[HN Gopher] Microsoft no longer signs Windows drivers for Proces...
___________________________________________________________________
Microsoft no longer signs Windows drivers for Process Hacker
Author : XzetaU8
Score : 556 points
Date : 2021-10-24 08:14 UTC (14 hours ago)
(HTM) web link (borncity.com)
(TXT) w3m dump (borncity.com)
| ogurechny wrote:
| Keep in mind this has happened because people agreed that they
| can't (normally) run code not signed by someone else (Microsoft)
| on their own system for "security" reasons. Well, it was not
| security, it actually was a way to keep keys to themselves, and
| hold the user system as a hostage. And it has been explained many
| times by many people.
|
| If you care about software freedoms, even just a tiny bit, you
| wouldn't touch "Microsoft open source", and you wouldn't be happy
| about your friends using any of it, like you wouldn't be happy
| about seeing them with a heroin syringe. That is going to explode
| spectacularly one day.
| 29athrowaway wrote:
| The user wants convenience, and then, under the premise of
| convenience, corporations create systems that give them the
| convenience they want in exchange for their privacy and
| freedom.
|
| Being spied on, having forced updates, a remote kill switch on
| your computer, "telemetry", advertisement, and the best of all:
| your government being bullied and lobbied on with the money you
| paid... it is all worth it because you can run a stupid DirectX
| game at 60 fps instead of 58 fps. Until the forced update
| interrupts your game, that is.
| throwuxiytayq wrote:
| An immensely powerful and useful tool. Can't live without it.
| Hopefully the situation resolves soon.
|
| What is it with MS these past few months? It's like they're
| trying to throw away the little community goodwill they managed
| to build up over the years.
| beermonster wrote:
| > What is it with MS these past few months?
|
| I was thinking the same. It's not been a good few weeks for
| them. They're quickly losing trust which was hard to acquire in
| the first place given their history. Maybe a timely reminder to
| mention Halloween [1] ?
|
| [1] https://en.wikipedia.org/wiki/Halloween_documents
| southerntofu wrote:
| They've always been acting as a strong monopolistic
| corporation with a "fuck you" attitude. Here's a summary of
| Microsoft attitude these past 5 years:
|
| - rebrand as open-source friendly, only open-source whatever
| narrow side-projects they barely care about but could be run
| on other systems (VSCode, Powershell); distribute official
| packages with spyware
|
| - monopolize the education system by offering bribes
| including gratis hardware devices to whoever in State
| education will work with them to pretend Microsoft loves kids
| and kids need computers (with Microsoft software, obviously)
| to learn anything in the 21st century
|
| - force manufacturers to deploy "TPM v2.0" on their new
| machines so they can run Windows 11, continuing the push so
| that people have 0 understanding and control over the
| machines they own (instead are controlled by the machines),
| and don't have a choice of system because "SecureBoot" [0]
|
| - love Linux! let them integrate all your POSIX/Linux APIs in
| a VM on their system, so that you never have to use anything
| else than Windows ever again (embrace...) ; it's just like
| reverse-Wine (execute Windows program on free systems) except
| they have an army of developers with $$$$ and don't have to
| waste time reverse-engineering anything because they have the
| source code to both systems... how convenient!
|
| - viruses are such a huge problem, if only we had some sort
| of digital signatures for software, and trustworthy places to
| get it from?! sure let's have a Microsoft market where you
| can buy adware/spyware signed by Microsoft, with two key
| advantages: 1) it's super faster because signed software is
| not inspected real-time by Windows defender 2) noone else can
| make their own "appstore" repository with their own signature
| keys (like we do with Flatpak/APT/nix/guix) ; very soon they
| can start to hide how to run programs unapproved by Microsoft
| like Android or MacOS [1] have been doing... and it's all for
| security, right? because app-store monopoly has definitely
| stopped malware (oooh that's a nice flashlight app you got
| there Google Play) without harming FLOSS/hobbyist devs (yeah
| sure)
|
| It's just *washing (openwashing here) straight out of
| marketing textbooks. If you know/learn anything about
| capitalism and public relations, you won't be tricked next
| time!
