Bonum Certa Men Certa

Windows Back Doors Spin Out of Control, End up in Black Market

Everyone is a forensic expert now

Tank



Summary: Free access for everybody; Microsoft's back-door keys are now available for everyone to download and new issues about Windows security raise serious questions about liability

Credit goes to Bruce Schneier, who warned about this when it was first introduced publicly. He predicted exactly what would happen with Microsoft's back doors (also learn about CIPAV), which it foolishly believed it could keep under exclusive police control. According to this from Gizmodo:



Apparently Microsoft's COFEE software that helps law enforcement grab data from password protected or encrypted sources is leaking all over the internet. So not only can you steal the software, but break the law by using it too.


More here:

Siren.gif: Microsoft COFEE law enforcement tool leaks all over the Internet~!



[..]

It was one of the most sought after applications on the Internet until it was leaked earlier today. And now that it’s out there—and it is all over the place, easily findable by anyone able to use a search engine—we can all move on with our lives. Yes, Microsoft COFEE, the law enforcement tool that mystified so many of us (including Gizmodo~! and Ars Technica~!), is now available to download. If only there were a “bay” of some sort where, I don’t know, pirates hang out…


Law does not directly interfere with behaviour, so mere threats against COFEE downloaders will not undo the damage which is coming.

The amusing thing is that Robert Scoble mocked me for writing about this back in 2006 when it was secret. Being a Microsoft evangelist (lead AstroTurfer), it was probably his duty to deny the existence of such back doors, which are now available for access by anyone who is interested and determined enough to find the trap door binaries.

The police is said to be carrying the software on USB drives, so how inevitable was such a leak really? It's a stupid idea to begin with, just like AutoRun, which was removed by Microsoft for doing more harm than good (infection upon insertion). That was Microsoft's admission of failure with its security approach and the Washington Post has a whole new article about it:

What Windows Autorun Has Wrought



[...]

A new report by Microsoft shows that the two most prevalent threats to Windows PCs in the first half of 2009 were malicious programs that have been aided mightily in their spread by a decision by Microsoft to allow the contents of removable media -- such as USB thumb drives -- to load automatically when inserted into Windows machines.

In its latest "Security Intelligence Report," Microsoft counted the number of threats detected by its anti-malware desktop products, and found that the Conficker worm, along with a Trojan horse program called Taterf which steals passwords and license keys for popular computer games, were detected on 5.21 million and 4.91 million Windows computers, respectively.


NASA's operations in space were affected by this (computer viruses passing via USB drives in Windows, maybe with AutoRun doing its magic). It's even too much for the FBI. Free Software Magazine now asks: "Are Microsoft to blame for 'hidden' malware costs and will Windows 7 make any difference?"

A couple of stories have hit the headlines this year concerning the huge cost that some UK Local Governments incurred when dealing with malware attack on their Windows machines. If you missed them, Manchester City Council had a single USB infected with the infamous Conficker worm and it cost them — brace yourself — £1.5m ($2.4m) of which £1.2m (US$1.9m) was spent on IT, of which a staggering €£600,000 (US$980k) went on consultancy fees including money to Microsoft. A while later, Ealing Borough Council were hit with a cost of €£500000 (about US$ 800k) when they were also hit by a single USB stick containing conficker. Some in the industry tweeted and blogged this as being a “hidden cost of using Microsoft Windows”. In the ensuing discussion, many pointed out that the high cost was really due to the lack of a proper patching and disaster recovery policy at the council. So which is right? Is dealing with malware a hidden cost of using Windows or of a poor IT strategy?

[...]

Regardless of your software choice, a poor patching policy is a very bad idea if you value system integrity. But if you going to argue your case on TCO, Microsoft, don’t then try to dodge talk of the additional costs for maintaining, patching and clearing a Windows-based system.


To answer the main question, Vista 7 will make no difference. It is just as insecure as predecessors (one might say it is even less secure). Evidence includes:

  1. Cybercrime Rises and Vista 7 is Already Open to Hijackers
  2. Vista 7: Broken Apart Before Arrival
  3. Department of Homeland Security 'Poisoned' by Microsoft; Vista 7 is Open to Hijackers Again
  4. Vista 7 Security “Cannot be Fixed. It's a Design Problem.”
  5. Why Vista 7 Could be the Least Secure Operating System Ever
  6. journalists say
  7. Vista 7 Vulnerable to Latest “Critical” Flaws
  8. Vista 7 Seemingly Affected by Several More “Critical” Flaws This Month
  9. Reason #1 to Avoid Vista 7: Insecurity
  10. Vista 7 Left Hijackable Again (Almost a Monthly Recurrence)


To address the question of liability, here we have a collection of external references. Some journalists say that Microsoft should be held accountable for these damages.

