Linked by Thom Holwerda on Thu 19th Nov 2009 23:22 UTC
Earlier this week, a senior National Security Agency official told US Congress that the NSA had worked on Microsoft's latest operating system, Windows 7. This spurred a flurry of rumours about the NSA building backdoors into Windows 7, but Microsoft has today categorically denied these claims.
Thread beginning with comment 395575
lemur2 Member since:
2007-02-17

"Microsoft have admitted in the past for XP that an "update to Windows update" can be pushed and installed silently on XP without Microsoft having to know any local machine password, regardless of user settings. http://blogs.zdnet.com/hardware/?p=779 If Microsoft can silently update Windows update, then they have a backdoor. After silently updating Windows update Microsoft can always put it back again the way it was.
A backdoor that is easily thwarted by disabling the automatic update service? To be clear, the updates aren't "pushed" in the sense that your machine is contacted by Microsoft and the updates are installed forcefully - they are pulled - by the automatic update service that can be disabled by the user manually if desired. Edit: corrected service name "

Not that I use Windows, but anyway that is apparently not quite the whole story.

http://blogs.zdnet.com/hardware/?p=779

I can now confirm that the stealth Windows Update that I blogged about yesterday actually exists - because I’ve detected its presence on a machine at the PC Doc HQ.

At the PC Doc HQ we have several systems set not to update automatically. This is so that they are kept at a specific patch level for testing duties. Many of these systems are virtual machines but some are physical. When I heard about this stealth update I decided to take a look at one of these systems that don’t update automatically (it was set to download and notify) - and within seconds I found what I was looking for.

[UPDATED - Just to clarify, I can confirm that this stealth update was applied to systems where Windows Update was set to "Download updates but let me choose whether to install them" and "for updates but let me choose whether to download and install them" but not on systems set to "Never check for updates."]


I might also add that when I first read about this, that last quoted paragraph was not present, so the rider about but not on systems set to "Never check for updates" is new to me.

Anyway, it seems that your choices are: (a) enable a backdoor to your Windows system, or (b) manually check for updates all the time yourself (in which case stealth updates would probably happen anyway once you had manually checked), or (c) don't update.

Score: 3

umccullough Member since:
2006-01-26

Anyway, it seems that your choices are: (a) enable a backdoor to your Windows system, or (b) manually check for updates all the time yourself (in which case stealth updates would probably happen anyway once you had manually checked), or (c) don't update.


There's a *huge* difference between setting the automatic updates setting, and disabling the service entirely.

If you're worried about someone slipping an update in that might open a door - then any system you use to install updates that you "trust" is just as fragile...

The only relatively sure way to prevent unwanted backdoors is to review the code and compile your OS yourself.

Score: 3

lemur2 Member since:
2007-02-17

"Anyway, it seems that your choices are: (a) enable a backdoor to your Windows system, or (b) manually check for updates all the time yourself (in which case stealth updates would probably happen anyway once you had manually checked), or (c) don't update.
There's a *huge* difference between setting the automatic updates setting, and disabling the service entirely. "

Not a lot of difference, if you then subsequently run a check for updates manually anyway. The only real difference is that you are not using an automatic scheduled timer to check for updates.

The backdoor mechanism is via the stealth updates. The only thing that you can disable is the automatic updates scheduler.

If you don't periodically manually run a check for updates, your system will not get updated at all. Security risk.

If you do periodically manually run a check for updates, that effectively allows the same stealth backdoor as the automatically scheduled updates. Backdoor.

You can either get owned, or you can get owned.

If you're worried about someone slipping an update in that might open a door - then any system you use to install updates that you "trust" is just as fragile... The only relatively sure way to prevent unwanted backdoors is to review the code and compile your OS yourself.


There is another way.

You could restrict yourself to installing only software which was auditable by people who:

(1) did not write that software, and
(2) are able to read and understand and audit source code, and who
(3) use the same code themselves for their own systems.

Since their interest is your interest, you get the benefit of their audit.

Edited 2009-11-20 03:34 UTC

Score: 2