Microsoft Gives Vista Backdoor Keys To The Police

from the meaning-the-crooks-have-it-too dept

It's long been assumed that Microsoft has built in various "backdoors" for law enforcement to get around its own security, but now reader Kevin Stapp writes in to let us know that the company has also been literally handing out the keys to law enforcement. Apparently, they're giving out special USB keys that simply get around Microsoft's security, allowing the holder of the key to very quickly get forensic information (including internet surfing history), passwords and supposedly encrypted data off of a laptop. While you can understand why police like this, the very fact that the backdoor is there and that a bunch of these USB keys are out there pretty much guarantees that those with nefarious intent also have such keys. The second you build in such backdoors, no matter how noble the reason, you can rest assured that they will be used by criminals as well. No matter what, for those of you who didn't already know it, now you have more evidence as to why trusting Microsoft's "security" isn't such a good idea. Update: Some folks in the comments, and Ed Bott, claim that this post is a misreading of the original story. The USB key includes a bunch of standard tools, not access to a "backdoor." The confusion, on my part, was due to the original article claiming that the device "can decrypt passwords and analyze a computer's Internet activity, as well as data stored in the computer." In saying so, it appeared that the device must have access to a backdoor to decrypt the password -- but an update claims that it's merely "password security auditing technologies."

Filed Under: backdoor, security, vista
Companies: microsoft

Reader Comments

Subscribe: RSS

View by: Time | Thread

  1. identicon
    mms, 29 Apr 2008 @ 5:13pm

    Windows passwords

    Is MS going to go through all the trouble of producing and distributing USB keys to law enforcements, and equip them with john?

    No, because MS wrote the password hashing code and likely planned in advance to distribute a tool to LE to get around Vista passwords. Since no one outside MS sees the source, no one knows what methods exist to do this.

    It seems :stupid: to hand LE a brute-force tool to solve the password hashed by your own code, since they already know how to brute-force if they want. The tool adds nothing, so why spend $$$ distributing it?

    But, if your tool has a much more efficient method of cracking (or retrieving) passwords, then you're giving LE an amazing advantage in forensic tech. This seems worth the $$$ invested.

    Vista uses NTLM passwords by default (when not in a domain), so I don't really fear anyone with a brute force trying to break my strong login password. (LM, however, scares the hell out of me and I disable it in the XP registry to be safe.) Also, an attacker armed with this key scares the hell out of me because I'm sure my NTLM 14+ char passwd is no match for a retrieval solution that doesn't care how well-crafted my login is.

    Physical access to my Vista laptop = knowing when I'm out of my room + cutting my Kensington lock. A real problem, and not a moot point for laptop installs.

Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here

Subscribe to the Techdirt Daily newsletter

Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Follow Techdirt
Techdirt Gear
Shop Now: I Invented Email
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Report this ad  |  Hide Techdirt ads
Recent Stories
Report this ad  |  Hide Techdirt ads


Email This

This feature is only available to registered users. Register or sign in to use it.