Microsoft Says Windows 10 Version 1607 is The Most Secure Windows Ever

A new white paper from Microsoft claims that "devices running Windows 10 are 58% less likely to encounter ransomware than when running Windows 7". But an anonymous reader brings more news from Windows-watcher Paul Thurrott: in a separate blog post, it also makes its case for why Windows 10 version 1607 -- that is, Windows 10 with the Anniversary Update installed -- is the most secure Windows version yet. Improvements in this release include: Microsoft Edge runs Adobe Flash Player in an isolated container, and Edge exploits cannot execute other applications... [And] the Windows Defender signature delivery channel works faster than before so that the in-box anti-virus and anti-malware solution can help block ransomware, both in the cloud and on the client. Additionally, Windows Defender responds to new threats faster using improved cloud protection and automatic sample submission features, plus improved behavioral heuristics aimed at detecting ransomware-related activities.
Interestingly, the paper also touts Microsoft's "Advancing machine-learning systems in our email services to help stop the spread of ransomware via email delivery."

Security that the USER cannot control. . .

[Salgak1]

. . . .is not what **I** would call a selling point. Sticking to Win7 on my Windoze gaming box, and Ubuntu for my main box. . .

Re:Security that the USER cannot control. . .

[Salgak1]

And what of small businesses ? Medical practices ? Only the Enterprise Edition of Win10 gives any real control over security. Not controlling your own security will make things like, oh, HIPAA and PCI compliance problematical.

Claiming security controls for the public is like handling firearms without training ? Well, there goes Linux as a replacement for Windows, by your argument. . .

Re:Security that the USER cannot control. . .

"Security that the USER cannot control..."

As we still live in the age where the USER needs to maintain local administrative rights in order to support many 3rd party (read: corporate) applications, let me re-write your bashing title for you:

Security that MALWARE cannot manipulate...

And THAT is what I would call a selling point. They can tout their Defender anti-protections all day long, but when the zero day hits, reduced rights and an utter inability to fuck around with built-in security mechanisms ARE the last lines of defense.

Catch-22? Sure. That said, I'll take a lack of options over an ignorant click-happy user any day.

Re:Security that the USER cannot control. . .

[fisted]

That said, MS has labeled every version of Windows as 'the most secure windows' ever since computers are regularly networked. Geez.

Re:Security that the USER cannot control. . .

Not the same AC but I am a scientist in a corporate environment who does electron microscopy and x-ray microanalysis. We have a lot of hardware that requires Windows. Typically the software is a minimal part of the problem. I have hardware that still only runs on Win XP and Win 7. We have one system still Win 2000 and one on NT. They are all like the Energizer Bunny - they keep on going... The hardware upgrades would cost anywhere from several thousand to over $1 million because entire instruments would need to be replaced. We are specialists at getting parts from E-bay. We preserve jobs by letting our analytical needs determine our upgrade path, not Microsoft...

Re:Security that the USER cannot control. . .

[temcat]

Being a translator still kind of forces me onto Windows because of the lack of quality GUI OCR tools in the Linux ecosystem. (The commercial ABBYY engine does exist and is really not that expensive, but I need manual area selection and categorization, heuristics still suck big time.) That may change in the (not so distant) future but still is the case.

Re:Security that the USER cannot control. . .

[houghi]

I have no issue of the company doing the updates and users having no control. I do blind updates on my Debian as well. The issue is that you can't turn it off. If have not done updates because I have read there where issues, so I waited two days.

So Windows tries to be too clever for its own good.

Re:Security that the USER cannot control. . .

[Ol+Olsoc]

Um i think that more applies to crApple then microsoft since they can't do barely anything without something telling you no or keeping you locked in.

Examples?

Re:Security that the USER cannot control. . .

[fnj]

I have no issue of the company doing the updates and users having no control ... The issue is that you can't turn it off.

Consistency is the hobgoblin of little minds, eh?

Re:Security that the USER cannot control. . .

[dkone]

You can turn it off by setting the Windows Update service to manual and turning it off. If I had to put only on thing on my hate list for Win10 it would be the automatic updates and worse yet the automatic reboot. I constantly run with 10-15 open apps at any given time most as source references to my main app. Nothing worse then coming in in the morning, or even walking down to the kitchen to get water and finding you computer has rebooted.

FYBG

Re:Security that the USER cannot control. . .

[drinkypoo]

That said, MS has labeled every version of Windows as 'the most secure windows' ever since computers are regularly networked. Geez.

Odds are they're correct, but it never actually seems to become functionally secure, does it?

