Unencrypted Windows Crash Reports a Blueprint For Attackers

An anonymous reader writes "According to Forbes online, up to 1 billion PCs are at risk of leaking information that could be used as a blueprint for attackers to compromise a network from Microsoft Windows Error Reporting (WER) crash reports that are sent in the clear. Researchers at Websense Labs released a detailed overview of the data contained in the crash reports, shortly after Der Spiegel released documents alleging that nation-state hackers may have used this information to execute highly targeted attacks with a low risk of detection, by crafting attacks specifically for vulnerable applications that are running on the network. Also interesting to think that Microsoft knows exactly what model of phones that you have plugged into your PC..."

Not everything is about software security.

[i+kan+reed]

If you're really concerned about security on your individual systems, don't send critical system information externally. Otherwise the vulnerable applications were already vulnerable before and after sending, and if your messages are being intercepted, you've got bigger security issues already.

Re:Not everything is about software security.

[recoiledsnake]

If you're really concerned about security on your individual systems, DONT USE WINDOWS. There, fixed it for ya.

Ubuntu does the same, if not worse.
https://launchpad.net/apport

pport intercepts Program crashes, collects debugging information about the crash and the operating system environment, and sends it to bug trackers in a standardized form. It also offers the user to report a bug about a package, with again collecting as much information about it as possible.

It currently supports

  - Crashes from standard signals (SIGSEGV, SIGILL, etc.) through the kernel coredump handler (in piping mode)
    - Unhandled Python exceptions
    - GTK, KDE, and command line user interfaces
    - Packages can ship hooks for collecting speficic data (such as /var/log/Xorg.0.log for X.org, or modified gconf settings for GNOME programs)
    - apt/dpkg and rpm backend (in production use in Ubuntu and OpenSUSE)
    - Reprocessing a core dump and debug symbols for post-mortem (and preferably server-side) generation of fully symbolic stack traces (apport-retrace)
    - Reporting bugs to Launchpad (more backends can be easily added)

If you're really concerned about WER on Windows, just say no when it asks you to send crash reports.

Re:Not everything is about software security.

[MobSwatter]

That is not entirely true, though open source does have huge benefits in the world today, and RSA has shown pretty serious reasoning as to why core security should remain open source. The primary target of malicious affection will always be the majority of the market share, any os can be hardened, unfortunately hardened is in most cases less user friendly.

Re:Not everything is about software security.

But in ubuntu you can (and i do) turn it off!

Re:Not everything is about software security.

You can turn it off on Windows too.

Re:Not everything is about software security.

[EvilSS]

But in ubuntu you can (and i do) turn it off!

You can turn it off in Windows as well, which is what I always recommend when we are brought it to do Windows projects.

Re:Not everything is about software security.

[recoiledsnake]

But in ubuntu you can (and i do) turn it off!

In Windows, it's turned off until you turn it on.

Re:Not everything is about software security.

[icebike]

If you're really concerned about WER on Windows, just say no when it asks you to send crash reports.

Had you bothered to read TFA (I know, right?) you would have seen that there is a lot of stuff sent each time you plug in a device, USB, or otherwise, and it is sent silently, with no real simple or obvious way to turn it off.

Even turning off WER is buried in places the average user will never find. (hint start / search / type in WER)

Re:Not everything is about software security.

[Ravaldy]

I don't mean to be rude but that is an ignorant statement. Based on your statement we should all be using Calculators since it's probably the only device you don't risk having data stolen from.

Re:Not everything is about software security.

[icebike]

Joe user will never find this, and some are sent silently with no clear ability to turn it off.
Even TFA is vague about this, suggesting you route them to an internal server on your network.

Re:Not everything is about software security.

[MrEricSir]

Ubuntu does the same, if not worse.

Ubuntu has better security in that in order to find this information, the attacker would have to wade through countless confusing pages on the sluggish mess that is Launchpad.net.

Re:Not everything is about software security.

[recoiledsnake]

In order to turn it on, the user must have given explicit permission. It's off by default.

Re:Not everything is about software security.

[icebike]

Not necessarily. Someone gave it permission, but it wasn't necessarily YOU. Besides, YOU just clicked through the message without reading it anyway, because we all know you can trust Microsoft, right?

Re:Not everything is about software security.

[recoiledsnake]

Not sure what the solution to that is, except to prompt the user every hour with a hundred status messages(the antivirus/firewall turned off ones are bad enough).

. Besides, YOU just clicked through the message without reading it anyway, because we all know you can trust Microsoft, right?

Add a 5 minute timer to prompts? Is that the solution?

