IndiaDivine.org

doctordawg's comment on Windows flaw spawns dozens of attacks

Guest guest

By Dawn Kawamoto

URL: http://news.zdnet.com/2100-1009_22-6016140.html

A flaw in Microsoft's Windows Meta File has spawned dozens of attacks since its discovery last week, security experts warned Tuesday.

The attacks so far have been wide-ranging, the experts said, citing everything from an MSN Messenger worm to spam that attempts to lure people to click on malicious Web sites.

The vulnerability can be easily exploited in Windows XP with Service Pack 1 and 2, as well as Windows Server 2003, security experts said. Older versions of the operating system, including Windows 2000 and Windows ME, are also at risk, though in those cases the flaw is more difficult to exploit, said Mikko Hypponen, chief research officer at F-Secure.

"Right now, the situation is bad, but it could be much worse. The potential for problems is bigger than we have ever seen," Hypponen said. "We estimate 99 percent of computers worldwide are vulnerable to this attack."

The Windows Meta File flaw uses images to execute arbitrary code, according to a security advisory issued by the Internet Storm Center. It can be exploited just by the user viewing a malicious image.

Microsoft plans to release a fix for the WMF vulnerability as part of its monthly security update cycle on Jan. 10, according to the company's security advisory.

"We have seen dozens of different attacks using this vulnerability since Dec. 27," Hypponen said. "One exploits image files and tries to get users to click on them; another is an MSN Messenger worm that will send the worm to people on your buddy list, and we have seen several spam attacks."

He added that some of the spam attacks have been targeted to select groups, such as one that purports to come from the U.S. Department of State. The malicious e-mail tries to lure the user to open a map attachment and will then download a Trojan horse. The exploit will open a backdoor on the user's system and allow sensitive files to be viewed.

The WMF flaw has already resulted in attacks such as the Exploit-WMF Trojan, which made the rounds last week.

Although Microsoft has not yet released a patch, security vendors such as F-Secure and the Internet Storm Center are noting Ilfak Guilfanov, a Russian security engineer, has released an unofficial fix that has been found to work.

"Ilfak Guilfanov has published a temporary fix which does not remove any functionality from the system," F-Secure noted in its daily security blog. "All pictures and thumbnails continue to work normally."

Security companies also are advising computer users to unregister the related "shimgvw.dll" portion of the Windows platform. Unregistering the dll, however, may also disable certain Windows functions and has not been thoroughly tested, according to a security advisory issued by Secunia.

Despite the potential for a large number of computer users to be affected by exploits related to this vulnerability, Hypponen said the chances of a widespread outbreak from a virus, as people return to work from the long holiday, are unlikely.

"We are still far away from a massive virus," he said. "Most people get attacked by this if they (search for something on the Internet) and get a million results. They may that goes to a malicious Web site or one that has been hacked, and then get infected."


TalkBack 83 of 101:

AntiVir caught it already

Last weekend I was surfing some new MILF sites (come on, like no one else does this) and AntiVir popped up with that message, too, and denied access to the offending image. Aren't the real guys at Norton and McAfee already hip to this, too? My rig works fine, my ZoneAlarm isn't complaining... why are the oompaloompas at Microsoft tweazing over this? My conspiratorial mind says they are setting us up for a virtual 9/11 event to clamp down on the internet, especially after their QUOTE on Reuters today that said "in the mean time, be careful not to visit unfamiliar websites." ROTFLMAO!!!! God, I woke the whole neighborhood I was laughing so loud! Peace out all.

Posted by: doctordawg Posted on: 01/04/06

 

TalkBack 84 of 101:


 

Microsoft writes the viruses

I've had the sneaking suspicion for quite some time that Microsoft actually writes a lot of the viruses that people get infected with; what better way to make more money from your friendly neighborhood anti-virus software companies...

Also check this out, it may open your eyes to some interesting information about your PeeC boxes:

http://www.saveourcivilliberties.org/en/2004/09/682.shtml

M$ Windows XP Professional Bugging Device?

 


M$ Windows XP Professional Bugging Device?

By Mark McCarron

(MarkMcCarron_ITT, angelofd7)

Introduction

Context, context, context. I was sick of hearing that phrase from Egyptologists in regards to my research on the Great Pyramid. They never could grasp that context is irrelevant to the scientific process or methodology; science examines facts, not interpretation. In saying that, they taught me a lot; it is funny how the entire aspect of a thing or situation can change, just by applying a different context to it.

In this article, I intend to do just that, with Microsoft's Windows Operating System.

If you have ever wondered if:

1. Microsoft was secretly spying on end-user machines?
2. Big Brother deployment scenarios were real?
3. M$ Windows was a type of bugging device?

Then this is for you, my friend: the 'Top-47 Windows bugging functions', and then some. There is also an appendix on forensic methodology and Magnetic Force Microscopy (MFM).

All sing... 'There may be trouble ahead...' :)

If You Could See, What I Can See, Reinstalling Windows...

In general, to people in the western hemisphere, bugging devices, parabolic microphones, signal tracing, satellite tracking and secret government agencies performing highly illegal activities on a covert basis are the source of inspiration for novels, movies and theater, rather than any real event.

These devices and activities have been part-and-parcel of my life (and almost anyone else's in Northern Ireland) from the moment of birth, and conspiracy theories are simply facts of daily life that could put any of my friends, or myself, into an early grave. Therefore, it is only natural for me to see things in a military context, and this provides a very interesting picture of odd behavior at Redmond and various other big names throughout the US.

Microsoft is of the 'opinion' that its software is an operating system with a wide range of 'features'. As I am about to demonstrate, that is simply a matter of 'how you see things' and the context in which they are highlighted. This is a very subjective experience and different people tend to see different things, simply because their own personal context is automatically applied, a 'bias', if you will.

The point to hold in the front of your mind throughout reading this article is the fact that the 'features' and their descriptions presented here are accurate representations of Windows functions in their own right; however, any suggestion as to motivation would be speculation.

More clearly, Microsoft has presented its own 'opinion' on the various features within Windows; other 'opinions' do exist and this article presents one of them, in a hypothetical scenario. For this analysis to hold, the hypothetical scenario must be demonstrated to be consistent throughout the design of the OS, not just its usage.

The style and tone throughout is based upon the working hypothesis that Microsoft has altered the Windows OS to reflect US military requirements and that its primary role is that of a modern variation of a 'bugging device'. It is simply taken as a given fact throughout.

This clarification allows for a more direct style of writing and legal protection for publishers. In addition to this, the views expressed in this report are the author's and have nothing whatsoever to do with anyone else.

There are no accusations being made; this is presented only as a 'working hypothesis', at all times, to allow for the fullest exploration of this particular train of thought. If the hypothesis holds, then we will expand it a little, to place it in proper context and draw the conclusion from the entire investigation.


Report On Analysis of Microsoft Windows XP

1. Start -> Search :)

Each and every time a search is conducted using the search option under the start button on Windows XP, the system automatically checks if you're online and transmits information directly to Microsoft.

This is done without informing the end-user in any fashion, nor providing a clear method to disable it. It has been hidden by design. In technical terms, a form of Trojan.

A good application-level, stateful firewall will catch this communication attempt.

Done by design.

2. Help System, F1

When accessing Microsoft Help systems through the F1 key, a communication attempt to Microsoft's ActiveX site is made.

Done by design.

3. Microsoft Backup

Designed to bypass all security, even ownership rights of a drive. Try it.

Done by design.

4. Process Viewer (Task Manager)

No mapping to executable file, nor will it show all running processes. Designed to hide important information required for determining system infections and sources of network data transmission.

Done by design.

5. Dr Watson

This used to load up with information on DLLs that had been hooked. Hooked DLLs are used to intercept keystrokes, etc. Microsoft removed end-users' capability to see this. It now generates a simple message box.

Done by design.

6. The Windows Registry

Now, on the face of it, this may seem like a good idea; however, as any developer will tell you, they only use it because the commands are quick, simple and, when it comes down to it, security is mainly the end-user's responsibility.

It would be much faster, simpler and provide greater system security to use an ini file. Linux uses this approach with config files. An entire database must be examined each time a request is made. This is why Windows slows down after you begin installing applications. The registry grows and more cycles must be dedicated to completing each query.

When you multiply this by the wide range of systems accessing the registry, it is clear to see that, as a design architecture, it is completely moronic.

That is, until it is examined from another perspective; try the following perspectives as examples:

a. HKEY_CURRENT_USER - psychological profile of logged on user, real-time usage focus.

b. HKEY_LOCAL_MACHINE - detailed reporting of hardware and a wide range of traceable unique identifiers.

c. HKEY_USERS - psychological profiling of all users, post-forensic usage focus.

d. HKEY_CURRENT_CONFIG - advanced psychological profiling based on a ranking system of 'psychologically-based options' embedded throughout the system. This could include things like favorite colour, pictures, sounds, etc.

Throughout the registry are an extensive amount of MRUs. These areas store your recently accessed documents for each application and other information. Now, instead of having a single area where these are stored, for both rapid access and cleaning purposes, Windows was designed to fragment these throughout the registry database.

Firstly, this makes cleaning the registry a specialized job, as a mistake can corrupt Windows. Secondly, and most importantly, this is what we call 'fragmentation'.

Now 'fragmentation' is a well known source of problems when accessing information. Many will point out that the registry is a hierarchy and that this eliminates fragmentation. I must point out that I am referring to the 'entire structure of recorded information' and not the technical definition of fragments of data.

By fragmenting the various forms of 'recorded information' throughout the registry, it can take upwards of a week to list every key that should be cleaned. The entire process must be repeated each time a new application is installed, to determine what exactly was placed into the registry. Windows also uses an extensive amount of MRUs that have been altered to an 'unreadable' format. This would leave 95% of users completely unaware of what Microsoft was recording.

There is no need or requirement for a registry, other than to provide central access to 'private information'. As a programming architecture model, the design borders on the moronic and is directly opposing every known best practice in programming.

The true motivations behind the registry design are quite clear and highly specific.

Done by design.


7. Temporary Files

Temporary files are retained under 'Documents and Settings' for a prolonged period of time and in most cases require manual clearance.

Done by design.

8. Recycle Bin

Even when told not to send deleted items to the recycle bin, it is used anyway, only without the prompt. This generates a ghost copy on your hard disk of any deleted files.

Two copies are better than one for recovery purposes, especially where Magnetic Force Microscopy is concerned. The two copies can be referenced against each other for rapid recovery procedures; it's an attempt to eliminate bit errors in overwritten files.

The more ghost images, the better the chances are for fast and complete recovery during post-forensic examination.

Done by design.

9. Recent Files

Only a small portion/subset of the recent files accessed is displayed in the 'Documents' section under the start button. The folder that contains the shortcuts has a far longer list hidden from general view.

For example, 11 files are listed under the Start button's 'My Documents'; however, 'My Recent Files' contains 17 entries. The other 6 came from my last list of files, which I deleted using the 'Clear' button.

Done by design.

10. NotePad

Windows XP versions cannot word wrap properly and have been redesigned to make their usage as frustrating as possible. For example, when saving a text-only file, the screen resets the position of the text to the line where the cursor is at.

