Tuesday, 29 November 2016

Holding Shift + F10 During Windows 10 Updates Opens Root CLI, Bypasses BitLocker

URL: http://rss.slashdot.org/~r/Slashdot/slashdot/~3/-ScjETtY1S8/holding-shift--f10-during-windows-10-updates-opens-root-cli-bypasses-bitlocker

An anonymous reader quotes a report from BleepingComputer: Windows security expert and infrastructure trainer Sami Laiho says that by holding SHIFT + F10 while a Windows 10 computer is installing a new OS build, an attacker can open a command-line interface with SYSTEM privileges. This CLI debugging interface also grants the attacker full access to the computer's hard drive data, despite the presence of BitLocker. The CLI debugging interface is present when updating to new Windows 10 and Windows 10 Insiders builds. The most obvious exploitation scenario is when a user leaves his computer unattended during the update procedure. A malicious insider can open the CLI debugger and perform malicious operations under a root user, despite BitLocker's presence. But there are other scenarios where Laiho's SHIFT + F10 trick can come in handy. For example when police have seized computers from users who deployed BitLocker or when someone steals your laptop. Windows 10 defaults help police/thieves in this case because these defaults forcibly update computers, even if the user hasn't logged on for weeks or months. This CLI debugging interface grants the attacker full access to the computer's hard drive, despite the presence of BitLocker. The reason is that during the Windows 10 update procedure, the OS disables BitLocker while the Windows PE (Preinstallation Environment) installs a new image of the main Windows 10 operating system. "This [update procedure] has a feature for troubleshooting that allows you to press SHIFT + F10 to get a Command Prompt," Laiho writes on his blog. "The real issue here is the Elevation of Privilege that takes a non-admin to SYSTEM (the root of Windows) even on a BitLocker (Microsoft's hard disk encryption) protected machine." Laiho informed Microsoft of the issue and the company is apparently working on a fix.

Wednesday, 21 September 2016

Microsoft Signature PC Requirements Now Blocks Linux Installation: Reports

URL: http://rss.slashdot.org/~r/Slashdot/slashdot/~3/XP5Zxrlegzo/microsoft-signature-pc-requirements-now-blocks-linux-installation-reports

Reader sombragris writes: According to a well-documented forum thread, the Signature PC program by Microsoft now requires PCs to be locked down. This user found out that his Lenovo Yoga 900 ISK2 UltraBook has the SSD in a proprietary RAID mode which Linux does not understand and the BIOS is also locked down so it could not be turned off. When he complained that he was unable to install Linux, the answer he got was: "This system has a Signature Edition of Windows 10 Home installed. It is locked per our agreement with Microsoft." Even worse, as the original poster said, "[t]he Yoga 900 ISK2 at Best Buy is not labeled as a Signature Edition PC, but apparently it is one, and Lenovo's agreement with Microsoft includes making sure Linux can't be installed." As some commenter said: "If you buy a computer with this level of lockdown you should be told." There is also a report on ZDNet which looks very understanding towards Lenovo, but the fact remains: the SSD is locked down in a proprietary RAID mode that cannot be turned off.

Saturday, 20 August 2016

Microsoft Bitcoin Nightmare

URL: http://www.reddit.com/r/Bitcoin/comments/4yontb/microsoft_bitcoin_nightmare/

Yesterday I decided it was time to buy a year's subscription to Xbox Live Gold so the kids could play online with their cousins in Florida. When signing up, Microsoft asks the subscriber to enter credit card information so they can renew the subscription whenever it expires. But I prefer not to use a credit card because I don't want to give my kids (and their visiting friends) the power to make charges against my card. And my Xbox Live account has been hacked before.

Thankfully, Microsoft is one of those progressive companies that accept bitcoin so I have an alternative to using a credit card. But they don't allow you to just buy something and pay with bitcoin. Instead, you have to buy Microsoft Currency in advance, then apply that as credit against whatever you want to buy. So I bought $75 of Microsoft Currency and went to buy my Xbox Live Gold subscription. That's when the nightmare began.

Despite having a $75 account credit, the subscription process provides only one payment option - credit card. I thought this must be a mistake, so I searched around for several minutes looking for a support phone number to call. Not finding one, I eventually settled for support chat.

After waiting a few minutes in the queue, a friendly support tech informed me that Microsoft does not allow Microsoft Currency to be used for Xbox Live Gold subscriptions. That's annoying, but not the first time I've encountered a low-level support person forced to enforce an inexplicable, poorly-documented, and counter-intuitive company policy. So I asked for a refund. He tells me they don't offer refunds of Microsoft Currency. "Is there anything else I can help you with?", he asks. I tell him I want to talk to his manager. While we wait, he reminds me that "As consumers, we must be responsible for knowing what we are buying before making a purchase."