Re: Security that the USER cannot control. . .

[thundercattt]

Same here. Debian since 2002 here. Win 7 (using Never10) for gaming until Linux gets their act together on gaming. I still try to crowbar my games every now and then.

Re:Security that the USER cannot control. . .

[The-Ixian]

The issue is that you can't turn it off.

Actually there are a couple of things I have heard (not personally tested) that you can do:

1. Set local GP to assign your WAN connection to a metered connection - This works by telling Windows that your WAN connection is metered so that downloading anything will cost money. Updates will not be auto downloaded in this case.
2. Set WU to profile 2 (notify before downloading and installing any updates) - This works by telling Windows not to download the updates until authorized. If the update is not downloaded, it cannot be installed.

Re:Security that the USER cannot control. . .

[xxxJonBoyxxx]

>> Security that MALWARE cannot manipulate...And THAT is what I would call a selling point.

^^^ This, and Apple agrees. Anyone else remember the Mac commercials ripping Windows for asking a million indecipherable security questions (as MS phased in UAC)? The "invisible to user, hard for malware" security on a Mac was EXACTLY the selling point Jobs' team was marketing then.

Re:Security that the USER cannot control. . .

[chispito]

. . . .is not what **I** would call a selling point. Sticking to Win7 on my Windoze gaming box, and Ubuntu for my main box. . .

Is an iPhone secure, then?

Re:Security that the USER cannot control. . .

[Vlad_the_Inhaler]

Well - I am having a bunch of problems, both with my remaining Windows 7 install (I have some software there which does not run under later levels) and with my Windows 10 machine.

• Windows 7 updates have been bundled together for two months now. Unfortunately there was an update two years ago which could not be applied on my machine, I had automatic updates on back then and it was forwards - backwards - forwards - backwards completely automatically until I booted up into safe mode and turned automatic updates off. The bundled updates look to be including that particular patch so my Windows 7 is in a similar state to an ancient Win XP laptop lying around somewhere: Unsupported. I think I need to work out what the legal situation is here.
• My Windows 10 machine was dual-boot with Linux. Windows 10 broke that with the October update (or was it September?) and it is going to take a lot of time and energy to recover things, Windows 10 updates routinely and deliberately reset configuration values. Each time. Breaking things deliberately is not improved security, it is what Malware does. The only thing stopping me reverting to Windows 7 is that the machine prefers UEFI and that is a bear under Windows 7.

Microsoft seem to think that I bought my computers so I could experience the privilege of running Windows Update, the thought that I could actually want to run anything else on it has either not reached their consciousness or it is something they are actively trying to inhibit.

Re:Security that the USER cannot control. . .

[tepples]

Because on desktop and laptop computers sold in the United States, Windows is used as a substitute for an operating system far more often than a real OS such as FreeBSD or GNU/Linux is. One can walk into a Staples or a Best Buy store in the United States, and virtually every desktop or conventional laptop computer for sale will come with Windows. There are three categories of exceptions:

• Apple products, which run a GUI similar to GNUstep on top of a FreeBSD-derived operating system.
• Devices running Android, a smartphone-derived operating environment that uses Linux as its kernel but whose GUI enforces "all maximized all the time" window management. Android 7 "Nougat" begins to fix this, but most tablets don't come with Nougat yet.
• Chromebooks, which are designed to run a web browser and nothing else. If a more conventional GNU/Linux environment is installed, a Chromebook begs the user to wipe it and reinstall Chrome OS every time it is turned on.

Re:Security that the USER cannot control. . .

[The+Optimizer]

> Not controlling your own security will make things like, oh, HIPAA and PCI compliance problematical.

Add Sarbanes-Oxley (SOX) Compliance to the list as well.

My wife just dealt with this at her Fortune 500 company. Microsoft will not disclose completely what the telemetry in SQL Server 2016 is phoning home. They have no choice with respect to compliance , and have made the decision to migrate their older reporting from SQL server (older versions) to Oracle.

She wishes she had a recording of their MS sales rep telling her team that it doesn't matter.

Re:Security that the USER cannot control. . .

[Rick+Schumann]

I think everyone misunderstands the story. Win10's malware and spyware is the most secure ever -- from the end-user trying to disable or bypass it. MS has made themselves extremely clear, through their actions, that they don't give a rats' ass about the end user, other than the revenue they can squeeze from them. Therefore MS makes a priority of ensuring their revenue stream is secure, not anything the silly sheep users ever do.

Re:Security that the USER cannot control. . .

[fahrbot-bot]

That said, MS has labeled every version of Windows as 'the most secure windows' ever since computers are regularly networked. Geez.