This takes specific coding and is not something that happens by accident. The idea is to push people towards Microsoft Office, where all security can be breached and copies written, at will, across your drive.

Done by design.

11. Swap Space/Virtual Memory/Page File

Regardless of how much memory is in your system, the page file cannot be disabled. Its main function is to swap memory to disk and allow memory to be freed for running applications. With a large amount of RAM, this function becomes redundant, except under exceptional circumstances.

What is the useful purpose of a 2MB page file? Other than writing data across the drive in 2MB chunks, none.

It's designed to flush encryption keys and sensitive information to disk. This also generates ghost images which can be retrieved.

Done by design.

12. Firewall

Incoming firewall only. This allows spyware to transmit information without any problems or detection. 90% of spyware information is transmitted to and shared throughout the US.

Done by design.

13. Memory Usage

Designed to use large amounts of memory to drive the hardware industry's sales of components. For Windows XP to function correctly, it requires at least 1GB RAM and at least two physical drives on separate IDE channels or SCSI interface I/O.

Even then, it hogs everything and leaves random fragments in memory. These fragments or 'memory leaks' are then flushed to disk, in an effort to capture some information from running applications, encrypted viewers, etc.

The ever expanding registry is designed to keep up with ever expanding hardware and slow the system. End users think programs have gotten more powerful and they must upgrade. It's simply that more and more cycles are dedicated to various expanding databases, each and every boot.

Done by design.

14. Automatic Updates

Can allow remote installation of any form of software at Microsoft's whim.

Done by design.

15. Raw Sockets

Microsoft prevents new protocols being developed on Windows to prevent usage of nonstandard protocols. This allows for easy access to information. It also prevents the disabling of Microsoft's TCP/IP stack, which, for all we know, could have 30,000 extra 'ports' coded into it.

Windows 2000 was actually programmed to reject any driver that would allow custom protocols to be developed without Microsoft certification. Microsoft claimed this was a 'mistake'.

Now let's all try to picture the conversation at Microsoft on this one, shall we?

{In an office at Redmond...}

Executive 1: '...my hand slipped and wrote 10 pages of code..., no wait...,
Executive 2: the dog coded it, ah nuts..., erm...,
Executive 1: Can we blame Bin Laden?'

Raw socket access also bypasses every known firewall, from Sygate to Zone Alarm. The reason being that these applications rely on the Windows message/event handling and Microsoft designed Raw Sockets not to report to this layer.

Komodia produce a TCP/IP Packet Crafter; install that and Sygate's Personal Firewall on WinXP service pack one. Craft a few packets to see this in action. Nice trojan tool M$.

Reverse psychology was employed, although not a very good example of it, in Microsoft's deployment decision to support raw sockets. It was to get people to focus on a 'hoax' alert, rather than the high level of security such a system would provide.

The truth is, raw sockets are not required; however, they just make life simpler. For real time software, the overhead presented by TCP is too great and the effects can be seen in excessive lag during online gaming or media playback. A streamlined custom stack allows for faster processing of the IP packet and over 1000% improvement to connectivity management compared to TCP encapsulation.

Many developers do not realize that TCP is not required and that custom packets can be encapsulated within IP alone. IP routes the packet from A to B, and TCP provides a data path encapsulated within the IP packet. This allows Internet routing to change without affecting application support. Custom stack creation is a 'walk in the park'; all it involves is parsing a binary stream and executing functions based on flags or values, and it also, automatically, supports the OSI/DoD model.

By breaking support for raw sockets on Windows 2000, Microsoft manipulated the entire global market, as no developer could be assured their applications would function after 12-24 months. It also provided a way for Microsoft to eliminate tools such as 'Ethereal' that could inspect the communications of a Windows system.

An active attempt at blocking end-users knowing what information a Windows system was transmitting, as Microsoft is aware that over 80% of end users only have a single PC.

Done by design.


16. Remote Access Bugs

This is a good example of 'context and highlighting' (perspective). I want you to consider this statement:

Is a remote access bug not the same thing as a backdoor access code?

Write a detailed essay on your conclusion, no less than 30,000 words. You should consider statements such as 'buffer overflow executes code', 'invalid datagram shuts down PC', etc. :)

OpenBSD has no such remote exploits and no money.

Done by design.

17. Music Tasks

A nice big link to 'Shop for Music Online'. This is a direction to US based enterprises and also a violation of the Microsoft EULA, as it mentions nothing whatsoever in regards to Microsoft Windows being an advertising supported platform.

No matter how small the feature, that is still what it represents. If Microsoft is in breach of its EULA, does that invalidate it?

Done by design.

18. Windows Media Player

No way to disable automatic check for updates. This allows any form of code Microsoft chooses to be used as an upgrade. Defaults to uniquely identifying an end user and stored media.

Certain websites warn their visitors that using Windows Media Player version 7 on their websites will reveal your 'personal information' to Microsoft. An example can be located here:

http://ekel.com/audio

Have you ever wondered how p2p information on end users is gathered? Think about it the next time you connect to a commercial Internet radio, video or media service.

Done by design.

19. Alternate Data Streams

This 'feature' of Microsoft Windows relates to how information is stored on your hard drive. Under NTFS, not only is there the file, but there is a second, hidden aspect to each file. This hidden aspect is stored separately on your hard drive and not as part of the file.

I suppose the term 'Alternate Data Streams' makes better business sense than 'hidden information gathering process combined with standard file functions'. :)

All additional information to a file, such as date/time stamps, file name, size, etc. is stored in this layer. Not only this, but so is the thumbnail cache of all images viewed by the system. This 'feature' is hidden by design and requires either a 1 month long 'disk nuke' (for an average 80GB HD) or physical destruction of the disk platters to remove.

Physical destruction is recommended, as it requires specific manufacturers' codes to access bad blocks, internal scratch areas and internal swap/cache areas of the drive. Even with the codes, certain problems can arise from unreadable sectors which may contain copies of sensitive information.

Nothing beats a nice afternoon with a screwdriver and grinder. :)

The caching can be disabled; however, Microsoft has made this as 'obscure' as possible. Microsoft Windows also does not explain the function of 'Do not cache Thumbnails'.

It is aware 90% of end-users have the technical aptitude of 'a banana with a drink problem' and would never grasp the implications, let alone understand.

Done by design.

20. Stability

Microsoft Windows is designed to collapse upon extensive number crunching of large arrays of floating point calculations. This would prevent nuclear modelling, physics modelling, and genetic modeling. These three aspects can produce nuclear, alternative and biological weapons.

I don't know about you, but this 'feature' I can live with, or couldn't live without, for very long. :)

Done by design.

21. Internet Explorer 'Features'

MSN Search

When Internet Explorer fails to locate a web address it initiates a search through Microsoft. Therefore, every failed access attempt is sent to Microsoft, with all your system information in the X header structure, cleverly disguised as 'assistance'.

Done by design.

22. Temporary Internet Files

Without extensive reconfiguration of Windows, end users will not see the real files. Instead they see a database generated representation drawn from a file called index.dat.

Even the controls to access the drive are hidden with an obscure setting called 'Simple File Sharing (Recommended)'. Windows XP does not always delete the actual files from your hard disk. Even the emulated DOS reports the database, unless Windows is substantially reconfigured.

Windows goes to great lengths to prevent this reconfiguration. Also, many do not know there is no need for this cache, other than to go back to pages. Its main role is to maintain a record of users' activities and generate ghost images throughout the drive.

Done by design.

23. Index.dat

A database file of the contents of an area of the drive, including deleted files. In the 'Temporary Internet Files' it records date, time, Internet location and file name information of downloaded graphics/images and sites accessed, along with user IDs, in a nice big list.

There are various 'index.dat' files throughout Windows; a dat file is generally a database. A user's activities can be recorded for several weeks and user names (etc.) recovered. The index.dat file retains information about recently deleted files and Microsoft has failed to provide any reasonable explanation.

You cannot provide what does not exist; there is no genuine reason to retain deleted file information other than deliberately recording an end user's activities for forensic analysis.

This is used for rapid identification, file recovery and time-plotting of a user's activities. A small application produces a timetable of a user's usage, referenced against the recorded information for each second of activity.

On large networks, this can be used to verify each member of staff's location and movement across an entire infrastructure; this type of output is normally rendered in a full 3D layout of the target building.

Done by design.

24. Cookies

The official explanation for cookies is to offload information from the server to the client. This can be authentication, preferences, etc. As you can see, it's just a cheap solution, designed to cut costs.

When costs are cut, so are corners, and in this case a corner that presents a major threat to information security. Cookies retain a lot of information such as logon IDs. In fact, the first cookie I look for is generally passport.com. This cookie will have the last recorded hotmail address stored within it. Combined with index.dat information, I can tell the following:

1. Windows logon ID of the person involved
2. The hotmail email address
3. The date and time the account was accessed
4. External graphics viewed and the sources of those graphics
5. The machine from which it was accessed.
6. The duration of viewing.
7. And generally, the individual's sexual, political, social, personal and religious preferences based upon the information accessed.

That's with only two file sections.

Cookies can also be accessed remotely and are used to track the movements of end users as they move from site to site. Passport, Microsoft's common logon system, relates itself against the Windows account by default.

There is no need for this; it is these 'subtle functional intrusions' that Microsoft prefers. I honestly do not know what is going on in these people's heads, to think for one second that the world would spot this a million miles off. It really does show the level of intelligence these people have; my dog demonstrates more social engineering skills when looking for food.

Done by design (very poorly executed).

25. Auto-Complete

Designed to record search terms, web addresses, and anything else it can get its grubby little digital hands on, for rapid post-forensic retrieval.

Done by design.

26. MSN Messenger

Microsoft has been retaining each person's deleted contacts from Messenger. M$ has been monitored in this area and is known to retain everyone's deleted contacts for 3 years, at least.

This could be seen using a console-based version of MSN Messenger under Linux. Microsoft has since changed the protocols, so I am unaware if you can still see some of the information M$ retains on over 150 million people.

Messenger is also activated on accessing Hotmail. Microsoft claims to be using the 'features' provided by Messenger and will not allow it to be disabled. Now, as millions access M$ Hotmail without Messenger, I must seriously question this behavior.

The 'features' provided by MSN Messenger are the transmission and reception of typed text and files. So, Microsoft has stated that it is 'transmitting typed text and files', to and from end users' machines, when Hotmail is being accessed.

Just cleverly worded.

Done by design.

27. Web-Cams and Microphones

These devices can be remotely activated, providing visual and audio feedback from the target subject. There is also no way of telling if your devices have been remotely activated. These features are demonstrated in 'proof of concept' applications such as NetBus, etc.

With raw sockets (or a driver) this information can bypass your firewall without any problems.


Microsoft Windows XP Services

 

 

1. Application Layer Gateway Service

 

Microsoft's Description:

Provides support for 3rd party protocol plug-ins for Internet Connection

Sharing and the Internet Connection Firewall,,Manual,Local Service

 

Alternative Description:

This thing just loves making remote connections and accepting them. Set

this up in your firewall to ask each time using ADSL or higher.

 

Have fun. :)

 

Done by design.