Re:Not everything is about software security.

[lgw]

They really made this confusing in Windows 8 (as with everything else in Windows 8). In Win7 and before, it wasn't so bad.

However, I have the same complaint about Firefox, and I'm sure there are many other popular applications that phone home on a crash by default.

We really need an OS with all applications jailed by default, but the only good one is SE Linux, and the NSA has destroyed my trust in everything they've touched.

Re:Not everything is about software security.

[JamieIanMacgregor]

never had linux crash on me, I didn't even know it did this stuff. unlike M$ (Im much older than 14 by the way, it is an apt acronym, if you think otherwise you're really not paying any attention to what they are doing) which I have experienced uncountable crashes over my years of experience.

Re:Not everything is about software security.

No, it nags you that it wants to send a crash report to MS, and you must agree or not then.

Re:Not everything is about software security.

[F.Ultra]

I just looked at the source for Apport in Ubuntu and it does encrypt the crash reports when they are sent to Launchpad since they use HTTPS.

return 'https://bugs.%s/%s/+source/%s/+filebug/%s?%s'

This was so obvious 10 years ago

I should consider making a list of obvious things that will prove to be security risks in the future for everyone to be aware of it. This was so expected.

breaking news:
- the NSA tampers with scripts hosted on googleapis.com. 90% of the internet impacted.

At least with the gifted nose i have for smelling crap i must say none of the Snowden's revelations made me bat an eye or change any passwords.

Duh

[mythosaz]

Also interesting to think that Microsoft knows exactly what model of phones that you have plugged into your PC..."

Wait, you mean my crash reports include a list of devices?!?

The horror.

Re:Duh

Reading the article, it says that each time you plug in a new USB device, it automatically sends that information to Microsoft. Even if you don't send the Windows crash reports to Microsoft, your computer is still phoning home each time you install a new USB device.

Re:Duh

[recoiledsnake]

Reading the article, it says that each time you plug in a new USB device, it automatically sends that information to Microsoft. Even if you don't send the Windows crash reports to Microsoft, your computer is still phoning home each time you install a new USB device.

Duh, how does it search for drivers on Windows Update then? Turn off that functionality and then check, if it still does, then it's news.

Next you will tell me that my browser is broadcasting an IP Address.

Re: Duh

[gweilo8888]

Came to say this. It is interesting in the exact same sense that it is interesting how Apple know exactly what type of operating system you install iTunes on. The AC submitter went all obvious troll in the last sentence.

Re:Duh

There are two cases where it will do this, both are optional:
1. to install a driver for the device
2. for a shiny graphic in Explorer/Device Stage

You can control both trivially: http://support.microsoft.com/kb/2500967

Re:Duh

Sorry; perhaps I'm being incredibly ignorant here (I'm the AC that posted above), but my understanding was that Windows came with a bunch of generic drivers for devices, and only checked Windows Update for a device if you told it to when installing the device.

Am I wrong?

Re:Duh

[heypete]

Sorry; perhaps I'm being incredibly ignorant here (I'm the AC that posted above), but my understanding was that Windows came with a bunch of generic drivers for devices, and only checked Windows Update for a device if you told it to when installing the device.

Am I wrong?

Windows typically checks Windows Update for drivers for all newly-connected devices, then look for locally-installed drivers if the Windows Update check didn't find anything. Certain devices (like USB mass storage devices, for example)) are installed using local drivers first, as most people want their USB flash drives to work as soon as possible but are willing to wait a few tens of seconds for other devices.

Ignoring privacy concerns, this is a fairly sensible thing: more devices can be "plug and play" and this benefits users. Similarly, while a driver might be included on a CD that comes with a device, it might be outdated -- an online check with Windows Update can retrieve the latest driver.

Re:Duh

[icebike]

If you're really concerned about WER on Windows, just say no when it asks you to send crash reports.

It does it even if the device itself supplies drivers or uses standard drivers, and even when the driver is already on the local machine and installed. Searching for drivers on windows update is completely unnecessary for about 95% of the things you will ever plug in, and usually fruitless for the other 5%.

It defaults to always searching, and you will only see a choice the very first time, any device is installed, (even a keyboard). So chances are that 99% of computers have device driver fetching turned on, and chances are that 99% of users don't know how to turn it off.

Re:Duh

[recoiledsnake]

I think what you said is true for Windows XP, but is certainly not true for Windows 7+.

Re:Duh

[recoiledsnake]

. Searching for drivers on windows update is completely unnecessary for about 95% of the things you will ever plug in, and usually fruitless for the other 5%.

