Slashdot Mirror


User: WaffleMonster

WaffleMonster's activity in the archive.

Stories: 0
Comments: 4,185

Comments · 4,185

  1. Microsoft's Malware Operating System? on Microsoft Targets Chrome Users With Windows 10 Pop-up Ad (pcmag.com) · · Score: 1

    I'm trying really hard to understand the difference between Malware and Windows 10 and..... so far I... well honestly... have not the faintest idea.

    1. Malware tricks people into installing it.
    Check..

    2. Once installed it spies on users
    Check and Check...

    3. Malware monetizes its victims with ads and shit
    Check..

    4. Malware bundles other malware to financially reward the original malware author. ... and Check..

    What is the difference? I'm not trying to be a smart alec, or bash Microsoft. This is an honest to god serious question.

    What is the daylight between what Microsoft's doing and your average malware vendor's business models?

    Much of the malware I see these days will actually uninstall itself from add-remove programs... Both Microsoft and Malware vendors generally seem to be trying to walk a tight rope of not acting in a blatantly illegal manner.

    What's the difference? Why isn't Windows malware? Why isn't Microsoft a malware vendor?

  2. Re:already exceeding expectations on Donald Trump Is Sworn In As the 45th US President (reuters.com) · · Score: 1

    Well, Obama was at war for all eight years of his presidency. Beating all other presidents. Hard to argue that he was better than Bush with that record.

    Imagine I were president.. out of sheer boredom I decide to start a war on the very last day of my warless presidency.

    Imagine the very next president spends the bulk of his remaining 8 years calming the hornet's nest I kicked around like a football.

    Even in this maximally ridiculous case your argument is no more or less valid. It's unfalsifiable gibberish.

  3. Messing with Madame Pele on Zuckerberg Sues Hundreds of Hawaiians To Force Property Sales To Him (msn.com) · · Score: 1

    Zuckerfuck is playing with fire... Literally fire and lava..

  4. Re:fake news from cnn on Russia Extends Edward Snowden's Asylum To 2020, To Offer Citizenship Next Year (cnn.com) · · Score: 4, Interesting

    And there is no way in hell Russia will ever release Snowden. They have coerced him for example to "call" into the Putin's Propaganda hour show (either that or Snowden is really really naive). The Russians will not release

    His interview question was fair in my view. It at the very least put Putin on record as being a liar when competing information enters the public domain.

    Snowden so he can talk about his treatment or detail what he released to the Russians. They have absolutely nothing to gain.

    What impressed me about Snowden was what he has actually said about the Russian government while in Russia.

    Some tweets from Snowden:

    "Signing the #BigBrother law must be condemned. Beyond political and constitution consequences, it is also a $33b+ tax on Russia's internet."

    "#Putin has signed a repressive new law that violates not only human rights, but common sense. Dark day for #Russia."

  5. Also do you have any idea how hard it is to find an ASLR leak? These are the same or similar features to those found in gcc / Ubuntu. You can read about the Ubuntu implementations here. https://wiki.ubuntu.com/Securi... These are features implemented by all modern operating systems / compilers. But they weren't common in the Windows 7 era. Again we could all *prefer* that MSFT back port features to Win/7 and or give up on Windows/10 telemetry.

    There are things like DEP/NX and ASLR that require varying degrees of buy in from the OS/loader/processor however what you seem to be referring to (stacks) are security checks injected at COMPILE TIME adding various protections with a nominal performance tradeoff. This makes a lot of sense. Once code is compiled information necessary to make any kind of coherent determination is severely diminished to do anything about it later at runtime.

    I can use GCC to compile windows programs if I want and take advantage of GCC security features in my app running on Windows XP. Mozilla can follow through with their threat to compile Mozilla in Rust enabling users to become immune from certain classes of security bugs in the subset of code using that language (assuming it actually behaves with advertised constraints).

    Numerous security checking features have been available directly in visual studio and as add-on libraries from third parties for as far back as I can remember.

