For a while now, folks have listened to me “talk dirt” about the direction many software companies (especially those in the PRISM program) have gone in terms of opening giant holes in YOUR control of YOUR machine.
Microsoft now “takes it up a notch” with Windows 10.
The “agreement” you must agree to to use the software you bought, grants to Microsoft effective admin rights on your computer. Then they go rummaging around and if they find software they don’t like, they delete it. (They claim it is for pirate software, but what is to stop them from deciding, say, OpenOffice infringes on their file format by being able to read it, and deleting that, too?)
But the real bad thing is that you are one (not very hard) DNS Hijack away from anyone wanting to pretend to be Microsoft rummaging around on your machine. Do they have World Class keys and encryption to prevent this? I doubt it. Does the NSA have a set even if they do? Count on it.
https://smp-blogs.com/windows-10-will-automatically-delete-pirated-games-other-software/
Well, I was only going to include a quote / teaser, but since those folks have some kind of ‘right click select block’ you get the whole front page. Force me to use GIMP and I’m not going to spend a lot of time quoting small parts and multiple snips… One of the stupider ways to attempt to prevent quoting around. Often I’ll just go to the next link down and quote them, instead.
Quote on Windows 10 and software deletion
Click the image for an even larger more readable image.
OK, the point here is pretty simple. AVOID Windows 10. If it grants ANYONE admin privs over the internet, it is only a matter of enough time and it grants EVERYONE admin privs. Even stellar encryption methods ‘age out’ in a matter of years. Often on the order of 5 to 10, and that isn’t even including blatant bugs, subtle bugs, and NSA inspired ‘back doors’.
Windows 7 is still the better choice.
But Wait, there’s MORE!
On tips, we had this nice link (and a h/t to Nick Fiekowsky) :
https://chiefio.wordpress.com/2015/07/26/tips-july-2015/#comment-63557
You get points for prescient UEFI paranoia. Windows and UEFI Anti-Theft Mechanism Makes Systems Less Secure.
Lenovo uses this pre-OS-boot environment to ensure its system management utility is installed. Even if you’re doing a “clean” install with a Windows version downloaded from Microsoft.
I’ve worked in small & large tech vendors. Can imagine Lenovo’s view that this is good customer service, eliminating all those pesky Support calls stemming from absent or back-level drivers…
Which includes a link to this article:
http://www.techrepublic.com/article/windows-and-uefi-anti-theft-mechanism-makes-systems-less-secure/
The original is full of nice links and more that I’m not reproducing here, so ‘hit the link’ for the real deal.
Windows and UEFI anti-theft mechanism makes systems less secure
Features added in Windows 8 were misused by Lenovo to install unwanted software on top of a clean OS install, introducing a critical vulnerability.
By James Sanders | August 13, 2015, 9:37 AM PST
With the litany of free trial programs, adware, and other unwanted “features” that come with the factory images of Windows computers, it has become standard procedure for many users to wipe the system drive of a new PC and install Windows from the Microsoft-published media. However, these attempts by the user to have a clean installation are turning out to be less secure than they should be.
Windows Binary Platform Table
Windows 8 introduced a feature called Windows Binary Platform Table (WBPT), which allows OEMs to insert small executables into the Unified Extensible Firmware Interface (UEFI); these executables are copied into the filesystem and executed by Windows. There is no way to prevent this behavior in Windows using the Group Policy Editor or other obvious system management tools.
That’s the basic “magic sauce” that had led me to state I would never trust a UEFI boot box for anything that actually needs to be secure. It comes from the factory “pre hacked”, and if you think that various TLAs have not requested they have a special chunk in there, you don’t have what it takes to work in computer security.
According to Microsoft’s documentation for WBPT (DOCX file):
“The primary purpose of WPBT is to allow critical software to persist even when the operating system has changed or been reinstalled in a “clean” configuration. One use case for WPBT is to enable anti-theft software which is required to persist in case a device has been stolen, formatted, and reinstalled. In this scenario WPBT functionality provides the capability for the anti-theft software to reinstall itself into the operating system and continue to work as intended.”