Reference?
The drivers that come with the device or Windows might be outdated, buggy and/or omit new features.
I see updates to drivers in Windows Update many times so they're quite useful to me. Even as a power user, I don't keep visiting my hardware driver websites and keep comparing driver versions. Do you do that? The other option is to clutter up the system with 15 auto updaters from 10 companies. Is hiding the hardware you use from MS(assuming they start encrypting the data, which was a bad omission) that important to all users? Those who have that issue can turn it off.

Re:Duh

[icebike]

The drivers that come with the device or Windows might be outdated, buggy and/or omit new features.

So your thumb drive grows new features over its life? Amazing.

Everybody has the issue. Those that don't think its an issue are like vaccinated children, running around on the playground serving as a conduit for exposing others.

Re:Duh

I understand getting updated drivers through Windows Update; I just thought it only did that when I ran Windows Update, not automatically without telling me.

But thank you for the info!

Re:Duh

[recoiledsnake]

The drivers that come with the device or Windows might be outdated, buggy and/or omit new features.

So your thumb drive grows new features over its life? Amazing.

Sure it can, like encrypted thumb drives can have security fixes.

Everybody has the issue. Those that don't think its an issue are like vaccinated children, running around on the playground serving as a conduit for exposing others.

Most people do not need military grade security in everything, especially things like USB device info. Those that do have a mechanism to do it. That said, MS should at the least, start encrypting them over SSL, there's no excuse for that. Why are you unconcerned over search terms, email and documents being sent, stored and tracked forever in the cloud, but are worried about USB Device IDs?

Ask a bunch of people which would they prefer if they had to pick one. 1) Publish all their web search terms and email for the past 5 years in the local newspaper 2) Do the same for USB device IDs or even software installed on their system.

Re:Duh

[colinrichardday]

Those that don't think its an issue are like vaccinated children, running around on the playground serving as a conduit for exposing others.

Vaccinated children are a conduit?

Re:Duh

[icebike]

DOH! Clearly I meant to say un-vaccinated.

Who submits these reports?

[Gothmolly]

Who actually lets Windows submit these?

Also, if you don't trust your ISP not to snoop these, you shouldn't trust them not to snoop your real traffic too.

Re:Who submits these reports?

That's the thing, isn't it? The "we're all friends" model of computer networking has been stabbed, choked and shot by the NSA. Trust was yesterday.

Re:Who submits these reports?

[X0563511]

Sure, but it died in a fire a long time before that.

So...this is what WebSense has been up to...

[xxxJonBoyxxx]

...instead of fixing their slow and buggy web filtering software. (Ducks.)

Re:Windows users need to be raped by horses

[MobSwatter]

True, now if we could just bread that trait out of politicians we'd be set!

Old news

[cyberspittle]

Anyone who can access technical support resources can access customer data. The biggest issue is that most technical support is outsourced to other countries, which now have full technical (hardware+software version, etc.) and customer information (good for social engineering).

Next!

[ledow]

Disabled on every machine I own, every machine I've deployed, every machine that I've been given the permission to manage.

Not because I think someone might be able to sniff them and then use them against my workplaces / PC's. Purely because they are WORTHLESS.

Reporting them, you see nothing back. All those people who get error reports upon upgrading to a duff hotfix, it takes someone to whinge to Microsoft to get it fixed. Millions of crash reports aren't acted up, from what I see. I doubt anyone reads them.

When offered to software developers, etc., I'm always told that it's easier to just get me to run a debug version rather than piss about with any built-in error reporting / dumping possible from the Microsoft tools. It gives them more information, they can debug it live, and I don't have to worry about information going back and forth.

Pretty much every time I've had one, it's been ignored, by Microsoft, developers, or myself. I learned a long time ago that debugging from any default dump or crash report - even for huge multinational companies that are trying to help solve your problem - is worthless. It's just not worth the effort.

Hence I've disabled them since day one. Not only do they not do anything useful, they don't tell me anything useful, they want to connect to the Internet (which can trigger my software firewall for a completely different process to those authorised applications I already allow through, assuming the machine is even online), and they actually make the error messages HARDER to read for my users. I disabled it entirely. "There was an error" and a hard crash is infinitely better than my users trying to debug a crashed application themselves or sending off dumps because the button says to do it, and still getting a hard crash. Hell, if the crash was because the network cable fell out (which apps will if they are based on a network share sometimes), the submission process triggers a DNS lookup which hangs the PC for 30+ seconds sometimes.

Worthless. Disabled.

Re:Next!

[drinkypoo]

Millions of crash reports aren't acted up, from what I see. I doubt anyone reads them.

