Microsoft Accidentally Released a Backdoor to the World

 

Remember the iPhone mess, when half the country was yelling for the government to have access to encrypted machines, and the other half was yelling back about the foolishness of that idea? Well, Microsoft just found its private access codes leaked, seriously compromising the security of its tablet and mobile devices (PCs are unaffected).

First, a little background. Newer Windows computers that use UEFI (the modern replacement for good old BIOS) have a feature called “Secure Boot” to make sure only the Right Software gets to be the operating system on the computer. This has genuinely positive security implications (making sure that on your laptop, only your OS and not some malware lookalike is in charge). As in all things computers, the only way to ensure the validity of images is through cryptographic means: encryption and its twin, signing files. Microsoft, however, wanted the ability to circumvent these restrictions; presumably the security got in the way of development, where files change every minute instead of every upgrade. This was where they got into trouble.

Microsoft created a special shim that disabled all of Secure Boot’s verification checks, probably for internal convenience. That shim got copied to devices that ended up in the hands of security researchers. Now it’s out in the world, and Microsoft can’t do anything to stop it, try as they might.

But don’t worry. I’m sure that if the government had the special shim, it would still be secure.
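The failure described above, as a toy model added here (not Microsoft's code and not part of the original post): a loader that honours any vendor-signed "verification off" policy will boot an unsigned image on every device that trusts the vendor key. The key, stage names and policy format are constructed, and HMAC stands in for real public-key signatures.

```python
import hashlib
import hmac
import json

# Constructed demo key. Real Secure Boot verifies public-key signatures;
# HMAC stands in here only so the example runs on the standard library.
VENDOR_KEY = b"constructed-vendor-key"
# Hypothetical policy format: a signed blob that turns verification off.
BYPASS_POLICY = json.dumps({"verify": False}).encode()


def sign(blob: bytes) -> bytes:
    return hmac.new(VENDOR_KEY, blob, hashlib.sha256).digest()


def is_signed(blob: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(blob), sig)


def boot(stages, honour_bypass):
    """Walk (name, blob, sig) stages in order and return (booted, log).

    A correctly signed BYPASS_POLICY stage switches checking off for every
    later stage, but only when the loader was built with honour_bypass=True.
    """
    enforcing, log = True, []
    for name, blob, sig in stages:
        if enforcing and not is_signed(blob, sig):
            log.append(f"{name}: REJECTED (bad signature)")
            return False, log
        log.append(f"{name}: {'verified' if enforcing else 'NOT CHECKED'}")
        if enforcing and honour_bypass and blob == BYPASS_POLICY:
            enforcing = False
            log.append(f"{name}: verification disabled by signed policy")
    return True, log


LOADER = b"vendor boot loader"
UNSIGNED_OS = b"image nobody signed"

# Constructed chains: the second carries the leaked, validly signed bypass.
normal_chain = [("loader", LOADER, sign(LOADER)), ("os", UNSIGNED_OS, b"")]
leaked_chain = [("loader", LOADER, sign(LOADER)),
                ("policy", BYPASS_POLICY, sign(BYPASS_POLICY)),
                ("os", UNSIGNED_OS, b"")]

if __name__ == "__main__":
    for label, chain, flag in [("normal", normal_chain, True),
                               ("leaked bypass", leaked_chain, True),
                               ("no bypass path", leaked_chain, False)]:
        booted, log = boot(chain, flag)
        print(label, "->", "boots" if booted else "halts", log)
```

The signature on the bypass policy is genuine, so nothing in the chain can tell it apart from legitimate vendor software; only a loader with no bypass path at all halts on the unsigned image.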

Published in Domestic Policy

There are 28 comments.

  1. Arahant Member
    Arahant
    @Arahant

    kidCoder: But don’t worry. I’m sure that if the government had the special shim, it would still be secure.

    You’re a laugh riot, Kid.

    • #1
  2. Annefy Member
    Annefy
    @Annefy

    So, Kid, what should I be worried about?

    • #2
  3. Arahant Member
    Arahant
    @Arahant

    Annefy:So, Kid, what should I be worried about?

    How to change your system to a Linux based system?

    • #3
  4. Titus Techera Contributor
    Titus Techera
    @TitusTechera

    Thanks for the news. Can you keep us posted if anything should happen as fallout?

    Also, but unrelated, is there any way–shy of taking over a small country, training a new model army & invading America discreetly–I can stop Microsoft from endlessly updating my win10?

    • #4
  5. BrentB67 Inactive
    BrentB67
    @BrentB67

    This should end well.

    • #5
  6. Annefy Member
    Annefy
    @Annefy

    Annefy:So, Kid, what should I be worried about?

    How to change your system to a Linux based system?

    Annefy:

    I can probably figure out how to do that.

    But what should I be worried about if I DON’T do that?

    Are you saying that the backdoor is out there in many, many hands and anyone running Microsoft should be worried about their personal data?

    Should we be worried if for some reason we’d be targeted (because we’re a politician or gotten on somebody’s enemies’ list) or is my mom’s social security # at risk (I handle her finances)?

    In other words, should I start deleting my emails now? Or is it too late?

    • #6
  7. Guruforhire Inactive
    Guruforhire
    @Guruforhire

    Arahant:

    How to change your system to a Linux based system?

    Annefy:

    I can probably figure out how to do that.

    Depends on the distro and the computer. When I was messing with Debian I had to turn off Secure Boot; Ubuntu says they have it working with some computers…. So….

    But you have to have a device that lets you disable it.

    • #7
  8. Chris B Member
    Chris B
    @ChrisB

    A Microsoft spokesperson told ZDNet

    “The jailbreak technique described in the researchers’ report on August 10 does not apply to desktop or enterprise PC systems. It requires physical access and administrator rights to ARM and RT devices and does not compromise encryption protections.”

    The only thing that this really does is make it possible to install non-Microsoft operating systems on Windows RT Certified hardware (tablets using ARM processors). On x86 based hardware, which comprises the vast majority of Windows based computers, it was already possible to simply disable Secure Boot with physical access to the hardware.

    There is some additional concern that now root kit malware can be created to exploit this vulnerability on Windows phones and tablets. It would have to be installed from a bootable device (like a USB drive).

    It also means that someone could theoretically perform a brute force decryption of a Windows RT device given enough time and physical access to the device. The Apple case has already revealed that there are faster and easier ways to defeat such encryption, however.

    • #8
  9. Eric Wallace Inactive
    Eric Wallace
    @EricWallace

    Titus Techera:Thanks for the news. Can you keep us posted if anything should happen as fallout?

    Also, but unrelated, is there any way–shy of taking over a small country, training a new model army & invading America discreetly–I can stop Microsoft from endlessly updating my win10?

    Nope. Which sucks if your computer is getting hosed by the Anniversary update.

    • #9
  10. Titus Techera Contributor
    Titus Techera
    @TitusTechera

    I will seek revenge on Mr. Gates & his boringly evil empire.

    • #10
  11. Eric Wallace Inactive
    Eric Wallace
    @EricWallace

    Titus Techera:I will seek revenge on Mr. Gates & his boringly evil empire.

    Dude, Linux. The real hackers will rise again.

    • #11
  12. Fake John/Jane Galt Coolidge
    Fake John/Jane Galt
    @FakeJohnJaneGalt

    Eric Wallace:

    Titus Techera:I will seek revenge on Mr. Gates & his boringly evil empire.

    Dude, Linux. The real hackers will rise again.

    Real hackers use abacuses.  An ancient unhackable technology passed down from our forefathers.

    • #12
  13. kidCoder Member
    kidCoder
    @kidCoder

    Annefy:So, Kid, what should I be worried about?

    Nothing. It’s not that important a key unless your Windows 8 or 10 machine refuses to let you turn off Secure Boot, and even then the most major thing you might do is install Linux, or possibly install a rootkit and take over your computer. To do so would require clicking on bad links in spam emails and classic methods of malware entry like that.

    • #13
  14. kidCoder Member
    kidCoder
    @kidCoder

    Titus Techera:Thanks for the news. Can you keep us posted if anything should happen as fallout?

    Also, but unrelated, is there any way–shy of taking over a small country, training a new model army & invading America discreetly–I can stop Microsoft from endlessly updating my win10?

    That’s easy. When they present you with the terms of service for upgrading to Windows 10, reject your many many years of training and deny the license agreement.

    • #14
  15. Titus Techera Contributor
    Titus Techera
    @TitusTechera

    kidCoder:

    Titus Techera:Thanks for the news. Can you keep us posted if anything should happen as fallout?

    Also, but unrelated, is there any way–shy of taking over a small country, training a new model army & invading America discreetly–I can stop Microsoft from endlessly updating my win10?

    That’s easy. When they present you with the terms of service for upgrading to Windows 10, reject your many many years of training and deny the license agreement.

    That ship sailed-

    • #15
  16. kidCoder Member
    kidCoder
    @kidCoder

    Annefy:

    Arahant

    Annefy:So, Kid, what should I be worried about?

    How to change your system to a Linux based system?

    Annefy:

    I can probably figure out how to do that.

    But what should I be worried about if I DON’T do that?

    Are you saying that the backdoor is out there in many, many hands and anyone running Microsoft should be worried about their personal data?

    Should we be worried if for some reason we’d be targeted (because we’re a politician or gotten on somebody’s enemies’ list) or is my mom’s social security # at risk (I handle her finances)?

    In other words, should I start deleting my emails now? Or is it too late?

    A single security measure is gone. In this case, unlike in the case of a backdoor to all crypto, very little harm can actually be caused without physical access to your device. Your data is as safe as ever, assuming you are not stupid around links to viruses, stray flashdrives at hacker conferences, or the like.

    • #16
  17. The Reticulator Member
    The Reticulator
    @TheReticulator

    Titus Techera:Thanks for the news. Can you keep us posted if anything should happen as fallout?

    Also, but unrelated, is there any way–shy of taking over a small country, training a new model army & invading America discreetly–I can stop Microsoft from endlessly updating my win10?

    I am surprised that I haven’t heard more complaints about this. Maybe it proves that I really am completely retired from the business now.

    • #17
  18. Austin Murrey Inactive
    Austin Murrey
    @AustinMurrey

    You’re looking at this all wrong, it’s a great business opportunity.

    I’m pretty sure this means we should start a new computer security firm to provide physical protection to Windows devices. If the Secret Service can guard Hillary’s server we can dispatch our employees to guard everyone else’s.

    • #18
  19. Casey Inactive
    Casey
    @Casey

    @phcheese sold me a lifetime supply of aluminum foil to wrap around my computers.  So far, so good.

    • #19
  20. Matt Upton Inactive
    Matt Upton
    @MattUpton

    kidCoder: Your data is as safe as ever, assuming you are not stupid around links to viruses, stray flashdrives at hacker conferences, or the like.

    *wakes up with piles of flash drives scattered around the house* Don’t tell me how to live my life.

    • #20
  21. Percival Thatcher
    Percival
    @Percival

    Austin Murrey:You’re looking at this all wrong, it’s a great business opportunity.

    I’m pretty sure this means we should start a new computer security firm to provide physical protection to Windows devices. If the Secret Service can guard Hillary’s server we can dispatch our employees to guard everyone else’s.

    “Ricochet TechSec: We’ll Wipe Your Servers — With a Cloth!”

    • #21
  22. PHenry Inactive
    PHenry
    @PHenry

    KidCoder on the main feed, congrats!

    • #22
  23. George Savage Member
    George Savage
    @GeorgeSavage

    The Microsoft breach is a vivid example in support of Apple’s position regarding encryption. Recall that Tim Cook recently took a lot of flak for fighting a court order mandating that Apple deploy its engineers to create a skeleton key for iPhone. Cook reasoned, correctly, given Microsoft’s experience, that the very existence of a backdoor circumventing the many layers of iPhone security pretty much guarantees an eventual leak, inevitably compromising customer data security and Apple’s long-term business prospects.

    • #23
  24. Misthiocracy Member
    Misthiocracy
    @Misthiocracy

    kidCoder: … seriously compromising the security of its tablet and mobile devices (PCs are unaffected).

    My gawd! This could affect dozens of people worldwide!

    • #24
  25. Titus Techera Contributor
    Titus Techera
    @TitusTechera

    Misthiocracy:

    kidCoder: … seriously compromising the security of its tablet and mobile devices (PCs are unaffected).

    My gawd! This could affect dozens of people worldwide!

    You get the Austin Powers trophy for this one, Misthio. Keep it up!

    • #25
  26. Robert E. Lee Member
    Robert E. Lee
    @RobertELee

    I dual boot… Windows 10 for gaming and hobbies, Linux Mint for personal business. Will this new tech trauma affect dual boot systems?

    • #26
  27. Chris B Member
    Chris B
    @ChrisB

    Robert E. Lee: I dual boot… Windows 10 for gaming and hobbies, Linux Mint for personal business. Will this new tech trauma affect dual boot systems?

    The key that is leaked was only used for the RT version of Windows used on systems with ARM processors. If I understand things right, the leak means it is actually possible to enable dual boot on a Windows Certified ARM based device, if someone writes the appropriate boot loader and incorporates the leaked key.

    It was not possible before, since Windows Certified ARM devices must have Secure Boot enabled, and require a Windows RT key from the boot loader in order to proceed with the boot sequence.

    • #27
  28. kidCoder Member
    kidCoder
    @kidCoder

    Robert E. Lee: I dual boot… Windows 10 for gaming and hobbies, Linux Mint for personal business. Will this new tech trauma affect dual boot systems?

    Not much at all. It’s not actually a bad thing so much as a way that Secure Boot, used by Microsoft to stop people from doing things like dual booting, is now far less important.

    • #28