    Now you can argue since the operating system itself is not compiled with x, y and z that it is less secure. To which my response is users tend to sit behind stealth mode firewalls anyway in a single user/household environment. If you can protect applications from external compromise this is sufficient in practical terms since the application is the thing sticking its neck out. You can of course still exploit vulnerable OS provided aspects the application relies on. Font processing for example has previously been a successful target but holistically the security of the application is way more important than OS selection for most users.

    This obviously is not sufficient in other settings such as multi-user systems/ application servers yet I have never in my life trusted an operating system's ability to fend off privilege escalation from interactive users... It's too unrealistic...too big an ask. Associated stream of CVE's in this regard is hardly surprising.

  6. Use Windows 7, and everybody with access to malware techniques from the last decade can get in, or

    Use Windows 10, and only the nation-state threats with access to the latest techniques or legal avenues will be able to get in.

    More likely use either, click on the wrong email and get hit with ransom for continued access to files you neglected to ever back up.

    I know it's Slashdot's fetish to think that the NSA really cares what websites you're visiting, and to think that you're all protecting the rights of freedom fighters around the globe, but really, using antiquated software just means that the barrier for entry is lowered. The NSA might not be able to pull your telemetry directly from Microsoft, but their regular old RATs and spyware will work just fine, along with the same kit from every hacker group around the world. Not only will the NSA still have access to your data, but so will everyone else.

    I just want to be left alone. It simply isn't anyone's business what I do or what software I install and run. Using Windows 10 guarantees I won't be left alone.

  7. The proof that ASLR and DEP work is that when they are enabled, the exploits always require an ASLR leak!

    So what? What effect did this have in the real world? People either go through an extra hoop to find a bypass which exist or they focus on social engineering.

    Any data or references you care to offer showing objectively Windows 10 offers substantially better security outcomes? Not extra security features but actual outcomes to real world users?

    This what everyone cares about. Nobody gives a crap about alphabet soups of three and four letter acronyms. They care about results.

    Stack sentinels work wonders.
    It took from 1970 to 2015 to find a solution for buffer-overflows.

    Are you talking about VS2015 "CFG" feature that instruments *code* at compile time to add extra stack checks? Otherwise I have no idea what you're referring to.. sentinels are as old as the oldest computers and buffer-overflows are still alive and well in 2017.

    We now have it and the Slashdot crowd pans it because they hate the telemetry more than they like the features. I personally hate the telemetry too.

    Yes absolutely. I hate telemetry to the extent features are irrelevant. I refuse to accept an operating system that is in fact malware.

    You are free to make a different value judgment. Some people abandoned ReiserFS out of spite just because the developer turned out to be a murderer. Sometimes political considerations and principles trump technical considerations.

    At the end of the day I look at windows and I notice they are still using insecure authentication protocols such as Kerberos leaving users at risk of offline credential compromise. I see MS pushing all kinds of unsafe biometric password replacement gimmicks. It is great they are taking the initiative to improve security but to be honest if I really cared deeply about security I would be running BSD or qubes. Probably would only use a browser from a throwaway VM or an isolated computer. I don't care that much and it seems clear neither do most users because if they did they would never accept the status quo.

    I personally think the best security features of Windows are Hyper-V virtualization and sandboxing of browsers 'n shit. Hypervisors are simple enough to have a snowball's chance in hell of being defensible which is way more than can be said for the execution environment exposed to applications.

    But if I'm in a position where I have to decide what's better for my company or my customers, the visceral hate cannot be the deciding factor.

    Visceral hate is your characterization and your opinion. It is a characterization I neither agree with nor see happening. You are free to disagree. The issue of importance of telemetry relative to other considerations is political not scientific and everyone has different security requirements. People are entitled to assign a suitable weight and take measures they see fit.

  8. The underlying thought here on /. seems to be that we should talk down Windows 10 so that MSFT repents and gives us a Windows/10 without telemetry. This isn't a good strategy.

    What makes you say that? How would you know the difference? How do I know you're not just a paid shill for some Microsoft hired PR firm?

    What isn't a good strategy is questioning motives in the first place.

