Slashdot Mirror

An anonymous reader quotes Microsoft's Developer blog: Early adopters on the Windows Insider program will notice that Windows Subsystem for Linux is no longer marked as a beta feature as of Insider build 16251. This will be great news for those who've held-back from employing WSL as a mainline toolset: You'll now be able to leverage WSL as a day-to-day developer toolset, and become ever more productive when building, testing, deploying, and managing your apps and systems on Windows 10... What will change is that you will gain the added advantage of being able to file issues on WSL and its Windows tooling via our normal support mechanisms if you want/need to follow a more formal issue resolution process. You can also provide feedback via Windows 10 Feedback Hub app, which delivers feedback directly to the team.
Microsoft points out that distro-publishers are still responsible for supporting and fixing the internals of their distros -- and they have no plans to support X/GUI apps or desktops. And of course, Linux files are not currently accessible from Windows -- though Microsoft says they're working on a fix.

Even though you would assume that people would know better, an anonymous reader writes, in my experience, I have found many who think installing more than one antivirus program on their computer is the right way to go about it. Some have installed as many as three third-party security suites, which among other things, takes a toll on the performance. This week the New York Times' tech tip section addresses the matter. From the article, which could be paywalled, but you don't have to read it in entirety anyway: Installing more than one program to constantly scan and monitor your PC for viruses and other security threats can create problems, because the two applications will likely interfere with each other's work. Clashing antivirus programs can cause the computer to behave erratically and run more slowly as the applications battle for system resources. Microsoft advises against running its Windows Defender security software on the same system with another installed third-party antivirus program. Likewise, antivirus software companies also warn against using other system security products when you are using theirs; Bitdefender, Kaspersky Lab and Symantec all have articles on their sites explaining the potential problems in detail. Programs that do not constantly patrol your operating system, like mail scanners, may not be an issue. What do you folks recommend to people who are not as tech-savvy?

Microsoft on Wednesday announced the Windows Bounty Program. Rewards start at a minimum of $500 and can go up to as high as $250,000. From a report: To be clear, Microsoft already offers many bug bounty programs. This is also not the first to target Windows features -- the company has launched many Windows-specific bounties for those starting in 2012. The Windows Bounty Program, however, encompasses Windows 10 and even the Windows Insider Preview, the company's program for testing Windows 10 preview builds. Furthermore, it also has specific focus areas: Hyper-V, Mitigation bypass, Windows Defender Application Guard, and Microsoft Edge.

An anonymous reader writes: "Thai security researcher Worawit Wang has put together an exploit based on ETERNALSYNERGY that can also target newer versions of the Windows operating system," reports Bleeping Computer. "ETERNALSYNERGY is one of the NSA exploits leaked by the Shadow Brokers hacking group in April this year. According to a Microsoft technical analysis, the exploit can allow an attacker to execute code on Windows machines with SMB services exposed to external connections. The exploit works up to Windows 8. According to Microsoft, the techniques used in the original ETERNALSYNERGY exploit do not work on newer platforms due to several kernel security improvements. Wang says his exploit targets the same vulnerability but uses a different exploitation technique. His method 'should never crash a target,' the expert says. 'Chance should be nearly 0%,' Wang adds." Combining his exploit with the original ETERNALSYNERGY exploit would allow a hacker to target all Windows versions except Windows 10. This is about 75% of all Windows PCs. The exploit code is available for download from Wang's GitHub or ExploitDB. Sheila A. Berta, a security researcher for Telefonica's Eleven Paths security unit, has published a step-by-step guide on how to use Wang's exploit.

Windows PCs with Intel's Clover Trail Atom chips will not upgrade to the Windows 10 Creators Update, which could wind up being trouble in the future. PCWorld reports: Owners of some Windows 10 laptops and tablets are crashing into a worrying roadblock when they try to install the Windows 10 Creators Update. Windows Update initially says the notebooks are compatible with the upgrade, but fails to install it after downloading the setup files, instead displaying the following message: "Windows 10 is no longer supported on this PC. Uninstall this app now because it isn't compatible with Windows 10." That sounds ominous, but you don't need to uninstall your existing version of Windows 10, and there's no app to uninstall. Instead, the message means your PC's hardware isn't compatible with the Creators Update.

A recent ZDNet article thrust this issue into the spotlight, but Microsoft laid out details about the error in an April forum post. Microsoft won't let affected hardware install the Creators Update because "Icons and/or text throughout the Windows interface may not appear at all, or may appear as solid color blocks on some devices." Can I install the Windows 10 Creators Update? Nope. But you might be able to in the future, according to the April forum post. "Microsoft is working with our partners to provide compatible drivers for these processors. Until then, Windows Update will prevent devices containing one of the processors listed above from installing the Creators Update." [Devices with these Intel "Clover Trail" processors are impacted: Atom Z2760; Atom Z2520; Atom Z2560; Atom Z2580.]

Ubuntu is now available for download on the Windows Store. "Initially spotted by Rafael Rivera and Necrosoft Core on Twitter, Ubuntu on the Windows Store will let you install and run the Ubuntu terminal on Windows next to your other apps," reports Windows Central. From the report: Ubuntu's arrival, and that of SUSE, are part of a recent push by Microsoft to embrace Linux and the open source community more broadly. This began with the arrival of the Windows Subsystem for Linux in 2016, allowing users to use the Bash shell from within Windows. Keep in mind that this is limited to the Fall Creators Update, which isn't set for a public release until later this year. If you're running a PC testing the Fall Creators Update through the Windows Insider Program, however, you should be able to download and try Ubuntu from the Windows Store just fine.

BrianFagioli quotes BetaNews: Thursday, Microsoft released yet another open source tool on GitHub -- Visual Studio Code Extension for Arduino. This MIT-licensed code should greatly help developers that are leveraging Arduino hardware for Internet of Things-related projects and more. "Our team at Visual Studio IoT Tooling, researched the development tools developers are using today, interviewed many developers to learn about their pain points developing IoT applications, and found that of all layers of IoT, there are abundant dev tools for cloud, gateway, interactive devices, and industrial devices, but limited availability and capability for micro-controllers and sensors...

"Keeping open source and open platform in mind, we started the work to add an extension on Visual Studio Code, the cross-platform, open sourced advanced code editor, for Arduino application development," says Zhidi Shang, R&D and Product Development, Microsoft.
Microsoft's adds that its tool "is almost fully compatible and consistent with the official Arduino IDE," extending its capabilities with "the most sought-after features, such as IntelliSense, Auto code completion, and on-device debugging for supported boards."

