Threaded Mode | Linear Mode

lovelyk · 07-14-2007, 08:21 AM

M$ Windows XP A Professional Bugging Device?
By Mark McCarron

( MarkMcCarron_ITT@hotmail.com, angelofd7@icqmail.com)

Source : http://www.indymedia.org.uk/en/2004/10/298702.html

Introduction

...

In general, to people in the western hemisphere; bugging devices, parabolic microphones, signal tracing, satellite tracking and secret government agencies, performing highly illegal activities, on a covert basis, are the source of inspiration for novels, movies and theater, rather than any real event.

These devices and activities have been part-and-parcel of my life (and almost anyone else in Northern Ireland), from the moment of birth and conspiracy theories are simply facts of daily life that, could put, any of my friends, or myself, into an early grave. Therefore, it is only natural for me to see things in a military context and this provides a very interesting picture of odd behavior, at Redmond and various other big names, throughout the US.

Microsoft is of the 'opinion' that its software is an operating system with a wide range of 'features'. As I am about to demonstrate, that is simply a matter of 'how you see things' and the context in which they are highlighted in. This is a very subjective experience and different people tend to see different things, simply because their own personal context is automatically applied, a 'bias', if you will.

The point to hold, in the front of your mind, throughout reading this article, is the fact that the 'features' and their descriptions, presented here, are accurate representations of Window functions, in their own right, however, any suggestion as to motivation would be speculation.

More clearly, Microsoft has presented it own 'opinion' on the various features within Windows, other 'opinions' do exist and this article presents one of them, in a hypothetical scenario. For this analysis to hold, the hypothetical scenario must be demonstrated to be consistent throughout the design of the OS, not just its usage.

The style and tone throughout, is based upon the working hypothesis, that Microsoft has altered the Windows OS, to reflect US military requirements and that its primary role is that of a modern variation of a 'bugging device'. It is simply taken as a given fact throughout.

This clarification allows for a more direct style of writing and legal protection for publishers. In addition to this, the views expressed in this report are the authors and have nothing whatsoever to do with anyone else.

There are no accusations being made, this is presented only as a 'working hypothesis', at all times, to allow for the fullest exploration of this particular train of thought. If the hypothesis holds, then we will expand it a little, to place it in proper context and draw the conclusion from the entire investigation.

Report On Analysis of Microsoft Windows XP

1. Start -> Search:)

Each and every time a search is conducted using the search option under the start button on Windows XP, the system automatically checks if your online and transmits information directly to Microsoft.

This is done, without informing the end-user in any fashion, nor providing a clear method to disable. It has been hidden by design. In technical terms, a form of Trojan.

A good application level, stateful firewall, will catch this communication attempt.

Done by design.

2. Help System, F1

When accessing Microsoft Help systems, through the F1 key. A communication attempt to Microsoft's ActiveX site is made.

Done by design.

3. Microsoft Backup

Designed to bypass all security, even ownership rights of a drive. Try it.

Done by design.

4. Process Viewer (Task Manager)

No mapping to executable file, nor will it show all running processes. Designed to hide important information required for determining system infections and sources of network data transmission.

Done by design.

5. Dr Watson

This used to loadup with information on dlls that had been hooked. Hooked DLLs are used to intercept keystroke, etc. Microsoft removed end-users capability to see this. It now generates a simple messagebox.

Done by design.

6. The Windows Registry

Now, on the face of it, this may seem like a good idea, however, as any developer will tell you, they only use it because the commands are quick, simple and, when it comes down to it, security is mainly the end-users responsibility.

It would be much faster, simpler and provide greater system security to use an ini file. Linux uses this approach with config files. An entire database must be examined each time request is made. This is why Windows slows down after you begin installing applications. The registry grows and more cycles must be dedicated to completing each query.

When you multiply this, by the wide range of systems accessing the registry, it is clear to see, that as a design architecture, it is completely moronic.

That is, until it is examined from another perspective, try the following perspectives as examples:

a. HKEY_CURRENT_USER - psychological profile of logged on user, real-time usage focus.

b. HKEY_LOCAL_MACHINE - Detailed reporting of hardware and a wide range of traceable unique identifiers

c. HKEY_USERS - psychological profiling of all users, post-forensic usage focus.

d. HKEY_CURRENT_CONFIG - Advanced psychological profiling based on a ranking system of 'psychologically-based options' embedded throughout the system. This could include things like favorite colour, pictures, sounds, etc.

Throughout the registry are an extensive amount of MRUs. These areas store your recently accessed documents each application and other information. Now instead of having a single area were these are stored, for both rapid access and cleaning purposes, Windows was designed to fragment these throughout the registry database.

Firstly, this makes cleaning the registry a specialized job, as a mistake can corrupt Windows. Secondly, and most importantly, this is what we call 'fragmentation'.

Now 'fragmentation' is a well known source of problems when accessing information. Many will point out, that the registry is a hierarchy and that that this eliminates fragmentation. I must point out that I am referring to the 'entire structure of recorded information' and not the technical definition of fragments of data.

By fragmenting the various forms of 'recorded information' throughout the registry, it can take upwards of a week to list every key that should be cleaned. The entire process must be repeated each time a new application is installed, to determine what exactly was placed into the registry. Windows also uses an extensive amount of MRUs that have been altered to an 'unreadable' format. This would leave 95% of users completely unaware of Microsoft was recording.

There is no need or requirement for a registry, other than to provide central access to 'private information'. As a programming architecture model, the design borders on the moronic and is directly opposing every known, best practice, in programming.

The true motivations behind the registry design are quite clear and highly specific.

Done by design.

7. Temporary Files

Temporary files are retained under 'Document and Settings' for a prolonged period of time and in most case require manual clearance.

Done by design.

8. Recycle Bin

Even when told to not use deleted item to the recycle bin, it is used anyway, only with out the prompt. This generates a ghost copy on your hard disk of any deleted files.

Two copies are better than one for recovery purposes, especially were Magnetic Force Microscopy is concerned. The two copies can be referenced with each other for rapid recovery procedures, its an attempt to eliminate bit errors in overwritten files.

The more ghosts images, the better the chances are for fast and complete recovery of during post-forensic examination.

Done by design.

9. Recent Files

Only a small portion/subset of the recent files accessed is displayed in 'Documents' section under the start button. The folder that contains the shortcuts has a far longer list hidden from general view.

For example, 11 files are listed under the Start buttons 'My Documents', however, 'My Recent Files' contains 17 entries. The other 6 came from my last list of files which I deleted using the 'Clear' button.

Done by design.

10. NotePad

Windows XP versions cannot word wrap properly and have been redesigned to make their usage as frustrating as possible. For example, when saving text only file, the screen resets the position of the text to the line where the cursor is at.

This takes specific coding and not something that happens by accident. The idea is to push people towards Microsoft Office, were all security can be breached and copies written, at will, across your drive.

Done by design.

11. Swap Space/Virtual Memory/Page File

Regardless of how much memory is in your system the page file can not be disabled. Its main function is too swap memory to disk and allow memory to be freed for running applications. With a large amount of RAM, this function becomes redundant, except under exceptional circumstances.

What is the useful purpose of a 2MB page file? Other than writing data, across the drive, in 2MB chunks, none.

Its designed to flush encryption keys and sensitive information to disk. This also generates ghost images which can be retrieved.

Done by design.

