Microsoft's Backdoor ::::RELOADED:::::

I never trusted Microsoft when it comes to security or privacy.

Luckily there are multiple alternatives to such untrustworthy operation systems. I am currently a very happy Debian user.

Originally posted by Maxatoria
reply to post by Gu1tarJohn

 

You aint technical or of a piractical nature or you'd think its more about some warez being released by a group of pirates....but a C before the :::::: and an 8 at the end would of pushed it into the naught region

LOL

Actually, I work in the IT industry, but was only commenting about the title.

Originally posted by sean
Many have wondered if Microsoft has a backdoor to your system. The answer to that may not be to far from the truth. A few days ago a thread popped up about it and It got me thinking and poking around. Microsoft themselves has said Windows 7 etc does not have back doors. However, what I am about to show you is a remote connection done everyday from your system without your knowledge. The most concerning part about all this is.... Well you will see for yourself...

The service we're talking about here is CryptSvc..

--------------------Description------------------------

Service name: CryptSvc

Description: Provides four management services: Catalog Database Service, which confirms the signatures of Windows files and allows new programs to be installed; Protected Root Service, which adds and removes Trusted Root Certification Authority certificates from this computer; Automatic Root Certificate Update Service, which retrieves root certificates from Windows Update and enable scenarios such as SSL; and Key Service, which helps enroll this computer for certificates. If this service is stopped, these management services will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.

Path to executable: C:windowssystem32svchost.exe -k NetworkService

Startup type: Automatic

--------------------Hidden Network Account------------------

------------------CMD.exe Scan-------------------------

Note: Normally you cannot get this type of information without first elevating your CMD.exe to Administrator privileges. I created a log scanning at 10 second intervals. The command used shows the name of the file, ports/IP & what PID number was used.

-Command used: netstat -bo 10 > C:netstat.txt

---------------------Output--------------------------------

TCP 192.168.1.100:49175 64.4.11.42:http ESTABLISHED 1324 CryptSvc [svchost.exe]

---------------------Final Thoughts---------------------------------

As you can see this connection runs automatically as a service and has a login/password to this service. This account doesn't exist under management users/groups. If you type 64.4.11.42 in your web browser it will resolve to Microsoft. The most concerning of all this....a Crypto service connecting to a HTTP non secured unencrypted web server?? Wow Microsoft really??? Stopping this service will undoubtedly cause issues. So there you have it enjoy your potential security hole.

---

Good job in discovering some of the loopholes in Windows.

I suspect that IP address has to do with basic authentication of the Windows update procedure
such that the update can exchange digital signatures and/or encrypt/decrypt keys before allowing
downloads form Windows Update. (i.e. probably part of the Microsoft Genuine Advantage program
which sees if you're running a genuine copy of Windows and are allowed a valid update)

In Windows 2000, at the NSA's request, Microsoft put in a separate encryption/decryption
infrastructure (i.e. the infamous NSA Key) which allowed U.S. Federal Agencies to use greater
than 128-bit encryption for all disk read/writes and Internet communications. The enhanced
Triple-DES encryption at the time would have required "Code Thunking" so that the 16-bit/32-bit
infrastructure of Windows function calls would work with the NSA-designed extended internal
private/public key infrastructure and thus Microsoft wanted to keep it all separate from
Mainstream Windows thus Registry Keys were assigned to the NSA to allow installation
of their OWN encrypt/decrypt systems.

The NSA registry key is merely an identifier so that the right Dynamic Link Library is called
for disk reads/writes and encrypted TCP/IP packet communications. That's not to much of a
big deal because this NSA key assignment was done for commercial reasons and not
anything particularly malicious.

---

HOWEVER, the Windows Update Services and TCP/IP/Ethernet Driver Services
are INHERENTLY not as secure as they could be. While Windows is genuinely
secure from MOST concerted commercial-level attacks, the whole Key-Exchange
and Authentication infrastructure is DESIGNED to be vulnerable to Man-in-the-Middle
attacks and Fake Credentialed Software attacks.

The NSA has a number of corporations it operates that obtain REAL digital signatures
from companies such as Verisign or any other MAJOR Digital Signature verification company.
This means that driver-level code, major applications and other software WILL be automatically
installed by Windows update because those apps have REAL DIGITAL SIGNATURES but the
application or driver software contains malicious code that can install itself for any purpose
so required by the NSA. Those applications also have polymorphic and encrypted sub-routine
libraries that decrypt and run on-the-fly in such a manner that they do not trigger anti-virus
programs. CONTINUED

reply to post by StargateSG7

Those anti-virus programs won't detect the software that
the NSA installs or runs on your system since those software
apps tend to have built-in script interpreters or Just-In-Time compilers
that run scripts and code downloaded from special servers OR they
concatenate code stored on various PUBLIC servers into specialty
scripts that then do their nefarious work.

