InfoSecPro (https://www.webpronews.com/technology/infosecpro/), feed last updated Fri, 19 Apr 2024 17:55:03 +0000

Get Ready For Your Plumber to Spy On You, Thanks to ‘Stasi Amendment’ Surveillance Bill
https://www.webpronews.com/get-ready-for-your-plumber-to-spy-on-you-thanks-to-stasi-amendment-surveillance-bill/
Thu, 18 Apr 2024 21:23:01 +0000

Following its passage in the House, Section 702 is up for a vote in the Senate Friday, expanding US surveillance efforts with what is being called the “Stasi Amendment.”

Section 702 of the Foreign Intelligence Surveillance Act (FISA) gives US agencies the ability to monitor the communications of foreign citizens in the interest of national security. As part of the surveillance, a large quantity of Americans’ communication is caught in the dragnet, especially when an American communicates with family, friends, or business associates who are not US citizens. Critics have slammed Section 702 since all of the above is done without obtaining a warrant. To make matters worse, the data is held for years, with law enforcement agencies free to peruse it years after the fact—and for reasons completely unrelated to those that led to its collection.

The Reforming Intelligence and Securing America Act (RISAA) greatly expands US surveillance authority by forcing businesses to aid the government in eavesdropping on individuals. According to Marc Zwillinger, an attorney with experience appearing before the FISA Court of Review, RISAA does this by changing the definition of an “electronic communications service provider” (ECSP).

The FRRA painted with too broad a brush and would have permitted the government to compel assistance not only from data centers, colocation providers, and business landlords, but also from operators and employees of shared workspaces, hotels where guests connect to the Internet, as well as from any third party involved in providing equipment, storage, or even cleaning services to such entities. It did so by dropping the requirement that the recipient of a FISA 702 directive be a “communication” service provider, by expressly making access to equipment alone enough for eligibility, and by adding the term “custodian” as a person that could be asked to provide assistance.

As Zwillinger points out, the terminology has narrowed a bit, but still results in a significant expansion of the definition of ECSP.

The new amendment is a marginal improvement over the last go-around, but it is still problematic. It is not a change that “narrowly updates the definition of electronic communication service provider under Section 702.” Like the FRRA, it: (1) drops the qualifier “communication” from the class of covered “service providers;” (2) makes access to communications-carrying equipment enough to establish eligibility; and (3) adds “custodian” to the list of individuals who can be forced to provide assistance. But unlike the FRRA, it then enumerates a list of business types that cannot be considered ECSPs, including public accommodations, dwellings, restaurants, and community facilities.

Zwillinger makes the case that the government’s amendment to exclude certain businesses is itself proof that RISAA is too broad.

The new amendment would — notwithstanding these exclusions — still permit the government to compel the assistance of a wide range of additional entities and persons in conducting surveillance under FISA 702. The breadth of the new definition is obvious from the fact that the drafters felt compelled to exclude such ordinary places as senior centers, hotels, and coffee shops. But for these specific exceptions, the scope of the new definition would cover them—and scores of businesses that did not receive a specific exemption remain within its purview.

Lawmakers are well aware how invasive the new legislation is, with Wired reporting that some Hill staffers, as well as privacy experts, are calling the ECSP section the “Stasi Amendment,” after the notorious, Communist-era, East German secret police force.

Senator Ron Wyden, a notable privacy proponent, has slammed the bill and vowed to fight it.

“The House bill represents one of the most dramatic and terrifying expansions of government surveillance authority in history,” Senator Wyden said. “It allows the government to force any American who installs, maintains, or repairs anything that transmits or stores communications to spy on the government’s behalf. That means anyone with access to a server, a wire, a cable box, a wifi router, or a phone. It would be secret: the Americans receiving the government directives would be bound to silence, and there would be no court oversight. I will do everything in my power to stop this bill.”

Senator Wyden goes into detail, highlighting the dangers of the new legislation.

This bill expands that power dramatically. It says that the government can force cooperation from, quote, “any other service provider who has access to equipment that is being or may be used to transmit or store wire or electronic communications.”

Now, if you have access to any communications, the government can force you to help it spy. That means anyone with access to a server, a wire, a cable box, a wifi router, a phone, or a computer. Think about the millions of Americans who work in buildings and offices in which communications are stored or pass through.

After all, every office building in America has data cables running through it. These people are not just the engineers who install, maintain and repair our communications infrastructure; there are countless others who could be forced to help the government spy, including those who clean offices and guard buildings. If this provision is enacted, the government could deputize any one of these people against their will, and force them to become an agent for Big Brother.

If the Stasi Amendment passes Friday, the US will suddenly have much in common with Communist East Germany, creating a culture in which random individuals can be forced to spy on others.

Microsoft Outlook Is Now Spyware That Shares Your Data With 801 Companies
https://www.webpronews.com/microsoft-outlook-is-now-spyware-that-shares-your-data-with-801-companies/
Fri, 05 Apr 2024 12:30:00 +0000

Microsoft is once again under fire for its efforts to monetize users at the expense of privacy, this time by mining data from Outlook and sharing it with 801 other companies.

Proton, makers of the popular private and secure ProtonMail service, are calling Microsoft out for the latest terms and conditions when installing Outlook for Windows. The new dialog comes courtesy of the EU, where stricter laws require companies to disclose how a person’s data will be used. Unfortunately, US users will never see this dialog box—since the US has no comprehensive privacy legislation—even though Microsoft will still proceed with data collection and sharing.

When a user installs Outlook for Windows, they are greeted with the following message:

We and our 801 partners (emphasis ours) process data to: store and/or access information on your device, develop and improve products, personalize ads and content, measure ads and content, derive audience insights, obtain precise geolocation data, and identify users through device scanning. Some third parties may process your data on the basis of their legitimate interest.

Again, Microsoft and its 801 partner companies can:

  • Access information on your device
  • Personalize ads
  • Derive audience insights
  • Obtain users’ exact location
  • Identify users by the data on their device
  • Microsoft says third parties can do whatever they need to in the pursuit “of their legitimate interests”
Microsoft Partners Dialog - Credit Proton

To make matters worse, as the folks at Proton point out, the new Outlook’s ability to integrate with various cloud email providers means that the app stores users’ passwords to their other accounts.

“Although Microsoft explains that it is possible to switch back to the previous apps at any time, the data will already be stored by the company,” German IT blog Heise Online reported. “This allows Microsoft to read the emails.”

This particular outcome is especially alarming since it gives Microsoft the ability to scan users’ email from other services, mine the data, and share it with its partners.

Google—rightfully so—receives a lot of flak for its privacy or lack thereof. As Proton points out, Microsoft has taken the search giant to task for doing the exact same thing it is now guilty of. To make matters even worse, Microsoft often resorts to these tactics in products and services that people are already paying a premium for, as opposed to Google, which often provides its services for free.

It’s little wonder that the European Data Protection Supervisor recently found the EU Commission in violation of the bloc’s data regulation for its use of Microsoft 365 since there is no reasonable basis to believe EU citizen data is properly protected when using Microsoft’s products.

Similarly, a German state recently opted to migrate some 30,000 PCs from Microsoft to Linux and LibreOffice in the name of privacy and data sovereignty.

In short, Microsoft Outlook has become abject spyware in the truest sense of the word. Any companies or individuals that don’t want their data mined should immediately look for alternative email solutions.

Ubuntu Users Uniquely Vulnerable to Linux Kernel Security Flaws
https://www.webpronews.com/ubuntu-users-uniquely-vulnerable-to-linux-kernel-security-flaws/
Sat, 30 Sep 2023 18:38:05 +0000

A new report says nearly 40% of Ubuntu users are vulnerable to a pair of kernel vulnerabilities unique to Ubuntu and its derivative distributions.

According to Wiz researchers Sagi Tzadik and Shir Tamari, the issues stem from Ubuntu’s OverlayFS module. Several years ago, Ubuntu made custom modifications to OverlayFS. When the mainline Linux kernel was later changed, however, a vulnerable code path in Ubuntu’s version was overlooked, as the researchers describe:

The two vulnerabilities are exclusive to Ubuntu because Ubuntu introduced several changes to the OverlayFS module in 2018. These modifications did not pose any risks at the time. In 2020, a security vulnerability was discovered and patched in the Linux kernel, however due to Ubuntu’s modifications, an additional vulnerable flow was never fixed in Ubuntu. This shows the complex relationship between Linux kernel and distro versions, when both are updating the kernel for different use cases. This complexity poses hard-to-predict risks.

The researchers say that Ubuntu’s modifications pose serious risks to users:

Our team has discovered significant flaws in Ubuntu’s modifications to OverlayFS. These flaws allow the creation of specialized executables, which, upon execution, grant the ability to escalate privileges to root on the affected machine. Linux has a feature called “file capabilities” that grants elevated privileges to executables while they’re executed. This feature is reserved for the root user, while lower-privileged users cannot create such files. However, we discovered that it’s possible to craft an executable file with “scoped” file capabilities and trick the Ubuntu kernel into copying it to a different location with “unscoped” capabilities, granting anyone who executes it root-like privileges.

Fortunately, the researchers say that remote exploitation of these vulnerabilities — labeled CVE-2023-2640 and CVE-2023-32629 — is “improbable,” and local access to a machine is likely required.

However, all users should update their kernel as soon as possible to mitigate these two security issues.
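The “scoped” versus “unscoped” distinction in the Wiz quote above comes down to how the kernel stores file capabilities in the security.capability xattr: a version-3 value carries a rootid that ties the capabilities to one user namespace, while a version-2 value (or version 3 with rootid 0) is honoured in the init user namespace. The following added example (not Wiz’s or Ubuntu’s code) decodes that xattr and lists the entries an auditor would want to review; the xattr values and file paths are constructed placeholders.

```python
import struct

# Layout constants from the Linux UAPI header (include/uapi/linux/capability.h).
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x000001
VFS_CAP_REVISION_2 = 0x02000000   # 20-byte value: two permitted/inheritable pairs
VFS_CAP_REVISION_3 = 0x03000000   # 24-byte value: as v2 plus a trailing rootid
XATTR_SIZES = {VFS_CAP_REVISION_2: 20, VFS_CAP_REVISION_3: 24}
CAP_NAMES = {0: "cap_chown", 1: "cap_dac_override", 7: "cap_setuid", 13: "cap_net_raw", 21: "cap_sys_admin"}

def decode_security_capability(blob):
    """Decode a raw security.capability xattr value into its fields."""
    magic = struct.unpack_from("<I", blob, 0)[0] if len(blob) >= 4 else 0
    revision = magic & VFS_CAP_REVISION_MASK
    if XATTR_SIZES.get(revision) != len(blob):
        raise ValueError("unsupported revision 0x%08x or length %d" % (magic, len(blob)))
    # data[0] carries capability bits 0-31, data[1] carries bits 32-63.
    p_lo, i_lo, p_hi, i_hi = struct.unpack_from("<4I", blob, 4)
    rootid = struct.unpack_from("<I", blob, 20)[0] if len(blob) == 24 else None
    return {
        "revision": revision >> 24,
        "effective": bool(magic & VFS_CAP_FLAGS_EFFECTIVE),
        "permitted": p_lo | (p_hi << 32),
        "inheritable": i_lo | (i_hi << 32),
        "rootid": rootid,
        # Only v3 with a non-zero rootid is bound to a user namespace; v2, or
        # v3 with rootid 0, is honoured by the init user namespace.
        "scoped": rootid not in (None, 0),
    }

def cap_names(mask):
    return [CAP_NAMES.get(b, "cap_%d" % b) for b in range(64) if mask >> b & 1]

def unscoped_findings(entries):
    """Return (path, caps) for each entry whose caps the init namespace would honour."""
    out = []
    for path, blob in entries:
        info = decode_security_capability(blob)
        if not info["scoped"] and info["permitted"]:
            out.append((path, cap_names(info["permitted"])))
    return out

def sample_entries():
    """Constructed xattr values with placeholder paths, not read from a real host."""
    scoped = struct.pack("<6I", VFS_CAP_REVISION_3 | VFS_CAP_FLAGS_EFFECTIVE,
                         1 << 7, 0, 0, 0, 100000)   # cap_setuid, rootid 100000
    unscoped = struct.pack("<5I", VFS_CAP_REVISION_2 | VFS_CAP_FLAGS_EFFECTIVE,
                           1 << 13, 0, 0, 0)        # cap_net_raw, no rootid
    return [("/home/user/ns_tool", scoped), ("/usr/bin/ping", unscoped)]
```

On a Linux host the same decoder can be fed real values obtained with os.getxattr(path, "security.capability").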

Microsoft Will Disable Third-Party Printer Drivers by 2027
https://www.webpronews.com/microsoft-will-disable-third-party-printer-drivers-by-2027/
Mon, 11 Sep 2023 23:58:09 +0000

Microsoft is sounding the death knell for third-party printer drivers, saying it will no longer allow them in Windows by 2027.

Printing is one of the most problematic areas for operating systems: stability, compatibility, and reliability issues often plague users, and much of the trouble comes from third-party drivers. Microsoft wants to eliminate that pain point and says it will remove such drivers from Windows by 2027, with security-related fixes being the only exception.

Microsoft developer Jonathan Norman took to Mastodon to tout the benefits:

I’ve been working on this for a bit. In the near future Windows will default to a new print mode that disables 3rd party drivers for Printing. That new system will have quite a few big security improvements which we plan to detail in a future blog post.

Jonathan Norman (@spoofy@infosec.exchange) — September 6, 2023

Moving forward, Windows will support Mopria-compliant printers through its own inbox driver, according to a company blog post:

With the release of Windows 10 21H2, Windows offers inbox support for Mopria compliant printer devices over network and USB interfaces via the Microsoft IPP Class Driver. This removes the need for print device manufacturers to provide their own installers, drivers, utilities, and so on. Device experience customization is now available via the Print Support Apps that are distributed and automatically installed via the Windows Store. This framework improves reliability and performance by moving customization from the Win32 framework to the UWP software development framework. Finally, print device manufacturers no longer have to rebuild their software since this solution is supported across all Windows versions and editions.

With these advancements in the Windows print platform, we are announcing the end of servicing of the legacy v3 and v4 Windows printer drivers. As this is an impactful change, end of servicing will be staged over multiple years. See the following Timeline and FAQ sections for guidance on the end of servicing roadmap.

Eliminating third-party printer drivers will undoubtedly present short-term issues, but the long-term benefits should make the transition worth it.

Microsoft Is Scanning the Contents of Password-Protected Zip Archives
https://www.webpronews.com/microsoft-is-scanning-the-contents-of-password-protected-zip-archives/
Tue, 16 May 2023 15:53:03 +0000

Microsoft is scanning password-protected and encrypted zip archives for malware, according to reports from security researchers.

Andrew Brandt, Principal Researcher at SophosLabs, took to Mastodon to report the issue:

Well, apparently #microsoft #Sharepoint now has the ability to scan inside of password-protected zip archives.

How do I know? Because I have a lot of Zips (encrypted with a password) that contain malware, and my typical method of sharing those is to upload those passworded Zips into a Sharepoint directory.

This morning, I discovered that a couple of password-protected Zips are flagged as “Malware detected” which limits what I can do with those files – they are basically dead space now.

As Brandt points out, the practice has major repercussions for security researchers’ and malware analysts’ ability to share the files their work depends on:

While I totally understand doing this for anyone other than a malware analyst, this kind of nosy, get-inside-your-business way of handling this is going to become a big problem for people like me who need to send their colleagues malware samples. The available space to do this just keeps shrinking and it will impact the ability of malware researchers to do their jobs.

Hopefully, Microsoft will adjust their policy to allow exceptions for security researchers.

In the meantime, the news should serve as a caution to users who rely on password protection to keep their files private and secure on Microsoft’s cloud platform.