12. Firewall

Incoming firewall only. This allows spyware to transmit information without any problems or detection. 90% of spyware information is transmitted to and shared throughout the US.

Done by design.

13. Memory Usage

Designed to use large amounts of memory to drive the hardware industry sales of components. For Windows XP to function correctly, it requires at least 1GB RAM and at two physical drives on separate IDE channels or SCSI interface I/O.

Even then, it hogs everything and leaves random fragments in memory. These fragments or 'memory leaks' are then flushed to disk, in an effort to capture some information from running applications, encrypted viewers, etc.

The ever expanding registry is designed to keep up, with ever expanding hardware and slow the system. End users think programs have gotten more powerful and they must upgrade. Its simply that more and more cycles are dedicated to various expanding databases, each and every boot.

Done by design.

14. Automatic Updates

Can allow remote installation of any form of software at Microsoft's whim.

Done by design.

15. Raw Sockets

Microsoft prevents new protocols being developed on Windows to prevent usage of nonstandard protocols. This allows for easy access to information. It also prevents the disabling of Microsoft's TCP/IP stack, which for all we know, could have 30,000 extra 'ports' coded into it.

Windows 2000 was actually programmed to reject any driver, that would allow custom protocols to be developed, without Microsoft certification. Microsoft claimed this was a 'mistake'.

Now lets all try to picture the conversation at Microsoft on this one, shall we?

{In an office at Redmond...}

<span style="color:#CC0000">Executive 1: '...my hand slipped and wrote 10 pages of code..., no wait...,
Executive 2: the dog coded it, ah nuts..., erm...,
Executive 1: Can we blame Bin Laden?'

Raw socket access also bypasses every known firewall, from Sygate to Zone Alarm. The reason being that these applications, rely on the Windows message/event handling and Microsoft designed Raw Sockets not to report to this layer.

Komodia produce a TCP/IP Packet Crafter, install that and Sygate's Personal Firewall on WinXP service pack one. Craft a few packets to see this in action. Nice trojan tool M$.

Reverse psychology was employed, although not a very good example of it, in Microsoft's deployment decision to support raw sockets. It was to get people to focus on a 'hoax' alert, rather than the high level of security such a system would provide.

The truth is, raw sockets is not required, however, it just makes life simpler. For real time software, the overhead presented by TCP, is too great and the effects can be seen on excessive lag during online gaming, or media playback. A streamlined custom stack, allows for faster processing of the IP packet and over a 1000% improvement to connectivity management than TCP encapsulation.

Many developers do not realize that TCP is not required and that custom packets can be encapsulated within IP alone. IP routes the packet, from A to B, and TCP provides a data path encapsulated with the IP packet. This allows Internet routing to change, without effecting application support. Custom stack creation is a 'walk in the park', all it involves is parsing a binary stream and executing functions based on flags or value, it also, automatically, supports the OSI/DoD model.

By breaking support for raw sockets on Windows 2000, Microsoft manipulated the entire global market, as no developer could be assured their applications would function after 12-24 months. It also provided a way for Microsoft to eliminate tools such as 'Ethereal' that could inspect the communications of a Windows system.

An active attempt at blocking end-users knowing what information a Windows system was transmitting, as Microsoft is aware, that over 80% of end users only have a single PC.

Done by design.

16. Remote Access Bugs

This is a good example of 'context and highlighting' (perspective). I want you to consider this statement:

Is a remote access bug, not the same thing as a backdoor access code?

Write a detailed essay on your conclusion, no less than 30,000 words. You should consider statements such as 'buffer overflow executes code', 'invalid datagram shuts down PC', etc.:)

OpenBSD has no such remote exploits and no money.

Done by design.

17. Music Tasks

A nice big link to 'Shop for Music Online'. This is a direction to US based enterprises and also a violation of the Microsoft EULA, as it mentions nothing whatsoever in regards to Microsoft Windows being an advertising supported platform.

No matter how small the feature, that is still what it represents. If Microsoft is in breach of its EULA, does that invalidate it?

Done by design.

18. Windows Media Player

No way to disable automatic check for updates. This allows any form code Microsoft chooses to be used as an upgrade. Defaults to uniquely identifying an end user and stored media.

Certain websites warn their visitors that using Windows Media Player version 7 on their websites will reveal your 'personal information' t Microsoft. An example can be located here:

http://ekel.com/audio

Have you ever wondered how p2p information on end users is gathered? Think about it the next time you connect to a commercial Internet radio, video or media service.

Done by design.

19. Alternate Data Streams

This 'feature' of Microsoft Windows relates to how information is stored on your harddrive. Under NTFS, not only is there the file, but there is a second, hidden aspect to each file. This hidden aspect is stored separately on your hard drive and not as part of the file.

I suppose the term, 'Alternate Data Streams' make better business sense, than 'hidden information gathering process combined with standard file functions'.:)

All additional information to a file, such as date/time stamps, file name, size, etc. is stored in this layer. Not only this, but so is the thumbnail cache of all images viewed by the system. This 'feature' is hidden by design and requires either a 1 month long 'disk nuke' (for average 80GB HD) or physical destruction of the disk platters to remove.

Physical destruction is recommended, as it requires specific manufacturers codes to access bad blocks, internal scratch areas and internal swap/cache areas of the drive. Even with the codes, certain problems can arise from unreadable sectors which may contain copies of sensitive information.

Nothing beats an nice afternoon with a screwdriver and grinder.:)

The caching can be disabled, however, Microsoft has made this as 'obscure' as possible. Microsoft Windows also does not explain the function of 'Do not cache Thumbnails'.

It is aware 90% of end-users have the technical aptitude of 'a banana with a with a drink problem' and would never grasp the implications, let alone, understand.

Done by design.

20. Stability

Microsoft Windows is designed to collapse upon extensive number crunching, of large arrays, of floating point calculations. This would prevent; nuclear modelling, physics modelling, and genetic modeling. These three aspects can produce Nuclear, alternative and biological weapons.

I don't know about you, but this 'feature', I can live with, or couldn't live without, for very long.:)

Done by design.

21. Internet Explorer 'Features'

MSN Search

When Internet Explorer fails to locate a web address it initiates a search through Microsoft. Therefore, every failed access attempt is sent to Microsoft, with all your system information in the X header structure. to Microsoft, cleverly disguised as 'assistance'.

Done by design.

22. Temporary Internet Files

Without extensive reconfiguration of Windows end users will not see the real files. Instead they see a database generated representation drawn from a file called index.dat.

Even the controls to access the drive are hidden with an obscure setting called 'Simple File Sharing (Recommended)'. Windows XP does not always delete the actual files from your hard disk. Even the emulated DOS reports the database, unless windows is substantially reconfigured.

Windows goes to great lengths to prevent this reconfiguration. Also, many do not know there is no need for this cache, other than to go back to pages. Its main role is to maintain a record of users activities and generate ghost images throughout the drive.

Done by design.

23. Index.dat

A database file of the contents of an area of the drive, including deleted files. In the 'Temporary Internet Files' it records date, time, Internet location and file name information of downloaded graphics/images and sites accessed, with user IDs in a nice big list.

There are various 'index.dat' files throughout Windows, a dat file is generally a database. A users activities can be recorded for several weeks and user names (etc) recovered. The index.dat file retains information about recently deleted files and Microsoft has failed to provide any reasonable explanation.

You cannot provide, what does not exist, there is no genuine reason to retain deleted files information other than deliberately recording an end users activities for forensic analysis.

