Closed doors keep the back doors out of sight and resistant to change
Summary: Microsoft willingly leaves Windows users exposed to costly attacks and surveillance, but its propaganda blames the messenger that warned Microsoft about the problem 3 months ago
BASED on Microsoft’s own actions, the company is not at all interested in security and as we last noted the other day, the company is now pulling out of (withdrawing) notifications of back doors, except for the NSA. One might guess this would appease British Prime Minister Cameron, who now openly calls for back doors in everything and a ban on everything without back doors, but will this appease the rest of us, including journalists (never mind banks) who require encryption for secure communication? We have put some related articles in our daily links for those who wish to know more.
For those who missed last week’s news, here is what the British press wrote: “MICROSOFT HAS ESCHEWED the first Update Tuesday, or ‘Patch Tuesday’, Advance Notification of the year to announce that it is killing off the Advance Notification Service (ANS) for the general public and, as such, from next month there will be no Advance Notification.”
This basically means that while the NSA, GCHQ etc. know about back doors (or bug doors) that are not patched, the rest of us will know nothing. Since it is secret proprietary code, there is nothing that can be done about it either.
Earlier this month there were also reports about Microsoft knowingly failing to patch a serious Windows flaw. It took Microsoft 3 months to actually do anything and when it did do something it was after Google had forced it to. It was Google that originally told Microsoft about this flaw 3 months ago. Here is what those whom a reader of ours insists on calling “Microsoft apologists” wrote about it. They basically blame it all on Google rather than chastise Microsoft for leaving a lot of Windows users vulnerable due to Microsoft’s own laziness. It is worth emphasising that “the problem was not fixed within 90 days.” That’s how much of a priority security is to Microsoft.
Amid the calls for encryption bans in the UK it is clear that everyone who cares about privacy should move to Free software. Software freedom is imperative for privacy because only when the code is free can one be sure there are no back doors and also remove any that exist. Proprietary software exercises unjust power and control over its user, as Richard Stallman said all along, and the calls to ban encryption in the UK reinforce Stallman’s views. Microsoft’s negligence and reluctance to patch known flaws which are very serious also prove Stallman’s point to be valid. It is almost as though Microsoft actually chose to leave users exposed. Remember that the so-called ‘Sony hack’ was due to use of Microsoft Windows, based on numerous reliable reports. Also remember that about half a decade ago Google prevented its staff from using Windows. That was due to recognition that Windows was Swiss cheese when it comes to security. █
Summary: Some blobs like Microsoft’s Windows patches and the binary-level UEFI ‘validation’ do not and cannot provide real security, only insecurity in disguise
THE ‘PROMISE’ of UEFI ‘secure’ boot is as ludicrous as Microsoft's claims that it pursues security. UEFI does nothing real for security; in fact, it once again does the very opposite. Quoting the news:
A pair of security researchers have found a buffer overflow vulnerability within the implementation of the unified extensible firmware interface (UEFI) within the EDK1 project used in firmware development.
Bromium researcher Rafal Wojtczuk and MITRE Corp’s Corey Kallenberg said the bug in the FSVariable.c source file was linked to a variable used to reclaim empty space on SPI flash chips.
According to other news, as told (spun) by a Microsoft booster, “Microsoft’s advance security notification service no longer publicly available”. The booster says that “Microsoft is taking its Advance Notification Service private, claiming the change is due to changes in the way users want their advance security notifications.” Microsoft sure tells the NSA about ways to hijack/wiretap Microsoft software, so it’s a matter of privilege, not some company-wide policy.
How does the above serve users? It doesn’t. This is about Microsoft, not users. Users will be left even more vulnerable. As Pogson correctly points out, “There are no Patch Tuesdays with Debian GNU/Linux so the bad guys are no further ahead. We can all get Debian’s patches as soon as they generate them and we can usually install the updates on running systems with no adverse consequences, like a re-re-reboot.”