In this intended use, this type of behavior is beneficial — an anti-theft system is vital to organizations that deal with sensitive data, and to end users concerned with personal property protection. An anti-theft system that can be overridden by a disk format and Windows reinstallation would not be useful. However, if an OEM were to use it for the installation of a system management utility that the user would ostensibly be trying to avoid by wiping the factory OS image, this would be a substantial problem for the user.
The abliity to have “anti-theft” software persist is the ability to have ANY software persist, and the ability to install “anti-theft” software is the ability to install ANY software…
Now, we all implicity trust the Chinese Government, right? And the fact that any company in China exists only so long as they do EXACTLY what the government requests is no reason to worry they would not stand up for us, right? ( ;sarc> for the sarc impaired…)
Lenovo is using this to install a system management utility
As if the public fallout from the Superfish debacle wasn’t enough of an issue, the only OEM known to be using WBPT improperly (so far, and I’m not optimistic) is Lenovo. Certain consumer-grade desktops and laptops have a WBPT entry that copies a small dropper executable to the filesystem called the Lenovo Service Engine; the executable replaces autochk.exe, which writes two additional files to the filesystem, which in turn creates a service that downloads the Lenovo OneKey Optimizer (PDF) through an unencrypted HTTP connection.
[…]
Lenovo is a Chinese company. Nuff said.
And this is a great example of how to hack in from that small bit of WBPT code. Note, too, that it arrives unencrypted. I doubt they are using strong keys and defending against “man in the middle” attacks. An obvious line of attack is to capture any router along the way to Lenovo including those at the Chinese telcos or in the USA at NSA monitored exits from our telcos and substitute your own “dropper executable” that points to your server and load your root kit.
Considering the method by which this is installed, and the difficulty with which it can be removed, Lenovo has instructions for disabling the WBPT entry in desktops and removes it entirely using a firmware update for laptops, this behavior is tantamount to installing a rootkit. The desktop version doesn’t install OneKey, though it does transmit information to Lenovo.
Bold added by me. And it’s nice to see I’m not the only one thinking this is a root-it path.
This is Microsoft’s fault too
This is actually what “working as designed” looks like — Microsoft provided a means in WBPT for OEMs to force the execution of a program in Windows without user consent. Concerns about Windows 10’s overreach on privacy settings have been high since it was released.
Welcome to the PRISM Prison… "All your data are belong to us! – NSA and friends in China"…
The move to UEFI was already controversial, as it was seen as a way to prevent the user from installing alternatives to Windows, such as Linux distributions. Having the option to disable UEFI Secure Boot was a requirement for OEMs with Windows 8, though Microsoft is allowing OEMs to enforce Secure Boot for Windows 10. There are plans to sign Linux in a way to be compatible with UEFI Secure Boot, but the search continues for a solution that is intelligent enough such that Linus Torvalds won’t go on a tirade.
Dear Linus: Please continue to tirade.
Everyone else: Please, when shopping, stop by the computer department and ask what they have for sale without UEFI and Microsoft? Just state that since they are riddled with security holes and crap, you won’t buy one, but a nice Linux box with a non-UEFI bootloader would be fine. Then wait a polite amount of time before moving on…
In the meantime, I’m going on with my development of a secure enough and cheap enough alternative based on NON-PC non-corrupted hardware and software.
Microsoft and UEFI: Just Say NO! (Or better yet WTF #((*#%)! No!)
Musings from the Chiefio 
Thanks for this information. Is there a competitor remaining for Bill Gates’ Windows?
@omanuel; under construction. You Are There.;-)…………..pg
Sounds like someone needs to work on a tool to fry the OEM UEFI code and replace it with audit-able open source data or block its behavior. Do you know if it is located on an individual chip on the mother board who’s only function is to provide UEFI function or in a reserved part of the CPU?