Ya, but *this* time, the baked-in, mandatory telemetry that tracks everything confirms it's the most secure version.

Re:Security that the USER cannot control. . .

[Salgak1]

Let's see. . . most of Corporate America. Pretty much, every Federal, Military, and State desktop. Most small businesses. . . .

Re:Security that the USER cannot control. . .

[Ravaldy]

Are you new to the industry?

If you work for a company that lives in Windows you should be living in Windows as well. It forces you to live like your users. After all, you're the technical expertise and you will see opportunities for improvement that users many not see.

My 2 cents.

Re:Security that the USER cannot control. . .

[The+Optimizer]

I don't have the full story - there's aspects she can't share with me, but I gathered that the politics of switching that stuff to Oracle are more complicated than just the SOX issue... but SOX compliance was the nail in the coffin so to speak. And it was a departmental decision, not just her. I do know their projects involves the handling of employee data for tens of thousands of people in many countries, as well as customer data and their compliance department is rather large and scary.

Re:Security that the USER cannot control. . .

[davester666]

The important part of the statement is "most secure Windows ever". It's relative only to earlier versions of Windows. It doesn't mean that Windows is no longer riddled with security issues, or is not actively being exploited by zero-day hacks.

Re:Security that the USER cannot control. . .

[edtice1559]

Well that makes sense if they are continuously improving security. What else would they do? Go backwards?

Re:Security that the USER cannot control. . .

[fisted]

They claim to be continuously "improving security", yes. So "$latest_windows is the most secure windows ever" isn't news.
That said, last time I checked, "writing new code" was the opposite of "improving security", and that's what seems to happen for the most part. Would be difficult to keep selling new stuff otherwise, too.

Re:Security that the USER cannot control. . .

[david_thornley]

I spent the extra $100 to get Windows 10 Pro for my home laptop. That gives me the ability to delay, but not prevent, WIndows updates.

Re:Security that the USER cannot control. . .

[0111+1110]

Upgrade to Windows 7 if you want more power over your computer.

Re:Security that the USER cannot control. . .

[david_thornley]

IIRC, 10 Pro did come with upgrade rights to 7. There was a typo in the official literature, where it said "downgrade".

You know...

[Z80a]

Just curbing the competition.

Re:You know...

[Z80a]

I mean the spyware competition.

So, if they're aware of all these flaws in Win7...

[msauve]

Where are the patches for Win7 which address all these known flaws? They're supposed to be providing security updates until 2020.

Except

Except for the direct pipeline to Microsoft servers that is.

Infinity - 58%

[Sneeka2]

...is still infinity.

OK, that's funny on it's own, but...

[Baloo+Uriza]

...now say it in Donald Trump's voice.

Re:OK, that's funny on it's own, but...

[Chrisq]

...now say it in Donald Trump's voice.

We have a big beautiful firewall. That's goin to block websites. Because websites have drugs, pornography, crime ... and some I believe may be good sites.

Re:OK, that's funny on it's own, but...

[ausekilis]

We have the best security team ever. Security, yea, Security. I know a guy, he's a genius about security. He's gonna security the hell out of that, what was it? Operating System. Yes. Security!

Re:OK, that's funny on it's own, but...

[omnichad]

Something something about Mexico paying for our firewall.

That's only because

[toonces33]

That's only because it won't boot. That way, the machine can't get infected.

Most secure windows ever

I heard they accomplished this by removing the network stack.

Re:Most secure windows ever

[fnj]

... and the USB ports ... and ...

Re:So, if they're aware of all these flaws in Win7

[msauve]

Even worse. They're lying. It's not Windows 10, it's an application.

This is like Samsung saying...

[mrsam]

... that the Galaxy Note 7 is the hottest phone of the year!

Re:This is like Samsung saying...

[MightyDrunken]

Galaxy Note 7, blazing fast.

Is this news?

[ruir]

Windows x is way better than Windows (x-1) ever was...since when? the 80s? Give us a break. https://www.youtube.com/watch?...

It's not secure at all

[RandomSurfer314]

If it was secure, I could control which outside servers the operating system contacts and what information it sends to them. An operating system for which you cannot even control where it connects to is insecure by definition.

It connects to more than a hundred outside servers Microsoft refuses to publish a complete list of these places and what data it exactly transmits, so it is also practically impossible for the end user to reliably distinguish Microsoft traffic from trojan horses and malware. It's ridiculous to call that secure.

