It’s (crypto)party time!

With our advanced free democracies resembling George Orwell’s “1984” more and more (your TV is spying on you, NSA global mass-surveillance, pre-crime repression of free speech  etc), there surely couldn’t be a better time to throw a CryptoParty!

Where?

New Academic Building
Goldsmiths, University of London
New Cross
London SE14 6NW
(OpenStreetMap)

When?

Saturday 30th November, 11am onwards

Cost/audience

The event is free & open to the public. Anyone who worries about the privacy and ultimately freedom of expression of their loved ones should attend.

Great lineup of speakers/presenters – check out the event schedule!

I will be doing a few workshops on mobile device privacy, encrypted Internet phone calls and using a computer without leaving any traces behind.

If you’re around on the 30th, join us for a day of practical tinkering with privacy tools!

…and here are the slide decks of the workshops I ran:

Qubes OS – a secure operating system: http://apapadop.files.wordpress.com/2013/12/qubes1.pdf

TAILS – This session never happened: http://apapadop.files.wordpress.com/2013/12/tails1.pdf

VoIP- Private voice calls: http://apapadop.files.wordpress.com/2013/12/voip1.pdf

Mobile privacy – how to keep your smartphone communications private: http://apapadop.files.wordpress.com/2013/12/mobile5.pdf

OTR – a gentle introduction to chatting Off The Record: http://apapadop.files.wordpress.com/2013/12/otr1.pdf

The Battle for Your Digital Soul

apapadop:

Silent Circle’s CEO takes a rather optimist view on the state of the cryptowars. If only we could reasonably assume that the all-star team of technologists he mentions are incorruptible by the full weight of the nexus of global government/corporate complex, we should see the sunny side of things too.
Yes, learning at least part of the truth due to Snowden is a reason to celebrate – we now know what is done in our name. But what we have learned is so sobering and matches our most dystopian projections so well, at the same time generating so little outrage around the world, that I still cannot be optimistic about a better future.

Originally posted on Silent Circle Blog:

There have been so many disclosures, revelations and speculations since Snowden fled and the media trickled out one tantalizing slide after the next- that it’s hard not to get overwhelmed. It’s hard not to get angry.

Now that the sheer scope and massive worldwide surveillance of the NSA has come to light over the last few months, it seems as if a veritable cloud of “Privacy Depression” has set in lately among citizens and the technology community at large. Adding to that hot mess is the willing complicity of the tech giants, backbone providers and hardware manufactures. Fuel to the fire.

Yes, there are some feigning outrage, some with true concern, and others calling for heads-on-a-platter while western intelligence agencies and big technology firms hunker down and hope it all goes away. It won’t. It’s only going to get worse for them and the government.

Through the great work of…

View original 1,022 more words

What can I do about PRISM?

Now that the most powerful nation states of the world have been caught performing wholesale surveillance on us, their citizens, and have responded with a “so what?”, the question arises… what are we, the citizens caught in a surveillance society to do?

It seems to me there are five broad strategies:

1. Retreat

Leave the big cities. Stop using credit cards and mobile phones. Live off the land. Read only paper books. Send snail mail. Use cash. Deny your children education in and enjoyment of modern technology.

2. Ignore

Carry on your life as if PRISM did not exist. Suppress the inconvenient knowledge that you have acquired. Hope it’ll all be okay, since you will always toe the line of whatever establishment you happen to operate under. Leave your children uninformed about what’s going on, or just tell them “that’s normal, that’s how it’s always been”. Carry on using Facebook, surf the web while being logged into Yahoo!, Google or Hotmail, carry on syncing all your Apple iThings content to “the cloud”. Chat with your loved ones over Skype/Google Talk/FaceTime/WhatsApp/MSN/Facebook and all the other “freebie” services that are surveillance chambers. Have photos of your kids online.