  9. Now on to some bashing, we'll start with force updates that everyone complains the most about. Sorry, but this is a necessary evil,

    Sorry, but you have no right to force people to update. It's their choice. More importantly normalizing constant updates provides extremely perverse incentives to software vendors. It signals they can get away with crappy QA using customers as beta testers and endless streams of security vulnerabilities at no cost to them.

    leaving them vulnerable and they just don't give a flying f. The only way to address this needless insecurity is to force updates.

    Most consumer desktop users are behind a stealth mode firewall where their external exposure is mediated by the security of their browsers and other network connected software. From publicly available web statistics majority of Windows users don't even run a Microsoft web browser.

    The overwhelming majority of events that cause people to get hacked have nothing to do with operating system bugs. Social engineering and associated lapses in judgment account for upwards of 90% of compromises.

    Insecure computers connected to the internet AFFECT ALL OF US, and since that includes way too many non-technical (aka muggles) people, who refuse to update when asked to, we have to force you, to protect ALL OF US from YOUR insecure system.

    The Internet had better be engineered to fend for itself. Requiring permission or license or certification affects ALL OF US far worse than any unpatched desktops. Look at what the brilliant 1337us3rs who run the Internet are doing. Nobody is taking fixing DNS amplification seriously. SMTP email continues to be deemed an acceptable form of communication and every website on the Internet is using ad hoc user authentication forms driven by plaintext over HTTP encrypted or not. The basis of trust on the Internet is a series of redundant CA's several of which are run by "unfriendly" governments and most of which perform completely automatic signing based on completely INSECURE protocols. If all windows vulnerabilities were completely fixed tomorrow and everyone updated their computers **NOTHING** would change. I think it is rich in the extreme to start dictating anything to users.

    Next: Spying. Telemetry. Malware. So much accusations. Has anyone actually taken apart the packets being sent to M$ to see what the hell is being sent? I didn't think so, I haven't seen any reporting on precisely what is being sent.

    My characterization of Windows 10 as malware is informed simply by reading Microsoft's own documentation on the subject.

    https://web.archive.org/web/20...

    At the enhanced level of reporting (which you can turn off) it also supposedly sends info on what applications you're using, and how long they're running. Again

    List of software on device and uptime of applications are also sent for the lowest level (BASIC).

    But I have a pretty good educated guess. Usage statistics, performance markers, errors that occur, those are the basic things that're sent home. Probably shoved into a giant database along with every other computer that reports back.

    I don't care why they use the data. I don't care what they do with it. It's none of their business. I don't want them to have mine. If you don't agree you are welcomed to your view. It's irrelevant to me.

    I highly doubt anyone can successfully take telemetry data out of this database and tie it back to some individual. So who cares?

    I was most comforted to learn the NSA telephone database is just numbers not names and addresses.

    Do you really think you're so important that someone actually cares what you're doing with your PC? Again, probably all s

  10. The simple problem is that telemetry has been overstated and overblown. Try to find a comprehensive description of what Microsoft captures about users. What you get is things about Windows making DNS lookups against hundreds of domains, some chatter about what Windows 10 could be doing, and some criticisms of ill-thought-out features like Wifi network password sharing. Nobody knows what's happening, but they've all assumed so.

    I'm hopelessly confused... should I believe "telemetry has been overstated and overblown" or should I think "nobody knows what's happening"?

    The result is a bunch of people talking about how Microsoft is spying on you by doing such things as identifying all software installed,

    I think the reason for this "misunderstanding" is their own documentation describing lowest possible rung of telemetry settings state the following:

    "Helps provide understanding about which apps are installed on a device and to help identify potential compatibility problems."

    "Some examples are the amount of time a connected standby device was able to full sleep, the number of crashes or hangs, and application state change details, such as how much processor time and memory were used, and the total uptime for an app."

    Microsoft not only knows about all of the porn apps on my computer but how long each are used.

    meanwhile when you run yum or apt, it sends an HTTP request for each individual piece of software you're updating or installing back to a central server--which actually does what people said Windows 10 does, but doesn't freak anybody out because... reasons. EVERYBODY PANIC!