This is used for rapid identification, file recovery and time-plotting of a users activities. A small application produces a timetable of a user's usage, referenced against the recorded information for each second of activity.

On large networks, this can be used to verify each member of staff location and movement across an entire infrastructure, this type of output in normally rendered in a full 3D layout of the target building.

Done by design.

24. Cookies

The official explanation for cookies is to offload information from the server, to the client. This can be authentication, preferences, etc. As you can see, its just a cheap solution, designed to cut costs.

When costs are cut, so are corners and in this case a corner that presents a major threat to information security. Cookies retain a lot of information such as logon IDs. In fact, the first cookie I look for, is generally, passport.com. This cookie will have the last recorded hotmail address stored within it. Combined with index.dat information, I can tell the following;

1. Windows logon ID of the person involved
2. The hotmail email address
3. The Date and time the account was accessed
4. External graphics viewed and the sources of those graphics
5. The machine from which it was accessed.
6. The duration of viewing.
7. And generally, the individuals sexual, political, social, personal and religious preferences based upon the information accessed.

That's with only two file sections.

Cookies can also be accessed remotely and are used to track the movements of end users as they move from site to site. Passport, Microsoft's common logon system, relates itself against the Windows account by default.

There is no need for this, it is these 'subtle functional intrusions' that Microsoft prefers. I honestly do not know what is going on in these people's heads, to think for one second, that the world would spot this a million miles off. It really does show the level of intelligence these people have; my dog demonstrates more social engineering skills when looking for food.

Done by design (very poorly executed).

25. Auto-Complete

Designed to record search terms, web addresses, and anything else it can get its grubby little digital hands on, for rapid post-forensic retrieval.

Done by design.

26. MSN Messenger

Microsoft has been retaining each persons deleted contacts from messenger. M$ has been monitored in this area and is known to retain everyone's deleted contacts for 3 years, at least.

This could be seen using a console-based version of MSN Messenger under Linux. Microsoft has since changed the protocols, so I am unaware if you can still see some of the information, M$ retains, on over 150 million people.

Messenger is also activated on accessing Hotmail. Microsoft claims to be using the 'features' provided by Messenger and will not allow it to be disabled. Now, as millions access M$ Hotmail without messenger, I must seriously question this behavior.

The 'features' provided by MSN Messenger are the transmission and reception of typed text and files. So, Microsoft has stated that it is, 'transmitting typed text and files', to and from, end users machines, when hotmail is being accessed.

Just cleverly worded.

Done by design.

27. Web-Cams and Microphones

These devices can be remotely activated providing visual and audio feedback from the target subject. There is also no way of telling if your devices have been remotely activated. These features are demonstrated in 'proof of concept' applications such as NetBus, etc.

With raw sockets (or driver) this information can bypass your firewall without any problems.

Microsoft Windows XP Services

1. Application Layer Gateway Service

Microsoft's Description:
Provides support for 3rd party protocol plug-ins for Internet Connection Sharing and the Internet Connection Firewall,,Manual,Local Service

Alternative Description:
This thing just loves making remote connections and accepting them. Set this up in your firewall to ask each time using ADSL or higher.

Have fun.:)

Done by design.

2. Automatic Updates

Microsoft's Description:
Enables the download and installation of critical Windows updates. If the service is disabled, the operating system can be manually updated at the Windows Update Web site.,,Disabled,Local System

Alternative Description:
Enabled by default. Enables Microsoft to distribute and incorporate any 'feature', at will. Not the greatest thing in the Universe to be allowing.

Done by design.

3. Computer Browser

Microsoft's Description:
Maintains an updated list of computers on the network and supplies this list to computers designated as browsers. If this service is stopped, this list will not be updated or maintained. If this service is disabled, any services that explicitly depend on it will fail to start.,Started,Automatic,Local System

Alternative Description:
This stupid design will breach security. The only computer a client needs to know, is the server and it should coordinate everything.

Why does Microsoft Windows identify and map every computer on the network?

The design principal is based upon 'remote orientation' requirements, using insecure clients as targets. Servers would be difficult to compromise and arouse to much suspicion.

The flow of information on any network is about 'the need to know'. Clients do not need to know any other computer, other than the server. The server acts as a 'proxy' to the entire network, data transfers may, optionally, be proxied too.

Done by design.

4. Fast User Switching Compatibility

Microsoft's Description:
Provides management for applications that require assistance in a multiple user environment.,,Disabled,Local System

Alternative Description:
Switches to every account, but the Administrator account. In fact, unless you know exactly what your doing, an end user cannot access the administrator account.

Post-Forensics can, that includes your Windows Encrypting Filesystem. Cheers M$.

Done by design.

5. IMAPI CD-Burning COM Service

Microsoft's Description:
Manages CD recording using Image Mastering Applications Programming Interface (IMAPI). If this service is stopped, this computer will be unable to record CDs. If this service is disabled, any services that explicitly depend on it will fail to start.,,Manual,Local System

Alternative Description:
Part of CD Burning and this thing is a nightmare. Any CD you make, it first makes a copy to the system drive, then only to use a scratch drive after that. Why?

That action is a waste of time. This is designed to generate 'ghost images' that can be recovered by Magnetic Force Microscopy. It is unlikely that the target subject will destroy their boot drive. Also, pointing the scratch to another drive, just makes more ghost copies.

Not only that, but I have caught Windows XP, pointing me to the CD burning directory when viewing CDs. That would suggest a cached image of some form.

Done by design.

6. Indexing Service

Microsoft's Description:
Indexes contents and properties of files on local and remote computers; provides rapid access to files through flexible querying language. ,,Manual,Local System

Alternative Description:
A search using the DOS emulator will run like a bullet. Windows search, however, will take its time unless the indexing service is activated. This provides quick post-forensic and real-time access to files remote files.

This behavior is by design.:)

7. Internet Connection Firewall(ICF)/Internet Connection Sharing(ICS)

Microsoft's Description:
Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network.,,Manual,Local System

Alternative Description:
First off information is sent to both Microsoft and to a range identified as belonging to ARIN whenever a PC connects to the Internet. Random connection attempts are made by Explorer, NT Kernel, Internet Explorer, Windows Help, svchost.exe, csrss.exe and numerous others. I have even caught calc.exe (The calculator) attempting to initiate a remote connection, now and again. Without reverse engineering, I was unable to tell if it really was the applications, or a subsystem calling the applications. Very odd.

Microsoft Windows defaults to sharing your files using SAMBA across the Internet. This even bypasses most domestic firewalls or security setups, unless specific options are set in the firewall. This allows for remote access to files, documents, etc. without breaching any known legal regulations.

Try entering random IP addresses into your 'My Network Places' window when online, preceded by the '\\' network identifier.

i.e. '\\91.111.2.80', or '\\222.54.88.100'

Within about 30 attempts (of a good netblock), you should get a remote machine to share files with you, in the same manner as a LAN setup. Expect your machine to freeze when performing any remote operations for up to 4 minutes at a time (i.e. such as right-clicking a file).

The reason for behavior is that native SAMBA is designed for 10Mbit networks (at least) and is therefore a very bulky protocol. Also, the remote host may be using their Internet connection, have a low bandwidth connection or performing processor intensive tasks.

A quick examination of Sygate's instruction on how to use their firewall with ICS, reveal that your kernel cannot be blocked, nor can several other systems. These systems are not required on a LAN, so Microsoft has designed these systems to breach security.

