DNSCrypt / dnscrypt-proxy

dnscrypt-proxy 2 - A flexible DNS proxy, with support for encrypted DNS protocols.
https://dnscrypt.info
ISC License

[Question] Could the local Windows DNS cache and the one built into Firefox/Chrome leak DNS information? #284

Closed Carl1971 closed 6 years ago

Carl1971 commented 6 years ago

Hi!

I wrote a question in a closed issue related to an answer @jedisct1 gave me (thanks) and I didn't get any response, probably because of that, so I apologize for copy-pasting it here in a new issue:

Good to know about the fact that it uses its own cache but, in the future, I will create an Unbound setup for other features. So Windows is registering all the DNS requests in its local cache anyway? Then I have another question in this regard:

Could the local DNS cache of Windows and the one built into Firefox/Chrome leak some DNS information? (I am not paranoid, it is just out of curiosity)

BTW, I read some months ago about you @jedisct1 leaving the project and now using a VPN (I think it was a tweet actually). I am really happy about you continuing dnscrypt-proxy with this new version. I've been using your software for some years (even without Simple DNSCrypt) and I have learnt a lot about the DNS protocol since the very first day I discovered your project and started researching it, so thank you so much for all those years of work on this project.

jedisct1 commented 6 years ago

Hi Carl,

The system cache can be used for fingerprinting. If a name resolves quickly, it means that you've been accessing it before. This can leak the websites you've been visiting, but also installed software.

If the cache is not cleared when switching to a new network, this can also lead to rebinding attacks. It can also be used to fingerprint internal devices. But I'm pretty confident that Windows, like macOS, automatically wipes the cache when connecting to a new network.

These are generic DNS caching issues, nothing really specific to the Windows and Chrome caches, and you can hardly disable them anyway. It would make everything very slow.

Firefox is currently running a controversial study. Maybe Chrome and other browsers did or will do similar studies. This can qualify as a leak considering the fact that it's sending DNS queries to a party you didn't explicitly ask to receive your navigation history.

iWARR commented 6 years ago

@Carl1971

In Chromium browsers, you can check these special pages:

Async DNS Configuration (check if internal DNS is turned off): chrome://net-internals/#dns

Turn off the browser's unnecessary net discoveries (USB devices, Network targets, etc): chrome://inspect

Also look at:

chrome://net-internals
chrome://webrtc-internals
chrome://sync-internals

Google continues adding unsafe options in the Chromium core more and more. For example, this time I can't find the (next new discovery) option that produces SSDP (chromecast-like) queries massively in the last several versions. Some time before I expected the same issues with DNS... No clear descriptions, no actual links to specifications, no forum answers. Terrible.

Carl1971 commented 6 years ago

@jedisct1 Thanks for your fast reply (as usual :D). Your point about the rebinding attacks is interesting. Also, in a different scope, the Windows cache can be used in a forensic analysis to recover your DNS entries (I deploy full disk encryption to help with the local offline leaks). The Firefox study about the DNS leak is an interesting read. About Windows clearing the DNS cache entries when it connects to a new network, I am not so sure but I have to try it; I think it never gets cleared (until the TTL of the DNS entry expires). I think the same as this guy.

At the beginning, my concern was more about whether the browser could leak DNS cache info at some point even if I am using DNSCrypt and all the DNS traffic goes through its proxy. I say this because I think web browsers, under the hood, are using the Windows network protocol stack, so all the DNS requests are cached, routed and translated by the DNS Client service (the web browser doesn't have its own DNS cache per se). As far as I tested, web browsers have a DNS cache in order to speed up the process but if you disable it, then they only use the Windows one (it looks like Windows is always caching the requests anyway). The info related to the Firefox DNS cache can be seen at the URL about:networking#dns and to disable the cache you can set "network.dnsCacheExpiration" to 0. I never touched this preference, although what I really do is disable all the related DNS prefetching and IP caching done by Firefox:

user_pref("network.dns.disablePrefetch", true);
user_pref("network.dns.disablePrefetchFromHTTPS", true);
user_pref("network.predictor.enabled", false);
user_pref("network.http.speculative-parallel-limit", 0);

In Chrome, as @iWARR noticed, the DNS cache can be disabled by visiting the URL: chrome://net-internals/#dns

Anyway, it is possible to stop the Windows DNS caching process by disabling the "DNS Client" service, which is the one used to do the caching. The problem is I did some research and this service is involved in other tasks, so it is a good idea not to mess with it (as I never did) unless you are not using any of the following:

@iWARR Thanks for the info on Chrome. I knew about the internal pages but I am not a Chrome user anymore; I've noted those URLs you gave me though, because I am planning on creating a website so I would use Chrome too for testing. For some years I have been a Firefox user, which gives far more control over my privacy, plus now it is getting better and better.

By the way, I always use private navigation in Firefox but, even if this were the case, Windows caches locally all the DNS requests of the sites you are visiting. Also, I tweaked Firefox to have a bunch of the about:config preferences disabled (pings, third party cookies, protocols like WebRTC or WebGL, insecure cipher suites...) and I block JavaScript on a per-site basis (NoScript + RequestPolicy in the past and now using uBlock Origin with full dynamic filtering blocking). Additionally, I disable all the local Firefox caches but not the RAM cache because I am not that paranoid (browser.cache.memory.enable):

user_pref("browser.cache.disk.enable", false);
user_pref("browser.cache.disk_cache_ssl", false); // to avoid local ssl leaks
user_pref("browser.cache.offline.enable", false);

The thing is, by doing this you are, indeed, increasing your security but raising your entropy too, so all these changes in your browser preferences make you more unique/trackable. What a crazy world we are living in.
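
Added example, not part of the original thread or of the dnscrypt-proxy project: a small Python audit that parses a Firefox user.js and reports which of the preferences listed in the comment above are missing or set to a different value. The function names and the sample file are constructed for illustration; the parser assumes one `user_pref(...)` call per line.

```python
import re

# Preference names and values exactly as listed in the comment above.
EXPECTED = {
    "network.dns.disablePrefetch": True,
    "network.dns.disablePrefetchFromHTTPS": True,
    "network.predictor.enabled": False,
    "network.http.speculative-parallel-limit": 0,
    "browser.cache.disk.enable": False,
    "browser.cache.disk_cache_ssl": False,
    "browser.cache.offline.enable": False,
}

# One user_pref("name", value); call. The value is a boolean, an integer
# or a double-quoted string. Anything after the semicolon is ignored.
PREF_RE = re.compile(
    r'''^\s*user_pref\(\s*"(?P<name>[^"]+)"\s*,\s*
        (?P<value>true|false|-?\d+|"(?:[^"\\]|\\.)*")\s*\)\s*;''',
    re.VERBOSE,
)


def parse_user_js(text):
    """Return {pref_name: value}; the last assignment of a name wins."""
    # Drop /* ... */ block comments so commented-out prefs are not counted.
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.DOTALL)
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # blank line, // comment, or a form this parser skips
        raw = m.group("value")
        if raw in ("true", "false"):
            value = raw == "true"
        elif raw.startswith('"'):
            value = raw[1:-1]
        else:
            value = int(raw)
        prefs[m.group("name")] = value
    return prefs


def audit(text, expected=EXPECTED):
    """Return (name, status, found) for every expected preference."""
    prefs = parse_user_js(text)
    report = []
    for name, want in expected.items():
        if name not in prefs:
            report.append((name, "missing", None))
        # Compare types too: in Python False == 0, but in user.js a boolean
        # and an integer are different preference types.
        elif type(prefs[name]) is not type(want) or prefs[name] != want:
            report.append((name, "mismatch", prefs[name]))
        else:
            report.append((name, "ok", prefs[name]))
    return report


# Constructed sample file, not taken from the thread.
SAMPLE_USER_JS = '''
// privacy tweaks
user_pref("network.dns.disablePrefetch", true);
user_pref("network.dns.disablePrefetchFromHTTPS", true);
/* user_pref("network.predictor.enabled", false); */
user_pref("network.http.speculative-parallel-limit", 6);
user_pref("network.http.speculative-parallel-limit", 0);  // later line wins
user_pref("browser.cache.disk.enable", false);
user_pref("browser.cache.disk_cache_ssl", true);
// user_pref("browser.cache.offline.enable", false);
'''

if __name__ == "__main__":
    for name, status, found in audit(SAMPLE_USER_JS):
        print(f"{status:8} {name} (found: {found!r})")
```

A commented-out line is reported as missing, which catches the common case of a preference that was disabled "temporarily" and never restored.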

iWARR commented 6 years ago

@Carl1971

1) Since you show your Firefox preferences here, I can summarize that Chromium and Firefox are very close in mainstream development - the same options and flags/problems/instruments/security. No big difference, just details. The most confusing circumstance is that people around the world in 2018 still don't have the two most basic things - a satisfactory OS and browser.

2) Since I read jedisct1's comment that dnscrypt-proxy has its own DNS cache, I immediately turned off the native one - the Windows one. And I was happy to safely deactivate a couple of related services - unnecessary and unsafe (as is usual for Windows OS).

jedisct1 commented 6 years ago

There is a lot of very interesting information here!

I didn't know about all these browser and Windows settings that could be tweaked to improve privacy.

This is very useful!

Since this can be useful to a lot of people, could you guys possibly add a dedicated page to the wiki with this? Maybe other people will have additional suggestions to improve privacy, especially on other operating systems.

iWARR commented 6 years ago

@jedisct1 Yes. I have been thinking for a long time about how to help you with the wiki and DNSCrypt/overall security questions on Windows. Including my very powerful/very small/extremely optimized and tested 'blackist.txt' as a good starting point. For all people.

Only several things stopped me:

I really wish that our DNSCrypt "big-small" corner becomes a harbour of freedom and smart strategy against corporations, using open-source techs as a powerful weapon changing the future.

As I said, I thought about how to make this wiki job effective. Where to start. And how to make the process comfortable for us. Maybe I can start creating the first materials on my own page, then you may read/note, and the topics that you like we can put on your wiki as "ready" documents. Because Windows security questions may have tons of self-crossed topics... I can start from DNSCrypt-related questions.

(P.S.: I hate promises, because they make us disappointed too often)

Carl1971 commented 6 years ago

@iWARR Yeah, Chrome added lots of preferences but it is not near to the customization and transparency of Firefox. That is its strong point :D. It's really interesting to know about your Chrome preferences too. @jedisct1 I have to be honest right here, and give credit to a friend who was the one who told me years ago about your project (big fan of yours) and he is the nerd one about security-privacy (he showed me all these Firefox tweaks too). I had a talk with him minutes ago about this issue and you being interested in creating a wiki about this topic, so he is thrilled to give you guys a hand. I am too old for these things and I am not as techie as him. He is the weirdo one after all hahahaha.

ArGoSh commented 6 years ago

@jedisct1 I have to be honest right here, and give credit to a friend who was the one who told me years ago about your project (big fan of yours) and he is the nerd one about security-privacy (he showed me all these Firefox tweaks too). I had a talk with him minutes ago about this issue and you being interested in creating a wiki about this topic, so he is thrilled to give you guys a hand. I am too old for these things and I am not as techie as him. He is the weirdo one after all hahahaha.

I am not a weirdo and I'm not your friend @Carl1971, I barely speak with you once per year hahahaha. At least I am not the one with an English name who doesn't speak the language fluently (mine is worse). Jokes apart, I am happy you put my advice into practice and thank you for the credit (it was just simple plain tips) :D

@jedisct1 Hi Frank! As @Carl1971 told you, I discovered your project some years ago while I was looking for a feasible way to encrypt my DNS traffic in order to avoid possible leaks, and then I just read the specifications of DNSCurve and DNSCrypt. So it is nice to stop by here and say hello and thanks for your work (BTW I am still using DNSCrypt-proxy). I could create a wiki page about privacy tweaks if you want. It would be a nice excuse to use this GitHub account (I usually work with BitBucket or private/local repositories).

I didn't know about the dnscrypt-proxy DNS cache either, quite interesting. I thought it used the Windows local cache. I never saw that information in the documentation. It would be useful to add it to the front page description though. I tested it and it is true, Windows keeps adding DNS registers to its local cache even when the dnscrypt-proxy cache is set to true. As Carl said, it is due to the DNS Client service being active. I leave it active because in the new versions of Windows it is used for various things, as I told Carl, and I have run some tests before. But if you don't use network discovery (so no domain nets) and you don't use DHCP DNS configuration, you should be OK. Also, we probably don't care much about the de-registration of the DNS entries done by that service, because our DNS resolver and requests are handled by DNSCrypt, not Windows.

About the @Carl1971 https://github.com/jedisct1/dnscrypt-proxy/issues/284#issuecomment-377455487 and @iWARR comments, it is really nice to tweak the web browser (especially Firefox). I learnt so much about how the Web works by digging into the browser guts. The thing is I spent a lot of time over the years documenting my preferences (I had around 200 preferences) because there isn't any information about some of them (and others are hidden so you need to create them). I did my research on TOR tickets, Mozilla wikis and forums, Firefox source code, etcetera...

My point is I just stopped doing it (I only add some punctual new ones) because the more preferences you modify, the bigger your entropy becomes, but it is nice to add a bunch of them (like ones about prefetching or disabling insecure things like old ciphers). We could be talking for hours about third-party tracking or web browser fingerprinting because the amount of vectors to take into account is crazy (BTW, I am a software developer who takes security very seriously, not an expert). It's impossible to be anonymous, it all depends on your threat model. Yes, you can use a trusted computer, with Tails/Whonix, TOR, and an anonymously purchased VPN through multiple proxies with proxychain (or whatever) and a bunch of other things and you "would be" quite anonymous. Tweaking the browser preferences is just an infinitesimal step to improve privacy, but if you add some of those tweaks and use 2 or 3 security related add-ons you get a much more secure browsing experience for sure.

The most important thing is to block/manage the most insecure aspects like JavaScript, ads, cookies... and use different browser instances (or profiles) for different purposes (bank, social networking, normal browsing) with a different user.js for each (preferences file in Firefox) and different e-mails (work, social, personal...) managed with Thunderbird so you can keep a low profile, unlinking your identity from your browsing history. Additionally, if you use a VPN with DNSCrypt (or your VPN DNS protection) you are better covered. It is more about habits and controlling your data. For example, if I use a Google service like Gmail I log in with Chrome but never in my Firefox. User agents are not worth it for privacy (only if we all have the same one, like the TOR bundle does).

It would be nice to create a very well documented page to cover the most important tweaks and advice about security/privacy/anonymization. @iWARR could add the Chrome part and me the Firefox one. I've done some configuration in Chrome (executable's command parameters, blocklists, preferences...) too but it is not as configurable as the red panda. The strongest point about Firefox is the tweaking thing (and now it's adding interesting stuff with Quantum).

BTW, I am using Windows 7 right now as my first system but I am gonna become a Debian testing user again because of Windows 10. I love that OS from a technical standpoint but all the sneaky things that Microsoft does are crazy (tracking services, poor transparency, no information on some tricky updates...). I have a virtual machine with W10 for testing and even with my tweaks (GPOs, ACLs, scripts...) it keeps phoning home more than an ex-girlfriend. Plus, blocking all the telemetry at the router level is not a cool solution. I like to be in control of my software from inside it.

iWARR commented 6 years ago

@Carl1971

Thanks for your interesting info. I'm glad to share with you (and everybody) mine.

but it is not near to the customization and transparency

Why? If I see the same problems? While Chromium browsers are extremely customizable by flags and extensions. As you correctly said, this highly raises the browser's entropy, the user can be identified up to 99.99%.

It's really interesting to know about your Chrome preferences too.

I see that my preferences are almost the same, except I prefer keeping all discovery queries shut down. This is a potential hole in security, because Windows LLMNR and SSDP are also "local" techs by specs, but in real life they are known as holes for hackers, making a lot of net flood, loading adapters, antivirus, etc. If they are not needed as options for real use - deactivate them.

I'll just tell you about the options by main blocks (too many of them to write about one by one):

Some of them help against Spectre vulnerabilities:

Strict site isolation - #enable-site-per-process - [Enable]
Top document isolation - #enable-top-document-isolation - [Enable]

chrome://inspect
[ ] Discover USB device
[ ] Discover network targets

How to disable again the new discovery queries in the Opera Developer?! These are broadcast queries directly from the browser: Port 1900, address 239.255.255.250. Where can I disable it just in the browser? (Of course, #media-router is [Disabled]. Firewall blocks are already done, but I want to know the OPTION) PLEASE, HELP ME.

Look at this (just one of tons of examples):

#enable-fetch-keepalive-timeout-setting - Fetch is good/new "by nature" but already infected by beacons. Furthermore, they were not ashamed to implement additional "options", because they can't make this garbage work as expected. Three options in one (!): Fetch API / Keepalive timeout setting / SendBeacon. I don't care that it is "useful for developers", for me it's SPYING.

... and tens of other settings...

A BIG container of Garbage and a very small grain of Browser.

Everybody knows great extensions like: uBlock Origin, Privacy Badger, HTTPS Everywhere, Referer Control, WebRTC Control, Canvas Defender

I wanna mention here some young but promising projects:

WebAPI Manager : https://github.com/snyderp/web-api-manager
Phish.AI IDN Protect : https://github.com/phishai/idn-protect-chrome
Project Zero : https://github.com/IAIK/ChromeZero

iWARR commented 6 years ago

@ArGoSh Nice to meet you :)

My point is I just stopped doing it (I only add some punctual new ones) because the more preferences you modify, the bigger your entropy becomes

We can try to move entropy from the "default" level to "secure" :) Ha-ha. Sisyphus smoking aside :) If the way of "getting secure settings" is easy, everybody may:

Install the browser -> Go to Internet -> Get secure settings -> Press 1 button -> Done

Nothing is impossible :) Just make a Set and a Way to integrate and distribute it in a secure way.

Or make a simple extension that makes a comparison of the present settings in the Browser with recommended secure settings. Then make overlays as round icon-marks for flags (the new Opera has some kind of such icons) in 3 colors: Green - "Good", Yellow - "Manual", Dangerous - "Red". And one BIG default Button - "Make Nice" :) Plus a GitHub wiki for all options. Regular browser settings can be described or even have another BIG button, if such automatization is possible (I don't think so).

It would be nice to create a very well documented page to cover the most important tweaks and advice about security/privacy/anonymization. @iWARR could add the Chrome part and me the Firefox one.

Take my hand. I'm not a coder/IT specialist, but I agree to help as I can.

My mention is that getting secure has to be easy and fast for everybody, just because this question is so complicated itself.

(Gold frame wanted) :))))))))

ArGoSh commented 6 years ago

@iWARR https://github.com/jedisct1/dnscrypt-proxy/issues/284#issuecomment-377556716

Nice to meet you too and nice Chrome tweaks :D

I really wish that our DNSCrypt "big-small" corner becomes a harbour of freedom and smart strategy against corporations, using open-source techs as a powerful weapon changing the future .... Because Windows security questions may have tons of self-crossed topics... I can start from DNSCrypt-related questions.

We have here three REALLY big broad fields: security, privacy and anonymization. What I had in mind was to create a list of some quick but well explained tips about tweaking the browser (some preferences, add-ons...) to give other users some insights about it (especially related to avoiding the important leaks).

Don't get me wrong, I know you are motivated (which is nice) but I can tell you from experience that educating users about infosec is one of the toughest and most time-consuming tasks you could possibly imagine (a resource I don't have right now). I have consumed tons of books, papers, videos, keynotes... and practiced a lot while taking a great amount of notes in the process. For example, over the years, I have been taking notes of all the settings I use in my Windows installation and I plan to publish a full manual when I have the necessary time (and that's only about Windows).

Or make a simple extension that makes a comparison of the present settings in the Browser with recommended secure settings...

There have already been projects of this type and they all usually become deprecated because they are hard to maintain (Firefox has TOO many preference changes and not all are documented) and at the end of the day you will need to do manual checks. For instance, PrivacySettings is still alive because it only takes a very reduced group of settings into account.

Additionally, I think it is an error to focus on achieving the perfect web browser setup by modifying all the internal preferences. Granular control is important when it comes to blocking things or giving permissions. In this case, it falsely increases your sense of security (I am not talking about the brief modifications you list related to Chrome but going crazy with the preferences in Firefox). Firefox is not Chrome. It has literally thousands of them.

A much better approach is to modify the important ones and then add other security layers to your browser (add-ons, sandbox, force integrity levels, unprivileged users for sandboxing the browser...). That is what security is about, layers. It is more important to never use an administrator account in Windows in order to avoid 80% of malware (not joking), creating GPOs, reducing the attack surface by disabling some protocols (SMBv1, NetBT...), services... Also, applying defence in depth (creating strong rules in our FW, installing anti-malware, anti-exploit, anti-virus...), tweaking NTFS permissions, creating users with ACL lists only to protect our most important files...

And we are not talking about the HW or the OS. If someone is using Windows 10, there is no such thing as privacy (you could improve security but if privacy is important to you, you would be using a *nix system or Windows 7/8, which give you more control over your computer/privacy). Besides, security in a home system starts with the router. A 30€ router with DD-WRT or similar would be far better than your ISP's one. A great switch with some protections (e.g. ARP tables) in the middle. Pi-hole with DNSCrypt and a VPN could be cool... And we are not talking about smartphones... :S

My mention is that getting secure has to be easy and fast for everybody, just because this question is so complicated itself.

Totally agree. That's the main concern of all security experts and is what should be done and is very difficult to deploy. Tech is complex, hardening it is more complex, creating simple GUIs is even more complex. Besides, the problem is not the solutions given but the foundations of the technology (i.e. DNSCrypt was born because DNS is unsafe by design). We are working with tech following rules from the past. We are applying patches on a black hole.

There are lots of sites about browser preference setups and wikis related to these topics. I think the best we can do is to create a brief section of recommendations in the @jedisct1 project's wiki with some useful browser tips/preferences and help with the dnscrypt-proxy documentation. By helping with the documentation of this project we are helping others in a much more meaningful way (besides, this is one of the @jedisct1 planned features: "Real Documentation").

ArGoSh commented 6 years ago

@iWARR

Why? If I see the same problems? While Chromium browsers are extremely customizable by flags and extensions.

It is quite the opposite. Firefox (Fx from now on) is all about customization and openness (it is open source after all, Chrome isn't). Since the very beginning Mozilla (a non-profit organization) has been focused on giving you more control over your privacy and transparency. That's the reason the TOR project is based on Fx. If you say that Chrome is as customizable as Fx, it is because you haven't tried it as profusely as you did Chrome. @Carl1971 only listed five or so, I had over 200 in my user.js in the past and if you access about:config in Fx and compare them to the chrome://flags list you can see the difference. Also, if you look into the source code of Fx you'll see literally thousands of them and when you install an extension it lists its internal preferences too.

Chrome added some flags and lots of them are still experimental and don't give us the granular control over each that Fx does. When Gecko was created in the 90s (Quantum is based on it) customization was one of the important pillars, and when Firefox appeared the same happened.

About extensions (add-ons in Fx), its add-ons were more powerful than Chrome's because it executed native code (XUL) and the add-ons were reviewed by Mozilla devs before being uploaded to the AMO repo. Now you have WebExtensions, which is less powerful but more secure because of its permission system and its more restricted API; not native code. Chrome and Fx now share WebExtensions code so you'll see lots of ports between them. This broke lots of XUL add-ons (not supported anymore) but you still have more add-ons than Chrome. Plus, WebExtension developers like the NoScript creator (the first great script blocker) are working with the devs of WebExtensions and the Fx API is already more powerful than the Chrome one and they are gonna keep adding even more functionality. Add-ons existed in Fx before Chromium itself.

Do you want transparency? You can see its source code, you can follow issues through the public bug tracking system, create a new one or ask for new functionality or even collaborate with the devs. That's the point of the Mozilla community. It has a wiki where you can read the technical details about how Fx and its preferences work (not as updated as I would like but it is useful). Furthermore, Fx has a privacy policy that explains what telemetry is collected. Do you wanna see what connections are made by Fx to the Mozilla servers? You can see and disable them.

In addition, do you wanna customize the user interface? You can tweak almost anything in Fx (scrollbars, tabs, icons, colours, themes, fonts, layouts...) thanks to the userChrome.css file. Notice, it has nothing to do with Chrome, the term "chrome" is used to talk about a UI component; plus it was there before Chrome hehe. Also, there is another file named userContent.css where you can do other customizations. There are lots of tweaks over the Internet, have fun!

I could continue but I think you got the point. Chrome improved by giving users more options/settings but it is far FAR away from Firefox in terms of customization and privacy (just browse about it).

First of all, both are great web browsers and if something is less secure it doesn't mean it isn't. Last year, Firefox was still less secure than Chrome. You can see this by looking at the Pwn2own contest, and the CVEs publicized; Mozilla patched in less than 24h though. Both are quite secure. This year with Quantum deployed, the new GUI and all the changes happening, it will improve a lot.

As I said before, the lack of multithreading and other matters in the design of Gecko/Fx implied lots of refactoring in the Fx source code over the years, and Chromium was designed taking that into account; which is normal, it arrived after. That's the reason Fx took so long to have a 64-bit version and multiprocess support. Now that the new engine has been out since the end of 2017 (Fx v.57), with Electrolysis and WebExtensions applied, the browser is up to date.

Fx manages certificates better than Chrome. It's more strict in that area and I liked it more.

Fx is porting many privacy/security related functionality (TOR uplift) from the TOR project to reduce fingerprinting and improve security. For example, soon, it will block all canvas fingerprinting and you are gonna be able to allow it on a per-site basis by clicking an icon (so goodbye canvas extension).

Fx now does multiprocess sandbox like Chrome, in a more efficient way. But it needs to fix some memory problems to get the best of it.

As you correctly said, this highly raises the browser's entropy, the user can be identified up to 99.99%.

That rate is too exaggerated but obviously you are more unique. It depends on so so many things... You can read this nice article as a start. You can check how unique you are by visiting sites like Panopticlick, AmIUnique or JonDonym.

The important thing in software is being agnostic and choosing the program/language best suited for a particular goal. I use Fx for browsing and Chrome for Google services and web testing because it is the first to deploy the W3C standards, and I like some dev tools (I have to tell you Firefox now has incredible devtools and the Firebug extension is not necessary anymore; I am gonna give them a try too).

Mozilla is fully focused on Firefox now and they are not maintaining Thunderbird (now it's an independent project from Mozilla), people keep helping more and more and the new engine is out, so they can start bringing the new stuff. Now is a great moment for Firefox again. If you really value your privacy, as I think you do, you should install Firefox and give it a try, if not... Chrome is a great browser! :).

I hope you'll find this big chunk of text useful, I'm f#ck1ng nuts, apologies in advance :D.

iWARR commented 6 years ago

@ArGoSh , @Carl1971

Thank you, guys, for the great explanations. I'm happy to meet like-minded friends here.

I hope you'll find this big chunk of text useful

This is the best comparison of the most significant browsers I can find everywhere, reading from time to time about their features/security. Because I can't stay with Opera (Dev.) any more (I've used it from the early beginning). Vivaldi has good potential, is wide open to user experience, has unique features, but nothing about security (I see no pushing), it still has bugs typical of young projects, it's not fast. And all the poison from Chrome comes to Vivaldi "automatically", same as in most Chromium browsers. It's like a loco (Chrome) and carriages (Chromiums) that are falling into a chasm.

At the same time your descriptions of the Firefox "reborn" look very promising. If I feel the same power as you said (I believe it really has it) and have a good experience myself, then Chromiums will be trashed for me forever. The one thing - I don't wanna grow old in Fx settings. That's why your future wiki will be so valuable for me also.

Do you want transparency? ... Mozilla community ... read the technical details ... what telemetry is collected. ... see what are the connections made by Fx to the Mozilla servers? you can see and disable them.

Fx is porting many privacy/security related functionality (TOR uplift) from the TOR project to reduce fingerprinting and improve security.

Brilliant!

I have been taking notes of all the settings I use in my Windows installation and I plan to publish a full manual when I have the necessary time (and that's only about Windows).

Same here. As you will see, I understand/have my own experience I can share. The described facts about Windows OS are well known to me. I've been collecting/writing my own notes from my "local"-language area + English also.

BIOS modding, updating and keeping it secure (for old mobos also) belong to my interests too. I'm a curator (for the FAQs, mainly) in the corresponding thread of an overclockers forum just from yesterday. :) So, now I have even more load from yesterday.

If something is less secure it doesn't mean it isn't. ... "Pwn2own contest" ... Quantum deployed, the new GUI and all the changes happening It will improve a lot.

I remember that news. Agreed.