Surprise! W7 and W8 will behave like W10

For discussions about security.
prehistoric
Posts: 1744
Joined: Tue 23 Oct 2007, 17:34

#1 Post by prehistoric »

This started as a rant in another topic (moved here to avoid hijacking a thread), triggered by this quote:
Kai wrote:...Hopefully now i can ditch windows completely as i'm not happy about this news that Microsoft plans on adding all the Windows 10 spyware to both windows 7 and 8.
Was there ever any doubt about the direction they were going?

Added: Here's the reference where I learned about this change.

What has changed is that free software can pay by turning customers into products you can resell. The fact that people paid for something in the past does not exempt them from contributing to current revenue enhancement schemes. Privacy policies amount to declarations of intent that "we respect your privacy, and we'll still respect it in the morning." It is not clear that these place any meaningful restrictions on those who issue them to prevent resale of data to people who will use these in ways nobody has considered. (This protects the company selling that data from charges of criminal intent. Without criminal intent there can be no crime. Civil suits are based on specific harms like torts. When the trail of events is long and twisty, not to mention hidden by non-disclosure agreements, the chances of recovering damages are virtually zero.)

If you check your EULA you will see that M$ can change the terms at will. This is less an agreement between independent people than an oath of fealty.

Those who rely on assurances of anonymity should be aware that a modern researcher with computer access to public records was able to identify about 97% of those who contributed anonymous data to the original Kinsey report, and none of them used Facebook.

This doesn't let other companies off the hook. Google also collects a great deal of data about your on-line habits. It is clear they are reselling information to advertisers, which results in targeted ads. Google also provides a good bit of free software like Chrome and Android, for which source is available. A big difference between Google and M$ is that M$ demands you accept an agreement stating you won't even think about how their software works. If you happen to figure anything out, you are forbidden to tell anyone.

They specifically rule out reverse engineering (which was used to construct BASIC interpreters, MSDOS and the ubiquitous non-IBM BIOS) and even work-arounds to defeat limitations of the software. (At one time, when M$ didn't have networking, something called NETBIOS provided a workaround for IBM machines that M$ was happy to have available. This would be legally impossible today.)

From the beginning M$ was built around grabbing all the intellectual property which was not nailed down and defended by packs of vicious attorneys, with every aspect of business protected by non-disclosure agreements. When they wanted to do something dodgy with potential blowback they always worked through other companies that could be folded up without harming M$.

This has recently become an issue with the discovery that National Security Letters can be used to compel a company to release data to the NSA, FBI, etc. while preventing even disclosure of the fact that such things exist.

If you take a look at the available text of contracts between businesses in different countries working with M$ you will find that these declare they always comply with the laws of that country. The laws of, for example, China, Russia (or even France or Germany) are likely to be firm on the subject of making data available to organs of state security.

So if a Chinese company (to choose a random example) signs a non-disclosure agreement with M$, and later provides the Chinese government with full source for Windows, and a list of zero-day exploits, M$ is off the hook. Likewise, if that company inserts code in the version of Windows on machines it ships making them vulnerable to hacking, once again this has nothing to do with M$.

We have heard about U.S. companies inserting backdoors in networking equipment the NSA could exploit. The subject of backdoors in Chinese networking equipment remains open.

The entire M$ empire was built around acquisition of intellectual property, non-disclosure agreements and limitation of legal liability. What seemed harmless in a U.S. context now has become questionable. The whole subject of what this means in other legal environments is largely unexplored.

The underlying philosophy has been that it is OK for the "right people" to hold all kinds of secrets about devices we use, and how we use them, so long as they prevent the "wrong people" from finding out. The whole subject of security was essentially non-existent at the beginning, and has proceeded along the lines of "security through obscurity" ever since. The shoe which has not dropped is the extent to which M$ created a system vulnerable to exploitation, more by incompetence than intent, while actively cooperating with what they considered "the right people".

This has failed to such a remarkable extent that someone (allegedly Chinese) now has the SF 86 forms filled out by millions of people applying for U.S. security clearances. If you haven't had any contact with this subject you would be amazed at the intrusive nature of those questions. It appears that nobody is able to protect large collections of highly-sensitive information adequately. On the other hand, efforts to limit the collection of such information in a wide range of far less obvious contexts have been remarkably ineffectual.

You can find discussion of the problem in books like Data and Goliath by Bruce Schneier. A U.S. police perspective can be found in the book Future Crimes by Marc Goodman.

Unfortunately, the first example Goodman uses is the hack attack on Mat Honan of Wired. This took place in 2012, and cost him $1,690 just for partial data recovery from an SSD. We won't calculate the cost of the time and effort. He had the advantage of personal contacts all over the high-tech industries. He was using Apple devices, knowing full well the vulnerabilities of Windoze.

