by zippoxer 3274 days ago
Distrusting Windows was the wisest thing you did since you climbed off your horse. [1]

No, seriously. How is it paranoia to think the NSA was/is surveilling your Windows installation if we already have proof that they have the means [2] and motivation [3] to do it at scale?

[1] http://www.quotes.net/show-quote/34121

[2] https://en.wikipedia.org/wiki/EternalBlue

[3] https://en.wikipedia.org/wiki/PRISM_(surveillance_program)


There is no proof of means or motivation to use 0-days at scale. In fact, using EternalBlue "at-scale" would have caused it to not stay a 0-day for very long.
They don't need to deploy 0days if the vendor (willingly or unwillingly) cooperates. Also, Microsoft began to heavily spy on Windows users as part of normal operation, making it difficult to impossible to fully opt out.
I don't understand how that would be possible. Such a change would be detected and very loudly discussed, making it pretty useless. There would be very little positive gain yet a whole lot of negative blowback from doing such a thing.
MS engineers can log in to your machine and run programs / download documents. There is also some keylogger that sends data back without warning you. I can't remember which bits you can turn off, which bits got backported to 8/7 without warning, etc.

To make a long story short: From what anyone can tell, there is no way for consumers to obtain a version of windows that has security patches and has the ability to run with sane privacy settings. There is an acceptable version called Windows LTSB, but you have to pirate it.

This has been discussed ad nauseam on HN and elsewhere.

What change?

Are you suggesting that there's a cast iron guaranteed way of saying 'this stuff should be in the OS and nothing else'?

If you are suggesting that, are you suggesting the trust root for that particular stack is something other than the vendor? If so who?

Take the example of Windows. Let's say they agree to put in a backdoor like DoublePulsar. Microsoft release the official OS and say 'we promise this is all good and only stuff that should be in here is in here. Honest.' How do we as third parties detect they've put something in there that shouldn't be?

I see you're CEO of verify.ly and have some background in this, so I'm actually quite curious to know how you'd detect a malicious closed source vendor like Microsoft who is working with a TLA to provide backdoor access.

> so I'm actually quite curious to know how you'd detect a malicious closed source vendor like Microsoft who is working with a TLA to provide backdoor access.

"Closed-source" certainly does not mean you cannot see the changes, just that far fewer people know how to read assembly/machine code to understand what is going on.

People frequently reverse engineer patches and updates, as the addition of features means more vulnerabilities. Security companies generally get a whole lot of free marketing in the press if they find and disclose major vulnerabilities (along with building detection/prevention into their products), so there is a large incentive there. Of course it requires trusting security companies not to hold back findings like that, a valid concern, but it is at least a step up from completely trusting the vendor to deliver non-backdoored updates.

> Are you suggesting that there's a cast iron guaranteed way of saying 'this stuff should be in the OS and nothing else'?

The security researcher mindset would be along the lines of "How does this new added/changed functionality work, and how could it be abused?" (You are correct that there is no guaranteed manner to find this, otherwise all software would be un-hackable which is not the case).

Thanks.

So to go back to these two points:

> They don't need to deploy 0days if the vendor (willingly or unwillingly) cooperates.

> I don't understand how that would be possible. Such a change would be detected and very loudly discussed, making it pretty useless.

It would seem to me that these things are happening. 0days are being added (often to look like simple bugs) and security companies are detecting them and we're talking about them...eventually. So you're both right, but there's a period of sometimes years following the addition of a backdoor to it being discovered. And the NSA doesn't care too much if it's found as you can be sure it's not the only one as the ShadowBrokers showed.

Take the example in this thread - EternalBlue. That particular flaw was introduced in XP, wasn't it? And it survived all this time despite the uncountable security researchers poring over the code for a decade and more. It took a hack to reveal these tools.

Maybe the EternalBlue exploit really did just exploit a bug. Maybe it was a backdoor. It doesn't matter though. If it was a bug, it lay undiscovered for years which means there's plenty of opportunity for an actual backdoor to remain undiscovered too. So we have to deal with the possibility that 'exploitable code' (however it originated) may be around for decades and can be in every system as a result.

Following that logic, a new piece of 'exploitable code' could be added in the next Windows update and it could lay undetected for a decade. It's happened before and we didn't find it until the ShadowBrokers did their work, so it can happen again just as easily.

What about Heartbleed? This was another piece of 'exploitable code' that was around for years undetected. The examples of this are no doubt many.

It would seem to me then that there are plenty of cases where a 'backdoor' has been placed and plenty where a genuine mistake was made, but we can't ever really know which is which.

I guess that is the problem for us who talk about it as it encourages taking sides, where the reality is paranoid people are sometimes right in certain cases and cynics who think it's just a bug are right in others.

I honestly cannot tell if this is brilliant sarcasm or if you've somehow missed all the "very loud discussion" about Windows 10 on HN. :)
If you are referring to the level of analytics gathered, I fully agree! My point is, there would be a similarly loud reaction (at a wider scale) if a backdoor were introduced.
How could you tell a backdoor from a regular bug?

From a code perspective, of course.

Have you installed Windows 10 lately? It's all there in plain English.
I am definitely not a fan of all the default analytics gathered, not cool, but I took "cooperates" to be referencing legitimately malicious software.
That's not true. When an exploit shows up on a computer, "How did it get there?" is often the hardest question. There's no way to know short of capturing it in a lab environment.

If you're talking about "at scale" being "the entire world," then yes. But usually the NSA tends to target their operations regionally, e.g. Iran.

To clarify, I am not talking about attribution. When I say "not stay a 0-day for very long" I am referring to the fact that 0-day use by any threat actor is generally going to be very targeted, because the chance of a PSP and/or network tap logging artifacts or alerting the user is extremely risky with regard to potential exposure of the intrusion, causing the 0-day to likely get burned (since discovery allows for detection signatures and patches to be quickly created, as well as remediations applied to affected systems).
Any use of a zero-day risks burning it, and this was one of NSA's most potent zero-days. I imagine they used it rarely and wisely; probably trying other exploits first.
>and this was one of NSA's most potent zero-days.

Says who? We have no idea what they're sitting on, even our guesses come from terrible data.

And so now it's in the hands of people who have no such foresight. Which means soon it will be mitigated. Which means that despite all the pain right now, in the long run Wikileaks actually may end up having kind of helped humanity.
> Which means soon it will be mitigated.

It was fixed in a security patch one month before the Shadow Brokers leak. All computers affected by this ransomware outbreak (and WannaCry) were those who decided not to patch.

I suppose with the word "mitigation" kind of already having a connotation in the security community, I probably shouldn't have used it without making clear that I wanted the term to include its more banal implications such as "install the patch" and/or "get your systems off that old-ass OS!"
Wikileaks was not involved, they're securely posting CIA documents.