There is no difference between TCP/IP over a LAN and the Internet, other than settings. As a programmer I know Network Address Translation is simply a case of storage and substitution of IP addresses, with a few whistles and bells. There is no excuse for these systems to be exposed to the network.

Done by design.

8. Messenger

Microsoft's Description:
Transmits net send and Alerter service messages between clients and servers. This service is not related to Windows Messenger. If this service is stopped, Alerter messages will not be transmitted. If this service is disabled, any services that explicitly depend on it will fail to start.,,Disabled,Local System

Alternative Description:
Messages should only be broadcast, by and to, the main server. Having this on every machine provides a method of transmitting real-time keystroke intercept across the Internet. This service is also enabled by default, even with the known Internet abuse of the function. This only indicates design manipulation.

Done by design.

9. Network Connections

Microsoft's Description:
Manages objects in the Network and Dial-Up Connections folder, in which you can view both local area network and remote connections.,Started,Manual,Local System

Alternative Description:
Only weakens security by providing a central reporting mechanisms. These aspects have been combined by design, with no logical requirement for the function. Again, a single-point of failure is introduced into the system.

Done by design.

10. Protected Storage

Microsoft's Description:
Provides protected storage for sensitive data, such as private keys, to prevent access by unauthorized services, processes, or users.,Started,Automatic,Local System

Alternative Description:
Also provides quick access to this information. Swift breaking of security. Sweet.:)

Done by design.

11. Remote Procedure Call (RPC)

Microsoft's Description:
Provides the endpoint mapper and other miscellaneous RPC services.,Started,Automatic,Local System

Alternative Description:
May the saints preserve us from RPC. RPC provides remote computers with the ability to operate your PC and listens for these connections on the network/Internet.

What sort of idiotic decision making was behind an RPC service that cannot be disabled? Why not just come into my livingroom M$? You're practically there anyway!

(I'm just losing my head now! This is disgraceful.)

Done by design.

12. Remote Registry

Microsoft's Description:
Enables remote users to modify registry settings on this computer. If this service is stopped, the registry can be modified only by users on this computer. If this service is disabled, any services that explicitly depend on it will fail to start.,,Disabled,Local Service

Alternative Description:
This nifty service is enabled by default. It provides remote access to the windows registry, allowing run-time modifications to be made to your PC. Hmmm....what an excellent idea! Just what I always needed, a way to 'tweak' my running spy applications remotely.

I knew M$ was thinking about me, I'm touched, or at least they're close enough to reach out and touch me.:)

Done by design.

13. Server

Microsoft's Description:
Supports file, print, and named-pipe sharing over the network for this computer. If this service is stopped, these functions will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.,Started,Automatic,Local System

Alternative Description:
This is not required, it provides a central management for open files and printing operations. It also provides a method of remotely monitoring a users activities.

This 'service' (ha!) provides a single-point of failure for an entire network. It is linked to the authentication, so if the server collapses, so does the entire network, as this is managed by the server. Again, security and functionality have been manipulated to focus on information retrieval and access.

Done by design.

14. SSDP Discovery Service

Microsoft's Description:
Enables discovery of UPnP devices on your home network.,,Disabled,Local Service

Alternative Description:
What in Gods name for? This is part of the 'remote orientation' facilities encoded into Windows, allowing remote hackers the ability to explore the network swiftly, reducing chances of alarm and excessive activity through exploration.

Done by design.

15. System Event Notification

Microsoft's Description:
Tracks system events such as Windows logon, network, and power events. Notifies COM+ Event System subscribers of these events.,Started,Automatic,Local System

Alternative Description:
No way of knowing, without full reverse engineering, how many undocumentented events exist throughout Windows. Windows could have an entire additional level of event reporting.

Event and thread management in Windows is very suspicious due to its sluggish and sometimes unpredictable behavior. Compensation for this is normally done by 'peeking' into the message cue, however, sometimes it simply refuses to work. This would tend to suggest the interaction of an unknown component (or several component) with the event system producing conflicts.

Done by design.

16. System Restore Service

Microsoft's Description:
Performs system restore functions. To stop service, turn off System Restore from the System Restore tab in My Computer->Properties,,Automatic,Local System

Alternative Description:
Keeps ghost copies of various forms of cached information in a nice quick accessible format. We can't let our hard earned information go down the pan now.:)

Done by design.

17. Terminal Services

Microsoft's Description:
Allows multiple users to be connected interactively to a machine as well as the display of desktops and applications to remote computers. The underpinning of Remote Desktop (including RD for Administrators), Fast User Switching, Remote Assistance, and Terminal Server.,, Disabled,Local System

Alternative Description:
I just bet its interactive and highly 'functional' too. This is enabled by default, providing a remote desktop for any hacker. Wow, what a service M$.

I'll agree with you on this one, that is a 'service and a half'!

Done by design.

18. Windows Time

Microsoft's Description:
Maintains date and time synchronization on all clients and servers in the network. If this service is stopped, date and time synchronization will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
,,Disabled,Local System

Alternative Description:
Sends information to Microsoft and keeps your date and time stamps nice and fresh for post-forensic analysis. At least they're tidy when they invade your privacy.:)

Done by design.

19. Wireless Zero Configuration

Microsoft's Description:
Provides automatic configuration for the 802.11 adapters,,Disabled,Local System

Alternative Description:
Zero configuration means zero security and that's exactly what you get. The entire network is exposed to anyone within reception range. Therefore, if you are using this in your home environment, that can mean remote monitoring from up to 3Km using proper equipment, or someone else using your Internet connection from a range of around 50-80m radius.

Even with security, the IEEE specification for WEP was clearly manipulated and weakened by interested parties. There is no other acceptable excuse for that level of incompetence.

Done by design.

20. Microsoft Works

Breach of trade descriptions act? Microsoft 'probably' Works.:)

Really, it is an 'implied' suggestion based on the play of words. It can be described as 'psychologically misleading', human psychology is extremely complex, even if most humans are not.

This implied statement is registered at a deeper level of the brain and assigned its true meaning. Otherwise, you would have never considered the relationship in the first place.

One way of describing this is, 'marketing', the accurate description is 'subliminal programming', it does not matter how slight the incident.

This is very, similar in style, to the 'French Fries' and 'Freedom Fries' incident in the US, used to blind the US citizens from war opposition, through manipulation of patriotic beliefs.

Shameful.

Done by design.

Windows Security, Not What You Think

Since all security products that operate on the Microsoft Platform are both designed from, and encapsulated by the OS, then it is ultimately Microsoft Windows that is providing your security and not your firewall, etc.

So, any product that claims to provide security FOR windows, is simply reflecting the limited understanding the company has of what it is doing.

I bet that will inspire confidence in computer security.:)

The accurate description is that M$ Windows, secures itself, through execution of a 3rd party application, which M$ Windows must inform, to provide security. As we seen in 'Raw Sockets', this does not always happen. Linux does not have this problem, as the systems is a mosaic rather than a full encapsulation, or sandbox environment.

Therefore, even with all the security, in the known Universe, installed on a Microsoft Windows Platform, it is still the responsibility of Windows to inform the security products of each event happening. If Microsoft Windows fails to report, or hides certain messages/events, then your security software becomes 100% completely redundant.

This is a source of great concern with Microsoft's plans to encrypt the system area of new versions of Microsoft Windows. Somehow, I don't think this system, nor any variation of it, will ever see the light of day.