Moreover, in large corporations in particular, patching code internally is possible, as is relying on third parties. Don’t ever trust security at binary level, such as large blobs being sent that are supposedly ‘patched’ or some opaque board giving ‘approval’ before the running of a binary blob, most likely based on some cryptic signature approved by unknown people for unknown reasons (usually employees of companies that work with the NSA). Real security emanates from transparency, which breeds trust and provides the ability for one to study and patch one’s own programs (or rely on others to do so using their specialised skills). █
“Anyone wonder why the Microsoft SQL server is called the sequel server? Is that because no matter what version it’s at there’s always going to be a sequel needed to fix the major bugs and security flaws in the last version?”
Summary: The PHP-based WordPress is reported as the cause for ISC’s woes, but it was not kept up to date (a very simple and risk-free task) and the victims are actually Microsoft Windows PCs
I could personally relate to this report about a high-profile WordPress site getting cracked as it very closely relates to my job. What’s interesting about it is that the victim (or the target) is really Windows, not GNU/Linux.
“So, it looks like the chances are that ISC’s problem is limited to Windows PC malware and it hasn’t affected BIND or ISC’s DNS site,” wrote Steven J. Vaughan-Nichols. Microsoft Windows is targeted via the browser. It’s just so easy.
“Bind is outdated anyway,” a reader told us. “Better replacements have been available for a long time.”
According to the first report, “ISC was hacked by way of a WordPress flaw, but there is now an automatic way to secure WordPress sites and (eventually) eliminate the risk of nonpatched systems.” This might not help protect from out-of-date or vulnerable extensions to WordPress. It’s not an easy task. I have worked with WordPress for over 10 years and with Drupal for close to 5 years (including involvement in the development community), so I can confess that some flaws are inevitable. When it comes to Free software, however, the patching process is vastly superior to that of proprietary software, where many of the flaws are never patched or are silently patched without even informing users.
The whole notion of protecting from bugs at a binary level is ludicrous. Someone who is a programmer from Microsoft spoke to me for hours some days ago and told me that Windows system updates can take a vast amount of time because of lack of modularity. Large blobs that have unknown changes in them are not the way to patch flaws, let alone inform those affected of what is being patched and why.
It is with that in mind that we also approach the binary-level checks for ‘security’ by UEFI ‘secure’ boot. It’s complete nonsense. It doesn’t work and it does not improve security, it just restricts the function of general-purpose computing. Bottomley from Novell continues to support this nonsense based on a Phoronix report that says:
James Bottomley has updated the open-source UEFI Secure Boot Tools for Linux distributions to build against the UEFI 2.4 specification.
UEFI 2.4 has been out for the past year and a half while finally now the UEFI Secure Boot Tools have been updated against the latest spec.
UEFI ‘secure’ boot is how Microsoft and Intel (Wintel) have complicated Free software use, as we’re reminded by a new article where Jamie is nagging about UEFI ‘secure’ boot when installing a new good flavour of GNU/Linux:
“[I]f you are installing PCLinuxOS to a UEFI-firmware system,” he writes, “the best thing to do (and the most common and sensible by far, I’m sure) is to simply leave it in Legacy/MBR boot enabled, don’t try to switch back to UEFI boot.”
Any computer that comes with UEFI should now be avoided. It is possible to avoid such computers and voting with one’s wallet can be very effective. █
The great power of lies and gullible journalists
Summary: Microsoft’s partner Alert Logic is trying to label a feature of Linux a security flaw and even makes marketing buzz for it
IF A reporter or two can be bamboozled into printing a lie (digitally distributing it), this can lend some credibility/legitimacy to the lie and then it is possible that the lie will spread and be echoed in other reports. Hence the importance of this matter.
Several journalists have already rebutted something that I debunked some days ago when I first saw some nonsense about “Grinch” with a suitable “marketing” image. Here is one rebuttal among a few:
The Grinch flaw was reported by Stephen Cody, chief security evangelist at Alert Logic. Cody alleges that the Grinch flaw enables users on a local machine to escalate privileges. Leading Linux vendor Red Hat, however, disagrees that the Grinch issue is even a bug and instead notes in a Red Hat knowledge base article that the Grinch report “incorrectly classifies expected behavior as a security issue.”
The original security researcher that reported the Grinch found that if a user logs into a Linux system as the local administrator, the user could run a certain command that would enable the user to install a package, explained Josh Bressers, lead of the Red Hat Product Security Team.