Re:It's not secure at all

[Ol+Olsoc]

If it was secure, I could control which outside servers the operating system contacts and what information it sends to them. An operating system for which you cannot even control where it connects to is insecure by definition.

It connects to more than a hundred outside servers Microsoft refuses to publish a complete list of these places and what data it exactly transmits, so it is also practically impossible for the end user to reliably distinguish Microsoft traffic from trojan horses and malware. It's ridiculous to call that secure.

Annnnd argument over! This needs to be at +5 everything moderators.

Re:It's not secure at all

[thegarbz]

Yes secure is a yes no question. There's no sliding scale at all. Nosireee none what so ever.

Re:It's not secure at all

[Skuld-Chan]

What makes you think you can't control what windows can connect to?

I love it at work when Linux nerds get a hold of windows - they automatically assume that nothing is configurable because it's made for idiots. I don't assume things about Linux and I've got no problem moving between the two.

Re:It's not secure at all

[Ol+Olsoc]

Wait. Wait. It depends on what your definition of "is" is.

What is, is. What is not, is not. That which is, is, and what is not, is not. Therefore, that which is not, is not that which is, nor is that which is, that which is not.

Re:It's not secure at all

[Artem+S.+Tashkinov]

I personally love this extract "automatic sample submission feature".

We'll make you totally secure by downloading all your data!

Re:So, if they're aware of all these flaws in Win7

[binarylarry]

Edge... that's Microsoft new Chrome installer right?

Vendor security better than mom security

[sjbe]

Security that the USER cannot control is not what **i** would call a selling point

A fine stance if you are a a technically competent IT pro or equivalent. However for the 99+% of the people out there who don't fit that description, having the security handled by the system vendor can actually be a good idea. Microsoft can do a better job of it than my mother can. (yes I know... stop snickering) The VAST majority of users don't have the foggiest idea how to properly secure their computers nor any meaningful interest in learning. Having the option of user control for those with the ability is a good idea but probably not a good default for most users. Microsoft may not do a great job but they'll probably do a better job than the majority of users (which is kind of a sad commentary but it is reality). It only is a problem if they deny competent users the ability to control security when the need arises.

Re:Vendor security better than mom security

No, it isn't.

Proof positive of this can be seen with the incidents on Kindle wherein they took content AWAY from you that you'd purchased. Very, very stupid notion that.

But, what do I expect out of /. right?

Re:Vendor security better than mom security

[Ol+Olsoc]

Security that the USER cannot control is not what **i** would call a selling point

A fine stance if you are a a technically competent IT pro or equivalent.

Because security is soooooooo hard!

What we have here is people trying to claim to have it both ways. The "most secure Windows ever" still requires a lot of security updates, which means it really isn't all that secure. As well, thre are two parts to any security updates. One is making the computer more secure. The second is having the computer work after the update.

Nothing like the secure aspect of a computer in endless reboot mode. Nothing like being powerless to do anything about it

I guess.

Microsoft's biggest failure in W10 was the Bohica update idea. Microsoft has always had problems with updates. I made a good part of my living by figuring out and repairing what they bitched up every month.

And W10 is no different - you just have no choice but to bend over and take it.

And having a working computer is as important as having one that is secure.

Re:Vendor security better than mom security

[nine-times]

A fine stance if you are a a technically competent IT pro or equivalent. However for the 99+% of the people out there who don't fit that description, having the security handled by the system vendor can actually be a good idea.

Let's assume that's true. It doesn't follow that 99+% of computers aren't managed by people who are competent. A lot of those users are using computers that are managed by IT departments, and Microsoft is taking control away from those IT departments.

I would 100% endorse Microsoft trying to set sensible defaults, and hiding complex or dangerous controls in the registry where those incompetent users won't be able to find them. The controls should still exist somewhere.

Re:Vendor security better than mom security

[MeNeXT]

Microsoft has no interest in protecting your mother. This can be attested by their license agreement. They assume absolutely no responsibility as to anything in regards to the software's intents and purposes. They only care that it's secure enough that people buy it. Your mother would be better off, if shown a little bit of safe practices than trusting that Microsoft cares for her well being.

If she was smart enough to raise you she can understand how to use it safely. Don't sell her short!

Re:Vendor security better than mom security

[Archangel+Michael]

Let's assume that's true. It doesn't follow that 99+% of computers aren't managed by people who are competent.

This very well may be true. However, one thing I know to be true in life, is that One Size Fits All is a myth. Ramrodding universal "one size" to everyone without a hint of concern for those it will not work is horrible idea.