Maybe this would be a good time to ask if anybody has a favorite IDE that they'd like to recommend?

theodp writes: EdSurge reports that a new PBS show will teach preschoolers how to think like computers. Marisa Wolsky, an executive producer at WGBH Boston, believes television can be a way to teach Computational Thinking. She is in the first stages of creating an animated television show called Monkeying Around [$3,000,000 NSF award] that uses four monkeys to teach the subject. Why monkeys? EdSurge explains, "Initially, Wolsky said her team wanted to use rabbits to teach the kids, but after realizing the animal would need to use its hands, they decided to go with monkeys [Rabbits historically enjoyed success teaching the 3 R's]." In a press release announcing the new pre-K show, WGBH cited "a great deal of national interest in computer science and coding," adding that "it is never too early to start." WGBH is not the only PBS station that's bullish on CS. According to an NSF Award Abstract, "Twin Cities PBS (TPT), the National Girls Collaborative (NGC) and [tech-bankrolled] Code.org will lead Code: SciGirls! Media to Engage Girls in Computing Pathways, a three-year [$2.63 million] project designed to engage 8-13 year-old girls in coding through transmedia programming which inspires and prepares them for future computer science studies and career paths [...] Drawing on narrative transportation theory and character identification theory, TPT will commission two exploratory knowledge-building studies to investigate: To what extent and how do the narrative formats of the Code: SciGirls! online media affect girls' interest, beliefs, and behavioral intent towards coding and code-related careers?" And Code Trip, a PBS series touted by Microsoft that aired in 2016 [$200,000 NSF award], explored computer science opportunities for young people by, as Microsoft explained, following "three students traveling around the country to speak with leaders including Elizabeth Holmes, founder of Theranos, and Hadi Partovi, entrepreneur and cofounder of Code.org."

theodp writes: EdSurge reports that a new PBS show will teach preschoolers how to think like computers. Marisa Wolsky, an executive producer at WGBH Boston, believes television can be a way to teach Computational Thinking. She is in the first stages of creating an animated television show called Monkeying Around [$3,000,000 NSF award] that uses four monkeys to teach the subject. Why monkeys? EdSurge explains, "Initially, Wolsky said her team wanted to use rabbits to teach the kids, but after realizing the animal would need to use its hands, they decided to go with monkeys [Rabbits historically enjoyed success teaching the 3 R's]." In a press release announcing the new pre-K show, WGBH cited "a great deal of national interest in computer science and coding," adding that "it is never too early to start." WGBH is not the only PBS station that's bullish on CS. According to an NSF Award Abstract, "Twin Cities PBS (TPT), the National Girls Collaborative (NGC) and [tech-bankrolled] Code.org will lead Code: SciGirls! Media to Engage Girls in Computing Pathways, a three-year [$2.63 million] project designed to engage 8-13 year-old girls in coding through transmedia programming which inspires and prepares them for future computer science studies and career paths [...] Drawing on narrative transportation theory and character identification theory, TPT will commission two exploratory knowledge-building studies to investigate: To what extent and how do the narrative formats of the Code: SciGirls! online media affect girls' interest, beliefs, and behavioral intent towards coding and code-related careers?" And Code Trip, a PBS series touted by Microsoft that aired in 2016 [$200,000 NSF award], explored computer science opportunities for young people by, as Microsoft explained, following "three students traveling around the country to speak with leaders including Elizabeth Holmes, founder of Theranos, and Hadi Partovi, entrepreneur and cofounder of Code.org."

Steve Lohr, writing for the New York Times: A few years ago, Sean Bridges lived with his mother, Linda, in Wiley Ford, W.Va. Their only income was her monthly Social Security disability check. He applied for work at Walmart and Burger King, but they were not hiring. Yet while Mr. Bridges had no work history, he had certain skills. He had built and sold some stripped-down personal computers, and he had studied information technology at a community college. When Mr. Bridges heard IBM was hiring at a nearby operations center in 2013, he applied and demonstrated those skills. Now Mr. Bridges, 25, is a computer security analyst, making $45,000 a year. In a struggling Appalachian economy, that is enough to provide him with his own apartment, a car, spending money -- and career ambitions. "I got one big break," he said. "That's what I needed." Mr. Bridges represents a new but promising category in the American labor market: people working in so-called new-collar or middle-skill jobs. As the United States struggles with how to match good jobs to the two-thirds of adults who do not have a four-year college degree, his experience shows how a worker's skills can be emphasized over traditional hiring filters like college degrees, work history and personal references. [...] On Wednesday, the approach received a strong corporate endorsement from Microsoft, which announced a grant of more than $25 million to help Skillful, a program to foster skills-oriented hiring, training and education. The initiative, led by the Markle Foundation, began last year in Colorado, and Microsoft's grant will be used to expand it there and move it into other states. "We need new approaches, or we're going to leave more and more people behind in our economy," said Brad Smith, president of Microsoft.

From a blog post by Microsoft: On June 27, 2017 reports of a ransomware infection began spreading across Europe. We saw the first infections in Ukraine, where more than 12,500 machines encountered the threat. We then observed infections in another 64 countries, including Belgium, Brazil, Germany, Russia, and the United States. The new ransomware has worm capabilities, which allows it to move laterally across infected networks. Based on our investigation, this new ransomware shares similar codes and is a new variant of Ransom:Win32/Petya. This new strain of ransomware, however, is more sophisticated. [...] Initial infection appears to involve a software supply-chain threat involving the Ukrainian company M.E.Doc, which develops tax accounting software, MEDoc. Although this vector was speculated at length by news media and security researchers -- including Ukraine's own Cyber Police -- there was only circumstantial evidence for this vector. Microsoft now has evidence that a few active infections of the ransomware initially started from the legitimate MEDoc updater process. A New York Times reports how rest of the world is dealing with Petya. From the article: A fuller picture of the impact will probably emerge in the coming days. But companies and government offices worldwide appeared less affected than the WannaCry attack, notably in places like China, which was hard hit in May. Reports from Asia suggested that many of the companies hit were the local arms of European and American companies struck on Tuesday. In Mumbai, India, a port terminal operated by A.P. Moller-Maersk, the Danish shipping giant, was shut after it disclosed that it had been hit by the malware. In a statement, Indian port authorities said they were taking steps to relieve congestion, such as finding places to park stranded cargo. The attack shut the terminal down on Tuesday afternoon. On the Australian island of Tasmania, computers in a Cadbury chocolate factory owned by Mondelez International, the American food company, displayed the ransomware message, according to the local news media.

An anonymous reader quotes a report from the BBC: Microsoft has admitted that it does temporarily disable anti-virus software on Windows PCs, following an competition complaint to the European Commission by a security company. In early June, Kaspersky Lab filed the complaint against Microsoft. The security company claims the software giant is abusing its market dominance by steering users to its own anti-virus software. Microsoft says it implemented defenses to keep Windows 10 users secure. In an extensive blog post that does not directly address Kaspersky or its claims, Microsoft says it bundles the Windows Defender Antivirus with Windows 10 to ensure that every single device is protected from viruses and malware. To combat the 300,000 new malware samples being created and spread every day, Microsoft says that it works together with external anti-virus partners. The technology giant estimates that about 95% of Windows 10 PCs were using anti-virus software that was already compatible with the latest Windows 10 Creators Update. For the applications that were not compatible, Microsoft built a feature that lets users update their PCs and then reinstall a new version of the anti-virus software. "To do this, we first temporarily disabled some parts of the AV software when the update began. We did this work in partnership with the AV partner to specify which versions of their software are compatible and where to direct customers after updating," writes Rob Lefferts, a partner director of the Windows and Devices group in enterprise and security at Microsoft.