“Local administrators are trusted users,” Bressers told eWEEK. “This isn’t something you hand out to everybody.”
We believe it was Joab Jackson (IDG) who first gave a platform to the Microsoft partner (Alert Logic) that used marketing buzz and a lie against Linux, soon to be rebutted by Red Hat. I had contacted Mr. Jackson, who later told me that he posted a follow-up (or correction).
Jackson’s correction may have come too late as we saw the lie spreading to a few other news sites later on (thankfully not too many sites). Here is one example of garbage ‘reporting’ (FUD and lies), generated by the FUD firm with a catchy name, sort of logo etc. (generated by a Microsoft partner we might add). Apart from Jackson’s piece we saw at least 3 more such articles (which came afterwards). How many are going to post a correction? How many articles will be withdrawn? How many follow-ups will be published? Tumbleweed. Silence.
It is usually Windows that has zero-days during Christmas, not GNU or Linux. There was recently other nonsense with a name, claiming to be a flaw when it was actually some other malware (potentially developed by the Russian government) that users actually have to install (not from repositories) to be infected by. It was akin to a phishing attack, but it was widely used in the press (even in IDG, Jackson’s employer) to characterise GNU/Linux as insecure.
Remember what the Microsoft-connected firm did with "Heartbleed" (the name it made up with a promotional logo). It’s all about marketing and hype. They are trying to change perceptions around Free software security. What matters is what people remember, not the truth. This is all about discouraging users or buyers.
A reader has alerted us about this article from Armenia. “Note the job title of the ’softer,” he said. Here is the relevant portion:
Armenia’s Minister of Defense Seyran Ohanyan received Microsoft Corporation’s Regional Director for Public Safety/National Security/Defense Robert Kosla.
Joke or real? It sounds like a joke, but they are definitely not joking. Armenia talks to the NSA’s biggest partner and back doors-loving company about ‘security’, so seeing the job title from Microsoft is truly hilarious! Microsoft is good at insecurity and lies, not security. █
“Our products just aren’t engineered for security.”
–Brian Valentine, Microsoft executive
Summary: The power of media spin makes the idea of hosting Free software under the control of an NSA PRISM and back doors partner seem alluring
IN the spirit of tackling FUD we thought it would be worthwhile to tackle spin regarding the news of Ubuntu Core (news that already appears in our daily links).
Microsoft boosters such as Microsoft Gavin try to frame it as Microsoft news, saying: “A smartphone-inspired version of Ubuntu Server for Docker minimalists has been revealed with initial backing from Microsoft.” The headline is even worse. It’s deceiving for the sake of drama.
The news is not about Microsoft. This is what is called bias by omission or selection — similar to this lousy piece from Lance Whitney, former staff of Microsoft media whose latest propaganda is now omitting an old disclosure saying that he is Microsoft’s ‘former’ staff and uses US-only spin to make Android look bad (the US is not the whole world and economic advantage favours overpriced phones).
Several readers have told us that the article “Canonical restructures Ubuntu in mobile mode; Microsoft is first partner” had been removed (we searched the site to verify this) before it was reinstated. How odd. No explanation was given and while it was gone we made a copy from the Google cache of the article, very shortly after it had been deleted, then created a permanent archive of the removed version. We wrote publicly at around noon yesterday about how this article vanished after it had been posted (just shortly before we made copies from Google cache and also used archive.is). We later compared the version we had archived with what was reinstated and found no obvious differences in the text. Well, maybe the problem was purely technical, but the content of the article from Paul Gillin was curious, not just the angle. A reader of ours explained: “Below is the text of an article which just disappeared. It was online for only a few hours but contains some very incriminating statements. More might show up later, but for now this is all I have. It sure explains why the Ubuntu forums moderators/staff have been slamming RMS and censoring critique of Microsoft and His Billness – in any context.”
“The situation is bad,” explained our reader. “The previous article was not a mistake” because there is other coverage although it does not provide the Microsoft spin, including phrases such as those highlighted in Diaspora. The factual part is this:
Ubuntu Core is now available on Microsoft’s Azure cloud.