    With most things Linux you are often downloading from independently operated mirrors and you always retain full control over whether and from where to obtain updates. You can also download them somewhere else and update from a CD-ROM if you want.

    I find it hard to accept the premise people are upset about downloading software from remote servers. I think they may in fact be concerned about other things such as telemetry, retroactive software removal and both unwanted software installation and execution.

    Cortana used to search the web if you typed search terms into the Cortana search bar, and people freaked out.

    There is one search bar at the bottom next to start menu intentionally designed to leak local searches to Microsoft. They removed the start menu search functionality and provide no easily accessible option to control scope of search intentionally to cow people to use it unless they understood/figured out how to turn it off.

    With not so clever UX design you can trick millions into creating a Microsoft account they might not want or need or leak URLs entered into the URL bar to search engines. You can even make dismissal of a consent form constitute consent.

    Every keystroke you enter into your browser's search bar is sent to a remote server, where it's logged in Web server logs.

    Extremely creepy.

    Every domain you look up goes back to a Malware service to block bad sites.

    If you want to help people you use a bloom filter. If you want to spy on them you download every domain and claim it's for their own safety.

    To be fair, people freaked out when Ubuntu started searching Amazon through the Unity bar. It's not that they have legitimate fears; it's that they fear new things, and confusion in groups turns into mass hysteria

    Privacy invasions and underlying incentives to go there are not "new things". They've been around as long as the social contract.

    You get a few people suggesting folks are just afraid Amazon will see them trying to look for their child porn collection, but that's retarded; the truth is

    Retarded is an apt description of the third party doctrine in the US.

    e

  11. Win95 had real pre-emptive multi-tasking and memory protection.

    It had no such thing.

    It also forced a new UI that people hated.

    Program manager shell and related goodies were included with Windows 95.

    Windows/10 has a lot of exciting new security features.

    Which ones protect users from themselves? Most exploits are result of social engineering. Even if Windows worked perfectly nothing would change.

    That's pretty common in commercial software.

    Most commercial software vendors I know cannot afford to piss off their customers by inserting malware and ignoring widespread unambiguous negative feedback during product development.

  12. The security features in Windows/10 provide exploit mitigation. What this means is that Windows/10 may or may not have more bugs, but let's assume that it does have more bugs. The changes in Windows/10 mean that bugs do not become exploitable. Let's assume that there are twice as many bugs but 10% can be successfully exploited vs 30%.

    We heard all this before when ASLR and DEP were introduced. Did it work? Where is the evidence informing your assumptions?

  13. The first posts are pretty much what one would have expected. Many people have concerns with Windows/10 telemetry. But it's still a more secure OS than Windows/7. There are an incredible number of security features built-in to thwart malware. Stack sentinels, call graph protection, delayed freeing of memory, et cetera. I'm in no way advocating for the telemetry data. You can disable it in the Enterprise edition of Windows. I don't like this business decision from Microsoft. But I'd still rather the telemetry data than other malware. The snide quips that show up in articles like this add no value to the discussion.

    Most malware is *installed* by the end user.

  14. Re:Short Sighted on Will The Death of the PC Bring 'An End To Openness'? (infoworld.com) · · Score: 1

    With cheap VPS providers, your local hardware only has to be powerful enough to run ssh and vnc or rdp.
    I would argue this is beneficial since it lowers the barrier of entry.

    So does a credit card but I wouldn't consider that beneficial.

  15. The end of media and journalism on Will The Death of the PC Bring 'An End To Openness'? (infoworld.com) · · Score: 1

    As they continue to turn the dial up to "11 shocking things your mom does that may surprise you" filled with hyperbole and incoherent nonsense the more people tune out and dismiss/ignore it as noise. It's a self-fulfilling prophecy.

  16. Re: Dynamic Relational [Re: That's not how it work on Ask Slashdot: What's The Best Place To Suggest New Open Source Software? · · Score: 1

    There can be value in such a DB, as stated in the document, for prototyping/demo purposes, as it gives the flexibility to experiment and converge to a solution which you might then pin down to not be dynamic anymore. Thus, one person's "asinine" is another person's "useful". Black and white categorisation is rarely correct.

