Can you translate and just mention this? Welcome to the CCC Camp 2015. I'm sure it's important to look at the date of the camp. Many people imagine that this is not the first talk about Windows problems. In fact, that is something that has happened to us for quite a while, but now it has escalated significantly. The escalation of the situation was such that I even put up a nice image on the inside. Is it really the case that nowadays, with Windows 8 and before, there was always a certain take-back from the side of Microsoft, an option that they accepted people running Linux on it? And that is more and more getting lost. Microsoft changes its complete operational model, and with Windows 10 the users will be removed from the control of their own hardware and software. So it's not really surprising that FIFA is surprised that Microsoft even updates the recovery key to the data. So for everybody who listens to it: all the data can be encrypted. So Microsoft really has to ask itself: is it really good to update customers' data massively into its own cloud?

Okay, let's look at the points. So what's the idea? The idea is trusted computing, and that existed already at the end of the last millennium, and a lot of cryptographic scientists looked at it. And in 2003 I had this page from a person from RSA; he developed RSA and he developed a hash function, and as a cryptographer, who knows, he has a deep influence on the encryption of the internet. And he pretty simply said: in principle you take parts of your computer and rent them out to people who you can't trust. So in future, if you buy a computer, there is a key in it that protects our computer from the others, but also from ourselves. So we were warning a couple of years ago that it may have legal problems, and hackers had the tendency of talking about it, but profs are just wise guys, and the warning that they could be blocked was communicated from the beginning.
So here I have the heise Security newsletter, and what I also use is that Microsoft really deactivated systems. They don't only have the option, the possibility, but they actually used it. One of those things was in December 2013, that boot systems of other producers were deactivated, and sometimes there were just no reasons, or the more you asked, the more worried you became.

So let's take a step back. People have the right to choose a secure Windows world. In theory they do have that, but because there is a lot of... Windows is the only big distributor, it's a question. If you think about it, they say: hey, we take care of everything. But the question is: do they do it properly? Also, in the past all the ideas of the encryption standards are ten years old, and that leads to a significant amount of problems. Just up here: there are errors in the standard documentation. There are insecure parameters that were bad at the start of this millennium, but they're still there, say with an insecure key length, and there were cryptographic errors. There are security problems through the integration. All the time people say: hey, that's trusted computing, that's a new tool of security, so we can make it more secure than integrated systems, but that was diluted. So we have the situation that at the moment there are up-to-date systems with really deeply integrated solutions, where the security chip is also just part of the system. And if we put security chips in there because there's a hardware boundary, in most cases it's not a good idea to give up the hardware boundary. So if we hack these highly integrated devices we will have a lot of fun with that, more towards the end of the talk. And maybe we are just too crazy or too worried and we think too much about corner cases, and I will show in one or two cases that the security situation is even worse. You don't need hacker skills to reduce the security significantly.
One of the standard errors, the normal errors: if there are standards where you say it "should", or you write it "may". "Should" and "may" is something like: it would be good to do that, but we don't have to. And usually suggestions are a good thing, but always think about it: if you're a developer and you go to your boss and say, hey, I want to build the new chip and I want to build it more secure, that's always something about capitalism, and it's the job of those people to ask: hey, how much is that? And the cheaper solution is always to use the old cryptography, so you don't have to redevelop it. And if we live in a world where the people who decide about the finances have a more important word than the people who do security, you will see what comes out of it. And in the end I don't have to downplay it too much: on security I can always say, if I look at the signature laws, it's only possible for short-term, middle-term security if you look at the... and nobody says that with 2,500 bits it's just not secure over the long term.

And my favorite story is the continued use of a broken hash function, SHA-1. And here's the point where I said it's really too stupid for me. I googled for that and there was an article in Datenschleuder 2005, and it wasn't even my work; I looked there, back then it wasn't even my work, I wrote that it's basically broken, for 10 years, and I just wrote it up. So we're 10 years later now and it's not even discussed anymore. And there was a competition for SHA-3, there were advisories not to use it anymore, and I had the possibility to work with the standardization within the German norming process, and the German norming process... criticized these security problems with the security of SHA-1, but the international norms didn't take this into account. There's a pretty unspectacular leak; it was a really unspectacular leak compared to others, but it was...
In the end there were counter votes against that, and it's notable that they're from Germany and from the people from the Republic of China. So this... a couple of weeks ago I said that the discussion about Windows 8 and the security issues is dealt with in a different manner in China: Windows 8 is forbidden in China, and in Germany it's allowed. And I'm pretty sure that a similar fatwa has been spoken out against Windows 10.

The cryptographic problems are highly relevant: the integrity check is attackable, the certificate security is attackable, and there was an attack, at one CCC Congress, where Dutch researchers together with Jacob Appelbaum showed that the cryptographic weaknesses can be used directly in order to fake certificates, and that's an absolute catastrophe in this case and in the field of security. Another footnote I mentioned in the crypto talk this morning: SHA-1 comes from the NSA. That stands in the proposals; it's nothing that's top secret or a conspiracy. One thing I learned from the Snowden documents is that in the area of hash functions the NSA has a couple of cryptographic tricks, and there's stuff that we still have to research. But we have the situation that the best organization in terms of hash functions, in breaking hash functions, namely the NSA, is designing the hash functions. And that's not a conspiracy theory. NIST has done a new competition for SHA-3 where openness is pretty central; SHA-3 has gone through this official process.

In the last couple of days I've been asked by people to say something more specific about the specific updates, about the security problems. I already predicted them at the Congress, and we'll get a couple of funny security updates; I'll do this in the next couple of minutes, and in terms of tradition I will only quote the serious colleagues from heise Security, who should be taken seriously. Why did I decide to use the term crypto-zombie? While they're still running around and still being dangerous. This FREAK
attack was the first. There's a complete computer security catastrophe because the Americans decided in the 90s that they didn't want to export cryptography, so the only people who got cryptography out in those years were weapons smugglers. I didn't do that, of course I didn't, but I was in a more relaxed situation; in a less relaxed situation, like the terror hysteria today, it would have been even worse. On one of the first camps, I think HIP 1997, Americans took the source code of PGP, printed it out in books, and because books were allowed to be exported, freedom of speech, they took it to the field close to Amsterdam and they scanned the first version of PGP in and implemented it there. So we made it part of the history of our camps.

But these problems are, I'd like to state that again, thanks to Werner Koch: Werner Koch wrote GPG, and the day after GPG was published the Americans loosened their crypto export restrictions. So whatever you do, you might be able, even able, to get a world superpower to change their policy. And thank you very much, Werner Koch, for that. And that's the thing I'll tell my students who think that you can't change the world: you should see that we have the potential with the internet and cryptography and mathematics. So whoever has the chutzpah to actually implement this, you can actually change something.

So the FREAK attack was announced by, noticed by Microsoft on the 6th of March; then there was a workaround that should make it more safe, but the next day the Windows updates didn't work anymore. Microsoft killed their own update system. They find everybody who makes the joke... I made all the jokes about this Windows update system. I wanted to continue this with the next thing from heise Security: Windows users are already used to it. I really grinned a little about that. And then I said, well, there's a zombie in the house, and there's the export restriction: Cameron in England wants to warm them up again. Terrible. It's pretty easy, then I can recycle my old
slides. So I'm pretty chilled out about it: back then it was a dumb idea, now it's a dumb idea, so it still stays that way. And the surveillance: as we know about the surveillance now, it's the good thing that the idiots who talked about Echelon in 1999 on the camp, well, they weren't that kind of idiots anymore, and there's not only this note and document that these people didn't say the truth. And I wanted to say thank you to them, because it was a mood where you claimed to know these kinds of things, that our American friends are surveilling us. And a representative of the SPD in Bavaria, Mr. Schmidt, I want to thank him, because he talked about this in the European Parliament. And then we are at the point to say thank you, to mention them here especially and honour them.

A dirty grin again about Windows is one thing, but bad surprises are even worse for people who have Linux on the system: with the Windows update on March the 13th, Microsoft killed dual boot systems with Windows, and killed all the boot things, but the settings... But there are also embedded systems where they call up Windows, or there's an old Windows that updates itself, and then this embedded system doesn't boot anymore. And that, yes, again thanks to Microsoft: they killed SHA-1 and integrated SHA-2 in 2015. We only asked for that in the middle of the 90s, so after 90 years Microsoft listened to some of the critiques. It would have been nice if they hadn't killed all the things. Then, worse enough that I have to update my slides, a couple of days before we left for the camp there was a Black Hat session by Stone and Chapman that shows that you can compromise Windows systems via Windows updates, and it says: you have one malicious update ready to install. Let's conclude that people who aren't even able to update safely want to manage our security completely. And we laughed about it at two CCC events, that they build on old crypto and are in the situation that they are angry that people are angry that they have to update. They care about
it, but I say you can't do it, and if you can't do this then please leave our systems alone and allow us to install whatever we want. And this is the problem, and that's getting more difficult. With Windows 10 it's important that you have to include a trusted platform module in your computer; a switch to turn it off is only optional, but it's mandatory to include it. And all the dirty tricks we use to kill Windows to install an alternative system will get large problems, and there will be systems where you can't turn off security at all.

And one of the few points I want to name, I want to criticize how security is with... and this quote means that there are problems with exotic software. There are problems with all software, with any software that is free software. If you want to install an open source system then you need a signature by Microsoft: Microsoft signs a bootloader, and that loads another bootloader, and then the things continue, and Microsoft can at some point revoke the signature. And then we remind ourselves about a couple of slides before: this all really happened. I have to say again that my friends and I, we start buying old hardware, because we don't know; without huge pains we know we'll do it somehow, but we don't want to use our own hardware to get into a strong hacking fight. And I want to say, friends, how the secure non-exotic software is: if you define Debian or Linux, say SUSE has a signature, and Ubuntu and stuff, but normal free development will get more or less impossible. And Microsoft doesn't say that there's a possibility to introduce alternative software. To say something nice: if we have these chips, it's only if we can use the security chips. And it's quite surprising, should there be new security issues: looking at new talents of hardware security of the recent days, there will be physical attacks possible, and even if it's a system on a chip there will be time slice attacks and timing attacks. There are especially interesting attacks if you can
do it over the network. As I said, network chips are even more funny, and the number generators can also be played with. And if you have a system that works by being certified chips, and the chips get more secure and we remove the hardware security, we have to ask: why do we do that? So we don't have to do a hardware world if we can still do it in software.

What I think about the future: it's not only security problems but also significant problems for the way we use our computers. And if just one person doesn't help, I use another Turing winner, and it's called Diffie-Hellman. And Diffie-Hellman said: the start of Microsoft will not work only when they block out that there are other systems. But Microsoft wants to build a massively locked system, and that means that in the end we will not be able to own our own systems; we can't request these things with our own computers anymore. And that is a problem with our hacker community, and the problem is that this hacker community developed the software that runs the internet, that developed Linux. Linux has a significant commercial impact, and this open source community will be harmed significantly. And part of that are also cryptographic answers. Without risking creating a new slogan, Diffie-Hellman said he sees the requirement that the users of their own devices have to use and have to own their keys. That was true in 2013, and it's still true.
I'm a bit cynical about trusted computing chips and this trusted platform chip, and I take it back in here. And the only thing I said: if the devices are produced in China, we will have to assume... and there were no real proofs about that. But just recently there was a response; it was published that there was a BIOS or UEFI, there was a Lenovo backdoor. It was also the second time. Lenovo is a small company in China, where also this completely independent university is there, and without being polemic, Lenovo has some problems, so you can look at that. So there's another backdoor, so the slide that was ridiculous a couple of months ago, we know that it is true nowadays, or yesterday.

Another thing I want to point at is that even a couple of years ago we said about UEFI that it's not BIOS anymore; we have a huge piece of software there, and we always said that's a monster and it's badly secured and we will have problems there. And by now nice young people looked at Hacking Team and Gigabyte, and you are very welcome to look at an area where there are UEFI backdoors. And I'm quite annoyed, because exactly the area we talked about a lot over the recent years was just ignored. And at the moment it's just not a good idea: we have a Chinese organization that is close to the government, and they talk at the good time to the government, and they said: hey, we had a problem. But it's known that there is a backdoor in a lot of hardware in China, for example Lenovo laptops, but there are also UEFI backdoors that are available in the wild, that were used by Hacking Team, and if they are published, it's out there. So again, what the creative people used to say is nowadays well known in the recent days.

Another hint: if you create a TPM externally, especially if you don't use it as a hardware tool, it's only software, so the keys are generated externally and loaded into the system, so I only have to create a copy of a key at one place.
Another crazy idea, but I know that the Americans had a chip manufacturer in a bad state like the Netherlands; they did exactly that: they stole the central key. That's trusted hardware: if you say we don't need industrial security, we have a trusted pressure, and if an attacker owns every key he can open everything. What can happen there?

So I want to end with some repetition of my demands that are already there. It is not illegitimate that Microsoft wants to make a closed system possible, which Apple already did for you, but it's illegitimate that you take the possibilities away from the people, and we're talking about the cartel and antitrust people there. And there's even the German government that demands that it is opt-in, and to enter this Microsoft secured world it has to be opt-out; you have to get out alive, and that has to be implemented in the hardware. We have 2015, we have to introduce a new system; is it too much to ask to want cryptography that is up to date? Microsoft has added a little update, they entered into SHA-2, and if they kill, you know, other systems with that, I'm happy we have that. Data-friendly cryptography, PFS, forward secrecy, should be implemented. We need an international control and certification process of the TPM production process. We need to open and certify the TPM-relevant parts of Windows 10 on the lower level. We need absolute security there, and if we have more broken UEFI things then people, you know, will enter that and use that against us, and that's where we hackers are losing. So at the moment we are laughing about it, but there are hackers in the world who don't live by the excellent codex of the CCC, but there are people who are selling their hacking skills for money; there are whole military departments in China that hack all day. So we are in an important game, in the right game, but we want to free the systems with whatever technology we can use, and we want to use that. One allows me that Hacking Team in Italy
or Foxconn doesn't act in an ethically acceptable capacity, and we can discuss that in the hacker scene, but independently from that we need a secure basic system and boot system, and yeah, so that we can use hardware in its manner. And then, yeah, we have to use antitrust measures, or at least audit them, for, you know, if Microsoft has to be entangled in an antitrust manner, if Microsoft is so deep in all the systems that there's a question whether European institutions should actually accept that. I fear that in the next two camps we've also got to talk about that, but we shouldn't stop this and continue working on this. But after the Edward Snowden revelations it's pretty clear that the warnings we are giving out have been caught up by reality. So thanks for listening.
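The talk's recurring complaint, the continued use of SHA-1 in signatures and Microsoft's late move to SHA-2, comes down to a check a defender can automate: which algorithm actually signed a certificate. The following is an added example written for this page, not code from the talk, from Microsoft or from any project mentioned above. It parses just enough DER (standard library only) to pull the signatureAlgorithm OID out of an X.509 certificate, PEM or raw DER, and flags MD5/SHA-1-based algorithms. The OID tables are the standard RFC 3279/4055/5758 assignments; the sample certificates are constructed placeholders produced by make_sample_cert, real only in their outer SEQUENCE structure, so the audit runs offline.

```python
"""Audit the signature algorithm of an X.509 certificate with a minimal DER
parser (added example for the CCC Camp 2015 transcript, not the talk's code)."""
import base64
import re

# Signature-algorithm OIDs from RFC 3279 / RFC 4055 / RFC 5758.
WEAK_SIG_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10040.4.3": "dsa-with-sha1",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}
OK_SIG_OIDS = {
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
}


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body):
    """Decode OBJECT IDENTIFIER content octets into dotted notation."""
    arcs = [body[0] // 40, body[0] % 40]   # first octet packs the first two arcs
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                   # high bit clear: last base-128 digit
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def _pem_to_der(data):
    """Accept PEM text or raw DER bytes; return DER bytes."""
    if isinstance(data, str):
        data = data.encode()
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", data, re.S)
    return base64.b64decode(b"".join(m.group(1).split())) if m else data


def signature_algorithm_oid(cert):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }.
    Return the OID from the outer signatureAlgorithm AlgorithmIdentifier."""
    der = _pem_to_der(cert)
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(body, 0)      # skip tbsCertificate
    tag, alg_id, _ = _read_tlv(body, pos)  # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    if tag != 0x30:
        raise ValueError("malformed AlgorithmIdentifier")
    tag, oid, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    return _decode_oid(oid)


def audit_certificate(cert):
    """Return (algorithm name or OID, verdict) with verdict 'weak', 'ok' or 'unknown'."""
    oid = signature_algorithm_oid(cert)
    if oid in WEAK_SIG_OIDS:
        return WEAK_SIG_OIDS[oid], "weak"
    if oid in OK_SIG_OIDS:
        return OK_SIG_OIDS[oid], "ok"
    return oid, "unknown"


# --- constructed sample certificates: placeholders, only the outer DER layout is real ---
def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    nb = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | nb]) + n.to_bytes(nb, "big") + body


def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:                           # remaining base-128 digits, continuation bit set
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return _tlv(0x06, bytes(out))


def make_sample_cert(sig_oid):
    """Build a PEM 'certificate' whose only meaningful field is signatureAlgorithm."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x02"))             # placeholder tbsCertificate
    alg = _tlv(0x30, _oid(sig_oid) + b"\x05\x00")     # AlgorithmIdentifier, NULL params
    sig = _tlv(0x03, b"\x00" + b"\x00" * 32)          # placeholder BIT STRING
    der = _tlv(0x30, tbs + alg + sig)
    return "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der).decode() + "\n-----END CERTIFICATE-----\n"


SAMPLE_SHA1_CERT = make_sample_cert("1.2.840.113549.1.1.5")
SAMPLE_SHA256_CERT = make_sample_cert("1.2.840.113549.1.1.11")

if __name__ == "__main__":
    for name, cert in (("sha1", SAMPLE_SHA1_CERT), ("sha256", SAMPLE_SHA256_CERT)):
        print(name, audit_certificate(cert))
```

Fed a real PEM certificate, audit_certificate reads the same outer AlgorithmIdentifier, so the function works unchanged on certificates exported from a TLS endpoint or a signed boot component; anything not in either table is reported as "unknown" rather than silently accepted.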