They're used for two things. One, to figure out which bugs are actually impacting customers. Two, when there's a bug Microsoft has decided they care about. Either way, by never sending them in you're not voting for your bugs to be fixed.

Re:Next!

[clodney]

Several times I have gotten the little popup in the tray of Win7 telling me that there is a fix for an issue that I have had. Usually it takes the form of a driver update or a hotfix.

At one point I worked for a company that used Windows Error Reporting in our app, and MS did indeed route the crash reports to us, which we did debug and generally fix.

Re:Next!

[Ravaldy]

I can assure you they aren't ignored by Microsoft. Many fixes stem from these reports. If you were a programmer you would understand why it's important and why they don't handle every single message received.

Re:Next!

[Etherwalk]

Millions of crash reports aren't acted up, from what I see. I doubt anyone reads them.

They're used for two things. One, to figure out which bugs are actually impacting customers. Two, when there's a bug Microsoft has decided they care about. Either way, by never sending them in you're not voting for your bugs to be fixed.

This. It's true lots of crash reports aren't acted on--it's also true that something like 5% of users generate 90%+ of crash reports. But they give great information on "this is affecting umpteen million people so we should fix it because it will save lots of man-years" or "someone's having a problem and we should see if any of the data we have will help us fix it."

Re:Next!

[Rich0]

Disabled on every machine I own, every machine I've deployed, every machine that I've been given the permission to manage.

All the good stuff you posted aside, you're still just as vulnerable. This isn't just about you leaking info to the NSA about what you have installed, but it is also about everybody else leaking info to the NSA about the bugs in Windows in general. The NSA can use that to create zero-days, which will work perfectly fine against your version of Windows since it contains the same flaws even if you aren't personally reporting them to MS.

Re:Next!

Thanks for your opinion.

Re:Next!

Millions of crash reports aren't acted up, from what I see.

Woah. You must know a lot of people!

As someone who works across from people actively working on said data, I can say that it is being looked at. There are a billion PCs in use. All of their reports have to be sorted and filtered to prioritize what to work on. And of course all of this is automated to bucketize and correlate reports (no human being could possibly keep up). Crash reports are worked into app-updates, hotfixes, windows update, etc. Many third parties improve their software because of this (nvidia, and AMD to name just a few).

Does it work? Yes!
Is it perfect? No. Nothing ever is.

Re:Next!

As a developer, I have access to crash dumps from my users through WER. Whether or not something happens when you send depends on if your application vendor bothered to register on WER.

  I do find the crash dumps useful and have fixed bugs in my software based on them.

Re:Next!

[bmajik]

fyi, I have personally analyzed WER crash dumps and used them to get the root causes fixed in the next update/release in multiple Microsoft products.

(Dynamics AX and Visual Studio, if you're curious)

We (Microsoft) not only look at WER data, we act on it.

You are correct that it is often really hard to figure out what crazy thing happened, but we try anyway, and sometimes, we're able to figure it out and create fixes.

As was mentioned elsewhere, WER data also tells us WHO is hitting a problem and how often it is being reported. That gives us valuable information about prioritizing WER responses.

If you don't want to pay the perf/bandwidth penalty for collecting/uploading reports, that's understandable. But as mentioned elsewhere, you're abstaining from "voting" to have your issues looked at sooner/more thoroughly.

Then, if you care about such things, there's the "social responsibility" aspect of it. I'd much rather we shipped perfect software, but we don't. WER is one of the best ways we can see issues that customers are hitting and get a sense of how painful they are for customers. If the goal is for MS to be less awful, WER is a key feedback mechanism to help us help you.

It would be a shame if your environment produced just the right heap dump that let us understand an issue that was impacting millions of people... and it was locked on your machine. Not only would your abstention cost YOU, but it would cost everyone else as well.

Is it your fault we ship bugs? Of course not. Would it help you, us, and millions of other people if you turned on WER? Probably.

Thanks,
Matt Evans
Senior SDET, Visual Studio

Re:Next!

[bmajik]

Rereading what I wrote, I should clarify this part

WER data also tells us WHO is hitting a problem

WER data doesn't tell us your personally identifiable information (name, email address, etc)

What I meant by that is that it bucketizes crash reports according to different dimensions. User's language/locale, operating system revision, product binary version, etc.

This is more valuable than you might think. It turns out that certain crashes only happen on certain languages, or that crashes happened shortly after release but stopped happening within a few weeks, or that no builds past revision xxx of a file matched the crash, etc.