|
| [0] Briefly touched upon in this bigger article about how
| Microsoft is still evil, why Secure Boot has nothing to do
| with security, and why hardware manufacturers happily play
| along: https://www.haiku-os.org/blog/mmu_man/2021-10-04_ok_lenovo_w...
|
| [1] There was even this worrying story at some point that
| MacOS would refuse to open applications (whether signed or
| not) because their centralized server could not be reached:
| https://news.ycombinator.com/item?id=25074959 <-- Soon coming
| to your Windows setup
| rocqua wrote:
| Note that secureboot does have a minor advantage for
| encryption at rest. Making much weaker passwords
| acceptable. I am happy my work laptop has secureboot. And I
| get why they lock down their device for me to use.
|
| For devices I own, I gotta control the secure boot, or I
| simply don't own it.
| southerntofu wrote:
| In theory, yes. In practice, what control do you have
| over the hardware? Can't basically anyone with a few
| million dollars to throw at the problem compromise any
| form of Secure Boot? If you're NSA, no need to go so
| far... they've probably got access to the Microsoft root
| signing key.
|
| If the schematics and code to the TPM were free and there
| were "tamper evidence" mechanisms in place, we could
| argue secure boot had some benefits for security. But in
| its current forms, it's just preventing users from owning
| their devices with little evidence for security for
| determined attackers.
|
| Machines should be simpler and auditable: that's how
| reliable security works. Adding piles of shit on top the
| other piles of shit is just producing more overall shit.
| pas wrote:
| Ah, I don't really care about telemetry, but their amazing
| outlook.com SMTP service rejects mail from small senders,
| and there's no way to successfully appeal.
|
| Yeey, brave new megacorp world!
| huhtenberg wrote:
| Ah, yes: Hello, My name is
| [Kumar/Numan/Punith/Suresh/Sachin] and I work with the
| Outlook.com Sender Support Team. I do not
| see anything offhand for the IP (xx.xx.xx.xx) that would
| be preventing your mail from reaching our customers.
| Good bye and fuck off.
|
| In response to complaining that their servers say -
| 550 5.7.1 Unfortunately, messages from [xx.xx.xx.xx]
| weren't sent. Please contact your Internet
| service provider since part of their network is
| on our block list (S3150).
|
| Completely and utterly ridiculous.
| southerntofu wrote:
| At least you got a response! Most people don't. According
| to some previous blogposts and threads on this topic,
| apparently if you just contact them often enough, they
| will after a few months escalate the problem to the
| competent team and get you unblocked.
| op00to wrote:
| What's the difference between a small sender and a spam
| host?
| pas wrote:
| My old university mailbox got migrated to Microsoft, and
| now people who don't use a professional mail provider
| (gmail, yahoo, etc..) basically can't send to that
| address.
|
| We (small devshop + some hosting + self-hosted email)
| hosted a few things for a foundation for years, and about
| two years ago they migrated the mail stuff to MS. (We
| continue to host a few sites, domains, DNS.) Now when
| they need something and send us an email we can't reply,
| because our IP is "listed".
|
| Okay, I know spam can be bad, and fine-tuning spam
| filters is a PITA, so let's go through the delisting
| process, surely with enough perseverance eventually MS
| will tolerate us into their graces.
|
| Well, it has been more than a year now, and still no
| luck.
|
| ---
|
| We have completed reviewing the IP(s) you submitted. The
| following table contains the results of our
| investigation.
|
| Not qualified for mitigation x.x.x.x Our investigation
| has determined that the above IP(s) do not qualify for
| mitigation.
|
| ...
|
| ¯\_(ツ)_/¯
| roblabla wrote:
| What's similar between them? A spam host will likely be
| high volume of similar-looking email sent to users who
| will never reply and most probably trash/spam-categorize
| the email. A small, single-user sender will likely be
| *very* low volume of fairly different-looking email sent
| to users who will likely answer and otherwise interact
| with the mail. They have literally nothing in common.
|
| Before I moved to fastmail, my email was consistently
| getting nullrouted by microsoft. Everything was setup
| correctly (SPF, DKIM, DMARC, ARC, etc...), and every
| other mail host I tried would receive my mail correctly.
