Aug 30
2015

Windows 10 – Why the human race is screwed when it comes to Security…

Please allow me to introduce myself, I’m David Schaefer, an Information Technologies professional that has supported security via teaching and other unique findings for over 25 years.  I’m not crazy and I don’t believe in things like the Illuminati, the 13 families, etc.

I love my country and what it is supposed to represent, although I believe something has gone terribly wrong along the way to utopia, and it’s due to human greed.

I’m a father first who loves his family,  as I work full time in an Information Technologies department while developing/teaching offensive/defensive computer security classes, on top of balancing out a number of other things in my life.

I’m not paranoid, but I am a fan of history as it does repeat itself, and I do observe data and trends – especially concerned with Information Security (InfoSec).

That is why I’m taking a break out of my normal hectic life – as this is extremely important to get out as this is not just another Cybersecurity rant… it’s a concern for the human race.

It started with this article this morning: “Despite privacy concerns 75 million devices are already running Windows 10” (http://bit.ly/1hpgezi, August 2015).   I tweeted about this, but I can’t possibly encompass everything going through my head in a twitter account.  Please take the time to read the article I referenced and watch the video in the link I shared above to see what I’m talking about.  Truly, it’s not just me, as I’ve been reading these things for weeks, but I’m astonished by how many are already on Windows 10.  So I’m writing this as a supplement.

With that said… Microsoft has finally crossed that line, where I can’t tell if they are an individual company or a subsidiary of the United States government when they started pushing out the worst Windows 10 features to their Windows 7 and 8 OSs this month via the KB2068708, and KB3022345 updates (http://onforb.es/1Q1CLhO, August 2015).  This being said by someone that remembers the Microsoft antitrust lawsuit brought on by the government, my how times have changed.

Please share this post with everyone you know and love or at least those that care.  We are fighting a human battle here that we can’t win on the War of Cybersecurity.  Security advocates like myself consistently try to protect others, but few care.  Often our battle screams fall on deaf ears as the majority of people choose not to understand why we teach how to break into systems, or why we even try to break into systems to start with.  However, at the same token, people in general accept and can understand when we teach how to defend computers.

General society for the most part chooses not to understand that defensive and offensive security go hand in hand.   They also choose not to understand or seem to care about security to the point that they will risk their own data and the data of their loved ones in making technology choices that put loved ones at risk.  A simple choice to put an internet connected camera in your daughter’s room that is on and connected 24×7 is strange to me for example.  The problem is that putting this camera into your own daughter’s room is not an example of typical people, however this is taken from my personal real life experience from working with a higher level system programmer that thought this was a good thing to do.  Did they ever get compromised?  I’d like to think not, but why risk a compromise like that with someone you love so much?

However, even now we don’t think much about providing technologies like computers with cameras in them, and phones that can have spyware installed on them to record sound and video.  I’m talking from yet another experience where a student of mine provided a cell phone to a 6-month-old baby… it’s all conditioning the human race and that child like many now-a-days will not know a day without technology.

The Windows 10 article is just as concerning to me as the daughter camera incident – in the way that there are privacy concerns in Windows 10 – especially with passwords being stored on Microsoft servers, along with biometric behaviors, location data, etc. by default.

It’s not just about us as system administrators.  It’s about everyone… it’s about our mothers, grandmothers, daughters and sons, friends, and people we haven’t even met yet. We have the knowledge to protect them but unless they want to learn… and do something about it – it’s worthless.  Besides, who is going to take care of them after we are gone?

I really do fear for our children and their children in regard to technology and the current state of the government, much less society in general – their lives have already changed so much in regard to what I had to worry about as a child.  I also fear that it will only get worse as time carries on as it did for us.  There are more attack vectors now in 2015 than I could have ever imagined as a teenager when I first started to break into things.

However, the general public doesn’t seem to care about security as it relates to privacy when it comes to “free” and “technology” in the same sentence.

How are we as InfoSec professionals supposed to stand up for people when they en masse swarm to an OS that has so many privacy/security concerns right out-of-the-box???  Yet another vector we need to be concerned with is how Microsoft can now push updates down automatically and update terms (and they will) as time goes on after the initial install.

Sure, you may disable the auto-updates feature in Windows 10 but it’s a pain to work with – so most of these people we truly care about won’t bother (and those that do will probably become even more insecure). This auto-update feature could potentially open a bigger hole for Microsoft to suck even more data down that violates our privacy.  See the catch 22 here?  I guess we just need to figure out if it’s better for the NSA to have our data, or if it’s better for malicious attackers to have it – if there is a difference.

Microsoft and their supporters call our security concerns overblown, however it’s not overblown.  This is a typical tactic used to make individuals less sensitive and thus dismiss a legitimate concern.

Microsoft and the US Government officials are chipping away at our privacy little by little (or in this case in one fell swoop) so they can catalog us for what most may think are limited to ads (however, it is potentially much more). Don’t believe me, ask representatives, like Jeb Bush, who think encryption is bad for us, but at the same token, use encryption on their own websites.

Good ole Jeb just highlights the technological bloody mess we are faced with in regard to government and our own privacy concerns as it relates to those in charge of our lovely government.  Obviously, Good ole Jeb Bush doesn’t care to protect our own data like credit cards, social security number, etc. However Jeb Bush at the same token uses HTTPS, which is an encrypted protocol, on his own site. Don’t believe me – look: https://jeb2016.com/.  These are the people we elected to the government!!!!  Good ole Jeb Bush – “Do as I say, not as I do”, and who gives a care about?  Jeb doesn’t… but elect him because he’s related to two individuals that were presidents.  By-the-Way (BTW), Jeb has supporters… so if that doesn’t say we’re hosed I don’t know what does.

