{{Header}}

== Windows Backdoors ==

'''Table:''' ''Windows Backdoors''

{| class="wikitable"
|-
! scope="col"| '''Category'''
! scope="col"| '''Description'''
|-
! scope="row" style="vertical-align: top; text-decoration: underline;" | User Content Upload to Microsoft
| {{Anchor|User Content Upload to Microsoft}}Windows sometimes takes user content, such as documents, and uploads it to Microsoft servers. Quote {{Archive_link |url=https://web.archive.org/web/20160316135752/https://technet.microsoft.com/en-us/library/mt577208.aspx |text=Microsoft: Configure telemetry and other settings in your organization (web archived website) }} (Underline added.):
Full level

The Full level gathers info necessary to identify and to help fix problems, following the approval process described below. This level also includes info from the Basic, Enhanced, and Security levels. Additionally, at this level, devices opted in to the Windows Insider Program will send events that can show Microsoft how pre-release binaries and features are performing. All devices in the Windows Insider Program are automatically set to this level. If a device experiences problems that are difficult to identify or repeat using Microsoft’s internal testing, additional info becomes necessary. This info can include any user content that might have triggered the problem and is gathered from a small sample of devices that have both opted into the Full telemetry level and have exhibited the problem. However, before more info is gathered, Microsoft’s privacy governance team, including privacy and other subject matter experts, must approve the diagnostics request made by a Microsoft engineer. If the request is approved, Microsoft engineers can use the following capabilities to get the information:
* Ability to run a limited, pre-approved list of Microsoft certified diagnostic tools, such as msinfo32.exe, powercfg.exe, and dxdiag.exe.
* Ability to get registry keys.
* Ability to gather user content, such as documents, if they might have been the trigger for the issue.
Media also reported this. Quote [https://www.theregister.com/2016/02/24/windows_10_telemetry/ The Register: Windows 10 telemetry secrets: Where, when, and why Microsoft collects your data] (Underline added.):
At the Full setting, you grant Microsoft permission to collect extra data [...] The formal documentation makes it clear that this sort of investigation can snag personal documents: [...] Ability to gather user content, such as documents, [...]
Quote [https://www.zdnet.com/article/windows-10-telemetry-secrets/ ZDNet: Windows 10 telemetry secrets: Where, when, and why Microsoft collects your data] (Underline added.):
At the Full setting, you grant Microsoft permission to collect extra data when your device "experiences problems that are difficult to identify or repeat using Microsoft's internal testing. The formal documentation makes it clear that this sort of investigation can snag personal documents: [...] Ability to gather user content, such as documents, if they might have been the trigger for the issue.
The default level is Full for Windows 10 Home and Pro and Enhanced for Enterprise edition. (On a device that is running an Insider preview edition, this value is set to Full and can only be changed by installing a released version.) If you are concerned enough about privacy to have read this far, you probably want to set the telemetry level to Basic.
Quote [https://www.researchgate.net/publication/336750047_OS_Call_Home_Background_Telemetry_Reporting_in_Windows_10 ResearchGate: OS Call Home: Background Telemetry Reporting in Windows 10] (Underline added.):
The default level for Windows 10 Home and Pro is “Full” and “Enhanced” for Enterprise editions.
Quote [https://web.archive.org/web/20180520075416/https://docs.microsoft.com/en-us/windows/privacy/configure-windows-diagnostic-data-in-your-organization Microsoft (web archived, year 2018)] (Underline added.):
Full level

The Full level gathers data necessary to identify and to help fix problems, following the approval process described below. This level also includes data from the Basic, Enhanced, and Security levels. This is the default level for Windows 10 Pro.
Alternative write-up: [https://www.sandon.it/node/104 Scaring: Windows 10 lets Microsoft access your own local files]. In theory it might be possible to disable this behavior, but there have also been cases where such settings were not honored, as documented in the chapter [[#Inescapable Telemetry|Inescapable Telemetry]].

There is a privacy by policy safeguard implemented at the Microsoft organisational level. Quote: "However, before more info is gathered, Microsoft’s privacy governance team, including privacy and other subject matter experts, must approve the diagnostics request made by a Microsoft engineer." However, privacy by policy is not privacy by design (privacy enforced through technology). Generally speaking, there is a history of privacy by policy safeguards being circumvented by malicious employees (insider attacks) and by hacking (outsider attacks), and privacy by policy also fails in the case of government requests. Microsoft’s privacy governance team would be circumvented if Microsoft were compelled through a government order. Quote [https://en.wikipedia.org/wiki/FBI%E2%80%93Apple_encryption_dispute FBI–Apple encryption dispute] (Underline added. Code added.):
In 2015 and 2016, Apple Inc. received and objected to or challenged at least 11 orders issued by United States district courts under the All Writs Act of 1789. Most of these seek to compel Apple "to use its existing capabilities to extract data like contacts, photos and calls from locked iPhones [...]
While there exists (to the knowledge of the author) no law that allows the government to compel companies to add new surveillance capabilities, such as new backdoors in operating systems, Microsoft has an existing capability of accessing user content on the Windows operating system. It is therefore conceivable that Microsoft is receiving orders to use that existing capability, possibly even orders which Microsoft would never be allowed to talk about due to a [https://en.wikipedia.org/wiki/Gag_order gag order]. [https://web.archive.org/web/20200225185417/https://www.microsoft.com/en-us/corporate-responsibility/us-national-security-orders-report Microsoft's U.S. National Security Orders Report] states, for [https://en.wikipedia.org/wiki/Foreign_Intelligence_Surveillance_Act Foreign Intelligence Surveillance Act (FISA)] orders in the period July to December 2019, 0 to 499 orders seeking disclosure of content, with 14,500 to 14,999 accounts impacted by orders seeking content. Some of these orders probably relate to hosted accounts such as the Microsoft Live e-mail service or Skype. It is unknown whether they might also include user content from Windows. FISA is just one type of order that comes with a secrecy order (gag order) from the U.S. government. Microsoft must also abide by other types of government orders as well as by [https://www.microsoft.com/en-us/corporate-responsibility/law-enforcement-requests-report orders from governments of different countries].

The relevant statement by Microsoft, "Ability to gather user content, such as documents", can be found on this {{Archive_link |url=https://web.archive.org/web/20160316135752/https://technet.microsoft.com/en-us/library/mt577208.aspx |text=web archived website }}. The relevant statement can no longer be found in the {{Archive_link |url=https://docs.microsoft.com/en-us/windows/privacy/configure-windows-diagnostic-data-in-your-organization |text=current version of the document |archive=none }}.
Whether only the text or the actual behavior was changed is unknown to the author, since no changelog or further information on this could be found, and no source code is available to the general public (that is, available without a non-disclosure agreement (NDA), so that one is legally allowed to talk about it). Whether this existing capability can be used against any user of whom only an IP address or Windows Live ID is known, at any time, or whether an existing crash report is a prerequisite, is also unknown for the same reasons. It would be far better if there were no such capability at all.
|-
! scope="row" style="vertical-align: top; text-decoration: underline;" | Encryption
| {{Anchor|Encryption}}Microsoft has backdoored its disk encryption. Quote [https://theintercept.com/2015/12/28/recently-bought-a-windows-computer-microsoft-probably-has-your-encryption-key/ The Intercept: (...) Microsoft Probably Has Your Encryption Key]:
But what is less well-known is that, if you are like most users and login to Windows 10 using your Microsoft account, your computer automatically uploaded a copy of your recovery key — which can be used to unlock your encrypted disk — to Microsoft’s servers, probably without your knowledge and without an option to opt out.
“When a device goes into recovery mode, and the user doesn’t have access to the recovery key, the data on the drive will become permanently inaccessible. Based on the possibility of this outcome and a broad survey of customer feedback we choose to automatically backup the user recovery key,” a Microsoft spokesperson told me. “The recovery key requires physical access to the user device and is not useful without it.”
But disabling this requires awareness of the issue, the skill to use search engines to find documentation on how to do so, and the technical skill to actually disable this privacy intrusion. This is often not the case for non-technical users. ([[#The Tyranny of the Default|The Tyranny of the Default]]) Quote [https://www.theguardian.com/world/2013/jul/11/microsoft-nsa-collaboration-user-data The Guardian: Microsoft handed the NSA access to encrypted messages]:
Microsoft has collaborated closely with US intelligence services to allow users' communications to be intercepted, including helping the National Security Agency to circumvent the company's own encryption, according to top-secret documents obtained by the Guardian.
|-
! scope="row" style="vertical-align: top; text-decoration: underline;" | Software Choice and Deletion
|
* Windows has a feature to [https://www.computerworld.com/article/2500036/microsoft--we-can-remotely-delete-windows-8-apps.html remotely delete applications installed through the Windows Store] from the computer. At the time of writing there are no known cases of abuse of this feature; it has only been used for malware removal.
* Windows 10 upgrades [https://www.ghacks.net/2015/11/24/beware-latest-windows-10-update-may-remove-programs-automatically/ delete applications without permission].
|-
|}

== Windows Surveillance ==

'''Table:''' ''Windows Surveillance Threats''

{| class="wikitable"
|-
! scope="col"| '''Category'''
! scope="col"| '''Description'''
|-
! scope="row" style="vertical-align: top; text-decoration: underline;" | Adversary Collaboration
|
* Microsoft SkyDrive [https://www.itproportal.com/2014/05/14/microsoft-openly-offered-cloud-data-fbi-and-nsa/ allows adversaries to examine user data].
* Microsoft has [https://www.forbes.com/sites/petercohan/2013/06/20/project-chess-how-u-s-snoops-on-your-skype/ enabled spyware in Skype] and [https://www.guardian.co.uk/world/2013/jul/11/microsoft-nsa-collaboration-user-data specifically changed the software] to enable this function.
** Microsoft's purchase of Skype was detrimental to privacy. Quote [https://www.theguardian.com/world/2013/jul/11/microsoft-nsa-collaboration-user-data The Guardian: Microsoft handed the NSA access to encrypted messages]:
***
In July last year, nine months after Microsoft bought Skype, the NSA boasted that a new capability had tripled the amount of Skype video calls being collected through Prism;
*** It might have been better for privacy if Microsoft had not purchased Skype.
*** Microsoft could have kept end-to-end encryption intact, transformed Skype into an Open Source project and/or fought illegitimate requests in the courts as Apple did ([https://en.wikipedia.org/wiki/FBI%E2%80%93Apple_encryption_dispute FBI–Apple encryption dispute]). Microsoft, however, did not take a stand for its users and did none of that.
|-
! scope="row" style="vertical-align: top; text-decoration: underline;" | Anonymity
|
* Windows DRM files can [https://www.bleepingcomputer.com/news/security/windows-drm-files-used-to-decloak-tor-browser-users/ potentially identify people browsing with Tor].
* Windows assigns a unique advertising ID to each user so that other companies can track individual browsing habits.
|-
! scope="row" style="vertical-align: top; text-decoration: underline;" | Keylogger
| {{Anchor|keylogger}}Windows 10 comes with a keylogger. Quote {{Archive_link |url=https://web.archive.org/web/20150801001352/http://windows.microsoft.com/en-us/windows-10/speech-inking-typing-privacy-faq |text=Microsoft (year 2015 web archived version): Windows 10 speech, inking, typing, and privacy FAQ }}:
What are speech, inking, and typing services?

When you interact with your Windows device by speaking, writing (handwriting), or typing, Microsoft collects speech, inking, and typing information—including information about your Calendar and People (also known as contacts)— [...]
Quote [https://www.pcworld.com/article/2974057/windows/how-to-turn-off-windows-10s-keylogger-yes-it-still-has-one.html PCWorld: How to turn off Windows 10's keylogger (yes, it still has one)] (on text input and unique typing cadence (pattern); quote modified by the author: link to the 2015 web archived version of the Microsoft FAQ added):
Microsoft pretty much admits it has a keylogger in its {{Archive_link |url=https://web.archive.org/web/20150801001352/http://windows.microsoft.com/en-us/windows-10/speech-inking-typing-privacy-faq |text=Microsoft: Windows 10 speech, inking, typing, and privacy FAQ }}: “When you interact with your Windows device by speaking, writing (handwriting), or typing, Microsoft collects speech, inking, and typing information—including information about your Calendar and People (also known as contacts)…”
Quoting 2015 version of [https://web.archive.org/web/20150801001352/http://windows.microsoft.com/en-us/windows-10/speech-inking-typing-privacy-faq Microsoft: Windows 10 speech, inking, typing, and privacy FAQ]:
Can I clear the speech, inking, and typing data Microsoft has collected about me?

Yes, you can clear your speech, inking, and typing data from your device and from the cloud.
* [...]
* To clear data stored on the cloud, go to Start, then Settings > Privacy > Speech, inking, & typing, and then select the Go to Bing and manage personal info for all your devices link.
Note: the deletion described in the quote is only a promise. If the data was previously leaked, shared with other parties or requested through a government order, it would not be deleted. Such data is vulnerable to [[Keystroke Deanonymization|Keystroke Deanonymization]].
|-
! scope="row" style="vertical-align: top; text-decoration: underline;" | Voice Recording
| Quote 2020 [https://support.microsoft.com/en-us/help/4468250/windows-10-speech-voice-activation-inking-typing-privacy Microsoft: Windows 10 speech, inking, typing, and privacy FAQ] (Underline added.):
When you use the Microsoft cloud-based speech recognition service, Microsoft collects and uses your voice recordings to create a text transcription of the spoken words in the voice data.
This means Windows is recording the voice of the user and storing it on servers owned by Microsoft. The same website mentions this can be disabled.
You can use device-based speech recognition without sending your voice data to Microsoft.
But disabling this requires awareness of the issue, the skill to use search engines to find documentation on how to do so, and the technical skill to actually disable this privacy intrusion. This is often not the case for non-technical users. ([[#The Tyranny of the Default|The Tyranny of the Default]]) Quote [https://privacy.microsoft.com/en-us/privacyStatement Microsoft Privacy Statement, Last Updated: March 2021] (Underline added. Bold added.):
Inking and typing Recognition. You also can choose to help Microsoft improve inking and typing recognition by sending inking and typing diagnostic data. If you choose to do so, Microsoft will collect samples of the content you type or write to improve features such as handwriting recognition, autocompletion, next word prediction, and spelling correction in the many languages used by Windows customers. When Microsoft collects inking and typing diagnostic data, it is divided into small samples and processed to remove unique identifiers, sequencing information, and other data (such as email addresses and numeric values) which could be used to reconstruct the original content or associate the input to you. It also includes associated performance data, such as changes you manually make to text, as well as words you've added to the dictionary. [https://go.microsoft.com/fwlink/p/?LinkId=614828 Learn more about improving inking and typing in Windows 10].
This sounds rather theoretical: "collect samples", but how many samples? "processed to remove" data "which could be used to reconstruct the original content or associate the input to you", but how well does that processing work? Such data is vulnerable to [[VoIP|Voice Deanonymization]].
|-
! scope="row" style="vertical-align: top; text-decoration: underline;" | Spyware
| {{Anchor|spyware}}
* The [https://www.theregister.co.uk/2003/02/28/windows_update_keeps_tabs/ information sent to Microsoft includes details of all the software installed in a machine]. Quote:
According to tecChannel, the information sent to Microsoft includes details of all the software installed in a machine, not only Microsoft applications.
* Windows [https://www.infoworld.com/article/2611451/a-look-at-the-black-underbelly-of-windows-8-1--blue-.html snoops on local searches].
* The [https://archive.is/0QYef SmartScreen filter also reports what software is running on the computer].
* [https://www.bleepingcomputer.com/news/microsoft/windows-10-smartscreen-sends-urls-and-app-names-to-microsoft/ Windows 10 SmartScreen Sends URLs and App Names to Microsoft].
|-
! scope="row" style="vertical-align: top; text-decoration: underline;" | Telemetry and Personal Data
|
* The "privacy" policy in Windows 10 explicitly authorizes Microsoft [https://edri.org/microsofts-new-small-print-how-your-personal-data-abused/ to look at user files at any time and to sell almost any information] it collates. Quote:
Summing up these 45 pages, one can say that Microsoft basically grants itself very broad rights to collect everything you do, say and write with and on your devices in order to sell more targeted advertising or to sell your data to third parties. The company appears to be granting itself the right to share your data either with your consent “or as necessary”.
By default, when signing into Windows with a Microsoft account, Windows syncs some of your settings and data with Microsoft servers, for example “web browser history, favorites, and websites you have open” as well as “saved app, website, mobile hotspot, and Wi-Fi network names and passwords”. Users can however deactivate this transfer to the Microsoft servers by changing their settings.
“We will access, disclose and preserve personal data, including your content (such as the content of your emails, other private communications or files in private folders), when we have a good faith belief that doing so is necessary to”, for example, “protect their customers” or “enforce the terms governing the use of the services”.
* Windows 10 sends a host of [https://betanews.com/2016/11/24/microsoft-shares-windows-10-telemetry-data-with-third-parties core debugging information to Microsoft] and third parties.
* Windows 10 sends information to Microsoft about [https://www.ghacks.net/2016/01/05/microsoft-may-be-collecting-more-data-than-initially-thought/ applications used and those that are running].
* Windows 10 has a [https://duo.com/blog/bring-your-own-dilemma-oem-laptops-and-windows-10-security host of snooping options enabled by default]. This includes [https://web.archive.org/web/20151001035410/https://jonathan.porta.codes/2015/07/30/windows-10-seems-to-have-some-scary-privacy-defaults/ snooping] on files, text input, voice input, location information, contacts, calendar records, web browsing history, screenshots of running programs and how long they were running, and auto-connection to open hotspots which show targeted advertisements. Many options cannot be disabled at all in a standard installation.
[https://www.theverge.com/2017/2/21/14682256/microsoft-windows-10-eu-privacy-concerns EU still concerned over Windows 10 privacy despite Microsoft’s changes] (2017)

Quote EFF [https://www.eff.org/deeplinks/2016/08/windows-10-microsoft-blatantly-disregards-user-choice-and-privacy-deep-dive With Windows 10, Microsoft Blatantly Disregards User Choice and Privacy: A Deep Dive]:
Windows 10 sends an unprecedented amount of usage data back to Microsoft,
[https://www.theverge.com/2017/4/5/15188636/microsoft-windows-10-data-collection-documents-privacy-concerns France orders Microsoft to stop tracking Windows 10 users]. Quote [https://web.archive.org/web/20160912174936/https://www.cnil.fr/en/windows-10-cnil-publicly-serves-formal-notice-microsoft-corporation-comply-french-data-protection government order (CNIL formal notice)] (Underline added.):
The Chair of the National Data Protection Commission (CNIL) issues formal notice on Microsoft Corporation to stop collecting excessive data and tracking browsing by users without their consent. She is also demanding that Microsoft take satisfactory measures to ensure the security and confidentiality of user data.
[https://arstechnica.com/gadgets/2017/10/dutch-privacy-regulator-says-that-windows-10-breaks-the-law/ Ars Technica: Dutch privacy regulator says Windows 10 breaks the law] (see also the Dutch government's [https://www.government.nl/documents/publications/2019/06/11/dpia-windows-10-enterprise-v.1809-and-preview-v.-1903 DPIA on Windows 10 Enterprise v.1809 and preview v.1903]). Quote:
Regulator says Microsoft doesn't offer enough information to enable informed consent.
|-
! scope="row" style="vertical-align: top; text-decoration: underline;" | Trust
|
* Even when data collection features are disabled, [https://arstechnica.com/information-technology/2015/08/even-when-told-not-to-windows-10-just-cant-stop-talking-to-microsoft/ Windows 10 still sends a range of identifiable information to Microsoft].
* Microsoft has [https://web.archive.org/web/20160407082751/https://www.theregister.co.uk/2015/11/26/microsoft_renamed_data_slurper_reinserted_windows_10/ renamed "data slurping" features] to give the impression they were removed.
|-
! scope="row" style="vertical-align: top; text-decoration: underline;" | Windows Error Reporting (WER) and [[Core Dumps]] Privacy Issues
| {{Anchor|WER}}
* [[Core_Dumps#Security_and_Privacy_Risks|Core dumps can be a security risk]]. [https://en.wikipedia.org/wiki/Windows_Error_Reporting#Privacy_concerns_and_use_by_the_NSA Quote Wikipedia]:
Although Microsoft has made privacy assurances, they acknowledge that personally identifiable information could be contained in the memory and application data compiled in the 100-200 KB "minidumps" that Windows Error Reporting compiles and sends back to Microsoft. They insist that in case personal data is sent to Microsoft, it won't be used to identify users, according to Microsoft's privacy policy. ([https://privacy.microsoft.com/en-US/microsoft-error-reporting-privacy-statement Microsoft Privacy Statement for Error Reporting], [https://web.archive.org/web/20140204003023/http://support.microsoft.com/kb/283768/ Description of the end user privacy policy in application error reporting when you are using Office]) But in reporting issues to Microsoft, users need to trust Microsoft's partners as well. About 450 partners have been granted access to the error reporting database to see records related to their device drivers and apps. ([https://rcpmag.com/articles/2002/10/03/microsoft-error-reporting-drives-bug-fixing-efforts.aspx RCP Magazine: Microsoft error reporting drives bug-fixing efforts])

In December 2013, an independent lab found that WER automatically sends information to Microsoft when a new USB device is plugged into the PC. ([https://web.archive.org/web/20200312211152/https://www.forcepoint.com/blog/x-labs/are-your-windows-error-reports-leaking-data Forcepoint: Are your Windows error reports leaking data?])
[[#crash_reporter_abused_by_NSA|#crash reporter abused by NSA]] {{Anchor|crash_reporter_abused_by_NSA}} According to [https://www.spiegel.de/international/world/the-nsa-uses-powerful-toolbox-in-effort-to-spy-on-global-networks-a-940969-2.html Der Spiegel: Inside TAO: Documents Reveal Top NSA Hacking Unit]:
* The Microsoft crash reporter has been exploited by the NSA's Tailored Access Operations unit to hack into the computers of Mexico's Secretariat of Public Security.
* Microsoft crash reports are automatically harvested into the NSA's XKeyscore database, in order to facilitate such operations.
Having Fun at Microsoft's Expense One example of the sheer creativity with which the TAO spies approach their work can be seen in a hacking method they use that exploits the error-proneness of Microsoft's Windows. Every user of the operating system is familiar with the annoying window that occasionally pops up on screen when an internal problem is detected, an automatic message that prompts the user to report the bug to the manufacturer and to restart the program. These crash reports offer TAO specialists a welcome opportunity to spy on computers. When TAO selects a computer somewhere in the world as a target and enters its unique identifiers (an IP address, for example) into the corresponding database, intelligence agents are then automatically notified any time the operating system of that computer crashes and its user receives the prompt to report the problem to Microsoft. An internal presentation suggests it is NSA's powerful [https://www.spiegel.de/international/world/germany-is-a-both-a-partner-to-and-a-target-of-nsa-surveillance-a-916029.html XKeyscore] spying tool that is used to fish these crash reports out of the massive sea of Internet traffic. The automated crash reports are a "neat way" to gain "passive access" to a machine, the presentation continues. Passive access means that, initially, only data the computer sends out into the Internet is captured and saved, but the computer itself is not yet manipulated. Still, even this passive access to error messages provides valuable insights into problems with a targeted person's computer and, thus, information on security holes that might be exploitable for planting malware or spyware on the unwitting victim's computer. Although the method appears to have little importance in practical terms, the NSA's agents still seem to enjoy it because it allows them to have a bit of a laugh at the expense of the Seattle-based software giant. 
In one internal graphic, they replaced the text of Microsoft's original error message with one of their own reading, "This information may be intercepted by a foreign sigint system to gather detailed information and better exploit your machine." ("Sigint" stands for "signals intelligence.")
Quote [https://docs.microsoft.com/en-us/windows/privacy/configure-windows-diagnostic-data-in-your-organization#diagnostic-data-levels Microsoft] (Underline added.):
Enhanced error reporting, including the memory state of the device when a system or app crash occurs (which may unintentionally contain user content, such as parts of a file you were using when the problem occurred).
|-
|}

Trying to disable the [https://lifehacker.com/what-windows-10s-privacy-nightmare-settings-actually-1722267229 lengthy list of privacy invasive features] is a huge task, similar to playing "whack-a-mole". Being unaware of some spyware feature could result in unwanted surveillance.

== Windows User Freedom Restrictions ==

A number of conscious decisions by Microsoft severely limit user freedoms.

'''Table:''' ''Windows User Freedom Threats''

{| class="wikitable"
|-
! scope="col"| '''Category'''
! scope="col"| '''Description'''
|-
! scope="row" style="vertical-align: top; text-decoration: underline;" | Trust
| The German government, Ministry of Economics, and Federal Office for Information Security (BSI) do not trust Microsoft Windows. Archived, redacted version after a court order requested by Microsoft against the newspaper ZEIT ONLINE: {{Archive_link |url=https://web.archive.org/web/20160311015742/https://www.zeit.de/digital/datenschutz/2013-08/trusted-computing-microsoft-windows-8-nsa |text=page 1 }}, {{Archive_link |url=https://web.archive.org/web/20160314224745/https://www.zeit.de/digital/datenschutz/2013-08/trusted-computing-microsoft-windows-8-nsa/seite-2 |text=page 2 }} (DeepL translated from the German original):

For example, an internal paper from the Ministry of Economics from early 2012 states: "Due to the loss of full sovereignty over information technology," the security goals of "confidentiality" and "integrity" are no longer guaranteed. Elsewhere, there are sentences such as, "Significant impacts on the IT security of the federal administration may result." Accordingly, the conclusion is: "The use of 'trusted computing' technology in this form ... is unacceptable for the federal administration and for operators of critical infrastructures."
What was it that ZEIT ONLINE needed to redact? Quote [https://wikileaks.org/bnd-inquiry/docs/BSI/ A BSI-2i.pdf German government internal documents leaked on WikiLeaks] (DeepL translated from the German original):

With regard to the use of TPMs, it can be pointed out in the negotiations that not only the German government is critical of the use of TPMs that it does not control itself, but also wide sections of German industry, especially in critical infrastructures.
Therefore, Microsoft argues that they themselves need control over UEFI "Secure Boot" in order to securely manage UEFI "Secure Boot" for the owner. From the BSI's point of view, the effort for a self-controlled configuration of UEFI "Secure Boot" is currently high, but it is urgently required, in particular in areas of application with a high need for protection or in critical infrastructures.
{{Archive_link |url=https://www.heise.de/ct/ausgabe/2015-19-Deutschen-Behoerden-entgleitet-die-Kontrolle-ueber-kritische-IT-Systeme-2784249.html |text=Heise: German authorities are losing control over critical IT systems }} (German language article; DeepL translated from the German original):

On the one hand, the federal government demands "unrestricted controllability" of computers that keep critical infrastructures running, i.e. nuclear power plants, water, energy and transport networks. On the other hand, the responsible authorities are doing nothing to regain the control already lost to Intel and Microsoft.
[https://www.theregister.com/2013/08/23/nsa_germany_windows_8/ The Register - Germany warns: You just CAN'T TRUST some Windows 8 PCs] The German government's Federal Office for Information Security (BSI, Bundesamt für Sicherheit in der Informationstechnik) issued a whitewashed statement ({{Archive_link |url=https://web.archive.org/web/20210125185418/https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2013/Windows_TPM_Pl_21082013.html |text=See full statement (web archived) }}) (DeepL translated):
From the point of view of the BSI, the use of Windows 8 in combination with a TPM 2.0 is accompanied by a loss of control over the operating system and hardware used. This results in new risks for users, especially for the federal administration and critical infrastructures. In particular, on hardware operated with a TPM 2.0, with Windows 8, unintentional errors by the hardware or operating system manufacturer, but also by the owner of the IT system, can lead to error conditions that prevent further operation of the system. This can lead to the situation that in case of an error, not only the operating system but also the hardware used is permanently unusable. Such a situation would be acceptable neither for the Federal Administration nor for other users. Furthermore, the newly implemented mechanisms can also be used for acts of sabotage by third parties. These risks must be countered.
For certain user groups, the use of Windows 8 in combination with a TPM can certainly mean a security gain. These include users who, for various reasons, cannot or do not want to worry about the security of their systems, but trust the system manufacturer to provide and maintain a secure solution. This is a legitimate usage scenario, but the manufacturer should provide sufficient transparency about the possible limitations of the provided architecture and possible consequences of its use.
|-
! scope="row" style="vertical-align: top; text-decoration: underline;" | Forced Updates
| {{Anchor|Forced Updates}}Microsoft has a history of [https://www.informationweek.com/microsoft-updates-windows-without-user-permission-apologizes/d/d-id/1059183 updating software without permission]. While configurable update reminders are good for those who forget to update regularly, forced updates are problematic for those who do not wish to update. https://www.techrepublic.com/index.php/blog/it-news-digest/microsoft-admits-to-stealth-updates/ This Windows behavior was not foreseen. To the knowledge of the author there were no popular "really disable all Windows updates" instructions. By comparison, such an issue is unlikely to happen with Debian-based operating systems (and many derivatives) and other Freedom Software Linux distributions. On Windows there was no real way to check which code will run when. Or at least, for practical purposes, nobody reverse engineered and documented that. For example, on Debian (based) operating systems the default package manager APT is fully Open Source. But even without reading the source code, its behavior is much more predictable. Software sources are defined in easily human-readable files such as /etc/apt/sources.list and configuration snippets in the /etc/apt/sources.list.d folder. These files can be viewed and edited with a simple text editor by the system administrator. The upgrade process is also divided into two parts: downloading updated package lists ("sudo apt update") and the actual upgrade ("sudo apt full-upgrade"). The first step merely downloads metadata. No actual software packages are downloaded.
sudo apt update
...
Get:5 tor+https://deb.debian.org/debian buster-backports InRelease [46.7 kB]
Get:6 tor+https://deb.debian.org/debian-security buster/updates InRelease [65.4 kB]
Get:7 tor+https://deb.debian.org/debian buster-updates InRelease [51.9 kB]
Hit:8 tor+https://deb.debian.org/debian buster InRelease
...
If anything looks unwanted, the user can disable any software source and re-fetch the package lists to "forget" unwanted ones. The second step shows the user a preview of what would happen (newly installed packages, upgraded packages, package removals) and asks the user for confirmation.
sudo apt full-upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
The following packages will be upgraded:
  anon-apt-sources-list anon-icon-pack apparmor-profile-dist
  apparmor-profile-torbrowser bootclockrandomization damngpl dist-base-files
  gpg-bash-lib hardened-malloc hardened-malloc-kicksecure-enable helper-scripts
  kicksecure-base-files kicksecure-cli kicksecure-dependencies-cli msgcollector
  msgcollector-gui open-link-confirmation repository-dist sdwdate secbrowser
  security-misc tb-default-browser tb-starter tb-updater timesanitycheck tor
  tor-geoipdb usability-misc vm-config-dist whonix-initializer
30 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 5,957 kB of archives.
After this operation, 732 kB of additional disk space will be used.
Do you want to continue? [Y/n]
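As an added example (not part of the original page and not Debian's or APT's own tooling), the following Python script parses the /etc/apt/sources.list one-line format described above, lists every configured repository with its transport, and flags the two settings a careful administrator would review: plaintext http transports and the `[trusted=yes]` option, which disables APT's signature check for that repository. The sample sources.list content and the example.org/example.net hosts are constructed for the demonstration.

```python
"""Audit APT software source entries (the /etc/apt/sources.list one-line format).

Added example, not Debian's or APT's own tooling: it parses the format the
text describes, lists every configured repository with its transport, and
flags the two settings a cautious administrator would want to review:
plaintext http transports and entries marked [trusted=yes], which turns
off APT's signature check for that repository.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input, modelled on the repositories in the quoted
# `apt update` output plus hypothetical third-party entries (not real repos).
SAMPLE_SOURCES_LIST = """\
# Debian stable and security updates, fetched over Tor
deb tor+https://deb.debian.org/debian buster main contrib
deb tor+https://deb.debian.org/debian-security buster/updates main
deb-src tor+https://deb.debian.org/debian buster main

# Constructed third-party entries (hypothetical hosts)
deb [arch=amd64 signed-by=/usr/share/keyrings/example.gpg] https://deb.example.org/repo buster main
deb http://mirror.example.net/debian buster-backports main   # plaintext transport
deb [trusted=yes] https://untrusted.example.org/apt buster main
"""


@dataclass
class SourceEntry:
    kind: str                # "deb" (binary packages) or "deb-src" (source packages)
    options: Dict[str, str]  # bracketed options, e.g. {"arch": "amd64"}
    uri: str
    suite: str
    components: List[str]

    @property
    def scheme(self) -> str:
        """Transport scheme, e.g. 'http', 'https', 'tor+https', 'file'."""
        return self.uri.split("://", 1)[0].lower()


_OPTIONS_RE = re.compile(r"^\[(?P<opts>[^\]]*)\]\s*(?P<rest>.*)$")


def parse_line(line: str) -> Optional[SourceEntry]:
    """Parse one line of sources.list; return None for blank lines and comments."""
    line = line.split("#", 1)[0].strip()  # drop comments and surrounding space
    if not line:
        return None
    parts = line.split(None, 1)
    if len(parts) != 2 or parts[0] not in ("deb", "deb-src"):
        raise ValueError(f"not a deb/deb-src entry: {line!r}")
    kind, rest = parts
    options: Dict[str, str] = {}
    match = _OPTIONS_RE.match(rest)
    if match:  # optional [key=value ...] block before the URI
        for opt in match.group("opts").split():
            key, _, value = opt.partition("=")
            options[key] = value
        rest = match.group("rest")
    fields = rest.split()
    if len(fields) < 2:
        raise ValueError(f"entry needs a URI and a suite: {line!r}")
    uri, suite, *components = fields
    return SourceEntry(kind, options, uri, suite, components)


def parse_sources(text: str) -> List[SourceEntry]:
    """Parse a whole sources.list file into entries, skipping blanks and comments."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def audit(entries: List[SourceEntry]) -> List[str]:
    """Return one warning per setting that weakens the update path."""
    warnings = []
    for e in entries:
        where = f"{e.uri} {e.suite}"
        if e.scheme == "http":
            # APT still signature-checks metadata and packages, but a network
            # attacker can observe what is fetched and replay stale data.
            warnings.append(f"plaintext http transport: {where}")
        if e.options.get("trusted") == "yes":
            # [trusted=yes] makes APT accept this repository without a valid
            # signature, removing the authentication the text relies on.
            warnings.append(f"trusted=yes disables signature verification: {where}")
    return warnings


def summarize(entries: List[SourceEntry]) -> Dict[str, int]:
    """Count entries per transport scheme, so unusual transports stand out."""
    counts: Dict[str, int] = {}
    for e in entries:
        counts[e.scheme] = counts.get(e.scheme, 0) + 1
    return counts


if __name__ == "__main__":
    found = parse_sources(SAMPLE_SOURCES_LIST)
    for entry in found:
        print(f"{entry.kind:8} {entry.scheme:10} {entry.uri} {entry.suite} {' '.join(entry.components)}")
    print("transports:", summarize(found))
    for warning in audit(found):
        print("WARNING:", warning)
```

To audit a real system, feed the contents of /etc/apt/sources.list and each file in /etc/apt/sources.list.d/ to parse_sources instead of the constructed sample.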
Automatic updates require installation of a software package that implements automatic upgrade functionality, such as the unattended-upgrades Debian package. If no such package is installed, no automatic updates will happen. Surprises, i.e. package manager behavior unwanted by the user, are far less likely.
|-
! scope="row" style="vertical-align: top; text-decoration: underline;" | Forced Upgrades
|
* {{Anchor|Forced Upgrades}}Microsoft now [https://arstechnica.com/information-technology/2015/07/windows-10-updates-to-be-automatic-and-mandatory-for-home-users/ enforces upgrades to Windows 10] involuntarily. https://www.theguardian.com/technology/2015/sep/11/microsoft-downloading-windows-1
* Proposed Windows 10 upgrades [https://www.theregister.co.uk/2016/06/01/windows_10_nagware_no_way_out/ remove the option to cancel or postpone the proposed upgrade] once accepted.
* Microsoft undertook a range of actions to [https://web.archive.org/web/20180913102208/https://www.networkworld.com/article/2993490/windows/windows-10-upgrades-reportedly-appearing-as-mandatory-for-some-users.html force Windows 7 and 8 users to upgrade to Windows 10]. https://www.computerworld.com/article/3012278/microsoft-sets-stage-for-massive-windows-10-upgrade-strategy.html
* Microsoft [https://gizmodo.com/woman-wins-10-000-from-microsoft-after-unwanted-window-1782666146 ignored flags on Windows 7 and 8] specifying that upgrades to Windows 10 were not desired. A user reported that the computer became non-functional after the forced upgrade and sued.
* [https://www.bleepingcomputer.com/news/microsoft/man-sues-microsoft-seeking-new-copy-of-windows-7-after-forced-windows-10-upgrade/ Man Sues Microsoft Seeking New Copy of Windows 7 After Forced Windows 10 Upgrade]
* [https://gizmodo.com/woman-wins-10-000-from-microsoft-after-unwanted-window-1782666146 Woman Wins $10,000 From Microsoft After Unwanted Windows 10 Upgrade]
* For months, Microsoft [https://www.theguardian.com/technology/2016/feb/02/microsoft-downloading-windows-10-automatic-update tricked users into upgrading to Windows 10] if they failed to notice and deny the upgrade.
* Microsoft has encouraged [https://www.infoworld.com/article/3042397/microsoft-windows/admins-beware-domain-attached-pcs-are-sprouting-get-windows-10-ads.html complaints to system administrators] about not upgrading to Windows 10.
|-
! scope="row" style="vertical-align: top; text-decoration: underline;" | Tiered Stability (Updates Testing)
| Windows forces lower-paying customers to install new updates and gives higher-paying customers the option of whether or not to adopt them. [https://www.forbes.com/sites/gordonkelly/2015/07/17/windows-10-forced-automatic-updates/2/ Quote]:
Windows 10 Enterprise does allow users to postpone any update indefinitely but it is only available in bulk licensing.
|-
! scope="row" style="vertical-align: top; text-decoration: underline;" | User Freedoms
|
* Windows has introduced a range of [https://arstechnica.com/apple/2007/08/aacs-tentacles/ digital restrictions mechanisms].
* Microsoft [https://www.securitynewspaper.com/2016/07/15/microsoft-silently-kills-dev-backdoor-boots-linux-locked-windows-rt-slabs/ does not allow opting out of verified boot] on RT tablets, which prevents the use of other operating systems.
* [https://www.howtogeek.com/442609/confirmed-windows-10-setup-now-prevents-local-account-creation/ Windows is adamant about Microsoft account creation.]
* [https://arstechnica.com/gadgets/2017/05/windows-10-s-edge-bing-default/ Windows 10 S forces you to use Edge and Bing].
|-
! scope="row" style="vertical-align: top; text-decoration: underline;" | Software Freedom
|
* Microsoft Windows is non-freedom software. See [[Avoid_nonfreedom_software|Avoid Non-Freedom Software]] and [[Miscellaneous Threats to User Freedom|Miscellaneous Threats to User Freedom]].
|-
! scope="row" style="vertical-align: top; text-decoration: underline;" | Forced Telemetry into C++ Binaries
|
* [https://www.infoq.com/news/2016/06/visual-cpp-telemetry/ Microsoft's Automatic Insertion of Telemetry into C++ Binaries until Microsoft Got Caught]
|-
|}

== Adversary Collaboration ==
Microsoft has a history of informing adversaries of bugs before they are fixed. Microsoft reportedly [https://www.bloomberg.com/news/articles/2013-06-14/u-s-agencies-said-to-swap-data-with-thousands-of-firms gives adversaries security tips] ([https://archive.is/PdLBZ archive.is]) on how to crack into Windows computers.
Microsoft Corp. (MSFT), the world’s largest software company, provides intelligence agencies with information about bugs in its popular software before it publicly releases a fix, according to two people familiar with the process.
Redmond, Washington-based Microsoft (MSFT) and other software or Internet security companies have been aware that this type of early alert allowed the U.S. to exploit vulnerabilities in software sold to foreign governments, according to two U.S. officials. Microsoft doesn't ask and can't be told how the government uses such tip-offs, said the officials, who asked not to be identified because the matter is confidential.
Frank Shaw, a spokesman for Microsoft, said those releases occur in cooperation with multiple agencies and are designed to give government "an early start" on risk assessment and mitigation.
See also this opinion piece analyzing the matter: [https://archive.is/OBGB1 How Can Any Company Ever Trust Microsoft Again?]. By comparison, the [https://www.kernel.org/doc/html/v4.10/admin-guide/security-bugs.html Linux kernel has a security bug embargo process].
[...] Although our preference is to release fixes for publicly undisclosed bugs as soon as they become available, this may be postponed at the request of the reporter or an affected party for up to 7 calendar days from the start of the release process, with an exceptional extension to 14 calendar days if it is agreed that the criticality of the bug requires more time. The only valid reason for deferring the publication of a fix is to accommodate the logistics of QA and large scale rollouts which require release coordination. While embargoed information may be shared with trusted individuals in order to develop a fix, such information will not be published alongside the fix or on any other disclosure channel without the permission of the reporter. This includes but is not limited to the original bug report and followup discussions (if any), exploits, CVE information or the identity of the reporter. In other words our only interest is in getting bugs fixed. All other information submitted to the security list and any followup discussions of the report are treated confidentially even after the embargo has been lifted, in perpetuity. [...] Fixes for sensitive bugs, such as those that might lead to privilege escalations, may need to be coordinated with the private mailing list so that distribution vendors are well prepared to issue a fixed kernel upon public disclosure of the upstream fix. Distros will need some time to test the proposed patch and will generally request at least a few days of embargo, and vendor update publication prefers to happen Tuesday through Thursday. When appropriate, the security team can assist with this coordination, or the reporter can include linux-distros from the start. [...]
The crucial difference between Microsoft bug embargoes and Linux bug embargoes is that Microsoft notifies intelligence agencies, which are then known to exploit the vulnerabilities, while the Linux kernel security team has a much more transparent bug embargo process: trusted parties, the major Linux distributions, receive an early notification so that the software upgrade containing the fix is widely available before public disclosure, which prevents wide exploitation by attackers in the wild.

== Shared Source ==
* Open Source, Freedom Software versus
* proprietary, closed source, precompiled software
are totally different development models. Both development models have advantages and disadvantages. The case for Open Source, Freedom Software is made on the [[Avoid_nonfreedom_software|Avoid Non-Freedom Software]] wiki page. One advantage claimed for closed source software is secrecy, [https://en.wikipedia.org/wiki/Security_through_obscurity security through obscurity]. (Also addressed on the [[Avoid_nonfreedom_software|Avoid Non-Freedom Software]] wiki page.) However, Microsoft Windows has none of the advantages of Open Source, Freedom Software, but it also cannot fully take advantage of security through obscurity either. Part of the [https://www.microsoft.com/en-us/sharedsource/default.aspx Shared Source Initiative] is the [https://www.microsoft.com/en-us/sharedsource/government-security-program.aspx Government Security Program]. [https://www.zdnet.com/article/us-government-demands-for-vendors-source-code-are-nothing-new/ Quote ZDNet]:
Microsoft's [https://www.microsoft.com/en-us/sharedsource/default.aspx Shared Source Initiative] makes source code available to "qualified customers, enterprises, governments, and partners for debugging and reference purposes". There's almost no information on the company's website about their [https://www.microsoft.com/en-us/sharedsource/government-security-program.aspx Government Security Program] (GSP). Just two sentences. But the first of those sentences notes that requests might come from "local, state, provincial, or national governments or agencies". When the GSP was launched back in 2003, however, Microsoft was happy to tell the media that Windows source code was made available to a number of governments and international organisations, including Russia, NATO, the UK, and China. Another report said that Australia, Austria, Finland, Norway, Taiwan, and Turkey were also on the list.
Simplified summary: Independent security researchers do not have access to the source code, but large groups of people, some of whom you probably do not trust, do have that advantage over you. The only motivation for sharing the source code is to get regulatory approval for deployment in foreign government networks that demand certain assurances in exchange for market access. This has nothing to do with empowering third parties or giving them the choice and freedom to modify the software or share it with others.

== Inescapable Telemetry ==
The fact that there is no way to completely remove or disable telemetry requires further consideration. For instance, non-enterprise editions [https://www.eff.org/deeplinks/2016/08/windows-10-microsoft-blatantly-disregards-user-choice-and-privacy-deep-dive do not permit anyone to completely opt-out of the surveillance "features"] of Windows 10. Quote [https://arstechnica.com/information-technology/2015/08/even-when-told-not-to-windows-10-just-cant-stop-talking-to-microsoft/ Even when told not to, Windows 10 just can’t stop talking to Microsoft]. Quote [https://thehackernews.com/2016/02/microsoft-windows10-privacy.html Windows 10 Sends Your Data 5500 Times Every Day Even After Tweaking Privacy Settings]:
CheesusCrust also disabled every single tracking and telemetry features in the operating system. He then left the machine running Windows 10 overnight in an effort to monitor the connections the OS is attempting to make.
Eight hours later, he found that the idle Windows 10 box had tried over 5,500 connections to 93 different IP addresses, out of which almost 4,000 were made to 51 different IP addresses belonging to Microsoft.
Even if some settings are tweaked to limit this behavior, it is impossible to trust that those changes will be respected. Even the Enterprise edition was discovered to completely ignore privacy settings and anything that disables contact with Microsoft servers. https://web.archive.org/web/20170609221304/https://forums.whonix.org/uploads/default/original/2X/0/004857ec71ff2e4b23c88bf596b6142373fe2879.jpg Any corporation which forces code changes on a user's machine despite updates having been turned off, as has happened many times before, is undeserving of trust. https://web.archive.org/web/20071011010707/http://informationweek.com/news/showArticle.jhtml?articleID=201806263 https://archive.fo/LffTy https://arstechnica.com/information-technology/2015/07/windows-10-updates-to-be-automatic-and-mandatory-for-home-users/ https://web.archive.org/web/20171006181359/http://voices.washingtonpost.com/securityfix/2007/09/microsofts_stealth_update_come.html https://www.zdnet.com/blog/hardware/confirmation-of-stealth-windows-update/779 Windows 10 updates have been discovered to frequently reset or ignore telemetry privacy settings. https://community.spiceworks.com/topic/1535835-win-10-update-resets-privacy-again Microsoft [https://web.archive.org/web/20170217011818/http://www.theregister.co.uk/2015/09/01/microsoft_backports_data_slurp_to_windows_78_via_patches/ backported this behavior to Windows 7 and 8] for those that held back, so odds are Windows users are already running it.

== Forfeited Privacy Rights ==
By now the reader should be convinced that just by using any version of Windows, the right to privacy is completely forfeited. Windows is incompatible with the intent of {{project_name_short}} (and the anonymous Tor Browser), since running a compromised Windows host shatters the trusted computing base, which is part of any threat model.
Privacy is inconceivable if any information that is typed or downloaded is provided to third parties, or if programs bundled as part of the OS regularly [https://gitlab.torproject.org/legacy/trac/-/wikis/doc/TransparentProxyLeaks#Windows "phone home" by default].

== Targeted Malicious Upgrades ==
Microsoft Windows is not designed to be resistant to targeted malicious software upgrades of the Windows operating system or of applications from the Windows Store. A targeted malicious software upgrade means singling out specific users and shipping malicious upgrades to these select users only. Most users use a Windows Live ID, since Windows encourages this, and that ID is tied to their real names and IP addresses. When installing/updating applications using the Microsoft Store, Microsoft knows the Windows Live ID, and therefore also the real name and IP address of the user. It follows that a coerced or compromised Microsoft Store could single out users and ship malicious software that includes [[malware]] with features such as remote control, remote view, file upload and download, microphone and web camera snooping, keyboard logging and so forth. This is the same situation for any OS shipped with a corporate-controlled walled-garden app store, like those of Apple, Google and Amazon. Given Microsoft's existing privacy-intrusive behavior as documented elsewhere on this page, it seems sane to assume that the same applies to Microsoft Update. By comparison:
* Most Linux distributions usually do not require an e-mail-based login to receive upgrades. Users can still be singled out by IP address unless they opt in to using something such as apt-transport-tor, which is not the default.
* In the case of [[Whonix]] and [[Kicksecure]], all upgrades are downloaded over Tor. There is no way for the server to ship legitimate upgrade packages to most users while singling out specific users for targeted attacks.
== Opinion by GNU Project ==
The GNU Project's [https://www.gnu.org/proprietary/malware-microsoft.en.html opinion] is that Windows is "Malware", due to the threats posed to personal freedoms, privacy and security, meaning the software is designed to function in ways that mistreat or harm the user. Interpretation of the GNU Project's opinion, starting with word definitions: spyware is a type of malware. Quote [https://en.wikipedia.org/wiki/Malware wikipedia malware]:
A wide variety of malware types exist, including computer viruses, worms, Trojan horses, ransomware, spyware, adware, rogue software, wiper and scareware.
If that definition is accepted, and if one agrees that "Windows is Spyware", it logically follows that "Windows is also Malware". This explains the GNU Project's opinion of calling Windows "Malware". Windows is malware by definition because of what it does. Individuals trusting Microsoft as an entity with all the data it collects by default does not change that determination.

== Opinion by Free Software Foundation ==
The Free Software Foundation (FSF) [https://www.fsf.org/news/the-fsfs-statement-on-windows-10 writes], quote:
Microsoft uses draconian law to put Windows, the world's most-used operating system, completely outside the control of its users. Neither Windows users nor independent experts can view the system's source code, make modifications or fixes, or copy the system. This puts Microsoft in a dominant position over its customers, which it takes advantage of to [https://www.fsf.org/windows/upgrade-from-windows#abuses treat them as a product].
== Windows Insecurity ==
Microsoft's willingness to [https://www.techdirt.com/articles/20130614/02110223467/microsoft-said-to-give-zero-day-exploits-to-us-government-before-it-patches-them.shtml consult with adversaries and provide zero days] before public fixes are announced logically places Windows users at greater risk, especially since adversaries [https://threatpost.com/nsa-bought-exploit-service-from-vupen-contract-shows/102314 buy security exploits from software companies] to gain [https://www.theguardian.com/world/2013/oct/04/tor-attacks-nsa-users-online-anonymity unauthorized access] into computer systems. This is especially true for users of Tor, who are regularly targeted in this fashion. Even the Microsoft company president has [https://www.engadget.com/2017/05/14/microsoft-blasts-spy-agency-exploit-hoarding/ harshly criticized adversaries for stockpiling vulnerabilities] that, when leaked, led to the recent worldwide ransomware crisis. This is elaborated in chapter [[#Adversary Collaboration|Adversary Collaboration]]. Windows is not a [https://en.wikipedia.org/wiki/Security-focused_operating_system security-focused operating system]. If it were, it would for example:
* Not [[#User Content Upload to Microsoft|upload user data to Microsoft servers]].
* Minimize the data stored on, or available to, Microsoft servers. ([[#Windows Surveillance|Windows Surveillance]])
* Use end-to-end encryption whenever possible.
* Be resilient to [[#Targeted Malicious Upgrades|targeted malicious upgrade attacks]] by not linking software installation/upgrading to a Windows ID and/or by providing an option to download software over the Tor anonymity network (or, hypothetically, a next-generation anonymity network developed by Microsoft).
* Not upload full disk encryption keys to Microsoft servers (see chapter [[#Windows Backdoors|Windows Backdoors]], category [[#Encryption|Encryption]]).
Such security standards are well affordable, since Microsoft makes billions in profit, and very realistic, since some Freedom Software Linux distributions have already implemented them. Due to Microsoft's restrictive, proprietary licensing policy for Windows, there are no legal software projects providing a security-enhanced Windows [https://en.wikipedia.org/wiki/Fork_(software_development) software fork]. Security-enhanced Windows software fork(s) do exist, but these are illegal, violating Microsoft's copyright, and are provided by anonymous developers. In contrast, the Linux community has multiple Freedom Software Linux variants that are strongly focused on security, like [https://www.qubes-os.org Qubes OS]. Microsoft provides Tyrant Security, not Freedom Security. ({{Archive_link |url=https://www.kicksecure.com/wiki/Miscellaneous_Threats_to_User_Freedom#Freedom_vs_Tyrant_Security |onion=http://w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion/wiki/Miscellaneous_Threats_to_User_Freedom#Freedom_vs_Tyrant_Security |text=Freedom vs Tyrant Security }}) Windows comes with some innovative security technologies; however, privacy and user freedom are terrible. Security and privacy have a strong connection. Quote Bruce Schneier [https://www.schneier.com/blog/archives/2008/01/security_vs_pri.html Security vs. Privacy], [https://www.schneier.com/blog/archives/2006/05/the_value_of_pr.html The Value of Privacy]:
There is no security without privacy.
[https://forums.whonix.org/t/host-operating-system-selection-wiki-page-discussion/11303/55 Quote HulaHoop]:
I equate privacy with security because they are very much related in the real world especially for whistleblowers.
== Windows Historic Insecurity ==
Microsoft updates also use weak cryptographic verification methods such as MD5 and SHA-1. In 2009, the CMU Software Engineering Institute stated that MD5 "...should be considered cryptographically broken and unsuitable for further use". https://en.wikipedia.org/wiki/MD5#cite_note-11 In 2012, the Flame malware exploited the weaknesses in MD5 to fake a Microsoft digital signature. https://arstechnica.com/security/2012/06/flame-crypto-breakthrough/ Before Windows 8, there was no central software repository comparable to Linux where software could be downloaded safely. This means a large segment of the population remains at risk, since [https://en.wikipedia.org/wiki/Usage_share_of_operating_systems#Desktop_and_laptop_computers many Windows users] are still running Windows 7. https://seclists.org/fulldisclosure/2023/Feb/14

== Windows Software Sources ==
On the Windows platform, a common way to install additional software is to search the Internet and install the relevant program. This is risky, since many websites bundle software downloads with adware or, worse, malware. Even if software is always downloaded from reputable sources, they commonly act in very insecure ways. For example, if Mozilla Firefox was downloaded from a reputable website like chip.de, https://www.chip.de/downloads/Firefox-64-Bit_85086969.html then until recently the download would have taken place over an insecure, plain http connection. (As of 2019, chip.de enforces https for its entire website.) Over plain http, it is trivial for ISP-level adversaries, Wi-Fi providers and others to mount [[Warning#Man-in-the-middle_attacks|man-in-the-middle attacks]] and inject malware into the download. But even if https is used for downloads, this only provides a very basic form of authentication. To keep a system secure and free of malware it is strongly recommended to [[Warning#Always_Verify_Signatures|always verify software signatures]].
However, this is very difficult, if not impossible, for Windows users. Most often, Windows programs do not have software signature files (OpenPGP / gpg signatures) of the kind normally provided by software engineers in the GNU/Linux world. Tools for software digital signature verification are not installed by default on the Windows platform: neither SignTool ([[Authenticode]]) nor gpg4win is installed by default. These could be installed manually, but there is a bootstrap issue: the tools themselves would have to be downloaded over https, i.e. with only a very basic form of authentication. In contrast, on the Linux platform the GnuPG software digital signature verification tool is usually installed by default. For these reasons it is safe to assume that virtually nobody using a Windows platform is regularly benefiting from the strong authentication that software signature verification provides. The Windows 10 App Store does not suffer from this issue and does perform software signature verification, but many applications are not available from the Windows App Store. In the Windows ecosystem, the culture of software signature verification is less widespread. In contrast, most Linux distributions provide software repositories. For example, Debian and distributions based on Debian use apt. This provides strong authentication because APT verifies all software downloads against the Debian repository signing key. Further, this is an automatic, default process which does not require any user action. Apt-get also shows a warning should there be attempts to install unsigned software. Even when software is unavailable in the distribution's software repository, in most cases OpenPGP / gpg signatures are available. In the Linux world, it is practically possible to always verify software signatures.
== No Ecosystem Diversity Advantage ==
The popularity of Windows platforms on desktops actually increases risk, as attackers regularly target the near-monocultural operating system environment. A security bug is usually exploitable on many versions of Windows wherever they run, making it what is known in security terms as a "class break". https://www.schneier.com/blog/archives/2017/01/class_breaks.html For example:
* The [https://www.pcworld.com/article/3196379/security/a-ransomware-attack-is-spreading-worldwide-using-alleged-nsa-exploit.html Wanna Decryptor ransomware attack] spreading around the globe at the time of writing is solely focused on Windows platforms.
* [https://www.zdnet.com/article/windows-attack-can-steal-your-username-password-and-other-logins/ Flaws in Internet Explorer and Edge] have previously allowed attackers to retrieve Microsoft account credentials.
* Point-of-sale terminals running Windows were previously [https://arstechnica.com/security/2013/12/credit-card-fraud-comes-of-age-with-first-known-point-of-sale-botnet/ taken over in order to collect customers' credit card numbers].

== Intransparency ==
Windows source code is unavailable for public review and for building by independent third parties. Microsoft Windows has none of the advantages of Open Source, Freedom Software, but it also cannot fully take advantage of security through obscurity either. This point is made in chapter [[#Shared Source|shared source]]. There is no public issue tracker for Microsoft Windows where any reasonable user is allowed to post or reply. There is a public [https://msrc.microsoft.com/update-guide/vulnerability list of vulnerabilities], but without public discussion among developers and/or users. https://answers.microsoft.com is mostly (as far as can be told) user-to-user discussion: it is hard to find any employees posting there, or their interaction is very low. [https://answers.microsoft.com/en-us/page/faq#faqWhosWho1 A volunteer moderator isn't a developer.]
There is also https://techcommunity.microsoft.com. Microsoft's internal issue tracker is private, unavailable to the public even for reading. Evidence that Microsoft does have an internal issue tracker: https://www.engadget.com/2017-10-17-microsoft-bug-database-hacked-in-2013.html The ability of the public to gain insight into Microsoft's planning and thought process, and to participate in the development of Windows, is much more limited. This is the case for many closed source, proprietary software projects: the community cannot participate as much in development. In comparison, for Open Source projects the issue tracker is most often public for everyone to post and reply (with the exception of security issues under embargo until fixed). When users are having issues and searching for advice, often the advice is to "reinstall Windows". Due to the closed source nature of Windows, it is far more difficult to analyze issues and provide bug fixes and workarounds. Sometimes reverse engineering is cited as an alternative to the unavailability of Windows' source code to the general public. Reverse engineering, however, is far more difficult. For example, the [[#Forced Updates|forced updates]] and [[#Forced Upgrades|forced upgrades]] issues, Windows ignoring the user's automatic update settings (documented in chapter [[#Windows User Freedom Restrictions|Windows User Freedom Restrictions]]), had not been foreseen and published by anyone doing reverse engineering. Users were taken by surprise.

== Using Earlier Windows Versions is no good Alternative ==
When users learn about shortcomings, anti-features and [[#spyware|spyware]] features of Windows, they often consider, as an alternative, not upgrading to a newer version of Windows or downgrading to an earlier version of Windows. Example [https://linustechtips.com/main/topic/762353-microsoft-shares-what-it-collectes-in-windows-10-telemetry-data/?tab=comments#comment-9633310 quote]:
I doubt microsoft is telling everything, im sticking with W7 indefinitely.
Example [https://linustechtips.com/main/topic/428727-windows-10-is-a-keylogger/ quotes]:
Hmm, guess I'm going back to windows 7.
This is why I went from using the beta build as my primary OS back to Windows 8.1.
And now myself and everyone in my family will be staying with their current OS (Windows XP, Vista, 7 and 8.1).
This is not a solid plan for the future, since security support for older versions of Windows is being dropped, and without security support, newly found security vulnerabilities will remain unfixed.

* Microsoft has [https://arstechnica.com/information-technology/2017/04/new-processors-are-now-blocked-from-receiving-updates-on-old-windows/ dropped support for Windows 7 and 8 on recent processors] following the release of Windows 10.
* Microsoft has made [https://support.microsoft.com/en-us/help/4012982/discusses-an-issue-in-which-you-receive-a-your-pc-uses-a-processor-tha Windows 7 and 8 non-functional on certain new computers], compelling a switch to Windows 10 for many people. For example, support has been dropped for all future [https://www.theverge.com/2016/1/16/10780876/microsoft-windows-support-policy-new-processors-skylake Intel], [https://gizmodo.com/only-the-latest-version-of-windows-will-run-on-some-fut-1753545825 AMD and Qualcomm CPUs].
* Microsoft cuts off support for specific platforms (like [https://www.computerworlduk.com/blogs/open-enterprise/windows-xp-end-of-an-era-end-of-an-error-3569489/ XP]) and software such as popular [https://www.computerworlduk.com/news/security/3605515/more-than-half-of-all-ie-users-face-patch-axe-in-10-months/ Internet Explorer versions], after a software dependency has developed.

This is also made difficult by the [[#Forced Updates|forced updates]]/[[#Forced Upgrades|upgrades]] mentioned above.

== Terrible Company ==

Microsoft has been hostile towards Freedom Software. Microsoft is a patent troll. Microsoft claimed that Linux infringed its intellectual property. Microsoft faced backlash over that claim, yet never substantiated it, sued anyone, or apologized.
References:

* now defunct website Show Us The Code, archived: https://web.archive.org/web/20071120042104/http://showusthecode.com/responses.htm
* internet search term: "microsoft" "Show Us The Code"
* https://www.redhat.com/en/blog/microsoft-and-patent-trolls
* https://openinventionnetwork.com/

Other:

* https://www.eff.org/deeplinks/2015/12/stupid-patent-month-microsofts-design-patent-slider
* Microsoft used the DMCA (Digital Millennium Copyright Act) to shut down reverse engineering of Skype. See the [https://github.com/github/dmca/commit/db9b442f0ac68512d0ca83fe7b25a7f9bf766e63 DMCA notice received and published by GitHub].

== The Tyranny of the Default ==

Quote from ''The Tyranny of the Default'' (broken link: https://cmitsolutions.com/hartford/the-tyranny-of-the-default):
“‘The tyranny of the default’ [is] the expression I like to use for: we know most users don’t go in and change things. They just assume that someone smarter than them choose the settings that are best for them, and so they say ‘YES’ a lot when they’re asked questions. What that means is that if it’s enabled by default, it’ll tend to stay on.
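The quote above makes the point that a default that is never changed is the effective setting on most machines. As an added example (not from the original page, and not Microsoft's or Whonix's own code), the PowerShell script below audits whether the machine-wide diagnostic data policy on a Windows 10 system has been set at all, and can enforce the lowest level. It assumes the documented policy value <code>HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection\AllowTelemetry</code> with the levels 0 = Security, 1 = Basic, 2 = Enhanced, 3 = Full (the same levels the Microsoft document quoted at the top of this page describes); the assumption that level 0 is honoured only on Enterprise, Education and Server editions is also ours.

```powershell
# Added example, not from the original page: audit the telemetry policy default.
# Assumptions (labelled): the policy key/value below is the documented one, and
# level 0 (Security) is only honoured on Enterprise/Education/Server editions;
# other editions treat it as 1 (Basic).
$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
$ValueName  = 'AllowTelemetry'
$LevelNames = @{ 0 = 'Security'; 1 = 'Basic'; 2 = 'Enhanced'; 3 = 'Full' }

function Get-TelemetryPolicy {
    # Returns an object stating whether an explicit policy exists and what it says.
    # If nothing is set, the vendor default applies: exactly the "tyranny of the
    # default" situation, which is also what a fresh re-installation looks like.
    $item = Get-ItemProperty -Path $PolicyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{
            Configured = $false
            Level      = $null
            LevelName  = 'default (no policy set; edition default applies)'
        }
    }
    $level = [int]$item.$ValueName
    $name  = if ($LevelNames.ContainsKey($level)) { $LevelNames[$level] } else { "unknown ($level)" }
    return [pscustomobject]@{ Configured = $true; Level = $level; LevelName = $name }
}

function Set-TelemetryPolicy {
    # Sets an explicit policy. Requires an elevated (Administrator) session and
    # creates the policy key if it does not exist yet.
    param([ValidateRange(0, 3)][int]$Level = 0)
    if (-not (Test-Path $PolicyPath)) {
        New-Item -Path $PolicyPath -Force | Out-Null
    }
    Set-ItemProperty -Path $PolicyPath -Name $ValueName -Value $Level -Type DWord
    return Get-TelemetryPolicy
}

# Usage: report the current state. Uncomment the last line to enforce level 0.
$state = Get-TelemetryPolicy
if (-not $state.Configured) {
    Write-Output 'No telemetry policy is set: the vendor default is in effect.'
} else {
    Write-Output "Telemetry policy is set to $($state.Level) ($($state.LevelName))."
}
# Set-TelemetryPolicy -Level 0 | Format-List
```

Running the audit part after every re-installation is the practical check for the "technical users might forget" case: a missing policy value means the machine has silently returned to the vendor default. The script only reports and, if asked, sets a documented policy; it does not claim to verify what the operating system actually transmits.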
Any anti-features of Windows such as telemetry cannot be excused by "but it can be disabled". That's a workaround at best, not a fix. The fact remains that for most users, if it's enabled by default, it'll tend to stay on. Changing defaults requires awareness of the issue, the skill to use search engines and find documentation on how to do so, and the technical skill to change the default. This is often not the case for non-technical users. Even technical users might forget it in some situations, such as after re-installation. Therefore, default settings matter.

== Nuisances ==

* "reinstall Windows": When users are having issues and searching for advice, often the advice is to "reinstall Windows". Due to the closed source nature of Windows, it's far more difficult to analyze issues and provide bug fixes and workarounds.
* Windows updates often take a long time and require multiple reboots.
** https://superuser.com/questions/335313/why-dont-windows-updates-install-all-at-once
** https://gist.github.com/joefitzgerald/8203265

# User runs Windows Update.
# Windows downloads and installs updates.
# A reboot is required. The user reboots; shutdown takes a long time since Windows is finalizing some updates.
# Boot takes a long time since Windows is finalizing some updates.
# Windows Update reports further updates. Back to 1.
# Repeat a few times.

By comparison, for Debian based distributions a single "sudo apt update && sudo apt full-upgrade" is sufficient to download and install all updates. No extra time is required for shutdown or the next boot, and no further updates are required right after reboot. On Windows, the repetition happens because a previous update was a prerequisite for getting the next update.

Advertisements:

* Windows [https://www.theverge.com/2017/3/17/14956540/microsoft-windows-10-ads-taskbar-file-explorer displays advertisements] for Microsoft products and those of its partners.
* Windows [https://www.theguardian.com/technology/2017/mar/10/windows-10-users-complain-new-microsoft-subscription-onedrive-adverts inserts advertisements inside of File Explorer] to nag about paid subscriptions.

Windows is less flexible. While with a Linux distribution it's easily possible to install to a USB drive, or to swap a hard drive installed in one computer and boot it inside a replacement computer, these are major challenges for Windows users.

It's hard to modify Windows. For example, Qubes Windows Tools for Windows 10 are still not ready.

== Freedom Software Superiority ==

Based on the preceding sections and analysis, it is strongly recommended to learn more about GNU/Linux and install a suitable distribution to safeguard personal rights to security and privacy. Otherwise, significant effort is required to play "whack-a-mole" disabling Windows anti-features, which routinely subject users to surveillance, limit choice, purposefully undermine security, and harass via advertisements, [[#Forced Updates|forced updates]]/[[#Forced Upgrades|forced upgrades]], and so on.

See also [[Avoid_nonfreedom_software|Avoid Non-Freedom Software]].

== Conclusion ==

Can Windows 10 be secure for huge enterprise level customers? In theory, maybe. These customers might have access to [[#Shared_Source|Windows Shared Source]], which [https://security.stackexchange.com/questions/41964/do-the-windows-shared-source-files-compile-into-the-same-binaries-as-the-retail might] even be complete enough to build Windows from source code. Who knows. It cannot be known for sure due to the [https://www.microsoft.com/en-us/sharedsource/enterprise-source-licensing-program.aspx high requirements] for getting access to Windows source code and the requirement of signing a non-disclosure agreement (NDA). Even if the author of this page did know, it could not be published here due to the NDA requirement.
Such customers might even be able to escape the [[#Inescapable Telemetry|Inescapable Telemetry]] that mere mortals cannot, by building their own Windows installer ISO and Windows updates from Windows source code. In practice, it is foolish to trust any version coming from an entity that has proved beyond doubt that it is not trustworthy. It is much better to move on and instead use sustainable alternatives.

Can Windows 10 be secure for laymen users? Probably not. Due to [[#WER|Windows Error Reporting (WER) and Core Dumps Privacy Issues]], telemetry, [[#spyware|spyware]] and [[#keylogger|keylogger]] (see chapter [[#Windows Surveillance|Windows Surveillance]]), too much private information, including user data, ends up on Microsoft servers, which is then in part harvested by any government with thousands of employees that Microsoft is compelled to cooperate with. Such data can then be used in [https://en.wikipedia.org/wiki/Parallel_construction parallel construction] (evidence laundering), circumventing constitutional protections against unreasonable searches and seizures.

Security updates are necessary for any operating system, but the issue with Microsoft is that they tend to sneak in things other than what users can reasonably expect. In the past, at least, they made changes to the update system so that it still phones home even if it was disabled. Examples include [[#Inescapable Telemetry|Inescapable Telemetry]] and [[#Forced Updates|forced updates]]/[[#Forced Upgrades|upgrades]].

Windows officially admits its data mining activity and gives users so-called options to “choose” what they share. [[#Inescapable_Telemetry|Third parties have uncovered time and time again that these user choices are ignored and there is no way to disable data gathering completely.]]

Does Windows result in a world wide net gain or net loss of privacy?
A proprietary, security hardened Windows that resists third party spyware + includes data snooping in its core = net loss of end user freedom/privacy and a security risk, as the [[#crash_reporter_abused_by_NSA|NSA has been known to use Windows Error Reporting for aiding exploitation]].

A less security hardened Freedom Software operating system that might be more vulnerable to active attacks + no privacy invasive code included by default = net gain of privacy by default, as nothing is being reported anywhere unless targeted attacks are deployed.

== Forum Discussion ==

https://forums.whonix.org/t/host-operating-system-selection-wiki-page-discussion/11303

= Footnotes =

[[Category:MultiWiki]]