| I send out a very low amount of email (3-4 per month?).
| southerntofu wrote:
| The difference is decided by decent spam filters:
|
| - is the exact same message being sent to many users?
|
| - does it look like previous spam?
|
| - are messages from this host being reported as spam by
| users?
|
| We have plenty of techniques to filter out spam (those
| above and technical ones like DKIM to enable host
| reputation systems) and they mostly work great. What
| Google/Microsoft are doing is just monopolistic attitude
| and has _nothing_ to do with spam filtering. Spam from
| big email servers is still common, but legit emails from
| smaller servers will _not_ reach intended recipients, and
| will _not_ produce any indication of that on either side
| of the communication. It's just _silently_ going in the
| trash.
|
| If there was at least a decent way to get allowlisted on
| their side, we _could_ give them the benefit of the doubt
| and accept that email ecosystem has turned to an opt-in
| federation model. But the way they do it and prevent
| recourse is a clear abuse of dominant position to crush
| the competition.
| Lex-2008 wrote:
| do you mean you never received spam from @gmail.com?
| Lucky you!
| majkinetor wrote:
| LOL @ "narrow side-projects" such as VSCode and Powershell?
| southerntofu wrote:
| Yup, we're still far from having open source Windows,
| Active Directory, SQL Server, Teams, Github, Office... or
| any "central" product essential to their business offers.
| JeremyNT wrote:
| Are they losing trust though? Many young developers don't
| remember the height of the EEE days in the 90s and 00s when
| MS was trying very hard to extinguish free software. These
| are just stories to them.
|
| Now, MS runs the world's largest source code sharing service
| and many of these young developers launch proprietary MS code
| editing tools daily.
|
| We old timers always knew what the end game was, but young
| people lack the context and so many are already hooked on MS
| now. It's not obvious to me that they will ever care enough
| to switch no matter how hostile MS behaves.
| flatiron wrote:
| I remember. It's also hard to turn down WSL and VSC. They
| are wonderful products and I'm fairly certain I'm sadly
| contributing to all this nonsense but I also need to get my
| day job done and pay the bills. One day large corporations
| I hope will allow Linux. But at least mine it's windows or
| macOS and apple is far behind the wsl/vsc curve right now
| and apparently doesn't have any motivation to catch up.
| They rely on "you have to use Xcode" right now which is
| unfortunate.
| Shared404 wrote:
| > young people lack the context and so many are already
| hooked on MS now. It's not obvious to me that they will
| ever care enough to switch no matter how hostile MS
| behaves.
|
| Not all of us. I had just barely started being willing to
| trust Microsoft again, and they've repeatedly shown
| themselves to be hostile since the initial "Github is cool!
| And WSL! And VSCode!", enough is enough.
|
| I've read the Halloween documents, I know where this goes.
| dpbriggs wrote:
| Young free software advocates exist - I'm one. I know about
| EEE and agree we're in a sorry state.
|
| I have a feeling MS will continue to dominate due to
| network effects and vscode/wsl being a nice enough
| experience. It'll take them resting on their laurels or
| some great act of user hostility to change this status quo.
| dTal wrote:
| Quite a lot of community goodwill, unfairly granted. I've lost
| count of how many times I've read on this very forum, "calling
| it Micro$oft is childish, they're a changed company, Nadella is
| better than Ballmer, etc".
|
| They are as hostile to free software as they ever were. Why
| wouldn't they be? It's antithetical to their business model.
| The only thing that's changed is how sneaky they are about
| their time-honored tactic - embrace, extend, extinguish.
| fyzix wrote:
| Microsoft took the same approach as Bill Gates. Gates'
| ruthlessness made the public hate him (remember the
| milkshaking?). He took public relations seriously and put on
| the nice guy public facing image while still being as devious
| and wretched as he was back then. The Microsoft leaders saw
| how well this worked for him and used the same tactic.
| maccolgan wrote:
| EEE isn't obsolete, very far from obsolete in fact, they are
| just playing it (very) long.
| tata71 wrote:
| Shareholders are getting anxious.
| fortran77 wrote:
| I don't think so.
