Sunday, September 24, 2017

Tag: Windows Phone

Windows could for the first time ever have a bunch of apps that actually look good.
New "design system" will span everything from phones to virtual reality.
You're not high; original game's "definitive edition" lands on Steam on 4/20 for $19.99.
One really addictive facet of Apple’s device ecosystem is how they work together.

AirDrop lets you move files and other data from a Mac to an iPad to an iPhone, in any combination of directions. Your Apple Watch can unlock your Mac.

Any Apple device can control a Keynote presentation on any other Apple device.

Apple’s Handoff lets you start work on one Apple device and pick up where you left off on another.

Bookmarks, contacts, email settings, passwords, and even credit card details can be synced automatically across all your devices. Windows 10 was supposed to do the same, relying on Windows Phones to take the role of the iPhone in this fluid ecosystem.

But Windows Phone (renamed Windows 10 Mobile) is in cryogenic suspension, waiting for a future miracle cure to bring it back to life.

Thus, Microsoft’s ambitions to copy Apple’s liquid computing have gone unrealized.
The taskbar is getting ever so monochrome—even as apps are looking more exciting.
A sizable and dormant Twitter botnet has been uncovered by two researchers from University College London, who expressed concern about the possible risks should the botmaster decide to wake the accounts under his control. Research student Juan Echeverria Guzman and his supervisor, senior lecturer Shi Zhou, told Threatpost that the 350,000 bots in the Star Wars botnet could be used to spread spam or malicious links and, more in line with today’s social media climate, to start phony trending topics, attempt to influence public opinion, or run campaigns that project a false sense of agreement among Twitter users. Compounding the issue is a larger botnet of more than half a million bots that the researchers have uncovered since their initial research.

That research, the two academics said, will be shared in a future paper.
In the meantime, the Star Wars botnet dataset is available for study; the researchers said the data is tens of times larger than any public collection on Twitter bots. The researchers also said they have not shared their data with Twitter yet because they are waiting for their current research to be approved in a scientific journal. “We would also like to give researchers a chance to get the dataset by themselves before they are gone, this is why we have not reported to Twitter directly, but we will as soon as the paper gets accepted,” Echeverria Guzman said. A request to Twitter for comment was not returned in time for publication. The researchers said the botnet was created in 2013 and has remained hidden since then with relatively little activity.

The mundane pace at which the bots tweeted appeared automated and intentional, the researchers said. Most of the tweets are benign quotes from Star Wars novels and contain no URLs, giving them the appearance of real human language as a means of side-stepping bot detection services.

The user profiles behind the bots also used tactics that would not trigger alerts, such as having real profile pictures. “All the accounts were created in a short window of time, less than two months.

They all behave in exactly the same way, quoting Star Wars novels including the same hashtags (and adding random hashtags to the quote),” Echeverria Guzman said. “All of their tweets are marked as coming from ‘Windows Phone,’ which means that they are likely to be controlled by the API instead of the Twitter site.

For reference, that source accounts for less than 0.1% of tweets normally.” The clincher, however, connecting the hundreds of thousands of bots to the same network comes in the geographic distribution of the host accounts.

Tweets were tagged with geographic locations which, when mapped, fall within neat rectangles plotted over North America and Europe.

The tweets are distributed within the rectangles, even in uninhabited areas.

The researchers describe the plotting in the paper: “These rectangles have sharp corners and straight borders that are parallel to the latitude and longitude lines. We conjectured that the figure shows two overlapping distributions. One is the distribution of tweets by real users, which is coincident with population distribution.

The other is the distribution of tweets with faked locations by Twitter bots, where the fake locations are randomly chosen in the two rectangles – perhaps as an effort to pretend that the tweets are created in the two continents where Twitter is most popular.” Echeverria Guzman said the split between the two rectangles is exactly 50 percent and the tweets are uniform throughout the rectangle. “All of this is almost impossible to have originated from normal users,” he said. The researchers point out previous work demonstrating how Twitter bots have been able to abuse Twitter’s streaming API.

Bots, the researchers said in their paper, are programmed to time tweets so that they are included in the streaming API as much as 82 percent of the time versus the expected 1 percent. “If and when these bots are activated, they can do all of the threats as listed above—but on a large scale with a sudden effect,” Zhou said. “For example it is known that the Streaming API is susceptible to tampering by bots.

The size of the Star Wars botnet is clearly enough to contaminate the Twitter API and the Twitter environment itself, particularly if focused on a single topic. “In other words, it is scary to know there are bad guys and see the terrible things that they have been doing; yet it is much more scary to know there are a lot of bad guys around, but we have no idea what they are up to.” The researchers said they hope others download and analyze the available data.

They’ve also created a Twitter account, @thatisabot, and website, where bots can be reported.
Computer researchers uncover yuuuge dormant army

Computer boffins Juan Echeverria and Shi Zhou at University College London have chanced across a dormant Twitter botnet made up of more than 350,000 accounts with a fondness for quoting Star Wars novels.

Twitter bots have been accused of warping the tone of the 2016 election. They also can be used for entertainment, marketing, spamming, manipulating Twitter's trending topics list and public opinion, trolling, fake followers, malware distribution, and data set pollution, among other things.

In a recently published research paper, the two computer scientists recount how a random sampling of 1 per cent of English-speaking Twitter accounts – about 6 million accounts – led to their discovery. Pursuing an unrelated inquiry, the researchers were examining the geographic distribution of 20 million tweets with location tags in the dataset of 843 million tweets from the account sample, and they noticed an unusual distribution pattern. Some accounts followed the expected distribution pattern, which coincides with population centers in America and Europe. But another set of accounts showed random distribution within those areas, often resulting in tweets from unlikely places such as seas, deserts, and the Arctic.

Blue dots at edge of box over Europe, barely visible after image compression, show Star Wars bots

When the researchers manually examined the text of these tweets, they found the majority of them consisted of random excerpts from Star Wars novels, and that many of them started or ended with an incomplete word or included a randomly placed hashtag. For example:

Luke's answer was to put on an extra burst of speed. There were only ten meters #separating them now. If he could cover t

"This quote was from the book Star Wars: Choices of One, where Luke Skywalker is an important character," the paper explains. "We have found quotations from at least 11 Star Wars novels."
The manual examination of data associated with 4,942 accounts resulted in the identification of 3,244 bots with consistent characteristics:

- Tweets only random Star Wars quotes.
- Uses hashtags associated with follower acquisition or prepended to random words.
- Never retweets or mentions other Twitter users.
- Each bot has made only 11 or fewer tweets since its inception.
- Each bot has between 10 and 31 friends.
- The bots choose only "Twitter for Windows Phone" as their source application.
- The bots' user ID numbers fall into a narrow range between 1.5 × 10^9 and 1.6 × 10^9.

Given that set of bots, the researchers created a machine learning classifier to hunt for other accounts with similar characteristics. The algorithm identified 356,957 Star Wars bots.

The researchers say they were lucky to have spotted the bots, which appear to have been designed to thwart automated detection methods. They note that being human helped make the discovery possible. "The fact that the bots tagged their tweets with random locations in North America and Europe was a [deliberate] effort to make their tweets look more real," the paper explains. "But this camouflage trick backfired – the faked locations when plotted on a map seemed completely abnormal. It's important to note that this anomaly could only be noticed by a human looking at the map, whereas a computer algorithm would have a hard time to realize the anomaly."

Curiously, the Star Wars bots have been silent since 2013. The researchers observe that pre-aged bots can be sold for more than newly created bots on the black market, presumably because bot detection methods consider older accounts more likely to be reputable.

Twitter declined to comment on the findings, which may be because the company was unaware of them until now. "We have not reported the accounts directly to Twitter (yet)," said Echeverria in an email to The Register. "We are waiting for the paper to be approved by the scientific journal to which it was submitted. We would also like to give researchers a chance to get the dataset by themselves before they are gone, this is why we have not reported to Twitter directly, but we will as soon as the paper gets accepted."

Inspired by their success identifying the Star Wars botnet, Echeverria, a research student, and his faculty advisor, senior lecturer Shi Zhou, claim to have identified an even larger botnet numbering half a million accounts. "The larger botnet is part of a subsequent research paper, which is also under review," Echeverria said. "As soon as it gets approved, I will be able to disclose more information about it."

Echeverria added that there's now a Twitter account named "@thatisabot" to make it easier for people to report bots to researchers. "Think of it as @spam but for researchers instead of Twitter," he said. "Furthermore, we have a webpage, www.thatisabot.com, which will (soon) also allow people to report bots to researchers."

"Commander, tear this ship apart until you've found those plans and bring me the Ambassador. I want her alive!"
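The account-level fingerprint the Register piece lists (source application, user ID range, tweet and friend counts, no retweets or mentions, glued-on hashtags) is easy to turn into a rule set. The Python below is an added example written for this page, not the researchers' classifier or their dataset. It encodes the published characteristics as boolean features over a simplified account record whose field names follow Twitter's user object; the HTML anchor in the `source` field is stripped before comparison. The two sample accounts, including the anchor URLs, are constructed for this example, and the mid-word truncation and lowercase-hashtag checks are heuristics of my own rather than features from the paper.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Simplified account record. Field names mirror Twitter's user object
# (id, source, statuses_count, friends_count); tweets holds recent status
# texts. The exact shape is an assumption made for this example.
@dataclass
class Account:
    user_id: int
    source: str                 # raw "source" field, normally an HTML anchor
    statuses_count: int
    friends_count: int
    tweets: List[str] = field(default_factory=list)

HTML_TAG = re.compile(r"<[^>]+>")
MENTION = re.compile(r"(?:^|\s)@\w+")
LOWERCASE_HASHTAG = re.compile(r"#[a-z]+\b")
SENTENCE_END = (".", "!", "?", '"', "'")

def strip_html(value: str) -> str:
    """Twitter returns source as <a href=...>App Name</a>; keep only the name."""
    return HTML_TAG.sub("", value).strip()

def star_wars_features(acct: Account) -> Dict[str, bool]:
    """One boolean per characteristic; all published ones first, then heuristics."""
    texts = acct.tweets
    return {
        "windows_phone_source": strip_html(acct.source) == "Twitter for Windows Phone",
        "id_in_range": 1_500_000_000 <= acct.user_id <= 1_600_000_000,
        "eleven_or_fewer_tweets": acct.statuses_count <= 11,
        "friends_10_to_31": 10 <= acct.friends_count <= 31,
        "no_retweets_or_mentions": not any(
            t.startswith("RT ") or MENTION.search(t) for t in texts
        ),
        # Heuristics (mine): a hashtag stuck onto an ordinary lowercase word,
        # and a quote cut mid-word so it ends without sentence punctuation.
        "hashtag_on_random_word": any(LOWERCASE_HASHTAG.search(t) for t in texts),
        "truncated_quote": any(not t.rstrip().endswith(SENTENCE_END) for t in texts),
    }

def bot_score(acct: Account) -> int:
    """Number of features that hold; useful for ranking candidate accounts."""
    return sum(star_wars_features(acct).values())

def is_star_wars_bot(acct: Account) -> bool:
    """Conservative rule: every feature must hold. Loosen to a score
    threshold when hunting for variants that changed one attribute."""
    return all(star_wars_features(acct).values())

# Constructed sample accounts; not real Twitter data.
SAMPLE_BOT = Account(
    user_id=1_523_456_789,
    source='<a href="http://example.invalid/wp" rel="nofollow">Twitter for Windows Phone</a>',
    statuses_count=9,
    friends_count=17,
    tweets=[
        "Luke's answer was to put on an extra burst of speed. There were only ten "
        "meters #separating them now. If he could cover t",
        "he thought, as the #followback freighter settled onto the landing pad",
    ],
)
SAMPLE_HUMAN = Account(
    user_id=14_000_123,
    source='<a href="http://example.invalid/web" rel="nofollow">Twitter Web Client</a>',
    statuses_count=4_812,
    friends_count=640,
    tweets=["RT @friend: great thread on bot detection.", "Heading to #DEFCON next week!"],
)

if __name__ == "__main__":
    for acct in (SAMPLE_BOT, SAMPLE_HUMAN):
        print(acct.user_id, bot_score(acct), is_star_wars_bot(acct))
```

Run against a sample pulled from the API, the score alone will surface look-alike bots that changed one attribute (a different source string, say), which is the situation the researchers' follow-up botnet suggests.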
Google—as expected—has dismissed the European Commission's charge that the ad giant abused Android’s dominance to block its competitors in the market. The company is accused of using Android’s position as the dominant smartphone operating system in Europe to force manufacturers to pre-install Google services while locking out competitors. Competition commissioner Margrethe Vestager sent a so-called Statement of Objections to Google in April. On Thursday, the multinational corporation defended its position and spoke of the open source nature of the Android operating system.
It also compared a typical Android smartphone to rivals Apple and Microsoft.

According to Google, 39 out of 39 pre-installed apps are from Apple on iPhone 7, and 39 out of 47 pre-installed apps on the Microsoft Lumia 550 are from Microsoft. In a blog post on Thursday, Google general counsel Kent Walker said: "The response we filed today shows how the Android ecosystem carefully balances the interests of users, developers, hardware makers, and mobile network operators.

Android hasn’t hurt competition, it’s expanded it." The 100-plus page response to the commission focuses on metrics in an attempt to add weight to the claim that it hasn't abused any competitive advantage. Walker said: The commission’s case is based on the idea that Android doesn’t compete with Apple’s iOS. We don’t see it that way.
In fact, 89 percent of respondents to the commission’s own market survey confirmed that Android and Apple compete.

To ignore competition with Apple is to miss the defining feature of today’s competitive smartphone landscape. Walker claimed that possible remedies to resolve the case could create fragmentation in the mobile ecosystem. "The commission’s preliminary findings underestimate the importance of developers," he said. Walker continued: The commission argues that we shouldn’t offer some Google apps as part of a suite. No manufacturer is obliged to preload any Google apps on an Android phone.

But we do offer manufacturers a suite of apps so that when you buy a new phone, you can access a familiar set of basic services.

Android’s competitors, including Apple’s iPhone and Microsoft’s Windows phone, not only do the same, but they allow much less choice. Vestager can fine the search behemoth up to 10 percent of its global turnover—around $7.4 billion (£5.9 billion)—if she finds Google guilty of wrongdoing. Google is currently appealing against a similar case in Russia after authorities fined the company approximately 438 million rubles  ($6.8 million, £5.25 million) in an almost identical Android antitrust case earlier this year. Yandex, Russia's biggest search engine and the main complainant in that case, is also one of four complainants in the EU case.

Google rivals Microsoft, Nokia, and Oracle—under the Fairsearch umbrella organisation—lodged the first complaint against Android in 2013. Fairsearch said in a statement to Ars: Google says there's no problem because Android is 'open.' The truth is that Android is today a closed operating system, and any claim to the contrary is disingenuous.

Any manufacturer or network operator seeking to differentiate its devices or services is prevented from doing so by the web of Google's contractual restrictions. Google imposes severe sanctions on those who defy its insistence on conformity.

For example, a phone maker that offers even a few phones that do not comply with Google's straitjacket faces a cut-off from all of Google’s branded products. US ad-blocking firm Disconnect and Aptoide, a rival Portuguese Android app store, have also complained. None had responded to requests for comment from Ars at time of publication. Google separately faces antitrust charges on favouring its own search services and price comparison offerings over those of its rivals and for allegedly breaching competition rules with its mammoth ad business. Last week, Google rebuffed both of those charges. This post originated on Ars Technica UK

LastPass 4.0

You've heard the saying, "If it ain't broke, don't fix it." Certainly if your password manager is doing everything it should, you don't necessarily need it to change.

But sooner or later the interface starts to look dated, and the competition comes up with new features.

Accordingly, the free LastPass 4.0 has a bold new online interface, and its new features include a Sharing Center to manage shared passwords and Emergency Access to hand down your passwords to your heirs.

These new features put the free LastPass ahead of even many of its for-pay competitors.

You can use many commercial password managers for free if you accept substantial limitations.
Some, like RoboForm Everywhere 7, limit you to 10-15 passwords before you must pay. Others, like Dashlane 3, are free as long as you stick to one device, no syncing. With such stringent restrictions, these aren't really free products.

When initially released, the free edition of LastPass only let you sync across devices of the same type. You could use it with multiple desktops (Windows, Mac, or Linux), multiple smartphones (Android, iOS, Windows Phone, or BlackBerry), or multiple tablets (Android, iOS, or Windows).

That limitation has been lifted. You can now sync passwords across all your devices, just as you can with LastPass Premium.

Getting Started With LastPass
Setting up a LastPass account is simple.
Start by downloading and installing the free app. You'll be prompted to either sign in to an existing account or sign up for a new one.

As always, you should create a strong password, something that you can remember but that nobody else would guess.

You can add a password hint, but that may not be the best idea.
In June of 2015, hackers apparently stole some data from the LastPass servers.

Thankfully, LastPass's impressive security measures meant that no actual passwords, master or otherwise, were exposed. Just to be super-safe, the company notified all users to change their master passwords.

The one thing that hackers might have obtained? Password hints.
If you must use a master password hint, make it something cryptic, something only you will understand.

And enable multifactor authentication, as explained below.

Note that nobody at LastPass has access to your data, not without that master password.
In the past, if you forgot your master password and the hint didn't jog your memory, you had no recourse but to start over. Now when you install LastPass on a new device, you get the option to have it save a one-time password for account recovery.

The recovery process requires access to your email account and to the device, so this isn't too much of a security risk.

Even so, I'd be inclined to stick with the master password.

During installation, LastPass offers to slurp up passwords stored insecurely in your browsers.
It also deletes the passwords from unsafe storage and turns off the browser's password capture.
In addition, you can import data from several dozen competing password managers.

Once the LastPass extension is installed in your browsers, you know the drill. Log in to your secure sites as always, and let LastPass save your credentials. You can assign a friendly name for the site at capture time, and add it to a new or existing folder. LastPass itself suggests folders for well-known sites.

Sometimes you'll run across a website that uses a weird login page, something that LastPass doesn't capture automatically. Like RoboForm and Sticky Password Premium, LastPass can handle these. Just enter your credentials and then, before logging in, select Save All Entered Data from the browser toolbar menu.
Simple!

Clicking the LastPass toolbar button in your browser brings up a menu that includes a menu of all your saved sites.

Each folder becomes a submenu, and you can have nested folders.

The menu of saved logins is a common feature, but LastPass and Sticky Password are among the few that allow nesting.

Password Generator
When you sign up for a new account or change your password for an existing account, LastPass offers to generate a secure password.

By default, the password generator creates 12-character passwords using at least one digit and a mix of capital and small letters. You can crank up the length and include punctuation to get even stronger passwords. On the flip side, if you need to remember the password and can accept a security hit, the Make Pronounceable option gives you passwords like ogypropoitio or morefesticku.

When you do sign up for a new account, LastPass captures your credentials, and it offers to update its saved password when you make a change.

This works whether or not you accept the aid of the password generator.

I wish this component had gotten just a little enhancement in the move to version 4.0.

True Key by Intel Security defaults to generating 16-character passwords using all possible character types. Most users won't bother to change the defaults, so they'll get less-secure passwords from LastPass.
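Two details in the paragraphs above are worth seeing in code: what enforcing "at least one digit and a mix of capital and small letters" involves, and how much the 12-character default gives up against a 16-character, all-classes default. The Python below is an added example written for this page, not LastPass's generator. It draws every character from the OS CSPRNG via the `secrets` module, guarantees each required class is present, and reports the ideal entropy of each setting (forcing one character per class trims the search space slightly, so the figure is an upper bound).

```python
import math
import secrets
import string

LOWER, UPPER, DIGITS, PUNCT = (
    string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation
)

def _classes(punctuation: bool):
    return [LOWER, UPPER, DIGITS] + ([PUNCT] if punctuation else [])

def generate_password(length: int = 12, punctuation: bool = False) -> str:
    """Return a password with at least one lowercase, uppercase and digit
    (plus one punctuation character when requested), using the OS CSPRNG."""
    classes = _classes(punctuation)
    if length < len(classes):
        raise ValueError("length too short to include every required class")
    alphabet = "".join(classes)
    # One guaranteed pick from each class, the rest from the whole alphabet,
    # then a CSPRNG shuffle so the guaranteed picks are not always first.
    chars = [secrets.choice(cls) for cls in classes]
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)

def meets_policy(password: str, punctuation: bool = False) -> bool:
    """True when every required character class appears at least once."""
    return all(any(c in cls for c in password) for cls in _classes(punctuation))

def entropy_bits(length: int, punctuation: bool = False) -> float:
    """Ideal entropy of a uniformly random password of this length over the
    chosen alphabet: 62 symbols without punctuation, 94 with."""
    alphabet_size = sum(len(cls) for cls in _classes(punctuation))
    return length * math.log2(alphabet_size)

if __name__ == "__main__":
    for length, punct in ((12, False), (16, True)):
        pw = generate_password(length, punct)
        print(f"{pw}  {entropy_bits(length, punct):.1f} bits")
```

The 12-character alphanumeric default comes out near 71 bits; 16 characters over all four classes comes out near 105 bits, which is the gap the comparison with True Key's default is pointing at.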

Password Vault
With the move to version 4.0, the online LastPass Vault got a significant makeover.
From the vault, you can view, edit, and organize all of your saved logins. You now have the option to see them displayed in a grid of tiles, much the way Dashlane 3 does. LastPass's tiles are rather large; the new ability to collapse the left-hand menu makes more room for them.

A new multi-purpose Add button lets you add a new folder, secure note, or site, or share an existing item with other users (more about sharing later).
In addition, you can now select multiple items at once and perform bulk actions like moving them all to a folder, sharing them, or deleting them.

Emergency Access
The concept of setting up a way for your heirs to inherit your passwords originated with the Digital Legacy feature in PasswordBox. PasswordBox has since been subsumed into True Key, but the concept lives on.

For example, Dashlane lets you set up any number of emergency contacts to receive all or some of your passwords. With the free LogMeOnce Password Management Suite Premium, you can define one heir for your entire collection and five for individual logons.

Emergency Access in LastPass works almost exactly the same as the similar feature in Dashlane. You enter your recipient's email address and define a waiting period. Recipients must install LastPass, if they haven't already, and accept your connection request. Now if something happens to you, the recipient simply requests access to your account.

Dashlane does let you pass along just a subset of your saved credentials—for example, you might define a co-worker as recipient of your work-specific passwords.

That's not an option in LastPass.

Here's where the waiting period comes in.
Suppose your supposedly trusted recipient decides to jump the gun and get your passwords before you've kicked the bucket.

The initial request for access triggers an email to you, and you can deny the access request at any time during the waiting period.
In a real emergency, your recipient automatically gets access after that time elapses.

Clicking Emergency Access lets you view two pages, People I Trust (your password heirs) and People Who Trust Me (those who've made you their emergency access contact). On the People I Trust page you can delete anyone from the list, or change the waiting period. On the People Who Trust Me page, you can bow out of the emergency access role.

Password Sharing
We normally recommend against sharing your passwords promiscuously, but there are situations that merit sharing. You and your spouse may share a bank account, for example.
If you must share, you should do it safely.

Sharing passwords with other users is a fairly common feature among password managers, though it's found more in commercial products than free ones. 1U Password Manager limits sharing to its mobile app.

Enpass Password Manager 5 sends the credentials as an encrypted data block. Users of the free LogMeOnce can share just five passwords.

That makes LastPass the most flexible free password manager as far as sharing goes. Just point to an item in the vault to reveal the new hover-style choices, click the sharing icon, and enter the recipient's email address. Recipients who already use LastPass will see a notification that a new share has arrived; others will get an email message explaining how to create an account and accept the share.

The recipient can use the shared item to log in; you choose whether or not to make the password visible.

Sharing Center
The new Sharing Center within the online vault lets you easily manage your shared items.

As with emergency access, you can relinquish access to credentials that others have shared with you, or cut off others with whom you've shared passwords.

There's also a tab for managing shared folders. However, if you try to make use of it you'll quickly learn that folder sharing is a Premium-only feature.

Filling Web Forms
When you've got a product that can automatically fill in login credentials, it's just a short step to making it fill personal data into Web forms. However, not many free password managers include this feature. LastPass and LogMeOnce are among the few, along with Symantec Norton Identity Safe.

You can define any number of full identity profiles in LastPass, each of them including a variety of personal and contact information along with one credit card and one bank account.

Those with a certain level of Web-design expertise can define custom fields, meaning that when LastPass encounters a field with a specific internal name, it will fill that field with the selected data.

RoboForm lets you create multiple instances of any form-fill field, and Dashlane stores the various components of personal data (phone numbers, emails, and so on) separately. LastPass's one gesture to the need for multiple fields is the ability to create profiles containing nothing but a credit card. When you go to fill a Web form, you can choose to use a personal data profile or to choose personal data and credit card separately.

In the vault, LastPass identifies each profile's card type by analyzing the associated credit card number.
It correctly distinguished the MasterCard, VISA, and American Express numbers I tried.

Dashlane takes this concept a step beyond.
It lets you identify each card with a color and bank logo, and displays replicas of the cards for selection when you're filling a form.

To fill a form using LastPass, you need to find the little icon it adds to one of the fields.

Click that icon, select a profile, and boom! Form filled.
In testing, it proved more accurate than most.

Multifactor Security
It doesn't matter how complex your master password is if a thief gets ahold of it.

From anywhere in the world, the thief can log in as you. LastPass does require email verification the first time you log in from a new device, which might help.

But you can seriously enhance your security by taking advantage of the available multifactor authentication options.

To set up multifactor authentication, you open LastPass's Account Settings dialog, which looks much the same as it did in version 3.0.
In the free edition, LastPass supports Google Authenticator as well as such work-alikes as Duo Mobile and Twilio Authy. Linking your account is just a matter of snapping a QR code using your mobile device.

Thereafter, each time you log in you'll need a one-time code generated by the app as well as your master password.

The free edition also supports authentication via the Toopher and Transakt apps.

These work more simply than Google Authenticator.
Instead of copying a one-time code, you simply accept or reject the connection attempt using your smartphone.

Those without a smartphone can print a wallet-sized authentication grid.

To authenticate, LastPass asks you to enter characters found at specific coordinates on the grid.

Two-factor authentication can get tedious after a while, so LastPass lets you define specific devices as trusted. When you log in from a trusted device, all you need is the master password.
In a similar vein, if you enable mobile device restriction, no login from a mobile device will be accepted if it's not one of your own mobile devices.

Security Challenge
Getting all of your passwords safely stored with LastPass is a good first step, but it's not enough. Now you need to go through those passwords and fix the weak ones, and the ones you've recycled for use on multiple websites.

That's where the Security Challenge comes in.

Click the security challenge icon, re-enter your master password, and get ready to see how good (or bad) your passwords are.

Do note that to get the full advantage of the security challenge, including automated password changing, you must launch it from Chrome.

As part of the analysis, LastPass sifts out the email addresses found among your passwords and offers to check them against known compromised sites. Naturally if you find out that one of these addresses is associated with a breach, you should change all associated passwords immediately.

At the top of the resulting report you get an overall percentage score, your standing within the LastPass community, and a score for your master password.

The overall score is mostly based on whether your passwords are strong and unique, but it includes other factors as well.

For example, you lose 10 percentage points if you haven't enabled multifactor authentication.

If you like, you can follow LastPass's prompts to fix four types of problems: compromised passwords, weak passwords, reused passwords, and old passwords. Note that "old" here is measured from the first time LastPass encountered the password.

You can also scroll down for a full list of all your passwords, along with a password strength rating for each, the time it was last changed, and a button to let you update the password.

For some common sites, LastPass displays an Auto-Change button; click it to have LastPass automatically update the password.

At present LastPass can auto-change about 80 sites, while Dashlane's similar feature supports over 500. You can also check off multiple items and update them all at once.
If the site isn't among those LastPass can handle, a Launch Site button lets you go make the change manually.
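Three of the Security Challenge's four buckets (weak, reused, old) and the 10-point multifactor deduction are straightforward to reproduce locally. The Python below is an added audit example written for this page, not LastPass's own scoring, run over a constructed five-entry vault. Reuse is found by grouping sites on identical passwords; weakness by a character-class entropy estimate, a stand-in for LastPass's unpublished strength rating that catches a dictionary word such as "Password1" only through its length; age by the date of last change. The percentage score is my own rule: entries with no finding, minus 10 when MFA is off. The compromised-site check is left out because it needs a breach feed.

```python
import math
from collections import defaultdict
from datetime import date
from typing import Dict, List

def strength_bits(password: str) -> float:
    """Ideal entropy from length and the character classes used. Rough: it
    overrates dictionary words and keyboard walks, so treat it as a floor
    for what an attacker must search, not a guarantee."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(not c.isalnum() for c in password):
        pool += 33
    return len(password) * math.log2(pool) if pool else 0.0

def audit_vault(entries: List[Dict], today: date, mfa_enabled: bool,
                weak_bits: float = 60.0, max_age_days: int = 365) -> Dict:
    """entries: [{"site": str, "password": str, "changed": date}, ...].
    Returns site names only; the report never echoes a password."""
    sites_by_password = defaultdict(list)
    for e in entries:
        sites_by_password[e["password"]].append(e["site"])
    reused = [sorted(sites) for sites in sites_by_password.values() if len(sites) > 1]
    weak = [e["site"] for e in entries if strength_bits(e["password"]) < weak_bits]
    old = [e["site"] for e in entries if (today - e["changed"]).days > max_age_days]

    flagged = set(weak) | set(old) | {s for group in reused for s in group}
    score = 100.0 * (len(entries) - len(flagged)) / len(entries) if entries else 0.0
    if not mfa_enabled:
        score = max(0.0, score - 10.0)   # the 10-point MFA penalty described above
    return {"reused": reused, "weak": weak, "old": old, "score": round(score, 1)}

# Constructed vault for demonstration; none of these are real credentials.
SAMPLE_VAULT = [
    {"site": "bank.example",  "password": "Tr0ub4dor&3xample!", "changed": date(2017, 6, 1)},
    {"site": "shop.example",  "password": "summer2016",         "changed": date(2016, 7, 1)},
    {"site": "forum.example", "password": "summer2016",         "changed": date(2017, 1, 15)},
    {"site": "mail.example",  "password": "xK9#vLm2QpR7$wZt",   "changed": date(2017, 3, 3)},
    {"site": "news.example",  "password": "Password1",          "changed": date(2017, 9, 1)},
]
AS_OF = date(2017, 9, 24)

if __name__ == "__main__":
    report = audit_vault(SAMPLE_VAULT, AS_OF, mfa_enabled=False)
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the sample vault three of five entries carry a finding, giving 40 percent, which the missing second factor drags down to 30.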

Still a Winner
Automated password updates slipstreamed into LastPass 3.0, but Emergency Access is new in version 4.0.

The updated user interface for the online vault is a welcome change, as is the handy Sharing Center.

And the breadth of features in this free password manager is amazing.

The fact that the free edition no longer limits you to syncing across devices of the same type is icing on the cake.

LastPass 4.0 remains an Editors' Choice for free password manager.
It shares that honor with LogMeOnce Password Management Suite Premium, which also packs an impressive feature set into a free product.


An LG Nexus 5 at the moment it is rooted using Rowhammer-induced bit flips (van der Veen et al.)

Researchers have devised an attack that gains unfettered "root" access to a large number of Android phones ...
Microsoft's mistake with Secure Boot and its secret policy is a perfect illustration of why it's too dangerous to create encryption systems with a secure backdoor.
Someone will inevitably make a mistake, and users are left vulnerable while the company ...
Redmond races to revoke Secure Boot debug policy

Microsoft leaked the golden keys that unlock Windows-powered tablets, phones and other devices sealed by Secure Boot – and is now scrambling to undo the blunder. These skeleton keys can be used to install non-Redmond operating systems on locked-down computers.
In other words, on devices that do not allow you to disable Secure Boot even if you have administrator rights – such as ARM-based Windows RT tablets – it is now possible to sidestep this block and run, say, GNU/Linux or Android. What's more, it is believed it will be impossible for Microsoft to fully revoke the leaked keys. And perhaps most importantly: it is a reminder that demands by politicians and crimefighters for special keys, which can be used by investigators to unlock devices in criminal cases, will inevitably jeopardize the security of everyone. Microsoft's misstep was uncovered by two researchers, MY123 and Slipstream, who documented their findings here in a demoscene-themed writeup published on Tuesday.
Slip believes Microsoft will find it impossible to undo its leak.

Bring you up to speed on Secure Boot

Before we delve further, it is important to understand that up until now we've been talking about keys metaphorically: at the heart of this matter are what's called Secure Boot policies. You don't have to completely understand all the ins and outs of Secure Boot to get your head around Microsoft's cockup. However, if you want more details of how Secure Boot works, the Linux Foundation has a guide here [PDF] and Microsoft blogged a gentle introduction here. Basically, what you need to know is this: when Secure Boot is fully enabled in the firmware of a Microsoft device, it will only boot up an operating system that is cryptographically signed by Redmond.

That stops you from booting up any OS you want on your Windows RT tablet, certain Windows Phones and so on. Alongside this, there are Secure Boot policies, which are rules that are loaded and obeyed during early startup by the Windows boot manager.

These policies must also be signed by Microsoft to be accepted, and are installed on devices and machines using a Microsoft-signed tool. For debugging purposes, Microsoft created and signed a special Secure Boot policy that disables the operating system signature checks, presumably to allow programmers to boot and test fresh OS builds without having to sign each one. If you provision this magic policy, that is, if you install it into your firmware, the Windows boot manager will not verify that it is booting an official Microsoft-signed operating system.
It will boot anything you give it provided it is cryptographically signed, even a self-signed binary – like a shim that loads a Linux kernel. The Register understands that this debug-mode policy was shipped on retail devices, and discovered by curious minds including Slip and MY123.

The policy was effectively deactivated on these products but present nonetheless. Now that golden policy has leaked onto the internet.
It is signed by Microsoft's Windows Production PCA 2011 key.
If you provision this onto your device or computer as an active policy, you'll disable Secure Boot.

The policy is universal; it is not tied to any particular architecture or device.
It works on x86 and ARM, on anything that uses the Windows boot manager.

Microsoft's response

According to the pair of researchers, they contacted Microsoft's security team around March to say they had found the debug-mode policy.
Initially, we're told, Redmond declined to follow up the find, then decided about a month later it was a security issue and paid out a bounty reward. In July, Microsoft pushed out security patch MS16-094 in an attempt to stop people unlocking their Secure Boot-sealed devices.

That added a bunch of policies, including the debug-mode policy, to a revocation list held in the firmware that's checked during startup by the Windows boot manager. That didn't fully kill off the magic policy, however.

The revocation list is checked by the boot manager after policies are loaded.

By that point in the startup sequence, it's too late. However, a Microsoft tool used to provision the policy into the firmware does check the revocation list, and thus refuses to accept the magic policy when you try to install it, so MS16-094 acts merely as a minor roadblock. This week, Microsoft issued patch MS16-100, which revokes more stuff but doesn't affect the golden policy, we're told.
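As an added illustration (not code from the article or from Microsoft), here is a toy Python model of the ordering problem just described: the provisioning tool consults the revocation list before writing, but the pre-fix boot manager applies policies before consulting it, so a policy already sitting in firmware keeps working after the patch; the `revoke_before_apply` flag shows the corrected order. All class and policy names are assumptions made for this example.

```python
"""Toy model of the policy-loading / revocation ordering the article describes.
Constructed illustration, not Microsoft's code: the class names, fields and
boot steps are assumptions made for this example only."""
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Policy:
    name: str
    disables_os_sig_check: bool
    ms_signed: bool = True      # boot manager accepts only Microsoft-signed policies

@dataclass
class Firmware:
    provisioned: list = field(default_factory=list)  # policies in firmware storage
    revoked: set = field(default_factory=set)        # revocation list patches extend

def provision(fw: Firmware, policy: Policy) -> bool:
    """Provisioning tool: consults the revocation list *before* writing, so a
    policy revoked by an already-installed patch is refused at this stage."""
    if not policy.ms_signed or policy.name in fw.revoked:
        return False
    fw.provisioned.append(policy)
    return True

def boot(fw: Firmware, revoke_before_apply: bool):
    """Boot manager. Returns (os_sig_checks_enforced, revoked_policies_noticed).
    revoke_before_apply=False models the pre-fix order: policies take effect
    first and the revocation list is only consulted afterwards."""
    enforce, noticed = True, set()
    if revoke_before_apply:
        active = [p for p in fw.provisioned if p.ms_signed and p.name not in fw.revoked]
    else:
        active = [p for p in fw.provisioned if p.ms_signed]
    for p in active:
        if p.disables_os_sig_check:
            enforce = False                 # the policy has already taken effect
    if not revoke_before_apply:
        # The revocation check runs here, but 'enforce' was decided above.
        noticed = {p.name for p in active if p.name in fw.revoked}
    return enforce, noticed

DEBUG_POLICY = Policy("debug-mode", disables_os_sig_check=True)  # constructed name

def scenario(patched_before_provision: bool, revoke_before_apply: bool):
    """Replays the article's timeline on a fresh device."""
    fw = Firmware()
    if patched_before_provision:
        fw.revoked.add(DEBUG_POLICY.name)   # patch first: the tool refuses the policy
    provision(fw, DEBUG_POLICY)
    fw.revoked.add(DEBUG_POLICY.name)       # patch installed, possibly after provisioning
    return boot(fw, revoke_before_apply)
```

`scenario(False, False)` is the case the article describes: the boot manager notices the revoked policy, yet signature checks are already off.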

A third patch is due to arrive next month as a follow-up. If you haven't installed the July fix yet, you can use this script to provision the unlock policy onto your ARM-powered Windows RT tablet. You must be an administrator to update the firmware.

After that, you can set about trying to boot a non-Windows OS or any other self-signed EFI binary. We're told by one brave tester that this policy installation method worked on a Windows RT tab that was not patched for MS16-094. The aforementioned script works by running a Microsoft-provided EFI binary during the next reboot that inserts the debug-mode policy into storage space on the motherboard that only the firmware and boot manager are allowed to access. If you have installed the July update, the above script will fail because the updated revocation list will be checked by Microsoft's installation tool and the magic policy will be rejected before it can be provisioned.
In about a week's time, MY123 is expected to release a package that will work around this and install the debug-mode policy on all devices, including Windows RT tablets. People are particularly keen to unlock their ARM-powered Surface fondleslabs and install a new operating system because Microsoft has all but abandoned the platform. Windows RT is essentially Windows 8.x ported to 32-bit ARMv7-compatible processors, and Microsoft has stopped developing it. Mainstream support for Surface RT tabs runs out in 2017 and Windows RT 8.1 in 2018. A policy similar to the leaked debug-mode policy can be used to unlock Windows Phone handsets, too, so alternative operating systems can be installed.

A policy provision tool for Windows Phone is already available. We expect to hear more about that soon. This Secure Boot misstep also affects Windows PCs and servers, but it's not that big a deal for them because these machines are typically unlocked anyway. You can boot your unrestricted computer into its firmware settings, and switch off Secure Boot, or delete all the keys from its database to disable it, if you really want to. You don't need any debug-mode tricks to do that. In the unlikely event you're using a locked-down Secure Boot PC and you have admin rights on the box, and you want to boot something else, all the above is going to be of interest to you.
If you're an IT admin who is relying on Secure Boot to prevent the loading of unsigned binaries and drivers – such as rootkits and bootkits – then all the above is going to worry you.

FBI and golden keys

To reiterate, these Microsoft-signed resources – the debug-mode policy and the EFI installation tool – are only meant to be used by developers debugging drivers and other low-level operating system code.
In the hands of Windows RT slab owners, whose devices are completely locked down, they become surprisingly powerful. It's akin to giving special secret keys to the police and the Feds that grant investigators full access to people's devices and computer systems.
Such backdoor keys can and most probably will fall into the wrong hands: rather than be used exclusively for fighting crime, they will be found and exploited by criminals to compromise communications and swipe sensitive personal information. Anyone who thinks government servers holding these keys are safe need only be reminded of the OPM megahack; anyone who thinks these keys cannot be extracted from software or hardware need only spend a weekend with a determined reverse-engineer and a copy of IDA Pro. The Secure Boot policies Microsoft is rushing to revoke can't be used to backdoor conversations or remotely hijack systems, but they remind us that this kind of information rarely stays secret. "This is a perfect real world example about why your idea of backdooring cryptosystems with a 'secure golden key' is very bad," Slipstream wrote, addressing the FBI in particular. "Smarter people than me have been telling this to you for so long.
It seems you have your fingers in your ears. You seriously don't understand still? Microsoft implemented a 'secure golden key' system.

And the golden keys got released by Microsoft's own stupidity. Now, what happens if you tell everyone to make a 'secure golden key' system?" We asked Microsoft for comment, and a spokesperson was not immediately available.
If someone gets back to us, we'll update this article. ®