 

 

2. Automatic Updates

 

Microsoft's Description:

Enables the download and installation of critical Windows updates. If

the service is disabled, the operating system can be manually updated at

the Windows Update Web site.,,Disabled,Local System

 

Alternative Description:

Enabled by default. Enables Microsoft to distribute and incorporate any

'feature', at will. Not the greatest thing in the Universe to be allowing.

 

Done by design.

 

 

3. Computer Browser

 

Microsoft's Description:

Maintains an updated list of computers on the network and supplies this

list to computers designated as browsers. If this service is stopped,

this list will not be updated or maintained. If this service is

disabled, any services that explicitly depend on it will fail to

start.,Started,Automatic,Local System

 

Alternative Description:

This stupid design will breach security. The only computer a client

needs to know, is the server and it should coordinate everything.

 

Why does Microsoft Windows identify and map every computer on the network?

 

The design principal is based upon 'remote orientation' requirements,

using insecure clients as targets. Servers would be difficult to

compromise and arouse to much suspicion.

 

The flow of information on any network is about 'the need to know'.

Clients do not need to know any other computer, other than the server.

The server acts as a 'proxy' to the entire network, data transfers may,

optionally, be proxied too.

 

Done by design.

 

 

4. Fast User Switching Compatibility

 

Microsoft's Description:

Provides management for applications that require assistance in a

multiple user environment.,,Disabled,Local System

 

Alternative Description:

Switches to every account, but the Administrator account. In fact,

unless you know exactly what your doing, an end user cannot access the

administrator account.

 

Post-Forensics can, that includes your Windows Encrypting Filesystem.

Cheers M$.

 

Done by design.

 

 

5. IMAPI CD-Burning COM Service

 

Microsoft's Description:

Manages CD recording using Image Mastering Applications Programming

Interface (IMAPI). If this service is stopped, this computer will be

unable to record CDs. If this service is disabled, any services that

explicitly depend on it will fail to start.,,Manual,Local System

 

 

Alternative Description:

Part of CD Burning and this thing is a nightmare. Any CD you make, it

first makes a copy to the system drive, then only to use a scratch drive

after that. Why?

 

That action is a waste of time. This is designed to generate 'ghost

images' that can be recovered by Magnetic Force Microscopy. It is

unlikely that the target subject will destroy their boot drive. Also,

pointing the scratch to another drive, just makes more ghost copies.

 

Not only that, but I have caught Windows XP, pointing me to the CD

burning directory when viewing CDs. That would suggest a cached image of

some form.

 

Done by design.

 

 

6. Indexing Service

 

Microsoft's Description:

Indexes contents and properties of files on local and remote computers;

provides rapid access to files through flexible querying language.

,,Manual,Local System

 

Alternative Description:

A search using the DOS emulator will run like a bullet. Windows search,

however, will take its time unless the indexing service is activated.

This provides quick post-forensic and real-time access to files,

including remote files.

 

This behavior is by design. :)

 

 

7. Internet Connection Firewall(ICF)/Internet Connection Sharing(ICS)

 

Microsoft's Description:

Provides network address translation, addressing, name resolution and/or

intrusion prevention services for a home or small office

network.,,Manual,Local System

 

Alternative Description:

First off, information is sent to both Microsoft and to a range

identified as belonging to ARIN whenever a PC connects to the Internet.

Random connection attempts are made by Explorer, NT Kernel, Internet

Explorer, Windows Help, svchost.exe, csrss.exe and numerous others. I

have even caught calc.exe (The calculator) attempting to initiate a

remote connection, now and again. Without reverse engineering, I was

unable to tell if it really was the applications, or a subsystem calling

the applications. Very odd.

 

Microsoft Windows defaults to sharing your files using SAMBA across the

Internet. This even bypasses most domestic firewalls or security setups,

unless specific options are set in the firewall. This allows for remote

access to files, documents, etc. without breaching any known legal

regulations.

 

Try entering random IP addresses into your 'My Network Places' window

when online, preceded by the '\\' network identifier.

 

i.e. '\\91.111.2.80', or '\\222.54.88.100'

 

Within about 30 attempts (of a good netblock), you should get a remote

machine to share files with you, in the same manner as a LAN setup.

Expect your machine to freeze when performing any remote operations for

up to 4 minutes at a time (i.e. such as right-clicking a file).

 

The reason for this behavior is that native SAMBA is designed for 10Mbit

networks (at least) and is therefore a very bulky protocol. Also, the

remote host may be using their Internet connection, have a low bandwidth

connection or performing processor intensive tasks.

 

A quick examination of Sygate's instructions on how to use their firewall

with ICS reveals that your kernel cannot be blocked, nor can several

other systems. These systems are not required on a LAN, so Microsoft has

designed these systems to breach security.

 

There is no difference between TCP/IP over a LAN and the Internet, other

than settings. As a programmer I know Network Address Translation is

simply a case of storage and substitution of IP addresses, with a few

whistles and bells. There is no excuse for these systems to be exposed

to the network.

 

Done by design.

 

 

8. Messenger

 

Microsoft's Description:

Transmits net send and Alerter service messages between clients and

servers. This service is not related to Windows Messenger. If this

service is stopped, Alerter messages will not be transmitted. If this

service is disabled, any services that explicitly depend on it will fail

to start.,,Disabled,Local System

 

Alternative Description:

Messages should only be broadcast, by and to, the main server. Having

this on every machine provides a method of transmitting real-time

keystroke intercept across the Internet. This service is also enabled by

default, even with the known Internet abuse of the function. This only

indicates design manipulation.

 

Done by design.

 

 

9. Network Connections

 

Microsoft's Description:

Manages objects in the Network and Dial-Up Connections folder, in which

you can view both local area network and remote

connections.,Started,Manual,Local System

 

Alternative Description:

Only weakens security by providing a central reporting mechanism. These

aspects have been combined by design, with no logical requirement for

the function. Again, a single-point of failure is introduced into the

system.

 

Done by design.

 

 

10. Protected Storage

 

Microsoft's Description:

Provides protected storage for sensitive data, such as private keys, to

prevent access by unauthorized services, processes, or

users.,Started,Automatic,Local System

 

Alternative Description:

Also provides quick access to this information. Swift breaking of

security. Sweet. :)

 

Done by design.

 

 

11. Remote Procedure Call (RPC)

 

Microsoft's Description:

Provides the endpoint mapper and other miscellaneous RPC

services.,Started,Automatic,Local System

 

Alternative Description:

May the saints preserve us from RPC. RPC provides remote computers with

the ability to operate your PC and listens for these connections on the

network/Internet.

 

What sort of idiotic decision making was behind an RPC service that

cannot be disabled? Why not just come into my livingroom M$? You're

practically there anyway!

 

(I'm just losing my head now! This is disgraceful.)

 

Done by design.

 

 

12. Remote Registry

 

Microsoft's Description:

Enables remote users to modify registry settings on this computer. If

this service is stopped, the registry can be modified only by users on

this computer. If this service is disabled, any services that explicitly

depend on it will fail to start.,,Disabled,Local Service

 

Alternative Description:

This nifty service is enabled by default. It provides remote access to

the windows registry, allowing run-time modifications to be made to your

PC. Hmmm....what an excellent idea! Just what I always needed, a way to

'tweak' my running spy applications remotely.

 

I knew M$ was thinking about me, I'm touched, or at least they're close

enough to reach out and touch me. :)

 

Done by design.

 

 

13. Server

 

Microsoft's Description:

Supports file, print, and named-pipe sharing over the network for this

computer. If this service is stopped, these functions will be

unavailable. If this service is disabled, any services that explicitly

depend on it will fail to start.,Started,Automatic,Local System

 

Alternative Description:

This is not required, it provides a central management for open files

and printing operations. It also provides a method of remotely

monitoring a user's activities.

 

This 'service' (ha!) provides a single-point of failure for an entire

network. It is linked to the authentication, so if the server collapses,

so does the entire network, as this is managed by the server. Again,

security and functionality have been manipulated to focus on information

retrieval and access.

 

Done by design.

 

 

14. SSDP Discovery Service

 

Microsoft's Description:

Enables discovery of UPnP devices on your home network.,,Disabled,Local

Service

 

Alternative Description:

What in God's name for? This is part of the 'remote orientation'

facilities encoded into Windows, allowing remote hackers the ability to

explore the network swiftly, reducing chances of alarm and excessive

activity through exploration.

 

Done by design.

 

 

15. System Event Notification

 

Microsoft's Description:

Tracks system events such as Windows logon, network, and power events.

Notifies COM+ Event System subscribers of these

events.,Started,Automatic,Local System

 

Alternative Description:

No way of knowing, without full reverse engineering, how many

undocumented events exist throughout Windows. Windows could have an

entire additional level of event reporting.

 

Event and thread management in Windows is very suspicious due to its

sluggish and sometimes unpredictable behavior. Compensation for this is

normally done by 'peeking' into the message queue; however, sometimes it

simply refuses to work. This would tend to suggest the interaction of an

unknown component (or several components) with the event system producing

conflicts.

 

Done by design.

 

 

16. System Restore Service

 

Microsoft's Description:

Performs system restore functions. To stop service, turn off System

Restore from the System Restore tab in My

Computer->Properties,,Automatic,Local System

 

Alternative Description:

Keeps ghost copies of various forms of cached information in a nice

quick accessible format. We can't let our hard earned information go

down the pan now. :)

 

Done by design.

 

 

17. Terminal Services

 

Microsoft's Description:

Allows multiple users to be connected interactively to a machine as well

as the display of desktops and applications to remote computers. The

underpinning of Remote Desktop (including RD for Administrators), Fast

User Switching, Remote Assistance, and Terminal Server.,, Disabled,Local

System

 

Alternative Description:

I just bet it's interactive and highly 'functional' too. This is enabled

by default, providing a remote desktop for any hacker. Wow, what a

service M$.

 

I'll agree with you on this one, that is a 'service and a half'!

 

Done by design.

 

 

18. Windows Time

 

Microsoft's Description:

Maintains date and time synchronization on all clients and servers in

the network. If this service is stopped, date and time synchronization

will be unavailable. If this service is disabled, any services that

explicitly depend on it will fail to start.

,,Disabled,Local System

 

Alternative Description:

Sends information to Microsoft and keeps your date and time stamps nice

and fresh for post-forensic analysis. At least they're tidy when they

invade your privacy. :)

 

Done by design.

 

 

19. Wireless Zero Configuration

 

Microsoft's Description:

Provides automatic configuration for the 802.11 adapters,,Disabled,Local

System

 

Alternative Description:

Zero configuration means zero security and that's exactly what you get.

The entire network is exposed to anyone within reception range.

Therefore, if you are using this in your home environment, that can mean

remote monitoring from up to 3 km using proper equipment, or someone else

using your Internet connection from a range of around 50-80m radius.

 

Even with security, the IEEE specification for WEP was clearly

manipulated and weakened by interested parties. There is no other

acceptable excuse for that level of incompetence.

 

Done by design.

 

 

20. Microsoft Works

 

Breach of trade descriptions act? Microsoft 'probably' Works. :)

 

Really, it is an 'implied' suggestion based on the play of words. It can

be described as 'psychologically misleading'; human psychology is

extremely complex, even if most humans are not.