The manager confirms the policy - no subscription purchases with Microsoft Currency, no refunds. I reply that accepting payment for something, refusing to provide the requested service, and refusing to provide a refund is illegal. After a pause, he informs me that he would like to provide a refund, but Microsoft Currency refunds can only be processed by the people in the Microsoft Store group, not the Xbox group. He gives me their number and wishes me a good day.

I call the Microsoft Store people, happy to finally have a phone conversation rather than enduring the long pauses and cryptic half-replies in support chat. After explaining the problem I am put on hold for a few minutes, then find myself describing my problem to the Xbox group. Once again I ask for a manager.

This time, the manager is clearly trying to make me a happy customer rather than shuffle me off to someone else. He offers a free month of Xbox Live Gold. I tell him that I'll accept 12 months, since that's what I've been trying to buy all along. Otherwise, I want a refund. After a break to consult with someone else, he tells me he can provide a refund in 24-48 hours, but their system is having problems at the moment - the refund option does not appear in his control panel. He sends me a free month subscription to Xbox Live Gold as an apology. I ask him how the $75 will be refunded since I purchased it with bitcoin. "Bitcoin, is that a kind of credit card?", he asks.

Dinner is an hour late at this point and the kids are complaining, so I end it there.

The lesson here is clear to me. Microsoft caused this problem in the first place with their ridiculous "you can't buy that" rules and illegal "no refunds" policy. And they know "no refunds" would never hold up in court. They clearly have a way to issue refunds. But bitcoin, as implemented today, has no refund mechanism in place by default for the merchant. And the buyer - me - has no option to reverse a charge. Had I bought Microsoft Currency with a credit card they would have the system in place to refund me. Had they refused, I could have easily disputed the payment with my card issuer. Situations like this illustrate a scenario where bitcoin is not a good choice for online purchase.

submitted by /u/mshadel

Thursday, 11 August 2016

Secure Boot Isn't So Secure After All: The Golden Key Is Out

URL: http://feedproxy.google.com/~r/Phoronix/~3/P7kxEYlzKtY/scan.php

So much for Secure Boot being so secure... After a mistake by Microsoft, the "golden key" is now out in the wild...

Wednesday, 9 March 2016

Microsoft Hates Linux: Patent Extortion Continues With New Software Patents Deal (Wistron)

URL: http://www.linuxtoday.com/it_management/microsoft-hates-linux-patent-extortion-continues-with-new-software-patents-deal-wistron-160308071138.html

TechRights: Microsoft is still killing (free) Linux with software patents whilst at the same time telling the media that it 'loves Linux'

Sunday, 6 March 2016

Another Windows 10 Update Causing Problems

URL: http://rss.slashdot.org/~r/Slashdot/slashdot/~3/I4Hv2FjO5vQ/another-windows-10-update-causing-problems

New submitter sexconker writes: The recently-released cumulative update for Windows 10 (KB3140743) is reportedly causing problems. Symptoms include crashes, BSODs, and the inability to boot, even in safe mode. The Windows 10 subreddit has many threads detailing the inability to boot. The only fix seems to be booting to a recovery ISO, uninstalling the update / rolling back, and hoping you don't get hit again. W10Privacy 2 claims to be able to (among other things) give Windows 10 users control over the automatic updates.

Wednesday, 24 February 2016

Bill Gates Backs FBI Request to Hack Terrorist's iPhone

URL: http://redir.folha.com.br/redir/online/mercado/rss091/*http://www1.folha.uol.com.br/tec/2016/02/1742383-bill-gates-apoia-solicitacao-do-fbi-para-hackear-iphone-de-terrorista.shtml

Bill Gates broke with Silicon Valley in the standoff between Apple and the United States government, saying that technology companies should be forced to cooperate with the authorities in terrorism investigations. Read more (02/23/2016 - 16h06)

Tuesday, 5 January 2016

Microsoft Monitoring How Long You Use Windows 10

URL: http://rss.slashdot.org/~r/Slashdot/slashdot/~3/XBICu4BuXnE/microsoft-monitoring-how-long-you-use-windows-10

Mark Wilson writes: The various privacy concerns surrounding Windows 10 have received a lot of coverage in the media, but it seems that there are ever more secrets coming to light. The Threshold 2 Update did nothing to curtail privacy invasion, and the latest Windows 10 installation figures show that Microsoft is also monitoring how long people are using the operating system. This might seem like a slightly strange statistic for Microsoft to keep track of, but the company knows how long, collectively, Windows 10 has been running on computers around the world. To have reached this figure (11 billion hours in December, apparently) Microsoft must have been logging individuals' usage times. Intrigued, we contacted Microsoft to find out what on earth is going on.
