Windows: Insecure by Design

78 points by CrankyBear 11 months ago

12 comments

cjk2 11 months ago
Even as a well known "windows hater", this is hyperbole. It's not insecure by design really. In fact in principle it's a lot better than anything Unix side due to the ACL and security model. It did however exist before anyone gave a crap about security, was implemented in a vastly insecure language and runtime and grew to a huge size and surface area and *that* is hard to fix retrospectively.

I'll give Linux a stab here: half the stuff I can run can write to my ~/.profile if it wants to. Anything which can read ~ is a problem because there's where all my important shit is...
lisper 11 months ago
The gulf between what the average person knows and what they would need to know in today's world to live an autonomous self-directed life with full agency, free from covert coercion by large corporate entities, is truly staggering. Every now and then I contemplate writing a book or a series of blog posts with all the things that I wish someone would tell me if I were a young person today, but then I read articles like this which remind me of the magnitude of the task and it takes all the self-control I can muster just to avoid curling up in a fetal position and sinking into the pit of despair, let alone actually start writing.
Veserv 11 months ago
Of course, we are on what, 30 years of trying and failing to certify protection against attackers with moderate attack potential [1][2].

Page 53: “The evaluator will conduct penetration testing, based on the identified potential vulnerabilities, to determine that the OS is resistant to attacks performed by an attacker possessing Basic attack potential.”

Maybe at some point we will start believing what they achieve in their certifications rather than what their marketing spews.

[1] https://learn.microsoft.com/en-us/windows/security/security-foundations/certification/windows-platform-common-criteria

[2] https://www.commoncriteriaportal.org/files/ppfiles/PP_OS_V4.2.1.pdf
electrodank 11 months ago
Clickbait titles should be automatically flagged/not even show up on the front page.
throw7 11 months ago
Well, Windows UAC was the last user-facing push for security. It remains to be seen what Satya thinks, especially of the recent security failures on the backend (the Windows client vulnerabilities are a constant and always have been).

The recent "insecurity" pushes are more of getting Microsoft to "catch up" to Google/Facebook in terms of making their users a product they can sell. I'm sure they feel left out as Chromebooks have eaten into their market and supply such nice metrics for advertisers.
quietbritishjim 11 months ago
Dupe: https://news.ycombinator.com/item?id=40819495
AtlasBarfed 11 months ago
It IS a national security concern, one that worsens every year.

The US government should be investing billions in Linux to harden it and make it more usable and appealing.

So should Intel, AMD, Qualcomm, because that keeps their processors compatible with a rapidly patched mainstream OS.

So should the EU.

But... They won't. Surely as long as 90 year old presidents are what we are stuck with.
pastage 11 months ago
Qubes OS is nice, but when people are paid to get things done security is not forgotten but cut by a thousand paper cuts. It might all seem to be based on a secure design somewhere but even in small teams of 50 people you will always find people who have made shortcuts.
batch12 11 months ago
I don't know what the solution is here short of some kind of vulnerability liability legislation...
itsanaccount 11 months ago
I remember a few years back AT&T execs/investors talking about HBO when they bought it, that they didn't care what product HBO made, their goal was to capture more of a person's life interacting with media they owned. Like at the highest levels, leadership viewed their lane to extract profits was the entirety of a person's available free time, against hiking or cooking or transit and entertainment just happened to be the vehicle to do it.

When it comes to Microsoft and others, their active business strategy always seems to be overlapping sectors of power and software just happens to be the vehicle to do it. Recall is just the latest tentacle of the strategy.

If a capitalist company with a specific product focus, within a specific market is a healthy cell, I see this type of company as a cancer and think we should treat it just the same. Starve it or destroy it, and if we can't destroy the company then we can imprison investors for this kind of monopolistic behavior.

Knowing Hacker News likes myopia and not discussing such concepts as power, my ask to you is how many years do we tolerate this same overreaching behavior from the same places? I'm at 25 now for Microsoft specifically.
Genbox 11 months ago
*What's really annoying me today is the security holes Microsoft is adding – by design – into Windows.*

*I mean of course Microsoft Recall. This delightful AI addition to the next generation of Windows PCs would have taken regular snapshots of everything you do on your computer.*

Security and privacy are not the same thing. I get the frustration about Microsoft's security practices, but equating those two is a mistake.
phendrenad2 11 months ago
100% nonsense. Windows itself is as secure as Mac or Linux, and the other points (OneDrive, Recall) are security tradeoffs that make way for features (sort of like how you don't keep your computer in an air-gapped fallout shelter in a file cabinet with a note that says "beware of the leopard". You traded security for convenience, congratulations!)