Panic spreads over Windows Vista 'back door' that never was

MS caught not evildoing again...

Who'd be a Microsoft? There you are, strolling along minding your own business and the next thing you know you're in a top level conspiracy with the UK security forces to put a back door into Windows Vista. Or so, anyway, the web bush telegraph would have us believe. But disorientating as we find it to be leaping to Microsoft's defence twice in one day, we at The Register feel compelled to point out that the story is somewhat exaggerated, going on entirely untrue.

The Vista back door story originated at (tut) the BBC, with a report claiming that Professor Ross Anderson was urging the government "to look at establishing 'back door' ways of getting around encryptions", and quoting a Home Office spokesman as saying: "The Home Office has already been in touch with Microsoft concerning this matter and is working closely with them." Which we do accept sounds a bit suspicious - particularly if you haven't checked what it was that Prof Anderson originally said, and why.

Anderson was giving evidence to the Home Affairs Committee's enquiry on terrorism detention powers earlier this week, and was covering the challenge posed to police forensic investigations by hard disk encryption. He pointed out that "from later this year the encryption landscape is going to change with the release of Microsoft Vista, the next generation of Windows operating system which will support the use of a chip called a TPM which manufacturers are putting on PC motherboards. What this means is that by default your hard disc will be encrypted using a key that you cannot physically get at... An unfortunate side effect of this from the point of view of law enforcement is that it is going to be technically fairly seriously difficult to dig encrypted material out of systems if people have set it up competently. One issue that was in fact discussed at IPEC here a couple of weeks ago is whether there might in the medium term be some kind of obligation placed on computer vendors, hardware vendors like Intel or software vendors like Microsoft, to see to it that 'back door' keys be made available. Certainly if I were running the appropriate department in the Home Office I would be getting into conversations with Microsoft about this issue now rather than in November when the product is shipped."

The notion of Ross Anderson, more commonly found on the other side of the barricades, running a Home Office department is pleasantly surreal, but it's fairly clear that he was talking about a general issue here, and it becomes clearer within the context of the rest of his evidence. Essentially Anderson is pointing out that encryption poses a growing challenge to law enforcement, that the arrival of widespread hardware-based encryption will make the problem far greater, and that under the circumstances sensible governments should be talking to the industry about what to do about it. Which you might reckon is possibly not big news, given that governments have been talking to industry about issues of this kind for decades - key escrow, anyone?

Anderson, incidentally, seems to view the problem for law enforcement as being considerably broader than just encryption. In the future, he says, encryption will be pretty much an either/or in the sense that if you've got the key, you get in, and if you haven't, you give up. Most effort is therefore likely to go into analysing the vast amount of data within which evidence might be found: "I would think that in ten years' time when the police raid someone's home they might find dozens or perhaps hundreds of computing gadgets on which data can be stored. It is common nowadays, for example, for people to back up their data on devices like an iPod and so in future when you raid somebody's house you will seize their iPod and see if there are data files on it" ('Police to seize iPods' stories are imminent, we predict).

What, then, might Microsoft have been talking to the Home Office about? Most assuredly not about putting back doors in Vista: "We are committed to working with law enforcement to help them understand Vista security features and will continue to partner with governments, law enforcement and industry to help make the Internet a safer place", a spokeswoman told The Register. "Windows Vista is engineered to be the most secure version of Windows yet. It is our goal to ensure enterprise users have full control over information on their PCs. Microsoft has not and will not put 'backdoors' into Windows, its BitLocker feature, or any other Microsoft Products."

She declined, as one might expect, to be specific about the security-related discussions Microsoft may or may not have had with the Home Office, but the areas Microsoft (and other major IT companies) are likely to be covering are fairly obvious, and in some senses (obviously not all) we can perhaps consider Microsoft as being on the side of the forces of light here. Consider, for example, hardware encryption that is intended to be beyond the control of the user, in order to stop the user stealing videos and music - the notion of this being legislated at the behest of the entertainment industry is by no means incredible, and it's clearly something the IT industry will want to have an input on. Or, consider how legislators react when (as so often happens) they discover that encryption that is controlled by the user effectively cannot be cracked by the security services. So they consider placing legal limits on the strength of encryption, and their thoughts turn, yes, to back doors, to whether "some kind of obligation placed on computer vendors" could allow the security forces to read encrypted data.

To some extent Microsoft and TPM face both ways here. TPM will certainly be used as a mechanism for restricting users' rights, to some extent by the music industry in order to protect its content, and by businesses (the "enterprise users" Microsoft refers to) wishing to protect their data from both intruders and employee abuse. It will be generally available in Vista and in future generations of hardware, but legislation aside people will not be compelled to use it. It's in Microsoft's interests for it to be available for people to use, but it's most certainly not in Microsoft's interests for Vista to either be or to be seen as the OS that restricts your rights. Nor is it in Microsoft's interests for legislators to restrict the strength of encryption, or for legislators to require back doors. It wouldn't work anyway, because lawbreakers and terrorists by definition do not obey the law, so whenever legislators start talking about such things, one of the things Microsoft will be doing is quietly trying to talk them out of it. Not because it's a nice company or anything, but because commercial suicide lies along this road. What, Microsoft is going to sell an OS as 'slightly weakened by design' or 'rock-solid security for your stuff... up to a point'? Yeah, right... ®
