CAST Workshop “Secure Software Development”

We are organizing the workshop on “Secure Software Development” for the third year in a row. As usual, the workshop is in Darmstadt and the logistics are handled by CAST e.V. The date for the workshop is 12 November.

This year most presentations seem to be in German, so it probably does not make much sense for non-German speakers. But if you speak German, we have some rather interesting subjects, like our experiences with vulnerability management, research into the sociotechnical basis of development security, and problems with developing mobile payment infrastructure security.

The workshop is a great place for discussions and for meeting various people working on security in software development. Please come and join us on 12 November!

Windows 10: catching up to Google?

Windows 10 has turned out to be a very interesting update to the popular desktop operating system. Apparently, Microsoft envies Google for their success in spying on everyone and their dog through the Internet. Accordingly, Microsoft could not resist turning Windows into a mean spying machine. People were mightily surprised when all of the new spying features of Windows started to get uncovered.

To start with, the EULA, the license agreement, actually states clearly that Microsoft will collect browsing history, WiFi access point names and passwords, and website passwords. All of this information will be stored in the “user’s” Microsoft account, i.e. on the servers of Microsoft. Every user will receive a unique identification number that will be available to third parties for targeted advertising.

When you use BitLocker for disk encryption, the key will also be stored at Microsoft! The license agreement states that the password will be copied automatically to OneDrive servers. I told you that going with BitLocker was not something a sane person would do, didn’t I?

And now all of that personal data can be used by Microsoft at will:

“We will access, disclose and preserve personal data, including your content (such as the content of your emails, other private communications or files in private folders), when we have a good faith belief that doing so is necessary to protect our customers or enforce the terms governing the use of the services.”

See, it’s not just when a court issues an order, but simply whenever Microsoft thinks that they need to.

Some observers report that the license also reserves the right for Microsoft to disconnect “unlicensed hardware”. I did not find that part in the EULA though; I don’t know if it is true. I found something else though. Windows 10 will also remove your anti-virus or other anti-malware protection: “other antimalware software will be disabled or may have to be removed”.

That’s the part about the EULA. There is also Cortana, the virtual assistant, and various parts of the OS that submit various information to Microsoft. Well, Cortana can be disabled. However, it turns out that even disabling every single thing that reports user information to Microsoft does not help – Windows 10 still reports a lot of things, now without even informing the user. Apparently, the user cannot switch off all of the monitoring.

One of the things that cannot be switched off is a built-in keylogger. The keystrokes are recorded in a temporary file and then submitted to Microsoft servers. The keylogger is active even when you are not logged into the Microsoft account.

Another thing is the microphone and camera. Whenever the microphone is on, it records the sound and transmits it to the servers of the company. The same happens with the video camera: the video is recorded automatically and the first 35 MB are sent over to Microsoft.

Microsoft explains that all of this is necessary to create a database of users, so that targeted advertising can be sold to third parties. However, these are obvious privacy violations and some of them are even performed without informing the user.

Microsoft has also announced that some of the features of Windows 10 will be backported to the previous versions of Windows. So we can soon expect updates for previous versions that will introduce these spying features across all Windows computers.