Hey Marc, 2012 is no longer the future.

Both Goodman and Schneier give M$ remarkably little blame for creating a situation ripe for exploitation. I wonder how much of their inside information came with NDAs attached. Even without these, I'm sure many of their sources would dry up if they exposed some information they have.

Schneier makes a serious error of omission by not noticing that Edward Snowden made a big mistake if he thought the governments of China or Russia were defenders of individual privacy and freedom of expression. As it happens, we just passed an important milestone concerning the subject in Russia. Here's a link to a source with a detectable bias. Unfortunately, what they say can be confirmed via other sources.

The relationship between M$ and a wide range of security companies in different legal environments needs to be explored. What have they provided these companies, without ever mentioning the tacit assumption that this information will go straight to organs of state security?

Perhaps, you feel that you can trust Russia's FSB more than the NSA, CIA or FBI. You will definitely need to trust them, because they are deep in the Internet security business.

With this information in hand, the surprising breach of Kaspersky's systems assumes a different character. We are already far into the era of cyber warfare between nation states.
Last edited by prehistoric on Fri 04 Sep 2015, 12:03, edited 1 time in total.

rokytnji
Posts: 2262
Joined: Tue 20 Jan 2009, 15:54

#2 Post by rokytnji »

Pretty Brave New World Heady reading there prehistoric.
Pretty Grim and Depressing also.

Glad I only tune motorcycles with my Windows 7 laptop.
Think I might use the system restore partition and turn off all updates
after reading your post, but my DRM motorcycle software costs make that route too prohibitive.

So it will stay off line 99% of the time. With updates disabled from now on.

Here are some links. To put the fear of god into some. Probably make others yawn in boredom. I figure this thread should have them though.

http://www.systemdetails.com/index.php

http://silkworth.net/browser_os/basic.html

http://whatsmyos.com/

http://www.thismachine.info/

Ignorance is bliss. I popped that bubble in my mind ages ago. But I knew this back when my wife bought me my new Iphone 5S out of love and worry and care for my well being.

If you want to stay connected. Just take a moment and try and not be surprised by what bloated bloody leech may be connected to you.

Nice thread prehistoric
nic007
Posts: 3408
Joined: Sun 13 Nov 2011, 12:31
Location: Cradle of Humankind

#4 Post by nic007 »

I'm a Windows XP user. Already patched and updated to the full. :lol:

musher0
Posts: 14629
Joined: Mon 05 Jan 2009, 00:54
Location: Gatineau (Qc), Canada

#5 Post by musher0 »