I have an old lenovo laptop that I know had a built in reserved restore function that would allow a tech to “recover” the system if it got hopelessly corrupted with a fresh clean image. Never used it but I know it existed.
Windows10 for Pi on the way…
E. M, just stumbled on this before I hit your site. Talking about coincidence: http://www.majorgeeks.com/files/details/destroy_windows_10_spying.html
@OManuel:
Your choices are:
1) M.S. Windows – buggered by design and going to stay that way. UEFI – buggered by design and going to stay that way.
2) Apple – somewhat less buggered by design and while Apple is signed up for PRISM, they are reluctant (didn’t sign up till Jobs was dead and a lot of folks there still don’t like it…) Probably OK for home users and better than #1, but still has outside control (though likely tightly restricted to Apple and The Government given the folks I’ve known at Apple).
3) Linux – Really the best option for The Average Joe. Secure enough, and works well enough with a “user friendly enough” front end / GUI now. Many many choices. I’ve published several here as “specific use cases” and I’m working on making my own system “from the ground up” while you watch. More on that in more postings. You can also still get plenty of non-UEFI afflicted old PCs with a normal BIOS for now. Likely also can order motherboards without it for a long time.
4) BSD and BSD derived like NetBSD (Berkeley Standard Distribution Unix) – for the hard core sys-admin types to make absolutely sure things are secure. Watch for more “appliance” type products coming from this corner. Note that China has taken this path with their own version called Kylin… They Know.
5) Chrome – prebuggerd by GOOGLE and only slightly better than Microsoft, less than Apple. Part of PRISM so not really secure against the Government and wide open to Googel. Useful for very specific things where you don’t care who’s watching, like, oh, reading your own web site.. Likely secure against attack by folks not at Google (and TLAs… Three Letter Agencies) given what I’ve seen and the folks I’ve known who went to Google. It’s a locked down Linux / Unix but with loads of data shipped to Google…
My strong recommendation would be to collect an old non-UEFI PC as the present crop of upgrades causes them to come on the used market for nearly free (like $50 or less) and convert them to Linux. Get your feet wet and get comfortable with it. Slowly, make it your secondary machine as you get used to it. Eventually, it becomes your #1 box and the old Windows machine sits shut down most of the time only used when absolutely needed ( my state today – off for months at a time). Total cost about $50 and some time playing with it. Plus you end up with two computers.
In about 2 months I expect to have a pretty good “spec” for a “roll your own” desktop machine that is all you really need for day to day email, web browsing, docs and such. Cost under $100 and likely nearer to $60. Quad core or better and plenty of performance. Also non-UEFI and open source secure. (At present the Rapberry Pi M2 almost makes it on performance. The next ‘step up’ will be fine. That means the CubieTruck ought to be fine right now. As soon as I save the nickles I intend to buy one and prove it. More in a posting on performance ‘Real Soon Now’).
@P.G.Sharrow:
Absolutely right! (See notes above… and recent postings on the R.PiM2)
@Larry Ledwick:
The boot firmware usually lives in ROM. Sometimes you can re-write the ROM and there is an “open boot” project (or several) underway in the Linux community. Worst case you can unsolder it and solder in a new one… Or just do a PXE boot overlay:
http://ipxe.org/
http://www.coreboot.org/
http://www.openfirmware.info/Welcome_to_OpenBIOS
Folks have seen this day coming for a while… (since about Windows 7). Some vendors (like Chromebooks) will let you swap to an open boot if you want.
http://www.newchromebook.com/how-to/make-seabios-default-acer-c720/
Which was, in fact, a big factor in my ‘buy’ of a ChromeBox. The fact that I can put a Linux on it if desired.
