
Microsoft's Backdoor ::::RELOADED:::::

page: 2

posted on Jul, 15 2013 @ 11:34 AM
Thank you all for sharing your knowledge with us.

Please tell me something about Linux... is it easy to install? Do I do a clean install away from Microsoft, then install LX on the same partition? A new partition? Is LX 100% safe? I have heard things like they are in the tank with the NSA as well.

On a more humorous note - the Russians are back to using old Underwoods - not in all cases, but in the most sensitive areas, I suppose...


By the way... anyone here who still thinks that Snowden "hasn't done anything we didn't already know about" is either in dreamland or working for the enemy in an effort to minimize the overall effects of what ES has actually accomplished. Snowden is a 'revolutionary' in the true sense of the word. Please read Thomas Paine in order to comprehend what is a 'true revolutionary'. He's a patriotic combo of Paul Revere and Thomas Paine.

See Andrew J. Galambos and the Science of Volition
This is an open source download of a 3 session course by Andrew Galambos, delivered live in 1966, entitled 'The Declaration of Independence, Thomas Paine and Your Freedom.'

You will be well informed as to the meaning of 'revolution(ary)' and how Edward Snowden fits the patriotic description of what is meant by "Resistance to Government Tyranny."

edit on 15-7-2013 by Lysistrata because: (no reason given)



posted on Jul, 15 2013 @ 11:35 AM
OP I think it is a bit out of order for you to encourage people to turn off cryptsvc.exe. People will not be able to update their WIN boxes. This is a bit irresponsible.

See link: maximumpcguides.com...

I am like others concerned at the authoritarian behavior of Governments especially the USA and the UK.

As far as back doors go here is the plan: www.eff.org...

The FBI are "bigging it up" how they "go dark" on some suspects. (Lying bastards)



posted on Jul, 15 2013 @ 12:11 PM
reply to post by Lysistrata
 


If you're new to Linux it might be worth running it in a virtual machine to have a play with it; there's Oracle's VirtualBox and MS's Virtual PC products, which are free, and I think VMware's most basic offering is also free.

While all Linux distributions these days use precompiled binaries to patch systems, there's nothing stopping you downloading the source, having a look at it and compiling it yourself. But then you're out of luck should something go wrong, so it's for those IT people who abhor the evil day star and have beards you could hide a badger in, as debugging it could require a lot of hardware/software knowledge.



posted on Jul, 15 2013 @ 12:46 PM
All firewall programs let Windows do what it likes,
and you cannot make the programs stop it.

I did once find a firewall that did it on XP,
but they did updates! No, you cannot do it,
if you stopped all traffic.

Windows installs a hook!
Yes, that's the name!
In every program, keyboard, screen.



posted on Jul, 15 2013 @ 01:53 PM

Originally posted by buddha
All firewall programs let Windows do what it likes,
and you cannot make the programs stop it.

I did once find a firewall that did it on XP,
but they did updates! No, you cannot do it,
if you stopped all traffic.

Windows installs a hook!
Yes, that's the name!
In every program, keyboard, screen.


It doesn't, but you are convinced it does, so there is no point in trying to talk logic with you.
Run a capture and look at ingress and egress to your INT and you can see exactly what is traversing your wire.

As for the person asking about running Linux: your best bet is to virtualize an install if you don't have a spare PC and you want to keep your machine on Windows. This approach works great and gives you the flexibility to install as many different flavors as you want. Again, that is predicated on you not wanting to format your current HD or not having a spare PC.

I have used VirtualBox in this manner for a while now, and you can get everything you need about an OS, when first learning it, from this approach.
edit on 15-7-2013 by opethPA because: (no reason given)



posted on Jul, 15 2013 @ 02:16 PM
reply to post by abecedarian
 

TCP 192.168.1.100:49175 64.4.11.42:http ESTABLISHED 1324 CryptSvc [svchost.exe]

TCP is the Protocol
192.168.1.100 is the user's PC on his private network.
49175 is the port number.
64.4.11.42 is the Microsoft privately owned IP address.
The OP assessment is correct.



posted on Jul, 15 2013 @ 02:22 PM

Originally posted by staple
reply to post by abecedarian
 

TCP 192.168.1.100:49175 64.4.11.42:http ESTABLISHED 1324 CryptSvc [svchost.exe]

TCP is the Protocol
192.168.1.100 is the user's PC on his private network.
49175 is the port number.
64.4.11.42 is the Microsoft privately owned IP address.
The OP assessment is correct.


OP assessment is correct with what?
Yes, MSFT uses a service for patching.
If you are claiming that's indicative of a backdoor, then the OP just found the most blatant and obvious 0day ever. In and of itself that does not mean it can't be used for something nefarious, but how many TCP and UDP ports have dual usage? Does any and all traffic going to a port indicate a backdoor, or does specific traffic going to a specific port indicate it?

Again, you want to really see what's going on, fire up Wireshark.



posted on Jul, 15 2013 @ 02:25 PM

Originally posted by andy06shake
That svchost.exe can be a real resource hog sometimes, guess now we know why!




Seriously. I've wondered about that, myself. Sometimes this process takes up quite a large % of my CPU.


At different periods I have also seen more than one svchost.exe process running.


Are we sure, if this is indeed connecting to microsoft, that it doesn't just have to do with "Windows Update" or whatnot? IME Windows update can be pretty intrusive / aggressive sometimes.


Anyway, back to the process... speaking of multiple processes, a couple of the times I've seen multiple instances of svchost.exe running, I was under the impression / belief that my system was infected, and that this process might have been part of that infection. Actually, I think I recalled reading somewhere that sometimes a virus will disguise its running process as "svchost.exe." But don't quote me on that one....
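The post above raises two things a defender actually checks: several svchost.exe processes at once is normal (each one hosts a group of services), and malware does sometimes name itself after svchost.exe. The following is an added example, not from the thread or any poster: a small Python triage over a constructed process listing that applies the usual checks for impostors. The expected image path (System32, or SysWOW64 for 32-bit hosts), the parent services.exe and the "-k <group>" argument are standard Windows facts; every PID, path, parent and command line in the sample is constructed.

```python
# Added example (not from the thread): triage a process listing for svchost.exe
# impostors. Genuine svchost.exe instances run from %SystemRoot%\System32 (or
# SysWOW64 for 32-bit hosts), are started by services.exe, and carry a
# "-k <group>" argument; several at once is normal, since each hosts a group of
# services. The records below are constructed sample data, in the shape a
# tasklist/WMI query or a process-creation event would give you.
from dataclasses import dataclass
from typing import Dict, List

EXPECTED_PATHS = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\syswow64\svchost.exe",
}
EXPECTED_PARENT = "services.exe"


@dataclass
class Proc:
    pid: int
    name: str          # image name as shown by Task Manager
    path: str          # full path of the image on disk
    parent_name: str   # image name of the parent process
    cmdline: str


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch typo-squatted names such as scvhost.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def triage(procs: List[Proc]) -> Dict[int, List[str]]:
    """Return {pid: [reasons]} for every process that fails a check."""
    findings: Dict[int, List[str]] = {}
    for p in procs:
        name = p.name.lower()
        reasons = []
        if name == "svchost.exe":
            if p.path.lower() not in EXPECTED_PATHS:
                reasons.append(f"unexpected image path {p.path}")
            if p.parent_name.lower() != EXPECTED_PARENT:
                reasons.append(f"parent is {p.parent_name}, expected {EXPECTED_PARENT}")
            if "-k" not in p.cmdline.lower().split():
                reasons.append("no -k <service group> argument on the command line")
        elif edit_distance(name, "svchost.exe") <= 2:
            reasons.append(f"{p.name} is a look-alike of svchost.exe")
        if reasons:
            findings[p.pid] = reasons
    return findings


# Constructed sample listing. PID 1324 reuses the number from the thread's
# netstat line; its path, parent and command line are made up here.
SAMPLE = [
    Proc(812, "svchost.exe", r"C:\Windows\System32\svchost.exe", "services.exe",
         r"C:\Windows\system32\svchost.exe -k RPCSS"),
    Proc(1324, "svchost.exe", r"C:\Windows\System32\svchost.exe", "services.exe",
         r"C:\Windows\system32\svchost.exe -k NetworkService"),
    Proc(3380, "svchost.exe", r"C:\Users\Public\svchost.exe", "explorer.exe",
         r"C:\Users\Public\svchost.exe"),
    Proc(3412, "scvhost.exe", r"C:\Windows\System32\scvhost.exe", "services.exe",
         r"C:\Windows\System32\scvhost.exe -k netsvcs"),
]

if __name__ == "__main__":
    for pid, reasons in triage(SAMPLE).items():
        print(f"PID {pid}:")
        for r in reasons:
            print("   -", r)
```

Run against a real listing, the two genuine instances produce nothing and only the process running from a user-writable folder under explorer.exe and the typo-squatted name are reported; the number of svchost.exe processes by itself is never a finding.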



posted on Jul, 15 2013 @ 02:36 PM
reply to post by opethPA
 


This.

Also, the people who wrote the code also know its weaknesses.

Makes for perfect 0 day opportunities....



posted on Jul, 15 2013 @ 03:59 PM
reply to post by sean
 


Interesting thread, great posts!

Side note, though:

The thread title sounds VERY dirty!



posted on Jul, 15 2013 @ 04:01 PM
reply to post by Gu1tarJohn
 


You ain't technical or of a piratical nature, or you'd think it's more about some warez being released by a group of pirates... but a C before the :::::: and an 8 at the end would have pushed it into the naughty region.



posted on Jul, 15 2013 @ 04:43 PM
Seems to be a bit of misunderstanding here. NETWORK SERVICE is a standard account that is used by about 1/3 of your Windows services (Control Panel => Administrative Tools => Services). These are important services that are needed to perform various network-related tasks on your computer, such as allowing access to network shares on your machine, network printers, the ASP.Net framework, DNS client, SQL Server, IIS, Fax & Voice services and a bunch of other stuff. It's not a nefarious "backdoor" account used by Microsoft to invade your privacy. Some services, such as the Office Software Protection System "Software Protection", do phone home at regular intervals to verify that your machine does not have a pirated version of Windows or MS Office on it, but it's nothing to get paranoid about.

There are actually a few different service accounts on your machine that don't appear in the User Management console (LOCAL SERVICE and LOCALSYSTEM are two examples). That's because they aren't standard user accounts; they are service accounts that have elevated rights/priority (more access/priority than an administrator account).

Normally applications don't have free access to these services, but they can get access to them if you randomly install software from suspicious sources or run executables/scripts attached to e-mail clients while either logged in under an Administrator account, or by blindly clicking "ok" every time you see a security warning come up.



posted on Jul, 15 2013 @ 06:02 PM

Originally posted by abecedarian

TCP 192.168.1.100:49175 64.4.11.42:http ESTABLISHED 1324 CryptSvc [svchost.exe]


192.168.*.* is a private address range, never to be directly connected to the Internet.
It is the default for nearly every home router out there.

192.168.1.100 is likely YOUR computer.
Why did you not run an IPCONFIG /ALL command just to verify?
So you're raising fear in people because your computer talked to itself?


No more fear, uncertainty and doubt, okay?


edit on 7/15/2013 by abecedarian because: (no reason given)


No need to run IPCONFIG to verify what I already know. A local IP connects to the outside world by opening ports and using the router's WAN public IP address.
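The two posts above argue by hand over the same netstat record: which side is the private 192.168.x.x host, which side is the public one, and what it means that the remote port is http. The following is an added example, not from the thread or any poster: a Python parser for the flattened record as quoted in the thread that classifies each endpoint by address scope with the standard library's ipaddress module and states the plaintext-port caveat. The port-name table, the PLAINTEXT_PORTS set and the two extra sample records are constructed for illustration; only the first record is the one quoted in the thread.

```python
# Added example (not from the thread): parse one flattened `netstat -anob`
# record and classify each endpoint the way the posters argue about by hand.
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Names netstat prints for well-known ports (the thread's line has ":http").
NAMED_PORTS = {"http": 80, "https": 443, "epmap": 135, "microsoft-ds": 445}
PLAINTEXT_PORTS = {80}   # remote ports carrying unencrypted payload

# proto, local addr:port, remote addr:port, optional state (none for UDP),
# PID, optional service name, optional [image name]
LINE_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<laddr>\S+):(?P<lport>\S+)\s+"
    r"(?P<raddr>\S+):(?P<rport>\S+)\s+(?:(?P<state>[A-Z_]+)\s+)?(?P<pid>\d+)"
    r"(?:\s+(?P<svc>[^\s\[]+))?(?:\s+\[(?P<image>[^\]]+)\])?\s*$"
)

@dataclass
class Endpoint:
    address: str
    port: Optional[int]   # None for netstat's "*" wildcard
    scope: str            # wildcard | unspecified | loopback | private | public

@dataclass
class Connection:
    proto: str
    local: Endpoint
    remote: Endpoint
    state: Optional[str]
    pid: int
    service: Optional[str]
    image: Optional[str]

def classify_address(addr: str) -> str:
    """Scope of an address as netstat prints it (IPv6 comes in brackets)."""
    if addr == "*":
        return "wildcard"
    ip = ipaddress.ip_address(addr.strip("[]"))
    if ip.is_unspecified:   # 0.0.0.0 / ::, i.e. bound to every interface
        return "unspecified"
    if ip.is_loopback:
        return "loopback"
    if ip.is_private:       # RFC 1918 for IPv4, fc00::/7 for IPv6
        return "private"
    return "public"

def parse_port(text: str) -> Optional[int]:
    if text == "*":
        return None
    if text.isdigit():
        return int(text)
    if text.lower() in NAMED_PORTS:
        return NAMED_PORTS[text.lower()]
    raise ValueError(f"unknown port name {text!r}")

def parse_netstat_line(line: str) -> Connection:
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"not a netstat record: {line!r}")
    return Connection(
        proto=m["proto"],
        local=Endpoint(m["laddr"], parse_port(m["lport"]), classify_address(m["laddr"])),
        remote=Endpoint(m["raddr"], parse_port(m["rport"]), classify_address(m["raddr"])),
        state=m["state"], pid=int(m["pid"]), service=m["svc"], image=m["image"],
    )

def assess(conn: Connection) -> List[str]:
    """Plain-language findings a defender would note about one record."""
    notes = []
    if conn.local.scope == "private" and conn.remote.scope == "public":
        notes.append("local side is an RFC 1918 address behind NAT; remote side is a public Internet host")
    elif conn.local.scope == "private" and conn.remote.scope == "private":
        notes.append("both sides are private addresses: LAN-only traffic")
    elif conn.local.scope == "loopback":
        notes.append("loopback only: the machine is talking to itself")
    if conn.state == "LISTENING" and conn.local.scope == "unspecified":
        notes.append("listener bound to all interfaces: reachable from the network")
    if conn.remote.port in PLAINTEXT_PORTS:
        notes.append(f"remote port {conn.remote.port} is plaintext: a capture shows the payload, so any "
                     "integrity guarantee must come from signatures on the data, not from the transport")
    return notes

# First record is the one quoted in the thread; the other two are constructed.
SAMPLE_LINES = [
    "TCP 192.168.1.100:49175 64.4.11.42:http ESTABLISHED 1324 CryptSvc [svchost.exe]",
    "TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 812 RpcSs [svchost.exe]",
    "TCP 127.0.0.1:49200 127.0.0.1:49201 ESTABLISHED 2040 [firefox.exe]",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        c = parse_netstat_line(line)
        print(f"{c.proto} {c.local.address}:{c.local.port} ({c.local.scope}) -> "
              f"{c.remote.address}:{c.remote.port} ({c.remote.scope}) pid={c.pid} {c.service or ''}")
        for note in assess(c):
            print("   -", note)
```

On the thread's record the parser reports a private local side, a public remote side and the plaintext port; it takes no position on whether the connection is benign, which is exactly what a capture in Wireshark, as suggested elsewhere in the thread, is for.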



posted on Jul, 15 2013 @ 06:29 PM

Originally posted by ispyed
OP I think it is a bit out of order for you to encourage people to turn off cryptsvc.exe. People will not be able to update their WIN boxes. This is a bit irresponsible.

See link: maximumpcguides.com...

I am like others concerned at the authoritarian behavior of Governments especially the USA and the UK.

As far as back doors go here is the plan: www.eff.org...

The FBI are "bigging it up" how they "go dark" on some suspects. (Lying bastards)


Encouraging? I said it would undoubtedly cause issues disabling it. Of course you wouldn't want to shut off your crypto services. It updates and patches and who knows what else. It may even send root CAs through its connection. However, the most concerning part about all this... is that you figure a crypto service that boasts about security would secure its own connection. It connects to an http server hosted by Microsoft.
Kind of makes that password pointless.



posted on Jul, 15 2013 @ 06:33 PM
I don't think there is a way to get around any of this.

It is my understanding that all hardware of P3 architecture and beyond leaves a unique 'footprint'. I am inclined to believe this since having to testify against a person who was using a P2 rig for 'nefarious' internet activities.

Some of this was first brought to our attention years ago with the apparent advanced encryption capabilities of the advapadi.dll file (?)

But hey, if we have nothing to hide we have nothing to worry about, eh?



posted on Jul, 15 2013 @ 07:24 PM

Originally posted by JBA2848
reply to post by sean
 


And I am interested in the second key for Microsoft. The one that used to be named NSAKey. Microsoft says they have never used their second key. I wonder if there is a way to track if the second key has ever been used by the NSA or anyone else?
edit on 15-7-2013 by JBA2848 because: (no reason given)


There probably really is no way to tell, as the coders found the NSAKey reference by blind luck and partial laziness on Microsoft's part. Microsoft guards their source code well. However, you can monitor connections and packet capture. I have read that there was an early Windows 95 version that didn't have the NSAKey. If you could set up a side-by-side comparison and somehow monitor the differences, see if it's actively phoning home still.



posted on Jul, 15 2013 @ 07:55 PM
OP, this thread is way off-base...

The Crypto service is required by Windows for updating the OS, and the reason it talks to Microsoft's servers is to make a simple service call to validate the hash of certain assemblies against the Microsoft version, in an attempt to protect your operating system from someone taking over system-level libraries with their own.

For example, kernel32.dll - a core piece of the Windows OS, can be compromised by a malicious attacker to act as a proxy to your operating system. It's an easy way to Trojan your box without you knowing it, also known as rooting it. Most Windows services are hacked this way by malware and virii.

The Crypto service verifies that your libraries are up to date for specific services, not for anything nefarious, and connects to keep other services up to date that depend on those core operating system libraries. You NEED this service for any kind of SSL connections to websites, and it's been around for a very long time without any issues.

There are good reasons for the Network Service account not being available for use, but that's a different topic.

Bottom line, you're incorrect and making WAY more out of your discovery than you realize. Network admins and programmers have long known about these things, and anyone with Fiddler or Wireshark or Netstat can see what's happening, it's not nefarious.


Provides four management services: Catalog Database Service, which confirms the signatures of Windows files and allows new programs to be installed; Protected Root Service, which adds and removes Trusted Root Certification Authority certificates from this computer; Automatic Root Certificate Update Service, which retrieves root certificates from Windows Update and enable scenarios such as SSL; and Key Service, which helps enroll this computer for certificates. If this service is stopped, these management services will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.


Source

I'm not saying that it isn't possible for it to be exploited some day, but so far, it hasn't been, and there are plenty of hackers out there who have found every known exploit under the sun. IF this were one of them, it would have been closed up a long time ago, or exploited many times over.

By making people believe this is a BAD thing, they will turn around and try to disable it, making them 100000 TIMES MORE VULNERABLE!!! I strongly recommend that NOBODY do this.

~Namaste



posted on Jul, 15 2013 @ 09:18 PM

Originally posted by SonOfTheLawOfOne
OP, this thread is way off-base...

The Crypto service is required by Windows for updating the OS, and the reason it talks to Microsoft's servers is to make a simple service call to validate the hash of certain assemblies against the Microsoft version, in an attempt to protect your operating system from someone taking over system-level libraries with their own.

For example, kernel32.dll - a core piece of the Windows OS, can be compromised by a malicious attacker to act as a proxy to your operating system. It's an easy way to Trojan your box without you knowing it, also known as rooting it. Most Windows services are hacked this way by malware and virii.

The Crypto service verifies that your libraries are up to date for specific services, not for anything nefarious, and connects to keep other services up to date that depend on those core operating system libraries. You NEED this service for any kind of SSL connections to websites, and it's been around for a very long time without any issues.

There are good reasons for the Network Service account not being available for use, but that's a different topic.

Bottom line, you're incorrect and making WAY more out of your discovery than you realize. Network admins and programmers have long known about these things, and anyone with Fiddler or Wireshark or Netstat can see what's happening, it's not nefarious.


Provides four management services: Catalog Database Service, which confirms the signatures of Windows files and allows new programs to be installed; Protected Root Service, which adds and removes Trusted Root Certification Authority certificates from this computer; Automatic Root Certificate Update Service, which retrieves root certificates from Windows Update and enable scenarios such as SSL; and Key Service, which helps enroll this computer for certificates. If this service is stopped, these management services will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.


Source

I'm not saying that it isn't possible for it to be exploited some day, but so far, it hasn't been, and there are plenty of hackers out there who have found every known exploit under the sun. IF this were one of them, it would have been closed up a long time ago, or exploited many times over.

By making people believe this is a BAD thing, they will turn around and try to disable it, making them 100000 TIMES MORE VULNERABLE!!! I strongly recommend that NOBODY do this.

~Namaste


How is it way off base? I am just showing people that connections happen all the time with or without their knowledge. I am not saying this is a backdoor in this case; however, many viruses that do gain remote access use such ways. I know exactly what the service does, just like you said, and what it's used for. You're preaching to the choir. You don't even find it odd in the slightest that a crypto service is connecting to an unencrypted server to send/receive data??? Not saying it's a back door, but this connection should at the least be investigated for security risks. Who's to say I can't intercept and inject my own nefarious code??
edit on 15-7-2013 by sean because: (no reason given)



posted on Jul, 15 2013 @ 09:42 PM

Originally posted by sean
How is it way off base? I am just showing people that connections happen all the time with or without their knowledge. I am not saying this is a backdoor in this case; however, many viruses that do gain remote access use such ways. I know exactly what the service does, just like you said, and what it's used for. You're preaching to the choir. You don't even find it odd in the slightest that a crypto service is connecting to an unencrypted server to send/receive data??? Not saying it's a back door, but this connection should at the least be investigated for security risks. Who's to say I can't intercept and inject my own nefarious code??
edit on 15-7-2013 by sean because: (no reason given)


There is no way to inject nefarious code into the crypto service call that goes out to Microsoft. You can see this by disassembling the DLL in Visual Studio or the Windows Debugger (Win Debug).

The service that is called is on a Microsoft secure server that only stores hashes of the assemblies that the crypto service checks. The stream being sent over the wire is a simple call that involves a callback to the DLL on your computer with a strongly typed interface between the two servers so that only hash keys can be returned for comparison, not code or SQL queries or injectable code. There is nothing that can be injected into this code because it only understands and accepts one type of reply, which is usually an MD5 one-way hash.

Like I said, if it could be hacked, it would have been, and if there was any way whatsoever that a hacker could expose it and brag about it, it would have been done. If you want to know more about it, look at the code yourself in a decomposition tool like Win Dbg.

~Namaste



posted on Jul, 15 2013 @ 10:08 PM
reply to post by sean
 


Of course they do, and how about those security updates... heh heh.
What concerns me more, however, would be the vulnerabilities
latent to the Chinese hard drives that have snuck their way into virtually every new computer
system on the market. Not only Private Sector, but Public/Military Sector as well.

A Cost Cutting Greedhead Kickback Maneuver that puts Nations at Risk.

Particularly Ours. Great Thread! S&F