3. Hide (with technical means)

Use Tor for surfing the web, PGP to encrypt your email, ZRTP to encrypt your voice/video calls, OTR to encrypt your chats, learn how to manage your keys securely, use secure operating systems like Qubes OS. This approach is inconvenient, difficult to do properly even for experts, network effects penalise you because others will not communicate with you in compatible (private) ways and therefore it will be difficult to communicate with them. Loathing by others because you’re visibly putting barriers between them and you. A losing battle, but buys you and (if you manage to convert them to your cause and if they are capable of following) your loved ones some privacy and decency, even though what you are practically doing is hiding.

4. Fight (within the system)

Become a member and donate as much as you can to organisations like the Electronic Frontier Foundation (EFF, US-focused), the Open Rights Group (UK-based), EDRI (Europe-focused) etc. Write to your politicians. Write to newspapers. Publish articles on your blog. Talk to your friends to raise awareness. Join demonstrations. Vote accordingly whenever you’re given the chance.

5. Fight (with all you’ve got – also known as civil disobedience)

“Cast your whole vote, not a strip of paper merely, but your whole influence.” Subvert the system in any (non-violent) way possible. Stop obeying the rules of a system that is immoral. Become as vocal as possible and follow your words with actions. No matter what the consequences to you personally, it’s worth it if we all fight together. Remember that “A minority is powerless while it conforms to the majority; it is not even a minority then; but it is irresistible when it clogs by its whole weight.”

Most people will want to do a combination of different elements of the above – although a clear strategy that balances pain to you with protection for your family is difficult to describe.

Stop Google recording your chats

Many Gmail users also use Gchat to talk to their buddies. Why not – the Gchat window is right there, next to their emails and very easy to use.

Problem is, Google automatically analyzes everything Gmail users are emailing or chatting about. It’s obvious that Google stores your emails, but if you’re sceptical about how much of your chats Google records, just go to any of your Gchat contacts and click “More” -> “Recent Conversations”.

Recent Google Chat conversations

Bringing up your recent chats with another Google user

You can now see the contents of all conversations you’ve had with this user. This should make it obvious that everything you type in Google Chat is recorded and stored.

Why is Google recording our chats?

But why do Google record all this? Because by knowing everything you talk about, Google can perfect your “behavioural profile”. The better this profile, the higher its market value.  Remember, if you’re not paying for it, you’re not the customer, you are the product! And everything you say or do while logged on to Google services is used to make you a higher-yield product. Google then charges marketing companies (Google’s real customers) for access to this massive data set. Marketers are aching for an opportunity to directly target the more than 350 million Gmail users (as of Jan 2012) with personally targeted, customised ads. Of course this is done automatically with software, and Google is not the only “free services” provider to sell your data for profit. Facebook follow the same business model, and it appears to be working out quite well for them. Facebook recently reported $3.7 bn (yes, that is billions of US dollars) in revenues. There is a lot of money to be made for companies that turn our entire lives into sellable products.

This is one of the two reasons you would want to stop Google recording your chats.

Why is this dangerous?

The second reason why Google recording your chats is not a good idea is that Google hands over this information (your emails, chats, things you have searched for, YouTube videos you have watched) to the law enforcement agencies of your country. They have no choice – they have to. Google provides a “Transparency Report“, which is commendable. Unfortunately it falls short of giving us a clear view of just how much personal information has been handed over to government agencies due to the way the numbers are presented.

The following table attempts to answer the question:

“For how many user accounts was Google asked to hand over data to government agencies between January – June 2011″?

Country

# of users (approximate)

USA 11,057
UK 1,444
 Spain  709
 Italy  1,263
 India  2,439
 Germany  1,759
 France  1,552
 Brazil  1,822

You can look up your country by following any of the links in the table.

Given just how much Google knows about us, our friends, and our friends’ friends, it is a troubling thought that all this data, all of our contacts, the videos we have been watching, our chat messages, things we +1’ed, services we use from other service providers (Flickr etc) are recorded by Google and therefore being handed over to government agencies all over the world at this unprecedented rate.