Re:Vendor security better than mom security

[tepples]

Relegating everybody other than experienced system administrators to devices running a single-window GUI with no automation would create an even bigger divide between those with the tools to create works of authorship and those who can only view works created by others. This divide chills speech.

Re:Vendor security better than mom security

[Rick+Schumann]

See, the problem here isn't the authoritarian dictatorship attitude of MS about updates, it's the spyware they force on users, even of older versions of Windows, and forcing Win10 on people through various ruses. You're assuming MS has the best interests of the end users at heart, when clearly, through their actions, they do not; they're more interested in ensuring their revenue stream, and what the users want is not particularly relevant to them. How can you trust a company that clearly doesn't listen and doesn't care about your rights?

Re:Vendor security better than mom security

[thegarbz]

A lot of those users are using computers that are managed by IT departments, and Microsoft is taking control away from those IT departments.

That is one of the few groups which still have control over their PCs.

Re:Vendor security better than mom security

[nine-times]

This very well may be true. However, one thing I know to be true in life, is that One Size Fits All is a myth.

I'm presenting an argument for why Microsoft shouldn't force the same settings on everyone. You also seem to be presenting an argument for why Microsoft shouldn't force the same settings on everyone. Can we agree to agree on this one?

Re:Vendor security better than mom security

[nine-times]

No, we don't. Microsoft has been stripping administrative controls from Windows. Build 1607, for example, removes the ability for IT departments to control whether/when Windows Update runs.

Re:Vendor security better than mom security

[thegarbz]

Yes you do. As posted in another thread. Control is not a yes no question.

Windows Updating running? Against what? Hopefully not something other than your WSUS server because it would just be silly to voluntarily give up control of your network like that.

Re:Vendor security better than mom security

[nine-times]

Hopefully not something other than your WSUS server because it would just be silly to voluntarily give up control of your network like that.

Oh... I get it. Wink wink, nudge nudge. Funny.

And hopefully you aren't silly enough to assume that everyone's use case is the same as yours (wink wink, nudge nudge).

I'm an MSP. I have an RMM that pushes out updates. My standard practice has been to turn off automated Windows updates and use the RMM's mechanism for deciding which updates to push. Unfortunately, the RMM's mechanism uses the Windows Update service, so I can't just kill it. So up until now, I had a nice little system that gave me really good control over patches across all of my clients, many of which don't have servers to install WSUS on. I could set up an internet-facing WSUS server for all of my clients, but the last I heard, that would be a violation of the licensing terms and in violation of best practices. Fuck me, right?

Re:Vendor security better than mom security

[rastos1]

Well, I assume that if you want to drive a car you should understand what aquaplaning is, why you should not let the engine overheat, why you need to change oil, what happens if brake pads wear out, ...

Security is an historical function, not marketing

[bguthro]

How secure this version of Windows is can only be determined after-the-fact.
Once a year goes by, and security researchers have sunk in their teeth, can we really determine how good the initial threat model was.

"The most secure version of windows" has been claimed for every release since Windows 98... and we know how that turned out.

More secure than Windows 1, 2 or 3?

[grahamm]

Are they really claiming that the networked Windows 10 is more secure than the non-networked versions prior to Windows 3.11 and Windows for Workgroups? In the "old" versions the only realistic attack vector was floppy disk based viruses, which only caused the systems to misbehave, not "leak" data.

Re:More secure than Windows 1, 2 or 3?

[Ash-Fox]

Are they really claiming that the networked Windows 10 is more secure than the non-networked versions prior to Windows 3.11 and Windows for Workgroups? In the "old" versions the only realistic attack vector was floppy disk based viruses, which only caused the systems to misbehave, not "leak" data.

Before Windows provided it's own networking functionality, that stuff was handed off to other products like Netware. I'd dare say that they were more insecure considering how once you had access to a system over it, you had complete access due to Windows' failure to implement users and permission schemes on the filesystem, unlike other operating systems available at the time.

They are finally getting serious about security.

[j14ast]

After years of being told that the only secure windows PC is one that is turned off, they listened.

They released a update that broke the boot system.

Re:Security is an historical function, not marketi

[houghi]

"Most secure since" does not mean it is secure. Just that it is more secure thann what came before.

Say on a scale of 1-100 that Win95 was 1 secure and Win98 was 2 secure and Win8 was 15 secure and this one is 16 secure, it is indeed the most secure one. Not secure, most secure.

And that is all without knowing how the security is measured. Is the securety level stable over the lifespan, or does it decrease with time as more faults are found, or does it stay the same?

So even though the claim is valid, it is also meaningless. It is like saying that the birthday girl is the oldest she ever was on her birthday. True, but useless info.

