Security Issues with MS Windows
Why is this misleading?
The biggest problem has nothing to do with whether or not the US Government might have the actual "_NSAKEY". There are legal and illegal means by which US spy agencies could gain access to the "
But if "_KEY" were replaced, anything that depended upon it would fail. With the second key, anything that depends on "_KEY" can continue working, and anything that fails a required check with "_KEY" is still allowed if it can be certified with whatever is currently installed in "_NSAKEY". Andrew Fernandes presented demonstration code that showed how "_NSAKEY" can be replaced with any correctly formed key, created by anyone, without any signs on the system that this has been done. It doesn't matter whether Microsoft has even kept a copy of the original key to fit that "
The Microsoft "
allows resetting other keys that may be used for personal, Java or ActiveX signatures, while a "PRIVATE KEY" is your key, used to sign e-mail, financial transactions, network logins (that use CryptoAPI), and, if you are a software developer, to sign your own ActiveX controls, applets, and the like. For certain functions both of these are required (example: signing), and some functions need only the first (most authoritative) key (example: for establishing it is safe to run). The "_NSAKEY" key, or what Microsoft refers to as the "backup key", is the newly discovered key that must be the cause for concern.
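The fallback behaviour described above (a check that fails against "_KEY" still passes if "_NSAKEY" certifies it) can be modelled in a few lines. This is an added illustration, not CryptoAPI code or code from the original page: it uses textbook RSA with constructed toy keys, and the class name, the slot dictionary and the fingerprint pinning are assumptions introduced to show how a changed backup slot could be noticed.

```python
# Toy model of a two-slot signature check (added example, NOT CryptoAPI code).
# Textbook RSA over known Mersenne primes; all keys and data are constructed.
import hashlib

E = 65537  # public exponent shared by every toy key

def make_key(p, q):
    """Return (modulus, private_exponent) for textbook RSA."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(msg, n, d):
    return pow(digest(msg, n), d, n)

def verify(msg, sig, n):
    return pow(sig, E, n) == digest(msg, n)

def fingerprint(n):
    return hashlib.sha256(str(n).encode()).hexdigest()

class TwoSlotVerifier:
    """Accepts a module if EITHER installed key verifies it."""
    def __init__(self, primary_n, backup_n):
        self.slots = {"_KEY": primary_n, "_NSAKEY": backup_n}
        # Hypothetical defensive addition: pin both anchors at install time.
        self.pins = {s: fingerprint(n) for s, n in self.slots.items()}

    def accepts(self, msg, sig):
        return any(verify(msg, sig, n) for n in self.slots.values())

    def changed_slots(self):
        return [s for s, n in self.slots.items() if fingerprint(n) != self.pins[s]]

PRIMARY = make_key(2**61 - 1, 2**89 - 1)
BACKUP = make_key(2**107 - 1, 2**127 - 1)
OTHER = make_key(2**89 - 1, 2**107 - 1)   # a key held by some third party

def demo():
    v = TwoSlotVerifier(PRIMARY[0], BACKUP[0])
    module = b"constructed sample module"
    sig = sign(module, *OTHER)
    before = v.accepts(module, sig)          # neither slot certifies it
    v.slots["_NSAKEY"] = OTHER[0]            # backup slot differs, primary untouched
    after = v.accepts(module, sig)           # now passes via the fallback
    primary_ok = v.accepts(module, sign(module, *PRIMARY))  # nothing visibly breaks
    return before, after, primary_ok, v.changed_slots()
```

Everything signed under the primary key keeps verifying after the backup slot changes, which is why the change leaves no functional symptom; only a comparison against a pinned fingerprint reports it.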
So how is security breached?