 

This implied statement is registered at a deeper level of the brain and

assigned its true meaning. Otherwise, you would have never considered

the relationship in the first place.

 

One way of describing this is, 'marketing', the accurate description is

'subliminal programming', it does not matter how slight the incident.

 

This is very similar, in style, to the 'French Fries' and 'Freedom

Fries' incident in the US, used to blind the US citizens from war

opposition, through manipulation of patriotic beliefs.

 

Shameful.

 

Done by design.

 

 

 

 

Windows Security, Not What You Think

 

Since all security products that operate on the Microsoft Platform are

both designed from, and encapsulated by the OS, then it is ultimately

Microsoft Windows that is providing your security and not your firewall,

etc.

 

So, any product that claims to provide security FOR windows, is simply

reflecting the limited understanding the company has of what it is doing.

 

I bet that will inspire confidence in computer security. :)

 

The accurate description is that M$ Windows, secures itself, through

execution of a 3rd party application, which M$ Windows must inform, to

provide security. As we saw in 'Raw Sockets', this does not always

happen. Linux does not have this problem, as the system is a mosaic

rather than a full encapsulation, or sandbox environment.

 

Therefore, even with all the security, in the known Universe, installed

on a Microsoft Windows Platform, it is still the responsibility of

Windows to inform the security products of each event happening. If

Microsoft Windows fails to report, or hides certain messages/events,

then your security software becomes 100% completely redundant.

 

This is a source of great concern with Microsoft's plans to encrypt the

system area of new versions of Microsoft Windows. Somehow, I don't think

this system, nor any variation of it, will ever see the light of day.

 

If this was to happen (the encrypted system), instead of an EULA, I

think Microsoft Windows should be required to read end-users their

rights. Microsoft is not the Law, nor is it above it, in any way.

 

You have the right to be bugged, click OK to continue! :)

 

 

Bugs Of The Third Kind

 

How long has Microsoft been programming Windows for?

 

Ten, maybe fifteen years, and we are seriously asked to believe that a

company with the financial resources of Microsoft cannot create a

bug-free Operating System?

 

Companies with lesser resources than Microsoft provide such systems for

Air-Traffic control and medical purposes (Heart Monitors, etc). A

perfect example here is OpenBSD. OpenBSD is a free Operating System and

with very little funding (nowhere near what Microsoft has, in a million

years) the only remote exploits you will find, anywhere in the world,

will be at least 12 months old.

 

Most of Microsoft's problems are at least that old before anyone decides

to analyze them, let alone, fix them.

 

This is a very clear example, honestly, there is no acceptable excuse

here. If Microsoft claims 'compatibility', then I simply refer them to

the current deployment of service packs that destroy 'compatibility'.

 

Also, the important thing to business is their data and data cannot have

'compatibility' issues. It's simply a binary stream that can be used on

any known operating system.

 

 

Wild Speculation On Codenaming Strategy

 

Microsoft has had a consistent naming policy for its operating systems,

in the form of city names. Code names for various releases have

included; Chicago, Memphis, etc.

 

Now all this changed with the arrival of Windows XP. Its codename was

'whistler' and the next version of Windows is codenamed 'LongHorn'. I

was interested in the reasoning behind the switch. I was thinking that

these codenames could be based on one, or more, of the following points:

 

1. A play on the term 'whistleblower'?

2. A play on a reference to 'Pinocchio'? (tells stories, reference to

Long (Nose) and Horn (Whistle Blower))

3. Horn, as in a form of 'early warning system' and Long because of its

distributed nature?

 

 

Can Windows Be Secured?

 

Yes, with FDisk. (Recommended) :) Otherwise, due to its encapsulated

nature, the answer is a pointblank, no.

 

 

Additional Observations

 

All we need now is Intel's 'processing and storage' layer to the

Internet and we have a full-scale, 100% genuine deployment of a Big

Brother scenario. Thanks Intel, but, we'll pass on that one, nice to see

you are thinking of everybody for a change. :)

 

If anyone is wondering what on Earth is going on, well Congress went a

little nuts passing resolutions, without its normal due caution. Looking

down the barrel of a gun 24/7, does not provide the ideal circumstances

for making these decisions, nor the environment for full, open debate,

for security reasons. As such, mistakes can only be expected; Congress

is still only human, despite the rumors.

 

I am just worried that this is the entire intention, due to Microsoft's

modifications, its software predates 9/11, so it could not use 9/11 as

an excuse. I wouldn't like to consider the implications of that

statement 'being inaccurate'.

 

I know many readers would enjoy this analysis taken further, however,

it is well beyond the scope of this report. It is also an area I feel is

best left to the authorities.

 

Alterations to M$ Windows also coincide with antitrust cases and the

reversal of the ruling to split Microsoft into two companies. This leads

to three important questions:

 

1. Was Microsoft hijacked by the US government, CIA or NSA?

2. Is this why M$ Windows was altered?

3. What would the suggested reason be for military adaptations to M$

Windows prior to 9/11?

4. Why 3 Operating Systems (ME, 2000 and XP) between 1999-2001?

 

I only mention this to be fair, rather than shoot first, ask questions

later. I'm a Zen Buddhist and politics, ain't my bag baby. :)

 

Google's ranking methods have come under question recently and in the

context of this report, I think the following will speak volumes for itself:

 

Search for the term 'Book'. Conducted September 11th, 2004.

 

Top 10 results from Google.com

 

1. US

Barnes & Noble.com, 6000 Freeport Ave - Suite 101, Memphis, TN 38141.

2. US

onlinebooks.library.upenn.edu, University of Pennsylvania

3. US

www.cia.gov, CIA - Factbook.

4. US

BookFinder.com - Berkley California

5. US

www.kbb.com - Orange County

6. US

www.worldbookonline.com - Country Wide, with world-wide divisions

7. US

www.superpages.com - 651 Canyon Drive. Coppell, TX 75019.

8. US

www.amazon.com

9. US

www.abebooks.com - Victoria B.C. with offices in Canada and Germany.

10. US

www.bookwire.com - 630 Central Ave. New Providence. New Jersey.

 

May I remind everyone that Google is behind nearly every major search

engine in the World. Is this what they describe as 'free enterprise' in

action?

 

I wouldn't like to see systematic manipulation of the global economy, if

that's the case. :)

 

 

A Small Bit of Advice

 

Linux...Open Source...Free...No worries.

 

 

Conclusion

 

Is America awake? Remember a small concept called Liberty? (It's French,

by the way.) I wonder how M$ is going to explain this one?

 

This one, I really must hear. :)

 

'...let's face the music and dance.'

 

 

 

Appendix Contents

 

Appendix 1. Symbiotic Duality

Appendix 2. Magnetic Force Microscopy (MFM)

 

 

 

Appendix 1. Symbiotic Duality

 

The first thing you must accept is that a product does not have to be

limited to a single purpose. The second thing to be accepted is that you

may not be aware of any other purpose, even to the extent of being

unaware of its primary purpose. Purpose comes from design, not usage.

 

Therefore, a product, such as Microsoft Windows can give the impression

of being an Operating System, whilst having been designed for an

entirely different purpose. This is the concept of 'Symbiotic Duality';

it is the basis of all manifestations of depth.

 

We'll look at a few quick examples:

 

a. When you fight with someone you love, you can hate them, yet still

love them.

 

This form of 'Symbiotic Duality' is experienced as a 'depth' of emotion; it

stems from the observed contrast, or gulf, between opposing emotions.

The greater the gulf between the conflicting emotions, the more intense

the experience.

 

It is from this understanding that the very accurate phrase 'Fighting

is a sign of love' is drawn. One cannot exist without the other

and 'Symbiotic Duality' is a fundamental step in every emotional response.

 

'Love thy Enemy'. It's not like I have much choice in the matter :)

 

b. To produce the effect of Depth in a scene.

 

An image contrasting near and far (large and small) produces the

illusion of depth. This is another form of 'Symbiotic Duality', the

contrast between near and far (large and small) produces an optical

illusion, both aspects function as one, from opposing sides.

 

c. A depth of character can be expressed in apparently conflicting

viewpoints. You may both agree and disagree with a situation, for

various reasons. For example, you may not agree with war, but you

recognize a time comes when it must occur, or, you may not agree with a

situation, but since it is happening, you may as well make the best of it.

 

The greater the depth of character, the greater the gulf between these

conflicting thoughts will be. A person who repeats the same

'statements or rhetoric' time and time again, has very little

intelligence and certainly lacks any depth of character, as they lack

the opposing viewpoint.

 

d. The gulf between the people and government leads to increased

anxiety, fear, paranoia and rejection.

 

The more 'stark' a contrast between government and the people, the

greater the 'perceived gulf' will become. This concept is explored in

George Orwell's book 'Animal Farm', it examines the 'US and Them'

principle, and unknowingly, touches on the 'Symbiotic Duality' of the

scenario.

 

That is, the common source of conflict between the two groups, the

'perceived gulf' that exists between them. By bridging that gulf, the

situation may have been avoided.

 

 

Why is 'Symbiotic Duality' important to understand?

 

'Symbiotic Duality', as you notice from each of the examples, ends up,

in one form or another, relating to the human biological make-up. The

simple reason for this is that 'depth' is a perception. If a 'Symbiotic

Duality' appears in an investigation, a human was involved in planning.

 

'Symbiotic Duality' can prove useful in forensics. By clearly

identifying the contrasting behaviors of any system, the design choices

made by humans and those dictated to by system requirements, can be

distinguished with repeatable methodology.

 

This separation allows for both reliable, rapid identification of human

design choices that fall outside compliance with system specifications,

or other known base references (i.e. another OS design) and for complete

focus to be given to only 'odd' human generated code.

 

Scientific investigators must operate by rigid procedures and methods,

the concept of 'Symbiotic Duality' provides such a structure, this

allows for repetition of the investigative procedure, rather than solely

relying on expert testimony and Police accounts.

 

This can be vital in cases where an officer/jury needs to follow the

scientific investigator at a technical level, collaborate on an

investigation in a distributed environment, or work through vast amounts

of information.

 

It provides a roadmap for the investigation, with one point naturally

flowing to another, or any amount of other points.

 

Let's say for example we were investigating an email application.

Firstly, we remove from the equation the basic technical functions of

the application. This leaves us with what can be described as a

'human-defined design'. That is, all the fluff added to an application

to make it 'user friendly' and operational.

 

From here, we list each of the 'features' and a description of their

functions. Next, we begin the 'Symbiotic Duality' analysis, by

contrasting the basic technical requirement to implement a 'feature'

against the actual implementation.

 

There are various sub-aspects to this procedure, such as contrasts from

different 'perspectives'. This would include examining ease of

information retrieval, information storage, information movement,

information processing, network communication attempts, etc.

 

By contrasting what would be 'expected', under reasonable circumstances,

against what is actually there, the 'gulf' (form of perceived depth)

between the two states is revealed (Symbiotic Duality).

 

The procedure uses the 'Russian Doll' and Henry Ford Conveyor Belt

principles, to break down the application into smaller and smaller units

in a systematic exploration of the target system.