Re:You know what's also secure?

You'll be modded down, but in all honesty I get about as much useful information from your post as I get from what Microsoft says about Microsoft's Windows security.

"Most secure Windows"

[willoughby]

Isn't that something like "Best Mexican wine"?

Kernel Security Check Failure...

[MindPrison]

Well, it crashes randomly a few times a week with that above error code.

When I ran Linux (mint) on the same box, it never crashed. I have to run Windows 10 because of my HTC Vive Virtual Reality kit, otherwise I'd say bye to that flawed system by now.

So, not that secure?

[Karl+Cocknozzle]

Saying something is "the most secure Windows ever" is roughly the equivalent of being the finest outdoor ice hockey player in Ecuador. That is to say, something which is only impressive out of context.

Re:So, not that secure?

[chispito]

It could happen: http://www.xtraice.com/us/synt...

Re:So, not that secure?

[hey!]

There's an ice rink in Quito, if you can deal with the 2850m elevation.

our new product is better than our old product!

[Idisagree]

breaking news at 11...

Microsoft announce their latest version is better than their previous version.

Would you believe it, software 'development' appears to be a concept after all.

Well, the general has a different opinion ...

[Qbertino]

The general speaks with Bill Gates.

They may be right

[OneHundredAndTen]

But it is almost like saying that the Samsung Galaxy Notes 7 is the most explosive Samsung phone ever. Consider yourself middle-fingered, Microsoft.

Re:They are finally getting serious about security

[Ol+Olsoc]

After years of being told that the only secure windows PC is one that is turned off, they listened.

They released a update that broke the boot system.

Wait! Is this insightful? Or funny? Or informative?

Yes.

Wow, the most secure Windows ever!

[Trailer+Trash]

I'll add the most secure Windows ever to my collection. Let's see:

1. Most Secure Windows Evah!!!
2. World's tallest midget
3. Most pleasant smelling turd
4. Most beautiful day for Rosie O'Donnell

Re:So, if they're aware of all these flaws in Win7

[LifesABeach]

Why are the Microsoft H1B Zombie Geniuses allowed to churn out this level of code? Intrusion methodologies are publicly known. Is testing for them that difficult to master?

Sieve

[flyingfsck]

So the latest sieve from MS has one less hole. Pronouncements like that, just shows how utterly craptastic the previous versions were.

Domain expertise

[sjbe]

Because security is soooooooo hard!

For a lot of people it is. For those who make their living doing IT it might seem rather straightforward but that's a tiny percentage of the population. Like any task that is outside your domain of expertise even easy things can seem hard if you don't know enough to ask the right questions. And frankly even most IT pros really aren't experts in security despite what they might tell you.

The "most secure Windows ever" still requires a lot of security updates, which means it really isn't all that secure.

Every major operating system requires security updates including Windows, linux, Android, iOS, OS X, and the rest. You will not find a non-trivial piece of operating system software that does not require security patches from time to time.

Re:Domain expertise

[nosfucious]

For a lot of people it is. For those who make their living doing IT it might seem rather straightforward but that's a tiny percentage of the population. Like any task that is outside your domain of

expertise even easy things can seem hard if you don't know enough to ask the right questions. And frankly even most IT pros really aren't experts in security despite what they might tell you.

Standard programmer debug technique seems to be
- Turn off local firewall,
- Give everyone/world admin rights,
- Open Windows Share to "World/Everyone" (and cat, and dog), with Full access,
- Turn off UAC, and
- Request Administrator/root/QSECOFR password.

And they seem to be regarded as the security experts by non-IT. Infrastructure/Security/Compliance teams be damned!

Re:Domain expertise

[Ol+Olsoc]

Every major operating system requires security updates including Windows, linux, Android, iOS, OS X, and the rest. You will not find a non-trivial piece of operating system software that does not require security patches from time to time.

Then they might think of not brgging about the need for monthly security updates. Reminds me of the local ads that bray about "Our biggest sale ever! Prices have never been lower!" Pointless marketing talk, and coming from marketers, almost always a lie.

In addition the combination of needing those monthly or more often security updates, with the system screwups that Microsoft is famous for, means exactly this:

You ar ebuying a machine that the Operating System fucks up more than the bad guys.

If Microsoft wanted to update the OS with the latest security patches 3 times a day and you had no choice, not too bad. But since they fuck up people's computers with regularity. You are signing up for an OS that in my professional opinion, doesn't work. Once upon a time, you could do a pretty good job by turning off updates until you found out what was getting bricked, then wait for a fix, and update later. Now? Sorry, you signed up for the big dose of fail.