This, however, is not the main news. A lot of effort was put into injecting some pro-Microsoft angle. Here is where promotional spin got injected (apart from the headline):
“Ubuntu Core is the smallest, leanest Ubuntu ever, perfect for ultra-dense computing in cloud container farms,” the company said in a press release. In a twist that’s sure to prompt a double-take from many industry veterans, Canonical chose the Azure cloud from longtime Linux foe Microsoft as its first deployment platform. “Microsoft loves Linux,” said Bob Kelly, Corporate Vice President at Microsoft, in a prepared statement.
“Microsoft has been a terrific steward of Ubuntu,” said Dustin Kirkland, product manager for Ubuntu Core, in an interview. “We have a very tight relationship.” The deal with Microsoft is exclusive for “a couple of weeks,” after which Ubuntu Core is expected to be available on all public clouds that currently support the operating system.
So ‘“Microsoft loves Linux,” said Bob Kelly, Corporate Vice President at Microsoft, in a prepared statement.’
This is part of the new lie which we wrote about in articles such as:
The problem with articles like the above is the pursuit for talking points to lull the victim into passivity, pretending that Microsoft is now like a “best friend” of GNU/Linux. All that Microsoft does with Ubuntu Core is put it under surveillance and back door control. That’s what Azure is about, as NSA leaks serve to demonstrate.
We could of course tackle some other propaganda if we had more time for writing (I am working full time myself). Consider this new UBM spin which pretends TrueCrypt is FOSS (it’s definitely not) and cites one bug (in OpenSSL) to pretend FOSS as a whole is less secure than proprietary software blobs. There is another ugly story making the rounds about a so-called attack on GNU/Linux machines (attributing it to a government, possibly Russia’s); all the stories we have found (over a dozen so far) neglect to say that the victim must install the rogue code himself or herself, it cannot really propagate except by the user’s stupidity or recklessness. Finally, there is another batch of stories about DCOS, which is backed by a Microsoft thug who boasted about “tilting into a death spiral” competitors of Microsoft and bankrolled Microsoft proxies. DCOS — like Azure — is attempting to control GNU/Linux guests at a higher level. IDG called it a “data center OS” that “allows single-source command for Linux servers”, potentially providing a back door. I have personally seen companies that manage hundreds of GNU/Linux servers from VSphere (proprietary from EMC, which is connected to RSA and hence NSA back doors) on top of Microsoft Windows (also back doors). Can EMC be trusted to not allow intrusion? Can Microsoft? These are rhetorical questions.
Anyone who is reckless enough to put an Ubuntu machine under Microsoft hosting sure has not been keeping up with news. Canonical too would be reckless to recommend such a thing, but perhaps it has short-term thinking, pursuing Microsoft dollars at the expense of customers’ security. █
“Our products just aren’t engineered for security.”
–Brian Valentine, Microsoft executive
Summary: Errors in Windows that facilitate remote access and privilege escalation (affecting every version of Windows) continue to surface and those who fix these errors risk bricking their systems/services
Having just made (generated rather, using an online tool) the above meme to make an important point (pardon the “Windows” typo), we wish to bring together some recent news about Microsoft Windows, probably the least secure operating system in the world (by design). The NSA is involved in finalising Windows development and knowing what many people finally know about the NSA, it oughtn’t be shocking that Windows uses weakened/flawed encryption, enables remote access, etc.
Earlier this month there was a lot of press coverage about a massive flaw and an “emergency” patch for Windows. The NSA, for a fact (based on Snowden’s leaks), already knew about this. It knew about it before it was patched, as Microsoft tells the NSA about every flaw before patches are applied and flaws become common knowledge.
Stephen Withers, a booster of Microsoft from Australia, said that a “very old but only just fixed Windows vulnerability is the key to a new in-the-wild attack.
“Security vendor ESET says it has detected a real-life exploit for a vulnerability that’s been part of Windows for nearly two decades.”
So it’s not just exploitable by the NSA anymore.
Over at IDG, this flaw was said to have a botched ‘solution’. As the author put it: “Last Tuesday’s MS14-066 causes some servers to inexplicably hang, AWS or IIS to break, and Microsoft Access to roll over and play dead”
So patch or don’t patch, you have a serious problem either way. Welcome to the “professional” and “enterprise-ready” world of Microsoft.
