from the you-say-sandbox-I-say-litterbox dept.
Submitted via IRC for SoyCow1984
Microsoft is trying to address the fear of running an unknown .exe on your PC. While some power users set up virtual machines to check unknown apps, Microsoft has developed a simple way for anyone running Windows 10 to launch apps in an isolated desktop environment. Windows Sandbox is a new feature coming to Windows 10 next year that creates a temporary desktop environment to isolate a particular app to that sandbox.
It's designed to be secure and disposable, so once you've finished running the app in this mode the entire sandbox will be deleted. You don't need to set up a virtual machine, but it will require virtualization capabilities enabled in the BIOS. Microsoft is making Windows Sandbox available as part of Windows 10 Pro or Windows 10 Enterprise, and it's clearly aimed at businesses primarily or power users.
Technical details: https://techcommunity.microsoft.com/t5/Windows-Kernel-Internals/Windows-Sandbox/ba-p/301849
(Score: 3, Funny) by MichaelDavidCrawford on Thursday December 20 2018, @07:25PM
You say that like it's a bad thing.
Yes I Have No Bananas. [gofundme.com]
(Score: 2) by JoeMerchant on Thursday December 20 2018, @07:31PM (10 children)
When you're starting from ordinary Windows 10 as a baseline, it's not hard to move in a more safe direction.
I wonder, are sandboxes supported within virtual machines, or is that too many layers of virtualization?
🌻🌻🌻 [google.com]
(Score: 0) by Anonymous Coward on Thursday December 20 2018, @08:22PM (9 children)
Going the other way, I wonder if this concession to security from MS could also include ways to really turn off all the auto-updating, tracking and calling home that Win10 does? I might be willing to use 10 (instead of 7) if there was a way to refuse all updates. Note, Linux not an option, my customers insist on Windows environment.
(Score: 5, Informative) by Immerman on Thursday December 20 2018, @08:28PM
No, they're only trying to protect you a bit from *other* threats. They don't like the competition.
(Score: 3, Funny) by JoeMerchant on Thursday December 20 2018, @11:32PM (7 children)
https://www.youtube.com/watch?v=sZfZ8uWaOFI&feature=youtu.be&t=190 [youtube.com]
🌻🌻🌻 [google.com]
(Score: 3, Informative) by Ethanol-fueled on Friday December 21 2018, @01:49AM (5 children)
Did you get the latest corporate update lately? I shit you not, it BSOD'd with an "IRQ_NOT_LESS_OR_EQUAL" message, which I haven't seen since the '98 days and before.
And not only did I have to reconfigure my Edge settings all over again, but a shortcut to fucking Netflix was placed in the top of my start menu. In a fucking corporate environment where shit is locked down so tight we can't even right-click without admin's approval and even thinking about pissing away bandwidth on Netflix is a cardinal sin.
(Score: 1, Insightful) by Anonymous Coward on Friday December 21 2018, @02:16AM (3 children)
"The behavior of any bureaucratic organization can best be understood by assuming that it is controlled by a secret cabal of its enemies." -- Robert Conquest
(Score: 2, Insightful) by Ethanol-fueled on Friday December 21 2018, @02:34AM (2 children)
If you mean the Pajeets running Microsoft, then yes, I totally agree, it is a secret cabal of enemies. Otherwise it's just plain incompetence.
(Score: 1, Insightful) by Anonymous Coward on Friday December 21 2018, @05:02AM
Never ascribe to incompetence anything adequately explained by malice.
(Score: 0) by Anonymous Coward on Friday December 21 2018, @11:03AM
Pajeet unknown A slang / racial slur for a smelly dirty curry drinking hairy Indian that poos in the loo .
(Score: 2) by urza9814 on Friday December 21 2018, @06:49PM
I've seen more than one IRQ BSODs (and some other BSODs) over the past year on our Windows 7 systems at work, and I'm not even in IT, that's just from the four people on my team.
