This is the actual news I wanted to comment. You just take a tour around about how the news are inflated and don't comment on that (do you think it is fair? isn't it a security threat? doesn't that make Windows kind of a virus?). That was the point of those links, not how news are inflated by other sites. That's why I gave that many links, so you can compare PoVs. I'm open to discussion about anything, but if you're only going to discredit other people's PoVs trying to distract the discussion from the main point, I can just find somewhere/someone else to discuss this.JJS wrote:They start with an article in the Seattle Times on how there is a backdoor in Windows
That "update" article never answered the main question raised on that same article:JJS wrote:Finally it comes to a closure with an update article that states that this is not a backdoor but just an usb stick with tools that cannot break any encrypted data and do not use any backdoor.
"a little usb device cannot break encrypted info (passwords) -- unless microsoft has built a back door into its computers -- it seems. i have worked with encryption software before -- stuff it would take NSA a month to crack -- so how does MS do it in minutes?"
If you re-read the articles, it's all about encryptionJJS wrote:If you have physical access to a PC you can do anything you want and all security for any system will break down anyway unless you do things like hard disk encryption
Again, depends on what OS and tools you're using. Please do not generalize.JJS wrote:Even then, if that user is currently logged in you can read everything again.
Did I say it was only Microsoft? I'll remind you my exact words:JJS wrote:Another article dealt with At&T, so Microsoft can be blamed for other company's behaviour too?
m0skit0 wrote:I would warn you about closed source antivirus, specially Microsoft's
SSL. You can also do that on Windows, of course, but cannot be 100% sure about what other services are running potentially ruining any privacy. This is also true with any closed source software you want to use: you never know what it exactly does. This is the main point for me: closed source software is always insecure because you don't know what is running on your machine.JJS wrote:I also wonder how a Linux box can prevent an internet provider from misusing the data you send over the net.
See? No backdoor.It sounds to me like the device doesn't do anything that a trained computer forensics expert can't already do. This just automates the execution of the commands for data extraction. Check later for updates.
Still doesn't answer the main question raised here.JJS wrote:Take this quote from the update article:
See? No backdoor.It sounds to me like the device doesn't do anything that a trained computer forensics expert can't already do. This just automates the execution of the commands for data extraction. Check later for updates.
Obviously Microsoft is gonna deny any accusation over this kind of things, they don't want to scare customers, since they live because of the customers."a little usb device cannot break encrypted info (passwords) -- unless microsoft has built a back door into its computers -- it seems. i have worked with encryption software before -- stuff it would take NSA a month to crack -- so how does MS do it in minutes?"
Well, it's not only that: viruses, malwares, unpatched critical vulnerabilities, and so on...JJS wrote:But just the possibility of that is not enough
[/spoiler]http://thibault.rouat.com/security-doc/ ... aft-V1.pdf (page 70)Microsoft wrote:BitLocker has a number of “Recovery” scenarios that we can exploit
30. Calls on the Commission and Member States to promote software projects whose source text is made public (open-source software), as this is the only way of guaranteeing that no backdoors are built into programmes;
11.4. Security of encryption products
In the discussion on the actual level of security of encryption processes the accusation has repeatedly been made that American products contain backdoors. For example, Excel made headlines here in Europe when it was suggested that in the European version of its programme half the key is revealed in the file header. Microsoft also gained media attention when a hacker claimed to have discovered an ‘NSA key’ hidden in the programme, a claim which was of course strongly denied by Microsoft. Since Microsoft has not revealed its source code, any assessment amounts to pure speculation. At all events, the earlier versions of PGP and GnuPG can be said with a great degree of certainty not to contain such a backdoor, since their source text has been disclosed.
http://www.europarl.europa.eu/sides/get ... PDF+V0//EN25. [...] The Commission is called upon to lay down a standard for the level of security of e-mail software packages, placing those packages whose source code has not been made public in the ‘least reliable’ category.
I think it really is and I would say that the reason for that is largely irrelevant (inferior design/large userbase/whatever). What it comes down is that security is only a factor of many when it comes down to OS choice. And most of the time it will be a low priority factor behind software availability and familiarity with a certain system.m0skit0 wrote:The question I'm raising here is that Windows is by far the most vulnerable OS around.
I do agree.JJS wrote:That question was a reaction of a reader of the first article. He completely based it on the information provided there which was not very detailed and, as I already stated, largely taken back in the follow up article. So I don't give it too much weight. Overall I think we should stop discussing about those articles because they lack hard evidence.
I would say more: it openly states that there's a "recovery" feature (a "nicer" word for backdoor).JJS wrote:That Microsoft presentation is concerning since it openly states that such known vulnerabilities exist in the bitlocker software.
I agree, but a lot of people complain about security, but they don't class it as a priority factor. I'm inclined to say to them "well, you choosed that OS, so **** and deal with it". About the familiarity, it's a very cheap excuse IMHO.JJS wrote:What it comes down is that security is only a factor of many when it comes down to OS choice. And most of the time it will be a low priority factor behind software availability and familiarity with a certain system.
I agree 100%. But for me, if I don't want it on public computers, I don't want it on mine neither. Different priorities, I guess.JJS wrote: I am all for open systems for use by the government and administration. Especially in highly sensitive areas like voting machines (if you want to use those anyway is very debatable) where transparency of operation is paramount. There is no basis on which you could trust a company on developing such a system.
Thanks for this, and the following posts. It seems XP Professional SP3 has the most "Microsoft control", but by Windows 7, there seems to be much less.m0skit0 wrote: http://seattletimes.nwsource.com/html/m ... law29.html
http://tech.slashdot.org/tech/08/04/29/1441215.shtml
http://newsworldwide.wordpress.com/2008 ... g-systems/
http://www.eff.org/issues/nsa-spying
http://www.techdirt.com/articles/200804 ... 4977.shtml
http://blog.seattletimes.nwsource.com/t ... evice.html