As Microsoft boosters put it, “Microsoft has announced that they will be pushing an out-of-band security patch today. The patch, which affects nearly all of the company’s major platforms, is rated ‘critical’ and it is recommended that you install the patch immediately.”
To brick one’s system?
Here is what British press wrote about it:
MICROSOFT HAS ISSUED an emergency patch for the Kerberos Bug that could allow an attacker to perform privilege escalation in several versions of Windows.
In what will be the firm’s third emergency patch in the past three months, the fix arrives just a week after the monthly Patch Tuesday release.
In other curious news from the same source, British taxpayers’ money has just been wasted cleaning up the mess of Microsoft Windows with its baked-in back doors. Windows is being hijacked en masse, but the corporate media refers to it as “PC”, not Windows. This is a crucial omission. The insecurity of Windows is not always accidental. It was designed to be easy to access (only by the “Good Guys”, of course!). “THE UK NATIONAL CRIME AGENCY (NCA) has arrested five people,” said the British press, “as part of a crackdown on hackers who hijack computers using Remote Access Trojans (RATs).” It’s a shame that they don’t point out that it’s a Windows-only problem. It doesn’t even take much in terms of skill to hijack Windows, as many hackers and crackers can attest to. To quote this report: “The NCA said on Friday that it has arrested two 33-year-old men and a 30-year-old woman from Leeds, along with a 20 year-old man from Chatham in Kent and a 40-year-old from Darlington in Yorkshire.”
This 20 year-old cracker is about as old as the latest bug door from Microsoft. With 19-year-old flaws in Windows (“critical” too) it oughtn’t be hard to hijack Windows-running PCs by the millions and even by the billions. As this article put it, the flaw is very severe and “Microsoft’s out-of-band update yesterday fixes a profoundly serious bug: Any user logged into the domain can elevate their own privilege to any other, up to and including Domain Administrator.”
Robert Pogson wrote that Microsoft “told the world they were naked and now system administrators are scurrying around to make sure every system running InActive Directory has a patch.”
As usual, no logos and brand names for this bug, not even the huge media hype that we saw when GNU Bash and OpenSSL had a bug in them. Perhaps the media learned to accept that Windows is Swiss cheese, or more likely it is unconsciously complicit in Microsoft’s PR. █
Summary: With Aorato acquisition Microsoft helps protect the criminals (from whistleblowers) and with lies about .NET Microsoft distracts from a bug that has facilitated remote access into Windows (by those in the know) for nearly two decades
MICROSOFT IS A company of liars, centred around media manipulation. This is why not enough people know about the company’s sheer levels of malice, crimes, and disregard for people.
Microsoft keeps throwing money around for favourable publicity, so not enough criticism is published where it’s well overdue. Today we’ll tackle several stories that deserve more attention from an appropriate angle, not a promotional (marketing) angle.
A few days ago Microsoft decided to buy a military-connected (IDF/Israel) anti-whistleblowing ‘software’ company. What a lot of shallow coverage failed to mention was the real purpose of the software (not often marketed as such). To quote one report: ‘“Snowden reportedly used colleagues’ passwords to access sensitive docs,” he told me. “Even if the user activity seems legitimate, the same account would actually present suspicious or abnormal behavior behind the scenes which Aorato would detect.”’
Actually, to keep the facts intact, the NSA leaks were made possible by GNU WGet on the leakers’ side (same as Bradley/Chelsea Manning) and that horrible Microsoft SharePoint on the leaked side (NSA). It means that Microsoft itself was the problem which it claims to be trying to solve. We mentioned the role of SharePoint several times before. The acquisition by Microsoft seems to be geared towards stopping whistleblowing and hence defending corruption (so that Microsoft, for instance, can defend the NSA). How ethical a move, eh? So much for a ‘champion’ of privacy as it purports to be.
