Microsoft Corp. yesterday vigorously denied reports that it had built a secret "back door" into its Windows operating system to enable the National Security Agency to read encrypted information.
The reports grew from a code specialist's discovery that one of two software "keys" in Windows is labeled by Microsoft as "NSA Key." The company says the keys are only useful for installing new scrambling software. However, the term is commonly used to mean a piece of code that helps people--including intelligence agencies--unscramble secret information.
Many software experts dismissed the notion of a secret alliance between the company and agency. But some denizens of the online world saw a team-up that crystallized all their fears.
Claims were flying in message boards and e-mail yesterday that the company that many see as the "evil empire" was conspiring with the super-secret intelligence agency. The title of one such message summed up the paranoia: "how M$ [Microsoft] sold your a-- to the ph3dZ," an intentional misspelling of "feds."
The presence of two keys in Windows has been known for some time. Microsoft says they are there to allow the company to help users who have lost passwords and can't get to scrambled data. They can also let such people as system administrators install software on a computer without getting authorization from the computer's user.
The fact that Microsoft has placed two keys in Windows, however, raised eyebrows among some cryptographic researchers, and the purpose of the second key was a source of much speculation.
Then a few weeks ago cryptographer Andrew Fernandes was looking through the code in an update of software from Microsoft that fixes bugs in Windows when he made a discovery that he said was "serendipity at its best."
As he was at his desk scrolling through the software, glancing from his screen out at the golf course outside his Research Triangle, N.C., office window and back at his screen, he saw the label "NSA key" attached to the second key. The label had apparently been left in the update accidentally, since it does not normally appear.
"My eyes focused on these six little letters and I almost fell out of my chair," Fernandes said.
In the community of cryptographers, Fernandes said, "NSA has only one meaning. Those letters are very ominous." Saying it means anything else, he insists, "would be like at the height of the Cold War, trying to convince the Russians that 'ICBM' stands for 'I Can Be Mellow.' " He published his find yesterday on the Web site of his company, Cryptonym Corp., sparking an Internet flurry.
Microsoft said Fernandes and his online allies misinterpreted the NSA label, which it said is only a notation that the key conforms to technical standards set by the NSA.
"These guys do appear to have jumped to an unwarranted conclusion," said Mark Murray, Microsoft's director of public affairs. "The key in question is a Microsoft key. . . . We have not shared this key with any other party, including the NSA."
Murray said the second key was simply a fail-safe mechanism in case problems emerged with the primary key.
The NSA issued a statement late yesterday that it had no key-sharing agreement with Microsoft. "U.S. export control regulations require that cryptographic APIs [Application Programming Interfaces] be signed. The implementation of this requirement is left up to the company. Specific questions about specific products should be addressed to the company."
Fernandes has posted software on his company's Web site, www.cryptonym.com, that can be used to disable the key or to substitute a cryptographic system of the user's choosing.
Some calmer hands dismissed yesterday's speculation out of hand. Russ Cooper, editor of the NTBugTraq online mailing list, which monitors problems with Microsoft operating systems, posted an online message stating "anyone who programs knows that [software code such as keys] might get named anything for a variety of reasons." In an interview, Cooper said: "They're all looking pretty foolish to me."