By Mark McCarron
( MarkMcCarron_ITT@hotmail.com, angelofd7@icqmail.com)
Introduction
Context, context, context. I was sick hearing that phrase from Egyptologists in regards to my research on the Great Pyramid. They never could grasp that context is irrelevant to the scientific process or methodology, science examines facts, not interpretation. In saying that, they taught me a lot, it is funny how the entire aspect of a thing or situation can change, just by applying a different context to it.
In this article, I intend to do just that, with Microsoft's Windows Operating System.
If you have ever wondered, if;
1. Microsoft, was secretly spying on end-user machines?
2. Big Brother deployment scenarios were real?
3. M$ Windows was a type of bugging device?
Then this, is for you my friend, the 'Top-47 Windows bugging functions', and then some. There is also an appendix on forensic methodology and Magnetic Force Microscopy (MFM).
All sing...'There may be trouble ahead...' :)
If You Could See, What I Can See, Reinstalling Windows...
In general, to people in the western hemisphere; bugging devices, parabolic microphones, signal tracing, satellite tracking and secret government agencies, performing highly illegal activities, on a covert basis, are the source of inspiration for novels, movies and theater, rather than any real event.
These devices and activities have been part-and-parcel of my life (and almost anyone else in Northern Ireland), from the moment of birth and conspiracy theories are simply facts of daily life that, could put, any of my friends, or myself, into an early grave. Therefore, it is only natural for me to see things in a military context and this provides a very interesting picture of odd behavior, at Redmond and various other big names, throughout the US.
Microsoft is of the 'opinion' that its software is an operating system with a wide range of 'features'. As I am about to demonstrate, that is simply a matter of 'how you see things' and the context in which they are highlighted in. This is a very subjective experience and different people tend to see different things, simply because their own personal context is automatically applied, a 'bias', if you will.
The point to hold, in the front of your mind, throughout reading this article, is the fact that the 'features' and their descriptions, presented here, are accurate representations of Window functions, in their own right, however, any suggestion as to motivation would be speculation.
More clearly, Microsoft has presented it own 'opinion' on the various features within Windows, other 'opinions' do exist and this article presents one of them, in a hypothetical scenario. For this analysis to hold, the hypothetical scenario must be demonstrated to be consistent throughout the design of the OS, not just its usage.
The style and tone throughout, is based upon the working hypothesis, that Microsoft has altered the Windows OS, to reflect US military requirements and that its primary role is that of a modern variation of a 'bugging device'. It is simply taken as a given fact throughout.
This clarification allows for a more direct style of writing and legal protection for publishers. In addition to this, the views expressed in this report are the authors and have nothing whatsoever to do with anyone else.
There are no accusations being made, this is presented only as a 'working hypothesis', at all times, to allow for the fullest exploration of this particular train of thought. If the hypothesis holds, then we will expand it a little, to place it in proper context and draw the conclusion from the entire investigation.
Report On Analysis of Microsoft Windows XP
1. Start -> Search :)
Each and every time a search is conducted using the search option under the start button on Windows XP, the system automatically checks if your online and transmits information directly to Microsoft.
This is done, without informing the end-user in any fashion, nor providing a clear method to disable. It has been hidden by design. In technical terms, a form of Trojan.
A good application level, stateful firewall, will catch this communication attempt.
Done by design.
2. Help System, F1
When accessing Microsoft Help systems, through the F1 key. A communication attempt to Microsoft's ActiveX site is made.
Done by design.
3. Microsoft Backup
Designed to bypass all security, even ownership rights of a drive. Try it.
Done by design.
4. Process Viewer (Task Manager)
No mapping to executable file, nor will it show all running processes. Designed to hide important information required for determining system infections and sources of network data transmission.
Done by design.
5. Dr Watson
This used to loadup with information on dlls that had been hooked. Hooked DLLs are used to intercept keystroke, etc. Microsoft removed end-users capability to see this. It now generates a simple messagebox.
Done by design.
6. The Windows Registry
Now, on the face of it, this may seem like a good idea, however, as any developer will tell you, they only use it because the commands are quick, simple and, when it comes down to it, security is mainly the end-users responsibility.
It would be much faster, simpler and provide greater system security to use an ini file. Linux uses this approach with config files. An entire database must be examined each time request is made. This is why Windows slows down after you begin installing applications. The registry grows and more cycles must be dedicated to completing each query.
When you multiply this, by the wide range of systems accessing the registry, it is clear to see, that as a design architecture, it is completely moronic.
That is, until it is examined from another perspective, try the following perspectives as examples:
a. HKEY_CURRENT_USER - psychological profile of logged on user, real-time usage focus.
b. HKEY_LOCAL_MACHINE - Detailed reporting of hardware and a wide range of traceable unique identifiers
c. HKEY_USERS - psychological profiling of all users, post-forensic usage focus.
d. HKEY_CURRENT_CONFIG - Advanced psychological profiling based on a ranking system of 'psychologically-based options' embedded throughout the system. This could include things like favorite colour, pictures, sounds, etc.
Throughout the registry are an extensive amount of MRUs. These areas store your recently accessed documents each application and other information. Now instead of having a single area were these are stored, for both rapid access and cleaning purposes, Windows was designed to fragment these throughout the registry database.
Firstly, this makes cleaning the registry a specialized job, as a mistake can corrupt Windows. Secondly, and most importantly, this is what we call 'fragmentation'.