|
| https://ycharts.com/companies/MSFT/price
| Gargyle wrote:
| Where did they actually do nice things?
|
| VSCode is still not entirely open source and the official
| builds have spyware included.
| Oddskar wrote:
| It's honestly weird to see "Telemetry" labeled as "Spyware"
| by a technical people that, quite frankly, should know
| better.
|
| Spyware is NOT the same as gathering Telemetry data.
|
| You can also just _turn off_ Telemetry in VSCode in the
| settings.
|
| I think a _vast_ majority of people on HN gather data on
| customer usage of the products that they build. Because it
| ultimately makes us able to tailor the products better for
| our customers. It's just ignorant to put this in the same
| category as applications that slurp up as much data as they
| can for e.g. ad-profiles or to sell that data off to the
| highest bidder.
| TeMPOraL wrote:
| > _It's honestly weird to see "Telemetry" labeled as
| "Spyware" by a technical people that, quite frankly, should
| know better._
|
| It's precisely because it's technical people who know
| better that you see "telemetry" labeled as "spyware",
| _which it is_ , and it's how we called it back in the
| 1990s/2000s.
|
| The only reason people these days call spyware "telemetry",
| is because it got normalized by large companies, and is now
| defended by devs who figure it's better to ship spyware to
| people than to give a damn and talk with users.
| ziml77 wrote:
| My issue with telemetry is it increases the chances of data
| leakage. I don't care if Microsoft gets data on what
| commands I'm selecting from the menus. What I do care about
| is that they record any free-form entries. Let's say they
| want to know everything I type in the command palette so
| they can figure out if they should add aliases for certain
| actions. That doesn't sound too bad until you consider the
| case where you tried to paste in what you were looking for,
| but forgot that you had something very personal in the
| clipboard. Once that happens, you just have to hope that
| the first person to see it is a good enough person to wipe
| all traces of that info out.
| e0a74c wrote:
| > You can also just turn off Telemetry in VSCode in the
| settings.
|
| Such a feature should be disabled by default.
| kuschkufan wrote:
| What did you expect? Microsoft labeling their data
| collection actions as "spyware" themselves? "Spyware" is a
| term used by people who oppose data collection, they didn't
| ask for. "Telemetry" is an euphemism by the ones that build
| this data collection into their apps.
| Oddskar wrote:
| I expect professionals to be able to distinguish between
| the two instead of being suckered into some sort of
| hive-mind thinking of "all data gathering bad hurr durr".
|
| I'm absolutely all for privacy and limiting unnecessary
| gathering of data. But there's nuances to this discussion
| and labeling everything that has any amount of telemetry
| as "Spyware" does not do anyone any good.
| craftinator wrote:
| https://github.com/dotnet/sdk/issues/6145
|
| My favorite part is when someone figures out "telemetry"
| includes the MAC address, and the dev team just goes
| completely silent.
| hulitu wrote:
| The MAC address is very important for developers. It
| tells them which GUI elements are accessed, what error
| messages are common and what features of the program are
| accessed.
| hulitu wrote:
| Collecting data to "improve" programs and then not doing
| any improvement really look like spyware.
| anonymousab wrote:
| > some sort of hive-mind thinking of "all data gathering
| bad hurr durr"
|
| Maybe it's not "hurr durr" and people have a legitimate
| reason to hold that opinion. To those people, any
| distinction between spyware and "good" telemetry is
| merely academic and effectively irrelevant.
| indymike wrote:
| > Spyware is NOT the same as gathering Telemetry data.
|
| Telemetry and spyware differ only in the way collected data
| is used.
| cromka wrote:
| > Telemetry and spyware differ only in the way collected
| data is used.
|
| No, they first and foremost differ in the _kind_ of data
| is collected. _Spying_ is not _spying_ if you anonymously
| collect information about how frequently a feature
| /future/option is used only.
| CamperBob2 wrote:
| Would it be OK if the NSA required it? No? Well, it's not
| OK for your OS vendor to require it, either.
|
| And the illusion that it will always be possible to
| disable telemetry is just that, an illusion.
| ptx wrote:
| What if you repeatedly fail to anonymize the information
| and also collect user-entered data like command line
| arguments?
