Security ad absurdum

an inconvenient truth

for which (hardly) anyone is interested?


If someone had told me in the past that I would voluntarily carry a bug around with me and even charge it myself, I would have laughed out loud. Today, I have a smartphone. (Author unknown).
The majority of users would not accept having to do without Facebook, Google, Youporn and Twitter, Microsoft Windows, Apple's macOS and iPhones, and Android smartphones and so on. I'm always amazed when people have been fighting against the legal obligation to retain data (or minimum storage requirement) for years and have no problem with it when it comes to their favorite lifestyle gadgets and even voluntarily consent to them collecting the communication data for retention and making it available to authorities.

It is often "argued" that Google, Facebook and other ad-financed Internet services are "paid for with data". This is not quite correct in such a simplified way. Data is not a currency that can be used to pay employees or bills for hardware. Data is a resource that is exploited to sell a product.
97% of the TOP100 websites and about 80% of the German-language websites are infected with various elements of Google for the insertion of advertising or traffic analysis. (Reppesgaard: Das Google Imperium, 2008) Every call of such a prepared website is registered at Google, evaluated and assigned to a surfer. In addition to commercial websites, information offered by professional journalists and independent bloggers on the and platforms, this also includes many private websites that are happy to receive a few cents from the Adsense advertising program.

The resulting user profiles are now very meaningful. Although 80% of Internet users reject the tracking of surfing behavior, it continues to be expanded both technically by the large data collectors and through political decisions, data collection is made easier. Many services on the Web are taking advantage of the opportunities to track and analyze surfing behavior and our private communications, and to make a profit from the data collected.

"Do-Not-Track" has failed due to lobbying

"Do-Not-Track" (DNT) was proposed by in 2009. With an additional HTTP header, the browser was supposed to convey the user's basic wish not to be tracked. In December 2010, the FTC declared support for DNT, and in 2012, the W3C began standardizing the feature.

Users' clear desire, expressed by enabling Do-Not-Track in the browser, was ignored wholesale by the tracking industry. Empirical studies showed that this reduced tracking while browsing by less than 2%.

It was a brilliant move by Microsoft to enable "Do-Not-Track" by default in IE10 without user interaction. This clearly contradicted the intentions of the W3C standard, which explicitly defined that a DNT header may only be sent by the browser if the user wants to actively express a request. This activation by default gave the tracking industry the necessary excuse to officially ignore DNT, as it could no longer be assumed that a user had actively opted in. Yahoo declared in May 2014 that all of its services would ignore DNT, followed by Google and Facebook in June and Twitter two years later.

However, it is not just about the display of advertising, but also about the collection and use of large amounts of personal data.

Tracking and motion analysis

re:publica - Visitor flow analysis Link/Image open re:log - Visitor flow analysis All smartphones (and laptops!) have a WLAN module. It's convenient when you come home or when your smartphone automatically uses the WLAN at work instead of the expensive data connections of your mobile provider. If one is on the road with the WLAN module activated and automatic login for the preferred WLANs, then the smartphone or laptop regularly sends active "probes" to scan the environment for the preferred WALNs. In addition to the globally unique MAC address, this also sends a list of SSIDs of the preferred WLANs to which the smartphone would automatically connect (Preferred Network List, PNL). This list provides information about locations where the smartphone owner prefers to be (home, office...). With little technical effort, this data of active WLAN "probes" can be used for tracking and attacks.

At re:publica 2013, a free WLAN was provided. This WLAN tracked all WLAN-enabled devices (laptops and smartphones) of the visitors, regardless of whether the devices used the WLAN or not. The project re:log - visitor flow analysis via re:publica W-LAN visualizes the data.

The advertising company Renew set up 200 litter garbage cans at the 2012 London Olympics that tracked pedestrians using the MAC addresses of their smartphones with an integrated WLAN access point. Within a week, over 4 million devices were tracked as they made their way through the City of London.