Microsoft is kind enough to offer Surface Laptop users the option to upgrade to Windows 10 Pro for free until later this year if they don't like Windows 10 S, which is installed by default and is only able to run apps or games that are in the Windows Store. The company is taking that generosity one step further by letting users revert back to Windows 10 S if they installed Windows 10 Pro and aren't happy with the performance and battery life. The option to revert back to the default OS wasn't available until now. MSPoweruser reports: Microsoft recently released the official recovery image for the Surface Laptop which will technically let you go back to Windows 10 S on your device but you'll be required to remove all of your files which is a bit frustrating. The recovery image wasn't available a few days after the Surface Laptop started shipping, but it is now available and you can download it to effectively reset your Surface Laptop. The recovery image is 9GB, so make sure you have a good internet connection before downloading the file. It is quite interesting how Microsoft isn't letting users go back to Windows 10 S from Windows 10 Pro without having to completely reset their devices, as the company would want more users to use its new version of Windows 10 for many reasons. Maybe this is something Microsoft will be adding in the future, but for now, we'll just have to do with the recovery image. If you own a Surface Laptop, you can find the recovery image here.

Ed Bott, reporting for ZDNet: Citing an "elevated risk for destructive cyberattacks," Microsoft today released an assortment of security updates designed to block attacks similar to those responsible for the devastating WannaCry/WannaCrypt ransomware outbreak last month. Today's critical security updates are in addition to the normal Patch Tuesday releases, Microsoft said. They'll be delivered automatically through Windows Update to devices running supported versions, including Windows 10, Windows 8.1, Windows 7, and post-2008 Windows Server releases. But in an unprecedented move, Microsoft announced that it was also making the patches available simultaneously for manual download and installation on unsupported versions, including Windows XP and Windows Server 2003. The new updates can be found in the Microsoft Download Center or, alternatively, in the Update Catalog.

Maluuba, a deep-learning team acquired by Microsoft in January, has created an AI system that has achieved the perfect score for Ms. Pac-Man. According to The Verge, the AI system "learned how to reach the game's maximum point value of 999,900 on Atari 2600, using a unique combination of reinforcement learning with a divide-and-conquer method." From the report: Though AI has conquered a wealth of retro games, Ms. Pac-Man has remained elusive for years, due to the game's intentional lack of predictability. Turns out it's a toughie for humans as well. Many have tried to reach Ms. Pac-Man's top score, only coming as close as 266,330 on the Atari 2600 version. The game's elusive 999,900 number though, has so far only been achieved by mortals via cheats. Maluuba was able to use AI to beat the game by tasking out responsibilities, breaking it up into bite-sized jobs assigned to over 150 agents. The team then taught the AI using what they call Hybrid Reward Architecture -- a combination of reinforcement learning with a divide-and-conquer method. Individual agents were assigned piecemeal tasks -- like finding a specific pellet -- which worked in tandem with other agents to achieve greater goals. Maluuba then designated a top agent (Microsoft likens this to a senior manager at a company) that took suggestions from all the agents in order to inform decisions on where to move Ms. Pac-Man. The best results came when individual agents "acted very egotistically" and the top agent focused on what was best for the overall team, taking into account not only how many agents wanted to go in a particular direction, but the importance of that direction.

An anonymous reader writes: Microsoft's security team has come across a malware family that uses Intel's Active Management Technology (AMT) Serial-over-LAN (SOL) interface as a file transfer tool. The problem with Intel AMT SOL is that it's part of Intel's ME, a separate chip inside Intel CPUs that runs its own OS and stays on even when the main CPU is off.

Inside Intel's ME, AMT SOL opens a virtual network interface which works even when the PC is turned off. Furthermore, because this virtual network interface runs inside ME, firewalls and security products installed on the main OS won't detected malware using AMT SOL to exfiltrate data.

The malware was created and used by a nation-state cyber-espionage unit codenamed PLATINUM, active since 2009, and which has targeted countries around the South China Sea. PLATINUM is by far one of the most sophisticated hacking groups ever discovered. Last year [PDF], the OS maker said the group was installing malware by abusing hotpatching — a mechanism that allows Microsoft to issue updates that tap into active processes and upgrade applications or the operating system without having to reboot the computer.

Details about PLATINUM's recent targets and attacks are available in a report [PDF] Microsoft released yesterday.

An anonymous reader writes: Microsoft's security team has come across a malware family that uses Intel's Active Management Technology (AMT) Serial-over-LAN (SOL) interface as a file transfer tool. The problem with Intel AMT SOL is that it's part of Intel's ME, a separate chip inside Intel CPUs that runs its own OS and stays on even when the main CPU is off.

Inside Intel's ME, AMT SOL opens a virtual network interface which works even when the PC is turned off. Furthermore, because this virtual network interface runs inside ME, firewalls and security products installed on the main OS won't detected malware using AMT SOL to exfiltrate data.

The malware was created and used by a nation-state cyber-espionage unit codenamed PLATINUM, active since 2009, and which has targeted countries around the South China Sea. PLATINUM is by far one of the most sophisticated hacking groups ever discovered. Last year [PDF], the OS maker said the group was installing malware by abusing hotpatching — a mechanism that allows Microsoft to issue updates that tap into active processes and upgrade applications or the operating system without having to reboot the computer.

Details about PLATINUM's recent targets and attacks are available in a report [PDF] Microsoft released yesterday.

msm1267 writes: EternalBlue, the NSA-developed attack used by criminals to spread WannaCry ransomware last month, has been ported to Windows 10 by security researchers. The publicly available version of EternalBlue leaked by the ShadowBrokers targets only Windows XP and Windows 7 machines. Researchers at RiskSense who created the Windows 10 version of the attack were able to bypass mitigations introduced by Microsoft that thwart memory-based code-execution attacks. These mitigations were introduced prior to a March security update from Microsoft, MS17-010, and any computer running Windows that has yet to install the patch is vulnerable. You can read the researchers' report here (PDF), which explains what was necessary to bring the NSA exploit to Windows 10.

A viral Twitter rant about Windows 10 Enterprise supposedly ignoring users' privacy settings has since been clarified. "I made mistakes on my original testing and therefore saw more connections than I should have," writes IT security analyst Mark Burnett, "including some to Google ads." But his qualified results -- quoted below -- are still critical of Microsoft:

• You can cut back even more using the Windows Restricted Traffic Limited Functionality Baseline but break many things.
• Settings can be set wrong if you aren't paying attention. Also, settings are not consistent and can be confusing to beginners.
• You are opted-in to just about everything by default and have to set hundreds of settings to opt out, even on an Enterprise Windows system. Sometimes multiple settings for the same feature. Most Microsoft documentation discourages opting out and warns of a less optimal experience... But you can't completely opt-out. Windows still tracks too much.
• Home and Professional users are much worse off due to limitations of some settings and lack of an IT staff... I'm not saying ditch Windows. I'm saying let's fix this. If we can't fix it, then we ditch Windows.