Another thing the NSA likes to do is modify the microcode and BIOS of motherboards,
graphics cards, network cards and even newer model disk drives or ANY OTHER HARDWARE
that has a flashable BIOS which then runs it's OWN key-logging, communications and or recording
code so that the NSA can keep watch.

One of the NSA's favorite thing to do is use a Man-in-the-middle server to allow download requests
for Graphics Card drivers from specific ranges of IP addresses to be redirected to the NSA servers
which then have a version of that graphics driver for your super-duper ATI/AMD or NVIDIA graphics
card which contains properly digitally signed Ring-0 privileged microcode that takes snapshots of
your screen on a regular basis and storing those snapshots in an encrypted *.TMP or *.DAT for
later uploading by your ALSO compromised Ethernet Network Card or Compromised TCP/IP
stack software (i.e. WinSock) which will send those files to a 123.x.x.x server probably
based somewhere in the Netherlands or Delaware!

Once in a while the secret TMP or DAT files are temporarily DELETED (i.e. into the trash bin)
by the NSA's logging software, which then keeps them out-of-sight of the user and/or any anti-virus
software but then miraculously "recovers" (i.e. undeleted) those deleted files once the software is
ready for upload. This takes advantage of the way Windows and MacOS schedules file space re-use
on deleted files.

And since the code is digitally signed and technically anti-virus free, Norton and McAffee
won't raise any hackles about the NSA's custom bugging software.

BUT my all-time favorite HACK from the NSA is when they make a copy of the HDMI or
DISPLAY port streams that get looped out of your display monitor ports and back into
an encrypted file. This allows them to capture the audio/video from Skype calls,
Apple Facetime, Voice-Over-IP and any other video or audio multimedia files
that were played on your system.

The compression algorithm they use is AMAZING...far better than anything that out there
commercially (i.e. near real time Fractal Encoder) so they can stuff a lot of data in a really
small space for eventual upload to one of their servers.

There's lots the NSA can do on a more nefarious level but that Windows 2000 era NSA key
was more of a Microsoft decision based on federal computing systems procurement economics
than any NSA directive.

This is kind of an interesting read: "Your computer BY DEFAULT is spying on you

Did you know: Your computer BY DEFAULT is spying on you and sending everything you do to MS... It's true OPEN the following (following applies to win7)

Start Menu
Accessories
System Tools
Task Scheduler

On the left you'll see "Task Scheduler Library" seems innocent enough right... Expand it the expand microsoft then expand Windows. As you go through the list some are innocent enough but there are several that are sending your use info to "who knows who" at MS. Just a few that I've disabled are "application experience" "customer experience improvement program" "location" "WPD" "

www.diyaudio.com...

reply to post by StargateSG7


Can we have some links to see how these are done....no wonder the NSA costs so much when they need to have so many specialist hardware engineers along with low level coders for the firmware

Originally posted by Maxatoria
reply to post by StargateSG7

 

Can we have some links to see how these are done....no wonder the NSA costs so much when they need to have so many specialist hardware engineers along with low level coders for the firmware

----

The key is that the GPU's are now pretty generic and can do much of what
a CISC (Complex Instruction Set Computer) CPU does.

Here's some code for ARM Chip based graphics firmware templates
used in many tablets and smart phones:

ARM Chip Graphics Firmware Repository:
github.com...

The above code base is processor specific but the instruction set is generic enough that almost
ALL graphics chips used on-board ANY ARM chip or a co-processor based system can be targeted.
That would include Android tablets and iPhone/iPod!

---
AMD graphics card open source drivers AND actual BIOS/firmware code:

GPU firmware dissassembler:
phoronix.com...

More Info on custom AMD/ATI graphics BIOS:
www.phoronix.com...

Grand Overview:
en.wikipedia.org...

---

Motherboard BIOS mods and custom BIOS:

BIOS mods:
www.bios-mods.com...

Motherbioard BIOS hacking:
www.rebelshavenforum.com...

Custom Open Source Motherboard BIOS:
www.openfirmware.info...

World first mainboard open source BIOS:
www.coreboot.org...



---

Here firmware for modifying common routers that use common Ethernet/TCP/IP stacks so that
you can copy or redirect internet traffic to anywhere you like:

www.pcworld.com...

----
And for ATI/AMD graphics drivers you can modify this:

www.phoronix.com...

---

Here's a hardware hack for NVIDIA cards:

hackaday.com...