Now 'fragmentation' is a well known source of problems when accessing information. Many will point out, that the registry is a hierarchy and that that this eliminates fragmentation. I must point out that I am referring to the 'entire structure of recorded information' and not the technical definition of fragments of data.
By fragmenting the various forms of 'recorded information' throughout the registry, it can take upwards of a week to list every key that should be cleaned. The entire process must be repeated each time a new application is installed, to determine what exactly was placed into the registry. Windows also uses an extensive amount of MRUs that have been altered to an 'unreadable' format. This would leave 95% of users completely unaware of Microsoft was recording.
There is no need or requirement for a registry, other than to provide central access to 'private information'. As a programming architecture model, the design borders on the moronic and is directly opposing every known, best practice, in programming.
The true motivations behind the registry design are quite clear and highly specific.
Done by design.
7. Temporary Files
Temporary files are retained under 'Document and Settings' for a prolonged period of time and in most case require manual clearance.
Done by design.
8. Recycle Bin
Even when told to not use deleted item to the recycle bin, it is used anyway, only with out the prompt. This generates a ghost copy on your hard disk of any deleted files.
Two copies are better than one for recovery purposes, especially were Magnetic Force Microscopy is concerned. The two copies can be referenced with each other for rapid recovery procedures, its an attempt to eliminate bit errors in overwritten files.
The more ghosts images, the better the chances are for fast and complete recovery of during post-forensic examination.
Done by design.
9. Recent Files
Only a small portion/subset of the recent files accessed is displayed in 'Documents' section under the start button. The folder that contains the shortcuts has a far longer list hidden from general view.
For example, 11 files are listed under the Start buttons 'My Documents', however, 'My Recent Files' contains 17 entries. The other 6 came from my last list of files which I deleted using the 'Clear' button.
Done by design.
10. NotePad
Windows XP versions cannot word wrap properly and have been redesigned to make their usage as frustrating as possible. For example, when saving text only file, the screen resets the position of the text to the line where the cursor is at.
This takes specific coding and not something that happens by accident. The idea is to push people towards Microsoft Office, were all security can be breached and copies written, at will, across your drive.
Done by design.
11. Swap Space/Virtual Memory/Page File
Regardless of how much memory is in your system the page file can not be disabled. Its main function is too swap memory to disk and allow memory to be freed for running applications. With a large amount of RAM, this function becomes redundant, except under exceptional circumstances.
What is the useful purpose of a 2MB page file? Other than writing data, across the drive, in 2MB chunks, none.
Its designed to flush encryption keys and sensitive information to disk. This also generates ghost images which can be retrieved.
Done by design.
12. Firewall
Incoming firewall only. This allows spyware to transmit information without any problems or detection. 90% of spyware information is transmitted to and shared throughout the US.
Done by design.
13. Memory Usage
Designed to use large amounts of memory to drive the hardware industry sales of components. For Windows XP to function correctly, it requires at least 1GB RAM and at two physical drives on separate IDE channels or SCSI interface I/O.
Even then, it hogs everything and leaves random fragments in memory. These fragments or 'memory leaks' are then flushed to disk, in an effort to capture some information from running applications, encrypted viewers, etc.
The ever expanding registry is designed to keep up, with ever expanding hardware and slow the system. End users think programs have gotten more powerful and they must upgrade. Its simply that more and more cycles are dedicated to various expanding databases, each and every boot.
Done by design.
14. Automatic Updates
Can allow remote installation of any form of software at Microsoft's whim.
Done by design.
15. Raw Sockets
Microsoft prevents new protocols being developed on Windows to prevent usage of nonstandard protocols. This allows for easy access to information. It also prevents the disabling of Microsoft's TCP/IP stack, which for all we know, could have 30,000 extra 'ports' coded into it.
Windows 2000 was actually programmed to reject any driver, that would allow custom protocols to be developed, without Microsoft certification. Microsoft claimed this was a 'mistake'.
Now lets all try to picture the conversation at Microsoft on this one, shall we?
{In an office at Redmond...}
Executive 1: '...my hand slipped and wrote 10 pages of code..., no wait...,
Executive 2: the dog coded it, ah nuts..., erm...,
Executive 1: Can we blame Bin Laden?'
Raw socket access also bypasses every known firewall, from Sygate to Zone Alarm. The reason being that these applications, rely on the Windows message/event handling and Microsoft designed Raw Sockets not to report to this layer.
Komodia produce a TCP/IP Packet Crafter, install that and Sygate's Personal Firewall on WinXP service pack one. Craft a few packets to see this in action. Nice trojan tool M$.
Reverse psychology was employed, although not a very good example of it, in Microsoft's deployment decision to support raw sockets. It was to get people to focus on a 'hoax' alert, rather than the high level of security such a system would provide.
The truth is, raw sockets is not required, however, it just makes life simpler. For real time software, the overhead presented by TCP, is too great and the effects can be seen on excessive lag during online gaming, or media playback. A streamlined custom stack, allows for faster processing of the IP packet and over a 1000% improvement to connectivity management than TCP encapsulation.
Many developers do not realize that TCP is not required and that custom packets can be encapsulated within IP alone. IP routes the packet, from A to B, and TCP provides a data path encapsulated with the IP packet. This allows Internet routing to change, without effecting application support. Custom stack creation is a 'walk in the park', all it involves is parsing a binary stream and executing functions based on flags or value, it also, automatically, supports the OSI/DoD model.