If you believe that nothing you ever type or click on will be of interest to any law enforcement agency, government or court around the world until you and your entire family pass away (but what about your grandchildren? Think 40 years ahead. Could someone in 2052 dig up a record of an internal joke with one of your buddies back in 2012, cast it as proof of extremism and use it to harm your family?), AND you subscribe to the “I have nothing to hide, therefore I have nothing to fear” camp, you can stop reading here.

If you are genuinly uncomfortable with how your online life is harvested and recorded and wish to take steps to protect what little parts of it you can, read on.

Going “Off the record” in Google Chat

Google provide a mostly-hidden feature on their Gchat client that allows you to indicate you want to go “Off the record”. You can see it under the “Actions” menu when you are chatting with someone on Google Chat.

Google say that going “Off the record” means that “Chats [...] aren’t stored in your Gmail chat history…” which sounds good, but does not actually promise your chats are not being recorded.

Google Chat: You are now off the record

Google Chat: You are now off the record

Given that Google “will share personal information with [...] organizations [...] outside of Google if [...] preservation or disclosure of the information is reasonably necessary to meet any [...] enforceable governmental request“, it is a safe assumption that Google Chat’s “Go off the record” option does not really buy you any privacy.

Getting some real privacy for Google Chat

We will use Free Software tools that allow you to be reasonably confident that Google is not recording what you say over chat.

Before you continue, please understand:

  1. To have a private chat, both you and the person you wish to privately chat to, need to follow these steps.
  2. If you use multiple computers to chat (e.g. a work computer and a home laptop), you have to repeat these steps in every computer before you use it to chat. You will only have to “prepare” every computer once.

First, download and install the Pidgin instant messaging software

Get the software from http://pidgin.im and install it on your computer.

Done installing Pidgin? Great. Continue to the next step.

Download and install the OTR plugin

The Off The Record (OTR) plugin allows Pidgin users to encrypt their communications. Get it from http://www.cypherpunks.ca/otr/ and install it on your computer.

Configure Pidgin for Google Chat

The first time you start Pidgin you will see this:

Click on “Add…” – a new window comes up. (this may happen automatically before you even press “Add”)

Adjust the settings as shown, using your Google username and password:

Pidgin Google Chat settings – basic

Click on the “Advanced” tab and adjust the settings as shown:

Pidgin Google Chat settings – advanced

Almost there! Now click on “Add” to complete setting up your account.

You should now be connected to Google chat! A list of your online contacts (or “Buddies”) will come up right away:

Pidgin buddy list when logged onto Google Chat

If you see something like the above, congratulations – you are successfully connected to Google chat.

If you get error messages, likely causes are:

  1. You didn’t type all settings exactly as shown above
  2. You are using Google’s two-step authentication. In that case your “main” Google password is not accepted. You need to create an application-specific password for Pidgin on the computer you’re currently setting up. Why?
  3. Your (corporate or national) network firewall is blocking the chat protocol XMPP. It may be possible to bypass it with Tor.

Activate and configure the OTR plugin

From the Pidgin “Buddy List” window go to Tools -> Plugins as shown here:

Scroll down the list until you find “Off-the-Record Messaging”. Tick the box next to it – this will enable the plugin:

Now click on the “Configure Plugin” button:

In the new window that comes up, configure the default OTR settings as follows:

Congratulations! You can now chat privately with buddies who also use the OTR plugin.

You have just made it very difficult for Google or anyone else to eavesdrop or record what you say. Just point your Google chat buddies to this page and get them using the OTR plugin!

Start a private conversation

Note: You can communicate privately only if the chat buddy you’re communicating with has followed the above steps, or is using other software that uses the OTR plugin.

Double-click on a buddy’s name to bring up the Conversation window. Notice the “Not private” button on the bottom right?

This means you have not activated the privacy features yet. But you’re about to!