---

Open source graphics driver code for NVIDIA:

nouveau.freedesktop.org...


So if I HAVE this ability to get this much hardware information, imagine what
OTHERS like the NSA can do with their much bigger budgets and personnel rosters.
---

Hope that helps!

Regarding myself, I have DECADES of firmware and embedded software systems
programming experience and as such can build assemblers, compilers, BIOS Firmware
and even ENTIRE Operating systems from SCRATCH...so it's not a fair comparison
as to my capabilities. In reality, only the OLDER programmers at the NSA would
have my broad-based experiences while the younger programmers would be CHIP-specific
or OS-family specific! They won't have the LOW-LEVEL coding experience I have but since
the NSA is one of the world's LARGEST EMPLOYERS of statisticians, mathematicians,
Information Technologists and systems level coders, I think they have enough platform-specific
talent that they could easily equal my own BROAD-BASED coding talent...but then again
i've got 35 years of coding experience since I was seven years old on them!

Originally posted by myn4m3
This is kind of an interesting read: "Your computer BY DEFAULT is spying on you

Did you know: Your computer BY DEFAULT is spying on you and sending everything you do to MS... It's true OPEN the following (following applies to win7)

Start Menu
Accessories
System Tools
Task Scheduler

On the left you'll see "Task Scheduler Library" seems innocent enough right... Expand it the expand microsoft then expand Windows. As you go through the list some are innocent enough but there are several that are sending your use info to "who knows who" at MS. Just a few that I've disabled are "application experience" "customer experience improvement program" "location" "WPD" "

www.diyaudio.com...

There is so many ways to get a program to start in windows it's ridiculous. I remember back in the day a instructor was talking about this and everyone kind of got into it and started listing all the ways a virus could hide it's start up. There was one I thought it was quite ingenious. It was adding it to the system.ini file under a run= but taking it a step further and adding a bunch of null spaces before it so it looked as though it was blank. The system.ini and win.ini frame itself by default was coded to always open in a preset size. This certain pixel x pixel size helped hide the code that sat off the screen to the right. A quick glance and you would see that run= has nothing after it, but in reality it did way off to the right. All one had to do is scroll way to the right or open the windows in full screen.

Reminds me of the methods of bypassing the security policy and still being able to use the command prompt. Simply bring your own command.com on a floppy and a winword document that had a embeded macro that pointed to the command.com on the floppy. Or the mspaint method creating a picture that essentially opens command.

reply to post by StargateSG7


Thanks for the list of info what's your take on CPU dep? Have you seen the video of the raspberry pi server cluster? It's funny as the rack is all built out of legos.

Originally posted by phishyblankwaters
reply to post by sean

 

Apparently no one else finds it odd for a service account that has a 15 character salted password connecting to a normal http web server.

Well, you wouldn't want that account open, as a hacker could modify the system files / ssl certificates and have you pulling updates from a compromised source.

As well, I'd have to assume, and probably be right, that any files that do get pulled down are hashchecked in some manner, removing the need for a secure SSL connection.

And lastly, if there is an issue with your SSL store, this would be the means of fixing it, how exactly are you going to pull down updates if your ssl is fried?

Right I got ya, but MD5 and ssl is aging. SHA1 is garbage. There are methods of stripping ssl. Hopefully by the time all of this is compromised there will be a new method or algorithm in place. More and more people are heading towards open source linux as users/groups access is simplified and SSH, VPN, SFTP etc are natively sound without having all the Microsoft Bullcrap. Oh you want a create a Microsoft server you gotta spend thousand of dollars on software and user CALS.

Originally posted by sean
reply to post by StargateSG7

 

Thanks for the list of info what's your take on CPU dep? Have you seen the video of the raspberry pi server cluster? It's funny as the rack is all built out of legos.

---

Love the Raspberry PI server cluster demo...not sure what you mean by the term "CPU dep" tho.......
but in terms of tracking, almost ALL CPU's have a UNIQUE serial number on them that allows software
to TRACK an individual CPU so that the powers that be can find if it was YOUR machine that is the
source of any shenanigans.

You can print your OWN silicon by using the Open Source Super/UltraSPARC CPU designs
and using copper-vapor deposition on plastic substrates at process sizes around one micron or less
which means you could literally "laserprint" out a whole CPU on an 11 by 17 inch sheet of plastic.
It would be a bit power hungry and slow (at about 250 to 500 MHZ) but its definitely doable if you
want to make sure that no one can subvert your hardware. You can even layer them in stacks to
form your OWN supercluster of plastic CPU's!