Berlin's transport authority will partner with HOTSPLOTS to provide free Wi-Fi at subway stations. "We will cookie the subway." would also be a good slogan, but "Our logging tool..." is really good and appropriate.

This data makes it possible to track movements in the real world, as demonstrated by the visitor crowds at republica 2013 (see above).

Social environment analysis is also possible with location data. The sum of all location data is more than the accumulation of the locations of person A, B and C. As the study Inferring social ties from geographic coinsidences (ext.PDF ) shows, this collection enables detailed information about the social environment, even if one is not friends on Facebook. The location data from smartphones reveals who you regularly have a beer with, who you go to bed with, whether you take part in Pegida demonstrations or meet in Antifa circles, which company you work for or whether you are unemployed, and much more.

The company Sense Networks is a pioneer in the field of motion analysis. In an interview with Technology Review, G. Skibiski describes his vision. With geofenching data collections (including VDS data), easy surveillance is possible.

In Ukraine, this data was already used to intimidate protesters in Jan. 2014. Participants of a demonstration against the then incumbent president received an SMS with the content: Dear customer, you are registered as a participant of a riot.

The company Dataminr offers customers access to Twitter postings via API and advertises in a flyer (int.PDF ) using the example of a student protest in South Africa how to use the new geospatial analysis tool to monitor political demonstrations.

WiFi-Tracking on Amsterdam Airport Schiphol Bluetooth is used in the same way for tracking. In addition, each function increases the attack surface. No one can attack or secretly connect to a Bluetooth device that is turned off. Therefore, the function should only be turned on for smartphone or tablet when it is being used.

The BlueBorn attack published in Sept. 2017 shows that this warning was justified. Attackers can exploit smartphones via several security holes in Bluetooth and execute their own code on the device. Android and Linux devices can be completely taken over.

One should be aware that there is virtually no technical protection against the localization and observation of movement profiles. The examples show that it is difficult to protect oneself against possible surveillance with smartphone bugs. Even if you leave your own smartphone at home, a friend may have his smartphone with him and the bug will not only listen in on him, but also on me.

Big Data companies

Youtube Video about Acxiom and Big Data youtube ∽ 3 Min. Data collectors (Facebook, Amazon, Twitter...) sell information about users to data brokers (e.g. Acxiom, KaiBlue, RapLeaf...) who enrich, aggregate and sell complete profiles to the actual end users, such as credit card companies, HR departments of large companies and marketing departments. The customer pays.

Acxiom has accurate data on 96% of the US population. In Germany, Acxiom provides data on 44 million active consumers. Consumers are classified into 14 main groups, e.g. "single parent and low status", "affluent middle-aged single" or "golden pensioner, active" ....... These main groups are subdivided into up to 214 subgroups according to lifestyle activities (e.g. gardening, pets, sports, fashion, diet...), consumer behavior, milieu classification (e.g. "intellectual", "status-oriented middle class", "traditional working-class milieu", "hedonistic", "consumerist-materialist"...), etc.

Match Group monopolizes the dating market. The Match Group includes the dating portals Tinder, OkCupid, Plenty of Fish, Meetic, LoveScout24, OurTimes, Pairs, Meetic, Match, Twoo, and other partner portals. In the privacy policies of the portals you can read that the sensitive personality data of the benefits within the Match Group are shared between portals: We share your data with other Match Group companies. [...] Support may include technical processing operations such as data hosting and maintenance, customer support, marketing and targeted advertising [...]. We may also share your information with partners who help us distribute and market our services.

This is carte blanche to sell very private details to any third party.

Monitoring browsing behavior and online purchases provides an incomplete picture of our interests. By incorporating real-life data, the profiles should be improved.

Patent applications by Google and company acquisitions show that the empire also wants to collect data in the real world in the future. In early 2014, for example, Google bought Nest, a manufacturer of thermostats and smoke detectors, for $3.1 billion. Nest's thermostats are installed in millions of homes and equipped with temperature, brightness and humidity sensors that can be read via the Internet.

