Ironic Windows Vulnerability Shows Why Backdoors Can’t Work:

Two hackers published evidence on Tuesday showing that attackers can exploit a feature called Secure Boot and install the type of malicious software the feature was created to protect against. “You can see the irony,” the researchers, known by the handles Slipstream and MY123, wrote.

Secure Boot, which first appeared in Windows 8, bars computers from loading malware by confirming that software coordinating the operating system launch is trusted and verified. This ensures a computer isn’t tricked by a malicious program that then assumes control. Microsoft included a workaround so developers could test their software without fully validating it. It was never meant for hackers or police, but it is a backdoor just the same. And the keys leaked online.

Source: Wired

Microsoft’s president explains the company’s quiet legal war for user privacy

Apple’s legal battle over encryption dominated headlines earlier this year, but another tech giant is fighting a quieter legal war over user privacy: Microsoft. It won a major victory last week, when the U.S. Court of Appeals for the 2nd Circuit sided with the company, ruling that a U.S. warrant could not be used to force Microsoft to turn over email data stored in an Irish data center. The decision, which the Justice Department is considering appealing to the Supreme Court, could have major implications for tech companies who routinely move data around the world so it can be backed up or quickly accessed by users. 

France orders Microsoft to stop collecting excessive user data:

The French data protection authority on Wednesday ordered Microsoft to stop collecting excessive data on users of its Windows 10 operating system and serving them personalized ads without their consent.

Microsoft just won a huge legal victory on email privacy

U.S. warrants can’t force tech companies to turn over data stored overseas, a federal appeals court ruled Thursday.

Microsoft Says U.S. Is Abusing Secret Warrants

Secret government searches are eroding people’s trust in the cloud, Smith wrote — including large and small businesses now keeping massive amounts of records online. “The transition to the cloud does not alter people’s expectations of privacy and should not alter the fundamental constitutional requirement that the government must — with few exceptions — give notice when it searches and seizes private information or communications,” he wrote.

According to the complaint, Microsoft received 5,624 federal demands for customer information or data in the past 18 months. Almost half — 2,576 — came with gag orders, and almost half of those — 1,752 — had “no fixed end date” by which Microsoft would no longer be sworn to secrecy.

These requests, though signed off on by a judge, qualify as unconstitutional searches, the attorneys argue. It “violates both the Fourth Amendment, which affords people and businesses the right to know if the government searches or seizes their property, and the First Amendment, which enshrines Microsoft’s rights to talk to its customers and to discuss how the government conducts its investigations — subject only to restraints narrowly tailored to serve compelling government interests,” they wrote.

Facebook, Google, Microsoft, Twitter, and Yahoo have made an unusual collective submission of written evidence to the Draft Investigatory Powers Bill Joint Committee, in which they criticise a number of key elements of the UK government’s proposed Snooper’s Charter. They write: “We believe the best way for countries to promote the security and privacy interests of their citizens, while also respecting the sovereignty of other nations, is to ensure that surveillance is targeted, lawful, proportionate, necessary, jurisdictionally bounded, and transparent. These principles reflect the perspective of global companies that offer borderless technologies to billions of people around the globe.”
Facebook, Google, Microsoft, Twitter, Yahoo slag Snooper’s Charter: US Internet companies warn that harmful moves by the UK will have global impact.

Source: Ars Technica

The company already informs users if it believes their Microsoft account has been targeted by a third party and provides guidance on how to keep those accounts safe. But now it will go further and tell them if it believes the attackers were “working on behalf of a nation state,” according to a blog post from Scott Charney, Microsoft’s vice president for trustworthy computing.

“We’re taking this additional step of specifically letting you know if we have evidence that the attacker may be ‘state-sponsored’ because it is likely that the attack could be more sophisticated or more sustained than attacks from cybercriminals and others,” he wrote.

The shift follows in the footsteps of Google, which started warning users about potential nation state targeting in 2012. This year other companies, including Facebook, Twitter, and most recently Yahoo, also announced they were making such notifications.