Food for thought indeed. Thanks, prehistoric.
musher0
~~~~~~~~~~
"You want it darker? We kill the flame." (L. Cohen)

perdido
Posts: 1528
Joined: Mon 09 Dec 2013, 16:29
Location: ¿Altair IV , Just north of Eeyore Junction.?

#6 Post by perdido »

nic007 wrote:I'm a Windows XP user. Already patched and updated to the full. :lol:

Some thoughts on the update hack. On my hacked Winxp, the dword value on the PosReady key changed from 00000001 to 00000001 (1) after I received the latest updates. Did not bother me until I tried to change it back to 00000001. Nope, would not permit it. Tried to delete the PosReady key. Nope. Tried to modify the key with the original .reg file I made, changed the dword in the file and applied. Nope. Went to safe mode, Nope. Nothing worked so I rolled it back.

I wonder if MS is sneaky enough to identify the machines with the hack and send them a special update that does data mining similar to Win7 and Win8?

prehistoric
Posts: 1744
Joined: Tue 23 Oct 2007, 17:34

#7 Post by prehistoric »

More food for thought: Apple had a statement commonly called a "warrant canary" in their privacy policy which stated they had never been served with a NSL. This has disappeared.

You may also be interested in what Google's user agreement for Gmail says about access to your messages. Rather than try to analyze that legal language I ran a simple test. Yep, spam related to content which was in my Gmail messages, but not in regular email, promptly appeared.

This is not exactly a new concern.

It is hard to see that users of Facebook and Twitter have much reasonable expectation of privacy. Of course other companies want you to expose yourself on their on-line services, like Google+, Yahoo! or Skype.

I had used Skype for years before M$ bought it, and promptly noticed when the new, improved Skype installed Browser-Helper Objects which turned out to monitor every click on any popular browser, not only IE, just in case it might turn out to initiate a telephone call. They say this is not used for any other purpose, but we have to trust them since the code is proprietary. Since we now know what implicit terms of service allowed in those cases above, I would not place too much confidence in those assurances about BHOs.

I suppose it goes without saying that installing Skype now changes your search engine to bing if you don't uncheck a box.

prehistoric
Posts: 1744
Joined: Tue 23 Oct 2007, 17:34

#8 Post by prehistoric »

Oh, BTW, one friend who thought that editing the hosts file would be enough to protect him from leaking everything M$ wanted to know didn't know about the use of hard-coded network addresses.

If you can't read the code, you have to assume it is working for Big Brother.

Eugene Kaspersky denies many allegations in the Bloomberg article linked above. He wasn't actually in the KGB, he just attended a cryptography school they ran. He didn't work for the FSB, but he did work for the GRU (Russian Military Intelligence). He has said data his company collects on users is carefully anonymized, but we have seen that fail repeatedly in other cases. Finally, we have questions about the security of data the company holds following a breach that lasted more than a year.

My argument above is that all the people supplying computer security are subject to demands from national authorities. Furthermore, even the most sensitive data collected by those authorities may not be well defended against a competent attack.

prehistoric
Posts: 1744
Joined: Tue 23 Oct 2007, 17:34

#9 Post by prehistoric »

Here's the nugget from 45 pages of license agreement/terms of service:

"We will access, disclose and preserve personal data, including your content (such as the content of your emails, other private communications or files in private folders), when we have a good faith belief that doing so is necessary,"

Note that the only thing protecting you from Microsoft is their good faith.

cimarron
Posts: 292
Joined: Fri 31 May 2013, 01:57

#10 Post by cimarron »

A little context:
Mandatory Disclosures

We may access, disclose and preserve your personal information, including your private content (such as the content of your emails, other private communications or files in private folders), when we have a good faith belief that doing so is necessary to:

(1) comply with applicable law or respond to valid legal process from competent authorities, including from law enforcement or other government agencies;

(2) protect our customers, for example to prevent spam or attempts to defraud users of the services, or to help prevent the loss of life or serious injury of anyone;

(3) operate and maintain the security of our services, including to prevent or stop an attack on our computer systems or networks; or

(4) protect the rights or property of Microsoft, including enforcing the terms governing the use of the services – however, if we receive information indicating that someone is using our services to traffic in stolen intellectual or physical property of Microsoft, we will not inspect a customer’s private content ourselves, but we may refer the matter to law enforcement.

Burn_IT
Posts: 3650
Joined: Sat 12 Aug 2006, 19:25
Location: Tamworth UK

#11 Post by Burn_IT »

prehistoric wrote:Note that the only thing protecting you from Microsoft is their good faith.

They were referring to court orders and police/government orders which they have fought in the past.


Edit:
Didn't see the above till after I'd replied
"Just think of it as leaving early to avoid the rush" - T Pratchett

prehistoric
Posts: 1744
Joined: Tue 23 Oct 2007, 17:34

#12 Post by prehistoric »

They were referring to orders which they have sometimes fought, when they felt like it. Considering the number of National Security Letters which have been issued, and the little we have heard about these disputes, it is an obvious inference that they have provided such data far more often than we know.

When I once asked someone I knew worked for the NSA if they had ever broken strong encryption like HTTPS, the response was not what I expected. "We've never needed to."

The reference to "good faith", "belief" and "necessary" pretty well gives attorneys the ability to interpret this any way they want.

There is explicit reference to protecting Microsoft's intellectual property. You won't find much evidence in these documents that end users ever generate intellectual property. One aspect of this imbalance is that all the data collected from monitoring you becomes the intellectual property of Microsoft.

Even if you feel you can trust Microsoft and the NSA/FBI/CIA or GCHQ/MI5-6, you might feel nervous about what happens when they do business in countries with different legal systems which give organs of state security access to everything. (You might check on laws about government monitoring of private individuals in France or Germany. This still tells you nothing about what happens in countries where corruption is endemic.)

How often has Microsoft pulled its business out of a country because of such disputes?

prehistoric
Posts: 1744
Joined: Tue 23 Oct 2007, 17:34

#13 Post by prehistoric »

I'm still surprised that there hasn't been a groundswell of public outrage.

That keylogging behavior in the OS means they capture all passwords, CAPTCHAs, etc. used to verify your identity and financial obligations. This is an obvious target for system crackers.

More to the point, I wonder how many doctor's offices, law offices and financial institutions have figured out how to avoid having data collected from their machines. Most don't seem to be aware.

I can also report that the U.S. military uses Windows almost everywhere, even in extremely sensitive facilities like PANTEX. I suppose Microsoft provides them with more secure versions. This didn't work too well at the Office of Personnel Management.

I expect Microsoft has behaved as usual, by creating a problem for some people, then selling the solution to that problem to others.