Expect the entire Linux world to push very very hard on making damn sure we can run Linux on hardware without building our own (many companies run Linux / Unix for servers and back room use…) The major impact, IMHO, is that the supply of “Old perfectly FINE PCs afflicted by Windowz that can enjoy a full life running Linux with a simple reboot” will shrink a lot. Kiss “almost free hardware” goodbye. Then again, $60 is not that far from “almost free”…
Microsoft is happy with throwing this boulder in front of the Linux bus. I think they fail to appreciate the consequences…
@KuhnKat:
It’s already here, but it is not a full on Windoze 10, it’s a cut down specific purpose (that I forget exactly what as I tried to purge the very idea from my mind…)
@R.deHaan:
Nice, very nice.
and on into the Bing sites. Thus my blocking of *microsoft.com and *bing.com in the prior note comments:
https://chiefio.wordpress.com/2015/08/16/odd-thing-at-iceagenow-info-with-cpu-usage/
Though that .nsatc.net qualifier is a new one for me. Adding that to the block list now… These too:
so msn.com msads.net and adnexus.net and msecnd.net to be added too ( I think I already have adnxs.com in the block list).
I’ll make sure those are in before I post my dnsmasq.conf block config.
And just as soon as I can find the Lenovo address /name and the the MS name /address used for this crap you can bet both name and ip# will be ’round filed’ in my DNS / router set up…
I have been a ubuntu user for years. I have used it to run old HP, Dell and Compaq systems. Just add a solid state drive and the old machines zip right along. There is no point in letting the Dark Lord of Redmond on your machine.
“Well, I was only going to include a quote / teaser, but since those folks have some kind of ‘right click select block’ you get the whole front page.” for that peskty no copying a block of text problem, install an old Opera 12 version, set it to ‘usermode’ and the page gets stripped of those quaint attempts at published information control.
This is the second time that you claim UEFI in Windows 8 and now 10 is designed to prevent you from installing or accessing any other operating system. It is in fact a enterprise security feature (off by default) which allows corporations, which want to control the software loaded on PC’s under their control.
Microsoft in fact contributed to the LINUX community which allows the same level UEFI control if you install LINUX as your operating system.
As regards to the FUD above: This is not a WINDOWS 10 issue. It is also not covered by the WINDOWS 10 licence. This is a service level agreement which covers Microsoft’s cloud services like BING, XBOX etc. which in fact means that you may not be able to access these services with pirated software. IT DOES NOT ALLOW MICROSOFT TO DELETE THE SOTFWARE from your PC. See:https://www.petri.com/windows-10s-latest-unfounded-privacy-fear-games
For those who want to know more about WINDOWS 10 (without the FUD) here is a good article:
https://www.thurrott.com/windows/windows-10/5337/windows-10-tip-understand-and-configure-privacy-settings
You can also go to Microsoft Privacy Web Site for more information:http://choice.microsoft.com/
@ eilert says:
19 August 2015 at 8:27 am
I would strongly advise any business or corporation to blacklist Windows 10 and variants until they receive a complete legal undertaking from MicroSoft that it will not access data from machines in that company. The legal undertaking to include a significant sum in escrow (equal to the business turnover for a year?) that will be awarded to the business if it is ever discovered that MicroSoft has accessed the business or machine data without explicit permission from the nominated representative of the business.
The idea that updates for whatever reason can be installed without user approval to a business that may have bespoke code is also a non-starter. All businesses should be investigating dropping Windows as an operating system and moving to another, possibly Linux. To fail to move from Windows is to ignore a significant security risk to the business..
@ eilert says:
19 August 2015 at 8:27 am
Re your link
https://www.thurrott.com/windows/windows-10/5337/windows-10-tip-understand-and-configure-privacy-settings
I see that Windows takes all sorts of data and ‘sends it anonymously’ to MicroSoft. Anyone who believes that this will remain anonymous has not been involved in any analytics work. After a surprisingly short time there will be no anonymity even if the Advertising ID linked to your User ID is not used. With the Advertising ID you may as well have given MicroSoft full disk and keylogger.access.
