Windows 10 Will Soon Protect Files and Folders From Ransomware (theverge.com)
Microsoft is making some interesting security-related changes to Windows 10 with the next Fall Creators Update, expected to debut in September. From a report: Windows 10 testers can now access a preview of the changes that include a new controlled folder access feature. It's designed to only allow specific apps to access and read / write to a folder. If enabled, the default list prevents apps from accessing the desktop, pictures, movies, and documents folders. "Controlled folder access monitors the changes that apps make to files in certain protected folders," explains Dona Sarkar, head of Microsoft's Windows Insiders program. "If an app attempts to make a change to these files, and the app is blacklisted by the feature, you'll get a notification about the attempt."
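As an added example (not part of the article or Microsoft's announcement), this is how the feature described above is driven from PowerShell with the Windows Defender cmdlets: start in audit mode, protect an extra folder, allow one application, then read back the events the feature logs. The folder and program paths are placeholders; run it elevated on a build that ships Controlled folder access.

```powershell
# Added example: configuring and auditing Controlled folder access with the
# Defender cmdlets. Paths are placeholders, not values from the article.

# Audit mode first: apps that WOULD be blocked only generate events, so the
# allowed list can be built from real activity before anything is enforced.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# Protect an external backup drive in addition to the default user folders
# (D:\Backups is a placeholder).
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Backups'

# Allow only the backup program to write to protected folders; every other
# app is blocked (or, in audit mode, logged). Placeholder path.
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\BackupTool\backup.exe'

# Read back the resulting configuration.
Get-MpPreference |
    Select-Object EnableControlledFolderAccess,
                  ControlledFolderAccessProtectedFolders,
                  ControlledFolderAccessAllowedApplications

# Pull the feature's own events from the Defender operational log:
# 1124 = audited (would have been blocked), 1123 = blocked.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1123, 1124
} -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message

# Once the allowed list covers every legitimate writer, switch to enforcement.
Set-MpPreference -EnableControlledFolderAccess Enabled
```

Review the 1124 audit events for a few days before enforcing, since any legitimate app that writes to a protected folder and is not on the allowed list will be blocked once enforcement is on.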
It should prove quite useful, especially for backups. Currently, even doing a backup every day, I am risking that malware will become active during the process and encrypt the backups on the connected external disk along with everything else. With this feature I can specify that only the backup program can have access to the external drive.
But the recent malware attacks weren't simply malicious trojaned apps changing each other's files. It was spread by compromising / using system services that are meant to be used to access a broad array of files. I don't see how changing the permissions model to block inter-app accesses will fix this...
So it'd be enough for ransomware to impersonate those specific apps or just get into the party list. Shouldn't it?
Sent as ripples into the electromagnetic field. No single photon has been harmed in the process.
Why not implement a sane security model instead of having hundreds of little services and programs trying to patch all vulnerabilities?
Maybe I am wrong, but it looks like Office has been an attack vector.
Will it be in the party list of "allowed apps"?
My 3 remaining Windows computers from Windows 10! By keeping them on Windows 7 Pro ;)
I better be able to edit the whitelist.
And exclude half the shit microsoft does from touching my files.
If it's a reasonable mandatory access control implementation I see no downsides, it's just unfortunate it took this long and became this much of a problem before it was addressed.
will be used to block Steam unless you buy Windows 10 Pro Gamer
..the next generation of Ransomware will exploit a vulnerability in this new service to prevent YOU from accessing these folders and files.
How very convenient!
=Smidge=
Microsoft must have discovered their use
That's how it used to be called. Now Microsoft will probably invent some obscure new terminology for it so it looks like they actually invented something new.
Well they are only 5-10 years behind RedHat.... Like SELinux and security contexts this will help to limit activity if you do have a virus, but if the "right" program gets taken over you are still SOL.
Just create a unique privileged user and have the program execute as that user. Is this not a solved problem?
This sounds strangely like the App-Locker feature that's available on some Windows Server and Enterprise editions...
The only way to protect apps from LUDDITES is to use appy Appdows 10 S, which blocks all LUDDITE software from running!
Apps!
NotPetya, for example, doesn't directly encrypt files while Windows is running. Instead, it schedules a reboot, and does the encryption as part of the boot process. During which, presumably, this process isn't running.
I used to get work done in Windows but I've diversified away from it on my production machines -- I do have it on a few test machines just in case they make some customer-friendly decisions
Things I'm unhappy about:
- the broken update process (when I tried a few months ago, Windows 7 no longer auto-updates all the way through without manual intervention) -- it was supposed to work until 2020
- the telemetry which reportedly can't be completely turned off -- I like building nice quiet machines that are ready and waiting for my work
- auto installed apps like Candy Crush, Facebook, Twitter -- I saw this happening and the first thing that popped into my head was a picture of Dilbert screaming "GAH!!!!" -- I don't want those busy bees on my computer either -- I want my computers to be quietly waiting until I start some software for my work
I remember thinking back in 2014 how this must somehow be as good as it gets in computing -- I had no idea that I was right and we'd have the nightmare we have today
Ah, Windows - the cause of, and solution to, all of life's problems.
The sad but hilarious thing here is that the head of Microsoft's Insider Program doesn't know the difference between whitelisting and blacklisting.
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
Don't get me wrong. This is still a step forward to throw off simple malware but ...
Nice function to stop script kiddies. Microsoft is trying a PR stunt to cover the egg on its face and hide the fact that Windows is still full of serious security holes. The ransomware used by recent attacks was using holes in the OS that allowed full control of the machine. Nothing can stop such software from encoding the entire hard drive any way it wants and demanding money. Software that has full control can easily undo the lock on the folders, can replace the OS function that checks for valid access and that way guarantee itself unrestricted access to any folder, or in the extreme case just replace relevant parts of the Windows OS with its own code and encipher the entire hard drive sector by sector.
This sounds like SELinux and AppArmor, which were developed in the late 1990s and incorporated into RedHat and Ubuntu and the like in the early 2000s. I mean I think Android started using SELinux access controls three versions ago. But ok... yeah, good job Microsoft!
FUD
This controlling-which-app-has-access-to-what concept sure sounds like SELinux and AppArmor for Linux, which have been around for 10-20 years and are a standard component of Linux today. I think Android incorporated this concept three versions ago. But you know, Microsoft should get some kind of small trophy too.
So Microsoft is implementing a crippled version of SELinux?
I kind of didn't realize Windows did NOT have a similar feature already. This explains all this ransomware crap in the news. Huh.
Office macros are one of the most notorious attack vectors...
Finally doing something right
Personally I would be more concerned with exfiltration than deletion, but if MS wants to provide safety they should consider a versioning file system so that designated folders can be rolled back to prior states no matter what happened to the data. Not all failure is intentional and this could provide useful value beyond attack resistance.
Aspect-based access control mechanisms have a tendency of subverting themselves in the name of convenience over time. First there was the Windows firewall, then every app installed makes exceptions for itself and before you know it the firewall may as well no longer exist.
I'm not sure how they could even implement such a thing in a meaningful way. What prevents an attacker from overwriting the application and then proceeding to encrypt files, or suffering large numbers of false positives as apps are updated, resulting in error fatigue and rendering the "notification" useless?
This could be done by running apps in isolated containers and assigning access rights to shared stores to the container rather than the software. This is what Windows should be doing to meaningfully improve security wherever it can possibly get away with it.
You can use SELinux to accomplish a similar setup. You can ensure that a given application only has access to specific directories or files. Having spent a little time with it I can say it has an obscene learning curve.
I guess they figured a way to keep the user session running as root, while still sorta having security-ish behavior. If only there was an obvious solution like not making every user root.
Prediction: It will be exactly 6 months, maybe less, before MS largely defeats this, because, just like UAC, the only way MS knows how to make anything is either COMPLETELY in-your-face to the point of madness, or COMPLETELY useless.
Errr why would you say that? MS already has the ability to block Steam they don't need to write a new feature for that. Please try and fit the hole in the tinfoil hat, some of the mind control is getting through and you're missing some really basic crap.
I've seen "disk firewalls" in other operating systems. Macs use something like SELinux to keep all but root tasks out of the Time Machine repository.
I think this isn't a bad thing, and a must eventually. However, it does force an organization system (where the Documents folder winds up organized into Word, Excel, etc. subfolders, each only allowing the appropriate application and the backup program to access that directory.) Some ransomware can use a Dancing Bunnies attack and just ask the user for permission to write in that directory, in return for free pr0n.
I can see separation of files becoming commonplace, where the web browser has no access (except perhaps via a special dialog) to anything but its own VM [1], and perhaps applications start winding up more separate as well, with contexts (SELinux-like), containers, or VMs.
[1]: Web browsers need as much separation as possible, since they touch untrusted code constantly. It should be assumed that the machine the browser is running under is tainted, with downloads saved to a special one-way directory, perhaps passing through a Virustotal-like scanning system before plopping it in a place accessible by anything else.
and hacked, probably.
I suspect that is still a few years off. They learned with Trusted Computing that the chains have to go on a bit more slowly for the public to not cause a fuss about it.
On a side note: Holy shit Slashdot is terrible without noscript. Actually, all of the web is. Been redirected to viruses twice so far this morning. How does this ecosystem even exist? Turn off the scripts,
"Someone needs to talk to the tree of liberty about its ghoulish drinking problem." by ohnocitizen
Please try and fit the hole in the tinfoil hat, some of the mind control is getting through and you're missing some really basic crap.
Not just Steam, but any non-Microsoft-blessed application. Want to edit something with LibreOffice? You might have to jump through some hoops to get there. Want to use a third party tool to edit your photos? It might not be that simple any more. Such a capability could easily be another avenue for blocking legitimate as well as illegitimate access. Not saying it will block third party apps, only that it could block them, or potentially make them harder to use.
History is on the side of the tin foil crowd with this, unfortunately.
All you need to do is send $300 worth of bitcoin to Redmond every few years if you want to keep using your computer.
Seven puppies were harmed during the making of this post.
Didn't the last ransomware virus (Petya or whatever) just reboot and encrypt the disk sector by sector, probably using good old INT 13h? Then what is this going to help people?!
I'm imagining a hard drive riddled with undeletable files and folders created by apps that failed to uninstall correctly.
Support Right To Repair Legislation.
Blog spam from TheVerge... here's the Microsoft statement: https://blogs.windows.com/wind...
Didn't this used to be known as AppArmor or SELinux ..
The average computer user is a few IQ points away from vegetable status. They won't be able to understand this feature, detect false positives, or correct erroneous blockage. Malware will happily guide the user through setting up the permissions and lock it all away, using Microsoft's feature against the user. Users will have to keep whitelists, or use graylisting, both techniques are too complex for "normal" computer users.
This will be extremely useful to management types at businesses. Business computing will be a lot more controlled and boring as a result.
It just takes a zero-day to escalate privileges and whitelist anything. It's Windows we're talking about, fellas.
Yes, if you can express any such security rule in English, you can do it with SELinux.
Only this role (group of users) can access this set of files, and only by running these programs, and only has read/write/execute permission. There are other attributes you can use as well.
SELinux was released in 1998.
It's particularly well suited to servers. You can say exactly what your mail server software, or Apache web server, has access to, under exactly what conditions.
Microsoft giving us features that we could have had a fucking decade ago.
Just like how even back in the Windows 95 days, writing to /windows/system32 should not have been possible by ANY software for ANY REASON except for Windows updates. Yes, that means your shit-tastic program that needs 600 DLLs can install them in the program's directory.
Trusting Microsoft to protect your data is asking for a disaster to happen. Take charge of your own data and store it offline somewhere. Do NOT use so-called 'cloud storage'. External drives aren't expensive anymore. Even an external SSD isn't that expensive. With all the high-speed external data interfaces at your disposal these days plus how cheap large external storage is there's really no excuse anymore for not keeping your important files offline on a device in your physical possession.
There's an even easier way Microsoft could solve the problem that already exists and has probably 99% of the work already done for them: Volume Shadow Copy Service.
Set aside 100 gigs of a 500+ gig hard drive, and designate one or more folders for protection.
Any changes to files in the protected folders get journaled to that 100-gig area.
If the journal fills up, the hard drive gets write-protected, with the exception of a 1-2 gig area where the user can create and save NEW files, but can't overwrite/delete existing files (so there will always be somewhere to save open files if the rest of the drive gets write-locked).
Add some extra logic to warn the user as the journal reaches certain milestone sizes. Allow users to override the limits... but treat it like the safes used for change at convenience stores... you can override the limit NOW, but it won't take effect for 24 hours (and maybe up to a week, with warnings leading up to its execution, for more radical overrides).
Need to write lots of temp files? Do it to a directory that's not protected. Or get a bigger hard drive, and make policy changes (that have to either be set at installation time, or get delayed by a period of time to give adequate advance warning).
The only real difference from how it's used now would be the setting of hard thresholds that couldn't be exceeded without write-protecting the drive to give the user time to take action. It would probably create some new denial of service opportunities (some accidental rather than malicious), but it would be a fairly effective safeguard against the current #1 mode of action used by ransomware (mass-encryption in the background of files over a short period of time).
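The commenter's change-budget idea, as an added example that is not part of the original post: a user-mode sketch in which a baseline of file hashes stands in for the journal, the bytes of files modified or deleted since the baseline count against a fixed budget, milestone warnings fire at 50/75/90 %, and at 100 % the check returns a lock decision (where a real implementation would write-protect the volume). The demo folder, file sizes and the 2 KiB budget are constructed for illustration.

```powershell
# Added example (not the commenter's code): a hash baseline as a stand-in
# for the proposed journal, with milestone warnings and a lock decision.

function New-ChangeBaseline {
    param([string]$Folder)
    $baseline = @{}
    Get-ChildItem -LiteralPath $Folder -File -Recurse | ForEach-Object {
        $baseline[$_.FullName] = @{
            Hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            Size = $_.Length
        }
    }
    return $baseline
}

function Test-ChangeBudget {
    param([hashtable]$Baseline, [long]$BudgetBytes)
    $used = 0L
    foreach ($path in $Baseline.Keys) {
        if (-not (Test-Path -LiteralPath $path)) {
            # Deleted file: its whole previous version would sit in the journal.
            $used += $Baseline[$path].Size
            continue
        }
        $now = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        if ($now -ne $Baseline[$path].Hash) {
            # Modified file: the previous version would be journaled.
            $used += $Baseline[$path].Size
        }
    }
    $pct = [math]::Round(100.0 * $used / $BudgetBytes, 1)
    $decision = switch ($pct) {
        { $_ -ge 100 } { 'Lock';   break }   # journal full: write-protect
        { $_ -ge 90 }  { 'Warn90'; break }
        { $_ -ge 75 }  { 'Warn75'; break }
        { $_ -ge 50 }  { 'Warn50'; break }
        default        { 'Ok' }
    }
    [pscustomobject]@{
        UsedBytes   = $used
        BudgetBytes = $BudgetBytes
        Percent     = $pct
        Decision    = $decision
    }
}

# Constructed demo: three 1 KiB documents under a 2 KiB budget, then two of
# them rewritten to mimic mass modification of user files.
$demo = Join-Path ([IO.Path]::GetTempPath()) ('budget-demo-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $demo | Out-Null
1..3 | ForEach-Object { [IO.File]::WriteAllBytes("$demo\doc$_.txt", (New-Object byte[] 1024)) }

$base = New-ChangeBaseline -Folder $demo
Test-ChangeBudget -Baseline $base -BudgetBytes 2048   # Decision: Ok (0 %)

$rewritten = [byte[]](,0xFF * 1024)
1..2 | ForEach-Object { [IO.File]::WriteAllBytes("$demo\doc$_.txt", $rewritten) }
Test-ChangeBudget -Baseline $base -BudgetBytes 2048   # Decision: Lock (100 %)

Remove-Item -LiteralPath $demo -Recurse -Force
```

Running the check on a schedule gives the user the warning window the post describes; the lock step itself is the part this sketch only reports.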
So far Windows 10 has protected me from my music files (deleted), my purchased software (used to run in VM, not any more) and most recently hardware adapters like USB to Serial that I use daily to talk to embedded hardware. Thankfully, I still have a couple of Win7 machines that escaped the auto-update.
There are (or used to be, at least) GPOs for limiting what could be executed, and we did try it to prevent non-admin staff from running executables located outside of the usual execution paths (for instance, forbidding execution of anything in their profile paths), but it was a pain in the ass, broke a few things, and then I discovered that the execution path limits could be bypassed and thus didn't offer the level of security we wanted.
The world's burning. Moped Jesus spotted on I50. Details at 11.
Windows security would be way better if they didn't put backdoors in for the NSA, so they can have administrative rights on your machine.
That "feature" has been in Windows since at least 1995. Every new version of Windows makes it harder to access the file system. But seriously, a new feature is designed to do what "chroot" was basically designed to do? Clever.
Stick to user-level authorization for reading... but having application whitelists writing to folders may help the situation somewhat for the moment, or at least until the malware author learns how to masquerade their creation as some ordinarily trusted application on the user's machine.
File under 'M' for 'Manic ranting'
Chmod? Something like fswatch? Mailx? If you want to monitor the file system, folders, or an individual file, there are quite a few ways and programs to do that and have an email sent via something like mailx. Welcome to the 21st century, M$. I just hope this isn't one more step closer to total control over what you can and can't do. I'm also pretty sure there are a few firewalls for Linux that do more than just "internet" and include in-system stuff too. What the hell took them so long? Mac has had something like this in their built-in firewall stuff for years too.
Microsoft reinvented groups - the hard way.
They used to own Xenix, there's no legal issues in the way of them learning from the examples of others.
If no one can modify the contents of a folder (not even using Windows Explorer, or any system service), except using the registered binary
Then an application's publisher could hold your data for ransom.
Apple's solution is to allow apps to open any file which is dragged onto the app by the user, or selected from a standard file selector.
I'm thinking more in the context of a workstation on a network with network shares.
The user would drag a file from the network share onto the app or use the standard file selector from within the app to choose the file from the network share.
How does this ecosystem even exist? Turn off the scripts,
Without scripts, how would an interactive web application like pix2pix work? Would it instead have to be an OS-specific executable that the user is expected to download and install, or just do without if the user is running a different OS?
IMHO, this is yet another sad example of Microsoft solving the problem backwards.
Take the way it handles program installation. If the .msi installer goes to create a new directory in c:\program files, c:\program files(x86), or somewhere else, Windows throws up all kinds of warnings. But if the installer simply goes to MODIFY an already-existing .exe file, it'll silently allow it without complaint once you've swatted away the UAC prompt. Which, IMHO, is fucking STUPID. Almost BY DEFINITION, if I launch a .msi installer, I'm installing something new, so the creation of a new directory in one of those two directories is normal and expected... but if a launched .msi installer wants to write into an EXISTING directory, or alter an EXISTING .exe/.dll/other-strategic-file (let's say, any existing file whose first two bytes are the ASCII value of "MZ"), THAT is ABSOLUTELY an unusual activity, and Windows should pull out all the stops to make sure you're aware of what's about to happen and its implications.
An even better solution would be for Windows to allow the .msi installer to run, but to "stage" all the files & changes to some intermediate location, then allow you to review all of its proposed changes to the filesystem and registry AFTER the installer has run, but BEFORE those changes actually get applied. Instead, UAC acts more like a EULA or disclaimer.... going through the motions to let Microsoft argue that they gave you legally-sufficient warning, without actually giving you any real details to make an informed decision.
Another example: the fact that there are certain paths you can access from a .bat file, PowerShell script, or from a C program... but not from a dotnet program or Windows Explorer, or sometimes (but not always) within Office extensions. Or one case I remember from about 3 years ago, a Windows update that changed the path-specification rules for legacy Office extensions so you HAD to use "extended UNC" notation instead of regular UNC or the letter mapped to a network share, or it would fail with an error code whose plain text in the log gave a TOTALLY misleading impression of what the actual problem was (it reported the error as "file not found", even though I could access the file just fine using the exact same path in a command prompt). A genuinely USEFUL error message would have been something like "NotAllowedAnymoreException" ("the script attempted to do something that was allowed prior to KBxxxxxx, but is now prohibited").
https://blogs.windows.com/windowsexperience/2017/06/28/announcing-windows-10-insider-preview-build-16232-pc-build-15228-mobile/#XvxHhDZkxXIspVsQ.97
And also, Windows ATP...ass to pussy..mmmm
Without scripts, how would an interactive web application like pix2pix work?
Hm. You are correct that it does not work without scripts. I just went there and only saw a few lines of text crediting some people for something.
After turning on scripts, it seems like a nifty niche thing that could be considered useful.
I am unsure why the need for this particular app to exist requires me to agree on an architecture that is fundamentally broken. I am sure nifty apps like that can exist without twisting a markup language into an application serving protocol.
Perhaps create something not called HTML/HTTP that is specifically designed to allow interactivity? You could even use HTML within that new something. ;)
There is so much foul shit on the internet right now. With scripts enabled, I have watched in horror as my web browser started downloading hostile executable code (Windows viruses) twice this morning.
Why would you want to expose yourself to this cesspool? I am even more curious how normal Windows users keep their computer virus free for more than 24 hours nowadays. Just what the fuck is going on out there?
Turn. Off. Scripts.
To make it a bit more manageable, you can do what I have done for the past decade and use noscript in firefox... but Mozilla is saying that will be over soon. :(
For myself, if someone offers me candy wrapped in poison, my instinct is to just throw it all away rather than try to extract the candy. This is not always true but it is a good general rule for me.
TL;DR, I have no idea what "the web" has become because I have been isolated through noscript. I have no space in my heart for "necessary" apps that require a broken document model.
I can already see it: A new form of ransomware that uses an exploit to modify the access settings on all your folders so only it can access them.
So should we recommend that everybody buy a Mac, not any other brand of computer, and run Windows and GNU/Linux in virtual machines? Because if we get rid of JavaScript and WebAssembly, developers will switch from web applications to native desktop applications, and that particular combination will be the only way to run all desktop applications regardless of which platform their respective developers prefer. And yes, in this hypothetical scenario, you'll end up with a lot of desktop applications being made for Mac because with JavaScript disappearing from the iPod touch, iPhone, and iPad, mobile applications will have to be made in Xcode, which is exclusive to macOS.
Currently I compromise by using Firefox Tracking Protection, a feature not to run third party scripts known to track users from one site to another. This has a side effect of blocking ad-borne malware because the vast majority of ads on sites I use are not publisher-hosted.
Of course! Thank you Microsoft for not letting us turn off telemetry!!!
or fucks shit up ... ... ... about 250 or so contacts (most of which never speak of course, but in fact my whole social life is (was) comprised in there, which is not sad since it's a choice and a long story which would be even more off-topic) ... so I get onto the automated CS-mill mail for mail back, mail this, mail that. After a few I get some dud from Belgium CS, reeking of gay microfascism pardon my South Park French, telling me I am blocked for "serious violation" so I'm like 0_o ... and "okay sir, could you please tell me what exactly I have violated so seriously that I am blocked without warning", to which I get the answer "we don't have to give you a reason, this is the last communication on the matter", to which I tried to reply if I could at least please back up my OneDrive files if not get one last chance to try and contact some people on the list to stay in touch (it's not like I collected emails and phone numbers, after all why the phrack would I get banned from Skype hm? It's also not that I had all the files on OneDrive in cold storage, after all ... what could be safer than the Microsoft cloud ... wrong, lost everything for no reasons given and no chance to defend or to know who accused me of what and that was that
.. I have no reason to blow up airports in a country I'm desperately trying to get out of, that would be burning bridges in the wrong direction hahah (and bad humour sorry)) ... so I missed the memo since I actually use that thing for one sole purpose: 2-factor authentication ... and I mean, it WAS registered, right ... so I wake up one day, I find my Linux PC where I keep my active logins active mysteriously crashed with an X-server error as in please do that annoying thing or format-c before pressing play on tape)
... which so far hasn't happened since all stores I have been to charge money, which by agreement says they can't, now it's a silly 5 euros but I can get really silly myself
... I ask them okay give me a list of verified vendors so I can take a €25 train to a store that doesn't try to scam me before I go to another provider to get a new card and have my number transferred. Sorry sir we don't have that, only a list with vendors but you can "report" the stores that do. To which I go "I'm sorry, I'm not a reporter my good man d
I can't say I'm very happy about megafascist corps lately
However, since I use Windows for one and one thing only: PC gaming; I suppose this is yet another useless feature and a good reason for them to fork out one-win-fits-all at €150-€250 i.o. Windows for gamers that has like DirectX and the option to install a browser at €50 with zero of the crApps I never use running in the background leaking memory all over the place and in general eating up my resources and killing my hardware a LOT faster since it runs hotter than it should all the time
off-topic -> other than the fact that I see absolutely no use for Windows other than DirectX 10/11 it's a bit more personal lately
a few months ago I get notice that I need to re-this and -that the account I use for Skype
now a few months later turns out the Hellgian government stasi here thinks registration of cell numbers against terrorism last year wasn't enough so everyone who has prepaid cards needs to have them re-registered (I say re- since all the cards I use have been registered last year
so I take the easy way out, which is the cleanest imo, total format, reinstall (I mean how long does it take right, probably less long than re-googling how to manually reinstall that onboard AMD thing). Much to my delight when I try to get back into Google and Hotmail I find my SIM card is blocked. So I get on the waiting list for Lycamobile, after 45 minutes I get a CS rep telling me I have to register IN a store
Lyca tells me "DON'T PAY"
Free speech was meant to be free for all... how can anyone grow up in a nanny state ?