Monday, 24 December 2012

Windows 8 Sins


Looks like it’s going to be another great year to be a hacker. Windows 8 is almost ready for release.
As I sit here writing this entry, I muse on how it seems like not too long ago I was writing a similar article about Windows 7. I remember back when Windows 7 was released and users got angry about unfair Microsoft techniques designed to exploit users. “Microsoft had deliberately crippled Windows 7, leaving users at the mercy of Microsoft to control which applications they could use, as well as the number of applications that could be run simultaneously.” (Quote from en.windows7sins.org)
So I sit here now, wondering if there will be similar anger over Microsoft’s latest operating system, which seems designed to exploit users as well. Windows 8 Sins, anyone?

No Microsoft account? Too bad!

Windows 8 provides two methods of authentication, one using a local account and the second relying exclusively on a Microsoft account. The only way to get access to complete Windows 8 functionality is to use the latter, basically forcing you to apply for a Microsoft account in order to benefit from all features. Don’t have a Microsoft account? Don’t want to get/use Windows Live? Want to use your Google account instead? Tough luck. Windows 8 only works with a Microsoft account. If you do not have one or do not want to create one just for Windows 8, you’re out of luck.

Exclusively Skydrive…

Microsoft places its own services on the front lines, which is partly good and bad. True, working exclusively with Microsoft products provides added functionality, but on the downside it does not offer an alternative to the people out there using Dropbox, Google Drive or other cloud storage providers. If you’ve already paid for extra storage space on the popular cloud storage providers and you think it’ll work on Windows 8, think again. It won’t.
Then there is the issue of all cloud data being stored on Microsoft’s own servers, which raises extensive privacy issues and concerns. But I’ll touch on privacy later.

A city without walls… because you only have Windows

Security features are sorely lacking in this version of Windows as well. Windows Defender still doesn’t integrate with the Windows Firewall. By default, Windows Firewall is set to deny access to Windows Defender.
The Windows 8 Firewall is so full of holes it might as well not be there. The Firewall allows all programs to establish outgoing connections to the Internet with no user confirmation. Its only purpose seems to be to block incoming connections. Feel secure? With this firewall in place you would think nothing would infect your computer, and yet through all that, Windows still manages to get viruses and other crap installed on it. Why? Because the Windows Firewall only stops programs from establishing incoming connections. Scripts, malware, and spyware (to mention just a few threats out there) aren’t recognized by Windows Firewall as programs and can access both incoming and outgoing connections.
So if you get a virus, the Windows Firewall won’t prevent you sending it to everyone on your network, and the Windows Defender won’t stop it because the Firewall blocks the Defender program.

The problem with privacy just got a whole lot bigger

“The licensing agreement users are required to accept before using Windows warns that Microsoft claims the right to inspect the contents of users’ hard drives without warning.”
The above quote was from several years ago about a serious concern raised on Windows 7. Has the problem been fixed on Windows 8? Absolutely not! If anything, it’s gotten worse!
Windows 8 has a new feature called Windows SmartScreen, which is turned on by default. Basically it functions this way: You click a program installer and Windows 8 “screens” the program by sending information to Microsoft, who will respond back whether they think the program is safe to install or not.
It sounds like a laudable idea, one that will make your computer more secure. The big problem is that Windows 8 is configured to immediately tell Microsoft about every app you download and install. This is a very serious privacy problem, specifically because Microsoft is the central point of authority and data collection/retention here and therefore becomes vulnerable to being served judicial subpoenas or National Security Letters intended to monitor targeted users.
And to make matters even worse, the encryption on SmartScreen’s transmissions to Microsoft isn’t secure! Windows Internet Information Services (http://www.iis.net) uses SSLv2. SSLv2 has been deprecated since 1996 and is considered unacceptable for any modern security library.
What’s wrong with SSLv2.0?
  1. The SSLv2 message authentication uses the MD5 function, and is insecure.
  2. There is no protection of the handshake in SSLv2, which permits a man-in-the-middle attack.
  3. SSLv2 relies on TCP FIN to close the session, so an attacker can forge a TCP FIN, and the peer cannot tell if it was a legitimate end of data or not.
  4. The cryptographic keys in SSLv2 are used for both message authentication and encryption, so if weak encryption schemes are negotiated the message authentication code uses the SAME weak key.
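To make the protocol criticised in the list above recognisable on the wire, this added example (not part of the original post) parses the first bytes a client sends and reports whether they form an SSLv2 CLIENT-HELLO and whether export-grade ciphers are offered. The function names and the sample hello are constructed for illustration; the record layout and cipher codes follow the SSL 2.0 specification.

```python
import struct

# SSLv2 cipher kinds (3 bytes each) as defined in the SSL 2.0 specification.
SSL2_CIPHERS = {
    0x010080: "SSL_CK_RC4_128_WITH_MD5",
    0x020080: "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    0x030080: "SSL_CK_RC2_128_CBC_WITH_MD5",
    0x040080: "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    0x050080: "SSL_CK_IDEA_128_CBC_WITH_MD5",
    0x060040: "SSL_CK_DES_64_CBC_WITH_MD5",
    0x0700C0: "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}

def classify_first_flight(data: bytes) -> dict:
    """Classify the first bytes a client sends on an SSL/TLS port."""
    # SSLv3/TLS record: content type 0x16 (handshake), major version 3.
    if len(data) >= 5 and data[0] == 0x16 and data[1] == 0x03:
        return {"kind": "tls-record", "version": (data[1], data[2])}
    # An SSLv2 CLIENT-HELLO uses a 2-byte record header with the top bit set.
    if len(data) < 11 or not data[0] & 0x80:
        return {"kind": "unknown"}
    rec_len = ((data[0] & 0x7F) << 8) | data[1]
    msg_type, version, cs_len, sid_len, ch_len = struct.unpack_from(">BHHHH", data, 2)
    # Reject anything whose declared lengths do not add up (truncated or not a hello).
    if (msg_type != 1 or cs_len == 0 or cs_len % 3
            or rec_len != 9 + cs_len + sid_len + ch_len
            or len(data) < 2 + rec_len):
        return {"kind": "unknown"}
    specs = [int.from_bytes(data[11 + i:14 + i], "big") for i in range(0, cs_len, 3)]
    v2_names = [SSL2_CIPHERS[s] for s in specs if s in SSL2_CIPHERS]
    return {
        # 0x0002 is genuine SSLv2; other values are treated as a v2-format
        # hello that offers a newer protocol (e.g. 0x0300 or 0x0301).
        "kind": "sslv2-client-hello" if version == 0x0002 else "sslv2-compatible-hello",
        "offered_version": version,
        "v2_ciphers": v2_names,
        "offers_export40": any("EXPORT40" in n for n in v2_names),
    }

def build_sample_hello(version: int, specs: list, challenge: bytes) -> bytes:
    """Constructed test input: an SSLv2-format CLIENT-HELLO with no session id."""
    body = struct.pack(">BHHHH", 1, version, 3 * len(specs), 0, len(challenge))
    body += b"".join(s.to_bytes(3, "big") for s in specs) + challenge
    return struct.pack(">H", 0x8000 | len(body)) + body

if __name__ == "__main__":
    sample = build_sample_hello(0x0002, [0x010080, 0x020080], bytes(16))
    print(classify_first_flight(sample))
```
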
So it’s insecure. So what? What are hackers going to be able to get from a SmartScreen communication?
For starters, your IP address, a list of every program on your computer, and how you use those programs! This would allow any hacker to profile their victims and customize their attack to their personal selection of applications and their computing habits.

And that’s Windows 8!
So to explain everything in a simple sentence… Windows 8 is only designed to exploit you and your privacy, and is not secure at all.