|
| https://github.com/dotnet/sdk/issues/6145
| cromka wrote:
| Well, you make my point. What you linked to is definitely
| _not_ telemetry.
| sangnoir wrote:
| I disagree - they are correct because once collected, the
| data is fed into a blackbox, and a user has no way of
| knowing if the data collected is - by your definition -
| spyware or telemetry. The best way to treat this
| Schrodinger's telemetry, is to assume it's spyware.
| Oddskar wrote:
| I would say the intent very much dictates the _what_ and
| _how_ of Telemetry as well. There's a huge difference
| between gathering data on feature usage of VSC vs e.g.
| slurping up the code from its users.
|
| A lot of software lets you opt-out from Telemetry
| gathering when you install it. I would not think Spyware
| would do this.
|
| And I feel like saying it's "_only_ in the way collected
| data is used" really makes a small thing out of
| something that is very important. There's a very big
| difference in doing something maliciously and doing it to
| genuinely try to make your software better!
| michaelmrose wrote:
| Actually there are of course different levels of bad like
| in any other area of human endeavor. Many criminals who
| would happily break your car window to steal your laptop
| wouldn't kill you to sell your Kidneys.
|
| Lots of spyware that wants to remain on one side of a
| less dramatic divide simply provides "options" for
| example in the installer that are opt in and vaguely
| defined that no sane individual fully understanding his
| options would opt for.
|
| Such software isn't usually cryptolocking your family
| pictures instead its frequently grossly violating your
| privacy and selling your time and attention to third
| parties who in turn may opt to use this bought and paid
| for back door into your computer to waste your time or
| cryptolock your family pictures.
|
| Here's a clue. If you have to make a feature opt out
| because nobody on earth would opt in given time and
| expertise sufficient to understand your offer then you
| are victimizing your user. I cannot think of a case where
| any data collection being anything other than opt in
| would be acceptable.
| pid-1 wrote:
| From my POV (user), how do I know if my data is being
| aggregated correctly and not being sold?
|
| As a developer, how do you know the data you're collecting
| now won't be used maliciously in the future by your org?
| lordofgibbons wrote:
| Thank you for saying this. For those who don't know about the
| open-source release of VSCode, check out
| https://vscodium.com/
| canada_dry wrote:
| Sadly, MS has locked-out the extremely useful and popular
| PlatformIO from being available in vscodium.
| alias_neo wrote:
| I use VSCodium every day, and recommend it over VSCode to
| everyone, however, due to microsoft's locked down plugins,
| particularly the ones related to remote development and
| debug, there are certain things which can be done with
| VSCode and not VSCodium.
|
| It's worth bearing in mind for those considering switching.
| rzzzt wrote:
| SSH FS, a third-party extension seems to work well with
| VSCodium: https://github.com/SchoofsKelvin/vscode-sshfs
| pedro2 wrote:
| They mean Microsoft's plugins -- they just work with
| VSCode on purpose.
| rzzzt wrote:
| This one is an alternative to the remote development
| tooling which doesn't work on VSCodium. It is certainly
| not a full replacement, but you get to poke around the
| files on the remote system and run commands over SSH.
| pmontra wrote:
| Trusting a company with the history of Microsoft (and its size)
| is at least naive. Not one of the mistakes I did in my life.
| forgotmypw17 wrote:
| The motivation seems pretty obvious to me: They want to obscure
| as much as possible what's going on inside OS.
| e0a74c wrote:
| What goodwill?
| [deleted]
| beebmam wrote:
| Didn't Process Explorer start as a third party tool which
| Microsoft acquired?
| [deleted]
| TonyTrapp wrote:
| If you follow the ProcessExplorer link it becomes clear that
| there's a typo, they are talking about TaskExplorer, an open-
| source clone of ProcessExplorer.
| [deleted]
| [deleted]
| zahllos wrote:
| The article mentions Process Explorer. Since Sysinternals were
| bought by Microsoft many years ago and the tools are distributed
| directly via Microsoft, such tools are unlikely to have an issue
| being signed.
|
| A brief history of the process for those not following it.