An anonymous reader shares Engadget's report about Microsoft's response to the massive WanaDecrypt0r ransomware attack: Company president Brad Smith has posted a response to the attack that roasts the NSA, CIA and other intelligence agencies for hogging security vulnerabilities instead of disclosing them to be fixed. There's an "emerging pattern" of these stockpiles leaking out, he says, and they cause "widespread damage" when that happens. He goes so far as to liken it to a physical weapons leak -- it's as if the US military had "some of its Tomahawk missiles stolen"... Microsoft had already floated the concept of a "Digital Geneva Convention" that required governments to report security holes, but the idea has gained a new sense of urgency in light of the recent ransomware chaos... While Microsoft makes its own efforts by rushing out patches and sharing concerns with other companies, it also chastises customers who could have closed the WannaCry hole two months earlier but didn't.
BrianFagioli shared a BetaNews article arguing Microsoft "should absolutely not shoulder any of the responsibility. After all, the vulnerability that led to the disaster was patched back in March." But troublemaker_23 notes that ITwire still faults Microsoft for not planning ahead, since in February 150 million people were still using Windows XP.

An anonymous reader shares Engadget's report about Microsoft's response to the massive WanaDecrypt0r ransomware attack: Company president Brad Smith has posted a response to the attack that roasts the NSA, CIA and other intelligence agencies for hogging security vulnerabilities instead of disclosing them to be fixed. There's an "emerging pattern" of these stockpiles leaking out, he says, and they cause "widespread damage" when that happens. He goes so far as to liken it to a physical weapons leak -- it's as if the US military had "some of its Tomahawk missiles stolen"... Microsoft had already floated the concept of a "Digital Geneva Convention" that required governments to report security holes, but the idea has gained a new sense of urgency in light of the recent ransomware chaos... While Microsoft makes its own efforts by rushing out patches and sharing concerns with other companies, it also chastises customers who could have closed the WannaCry hole two months earlier but didn't.
BrianFagioli shared a BetaNews article arguing Microsoft "should absolutely not shoulder any of the responsibility. After all, the vulnerability that led to the disaster was patched back in March." But troublemaker_23 notes that ITwire still faults Microsoft for not planning ahead, since in February 150 million people were still using Windows XP.

An anonymous reader quotes ZDNet: With this week's monthly Patch Tuesday, Microsoft has also rolled out a new policy for Edge and Internet Explorer that prevents sites that use a SHA-1-signed HTTPS certificate from loading. The move brings Microsoft's browsers in line with Chrome, which dropped support for the SHA-1 cryptographic hash function in January's stable release of Chrome 56, and Firefox's February cut-off... Apple dropped support for SHA-1 in March with macOS Sierra 10.12.4 and iOS 10.3... Once Tuesday's updates are installed, Microsoft's browsers will no longer load sites with SHA-1 signed certificates and will display an error warning highlighting a security problem with the site's certificate.

An anonymous reader quotes the AP: Teams of technicians worked "round the clock" Saturday to restore hospital computer systems in Britain and check bank or transport services in other nations after a global cyberattack hit dozens of countries and crippled the U.K.'s health system. The worldwide attack was so unprecedented that Microsoft quickly changed its policy and announced that it will make security fixes available for free for older Windows systems, which are still used by millions of individuals and smaller businesses. [Windows XP, Windows 8, and Windows Server 2003]
An anonymous reader writes: The patches are available for download from here. Microsoft also advises companies and users to disable the Windows Server Message Block version 1 protocol, as it's an old and outdated protocol, already superseded by newer versions, such as SMBv2 and SMBv3... Microsoft had released a fix for that exploit a month before, in March, in security bulletin MS17-010 [which] included fixes for Windows Vista, Windows 7, Windows 8.1, Windows 10, Windows Server 2008, Windows Server 2012, and Windows Server 2016.
Below the fold are more stories about the WanaDecrypt0r ransomware.

• The Los Angeles Times says the attack "shows why Apple refused to hack terrorist's iPhone," and why Google, Apple, and Microsoft resist calls for backdoors. "Though the NSA hasn't confirmed it was hacked, the purported leak of its tools shows that even supposedly secret vulnerabilities can get into the wrong hands.... when flaws the agencies discover pose a threat to the nation's businesses and consumers, they should be forced to help secure systems."
• Science fiction writer Charlie Stross blogged a humorous take on the event, sharing a "Rejection Letter" from Reality Publishing Corporation that argues the plot of his newest thriller -- MS17-010 -- "does not hold up to scrutiny." (A government agency hoards known vulnerabilities about vital infrastructure, then suddenly loses control of them...)
• troublemaker_23 shares ITWire's call for a "public statement of contrition" from Microsoft, which reminds readers that "the ransomware and exploits are just the effects. The vulnerabilities in Windows are the cause."
• There's now a first-person account about the discovery of the kill switch, which insists that registering that domain "was not a whim. My job is to look for ways we can track and potentially stop botnets..."
• Slashdot reader Lauren Weinstein says some antivirus services (and firewalls incorporating their rules) are mistakenly blocking the kill switch's site as a 'bad domain', which allows the malware to continue spreading. "Your systems MUST be able to access the domain above if this malware blocking trigger is to be effective, according to the current reports that I'm receiving!"

An anonymous reader quotes the AP: Teams of technicians worked "round the clock" Saturday to restore hospital computer systems in Britain and check bank or transport services in other nations after a global cyberattack hit dozens of countries and crippled the U.K.'s health system. The worldwide attack was so unprecedented that Microsoft quickly changed its policy and announced that it will make security fixes available for free for older Windows systems, which are still used by millions of individuals and smaller businesses. [Windows XP, Windows 8, and Windows Server 2003]
An anonymous reader writes: The patches are available for download from here. Microsoft also advises companies and users to disable the Windows Server Message Block version 1 protocol, as it's an old and outdated protocol, already superseded by newer versions, such as SMBv2 and SMBv3... Microsoft had released a fix for that exploit a month before, in March, in security bulletin MS17-010 [which] included fixes for Windows Vista, Windows 7, Windows 8.1, Windows 10, Windows Server 2008, Windows Server 2012, and Windows Server 2016.
Below the fold are more stories about the WanaDecrypt0r ransomware.