Anyway, there is a 19-year bug door in Microsoft Windows (almost no version is exempted from remotely-invoked full capture), but the press hardly covers it. We must give some credit to the BBC for covering it (for a change) and "calling out Windows". Other British press covered other inherent issues in Windows (compromising Tor) and it looks like Dan Goodin is finally covering some security problems in proprietary software rather than always picking on FOSS, then hyping it up with ugly imagery and exaggeration.
A reader of ours suspects that the .NET announcement was designed to distract from horrible security-related news. The .NET announcement is nonsense because it’s false (we wrote two posts about the .NET PR nonsense) and it also predicts future events like Visual Studio going cross-platform although the latest version of Visual Studio (proprietary) already runs under GNU/Linux using Wine, i.e. the Windows build works under GNU/Linux as it’s fully compatible anyway, for those foolish enough to want it. This is not news and the same goes for Office and other well-known Microsoft software. Xamarin staff keeps trying hard to infect GNU/Linux with .NET (that’s what they do) and as this very stupid article about .NET shows, the .NET nonsense did indeed help bury the news about the bug door. This disgusting article even gives credit to Microsoft for having fixed a massive 19-year-old bug (only after IBM had found it). When bash or openssl have a bug, then FOSS is all bad, apparently. When Microsoft has a bug door for 19 years, the media says well done to Microsoft (for fixing it after another company forced it to). One has to wonder if this flaw (voluntary or involuntary) is part of Microsoft’s collaboration with the NSA, which made Stuxnet and has made yet another piece of Windows malware together with Israel. Here is a new article from The Intercept:
The Digital Hunt for Duqu, a Dangerous and Cunning U.S.-Israeli Spy Virus
Boldizsár Bencsáth took a bite from his sandwich and stared at his computer screen. The software he was trying to install on his machine was taking forever to load, and he still had a dozen things to do before the Fall 2011 semester began at the Budapest University of Technology and Economics, where he taught computer science. Despite the long to-do list, however, he was feeling happy and relaxed. It was the first day of September and was one of those perfect, late-summer afternoons when the warm air and clear skies made you forget that cold autumn weather was lurking around the corner.
Bencsáth, known to his friends as Boldi, was sitting at his desk in the university’s Laboratory of Cryptography and System Security, a.k.a. CrySyS Lab, when the telephone interrupted his lunch. It was Jóska Bartos, CEO of a company for which the lab sometimes did consulting work (“Jóska Bartos” is a pseudonym).
“Boldi, do you have time to do something for us?” Bartos asked.
“Is this related to what we talked about before?” Bencsáth said, referring to a previous discussion they’d had about testing new services the company planned to offer customers.
“No, something else,” Bartos said. “Can you come now? It’s important. But don’t tell anyone where you’re going.”
Bencsáth wolfed down the rest of his lunch and told his colleagues in the lab that he had a “red alert” and had to go. “Don’t ask,” he said as he ran out the door.
A while later, he was at Bartos’ office, where a triage team had been assembled to address the problem they wanted to discuss. “We think we’ve been hacked,” Bartos said.
They found a suspicious file on a developer’s machine that had been created late at night when no one was working. The file was encrypted and compressed so they had no idea what was inside, but they suspected it was data the attackers had copied from the machine and planned to retrieve later. A search of the company’s network found a few more machines that had been infected as well. The triage team felt confident they had contained the attack but wanted Bencsáth’s help determining how the intruders had broken in and what they were after. The company had all the right protections in place—firewalls, antivirus, intrusion-detection and -prevention systems—and still the attackers got in.
The ability to keep people’s rights away and keep the population down depends on passivity and conformity, including the use of Windows. Avoiding Microsoft Windows is imperative for those not wishing to be controlled remotely. As Microsoft’s collaborations with the NSA serve to show, mass surveillance on the whole world is practically contingent upon not just innovation but sabotage and social engineering with corporate buddies. Eradication of Microsoft software isn’t about competition only; it’s about justice. █
Related/contextual items from the news:
There are suggestions that the malware code has been around for a while, and has predecessors, and F-Secure warned internet users, anonymous or otherwise, to tread carefully when they download.
“However, it would seem that the OnionDuke family is much older, based on older compilation timestamps and on the fact that some of the embedded configuration data makes reference to an apparent version number of four, suggesting that at least three earlier versions of the family exist,” the firm added.