For some of us, we have computers to do work with, and our tasking is not to simply get the computer to work.

Re:Domain expertise

[dwywit]

My CEO once asked me why he wasn't a QSECOFR. I told him politely but bluntly that it wasn't a recommended practice for people who didn't know what they were doing to have such a level of access, that I had done the IBM courses on managing an AS400, and he hadn't.

He was a bit taken aback, but my boss backed me up.

Unfortunately at the next job the Analyst and the Programmer were QSECOFRs, and I couldn't convince my boss that was a bad thing.

Re: Domain expertise

[Ol+Olsoc]

Most, but not all, problems solved AMD back to a familiar controllable (sort of) environment.

You hit it. I never used the word controllable before in this context but that is the perfect word to use.

With Windows 10, we are no longer controlling our own computers. The updates come in when they decide they come in, They tell you things work that aren't working, and have turned even administrators into plain users.

It gets laughable some times. I've had several cases where an update bitches up a sound driver, but since the sound card troubleshooter claims the driver is okay, the person with the problem insists that the driver is okay. A few have become pretty belligerent, one telling me to fuck off and quit wasting his time.

I was really surprised when he came back and apologized after finally trying my fix.

My all time favorite was when an update pooched an ethernet card on my network, and gave me a message of "Ethernet driver not installed correctly - connect to internet".

Ransomeware Only

[Thyamine]

Looking at the links and white paper, this is really related to Ransomware and Defender only. In that regard, they are certainly getting better, which then makes it an easy marketing statement to make. But everyone is (generally) getting better over time. Reading between the lines, what this is really saying is that Windows Defender is most likely Good Enough for most home users, and realistically it probably is. Most signature based software is terrible and has a 40-something% efficacy rating. The free AV has been shown to be untrustworthy with adware or selling data or various unsavory activities.

Compared to enterprise/corporate options, it's really not a worthy comparison unless you have to implement it for compliance reasons. Some corporate solutions are not considered AV in the compliance sense, even if they perform the same role. And if you really are a geek and like to have better control this won't be what you want either. There are a lot of caveats in their claim, but it makes headlines.

Re:Ransomeware Only

[unixisc]

I agree that Defender has been good enough, although the last few times I visited the Microsoft Store, they did suggest getting a separate malware defender. I've thankfully never had to handle ransomware. But the forced updates are still something that makes me feel less secure: if Microsoft can force my system to upgrade at a certain time even if I may have overnight activities running that CAN NOT take a reboot break (been in that situation not too long ago), then anyone can hijack my system in which case, it's NOT secure

Re:Ransomeware Only

[tepples]

Why are these overnight activities not partitioned into multiple short-running processes so that they can pick up right where they left off after a reboot?

Re:Ransomeware Only

[unixisc]

There was one application I had that involved filling in insurance application forms for new customers. Sometimes, the customer wouldn't have their bank account details ready, and needed a day, but due to legal reasons, their info could not be saved on our computers - it had to be transmitted directly. Overnight, if the app was still running, we could recontact them, get the details and then submit. But Windows 10 updates would interfere, and since the reset time could not be set outside 24 hours, it meant losing everything. I have stopped using Windows for any serious (i.e. involving money) work, such as banking, shopping and bill payments.

Wow.

[Gr8Apes]

I'm shocked that they cleared such a high hurdle!

just unplugg

[kiviQr]

... all you have to do is unplug your network cable and all wireless devices.

Some progress, but nothing game-changing

[EndlessNameless]

I like the container/sandbox work in Edge. I don't use the browser myself, but I like that there's better security in the OS default browser.

The efforts on Windows Defender are OK. Enterprise already has its own host protection, as do expert users. Any improvement is good for the masses though.

Overall, this doesn't really make Windows 10 much more appealing, but it's a step in the right direction.

It's true

[penguinoid]

Windows 10 is so secure that I haven't had any security problems with it and don't expect to until Windows 7 won't run.

So fucking what

[JustAnotherOldGuy]

"Microsoft Says Windows 10 Version 1607 is The Most Secure Windows Ever"

Yeah, and and they should be able to say this about version 1608, and 1609, and 1610....so what? Every later version SHOULD be more secure than the previous versions.

It's like saying that "on my next birthday I'll be older than I was on my last birthday".

How to tell if your compiler is backdoored: DDC

[tepples]

gcc, which they trust, and shouldn't really, as it could have been compromised and no one could tell

If there exist multiple C compilers, one of which is available to the public as source code, one can use David A. Wheeler's diverse double-compiling procedure to make the probability of a backdoor negligible.

