“Cortana Flaw Allowed Takeover of Locked Windows 10 Device”
Lindsey O'Donnell, Threatpost, August 9, 2018
Thanks to Cortana's “universal access methods” … researchers were able to launch local commands through a locked Windows 10 screen and perform additional risky commands.
The root cause behind “Open Sesame” (CVE-2018-8140) is the fact that the lock screen on Windows 10 devices restricts the keyboard — but allows Cortana invocation through the voice. So once Cortana is invoked, the lock screen no longer restricts it.
Once they exploited the flaw, attackers can view the contents of sensitive files (text and media), browse arbitrary web sites, download and execute arbitrary executables from the Internet, …
“In the past, the OS made sure the UI is not accessible when the computer is locked, and therefore developers did not need to think about it. Now it's the developers' responsibility,” said [Tal Be'ery of the Israel Institute of Technology].
Sure it is. This is another case of Microsoft designing the operating system so that it conforms to Microsoft's interests rather than to the preferences and needs of users and application developers.
According to the insider press, Microsoft is close to releasing the “Microsoft Managed Desktop,” which is a version of Windows that will be distributed and exclusively administered by Microsoft, for a monthly rental fee. Perhaps it will run only on some specialized hardware platforms, as MacOS runs only on Macintosh hardware.
“Microsoft's Got a New Plan for Managing Windows 10 Devices for a Monthly Fee”
Mary Jo Foley, All About Microsoft, July 27, 2018
As anyone who's been watching Windows 10 feature updates knows, many IT pros are unhappy about Microsoft's twice-yearly feature updates to the OS. They have seen updates break compatibility with things they didn't anticipate. They've seen Microsoft post and pull patches and updates to these releases, making deployment a nightmare. Windows as a service has been a rocky (or substitute your expletive of choice) road for many.
Microsoft looks to be counting on companies being ready for greater predictability — in terms of spending, updating and support — in exchange for letting someone else do the driving.
In other words, they are about to abandon the last remnants of the pretense that Windows machines are “personal computers” in any meaningful sense. A machine running a Microsoft Managed Desktop is an appliance, plain and simple — not even an appliance that you own, but one that you rent and operate on terms convenient to the lessor. The Terms of Service are going to be wondrous to behold.
“With DaaS Windows Coming, Say Goodbye to Your PC As You Know It”
Steven J. Vaughan-Nichols, Computerworld, July 30, 2018
Microsoft has been getting away from the old-style desktop model for years now. Just look at Office. Microsoft would much rather have you rent Office via Office 365 than buy Microsoft Office and use it for years. Microsoft Managed Desktop is the first move to replacing “your” desktop with a rented desktop. By 2021, I expect the Managed Desktop to be to traditional Windows what Office 365 is to Office today.
“With the Next Version of Microsoft Windows, Say Goodbye to Your Windows PC As You Know It”
Dick Eastman, Privacy Blog, July 30, 2018
I'm not sure I would trust Microsoft to keep my PC clean and tidy and free of viruses. Then there is the privacy issue: will Microsoft add spyware the way that Facebook does?
Eastman seems to be a little behind the curve here. Windows 10 is already full of spyware, although Microsoft prefers to call it “telemetry.” The difference is that under the Microsoft Managed Desktop you won't have the right to turn any of it off.
How sad. Many of my students and colleagues liked GitHub and relied on it extensively. Ah, well: Tout passe, tout lasse, tout casse.
“Buying GitHub Would Take Microsoft Back to Its Roots”
Dina Bass and Eric Newcomer, Bloomberg, June 4, 2018
The software maker has agreed to acquire GitHub, the code-repository company popular with many software developers, and could announce the deal as soon as Monday, according to people familiar with the matter.
