Microsoft says “your privacy is our priority” (unless the NSA is involved)

Over at TechDirt, a post by Tim Cushing details a recent leak published by The Guardian, showing that Microsoft values your privacy, unless the NSA comes calling. When the NSA asks for your ‘private’ information, Microsoft is happy to hand it over. This means that nothing you say on Skype, Outlook.com, Skydrive or Hotmail is safe from prying eyes.

Microsoft is quick to point out that nothing they’ve done is illegal, but that’s really the problem, isn’t it?

Updates for Flash

Version 11.8.800.94 of Flash was announced today. As always, “[t]hese updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.” For a more complete change list for this version, see the Flash Player 11.8 Release Announcement on the Flash Runtime Announcements page.

A patch for Internet Explorer 10 that includes a new version of Flash (also 11.8.800.94) was released by Microsoft today as well.

An update for Flash in Chrome should also become available from Google in the near future. The new version of Flash in Chrome will be 11.8.800.97.

Windows 8.1 available to manufacturers in late August

On July 8, at the Worldwide Partner Conference in Houston, Microsoft executives announced that Windows 8.1 will be released to manufacturing in late August. Still no word on when the update will become available to consumers in retail stores or through other channels.

Another question that remains is whether Windows 8.1 will be available through Windows Update or Windows automatic updates. If so, will it be a forced update, or will it be optional? In the past, Windows Service Packs (which are the closest analog to the 8.1 update) were available via Windows/auto update and – at least initially – not forced.

Windows 8.1 makes search even less useful

Microsoft has been gradually destroying Windows’ search capabilities since Vista. When I originally evaluated Vista, I discovered that searching for file contents would mysteriously fail if the search string only existed past the first ten kilobytes in the files being searched. I posted a video on Youtube to demonstrate the problem.

Vista search had a lot of problems, but I had discovered workarounds for most of its bizarre limitations. The 10K problem looked like a bug, so I dutifully reported it to Microsoft. After several hours on the phone with Microsoft Support, they were able to reproduce the problem and it was fixed in Vista Service Pack 1.

But the damage was done. With each new version of Windows, search has become increasingly useless, and I’m reluctant to trust it. I still try to use it, but I always go back to third party tools such as Everything and Fileseek, or even (when desperate), ancient DOS tools like FINDSTR.

The root of this gradual decline in Windows’ search functionality seems to be one of perspective. As clearly demonstrated by the Windows 8 UI, Microsoft no longer cares about ‘enthusiast’ users, which include power users, system administrators and software developers. For these elite users, the new UI just gets in the way, and the search tools are almost entirely useless.

<rant>Microsoft is making Windows a consumer-oriented O/S. What Microsoft doesn’t seem to realize is that while this change may solidify Windows as the consumer O/S of choice, and reduce support costs, they are driving enthusiast users, including me, to Linux. Worse, business IT departments are staffed with enthusiast users, and these are the people who evaluate software and make organization-wide recommendations. Eventually, these people are going to get tired of fighting Microsoft and look elsewhere for a corporate O/S.</rant>

All of which leads me to wonder how the otherwise reliable Ars Technica could publish an article extolling the virtues of the search changes coming in Windows 8.1. Possibly Ars has realized that Windows is now a consumer-grade O/S and adjusted their viewpoint to suit.

In Windows 8.1, search will be entirely integrated with the Bing web search engine. Any time you search for something, Windows will assume you want to search the web as well as certain specific areas of your local system. This also means that you’ll start seeing advertisements in your Windows search results.

Problems I see with this change:

  • Blurring the line between local and web search is dangerous for privacy.
  • For me, as with many users, there are distinct search use cases; there is almost never any reason to search the web when I’m looking for something on my local system, or search my local system when I’m looking for something on the web.
  • The same applies when searching for locally installed programs or features; it’s an activity that’s completely separate from web searching.
  • I was previously able (in Windows XP) to easily search local files in a particular folder and its subfolders, by file name and/or contents. Now that functionality has been eliminated: it is simply no longer possible to perform useful local searches and third party software is required.

Serious Cryptocat security flaw fixed

Even before the recent NSA revelations, increasing interest in online privacy led Nadim Kobeissi to develop Cryptocat, an easy to use, secure, web-based chat client.

Unfortunately, Cryptocat – until recently – had a serious flaw. A programming error limited the total possible secure keys to a number small enough to make cracking them trivially easy. The person who discovered the flaw created a demonstration program, and the flaw was quickly fixed, but Cryptocat had been running in this flawed state for at least seven months, possibly longer.

Anyone using Cryptocat versions earlier than 2.0.42 should upgrade immediately. Cryptocat typically runs as a web browser add-on or plugin.

Update: the Duo Security blog has an interesting take on this.

Advance notification for July 2013 Patch Tuesday

The next batch of updates from Microsoft will become available starting at about 10am PST on July 9. This month’s patches comprise seven bulletins – four of which are flagged as critical – addressing vulnerabilities in Windows, the .NET Framework, Silverlight, Internet Explorer and the GDI+ subsystem.

Related posts from Microsoft:

Visa and Mastercard don’t want you to use VPN services

The big credit card companies are once again trying to use their influence to make the world more to their liking. Their previous ban on payments to Wikileaks was finally overturned by the Supreme Court of Iceland only weeks ago, but it seems their lawyers are eager to get beaten up again.

It remains unclear exactly what the credit card companies have against VPN services. Virtual Private Networking has many legitimate uses, and VPN solutions are commonplace in the business world. Anywhere remote access to corporate systems is necessary, VPN is just good security. No doubt Visa’s and Mastercard’s true motives will be revealed in the coming days.

Latest Ouch! newsletter: all about ‘spearphishing’

The latest installment (warning: PDF) of the user-focused Ouch! newsletter from SANS discusses ‘spearphishing’. As in regular phishing, the goal of the attacker is to gain access to computers, systems and services. The difference is that while phishing is targeted very broadly, spearphishing targets specific companies, organizations or even individuals. Attackers typically use this technique to gain access to valuable targets like banks.

Rants and musings on topics of interest. Sometimes about Windows, Linux, security and cool software.