Slashdot Mirror
Researchers Crack Microsoft Feature, Say Encryption Backdoors Similarly Crackable (thehill.com)
An anonymous reader writes: Researchers who uncovered a security key that protects Windows devices as they boot up say their discovery is proof that encryption backdoors do not work. The pair of researchers, credited by their hacker nicknames MY123 and Slipstream, found the cryptographic key protecting a feature called Secure Boot. They believe the discovery highlights a problem with requests law enforcement officials have made for technology companies to provide police with some form of access to otherwise virtually unbreakable encryption that might be used by criminals. "Microsoft implemented a 'secure golden key' system. And the golden keys got released from [Microsoft's] own stupidity," wrote the researchers in their report, in a section addressed by name to the FBI.
proof that [anything developed by Microsoft does] not work.
FTFY.
That web site is annoying. 8 bit game music and the text jitters.
I should use this sig to advertise my book ISBN-13 : 978-1501515132.
Rotating golden key, moving starfield and crappy text. Virtually unreadable article. WTF?
Their security has a been a joke for *decades*.
Microsoft made a signed policy file which can be used with a Microsoft signed UEFI boot loader to turn off Secure Boot, and accidentally (?) published that policy with the Windows 10 anniversary update. Using this policy, Secure Boot can even be disabled on systems that won't allow the owner to disable it. And of course, this can be used to turn off Secure Boot remotely, so basically Microsoft eradicated any benefit that Secure Boot might have had. Now it's just annoying.
When will the folks in Redmond put down the pipes?
You laugh but it's a bit ironic. This wasn't a crack, it was a leak. MS actually gave everyone the fucking keys. This is great for me though, I spent 4 hours yesterday telling everyone at work that Microsoft is just as fucked on security today as they were 20 years ago. Then this happens and I'm totally vindicated.
Show me an unhackable machine and I'll show you my bare arse.
Sounds like an easily exploitable security hole to me...
Dear politicians: There will never be a backdoor key that only your law enforcement will have. Such things tend to be very, very valuable. Being able to decrypt any and all trade secrets is valuable. At a level where nation states start to be interested, not just some petty criminals, or even large criminal entities. Governments are interested. And they tend to have very, very deep pockets. Pockets deep enough that pretty much anyone becomes open for bribes. And if bribes don't work, well, there are other ways to be convincing.
Any key you have will also be held by Iran, Russia and probably even North Korea within reasonable time. That backdoor game is an odd one: The only winning move is not to play it.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Congress will never outlaw stupidity. When heave they ever made a law that has negative effects that affects mostly themselves?
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
My exploit from last year (CVE-2015-2552) already allowed trivially jailbreaking Surface RT tablets to run unsigned Windows programs.
This new exploit, however, adds the ability to run unsigned (technically, self-signed) .efi files, before Windows boots. In order to run an alternative operating system, you need to be able to run .efi files, because it is not possible to chainload from an EFI OS.
So yes, theoretically, you could make an Android distro for Surface RT now.
"Screw Sun, cross-platform will never work. Let's move on and steal the Java language." - Visual J++ Product Manager
That is because nothing happens to the FBI if they screw up. Hence they screw up more and more, because screwing up is easier and cheaper than not screwing up. Power without accountability will invariably do that to any organization.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
I don't know many folks with the courage to take the position that Microsoft products might be insecure.
Way to go out on a limb and still manage to come up totally vindicated!
You were aiming for funny, but what you actually got was chilling, because in fact that is a courageous position in many boardrooms and meeting halls across the country. It is, as usual, due to cognitive dissonance. People who think they are big swinging dicks because of their corporate position believe that Microsoft must be the ultimate cocksman because of its lofty position atop the market. In order to accept that Microsoft might actually be incompetent in spite of their market dominance, they have to accept that they might actually be incompetent in spite of their dominance of their fellow employee. This will never happen, so they will argue to the end that dominance equals competence. When something bad happens to Microsoft it's someone else's fault, just as when they make a mistake it's someone else's fault. They don't just pin the blame on someone else to avoid punishment — they pin the blame on someone else to avoid enlightenment.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"