years in gaol for you sonny jim.

      I'm not saying I like the idea of MS actually intentionally putting a back door in their OS, what with all the ones that are in it by accident. But I can see them trying to justify it. After all, depending on what you're likely to get busted for, two years locked up may be a cakewalk to what you'd get if they could get your data.

      Of course this will only help catch stupid criminals. At le
  • keyloggers (Score:5, Interesting)

    by Barbarian (9467) on Wednesday February 15, 2006 @10:09AM (#14723859)
    How about making governments install a keylogger before they seize the computer? Hardware or software, it would go in the old tradition of installing a telephone tap. It's not that hard either. Did the government demand that paper notebook makers supply a backdoor so they could decipher drug accounts written in code?
  • by seanellis (302682) on Wednesday February 15, 2006 @10:12AM (#14723879) Homepage Journal
    Anyone with something to really hide will use a third-party encryption system, and "lose" the keys to that instead.

    Everyone else* will have a computer with a guaranteed back door, which I am willing to bet will be open to hackers on about Day 3 after Vista's launch.

    * - Well, everyone else who's not running Linux, of course.
  • Don't attribute.... (Score:3, Interesting)

    by gmuslera (3436) on Wednesday February 15, 2006 @10:14AM (#14723897) Homepage Journal
    to idiocy what can be explained by malice. There are a lot of backdoors around, and Windows had functional ones for years (wmf anyone?) but the intentionality of them could have been in doubt. Now if is known, proved, and by design adding another backdoor, one that will not be removed by any hotfix because is a "feature", well, 2 things will probably happen: the bad guys will find how to exploit it making all backdoored windows a target, and the bad guys find know how to disable it, so the most harmed people will be the good ones that should not have anything to hide (and because of that, removing/disabling the backdoor would make them suspectful)
  • by 1001011010110101 (305349) on Wednesday February 15, 2006 @10:18AM (#14723929)
    Why would anyone consider 'trusted computing' some binary program which you haven't compiled yourself is beyond my understanding.
  • since when... (Score:5, Insightful)

    by revery (456516) * <charles@NoSpAm.cac2.net> on Wednesday February 15, 2006 @10:22AM (#14723955) Homepage
    Since when does the government have a right to all evidence in any case? One aspect of English law that I thought existed, is that the people should be protected from the government (particularly from self-incrimination). One could reasonably argue that the average citizen needs the availability of government-inaccessible encryption, due to the decreased cost (in terms of time and manpower) required to search through computer records vs. paper records. Current computers, and the massive amounts of data that they store (internet cookies, browsing history, cache data, registry entries, etc.) make fishing expeditions much, much, easier on law enforcement than sifting through physical documents and interviewing co-workers and family.
  • by Colin Smith (2679) on Wednesday February 15, 2006 @10:22AM (#14723959)
    Not turning over the key (for any reason) is an offense punishable by a couple of years in prison anyway.

     
  • Time to switch! (Score:4, Interesting)

    by caveat (26803) on Wednesday February 15, 2006 @10:27AM (#14723994)
    OS X FileVault...AES128 encryption of your home directory with no backdoors! (At least not that I know of). Ain't nobody reading your files without your key.
    • If you need security badly enough that you need to encrypt something, then transparency of source code and algorythm level is essential. OSX is no better than Microsoft on this respect ("oh wait, you mean it was in reality an 8 bit XOR encryption instead, what do you mean a company has lied to me?!").
  • Where will it end? (Score:4, Informative)

    by NimbleSquirrel (587564) on Wednesday February 15, 2006 @10:31AM (#14724033)
    Not that I would ever buy Windows Vista, but why would I want Microsoft deciding who gets backdoor keys to my machine?

    I recall some years ago, someone found supposedly secret NSA backdoor keys buried in Windows98. I don't recall if it was actually proven, but I would not be surprised if the NSA already has backdoor keys in 98/ME/XP and now Vista. Now the British Government wants their turn. Where will it end? Once MS bows to the British, surely other governments will also demand backdoor keys. Who decides which of those governments get it?

    Sooner or later, other organisations (like the RIAA and the MPAA) will also want their keys too (if they don't already have them thanks to their DRM chips). Where will MS draw the line? I highly doubt MS would be very open about how many different governments or other organisations really have backdoor keys.

    It is easy for us to say that we'll never use it, or that there are other options out there, but I'm more worried for less computer savvy members of the public who think they are buying a secure system. I know most of those users will never use encryption, but this will set another precident that will further erode all of our rights.

  • by mikerich (120257) on Wednesday February 15, 2006 @10:35AM (#14724066)
    When the front door is wide open?

    Sorry, cheap jibe.

    This is amazing - especially when the idea is being promoted by a 'Professor of Security Engineering' at a reputable university. How can adding a backdoor to security systems be anything other than a massive weakness just waiting to be exploited?

    Imagine if this went ahead - the British government would want access to versions of Windows sold in this country, the American government to US copies of Windows, the German government ... and so on and so on... Would Microsoft allow the Chinese government access to their citizens' disks? The Chinese government are signed-up members of The War Against Terror - so they could claim they need access, and besides recent experience says that big businesses will always accommodate governments no matter how repressive.

    And it gets worse. Microsoft would either have to make a single key that would open every machine in the World; or they would have to issue copies of all the keys to every government - the British government won't accept not being allowed into a suspected terrorist's (and we have a splendidly wide definition of 'terrorist' in this country) computer purely because the suspect happens to be foreign.