Any MS engineer that wants to access WER data has to deal with some legalese around customer PII, and the WER upload bundles are pre-processed before we ever get to see them.

Resume panic :)

Re:Next!

[TimothyDavis]

Reporting them, you see nothing back. All those people who get error reports upon upgrading to a duff hotfix, it takes someone to whinge to Microsoft to get it fixed. Millions of crash reports aren't acted up, from what I see. I doubt anyone reads them.

I look at them. So do many others here at Microsoft.

Background: I sit on an engineering team that works with OEMs and IHVs. I formerly supported driver developers with support and posting drivers to Windows Update

The challenge with OCA is that there are many sources of crashes. It can be caused by a bug in a Microsoft component, 3rd party driver, faulty hardware, or something else in the kernel doing something wrong (such as malware, etc). Crashes are assigned to buckets, where the hope is that there is a one-to-one relationship been a bucket and a bug. Unfortunately a lot of buckets are an aggregation of different kinds of bugs.

Grouping the crashes into buckets gives us a list of trending crash causes. As expected, the buckets with the highest counts are researched first, where analysts try and identify root cause. If the bug is identified in a Microsoft product, the product sustained engineering team is engaged to build a hotfix to resolve the issue. If the bug is in a 3rd party driver, we engage the 3rd party to resolve the issue.

When a bucket has a resolution, we will typically link that bucket to a response that will notify affected users through the "Action Center" on the system tray. This only works if the bucket is solved, and the entire bucket can be solved by the solution. A lot of buckets do not have a linked response, but the resolution is posted to Windows Update as a Windows hotfix or a 3rd party driver update.

Re:Next!

[RocketRabbit]

Not paranoid enough. The NSA doesn't need to look at bugs that are present in Windows and then craft exploits the hard way. They can simply either use a National Security Letter and force Microsoft to include any vulnerability they wish, or even just use their agents in place inside Microsoft to plant the desired bugs. Most likely it is a combination of the two at work.

Now the ChiCom and the RBN and so forth, they might have a use for these bug reports. But the NSA? Fah!

Re:Next!

//Then, if you care about such things, there's the "social responsibility" aspect of it. I'd much rather we shipped perfect software, but we don't. WER is one of the best ways we can see issues that customers are hitting and get a sense of how painful they are for customers. If the goal is for MS to be less awful, WER is a key feedback mechanism to help us help you.

It would be a shame if your environment produced just the right heap dump that let us understand an issue that was impacting millions of people... and it was locked on your machine. Not only would your abstention cost YOU, but it would cost everyone else as well//

The fact of the matter is that it will cost YOU, the coder, YOU the software company and YOUR marketing staff and effect YOUR stock price.

This is not a perfect world. But if your problem is impacting millions of people, I am gonna go ahead and not worry about that heap dump. Because it's your f*cking problem chief.

Re:Next!

[DarwinSurvivor]

All of which could still easily be done if the reports were sent encrypted or over encrypted channels.

Re:Next!

[JakartaDean]

Thanks for sharing your experience, Matt

When I first learned about this, there were two things I didn't understand: Why does Microsoft collect this data (error reports and USB insertions) and why is it sent in the clear? You and others have provided a plausible rationale for the first, but the sneakiness of the USB insertion calls home are disturbing. It still seems completely wrong to send it unencrypted. Very, very wrong in fact. Can you share why was this decision made?

Re:Next!

[bmajik]

Sadly, I cannot tell you why the decision was made (or even if it was an intentional decision as opposed to an oversight). I'm not on the WER team and I haven't spoken to them. I chimed in because I'm one of many product engineers that looks at WER data after it has been collected, processed, and assigned to the right team/product for follow-up.

That said, I can speculate, and point out publicaly available information, just like any other slashdotter :)

- regarding the clear text -- one of the comments on the original article was quite helpful. It pointed out that the WER system makes multiple requests to perform a complete incident response. The first request ("stage 1") is indeed sent in the clear, and there are a bunch of query string variables that give some information (faulting app, version, etc).

However, subsequent HTTP requests for a given WER upload, e.g. the actual file payloads, memory dumps, and so on, ARE sent via SSL. I suspect the article omits this details because the author is attempting to generate buzz for his paper and company, ahead of a security conference where more details will be published.

So, as far as what is actually being sent in cleartext over the wire -- it is NOT the memory dumps or file contents. It is, to use a lately popular word, "metadata".

On the issue of USB device insertion:

Again, I am speculating here, but part of what we use WER for is to gather customer evidence -- what are our customers actually doing. When I argue that we need to fix bug foo, if I can point at specific customers that are being impacted by it, or if I can give counts about the number of unspecific customers that are being impacted, my argument has a lot more weight.

