SoylentNews is people
SoylentNews
Martin Brinkmann over at ghacks.net brings us info on Windows 10 security changes:
The company started to open up only recently and reveal additional information about Windows 10. It published a lengthy blog post today on the Windows For Your Business blog that details security improvements coming to the operating system.
Aimed at business and enterprise customers, it provides insight for consumers as well.
One of the changes discussed in the blog post is how Microsoft plans to change how users identify themselves on the system. Microsoft plans to eliminate single-factor authentication systems such as user/password log ins by building improved protection right into the operating system.
Yeah, I know we're way off normal in Linux usership around here but we still have relatives whose computers we have to fix, so...
(Score: 3, Interesting) by Thexalon on Thursday October 23 2014, @03:11PM
I'm sick and tired of them spreading the myth that proper security is based on the concept of trust. Quite the opposite - it's based on the concept of distrust!
For example, if somebody contacts me and tells me they need access to a system that I control, I'm not just going to take their word on the fact that (a) they are who they say they are, and (b) they legitimately have a right to the access they are requesting. Instead, I'm going to ask them some questions that help verify who they are, I may ask that they talk to me in person, and I'm going to check with a colleague who knows such things to determine whether they in fact should have access to the system. That's precisely because I don't trust them.
Similarly, if I'm running a new application, I don't want it to have any ability to overwrite system files (and indeed, I might sandbox it to think that nothing important even exists). Even for applications I've had around for a while, I'm going to get suspicious if it tries to do something it's never done before that affects something it's never touched before.
Microsoft's real goal is to collect a nice fee for their signing services for all applications that run on Windows machines. In fact, I wouldn't be surprised if they were dreaming up ways of requiring their signing certificate to be a per-copy license rather than a one-time fee. And have them have to pay again each time they issue a new release. This would put them in a position of controlling every other businesses' ability to sell to Windows users, which means they could effectively blackmail any desktop application company they wanted to into paying them a nice chunk of change. And open-source offerings like Cygwin? Fuggedaboudit!
The only thing that stops a bad guy with a compiler is a good guy with a compiler.
(Score: 2) by emg on Thursday October 23 2014, @03:31PM
Bingo. The last company I trust to tell me what software I should run on my computer is... Microsoft.
OK, maybe second last after Google... it's kind of a toss-up between them.
(Score: 0) by Anonymous Coward on Thursday October 23 2014, @05:29PM
The issue is that if you only allow trusted code, then you will not get haxed as easily because some moron clicked on some email "screensaver".
It means, computers should not trust their users on what to do. Security problems tend to be concentrated between the computer and the chair anyway.
(Score: 2) by monster on Friday October 24 2014, @07:04AM
If the "screensaver" used a Microsoft provided signing service, it doesn't protect at all.
App signing has been around since XP at least and all it means is that it is slightly more difficult to get some malware to run on a system (unsigned would mean a warning, but signing certificates are easy to get if you fork the money), but it also means many false positives (a lot of software isn't signed, specially old programs) and a money grab to the developers, who now have to buy that signing service to not get said warnings.
What Microsoft should do instead is a category-based permission system, like smartphones. So this "screensaver" app requires: Install device drivers, access to system files, read private folders and access to the net? Let the user choose if that is reasonable for a screensaver, or even if she wants to deny some of them. Legacy software would require custom manifest files, but that's not all that different from the current situation with compatibility modes, so it would be doable.
(Score: 2) by urza9814 on Monday October 27 2014, @04:39PM
I can't tell you how much software I've installed that has included an instruction along the lines of 'If you get a security exception saying this program is not signed, tell it to install anyway'
So now they'll just include instructions saying how to disable the whitelist feature, and users will blindly follow along whether they're installing Free Puppy Screesaver 2000 or an Oracle database...
Not that I'm not a bit concerned -- at work we're using Windows XP laptops, and I don't have admin rights to mine (apparently *some people* have admin rights, there doesn't appear to be any logic in place on that.) It's also fairly common for us to pass around software like WinSCP or Notepad++ or portable browsers. Right now that works fine even without admin rights, because these programs don't need to be installed into the system itself. But if they change to only allow running signed apps?
Maybe it'll be a big enough problem that they'll give me a Linux system. I mean I'm doing all my work on *nix servers anyway...well, that's a nice dream at least...
(Score: 2) by frojack on Thursday October 23 2014, @07:10PM
For example, if somebody contacts me and tells me they need access to a system that I control, I'm not just going to take their word on the fact ... Instead, I'm going to ask them some questions that help verify who they are, I may ask that they talk to me in person, and I'm going to check with a colleague who knows such things to determine whether they in fact should have access to the system. That's precisely because I don't trust them.
Really?
You's give them that much time? Are you crazy?
Just. Hang. Up.
No, you are mistaken. I've always had this sig.
(Score: 2) by Thexalon on Tuesday October 28 2014, @04:11PM
Well, just in case they work for my organization, I want to know who's files to delete, like any good BOFH.
The only thing that stops a bad guy with a compiler is a good guy with a compiler.