By breaking support for raw sockets on Windows 2000, Microsoft manipulated the entire global market, as no developer could be assured their applications would function after 12-24 months. It also provided a way for Microsoft to eliminate tools such as 'Ethereal' that could inspect the communications of a Windows system.
An active attempt at blocking end-users knowing what information a Windows system was transmitting, as Microsoft is aware, that over 80% of end users only have a single PC.
Done by design.
16. Remote Access Bugs
This is a good example of 'context and highlighting' (perspective). I want you to consider this statement:
Is a remote access bug, not the same thing as a backdoor access code?
Write a detailed essay on your conclusion, no less than 30,000 words. You should consider statements such as 'buffer overflow executes code', 'invalid datagram shuts down PC', etc. :)
OpenBSD has no such remote exploits and no money.
Done by design.
17. Music Tasks
A nice big link to 'Shop for Music Online'. This is a direction to US based enterprises and also a violation of the Microsoft EULA, as it mentions nothing whatsoever in regards to Microsoft Windows being an advertising supported platform.
No matter how small the feature, that is still what it represents. If Microsoft is in breach of its EULA, does that invalidate it?
Done by design.
18. Windows Media Player
No way to disable automatic check for updates. This allows any form code Microsoft chooses to be used as an upgrade. Defaults to uniquely identifying an end user and stored media.
Certain websites warn their visitors that using Windows Media Player version 7 on their websites will reveal your 'personal information' t Microsoft. An example can be located here:
http://ekel.com/audio
Have you ever wondered how p2p information on end users is gathered? Think about it the next time you connect to a commercial Internet radio, video or media service.
Done by design.
19. Alternate Data Streams
This 'feature' of Microsoft Windows relates to how information is stored on your harddrive. Under NTFS, not only is there the file, but there is a second, hidden aspect to each file. This hidden aspect is stored separately on your hard drive and not as part of the file.
I suppose the term, 'Alternate Data Streams' make better business sense, than 'hidden information gathering process combined with standard file functions'. :)
All additional information to a file, such as date/time stamps, file name, size, etc. is stored in this layer. Not only this, but so is the thumbnail cache of all images viewed by the system. This 'feature' is hidden by design and requires either a 1 month long 'disk nuke' (for average 80GB HD) or physical destruction of the disk platters to remove.
Physical destruction is recommended, as it requires specific manufacturers codes to access bad blocks, internal scratch areas and internal swap/cache areas of the drive. Even with the codes, certain problems can arise from unreadable sectors which may contain copies of sensitive information.
Nothing beats an nice afternoon with a screwdriver and grinder. :)
The caching can be disabled, however, Microsoft has made this as 'obscure' as possible. Microsoft Windows also does not explain the function of 'Do not cache Thumbnails'.
It is aware 90% of end-users have the technical aptitude of 'a banana with a with a drink problem' and would never grasp the implications, let alone, understand.
Done by design.
20. Stability
Microsoft Windows is designed to collapse upon extensive number crunching, of large arrays, of floating point calculations. This would prevent; nuclear modelling, physics modelling, and genetic modeling. These three aspects can produce Nuclear, alternative and biological weapons.
I don't know about you, but this 'feature', I can live with, or couldn't live without, for very long. :)
Done by design.
21. Internet Explorer 'Features'
MSN Search
When Internet Explorer fails to locate a web address it initiates a search through Microsoft. Therefore, every failed access attempt is sent to Microsoft, with all your system information in the X header structure. to Microsoft, cleverly disguised as 'assistance'.
Done by design.
22. Temporary Internet Files
Without extensive reconfiguration of Windows end users will not see the real files. Instead they see a database generated representation drawn from a file called index.dat.
Even the controls to access the drive are hidden with an obscure setting called 'Simple File Sharing (Recommended)'. Windows XP does not always delete the actual files from your hard disk. Even the emulated DOS reports the database, unless windows is substantially reconfigured.
Windows goes to great lengths to prevent this reconfiguration. Also, many do not know there is no need for this cache, other than to go back to pages. Its main role is to maintain a record of users activities and generate ghost images throughout the drive.
Done by design.
23. Index.dat
A database file of the contents of an area of the drive, including deleted files. In the 'Temporary Internet Files' it records date, time, Internet location and file name information of downloaded graphics/images and sites accessed, with user IDs in a nice big list.
There are various 'index.dat' files throughout Windows, a dat file is generally a database. A users activities can be recorded for several weeks and user names (etc) recovered. The index.dat file retains information about recently deleted files and Microsoft has failed to provide any reasonable explanation.
You cannot provide, what does not exist, there is no genuine reason to retain deleted files information other than deliberately recording an end users activities for forensic analysis.
This is used for rapid identification, file recovery and time-plotting of a users activities. A small application produces a timetable of a user's usage, referenced against the recorded information for each second of activity.
On large networks, this can be used to verify each member of staff location and movement across an entire infrastructure, this type of output in normally rendered in a full 3D layout of the target building.
Done by design.
24. Cookies
The official explanation for cookies is to offload information from the server, to the client. This can be authentication, preferences, etc. As you can see, its just a cheap solution, designed to cut costs.
