Who "Owns" Your Computer & Data?

Or you might say, who can access it anytime they want?

We know that we merely "license" the use of Windows when we "buy"
Windows, and we have to agree to a EULA so long and detailed it would
take an SEC lawyer to figure it out.

When we allow the Windows update to run or do it manually, we know
Microsoft is updating to keep things running smoothly.

But what happens when they access your computer without your
knowledge? And once you ask that, If they can access your computer to
upload files to it without your knowledge, the engineer in me asks the
next question, can they download what they want from your computer?
And the obvious comes up, if Microsoft can do it, can't a competitor
or hacker if they reverse engineer the Windows Update?

It is very obvious at this point that if you have proprietary
information you can't afford to lose on your Windows Boxes, you have
to start thinking security from the ground up. PCs connected in any
way to the Internet are NEVER inherently secure, no matter what anyone
says. There are just too many damn holes, deliberate and otherwise in
Windows.

http://windowssecrets.com/2007/09/13/01-Microsoft-updates-Windows-without-users-consent

http://www.microsoft-watch.com/cont..._sneaky_updates.html?kc=MWRSS02129TX1K0000535

http://blogs.zdnet.com/hardware/?p=774

Happy Hunting - Bo

 

PCs connected in any

Ditto for Macs.

"Mac OS X doesn't stand out as particularly more secure than the
competition, according to Secunia. Of the 36 advisories issued in
2003-2004, 61 percent could be exploited across the Internet and 32
percent enabled attackers to take over the system. The proportion of
critical bugs was also comparable with other software: 33 percent of
the OS X vulnerabilities were "highly" or "extremely" critical by
Secunia's reckoning, compared with 30 percent for XP Professional and
27 percent for SLES 8 and just 12 percent for Advanced Server 3. OS X
had the highest proportion of "extremely critical" bugs at 19 percent.
"

http://www.techworld.com/security/news/index.cfm?newsid=1798

 

So the question remains: How do you keep proprietary information
safe?

Key critical information has to reside on computers that do NOT need
to be connected to the Internet to keep "running" without some damned
nlicense application demanding you connect via the Internet.

Right now, the Mac OSX can operate off a network and you don't have to
go on except in the first launch to register (you can bypass that,
though I haven't tried it). Win XP Pro can also do that and remain
off the Internet, though apparently it may still try to connect to its
update servers without the user's knowledge or warning.

Vista, on the other hand, sounds like it will have a heck of a time
operating in a secure non-internet connected basis, at least without
some form of special license or version.

Given the nature of hacking for profit that is going on worldwide, I
get the feeling many companies just hope they won't get hacked.
Obviously, companies that must meet rigorous military or government
requirements for secrecy and safety, will NOT use PCs that can not be
run successfully off the Internet.

What does your company do with sensitive data?

Bo

 

Check out "Shields up" at:

https://www.grc.com

it may give you a warm feeling in your pants or make you even more
paranoid!

Kev

 

I'm not paranoid, Kev, & I've used the Shield's up check and keep most
things locked down and behind hardware firewalls. But I don't allow
critical data to be on a computer that is on the web.

Bo

 

Anecdote from Chinese user of Windows XP posted on Slashdot.org:

"Xinhua report that a Beijing University student has sued Microsoft
for allegedly gathering personal information via Windows Genuine
Advantage. He has demanded a compensation of 1,350 RMB (around US$
180) and an open apology printed in a national newspaper. The student
has accused Microsoft of using WGA to gather information about his
computer and himself, rather than solely checking whether or not the
installed Windows XP system was genuine. A Microsoft spokesman has
declined to speak on this issue and said that the matter is under
investigation."

 

One would have to ask what kind of firewall you have if they can do
this. Normally, a connection can't be made from outside unless a
computer inside asks for it. So the logical conclusion is that your
computer called home like a beacon.

TOP

 

But when the OS, in effect, has a back door programmed into it, it can
call out any damn time it wants to do so. If it is smart, it does it
at minimal activity times, in short amounts, etc.

In the news today was the Ameritrade software that also had a
malicious back door programmed into it by someone on the inside to
allow data extraction. Just like Microsoft does.

http://it.slashdot.org/article.pl?sid=07/09/14/1849239

Bo

 

The absolute worst part of this is what hackers can now do, which is
suggested by the following user comment on Slashdot:

"So now that hackers know there exists a backdoor to the windows
update which will let them update a stealth patch to anything they
want in the system because it runs with admin rights, this isn't a big
deal to you?"

If this doesn't tell you something very serious about what a hacker or
a former "white hat" from Microsoft could do, it they can gain control
of your computer, your data, your applications, etc., any time they
want.

Microsoft has reached the point of be all do all, and it is now
dangerous. I am beginning to wonder now when businesses start
abandoning Windows soley on the basis of lack of being able to audit
the code.

I think the true value of open source OS's has now been revealed. If
Linux or BSD Unix had back doors installed, it would be known very
quickly by programmers examining the code. Microsoft will never tell
what is in their OS. In fact, I would bet that the NSA worked with
Microsoft to make sure the NSA can access any Windows machine if they
want.

How is that for informed speculation?

Bo

 

The traffic is still going to be caught by the firewall if it is
separate from the Windows machine. I noticed Windows update stuff
typically happens after hours. But it does show up on the radar.

TOP

 

Given this mornings news from the EU, it appears from headlines that
Microsoft may be required to open up some of their code in addition to
the fine. Maybe there will be more transparency in their proprietary
OS, and maybe that will alleviate fears about back doors and lack of
privacy as a result of all the accidental security holes.

Time will tell.

Unfortunately, for me, I do not think I will ever trust my PCs to be
on the Internet along with my proprietary data, as I don't have the
time and expertise to become an expert at protecting PCs from hack
jobs.

For me that means I will keep proprietary data off the PC whenever
activation is needed, and hopefully the PC will never be back on the
Internet or a network, or if it is, it won't have proprietary data on
it.

Bo

 

One thing about SW models. If anyone tried to download even a fraction
of the vault we have it would show up on the IT radar as a huge one
way outbound traffic jam.

TOP

 

Such is probably now REQUIRED by secret neocon
"executive order" anyway now so why worry?
SureShot wants your p00rn.

 

Needs wider ...

Banquercadcam has none such I heard. He could not even
find the front door so ....

 

That is true.

Often the most valuable Intellectual Property that a firm owns is its
trade secret spreadsheets and product plans, though, & those may be as
simple as a 100k spreadsheet or outline.

Given the breaches in various large companies involving various types
of consumer data in a variety of ways, including secret back door code
installed by coders (think Ameritrade), there are good known reasons
to be careful and cautious.

Bo

 

And this is why any computer system with any pretense to security
has an "air gap" between itself and the Internet, especially if it uses a
proprietary (no source code available) operating system and application
suite.

 

And yet I'll bet 95% of the Comp.Cad.SolidWorks viewers do NOT have
that attitude for various reasons:

1. I am just a single designer for God's sake
2. My work is too inconspicuous
3. My firm is too small
4. Nobody knows we are doing cutting edge machines
5. Hackers only pick big companies

 

6. Collaboration over the Internet is required.

 

BINGO!! (it's like cross posting... let's open up another can of
worms!)

...

 

That Internet collaboration is what a 2nd computer is for, like the
one that is only 1 ghz which is too slow for SolidWorks anymore, but
can whack away just fine for anything in email or ftp for files and
browser work.

They are just tools, and we use them as such, just like we don't do a
single drill hole on a CNC, because it is quicker and easier to use a
drill press.

Bo