 

The method is highly flexible, in that, it does not require a linear

approach to investigation, but rather, a completely random approach is

recommended. This can match budgets and resources of investigative

departments.

 

The results are composited in a cross-referenced mosaic that can be

expanded upon from any point, providing the investigator a model of

his/her complete investigation. This gels beautifully with the 'chain of

custody' model.

 

What we are left with, is a combination of fluff and 'Interest

Motivated' sections of the application. It's simply a matter of

contrasting the expected characteristics of fluff against the remaining

sections of code.

 

So, staring you in the face, in glorious black & white, will be a very

clear list and description of each identified 'odd' behavior. As many

investigators will have realized by now, adaptations of this can be

applied to any form of investigative procedure.

 

If you are interested in 'Symbiotic Duality', I'm afraid you will not

find it in any texts, it was something I developed as part of my work to

assist me. An in-depth understanding of human psychology is a basic

requirement in this field, as you must always think, what would this

person do? 'Symbiotic Duality' lets you understand more clearly what

they were thinking as it exclusively relates to human perceptions.

 

I don't claim that this is any form of great new method, I just use it

to assist my own work and it also has no form of recognition as an

accepted method. It's simply another tool, in a long list, of analytical

procedures and, in my line of work, every assistance is a bonus.

 

I like to think of this procedure as a:

 

'Random access investigative procedure, which uses the horizontal nature

of emotional and perceptive responses, to clearly identify the various

ranges of possible motivations behind an incident.

 

Cross-referencing and statistical analysis, provide a mechanism of

ranking motivations, across an entire case framework, allowing for

'Computer Assisted Real Motive Analysis' (CARMA).'

 

That'll mess with your noodle for a while. Sorry. :)

 

The best visual representations would most likely be in the form of a

'tree' structure, expressed in 3D. Each 'Symbiotic Duality' identified

can be provided a 'score' (ranking), and numerous sub-scores

(sub-rankings) if required. The ranking system, has an unlimited

user-defined scale. This allows for statistical analysis and

cross-referencing, with stark contrasts. The scale can also be categorized.

 

I only mention it here, as it was employed in this analysis, however, I

am still developing the theory behind this. The report does not rely on

this theoretical work, but rather, standard procedures in high level

analysis.

 

Well, that's enough 'Psychology and Forensic Analysis 101' for today.

 

Have you not got a life or something? :)

 

 

Appendix 2. Magnetic Force Microscopy (MFM)

 

I had the chance to see this process first hand, a good friend of mine

demonstrated the following technique using an Open-Mosix cluster. The

process was mainly based on the statistical recomposition of data

sectors. The usage of highly discrete array-based statistical

recomposition can uncover data.

 

It's based on the fact that a hard disk has certain known read/write

characteristics that affect the position of molecules on a disk platter.

It's important to note, we are not trying to uncover previous data

directly, but rather explore variations in memory.

 

An MFM series of images of the disk platter is produced and converted to

3D. Then each sector's dimensional values are offset against the values

provided by the known characteristics of the read/write heads. Each

binary bit is treated independently.

 

As most can see, this method bypasses encryption by focusing on physical

position. After this, it is simply a matter of computing variations and

attempting to match patterns. Not one bit of cipher breaking, makes you

wonder about the advice security companies provide and who exactly

qualified them in 'IT Security'?

 

Most people do not realize they are self-appointed and even wrote the

texts for 'security classes'.

 

The technique came from "The Catch 22 Guide To Business" and a

chapter entitled "Recursive Algorithms & Global Expansion", with

cross-references to the Ferengi 'Rules of Acquisition'. :)

 

 

Evidence For The Microsoft WinXP Pro Bugging Device

 

author: Mark McCarron


 

This is in the news feeds.

Evidence For The Microsoft WinXP Pro Bugging Device

By Mark McCarron

 

( MarkMcCarron_ITT, angelofd7)

 

 

Introduction

 

In the first article, I set out a 'hypothesis' and progressed through

the Microsoft Windows XP Operating System demonstrating it to be a

bugging device. Since then, all types of accusations have appeared

about my motivations, from 'propaganda' to 'delusions'. I think what

people were really asking, was rather than providing a vague overview,

could I provide a technical, point-by-point, breakdown of the OS, that

is both clear, concise and accurate that demonstrates its function as a

'bugging device'.

 

No problem. Well, I could not be expected to put up with that now, could

I? After all, a chance to kick the big guy, square in the digitals,

would be a sin to waste. The hacker, Cracker and Open Source community

would never forgive me.

 

This time, there is no hypothesis, nor anywhere to hide...

....and it's not 'exactly' a bugging device, it's 'a whole lot more'.

 

Hello, Hello, Hello...What Do We Have Here Then?

 

As we demonstrated throughout the hypothesis of the previous article,

Windows XP can clearly be 'interpreted', as having been designed for

espionage, specifically, as a remote 'bugging device'. This gives us

good grounds from which to launch an examination of the physical

evidence. If the hypothesis had not given 'grave cause for concern', nor

demonstrated, that Microsoft Windows XP could be designed for that

purpose, such an examination, in public, would have been unfair to

Microsoft.

 

We are going to view the various forms of supporting evidence, available

across the Internet, and build a clear overview of what I see in Windows

XP. I will maintain the same structure as the first article throughout,

with slight alterations, and provide both references and commentary from

a forensics point of view.

 

Please Note:

Anything that appears in this document, is the sole responsibility of

its author and not, necessarily, a view shared by the distributors of

this information (i.e. websites, etc). It is provided as a source of

information, only. All legal liability belongs to the author.

 

 

 

 

Microsoft Windows XP - The Supporting Evidence & End-User Tests

 

Conducted: September 2004

Conducted by: The GIEIS Project

Department: Forensic & Cyber-Psycho Warfare

 

 

Note: You must be online for any form of remote connection.

 

Connection attempts can be tested by end-user. Install a firewall, such

as Sygate's Personal Firewall (FreeWare V5.5 2525) and leave it to ask

for each connection.

 

You will need full ownership and 'special privilege' rights to examine

this in detail.

 

 

General Features

 

 

1. Start -> Search :)

a. Click Start->Search and Select 'For Files and Folders...'

b. Notice the connection attempt to Microsoft captured in your Firewall.

c. Notice how this transmits your IP address, in the packet structure of

the IP protocol, directly to Microsoft.

d. Notice how the ARP/RARP cache can be used to obtain the MAC address

of the remote machine.

e. Notice how this gives both traceable (MAC ID Resolution) and unique

identification to each node.

f. Notice that no information about this event is provided to the end-user.

g. Notice that this is a 'phone home'.

h. Notice this statement:

 

WinXP Search Assistant Silently Downloads

http://www.theregister.co.uk/2002/04/11/winxp_search_assistant_silently_download\

s/

 

 

 

" When you search the Internet using the Search Companion, the following

information is collected regarding your use of the service: your IP

address, the text of your Internet search query, grammatical information

about the query, the list of tasks which the Search Companion Web

service recommends, and any tasks you select from the recommendation list. "

 

i. Notice the IP address is stored by Microsoft (during beta testing).

j. Notice Microsoft, therefore, has a list of developers.

k. Notice grammatical information's primary use is in psychological

profiling.

l. Notice there is no other reasonable explanation to store grammer, as

the text is already stored. Grammer is of no use in 'keyword' text

searches, as it is a literal search.

m. Notice how it is all related against marketing information.

n. Notice this is by design.

o. Notice this is intentional.

You are therefore a number, not a citizen. :)

 

 

2. Help System, F1
a. Press F1 to bring up help, in any Microsoft application.
b. Notice the connection attempt made randomly (keep trying!) to Microsoft captured in your Firewall.
c. Notice how this transmits your IP address, in the packet structure of the IP protocol, directly to Microsoft.
d. Notice how the ARP/RARP cache can be used to obtain the MAC address of the remote machine.
e. Notice how this gives both traceable (MAC ID Resolution) and unique identification to each node.
f. Notice that no information about this event is provided to the end-user.
g. Notice that this is a 'phone home'.
h. Notice this is by design.
i. Notice this is intentional.
You are therefore a number, not a citizen. :)

3. Microsoft Backup
a. Change the ownership of a second drive, then use backup to copy the files.
b. Notice this provides rapid disk access.
c. Notice this was designed by 'security experts'.
d. Notice this is by design.
e. Notice this is intentional.

4. Process Viewer (Task Manager)
a. Press CTRL-ALT-DEL to get to the task manager.
b. Now select the 'Processes' tab.
c. Examine how there is no 'useable' information from which a file process can be related to real file information.
d. Use another process viewer and compare the output. Notice that Windows was designed to restrict this output to the end-user.
e. Notice that applications have the 'option' to appear on this list.
f. Notice that this would require the 'creation' of another product to perform this task.
g. Notice this is by design.
h. Notice this is intentional.

5. Dr Watson
a. Examine previous implementations of Dr Watson on earlier versions of Windows, in relation to the XP implementation: type 'drwatson' in the run box.
b. Notice the lack of output of vital information required to locate keyloggers, etc.
c. Notice the output has been replaced by a simple message box.
d. Notice that this required deliberate modifications to the earlier implementations.
e. Notice this is by design.
f. Notice this is intentional.

6. The Windows Registry
a. Run the registry editor by typing 'regedit'.
b. Progress through every entry.
c. Notice each entry with personal information.
d. Notice that the Windows activation code is actually a form of combined report and MD5-type identifier that uniquely identifies the end user's machine and the end user's hardware.
e. Notice that the registry is divided into clear sections, separating human and machine generated material.
f. Notice how this provides consistent psycho-analytical information in the appropriate format.
g. Notice how information is scattered throughout the drive.
h. Notice this is by design.
i. Notice this is intentional.

7. Temporary Files
a. Check under C:\Documents and Settings\Administrator\Local Settings\Temp and for any user name you may have.
b. Notice the extensive amount of files retained in this folder that are required.
c. Notice the 'various contents' of those files.
d. Notice this was designed by 'experts'.
e. Notice this is by design.
f. Notice this is intentional.

8. Recycle Bin
a. Disable the recycle bin.
b. Clear a new partition.
c. Make sure all files can be seen and you have full ownership rights throughout all containers and sub-containers.
d. Now create a text file and delete it.
e. Notice the creation of the 'RECYCLER' folder.
f. Notice this step is redundant.
g. Notice it creates a copy of your file.
h. Notice it wastes cycles because it must delete the copy & the original.
i. Notice that this is deliberate coding.
j. Notice this is by design.
k. Notice this is intentional.

9. Recent Files
a. Check under C:\Documents and Settings\Administrator\Recent and for any user name you may have.
b. Notice the extensive amount of files retained in this folder that are not contained under the Start button's 'My Documents'.
c. Notice that additional screens have been introduced to obscure the 'Clear' button.
d. Notice the clear button only removes 'certain' links.
e. Notice each new file is more information hidden in alternate datastreams, throughout the drive.
f. Notice there is no reason for this.
g. Notice that this is recording your activities.
h. Notice the pattern of behavior.
i. Notice this is by design.
j. Notice this is intentional.