If you want .95nm or 0.65nm CPU processes that will cost you some bucks but you CAN get some used
lithography and older 120mm silicon disc wafer manufacturing gear for less that $500,000 which means
you can print your own chips by the bazillions to your hearts content.

reply to post by StumpDrummer


You could always make your own operating system. lol

Originally posted by StargateSG7

Originally posted by sean
reply to post by StargateSG7

 

Thanks for the list of info what's your take on CPU dep? Have you seen the video of the raspberry pi server cluster? It's funny as the rack is all built out of legos.

---

Love the Raspberry PI server cluster demo...not sure what you mean by the term "CPU dep" tho.......
but in terms of tracking, almost ALL CPU's have a UNIQUE serial number on them that allows software
to TRACK an individual CPU so that the powers that be can find if it was YOUR machine that is the
source of any shenanigans.

You can print your OWN silicon by using the Open Source Super/UltraSPARC CPU designs
and using copper-vapor deposition on plastic substrates at process sizes around one micron or less
which means you could literally "laserprint" out a whole CPU on an 11 by 17 inch sheet of plastic.
It would be a bit power hungry and slow (at about 250 to 500 MHZ) but its definitely doable if you
want to make sure that no one can subvert your hardware. You can even layer them in stacks to
form your OWN supercluster of plastic CPU's!

If you want .95nm or 0.65nm CPU processes that will cost you some bucks but you CAN get some used
lithography and older 120mm silicon disc wafer manufacturing gear for less that $500,000 which means
you can print your own chips by the bazillions to your hearts content.

Right all hardware will have some sort of traceable serial number or whatever. I like how you brought up flashing roms etc. It's indeed possible to write malicious code and flash it in. or lets say a spy walking in/out with hidden code in a ROM or BOM itself. Ok ill shutup now Oh and what I meant by CPU DEP (Data Execution Protection) Just wondering if that was still even viable as far as security goes. I remember having a ati card I think it was x850 that was top of the line at the time even then it ran shotty. So I edited the bios of it and re-flashed it so it would run overclocked and 16 pipes instead of 12. Still kept it all these years as I liked the TIVO options it has.

Originally posted by abecedarian

TCP 192.168.1.100:49175 64.4.11.42:http ESTABLISHED 1324 CryptSvc [svchost.exe]

192.168.*.* is a private address range, never to be directly connected to the Internet.

Thought I'd reitterate the address in the OP (192.168) is an internal address, the established connection is your localhost (your computer). It's talking to itself.

I believe svchost checks keys against running programs to be sure they're legit. I'm pretty sure it's been around a while.

Not sure though, it's been a while since my MCP and we stay far away from windows (all Open Source for home machines and web servers). Happy Campers.

In my pc with win xp i have checked Local System Account in Log On tab of CryptSvc, if you have this network thing without modifying i can bet that you are hacked. And i use windows only for work, for some apps that cant run in linux.

Originally posted by Pearj

Originally posted by abecedarian

TCP 192.168.1.100:49175 64.4.11.42:http ESTABLISHED 1324 CryptSvc [svchost.exe]

192.168.*.* is a private address range, never to be directly connected to the Internet.

Thought I'd reitterate the address in the OP (192.168) is an internal address, the established connection is your localhost (your computer). It's talking to itself.

I believe svchost checks keys against running programs to be sure they're legit. I'm pretty sure it's been around a while.

Not sure though, it's been a while since my MCP and we stay far away from windows (all Open Source for home machines and web servers).

Happy Campers.

---

Hmm I didin't even notice that IP address but you're right.

If those Internal LAN addresses ARE connected to the greater internet they have to
do so through a gateway that's not one of the InterNIC defined INTERNAL PRIVATE
address ranges on it's public port. I do highly suggest you set your router to change
its MAC Address (Media Access Control) number say once a week so that port scanner
programs can't PROFILE and associate your hardware with an assigned public
IP Gateway/Router address which SHOULD BE DYNAMIC and NOT STATIC.

and actually localhost is almost always 127.0.0.1 as a loopback IP address
on Windows machines at least!

---

Data Execution Protection is actually a throwback to the 1970's era
DEC VAX minicomputers that had the ability to keep data SEPARATE
from execution code. Ironically, Dave Cutler the Microsoft Windows NT/Server
team head was the lead programmer of the entire Digital Equipment Corporation's
VAX minicomputer development team. If it wasn't for Dave Cutler's team we wouldn't have
Dynamic Link Libraries, Multi-Platform Server Management and Active Directory
which allows users and machines to be easily assigned and managed into
teams and security groups.

DEC hardware developers (who were ALSO working on the ironically named PRISM
superworkstation project at the time of Dave Cutler's recruitment by Microsoft)
simply added a HARDWARE version of Data Execution Protection to its CPU chips
but those hardware guys and all the DEP tech was eventually sold to Intel and
Hewlett Packard for a pretty penny.