    But it will all supposedly remain secure and not fall into the hands of wrong-doers.

    The Home Office, IT and Microsoft - what an unholy trinity we have there. With this level of stupidity the legislation can't be far off.

  • by massysett (910130) on Wednesday February 15, 2006 @10:46AM (#14724133) Homepage
    FTA:

    The system uses BitLocker Drive Encryption through a chip called TPM (Trusted Platform Module) in the computer's motherboard.

    It is partly aimed at preventing people from downloading unlicensed films or media.

    "This means that by default your hard disk is encrypted by using a key that you cannot physically get at...


    The government shouldn't be the only folks horrified at this one. MS wants to turn your entire computer against you, encrypting all of its contents and allowing you to read it only if MS wants to allow it. Even if you're okay with that, imagine if something in the scheme goes wrong? I've used the Windows Encrypting File System in XP, and if you lose your encryption key (not that hard--say, if you reformat your hard drive) you are permanently locked out of all the data you've encrypted.

    If this is true, MS really wants a death grip on your computer. I'd never use Vista under those circumstances.
  • by tezza (539307) on Wednesday February 15, 2006 @10:46AM (#14724135)
    Anyone who values their privacy already uses non-OS provided encryption. This will raise public awareness of the need to do the same.

    The pleasant result of all this is that it dispells the whiff of paranoid conspiracy-theory. The government has been advised to ask for the backdoor access. By a british Cambridge expert. There is every reason to think Microsoft will agree.

    There is now simple historical evidence to point the public to. Previously there were more technical , less convincing ones.

    The average person is not going to care if Microsoft accidentally included some debugging code in a patch. Even if that made it look like it had a backdoor key. "Whatever that means?", they'll say.

    A BBC news article about an expert asking for such a backdoor is a lot more convincing.

  • by ABoerma (941672) on Wednesday February 15, 2006 @11:11AM (#14724345)
    The jokes really write themselves.

    Seriously, though, I'd store inciminating stuff on something I could get rid of more easily than my hard disk.
  • by cpu_fusion (705735) on Wednesday February 15, 2006 @11:46AM (#14724649)
    When will the courts realize the bloody obvious fact that bits on a hard drive are evidence of nothing! Until computers are not able to be remotely hijacked with all tracks erased, there's no way to prove who put the bits there!!!

    As more and more traditional forms of evidence (audio tapes, photos, DNA records, VOTES for god sakes) become digitized, the more we need to be skeptical of them.

    And don't bring up digital signatures so long as keyloggers exist.
  • by MBGMorden (803437) on Wednesday February 15, 2006 @11:51AM (#14724685)
    I used to use BestCrypt as a means of keeping encrypted volumes, but I found TrueCrypt a while back and have been very satisfied. It's open source, cross-platform, and generally works very, very well. For something as important as encrypted data I want to be able to look at the code myself (and more importantly, I want a lot of other people looking at it so they can blow the whistle on any inappropriate backdoors and such).
  • USA & 5th amendment (Score:5, Interesting)

    by SnprBoB86 (576143) on Wednesday February 15, 2006 @01:15PM (#14725404) Homepage
    I'm not sure about the UK, but in the USA, wouldn't this be a 5th amendment rights issue?

    The summary states that this black hole is desirable for "fears that evidence could be lost by suspects claiming to have forgotten their encryption key", but why would a suspect have to say they lost their encryption key? Why not just plead the 5th?

    The 5th amendment states: "No person shall [...] nor shall be compelled in any criminal case to be a witness against himself [...]"

    I honestly do not believe that the contents of a person's hard drive falls into the same category of evidence as eye witnesses or DNA. A personal computer's hard drive, particularly one with an encrypted file system, is effectively an extension of that person's memory and hence any data extracted from it seems very much like testifying against oneself.
  • by Deputy Doodah (745441) on Wednesday February 15, 2006 @01:24PM (#14725477)
    Britain has sadly already become a police state. Only criminals and cops have guns, cameras everywhere, illegal to state non-liberal opinions, and now this. Once the control structure is fully in place, most Brits will find themselves being openly persecuted. Anyone want to bet how long it will be before they start implanting RFID chips in everyone? They'll start with the kids and say it's for safety.

    Unfortunately, some in the U.S. want that here. I hope the red states can save us.
  • Well..... (Score:3, Funny)

    by mormop (415983) on Wednesday February 15, 2006 @01:48PM (#14725710)
    "UK Government Wants a Backdoor Into Windows"

    Makes a change, Tony Blair's been making his back door available to Bill Gates since he came to power.
  • by maggard (5579) <michael@michaelmaggard.com> on Wednesday February 15, 2006 @01:58PM (#14725781) Homepage Journal
    Lotus Notes was 'compromised' thus long ago. See http://www.google.com/search?q=Lotus+Notes+Swedish +Parliament [google.com].

  • by lkcl (517947) <lkcl@lkcl.net> on Wednesday February 15, 2006 @02:28PM (#14726010) Homepage
    He said: "From later this year, the encryption landscape is going to change with the release of Microsoft Vista." The system uses BitLocker Drive Encryption through a chip called TPM (Trusted Platform Module) in the computer's motherboard. It is partly aimed at preventing people from downloading unlicensed films or media.

    oh please, yes please. switch on encryption that uses TPM. then all it takes is a virus to overwrite the TPM keys in the BIOS memory and that's it - game over: your entire hard drive rendered useless. mwhahahahah

"Gotcha, you snot-necked weenies!" -- Post Bros. Comics

Working...