    RFC3252 gives flexibility to experiment and converge to a solution which you might then pin down to not be dynamic anymore. Thus, one person's "asinine" is another person's "useful". Black and white categorization is rarely correct.

  17. Re:Dynamic Relational [Re: That's not how it works on Ask Slashdot: What's The Best Place To Suggest New Open Source Software? · · Score: 1

    Here's one description, but it's kind of meandering:

    http://wiki.c2.com/?DynamicRel...

    I'm working on a shorter description that I plan to put on github.

    LOL couldn't stop laughing.

  18. Re:Nice try Apple on US Appeals Court Revives Antitrust Lawsuit Against Apple (reuters.com) · · Score: 1

    Apple should have used the argument that they sell devices which run controlled sets of software, with part of their product being a best-effort attempt at device security via application white listing managed remotely through the Apple store.

    The only question of merit with regards to device security is whether operating systems are able to prevent applications from escaping their sandbox. No other calculus is feasible.

    Neither Apple nor anyone else has the capability to offer any assurances with respect to activities both intended and unintended of software available on their stores. There have been thousands of examples of total failures on Apple's app store. The only possible defense is a defensible execution environment.

    Because developers make "iPhone Apps", they have to sell onto the iPhone platform, the same as with Nintendo, Microsoft, and Sony locking out their console platforms. This is not unusual in the device market.

    Putting aside my opinions about "platforms" I can go anywhere and purchase software for Wii, Xbox, PS4. Not sure what you're trying to say.

    Because Apple does not sell software outside the core system software available on the phone and supplying Apple services, it isn't abusing a device monopoly to gain a software monopoly. Further, Apple allows various software in its store, such as Spotify and Google Maps, which competes with Apple's own software and thus precludes the leveraging of a device monopoly to expand a monopoly of a particular bundled software or service.

    Apple routinely blocks competing apps and acts as a gatekeeper of what software is acceptable..e.g what software users are allowed to run. This would include Spotify having been previously rejected for competing with iTunes.

    Everyone seems to be obsessed with building and supporting a world where everything is called a "device" or "platform" where software may only be executed at the pleasure of the vendor. It's hard to imagine a more dystopian harmful outcome with regards to computing than legitimizing vendors seeking to enrich themselves, governments seeking to limit and control populations and IP holders wanting to further erode consumer rights than to continue to support this bullshit toward an inevitable future where general purpose computers are denied to the public.

    Because Android phones are available, Apple is not locking consumers into its platform by controlling the market: software developers can produce equivalent software for Android, iOS, Windows Mobile, or any combination thereof, and sell in one, several, or all of the available markets for all devices.

    The point is that *Apple users* can't buy software from anywhere else. If you bought a house in a certain neighborhood you wouldn't accept being limited to only purchasing physical goods from one specific store as a condition of living in that neighborhood. If anyone tried to enforce such a ridiculous constraint it would be deemed unconscionable. This is no different the only difference is the enforcement mechanism is technological. It is like being fitted with a GPS assisted shock collar and being zapped upon trying to enter any other store.
    Exclusive walled gardens are inherently anti-competitive.

  19. Re:Walled Garden under fire? on US Appeals Court Revives Antitrust Lawsuit Against Apple (reuters.com) · · Score: 1

    This appears to be an attack on the fundamental principle of the "walled garden". I don't think this is a good idea.

    I think it is an excellent idea. Walled gardens are inherently anti-competitive. If government is going to regulate at all taking actions to incite competition within a market is the best possible form of regulation one could hope for in my view.

    You may not like it, but then fine don't buy it. Apple sells this as a feature, that benefits the users by improving quality control, a problem that non-walled appstores have to deal with more all the time.

    Nothing prevents stores from deciding what products are in their best interests to carry.

    A level of quality control is always demanded by stores of manufacturers due to the fact dealing with high levels of defects and unhappy customers is bad for the store's bottom line.

