Microsoft may have inadvertently disclosed a potential Microsoft backdoor for law enforcement earlier this week. To explain this all, here is the layman term of a backdoor from Wikipedia:
A backdoor in a computer system (or cryptosystem or algorithm) is a method of bypassing normal authentication, securing remote access to a computer, obtaining access to plaintext, and so on, while attempting to remain undetected. The backdoor may take the form of an installed program (e.g., Back Orifice), or could be a modification to an existing program or hardware device.
According to an article on PC World: “The software vendor is giving law enforcers access to a special tool that keeps tabs on botnets, using data compiled from the 450 million computer users who have installed the Malicious Software Removal tool that ships with Windows.”
Not a big deal until you keep reading: “Although Microsoft is reluctant to give out details on its botnet buster — the company said that even revealing its name could give cyber criminals a clue on how to thwart it”
Stop the press for second or two and look at this logically: “users who have installed the Malicious Software Removal tool” followed by “ Microsoft is reluctant to give out details on its botnet buster — the company said that even revealing its name could give cyber criminals a clue on how to thwart it”, what? This is perhaps the biggest gaffe I’ve read thus far on potential government collusion with Microsoft.
We then have the following wording: “Microsoft had not previously talked about its botnet tool, but it turns out that it was used by police in Canada to make a high-profile bust earlier this year.” So again, thinking logically at what has been said so far by Microsoft; “We have a tool called Malicious Software Removal tool…”, “we can’t tell you the name of this tool since it would undermine our snooping…”, “it’s been used by law enforcement already to make a high-profile bust earlier this year.”
Remember a “Malicious Software Reporting Tool” is a lot different from a “Malicious Software Removal Tool”. Understanding networking, computing, botnets, let’s put this concept into a working model to explain how this is nothing more than a backdoor. You have an end user, we’ll create a random Windows XP user: Farmer John in North Dakota. Farmer John in North Dakota uses his machine once a week to read news, send family email, nothing more. He installed Microsoft’s Malicious Removal Tool. Farmer John’s machine becomes infected at some point and sends Microsoft information about the compromise: “I’m Farmer John’s machine coming from X_IP_Address”.
A correlation is done with this information and then supposedly used to track where the botnet’s originating IP address is from. From the article: “Analysis by Microsoft’s software allowed investigators to identify which IP address was being used to operate the botnet, Gaudreau said. And that cracked the case.” This is not difficult, detect a DST (destination) for malware sent from Farmer John’s machine. Simple, good guys win, everyone is happy.
The concept of Microsoft’s Malicious Software Removal tool not being a backdoor is flawed. For starters, no information is ever disclosed to someone installing the Windows Malicious Software removal tool: “Windows will now install a program which will report suspicious activity to Microsoft”. As far as I can recall on any Windows update, there has never been any mention of it.
“But this is a wonderful tool, why are you being such a troll and knocking Microsoft for doing the right thing!”. The question slash qualm I have about this tool is I’d like to know what, why, when and how things are being done on my machine. It’s not a matter of condemning Microsoft, but what happens if at some point in time Microsoft along with government get an insane idea to branch away from obtaining other data for whatever intents and purposes?
We’ve seen how the NSA is allowed to gather any kind of information they’d like (http://www.eff.org/issues/nsa-spying), we now have to contend with Microsoft attempting to do the same. Any way you’d like to market this, it reeks of a backdoor: (again pointing to the definition) A backdoor in a computer system … is a method of bypassing normal authentication, … obtaining access to … , and so on, while attempting to remain undetected. There’s no beating around the bush here on what this tool is and does.
This is reminiscent of the 90’s with the NSA’s ECHELON program. In 1994, the NSA intercepted the faxes and telephone calls of Airbus. What resulted was the information was then forwarded to Boeing and McDonnell-Douglas in which they snagged the contract from under Airbus’ feet. In 1996, the CIA hacked into the computers of the Japanese Trade Ministry seeking “negotiations on import quotas for US cars on the Japanese market”. Resulting with the information being passed off to “US negotiator Mickey Kantor” who accepted a lower offer.
As an American you might say “so what, more power to us” but to think that any government wouldn’t do it to its own citizens for whatever reason would be absurd. There are a lot of horrible routes this could take.
What happens if slash when for some reason or another the government decides that you should not read a news site, will Microsoft willingly oblige and rewrite the news in accordance to what the government deems readable?
How about the potential to give Microsoft a warrantless order to discover who doesn’t like a President’s “health care plan”, or who is irrate and whatever policy; Will Microsoft sift through a machine to retrieve relevant data to disclose to authorities?
That doesn’t include the potential for say technological espionage and gouging of sorts. What’s to stop Microsoft from say, mapping a network and reporting all “non-Microsoft” based products back to Microsoft. The information could then be used to say raise support costs, allow Microsoft to offer juicier incentives to rid the network of non MS based products, the scenarios are endless.
Sadly, most people will shrug and pass it off as nothing. Most security buffs, experts, etc., haven’t mentioned a word of it outside of “the wonderful method to remove, detect, botnets!” and I don’t necessarily disagree it’s a unique way to detect what is happening, but this could have been done at the ISP and NSP level without installing a backdoor. Why didn’t law enforcement approach botnets from that avenue? Perhaps they have, this I’m actually certain of which leads me to believe this is a prelude of something more secretive that has yet to be disclosed or discovered.
http://www.pcworld.com/businesscenter/article/145257/microsoft_botnethunting_tool_helps_bust_hackers.html
http://cryptome.org/echelon-ep-fin.htm (ECHELON MISHAPS)
MORE ON MICROSOFT’S POTENTIAL GOVERNMENT BACKDOOR