News Crypto 'backdoor' in Vista SP1

http://www.bit-tech.net/news/2007/12/19/crypto_backdoor_vista_sp1/1

Microsoft is due to ship a flawed random number generator with the latest Windows Vista service pack, which has the potential to put your encrypted data at risk.

 

Even including it is a bad idea - someone will use it, either accidentally or being secure only for the pretence of being innocent while some data is nicked. It is a broken feature, with no legit use that I can see, that just serves to increase the bloat.

Silly MS... oh well.

Do we know why they didn't just forget about it and quietly remove it?

 

So, in order to organise an attack on a computer, a malicious user would have to somehow alter the code of an application, so that it used this flawed PRNG?

This is hardly an issue, as if a malicious user is changing program code, surely he could just make it use his MAGIC_PRNG, which always returns ... 2?

But that would hardly generate a front page story eh?

 

I don't think this makes Vista less secure.

OK sure the Dual_EC_DRNG has a potential back door, but no one knows for sure who has this second set of secret numbers. We do know that no one has published this "Skeleton Key" yet and there is a chance no one ever will. Also, because it is off by default, average users most likely won't ever enable this setting on purpose or by accident.

But yes, it does make one wonder why MS wouldn't just exclude this flawed encryption.... Conspiracy?

 

Indeed, why keep this flawed version of random generator in the not-yet published sp1? What difficulty makes microsoft think it's necessary to ship the potential backdoor to us endusers?

 

Its already in Vista (and all other NT based OS's)

I'm guessing its not because they've put it in, but because they haven't taken it out
It might actually be difficult to remove it in a Service pack