• The Los Angeles Times says the attack "shows why Apple refused to hack terrorist's iPhone," and why Google, Apple, and Microsoft resist calls for backdoors. "Though the NSA hasn't confirmed it was hacked, the purported leak of its tools shows that even supposedly secret vulnerabilities can get into the wrong hands.... when flaws the agencies discover pose a threat to the nation's businesses and consumers, they should be forced to help secure systems."
• Science fiction writer Charlie Stross blogged a humorous take on the event, sharing a "Rejection Letter" from Reality Publishing Corporation that argues the plot of his newest thriller -- MS17-010 -- "does not hold up to scrutiny." (A government agency hoards known vulnerabilities about vital infrastructure, then suddenly loses control of them...)
• troublemaker_23 shares ITWire's call for a "public statement of contrition" from Microsoft, which reminds readers that "the ransomware and exploits are just the effects. The vulnerabilities in Windows are the cause."
• There's now a first-person account about the discovery of the kill switch, which insists that registering that domain "was not a whim. My job is to look for ways we can track and potentially stop botnets..."
• Slashdot reader Lauren Weinstein says some antivirus services (and firewalls incorporating their rules) are mistakenly blocking the kill switch's site as a 'bad domain', which allows the malware to continue spreading. "Your systems MUST be able to access the domain above if this malware blocking trigger is to be effective, according to the current reports that I'm receiving!"

BrianFagioli quotes a report from BetaNews: If developers do start leveraging the Windows Store, the Windows 10 S experiment could take off, as users won't find a need to install legacy programs. This will largely depend on web browsers being available there, as many users dislike Edge. Thankfully, Microsoft is allowing third-party browser installs from the Windows Store. Unfortunately, there is a big catch -- you cannot change the default. Buried in the Windows 10 S FAQ, the following question is presented -- "Are there any defaults that I cannot change on my Windows 10 S PC?" Microsoft provides the answer: "Yes, Microsoft Edge is the default web browser on Microsoft 10 S. You are able to download another browser that might be available from the Windows Store, but Microsoft Edge will remain the default if, for example, you open an .htm file. Additionally, the default search provider in Microsoft Edge and Internet Explorer cannot be changed."

An anonymous reader quotes a report from VentureBeat: At its Microsoft EDU event in New York City today, the company announced it is bringing Microsoft Office to the Windows Store. We're talking about the full Win32 version of Office -- this is not a mobile version, Universal Windows Platform (UWP) app, or an otherwise dumbed-down release. Terry Myerson, executive vice president for Microsoft's Windows and Devices Group, confirmed onstage that Word, Excel, PowerPoint, "and more" were coming. He did not give a date for the launch (Update: Microsoft confirmed after the event that the target is June). Office is not the first set of Win32 apps in the Windows Store. This is part of a broader effort called Project Centennial, which lets desktop developers package and publish their existing .NET and Win32-based Windows applications to the Windows Store. The app type was first unveiled at Microsoft's Build developer conference in April 2015, but the first apps only started arriving in September 2016.

An anonymous reader quotes a report from VentureBeat: At its Microsoft EDU event in New York City today, the company announced it is bringing Microsoft Office to the Windows Store. We're talking about the full Win32 version of Office -- this is not a mobile version, Universal Windows Platform (UWP) app, or an otherwise dumbed-down release. Terry Myerson, executive vice president for Microsoft's Windows and Devices Group, confirmed onstage that Word, Excel, PowerPoint, "and more" were coming. He did not give a date for the launch (Update: Microsoft confirmed after the event that the target is June). Office is not the first set of Win32 apps in the Windows Store. This is part of a broader effort called Project Centennial, which lets desktop developers package and publish their existing .NET and Win32-based Windows applications to the Windows Store. The app type was first unveiled at Microsoft's Build developer conference in April 2015, but the first apps only started arriving in September 2016.

msm1267 quotes a report from Threatpost: A little more than two weeks after the latest ShadowBrokers leak of NSA hacking tools, experts are certain that the DoublePulsar post-exploitation Windows kernel attack will have similar staying power to the Conficker bug, and that pen-testers will be finding servers exposed to the flaws patched in MS17-010 for years to come. MS17-010 was released in March and it closes a number of holes in Windows SMB Server exploited by the NSA. Exploits such as EternalBlue, EternalChampion, EternalSynergy and EternalRomance that are part of the Fuzzbunch exploit platform all drop DoublePulsar onto compromised hosts. DoublePulsar is a sophisticated memory-based kernel payload that hooks onto x86 and 64-bit systems and allows an attacker to execute any raw shellcode payload they wish. "This is a full ring0 payload that gives you full control over the system and you can do what you want to it," said Sean Dillon, senior security analyst at RiskSense. Dillon was the first to reverse-engineer a DoublePulsar payload, and published his analysis last Friday. "This is going to be on networks for years to come. The last major vulnerability of this class was MS08-067, and it's still found in a lot of places," Dillon said. "I find it everywhere. This is the most critical Windows patch since that vulnerability." Dan Tentler, founder and CEO of Phobos Group, said internet-net wide scans he's running have found about 3.1 percent of vulnerable machines are already infected (between 62,000 and 65,000 so far), and that percentage is likely to go up as scans continue. "This is easily describable as a bloodbath," Tentler said.

An anonymous reader writes: Microsoft is still encouraging businesses to rent their Office software, according to TechRadar. "In a bid to further persuade users of the standalone versions of Office to shift over to a cloud subscription (Office 365), Microsoft has announced that those who made a one-off purchase of an Office product will no longer get access to the business flavours of OneDrive and Skype come the end of the decade." PC World explains that in reality this affects very few users. "If you've been saving all of your Excel spreadsheets into your OneDrive for Business cloud, you'll need to download and move them over to a personal subscription -- or pony up for Office 365, as Microsoft really wants you to do."

Microsoft is claiming that when customers connect to Office 365 services using a legacy version of Office, "they're not enjoying all that the service has to offer. The IT security and reliability benefits and end user experiences in the apps is limited to the features shipped at a point in time. To ensure that customers are getting the most out of their Office 365 subscription, we are updating our system requirements." And in another blog post, they're almost daring people to switch to Linux. "Providing over three years advance notice for this change to Office 365 system requirements for client connectivity gives you time to review your long-term desktop strategy, budget and plan for any change to your environment."
In a follow-up comment, Microsoft's Alistair Speirs explained that "There is still an option to get monthly desktop updates, but we are changing the 3x a year update channel to be 2x a year to align closer to Windows 10 update model. We are trying to strike the right balance between agile, ship-when-ready updates and enterprise needs of predictability, reliability and advanced notice to validate and prepare."

An anonymous reader writes: Microsoft is still encouraging businesses to rent their Office software, according to TechRadar. "In a bid to further persuade users of the standalone versions of Office to shift over to a cloud subscription (Office 365), Microsoft has announced that those who made a one-off purchase of an Office product will no longer get access to the business flavours of OneDrive and Skype come the end of the decade." PC World explains that in reality this affects very few users. "If you've been saving all of your Excel spreadsheets into your OneDrive for Business cloud, you'll need to download and move them over to a personal subscription -- or pony up for Office 365, as Microsoft really wants you to do."