Click on “Not private” and ask Pidgin to “Start private conversation”:

Pidgin will now attempt to create a secure channel and should display the following:

This is the result we want. “Unverified” is not a problem (but see Improvement 2 below). Pidgin tells us that it has established a secure channel to the other end, and you can use it to chat with your buddy without Google being able to read & record your messages.

Remember to always check the bottom-right OTR status icon. If it says “not private”, you should assume that Google is recording everything you type in that window.

Improvements (optional)

Improvement 1: Ask OTR to always try to initiate private messaging

You can ask OTR to always try to “automatically initiate private messaging” from the OTR plugin configuration menu you used above. Here’s the option you need to tick:

Improvement 2: Verify the identity of people you chat with

You have stopped Google reading, analysing and recording what you discuss with your buddies. But if you have reason to believe someone might be trying to read what you say (e.g. if you’re a whistleblower, journalist, activist,  lawyer, live in the wrong country etc) you can not yet be 100% certain that the person you are talking to, is indeed your buddy and not an impostor, pretending to be your buddy.

To rule out this possibility you should always verify the people you chat with. You only need to do this once for every buddy you wish to chat with.

To do this, click on the “Unverified” button:

Encrypted, but not authenticated. You are talking to someone through a protected channel, but you don’t know yet who that “someone” is.

This brings up the following menu, allowing you to “Authenticate Buddy”:

Asking Pidgin to authenticate the buddy you’re chatting with

You are now presented with the easiest option to authenticate your buddy – asking them a question, and checking that they know the right answer. There are other methods as well, like entering a secret passphrase you have agreed on in advance.

Go ahead and type a question and its answer. It should be something obvious to your chat buddy (example question: “what’s the name of my dog?” or “who did we discuss about last time we met?”) but not to potential impostors. (If you have reason to believe someone is targetting you specifically, using a pre-shared secret is the best way to ensure you are talking to your real friend. After all, any serious adversary can find the name of your dog without too much hassle.)

Example of a question/answer pair

After you click on “Authenticate” you will have to wait for a few moments for your friend to answer the question using his computer:

Waiting for response to authentication challenge

Once your friend successfully answers the question you set, you will see this message:

If you get a “Authentication failed” message instead, your friend probably mistyped something. Please remember (and remind your friend too!) that the answer is CaSe SenSiTive – so in this example the answer “Maxx” is correct, but “maxx” is wrong!

Congratulations! You can now be confident you are talking to the right person! This is an additional benefit to what you achieved already – stopping Google (or anyone else) from monitoring & recording what you say!

A private & authenticated conversation over Pidgin. You know the person you’re talking to is who they say they are, and you know that noone else can eavesdrop on your conversation.

Next time you wish to talk to this person, you will just need to click on the OTR button on the bottom right and the conversation will immediately switch to “Private”. No need to re-authenticate,  unless you or they are using a different computer.

Now the only thing Google knows is

  • Who you chat with
  • When you chat with them

…which is a significant improvement from before.

What, you still don’t like that? What are you doing chatting on Google Chat then?! Go use CryptoCat over Tor at http://xdtfje3c46d2dnjd.onion/, or if your enemies are pros (and you trust your hardware), TAILS.

Improvement 3: Use Google’s two-step verification & an application-specific password for Pidgin

It’s a good idea to use Google two-step verification. This means that Google will ask you for two pieces of proof that you are the legitimate owner of your account whenever you log in from an unrecognised device. This is an improvement in security, but means that external applications (like Pidgin) can not access your Google account.

Google’s solution is application-specific passwords. These are passwords that only work for one designated application and can not provide full access to your Google account (e.g. to change your account settings).

See Getting started with Google 2-step verification and after you’ve activated it, create an application-specific password for Pidgin on your device.

Then, on Pidgin’s main “Buddy List” window go to Accounts -> USERNAME@gmail.com -> Edit Account, input the password you just created, ask Pidgin to remember it, hit “Save” and you should be all done.

Now starting Pidgin will automatically log you into Google Chat, without asking for your password.