10. NotePad
a. Create a text document and write a document.
b. Now save it, and watch how the screen jumps to the position of the cursor.
c. Notice that this requires 'specific' coding.
d. Notice how RTF documents do not line-space copy and pasted text.
e. Notice how this would push you towards Microsoft Office.
f. Notice this is by design.
g. Notice this is intentional.

11. Swap Space/Virtual Memory/Page File
a. Notice that it cannot be disabled.
b. Notice that this would require the 'creation' of another product to erase sensitive information.
c. Notice this is not a design requirement, but an 'extra addition' to the code.
d. Notice this is by design.
e. Notice this is intentional.

12. Firewall
a. Notice that Messenger (Not MSN Messenger) bypasses the incoming firewall.
The issue is described here:
http://www.windowsxpatoz.com/cgi-bin/search/index.cgi?answer=1036285319&id=1234567890

b. Notice that this allows the transmission of any form of data into your PC, with the 'proper exploit' (backdoor access code).
c. Notice it is incoming only.
d. Notice this allows information to leave your PC unrestricted.
e. Notice that this was designed by 'security experts'.
f. Notice this is by design.
g. Notice this is intentional.

13. Memory Usage
a. Notice that memory leaks are associated with pointers and references.
b. Notice that pointers and references generated at runtime are normally variables.
c. Notice that a variable would normally contain some form of end-user inputted information.
d. Notice how these 'memory leaks' are written to disk by the swap system, which cannot be disabled.
e. Notice how this creates highly specific MFM recoverable remnants of sensitive information.
f. Notice how this procedure is by human design and not a natural, expected progression of the code.
g. Notice how this degrades the performance of your PC during usage.
h. Notice how this forces upgrades to new Operating Systems and Hardware.
i. Notice how this is equivalent to 'sabotage through design' of end-users' machines.
j. Notice how this generates new capital through new 'updated' versions of products.
k. Notice that this is highly illegal and breaches monopoly commission rules.
l. Notice this is by design.
m. Notice this is intentional.

14. Automatic Updates
(See Services)

15. Raw Sockets
a. Windows sockets embed your IP address into the packet header.
b. Notice this is a US DoD/DARPA design implementation.
c. Notice that this design allows for MAC resolution through the ARP/RARP cache.
d. Notice Windows prevents creation of new protocols.
e. Notice this is by design.
f. Notice this is intentional.

16. Remote Access Bugs
a. Notice how the latest 'update' allows all security to be breached remotely and swiftly.
Security Watch Special: Windows XP SP2 Security Center Spoofing Threat
http://www.pcmag.com/article2/0,1759,1639276,00.asp
b. Notice how there is no real security.
WinXP SP2 = security placebo?
http://www.theregister.co.uk/2004/09/02/winxpsp2_security_review/
c. Notice that since my first article Microsoft updates to SP2 are 80% lower than expected.

Microsoft misses XP SP2 target by 80 million
September 22 2004
by Paul Festa
Only one-fifth of target PCs updated since launch…
http://www.silicon.com/research/specialreports/enterprise/0,3800003425,39124199,00.htm

d. Notice that it had a major impact on business decisions.
Corporate users snub Windows XP SP2
Published on: Wednesday, 22 September 2004, 09:37 GMT
http://www.ebcvg.com/news.php?id=3774

Firms aim to tighten Linux security
Published on: Friday, 24 September 2004, 16:30 GMT
7 million EURO investment
http://www.ebcvg.com/news.php?id=3817

e. Notice that Microsoft 'loses' code:
"Back in February federal judge Ron Boyce requested Microsoft to turn over some DOS, Windows 3.X and Windows 95 source code to Caldera's lawyers and expert witnesses. Microsoft refused, so last month the judge gave them five days to hand it over or face fines. Caldera CEO Bryan Sparks says that Microsoft gave them most of it within the five days, but they "didn't deliver all the source code. They said they couldn't find some of the Windows 95 and DOS source code we requested." Sparks said that Caldera will file a formal complaint to force Microsoft to, um, "find" the missing code. This is a sure sign of desperation."

f. Notice how absurd this is.
g. Notice that exploits for code are available almost immediately upon release.
h. Notice highly sophisticated applications and code are available to exploit the code, almost immediately.
i. Notice the consistent lack of development time.
j. Notice a remote access bug is no different than a 'backdoor access code'.
k. Notice a free Operating system, OpenBSD, can achieve this without much funding.
l. Notice Microsoft has 'nearly' all the money in the world.
m. Notice the consistent pattern of behavior.
n. Notice this is by design.
o. Notice this is intentional.

17. Music Tasks
a. Notice how you are not told Microsoft is advertising.
b. Notice how this is 'subtly' introduced and located.
c. Notice how this transmits your IP address, in the packet structure of the IP protocol, directly to 'a consortium of US businesses'.
d. Notice how the ARP/RARP cache can be used to obtain the MAC address of the remote machine.
e. Notice how this gives both traceable (MAC ID Resolution) and unique identification to each node.
f. Notice that no information about this event is provided to the end-user.
g. Notice that this is a 'phone home'.
h. Notice how you, your machine and your 'personal habits' are uniquely connected to each session.
i. Notice this is by design.
j. Notice this is intentional.

18. Windows Media Player
a. Notice that updates cannot be disabled.
b. Notice that this application can be modified at will.
c. Notice your computer and user account are uniquely identified by default.
d. Notice remote access to your music library is granted by default.
e. Notice this allows any radio station to examine the contents of people's collections.
f. Notice this uniquely identifies end users that have extensive media collections.
g. Notice that Windows Media Player searches for every media file throughout your drive.
h. Notice how subtle these 'features' are.
i. Notice that this is a 'phone home' to the 'US based consortium'.
j. Notice how you, your machine and your 'personal habits' are uniquely connected to each session.
k. Notice this is by design.
l. Notice this is intentional.

19. Alternate Data Streams
a. Notice there is no facility to examine the alternate data stream.
b. Notice that Microsoft did not inform people that thumbnails were cached in this area.
c. Notice for years, US security products did not clean this area of the drive.
d. Notice there is still not great support for cleaning these areas.
e. Notice how obscure the setting to disable this 'feature' is.
f. Notice how subtly it is placed in the middle of options, so as not to draw attention.
g. Notice that the 'What's this?' option does not mention any of these facts.
h. Notice that you are warned folders may take longer to open if it is disabled.
i. Notice that this 'cache' was never required before.
j. Notice that it should not take any longer than a millisecond to open a non-cached folder than a cached folder.
k. Notice this is not the case.
l. Notice this is by design.
m. Notice this is intentional.

20. Stability
a. Notice how memory leaks would prevent long-term application execution, due to memory corruption and fragmentation.
b. Notice the random memory 'Access Violations' that terminate an application's execution on a random basis.
c. Notice how this could have resulted in a major air disaster.
Microsoft software implicated in air traffic shutdown
http://news.zdnet.co.uk/0,39020330,39167074,00.htm
d. Notice how money is placed before human life.
e. Notice Microsoft's complete disregard for health and safety practices of mission-critical systems.
f. Notice how Microsoft does not mention the source of the problem.
g. Notice this is by design.
h. Notice this is intentional.

21. Web-Cams and Microphones
a. Notice that these devices can be activated remotely.
b. Notice that this can be done in 'stealth'.
c. Notice that this is by design.
d. Notice the current deployment of a worm.
Meet the Peeping Tom worm
http://www.theregister.co.uk/2004/08/23/peeping_tom_worm/
e. Notice how independent actions can exploit sophisticated breaches almost upon release.
f. Notice that this is absurd without sufficient development time.
g. Notice this is another 'scam'.
h. Notice this is by design.
i. Notice this is intentional.

22. Control Panel
a. Notice how the control panel has been replaced by a simple menu by default.
b. Notice that the majority of end-users would not know how to revert to the old one.
c. Notice how this cuts off access to event messages and numerous vital monitoring services throughout Windows.
d. Notice how Windows policy is to make the end user, more and more, technically retarded, rather than encouraging the user to expand their knowledge.
e. Notice how it is designed to look like a child's toy.
f. Notice how this affects human behavior by making the end user feel comfortable, relaxed and 'unthreatened'.
g. Notice how this encourages people to 'open up', rather like a psychiatrist and a comfortable chair.
h. Notice how subtle these modifications are.
i. Notice it is all by design.
j. Notice the consistent 'psychological aspect' embedded into Windows.
k. Notice this is by design.
l. Notice this is intentional.

23. Automatic Error Reports
a. Notice how all system information is transmitted to Microsoft.
b. Notice how that includes 3rd party applications.
c. Notice this is 'automatic'.
d. Notice there is no clear way to disable the function.
e. Notice the extensive amount of information, both traceable, profilable and user related.
f. Notice how this transmits your IP address, in the packet structure of the IP protocol, directly to 'a consortium of US businesses'.
g. Notice how the ARP/RARP cache can be used to obtain the MAC address of the remote machine.
h. Notice how this gives both traceable (MAC ID Resolution) and unique identification to each node.
i. Notice that no information about this event is provided to the end-user.
j. Notice that this is a 'phone home'.
k. Notice the pattern of behavior.
l. Notice this is by design.
m. Notice this is intentional.

Internet Explorer 'Features'

1. Temporary Internet Files
a. Go to C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files (or your username).
b. Notice that these are not the real files.
c. Change the ownership rights of the drive.
d. Give yourself full permissions.
e. Notice you do not have full permissions by default.
f. Notice that to obtain full permissions requires extensive training in Windows.
g. Notice 95% of end-users would not have such training.
h. Notice that 95% of end-users are unable to view the contents of the files and folders.
i. Notice that Windows is a domestic platform.
j. Notice that this is not consistent with end-user requirements.
k. Notice how awkward Windows makes everything.
l. Notice this is by design.
m. Notice this is intentional.

2. Index.dat
a. Notice this file is invisible to 95% of end users.
b. Notice this file cannot be accessed by 95% of end users.
c. Notice that this file associates personal logons with internet activity.
d. Notice it records even deleted material.
e. Notice it has date and time stamps located throughout.
f. Notice the focus on recording images viewed.
g. Notice how your web activities are monitored.
h. Notice how this is completely redundant.
i. Notice this is by design.
j. Notice this is intentional.

3. Cookies
a. Notice usernames and encrypted passwords are stored in these files.
b. Notice these files are accessed by US market research.
c. Notice that information is gathered as you progress.
d. Notice that this is providing a 'continuously' updated profile.
e. Notice there is no requirement for cookies.
f. Notice that major US sites refuse to function without having access to read/write functions on your drive or scripts/ActiveX, etc.
g. Notice how obscurely the clear function is located and 'titled'.
h. Notice how obscurely located the folder is.
i. Notice this is by design.
j. Notice this is intentional.

4. Auto-Complete
a. Notice that this is enabled by default.
b. Notice the wide range of user inputted information it retains.
c. Notice that this is stored in a quick access area.
d. Notice how, when disabled, it keeps prompting for reactivation.
e. Notice how that prompt cannot be disabled.
f. Notice how annoying that becomes.
g. Notice that this would encourage reactivation.
h. Notice this is by design.
i. Notice this is intentional.