If this was to happen (the encrypted system), instead of an EULA, I think Microsoft Windows should be required to read end-users their rights. Microsoft is not the Law, nor is it above it, in any way.

You have the right to be bugged, click OK to continue!:)

Bugs Of The Third Kind

How long as Microsoft been programming Windows for?

Ten, maybe fifteen years, and we are seriously asked to believe that a company with the financial resources of Microsoft cannot a create a bug-free Operating System?

Companies with lesser resources than Microsoft provide such systems for Air-Traffic control and medical purposes (Heart Monitors, etc). A perfect example here is OpenBSD. OpenBSD is a free Operating System and with very little funding (nowhere near what Microsoft has, in a million years) the only remote exploits you will find, anywhere in the world, will be at least 12 months old.

Most of Microsoft's problems are at least that old before anyone decides to analyze them, let alone, fix them.

This is a very clear example, honestly, there is no acceptable excuse here. If Microsoft claims 'compatibility', then I simply refer them to the current deployment of service packs that destroy 'compatibility'.

Also, the important thing to business is their data and data cannot have 'compatibility' issues. Its simply a binary stream that can be used on any known operating system.

Wild Speculation On Codenaming Strategy

Microsoft has had a consistent naming policy for its operating systems, in the form of city names. Code names for various releases have included; Chicago, Memphis, etc.

Now all this changed with the arrival of Windows XP. Its codename was 'whistler' and the next version of Windows is codenamed 'LongHorn'. I was interested in the reasoning behind the switch. I was thinking that these codenames could be based on one, or more, of the following points:

1. A play on the term 'whistleblower'?
2. A play on a reference to 'pinocheo'? (tells stories, reference to Long (Nose) and Horn (Whistle Blower) )
3. Horn, as in a form of 'early warning system' and Long because of its distributed nature?

Can Windows Be Secured?

Yes, with FDisk. (Recommended):)Otherwise, due to its encapsulated nature, the answer is a pointblank, no.

Additional Observations

All we need now is Intel's 'processing and storage' layer to the Internet and we have a, full-scale, 100% genuine, deployment of a Big Brother scenario. Thanks Intel, but, we'll pass on that one, nice to see you are thinking of everybody for a change.:)

If anyone is wondering what on Earth is going on, well Congress went a little nuts passing resolutions, without its normal due caution. Looking down the barrel of a gun 24/7, does not provide the ideal circumstances for making these decisions, nor the environment for full, open debate, for security reasons. As such, mistakes can only be expected, congress is still only human, despite the rumors.

I am just worried that this is the entire intention, due to Microsoft's modifications, its software predates 9/11, so it could not use 9/11 as an excuse. I wouldn't like to consider the implications of that statement 'being inaccurate'.

I know many readers would be enjoy this analysis taken further, however, it is well beyond the scope of this report. It is also an area I feel is best left to the authorities.

Alterations to M$ Windows also coincides with antitrust cases and the reversal of the ruling to split Microsoft into two companies. This leads to three important questions:

1. Was Microsoft hijacked by the US government, CIA or NSA?
2. Is this why M$ Windows was altered?
3. What would the suggested reason be for military adaptations to M$ Windows prior to 9/11?
4. Why 3 Operating Systems (ME, 2000 and XP) between 1999-2001?

I only mention this to be fair, rather than shoot first, ask questions later. I'm a Zen Buddhist and politics, ain't my bag baby.:)

Google's ranking methods have come under question recently and in the context of this report, I think the follow will speak volumes for itself:

Search for the term 'Book'. Conducted September 11th, 2004.

Top 10 results from Google.com

1. US
Barnes & Noble.com, 6000 Freeport Ave - Suite 101, Memphis, TN 38141.
2. US
onlinebooks.library.upenn.edu, University of Pennsylvania
3. US
http://www.cia.gov, CIA - Factbook.
4. US
BookFinder.com - Berkley California
5. US
http://www.kbb.com - Orange County
6. US
http://www.worldbookonline.com - Country Wide, with world-wide divisions
7. US
http://www.superpages.com - 651 Canyon Drive. Coppell, TX 75019.
8. US
http://www.amazon.com
9. US
http://www.abebooks.com - Victoria B.C.with offices in Canada and Germany.
10. US
http://www.bookwire.com - 630 Central Ave. New Providence. New Jersey.

May I remind everyone that Google is behind nearly every major search engine in the World. Is this what they describe as 'free enterprise' in action?

I wouldn't like to see systematic manipulation of the global economy, if that's the case.:)

A Small Bit of Advice

Linux...Open Source...Free...No worries.

Conclusion

Is America awake? Remember a small concept called Liberty? (Its French, by the way.) I wonder how M$ is going to explain this one?

This one, I really must hear.:)

'...let's face the music and dance.'

Appendix Contents

Appendix 1. Symbiotic Duality
Appendix 2. Magnetic Force Microscopy (MFM)

Appendix 1. Symbiotic Duality

The first thing you must accept is that a product does not have to be limited to a single purpose. The second thing to be accepted is that you may not be aware of any other purpose, even to the extent of being unaware of its primary purpose. Purpose comes from design, not usage.

Therefore, a product, such as Microsoft Windows can give the impression of being an Operating System, whilst having been designed for an entirely different purposes. This is the concept of 'Symbiotic Duality', it is the basis of all manifestations of depth.

We'll look at a few quick examples:

a. When you fight with someone you love, you can hate them, yet still love them.

This form 'Symbiotic Duality' is experienced as a 'depth' of emotion, it stems from the observed contrast, or gulf, between opposing emotions. The greater the gulf between the conflicting emotions, the more intense the experience.

It is from this understanding that the, very accurate phrase, 'Fighting is a sign of love', is drawn from. One cannot exist without the other and 'Symbiotic Duality' is a fundamental step in every emotional response.

'Love thy Enemy'. Its not like I much choice in the matter:)

b. To produce the effect of Depth in a scene.

An image contrasting near and far (large and small) produces the illusion of depth. This is another form of 'Symbiotic Duality', the contrast between near and far (large and small) produces an optical illusion, both aspects function as one, from opposing sides.

c. A depth of character can be expressed in apparently conflicting viewpoints. You may both agree and disagree with a situation, for various reasons. For example, you may not agree with war, but you recognize a time comes when it must occur, or, you may not agree with a situation, but since it is happening, you may as well make the best of it.

The greater the depth of character, the greater the gulf will be between these conflicting thoughts there will be. A person who repeats the same 'statements or rhetoric' time and time again, has very little intelligence and certainly lacks any depth of character, as they lack the opposing viewpoint.

d. The gulf between the people and government leads to increased anxiety, fear, paranoia and rejection.

The more 'stark' a contrast between government and the people, the greater the 'perceived gulf' will become. This concept is explored in George Orwell's book 'Animal Farm', it examines the 'US and Them' principle, and unknowingly, touches on the 'Symbiotic Duality' of the scenario.

That is, the common source of conflict between the two groups, the 'perceived gulf' that exist between them. By bridging that gulf, the situation may have been avoided.

Why is 'Symbiotic Duality' important to understand?

'Symbiotic Duality', as you notice from each of the examples, ends up, in one form or another, relating to the human biological make-up. The simple reason for this is that, 'depth', is a perception. If a 'Symbotic Duality' appears in an investigation, a human was involved in planning.