Tell websites you do not want to be tracked

 It’s called “web tracking” and “behavioural profiling”, but the result is the same. Every search you make, every email, every chat message and every page you visit is combined by e-commerce giants (Facebook, Apple, Google, Amazon etc) to create an accurate profile of… you! This is then sold to the advertisers who want to better target you as a consumer.

For more background on online behavioural tracking see the Wall Street Journal’s “What They Know” project and EFF‘s Do Not Track page. 

Here’s two of the most obvious ways one of these giants (Google) perfect their profile of you:

  1. They automatically record & analyze everything you do with the services they provide to you for “free” – every email you read or write with Gmail, your Google chats, your Google searches, online purchases and so on and
  2. They record any other websites you visit and what you do in them (where you click, how long you spend in a page etc). This is true of most websites, even those not directly affiliated with Google.

(I don’t want to single out Google as particularly evil – just using them as an example. Facebook does exactly the same – e.g. tracking which NHS pages people read and of course governments across the globe also want to know everything you think)

There is little you can do about #1. I avoid using Google for search, relying on the privacy-conscious DuckDuckGo search engine instead – which promises not to share my searches with Google. I log out of Gmail and Facebook as soon as I’m done using them. I close my browser and delete my cookies. But even if you do all that, they and their partners still know a lot about you.

For #2, there is something you can do. Due to the work of some good people, you have a way of telling them you do not want to be tracked: Enable the “Do Not Track”  (DNT) feature of your web browser.

Visit http://donottrack.us/ to check if DNT is enabled in your browser and if not, enable it now – it will only take 2 minutes. As of March 2012 DNT is supported by all major browsers except -unsurprisingly- Google Chrome.

This is where you can enable it in Firefox (on Windows):

Getting to Firefox "Options"

Step 1: Fire up Firefox's "Options" menu

Step 2: Click the "Privacy" icon on the top row and then check the "Tell web sites I do not want to be tracked" box.

Please note that enabling Do Not Track (DNT) does not stop websites from tracking you. It merely indicates that you do not wish to be tracked.

This is important, because it approaches the practice of web tracking from two sides: Technology and policy. Solely relying on technological solutions to supress/evade web tracking could never be fully successful – marketers would always find ways around your techical defenses, while publicly arguing that web users want to be tracked because it provides a better online (purchasing) experience.  But DNT has a policy side as well: It allows regulatory bodies like the FTC to nudge marketers to honour the DNT setting. The result is much more effective than a mere technological workaround: If consumers use DNT to clearly indicate “I do not want to be tracked” and the FTC has ruled that marketers must respect this choice (which has not happened as of March 2012), marketers take a lot of risk by ignoring DNT and tracking you. Such behaviour would expose them to lawsuits, fines from the FTC, harm to their brand, public image etc.

 Think of DNT as the “Do Not Call” registry for the World Wide Web. By subscribing, you’ve just made DNT stronger and the Web a better place for all.

Thank you!

PS: For the sceptics who worry DNT might kill “free” online services via hurting online advertising revenue, Stanford Law School’s Center for Internet and Society has a good analysis of why this is unlikely to happen here.

PPS: As Harvard Law professor Jonathan Zittrain put it: “If what you are getting online is for free, you are not the customer, you are the product.” You have to decide if you are comfortable being commodisised like this.

PPPS: I recently asked Mozilla’s Tom Lowenthal what good DNT is, if users don’t even know it’s there. Even if they do, how many real people will choose to venture 6 clicks deep in computer-gibberish settings pages to enable DNT? Tom re-stated that the Mozilla people do not want DNT “on” by default, therefore making it an “opt-in” feature, the cost of which should be obvious by the mere existence of this blog post.

BT, you really don’t want people to read your terms of service, do you?

As of March 2012, BT’s terms of service for broadband customers are officially too complicated for human beings.

BT seem to recognise that even they can’t come up with a consistent set of terms within this avalanche of documents, so they included a catch-all term that reads:

“If any of these documents contradict each other [...]“

Really, BT? Really?