5. MSN Messenger
a. Notice how MSN Messenger behaves like a trojan.
Windows Messenger Trojan Update
http://www.theregister.co.uk/2002/04/02/windows_messenger_trojan_update
b. Notice how it is activated upon hotmail activation.
c. Notice that no clear explanation is given as to why.
d. Notice that Microsoft has proved it has control of your PC remotely.
e. Notice how by default it loads at startup.
f. Notice that this loads its 'trojan' capabilities into memory.
g. Notice MSN Messenger, technically, intercepts keystrokes by design.
h. Notice how updates are forced upon the end-user, even if they do not have the product.
i. Notice how it cannot be uninstalled.
j. Notice that Microsoft is recording your deleted contacts.
k. Notice this is part of a highly consistent policy.
l. Notice this is by design.
m. Notice this is intentional.

Microsoft Windows XP Services

1. Application Layer Gateway Service
Download Sygate's Personal Firewall (Freeware) and leave it on training mode.
a. Create a LAN with ICS.
b. Connect to the Internet.
c. Notice the various connection attempts.
d. Notice the connection attempt to ARIN captured in your Firewall.
e. Notice that none of these connections are required.
f. Notice the connection attempt to Microsoft captured in your Firewall.
g. Notice how this transmits your IP address, in the packet structure of the IP protocol, directly to Microsoft.
h. Notice how the ARP/RARP cache can be used to obtain the MAC address of the remote machine.
i. Notice how this gives both traceable (MAC ID Resolution) and unique identification to each node.
j. Notice that no information about this event is provided to the end-user.
k. Notice that this is a 'phone home' to a US 'consortium'.
l. Notice this is by design.
m. Notice this is intentional.
You are therefore a number, not a citizen. :)

2. Automatic Updates
a. Notice that this is enabled by default.
b. Notice that the disable mechanism is obscurely located and not part of the services.
c. Notice that old flaws are replaced with new ones during an update.
d. Notice this transmits information between you and Microsoft on a very regular basis.
e. Notice how this transmits your IP address, in the packet structure of the IP protocol, directly to Microsoft.
f. Notice how the ARP/RARP cache can be used to obtain the MAC address of the remote machine.
g. Notice how this gives both traceable (MAC ID Resolution) and unique identification to each node.
h. Notice that no information about this event is provided to the end-user.
i. Notice that this is a 'phone home'.
j. Notice how this is a 'rotational approach' where new and old flaws are simply removed and re-introduced.
k. Notice how any software can be delivered to your PC.
l. Notice how Microsoft has direct remote control of any XP machine.
m. Notice that terminal services would give them a desktop and access to your hardware/network.
n. Notice this is by design.
o. Notice this is intentional.

3. Computer Browser
a. Notice that every machine on the network is known.
b. Notice that this is not required.
c. Notice that this only provides additional network traffic.
d. Notice that this provides navigational information.
e. Notice that it provides quick access to this information.
f. Notice this is by design.
g. Notice this is intentional.

4. Fast User Switching Compatibility
Can be tested by the end user. Check 'User Accounts' in the control panel.
a. Notice this is enabled by default.
b. Notice that no explanation of the fact that it hides the administrator account is provided.
c. Notice that there is no quick access to the administrator account.
d. Notice that getting to the administrator's account requires in-depth knowledge of Windows.
e. Notice how this does not fit in with 'user-friendly usage'.
f. Notice that they have tried to make access as difficult as possible.
g. Notice that any encrypted file system can be accessed through the 'hidden' administrator's account.
h. Notice how easy post-forensic and psychological analysis has been made.
i. Notice this is by design.
j. Notice this is intentional.

5. IMAPI CD-Burning COM Service
Can be tested by the end user.
a. Place a CD in the drive. (Best type CD-R)
b. Navigate through the CD and watch the title bar move to the CD Burning drive. This may take a while to replicate, and make sure you can see the 'full address' in the title bar.
c. Notice that the CD's image layout has been cached by Windows.
d. Notice that files are copied to the C drive first.
e. Notice this is not required.
f. Notice that this slows everything down by making redundant operations.
g. Notice this is by design.
h. Notice this is intentional.

6. Indexing Service
a. Notice that this is not required.
b. Notice that Windows searches are extremely slow without it.
c. Notice there is no reason for this to be that way: DOS searches like a bullet, and so will my own custom search program.
d. Notice this just catalogues your drive.
e. Notice that, with Microsoft's remote access capability, this provides rapid access to file information.
f. Notice the entire system defaults to being ready for indexing.
g. Notice the pattern of behavior.
h. Notice this is by design.
i. Notice this is intentional.

7. Internet Connection Firewall (ICF)/Internet Connection Sharing (ICS)
a. Notice how each implementation shares your files.
b. Notice how SP2 has been 'pre-configured' to do this.
Windows XP Service Pack 2 Firewall Configuration Error Exposes File and Print Sharing to Remote Users
http://msmvps.com/donna/archive/2004/09/23/14011.aspx
c. Notice that this is a consistent pattern of behavior.
d. Notice that 5 years have passed with the same issue since Win2k.
e. Notice that this is not an error.
f. Notice that this is a 'pre-9/11 policy'.
g. Notice this is by design.
h. Notice this is intentional.

8. Messenger
a. Notice how this is enabled by default.
b. Notice that this bypasses your incoming firewall.
c. Notice that this sends and receives 'data' (No such thing as text).
d. Notice how this can send information from your PC.
e. Notice how this can receive any form of data and execute it with the right exploit (backdoor access code).
f. Notice how it can broadcast to any IP address, rather than being restricted to NETBios or DNS names.
g. Notice how it is scriptable rather than a GUI.
h. Notice how awkward this makes usage in any environment (standard messages can be staged in a GUI too, even imported).
i. Notice this is not required.
j. Notice this is by design.
k. Notice this is intentional.

9. Network Connections
a. Notice that this service is simply additional overhead.
b. Notice it is not required.
c. Notice that it catalogues your network connections and all access information.
d. Notice the only useful function is to provide quick remote access to the information.
e. Notice the clever 'barely noticeable' addition that this is.
f. Notice the consistent pattern of behavior.
g. Notice this is by design.
h. Notice this is intentional.

10. Protected Storage
a. Notice how this cannot be viewed by any Windows application.
b. Notice 3rd party applications can.
c. Notice that it is, therefore, by definition, 'not very protected'.
d. Notice its only function is quick retrieval of sensitive end user information.
e. Notice this was designed by 'security experts'.
f. Notice you've been conned. :)
g. Notice this is by design.
h. Notice this is intentional.

11. Remote Procedure Call (RPC)
a. Notice this cannot be disabled.
b. Notice that remote procedure calls allow your PC to be operated remotely.
c. Notice, in 80% of cases, RPC is never used.
d. Notice it was designed by people who know this.
e. Notice this provides 'listening port' services.
f. Notice the pattern of behavior.
g. Notice this is by design.
h. Notice this is intentional.

12. Remote Registry
a. Notice this is enabled by default.
b. Notice that remote access to the registry provides access to your entire psychological profile.
c. Notice that information is structured for rapid access.
d. Notice no explanation is given as to why it is there.
e. Notice that in 90% of cases it is not required.
f. Notice this was designed by people who know this.
g. Notice this is by design.
h. Notice this is intentional.

13. Server
(Unevaluated in this report)

14. SSDP Discovery Service
a. Notice how this service is enabled by default.
b. Notice how it is a redundant service already provided by a PC.
c. Notice its only function is to catalogue the devices on a network to each node.
d. Notice the amount of bandwidth this absorbs.
e. Notice its only function is for remote orientation and rapid information collection.
f. Notice the pattern of behavior.
g. Notice this is by design.
h. Notice this is intentional.

15. System Event Notification
(Unevaluated in this report)

16. System Restore Service
a. Notice the quick retrieval format for system restore (edited).

C:\WINDOWS\system32\Restore\filelist.xml

1.0
E

%windir%\system.ini
%windir%\tasks\desktop.ini
%windir%\win.ini
*:\AUTOEXEC.BAT
*:\CONFIG.MSI
*:\CONFIG.SYS

c:\placeholder\ph.dll

%cookies%
%favorites%
%History%
%internetcache%
%nethood%
%personaldocuments%
%ProgramFiles%\WindowsUpdate
%windir%\Downloaded Program Files
%windir%\Offline Web Pages
%windir%\PCHealth\HelpCtr\Config
%windir%\PCHealth\HelpCtr\Database
%windir%\PCHealth\HelpCtr\DataColl
%windir%\PCHealth\HelpCtr\System
%windir%\PCHealth\HelpCtr\Vendors
%windir%\pchealth\ErrorRep\UserDumps
%windir%\prefetch
%windir%\temp
*:\~MSSETUP.T
*:\$WIN_NT$.~LS
*:\$WIN_NT$.~BT
*:\System Volume Information
*:\SIS Common Store
*:\TEMP
*:\TMP
*:\W95UNDO.INI
*:\W98UNDO.INI
*:\W9XUNDO.INI
*:\WININST0.400
*:\WINLFN.INI
*:\WINUNDO.INI
%SRDataStoreRoot%
%windir%\system32\wbem\repository
%windir%\system32\wbem\repository.tmp
%windir%\system32\wbem\repository.bak
%SystemDrive%\Documents And Settings\All Users\Favorites
%SystemDrive%\Documents And Settings\All Users\Documents
%SystemDrive%\Documents And Settings\Default User\My Documents
%SystemDrive%\Documents And Settings\Default User\NetHood
%SystemDrive%\Documents And Settings\Default User\Favorites
%SystemDrive%\Documents And Settings\Default User\Cookies
%SystemDrive%\Documents And Settings\Default User\Cache
%SystemDrive%\Documents And Settings\Default User\Local Settings\History
%SystemDrive%\Documents And Settings\Default User\Local Settings\Temp
%SystemDrive%\Documents And Settings\Default User\Local Settings\Temporary Internet Files

*:\Documents And Settings\*\Application Data\Microsoft\Internet Explorer\Quick Launch

~~C
~~D
1ST
CFG
CMD
CNT
DATA
DESKLINK
DIALOG
DIR
DISABLED
DUN
DYNCMD
INCL
INF
INI
INK
IP
LIVEREG
LNK
MANIFEST
MAPIMAIL
MYDOCS
NAME
POLICY
PROPERTIES
REG
SCK
SECURITY
SELFREG
SHARED
TAG
US
USA
USERPROFILE
VCPREF
WINSYS
WIPEINFO
WIPESLACK
ZFSENDTOTARGET

b. Notice that this cannot restore a system, other than for very minor errors.
c. Notice 3rd party applications would not function or would corrupt system data.
d. Notice the designers were prepared to take the risk.
e. Notice how focus is given to maintaining user data belonging to the main user.
f. Notice that the main user's psychology would be reflected throughout the system.
g. Notice that non-main users are dropped because insufficient information would exist to separate each user from the main user; however, the inverse is easily automated with practice.
h. Notice how this system just eats resources.
i. Notice the pattern of behavior.
j. Notice this is by design.
k. Notice this is intentional.

