Article 43

 

Microsoft And Windows

Tuesday, June 04, 2019

Still Looking For Reasons To Keep Away From Windows? Part 22


Russia’s Would-Be Windows Replacement Gets a Security Upgrade

By Patrick Tucker
Defense One
May 28, 2019

For sensitive communications, the Russian government aims to replace the ubiquitous Microsoft operating system with a bespoke flavor of Linux, a sign of the country’s growing IT independence.

For the first time, Russia has granted its highest security rating to a domestically developed operating system, deeming Astra Linux suitable for communications of “special importance” across the military and the rest of the government. The designation clears the way for Russian intelligence and military workers who had been using Microsoft products on office computers to use Astra Linux instead.

There is hope that the domestic OS [operating system] will be able to replace the Microsoft product. “Of course, this is good news for the Russian market,” said German Klimenko, former IT advisor to Russian President Vladimir Putin and chairman of the board of Russia’s Digital Economy Development Fund, a venture capital fund run by the government. Klimenko spoke to the Russian newspaper Izvestia on Friday.

Although Russian officials used Windows for secure communications, they heavily modified the software and subjected Windows-equipped PCs to lengthy and rigorous security checks before putting the computers in use. The testing and analysis was to satisfy concerns that vulnerabilities in Microsoft operating systems could be patched to prevent hacking from countries like the United States. Such evaluations could take three years, according to the newspaper.

A variant of the popular Linux open-source operating system, Astra Linux has been developed over the past decade by Scientific/Manufacturing Enterprise Rusbitech. In January 2018, the Russian Ministry of Defense said it intended to switch to Astra Linux as soon as it met the necessary security standards. Before that, the software had been on some automated control systems, such as the kind sometimes found on air defense systems and some airborne computer systems.

It’s another example of Russia’s self-imposed IT exile, along with the efforts to disconnect the country from the global Internet by 2021 and to create its own domain name service.

“The Russian government doesn’t trust systems developed by foreign companies to handle sensitive data, due to fears of espionage through those systems,” said Justin Sherman, Cybersecurity Policy Fellow at New America. Using domestically produced technologies to manage sensitive data is just another component of the Kremlin’s broader interest in exercising more autonomy over the digital machines and communications within its borders.

Sam Bendett, research analyst with the Center for Naval Analyses’ International Affairs Group, said, “One of the main sticking points for the Russian government was the fact that imported operating systems had vulnerabilities and back doors that Moscow thought could be exploited by international intelligence agencies. This is essentially Russia ensuring its cybersecurity against potential intrusions.”

It’s unsurprising that Moscow distrusts Microsoft software, given that Russian-developed malware, like the NotPetya virus used against energy targets in Ukraine, exploits vulnerabilities in Windows.

Sherman says that while the Russian government may find Astra Linux a suitable substitute for Windows, it’s not a serious competitor anyplace else. There’s no particular reason for others to use this bespoke variant of Linux. Also, suspicion of Russian software has been rising internationally. The country’s most successful and recognized software company, Kaspersky, can no longer sell its wares to the U.S. government. Last May, the cybersecurity firm opened a “transparency lab” in Switzerland in an attempt to assuage jittery European customers.

“If this operating system were to be marketed outside of Russia, the prospects likely aren’t great,” Sherman said. Astra Linux doesn’t exactly have worldwide foothold compared to the systems it’s replacing within Russia, and this is only compounded by the fact that just as the Russian government has security concerns about software made in other countries, other countries may very well have security concerns about using software made in Russia and endorsed by the Russian government.

But, says Bendett, a potential client list for Russian software does exist outside of Russia, just as there is for Russian anti-aircraft systems. “There is a growing list of nations that will probably want to have its main government and military systems run on an OS from a nation more friendly to their interest like Syria.. or other countries where Russia is seeking to make inroads. So the possibility for export definitely exists.”

SOURCE

Posted by Elvis on 06/04/19 •
Section Privacy And Rights • Section Microsoft And Windows

Thursday, May 04, 2017

Book: Down and Out in the New Economy


Homeless and Unemployed in an Economy We’re Supposed to Think Is Liberating
In Ilana Gershon’s new book “Down and Out in the New Economy,” the employer power dynamic is called into question.

By Ilana Gershon
University of Chicago Press
April 27, 2017

The following is an adapted excerpt from the new book Down and Out in the New Economy: How People Find (or Don’t Find) Work Today by Ilana Gershon (University of Chicago Press, April 2017):

Chris, an independent contractor in his midfifties, knows a lot about what it means to deal with an unstable job market, especially during those moments when you are between gigs and don’t know when you are going to get the next one. There was a period in 2012 where he hadn’t had a contracting job for a while, and he had no idea how he was going to pay his rent. He realized he might be able to make his rent for another month, but if he didn’t get a job soon, he might be homeless. He decided that he needed to get his body ready for this very likely possibility. “I started to sleep on the floor a few hours each night, as long as I could take it, so I could get used to sleeping on a sidewalk or on the dirt. That’s how bad it looked. It just seemed hopeless,” Chris said. Out of the blue, a staffing agency based in India contacted him and offered him a contract in the Midwest, giving him enough money to make it through this bad patch. But this stark moment, in which he saw homelessness around the corner, is part and parcel of the downside of careers made up of temporary jobs. Chris responded to this possibility in the way that you are supposed to if you are constantly enhancing yourself. He began to train his body for living on the streets, realizing that he needed to learn how to sleep without a bed. He was determined to be flexible and to adapt to potential new circumstances. Seeing the self as a bundle of skills, in practice, means that for some people enhancing your skills involves training yourself to survive being homeless. This too is a logical outcome of our contemporary employment model.

I have studied how people are responding to this new way of thinking about work and what it means to be a worker. In the United States, people are moving away from thinking that when they enter into an employment contract, they are metaphorically renting their capacities to an employer for a bounded period of time. Many people are no longer using a notion of the self-as-rented-property as an underlying metaphor and are starting to think of themselves as though they are a business, although not everyone likes this new metaphor or accepts all its implications. When you switch to thinking about the employment contract as a business-to-business relationship, much changes - how you present yourself as a desirable employee, what it means to be a good employer, what your relationships with your coworkers should be like, the relationship between a job and a career, and how you prepare yourself for the future.

The self-as-business metaphor makes a virtue of flexibility as well as the practical ways people might respond in their daily lives to conditions of instability and insecurity. As Gina Neff points out in Venture Labor, the model encourages people to embrace risk as a positive, even sought-out, element of how they individually should craft a career. Each time you switch jobs, you risk. You don’t know the amount of time you will have at a job before having to find a new one, and you risk how lucky you will be at getting that job and the next job. And with every job transition, you risk the salary that you might make. If there is a gap between jobs, then some people will find that they no longer experience a reliable, steady, upward trajectory in their salaries as they navigate the contemporary job market. Yet this is what you are now supposed to embrace as liberating.

Chris’s experiences cycling between employment and increasing periods of unemployment were a familiar story for me. I interviewed so many people in their late forties to early sixties who had a few permanent jobs early in their careers. But as companies increasingly focused on having a more transient workforce, these white-collar workers found their career trajectories veering from what they first thought their working life would look like. They thought that they might climb the organizational ladder in one or maybe even three companies over the course of their lifetime. Instead, they found that at some point in their mid to late forties, they started having shorter and shorter stints at different companies. The jobs, some would say, would last as long as a project. And as they grew older, the gaps between permanent jobs could start growing longer and longer. They struggled to make do, often using up their savings or selling their homes as they hoped to get the next job. Some started to find consulting jobs in order to make ends meet before landing the hoped-for permanent job, and then found themselves trapped on the consulting track - living only in the gig economy. True, not everyone felt like contracting was plan B, the option they had to take because of bad luck. In their book about contractors, Steve Barley and Gideon Kunda talk about the people they interviewed who actively chose this life. I met these people too, but they weren’t the majority of the job seekers I interviewed. Because I was studying people looking for a wide range of types of jobs, instead of studying people who already had good relationships with staffing agencies that provided consultants, I tended to meet people who felt their bad luck had backed them into becoming permanent freelancers.
These were people who encountered the self-as-business metaphor as a relatively new model, one they felt they actively had to learn in order to survive in today’s workplace, as opposed to the younger people I interviewed, many of whom had grown up with the self-as-business model as their primary way to understand employment.

When you think of the employment contract in a new way, you often have to revisit what counts as moral behavior, since older frameworks offer substantively different answers to questions of moral business practice. People have to decide what it means for a company to behave well under this new framework. Consider the self-as-business model. What does a good company do to help its workers enhance themselves as allied businesses? What are the limits in what a company should do? What counts as exploitation under this new model? Can businesses do things that count as exploitation or bad practices now that might not have been considered problems earlier, or not considered problems for the same reasons (and thus are regulated or resolved differently)? Businesses are certainly deeply concerned that workers’ actions both at work and outside of work could threaten the company’s brand, a new worry - but this is the tip of the iceberg. And the moral behavior of companies isn’t the only issue. Can workers exploit the companies they align with now or behave badly toward them in new ways?

Yet while these two metaphors - the self-as-property and the self-as-business - encourage people to think about employment in different ways, there are still similarities in how the metaphors ask people to think about getting hired. In both cases, the metaphors are focusing on market choices and asking people to operate by a market logic. Deciding whether to rent your capacities is a slightly different question than deciding whether to enter into a business alliance with someone, but in both instances you are expected to make a decision based on the costs and benefits involved in the decision. In addition, both metaphorical contracts presume that people enter into these contracts as equals, and yet this equality doesn’t last in practice once you are hired. In most jobs, the moment you are hired, you are in a hierarchical relationship; you are taking orders from a boss. Some aspects of working have changed because of this shift in frameworks, but many aspects have stayed the same.

Avoiding Corporate Nostalgia

I talked to people who were thoughtfully ambivalent about this transition in the metaphors underlying employment. They didn’t like their current insecurity, but they pointed out that earlier workplaces weren’t ideal either. Before, people often felt trapped in jobs they disliked and confronted with office politics that were alienating and demoralizing. Like many people today, they dealt with companies in which they were constantly encountering sexism and racism. Not everyone had equal opportunities to move into the jobs they wanted or to be promoted or acknowledged for the work that they did well.

However, as anthropologist Karen Ho points out, when you have a corporate ladder that excludes certain groups of people, you also have a structure that you can potentially reform so that these groups will in the future have equal opportunities. When you have no corporate ladder, when all you have is the uncertainty of moving between companies or between freelance jobs - you no longer have a clear structure to target if you want to make a workplace a fairer environment. If there is more gender equality in the US workplace these days than there was thirty years ago, it is in part because corporate structures were stable enough and reformers stayed at companies long enough that specific business practices could be effectively targeted and reformed. Part of what has changed about workplaces today is that there has been a transformation in the kinds of solutions available to solve workplace problems.

I see what people said to me about their preference for the kinds of guarantees and rights people used to have at work as a form of critique, not a form of nostalgia. People didn’t necessarily want to return to the way things used to be. When people talked to me nostalgically about how workplaces used to function, it was often because they valued the protections they used to be able to rely on and a system they knew well enough to be able to imagine how to change it for the better.

Many people I spoke to were very unhappy with the contemporary workplace’s increasing instability. They worried a great deal about making it financially through the longer and longer dry spells of unemployment between jobs. I talked to a man who was doing reasonably well that year as a consultant, and he began reflecting on what the future would hold for his children. He didn’t want them to follow in his footsteps and become a computer programmer, because too many people like him were contingent workers. He wanted them to have their own families and reasoned: “If everybody thinks they can be laid-off in two weeks, how would they feel confident enough to be a parent and know that they’ve got twenty-one years of consistent investment?”

It is not that the people I spoke to necessarily wanted older forms of work. What many wanted was stability. No matter how many times people are told to embrace being flexible, to embrace risk, in practice many of the people I spoke to did not actually want to live with the downsides of this riskier life. The United States does not have enough safety nets in place to protect you during the moments when life doesn’t work out. Because you are supposed to be looking for a new job regularly over the course of a lifetime, the opportunities when you might become dramatically downwardly mobile increase. There are more possible moments in which you have to enhance your skills at surviving on much less money or even living rough.

Changing Notions of What Counts as a Good Employment Relationship

When people are thought of as businesses, significant aspects of the employment relationship change. The genre repertoire you use to get a job alters to reflect this understanding as you use resumes, interview answers, and other genres to represent yourself as a bundle of business solutions that can address the hiring company’s market-specific temporary needs. Networking has changed - what it means to manage your social relationships so that you can stay employed has shifted. Some people I met are now arguing that you treat the companies you are considering joining in the same way you would treat any other business investment: in terms of the financial and career risk involved in being allied with this company.

It is not just that you evaluate jobs differently when you know that your job is temporary - deciding you can put up with some kinds of inconveniences but not others. Instead, you see the job as a short-term investment of time and labor, and the job had better pay off - perhaps by providing you with new skills, new networks, or a new way of framing your work experiences that makes you potentially more desirable for the next job. What if this new framework allows workers to have new expectations of their employers, or can safeguard workers’ interests in new ways? If you have this perspective, what are the new kinds of demands that employees could potentially make of employers?

For Tom, this new vision of self-as-business was definitely guiding how he was judging the ways companies treated him and what was appropriate behavior. I first contacted Tom because I heard through the grapevine that he refused to use LinkedIn. I was curious, as I had been doing research for seven months by that point and only came across one other person who was not using LinkedIn (and has since rejoined). We talked about his refusal, and he explained to me that LinkedIn didn’t seem to offer enough in return for his data. He clearly saw himself in an exchange relationship with LinkedIn, providing data for it to use and in return having access to the platform. Fair enough, I thought: as far as I can tell, the data scientists at LinkedIn and Facebook whom I have met see the exchange relationship in similar ways. Yet Tom decided that what LinkedIn offered wasn’t good enough. It wasn’t worth providing the company with his personal data. So I asked him about various other sites that he might use in which the exchange might be more equitable, and he lit up talking about these other sites. For Tom, because he saw himself as a business, and viewed his data as part of his assets, he was ready to see LinkedIn as offering a bad business arrangement, one he didn’t want to accept. The self-as-business framework allowed him to see the use of certain platforms as instances of participating in business alliances. Some alliances he was willing to enter into, but not all.

This wasn’t his only encounter with a potentially exploitative business arrangement. He typically worked as an independent contractor, and a company asked him to come in for a job interview. When he got there, his interviewer explained that the position was a sweat equity job - Tom wouldn’t get a salary, but rather he would get equity in the company in exchange for his labor. “Okay,” he replied. “So what is your business model?” His interviewer was surprised and discomforted to be asked this. He refused to answer; employees don’t need to know the details of the company’s business model, he said. Tom felt that this was wrong; because he was being asked to be an investor in the company - admittedly with his labor instead of with money - he felt he should be given the same financial details that any other investor in a company would expect before signing on. It sounded to me like Tom’s interviewer was caught between two models: wanting the possible labor arrangements now available but unwilling to adjust whom he told what. The interviewer was not willing to follow through on the implications of this new model of employment, and as a result, Tom wasn’t willing to take the job. This is one way in which the self-as-business model offers a new way to talk about what counts as exploitation and as inappropriate behavior - behavior that might not have been an issue decades ago, or would have been a problem for different reasons (perhaps because a couple of decades ago, few people found sweat equity an acceptable arrangement).

But this new model also opens up the possibility that companies can have obligations to their employees that they did not have in the same way before. Since companies often don’t offer stable employment, they now provide a temporary venue for people to express their passion and to enhance themselves. Can this look like an obligation that businesses have to their workers? Perhaps - businesses could take seriously what it means to provide workers with the opportunities to enhance themselves. Michael Feher argues that if people are now supposed to see themselves as human capital, there should be a renewed focus on what good investment in people looks like - regardless of whether workers stay at a single company.

Should companies now help provide training for an employee’s next job? Throughout the twentieth century, companies understood that they had to provide their workers training in order for them to do their job at the company to the best of their ability. Internal training made sense both for the company’s immediate interests and for the company’s ability to retain a supply of properly trained workers over the life of the company. Now that jobs are so temporary, who is responsible for training workers is a bit more up in the air. Yet some companies are beginning to offer support for workers to train, not for the benefit of the company, but so that workers can pursue their passion, should they discover that working at that company is not their passion. Amazon, for example, in 2012 began to provide training for employees who potentially want radically different jobs. Jeff Bezos explained in his 2014 letter to shareholders: We pre-pay 95% of tuition for our employees to take courses for in-demand fields, such as airplane mechanic or nursing, regardless of whether the skills are relevant to a career at Amazon. The goal is to enable “choice.” It makes sense for a company to support its workers learning skills for a completely different career only under the contemporary perspective that people are businesses following their passions in temporary alliances with companies.

This model of self-as-business might give workers some new language to protest business practices that keep them from enhancing themselves or entering into as many business alliances as they would like. For example, just-in-time scheduling in practice is currently preventing retail workers from getting enough hours so that they can earn as much as they would like to in a week. This type of scheduling means that workers only find out that week how many hours they are working and when. They can’t expect to have certain hours reliably free, and they need to be available whenever their employer would like them to work. Marc Doussard has found that good workers are rewarded with more hours at work. While white-collar workers might get better pay in end-of-the-year bonuses for seeming passionate, retail workers get more hours in the week. If workers make special requests to have certain hours, Doussard discovered, their managers will often punish them in response, by either giving them fewer hours to work or only assigning them to shifts they find undesirable. In practice, this means that workers have trouble holding two jobs or taking classes to improve themselves, as unpredictable shifts will inevitably conflict with each other or class times. Predictable work hours, in short, are essential for being able to plan for the future - either to make sure you are working enough hours in the week to support yourself or to educate yourself for other types of jobs. Since companies are now insisting that people imagine themselves as businesses, what would happen if workers protested when companies don’t allow them to “invest in themselves” or when they are thwarted from having as many business partnerships (that is, jobs) as possible? Perhaps employees should now be able to criticize and change employers’ practices when they are prevented from being the best businesses they can be because of their employers’ workplace strategies.

SOURCE

Posted by Elvis on 05/04/17 •
Section Bad Moon Rising • Section Revelations • Section American Solidarity • Section Privacy And Rights • Section Broadband Privacy • Section Microsoft And Windows • Section Job Hunt • Section News • Section Telecom Underclass • Section Dying America

Sunday, August 02, 2015

Still Looking For Reasons To Keep Away From Windows? Part 21


Microsoft collects information about you, your devices, applications and networks, and your use of those devices, applications and networks. Examples of data we collect include your name, email address, preferences and interests; browsing, search and file history; phone call and SMS data; device configuration and sensor data; and application usage.

Windows 10 spies on you by default

By Shannon Stapleton
Reuters
July 31, 2015

Microsoft’s new Windows 10 operating system is immensely popular, with 14 million downloads in just two days. The price of the free upgrade may just be your privacy, though, as changing Windows 10’s intrusive default settings is difficult.

Technology journalists and bloggers are singing Windows 10’s praises, often using words such as “amazing,” “glorious” and “fantastic.” The operating system has been described as faster, smoother and more user-friendly than any previous version of Windows. According to Wired magazine, more than 14 million people have downloaded their upgrade since the system was released on Wednesday.

While the upgrade is currently free of charge to owners of licensed copies of Windows 8 and Windows 7, it does come at a price. Several tech bloggers have warned that the privacy settings in the operating system are invasive by default, and that changing them involves over a dozen different screens and an external website.

According to Zach Epstein of BGR News, all of Windows 10’s features that could be considered invasions of privacy are enabled by default. Signing in with your Microsoft email account means Windows is reading your emails, contacts and calendar data. The new Edge browser serves you personalized ads. Solitaire now comes with ads. Using Cortana - the voice-driven assistant that represents Redmond’s answer to Apple’s Siri - reportedly “plays fast and loose with your data.”

“I am pretty surprised by the far-reaching data collection that Microsoft seems to want,” web developer Jonathan Porta wrote on his blog. “I am even more surprised by the fact that the settings all default to incredibly intrusive. I am certain that most individuals will just accept the defaults and have no idea how much information they are giving away.”

As examples, Porta cited Microsoft having access to contacts, calendar details, and “other associated input data” such as “typing” and “inking” by default. The operating system also wants access to user locations and location history, both of which could be provided not just to Microsoft, but to its “trusted partners.”

“Who are the trusted partners? By whom are they trusted? I am certainly not the one doing any trusting right now,” Porta wrote, describing the default privacy options as “vague and bordering on scary.”

Alec Meer of the “Rock, Paper, Shotgun” blog pointed out this passage in Microsoft’s 12,000-word, 45-page terms of use agreement:

“We will access, disclose and preserve personal data, including your content (such as the content of your emails, other private communications or files in private folders), when we have a good faith belief that doing so is necessary to.”

While most people are used to ads as the price of accessing free content, writes Meer, Microsoft is not making it clear enough that they are “gathering and storing vast amounts of data on your computing habits,” not just browser data.

Opting out of all these default settings requires navigating 13 different screens and a separate website, the bloggers have found. 

Meer was underwhelmed with Microsoft executives’ claims of transparency and easily understandable terms of use. “There is no world in which 45 pages of policy documents and opt-out settings split across 13 different Settings screens and an external website constitutes real transparency,” he wrote.

Tracking and harvesting user data has been a business model for many tech giants. Privacy advocates have raised concerns over Google’s combing of emails, Apple’s Siri, and Facebook’s tracking cookies that keep monitoring people’s browser activity in order to personalize advertising and content.

SOURCE

Posted by Elvis on 08/02/15 •
Section Privacy And Rights • Section Microsoft And Windows

Saturday, June 22, 2013

Looking For A Reason Not to Buy An Xbox?


New Xbox by NSA partner Microsoft will watch you 24/7

Daily Caller
June 7, 2013

Possible privacy violations by Microsoft’s upcoming Xbox One have come under new scrutiny since it was revealed Thursday that the tech giant was a crucial partner in an expansive Internet surveillance program conducted by the National Security Agency and involving Silicon Valley’s biggest players.

One of the console’s key features is the full integration of the Kinect, a motion sensing camera that allows users to play games, scroll through menus, and generally operate the Xbox just using hand gestures. Microsoft has touted the camera as the hallmark of a new era of interactivity in gaming.

What Microsoft has not promoted, however, is the fact that you will not be able to power on the console without first enabling the Kinect, designed to detect both heartbeats and eye movement, and positioning yourself in front of it.

Disturbingly, a recently published Microsoft patent reveals the Kinect has the capability to determine exactly when users are viewing ads broadcast by the Xbox through its eye movement tracking. Consistent ad viewers would be granted rewards, according to the patent.

Perhaps the feature most worrisome to privacy advocates is the requirement that the Xbox connect to the Internet at least once every 24 hours. Many critics have asserted that Microsoft will follow the lead of other Silicon Valley companies and use their console to gather data about its users, particularly through the Kinect, and collect it through the online connection users can’t avoid.

Microsoft has promised that customers will be able to pause the camera’s function, but has put off questions on the precise specifics of its privacy policies.

SOURCE

Posted by Elvis on 06/22/13 •
Section Privacy And Rights • Section Microsoft And Windows

Saturday, June 08, 2013

Still Looking For Reasons To Keep Away From Windows? Part 20


How NSA access was built into Windows

By Duncan Campbell
Heise Security
April 4, 1999

A careless mistake by Microsoft programmers has revealed that special access codes prepared by the US National Security Agency have been secretly built into Windows. The NSA access system is built into every version of the Windows operating system now in use, except early releases of Windows 95 (and its predecessors). The discovery comes close on the heels of the revelations earlier this year that another US software giant, LOTUS, had built an NSA “help information” trapdoor into its Notes system, and that security functions on other software systems had been deliberately crippled.

The first discovery of the new NSA access system was made two years ago by British researcher Dr Nicko van Someren. But it was only a few weeks ago when a second researcher rediscovered the access system. With it, he found the evidence linking it to NSA.

Computer security specialists have been aware for two years that unusual features are contained inside a standard Windows software “driver” used for security and encryption functions. The driver, called ADVAPI.DLL, enables and controls a range of security functions. If you use Windows, you will find it in the C:\Windows\system directory of your computer.

ADVAPI.DLL works closely with Microsoft Internet Explorer, but will only run cryptographic functions that the US government allows Microsoft to export. That information is bad enough news, from a European point of view. Now, it turns out that ADVAPI will run special programmes inserted and controlled by NSA. As yet, no-one knows what these programmes are, or what they do.

Dr Nicko van Someren reported at last year’s Crypto 98 conference that he had disassembled the ADVAPI driver. He found it contained two different keys. One was used by Microsoft to control the cryptographic functions enabled in Windows, in compliance with US export regulations. But the reason for building in a second key, or who owned it, remained a mystery.

A second key

Two weeks ago, a US security company came up with conclusive evidence that the second key belongs to NSA. Like Dr van Someren, Andrew Fernandes, chief scientist with Cryptonym of Morrisville, North Carolina, had been probing the presence and significance of the two keys. Then he checked the latest Service Pack release for Windows NT4, Service Pack 5. He found that Microsoft’s developers had failed to remove or “strip” the debugging symbols used to test this software before they released it. Inside the code were the labels for the two keys. One was called “KEY”. The other was called “NSAKEY”.

Fernandes reported his re-discovery of the two CAPI keys, and their secret meaning, to the “Advances in Cryptology, Crypto’99” conference held in Santa Barbara. According to those present at the conference, Windows developers attending the conference did not deny that the “NSA” key was built into their software. But they refused to talk about what the key did, or why it had been put there without users’ knowledge.

A third key?!

But according to two witnesses attending the conference, even Microsoft’s top crypto programmers were astonished to learn that the version of ADVAPI.DLL shipping with Windows 2000 contains not two, but three keys. Brian LaMacchia, head of CAPI development at Microsoft, was “stunned” to learn of these discoveries by outsiders. The latest discovery by Dr van Someren is based on advanced search methods which test and report on the “entropy” of programming code.
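The idea behind such an entropy search can be sketched as a sliding-window byte-entropy scan: key material has a nearly flat byte distribution, while compiled code repeats a small set of opcodes. This is an added example, not Dr van Someren's tool or code from the article; the function names, window size, threshold and sample buffer are all assumptions constructed for illustration.

```python
import math
from collections import Counter

def shannon_entropy(window: bytes) -> float:
    """Shannon entropy of the byte-value distribution, in bits per byte."""
    n = len(window)
    return -sum(c / n * math.log2(c / n) for c in Counter(window).values())

def high_entropy_regions(data: bytes, window: int = 64, step: int = 16,
                         threshold: float = 5.5):
    """Slide a window over data and return merged (start, end) offsets of
    windows at or above threshold. A 64-byte window tops out at
    log2(64) = 6 bits, so 5.5 means almost every byte in it is different."""
    regions = []
    for off in range(0, len(data) - window + 1, step):
        if shannon_entropy(data[off:off + window]) < threshold:
            continue
        end = off + window
        if regions and off <= regions[-1][1]:
            regions[-1] = (regions[-1][0], end)  # overlaps the previous hit
        else:
            regions.append((off, end))
    return regions

# Constructed sample data (not taken from any real binary):
# a repetitive 16-byte x86-style sequence stands in for compiled code ...
CODE_LIKE = bytes.fromhex("558bec83ec108b4508" "8945fc5dc39090")
# ... and 128 distinct byte values stand in for an embedded 1024-bit key.
KEY_BLOB = bytes((i * 167 + 13) % 256 for i in range(128))

def build_sample():
    """Return (buffer, key_start, key_end) with the blob buried in 'code'."""
    before = CODE_LIKE * 64
    return before + KEY_BLOB + CODE_LIKE * 64, len(before), len(before) + len(KEY_BLOB)

if __name__ == "__main__":
    sample, key_start, key_end = build_sample()
    print("key blob planted at", (key_start, key_end))
    for start, end in high_entropy_regions(sample):
        print(f"high-entropy region {start:#06x}-{end:#06x}")
```

The reported region is slightly wider than the planted blob because windows that straddle its edges can still exceed the threshold; a smaller step narrows the boundary at the cost of more windows to score.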

Within the Microsoft organisation, access to Windows source code is said to be highly compartmentalized, making it easy for modifications to be inserted without the knowledge of even the respective product managers.

Researchers are divided about whether the NSA key could be intended to let US government users of Windows run classified cryptosystems on their machines or whether it is intended to open up anyone’s and everyone’s Windows computer to intelligence gathering techniques deployed by NSA’s burgeoning corps of “information warriors”.

According to Fernandes of Cryptonym, the result of having the secret key inside your Windows operating system “is that it is tremendously easier for the NSA to load unauthorized security services on all copies of Microsoft Windows, and once these security services are loaded, they can effectively compromise your entire operating system”. The NSA key is contained inside all versions of Windows from Windows 95 OSR2 onwards.

“For non-American IT managers relying on Windows NT to operate highly secure data centres, this find is worrying”, he added. “The US government is currently making it as difficult as possible for “strong” crypto to be used outside of the US. That they have also installed a cryptographic back-door in the world’s most abundant operating system should send a strong message to foreign IT managers”.

“How is an IT manager to feel when they learn that in every copy of Windows sold, Microsoft has a ‘back door’ for NSA - making it orders of magnitude easier for the US government to access your computer?” he asked.

Can the loophole be turned round against the snoopers?

Dr van Someren feels that the primary purpose of the NSA key inside Windows may be for legitimate US government use. But he says that there cannot be a legitimate explanation for the third key in Windows 2000 CAPI. “It looks more fishy”, he said.

Fernandes believes that NSA’s built-in loophole can be turned round against the snoopers. The NSA key inside CAPI can be replaced by your own key, and used to sign cryptographic security modules from overseas or unauthorised third parties, unapproved by Microsoft or the NSA. This is exactly what the US government has been trying to prevent. A demonstration “how to do it” program that replaces the NSA key can be FOUND on Cryptonym’s WEBSITE.

According to one leading US cryptographer, the IT world should be thankful that the subversion of Windows by NSA has come to light before the arrival of CPUs THAT HANDLE ENCRYPTED INSTRUCTION SETS. These would make the type of discoveries made this month impossible. “Had the next-generation CPUs with encrypted instruction sets already been deployed, we would have never found out about NSAKEY.”

SOURCE

Posted by Elvis on 06/08/13 •
Section Privacy And Rights • Section Microsoft And Windows