Google 2-step verification – a usability note

Google’s two-factor authentication system (they call it “2-step verification“) is a good safeguard against online criminals hijacking your account.*

After enabling 2-step verification, whenever you login to your Google account (e.g. for Gmail) you get a text message on your phone. Unless you provide the numeric code of that text message to Google, you cannot access your account.

This is classic two-factor authentication in that it ensures

  1. You know the password for your account and
  2. You have your phone in your possession

As this would quickly get annoying for people who login/out of their Google profile all the time, there is an option to “Remember this computer for 30 days”. This means that Google will not require two-factor authentication for a month for that particular computer & browser if the user says so.

But how does Google know that this computer is one to be trusted? This information is stored in a cookie. To safeguard my privacy I always setup my browsers to delete all cookies (and LSOs). But this wipes out the Google cookie that “remembers” my machine as well, which means I am asked again and again for 2-factor authentication. This situation quickly gets annoying. Isn’t it possible to tell my browser (Firefox) to delete all cookies EXCEPT the necessary Google cookies every time it exits?

Luckily it is. You need the following settings in Firefox:

  • Accept cookies from sites
  • Keep until: I close Firefox
  • Exceptions…: accounts.google.com – “Allow”

This is what your Firefox Preferences window should look like on Ubuntu Linux:

…and the exception window that does the trick – this is how the critical cookies from accounts.google.com will NOT be deleted. Instead they will be preserved across browser sessions and you will not have to do two-step verification every time you login to Gmail with computers you trust:

For Windows users, the same options work just fine – here is what the options window need to look like on Windows 7:

…and the exception rule:

Try it. Shut down Firefox, start it up again and have a look in the stored cookies from the main settings panel under Privacy -> Show Cookies. There should only be cookies from “accounts.google.com” and perhaps from your browser’s homepage there – nothing else.

You now have

  • Better security of your Google account due to 2-step verification
  • Better usability because you don’t need to perform 2-step verification all the time on your trusted computers
  • Decent privacy & lack of tracking because Firefox deletes almost all cookies every time it exits.

This is the tip of the iceberg (think malware, LSOs, unique browser fingerprints etc), but hey, it’s better than nothing.

* Unfortunately it doesn’t really help when the attacker is the government. As Wikileaks and Privacy International have pointed out with the “Spy Files” project, when it comes to government surveillance Gmail users are screwed.

When automatic “software updates” break the software

During a regular maintenance run on a MacOS X machine I asked Skype to check for software updates. It cheerfully confirmed that a new version of Skype was available for download. I allowed it to download and install the update.

Then I tried to launch Skype which to my surprise came up with “You cannot use the application “Skype” with this version of Mac OS X”.

Now, hang on.

All I did was ask the application to check if there are any updates. Updates that made it work better, closed security holes, improved stability and all that. Not updates that would stop it from working. Given that the local installation of Skype has knowledge of the OS environment and knew this was a Mac OS X 10.4.x , it shouldn’t have suggested the update  as there was no possible positive outcome for the end user.

To confirm this was by design and not a software glitch I resorted to the forums, where I found this:

Leaving aside the usability aspects of an application that prompts the user to take its suicidal advice, one has to wonder at the customer service lessons that can be learned here. Skype push out an update killing their own software (under conditions they don’t check), someone takes the time to report this mistake and the answer is “Won’t Fix”.

This is not just annoying, but damaging to the education of end users who are constantly hammered with “always update your software!” from security people.

Guess what real people would rather have: A working but potentially vulnerable version of Skype to talk with their family abroad, or an installation that “cannot be used with your machine”?

A usability case study: Microsoft Online Assisted Support

I never thought I’d be writing this on a public space but Microsoft is getting this right.

As most of us techies, I do tech support for all of my less-techie friends & family. People who are particularly close to me even get ongoing preventative maintenance. (They don’t really know it’s happening, but it is.) I thus maintain Debian servers, Macbooks and Windows XP/7 laptops alike.

