Why Governments and Business Should Not Use M$’s Stuff

There is a story that is now told describing the legacy of insecurity that is M$’s operating system:

  • malicious software involved was used in targeted attacks focused on governments, political organizations and the defense industry
  • the attackers have used known techniques to bypass the Microsoft Windows code signing security model

The attacks hinged on use of 512-bit RSA keys that have been readily cracked 12 years ago. Why didn’t M$ slam the door on this route 12 years ago? Was it an inconvenience for M$’s installed base of suckers? Was it inconvenient for M$?

Rather than keys being stolen, Michael Sandee of Fox-IT provides strong evidence that the keys were simply factored so that the attackers could use them as they wished. One did not even have the flag for “digital signature” but was in the wild anyway suggesting M$ failed at multiple levels to protect users from this threat which should have been obvious to M$.

Even I, who have been called an amateur/incompetent etc. by the trolls here knew a decade ago to use huge keys for encryption/signatures since 2005. How incompetent is M$ for using/accepting 512-bit keys six years later to verify software to run on the world’s PCs?

I recommend Debian GNU/Linux. They use two methods of signature, both with longer keys since 2001.

This entry was posted in technology. Bookmark the permalink.

Leave a Reply