All Windows 10 Kernel Mode Drivers Must Be Digitally Signed By Microsoft (i-programmer.info)
"Last year, we announced that beginning with the release of Windows 10, all new Windows 10 kernel mode drivers must be submitted to the Windows Hardware Developer Center Dashboard portal to be digitally signed by Microsoft," reads an MSDN blog post. "However, due to technical and ecosystem readiness issues, this was not enforced by Windows Code Integrity and remained only a policy statement. Starting with new installations of Windows 10, version 1607, the previously defined driver signing rules will be enforced by the Operating System, and Windows 10, version 1607 will not load any new kernel mode drivers which are not signed by the Dev Portal."
Slashdot reader mikejuk quotes a report from i-programmer.info which argues "the control of what software users can run on their machines is becoming ever tighter," and compares Microsoft's proposal to an XKCD cartoon: Before you start to panic about backward compatibility with existing drivers the lockdown is only going to be enforced on new installations of Windows 10. If you simply upgrade an existing system then the OS will take over the drivers that are already installed... Only new installations, i.e. installing all drivers from scratch, will enforce the new rules from Windows 10 version 1607... Be warned, if you need to do a fresh install of Windows 10 in the future you might find that your existing drivers are rejected.
You cannot imagine how excited I am to be submitting my drivers to the Windows Hardware Developer Center Dashboard portal. Talk about boner killer.
For 97% of Windows 10 users (yes, I made that figure up) this is a total non-issue. It may even be a benefit to protect them from themselves. Many can't distinguish between safe and not so safe web sites from which to download programs and such. These folks may not even know how to uninstall drivers that don't uninstall automatically when a related piece of software is uninstalled. If you are a registered developer, this isn't an issue either as MS gives you a way around it.
For the rest of us, well, there aren't enough who haven't already migrated to iOS or Linux so MS doesn't give a shit.
Microsoft answer!
134340: I am not a number. I am a free planet!
How is Microsoft going to be able to securely distinguish between drivers that existed before an upgrade and those that were installed afterward? I imagine that someone will quickly figure out how to get their driver to show up as previously being installed.
Right now, if secured boot is off, this policy doesn't kick in. That may change of course. For the vast majority of Windows users, this is fine, but for power users, kind of a pain.
To run older drivers:
"(...) In addition, if Secure Boot is set to OFF, then drivers signed with existing cross-signed certificates will continue to be valid."
https://blogs.msdn.microsoft.com/windows_hardware_certification/2016/07/26/driver-signing-changes-in-windows-10-version-1607/
Thanks for not even giving people the choice to run an unsigned driver, since there's lots and lots of hardware out there that will instantly be made 'obsolete' by this policy.
Just cruising through this digital world at 33 1/3 rpm...
Does this break TrueCrypt? If so, all is lost.
If the submitter is proposing that the xkcd comic about having your admin account be separate from your user account...
He's not. And you don't log in as Administrator to do your online shopping, either. At least, I hope that you don't.
Il n'y a pas de Planet B.
But I'm worried I'll be completely screwed next time I need to do a Windows reinstall.
Thank goodness that sort of thing never happens. No one EVER finds it necessary to reinstall Windows!
#DeleteChrome
That's what's so ridiculous about the whole thing. The stuff that's insecure is left wide open. It's like making sure the shed door is triple bolted but only having a chain latch on the front door.
Also, Submitting drivers to the Dev center now requires EV CODE SIGNING CERTIFICATE.
Even though Microsoft will sign the final result, you have to have an EV CERT from a small list of approved CAs to sign your code before their portal will sign it per the new policy.
In case you have not noticed, the cheapest of the EV Certs is $1000 a Year; Only organizations can obtain these certificates, not individual developers.
Also, all EV Code signing certs require Smartcard/Token-Based Storage of your certificate's private key to ensure credentials cannot be shared, and you cannot automate the digital signing process.
This is a move to make sure Open Source software developers and individuals cannot produce Kernel mode drivers.
No. MS wants to "xbox" Windows. MS actually hates lusers. So, rather than trying to find a happy medium, where we lusers still feel like we have a modicum of control of our systems, no. MS wants to control it all, just like Xbox.
How many independent Xbox apps are there? I'll argue, none. MS could snuff Netflix. Right now, Netflix attracts users, so it isn't in MS interests to hijack Netflix too bad on Xbox. But Netflix writes to MS' rules on Xbox. Comcast (aka Universal Studios...) as a content license owner could easily get MS to effectively reduce Netflix's app to oblivion once Comcast figures out a better business model with MS (that has enough sideband $$$ coming to MS, so that MS feels confident they can afford to "lose" to Netflix at some point in court...)
I guess I saw this starting to happen in the 90's. Stewart Allsop did too back then, too.
The scales are finally tipped in MS' favor to finally start doing it. We're more or less conditioned to it now: cell phones, the Apple way, Xbox, etc.
Windows 7 is/was the last freedom-enabled OS from Microsoft.
Actually I think they are in cahoots with the movie and music ownership industry. This move is all about enforcing DRM.
Intel and AMD want Microsoft to make the OS have CPU busting features .. Like I dunno 3D animated window management, voice control, fingerprint recognition etc.
But this driver move, it seems entirely dreamt up by the DRM crowd. They don't want you to play any video or music that may be similar looking or sounding to anything they own. I mean the browser industry sold out already. How come when ads play in a browser the player controls are limited?
It's about lock-in and lock-out.
Lock you into their ecosystem, and lock out anyone who they deem as "undesirable". That definition can mean what you think it means.
Apple did the same with El Capitan...
Give it a year or two, and there won't be any way to install OpenOffice, GIMP or any other free Software .. just like GPLed Software isn't allowed in Banana AppStore (read Apple)
Important question 1: will this improve the quality of drivers on MS Windows?
Important question 2: will this provide any additional benefits for the "average user", e.g. keeping them from borking their systems?
It is a shame for there to be less user control over the OS, less hacking possibilities. It seems to me we are heading to a future where there will be very locked down systems for general use, and open systems that will allow user hacking (such as Linux). Perhaps that is not so bad.
I'm not in front of W10 right now, but is it in compmgmt.msc? You used to be able to do it via that
1. Upgrade: MS wasted tens of millions of manhours worldwide with their all-but-forced upgrade
2. Telemetry: They listen to you using your computer
3. Ads: They push ads at you via the OS, taking over what remains of your attention span
4. Kernel Mode Drivers: No more can your programs manipulate Windows 10 internals (bye bye www.colinux.org)
5. UEFI Secure Boot: No more can you boot another OS on a Windows 10 tablet or mobile device. For now, you can do so on a desktop, but manufacturers now have the 'option' (wink) to remove this 'security risk' (nudge).
KERNEL MODE drivers? What the #### is a PRINTER driver doing in KERNEL mode?! If you think about it, there's no reason for that. (Kernel mode is the base 'part' of the operating system, where performance really matters and part of the base structure of the OS. Printing, on the other hand, is nowhere near as performance critical as, say, video card rendering or memory management, so most operating systems push printing out of the kernel into user-space. Linux kernel, for example, has nothing to do with printing other than supporting USB or parallel port communications.)
Anyway, printer drivers won't be affected as the programmers at Microsoft have blocked kernel mode printer drivers by default since Windows Server 2003 (and Windows 7) and completely removed all ability to load them since Vista. (They've added print driver isolation, where print drivers are forced into their own process rather than being a DLL loaded into each program; that's sadly an opt-in per system feature as far as I know.)
So, yeah, people have been warned about this for literally thirteen years (since 2003), and have not been able to load kernel mode print drivers since the end of 2006 when Vista was released, nearly ten years ago. Any printer that works (at all) on Vista or above will not be affected by this.
> Any good WINE tutorials out there?
I'm sure there are; yet over 17 years on Linux I've used WINE roughly twice. Normally, it's not the best solution.
Do you typically use emulation to run the Linux versions of most programs on Windows, or do you run the Windows version on Windows? Running the Windows version on Linux doesn't normally make sense - on Linux, run the Linux software.
A lot of daily use software brands are compiled for Linux, often developed for Linux FIRST, then ported to Windows. Firefox, Chrome, OpenOffice/LibreOffice, etc are all available native for Linux.
If the specific brand of software you used to use is Windows-only (and therefore probably proprietary), there is probably other open, free software that does the same job on Linux. Unlike the Windows software, the software designed for Linux doesn't include telemetry, onerous licensing, etc. For example, rather than MS Outlook, there are dozens of other email and groupware programs for Linux. Sylpheed Claws / Claws Mail is one.
The single software package most often mentioned as a counter-example is Photoshop. If you're a professional graphic artist, you'll probably be happiest with a Mac. If you want to adjust brightness and color curves of your snapshots, or do any simple to moderate photo editing, you can use one of the tools used by Dreamworks and ILM - Gimp. True, Gimp is not exactly the same as Photoshop. However, Gimp is powerful enough to be used by major Hollywood effects studios.
You are allowed to disable theirs though. It's two separate options afaik, but you can turn off both the protected filesystem and signed kext requirements.
I'm just waiting for hacks to circumvent this.
But this strategy can mean that you can end up in a Catch-22 situation for some computers - if you need an unsigned driver for the specific computer in order to install Windows 10 because you do it on a computer with unusual hardware.
The lock-down will soon cause more trouble than it's worth for many, even smaller companies. Desktop Linux will start to look more interesting now.
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
If what is written further below, so can you here. But I get it, it's easy to puke on Microsoft. You wouldn't sadden all the Apple fanboys around here...
"So run an older build?"
I'm not a gamer, so I was able to ditch Windows many years ago. But my impression is that if you have network cable attached to your Windows PC, MS is likely to sneak in in the middle of the night and upgrade your older build to a newer, shinier, more secure, version whose only problem will be that it won't work. (Nothing more secure than a computer that won't run, right?).
Not so?
You can't see ANYTHING from a car, You've got to get out of the goddamned contraption and walk...Edward Abbey
I'm using windows 10 and I cannot figure out how to change a user's password.
The Anonymous Cowards who responded to you have given you the correct answers. It should be noted that the method for administering other local accounts has not changed since Windows 2000. You still use Control Panel->User Accounts as you did back then, although the method of getting to the control panel has changed over time. In Windows 10 you right click on the start button and choose it from the pop up menu.
The command line version of "net user username NewPassword" has not changed at all since Windows NT 4.0 (19 years ago). Of course, if you are not used to Windows then it is quite reasonable that you wouldn't know the command to use, any more than a Windows admin would magically know to misspell the word password on Linux.
I'm trying to think when was the last time I re-installed Linux. It's... ah... um... actually, never. Except for experimenting with alternate distributions, entirely my choice.
When all you have is a hammer, every problem starts to look like a thumb.
MS has mighty powerful crowbars, you know...
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
I'm using windows 10 and I cannot figure out how to change a user's password. If I were on linux or mac, I'd just type passwd username. But there seems to be no way for an admin to change a users password in Win 10. Am I missing something?
Have you not pressed control-alt-delete and clicked on change password? Or right click on computer and go to manage/local users and groups/Users and then right click on the user and select Set Password? [though this option was removed from home edition LONG ago]
I can't speak for the original Xbox, but the Xbox 360 has a pretty respectable library of indie third-party games that can be installed through Xbox Live. In fact, the third-party indie games on my 360 outnumber the retail-boxed games about 3 to 1.
Unholy Heights is a riot.
http://xbox.com/indiegames
Or being no longer in business. Or being an indie developer that doesn't have the money pay for MS' protection fees.
"Free" OS upgrades, forced telemetry, driver signing protection racket. Sound like a scam to you? Move to Linux. Hell, move to DOS. Just get the hell away from Windows.
> hacks to circumvent
Windows users will put up with anything.
While the posters here are correct (at large) please don't forget that at the same time, MS has always been urged to close malware attack vectors. So, as Master Yoda would put it: Do or do not. There is no "/. won't complain".
bickerdyke
Thanks to this, windows 7 will be my last windows OS.
I thought you need signed drivers at least since windows 7 and this is one of the reasons why for example andlinux isn't available anymore?
I'm trying to think when was the last time I re-installed Linux. It's... ah... um... actually, never. Except for experimenting with alternate distributions, entirely my choice.
Every time I get a major release (not an update) I find it quicker and less hassle to do a fresh install but then I do have a very good filesystem layout which allows me to distinguish between system files which are deleted and personal files which aren't impacted. A fresh install takes me around 20 minutes with an extra 15 to 40 minutes getting additional packages and some basic housekeeping after which I have a fully operational system. Granted that an update may take up to an hour (depends on the network) but I can still fully utilise the computer while this is happening and I will reboot the machine at my convenience.
Personally, I like Fedora with KDE (now running version 24) which gets a new release every six months or so. However, if you like other distros such as Ubuntu or Mint and have a reasonable idea what you are doing you can easily do what I do. What is important is to clearly distinguish your system filesystems and your personal file systems and "document" any housekeeping you may need to perform (keep a copy of /etc is a good start) such as user information and additional packages you wish to install that are not in the "Live" distribution.
Even if you have forgotten one or more packages you can very quickly get them either by command line ("dnf install" for Fedora or "apt-get install" for Ubuntu and Mint) or just use the package manager GUI.
Try to do the same thing in Microsoft Windows (although it is possible) and it can be hellishly messy especially if you have to get all your other non-Microsoft applications and re-register them.
There ain't no such thing as proprietary standards only proprietary formats. Standards are by definition open.
How do you think PC component and systems manufacturers are going to react to Microsoft attempting to turn them into an effectively captive market?
There's an unholy alliance brewing around Linux, and one that Microsoft isn't going to be able to do anything about, and with the proper support and app-as-a-vm style infrastructure, it's something they are going to be hard pressed to do anything about.
Microsoft is walling themselves in.
Let them.
Funny, as that's also my experience with my own windows.. But I had to reinstall Ubuntu a couple of times after an upgrade (so the upgrade fubarred it, so I just reinstalled the new version) to get my development environment working again..
Seriously. Windows is now an utter pile of shite. Other than running old programs there is zero reason for anyone with a clue to run it.
Bring on ReactOS version 1.0 then we can put Windows where it deserves to be. In the dustbin of history.
Win+X -> select control panel -> user accounts -> user accounts -> change your account name (if it is the logged in account you want to change, else: -> manage another account -> select account -> change the account name)
Why MS doesn't have the alternative in the settings app I don't know. Probably afraid to confuse users?
The reason I know how to use passwd is that I read about it in a manual over 25 years ago.
So the next time Kaspersky finds a properly signed rogue driver we would know that the hardware vendor was cooperating. Would it create a liability?
I reinstall Windows as often as I do Linux. No, thinking about it in fact I reinstall Linux more often.
Or just realize how often shitty drivers fuck up Windows installations. The reason Windows has bettered its reputation of being unstable isn't so much that MS code quality has improved, it is because MS has tightened up the driver situation. The vast majority of bugs causing crashes are in 3rd party device drivers.
So instead of making things up in your mind how about following logic and accept that too many lusers install unsigned* crappy as shit drivers and then blame MS when their system becomes as stable as an M1 tank balanced on the Eiffel tower?
(* unsigned isn't of course necessarily crap but often is)
I am not a fan of the fact that you need to spend big money on an expensive certificate, more money on setting up a legal entity that will satisfy those organizations who can issue the right EV code signing certificate that Microsoft will accept and even more money on all the required hardware to actually test your driver or what it means for open source software but this move DOES have some benefits.
It reduces the amount of crappy drivers out there (both because of the testing and because entities who are making crappy drivers tend to be the ones who don't want to spend the money on certificating and signing).
It also makes it harder for anyone wanting to create kernel level malware since either Microsoft will refuse to sign it in the first place or Microsoft will revoke the signature (and blacklist the creator of those drivers).
The increased requirements in terms of the code signing certificate you need to submit drivers to Microsoft also eliminates problems with rogue code signing certificates (i.e. all the times when a code signing certificate was stolen from a major hardware vendor and used to sign malware or other bad things)
I do wonder what this means for government/law enforcement/intelligence agencies though. We know from various leaks and other things that governments and their agencies have used kernel drivers (or things that can only be done with kernel drivers even if it's not actually explicit that kernel drivers are being used) as part of their spying/hacking/law enforcement efforts. Will the NSA be given the ability to sign a kernel driver that can run on a standard Windows 10 install? What about the Chinese Government (the censor-ware they wanted to force PC manufacturers to install on new PCs almost certainly requires kernel-level code to do the things it does). Or the German Bundespolizei? (the spyware they have reportedly used to spy on things like Skype may well need kernel code in order to do its job)
"Nadella has altered the bargain, every couple of weeks for the past two years. What the fuck makes you think he won't alter it farther?"
So Nadella is Darth Vader? Does that mean Gates was Palpatine?
Pain is merely failure leaving the body
I don't understand how the user is locked in through driver signing, but it makes lots of sense to lock out people publishing faulty drivers on forums and pirated stuffs. Now if drivers are also malware, the vendor can be punished, via legal means, public shaming, or banishment. They can take their drivers to unsigned Linuxes.
But my impression is that if you have network cable attached to your Windows PC, MS is likely to sneak in in the middle of the night and upgrade your older build to a newer, shinier, more secure, version whose only problem will be that it won't work.
You can always block Windows Update completely and stay frozen at your current version. So if you don't want the Anniversary Update, then you have to block all updates in the future. As the OP said, it is worrying what would happen if a reinstall was required though. Keeping a backup image would be the best bet.
And Ballmer was a shaved wookee.
Blank until
You can run sigverif from CLI to check to see what drivers are currently being used on your system not signed by Microsoft.
I welcome any legitimate reason for this behavior requiring Microsoft cross signing when secure boot is enabled. Currently I'm at a loss to come up with one.
It seems when secure boot is not enabled all signature validation can be bypassed by malicious code one way or another if you have admin rights by changing boot settings using bcdedit and rebooting or a million other approaches given admin level access. Signature checks don't have much bite in the real world with secure boot disabled.
With secure boot enabled any effective bypass of driver signature validation is a security bug. Since only the kernel's trusted databases are used for driver signature validation (regardless of secure boot setting) cross signing to MS is redundant. This is especially true given the blessings seem to be superficial at best and probably nearly fully automated given cross signing does not currently cost money.
Most likely reason for MS to do this I've been able to come up with is that without MS control anyone who develops a kernel driver and gets it signed by one of the supported CAs can break out of a Microsoft walled garden on systems where secure boot is being enforced against the user.
Even if you believe any and all measures to lock down kernel access improves security and therefore unconditionally good regardless of any other considerations... I still fail to see how any actual locking down is being accomplished here as the MS blessing is superficial and adds nothing. Any malicious actor able to develop a kernel driver and obtain an EV cert is almost certain to also obtain blessing of Microsoft.
The only "benefit" seems to be MS getting a vote to stop execution of drivers paving way for restricting usermode execution against users. (See Windows RT and Windows Phone)
From Microsoft's FAQ: "Enforcement only happens on fresh installations, with Secure Boot on, and only applies to new kernel mode drivers"
In other words, disable secure boot and it's business as usual.
From my point of view, this increases security for the vast majority of users who just buy a computer in a store and need to be protected from themselves. If you don't know enough to disable secure boot, you probably have no business installing unsigned kernel mode drivers anyway. But if you do, you can.
win8 had a mode you had to boot to get unsigned drivers.
does this mean win10 anniversary edition doesnt have that option?
and think back to what bullshit ftdi pulled.
also, some way must remain unless they make you get a special windows version for driver development or to be developing with a connection live to ms. chip devs would crap their pants about that.
Or, you know, it's to prevent viruses and other such garbage that has plagued windows for years and years, to be able to boot up with windows by masquerading as a driver?
I see nothing wrong with this. If anything it will force manufacturers to get their sh*t together and stop releasing buggy half baked drivers.
Doesn't it violate US antitrust law or some other anti-monopoly regulations?
In the New Amerika, no reasonable prosecutor would bring a case against Clint^W^W^WMS.
Welcome to the Corporate-Political Oligarchy.
(new word suggestion: "Corpoligarchy")
Strat
Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
Will this disable OpenVPN (and maybe other VPN software)? Last I checked, they relied on an unsigned virtual network driver.
super micro and other will not give in and go MS only. At least if only on server / workstation boards.
Microsoft is getting closer and closer to the walled garden.
but since this is Slashdot:
M$ = bad
Apple = good
You're right, of course. They won't. But what about the consumer laptops and PCs? All those people who just get something from PC World made by HP or IBM or Asus?
How many people here first learned linux by installing it on a hand-me-down machine? How many repurpose old PCs as media centers, routers or home servers?
It's quite possible that in ten years, if you want to run linux, you'll have to pay extra for parts intended for a real business server.
https://blogs.msdn.microsoft.com/windows_hardware_certification/2016/07/26/driver-signing-changes-in-windows-10-version-1607
Trust me, as a driver developer, this has been causing me an immense amount of headaches, and Windows 10 is only part of the story.
But the blog entry has a key detail which nobody here seems to understand. Existing Drivers signed by a certificate that was issued prior to July 2015 will still be accepted by the kernel. What this means is that the new rollout is not going to cause the entire ecosystem of Windows legacy drivers to implode. If they were signed correctly for 64-bit Windows before, they will continue to work on Windows 10. Really, truly, I've tested this myself on preview editions of the Windows 10 AE
Where you get screwed is when a vendor needs to update a driver going forward. Then things get to be hairy. Logistically, signing became much harder, everything from obtaining a certificate to performing the actual signing. Pain. In. The. Ass.
Our company just released an update of our product just under the wire of when our legacy "gets a free pass" certificate expired so that we'd have some runway to incorporate the new driver signing nightmare into our tool chain. So we're good up until the next showstopper bug comes along, which fortunately is rare. You'll be able to use our latest release just fine on AE, even though it didn't get signed by Microsoft.
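To see which drivers on a machine would depend on the exceptions described in this thread (an upgrade instead of a fresh install, Secure Boot off, or a cross-signing certificate issued before the cutoff), the following audit is an added example, not code from the thread, the blog post or Microsoft. The `O=Microsoft Corporation` subject match and the 2015-07-01 default cutoff are assumptions standing in for "signed by Microsoft" and "issued prior to July 2015", and the function names are hypothetical.

```powershell
# Added example (not from the thread): classify installed kernel-mode drivers
# against the signing rules discussed above. Run in an elevated PowerShell 5.1+ session.
param(
    # Assumption: cutoff approximated from the comment "issued prior to July 2015".
    [datetime]$CertCutoff = [datetime]'2015-07-01'
)

function Get-SecureBootState {
    # Confirm-SecureBootUEFI throws on legacy-BIOS machines or without elevation.
    try { if (Confirm-SecureBootUEFI -ErrorAction Stop) { 'On' } else { 'Off' } }
    catch { 'Unknown' }
}

function Resolve-DriverPath {
    # Normalise the path forms the service database uses into a Win32 path.
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    $p = $PathName.Trim('"')
    if ($p.StartsWith('\??\')) { $p = $p.Substring(4) }
    elseif ($p -like '\SystemRoot\*') { $p = Join-Path $env:SystemRoot $p.Substring(12) }
    elseif ($p -like 'system32\*') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-DriverSigningClass {
    # Heuristic classification from the Authenticode or catalog signature.
    param($Signature, [datetime]$Cutoff)
    $cert = $Signature.SignerCertificate
    if ($Signature.Status -ne 'Valid' -or -not $cert) {
        return 'Unsigned or invalid signature'
    }
    # Assumption: a valid chain plus this organisation string means Microsoft signed it.
    if ($cert.Subject -match 'O=Microsoft Corporation') { return 'Microsoft-signed' }
    if ($cert.NotBefore -lt $Cutoff) { return 'Cross-signed, certificate predates cutoff' }
    return 'Cross-signed, certificate issued after cutoff'
}

$secureBoot = Get-SecureBootState

$report = foreach ($drv in Get-CimInstance -ClassName Win32_SystemDriver) {
    $path = Resolve-DriverPath $drv.PathName
    if (-not $path -or -not (Test-Path -LiteralPath $path)) { continue }

    $sig = Get-AuthenticodeSignature -LiteralPath $path
    [pscustomobject]@{
        Driver     = $drv.Name
        State      = $drv.State
        Class      = Get-DriverSigningClass -Signature $sig -Cutoff $CertCutoff
        Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        CertIssued = if ($sig.SignerCertificate) { $sig.SignerCertificate.NotBefore } else { $null }
        Path       = $path
    }
}

Write-Host "Secure Boot: $secureBoot"

# Summary first, then every driver that is not Microsoft-signed.
$report | Group-Object Class | Select-Object Count, Name | Format-Table -AutoSize

$report |
    Where-Object { $_.Class -ne 'Microsoft-signed' } |
    Sort-Object Class, Driver |
    Format-Table Driver, State, Class, CertIssued, Path -AutoSize
```

Drivers in the "issued after cutoff" and "unsigned or invalid" classes are the ones to verify with the vendor before a fresh install of version 1607 with Secure Boot on.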
I remember using windows 8 and having issues with unsigned hardware drivers. There were some work arounds but they weren't pretty. In my case the drivers were for an internally produced dev board with restricted distribution.
Did you check that link before you posted it? I'm getting page not found errors on it. (kind of ironic)
Player controls are limited when Ads play, because you are accessing content that costs money, time, resources, and energy to create. You need to pay for that, because I'm not putting up content so you can enjoy for free without giving anything back. Unless you're willing to pay my mortgage, bills, alcohol purchases, and otherwise buy me whatever I want whenever I want it, you owe me to view my content. If you don't want to pay by watching the ad that I make very little off of, then don't use my content. Don't look at it, don't watch it, don't think about it. In return I won't worry about you. I'm entitled to be paid for what I say my stuff is worth. The only entitlement you have is to decide you don't like my price and not use/consume/access my content then. DRM exists because of freeloaders who think that they're too good to pay. They have no concept that life isn't free and I don't give a shit if you're too poor. Get a real (or better) job if you can't afford my stuff or go and use someone else's stuff. It's my right to be paid for the work I do. It's not your right to not pay.
If what is written further below, so can you here. But I get it, it's easy to puke on Microsoft. You wouldn't sadden all the Apple fanboys around here...
Actually, the toughest part is the tapdance you have to do to tell us that it is an excellent thing when microsoft does it, but stupid hipster shit when Apple does. Chill if you will
By the way, if getting around it is as easy in W10 as it is in OSX, it's a non issue for either.
The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
Sounds plausible to me, but to answer GP:
I don't think Intel and AMD have anything to do with this, as it is a move by Microsoft to demand signing of Windows drivers. CPU design is not really involved here, although the goals of this move may have some overlap with the goals of introducing TPM.
Also, both Intel and AMD have so far been reasonably supportive of Linux development, which suggests they are not trying to help Microsoft control all PC hardware.
This said, people who have an interest in tinkering with their OS should probably switch to Linux or BSD entirely instead of trying to somehow keep Windows from locking them out.
C - the footgun of programming languages
As an owner of a computer service company who works on everything from residential to multinational corporation computers, I can say that I have not run into driver based kernel space malware more than a couple of times since I started my company in 2001.
This will not prevent hardware makers from releasing buggy drivers. It has absolutely NOTHING to do with the quality of the driver.
This is simply a means to force consumers to purchase NEW hardware to replace their old reliable still working fine piece of hardware because there is no longer a driver for it. It is simply a way for MS and their partner hardware manufacturing companies to separate consumers from their money.
The Linux rebel alliance may have just gotten a boost.
"Brave words. I've heard them before, from thousands of species across thousands of worlds, since long before you were created. But, now they are all Borg."
I really doubt that's it. The next version of Windows 10 includes a provision to kill off the ability to disable certain "features" (or more specifically, annoyances) and it would make sense if they want to enforce that, and things like telemetry, by banning CA signed drivers.
You missed the point of the comic.
The point of the comic is that almost all malware runs without admin privileges. So heavily restricting driver management to the admin account is not a huge security boon.
But when copyright no longer exists, you commit suicide. Is that a deal?
I am a freeloader, and it has multiple reasons, the most prominent one being that I don't want to be locked in to DRM and similar things.
I am fucking annoyed having to pay for a DVD that is noisy and where I have to watch ten unskippable promo videos and things I don't care about before I can access some stupid themed menu with stupid animations that clobber everything up and stuff.
I also don't like offerings like Netflix which still have things like country restrictions (damn it's the age of the internet now!, and no I am not in the US so I won't see things first and that's annoying) and most prominently DRM plus yet again some custom user interface. I want my user interface to be VLC, it has all I want.
Plus Netflix is a big brother. They know each movie I watch, and every moment I pause, and how long I watch and how often. I do not like that. I understand that it's important to collect statistics, but I'd much rather prefer where this stuff is opt in, not opt out. It worked before the internet age as well!
And DRM locks you in to a service. Think of Apple Music for example, you can't give your collection to someone else. Also, you can't e.g. "move" your purchased song to another service like soundcloud.
To still give the movie industry _some_ money, I go to the cinema and watch some movies there.
I admit that I enjoy not having to pay for content, but my main reasons for freeloading are that I prefer a model where I can use my own player choice and where I'm not being spied upon.
So the illegal way is not just free, it is much better in many regards, and I know that most people don't care about these issues as much as I do, so I am certain things won't change this fast.
I do want to access the content on a no frills basis. I want the content, and have free choice over my player, and I do not want to subscribe to some stupid service which has 10 times as much content as I want. Plus, I want the content on my disk, without DRM.
I won't switch until that happens.
Kind regards, a freeloader.
I think the problem is the UI for settings in Windows has changed slightly in the last several iterations. Start --> Control Panel --> User Accounts is no longer applicable to newer versions. Instead it's Charms bar and now "Settings" and "Accounts". Then under Accounts, it used to present all options to the admin including changing another account. Now it hides some of them under another menu or option. These changes by MS are somewhat frustrating as their push to simplify things makes it take longer and more clicks (and less obvious) to do what was easier to do in previous versions.
Well, there's spam egg sausage and spam, that's not got much spam in it.
Realize that there are many small companies working with specialized hardware that is produced in a few numbers.
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
This is a complete non-issue for anyone that actually needs to run unsigned drivers.
Hobbyist developer: Disable the setting in your machine, unsigned drivers work fine.
Business with obscure/legacy hardware: Generate your own signing key pair, sign the driver yourself then push your public key to all users machines by GPO.
Real driver dev: Generate local signing keys for test, get key from MS and apply to WHQL for release.
This is a security setting that is on by default, but easily disabled or worked around by anyone with the knowledge to safely do so.
Protip: Windows 10 is just like Windows 7. It has pretty much all the same features, and it has all the same dialogs... They are just hidden/superseded by the new Windows 10 interface, which was made to work on a touch-screen device like a tablet.
What I mean is: In Windows 7, you would make a lot of system changes in the Control Panel. Windows 10 would rather you use the "Settings" program to make the changes, but the control panel still exists, and it still works the way that you are used to. Same is true for Computer Management, Network Connections, and several other components. In fact, it's so similar, I don't understand how Microsoft can get away with saying that it's a new OS.
Desktop Linux will start to look more interesting now
It already seems to do. Netmarketshare.com shows Linux on the Desktop at 2.33% for July 2016, after 2.02% for June 2016. IIRC it was never over 2% before.
Statcounter also shows a recent upswing, although their numbers for Linux actually were better in 2015 than today.
Overall, I'm optimistic that we'll soon see a constant and consistent "marketshare" over 2% in the browser statistics. It would be a helpful signal to hardware vendors that tells them to make at least some products with decent Linux support.
C - the footgun of programming languages
cd/dvd = somewhat obsolete and there is some software that is loaded with disk checking DRM.
I suspect quite a few of those people you refer to do not actually know how to use Photoshop either, they just follow a procedure to "make x look good/cool" or whatever; if they knew what they were doing I suspect a google for something like for example "colour correction with gimp" would get them sorted out without much trouble for most cases. Well unless one of those steps (maybe the only one) was use plugin x and press auto (where the plugin name really did not give a clue about what the plugin did behind the scenes). Disclaimer: as is probably obvious I'm not a Photoshop or a gimp expert so please correct if/when I'm wrong
No. If that were the goal, then it would merely require that drivers be signed by the machine's admin or whatever parties they have signed as delegates, not such a distant third party as Microsoft.
"Believe me!" -- Donald Trump
blocking steam = anti trust and their apps are too locked down to work for most uses.
Now with they can have an app system that can be like steam with all of its mods / user content / workshop / etc then it can work.
But what about apps with map editors with their own EXEs they need to have apps that can be linked to another one / have more than 1 in the same sandbox.
Drivers as a source of viruses? Talk about unreasonable. The fact that Microsoft is Hollywood's BITCH is far more plausible.
A Pirate and a Puritan look the same on a balance sheet.
Just who are you trying to kid? Do you know who you're talking to? A rootkit doesn't need anything quite that low level.
This entire approach to the "problem" is like putting a band-aid on a bullet wound after the victim has already been shot full of holes. He never should have gotten shot to begin with.
A Pirate and a Puritan look the same on a balance sheet.
Android has 3rd party app stores and side loading.
Apple has lockdown and censorship
It would make far more sense to allow the end user to "lock" the drivers. This would also allow people and companies to make sure that a particular configuration OF THEIR CHOICE isn't screwed around with by anyone INCLUDING Microsoft.
Change control on a Windows box is a far more interesting problem.
A Pirate and a Puritan look the same on a balance sheet.
No. It just hasn't changed since the days of SunOS and Ultrix.
That "consistency" that some people like to whine about also matters between versions. The academics that like to make up these rules will tell you exactly the same thing.
A Pirate and a Puritan look the same on a balance sheet.
I was talking to an anonymous coward. Most rootkits I've dealt with intercept file-system calls to hide the files and the signature of the modified file. That requires kernel-level access. And they've usually been a modified ntfs.sys - tell me that's not kernel-mode. Sometimes kbd.sys.
...and all of that is unadulterated bullshit. The underlying operating system is FAR more dangerous because it's a piece of shit engineered to spy on the user. It's always been a piece of shit because Microsoft always puts marketing and other "business" objectives ahead of the product (far ahead). The only reason anyone uses their virus infested product is because they managed to corner the market in the days of MS-DOS.
The fact that the OS is swiss cheese is far more of a problem than "the user making the wrong choice".
If you've gotten to the point of showing such obvious contempt for the end user then you're doing it wrong.
A Pirate and a Puritan look the same on a balance sheet.
Or, you know, it's to prevent viruses and other such garbage that has plagued windows for years and years, to be able to boot up with windows by masquerading as a driver?
Actually the GP is right, and Microsoft calls it out themselves:
To play back certain types of next-generation premium content, all kernel-mode components in Windows Vista and later versions of Windows must be signed. In addition, all the user-mode and kernel-mode components in the Protected Media Path (PMP) must comply with PMP signing policy.
Besides, the only way to install kernel mode drivers is to be running as administrator. If malicious code is allowed to run on your computer with administrative credentials, you're already screwed in any number of ways. Installation of a kernel driver is just one avenue.
I see nothing wrong with this.
I see everything wrong with this. Microsoft is now dictating what software can be run on my computer. That alone is enough of a reason to vehemently reject this, but think also of the F/OSS software impacted. There are plenty of software tools out there which run a driver as part of their operation and not all of these will want to or be able to get their drivers signed.
I have been trying to decide lately if I'll ever bite the bullet and move from Windows 7 to Windows 10, or if I'll start looking at migrating to Linux. The decision just got a lot easier.
"What do you despise? By this are you truly known." --Princess Irulan, Manual of Muad'Dib
/)
prevent my decade old CueCat drivers from working
Scared me for a second, but no. It's an HID-compliant standard keyboard - no driver required.
What does this mean for VirtIO drivers? I have tried searching around and don't exactly understand - are there Microsoft signed VirtIO drivers that will allow Windows virtualization under KVM, etc...
The user lost his password. So he can't enter his old password to change it. I want to force a reset password as the admin but I cannot find any GUI path that lets me do this.
What I think is going on is it may be that WIN 10 won't let you change a password if the password is his Microsoft account password???
And when the user wants to reset his password on his own it directs him to log onto Microsoft account. He has no recollection of ever even setting up a Microsoft account so that's a non starter. I can see why this happened in hindsight. When you create a new user it first directs you to use your Microsoft account. Then if you bypass that it asks you questions and creates a Microsoft account for you! (there's a little unnoticed link off the end of the window visible on screen that lets you create a strictly local user).
Some drink at the fountain of knowledge. Others just gargle.
That's a really nice [graphics|printer|pointer|raid] driver you've got there.
Would be a shame if something ... happened to it.
-=This sig has nothing to do with my comment. Move along now=-
Link works for me.
It's my right to be paid for the work I do.
No, that's not your right, not at all. If someone wants your stuff, feel free to negotiate for some sort of compensation. That's as far as it goes.
Also, you are subject to a contract for releasing your work to someone else, that allows you exclusive rights to make copies. It's not a perpetual right - you only get it for a limited time. Once that time is up, anyone is allowed to make all the copies of it they want and distribute them as much as they like. Using DRM to restrict another party's ability to make their own copies is a breach of contract. If you want to enjoy the benefits of having grant of copyright, you must abide by all terms of the contract.
"Somebody has to do something. It's just incredibly pathetic it has to be us."
--- Jerry Garcia
In fact, it's so similar, I don't understand how Microsoft can get away with saying that it's a new OS.
They don't say that it's a new OS, just a new version of the same OS. They have built new features on top of the old version (and removed some too) as they always do, hence the same utilities existing since Windows NT 4.0 (and earlier).
I never said it was an excellent thing, I merely point out that when Apple does a thing, it's OK, when Microsoft is doing it it's evil. Double standard... [yet, it's probably the same hipsters who vote Democrat, so I'm not surprised...]
I never said it was an excellent thing, I merely point out that when Apple does a thing, it's OK, when Microsoft is doing it it's evil. Double standard... [yet, it's probably the same hipsters who vote Democrat, so I'm not surprised...]
That is an excellent non sequitur you have there.
The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
In Windows 10 home version you can do that?
Yes, I did it accidentally when I set my system up in my usual way. I always set my firewall to block all outgoing traffic and then create rules to allow the programs that I want to connect to the Internet. I was very surprised that Microsoft didn't include a default rule to allow Windows Updates to connect. I haven't bothered to look at how people block updates because I had to do the opposite and create a rule to actually allow updates - which I only enable when I want them to happen.
If the metered connection trick works then that would be easier for most people to set up. I don't see that it is a problem with it not being the intention of that feature.
What's a way for me to get paid for the work that I do and still release content that doesn't "annoy" you? Furthermore this method of release should also ensure that others are not, unfairly, consuming the work I do without paying me for my efforts. When you come up with a way to help ensure I get paid for each person who views my content then I'll happily stand up against DRM.
Wait... is this article saying that the trick for loading Microsoft-unsigned drivers under 64-bit Windows since Vista no longer works?
Microsoft's official documentation has definitely given the impression that drivers had to be signed by them in order for 64-bit Windows to allow their installation... but the REALITY (up until now, at least) has been that 64-bit versions of Windows would treat drivers that were signed by SOMEBODY... but not signed by MICROSOFT specifically... the same way 32-bit versions of Windows treated drivers that weren't signed at all -- a sternly-worded dialog warning against proceeding with the installation that could be swatted away and wouldn't bother you again.
In summary form:
1. unsigned drivers: 32-bit allowed after one-time warning, 64-bit refused outright.
2. drivers that were signed, but not by Microsoft: both 32-bit and 64-bit allowed after one-time warning.
3. drivers that were signed by Microsoft: both 32-bit and 64-bit installed without complaint.
Case "2" is the one of interest here. If Microsoft eliminated it with the new release of Windows 10, I'm going right back to Windows 7 if I find so much as a single driver that can't be coaxed into running. It would suck, because I've already spent the past 5 days tweaking Windows 10 to look kind of like Windows 7 (via ClassicShell and Glass8), but I'd definitely put the elimination of case 2 as grounds for abandoning it (and would probably be so disgusted, I'd make another stab at switching to Linux as my primary operating system).
This is simply a means to force consumers to purchase NEW hardware to replace their old reliable still working fine piece of hardware because there is no longer a driver for it. It is simply a way for MS and their partner hardware manufacturing companies to separate consumers from their money.
False. According to TFA, "Drivers signed with cross-signing certificate issued prior to July 29th 2015, when the initial policy went into place, will continue to be allowed." Translation--older drivers that worked before will continue to work.
Also, the new restrictions only apply when secure boot is turned on, something the submitter conveniently forgets to mention, meaning you can use any driver you want by simply turning off secure boot.
Okay, now tell us how many can be installed without Xbox Live.
In other words, you completely missed the point: everything on Xbox Live is only allowed to exist with Microsoft's permission. That is an evil and intolerable situation.
"[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz
...and all of that is unadulterated bullshit.
You keep believing that if it makes you happy. There are advantages and disadvantages to signed drivers. I pointed out some of each. If you can't wrap your head around this I can't help you.
The underlying operating system is FAR more dangerous because it's a piece of shit engineered to spy on the user.
Completely unrelated issue. Not disagreeing with you but it isn't related to the discussion here.
The fact that the OS is swiss cheese is far more of a problem than "the user making the wrong choice".
And allowing unsigned drivers solves this "swiss cheese" problem how exactly?
If you've gotten to the point of showing such obvious contempt for the end user then you're doing it wrong.
Actually I'm supporting the (typical) user if you bother to actually read what I wrote. There are advantages for *some* users to having Microsoft (or Apple) curate drivers and there are some meaningful disadvantages too. Whether you favor one or the other I leave to you. I can say that for many people, leaving it to the end user is a pointless exercise because they won't understand the difference.
I'm not totally versed in the politics of getting MS to sign your drivers, so apologies if this seems like a dumb question - what if, say, MS didn't want to sign software drivers for OpenVPN TAP/TUN network devices (let's say they just rolled out their shiny new VPN software). Or basically any other driver, hardware or software - Can they just say, "no" to OpenVPN, then OpenVPN team (or whoever else) is SOL? If true, that basically means MS has a complete, Apple-like stronghold over the hardware (and lots of software that utilizes driver framework to function) that runs on Win10+.
It is pitch black. You are likely to be eaten by a grue.
You can disable MS's driver restrictions by turning off secure boot.
False. Microsoft is saying that if you do that, playback of DRM'd media will break. Therefore:
Developer who makes software to enable users to exercise their Fair Use rights: screwed.
THIS IS THE PROBLEM.
"[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz
> No, that's not your right, not at all.
Yes, yes it is. I own the work. That's exactly like me coming up to you and stealing your wallet. You don't "own" that wallet. You don't "own" those credit cards that I'm going to use to fund my vacation with. In fact you should be perfectly fine with identity theft - I mean you don't exactly OWN your credit score either. So what's your mother's maiden name, ID numbers - any ID, usernames/passwords to any account (you don't own those either)?
> If someone wants your stuff, feel free to negotiate for some sort of compensation.
I did: I made this, you must pay me $XXX.XX for it, otherwise you can't view it. That's the negotiation. Otherwise you can walk away and NOT view my work.
> Also, you are subject to a contract for releasing your work to someone else, that allows you exclusive rights to make copies. It's not a perpetual right - you only get it for a limited time.
"If you buy this work from me, you agree that I retain all rights of distribution and copying in perpetuity until such time that I give you written notice terminating this limitation from this sales contract. In all other cases you agree that by purchasing this product to agree to the terms and conditions set forth herein. Furthermore both parties agree that the jurisdiction in which this contract exists shall be under the jurisdiction of the United States and that contractual disputes must be filed in the proper jurisdiction."
That would be a sales agreement example stating you agree to my terms to access my content or the purchase simply doesn't go through. Contracts are a beautiful thing.
> Using DRM to restrict another party's ability to make their own copies is a breach of contract.
I've seen no court case that has ever said this. DRM is a method in which I may, as the owner of the work, ensure that the viewer/consumer of my work has actually paid for my work. You're free to not purchase my work and its DRM. That's the beauty of the market - I'm not forcing you to choose me.
Control Panel -> User Accounts is very much still there and lets you do more than Settings -> Accounts does.
tar -xzf [archive name] -C [install location]
Works everywhere.
Now, the different distros do also have their own package managers that handle dependencies and such, but that's separate from (even if often in place of) manually installing the software. Oh, and that's been the command for 36 years.
APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
It's a non-issue for older computers. If secure boot is turned off, you can use unsigned drivers. Older computers that don't even have UEFI don't even support secure boot.
The point of the comic is that almost all malware runs without admin privileges
That certainly wasn't true a few years ago. In my experience it always tries to do something which requires admin perms. That's how my family has caught onto the fact that something is amiss. They're not doing anything which should require admin perms, but would keep getting UAC prompts, which they would then deny.
yep. it shows it as an e-mail.
I've tried accessing his local files too, so I can copy them to a new (strictly local) user account but so far the computer has resisted this. Does it also lock your local files away from the admin?
Good golly this is really diabolical.
Some drink at the fountain of knowledge. Others just gargle.
How long do you expect it to be before Windows 10 will no longer install/run on non-UEFI machines, and refuse to boot if you toggle UEFI off?
I'm not repeating myself
I'm an X window user; I'm an ex-Windows user
Yes, yes it is. I own the work. That's exactly like me coming up to you and stealing your wallet. You don't "own" that wallet. You don't "own" those credit cards that I'm going to use to fund my vacation with. In fact you should be perfectly fine with identity theft - I mean you don't exactly OWN your credit score either. So what's your mother's maiden name, ID numbers - any ID, usernames/passwords to any account (you don't own those either)?
That's the worst analogy I've ever heard or seen. You must think that your shit don't stink. In fact, it's mine that doesn't stink. In fact, it's beautiful. And I produced it, so you must pay me. It doesn't matter what you think of it, I put a lot of work into producing that gorgeous log, and I expect to be handsomely rewarded for all the work I did creating it! (this is what you sound like).
"If you buy this work from me, you agree that I retain all rights of distribution and copying in perpetuity until such time that I give you written notice terminating this limitation from this sales contract. In all other cases you agree that by purchasing this product to agree to the terms and conditions set forth herein. Furthermore both parties agree that the jurisdiction in which this contract exists shall be under the jurisdiction of the United States and that contractual disputes must be filed in the proper jurisdiction."
That's not what you get. You don't get that. Only idiots would agree to it. Also, it's not a sale.
I've seen no court case that has ever said this.
There doesn't need to be a court case. It's codified in Federal Law Regulations. Any case arguing against the exemption would be thrown out in summary judgement.
DRM is a method in which I may, as the owner of the work, ensure that the viewer/consumer of my work has actually paid for my work.
Forever? Always? Is it phone home? Is your service escrowed to ensure that the viewer/consumer ALWAYS has access to the work they paid for, even when you and your company is gone?
DRM is an inherently weak system because as long as you have root on your device, you can break it. Perhaps it will take some serious reverse engineering effort, but it's always going to be breakable, because in order for you to consume the content in the first place, your device needs to decrypt it.
Unbreakable DRM requires compromising our ability to have access to our own devices. And that's the biggest flaw of all. So, yea, I don't want my credit cards taken, my ID stolen, my user ID and passwords to everything being accessed by someone else. But if someone else "owns" and has root control over my devices but I do not, that's exactly what you're asking for.
Nobody's anything is worth giving up my ability to keep my information secure.
"Somebody has to do something. It's just incredibly pathetic it has to be us."
--- Jerry Garcia
I was talking to an anonymous coward. Most rootkits I've dealt with intercept file-system calls to hide the files and the signature of the modified file. That requires kernel-level access. And they've usually been a modified ntfs.sys - tell me that's not kernel-mode. Sometimes kbd.sys.
FYI - you don't need Kernel-level drivers to do that. It helps but it's not necessary; there's enough hooks into the kernel from user-space it can be done in userspace without issue.
Truth is like the sun. You can shut it out for a time, but it ain't goin' away. - Elvis Presley (source: imdb.com)
> And I produced it, so you must pay me. It doesn't matter what you think of it, I put a lot of work into producing that gorgeous log, and I expect to be handsomely rewarded for all the work I did creating it! (this is what you sound like).
If I wanted your log, yes, that is exactly the correct thinking. You made it and it's yours to sell or not sell as you so see fit. If you want to sell it, then it would be unethical, immoral, and illegal for me to take it without paying for it. You literally have not refuted my point in the slightest.
> That's not what you get. You don't get that. Only idiots would agree to it. Also, it's not a sale.
In this hypothetical case, it's an agreement you would need to agree to before you would buy my product. Absolutely you can think only an idiot would agree to it. But that's just an example of how I could retain certain rights to my work in perpetuity and as long as you're dumb enough to sign on the dotted line, I get what I want.
> Forever? Always? Is it phone home? Is your service escrowed to ensure that the viewer/consumer ALWAYS has access to the work they paid for, even when you and your company is gone?
Frankly it's not my problem once I'm gone. You seem to think that my desire to be paid for my work is silly and that people can just come and take from me whenever they so well wish with or without paying me for it. It's not even my "right" to be paid for the work I've done. Well that logic sort of reflects back to you on this question. If I'm dead, what are you going to do? Sue me? Ha. As if I'll care when I'm dead.
> So, yea, I don't want my credit cards taken, my ID stolen, my user ID and passwords to everything being accessed by someone else.
And I simply want to be paid for the work that I designed, created, and am now selling. But you're telling me I can't have that, but you should get everything you so desire. That's why people like me will always fight in favor of DRM. You have an entire generation of entitled, spoiled, children who believe that they shouldn't HAVE to pay me for my work. A lazy, entitled, spoiled generation who doesn't value hard work because THEY have never had to work hard to get anything/do anything OR because they've never been a creator of anything. They've only been a user, a consumer, and thus have no concept of how much work it takes to build something. You seem to want me to agree that your plight of "Duhh DRM bad" is righteous. I say, if you don't like it, don't buy a device with DRM on it - BUT IF YOU DO DO THAT don't be pissed because I decide to refuse to sell you my product(s). And don't get mad if I sue you and take all of the possessions you do own, if you decide to consume my content that I created that YOU didn't pay for.
It's hard to not side with the music/movie/software/gaming industry and at the end of the day IF you don't like it, it's not within your right to not pay for something that you SHOULD be paying for. Instead simply do not partake. Do not buy the product. Just be happy with fun games like BZFlag or Solitaire or Librewriter. AAA title holders will always need to be paid for their products.
It really doesn't matter if it's possible without it. It's done. It's out there - and there were a lot of implementations made. I'm not arguing whether there's some other way to do it. I'm arguing that there are real rootkits out there doing this - and that the AC who claimed 15 years of malware cleanup experience and never seeing one is probably just not doing good cleanup.
You seem to think that my desire to be paid for my work is silly and that people can just come and take from me whenever they so well wish with or without paying me for it.
Nope, I never said that. I said you don't have a right to be paid for your work. You can work your whole life and still get paid nothing. That's how the market works. Nobody gets paid for their work unless they're working for someone else as an up-front agreement, or they can sell something that they own. Sure, if you create something out of thin air, it's yours. It doesn't mean you have a "right" to get paid for it.
You literally have not refuted my point in the slightest.
I did. You claimed you had a "right" to get paid for your "work". You don't. No one does, unless agreed to ahead of time (and in that case, the person paying owns everything).
Frankly it's not my problem once I'm gone.
You made it your problem by your own "hypothetical" agreement. You want all the rights and none of the responsibilities.
And I simply want to be paid for the work that I designed, created, and am now selling.
Yea, and I want to get paid for my turd, too. Good luck with that.
But you're telling me I can't have that, but you should get everything you so desire.
You've already said that you can't be trusted. That you'll sell me something and then take away my access. You're a rent-seeker with no morals.
And your attitude and assumptions about me (completely wrong, BTW), proves that you will never be successful in business, because you can't create anything of value. You expect someone to hand over money because you "worked", whether what you produced is valuable or not. Well guess what, little snowflake, the world does not owe you a living.
Your right to a government-granted monopoly does not trump my right to protect my privacy. That's what it comes down to. You will probably die homeless, broke, and penniless. A sad could-have-been so wrapped up in his own self-worth that he can't ever understand why nobody else sees how great he is.
"Somebody has to do something. It's just incredibly pathetic it has to be us."
--- Jerry Garcia
Start -> Run -> control userpasswords2
This has worked on every version of windows since NT
Windows [whatever dumb name marketing comes up with for the next version] will probably only boot with secure boot.
But that's minor compared to all the other gaping holes in Windows security. Which points back to the media companies being insistent that security preventing unauthorized recording be given top priority. They've done this for years now, graphics cards have tamper detection for this reason.
Because the security with the drivers is small potatoes as that's not where the majority of malware get their footholds. If Microsoft cared about users and put their security as top priority, then they'd have years of work to do before they got around to drivers.
Let the device manufacturers sign the drivers but sign them with any trustworthy body. If you trust the manufacturer then you trust the device. Microsoft however is not a trustworthy body, they are the opposite of trustworthy.
This applies to drivers already installed when upgrading to Windows 10. Re-install (while secure boot is on) then you're screwed, or do a clean install.
"To summarize, on non-upgraded fresh installations of Windows 10, version 1607 with Secure Boot ON, drivers must be signed by Microsoft or with cross-signed certificates issued prior to July 29th, 2015."
Compare to browsers. You get a bad cert and it asks you what to do. You can select "yes, I really know what I'm doing", and if you don't know what you're doing you can screw yourself over. But the user has a choice here. People who know more than average are not treated as an undesirable class, and people who know less than average are protected.
Microsoft has a long history of removing choices and options with every release or service pack.
Which anyone with a brain should do (meaning anyone interested in using their PC for something other than Windows on it someday).
The only solution to this for me at this point is to look into any project forking windows. When I say forking, I mean cloning. wine has already made a start of it.
Someone should just submit a driver that exposes all kernel calls to userspace, job done.
They'd be cutting off a significant portion of their users. I can't see that happening for at least a few years, when non-UEFI machines are far less common than they are now.
And when it does happen, you won't have to worry about them pushing updates to your old machine that break stuff anymore. ;)
Exactly how would Microsoft remove the switch from your BIOS/UEFI?
This applies to drivers already installed when upgrading to Windows 10. Re-install (while secure boot is on) then you're screwed, or do a clean install.
"To summarize, on non-upgraded fresh installations of Windows 10, version 1607 with Secure Boot ON, drivers must be signed by Microsoft or with cross-signed certificates issued prior to July 29th, 2015."
You didn't read the very quote you included.
Drivers as a source of viruses? Talk about unreasonable
You misunderstand. It's not "that driver was a virus", it's "that virus installed a driver, and now there's no getting rid of it". It's the most straightforward way to make a persistent root kit.
Socialism: a lie told by totalitarians and believed by fools.
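The signing rule quoted in the thread, and the concern above about malware persisting through an installed driver, can both be checked on a running machine. This is an added example, not part of the thread and not Microsoft tooling; it assumes "signed by Microsoft" can be approximated by `O=Microsoft Corporation` in the signer subject and that the signer certificate's `NotBefore` stands in for its issue date.

```powershell
# Added example: list kernel drivers that would NOT satisfy the rule quoted in the thread
# (valid signature AND (Microsoft signer OR signer certificate issued before 2015-07-29)).
$cutoff = [datetime]'2015-07-29'

# Confirm-SecureBootUEFI throws on legacy BIOS systems or without elevation.
try   { $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) }
catch { $secureBoot = 'unknown' }

$report = foreach ($drv in Get-CimInstance -ClassName Win32_SystemDriver) {
    if (-not $drv.PathName) { continue }

    # Driver image paths may be quoted or carry an NT prefix; normalise to a Win32 path.
    $path = $drv.PathName.Trim('"') -replace '^\\\?\?\\', '' `
                                    -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if (-not (Test-Path -LiteralPath $path)) { continue }

    $sig  = Get-AuthenticodeSignature -LiteralPath $path
    $cert = $sig.SignerCertificate

    # Heuristic (assumption): Microsoft-issued signatures carry this organisation name.
    $isMicrosoft = $cert -and ($cert.Subject -match 'O=Microsoft Corporation')
    # Assumption: NotBefore of the signer certificate is treated as its issue date.
    $preCutoff   = $cert -and ($cert.NotBefore -lt $cutoff)

    [pscustomobject]@{
        Name       = $drv.Name
        State      = $drv.State
        SigStatus  = $sig.Status
        Signer     = if ($cert) { $cert.GetNameInfo('SimpleName', $false) } else { '(none)' }
        CertIssued = if ($cert) { $cert.NotBefore.ToString('yyyy-MM-dd') } else { '' }
        MeetsRule  = ($sig.Status -eq 'Valid') -and ($isMicrosoft -or $preCutoff)
        Path       = $path
    }
}

"Secure Boot: $secureBoot"
$report | Where-Object { -not $_.MeetsRule } | Sort-Object Name |
    Format-Table Name, State, SigStatus, Signer, CertIssued, Path -AutoSize
```

Unsigned entries or unfamiliar signers in the output are the ones worth investigating first; an empty table means every installed driver passes the check as modelled here.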
The most annoying thing about Windows is there is a ton of places where program data can be stored: The program's own directory (Program Files, Program Files (x86), and of course if you or the program is installed somewhere else), some place in the My Documents folder and variations on that same theme like My Games, in the User App Data folder, or even just in the User directory (I'm looking at you VirtualBox!).
And even if you happen to track down all of the program data files there is a high likelihood that some of your program settings were stored in the registry anyway so you are just going to lose those.
I've gotten it down to a science for my Windows reinstalls but it takes some doing.
Really, I know what I'm doing...Ohhhh, look at the shiny buttons!
A rootkit doesn't need anything quite that low level.
By definition a rootkit runs in kernel mode.
It's quite difficult these days on Windows to directly modify the kernel files to gain persistence, plus it's quite obvious that a key file has the wrong checksum. Much easier to have a driver that does whatever you want it to do, such as directly diddle kernel memory, or change a file contents between disk and user mode.
All of which come in pre-packaged malware kits, of course. Heck, it's probably the default for Metasploit for detection avoidance.
Socialism: a lie told by totalitarians and believed by fools.
Yes, a non-upgraded fresh installation of Windows 10 may be for older hardware that had at one time been upgraded. It's not only for new machines. Though to be fair, anyone putting Windows 10 on older machines probably deserves the results.
What? That doesn't make any sense. All they're doing is forcing drivers to be signed before installing them. How is allowing fewer drivers to get installed somehow going to increase the amount or severity of DRM?
Microsoft has done plenty of things to deserve hate and wrath, but Xbox Live isn't one of them. Xbox Live is probably the least-restrictive commercial app market out there... probably less-restrictive than Sony, and several orders of MAGNITUDE less restrictive than Nintendo.
How is this supposed to help users?
You know what I'm removing now from a Windows 10 machine? PUPS. "search protect", fake antivirii, fake popups, warning messages about "YOUR MICROSOFT COMPUTER" etc etc
Not loading signed kernel drivers isn't going to stop that!! Only running Linux will!
It's Microsoft's customized "404: Not Found" Error page. So yes, technically the link works in that Microsoft responds to it, but they're responding with errors in a way that obfuscates the fact that they're errors (much like a great many things from Microsoft). Viewing the link with an application like Fiddler2 or Postman you can clearly see that it's returning the 404 status instead of a 200.
It doesn't matter: it's still a first-party controlled market, with no alternative. There is no third-party market, and there is no "side-loading" (a.k.a., "the normal method of installing software since the dawn of computing"). That makes it exactly as evil as Sony or Nintendo (or Apple).
"[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz
You apparently are putting up content so I can enjoy it for free, by sending it out to anyone who makes a HTTP or HTTPS request. You are under no obligation to serve up content for any given request, and I am under no obligation to find out what you want before sending a request. There is no contract or agreement formed by sending or responding to a HTTPS? request. You may wish to have some additional features that require (technologically or socially) the reader to read the ad if you like.
I used to avoid using ad blockers, because I didn't want to cut off sites' revenue. That became a security risk I wasn't willing to take. I installed NoScript because I was willing to put up with some hassle to enjoy websites without allowing javascript exploits. That became impossible, as sites I was trying to use imported javascript from all over the place, so I could no longer distinguish between the site's javascript and the javascript from the ads. I installed one on my phone because mobile websites were becoming impossible to use due to the ads.
As long as ads were not security holes and would allow me to use a website normally, I was fine with them. As it is, I can't accept your ads unless you're willing to guarantee they don't have malware, and accept financial responsibility if they do. It's not that I don't have a job; in fact, since I have a well-paying job and significant savings, I'm a more attractive target for whoever provides ads to the person who provides ads to whoever provides ads to you. You're perfectly free to block me from your content if I don't accept your ads. Heck, you're perfectly free to put up a sign asking me to leave if I have an ad blocker on, and I'll either disable it for your site or go away.
What you are not free to do is assume that my web request is an offer of a binding contract that I'll do something in particular if you return content.
"When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
Typically, people who hack drivers have test machines that are not their primary computers, so they can have some stability for reading email and playing WoW. I'm sure there are some people out there who like to live dangerously, but they can still do that.
If the developer is writing drivers to break DRM, why would it be necessary for the OS to allow DRMed media to play?
At any rate, developing and distributing software to get around DRM is illegal. The big problems are WIPO and the DMCA, not what Microsoft puts into Windows.
"When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
My argument isn't against your kind of thinking. My argument is against those who believe that somehow, I don't deserve to be paid for my work. Yours is a technological concern: you don't want malware. My concern is more of an ethical argument. If I serve an advertisement or charge for my work, it is not up to you to determine that the value I am asking for isn't worthwhile, but that you feel entitled to consume my content/work anyways. That is the argument FOR DRM or FOR advertising - because there are people who believe that they should just be able to run Windows for free...without paying for it. And when you have an army of people who work, almost professionally it seems, to crack the latest DRM (not for money, but for "freedom") then it's hard for me to say "Gee, people will just be honest."
Other industries have methods to prevent theft. They can literally physically prevent you from leaving the store, can record your physical body, and other methods. I cannot do that with digital mediums - instead I have to rely on DRM to enforce my rights as a business to ensure that you are paying me for the work you are using. It's so bad that people will literally argue "I didn't steal anything - you still have your original work - you can only steal cars and physical stuff" as if their denying the income that I am entitled to isn't theft if nothing else in spirit.
I am not alone in this thought and I am not alone in hoping for harder and harder to break DRM. No I don't want it to be annoying - I want people to enjoy my stuff. I simply want what is owed to me based on the assumption that if I put a sticker on something to sell it, your only right as a customer is to get me to agree to accept a lower price - not pay me for what I'm selling (unless I agree to it).
Frankly it's not my problem once I'm gone. You seem to think that my desire to be paid for my work is silly and that people can just come and take from me whenever they so well wish with or without paying me for it. It's not even my "right" to be paid for the work I've done. Well that logic sort of reflects back to you on this question. If I'm dead, what are you going to do? Sue me? Ha. As if I'll care when I'm dead.
Aaah, see, now maybe you see why the rest of us don't care about you while you're alive as well.
If you serve up an advertisement, and require me somehow to accept it if I want your content, that's fine with me. If you serve up your content and insist that I have incurred an obligation of your choosing by requesting it, that's not. That's a distinction I want to make. Note that you can't tell, in the second case, whether I'm trying to get something for free or I'm rejecting ads for other reasons.
The web is in trouble. Up until now, ads have paid for a lot of things. There are hobby websites that are supported by an individual person, and there are commerce websites. Those don't need financial support. There's a lot that are expensive to run and don't actually sell anything (Wikipedia and IMDB come to mind), and that's where ad revenue really matters. There really isn't a good substitute. Microtransactions have been kicked around for a LONG time, and have never become actually useful. There's technological and social problems with them.
Unfortunately, ads have become self-defeating. There's lots of stuff that I simply can't access from my phone, because I'm not dexterous enough to navigate around the ads. There's malware out there, and nobody takes responsibility. I refuse to take the risk. I'm also not going to stop using the web, because it's too important. If a site promises to be reasonable with the ads, and I have some reason to believe it, I can whitelist it in my ad blocker. Other than that, I've got no ideas.
"When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
Oh I do use Linux. My main computer runs Windows though as that is required at least until ReactOS can replace it (which is probably never - *sigh*). Still have a Mint installation via a VM so Unix is never far away. Am trying out the Ubuntu for Windows thingy too...
Let's see, of the other computers I have Linux is installed on all of them (had a FreeBSD installation once - but I'm more used* to Linux). One computer uses Linux Mint (Old Dell Precision machine), one uses Elementary OS (testing if it's appropriate for my mother), one uses #! (very slow hardware - haven't touched it in a while) and the last also uses Mint (test machine w.t. an AMD Bobcat APU).
(* observe that I don't claim I'm near hacker level in either Linux or Windows, but I do have clues and can look up most things)
--
What I stated _is_ a fact and not "a random statement". Since Windows 7 I have had no need to reinstall Windows - upgrade sure but I don't count that as reinstallation (for any operating system). It is stable (one bluescreen IIRC due to a crappy Intel driver) and IME it doesn't "degrade" as is often claimed. I do make sure to keep the systems clean though, never allow crap to accumulate. While Linux distributions work most of the time sometimes strange things happen (e.g. hardware misidentified) and then a reinstall can help sometimes. Maybe I'm extremely unlucky, have a bad influence on my machines or live close to a source of ionizing radiation _but_ I'm not a liar!