The DEC PRISM superworkstation was going to be Windows NT on Steroids
but DEC killed it and then half the software team was recruited by Bill Gates
and much of the hardware guys went to Sun, MIPS, AMD and Intel.

===

On a more PUBLIC NOTE, I AM PLEASED to announce that our own chip
"Midgrid DragonSlayer" is a cut above what Intel, AMD and ARM has to offer!

Heres the rundown:

Signed and Unsigned Integers from 1-bit to 2048 bits wide and all bits inbetween.

16, 24, 32, 48, 64, 80, 96, 128, 256, 512, 1024 and 2048-bits wide
Fixed Point AND Floating point real numbers within an onchip
coprocessing core that has it's OWN execution pipeline.

8, 15, 16, 32, 48 and 64 bit RGB-RGBA, CMYK-CMYKA and YCbCr pixel formats
HARDCODED with Wu-based anti-aliased line, curve, box, ellipse, circle and common
shape commands all hardcoded in silicon for speed with FULL 1, 2, 4, 8 and 16-bit
alpha transparency channels.

Built in single-bit TRUE-FALSE and 4-bit and 8-bit multi-state boolean logic values
and comparators for speedy fuzzy logic and neural net apps.

Built-in REGISTER ARRAYS that have EIGHT EACH of the 128-bits-wide-per-array-item
in flavors of 16-item, 32-item, 64-item, 256 item, 512, 1024, 2048, 4096 and finally 8192 array items
as on-chip CPU register arrays that use SIMD (Single instruction, multiple data)
that have hard-coded add, move, compare, subtract, int and real division, modulo arithmetic
plus BITWISE and or xor not flip, rotate, spin, insert, overwrite and shift operators for SPEED
of array manipulation (i.e. highspeed SIMD Vector Processing) This also makes it easy to do
advanced graphics processing!

And finally, a built in encrypt-decrypt module that uses ONLY INTERNAL cache and
CPU registers for ALL key generation, key storage and encrypt-decrypt operations using
a non-linear fully random electron well noise random number generator (i.e. Cryptographically secure)
that allows AES and quantum computing resistant encrypt-decrypt algorithms to be stored and
run ON-CHIP ONLY!

and for good measure I added an onchip 4-bit and 8-bit BCD Binary Coded Decimal processor
for all you gigantic math diehards who want to calculate PI to the Yottillionth decimal place!

And for you video nuts, an 8-core video processor that assigns TWO hardware threads to handle
EACH of the 8-input and 8-output streams of 720, 1080 and 4k MPEG, MP4, Wavelet, Motion JPEG
and VP8 video streams with full Text/Image/Map/Chart OVERLAY plus variable Alpha Transparency
Channel on EVERY pixel and built in colour pixel processing commands built in -- every video editor's
wet dream special effect and proc-amp control is included. Audio is 128 channel 192khz 24 bit audio
streams in multiple formats. Now you can EASILY create your 360 degree surround view CAVE environment!

You will kill for all this and its for sale very soon now
unless we go Black Budget at a significant selling price! Hint! Hint!

I've got multiple permanent tunnels to my computer.

Are those not normal?

I thought everyone had those.

reply to post by StargateSG7


P.S. and YES it's a REAL PRODUCT !!! It took us a long while to get or "Silicon Compiler" just right
in order to create such a beast as the "Midgrid DragonSlayer" Super-CPU chip! Let's just say Intel ,
AMD, ARM will be quaking in their boots right about.......NOW!

The system is actually manufacturable on standard .65 nm, .45 and .22 processes
since the silicon compiler takes into account the "mask hints" needed for microcircuit edges,
corners and traces for photolithography at various wavelengths into even the Extreme UV bands.

A series of multi-layer bitmap or vector based microcircuit masks is output directly
by the "Compile-to-Chip" option on our Midgrid software.

P.S. Intel/AMD: Don't Be Cheap! You Know What it's Worth!

Microsoft/Apple, whatever....they all have backdoors for remote control. Take a look at the current patents on all things computing......
Everyone seems to think that computer networks are security conscious, more than paper or anything. Nothing could be further from the truth. It was why this computational universal connection was created, after all.

Originally posted by tetra50
Microsoft/Apple, whatever....they all have backdoors for remote control. Take a look at the current patents on all things computing......
Everyone seems to think that computer networks are security conscious, more than paper or anything. Nothing could be further from the truth. It was why this computational universal connection was created, after all.

The government created the internet as a spy highway and so here we are being spied upon.