Comments

Recent Techrights' Posts

Slopwatch: Brian Fagioli, Google News, and Other LLM Slopfarms
Why does Google News keep promoting these fake articles?
Links 29/10/2025: Amazon Kept "Data Center Water Use Secret", "Abuse of Power" Against Media
Links for the day
Gemini Links 29/10/2025: "My Hardware Specs" and "Goodbye Debian…"
Links for the day
EPO Cocainegate: Feedback and Clarifications
Part III will come out soon
Links 29/10/2025: "US Military Is Destroying the Planet Beyond Imagination" and Boat Strikes Deemed Unlawful
Links for the day
Quality Comes First (Techrights Search)
It's generally working already, but we wish to polish it some more
Techrights Party Countdown
Late next week we'll be holding a party near our home
European Parliament and Council Directive on Privacy is Vanishing
"edited / censored some time more recently"
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Tuesday, October 28, 2025
IRC logs for Tuesday, October 28, 2025
Slopwatch: The March of Slopfarms, From UbuntuPIT to Linux Journal and to Various Fake Sites Still Promoted by Google News
It's so worrying to see what the Web has become
Links 29/10/2025: CISA, Ukraine, and Amazon Problems
Links for the day
[Teaser] The EPO's Spokesperson, a Cocaine User, Fancies Young Women
How's that for "optics" in the EU and Europe's second-largest institution?
How Will António Campinos Respond to the EPO's 'Cocainegate'?
That's the same thing we saw and still see when the press deals with enablers and partners of Jeffrey Epstein
Join Us Now and Share the News - Part IV: There Cannot be Free Software Without Free Press and Free Information
One day, one can hope, more people will recognise that for Software Freedom we need free press and free thinkers
Join Us Now and Share the News - Part III: Principled Stance Is Never Cheap
Protecting the truth and insisting that the general public is made aware of things that really happened isn't cheap
Join Us Now and Share the News - Part II: Because Scarcity of Accurate Information Breeds Collective Ignorance
we too will strive to share information that's aggressively suppressed
Gemini Links 28/10/2025: More New Arrivals at Geminispace, xkcd on "Document Forgery"
Links for the day
Join Us Now and Share the News - Part I: Defence of the Truth
This year we make a very strong, firm statement for truth, even if that means explaining our work to the top media judge in the country
Links 28/10/2025: Meta and Fentanylware (CheeTok) Age-Restricted Down Under, "Britain Needs China’s Money"
Links for the day
Links 28/10/2025: Mass Layoffs at Amazon and Charter to Cut 1,200 Jobs
Links for the day
The Cocaine Patent Office - Part II: The Person Who Planted Paid-for Fake News for the European Patent Office (EPO) is a Cocaine User, Friend of António Campinos, Now on Record as Having Been Arrested
Background: High-level manager at the European Patent Office caught in public with cocaine, arrested
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Monday, October 27, 2025
IRC logs for Monday, October 27, 2025
Google News Drowning in Slop (and Slopfarms That Hijack About Half the Results)
Google News seems to be drowning in this stuff
Gemini Links 28/10/2025: "How to Maximize Your Positive Impact" and ASCII Art and Artist Attribution
Links for the day
PETA and Activism
Being staff or volunteer in PETA isn't easy
Big Blue, Huge Debt
debt will soar again
Links 27/10/2025: Mass Surveillance Sold as "AI", People Reluctant to Lose Physical Media
Links for the day
Parties and Milestones Again
we've begun putting up about 40 balloons
Techrights' 19th Anniversary: Bronze
Time to go back to preparing for this anniversary
Our Latest European Patent Office (EPO) Series Will Last Several Weeks, Will Ask the EPO Management and the European Union (EU) Very Difficult Questions
If nobody loses a job (or jobs) over this, then the EU basically became no better than Colombia or Nicaragua
Slopwatch: LinuxSecurity, UbuntuPIT, Brian Fagioli, and Google News
We focus on stories that are fake or LLM slop that disguises itself as "news" about Linux
Links 27/10/2025: Wikipedia Vandalism, Bruce Perens Opens up on Childhood
Links for the day
This Site Could Not be Done by LLMs Even If It Wanted to (Because It's Not a Parrot of What Other Sites Say)
LLMs have no knowledge or deep understanding
Microsoft is Disloyal Towards Its Most Loyal Employees
Against its most faithful enablers
19 Years, No Censorship
No factual information is ever going to be removed, more so if it is in the public interest
We Are Not a Conventional Site, That's Why They Hate (or Love) Us
Throughout the week this week we'll be focusing on the EPO
Following the Line of Cocaine All the Way to the Top
Even a million denials and spin-doctoring won't distract from the core issue
The Cocaine Patent Office - Part I: António Campinos Brought Corruption and Nepotism to the EPO, Then Came the Cocaine
High-level manager at the European Patent Office (EPO) caught in public with cocaine, the Office has some answering to do
Purchasing/Possessing Computers Isn't the Same as Controlling Computers
Let's strive to put computers back under the control of their users, no matter who purchased these (usually the users)
Gemini Links 27/10/2025: Alhena 5.4.3 and Fixing Bash
Links for the day
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Sunday, October 26, 2025
IRC logs for Sunday, October 26, 2025
Thankfully We've Made Copies of More Interesting Data From statCounter
If statCounter (the Web site or the 'webapp') vanished overnight, we'd still have something left of it
More Silent Layoffs at IBM/Red Hat
when the media counts such layoffs or presents tallies the numbers are very incomplete