A few weeks ago I had a misbehaving Windows 7 laptop. It would simply not install a specific update available from Microsoft Update. I tried my best, spent some time researching the problem on the Internet (Google and Microsoft’s own support pages), tried a few Microsoft-supplied tricks (basically the Windows Update Readiness Tool as suggested in KB947821) and finally gave up. I could not find a solution that looked elegant enough to try (I’m not willing to try stuff that sounds wacky in the first place by users going wild on forums talking about registry hacks etc)

So I went to http://support.microsoft.com

As far as I was concerned, I had exhausted the existing documentation, so I opted to “Contact a Support Professional by Email, Online or Phone”.

Contact a support professional

This is a quite inconspicuous link rightly placed at the bottom of the page. The thinking seems to be that people should try to help themselves first by looking for a solution to the problem using the existing published resources. Only if that fails, should they contact a human and ask for personalised help.

This makes sense. If all Microsoft product users had to speak to support professionals, Microsoft would be running a 5,000,000 people call centre just answering email and picking up the phone. The option would be abused by people who just need too much hand-holding or are inherently lazy. Sure, systems should “just work”, but as this isn’t happening any time soon, it’s worthwhile focusing on how to provide quality support services. It’s important to have the (expensive) human option as a last resort. (In saying this I fully recognise that my “last resort” is different than your “last resort”.)

So I clicked on and was taken to http://support.microsoft.com/oas

There, I was asked what product I’m having trouble with, I designated “Windows Update” from the well-designed “quick product finder” input box and was instantly on my way.

I got a properly signed SSL certificate, accepted the legal terms of service and provided information about the bug I was experiencing over an encrypted connection.

Within the next 24 hours I got a polite email in proper English, giving a single suggestion in clear steps that immediately fixed my problem.

Should I want to refer back to the information I supplied, I can do so from a link sent in an email report of my opened case. To protect me from people hijacking the link in transit, Microsoft will ask for my email and then send me a new (https://) link after 7 days of the original link.

From a customer experience point of view, I am impressed.

Well done Microsoft.

 

 

PS: For posterity, my particular problem was that KB982632 fails to install with error code 0x800b0100. But the suggestion of the support engineer seems like a great way of resolving a whole class of  Windows/Microsoft Update problems. It basically wipes out all local Windows/Microsoft Update files and allows your machine to make a fresh start.

Step 1: Rename the Windows Update Softwaredistribution folder

================================================

This issue may occur if the Windows Update Software distribution folder has been corrupted. We can refer to the following steps to rename this folder. Please note that the folder will be re-created the next time we visit the Windows Update site.

1. Close all the open windows.

2. Click “Start”, click “All programs”, and click “Accessories”.

3. Right-click “Command Prompt”, and click “Run as administrator”.

4. In the “Administrator: Command Prompt” window, type in “net stop WuAuServ” (without the quotes) and press Enter.

Note: Please look at the cmd window and make sure it says that it was successfully stopped before we try to rename the folder. However, if it fails, please let me know before performing any further steps and include any error messages you may have received when it failed.

5. Click “Start”, in the “Start Search” box, type in “%windir%” (without the quotes) and press Enter.

6. In the opened folder, look for the folder named “SoftwareDistribution”.

7. Right-click on the folder, select “Rename” and type “SDold” (without the quotes) to rename this folder.

8. Still in “Administrator: Command Prompt” window, type the command “net start WuAuServ” (without the quotes) in the opened window to restart the Windows Updates service.

Note: Please look at the cmd window and make sure it says that it was successfully started. However, if it fails, please let me know before performing any further steps and include any error messages you may have received when it failed.

This worked as expected. The corrupted Microsoft Update cache was cleared out of the way and on the subsequent Microsoft Update run, everything installed appropriately. An elegant way of solving a horde of Windows/Microsoft Update problems.