Blowback time

Angela Merkel, by Αντώνης Σαμαράς Πρωθυπουργός της Ελλάδας

Summary: The NSA is getting US corporations (subsidised by US taxpayers to an extent) banned for security reasons, showing in the process how proprietary paradigm helps conceal back doors and reduce trust

Angela Merkel has been working with the NSA, Microsoft's close ally, for quite some time. But right now this relationship is exploding right in her face and jeopardises her election campaign in Germany (voting is imminent). She needs to rethink her policies in light of the NSA abuses which everyone now knows about.

The NSA has been involved in Vista 8 development (as usual, the same was done with previous versions of Windows) and it gets notified of back doors in the operating system (while they are universally unaddressed). Add UEFI to the equation and the NSA can now remotely brick some motherboards as long as they run Windows. The British military does not seem to mind this. It gave the US control of all PCs. National Security in the UK assumes that by "national" we mean the US. We already have some NSA bases in the UK.

Nations are finally grasping the threat of the NSA. First China and Russia took action, with China launching a large probe and Russia abandoning some computers. Well, now Germany joins the pack. As David Sugar said it to me,‏ "Windows 8 banned by German govt for integrating forced hardware surveillance & backdoors"

They also warned against UEFI (for secure boot) less than a year ago. Here is the a summary of a report written in German:

According to leaked internal documents from the German Federal Office for Information Security (BSI) that Die Zeit obtained, IT experts figured out that Windows 8, the touch-screen enabled, super-duper, but sales-challenged Microsoft operating system is outright dangerous for data security. It allows Microsoft to control the computer remotely through a built-in backdoor. Keys to that backdoor are likely accessible to the NSA – and in an unintended ironic twist, perhaps even to the Chinese.

The backdoor is called “Trusted Computing,” developed and promoted by the Trusted Computing Group, founded a decade ago by the all-American tech companies AMD, Cisco, Hewlett-Packard, IBM, Intel, Microsoft, and Wave Systems. Its core element is a chip, the Trusted Platform Module (TPM), and an operating system designed for it, such as Windows 8. Trusted Computing Group has developed the specifications of how the chip and operating systems work together.

The other day, unofficial Microsoft spokeswoman Mary Jo Foley (her criticisms of Microsoft are rare and weak) was pushing people to buy new software from Microsoft, citing security reasons. [via]

Microsoft's latest tack in trying to wean users off Windows XP is to warn them of a possible 'zero day forever' scenario in the post-April 2014 support cut-off world.

This is nonsense because after the NSA leaks we know that this threat is perpetual. As Pogson put it:

Well, I don’t think those numbers are very accurate but it’s the trend that matters. There are still hundreds of millions of PCs out there using XP and after 234 days there will still be ~200 million clinging to what they know. According to M$, XP will be revealed as the garbage OS that it is after that because it will be a huge unprotected target for malware artists. They shipped it with ~50K bugs and added more over the years. Malware artists have been discovering hundreds of ways of penetrating the OS every day for more than a decade. XP inspired whole industies of “anti-malware” and malware, spending the resources of IT defending IT from the carelessness of M$ for security, integrity and performance. M$ has used hundreds of millions of users and owners of PCs as slaves all these years and many have accepted that slavery as a way of life.

Pogson's point is valid. But he does not address the fact that flaws are being spread to partners (like Microsoft does with the NSA). An article from the British press says that "Microsoft warns it'll hand out zero days for Windows XP" (like it has done for a dozen years with the NSA). To quote:

Microsoft has a Windows XP problem: people still like it and aren't willing to upgrade just yet. So it's warning users that if they don’t upgrade soon, each new Patch Tuesday will gift a new series of vulnerabilities to the hacking community.

Windows XP is already Swiss cheese. Microsoft is trying to exploit its rubbish security as a marketing tool right now. It wants to upsell.

Woody Leonhard, an author of IDG, wrote about 17 epic Microsoft Windows Auto Update meltdowns [via], preceding it with:

These legendary clunkers made Patch Tuesday a living hell for Windows users the world over

A lot of the press has been overlooking an important point. The Windows toggle button which tells Microsoft not to automatically update (modify) the system has no effect. We know this empirically, at least when it comes to XP; about 5 years ago it was shown to have no effect. Automatic update is a back door, so Microsoft would let the NSA take over PCs with this back door, too. Staying "up to date" with patches can thus have the opposite effect.

The bottom line is, any company that comes in contact with the Department of Espionage (the NSA) should be suspect and should be avoided where possible. Germany should do nationally what it already did in Munich and a few smaller places, ⬆