Imagine you are on the windows team. You have a finite amount of budget to test hardware compatibility. You can put a finite number of drivers "in the box" (as opposed to making people get them from somewhere). You are constantly under pressure to downgrade support for certain hardware (from inbox to download, from download to unsupported, etc) because every device you say you support costs you real time and money...

So what's the best way to decide which hardware should be supported how much? Well, knowing how many people are still trying to use that piece of hardware seems like a good piece of data to have if you are trying to make that decision.

Re:Next!

[yuhong]

Remember that this feature was released back in 2001. To put it in context, it was just after the infamous export restrictions on strong cryptography was lifted.

Encrypted

Is a buzz word, if not done with the correct protocol.. helps with a sales pitch, one less place to visit at RSA

lots of data

[minstrelmike]

This is absolutely brilliant: Looking at windows crash reports. Just think how much data there is.
Even if only 5% of users actually send those reports, it's still the mother lode

the 'news' is not for giving or forming opinions?

it WAS intended to reflect ours?

uninteresting data

Having looked at what data is actually sent, I don't see how this helps an attacker unless the system in question is already vulnerable. TFA lists some data (not entirely complete, e.g. the IP address is missing, but you get the point):

Date
USB Device Manufacturer
USB Device Identifier
USB Device Revision
Host computer - default language
Host computer - Operating system, service pack and update version
Host computer - Manufacturer, model and name
Host computer - Bios version and unique machine identifier

In all honesty, to me it looks as if websense is advocating security by obscurity here.

Re:uninteresting data

Hey, locker combinations are security by obscurity too.

That advertised info in itself doesn't give a cracker access, but it certainly lets him (or his script) focus his targeting options, which means faster cracking. Sure, there has to be a vulnerability to exploit, but the above data helps tell crackers which particular vulnerabilities you have. (Sure, "if any", but how confident of that are you?)

Re:uninteresting data

tl;dr -- obvious response by somebody who has no clue about SbO.

Nothing New

Isn't corporate spying and selling off individual customers condoned... er... encouraged at this point? I think the federal government is about 1 step away from banning encryption all together. Don't say they can't do it... if you speak of a VPN (even work related) you should be turned into your local police as a terrorist according to the FBI.

Double edged sword

[Kardos]

On one hand, it would be rather straightforward for Microsoft to push a patch to use encryption for these reports. On the other hand, now you are running closed source software that sends a bunch of data to Microsoft -- data that you can not inspect. When it is sent in the clear, at least you could sniff your traffic and see what Microsoft is getting. So with encrypted crash reports, you need to trust Microsoft more than now.

MS Word crashed? Better send the docx file that caused the crash as well, it's not like the user(s) can call Microsoft out for it with encryption.

Re:Double edged sword

Actually Windows Error Reporting lets you inspect the report before it's sent to Microsoft. This includes all data in the report and all files and crash dumps.

Re:Double edged sword

[Kardos]

I get what you're trying to say, but you're missing my point -- which is, you have to trust that Microsoft's closed source reporting tool is sending the same thing that it displays on the screen for you. Without encryption of the transmission, you can verify what it sends by local traffic snooping, and this keeps them honest. With encryption, you can't verify; the tool could send more than it displays.

Re:Double edged sword

[Rich0]

I get what you're trying to say, but you're missing my point -- which is, you have to trust that Microsoft's closed source reporting tool is sending the same thing that it displays on the screen for you. Without encryption of the transmission, you can verify what it sends by local traffic snooping, and this keeps them honest. With encryption, you can't verify; the tool could send more than it displays.

Well, they could display on-screen in that report the session key. It wouldn't really be informative, but it would let you decrypt the SSL connection. The parts that use RSA to authenticate and exchange the session key wouldn't be readable, but the payload would be, and you could easily look at the unreadable parts and say, "sure, that looks like an SSL handshake and there isn't room for any hidden data there."

Re:Double edged sword

[Arrepiadd]

When it is sent in the clear, at least you could sniff your traffic and see what Microsoft is getting. So with encrypted crash reports, you need to trust Microsoft more than now.

Sure, but when sent on the clear you need to trust everyone between you and Microsoft. I know this is Slashdot, but Microsoft may not be your worst enemy.

Easy fix.

Disable Windows Crash reporting. Problem solved.

Re:Windows users need to be raped by horses

We also need to 'breed' out the trait of illiteracy and stupidity which seems rampant in the idiots with 7 digit user IDs around here.