“What Is Wrong with Microsoft Buying GitHub”
Jacques Mattheij, June 4, 2018
Many open source contributors consider GitHub too big to fail. …
Some concrete examples of the things Microsoft have done:
• Abuse of their de facto monopoly position to squash competition, including abuse of the DD process to gain insight into a competitor's software
• Bankrolling the SCO Lawsuit that ran for many years in order to harm Linux in the marketplace
• Abuse of their monopoly position to unfairly compete with other browser vendors, including Netscape
• Subverting open standards with a policy of Embrace, Extend, Extinguish
• The recent Windows 10 Telemetry abuse
• The acquisition of Skype, after which all the peer-to-peer traffic was routed through Microsoft, essentially allowing them to snoop on the conversations. …
• Unfair advantage over competitors by using internal APIs for applications unavailable for competing products
• Tied-sales and bundling
• Abuse of Patents
The list is endless. So, this is the company that you want to trust with becoming the steward of a very large chunk of the open source world? Not me. And for all you closed source customers of GitHub, do you really want the company that abused a due-diligence process faking an acquisition interest to have the inside scoop on your code?
The principals weigh in:
“Microsoft to Acquire GitHub for $7.5 Billion”
Microsoft News Center, June 4, 2018
“A Bright Future for GitHub”
“defunkt”, The GitHub Blog, June 4, 2018
The case that was supposed to determine whether the government can force Microsoft to turn over its users' data stored on servers in a foreign country is effectively over. Both sides have agreed that the case is moot now that the Clarifying Overseas Use of Data Act is law and the Department of Justice has procured a warrant under that law.
“What Will Microsoft And Ireland Do with the New CLOUD Act Warrant?”
Albert Gidari, Center for Internet and Society, April 9, 2018
The author raises several possible courses of action: Microsoft could try to quash the warrant somehow, or it could rely on the Irish government (possibly prompted by Microsoft) to insist that the United States work through the Mutual Legal Assistance Treaty that is supposed to ensure bilateral cooperation in such cases, or it could just roll over and give up the customer data.
My guess is that Microsoft will choose option C. It has already gotten what it wanted out of this lawsuit: a public-relations boost for its claim to protect users' data, some spiteful retaliation against the Department of Justice, and no real change in its close relations with the NSA, the FBI, and the Department of Homeland Security.
The United States Department of Justice is continuing its doomed quest for an encryption system that simultaneously conceals texts from some people who should not have access to them and reveals them to other people who should not have access to them. They have begun to organize research teams and conferences to discuss ways of forcing or tricking people who want strong encryption into accepting weak encryption instead.
The new feature of this story is that some of the researchers who have gone over to the dark side are now identified by name: Ray Ozzie, formerly Chief Technical Officer and Chief Software Architect for (of course) Microsoft Corporation; Stefan Savage, Irwin and Joan Jacobs Chair in Information and Computer Science at the University of California, San Diego; and Ernie Brickell, Chief Security Architect, Intel Corporation.
The presence of Brickell and Ozzie guarantees that users should never trust encryption systems supplied in Intel hardware or as part of the Windows operating system, but should continue to use systems, such as GPG, that are entirely implemented in open-source software.
“Justice Dept. Revives Push to Mandate a Way to Unlock Phones”
Charlie Savage, The New York Times, March 25, 2018
“Hackers Can Use Cortana to Open Websites on Windows 10 Even If Your PC Is Locked”
Tristan Greene, The Next Web, March 7, 2018
A pair of independent researchers yesterday uncovered a particularly worrisome security vulnerability in Microsoft's Windows 10. If your PC's OS was installed with default settings this could affect you.
The simple “hack” involves activating Cortana via voice command to open websites on a PC that's been locked.
Well, duh. This was completely obvious from the beginning to any Windows 10 user who glanced at the page describing the settings for Cortana. One of the options is “Use Cortana even when my device is locked.” Microsoft turned this on by default because it wants to listen in on Windows 10 users even when the users try to lock their PCs. The “researchers” “uncovered” this feature by noticing that it was there and trying it out. This scarcely qualifies as a “hack,” or even as a “‘hack.’”
It seems unlikely that Microsoft will regard this routine surveillance feature as “worrisome.” From the user's point of view, it is of course a gigantic security hole. Since the user doesn't own Windows, however, that point of view is essentially irrelevant. The real owner, Microsoft, has already expressed its point of view by creating the feature and making sure that it's on by default. That's the end of the story.