The more I read of this sort of stuff (and what a lot of it there’s been over the last few weeks!), the happier I am that I finally decided to “defenestrate” myself last year. My main machine (this one) is now on Linux Mint (my only real complaint is that it’s too much like Windows …), and my laptop seems to be perfectly happy running CrunchBangPlusPlus (love it), apart from a wee taste of the old Linux bugbear – Wifi chip drivers (currently under review). I shall keep one or two older machines on XP for some favourite programs, but if any other new OS’s appear chez moi, it’ll most likely be the result of me heading towards BSD.
I remember reading about a “pwn it to own it” contest from a year or few ago. All Windows versions: about five minutes tops with a script-kiddie hack; OSX/most Linux: two or three days of determined one-on-one hacking; BSD: was not cracked. That says all I want to know.
Hmmm … for the time being, I’ll just have to collect the “fixes” that can be done manually (not as part of someone’s compiled code) that are reversible. My (f)upgrade to Win10 crashed twice. “Keep everything” failed when Win10 upgraded Office 2013. Surgery to remove all the pieces of Office was unsuccessful so a clean install was the only option. Then that crashed at the same Office upgrade. Dumped MS Office, got WPS Office professional – only alternative I have found with reliable VBA implementation that I need for work-related stuff.
Problem for me and others is, there’s no decent industry standard CAD package on Linux other than Graebert’s ARES Commander. $750, deb, rpm, tbz2, but printing/plotting? No CUPS driver yet for a Brother J6910DW, so back to HP guzzler equivalent? Has to run in parallel until proven, and I don’t have desk space long enough.
I’ll follow Chiefio’s postings on roll your own desktop. Talk about deja vu – earliest XT I had was home built, on plywood and putty, hard drive mounted on foam to protect from earth tremours.
@Steve C
Following up on your comment I ran across this, which implies that the issue might be that just because it was not hacked had more to do with very few people intent on hacking it.
http://www.osnews.com/thread?307942
Some preliminary reading on that idea leads me to the conclusion that the OS is not particularly important assuming you use basic good practices since most hacks are introduced by other services like flash, java, pdf , browsers etc.
Sort of like the home burglary issue, most folks who have a break in at home did something careless like let newspapers stack up on their porch while out of town. key under the mat, or left the garage door open all the time etc to increase their target profile.
I wonder if it is really even possible to characterize how vulnerable a given system or os is since the combination of potential factors, (what services you use and how you use them) including secondary issues like how big the universe of black hats is which is trying to attack that system is largely unknowable?
@James:
Have not gotten a Solid State Disk yet, someday. The ChromeBox runs from SSD, and it just flies (especially give the mid grade CPU in it). Not looking forward to sorting out brands and makes in a whole ‘nother area of tech… but someday…
@Petrossa:
Nice to know… May take me a while to do it, though. I’ve likely got an old copy in the archives somewhere, but it likely is on the archive FTP sites too.
It’s generally just been so darned quick to “hit print screen” (or in Debian type “scrot” in the idle window) then click on the image it makes and GIMP pops, select rectangle, crop, save. Done. That I’ve not bothered looking for more precise systems. But I likely ought to. It’s kind of a meat axe approach to just grab the whole screen ;-)
@Eilert:
It is simply stating the truth.
The first rounds of UEFI were by default blocking Linux. All holy hell broke loose, and Microsoft also learned that folks would not be going to Windows 8 in droves if they didn’t have some test drive time first and ability to roll back to Windows 7, so the level of ‘enforcement’ was backed off. As quoted above (maybe you missed it…)
Note in particular “prevent users from installing alternatives to Windows, such as Linux”.
Then note: “option to disable” … “requirement of OEMs with Windows 8” so the “push back” caused a small backoff for Windows 8 at OEM request (not buyers… they don’t matter…)
Then particularly note: “Microsoft is allowing OEMs to enforce Secure Boot for Windows 10”
that means that with the advent of Windows 10, the lockout can proceed as everyone has Windows 8 signing worked out and adding 10 is easy.
Now a few vendors have been willing (after some amount of screaming) to “sign” a Linux (typically Red Hat – another giant corporation with clout that doesn’t care so much about buyers any more) but not just all Linux… And Lord help you if you want to run the “OS of the Day” like BSD or Plan 9 or a variety of Live-CD boots and rescue disks.