Microsoft is claiming that when customers connect to Office 365 services using a legacy version of Office, "they're not enjoying all that the service has to offer. The IT security and reliability benefits and end user experiences in the apps is limited to the features shipped at a point in time. To ensure that customers are getting the most out of their Office 365 subscription, we are updating our system requirements." And in another blog post, they're almost daring people to switch to Linux. "Providing over three years advance notice for this change to Office 365 system requirements for client connectivity gives you time to review your long-term desktop strategy, budget and plan for any change to your environment."
In a follow-up comment, Microsoft's Alistair Speirs explained that "There is still an option to get monthly desktop updates, but we are changing the 3x a year update channel to be 2x a year to align closer to Windows 10 update model. We are trying to strike the right balance between agile, ship-when-ready updates and enterprise needs of predictability, reliability and advanced notice to validate and prepare."

There was a surprise in the latest Community Technology Preview release of SQL Server 2017. An anonymous reader quotes InfoWorld: Python can now be used within SQL Server to perform analytics, run machine learning models, or handle most any kind of data-powered work. This integration isn't limited to enterprise editions of SQL Server 2017, either -- it'll also be available in the free-to-use Express edition... Microsoft has also made it possible to embed Python code directly in SQL Server databases by including the code as a T-SQL stored procedure. This allows Python code to be deployed in production along with the data it'll be processing. These behaviors, and the RevoScalePy package, are essentially Python versions of features Microsoft built for SQL Server back when it integrated the R language into the database...

An existing Python installation isn't required. During the setup process, SQL Server 2017 can pull down and install its own edition of CPython 3.5, the stock Python interpreter available from the Python.org website. Users can install their own Python packages as well or use Cython to generate C code from Python modules for additional speed.
Except it's not yet available for Linux users, according to the article. "Microsoft has previously announced SQL Server would be available for Linux, but right now, only the Windows version of SQL Server 2017 supports Python."

An anonymous reader shares a new article published on MSDN: In the latest Windows Insider build, the Windows Subsystem for Linux (WSL) now allows you to manually mount Windows drives using the DrvFs file system. Previously, WSL would automatically mount all fixed NTFS drives when you launch Bash, but there was no support for mounting additional storage like removable drives or network locations. Now, not only can you manually mount any drives on your system, we've also added support for other file systems such as FAT, as well as mounting network locations. This enables you to access any drive, including removable USB sticks or CDs, and any network location you can reach in Windows all from within WSL.

halfEvilTech writes: Last year, Microsoft announced they were planning on blocking OS updates on newer Intel CPU's, namely the 7th Generation Kaby Lake processors. Ars Technica reports: "Now, the answer appears to be 'this month.' Users of new processors running old versions of Windows are reporting that their updates are being blocked. The block means that systems using these processors are no longer receiving security updates." While Windows 7 has already ended mainstream support, the same can't be said for Windows 8.1 which is still on mainstream support until January of next year.

Microsoft has officially retired the security bulletins this week, which were issued to detail "each month's slate of vulnerabilities and accompanying patches for customers -- especially administrators responsible for companies' IT operations," writes Gregg Keizer via Computerworld. "The move to a bulletin-less Patch Tuesday brought an end to months of Microsoft talk about killing the bulletins that included an aborted attempt to toss them." From the report: Microsoft announced the demise of bulletins in November, saying then that the last would be posted with January's Patch Tuesday, and that the new process would debut Feb. 14. A searchable database of support documents would replace the bulletins. Accessed through the "Security Updates Guide" (SUG) portal, the database's content can be sorted and filtered by the affected software, the patch's release date, its CVE (Common Vulnerabilities and Exposures) identifier, and the numerical label of the KB, or "knowledge base" support document. SUG's forerunners were the web-based bulletins that have been part of Microsoft's patch disclosure policies since at least 1998. Microsoft did such a good job turning out those bulletins that they were considered the aspirational benchmark for all software vendors.In February Microsoft canceled that month's Patch Tuesday just hours before the security updates were to reach customers, making the bulletins' planned demise moot. Microsoft kept the bulletins the following month as well, saying it wanted to give users more time to prepare for the change to SUG. Finally, when Microsoft yesterday shipped cumulative security updates for Windows, Internet Explorer, Office and other products, it omitted the usual bulletins.

According to an announcement made earlier today, Microsoft has acquired Deis, "the company behind some of the most popular tools for building and managing applications on top of the Google-incubated Kubernetes container orchestration service," writes Frederic Lardinois via TechCrunch. From the report: "At Microsoft, we've seen explosive growth in both interest and deployment of containerized workloads on Azure, and we're committed to ensuring Azure is the best place to run them," Microsoft's executive VP for its cloud and enterprise group Scott Guthrie writes today. "To support this vision, we're pleased to announce that Microsoft has signed an agreement to acquire Deis -- a company that has been at the center of the container transformation." Deis provides three core open-source tools for managing Kubernetes deployments: Workflow, a platform for developers and operations teams to easily deploy and manage containerized apps; the Kubernetes package manager Helm; and Steward, a Kubernetes-native service broker (which basically allows applications to talk to each other). Like similar companies, its business model relies on providing paid support and training for these applications. The team will continue to work on these open-source tools, which are currently in use by the likes of Mozilla, CloudMine and SocialRadar.

An anonymous reader quotes a report from BleepingComputer: Microsoft will officially release Windows 10 Creators Update on April 11, the same day it will retire Windows Vista, but users unwilling to wait that long can install it starting today, April 5, using the Windows 10 Update Assistant. The tool installs Build 15063 of the Windows 10 Insiders Build program, which is set to become the official Windows 10 Creators Update next week. The Windows 10 Update Assistant, which Microsoft first launched to help users update to Windows 10, has been recently used to upgrade users to the most recent version of Windows 10. The tool is available for download via the Microsoft site, albeit some users reported still getting an older version for download, which doesn't install the Creators Update. The Update Assistant is extremely easy to use and only requires users to click a few buttons.

Microsoft corporate vice president Brian Harry announced in a blog post today that they are shutting down CodePlex, its service for hosting repositories of open source software. "As of this post, we've disabled the ability to create new CodePlex projects," Harry wrote. "In October, we'll set CodePlex to read-only, before shutting it down completely on December 15th, 2017." VentureBeat reports: While people will be able to download an archive of their data, Microsoft is teaming up with GitHub, which provides similar functionality for hosting code that people can collaborate on, to give users "a streamlined import experience" to migrate code and related content there. "Over the years, we've seen a lot of amazing options come and go but at this point, GitHub is the de facto place for open source sharing and most open source projects have migrated there," Harry wrote. Microsoft has been leaning in more and more to GitHub in the past few years. It moved the CNTK deep learning toolkit from CodePlex to GitHub last year. Today Microsoft's GitHub organization has more than 16,000 open source contributors, Harry wrote. And last year GitHub itself made a big deal about Microsoft's adoption of GitHub. At the same time, CodePlex has rotted. In the past month people have made commits to fewer than 350 projects, Harry wrote. GitHub is based on the Git open source version control software, which keeps track of changes by multiple people. People can move code to alternative systems like Atlassian's Bitbucket and Microsoft's Visual Studio Team Services, Harry wrote. The startup GitLab also offers hosting for open and closed source projects.