Starting from Windows XP though I'm pretty sure the default behavior was to silently reboot without displaying the BSOD, so that's potentially why you stopped seeing them so much after '98. They still happened, they just weren't typically visible unless you remembered to change the settings (Advanced System Settings > Startup and Recovery > Settings > System Failure > Automatically restart). Haven't installed Windows on any of my own systems in quite a few years though so I can't say if that's still the default.
(Score: 1) by ShadowSystems on Friday December 21 2018, @06:42AM
At JoeMerchant, re: that Youtube link.
The video led with an ad for laxatives.
Coincidence?
=-D
(Score: 5, Funny) by Virindi on Thursday December 20 2018, @08:20PM (5 children)
Oooh, can I sandbox Windows 10, then?!
(Score: 1, Insightful) by Anonymous Coward on Thursday December 20 2018, @09:10PM
I got a much easier option. Just ditch windows altogether; install linux instead.
Right, then. I'll just get me coat.
(Score: 3, Funny) by Nuke on Friday December 21 2018, @12:00AM (1 child)
More than that, can we sandbox the sandbox in case it is yet another MS trick?
(Score: 0) by Anonymous Coward on Friday December 21 2018, @05:13PM
It's sandboxes all the way down!
(Score: 3, Touché) by The Mighty Buzzard on Friday December 21 2018, @01:27AM
Litterboxing it would be more appropriate.
My rights don't end where your fear begins.
(Score: 1, Funny) by Anonymous Coward on Friday December 21 2018, @04:05PM
I would recommend doing that or not running it at all with Microsoft's track record with Windows 10.
(Score: 3, Insightful) by Anonymous Coward on Thursday December 20 2018, @08:22PM (1 child)
Can I force user to run internet explorer, outlook, excel, word and pretty much every Microsoft technology in this sandbox? They are where all the viruses come from.
(Score: 1, Informative) by Anonymous Coward on Friday December 21 2018, @11:05AM
No, They are no longer executables.
(Score: 0) by Anonymous Coward on Thursday December 20 2018, @08:30PM
who will sandbox the sandboxers?
(Score: 2) by Snow on Thursday December 20 2018, @08:36PM
Windows 10 eat a dick.
(Score: 5, Interesting) by stormreaver on Thursday December 20 2018, @08:58PM (6 children)
I see this as a waste of resources, as it's intended to be used. If done right, it will seem to be useful for a while: run the program in the sandbox, decide it's safe, install it on the real system.
But then, malware writers will adjust to how the sandbox is used: run the program once or twice, then allow it out of the sandbox onto the real system. So they will just make the malware run benignly for a little while before springing the malicious payload.
This is just a band-aid so Microsoft can hand-wave away Windows' atrociously bad, systemic security problems.
(Score: 5, Insightful) by stormreaver on Thursday December 20 2018, @09:01PM (1 child)
Or equally likely, malware writers will learn to detect the sandbox, and act accordingly.
So this is yet another in a long line of useless misfeatures Microsoft dreamed would somehow make Windows more secure. As is usual with Microsoft, it will have the opposite effect: it will make Windows less secure because it will impart a false sense of security, making users more careless.
(Score: 2) by edIII on Friday December 21 2018, @12:11AM
I'm not sure sandboxing even works anymore for that reason. Proof of concept has already been demonstrated in detecting virtualized environments by a running program. Tails can detect if you're running it in a VM, or bare metal. Beyond that, it's been demonstrated that you can escape the VM and affect other processes. Leak encryption keys from virtualized processes that are running alongside the VM. I don't see how sandboxing is any different, or what makes it magically impossible to escape.
Then there is how M$ is going to implement it, and whether that implementation is sound or botched. Considering how utterly fucking horrible 8, 8.1, Metro, and all their new shiny UI that doesn't work for shit, I'm not confident in what they can build anymore.
Only safe way to test an .exe is a bare metal dedicated unit that can only communicate by temporary file sharing. Enable the networking connection, transfer the file, test the program, reimage the test device, analyze the network traffic and program operation, and then decide if the program is safe.