When costs are cut, so are corners and in this case a corner that presents a major threat to information security. Cookies retain a lot of information such as logon IDs. In fact, the first cookie I look for, is generally, passport.com. This cookie will have the last recorded hotmail address stored within it. Combined with index.dat information, I can tell the following;
1. Windows logon ID of the person involved
2. The hotmail email address
3. The Date and time the account was accessed
4. External graphics viewed and the sources of those graphics
5. The machine from which it was accessed.
6. The duration of viewing.
7. And generally, the individuals sexual, political, social, personal and religious preferences based upon the information accessed.
That's with only two file sections.
Cookies can also be accessed remotely and are used to track the movements of end users as they move from site to site. Passport, Microsoft's common logon system, relates itself against the Windows account by default.
There is no need for this, it is these 'subtle functional intrusions' that Microsoft prefers. I honestly do not know what is going on in these people's heads, to think for one second, that the world would spot this a million miles off. It really does show the level of intelligence these people have; my dog demonstrates more social engineering skills when looking for food.
Done by design (very poorly executed).
25. Auto-Complete
Designed to record search terms, web addresses, and anything else it can get its grubby little digital hands on, for rapid post-forensic retrieval.
Done by design.
26. MSN Messenger
Microsoft has been retaining each persons deleted contacts from messenger. M$ has been monitored in this area and is known to retain everyone's deleted contacts for 3 years, at least.
This could be seen using a console-based version of MSN Messenger under Linux. Microsoft has since changed the protocols, so I am unaware if you can still see some of the information, M$ retains, on over 150 million people.
Messenger is also activated on accessing Hotmail. Microsoft claims to be using the 'features' provided by Messenger and will not allow it to be disabled. Now, as millions access M$ Hotmail without messenger, I must seriously question this behavior.
The 'features' provided by MSN Messenger are the transmission and reception of typed text and files. So, Microsoft has stated that it is, 'transmitting typed text and files', to and from, end users machines, when hotmail is being accessed.
Just cleverly worded.
Done by design.
27. Web-Cams and Microphones
These devices can be remotely activated providing visual and audio feedback from the target subject. There is also no way of telling if your devices have been remotely activated. These features are demonstrated in 'proof of concept' applications such as NetBus, etc.
With raw sockets (or driver) this information can bypass your firewall without any problems.
Microsoft Windows XP Services
1. Application Layer Gateway Service
Microsoft's Description:
Provides support for 3rd party protocol plug-ins for Internet Connection Sharing and the Internet Connection Firewall,,Manual,Local Service
Alternative Description:
This thing just loves making remote connections and accepting them. Set this up in your firewall to ask each time using ADSL or higher.
Have fun. :)
Done by design.
2. Automatic Updates
Microsoft's Description:
Enables the download and installation of critical Windows updates. If the service is disabled, the operating system can be manually updated at the Windows Update Web site.,,Disabled,Local System
Alternative Description:
Enabled by default. Enables Microsoft to distribute and incorporate any 'feature', at will. Not the greatest thing in the Universe to be allowing.
Done by design.
3. Computer Browser
Microsoft's Description:
Maintains an updated list of computers on the network and supplies this list to computers designated as browsers. If this service is stopped, this list will not be updated or maintained. If this service is disabled, any services that explicitly depend on it will fail to start.,Started,Automatic,Local System
Alternative Description:
This stupid design will breach security. The only computer a client needs to know, is the server and it should coordinate everything.
Why does Microsoft Windows identify and map every computer on the network?
The design principal is based upon 'remote orientation' requirements, using insecure clients as targets. Servers would be difficult to compromise and arouse to much suspicion.
The flow of information on any network is about 'the need to know'. Clients do not need to know any other computer, other than the server. The server acts as a 'proxy' to the entire network, data transfers may, optionally, be proxied too.
Done by design.
4. Fast User Switching Compatibility
Microsoft's Description:
Provides management for applications that require assistance in a multiple user environment.,,Disabled,Local System
Alternative Description:
Switches to every account, but the Administrator account. In fact, unless you know exactly what your doing, an end user cannot access the administrator account.
Post-Forensics can, that includes your Windows Encrypting Filesystem. Cheers M$.
Done by design.
5. IMAPI CD-Burning COM Service
Microsoft's Description:
Manages CD recording using Image Mastering Applications Programming Interface (IMAPI). If this service is stopped, this computer will be unable to record CDs. If this service is disabled, any services that explicitly depend on it will fail to start.,,Manual,Local System
Alternative Description:
Part of CD Burning and this thing is a nightmare. Any CD you make, it first makes a copy to the system drive, then only to use a scratch drive after that. Why?
That action is a waste of time. This is designed to generate 'ghost images' that can be recovered by Magnetic Force Microscopy. It is unlikely that the target subject will destroy their boot drive. Also, pointing the scratch to another drive, just makes more ghost copies.
Not only that, but I have caught Windows XP, pointing me to the CD burning directory when viewing CDs. That would suggest a cached image of some form.
Done by design.
6. Indexing Service
Microsoft's Description:
Indexes contents and properties of files on local and remote computers; provides rapid access to files through flexible querying language. ,,Manual,Local System
Alternative Description:
A search using the DOS emulator will run like a bullet. Windows search, however, will take its time unless the indexing service is activated. This provides quick post-forensic and real-time access to files remote files.