IoT security is often beyond the capabilities of IT executives because of the need to manage physical devices and objects instead of virtual assets. In fact, Gartner's 2016 IoT Backbone Survey showed that 32% of IT executives cited security as a barrier to IoT success.

Operational systems

With Windows 8.0, Microsoft has started to introduce the device-based tracking accepted for smartphones to PCs as well. Similar to Google with Android, Microsoft, as one of the five largest data collectors on the Internet, wants to expand and better personalize its data pools.
If you read the Apple privacy policy, you can see that macOS is not suitable as an operating system if you do not want to share your privacy with Apple. For this, Apple was honored with the BigBrother Award 2011.
There are a large number of Linux distributions, so you are first spoiled for choice as a beginner: Debian and derivatives, OpenSuSE, Mandrive, Fedora, Gentoo for hobbyists, mini-distributions like Puppy or particularly hardened variants like Qubes OS and Fortress Linux ...
NetBSD and OpenBSD are consistently optimized for security without compromising usability. If you have several years of experience with a UNIX-like system (e.g. Linux) and are sufficiently capable of suffering, then you can enjoy the advantages of these two operating systems.

How trustworthy is Microsoft? For the federal administration and all German authorities, companies and private users who want to continue working with the Windows operating system in the future, this question arises today more than ever. In 2013, experts from the BSI (German Federal Office for Information Security) warned against the use of Windows 8 in combination with TPM 2.0, calling it an unacceptable security risk for public authorities / companies. Users of a trusted computing system lose control of their computer, according to the experts. Today, the BSI relativizes the warning, but sees some critical aspects in connection with certain deployment scenarios.

Microsoft has been a partner in the NSA's PRISM program since 2007.

Telemetry Windows 10

Device-based tracking has been further expanded in Windows 10. A "Unique Advertising ID" is generated for each account on the computer. This ID is also made available to third parties for unique identification. Private data that Microsoft collects in the default configuration:

  • Personal interests resulting from browsing behavior as well as from data collected via apps are sent to Microsoft (a sports app sends preferred teams, a weather app sends frequently requested cities...)
  • Location data from all devices running Windows are sent to Microsoft. Preferably GPS or the WLANs of the environment are used to determine the location as accurately as possible.
  • Contact data of friends and acquaintances is transferred to Microsoft when using tools from Microsoft as an address book.
  • Contents of emails, instant messages and voice/video messages (e.g. Skype) also belong to the data that Microsoft collects.
  • Windows Defender transmits all installed applications.
  • With the digital assistant "Cortana", a kind of listening center is set up in the default configuration, which connects the living room directly with Microsoft. With the Anniversary Update on August 02, 2016, it is made almost impossible to turn off the intrusive, spying "Cortana", since the digital assistant provides the complete search (both locally and on the web).
  • The typing behavior is analyzed and sent to Microsoft. The profile of typical keystrokes could be used in the future to identify text entries in web forms or chats (keyword: keystroke biometrics).
  • The unique UUID that Windows sends when communicating with Microsoft servers (e.g., for software updates) is used by the NSA and GCHQ as a selector for Taylored Access Operations (TAO) to target the computers of persons or companies of interest.
  • As a special highlight, the automatically generated recovery keys of the hard disk encryption Bitlocker are also part of the data MS collects in its cloud and makes available to NSA/FBI/CIA. (Crypto War 3.0?)
At the end of 2018, the German Federal Office for Information Security (BSI) published a study entitled "System integrity, logging, hardening and security functions in Windows 10" (SiSyPHuS). It criticized the fact that a complete prevention of the collection and transmission of telemetry data by Windows 10 cannot be completely disabled by configuring settings. However, the BSI does not address the question of whether the transmission of telemetry data by Windows 10 to Microsoft is illegal.