Assumptions

[WaffleMonster]

I'll admit to being surprised by this. I assumed Microsoft had the common sense to encrypt error reports especially given they contain at least partial contents of applications internal memory and would therefore assumed to be considered sensitive. The dialogues asking you to send certainly make this posture clear.

In fact when I first read this the other day I was a bit confused as to how they (NSA) were getting this data...from Microsoft servers? It didn't even enter my mind these things were sent unencrypted and trivially pulled off the wire.

While we normally have WER and associated scheduler task entries disabled there are still some machines we send the reports in the off-chance bugs get fixed...not anymore...sad.. inexcusable...

This completes creates quite an interesting feedback loop imagine using QUANTUMINSERT to load malware or trigger crashes... if there is a problem or your not sure about the memory environment sit back and wait for the error report.

Re:Assumptions

[MobSwatter]

Considering RSA has likely granted keys to the palace, NSA probably has direct access to M$ CVS. As such it may explain why certain distro's of linux have been directly attacked in the past.

Re:Assumptions

[WaffleMonster]

Reading more carefully dumps are encrypted yet certain summary data like memory offset and shared library crash occurred within are not.

Re:Assumptions

[dkf]

NSA probably has direct access to M$ CVS

That would do the NSA very little good indeed; Microsoft has never used CVS for anything.

Re: Assumptions

[MobSwatter]

Wow, I mean, just wow. My very own personal corporate driven politically sponsored shill driveling troll. You will receive no clothing from me, slave. Tido... Bring me a tissue, I think he hurt my...
My...
It's my feelings... Boohoo

Re:Assumptions

[MobSwatter]

My bad, CVS does not bare any resemblance to SourceSafe.

Re:Assumptions

[F.Ultra]

Microsoft isn't that stupid, they do not use SourceSafe internally.

Re:Windows users need to be raped by horses

What? You don't sit on the steps of the Capital feeding the congress critters bits of stale bread in the afternoon?

USB rings bell, and they must know at once.

[140Mandak262Jamuna]

As you can see, within seconds of connecting the new USB device to the computer, a report is sent to watson.microsoft.com in HTTP (clear text). This report includes a considerable amount of information that is URL encoded into the request. This information includes:

Every time you plug in a device to USB port, a di-ding bell sounds. It is of utmost importance to Microsoft to know a bell has rung, so that it can promote an angel second class to angel first class with wings.

See? There is an innocent explanation for it after all.

Not worst than the Forgot My Password feature

[Ravaldy]

The Forget My Password feature many sites offer if intercepted is just as dangerous for the user. The issue isn't MS here, it's the nature of our current open infrastructure. Although I'm sure there is a solution I don't know what it is and how easy it is deployed to secure all transmissions, not just Microsoft's .

Re:Not worst than the Forgot My Password feature

[ArsenneLupin]

If well implemented the password retrieval function is not really that easy to exploit:

• password retrieval never sends you your current password, but instead gives you the opportunity to set a new one, invalidating the old. This makes it very obvious to the user to see that a password reset has been performed.
• password retrieval usually does not send you the new password "as is", but rather a link with a "cookie" that allows you to set it. The cookie is no longer good once you've used it to set a new password. So even if the NSA just passively listened for "naturally occuring" password resets, it would do them no good, because if they followed the reset links, the user would notice. Moreover, this also means that e-mailboxes won't contain valuable passwords.

Unfortunately there is still software out there (such as mailman...) which doesn't do any of these for its password resets.

Re:Not worst than the Forgot My Password feature

[Ravaldy]

Yes,

But what about initiating a reset and intercepting the email and then performing the reset yourself. The procedure is still not safe from the Man in the Middle attack.

Any time your data can be sniffed you are in danger. This isn't an issue specific to any OS or software manufacturer. Sure, there are things we can do to limit the damages such as releasing bug free software (maybe in 3014) but until then we either live with the consequences or encrypt all network data except broadcasts intended for everyone to see.

On the down side, encrypting everything limits debugging of the data and increases overhead on both the line and the processors involved.

Re:Not worst than the Forgot My Password feature

[ArsenneLupin]

But what about initiating a reset and intercepting the email and then performing the reset yourself.

True, but that would imply:

1. Intercept the e-mail in such a way that it is no longer delivered (because the link cookie will be invalid once the spy has completed the reset, which would tip off the user)
2. Complete the reset
3. Do whatever evil need the password is needed for. This has to be right here and now, because we'll issue another reset. If a full download of the user's e-mail is needed, then good luck...
4. Perform a second reset (whose response we allow to reach the user)

And all this has to be done in the less than one minute it usually takes the server to reply, or else the user might be suspicious why the e-mail with the reset link takes so long to arrive...