'Symbiotic Duality' can prove useful in forensics. By clearly identifying the contrasting behaviors of any system, the design choices made by humans and those dictated to by system requirements, can be distinguished with repeatable methodology.

This separation allows for both reliable, rapid identification of human design choices that fall outside compliance with system specifications, or other known base references (i.e. another OS design) and for complete focus to be given to only 'odd' human generated code.

Scientific investigators must operate by rigid procedures and methods, the concept of 'Symbiotic Duality' provides such a structure, this allows for repetition of the investigative procedure, rather than solely relying on expert testimony and Police accounts.

This can be vital in cases were an officer/jury needs to follow the scientific investigator at a technical level, collaborate on an investigation in a distributed environment, or work through vast amounts of information.

It provides a roadmap for the investigation, with one point naturally flowing to another, or any amount of other points.

Let's say for example we were investigating an email application. Firstly, we remove from the equation the basic technical functions of the application. This leave us with what can be described as a 'human-defined design'. That is, all the fluff added to an application to make it 'user friendly' and operational.

From here, we list each of the 'features' and a description of their functions. Next, we begin the 'Symbiotic Duality' analysis, by contrasting the basic technical requirement to implement a 'feature' against the actual implementation.

There are various sub-aspects to this procedure, such as contrasts from different 'perspectives'. This would include examining ease of information retrieval, information storage, information movement, information processing, network communication attempts, etc.

By contrasting what would be 'expected', under reasonable circumstances, against what is actually there, the 'gulf' (form of perceived depth) between the two states is revealed (Symbiotic Duality).

The procedure uses the 'Russian Doll' and Henry Ford Conveyor Belt principles, to break down the application into smaller and smaller units in a systematic exploration of the target system.

The method is highly flexible, in that, it does not require a linear approach to investigation, but rather, a completely random approach is recommended. This can match budgets and resources of investigative departments.

The results are composited in a cross-referenced mosaic that can be expanded upon from any point, providing the investigator a model of his/her complete investigation. This gels beautifully with the 'chain of custody' model.

What we are left with, is a combination of fluff and 'Interest Motivated' sections of the application. Its simply a matter of contrasting the expected characteristics of fluff against the remaining sections of code.

So, staring you in the face, in glorious black & white, will be a very clear list and description of each identified 'odd' behavior. As many investigators will have realized by now, adaptations of this can be applied to any form of of investigative procedure.

If you are interested in 'Symbiotic Duality', I'm afraid you will not find it in any texts, it was something I developed as part of my work to assist me. An in-depth understanding human psychology is a basic requirement in this field, as you must always think, what would this person do? 'Symbiotic Duality', let's you understand more clearly, what they were thinking as it exclusively relates to human perceptions.

I don't claim that this is any form of great new method, I just use it to assist my own work and it also has no form of recognition as an accepted method. Its simply another tool, in a long list, of analytical procedures and, in my line of work, every assistance is a bonus.

I like to think of this procedure as a:

'Random access investigative procedure, which uses the horizontal nature of emotional and perceptive responses, to clearly identify the various ranges of possible motivations behind an incident.

Cross-referencing and statistical analysis, provide a mechanism of ranking motivations, across an entire case framework, allowing for 'Computer Assisted Real Motive Analysis' (CARMA).'

That'll mess with your noodle for a while. Sorry.:)

The best visual representations would most likely be in the form of a 'tree' structure, expressed in 3D. Each 'Symbiotic Duality' identified can be provided a 'score' (ranking), and numerous sub-scores (sub-rankings) if required. The ranking system, has an unlimited user-defined scale. This allows for statistical analysis and cross-referencing, with stark contrasts. The scale can also be categorized.

I only mention it here, as it was employed in this analysis, however, I am still developing the theory behind this. The report does not rely on this theoretical work, but rather, standard procedures in high level analysis.

Well, that's enough 'Psychology and Forensic Analysis 101' for today.

Have you not got a life or something?:)

Appendix 2. Magnetic Force Microscopy (MFM)

I had the chance to see this process first hand, a good friend of mine demonstrated the following technique using an Open-Mosix cluster. The process was mainly based on the statistical recomposition of data sectors. The usage of highly discreet array-based statistical recomposition can uncover data.

Its based on the fact that a harddisk has certain known read/write characteristics that effect the position of molecules on a disk platter. Its important to note, we are not trying to uncover previous data directly, but rather explore variations in memory.

An MFM series of images of the disk platter is produced and converted to 3D. Then each sector's dimensional values are offset against the values provided by the known characteristics of the read/write heads. Each binary bit is treated independently.

As most can see, this method bypasses encryption by focusing on physical position. After this, it is simply a matter of computing variations and attempting to match patterns. Not one bit of cipher breaking, makes you wonder about the advice security companies provide and who exactly qualified them in 'IT Security'?

Most people do not realize they are self-appointed and even wrote the texts for 'security classes'.

The technique came from the "The Catch 22 Guide To Business" and a chapter entitled "Recursive Algorithms& Global Expansion", with cross-references to the Ferengi 'Rules of Acquisition'.:)

lovelyk · 07-14-2007, 08:25 AM

here's practical solutions to the problems presented

09.07.2006 15:49
PROBLEM

1. Start -> Search:)

Each and every time a search is conducted using the search option under the start button on Windows XP, the system automatically checks if your online and transmits information directly to Microsoft.

doesn't actually check whether your online, it simply sends the HTTP GET request blindly
and timesout

SOLUTION

1.) host file blackhole them;

127.0.0.1 sa.windows.com
127.0.0.1 wustat.windows.com

2.) block with 3'rd party firewall (I use 8-signs firewall)

3.) block upstream with firewall (router hardware firewall)

4.) block via local proxy (proxomitron - free)

5.) block using DNS spoofing (use BIND local or upstream - free)

PROBLEM

2. Help System, F1

When accessing Microsoft Help systems, through the F1 key. A communication attempt to Microsoft's ActiveX site is made.

SOLUTION

127.0.0.1 windows.microsoft.com

block with 3'rd party firewall

block upstream with firewall

block via local proxy

block using DNS spoofing

PROBLEM

3. Microsoft Backup

Designed to bypass all security, even ownership rights of a drive.

SOLUTION

1.) don't use it, use a 3'rd party backup like Norton Ghost (not free)
2.) don't backup system, re-install insted, only backup user data
3.) don't place trust in the NTFS anyway (encrypted or not)

4.) use a 3'rd party disk encryption system like truecrypt/scramdisk (free or not)

PROBLEM

4. Process Viewer (Task Manager)

No mapping to executable file, nor will it show all running processes. Designed to hide important information required for determining system infections and sources of network data transmission.

SOLUTION

Use a 3'rd party process viewer like Process Explorer which does show all (free)

PROBLEM

5. Dr Watson

This used to loadup with information on dlls that had been hooked. Hooked DLLs are used to intercept keystroke, etc. Microsoft removed end-users capability to see this. It now generates a simple messagebox.

