Ricochet is the best place on the internet to discuss the issues of the day, either through commenting on posts or writing your own for our active and dynamic community in a fully moderated environment. In addition, the Ricochet Audio Network offers over 50 original podcasts with new episodes released every day.
Microsoft Accidentally Released a Backdoor to the World
Remember the iPhone mess, when half the country was yelling for the government to have access to encrypted machines, and the other half was yelling back about the foolishness of that idea? Well, Microsoft just found its private access codes leaked, seriously compromising the security of its tablet and mobile devices (PCs are unaffected).
First, a little background. Newer Windows computers, with the UEFI system installed (the modern replacement to good old BIOS), have a feature called “Secure Boot” to make sure only the Right Software gets to be the operating system on the computer. This has genuinely positive security implications (making sure that on your laptop, only your OS and not some malware lookalike is in charge). However, as in all things computers, the only way to ensure validity of images is through cryptographic means: encryption and its twin, signing files. However, Microsoft wanted the ability to circumvent these restrictions; presumably the security got in the way of development, where files change every minute instead of every upgrade. This was where they got into trouble.
Microsoft created a special shim that disabled all of Secure Boot’s confirmation, probably for internal convenience. And that shim ended up getting copied to devices that ended up in the hands of security researchers. Now it’s out in the world, and Microsoft can’t do anything to stop it, try as hard as they are.
But don’t worry. I’m sure that if the government had the special shim, it would still be secure.
Published in Domestic Policy
You’re a laugh riot, Kid.
So, Kid, what should I be worried about?
How to change your system to a Linux based system?
Thanks for the news. Can you keep us posted if anything should happen as fallout?
Also, but unrelated, is there any way–shy of taking over a small country, training a new model army & invading America discreetly–I can stop Microsoft from endlessly updating my win10?
This should end well.
How to change your system to a Linux based system?
Annefy:
I can probably figure out how to do that.
But what should I be worried about if I DON’T do that?
Are you saying that the backdoor is out there in many, many hands and anyone running Microsoft should be worried about their personal data?
Should we be worried if for some reason we’d be targeted (because we’re a politician or gotten on somebody’s enemies’ list) or is my mom’s social security # at risk (I handle her finances) ?
In other words, should I start deleting my emails now? Or is it too late?
Depends on the distro and the computer. when I was messing with debian I had to turn off secure boot, ubuntu says they have it working with some computers…. So….
But you have to have a device that lets you disable it.
The only thing that this really does is make it possible to install non-Microsoft operating systems on Windows RT Certified hardware (tablets using ARM processors). On x86 based hardware, which comprises the vast majority of Windows based computers, it was already possible to simply disable Secure Boot with physical access to the hardware.
There is some additional concern that now root kit malware can be created to exploit this vulnerability on Windows phones and tablets. It would have to be installed from a bootable device (like a USB drive).
It also means that someone could theoretically perform a brute force decryption of a Windows RT device given enough time and physical access to the device. The Apple case has already revealed that there are faster and easier ways to defeat such encryption, however.
Nope. Which sucks if your computer is getting hosed by the Anniversary update.
I will seek revenge on Mr. Gates & his boringly evil empire.
Dude, Linux. The real hackers will rise again.
Real hackers use abacuses. An ancient unhackable technology passed down from our forefathers.
Nothing. It’s not that important a key unless your Windows 8 or 10 machine refuses to let you turn off Secure Boot, and even then the most major thing you might do is install Linux, or possibly install a rootkit and take over your computer. To do so would require clicking on bad links in spam emails and classic methods of malware entry like that.
That’s easy. When they present you with the terms of service for upgrading to Windows 10, reject your many many years of training and deny the license agreement.
That ship sailed-
A single security measure is gone. In this case, unlike in the case of a backdoor to all crypto, very little harm can actually be caused without physical access to your device. Your data is as safe as ever, assuming you are not stupid around links to viruses, stray flashdrives at hacker conferences, or the like.
I am surprised that I haven’t heard more complaints about this. Maybe it proves that I really am completely retired from the business now.
You’re looking at this all wrong, it’s a great business opportunity.
I’m pretty sure this means we should start a new computer security firm to provide physical protection to Windows devices. If the Secret Service can guard Hillary’s server we can dispatch our employees to guard everyone else’s.
@phcheese sold me a lifetime supply of aluminum foil to wrap around my computers. So far, so good.
*wakes up with piles of flash drives scattered around the house* Don’t tell me how to live my life.
“Ricochet TechSec: We’ll Wipe Your Servers — With a Cloth!”
KidCoder on the main feed, congrats!
The Microsoft breach is a vivid example in support of Apple’s position regarding encryption. Recall that Tim Cook recently took a lot of flack for fighting a court order mandating that Apple deploy its engineers to create a skeleton key for iPhone. Cook reasoned, correctly, given Microsoft’s experience, that the very existence of a backdoor circumventing the many layers of iPhone security pretty much guarantees an eventual leak, inevitably compromising customer data security and Apple’s long-term business prospects.
My gawd! This could affect dozens of people worldwide!
You get the Austin Powers trophy for this one, Misthio. Keep it up!
I dual boot…Windows 10 for gaming and hobbies, Linux Mint for personal business. Will this new tech trauma effect dual boot systems?
The key that is leaked was only used for the RT version of Windows used on systems with ARM processors. If I understand things right, the leak means it is actually possible to enable dual boot on a Windows Certified ARM based device, if someone writes the appropriate boot loader and incorporates the leaked key.
It was not possible before, since Windows Certified ARM devices must have Secure Boot enabled, and require a Windows RT key from the boot loader in order to proceed with the boot sequence.
Not much at all. It’s not actually a bad thing so much as a way that Secure Boot, used by Microsoft to stop people from doing things like dual booting, is now far less important.