Friday Security Roundup – November 20, 2015


Happy birthday, Microsoft Windows!

November 20th, 1985. A kinder, gentler time, when the sun shone every day, children respected their elders, and Christmas sales marketing didn’t start until at least the week before Thanksgiving. Today’s Security Roundup salutes the thirtieth anniversary of the official release of the first-ever version of Microsoft Windows. The lads from Redmond saw the future (or possibly shoulder-surfed it) and it involved a mouse and a graphical user interface to sit atop their then-standard MS-DOS OS. Sure, the ur-Windows had serious hardware requirements and took up quite a bit of real estate on one’s IBM clone (surely issues that would be addressed in subsequent versions – or maybe not so much) and, sure, the GUI was inspired enough by other designs as to be legally actionable. But all that aside, we have to give a shoutout to the OS family that now powers five out of six personal computers and, on a related note, is implicated in four out of five malware infestations spread by mobile networks. (And we frankly would’ve picked Borland’s Sidekick as the pony to bet on for eventual market domination, which may account for why we still haven’t retired to that private island.)

This spiffy browser-based Windows 1.01 emulator reproduces the OG Windows experience (and just might help you understand why veteran sysadmins often have those deeply creased permanent frowns). While you wait (and wait) for it to load from those virtual dual floppy drives, check out what we’re covering in this week’s Security Roundup.

Paris and Encryption: ISIS Practices Poor Infosec

Noted, by the Intercept and others: The total lack of encryption used by the terrorists in the recent Paris attacks. The subsequent discovery that they were in fact sending messages and making phone calls in the clear has led to those early hyperventilating reports of “criminal masterminds” using unbreakable super-secret ciphers in their plots being revised or, in the case of the New York Times, quietly removed entirely.

Status: We don’t really have a pithy statement to cover these dual tragedies: the dreadful attacks on the people of Paris and the subsequent attack on encryption by fans of increased surveillance. We’ll have a more in-depth review of the many information security aspects of this ongoing and unfolding story in the near future – stay tuned.

Internet of (Insecure) Things In Your Kitchen

Reported, by security researchers Pen Test Partners: vulnerabilities in the Wi-Fi Coffee machine, which in basic unconfigured mode operates as a Wi-Fi access point (as well as a coffeemaker). At least it’s not as insecure as the same manufacturer’s other product, the iKettle.

Status: We’re watching the wild and wooly new world of IoT spin out newer and stranger stories, as the potential attack surface approaches the infinite. More on IoT security issues soon as well.

Offshoring American Jobs – Even the NSA Is Doing it!

Relocated, by the National Security Agency: metadata collection programs, which ended in the US back in November 2010 (per documents revealed by Edward Snowden). The voluntary nature of the shutdown, and the lack of impact on the information collection itself, were puzzling. However, a New York Times report (based on a request via the Freedom of Information Act) found the NSA was satisfied that “other authorities can satisfy foreign intelligence requirements.” Those “other authorities” probably refer to the Special Procedures Governing Communications Metadata Analysis, which operates outside of US borders (and therefore evades legal niceties like FISA court approval). SPCMA is described in greater detail on Marcy Wheeler’s excellent emptywheel blog.

Status: Metadata collection seems less invasive than reading the actual information sent and received – but as one informed commentator noted, “Your web records are not like ‘an itemised phone bill,’ they’re like a list of every book you’ve ever opened.” Ironic, then, that Microsoft are moving cloud services to Europe to avoid US government surveillance (and salvage their European business) after the collapse of the Safe Harbor framework last month.

As always, we appreciate your reading these words, and please let us know your take on these issues. Remember what we truly believe here – a safer internet is a better internet.