Political and commercial entities are just trying to condition us like a frog in the beaker.

I’m sad that 75 million users don’t get it (because I think we’re all in this together… the entire planet – not just the US)… and Microsoft isn’t the only one doing this… Apple is guilty as well…. it’s just more people use Microsoft than Apple.  We are selling ourselves short, and selling ourselves out… when we blindly install this junk.

This is not just about us; it’s about our loved ones (as we transmit data with them and on them as well).

One only needs to study history to see that this data can be used against us, and the data Microsoft stores on us doesn’t even need to be compromised according to the End User License Agreement (EULA).  And yet some ignorant individuals claim that the EULA’s wording is sloppy language and vagueness, but not ill intent (http://slate.me/1KMW6nJ, August 2015).  Sorry I don’t buy it, and you’re too naive if you believe it – Microsoft has enough money and lawyers working that this wasn’t a mistake – besides I don’t see them backing down, especially since 75 million users installed Windows 10.

Is it a coincidence that all this overbearing control in a Windows OS comes from Microsoft just a few years after the Snowden incident exposing corporations like Microsoft for sharing data with the government?

I think not… and the fact of the matter is they are cataloging us… much like the US did via the Eugenics push back in the 1910s, 1920s, and 1930s.

Eugenics is a lesson that supports the theory that not much science or data needs to be studied by the masses in order to support an idea, all they need are notable leaders and public figures to support it. This is an extreme example of many where castration of those less worthy was supported all the way through the 1980s (http://bit.ly/1NQ92cg, August 2015).  I was alive during this period… so it wasn’t that long ago!

So cleansing didn’t start in Germany, it started here in the USA and continued through to the 1980s (as the US government castrated individuals among other things).  Even our own president Teddy Roosevelt, along with other known people like Helen Keller, H.G. Wells, Winston Churchill, Alexander Graham Bell, and even a Detroit favorite Henry Ford (http://bit.ly/1EtNHDL, August 2015) all supported Eugenics… (http://bit.ly/1F9xOwU, August 2015).

What does this have to do with Windows 10 and other technologies like it?  Let me connect the dots.

Windows now sends data on your biometric behaviors (keystrokes, voice recognition, etc.) back to Microsoft servers out of the box (OOTB), meaning it’s there by default unless you change it, and most people probably won’t.  Microsoft Windows is the most popular operating system in the known universe with Windows owning 75.9% of the market in July 2015 (http://bit.ly/1iECzUJ, August 2015).

The biometric and location data collected on us can be analyzed to see what kind of person you are.  This can give more insights into our individual human mind, and the way we individually operate.  In other words… it’s a ploy in my theory that they are hacking our minds.  Eugenics was based primarily off who you are… and how you behave and Operating Systems (OS) like Windows 10 now can be used to provide more data than the government ever had on us collectively as individuals.

This paired with the simple fact that we are surrounded by the Internet of Things (IoT), which is basically all these other devices that can track our vitals, tell others if we are home, and where we are located (location is yet another thing collected by Microsoft in Windows 10 as well – by default).


I’m not saying we may have another Eugenics phase coming up, but what I’m saying is we are opening ourselves up to something like that or even more potentially dangerous.  The IoT and the general willingness of individuals to blindly participate in it are putting us into a perfect storm situation on which racism and governments can pick people off based on biometric data like raw emotions, behaviors, and a myriad of data we have been recording ourselves via blogs, Facebook, Twitter, etc.

However, it’s not just limited to that, and I can’t stop thinking of some evil villain who is laughing his butt off somewhere because his plan is coming together as we naively continue to connect ourselves to sensors everywhere, even when we are strolling about (in regard to mobile devices).

It’s sad, but in order to change this we have to consider there still are other options out there.  I myself will support Windows only if I’m getting paid to support it as a professional, and will continue to support my students by providing host-based hardening lessons on Windows 10.  This will in turn make me stronger in supporting Windows.  However, I’m sad to say Windows  and Microsoft have lost me personally with this push.

We only have to look as far as our friends/heroes like Bruce Schneier to see what is right and what is wrong in regard to security as it relates to the government. People like Chris Roberts give us the ability to open our eyes to problems around us we can fix, while others like Johnny Long, remind us that we are the solution.

There are other great operating systems out there that don’t track you at the rate Windows does, and we can still use Microsoft Office on them via Windows in a virtual machine.  Linux is what I’m thinking of primarily… mainly for my home life.

However, large organizations are harder to convert off of Windows and thus why I will continue to support Windows in the future as I can make money off of it.  I just can’t see myself saying I want anyone I know or love using Windows 10 – but again, that’s their choice, just like smoking.

The general public really doesn’t care to take action on these security issues.  However, for those that do… the simplest law of economics states that we vote by our buying power (free or not), and that paired with the fact that Windows is already installed on 75 million devices shows very little concern or thought to what the data will be potentially used against them.

The Microsoft Windows 10 free offer reminds me of another history lesson where Troy accepted a Trojan Horse from the Greeks – it didn’t end too well for Troy either nor will this end well for us.  Maybe as a race we deserve what’s coming to us as we ignore security issues and security concerns.