Windows 10 and data protection

Windows 10 hasn't just been on the radar of data protection regulators since yesterday. In November 2019, the Data Protection Conference has now published a paper with a review scheme on the topic of data protection in Windows 10. One motivation causing the investigation is probably the huge market power of Microsoft and its products. Another reason why the DSK is conducting an investigation is the significant difference in functionalities between Windows 7 and Windows 10:

  • Windows 10 sees itself less as an operating system than a system environment with a multitude of additional functionalities.
  • Each update can lead to configuration settings being changed or to the scope of functions and thus also the scope of processing changing.
  • A data transfer from Windows 10 to Microsoft cannot be completely prevented by customized settings. In addition, the transmission of data is encrypted, so it cannot be determined whether and, if so, which personal data is transmitted to Microsoft in the process.

Privacy-compliant use of Windows 10

If data controllers want to use Windows 10 in their company in a privacy-compliant manner, either the transmission of any telemetry data to Microsoft must be prevented or the data controller must be large enough to negotiate an individual solution with Microsoft. Otherwise, the only option is to switch to a data protection-friendly operating system. Article 25 of the General Data Protection Regulation requires user-friendly data protection default settings ("Privacy by Default"). The responsible parties, that would be the system operators, would therefore have to ensure that the system is configured accordingly.

„However, the reality is that many authorities have long been in the situation where they have no alternative left to migrate to Windows 10 because support for the operating system currently in use is expiring and no other federal client is available."
Since the German data protection supervisory authorities cannot currently take direct action against Microsoft due to problems with the GDPR (one-stop store / consistency procedure), they are once again taking the detour via the users.

If courts confirm the view of the supervisory authorities indicated in the review scheme and classify the use of Windows 10 as generally impermissible under data protection law, Microsoft will be "encouraged" by the potential threat of user loss to take account of the data protection imperative.

User-related data in data transfer

However, Windows 10 is not the only construction site; Microsoft's Office package also transmits data. As part of the procurement process, the Dutch Ministry of Justice commissioned the consulting firm Privacy Company to prepare a data protection impact assessment for the use of Office ProPlus in accordance with the requirements of the General Data Protection Regulation (GDPR). The privacy impact assessment (ext.PDF ) published in November shows that Office telemetry data is usage data: When users translate parts of text via the Office package, for example, this can only be done via an online service at Microsoft.

In total, there are supposed to be between 23,000 and 25,000 different event types that are sent from Office to Microsoft servers. On the Windows 10 side, there should only be a maximum of 2,000 event types. With reference to the impact assessment, the Dutch government demands that Microsoft stop the illegal data transfers.

Your computer has long belonged to someone else

The Intel Management Engine ("ME") () is a dedicated microcontroller integrated into all current Intel motherboard chipsets. It operates independently of the main CPU, can be active even when the rest of the system is turned off, and has a dedicated connection to the network interface for out-of-band networking that bypasses the main CPU and installed operating system. It not only performs the management tasks it was originally designed for, but also implements features like Intel Identity Protection technology (IPT), protected audio-video path, Intel Anti-Theft, Intel TPM, NFC communications, and more. There is not much information about how it works exactly. Igor Skochinsky, REcon 2014 (ext.PDF )

REcon is a computer security conference with a focus on reverse engineering and advanced exploitation techniques. It is held annually in Montreal, Canada. The conference offers a single track of presentations over the span of three days along with technical training sessions held before the presentation dates. Technical training varies in length between two and four days.

The ME consists of a dedicated processor core, code and data caches, a timer including a cryptography engine, internal ROM and RAM, memory controllers, and a secure internal bus to which additional devices are connected. A direct memory access (DMA) engine accesses the host operating system to reserve a protected external memory area. This supplements the ME's limited internal RAM. The ME also has an Intel Ethernet controller with its own MAC address. The boot program stored in the internal ROM loads a firmware manifest from the PC's SPI flash chip. This manifest is signed with a strong cryptographic key that differs between versions of the ME firmware. If the manifest is not signed by a particular Intel key, the boot ROM will not load and execute the firmware, and the ME processor core is halted.