Friday, August 02, 2013

The creepy experience of installing Windows 8.1 (when you are paranoid about security)

Update 1 June 2014: Somewhere in the blog post I recommended Truecrypt. Strange events happened today when suddenly, in the wake of a crowdfunded security audit, the Truecrypt page changed to recommend switching to something else, mainly Microsoft's BitLocker, published a version that only decrypts and does not allow creating encrypted disks and basically went "poof!". It is noteworthy that the developers of the encryption tool were and have always been anonymous. Strange indeed. Read more here.

Update 24 Aug 2013: Just forget what I said about having a secure and anonymous Windows 8 computer. Read this link here: LEAKED: German Government Warns Key Entities Not To Use Windows 8 – Links The NSA.

I wanted to see how Windows 8 looked and felt, as I didn't really see or try it beyond looking from afar at those obnoxious icon things they called tiles. Also, as a prerequisite that I added myself, I wanted to be as anonymous as possible, using new emails that have no connection with my previous names or nicknames and hiding as much as possible about my identity. So far, I can only describe the experience as creepy.

But let's start with the beginning, as they say. I plugged a Windows 8.1 Preview bootable USB stick in a laptop and started the machine, after previously making sure it could only boot from USB devices. On a black screen a little fish appeared, a strange little creature that blew air bubbles, then a funny looking 'waiting' logo that looked like beads trying to catch other in a circle. It entered a pretty standard interface that allowed me to upgrade or install a new version of Windows. I took the latter, as I wanted a clean, anonymous install. I've reconfigured the partitions, formatted them, but, to my surprise, a warning appeared informing me I could not install Windows on the newly created partitions, as the computer could not boot from them. This was all related to the settings in BIOS that allowed only USB devices to boot. It was an unexpected surprise, both pleasant (they thought about the drive not being bootable) and unpleasant (I had to restart the laptop, add the hard drive to the boot list and start over.

Starting over I had to immediately connect my computer to the Internet. It was not mandatory, but I didn't really have an easy alternative. As a warning, connecting the machine to the Internet gives away your location (especially if it's your broandband IP which is contractually linked to your name and address) and probably pins it to that location. In truth what I should have done is use some sort of anonymous Internet source, like via GPRS from a disposable card. The best option that I can think of is to create a TOR router and use it exclusively with this machine. Now, using a cellular Internet source is not a grand idea, either, as to use it they need to triangulate your position anyway, but we're already getting into more details than needed. After all, this is all a test for now and the blog entry is mostly about Windows 8.

Choosing a colour theme was a bit annoying. That colour theme defined at least the background colour of my desktop. I had a lot of colours to choose from, but they were all overly bright. The best one (which was my favourite anyway) was chosen by default, which forced me to choose another. The only other option that was remotely acceptable was grey, but a bright version of grey. I wanted black, but there was no option for that.

Choosing a username was the real creeper. The username was actually an email. I chose to create a new Windows account, but this would not actually create a new email, just use the email provided by you to associate it with Microsoft. I had to give them my email, my password, my phone number, a security question, my alternate email. I refused to enter my phone number, but they forced it anyway, as they needed two ways of recovering my password and I didn't want to enter an alternate email, so I entered a bogus phone number. The password was the funniest part. I entered a password, one that would be safe from cracking, only to be met with an alert "Your password cannot have more than 16 characters". Are they trying to make passwords easy to crack? Apparently (with emphasis on that word) they don't, as they suggest or require all the other "standard" solutions for a safe password: upper and lowercase letters, digits, special characters. As a famous Xkcd comic shows, that's just stupid.

Just another detour towards personal security and anonymity: giving them an email as the account name normally means you already had that email. I entered a bogus one, but eventually I would have to create it. Any access to that email will be logged somewhere. The email that you use (and by extension the Microsoft account) should be accessed only from this machine and only when the network is secured (via TOR or other mechanisms), otherwise connecting you with the laptop and finding you will be trivial. Obviously the phone number should not be real, nor the alternate email. Also, there were the options that you could Customize. Even if I left all the options as suggested, there were a lot of them set to true by default that did things like: send files to Microsoft in case of crash, remember searches and location in order to optimize Bing searches, send to Microsoft browsing history in order to preload pages in Internet Explorer, etc. Spooky, indeed.

After all this, the screen turned grey (obviously) and a large text appeared slowly: "Hi". Then a long pause, then the text was replaced just as slowly by "We are setting things up for you" or something to that effect. During the "set up" stage, the background cycles the hue from colour to colour. This was by far the creepiest part of the setup. Perhaps I've seen to many horror movies, or perhaps the Windows startup designer has, but I half expected a screeching sound and something jumping from the screen, or maybe a quiet voice coming from a big red eye calling me Dave or something.

To summarize the security bit (of which I am not an expert, mind you): the setup was creepy enough, but after being prepared a plan should be more clear. The most fragile part of the anonymising process is the Internet, actually. No matter how you do it, it identifies you and your location rather directly. There is something called TOR to save you, but to be certain your software always uses it for Internet access, a true external hardware router should be set (there are several solutions, the one that I like best - without actually trying it - is the Raspberry PI version). Even so, anything you do from Windows 8 will likely be associated with the Microsoft account, so the first thing you do after setup is use some sort of encryption on your drive (TrueCrypt sounds like it has both the required features and spirit), then make sure you only use this laptop for things that have nothing to do with your real life. You don't send yourself emails, you don't visit your own blog, you don't lookup restaurants near your location, talk to friends who know who you are on the messenger, or anything that has to do with your real life.

All that pretty much sounds like having a dedicated laptop for a completely different part of your life; a bit schizoid. But consider what that means: there is almost no one on this planet that cannot be traced or located on the Internet. The technology is more and more connected and there are numerous ways to circumvent the meagre security measures that are put in place for most software. Even TOR is not perfectly safe and besides, it only proxies TCP packets, so it's not a full replacement. So: Human nature, the connected nature of operating systems and software these days, numerous vulnerabilities that can be exploited by both evil hackers and governments, they all conspire to make you visible on the Internet. You are not "safe" on the Internet because it provides you with anonymity, but because no one cares enough to get to you.


Jamie said...

I was wondering if anybody else found Windows 8.1 creepy. I'm used to the feeling that whoever at Google can read my e-mail ... now I've got to get used to the feeling that whoever at Microsoft can access my home PC ...
Great xkcd link! I'd somehow never seen that. Brilliant.