Personally, the only way I would consider a program safe in this day and age is if I could download the source code from a FOSS repo with many eyes on it. One where the author can cryptographically sign it, I can verify it, and the compile the program for my system.
Running strange binaries? This is like providing a protective condom for very questionable prostitutes. The better decision is just to not use strange binaries at all.
Technically, lunchtime is at any moment. It's just a wave function.
(Score: 2, Informative) by Anonymous Coward on Thursday December 20 2018, @09:23PM (2 children)
What? Why would you bring it into the "real system." Just keep running it in the sandbox. There is no reason why my Cookie Collector game needs to interact with Maya, and neither need to interact with my tax accounting software. You keep everything sandboxed forever.
Done.
I think you are living in the past. Microsoft has tried to, and succeeded, in dramatically improving their security with the start of Windows Vista. It's still far from perfect, but they are far from the sieve-like holey mess from back in the Windows XP days. Considering they are the most-used operating system for ignorant consumers, and thus the most attractive attack target, I think they are doing pretty good from a security perspective.
Now from a spying perspective, an advertisement perspective, a UI perspective, and a "Redmond owns your hardware, not you" perspective, I think they've dramatically regressed... but you were only talking security.
(Score: 1, Insightful) by Anonymous Coward on Thursday December 20 2018, @10:10PM (1 child)
Please temper your MS shill activities with a sliver of common sense. Thanks.
https://soylentnews.org/article.pl?sid=18/12/20/0358220 [soylentnews.org]
(Score: 4, Funny) by Nuke on Thursday December 20 2018, @11:57PM
Doesn't sound like a shill to me. I don't think that any trained MS shill would mention the word "Vista".
(Score: 0) by Anonymous Coward on Friday December 21 2018, @05:57AM
Actually I'm pretty certain this thing is going to have deliberate, and massive, holes from the get-go, and Microsoft will refuse to patch them.
In a sandbox environment it is often possible to force your way into bypassing anti-piracy measures and privacy-invading features. Microsoft does not want you to be able to do that, at least not to its applications, and possibly not when it deigns its interests are superior to yours (which is an increasing amount of the time). Given Windows 10 is a step towards the gradual (or not-so-gradual) evolution of the company owning the device whether you like it or not, they will not give this feature up, both in terms of general strategy with Windows as well as protecting their own bottom line, and trying to convince development firms to embrace UWP, or whatever walled garden bullshit they're pedaling this week as they try to sink Win32 in favor of something that they control better.
(Score: 0) by Anonymous Coward on Thursday December 20 2018, @09:27PM (2 children)
in sandboxes.
(Score: 3, Funny) by Gaaark on Thursday December 20 2018, @10:58PM
Now, so does Microsoft!
--- Please remind me if I haven't been civil to you: I'm channeling MDC. I have always been here. ---Gaaark 2.0 --
(Score: 1) by ShadowSystems on Friday December 21 2018, @07:00AM
That's not cat poop, that's Almond Roca!
Extra crunchy, extra chewy, extra long lasting Almond Roca.
MS: polishing the turd so you don't have to!
*Cough*
(Score: 0) by Anonymous Coward on Thursday December 20 2018, @09:48PM
Sandboxes all the way down.
(Score: 4, Insightful) by Freeman on Thursday December 20 2018, @10:22PM
Really, people just haven't treated the Internet with the respect it deserves. You treat it like Lava, assume it will burn through everything and only touch it lightly. Otherwise, you're dead.
Ok, maybe an Ebola allegory would have been better.
Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
(Score: 5, Insightful) by noneof_theabove on Friday December 21 2018, @12:28AM
protecting "us".
This is for Pro & Enterprise.
"Home Users" the tech clueless can continue infecting their machines as usual.
Nothing to see here, move along.
(Score: 2) by TheLink on Friday December 21 2018, @04:13PM
https://soylentnews.org/comments.pl?sid=379&cid=9544#commentwrap [soylentnews.org]
Hope they get around to implementing the other stuff too:
https://soylentnews.org/comments.pl?noupdate=1&sid=379&cid=9518#9518 [soylentnews.org]