This isn't an issue specific to any OS or software manufacturer. Sure, there are things we can do to limit the damages such as releasing bug free software (maybe in 3014) but until then we either live with the consequences or encrypt all network data except broadcasts intended for everyone to see.

Encryption software is not bugfree either. And neither are encryption users. I'm sure 90% of users would click away a certificate warning without a second thought. And of the 10% remaining, most wouldn't probably notice if a service that is usually https now is http...

Angels

[Etherwalk]

As you can see, within seconds of connecting the new USB device to the computer, a report is sent to watson.microsoft.com in HTTP (clear text). This report includes a considerable amount of information that is URL encoded into the request. This information includes:

Every time you plug in a device to USB port, a di-ding bell sounds. It is of utmost importance to Microsoft to know a bell has rung, so that it can promote an angel second class to angel first class with wings.

See? There is an innocent explanation for it after all.

When an angel gets his wings, a Venture Capital firm gets demoted...

Re:Windows users need to be raped by horses

[RabidReindeer]

What? You don't sit on the steps of the Capital feeding the congress critters bits of stale bread in the afternoon?

Bread them, dip them in egg yolk, fry until crispy.

A lovely alternative to tar and feathers.

Re:Oh, b.s. troll & here's how + why

Just FYI, there are two ways to avoid leaking information via the Crash Reports.
The first is to click "cancel" when it asks if you want to send it. (yes, difficult task for some)
The other is to go into your computer management and simply shut off the crash reporting service entirely.

Re:Windows users need to be raped by horses

Are you suggesting Catherine the Great was a Windows user?

Re:Closed source=security forfeit

[Em+Adespoton]

Anyone who uses closed source has forfeitted security. there is no but. none. anyone who claims that has no idea what theya re talking about.

Really?

First thing to realize: on the software level, there is NO SUCH THING as closed source. If your computer can read it, so can you. It's just rather obfuscated, and not in the form that the original author wrote it in.

But as complexity increases, having access to the source doesn't guarantee that the software operator is any more secure; it's trivially easy to insert the right insecurities into a complex system such that each one, by itself (see = vs ==) looks like a trivial bug, but together, they make a nice remote exploit.

And then, of course, you have to drill down. Do you know how all your hardware works (really know, not just understand theoretically how your specific chip types work)? Do you know exactly what information it leaks via networking, radiation and vibration? If you don't, you can't really vouch for the security of your system as a whole.

Fine, but

[ThatsNotPudding]

If you have any honor, either as an individual or a company, you will now encrypt the bloody things. Setting aside your a-hole buddies in the NSA, the other bad guys are exploiting these plain-text treasure troves as well, FFS.

Re:Fine, but

[bmajik]

Please read my other response, which points out that there were some interesting comments on the original article. In short, it appears that only a portion of the WER upload is unencrypted.

(That said, I am not on the WER team, and I have no idea if they will take action as a result of this paper or not. We'll see)

Regarding the other point -- in my opinion, having SSL turned on isn't really relevant if you're trying to hide information from the NSA/FBI.

The Lavabit legal documents that were made available a while back are illustrative here. If the FBI wants information about someone, they get a copy of the SSL certificate's private key for the entire website. The Lavabit guys made many attempts to try and negotiate a constrained delegation of wiretap powers for the FBI, but the FBI would settle for nothing less than the ability to eavesdrop on ALL SSL traffic to the entire site. This held up in court.

So if the FBI were wanting to use WER uploads to help them in an investigation, presumably they'd just force Microsoft to disclose any SSL certs used anywhere in the WER system.

The NSA situation may be different -- based on the Snowden disclosures, they tend to operate outside of the law/judicial system. They wouldn't necessarily use the court system to force handover of certs. Perhaps turning on SSL would defeat or slow them down, but I don't think so.

If you view moxie's talk about Certificate Authorities, he points out that most national governments -- even ones less trustworthy than the US -- can just (ab)use the CA/PKI system to intercept any traffic they like, and unless you're paying very close attention, you'd never know the difference. Government entity Foo replaces the certs on sites of interest with new ones that they hold the keys to, and the CA/PKI infrastructure makes such changes transparent to you because the certs are signed by a CA.

So I guess my thought is that if the opponent is a government entity, CA-issued SSL certificates are probably security theater instead of an actual impediment.

retarded encrypted or not.

[ralphaostrander]

If present Guess what I know.

Re:*NIX Trolls "best they got" = a downmod?

Another downmod of your post proves your point.