Slashvertisement: Here is SourceForge's message to CodePlex devs.

Samsung has officially launched their new Galaxy S8 smartphone today, along with several different accessories. One of the accessories is the Samsung Dex, a dock that aims to replace your desktop computer with your phone. If the idea sounds familiar, it's because Microsoft attempted to do this with its Microsoft Display Dock that requires a Windows 10 Lumia 950 or 950 XL with Continuum and a USB-C connector. Given the abysmal market share of Windows 10 Mobile, it's no wonder the dock didn't take off. Samsung, on the other hand, may have more luck convincing users to get rid of their desktop in favor of the Dex. Andrew Cunningham provides some more details in his report via Ars Technica: Samsung hasn't announced pricing or a release date, and most of what we know comes from Samsung's presentation. The dock is small and circular, includes two USB ports and an HDMI port, and it is powered via USB-C (same as the S8 itself). The Verge reports that there's a small cooling fan inside the dock that presumably keeps the phone from throttling too much, enabling more desktop-y performance. The desktop UI looks mostly straightforward: there's a lock screen, a desktop, and a Windows or Chrome OS-esque taskbar with app icons on it. You can use apps full-screen or keep them in windows -- we're still talking about Android apps, and not all of them are well-suited to running on anything other than a phone or a small, narrow window.

BleepingComputer reports: During the past year, Let's Encrypt has issued a total of 15,270 SSL certificates that contained the word 'PayPal' in the domain name or the certificate identity. Of these, approximately 14,766 (96.7%) were issued for domains that hosted phishing sites, according to an analysis carried out on a small sample of 1,000 domains, by Vincent Lynch, encryption expert for The SSL Store... Lynch, who points out the abuse of Let's Encrypt's infrastructure, doesn't blame the Certificate Authority (CA), but nevertheless, points out that other CAs have issued a combined number of 461 SSL certificates containing the term "PayPal" in the certificate information, which were later used for phishing attacks... Phishers don't target these CAs because they're commercial services, but also because they know these organizations will refuse to issue certificates for certain hot terms, like "PayPal," for example. Back in 2015, Let's Encrypt made it clear in a blog post it doesn't intend to become the Internet's HTTPS watchdog.
Of course, some web browsers don't even check whether a certificate has been revoked. An anonymous reader writes: Browser makers are also to blame, along with "security experts" who tell people HTTPS is "secure," when they should point out HTTPS means "encrypted communication channel," and not necessarily that the destination website is secure.

Artem Tashkinov writes: In a move that will shock a lot of people, someone at Microsoft decided to deny Windows 7/8.1 updates to the users of the following CPU architectures: Intel seventh (7th)-generation processors (Kaby Lake); AMD "Bristol Ridge" (Zen/Ryzen); Qualcomm "8996." It's impossible to find any justification for this decision to halt support for the x86 architectures listed above because you can perfectly run MS-DOS on them. Perhaps, Microsoft has decided that the process of foisting Windows 10 isn't running at full steam, so the company created this purely artificial limitation. I expect it to be cancelled soon after a wide backlash from corporate customers. KitGuru notes that users may encounter the following error message when they attempt to update their OS: "Your PC uses a processor that isn't supported on this version of Windows." The only resolution is to upgrade to Windows 10.

Long-time Slashdot reader Billly Gates shared some news from Microsoft's Visual C++ blog: Visual Studio 2017 now lets developers write C++ code for Linux desktops, servers, and other devices without an extension, targeting specific architectures, including ARM: Visual Studio will automatically copy and remotely build your sources and can launch your application with the debugger... Today Visual Studio only supports building remotely on the Linux target machine. It is not limited to specific Linux distros, but we do have dependencies on the presence of some tools. Specifically, we need openssh-server, g++, gdb and gdbserver.

An anonymous reader quotes a report from Digital Trends: While Microsoft is addressing some other complaints about Windows 10 in the upcoming Creators Update -- such as privacy concerns over the data that's being transmitted and issues regarding how the operating system updates itself -- the company seems intent on retaining Windows 10's advertising functionality. In fact, it has apparently been adding OneDrive commercials to File Explorer, ExtremeTech reports. Basically, you might start seeing a new promotion for OneDrive when you're perusing your file structure in Windows 10. OneDrive is baked into Windows 10 and can't easily be uninstalled, and Microsoft wants to make sure you know that the 5GB of free OneDrive storage can be easily upgraded to significantly more space. Turning off the OneDrive advertising isn't without consequences. You can go to the View menu in File Explorer, then Options, and select "Change folder and search options." In the next window, select the View menu, then scroll down to and uncheck the "Show sync provider notifications" option. Note that while this should disable the OneDrive ads, it will also stop you from seeing potentially important notifications from OneDrive. The report notes that, while these OneDrive ads aren't new, "they seem to be showing up more often for more people."

The U.S. Patent and Trademark Office has issued IBM a -- what the Electronic Frontier Foundation calls -- "stupefyingly mundane" patent on e-mail technology. U.S. Patent No. 9,547,842, "Out-of-office electronic mail messaging system" was filed in 2010 and granted about six weeks ago. Ars Technica reports: The "invention" represented in the '842 patent is starkly at odds with the real history of technology, accessible in this case via a basic Google search. EFF lawyer Daniel Nazer, who wrote about the '842 patent in this month's "Stupid Patent of the Month" blog post, points to an article on a Microsoft publicity page that talks about quirky out-of-office e-mail culture dating back to the 1980s, when Microsoft marketed its Xenix e-mail system (the predecessor to today's Exchange.) IBM offers one feature that's even arguably not decades old: the ability to notify those writing to the out-of-office user some days before the set vacation dates begin. This feature, similar to "sending a postcard, not from a vacation, but to let someone know you will go on a vacation," is a "trivial change to existing systems," Nazer points out. Nazer goes on to identify some major mistakes made during the examination process. The examiner never considered whether the software claims were eligible after the Supreme Court's Alice v. CLS Bank decision, which came in 2014, and in Nazer's view, the office "did an abysmal job" of looking at the prior art. "[T]he examiner considered only patents and patent applications," notes Nazer. The office "never considered any of the many, many, existing real-world systems that pre-dated IBM's application."

An anonymous reader writes: "For the second time in three months, Google engineers have disclosed a bug in the Windows OS without Microsoft having released a fix before Google's announcement," reports BleepingComputer. "The bug in question affects the Windows GDI (Graphics Device Interface) (gdi32.dll)..." According to Google, the issue allows an attacker to read the content of the user's memory using malicious EMF files. The bad news is that the EMF file can be hidden in other documents, such as DOCX, and can be exploited via Office, IE, or Office Online, among many.