    The last time I walked past a Game Stop at the mall one thing I didn't notice were walls littered with shareware quality "indie" titles even though the same titles are also available from best buy.

    Neither are there a shortage of specialty (dollar) stores selling junk or high end stores specializing in separating the rich from their money.

    The problem with Apple's scheme is not quality but rather deliberate action on their part to preclude existence of competing stores. If you feel comfortable buying from Apple's store nobody is arguing you shouldn't continue to be able to buy from Apple.

    It's not bulletproof, nothing is, it just improves it quite a bit. I find it reassuring that I don't have to sweat it when browsing the app store, "I wonder if this app is legit?"

    App stores directly incentivize bad actors to pursue shady business models. They actively promote everything must be cheap/free race to the bottom leaving even previously legitimate vendors little choice whether to adapt similar business practices as malware vendors.

    Few would accept a world in which the only place physical goods could be purchased was Walmart. This would be seen as insane / dystopian... yet that's exactly the type of structure mega corps are trying very hard to carve for themselves for less physical goods.

  20. Re:It might be something but it isn't anti-trust? on US Appeals Court Revives Antitrust Lawsuit Against Apple (reuters.com) · · Score: 1

    Anti trust implies controlling prices to the detriment of the consumer. Apple in no way sets or controls the pricing.

    Except for the part where Apple extracts their cut.

  21. Do you actually believe the NSA's quantum computer won't break the encryption you use ?

    How charmingly naive.

    If government is hoarding code breaking class of quantum computers unknown to or inaccessible to the rest of world/industry then cracking encryption is the least of your problems. Any such exclusive technological edge would be massively dangerous/disruptive.

  22. Re:what else do they look for? on Why You Shouldn't Trust Geek Squad (networkworld.com) · · Score: 1

    I'd be much more concerned about what they can/will put on there to implicate you. Rewards do funny things to people, they become most shady when money is involved. I wonder how many instances of planting of illegal items, reporting it and collecting the $$$ occurs.

    Given the fact these guys are smart enough to have a job at geek squad how many would be able to pull it off without leaving incriminating forensic evidence?

    If there are more than a few instances I would expect someone to have learned about file system structures and transaction logs at their hearing before being carted off to jail.

  23. Enhanced Privacy Control = UI looks different on Microsoft To Enhance User Privacy Controls In Upcoming Windows 10 Update (hothardware.com) · · Score: 1

    Still can't turn off data collection and cyber stalking options now reduced from three levels to two.

    Congratulations Microsoft! Way to innovate and respond to the needs of your customers.

  24. Worse than CRT burnin /w low display lifetime on 'OLED TVs Will Finally Take Off in 2017' (engadget.com) · · Score: 1

    I actively avoid OLED when purchasing anything with displays in them. IPS looks fine to me and is significantly more reliable.

  25. Yep. Because no one is going to think about or see it like we do. They don't worry about spectrum, bandwidth, saturation, or why their goddamn toaster needs network access. They go "oooh, wifi!". And every marketing department in the world knows it.

    To people like you and me, LG just said "We're a bunch of morons, and you're probably not going to want to buy our stuff". To everyone else, they just said "We're the most advanced appliance maker in the world, and buying our products put YOU at the forefront of technology fashion!".

    It used to be fashionable to have your teeth bleached so they would look clean and healthy. At some point it became widely understood bleach was actually rotting holes in them.

    It doesn't take long for a few news @ 10 stories about the inevitable happening. Ransomware spoils food. Is your toaster spying on you? Is your LG blender slowing down your Internet? Panini press manufacturer subpoenaed by divorce lawyers. Botnet armies of LG smart shit takes down Google.

    Trend line on public perception of technology is going in the wrong direction thanks in no small part to persistent news coverage of hack after hack after hack after hack after hack after hack after hack.

    At least a 3rd of the country now have a pessimistic default outlook on technology. I'm sure LG has looked carefully at the current environment and made the decision profiting from sprinkling Wi-Fi in everything is currently in their best interests. We'll see.