LetsWindows10

Member
  • Posts: 12
  • Joined
  • Last visited
  • Donations: 0.00 USD
  • Country: United States

About LetsWindows10

Profile Information
  • OS: Windows 10 x64

LetsWindows10's Achievements
  • Reputation: 8

  1. I figured it's time to start poking at security in Win10. Working with local only standard accounts vs admin accounts. Full disclosure: This is a hobby, I don't claim bug bounties, I don't want credit for anything, I value my privacy, however, the infosec community I've found recently is very inclusive and shares, so here's my noob evaluation.

     The Administrator account is hidden by default, but a user with admin privileges can activate it from an elevated command prompt with: net user administrator /active:yes
     The default password is blank.

     A user with standard access has basically read-only access to the registry, critical folders, and command prompt. (my favorite find on Win7 machines was appending an executable to the key: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit) This key still exists, but it's read only to standard users. However, the task manager does have some limited access which carries over to services. Checking services that are set to "Automatic (delayed start)" yields a handful that grant "Start" access to the standard account. The majority are invoked by svchost.exe so we're gonna ignore them assuming they're locked down. The one that's interesting is sppsvc. It's got an AES key embedded and tracing DLL calls may yield a more simple attack vector. Finding an executable-on-boot path (via weak folder permissions) and replacing the service call could be fun! This can only work on say a Staples demo PC or high school PC with a lacking security policy, but if anyone has any feedback, or can take the money & run, go for it.

     Edit: all testing done on latest fast track build 10586 and Windows was happy to install week-old updates under standard account

     Edit #2: best post I've found so far on Windows Privilege Escalation. http://fuzzysecurity.com/tutorials/16.html
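As an added example (not code from the post above, and not a Microsoft tool), the following read-only PowerShell audit measures the three things the post pokes at from the hardening side: whether broad principals can write the Winlogon key that holds Userinit, which services grant "Start" to broad principals (read from the SDDL that `sc.exe sdshow` prints), and whether the folder holding a service's binary is writable by those principals. It assumes Windows PowerShell 5.1 or later with `sc.exe` and `Get-CimInstance` available; the principal lists are assumptions about what "any standard user" means on a workstation. It changes nothing and only emits findings.

```powershell
# Added example, not code from the original post. Read-only audit of the conditions the
# post describes; run it as the standard (non-admin) account whose reach you want to know.
# Assumes Windows PowerShell 5.1+, sc.exe and the Win32_Service CIM class.

# Principals that stand in for "any standard user" on a workstation (assumption).
$BroadPrincipals = @('BUILTIN\Users', 'Everyone',
                     'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
# The same principals as the two-letter SID aliases used inside service SDDL strings.
$BroadSddl = @('BU', 'WD', 'AU', 'IU')

# --- 1. Who may write the Winlogon key that holds the Userinit value? --------------------
function Get-WinlogonWriters {
    $key   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $write = [System.Security.AccessControl.RegistryRights]::SetValue -bor [System.Security.AccessControl.RegistryRights]::CreateSubKey
    foreach ($ace in (Get-Acl -Path $key).Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $BroadPrincipals -contains $ace.IdentityReference.Value -and
            ([int]($ace.RegistryRights -band $write)) -ne 0) {
            [pscustomobject]@{ Check = 'Winlogon key writable'; Subject = $key
                               Principal = $ace.IdentityReference.Value; Rights = $ace.RegistryRights }
        }
    }
}

# --- 2. Which services let broad principals start them, and is the binary's folder writable?
function Get-ServiceExposure {
    $fsWrite = [System.Security.AccessControl.FileSystemRights]::Write
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        # sc.exe sdshow prints the service DACL as SDDL, e.g. (A;;CCLCSWRPLOCRRC;;;IU).
        $sddl = (& sc.exe sdshow $svc.Name 2>$null) -join ''
        foreach ($m in [regex]::Matches($sddl, '\(A;[A-Z]*;([A-Z]+);;;([A-Z]{2}|S-[\d-]+)\)')) {
            # Rights are two-letter codes; RP = SERVICE_START, GA/GW are generic rights that include it.
            $rights = [regex]::Matches($m.Groups[1].Value, '..') | ForEach-Object { $_.Value }
            if ($BroadSddl -contains $m.Groups[2].Value -and
                ($rights -contains 'RP' -or $rights -contains 'GA' -or $rights -contains 'GW')) {
                [pscustomobject]@{ Check = 'Service start granted'; Subject = $svc.Name
                                   Principal = $m.Groups[2].Value; Rights = ($rights -join ' ')
                                   StartMode = $svc.StartMode; Delayed = $svc.DelayedAutoStart }
            }
        }
        # Folder of the service binary: quoted path, or unquoted path up to the first .exe.
        if ($svc.PathName -match '^\s*"([^"]+)"' -or $svc.PathName -match '^\s*(\S+?\.exe)') {
            $dir = Split-Path -Path $Matches[1] -Parent
            try { $acl = Get-Acl -LiteralPath $dir -ErrorAction Stop } catch { continue }
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -eq 'Allow' -and
                    $BroadPrincipals -contains $ace.IdentityReference.Value -and
                    ([int]($ace.FileSystemRights -band $fsWrite)) -ne 0) {
                    [pscustomobject]@{ Check = 'Binary folder writable'; Subject = "$($svc.Name) ($dir)"
                                       Principal = $ace.IdentityReference.Value; Rights = $ace.FileSystemRights
                                       StartMode = $svc.StartMode; Delayed = $svc.DelayedAutoStart }
                }
            }
        }
    }
}

Get-WinlogonWriters
Get-ServiceExposure | Sort-Object Check, Subject | Format-Table -AutoSize
```

Two caveats on reading the output: the script matches explicit ACEs for the listed principals only, so it does not compute effective access (deny ACEs, group nesting and ACEs carrying raw generic-right numbers are not resolved), and a service that any user may start is only a problem when combined with something else the post names, such as a writable binary folder or a path a standard user can replace. A finding in the "Binary folder writable" column on an auto-start service is the one worth fixing first.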
  2. Why I worry so much about the Microsoft Account/Windows10 tie-in. (or, a morose "told you so" moment) Cross-site scripting vulnerability found in Microsoft Account login site, disclosed after it was patched fortunately - as recently as September 22 of this year. If MS can't secure the central component of their business plan and can't audit for simple, old vulnerabilities, should you trust them with your data? Sure the members of this forum have (hopefully) either used Windows 10 with a local account only, or created their own "anti-social" Windows 10 install because we're all savvy enough to use the advice and research shared by the good folks here. But the number of friends, family and coworkers who have willingly or unwillingly upgraded scares me. Most of them have more to lose than I do. It's not a matter of "Evil M$ wants to spy on me!" that concerns me. It's the naive, irresponsible attitude that MS thinks they can anonymize your data and it will never leak. The tweet posted above is just the tip of the iceberg - a benevolent security researcher who alerted MS. A bigger vulnerability that leads to a massive leak will happen eventually. It won't be from the "Chinese hackers" or "Russian hackers". It will be one of the following vectors:
     • A simple vulnerability in the realm of XSS
     • An MS employee with elevated access to the "cloud data" will be compromised by trojan/keylogger
     • The data that MS now has to share with the gov't (thanks to CISA and UN agreement) will not be properly sanitized and an entry level IT specialist who doesn't get paid enough to care, does something careless with the data.
     • The CDN account at one of the many providers Win10 is chatty with will be compromised and captured.
     At some point, with thousands of customer accounts reported compromised by various vendors each day, is it possible this leak will cause your credit and the money you have in any financial institution to come into question and the financial system will collapse?
     Have a nice day! /goes off grid with hatchet, flint & steel, and a new tinfoil hat (outgrown the old one)
  3. Edit: forgot to add that if you check the Microsoft Store, the top free app with in-app purchases has about 127k reviews. The top paid app has less than 10k. Granted reviews aren't indicative of actual sales but that's a huge discrepancy from Android and iOS apps. Who's with me for developing a Minecraft-style racing casino game with Call of Duty style side missions and castle-building overworlds!?!? Windows 10 is like a mischievous pebble in my shoe. I can't remove it, so I just keep wearing it.
  4. This week's earning report from Mr. Satya "got my groove back" Nadella claims Windows 10 adoption leaped from 75 million devices in Aug 2015 to 110 million to-date. That's 35 million devices. It's possible, I understand as a corporate talking head you need to be a spinster, no harm in that. But down to dollars & cents, a company that 'restructures' earnings reports, relies on loss-leading Windows 10 to upsell an ethereal "cloud" service is starting to smell fishy. (toss the books on the fire until you can cash out on your shares and bounce) Why does the URL at USA Today show "Microsoft-Earnings-Miss" yet preach otherwise? http://www.usatoday.com/story/tech/2015/10/22/microsoft-earnings-miss/74407358/ From today's NYTimes reality post: http://www.nytimes.com/2015/10/23/technology/microsoft-earnings.html?_r=0
     "The revenue Microsoft gets when it sells copies of Windows to PC makers fell 6 percent"
     "During the quarter, Microsoft's revenue from its Surface devices fell to $672 million, a steep drop from $908 million a year ago."
     "A more jarring decline was the 54 percent drop in revenue, when the impact of foreign currency fluctuations is excluded, from its mobile phone business."
     Intuit has bailed on Windows 10 and there's a lesson to be learned here: http://finance.yahoo.com/news/outrage-over-popular-app-highlights-234328495.html
     "the lion's share of mobile app developers either ignore Windows Phone completely, or else end up neglecting it once they realize that the return on investment just isn't worth it — just as Intuit found."
     "And so, we see Microsoft's dilemma in miniature: There just aren't a lot of reasons for developers to make Windows Phone apps or Windows 10 apps. And without those apps, it can't sell more Windows Phones. The vicious cycle marches on."
     Yet in the world of perception-dictates-reality, MSFT has been blowing up.
     "Since CEO Satya Nadella took over for Steve Ballmer in February 2014, Microsoft stock has risen from $35 and hit a post-1990s high of $50 a year ago. It closed up 1.7% at $48.03."
     /me scurries back to the garage to continue working on my rocket ship to another planet
  5. This is the piece of the puzzle that just doesn't fit. Digging around for answers, I started to fly into the "CLOUD"!!! and once I reached an altitude high enough to stop smelling all the dung spewed by marketing folks, I began to choke and gasp for air, then I escaped back out and came up with this -- WARNING: this could be based in reality or it could be tabloid-style FUD. The Windows mobile market share is dreadful, surely they don't think they can change that and convert complacent iPhone/Android users by making them pay for a new phone when theirs are already FREE (so they think) and subsidized by the carrier? Haven't cared to look, but all we've seen for the new Lumias is a retail price tag, no word on carriers that will be supplying it. In conventional business, campaigns with loss-leaders to upsell later are commonplace. But can MS really afford to have so many loss leaders in recent years (Xbox, Windows 10, now phones?) Just as they want Windows 10 on all desktops, perhaps they want Windows 10 on all phones - Lumias and everything else? You read that correctly. Currently there is only 1 model of phone - the Xiaomi Mi4 in China where you can re-flash Android and install MS's custom ROM. So what, right? That's just 1 phone, they can't possibly develop drivers for all the different chipsets that Samsung and all other Android phone manufacturers use, right? They'd have to be willing to shell out a boatload of cash for cooperation, or have some pretty serious leverage against Samsung. Microsoft vs Samsung Patent settlement Assuming MS is now in possession of a multi-billion dollar royalty carrot over Samsung and now privy to the confidential business information of Samsung (presuming hardware drivers, etc) the question is what delivery method are they going to use to start "upgrading" Android phones to Windows 10 with custom ROMs? The writing's on the wall! Resistance is futile!
     Time to stop worrying and learn to love the "bomb"! Stop fighting and just join! We need to develop some more Mahjong clones, Bejeweled clones, FPS clones, Angry Birds clones, tower defense clones, etc just like the top-earning apps in the Windows Store! Join and copy your way to success and profit!!! One of us! One of us!
  6. I wouldn't put this past them either, but the downgrade rights updated for Windows 10 are here: https://www.microsoft.com/en-us/Licensing/learn-more/brief-downgrade-rights.aspx In short: If you buy a new PC (or license for custom-built PC) with Windows 10 Home, you're stuck. Every other edition grants downgrade rights to Win7 & Win8/8.1. You just have to buy or supply the install media. You can switch among OSes as much as you want as long as you only have 1 active install at any given time. (Excluding software assurance, but that's another whole bag) Functionally, the 30 day timer is just the window where you can revert back to a previous OS with all your data intact. You can wipe Win10 and clean install 7/8 and be in compliance. You may have to go through the special activation challenge/response process but that's not that bad really. With build 10565 they added the ability to activate the OS using Win7/8/8.1 keys. To test I did a clean install of 10565 on a new hard drive so the "entitlement" wasn't present. Plugged in my Win7 key and it activated just fine. Progress!
  7. It appears they're catering to Joe Consumer by mimicking Apple in some regards and running around like a fox in a hen house, stealing all the data while you pay no attention to the man behind the curtain. Both companies' offerings are functioning as they have specified so the only things left to improve are fonts, menus and emojis for christsakes.
     Apple releases flat menus and new fonts in Yosemite -> Microsoft releases flat menus and new fonts in Windows 10
     Apple releases new emoji in iOS 9 -> Microsoft releases new emoji in Windows 10
     I've listened to headline news on the net and on radio news/talk shows where grown men are excited about new SMILEY FACES as much as they are about cars/sports/new power tools?!!!? They're just smiley faces! Reported for Apple's release: "you'll see a ton of new emoji on the keyboard including taco, unicorn, a stop hand, turkey, burrito and block of cheese." A block of cheese! Reported for Microsoft's release (Forbes no less!): "Microsoft has its mojo back. Under Satya Nadella the company is now radical, cool and determined to take risks. Apparently even with its emoji…While it may offend some, the middle finger emoji is at least racially diverse and it is included in five new Windows 10 emoji skin tone options." I'm saving my money so I can buy the next ticket off this planet.
  8. It seems careless and ripe for exploitation. In the MS profile, there's a section for Money & Gift Cards (see screenshot above) for Microsoft Stores and Apps. Wonder if it saves credit cards for "fast checkout" and how long it will take someone to compromise? A system is only as secure as its weakest link. Plain text is weak. There's a whole site dedicated to it http://plaintextoffenders.com From Krebs on Security regarding the Experian data leak (cleverly reported as a T-Mobile data leak in the media because no one needs to know it was actually the largest credit check firm in the world involved or they've never heard of Experian unless they've applied for a mortgage) It's disconcerting at the least whenever a number is assigned to a human being. I'm well aware of unique keys in databases, and that's potentially all this is, but it should not by any means be plain text and accessible via web from any unauthenticated browser. I know someone who just searched for OneDrive screenshots and was able to pull up profile photos for the people who posted them. Most of this rant is wild speculation and...well, just a rant, but there are real-world examples of this practice being a Bad Idea™. Leave a door open for long enough and you'll start to get uninvited guests.
  9. Oh light bulbs are already available in WiFi and Bluetooth flavors. Search "wifi light bulb" on Amazon - at least 22 hits available for purchase - get yours NAOW! Don't you know they're "SMART"!1!1oneone (insert wacky arms inflatable tube man)
  10. Thanks to the blog post linked below where it was discovered that your unique ID was being passed to MS Cloud services in plain text, I've found the same unique ID located in the Windows 10 registry. http://annoyedmicrosoftuser.blogspot.com/2015/10/microsoft-stop-sending-user-identifiers.html
     The same ID passed in plain text to the cloud is located in the Windows 10 registry under: HKLM\Software\Microsoft\Windows\CurrentVersion\Census\MSACIDs
     The above screenshot is from Windows 10 build 10240. I'll be updating OS build to confirm it persists across builds. It was found while logged into Windows 10 with my Microsoft account - not a local account, so YMMV. Originally I used the info in that blog post to verify his results under Windows 7 and IE11. I logged into my Microsoft account and found the CID with Developer Tools (F12) on the Network tab. (The CID is "yellowed-out" in all screenshots) Notice at the top right of the screenshot how Microsoft has conveniently recorded information about every PC I've used to test Windows 10. Stopped capturing network data, closed & reopened IE, started recording network data again and logged into OneDrive to find the same CID. This information persists across hardware, it is not an "anonymous identifier." It is directly linked to your MS account, in plain text, for the majority of Windows 10 users who do not use local accounts. I have Windows 10 and Windows 7 on separate physical hard drives and I physically swapped them out to test this. What does this mean to the average user? Probably not much yet, but I'm sure the blackhats are already on the case. Should we get CID tattoos now or later? One of us! One of us!
  11. This really is a fascinating realm of legal hell that I predict Microsoft is going to find themselves sinking into and burning up. (I am not a lawyer) We've seen the EU with their stricter anti-monopoly laws strong-arm Microsoft into releasing a special version of Windows - this is why they have Windows N Edition as well as their extended support contract for Windows XP (albeit at a hefty fee). Similarly South Korea litigated their way to force the stripped & customized Windows KN Edition. Their successes at enforcing "follow our local laws or pay fines or get out" could pave the way for other countries to take action under their privacy laws that the US gov't is too corrupt and incompetent to pursue. There are now VERY tough laws protecting privacy in the EU, China and Brazil. Collecting private data in Brazil is constitutionally illegal! Just as a class-action lawsuit in the US was inevitable due to the forced downloads on metered fee connections, I predict a nasty storm of legal trouble coming straight for MS from outside the US. Here's hoping that this leads to a NEW edition of Windows 10 that is stripped of the data collection mechanisms so we can ease up on the myriad of customizations required to restrain this beast. MS: "But we don't collect private data, silly!" Prove it and provide a way for us or a competent and independent 3rd party to examine the data being sent instead of trusting your word alone. Hopefully this capability will be available after the storm, but unlikely. Quote from a decent article on data collection outside the US http://www.insidecounsel.com/2012/01/01/the-challenges-of-collecting-data-outside-the-us?page=2
  12. The selling points for Windows 10 that are being pushed are really rather comical. Most, if not all, were already available in Windows 7 and are downright trivial and condescending. For daily updates and rehashing of these, just check the @MicrosoftHelps or @WindowsSupport Twitter feeds. All I can do is shake my head. These are actually touted on their website or other MS media as exciting new features:
     • It has a Start Menu!!!
     • You can change the wallpaper!!!
     • You can doodle on webpages!!!
     • It has Solitaire - with an exciting new subscription fee!!!
     • You can use Bing to search!!!
     • It has speech recognition!!!
     • It supports Office 365!!!
     • The Control Panel is gone!!!
     • We removed the text "PC"!!!
     • You can download apps!!! (formerly called "applications, software, or programs" but those words are too long, silly!!!)
     • You can upload stuff to the internet!!!! (OneDrive)
     • You can view photos!!! ("photographs" is also too long of a word, silly!!!)
     I was genuinely excited to see the next iteration of bad OS, good OS, bad OS, good OS, but this is now just a minimally viable product to satiate consumers and investors. (But it's freeeeee!!!!) I would've gladly paid for an OS with at least a college-try at innovation, but innovation is dead at Microsoft. Windows is dead and is no longer their focus. The only innovative feature of Windows 10 is how they've managed to include a mechanism capable of circumventing data encryption with their forced automatic updates. Strangely enough, the gov't task force on the "encryption problem" even agrees that users should be able to disable the automatic updates. (put on your tinfoil hat and read page 6 of the actual draft proposal here)