But if you think just any old (not a giant company) Linux is going to run fine on your UEFI boot machine, you have completely missed the concept of “Secure Boot”. The very purpose of it is to limit the machine to ONLY booting an APPROVED and SIGNED OS.
Which, of course, leads to the question of “Approved by whom?”…. Certainly not you, the buyer.
http://www.howtogeek.com/175641/how-to-boot-and-install-linux-on-a-uefi-pc-with-secure-boot/
Note that in ARM it is already “no you can’t disable” and the “allow to disable” for PCs was for Windows 8 and is now being eased out for Windows 10.
So that means that you need to assure that any computer you buy isn’t locked. Especially now that we have “”Microsoft is allowing OEMs to enforce Secure Boot for Windows 10”.
Yes, there are efforts to get something like Seabios “keyed and approved”… but don’t expect to be able to just choose your OS and go. AND realize that unless your OEM is very Linux friendly, you can easily buy a box that is locked and keyed to only Windows 10.
As to the Windows 10 blocking your software being “FUD”:
It was sourced from two places. One the local CBS or ABC radio network station ( I don’t remember which it is affiliated with) the other the above link. So you have a link saying “is not”. OK, it’s “link wars”.
We’ll see for certain once Windows 10 is out and in use.
However:
The basis of the “complaint” in your link was that this was about Services and not the OS. Yet the rollout of Windows 10 is the start of Microsoft going to “Software as a service” for Windows. So since Windows 10 is a software service, saying it isn’t going to be covered by the Services agreement is a bit rich… (at a minimum suspect).
Read that first line of the quote-in-an-image above:
“Windows 10 is the first version of Windows where Microsoft is pitching its marquee operating system as a service instead of a stand alone software product.”
There is also a load of other stuff in the media history about Microsoft wanting to move that direction and their desire to move to a monthly fee rental basis instead of a one time buy license.
There isn’t any doubt on that point.
So in that context, I find it very hard to accept that this isn’t (at a minimum) the camel’s nose under the tent and much much more is headed at you as soon as you take this step. Prepare to pay monthly in a couple of releases or have your computer become locked dead metal.
Back at booting Linux on the present crop of UEFI machines:
(I remember the first round of issues being raised over this and it was NOT a benevolent Microsoft who from the goodness of their spirit went this way… it was only after ‘expedites’ from a large Linux base that it was opened up… for now… and it is highly likely to require ongoing effort to defend.)
So right out the gate, you must choose a distribution that’s approved… and by whom?
“This is because Ubuntu’s first-stage EFI boot loader is signed by Microsoft.”
So why must I be saddled with Microsoft as approver of my choices? Well, someone has to be gatekeeper in a gate keeper world…
Yes, by all means, shut it off… One hopes that ongoing pressure from the Linux community will at a minimum keep this option available to us. There is no reason to expect it to stay without ongoing pressure. Again, that note above about what Microsoft is “allowing” on MY computer:
“”Microsoft is allowing OEMs to enforce Secure Boot for Windows 10”.
And that “enforce Secure Boot” means “no ticky no washee” and you had better have a “first-stage EFI boot loader is signed by Microsoft.” or you are NOT going to change the OS. Any bets on how long it will take for vendors to start shipping Secure Machines locked down to only MS? How many people buying PCs ever ask about running Linux? It will take constant pressure to keep the boxes and hardware open, and Microsoft has just said with Windows 10 that it is just fine to lock it.
<blockquote
Add a Signing Key to the UEFI Firmware: Some Linux distributions may sign their boot loaders with their own key, which you can add to your UEFI firmware. This doesn’t seem to be a common at the moment.