SOLUTION

Use a 3'rd party rootkit scanner like RootKit Hook Analyzer (free)

PROBLEM

6. The Windows Registry

SOLUTION

use a 3'rd party registry cleaner like Registrar Registry Manager (trial/not free)

PROBLEM

7. Temporary Files

SOLUTION

1.) use a RAMDISK, point registry entry to it

2.) clean with a 3'rd party application like Killbox or Unlocker (free)

PROBLEM

8. Recycle Bin

SOLUTION

1.) empty recycle bin, then clear free & slackspace

2.) use 3'rd party encrypted filesystem (truecrypt/scramdisk)

PROBLEM

9. Recent Files

SOLUTION

clean registry, delete temp and index.dat files using above tools and/or CCleaner (free)

PROBLEM

10. NotePad (causing you to use Word/pad which leaves droppings)

SOLUTION

use 3'rd party notepad replacement or simply enable word-wrap in notepad

INACCURATE

11. Swap Space/Virtual Memory/Page File

Regardless of how much memory is in your system the page file can not be disabled.

you can disable -

START > SETTINGS > CONTROL PANEL > SYSTEM > ADVANCED TAB > PERFORMANCE > [SETTINGS] > ADVANCED > VIRTUAL MEMORY > [SETTINGS] > [x] no paging file

PROBLEM

12. Firewall (nearly worthless)

SOLUTION

1.) 3'rd party firewall
2.) filter upstream

INACCURATE

13. Memory Usage

Designed to use large amounts of memory to drive the hardware industry sales of components. For Windows XP to function correctly, it requires at least 1GB RAM and at two physical drives on separate IDE channels or SCSI interface I/O.

I've run XP with as little as 48.mb (with much HD trashing, slow)

testing with 64, 96, 128, 256, 384 512 and 640 mb I found

64 - quite slow
96 - a bit better
128 - fair but minimal
256 - great to good, bogs down sometimes
384 - pretty good, rarely bogs down
512 - almost never uses paging file - fast
640 - safely out of paging file range

256 - 512 seems best, more is overkill

PROBLEM

14. Automatic Updates

SOLUTION

turn off

INACCURATE

15. Raw Sockets

this entry is confusing - seems to both complain about raw sockets and not

the firewall issue is bit more complicated considering the LSP layer and serial ports

while its true writing directly to raw sockets would effectively bypass most firewalls, some work at the LSP layer and the only way to get around that is to talk directly to a serial port (assuming a PPP/dialup connection here) but its really clunkly to do (WinJect does this) and can still be detected/blocked upstream

Nice trojan tool M$.

Raw Sockets is part of nearly every OS, MS simply caught up with the times

it really has little impact when you consider both the actual raw socket access all along by hitting below the LSP layer and/or serial port injection

to hackers this is a non-issue..

INACCURATE

16. Remote Access Bugs

the whole OS is full of bugs - over 60,000 and counting

to single out specific bugs with the aim of furthering your conclusion without studing the
background and history of CP/M, QDOS/DOS-86, MS-DOS, win3x, win9x to NT isn't very realistic

many of the problems you've cited are old bugs left over from the DOS days when security was
very lax

PROBLEM ?

17. Music Tasks

SOLUTION

block the ad sites

1.) host file blackhole
2.) local firewall
3.) upstream firewall
4.) DNS spoofing
5.) registry - change URLs

PROBLEM

18. Windows Media Player

No way to disable automatic check for updates.

SOLUTION

block the update site

1.) host file blackhole
2.) local firewall
3.) upstream firewall
4.) DNS spoofing
5.) registry - change URLs

INACCURATE

19. Alternate Data Streams

This 'feature' of Microsoft Windows relates to how information is stored on your harddrive. Under NTFS, not only is there the file, but there is a second, hidden aspect to each file. This hidden aspect is stored separately on your hard drive and not as part of the file.

I suppose the term, 'Alternate Data Streams' make better business sense, than 'hidden information gathering process combined with standard file functions'.:)

unless your fooling around with MAC FS structures alternate data forks are never used and
contain nothing - just an empty unused function

ADSLocator.exe

...No files with streams found.

Physical destruction is recommended, as it requires specific manufacturers codes to access bad blocks, internal scratch areas and internal swap/cache areas of the drive.

SOLUTION

check for ADS, wipe free space, wipe slack space

if your really paranoid low level format, repartition, format

INACCURATE

20. Stability

Microsoft Windows is designed to collapse upon extensive number crunching, of large arrays, of floating point calculations. This would prevent; nuclear modelling, physics modelling, and genetic modeling. These three aspects can produce Nuclear, alternative and biological weapons

some benchmarks do exactly this as a stress test..

PROBLEM

21. Internet Explorer 'Features'

MSN Search

When Internet Explorer fails to locate a web address it initiates a search through Microsoft. Therefore, every failed access attempt is sent to Microsoft, with all your system information in the X header structure. to Microsoft, cleverly disguised as 'assistance'.

SOLUTION

block the search site

1.) host file blackhole
2.) local firewall
3.) upstream firewall
4.) DNS spoofing
5.) registry - change URLs
6.) suppress/filter HTTP headers

INACCURATE

22. Temporary Internet Files

Without extensive reconfiguration of Windows end users will not see the real files. Instead they see a database generated representation drawn from a file called index.dat.

all that stops explorer from displaying these files & folders are the desktop.ini file settings and a few CLSID shell entries in the registry referenced by them

SOLUTION

I replace the desktop.ini in these folders with a null (0 byte) file and make it read-only

CCleaner will take care of this automaticly on reboot (explorer holds the index.dat files
open so killing the explorer process is required to delete them

I figured out another way - move them to a removable drive (USB stick for example) then pull
the stick - when you reinsert it you can then access the files. Pulling it forces
windows to let go of the files whether it wants to or not.

set up a RAM disk and point the registry entries to it
change or delete the CLSID entries

PROBLEM

25. Auto-Complete

SOLUTION

registry entry - delete with CCleaner or manually.

PROBLEM

26. MSN Messenger

SOLUTION

don't use it

PROBLEM

27. Web-Cams and Microphones

These devices can be remotely activated providing visual and audio feedback from the target subject. There is also no way of telling if your devices have been remotely activated.

SOLUTION

1.) the camera light shows when its on - seems to be hardwired that way but might be controlled
by firmware

2.) draws much more power when on - can detect and sound alarm

3.) unplug when not needed

4.) point to nothing when not needed

5.) cover up / plug when not needed

6.) upstream firewall

PROBLEM

1. Application Layer Gateway Service

SOLUTION

disable, use manual gateway setting

PROBLEM

2. Automatic Updates

SOLUTION

block the search site

1.) host file blackhole
2.) local firewall
3.) upstream firewall
4.) DNS spoofing
5.) registry - change URLs

INACCURATE

3. Computer Browser

This stupid design will breach security. The only computer a client needs to know, is the server and it should coordinate everything.

this is not how NETBIOS works, however you can disable all this and use only TCP/IP
with FTP or other services - NETBIOS isn't very fast anyway

(the way its set up is normal BTW)

PROBLEM

4. Fast User Switching Compatibility

Switches to every account, but the Administrator account. In fact, unless you know exactly what your doing, an end user cannot access the administrator account.

