Leaked Docs Offer Win 8 Tip: FinFisher Spyware Can't Tap Skype's Metro App
mask.of.sanity (1228908) writes "A string of documents detailing the operations and effectiveness of the FinFisher suite of surveillance platforms appears to have been leaked. The documents, some dated 4 April this year, detail the anti-virus detection rates of the FinFisher spyware which German-based Gamma Group sold to governments and law enforcement agencies. The dump also reveals Windows 8 users should opt for the Metro version of Skype rather than the desktop client because it cannot be tapped by FinFisher."
Skype belongs to Microsoft, Microsoft is in the US, the US records your calls.
That would be a good idea if Metro Skype wasn't so utterly useless. It's almost as if they didn't even try. It is missing such basic features as marking yourself as "Busy" and is even missing the screen sharing feature.
Kriston
"People are aware that Windows has bad security but they are underestimating the problem because they are thinking about third parties.
What about security against Microsoft? Every non-free program is a 'just trust me program'. 'Trust me, we're a big corporation. Big corporations would never mistreat anybody, would we?' Of course they would! They do all the time, that's what they are known for. So basically you mustn't trust a non free programme."
"There are three kinds: those that spy on the user, those that restrict the user, and back doors. Windows has all three. Microsoft can install software changes without asking permission. Flash Player has malicious features, as do most mobile phones."
"Digital handcuffs are the most common malicious features. They restrict what you can do with the data in your own computer. Apple certainly has the digital handcuffs that are the tightest in history. The i-things, well, people found two spy features and Apple says it removed them and there might be more"
From:
Richard Stallman: 'Apple has tightest digital handcuffs in history'
www.newint.org/features/web-exclusive/2012/12/05/richard-stallman-interview/
"The dump also reveals Windows 8 users should opt for the Metro version of Skype rather than the desktop client because it cannot be tapped by FinFisher."
That's what they want you to think!
...the docs were leaked by spy agencies, because the Metro version is *easier* to spy on?
Sheesh, evil *and* a jerk. -- Jade
This of course is very old news, but relevant.
Ha. For those old enough to remember, it's kind of like 'new coke' vs 'coke classic'. When W9 comes out it will be like coke classic and everyone will come flocking back and buying new PCs. Then MS will claim that W8 was a marketing ploy to get more sales of W9 as a way to save face with all the losses from W8.
-- I ignore anonymous replies to my comments and postings.
No one cares, Ballmer.
Move along.
CLI paste? paste.pr0.tips!
This is just another one of the recent MS gimmicks to get you to switch to the Metro version.
I just received a very official Skype Team email stating my desktop version would be automatically removed. That's exactly what it said: YOUR SKYPE VERSION WILL BE REMOVED. If a company would add such a trigger on an application (even one that highly depends on a single external cloud service to do anything at all), I would call that heavy persuasion.
To start, you need a pre-boot scan. The occasional scan from a USB image would provide an integrity check: EFI settings (boot order), bootloader, kernel image, and initrd.
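As an added example (not code from any poster in this thread), here is the kind of check the post above describes, run from a rescue USB: hash everything under the target's /boot (ESP binaries, kernel, initrd) against a baseline kept on the stick, and compare the firmware BootOrder. The mount point, the file names and the BootOrder bytes are all constructed for the demo so it runs offline; on a real system `root` would be the read-only mounted target and the BootOrder blob would come from efivarfs.

```python
"""Offline boot-chain integrity check: hash the EFI System Partition contents,
kernel and initrd against a saved baseline and compare the firmware BootOrder.
Added example, not from the thread.

Assumptions (hypothetical): the target system's root is mounted read-only
under `root`, its ESP is mounted at root/boot/efi, and BootOrder is read from
/sys/firmware/efi/efivars/BootOrder-8be4df61-93ca-11d2-aa0d-00e098032b8c.
The demo below replaces both with constructed files and bytes so it runs
offline.
"""
import hashlib
import json
import os
import struct
import tempfile

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def collect_boot_files(root):
    """Map every file under root/boot (ESP, kernels, initrds, grub) to its digest."""
    digests = {}
    for dirpath, _, names in os.walk(os.path.join(root, "boot")):
        for name in names:
            full = os.path.join(dirpath, name)
            digests[os.path.relpath(full, root)] = sha256_file(full)
    return digests

def parse_boot_order(var_blob):
    """efivarfs layout: 4-byte attribute word, then UINT16[] of Boot#### indices."""
    data = var_blob[4:]
    return list(struct.unpack_from("<%dH" % (len(data) // 2), data))

def build_baseline(root, boot_order_blob):
    return {"files": collect_boot_files(root),
            "boot_order": parse_boot_order(boot_order_blob)}

def verify(baseline, root, boot_order_blob):
    """Return (kind, detail) findings; an empty list means the chain matches."""
    current = build_baseline(root, boot_order_blob)
    findings = []
    for rel, digest in baseline["files"].items():
        if rel not in current["files"]:
            findings.append(("missing", rel))
        elif current["files"][rel] != digest:
            findings.append(("modified", rel))
    for rel in current["files"]:
        if rel not in baseline["files"]:
            findings.append(("unexpected", rel))
    if current["boot_order"] != baseline["boot_order"]:
        findings.append(("boot_order_changed", current["boot_order"]))
    return findings

def _write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)

def demo():
    """Constructed scenario: baseline a clean install, then simulate a
    bootloader replacement plus a BootOrder change."""
    attrs = struct.pack("<I", 0x07)  # NV | BS | RT, as efivarfs exposes it
    clean_order = attrs + struct.pack("<3H", 0x0001, 0x0000, 0x0002)
    with tempfile.TemporaryDirectory() as root:
        _write(root, "boot/efi/EFI/ubuntu/grubx64.efi", b"constructed grub image")
        _write(root, "boot/vmlinuz-3.11.0", b"constructed kernel image")
        _write(root, "boot/initrd.img-3.11.0", b"constructed initrd")
        # The baseline would live on the rescue USB, not on the target disk.
        baseline_json = json.dumps(build_baseline(root, clean_order))
        # Tamper: swap the bootloader, drop in an extra EFI binary, reorder boot.
        _write(root, "boot/efi/EFI/ubuntu/grubx64.efi", b"passphrase-logging grub")
        _write(root, "boot/efi/EFI/evil.efi", b"constructed extra loader")
        evil_order = attrs + struct.pack("<3H", 0x0003, 0x0001, 0x0000)
        return verify(json.loads(baseline_json), root, evil_order)

if __name__ == "__main__":
    for kind, detail in demo():
        print(kind, detail)
```

The baseline must be taken from a known-good state and stored off the target disk; a baseline written to the disk being checked can be rewritten by the same malware that replaced the bootloader.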
You mean like the Windows 8 UEFI Secure Boot?
That depends on a TPM, which depends largely on a secret key in the OS RAM (magic cookie) that can be accessed if you have a kernel exploit. From there, you can modify the TPM.
Support my political activism on Patreon.
" To really get a high-security setup, boot chain, you need to do a lot of start-up work. "
No. To get a high-security setup, you simply never connect to the internet.
If you have internet access, you're fucked. Man can make it, man has repeatedly proven man can break it.
There is ZERO other alternative.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
There's a few things that seem off in that statement...
IIRC, Secure Boot didn't actually hook into the TPM.
Another, I'm not sure what you imply with 'modify the TPM'. You can have perhaps the TPM bind some stuff that the legitimate user wouldn't want you to do but you couldn't defeat sealing to a sufficient set of PCRs by having os level control of the TPM facilities afaik.
XML is like violence. If it doesn't solve the problem, use more.
Keep in mind just what exactly Microsoft handed the keys to the NSA for:
http://www.theguardian.com/wor...
Microsoft wasn't called out as an "enthusiastic" partner in the NSA's documents for nothing. Definitely consider all versions of Skype to be damaged goods - along with all other Microsoft products - can't imagine how excited the NSA was for the Xbox One and its always on audio monitoring and (originally) required connected video camera.
I drink Mt Dew (or Mello Yello) anyway.
Oh, huh. SecureBoot isn't Palladium; it's some new-fangled UEFI feature.
It looks like you can insert new keys into the SecureBoot DB with dpkg-reconfigure secureboot-db in Ubuntu, so sufficient OS-level access should allow for bypassing SecureBoot in UEFI. This is a little easier than it was with the TPM, I guess.
Support my political activism on Patreon.
Security: Confidentiality, Integrity, Accessibility. Removing Accessibility is called a Denial of Service.
It's like you just said the only way to be safe from murder is to kill yourself.
Support my political activism on Patreon.
I'll take spyware over metro any day.
They will, after their third tablet has broken because the batteries died.
Likely the virus just replaces the bootloader with one that logs the passphrase.
Not much you can do about that, except making sure that USB/removable media boot is disabled and there is adequate tamper evident physical security on the computer hardware casing.
Not much point in the OS driver validating the bootloader. If things have already got that far, it's game over. OK, you would get a warning and that would be nice, but at that point it's too late.
Very funny... Pull the other other one...
“He’s not deformed, he’s just drunk!”
Windows 8 Secure boot is a pretty flimsy facility that says 'yep, this code was blessed by microsoft'. It does nothing to vouch for whether the configuration leading up to or the configuration of the payload is what you actually want (e.g. a specific user expects they have put in Windows 8, but instead Red Hat loading with malicious configuration would be a sort of misbehavior that SecureBoot does nothing for).
UEFI secure boot validates everything (configuration) until the boot-loader load. The boot-loader sits in signed cabinet files and the UEFI firmware will not load the boot-loader if the boot-loader cabinet files do not check out (invalid signature).
The boot-loader will check the operating system - Windows 8 - core before relinquishing control of the boot process to the OS. Windows 8 sits in signed cabinet files and the boot-loader will not boot the OS if the files have been tampered with (invalid signatures).
Right after the kernel has started - relying *only* on information from the signed cabinet files and signed kernel drivers (all drivers which load in kernel space in Windows 64 bit versions must be signed), the antivirus providers will be allowed to load. AV must *also* be signed by MS to be allowed to load at this stage. The AV can now control loading the rest of the OS. Still, any kernel level drivers *must* be signed.
You are correct that the boot-loader will also boot other signed OSes - like RH Linux and those *could* be used to start Win8 or some other OS in a VM and under control of the "signed" OS. You can bet that MS has requirements that the booting of non-Windows OS is obvious (something must happen at the screen clearly identifying the OS being booted).
But on the whole, UEFI Secure Boot along with Windows 8 signed boot-loader and OS is *very* hard to circumvent. I haven't heard of any successful attack yet. There was some spin on an attempt that did not use UEFI Secure Boot (it used BIOS).
Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
Oh, huh. SecureBoot isn't Palladium; it's some new-fangled UEFI feature.
It looks like you can insert new keys into the SecureBoot DB with dpkg-reconfigure secureboot-db in Ubuntu, so sufficient OS-level access should allow for bypassing SecureBoot in UEFI. This is a little easier than it was with the TPM, I guess.
No, not unless the OEM did *not* follow the specs. If they followed the UEFI specs this should not be possible.
On top of that, it is a specific requirement for "Designed for Windows 8 certification" that the keys cannot be manipulated from the operating system.
The only way to change the key store is through physical (like in at the keyboard) control of the UEFI firmware in the pre-boot "maintenance mode" *or* through a firmware upgrade. Firmware upgrades *must* be signed as well, so no, you can not use that avenue either.
OEMs who design their system with UEFI will certainly make sure to meet those requirements.
Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
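The claim above, that the key store cannot be changed from the running OS, is something you can check on Linux rather than take on faith. Each Secure Boot database (PK, KEK, db, dbx) shows up in efivarfs with a 4-byte attribute word in front of the data; if the firmware set EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS, a SetVariable() call has to carry a descriptor signed by the PK or a KEK, which is what makes `dpkg-reconfigure secureboot-db` enroll rather than freely overwrite. The following is an added example, not code from this thread or from any distro; the efivarfs path and layout are the ones the UEFI spec and Linux document, while the two sample variables are constructed bytes, not dumps from real firmware.

```python
"""Inspect a Secure Boot key database (PK, KEK, db or dbx) the way Linux
exposes it in efivarfs, and check whether it is really protected against a
plain SetVariable() from the running OS. Added example, not from the thread.

Assumptions: efivarfs files such as
/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f start with
a 4-byte little-endian attribute word followed by the variable data, which is
a sequence of EFI_SIGNATURE_LIST structures (UEFI spec, "Signature Database").
The sample variables below are constructed bytes, not dumped from real firmware.
"""
import hashlib
import struct
import uuid

# Variable attribute bits from the UEFI spec (GetVariable/SetVariable).
EFI_VARIABLE_NON_VOLATILE = 0x01
EFI_VARIABLE_BOOTSERVICE_ACCESS = 0x02
EFI_VARIABLE_RUNTIME_ACCESS = 0x04
EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS = 0x20

# Signature types the spec defines for these databases.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
SIG_TYPE_NAMES = {EFI_CERT_SHA256_GUID: "sha256", EFI_CERT_X509_GUID: "x509"}

SIGLIST_HDR = 16 + 4 + 4 + 4  # SignatureType, ListSize, HeaderSize, SignatureSize

def split_efivar(blob):
    """Return (attributes, data) for an efivarfs file's contents."""
    if len(blob) < 4:
        raise ValueError("efivar blob too short")
    return struct.unpack_from("<I", blob, 0)[0], blob[4:]

def parse_signature_lists(data):
    """Walk the EFI_SIGNATURE_LIST chain, rejecting malformed sizes."""
    entries, off = [], 0
    while off < len(data):
        if len(data) - off < SIGLIST_HDR:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=bytes(data[off:off + 16]))
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < SIGLIST_HDR + hdr_size or off + list_size > len(data):
            raise ValueError("bad SignatureListSize")
        if sig_size < 16:  # at least the SignatureOwner GUID
            raise ValueError("bad SignatureSize")
        body = data[off + SIGLIST_HDR + hdr_size: off + list_size]
        if len(body) % sig_size:
            raise ValueError("signature array not a multiple of SignatureSize")
        for i in range(0, len(body), sig_size):
            entries.append({
                "type": SIG_TYPE_NAMES.get(sig_type, str(sig_type)),
                "owner": str(uuid.UUID(bytes_le=bytes(body[i:i + 16]))),
                "payload": bytes(body[i + 16:i + sig_size]),
            })
        off += list_size
    return entries

def writable_from_os(attrs):
    """A runtime-visible variable without time-based authenticated write
    access can be rewritten by anyone who can call SetVariable() from the OS.
    With the bit set, the firmware demands a descriptor signed by the PK/KEK."""
    return bool(attrs & EFI_VARIABLE_RUNTIME_ACCESS) and not bool(
        attrs & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS)

def audit(blob):
    attrs, data = split_efivar(blob)
    return {"attrs": attrs, "entries": parse_signature_lists(data),
            "writable_from_os": writable_from_os(attrs)}

# --- constructed sample data -------------------------------------------------
def build_signature_list(sig_type, owner, payloads):
    sig_size = 16 + len(payloads[0])
    body = b"".join(owner.bytes_le + p for p in payloads)
    return sig_type.bytes_le + struct.pack("<III", SIGLIST_HDR + len(body), 0, sig_size) + body

OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")  # constructed owner GUID
SAMPLE_LISTS = (
    build_signature_list(EFI_CERT_SHA256_GUID, OWNER, [
        hashlib.sha256(b"constructed bootmgfw.efi").digest(),
        hashlib.sha256(b"constructed shimx64.efi").digest()])
    + build_signature_list(EFI_CERT_X509_GUID, OWNER, [b"\x30\x82" + b"\x00" * 30]))
# Spec-conformant db: NV | BS | RT | TIME_BASED_AUTHENTICATED_WRITE_ACCESS
GOOD_DB = struct.pack("<I", 0x27) + SAMPLE_LISTS
# Same contents, but the firmware left off the authenticated-write bit.
WEAK_DB = struct.pack("<I", 0x07) + SAMPLE_LISTS

if __name__ == "__main__":
    for name, blob in (("db (conformant)", GOOD_DB), ("db (weak)", WEAK_DB)):
        report = audit(blob)
        print(name, hex(report["attrs"]), "writable from OS:", report["writable_from_os"])
        for e in report["entries"]:
            print("  ", e["type"], e["owner"], e["payload"][:8].hex())
```

On a live machine, pass the contents of the efivarfs file for db, KEK or PK to `audit()`; an attribute word of 0x27 is what a conforming implementation shows, and 0x07 on any of these variables means the reply above is wrong for that particular firmware. The attribute check only tells you what the firmware claims to enforce; a firmware bug in the SetVariable() path is a separate question this script cannot answer.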
After these databases have been added, and after final firmware validation and testing, the OEM locks the firmware from editing, except for updates that are signed with the correct key or updates by a physically present user who is using firmware menus, and then generates a platform key (PK). The PK can be used to sign updates to the KEK or to turn off Secure Boot.
So if you have the PK, you can sign updates to the KEK. Okay, so this requires the user to intentionally load a PK first, and store it on the machine. Makes sense.
So then the chain is shorter: have your kernel load a signed initrd, perform useful scans, and then load the real initrd and engage the boot process. I likes this.
Support my political activism on Patreon.
"It's like you just said the only way to be safe from murder is to kill yourself. "
Is it wrong? The only way to avoid being killed or dying is to already be dead. The only way to avoid getting compromised online is to not be online at all.
There is no such thing as 100% security.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
But on the whole, UEFI Secure Boot along with Windows 8 signed boot-loader and OS is *very* hard to circumvent.
If you are paying attention during boot, and the attack comes from within the OS. Of course, MS could have afforded the within-the-OS protection themselves by being very special in how they treated the system partition without requiring firmware to verify it. If you have full control of the console and/or device, you can do exactly what you describe, boot a valid OS using a malicious configuration designed to rootkit the OS that's there or impersonate the OS that was supposed to be there to gain information about accessing the presumably cloned disk.
Because it is actually pretty ineffectual against an adversary that physically controls your entire system or your disk contents, I think a different design would have been better. Secure boot is too open ended to afford sufficient protection and yet too much a pain by being not quite open ended enough to allow OS vendors without Microsoft blessing. I think Secure Boot should have been done by the key being installed to firmware at initial OS install time. The first OS install getting to 'take ownership' of the platform, and that key being *the* key to trust. This would have allowed Microsoft to put in a Microsoft key and say 'screw trying to certify things like grub'. Installing a different OS after a first would have required going into firmware to unclaim the platform to let the new bootloader claim it on the install of that system.
I'm actually ok with TPM and how things like Bitlocker leverage the TPM. The Secure Boot scheme reeks of too much inconvenience for inadequate security compared to what *could* have been done.
XML is like violence. If it doesn't solve the problem, use more.