This behavior is by design. :)
7. Internet Connection Firewall(ICF)/Internet Connection Sharing(ICS)
Microsoft's Description:
Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network.,,Manual,Local System
Alternative Description:
First off information is sent to both Microsoft and to a range identified as belonging to ARIN whenever a PC connects to the Internet. Random connection attempts are made by Explorer, NT Kernel, Internet Explorer, Windows Help, svchost.exe, csrss.exe and numerous others. I have even caught calc.exe (The calculator) attempting to initiate a remote connection, now and again. Without reverse engineering, I was unable to tell if it really was the applications, or a subsystem calling the applications. Very odd.
Microsoft Windows defaults to sharing your files using SAMBA across the Internet. This even bypasses most domestic firewalls or security setups, unless specific options are set in the firewall. This allows for remote access to files, documents, etc. without breaching any known legal regulations.
Try entering random IP addresses into your 'My Network Places' window when online, preceded by the '\\' network identifier.
i.e. '\\91.111.2.80', or '\\222.54.88.100'
Within about 30 attempts (of a good netblock), you should get a remote machine to share files with you, in the same manner as a LAN setup. Expect your machine to freeze when performing any remote operations for up to 4 minutes at a time (i.e. such as right-clicking a file).
The reason for behavior is that native SAMBA is designed for 10Mbit networks (at least) and is therefore a very bulky protocol. Also, the remote host may be using their Internet connection, have a low bandwidth connection or performing processor intensive tasks.
A quick examination of Sygate's instruction on how to use their firewall with ICS, reveal that your kernel cannot be blocked, nor can several other systems. These systems are not required on a LAN, so Microsoft has designed these systems to breach security.
There is no difference between TCP/IP over a LAN and the Internet, other than settings. As a programmer I know Network Address Translation is simply a case of storage and substitution of IP addresses, with a few whistles and bells. There is no excuse for these systems to be exposed to the network.
Done by design.
8. Messenger
Microsoft's Description:
Transmits net send and Alerter service messages between clients and servers. This service is not related to Windows Messenger. If this service is stopped, Alerter messages will not be transmitted. If this service is disabled, any services that explicitly depend on it will fail to start.,,Disabled,Local System
Alternative Description:
Messages should only be broadcast, by and to, the main server. Having this on every machine provides a method of transmitting real-time keystroke intercept across the Internet. This service is also enabled by default, even with the known Internet abuse of the function. This only indicates design manipulation.
Done by design.
9. Network Connections
Microsoft's Description:
Manages objects in the Network and Dial-Up Connections folder, in which you can view both local area network and remote connections.,Started,Manual,Local System
Alternative Description:
Only weakens security by providing a central reporting mechanisms. These aspects have been combined by design, with no logical requirement for the function. Again, a single-point of failure is introduced into the system.
Done by design.
10. Protected Storage
Microsoft's Description:
Provides protected storage for sensitive data, such as private keys, to prevent access by unauthorized services, processes, or users.,Started,Automatic,Local System
Alternative Description:
Also provides quick access to this information. Swift breaking of security. Sweet. :)
Done by design.
11. Remote Procedure Call (RPC)
Microsoft's Description:
Provides the endpoint mapper and other miscellaneous RPC services.,Started,Automatic,Local System
Alternative Description:
May the saints preserve us from RPC. RPC provides remote computers with the ability to operate your PC and listens for these connections on the network/Internet.
What sort of idiotic decision making was behind an RPC service that cannot be disabled? Why not just come into my livingroom M$? You're practically there anyway!
(I'm just losing my head now! This is disgraceful.)
Done by design.
12. Remote Registry
Microsoft's Description:
Enables remote users to modify registry settings on this computer. If this service is stopped, the registry can be modified only by users on this computer. If this service is disabled, any services that explicitly depend on it will fail to start.,,Disabled,Local Service
Alternative Description:
This nifty service is enabled by default. It provides remote access to the windows registry, allowing run-time modifications to be made to your PC. Hmmm....what an excellent idea! Just what I always needed, a way to 'tweak' my running spy applications remotely.
I knew M$ was thinking about me, I'm touched, or at least they're close enough to reach out and touch me. :)
Done by design.
13. Server
Microsoft's Description:
Supports file, print, and named-pipe sharing over the network for this computer. If this service is stopped, these functions will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.,Started,Automatic,Local System
Alternative Description:
This is not required, it provides a central management for open files and printing operations. It also provides a method of remotely monitoring a users activities.
This 'service' (ha!) provides a single-point of failure for an entire network. It is linked to the authentication, so if the server collapses, so does the entire network, as this is managed by the server. Again, security and functionality have been manipulated to focus on information retrieval and access.
Done by design.
14. SSDP Discovery Service
Microsoft's Description:
Enables discovery of UPnP devices on your home network.,,Disabled,Local Service
Alternative Description:
What in Gods name for? This is part of the 'remote orientation' facilities encoded into Windows, allowing remote hackers the ability to explore the network swiftly, reducing chances of alarm and excessive activity through exploration.
Done by design.
15. System Event Notification
Microsoft's Description:
Tracks system events such as Windows logon, network, and power events. Notifies COM+ Event System subscribers of these events.,Started,Automatic,Local System
Alternative Description:
No way of knowing, without full reverse engineering, how many undocumentented events exist throughout Windows. Windows could have an entire additional level of event reporting.