And there is the very uncommon option of maybe kinda sorta adding a Signing Key IF Microsoft and the OEM let you on “your” hardware… sometime. Maybe. For now. Oh, and only if the OS is from a vendor and they decided to sign it in the ‘approved’ way. Forget the “roll your own” options and forget all that archive of source code for other older operating systems…
Now add that all up, and season with OEMs and vendors able to slide in chunks of code at boot time (and the KNOW just what boot time will look like since only ‘signed’ code can be run, so no surprises for them and their
trojansupdates…) and you have a heck of an insecure Secure Boot…Top with a frosting of NSA and Chinese Government “guidance” to the vendors and it is all just not at all a cake worth eating, IMHO.
Which was sort of the point of the article…
And still leads back to “UEFI – just say no” and “Microsoft- keep your mitts off MY computer and I don’t need your steeenking approval”.
And there is NO Fear in that statement. NO Uncertainty. And NO Doubt about it.
I expect a rapid growth in the market of non-Microsoft afflicted machines as evidenced by the explosion of Raspberry Pi projects and all the clones it has spawned. I know I’ve bought the last Microsoft machine I’ll ever buy. (Personally. If some company hires me and they want to buy them for some quasi-valid reason, I won’t fight them on it. Just mutter under my breath ;-)
@Ian W:
I agree with your POV.
Yeah, I’d not bothered to bring up the “Advertizing ID” issue as I was already fuming enough. But yes, “privacy” is getting killed along with your security and your ownership rights in “your” hardware. You are just a “mark” to be fleeced after you pay for the privilege by buying hardware they control….
@Steve C:
Hmmm… Nice name for a release… “Defenstrate BSD” ;-)
I’ve frequently stated that for real security you start with BSD. It’s what I’ve used in those roles for over 30 years now and has never let me down ( i.e. none of the places I used it were ever hacked while I was there using it). It is also the base on which China is building their secure OS Kylin. As you noted: ‘nuf said.
@Martin Clark:
http://www.techdrivein.com/2011/08/8-best-cad-apps-for-linux.html
lists 8 CAD packages. None of them good enough?
Surprising, really, given that CAD started on Unix workstations… there ought to be a load of good Unix based software available…
@Larry Ledwick:
Yes, Linux and Unix CAN be hacked (and are from time to time). It is much harder than hacking Windows (that is wide open mostly).
Yes, the advent of Javascript and FLASH and related makes it much easier and bit more OS independent. Part of why starting about a decade and a bit back I was saying that you can no longer assure security in any site. ( IMHO this is by design and it curiously just happens to overlay about the time PRISM starts and grows…)
For that reason, I’ve not been “the guy” responsible for site security anywhere since. I strongly value my “Never Been Broken Into” badge on the resume and don’t really want to put it at risk. I would, for a huge wad of money, but as long as money is available without risking it, it’s nice ;-)
So how to defend in a world as you described? Segment the exposures.
At present, all the worker desktops tend to be on the same “corporate network” as all the stuff that needs to be kept secure. That, IMHO, is the first and major error (well, the first is buying Microsoft products… but I’m not going to win that one in most companies so I generally ignore it and ‘go with the flow’ of the Executives…) So start by segmenting the network. For example:
At Apple, we had no less than 3 major networks (and a few minor ones). The Corporate Network had all the non-Engineering stuff on it. Hack it, you might (might as in not likely) get some financial stuff and memos from the bosses, but nothing about Engineering and products. The Engineering Network had all the Engineers. It didn’t get hacked. ( I know, since it was mine ;-) Inside the Engineering Network, we had a special secret and extra secured network only accessible with 2 factor access. You couldn’t even detect it from the E. Net. Yet it could “reach out” to the Engineering network for some things. The Engineers in that area did complain a little about the requirement to have 2 desktop machines, one super secure and one more open, for things like internet use, but it did work very well.
Today I would add to that that PII networks are common on Corporate nets (so Personal Identifying Information is treated special ;-) and all your credit card info is NOT on the same network with the secretary shopping for shoes and getting phished…) I would also advocate for a distinct “desktops network” where I would put any desktop machine with internet access and browsers and related. Limit the damage when they get hacked, rooted, phished, etc. etc. And that lets me isolate the stuff that really needs to be secure, like financial servers and engineering servers and such, onto networks without such security exposures. Route between them with VERY limited protocols and services allowed. Essentially, treat the “desktops” network rather like a DMZ and move the “perimeter” of max security inside the core of the company.
