Friday, September 25, 2015

Microsoft security updates violate your privacy

Carl emails to point out some posts he's put up on his blog about security.  Now I've repeatedly advised readers to make sure that they have Windows automatic updates turned on, because Windows has a pretty bad security track record and this is an easy way for people to do something that helps out their security.

Except maybe Microsoft is abusing that trust:
I would hope all Windows users are aware of the deliberate snooping built directly intoWindows 10, and know not to “upgrade” to it. If not, the short form is that MicroNSA believes so strongly in the future of “cloud computing” that it’s going to make Win10 users do it whether they like it or not.
That’s bad.
Worse: It now appears that wasn’t good enough for the NSA’s corporate buttbuddy. They’re pushing a set of updates to Win7 and Win8 that implement some of the same file, email, browsing, and search data snooping to be found in 10.
If you must run Windows, do not upgrade to Windows 10. If you are running 7 or 8, turn off Automatic Updates immediately. Check your system (Control Panel=>Windows Updates=>View Update History) for the following updates:
  • KB3068708
  • KB3022345
  • KB3075249
  • KB3080149
Disable them.
If you aren’t on automatic, check the list of “Updates to install.” If you see them there, right-click on them and “Hide Update.”
These "security" updates are the ones that collect your browsing and usage history and send it to the Borg cloud.  This is a terrible, no good, very bad thing for a security tool to do.  And quite frankly, this is something that security guys have discussed for years, going all the way back to Ken Thompson's Turning Award speech Reflections On Trusting Trust.  For a Turning Award lecture, it's pretty accessible even to lay persons - just skip over the code bits to this part:
The actual bug I planted in the compiler would match code in the UNIX "login" command. The replacement code would miscompile the login command so that it would accept either the intended encrypted password or a particular known password. Thus if this code were installed in binary and the binary were used to compile the login command, I could log into that system as any user. 
It's an undetectable security backdoor introduced from a trusted source - trusted source code, in Thompson's thought experiment.  Microsoft has done something very like this.  "Trust us," they said. "We will keep you secure if you just turn on automatic updates."  And then that trusted channel becomes the means that your privacy is raped and pillaged to fatten their bottom line.

At this point it's clear that most people simply will not be able to keep their Windows computer secure.  People like Carl and myself certainly can, although it looks like we both run Linux Mint (and you should, too).  But people who aren't computer security nerds simply won't have the background to examine every single Microsoft security update and make a rational decision about the risks of installing it vs. the risks of not installing it.

Bottom line: as a security professional I cannot recommend that anyone should run Windows if they care about their security and privacy.  Trust can no longer be trusted, at least from Microsoft.  If there are certain Windows applications that you absolutely cannot live without, then keep a dual-boot system where you can boot up Windows for those times you absolutely need that app, but only run that app.  The rest of the time, run Linux, which won't sell out your privacy to fatten its bottom line.  It will never do that, because Open Source has no bottom line.

And you should read Carl's blog, which has a regular menu of techie geekdom, libertarian rants, and that sort of thing.  Plus humor like 50 Nerds of Grey.  Snerk.


matism said...

I would only add:

"And when you HAVE to run Windows, make sure you disconnect the network cable - or disable the wireless connection - except for whatever amount of time you NEED it to do your work."

Eagle said...

If you HAVE to run Windows because you have one or two Windows applications that you simply cannot run without: use a VM.

Your host system should be either OSX (I know - but it's reasonably secure) or Linux. Both OSX and Linux will run the VMWare or Virtualbox hypervisor.

Install VMware or Virtualbox on your OSX or Linux "host", create a Windows VM "guest", put your indisposable Windows application on the VM - AND NOTHING ELSE - and run your indisposable Windows application - and ONLY that indisposable Windows application - there.

For all other daily work (browsing, email, LibreOffice, calendar and scheduling, etc), use your OSX or Linux system. Put *all* of your valuable files on the OSX or Linux "host", and use the hypervisor's "shared folder" capability to give the Windows VM "guest" access to ONLY those files needed there.

It's not as much work as it seems - and you'll sleep a bit easier knowing that the Windows VM does not have full access to everything you own.

'Course this also means that you've properly configured your OSX or Linux system: firewall, network ports closed unless you're using them, no unnecessary network services running, etc.

cecilhenry said...

Thanks for this. There are so many back door updates that potentially spy or compromise privacy and security it bothers me.

Windows especially but its everywhere.

If you know of any other privacy breaches like this please let others know.

Google does this too. I am so concerned windows will just install Win 10 when I;m not looking.

The whole Windows ONE thing where your computer is always connected to Microsoft version of the Borg is just insane to me. IT really ticks me off that that is the default setting for Windows.

My computer, my system, my privacy.

drjim said...

Thanks for the current "blacklist"!

I only have one Windows 7 machine that I'm tied to for some Ham Radio stuff.

Unfortunately, I can't run that software on a VM because the performance takes too big a hit, and renders the application unusable.

Arthur said...

So about Mint, I have 15 installed on a few systems, and on my work laptop upgraded to the LTS 17. What version are you running?

The 17 LTS version appeared to take everything I liked about Mint(like it just plain working) and broke it.

Oh, running the XFCE version of both 15 and 17 - because I *like* simple/boring in a UI.

Richard said...

Most hard to find. If you have dates when these were put on, it would be most useful.

Ruth said...

Richard: go to the list of installed updates, then enter each update from the post above into the search bar one at a time till you've found and uninstalled each one. Much easier than scanning the list.

I've been trying to find a comprehensive list of these, lots of publicity that Windows is doing it, but no one seemed to have a complete list of which updates!

Richard said...

Ruth- Thanks. I was trying to figure out how to sort the list. I found two of the damn things but couldn't find the other two.

Unknown said...

Typo or auto-correct nazi-bot?

"Ken Thompson's Turning Award"

Should probably be:

"Ken Thompson's Turing Award"

Comrade Misfit said...

I found it works best if you put KB###### into the search block, instead of just the numbr itself.