Event and thread management in Windows is very suspicious due to its sluggish and sometimes unpredictable behavior. Compensation for this is normally done by 'peeking' into the message cue, however, sometimes it simply refuses to work. This would tend to suggest the interaction of an unknown component (or several component) with the event system producing conflicts.
Done by design.
16. System Restore Service
Microsoft's Description:
Performs system restore functions. To stop service, turn off System Restore from the System Restore tab in My Computer->Properties,,Automatic,Local System
Alternative Description:
Keeps ghost copies of various forms of cached information in a nice quick accessible format. We can't let our hard earned information go down the pan now. :)
Done by design.
17. Terminal Services
Microsoft's Description:
Allows multiple users to be connected interactively to a machine as well as the display of desktops and applications to remote computers. The underpinning of Remote Desktop (including RD for Administrators), Fast User Switching, Remote Assistance, and Terminal Server.,, Disabled,Local System
Alternative Description:
I just bet its interactive and highly 'functional' too. This is enabled by default, providing a remote desktop for any hacker. Wow, what a service M$.
I'll agree with you on this one, that is a 'service and a half'!
Done by design.
18. Windows Time
Microsoft's Description:
Maintains date and time synchronization on all clients and servers in the network. If this service is stopped, date and time synchronization will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
,,Disabled,Local System
Alternative Description:
Sends information to Microsoft and keeps your date and time stamps nice and fresh for post-forensic analysis. At least they're tidy when they invade your privacy. :)
Done by design.
19. Wireless Zero Configuration
Microsoft's Description:
Provides automatic configuration for the 802.11 adapters,,Disabled,Local System
Alternative Description:
Zero configuration means zero security and that's exactly what you get. The entire network is exposed to anyone within reception range. Therefore, if you are using this in your home environment, that can mean remote monitoring from up to 3Km using proper equipment, or someone else using your Internet connection from a range of around 50-80m radius.
Even with security, the IEEE specification for WEP was clearly manipulated and weakened by interested parties. There is no other acceptable excuse for that level of incompetence.
Done by design.
20. Microsoft Works
Breach of trade descriptions act? Microsoft 'probably' Works. :)
Really, it is an 'implied' suggestion based on the play of words. It can be described as 'psychologically misleading', human psychology is extremely complex, even if most humans are not.
This implied statement is registered at a deeper level of the brain and assigned its true meaning. Otherwise, you would have never considered the relationship in the first place.
One way of describing this is, 'marketing', the accurate description is 'subliminal programming', it does not matter how slight the incident.
This is very, similar in style, to the 'French Fries' and 'Freedom Fries' incident in the US, used to blind the US citizens from war opposition, through manipulation of patriotic beliefs.
Shameful.
Done by design.
Windows Security, Not What You Think
Since all security products that operate on the Microsoft Platform are both designed from, and encapsulated by the OS, then it is ultimately Microsoft Windows that is providing your security and not your firewall, etc.
So, any product that claims to provide security FOR windows, is simply reflecting the limited understanding the company has of what it is doing.
I bet that will inspire confidence in computer security. :)
The accurate description is that M$ Windows, secures itself, through execution of a 3rd party application, which M$ Windows must inform, to provide security. As we seen in 'Raw Sockets', this does not always happen. Linux does not have this problem, as the systems is a mosaic rather than a full encapsulation, or sandbox environment.
Therefore, even with all the security, in the known Universe, installed on a Microsoft Windows Platform, it is still the responsibility of Windows to inform the security products of each event happening. If Microsoft Windows fails to report, or hides certain messages/events, then your security software becomes 100% completely redundant.
This is a source of great concern with Microsoft's plans to encrypt the system area of new versions of Microsoft Windows. Somehow, I don't think this system, nor any variation of it, will ever see the light of day.
If this was to happen (the encrypted system), instead of an EULA, I think Microsoft Windows should be required to read end-users their rights. Microsoft is not the Law, nor is it above it, in any way.
You have the right to be bugged, click OK to continue! :)
Bugs Of The Third Kind
How long as Microsoft been programming Windows for?
Ten, maybe fifteen years, and we are seriously asked to believe that a company with the financial resources of Microsoft cannot a create a bug-free Operating System?
Companies with lesser resources than Microsoft provide such systems for Air-Traffic control and medical purposes (Heart Monitors, etc). A perfect example here is OpenBSD. OpenBSD is a free Operating System and with very little funding (nowhere near what Microsoft has, in a million years) the only remote exploits you will find, anywhere in the world, will be at least 12 months old.
Most of Microsoft's problems are at least that old before anyone decides to analyze them, let alone, fix them.
This is a very clear example, honestly, there is no acceptable excuse here. If Microsoft claims 'compatibility', then I simply refer them to the current deployment of service packs that destroy 'compatibility'.
Also, the important thing to business is their data and data cannot have 'compatibility' issues. Its simply a binary stream that can be used on any known operating system.
Wild Speculation On Codenaming Strategy
Microsoft has had a consistent naming policy for its operating systems, in the form of city names. Code names for various releases have included; Chicago, Memphis, etc.
Now all this changed with the arrival of Windows XP. Its codename was 'whistler' and the next version of Windows is codenamed 'LongHorn'. I was interested in the reasoning behind the switch. I was thinking that these codenames could be based on one, or more, of the following points:
1. A play on the term 'whistleblower'?
2. A play on a reference to 'pinocheo'? (tells stories, reference to Long (Nose) and Horn (Whistle Blower) )
3. Horn, as in a form of 'early warning system' and Long because of its distributed nature?
Can Windows Be Secured?