SOLUTION

don't use accounts - you are automaticly the admin then

PROBLEM

5. IMAPI CD-Burning COM Service

This is designed to generate 'ghost images' that can be recovered

SOLUTION

1.) don't use it - use a 3'rd party burning application

2.) burn 3'rd party encrypted volumes (truecrypt/scramdisk)

INACCURATE

6. Indexing Service

A search using the DOS emulator will run like a bullet. Windows search, however, will take its time unless the indexing service is activated.

it takes as much time as the HD takes to move its heads and read - the HD is the limiting factor not windows, the index is faster still but a typical search takes only 20 seconds

SOLUTION

disable indexing

INACCURATE

7. Internet Connection Firewall(ICF)/Internet Connection Sharing(ICS)

First off information is sent to both Microsoft and to a range identified as belonging to ARIN whenever a PC connects to the Internet. Random connection attempts are made by Explorer, NT Kernel, Internet Explorer, Windows Help, svchost.exe, csrss.exe and numerous others. I have even caught calc.exe (The calculator) attempting to initiate a remote connection, now and again. Without reverse engineering, I was unable to tell if it really was the applications, or a subsystem calling the applications. Very odd.

block MS, block ARIN subnet traffic as above

use 3'rd party utilities to map the socket to the process, like inzider, TCPview etc

you can disable all those services and check using NETSTAT -an in a DOS box to make
sure the ports are closed

I use a local proxy - all other traffic stays in the intranet and goes nowhere

my machines have no public IPs to give out and I never put any personal info in them, I
only give the computers themselves names (like p500, k233)

PROBLEM

8. Messenger

SOLUTION

1.) disable - most people do anyway due to the annoyance
2.) block using local firewall
3.) block upstream

PROBLEM

10. Protected Storage

SOLUTION

use truecrypt

PROBLEM

11. Remote Procedure Call (RPC)

What sort of idiotic decision making was behind an RPC service that cannot be disabled?

SOLUTION

disable - yes you CAN disable RPC (disabling RPC services will slightly affect XP's functionality but nothing important)

use "NETSTAT -an" to check that ports are closed to confirm

PROBLEM

12. Remote Registry

SOLUTION

disable

INACCURATE

13. Server

This is not required, it provides a central management for open files and printing operations. It also provides a method of remotely monitoring a users activities.

This 'service' (ha!) provides a single-point of failure for an entire network. It is linked to the authentication, so if the server collapses, so does the entire network, as this is managed by the server.

no the workstations are mostly P2P, and some of these services overlap. The browsemaster
is a "pull server", while this service is a "push client"

again none of this is needed and can be disabled - you can just use TCP/IP file sharing
applications insted

INACCURATE

14. SSDP Discovery Service

What in Gods name for?

UPnP while buggy and not needed by everyone does come in handy sometimes

it allows new network devices to discover a place in the network automaticly rather than
you entering IP's, gateway and DNS/WINS info manually

DCHP just doesn't quite cut it assuming your even running that service

it also allows auto NAT port translation

SOLUTION

1.) disable
2.) block with local firewall
3.) block upstream

INACCURATE

15. System Event Notification

No way of knowing, without full reverse engineering, how many undocumentented events exist throughout Windows. Windows could have an entire additional level of event reporting.

SOLUTION

1.) track file system changes
2.) track registry changes
3.) track process changes
4.) track socket mappings

using above 3'rd party utilities

no "full reverse engineering" required..

PROBLEM

16. System Restore Service

SOLUTION

disable, delete files, wipe space

restore from your own backup or re-install

INACCURATE

17. Terminal Services

I just bet its interactive and highly 'functional' too. This is enabled by default, providing a remote desktop for any hacker. Wow, what a service M$.

carryover from the old DOS "CTTY" command - ties serial port to screen & keyboard hooks

SOLUTION

1.) disable
2.) block

INACCURATE

18. Windows Time

Sends information to Microsoft and keeps your date and time stamps nice and fresh for post-forensic analysis. At least they're tidy when they invade your privacy.:)

it doesn't "send" anything but a request for time, varify that using ethereal - upstream
if you think its being sneaky about it

SOLUTION

1.) disable
2.) block
3.) use alternate time server

INACCURATE

19. Wireless Zero Configuration

Zero configuration means zero security and that's exactly what you get. The entire network is exposed to anyone within reception range. Therefore, if you are using this in your home environment, that can mean remote monitoring from up to 3Km using proper equipment, or someone else using your Internet connection from a range of around 50-80m radius.

you don't have to use it - almost all wi-fi adaptors come with thier own utilities which
BTW don't do anything different/better

even when it claims it can't install in XP (not needed due to WZC) you can do it anyway using "compatibility mode" then with WZC disabled use it

> up to 3Km

and as little as 15 meters even with the best equipment depending on antenna, power and interference

> using your Internet connection from a range of around 50-80m radius.

up to a few Km depending - I specifically operate long haul links using special "stealth" antennas

SOLUTION

use encrypted tunnels - hamachi, zebedee etc. Remote monitoring of useless random bytes..

INACCURATE

Since all security products that operate on the Microsoft Platform are both designed from, and encapsulated by the OS, then it is ultimately Microsoft Windows that is providing your security and not your firewall, etc.

wrong, some appications can talk directly to the hardware totally bypassing windows or even
DOS

if a security/firewall company desired they could loopback through a serial port talking directly to it, and nothing windows or DOS can do would affect it so as long as the actual
application was secure it would give unstoppable security since this is even below raw sockets

below raw socket communication and kernel hook rootkits are the real threats we face

and most people don't even know about these dangers

the article gives people the wrong impression by focusing on the author's ignorance borne
fears while both ignoring the real issues and not supplying practical solutions

*nix isn't a cureall or safe - the newest worms are now targeting these OS's.

While these OS's are better than windows in some ways most people will not undergo the
steep learning ride required to master them

one person made a point about controlling your computer and not letting it control you

fear causing you to dump the OS your used to for a false sense of security would be an
example of your computer controlling you

these days the internet is pretty hostile and the main threats are from spammers/scammers/
malware pushers and big business

1.) close the open services, NETBIOS, RPC, UPnP - varify with netstat

2.) name the computer not yourself - avoid having any personal information in it

3.) have anti-virus, malware, rootkit and alternate data stream checking utilities

4.) use browser protection like proxomitron, hijack this!, spywareguard, ie-spyad

5.) use an utility like CCleaner to delete index.dat files, temp, etc

6.) use truecrypt and keep all your important data in encrypted volumes

7.) use the freespace and slackspace wiping utility included

8.) for wireless use a VPN/encrypted tunnel

9.) backup user data to encrypted volumes on DVD+R

optional ;

WEP/WPA on wi-fi, firewalls

I would rather do this than change to a new OS - I feel more secure knowing the OS's weaknesses
and taking steps above to secure it then an OS I know nothing about, and would depend on a
mere perception/projection of safety without anything concrete or directly from my knowledge
or efforts to back it up or varify it

for all spying/snooping problems your own strong encryption is the ultimate and last line
of defence - feel free to replace any/all part of your OS's functionality with whatever
3'rd party applications suit you

Hex

***Easy Skanking*** · 07-14-2007, 09:06 AM

Very excellent find.
Thank you!

justice · 07-17-2007, 07:08 PM

This is the tip of the iceburge.

take double click, now owned by google and see how it can track just about your every move on the internet.

all the CIA need to do is place an image in this forum like

<Img src='WWW.CIAandConCentral.jpg' />

that gives them your IP address and even lets em put a cookie on your machine so they know it's you even if your on another site.

solar · (This post was last modified: 07-17-2007 08:19 PM by solar.)

Anybody know if Mac OS X is just as compromised as XP ? :o

I wonder ... B)

... and thanks for the great (and eye-opening) article, lovelyk !!;)

subgenius · 07-23-2007, 08:49 AM

well I had been thinking of getting a LINUX box up and running and this was the 747 that broke the camel's back. Knew a bit was going on but this is too much. THANKS IMMENSELY for this info