(We also had a real DMZ at Apple, but I’ve covered that before. Mail relay, news relay, FTP, that kind of stuff… now I’d add ‘web server’. )
So you have multiple layers:
Internet – Wild West anything goes.
border internet router – filters the worst of it and splits out a DMZ on the side.
DMZ – holds servers that do specific services with specific protocols and all other software gone.
boundary router – filters more of if, so no WEB or email or FTP through it. Those must go through the DMZ and a web proxy server and such.
Desktops Network – where all those exposure you listed are quarantined along with the MS stuff.
Security Router – protects inner services networks. ONLY passes those protocols and services needed to get data in / out on approved paths and software. Splits out dedicated networks:
Corporate Network – for all those business machines.
PII Network – for all that money stuff with customers.
Engineering Network – for Engineering servers and information.
Special Purpose High Security networks – as needed for secret projects.
Include Honey Pots in each of the first levels ( Internet Honey Pot target, DMZ, Desktop net) and instrument the hell out of all sorts of things… You are pretty much guaranteed nobody gets to the inner layers before alarm bells are going off and they are trapped.
I’m pretty sure that with that type of structure, only the Desktop network will end up hacked (and that mostly via human factors attacks … i.e. ‘click me’ phishing and “by design” holes in PRISM Products…) It ought to limit exposure of ‘real secrets’ from the inner networks to only those things people manage to store on their computers when policy says not to do it…
Oh, and there will be some dedicated storage networks for things like NAS / SAN etc. With their own protocols, authenticators, etc. So even if someone captures the “Payroll machine”, they can only see those data sets that are approved for that machine to see over the storage networks…
Now getting that level of hardware buy signed off will require Executive Management that sees I.T. as a strategic asset and essential security rather than: a “cost center” to be minimized and staffed with the best H1B visa can supply at as near to nothing as possible…
So don’t expect to see it anywhere that isn’t serious about security (or just AFTER all their stuff has been stolen…)
More rants on Windows 10
A request to E.M. Smith:
ChiefIO, Is there the possibility of creating and sharing a detailed diagram+checklist of that Structure ?
Please advise.
Thanks,
LG
I currently have a kingston ssd on this desk top, for the OS only. It works ok, (boot time about 24 seconds – a friend has gotten down to low teens for boot times). but I did have an issue with it periodically throwing a “must run chkdsk” error. (win 7 Pro 64 bit) last time it did that it munched some dlls and the system started getting flaky. so I just re-imaged it with win 7 64 bit home premium, but it is a stripped system only has fire fox, open office 4.1.1, Irfanview (my prefered open source image program) installed. I have intentionally not installed flash or java. I use it like your R pi as a daily browser box and only boot up the other ones if I need something not available on this box, then they get shut down. Its data drive is on a usb docking station and is only powered up when I need something on the drive.
We will see if the Kingston ssd was the issue or something else was corrupting things.
I run the ZoneAlarm anti virus suite because if will fully stealth your system (will not respond to outside probes of service ports).I periodically test it with GRC.com shields up to make sure nothing is open and it to my knowledge is the only antivirus package that monitors out going packets so it will alert if something is trying to phone home.
In researching the Kingston SSD issue I noticed its write speed is not top of the line. It appears that right now the best bang for the buck ssd is the samsung units. The kingston is only about 1/2 as fast as the samsung units for read write speeds.
http://www.cnet.com/topics/storage/best-hard-drives-and-storage/ssd/
I also have another identical kingston ssd on another system as a non-os drive. Periodically it fails to mount on boot. Just reboot and it shows up. I suspect it is that mother board /bios etc. which is the issue not the kingston, but for quick boot up the ssd drives for the os are really nice.