17. Terminal Services
a. Notice this is enabled by default.
b. Notice 90% of end users would not know how to disable it.
c. Notice that 90% of end users do not need this.
d. Notice how this traps people into Windows using clever manipulation.
e. Notice how Windows reduces the technical knowledge of end users.
f. Notice how this provides entire access to your machine, even without your knowledge, using the 'latest exploit' (updated backdoor access code).
g. Notice the pattern of behavior.
h. Notice this is by design.
i. Notice this is intentional.

18. Windows Time
a. Notice that it connects to either Microsoft or the US military.
b. Notice how this transmits your IP address, in the packet structure of the IP protocol.
c. Notice how the ARP/RARP cache can be used to obtain the MAC address of the remote machine.
d. Notice how this gives both traceable (MAC ID Resolution) and unique identification to each node.
e. Notice that no information about this event is provided to the end-user.
f. Notice that this is a 'phone home'.
g. Notice this is by design.
h. Notice this is intentional.
You are therefore a number, not a citizen. :)

19. Wireless Zero Configuration
a. Notice how this exposes your Wireless network.
b. Notice how this can be 'tapped'.
c. Notice this was designed by 'security experts'.
d. Notice that even the hardware encryption is weak 'by design'.
e. Notice that wireless signals can be detected in space, as they propagate at the speed of light; the ionosphere would only filter the signal.
f. Notice that NASA broadcasts from Mars using less than 0.0001 watts of signal strength.
g. Notice that wireless broadcasts are around 1 watt in Europe.
h. Notice that this is 1000% more powerful than a broadcast from Mars.
i. Notice we have no idea what is located in space.
j. Notice that exposing the network is the entire intention.
k. Notice this is by design.
l. Notice this is intentional.

Conclusion

 

1. Consistent unique identification of end user.

2. Consistent profiling of hardware.

3. Consistent connection attempts to some form of US based 'consortium' that uniquely identify each end node.

4. Pattern consistent with a large scale mapping & psychological information gathering process, of end users, on a global basis.

5. Advanced Psychological Focus - Clearly adapted from cold-war research in psycho-warfare techniques (advanced embedded psycho-tropic colour schemes). Collection, distribution and 'psychosis' manifestation.

6. Consistent pattern of behavior towards security. Windows is designed to create a 'highly specific' array of companies. Specifically, the IT security industry.

7. Consistent slow inclusion of 'subtle' features aimed at end user manipulation and the public acceptance of that manipulation over time.

8. Consistent recording of end users' 'habits' and 'personal preferences'.

9. Consistent pattern of making these files 'inaccessible' to end users.

10. Consistent pattern of collecting end user information.

11. Consistent attempt to collect end user information by the deliberate introduction of 'highly specific flaws' into the operating system.

12. Consistent pattern of being 'done by design'.

13. Consistent attempts to hide this activity from end users.

14. Consistent pattern of behavior matching covert intelligence gathering techniques.

15. Implemented long before 9/11.

16. Evidence would suggest the US has some form of nuclear powered, super-computer, processing center requiring parts on a daily basis. Groom Lake, Nevada? Alien cover story, strange air activity nightly, FAA restrictions on crash sites, etc?

 

My brother used to say,

 

'What are they going to do, predict your shopping list?'

 

I can now tell him,

 

'They intended to determine it for you, and for generations to come.'

 

Perhaps we should forget about locating any US 'star wars' technology; I get the impression it's just 'economic war'.

 

Hmmm...perhaps those guys, with tinfoil hats, may have a point, after all. If I lived in the US, that is...

 

....The irony! :)

 

 

 

Government Advice

No government in the world can take another second's risk of the operating system existing within their country's borders.

 

Ban it, immediately.

 

Check all Linux installations for 'remote access bugs', deploy sniffers across the entire backbone.

 

 

 

Business Advice

OpenBSD and complete custom builds of Linux are recommended, as well as custom protocols. Due to this, no OS provider with US connections can be trusted.

 

Everyone is advised to contact SMB/SMEs of Finland, Sweden, Ireland, UK, India, Germany, France, Spain, Italy, Belgium, Russia, Ukraine and Europe in general for technical advice and OS source code and kernels.

 

Everyone is advised to talk with the 'programmers' directly and bypass all forms of 'middle-management'. Encourage developers to be open about all issues, without impacting business contract decisions. You will receive the best security in the world that way.

 

 

 

 

Now Microsoft:

A cold-war policy, without a cold-war, for a quick buck, for the US, is simply not on.

 

a. Notice this is an act of treason.

b. Notice you have been caught.

c. Notice that there will be hell to pay.

d. Notice there is a new sheriff in town. :)

e. Notice this is by design.

f. Notice this is intentional.

 

Round 'em up, boys! :)

 

 

Speculation

Estimated speed 10,000 petaflops and about that again, in terabit bandwidth per second. Global telecoms monitoring station like Britain's GCHQ, linked to HAARP. HAARP is 'listening' to remote wireless networks for 'economic reasons', not terrorism.

 

Starting to see the plot?

 

An upgrade would cost about a trillion and would have been required within the last 5 years, with major upgrades being 10-15 years apart. This would coincide with various wars/conflicts, etc.

 

America's missing money?

 

US military technology is known to be between 50-70 years more advanced than civilian. Therefore, so is the cost.

 

Imagine Operation Flashpoint, wow! Real-time world war. :)

 

You should have taken this guy's hint:

 

"Bill Xia, chief executive of DIT, however, accuses Google of reinforcing Chinese internet restrictions by leaving some sites off its list. "When people do a search they will get the wrong impression that the whole world is saying the same thing," he told New Scientist."

 

Anyone else notice that lately?

 

Apparently everyone on the entire Internet is of 'one mind', and that 'one mind' has extreme difficulty understanding plain English and simple logic.

 

Also, Google appears to be creating some form of 'internal' and 'external' views to countries and the information they contain. Information returned within one country is different to the same information request, at the same sites, from another country. Examine this quote from the same article:

 

"Some users recently reported that Google's Chinese news search returned different results depending when they searched using a computer based outside of China. The claims were substantiated by researchers who connected to computers inside the country.

In the past, other search companies have also been accused of supporting Chinese internet controls. In 2002, for instance, 's (Google) Chinese search engine was modified to provide only limited results for queries related to the banned religious group, Falun Gong.

And Xia notes that Google recently acquired a stake in a Chinese search company called Baidu.com."

So, the CIA made a deal with the Chinese, to enter the Chinese marketplace.

 

Wise up America! You've lost the plot.

 

Isolated a little too long, me thinks!!

 

 

 

 

Appendix Contents

Appendix 1. Alternative Solutions To Microsoft OS and Tools

Appendix 2. Background Information on Microsoft Related Activities

Appendix 3. Political Impact

 

 

 

Appendix 1.

 

Alternative Solutions To Microsoft OS and Tools

 

This is a great place to start 'kicking the M$ habit', welcome to 'The Microsoft Boycott'. Here you will find everything, you ever wanted, that is non-Microsoft related. http://www.msboycott.com/thealt/

 

 

 

Appendix 2.

 

Background Information on Microsoft Related Activities

 

Various Extracts From Old News

 

http://www.msboycott.com/news/98_08_31.shtml

 

"According to a report last Wednesday in The New York Times, the US Justice Department is now investigating Microsoft's relationship with Intel. According to the Times, during a 1995 meeting between Intel Chairman Andy Grove and Bill Gates, Gates made "vague threats" to work more closely with Intel's competitors unless Intel cancelled plans to invest in Internet-related technologies and businesses. The DOJ has reportedly subpoenaed Intel transcripts of the meeting, and several Intel executives have testified about the companies' relationship. Intel and DOJ representatives had no comment, while Microsoft spokesmen neither confirmed nor denied the allegations, merely saying they didn't see how that evidence could harm the company's case."

 

"Making matters worse for Microsoft, a new book due out next week will detail the company's many illegal and unethical business practices dating back to the mid-eighties. The book, The Microsoft File: The Secret Case Against Bill Gates, was written by Wendy Goldman Rohm, a longtime member of the computer media. Rohm, who writes for PC Week and Inter@ctive Week, managed to access Microsoft executive memos previously unavailable to the public. She then filled in gaps in the stories via "insider" accounts from sources around the world.

The book includes incidents of Microsoft bugging competitors' motel rooms, forcing computer manufacturers to stop shipping competing OSes and stealing ideas from competitors. The book also details how Microsoft included encrypted AARD code with Windows 3.x just to disable DR DOS. Rohm claims the book's content is so damaging that Bill Gates personally phoned magazine and newspaper editors asking them not to publish anything she wrote."

 

"Last week a Canadian company discovered a security hole in Microsoft's HotMail service. The hole, which uses JavaScript to fool users into giving their username and password, is simple enough that anyone with a good understanding of JavaScript can take advantage of it. Microsoft temporarily fixed the problem by blocking all e-mail with JavaScript code in it, but that only worked for the 30 seconds it took hackers to replace JavaScript tags with standard HTML tags. Other e-mail services such as NetAddress and LycosMail are checking into the problem, but mail providers like that block all HTML coded messages are immune. All the companies have now implemented a working permanent fix.

 

 

 

The Microsoft File

 

The Microsoft File - Purchase

http://www.amazon.com/exec/obidos/ASIN/0812927168/themsbcbookstore/002-9255516-5172011

 

 

 

Editor's Review

http://www.amazon.com/exec/obidos/ASIN/0812927168/ref=ase_themsbcbookstore/002-9255516-5172011

 

 

 

The Microsoft File is based on information from not one but many "Deep Throats," as well as internal documents that tell a story of:

 

> How Microsoft's predatory marketing and pricing behavior belies its claims of fair competition.

 

> How Microsoft killed the market for a competitor's operating system, a system that could have challenged MS-DOS.

 

> How bugging devices were found in the hotel room of a supposed business partner of Microsoft's the day before a critical meeting with Microsoft.

 

> How Microsoft inserted hidden code in the beta version of Windows 3.1, creating fear in the marketplace that competing products would crash and adding a byte in the final version that was marketed so the hidden code wouldn't appear on the screen.

 

> How close Apple came to discarding the Macintosh operating system for Windows, and the real reason why Bill Gates decided to invest some $250 million in Apple.

 

> How Microsoft, despite non-disclosure agreements, obtained and used technological secrets from competitors.

 

> How the biggest mergers in the software industry unfolded, blow-by-blow, as Microsoft's competitors tried to survive the increasing power of the Gates juggernaut.

 

 

 

Appendix 3.

 

Political Impact

Not only this, but governments throughout the world were beginning to reject Microsoft software or related companies, even without this evidence.

 

ZDNet UK

September 23, 2004, 15:30 BST

Linux goes mission-critical for Danish government

http://news.zdnet.co.uk/0,39020330,39167606,00.htm

 

The Danish know their bacon and can smell 'porky pies', half a planet away. :)

 

source url: http://

homepage: http://gieis.esmartguy.com

 

http://www.saveourcivilliberties.org/en/2004/09/709.shtml

and the follow up:

 

http://www.saveourcivilliberties.org/en/2004/09/709.shtml