Yes, with FDisk. (Recommended) :) Otherwise, due to its encapsulated nature, the answer is a pointblank, no.
Additional Observations
All we need now is Intel's 'processing and storage' layer to the Internet and we have a, full-scale, 100% genuine, deployment of a Big Brother scenario. Thanks Intel, but, we'll pass on that one, nice to see you are thinking of everybody for a change. :)
If anyone is wondering what on Earth is going on, well Congress went a little nuts passing resolutions, without its normal due caution. Looking down the barrel of a gun 24/7, does not provide the ideal circumstances for making these decisions, nor the environment for full, open debate, for security reasons. As such, mistakes can only be expected, congress is still only human, despite the rumors.
I am just worried that this is the entire intention, due to Microsoft's modifications, its software predates 9/11, so it could not use 9/11 as an excuse. I wouldn't like to consider the implications of that statement 'being inaccurate'.
I know many readers would be enjoy this analysis taken further, however, it is well beyond the scope of this report. It is also an area I feel is best left to the authorities.
Alterations to M$ Windows also coincides with antitrust cases and the reversal of the ruling to split Microsoft into two companies. This leads to three important questions:
1. Was Microsoft hijacked by the US government, CIA or NSA?
2. Is this why M$ Windows was altered?
3. What would the suggested reason be for military adaptations to M$ Windows prior to 9/11?
4. Why 3 Operating Systems (ME, 2000 and XP) between 1999-2001?
I only mention this to be fair, rather than shoot first, ask questions later. I'm a Zen Buddhist and politics, ain't my bag baby. :)
Google's ranking methods have come under question recently and in the context of this report, I think the follow will speak volumes for itself:
Search for the term 'Book'. Conducted September 11th, 2004.
Top 10 results from Google.com
1. US
Barnes & Noble.com, 6000 Freeport Ave - Suite 101, Memphis, TN 38141.
2. US
onlinebooks.library.upenn.edu, University of Pennsylvania
3. US
www.cia.gov, CIA - Factbook.
4. US
BookFinder.com - Berkley California
5. US
www.kbb.com - Orange County
6. US
www.worldbookonline.com - Country Wide, with world-wide divisions
7. US
www.superpages.com - 651 Canyon Drive. Coppell, TX 75019.
8. US
www.amazon.com
9. US
www.abebooks.com - Victoria B.C.with offices in Canada and Germany.
10. US
www.bookwire.com - 630 Central Ave. New Providence. New Jersey.
May I remind everyone that Google is behind nearly every major search engine in the World. Is this what they describe as 'free enterprise' in action?
I wouldn't like to see systematic manipulation of the global economy, if that's the case. :)
A Small Bit of Advice
Linux...Open Source...Free...No worries.
Conclusion
Is America awake? Remember a small concept called Liberty? (Its French, by the way.) I wonder how M$ is going to explain this one?
This one, I really must hear. :)
'...let's face the music and dance.'
Appendix Contents
Appendix 1. Symbiotic Duality
Appendix 2. Magnetic Force Microscopy (MFM)
Appendix 1. Symbiotic Duality
The first thing you must accept is that a product does not have to be limited to a single purpose. The second thing to be accepted is that you may not be aware of any other purpose, even to the extent of being unaware of its primary purpose. Purpose comes from design, not usage.
Therefore, a product, such as Microsoft Windows can give the impression of being an Operating System, whilst having been designed for an entirely different purposes. This is the concept of 'Symbiotic Duality', it is the basis of all manifestations of depth.
We'll look at a few quick examples:
a. When you fight with someone you love, you can hate them, yet still love them.
This form 'Symbiotic Duality' is experienced as a 'depth' of emotion, it stems from the observed contrast, or gulf, between opposing emotions. The greater the gulf between the conflicting emotions, the more intense the experience.
It is from this understanding that the, very accurate phrase, 'Fighting is a sign of love', is drawn from. One cannot exist without the other and 'Symbiotic Duality' is a fundamental step in every emotional response.
'Love thy Enemy'. Its not like I much choice in the matter :)
b. To produce the effect of Depth in a scene.
An image contrasting near and far (large and small) produces the illusion of depth. This is another form of 'Symbiotic Duality', the contrast between near and far (large and small) produces an optical illusion, both aspects function as one, from opposing sides.
c. A depth of character can be expressed in apparently conflicting viewpoints. You may both agree and disagree with a situation, for various reasons. For example, you may not agree with war, but you recognize a time comes when it must occur, or, you may not agree with a situation, but since it is happening, you may as well make the best of it.
The greater the depth of character, the greater the gulf will be between these conflicting thoughts there will be. A person who repeats the same 'statements or rhetoric' time and time again, has very little intelligence and certainly lacks any depth of character, as they lack the opposing viewpoint.
d. The gulf between the people and government leads to increased anxiety, fear, paranoia and rejection.
The more 'stark' a contrast between government and the people, the greater the 'perceived gulf' will become. This concept is explored in George Orwell's book 'Animal Farm', it examines the 'US and Them' principle, and unknowingly, touches on the 'Symbiotic Duality' of the scenario.
That is, the common source of conflict between the two groups, the 'perceived gulf' that exist between them. By bridging that gulf, the situation may have been avoided.
Why is 'Symbiotic Duality' important to understand?
