
posted by janrinok on Tuesday March 07 2023, @11:41AM

In-hardware security can be defeated with just two extra bytes:

The Trusted Platform Module (TPM) secure crypto-processor became a topic for public debate in 2021 when Microsoft forced TPM 2.0 adoption as a minimum requirement for installing Windows 11. The dedicated hardware controller should provide "extra hard" security to data and cryptographic algorithms, but the official specifications are bugged.

Security researchers recently discovered a couple of flaws in the Trusted Platform Module (TPM) 2.0 reference library specification, two dangerous buffer overflow vulnerabilities that could potentially impact billions of devices. Exploiting the flaws is only possible from an authenticated local account, but a piece of malware running on an affected device could do exactly that.

The two vulnerabilities are tracked as CVE-2023-1017 and CVE-2023-1018, i.e. an "out-of-bounds write" and an "out-of-bounds read" flaw. The issue lies in the TPM 2.0 Module Library, which allows writing (or reading) two "extra bytes" past the end of a TPM 2.0 command in the CryptParameterDecryption routine.
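Added example, not code from the article or from the TPM 2.0 reference library: a simplified C model of the length handling described above, assuming the first encrypted parameter of a command is a 2-byte big-endian size field followed by that many ciphertext bytes. The function names (size_check_flawed, size_check_fixed, decrypt_first_param) and the sample buffers are constructed for illustration; the flawed check shows how a declared size that ignores the size field reaches exactly two bytes past the end of the command, and the corrected check rejects it.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model, not the TPM 2.0 reference code.  In a command whose
 * first parameter is encrypted by a session, that parameter is a TPM2B:
 * a 2-byte big-endian size field followed by that many bytes of
 * ciphertext.  Decryption must stay within the command buffer. */

typedef enum { RC_SUCCESS = 0, RC_INSUFFICIENT = 1, RC_SIZE = 2 } rc_t;

static uint16_t read_be16(const uint8_t *p)
{
    return (uint16_t)(((uint16_t)p[0] << 8) | p[1]);
}

/* Flawed check, modelling the bug class the article describes: the declared
 * ciphertext size is compared against the bytes remaining in the command
 * without accounting for the 2-byte size field that those bytes include.
 * A declared size equal to `remaining` passes, and the decryption loop
 * would then reach 2 bytes past the end of the buffer. */
int size_check_flawed(uint16_t declared, size_t remaining)
{
    return declared <= remaining;
}

/* Corrected check: the size field must be present, and the ciphertext
 * must fit in the bytes left after it. */
int size_check_fixed(uint16_t declared, size_t remaining)
{
    return remaining >= 2 && declared <= remaining - 2;
}

/* Bytes a declaration would reach past the end of the buffer (0 if it fits). */
size_t overrun_bytes(uint16_t declared, size_t remaining)
{
    size_t needed = 2u + (size_t)declared;
    return needed > remaining ? needed - remaining : 0;
}

/* Decrypt the first parameter in place using the corrected check.  XOR with a
 * caller-supplied keystream stands in for the session's XOR/CFB obfuscation. */
rc_t decrypt_first_param(uint8_t *buf, size_t remaining,
                         const uint8_t *keystream, size_t keystream_len)
{
    if (remaining < 2)
        return RC_INSUFFICIENT;            /* no room for a size field */
    uint16_t declared = read_be16(buf);
    if (!size_check_fixed(declared, remaining) || declared > keystream_len)
        return RC_SIZE;                    /* length overruns the command */
    for (size_t i = 0; i < declared; i++)
        buf[2 + i] ^= keystream[i];        /* stays within buf[0 .. remaining) */
    return RC_SUCCESS;
}

/* Constructed samples: a well-formed tail (size 4, 4 bytes follow) and a
 * malformed one that declares 6 bytes when only 4 follow the size field. */
static const uint8_t KEYSTREAM[6] = { 1, 1, 1, 1, 1, 1 };

rc_t run_malformed(void)
{
    uint8_t bad_cmd[6] = { 0x00, 0x06, 0x41, 0x42, 0x43, 0x44 };
    return decrypt_first_param(bad_cmd, sizeof bad_cmd, KEYSTREAM, sizeof KEYSTREAM);
}

/* Returns the first decrypted byte (0x41 ^ 1 = 0x40), or -1 on failure. */
int run_wellformed(void)
{
    uint8_t ok_cmd[6] = { 0x00, 0x04, 0x41, 0x42, 0x43, 0x44 };
    if (decrypt_first_param(ok_cmd, sizeof ok_cmd, KEYSTREAM, sizeof KEYSTREAM) != RC_SUCCESS)
        return -1;
    return ok_cmd[2];
}

int main(void)
{
    uint8_t bad_cmd[6] = { 0x00, 0x06, 0x41, 0x42, 0x43, 0x44 };
    uint16_t declared = read_be16(bad_cmd);
    printf("flawed check accepts malformed size: %d, overrun = %zu bytes\n",
           size_check_flawed(declared, sizeof bad_cmd),
           overrun_bytes(declared, sizeof bad_cmd));
    printf("fixed check rejects it: rc=%d\n", (int)run_malformed());
    printf("well-formed command: first plaintext byte 0x%02x\n", run_wellformed());
    return 0;
}
```

The same off-by-size-field pattern applies on the read side: a response parameter whose declared size is checked without the prefix would be read two bytes past its buffer.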

By sending specially crafted malicious commands, an attacker could exploit the vulnerabilities to crash the TPM chip, making it "unusable", execute arbitrary code within the TPM's protected memory, or read/access sensitive data stored in the (theoretically) isolated crypto-processor.

In other words, successful exploitation of the CVE-2023-1017 and CVE-2023-1018 flaws could compromise cryptographic keys, passwords and other critical data, making security features of modern, TPM-based operating systems like Windows 11 essentially useless or broken.

TPM provides a hardware random number generator, secure generation and storage of cryptographic keys, remote attestation with a "nearly unforgeable" hash key summary of the hardware and software configuration, and other Trusted Computing functions. On Windows 11, the TPM can be used by DRM technology, Windows Defender, BitLocker full-disk encryption and more.

According to the CERT Coordination Center at Carnegie Mellon University, a payload that successfully exploits the vulnerabilities could run within the TPM and be essentially "undetectable" by security software or devices. The issue is resolved by installing the most recent firmware updates available for the user's device, but the process is easier said than done.

While the flaws could theoretically impact billions of motherboards and software products, just a few companies have confirmed that they are indeed affected by the issue thus far. Chinese company Lenovo, the world's largest PC manufacturer, acknowledged the issue in its Nuvoton line of TPM chips. An attacker could exploit the CVE-2023-1017 flaw to cause a denial of service issue in the Nuvoton NPCT65x TPM chip, Lenovo said.


  • (Score: 5, Insightful) by coolgopher on Tuesday March 07 2023, @12:13PM (4 children)

    by coolgopher (1157) on Tuesday March 07 2023, @12:13PM (#1294911)

    As someone who's had the displeasure of interfacing with a TPM 2.0, I would say the far bigger security risk is that the spec is a convoluted blob of indecipherable security-by-obscurity. I'll be amazed if people genuinely manage to not fall into one pit or another while trying to do the right thing. And why-oh-why did they insist on rolling their own encryption layer for the comms channel (and then decide to do it half-arsed)? As far as I could see TLS with ECDH would've been a smarter choice.

    • (Score: 5, Informative) by Unixnut on Tuesday March 07 2023, @12:59PM

      by Unixnut (5779) on Tuesday March 07 2023, @12:59PM (#1294915)

      Because if they just installed a backdoor into every device, it would have caused outrage. This way they just make a complete pig's breakfast of the entire thing, and any vulnerabilities that happen to compromise the system can be written off as incompetence rather than malice.

      I remember some of the arguments against TPM were precisely saying that things like this could happen, and here we are.

    • (Score: 2) by Barenflimski on Tuesday March 07 2023, @02:47PM

      by Barenflimski (6836) on Tuesday March 07 2023, @02:47PM (#1294932)

      I tried to use it a few weeks ago. I gave up. They're lucky I left UEFI on.

      I wasn't installing machines for the NSA, so it likely won't matter if a nation state acquires my kids' Roblox passwords.

      I wasn't impressed with the effort it took out of the box for a guy that builds one computer every 3 years.

    • (Score: 2) by RS3 on Tuesday March 07 2023, @05:02PM

      by RS3 (6367) on Tuesday March 07 2023, @05:02PM (#1294959)

      IIRC when UEFI came out there was furor over not being able to install Linux, so I saw UEFI (and TPM) as feeble attempts by MS to ward off Linux the way they warded off Novell in the '90s. If I'm correct, then MS are not super-bright, and significantly underestimated the intelligence and adaptability of Linux developers. Sadly the security theater does fool most people, especially the technologically impaired decision makers.

      I don't deal with lots of PCs and different motherboards as I did some years ago, but from what I've had my hands on, I've been able to disable TPM and UEFI and just use normal BIOS boot. I suppose Win11 won't install.

    • (Score: 3, Insightful) by driverless on Wednesday March 08 2023, @09:47AM

      by driverless (4770) on Wednesday March 08 2023, @09:47AM (#1295094)

      Yup, beat me to it. I don't think they'll ever stop finding vulns in that festering mound of crap, not only from the problem you've pointed out but also because no-one would ever voluntarily want to implement that, which means that the code is written under duress from a gobbledygook design-by-committee spec by people who'd really, really rather be doing something else. End result is a great pile of awful code that you can barely make work properly when you're really trying hard to use it correctly, let alone under any kind of adversarial conditions.

  • (Score: 3, Funny) by Rosco P. Coltrane on Tuesday March 07 2023, @12:37PM (26 children)

    by Rosco P. Coltrane (4757) on Tuesday March 07 2023, @12:37PM (#1294912)

    Gee, what a shocker... Nobody saw that one coming.

    • (Score: 5, Insightful) by RedGreen on Tuesday March 07 2023, @01:08PM (25 children)

      by RedGreen (888) on Tuesday March 07 2023, @01:08PM (#1294916)

      "Gee, what a shocker... Nobody saw that one coming."

      Indeed, as I have said for decades, Windows is a virus delivery system masquerading as an operating system. Why anyone would ever believe anything else is beyond me; just seeing Windows and security used in the same sentence is a joke, unless it is to say how utterly useless it is to think you are secure when using it. They do not have one single clue how to do security; it has been proven beyond any doubt. If I had a dollar for every machine/time exploited I would be richer than BillyG himself, hell, probably more than that fucking piece of garbage Musk.

      --
      "I modded down, down, down, and the flames went higher." -- Sven Olsen
      • (Score: 2) by JoeMerchant on Tuesday March 07 2023, @01:40PM (21 children)

        by JoeMerchant (3937) on Tuesday March 07 2023, @01:40PM (#1294920)

        >They do not have one single clue how to do security it has been proven beyond any doubt

        I seriously doubt that they "don't know how to do security right", what they lack is the willingness to make it happen.

        --
        🌻🌻 [google.com]
        • (Score: 3, Insightful) by RedGreen on Tuesday March 07 2023, @05:00PM (20 children)

          by RedGreen (888) on Tuesday March 07 2023, @05:00PM (#1294958)

          "I seriously doubt that they "don't know how to do security right", what they lack is the willingness to make it happen."

          I stand by my statement; I have seen zero evidence that they have any clue in the matter. This is a multi-decade problem: they keep coming up with these new ideas that are supposed to be for security, but every single one of them fails to do anything about improving the security. They are totally clueless morons who only by a stroke of luck got into the monopoly position they are in, or they would have been long since dead. I do not really care; I have not used their trash in twenty-five years, made a pile of money repairing their junk though, so thanks for that one, idiots.

          --
          "I modded down, down, down, and the flames went higher." -- Sven Olsen
          • (Score: 4, Insightful) by RS3 on Tuesday March 07 2023, @05:07PM (18 children)

            by RS3 (6367) on Tuesday March 07 2023, @05:07PM (#1294962)

            It's called "security theater" and the audience is the business decision-makers who are technologically incompetent, but very bold, brash, exude confidence, belittling of any (much smarter) lower-downs who try to raise concerns (and get themselves labeled "complainer" and "trouble-maker").

            As I've said many times, the very wrong people are in charge and making dumb decisions, but are very good at making themselves look good and passing blame.

            • (Score: 3, Insightful) by JoeMerchant on Tuesday March 07 2023, @06:24PM (17 children)

              by JoeMerchant (3937) on Tuesday March 07 2023, @06:24PM (#1294977)

              >the very wrong people are in charge and making dumb decisions, but are very good at making themselves look good and passing blame.

              I don't disagree, but... it's not as simple as "put the geeks in charge." There are all kinds of business skills, and some of the most idiotic looking successful people at the top actually have and exercise skills that were valuable in getting them to where they are today.

              In other words: in a screwed up world, it usually takes screwed up people to compete their way to the top and stay there. (Drastic oversimplification ignoring not only the cash based head start that children of successful people start with, but also their circle of contacts, friends of daddy who help them out, chums from Harvard, etc. etc.)

              --
              🌻🌻 [google.com]
              • (Score: 2) by RS3 on Wednesday March 08 2023, @12:21AM (16 children)

                by RS3 (6367) on Wednesday March 08 2023, @12:21AM (#1295040)

                Shelved a longer reply, but either way I absolutely agree. I'm just sad that, as you mentioned with the Challenger disaster, tech people are overridden, as with Columbia, MCAS, and far far too many individual cases.

                Ever watch "Mayday!" or "Disasters of the 20th Century" or read about some stunning near disasters? In many cases the builder deviates from the engineered design, without permission of course. If you ever study some of the terrible air disasters, many have been caused by excessive hierarchy in the cockpit. So the FAA, NTSB and others have worked to change that atmosphere of one kingpin and everyone else has to shut up and do. Now, supposedly, captains have to listen to copilots, flight engineers, flight attendants, etc.

                My hope and wish is that all of society would learn from these mistakes; that sometimes the lower-downs have the best ideas / insight. Sometimes (often) children see things completely clearly. Point is, a bit too much hierarchy. You know, the many times and places where bosses say they have an open-door policy. (not necessarily open-mind though...)

                • (Score: 3, Insightful) by JoeMerchant on Wednesday March 08 2023, @03:08AM (15 children)

                  by JoeMerchant (3937) on Wednesday March 08 2023, @03:08AM (#1295053)

                  >tech people are overridden

                  My first job out of grad school was 12 years in a tech oriented, techie run company. I actually stood in a trade show booth under a banner reading "We're scientists, not salespeople." Primary lesson of those 12 years? We built the better mousetrap - world class - and the world did anything but beat a path to our door.

                  >change that atmosphere of one kingpin and everyone else has to shutup and do.

                  They should come for the M.D.s next, that's a horribly toxic environment which encourages young megalomaniacs to throw their weight around, and while decisiveness and a steady course are often beneficial in both air piloting and surgery, on too many occasions they both take it too far for the good of their passengers / patients. Unfortunately, M.D.s don't die with their bad calls, and some go on making those bad calls for years before they're taken out of service.

                  >all of society would learn from these mistakes

                  Friends of ours lived on Key Biscayne (Miami) from the 1970s through to 2003. They could barely afford it in the 1970s, but by 2003 their homes were selling for 1.8 million a piece, not for the structure but for the land. Key Biscayne had become a favorite destination for rich Colombians. Before they, too, sold out to fund their retirement, they chatted with some of their new neighbors. The most telling anecdote: "Oh, we just love it here! The children can play in the street and we don't have to worry about them being kidnapped."

                  From that, and so many other examples, I wish society would learn: Income inequality is bad for everyone, even the rich. Instead, they just wish they could be in the rich minority and ignore all the problems that creates throughout the income spectrum. Scarier still are those who seek out jobs as doctors, or pilots, or business owners, or police, or politicians because they like the idea of throwing their weight around, and even if they don't follow those careers they still like it when people are throwing their weight around to the detriment of the people they are supposed to be serving. Like rooting for an idiot in a "reality" TV show with the tagline: "You're Fired!" Rooting for that NASA flight director with the balls to say: "Go for launch!" when he's not really sure how safe that decision is, or isn't.

                  --
                  🌻🌻 [google.com]
                  • (Score: 2) by RS3 on Wednesday March 08 2023, @03:48AM (14 children)

                    by RS3 (6367) on Wednesday March 08 2023, @03:48AM (#1295065)

                    Man, you get it. Would you please run for office? Oh, you know too much. Nevermind!

                    Yeah, I know too well about the good products being passed up. Did some sort of passive mgt. studying, much from Tom Peters and W. Edwards Deming (if I got that right). They talked about car industry, for example: US mfgrs. spent 75% on new product design, and 25% improving existing. Japanese: flip the numbers.

                    Years ago I learned how advertising and razzle-dazzle sells far more than solid reliable stuff. Look at Tucker, and many other car companies. Again, I blame the people making the decision on what to buy.

                    Years ago I wanted to buy a cassette deck. I wanted a really good one, but tight budget (no Nakamichi for me!). I asked salesman about specs. He was super puzzled, but not too busy, so he went to file cabinet and we looked through manuals, and specs. I bought a Pioneer- kinda cheezy build, but really good specs. A couple of years later I did some actual tests, and yup, it was every bit as good as they claimed- really good.

                    I'll say this: it really depends on the field / market. Some things are purchased by more intelligent people, by definition, and product quality will become known very quickly. The internets are helping with quality reviews.

                    Yeah, don't get me started on the medical world. Lost both parents to the chaos of the medical world. Too much to detail. Last summer I was taking too much Ibuprofen- not tons, but too much. Got COVID for a couple of days, and ended up with GI bleed. Went to ER, just barely conscious, waited in waiting area (hard chairs) for almost 7 hours. Next morning very smug arrogant GI dr., well, bottom line: he wasn't going to scope me for another 2 or 3 days. I had to lie there, not allowed to go out to my car and get my computer, paying $600 / day to lie there, no food, overall miserable. Needless to say I signed myself out, went home, ate a little bit of cheese and bread, couldn't sleep until 3 AM due to IV Protonix (which kept me awake the entire night before). Next day ate normal meals, no bleed symptoms (black you know what) at all, no problems, was fine. I think I've taken 2 IB since last summer. I do eventually learn, I think.

                    I've been to Miami a few times, Key Biscayne (Miami Seaquarium there?). Didn't go out farther. Was staying in Naples. Really loved it there. I had no idea about the Colombians, but I know some things about them. 'nuff said there.

                    Yes, you have one of the most solid grasps of reality I've ever come across. I pretty much do, I just have some hope / optimism / dream that someday someone will wise up "sudden outbreak of common sense". Every now and then I see something good in the news. Sigh.

                    • (Score: 3, Interesting) by JoeMerchant on Wednesday March 08 2023, @11:28AM (4 children)

                      by JoeMerchant (3937) on Wednesday March 08 2023, @11:28AM (#1295097)

                      >sudden outbreak of common sense

                      Wouldn't it be nice?

                      I still live in Florida, pretty sure my running for office would be a complete waste of time.

                      >don't get me started on the medical world

                      Sorry to hear all that. My ER experiences have been... extremely uneven. The one in Dusseldorf was out of this (US) world. Forget about the fact that the bill was 35DM but I didn't have exact change, so they said don't worry about it and took 30 ($15US). Around 6-7pm a red stripe started growing up my arm (blood poisoning, real risk of loss of limb or worse if not treated quickly); walked 5 minutes from where I was staying to the ER (locals were apologizing that I was mid-way between two hospitals, which is why the nearest was "so far"). Waited 5 minutes for the case before me to wrap up (no appointment of course) and then had the full attention of the MD and a nurse about my age (22) for 90+ minutes. Nurse asked if she could join me and my friend for a beer after...

                      For contrast: Gainesville Florida, known as a medical center of excellence. Similar symptom: red stripe on wrist, accompanying stiffness in finger joints, small spot of green pus coming from fingernail (don't dig in the garden with bare hands...). Drive 20 minutes to nearest open care facility, a big hospital ER. Park in the packed patients' lot, walk across a big gated Doctors' parking lot, empty but for two flashy new luxury cars, to get to the E.R. Waiting area is maybe 20% full, maybe 10-12 patients. Check in, show the red stripe, explain the urgency to the receptionist, sit, wait, playoffs football game is just starting. Not just me, nobody is going back for any reason. A pizza or two are delivered to the back. Around halftime an ambulance delivers a car crash victim on a stretcher, moaning in pain; EMTs quickly leave the stretcher patient there, alone, unattended. Other ER patients trickle in until the waiting room is nearly full. Somewhere in the fourth quarter tests get ordered, like an x-ray for my hand. Finally, the New England Patriots score a decisive game-winning touchdown and a couple of minutes later, patients start to be seen by the 2 on-duty ER doctors, rapid fire. I am seen by one MD who is doing the infectious disease oral exam from across the room (blood poisoning isn't contagious), no wound cleaning or close inspection. I get discharged with a script for antibiotics and a mumbled apology that the onsite pharmacy is closed; I will have to drive across town to a 24 hour pharmacy on my way home (Dusseldorf handed me a bottle of pills in the exam room, no charge). Nearly midnight, walking out the rear door directly into that gated Doctors' parking lot, the same two cars are there. God only knows where the rest of the ER patients had to park and walk from; the lot I was parked in was jammed full.

                      I have also experienced some good urgent care in the US, though never been asked out for a beer.

                      --
                      🌻🌻 [google.com]
                      • (Score: 2) by RS3 on Wednesday March 08 2023, @03:15PM (3 children)

                        by RS3 (6367) on Wednesday March 08 2023, @03:15PM (#1295117)

                        Ugh! Sorry to hear of your travails. I don't do much gardening, and I think of gardeners who always have their hands in dirt. I'll wear gloves.

                        A good friend grew up in Germany. Like all Germans I've met she rightly criticizes much about the US, healthcare, food lack of quality (chemicals), etc., and sings the praises of all things Germany. I think I need to move there and be done with it.

                        • (Score: 2) by JoeMerchant on Wednesday March 08 2023, @04:49PM (2 children)

                          by JoeMerchant (3937) on Wednesday March 08 2023, @04:49PM (#1295137)

                          A couple of friends of mine moved there in 1989, after graduation from college. They said, at the time, that it was temporary, they wouldn't want to raise their kids there or anything.... Three kids and 34 years later, yep, still there.

                          Downsides: the weather isn't the best year round. It's relatively crowded. The beaches suck. The big old cities are big old cities. Some things that are cheap here are expensive there, but there's a lot of vice versa to balance that too, except real estate - owning real estate there is much harder. Otherwise.... learn to speak some German and everything's cool.

                          --
                          🌻🌻 [google.com]
                          • (Score: 2) by RS3 on Wednesday March 08 2023, @05:16PM (1 child)

                            by RS3 (6367) on Wednesday March 08 2023, @05:16PM (#1295148)

                            Required 2 years of language in HS, and quite long story short it ended up being German, and most of them know some English, so I'm a little ahead there...

                            • (Score: 2) by JoeMerchant on Wednesday March 08 2023, @06:44PM

                              by JoeMerchant (3937) on Wednesday March 08 2023, @06:44PM (#1295160)

                              I learned enough on vacation (3 months in '89 and 6 weeks in '90) to have a sort-of conversation with the couple next to me on the flight home for an hour or so in '90 - was exhausting for me, I was nowhere near fluent, less so now, but we did communicate pretty well back and forth.

                              The thing about speaking German, even poorly, in Germany or anywhere near to it, is that the locals seem to genuinely appreciate the effort you are making. Unlike French in Paris....

                              You're right about most of them speaking English, except East of "the wall" in 1990 - that was where I got my deep immersion lessons: either learn how to ask where you can get a room for the night, or sleep outside....

                              --
                              🌻🌻 [google.com]
                    • (Score: 2) by JoeMerchant on Wednesday March 08 2023, @11:42AM (8 children)

                      by JoeMerchant (3937) on Wednesday March 08 2023, @11:42AM (#1295098)

                      Oh, about the GI docs, I have only experienced two in my life, it's not much of a stretch to say that line of work is full of assholes.

                      No complaints about the experience or skills of either of mine, but both left me feeling reamed as to their procedure selection and scheduling. They do what they do when they choose to do it, and it's hard not to see the income maximization driving their decisions, especially with hindsight.

                      The last one I saw is apparently terrified that pill cams and mail-away tests are going to impact his income stream. Very insistent that the scope is the only valid diagnostic tool, and plastered the elevator and waiting room with derisive posters putting down the alternatives.

                      --
                      🌻🌻 [google.com]
                      • (Score: 2) by RS3 on Wednesday March 08 2023, @03:10PM (7 children)

                        by RS3 (6367) on Wednesday March 08 2023, @03:10PM (#1295116)

                        Interesting and informative! I had asked about a pill cam but the Dr. poo-pooed it.

                        • (Score: 2) by JoeMerchant on Wednesday March 08 2023, @04:44PM (6 children)

                          by JoeMerchant (3937) on Wednesday March 08 2023, @04:44PM (#1295134)

                          I damn near walked out on mine during the consult because his explanation when I asked was: nope. I pushed for more and he came at me with 'I'm the Dr.' kind of logic.

                          You know, Dr. Dude, I'm paying for a 30 minute consult here, I'd at least like to hear some reasoning beyond "because I say so" which he eventually gave. I'm pretty sure I'll spin the wheel and try a new one the next time I need a camera on a stick inserted anywhere.

                          --
                          🌻🌻 [google.com]
                          • (Score: 2) by RS3 on Wednesday March 08 2023, @05:13PM (5 children)

                            by RS3 (6367) on Wednesday March 08 2023, @05:13PM (#1295145)

                            My potty humor aside, I did ask the Dr. and iirc he said the pill cam was more for intestinal problems, and I most likely had a stomach bleed, in which case the cam might not see the problem.

                            • (Score: 2) by JoeMerchant on Wednesday March 08 2023, @06:39PM (4 children)

                              by JoeMerchant (3937) on Wednesday March 08 2023, @06:39PM (#1295159)

                              Yeah, at the risk of oversharing, I had some kind of "thing" develop on the surface by the "exit" that popped and bled one night, shortly after my 50th birthday. Bleeding stopped before I could get an appointment, but "it was time" by the guidelines anyway, and the guidelines also say: "if it bleeds, we stick a camera in."

                              The logical argument that I finally agreed to was: the pill cam gives you a picture, just a picture. If it sees anything, then they want to send in the scope anyway to take a sample, so: might as well just start with the scope (that the Dr. is familiar with, instead of the pill cam images which may actually be superior in some ways, but aren't familiar to most GI docs) - then when they see things, they can snip off samples and send those in for extra profits - ummm - meant to say: biopsy.

                               

                              --
                              🌻🌻 [google.com]
                              • (Score: 2) by RS3 on Wednesday March 08 2023, @07:32PM (3 children)

                                by RS3 (6367) on Wednesday March 08 2023, @07:32PM (#1295165)

                                Mine was stomach- I just knew it, and the exits were pitch coal black. It healed itself very nicely and quickly. Resting at home, eating a bit, carefully, was the correct Rx for me. If symptoms had continued, I'd have gone to a different hospital. I know of a really good one but it's more than an hour away, but worth it if I ever need it.

                                I've always worried about biopsy, and I'm much happier to see they're doing less and less of them. Cutting into a tumor is like blowing on a dandelion or poking a bees nest.

                                • (Score: 2) by JoeMerchant on Wednesday March 08 2023, @07:48PM (2 children)

                                  by JoeMerchant (3937) on Wednesday March 08 2023, @07:48PM (#1295167)

                                  >Cutting into a tumor is like blowing on a dandelion or poking a bees nest.

                                  Yeah, many years ago I had an argument with a newly minted M.D. about "tests" which may cause the disease they are looking for. He took a hardline stance that the tests should be done, regardless of whether they might cause the disease, because "we know how to cure the disease." That discussion ended in an agreement to disagree.

                                  I pressed my last GI doc about complication rates during colonoscopies, the numbers he quoted more or less lined up with what I found independently around the internet. If they had deviated significantly, I would have cancelled my appointment. All medicine is a risk vs reward thing, and the last thing I want is to be cut on by someone who lies about the risk side of the equation. Of course, as you point out, there are all kinds of other risks that they don't track. I imagine they're pretty good about diagnosing the rate of incidence of disease, but how many studies really accurately track side effects of medications and / or procedures when those side effects haven't been "scientifically linked" to the intervention - yet?

                                  --
                                  🌻🌻 [google.com]
                                  • (Score: 2) by RS3 on Thursday March 09 2023, @04:53AM (1 child)

                                    by RS3 (6367) on Thursday March 09 2023, @04:53AM (#1295235)

                                    It's a mess, and like many things, they're headed toward computers / AI doing the diagnosis. Now the real motives will be more apparent. I'm sure there will be huge pressure to bias the AI to sell more pharma. Hopefully, much like online maps, you can tell it you want the less pharma route.

                                    Hopefully computer / AI medicine will track drug interactions, give you stats and reviews, track your specific, specifics, like allergies, sensitivities, etc. Worried about your personal data's security? Don't worry, it'll be as secure as it is now. Not.

                                    I wanted to be an MD, and looked into it. For sure they have to be at least somewhat smart, but IMH opinion and observation, it's more about toughness, which I'm not so sure makes the best doctors. There are some really good ones out there for sure.

                                    • (Score: 2) by JoeMerchant on Thursday March 09 2023, @11:07AM

                                      by JoeMerchant (3937) on Thursday March 09 2023, @11:07AM (#1295280)

                                      >bias the AI to sell more pharma

                                      Make more profit for whoever controls the AI, I'm sure pharma will find their way into that loop, but there are lots of ways to make money. Procedures under general anesthesia (for no good reason) have been one popular route for the past few decades.

                                      >tell it you want the less pharma route

                                      I'm afraid patient and physician input to the process will only be diminished going forward with AI tools.

                                      >track drug interactions

                                      There should be fewer outright mistakes, but what worries me is when the AI system starts orchestrating coverups of high profit drugs / procedures which do more harm than good.

                                      >I wanted to be an MD

                                      I did too, for about five minutes in fourth grade. Other than the money, the lifestyle sucks. On call, working with the public, exposure to disease, most positions are relatively high stress.

                                      There are good doctors, and IME a lot of good doctors who have bad days.

                                      --
                                      🌻🌻 [google.com]
          • (Score: 4, Insightful) by JoeMerchant on Tuesday March 07 2023, @06:17PM

            by JoeMerchant (3937) on Tuesday March 07 2023, @06:17PM (#1294975)

            It's like NASA: they employed engineers who knew that Challenger wasn't safe to launch, and raised warnings as loudly as they were permitted to in plenty of time to stop the launch, but the organization as a whole failed to act correctly on that knowledge. Then, for round two, they continued to stick their collective heads in the sand about those pesky tiles that kept falling off... they knew they were important, they knew how many fell off, they replaced them, they had plenty of clues.

            Among the 220,000+ Microsoft employees, I'm certain there are more than a few who know how to implement a secure system. Probably several who could integrate those solutions into a practical system that still runs legacy Wintel applications, in a secure manner that doesn't introduce any vulnerabilities not directly present in the applications themselves. The chain of management is probably aware, if only dimly at the higher levels, of where this talent lies in the organization. What they lack is the organizational ability, or perhaps desire, to produce a truly secure product, even though they have employees who could. The clue is present, it's just not commanding the ship.

            Off and on over the years I have contemplated trying to make a PGP e-mail client that people would actually use. The problem there isn't the availability of workable solutions, it's the lack of people willing to make any effort whatsoever to use them. You might say: we the users get the Microsoft that we deserve.

            In other news: my wife was so fed up with Windows that she finally said "yes, I'll try an Ubuntu based laptop this time." Three days in: zero complaints so far.

            --
            🌻🌻 [google.com]
      • (Score: 3, Informative) by Rosco P. Coltrane on Tuesday March 07 2023, @05:07PM

        by Rosco P. Coltrane (4757) on Tuesday March 07 2023, @05:07PM (#1294961)

        I have said for decades Windows is a virus delivery system masquerading as an operating system

        That's not the case anymore. Nowadays, Windows is a surveillance / data collection / advertisement delivery platform masquerading - more and more thinly - as an operating system.

        It's also increasingly a presentation API designed to fool you into believing Microsoft's cloud apps are running locally.

      • (Score: 5, Insightful) by digitalaudiorock on Tuesday March 07 2023, @06:37PM (1 child)

        by digitalaudiorock (688) on Tuesday March 07 2023, @06:37PM (#1294983) Journal

        As I've said countless times, Microsoft, and all the shit programmers that grew up with Windows, have replaced the KISS principle with a "nothing simple can ever be good" mentality, and that goes double for what they call security. I'm 100% convinced that nobody out there actually understands Windows' over-engineered "security" outside of the worst black-hats...and I'm including Microsoft in that.

        Security in Unix has always been essentially read/write/execute for user/group/other...period. Simple. Just look at the fucking nightmare that is the Windows policy editor. I get ill just thinking about it. I've also personally run into settings that you can find in MANY different places in Windows, where only one actually works. What could go wrong? Answer: Everything, and it does.

        • (Score: 3, Informative) by JoeMerchant on Wednesday March 08 2023, @03:21AM

          by JoeMerchant (3937) on Wednesday March 08 2023, @03:21AM (#1295061)

          Back in the Win95 days, I tried the MS development tools, and I found myself wasting my time painting icons pixel by pixel, not because I particularly wanted to, but because the tools sort of led me there: here, isn't this diverting? Have fun painting icons, because the rest of this copy-paste boilerplate BS is just soul sucking. By contrast, developing in the Borland API for Win95: stuff actually happened, calculations were done, graphs were drawn, UI control interfaces came together and did stuff. They had icons too, but somehow I never felt the need to mindlessly click away tweaking individual pixel colors.

          Here, 25+ years later, I've been "migrated" out of my self-hosted trac project management system into somebody else's DevOps instance. Now, one big plus of DevOps is that it's integrated with our Active Directory and I don't have to mess with any of that stuff, and that does work, even if Azure DevOps usage of ssh keys for git access is horridly backwards and insecure, but... other than that... when I was in trac, I documented things in the wiki, I made problem tickets and they got linked to code commits automagically, etc. All the same things that DevOps (finally) started delivering 15 or so years later, but again, in DevOps I find myself manually clicking through lists of tickets, editing tags one by one - reminiscent of that pixel-paint program so long ago. Trac never did that to me, and I can't help but feel that it's by design: MS development tools seem to do their best to waste developers' time at every opportunity.

          --
          🌻🌻 [google.com]
  • (Score: 2) by inertnet on Tuesday March 07 2023, @01:58PM

    by inertnet (4071) on Tuesday March 07 2023, @01:58PM (#1294925) Journal

    That would be a plus for me.

  • (Score: 2) by MIRV888 on Tuesday March 07 2023, @02:42PM (2 children)

    by MIRV888 (11376) on Tuesday March 07 2023, @02:42PM (#1294929)

    I can't wait for the rollback update.

    • (Score: 0) by Anonymous Coward on Tuesday March 07 2023, @10:20PM (1 child)

      by Anonymous Coward on Tuesday March 07 2023, @10:20PM (#1295024)

      I'd appreciate that, still using Win 7. I'm pretty annoyed that Chrome has stopped updating (as of last month or so). I don't use Chrome often, but several business-related websites seem to only work with it--so I have to fire up Chrome a few times a month.

      • (Score: 2) by RS3 on Thursday March 09 2023, @04:38AM

        by RS3 (6367) on Thursday March 09 2023, @04:38AM (#1295234)

        Still mostly on Win7. Finally getting it configured, refined, comfortable. Mostly.

        Give Vivaldi a try. It's Chrome-based, but seems much friendlier. If you do, don't download the newest version; it won't install. Newest for Win7 is: 5.6.2867.62

        I'm actually happy that it's not updating any more.

        I mostly use "Old Opera" (12.18), but some sites won't work, so Vivaldi it is. Not sure if Chrome has it, but Vivaldi has very good built-in tracking and ad blocking. It's too good. Last year I wasn't aware, or didn't pay much attention to the new built-in blockers. Well, couldn't check out on eBay / PayPal. Frustrating calls to them didn't help. Finally figured it out. Easy to turn the tracking and/or block off, on a per-site basis.

  • (Score: 4, Interesting) by Mojibake Tengu on Tuesday March 07 2023, @04:54PM (2 children)

    by Mojibake Tengu (8598) on Tuesday March 07 2023, @04:54PM (#1294957) Journal

    All attempts to increase security by adding an opaque layer to the structure are a wrong model.

    When such a composition fails, you will get an opaque threat instead. Or a non-analyzable situation. That does not depend on paradigm. It was proved by the history of state security organizations and no doubt the same history will repeat itself on the digital scene. Overloading or poisoning an opaque layer are trivial strategies, hardly defendable.

    In the long term, a transparent security model is much better because it can be verified and audited, and threats or successful attacks can be investigated or dissected.
    Transparent security is one of the fundamental ideas behind the FOSS ideology and movement. We are now being deprived of that transparency at the hardware level.

    I am looking forward to fun with Microsoft Pluton, now embedded in all the late consumer grade CPU designs as a TPM replacement.
    Did you know EPYC processors don't have this? Why is Pluton designed as consumer grade solution only?
    The best of it is still coming: a legal obligation of it for all future devices with access to public network connectivity. Windows 11 is just a first step...

    --
    Respect Authorities. Know your social status. Woke responsibly.
    • (Score: 2) by JoeMerchant on Wednesday March 08 2023, @03:30AM

      by JoeMerchant (3937) on Wednesday March 08 2023, @03:30AM (#1295062)

      All security comes down to secrets. Who holds the secret key? How securely is that secret held? Making secrets take millennia to "break" is well established and trivial, even in the face of quantum computers (so far...)

      The rest is obfuscation, so-called "security by obscurity", which can slow attackers, sometimes for years, centuries even, but once broken is usually trivial to reproduce quickly, and across all similar systems.

      As you say: keeping the models simple is the path to true security, so developers, and attackers both white and black hatted, can focus on the security of the essential secrets.

      Unfortunately, keeping secrets secure is hard, and obscurity is relatively easy, so guess what most businesses tend to pursue?

      --
      🌻🌻 [google.com]
    • (Score: 2) by JoeMerchant on Wednesday March 08 2023, @03:34AM

      by JoeMerchant (3937) on Wednesday March 08 2023, @03:34AM (#1295063)

      >legal obligation of it for all future devices with access to public network connectivity. Those Windows 11 are just a first step...

      The unfortunately successful argument in this case (because: what are courts of law other than places to present arguments?) is this: Windows XYZ is "state of the art", we followed all "industry best practices," we can't be held liable for doing the best job possible - go prosecute the criminals instead.

      --
      🌻🌻 [google.com]
  • (Score: 1) by DadaDoofy on Tuesday March 07 2023, @09:42PM

    by DadaDoofy (23827) on Tuesday March 07 2023, @09:42PM (#1295010)

    That's a feature, not a flaw.

  • (Score: 0) by Anonymous Coward on Tuesday March 07 2023, @10:58PM

    by Anonymous Coward on Tuesday March 07 2023, @10:58PM (#1295028)

    Since the beginning...