“In any case, although much is still shrouded in mystery and speculation, one thing is certain: while using Tor may help you stay anonymous, it does at the same time paint a huge target on your back.
“It’s never a good idea to download binaries via Tor (or anything else) without encryption.”
Three weeks ago, a security researcher uncovered a Tor exit node that added malware to uncompressed Windows executables passing through it. Officials with the privacy service promptly shut down the Russia-based node, but according to new research, the group behind the node had likely been infecting files for more than a year by that time, causing careless users to install a backdoor that gave attackers full control of their systems.
Summary: At many levels — from communication to storage and encryption — Windows is designed for the very opposite of security
TO ONE who is aware of what Microsoft has been doing with the NSA since the 1990s it can be rather shocking to see entire nations relying on Microsoft Windows. As a quick recap, aided by one of our readers, back in the 90s there was this article stating: “Rubenstein, Microsoft attorney and a top lieutenant to Bill Gates. By his own account, Rubenstein acts as a “filter” between the NSA and Microsoft’s design teams in Redmond, Wash. “Any time that you’re developing a new product, you will be working closely with the NSA,” he noted.”
There is hardly any room for excuses or misinterpretation here. “How NSA access was built into Windows” is another important article from the German press and it was published back in the 90s. These older articles are merely a few among many more (some no longer accessible due to ‘Web rot’) which already made it clear that Bill Gates and Microsoft were fine with back-dooring billions of people. Gates continues to be a vocal proponent of the NSA, even to this date (after Snowden had leaked details that made the NSA exceptionally unpopular like no time before, internationally).
Anyone who still thinks that proprietary software is secure says quite a lot about his/her own intelligence (and disregard for facts). It is also widely known why it is risky to connect Free software to proprietary software, which basically compromises the trust that Free software carries with it. Germany, based on this new article from Dr. Glyn Moody, is beginning to see the light as well. Here is a portion:
You Can’t Trust Closed-Source Code – Germany Agrees
Similarly, moves by both Microsoft and Amazon, among others, to set up local data centres in the EU will not on their own protect European data unless that is encrypted by the companies themselves, and the cloud computing providers do *not* have access to the keys. Indeed, if the data is encrypted in this way, local storage is not so important, since the NSA will have an equally hard time decrypting it wherever it is held – as far as we know, that is.
Because of that recent US court judgment ordering Microsoft to hand over emails held in Ireland, many people are now aware of the dangers of cloud computing in the absence of encryption under the control of the customer. But very few seem to have woken up to the problems of backdoors in proprietary software that I mentioned at the start of this post. One important exception is the German government, which according to Sky News is working on an extremely significant law in this area…
The NSA could get back door access into all data stored in Windows and now it can get access to data stored remotely, too. It’s total surveillance. Not even encryption can help.
I was contacted by a manager from Microsoft last week and after we exchanged some messages about the farce which is encryption in Windows he no longer had a counter argument. He found out, after some research, that I was in fact right. I was previously (almost a decade ago) ridiculed by top-level Microsoft staff for suggesting that encryption in Windows could easily be subverted, by design. Around that time Microsoft’s Allchin was seemingly worried about back doors and he was quoted on it (the Allchin article is hidden to many as the link has changed). Some of it is very old, but we have written about Bill Gates’ support of back doors since the early days of this Web site. Microsoft back doors in Windows go beyond just remote access and descend down to encryption, caused by a deficient-by-design (or generally bad) encryption. When we cited Cryptome's findings we received overwhelming (and supportive) attention. The management from Microsoft tried to change our article (asking for changes) despite the article being correct. As stated in comments in Soylent News: “when my Windows 8.1 tablet recommended that I turn on encryption, as soon as I clicked “no” to handing my administrator user over to Microsoft, it disabled encryption.”
I showed it to Microsoft management, whereupon they checked and confirmed that this was true. No response since, hence we can assume there’s no counter argument.
In summary, Microsoft betrays the privacy of Windows users at many levels. No nation should deem Windows suitable for use (at any level) and ridicule is probably well deserved where one defends Windows as ‘secure’. █