'Symbiotic Duality', as you notice from each of the examples, ends up, in one form or another, relating to the human biological make-up. The simple reason for this is that, 'depth', is a perception. If a 'Symbotic Duality' appears in an investigation, a human was involved in planning.
'Symbiotic Duality' can prove useful in forensics. By clearly identifying the contrasting behaviors of any system, the design choices made by humans and those dictated to by system requirements, can be distinguished with repeatable methodology.
This separation allows for both reliable, rapid identification of human design choices that fall outside compliance with system specifications, or other known base references (i.e. another OS design) and for complete focus to be given to only 'odd' human generated code.
Scientific investigators must operate by rigid procedures and methods, the concept of 'Symbiotic Duality' provides such a structure, this allows for repetition of the investigative procedure, rather than solely relying on expert testimony and Police accounts.
This can be vital in cases were an officer/jury needs to follow the scientific investigator at a technical level, collaborate on an investigation in a distributed environment, or work through vast amounts of information.
It provides a roadmap for the investigation, with one point naturally flowing to another, or any amount of other points.
Let's say for example we were investigating an email application. Firstly, we remove from the equation the basic technical functions of the application. This leave us with what can be described as a 'human-defined design'. That is, all the fluff added to an application to make it 'user friendly' and operational.
From here, we list each of the 'features' and a description of their functions. Next, we begin the 'Symbiotic Duality' analysis, by contrasting the basic technical requirement to implement a 'feature' against the actual implementation.
There are various sub-aspects to this procedure, such as contrasts from different 'perspectives'. This would include examining ease of information retrieval, information storage, information movement, information processing, network communication attempts, etc.
By contrasting what would be 'expected', under reasonable circumstances, against what is actually there, the 'gulf' (form of perceived depth) between the two states is revealed (Symbiotic Duality).
The procedure uses the 'Russian Doll' and Henry Ford Conveyor Belt principles, to break down the application into smaller and smaller units in a systematic exploration of the target system.
The method is highly flexible, in that, it does not require a linear approach to investigation, but rather, a completely random approach is recommended. This can match budgets and resources of investigative departments.
The results are composited in a cross-referenced mosaic that can be expanded upon from any point, providing the investigator a model of his/her complete investigation. This gels beautifully with the 'chain of custody' model.
What we are left with, is a combination of fluff and 'Interest Motivated' sections of the application. Its simply a matter of contrasting the expected characteristics of fluff against the remaining sections of code.
So, staring you in the face, in glorious black & white, will be a very clear list and description of each identified 'odd' behavior. As many investigators will have realized by now, adaptations of this can be applied to any form of of investigative procedure.
If you are interested in 'Symbiotic Duality', I'm afraid you will not find it in any texts, it was something I developed as part of my work to assist me. An in-depth understanding human psychology is a basic requirement in this field, as you must always think, what would this person do? 'Symbiotic Duality', let's you understand more clearly, what they were thinking as it exclusively relates to human perceptions.
I don't claim that this is any form of great new method, I just use it to assist my own work and it also has no form of recognition as an accepted method. Its simply another tool, in a long list, of analytical procedures and, in my line of work, every assistance is a bonus.
I like to think of this procedure as a:
'Random access investigative procedure, which uses the horizontal nature of emotional and perceptive responses, to clearly identify the various ranges of possible motivations behind an incident.
Cross-referencing and statistical analysis, provide a mechanism of ranking motivations, across an entire case framework, allowing for 'Computer Assisted Real Motive Analysis' (CARMA).'
That'll mess with your noodle for a while. Sorry. :)
The best visual representations would most likely be in the form of a 'tree' structure, expressed in 3D. Each 'Symbiotic Duality' identified can be provided a 'score' (ranking), and numerous sub-scores (sub-rankings) if required. The ranking system, has an unlimited user-defined scale. This allows for statistical analysis and cross-referencing, with stark contrasts. The scale can also be categorized.
I only mention it here, as it was employed in this analysis, however, I am still developing the theory behind this. The report does not rely on this theoretical work, but rather, standard procedures in high level analysis.
Well, that's enough 'Psychology and Forensic Analysis 101' for today.
Have you not got a life or something? :)
Appendix 2. Magnetic Force Microscopy (MFM)
I had the chance to see this process first hand, a good friend of mine demonstrated the following technique using an Open-Mosix cluster. The process was mainly based on the statistical recomposition of data sectors. The usage of highly discreet array-based statistical recomposition can uncover data.
Its based on the fact that a harddisk has certain known read/write characteristics that effect the position of molecules on a disk platter. Its important to note, we are not trying to uncover previous data directly, but rather explore variations in memory.
An MFM series of images of the disk platter is produced and converted to 3D. Then each sector's dimensional values are offset against the values provided by the known characteristics of the read/write heads. Each binary bit is treated independently.
As most can see, this method bypasses encryption by focusing on physical position. After this, it is simply a matter of computing variations and attempting to match patterns. Not one bit of cipher breaking, makes you wonder about the advice security companies provide and who exactly qualified them in 'IT Security'?
Most people do not realize they are self-appointed and even wrote the texts for 'security classes'.
The technique came from the "The Catch 22 Guide To Business" and a chapter entitled "Recursive Algorithms& Global Expansion", with cross-references to the Ferengi 'Rules of Acquisition'. :)
Comments
Display the following 55 comments