"According to a bug report filed by Google's Project Zero team, the bug was initially part of a larger collection of issues discovered in March 2016, and fixed in June 2016, via Microsoft's security bulletin MS16-074. Mateusz Jurczyk, the Google engineer who found the first bugs, says the MS16-074 patches were insufficient, and some of the issues he reported continued to remain vulnerable." He later resubmitted the bugs in November 2016. The 90-days deadline for fixing the bugs expired last week, and the Google researcher disclosed the bug to the public after Microsoft delayed February's security updates to next month's Patch Tuesday, for March 15.
Microsoft has described Google's announcements of unpatched Windows bugs as "disappointing".

UnderAttack writes: Microsoft today announced that it had to delay its February Patch Tuesday due to issues with a particular patch. This was also supposed to be the first Patch Tuesday using a new format, which led some to believe that even Microsoft had issues understanding how the new format is exactly going to work with no more simple bulletin summary and patches being released as large monolithic updates. Ars Technica notes the importance of this Patch Tuesday as "there's an in-the-wild zero-day flaw in SMB, Microsoft's file sharing protocol, that at the very least allows systems to be crashed." They also elaborate on the way Microsoft is "continuing to tune the way updates are delivered to Windows 7, 8.1, Server 2008 R2, Server 2012, and Server 2012 R2."

An anonymous reader quotes a report from Windows Central: Microsoft just gave developers a sneak peek at Project Neon, Microsoft's upcoming design language for Windows 10 that aims to add fluidity, animation and blur to apps and the operating system. We exclusively revealed that this was in the works in late 2016, and today Microsoft has given us a first peak at what Project Neon will look like. During the Windows Developer Day livestream, an image of Project Neon was seen the background of one of the PowerPoint slides being shown off on stage. Although not much, it's further confirmation that this is the end goal for Windows 10's UI, and Project Neon will be bringing a fresh coat of paint to apps. Project Neon should benefit all types of Windows 10 devices, including Windows 10 Mobile, HoloLens and even Xbox. We're still several months away from Project Neon being everywhere in Windows 10, and we're expecting to see more at BUILD this coming May. In fact, a lot of the Project Neon APIs are available in the latest Insider Preview builds of Windows 10, meaning developers can already begin taking advantage of these new user interfaces and design language! Animations and transitions are a big deal with Project Neon, with the goal of making the operating system and apps feel like they work together. Peter Bright does a good job summarizing the looks of the screenshot via Ars Technica: "The picture shows a refreshed version of the Groove music app on a Windows desktop. The fundamentals of the app and its layout aren't changed, underscoring that Neon is very much an iteration of the current Metro/Microsoft Design Language (MDL). The window has shed its discrete title bar and one pixel border, with the application content now extending to the very edge of the window. The search text field no longer has a box around it, and the left hand pane has a hint of translucency to it." You can view the screenshot here and judge it for yourself.

For years, people have wondered why all Windows drivers are dated June 21, 2006. Long time developer at Microsoft, Raymond Chen explains (much of the entire post in summary): When the system looks for a driver to use for a particular piece of hardware, it ranks them according to various criteria. If a driver provides a perfect match to the hardware ID, then it becomes a top candidate. And if more than one driver provides a perfect match, then the one with the most recent timestamp is chosen. If there is still a tie, then the one with the highest file version number is chosen. Suppose that the timestamp on the driver matched the build release date. And suppose you had a custom driver provided by the manufacturer. When you installed a new build, the driver provided by Windows will have a newer timestamp than the one provided by the manufacturer. Result: When you install a new build, all your manufacturer-provided drivers get replaced by the Windows drivers. Oops. Intentionally backdating the drivers avoids this problem. It means that if you have a custom manufacturer-provided driver, it will retain priority over the Windows-provided driver. On the other hand, if your existing driver was the Windows-provided driver from an earlier build, then the third-level selection rule will choose the one with the higher version number, which is the one from the more recent build. It all works out in the end, but it does look a bit funny.

The first alleged screenshots of Microsoft's Windows 10 Cloud operating system have leaked, courtesy of Windows Blog Italia. "The screenshots seem to show a coming version of the operating system that is locked down in a way similar to the way Microsoft locked down Windows RT and, before that the Windows 8.1 with Bing version of Windows," reports ZDNet. From the report: According to Windows Blog Italia, which said they've had a chance to test the current version of Windows 10 Cloud, the product can run Windows Store apps only. The site noted that Windows Store apps built using Microsoft's "Centennial" Desktop bridge, which enables developers to move their Win32 apps to the Windows Store, work on the version of Windows 10 Cloud to which they have access. UWP apps and Windows Store apps have not been synonymous terms. But the important point here is Windows Cloud will be locked down so as to prevent users from installing apps that are not in the Windows 10 Store, which can be seen as a plus from a security and manageability standpoint, but a minus given the less-than-robust collection of UWP/Store apps available for Windows 10. Microsoft is believed to be planning to position Windows 10 Cloud, at least in part, as an alternative to Chrome OS and Chromebooks.

Saeed Noursalehi, principal program manager at Microsoft, writes on a blog post: We've been working hard on a solution that allows the Git client to scale to repos of any size. Today, we're introducing GVFS (Git Virtual File System), which virtualizes the file system beneath your repo and makes it appear as though all the files in your repo are present, but in reality only downloads a file the first time it is opened. GVFS also actively manages how much of the repo Git has to consider in operations like checkout and status, since any file that has not been hydrated can be safely ignored. And because we do this all at the file system level, your IDEs and build tools don't need to change at all! In a repo that is this large, no developer builds the entire source tree. Instead, they typically download the build outputs from the most recent official build, and only build a small portion of the sources related to the area they are modifying. Therefore, even though there are over 3 million files in the repo, a typical developer will only need to download and use about 50-100K of those files. With GVFS, this means that they now have a Git experience that is much more manageable: clone now takes a few minutes instead of 12+ hours, checkout takes 30 seconds instead of 2-3 hours, and status takes 4-5 seconds instead of 10 minutes. And we're working on making those numbers even better.

Remember how Microsoft switched to cumulative updates? Now Computerworld points out that that's bringing another change. An anonymous reader quotes their report: Microsoft next month will stop issuing detailed security bulletins, which for nearly 20 years have provided individual users and IT professionals information about vulnerabilities and their patches... A searchable database of support documents will replace the bulletins; that database has been available, albeit in preview, since November on the portal Microsoft dubbed the "Security Updates Guide," or SUG. The documents stored in the database are specific to a vulnerability on an edition of Windows, or a version of another Microsoft product. They can be sorted and filtered by the affected software, the patch's release date, its CVE identifier, and the numerical label of the KB, or "knowledge base" support document.
Redmond Magazine reports that Microsoft still plans to continue to issue its security advisories, and to issue "out-of-band" security update releases as necessary.