1. Start with three compilers in executable form and one in source code form. We'll call the three DCC, ECC, and FCC, and the source one GCC.
2. Compile GCC with each, producing GCC-compiled-with-DCC, GCC-compiled-with-ECC, and GCC-compiled-with-FCC. Though these binaries will all be different, having been produced by different code generators, they should have exactly the same behavior, as they are all compiled from the same source code.
3. Compile GCC with each, producing GCC-compiled-with-GCC-compiled-with-DCC, GCC-compiled-with-GCC-compiled-with-ECC, and GCC-compiled-with-GCC-compiled-with-FCC. This second round of binaries should be identical, as they were all produced with GCC's code generator. If not, disable any timestamp feature in GCC or Binutils and try again.

If the resulting binaries of GCC-compiled-with-GCC are identical other than internal timestamps, one of the following is true: A. either GCC as compiled by DCC, ECC, and FCC is clean, or B. DCC, ECC, and FCC all share the same backdoor. Which is more likely in practice?

Re:Security is an historical function, not marketi

[bguthro]

But they aren't claiming "since"
They are claiming it is the most secure version, period...which is just not possible to claim, until tested.

The oldest, supported version of Windows is likely the most secure - due to all major, known, CVE's being patched.

New code cannot inherently be claimed to be secure.

MS & mom - only two choices?

[John.Banister]

So, what if my mom is nothing like an IT pro, but is reasonably good at shopping? There's a lot of internet security products on the market designed to protect the computers of people who are not IT pros. Are you saying that reading reviews and trusting one of these products that was liked by reviewers to be competent at providing internet security is not a successful strategy - that only the system vendor can do this job sufficiently well?

Re:Back to Windows 7....

[unixisc]

Plan a migration to something else, like maybe MacOS, since ultimately, Windows 7 won't be supported, and it'll become as vulnerable as XP. I myself use either one of my tablets, or PC-BSD if it has to involve desktop work, like posting here.

Yeah right

[JustNiz]

>> "devices running Windows 10 are 58% less likely to encounter ransomware"

In other news, 78.647% of all statistics are made-up.

Windows ? Secure ?

[stooo]

Windows ? Secure ? lol.
Windows 10 ? Secure ? no way.

Could you have used Enterprise?

[tepples]

In short: Your insurance agency had long-running interactive processes because use of volatile memory was a legal requirement and overnight storage was a marketing requirement. How big was your insurance agency? Was it large enough for use of Windows Enterprise to make sense?

Most secure windows version is like saying

[GoodNewsJimDotCom]

World's fastest Geo.
Most water resistant screen door.
When every version has been a sieve before, even blocking one hole in the sieve makes it the most secure version. Totally insecure, but not technically lying.

Painful to watch

[WaffleMonster]

People in this industry never seem to learn any lessons from previous failures. It is always double down and throw resources at unwinnable problems until your blue in the face.

Hey look this ransomware iterates sequentially through all directories reads files and writes encrypted versions of the files all we need to do is check for that heuristic and we win...

Next week ransomware iterates randomly through all directories and overwrites portions of files randomly at a time.

Time well spent?

What if instead they spent this time working versioned filesystems, better application jails and systematically addressing privilege escalation?

Detecting evil bits is a fools errand.

It bloody well should be

[phorm]

Sorry, but if the latest patch of your most recent operating system ISN'T supposedly more secure than its predecessors, then that's a pretty bad thing.

That said, they can claim whatever they want, but it could all be shown useless if some hacker finds a nice juicy exploits or buffer overflow, a day, hour, or even minute from now.

Most Secure?

[hduff]

Given their past security issues, Windows 10 might be insecure. It's all relative.

Be careful, what you say

[allo]

Be careful, what you say.

MS said XP is the best windows ever. Then nobody wanted any further windows, because everyone already had the best windows ever.
When this win 10 build is the most secure ever, you should never upgrade after you got it, if you want to be secure.

Re: Too bad for Windows users that...

[UltraZelda64]

Honestly, I wonder if a single Windows release has been made in the last two decades that Microsoft hasn't bragged about the security of the then-current release of Windows. I remember a lot of bragging, right in their advertising material, bullshit like "The most secure Windows yet!" Whatever, Microsoft... we know you're full of shit already, just shut the fuck up alredy. Repeating it for all eternit will not make it true.

Most Secure Version of Windows Yet!

[b783719]

That's because most of the time you will be stuck in the updating loading screen.
.
.
.
well...At least users get to see spinning dots on a 4K monitor.