| Originally for kernel-mode drivers, you needed a code signing
| certificate _cross signed by Microsoft's root_. This means that
| the certificate follows a chain up to a standard CA _and also_
| one Microsoft use to approve that CA to issue kernel-mode
| certificates. It was not sufficient to have a certificate capable
| of signing code, even with MS' OIDs for that.
|
| Then, around Windows 10 I think, Microsoft announced that one
| would need to acquire an EV certificate. You would then be
| required to submit the driver package via sysdev.microsoft.com
| and after spending time in Ballmer's Brewery, it would come out
| signed by Microsoft.
|
| It was technically possible to use the old mechanism at this
| stage too, provided the end user did not have UEFI secure boot
| enabled. If secure boot were enabled, the kernel would: a) if the
| driver was signed pre-Win10, accept it, b) if it was signed post
| win-10 RTM date and by Microsoft, accept otherwise reject.
|
| Thus the only mechanism to realistically get your driver working
| on all Windows out of the box is to submit via sysdev. You can't
| realistically ask users to disable secure boot, even if this is
| entirely possible on all x86 motherboards.
|
| Finally, the cross signed roots expire soon and I think some
| already have. Microsoft have decided that this mechanism will now
| be retired, and all drivers must be signed via sysdev from now
| on. You still require an EV certificate as well, to sign the
| package.
|
| This is a bit of a mixed bag. On the one hand, Microsoft have
| repeatedly signed the shim maintained by redhat in order to allow
| Linux distributions to boot directly on secure boot-enabled
| hardware (UEFI binaries also go through this process and always
| have). Microsoft have their keys in the default keychain because
| they bothered to be involved in the process, unlike linux
| companies like Redhat. So on the one hand, they're being quite
| friendly to open source.
|
| On the other hand, the push to EV certs rules out individual
| developers like myself[1]. I could register a company but... that
| entails effort and expense for a hobby project. And now hobbyist
| projects like this run the risk of being rejected by MS.
|
| I mostly believe this is an attempt to reduce the number of code
| signing cert leaks that result in people writing malware, and
| lock down the Windows kernel a bit more, but still. It is a
| shame.
|
| [1] This is because most CAs won't issue EV certificates to
| individuals, even if those individuals happen to have detailed
| knowledge of cryptography and all the pkcs.
| lotsofpulp wrote:
| Thanks for the background and info!
| hvdijk wrote:
| > Microsoft have their keys in the default keychain because
| they bothered to be involved in the process, unlike linux
| companies like Redhat.
|
| The status quo was that systems could boot any operating system
| the user wanted. Microsoft tried to force OEMs to lock
| operating systems other than those on a very short list (they
| tried to force Secure Boot to be enabled with no way for users
| to turn it off, and you can confirm this by checking out
| earlier versions of the UEFI spec), knowing very well that that
| list would always include Windows for pretty much every
| computer out there, but you try to spin this as it somehow
| being every other vendor's fault for not getting in on that
| list with each and every manufacturer?
| zahllos wrote:
| There are two sides to this coin. Firstly there's the
| hardware vendors who make firmware, who decided to
| incorporate UEFI presumably because intel pushed it hard
| (original efi booted itanium and is also found in older
| Macs).
|
| But it was certainly possible for a Linux vendor to have got
| a key into the KEK and db lists:
| https://mjg59.dreamwidth.org/12368.html
|
| That's from Matthew Garrett, who along with Peter Jones, were
| responsible for the first shim.
|
| A central authority like the Linux foundation could have
| stepped up here and could have since, actually. I understand
| why fedora/redhat preferred not to be in a privileged
| position but I can't help but feel someone ought to have
| stepped up.
|
| The other side of the coin is the windows logo program, that
| requires secure boot be turned on by default. For x86 I'm
| fairly sure it also requires that the user can take control
| of the platform key and therefore evict Microsoft keys from
| the firmware. It also requires that secure boot should be
| disabled. I'm fairly sure Microsoft did this because they
| realised there would be objections otherwise
|
| Microsoft's ARM hardware _is_ locked down with no such
| options and I object to that wholeheartedly. But then I also
| don't buy Apple kit for daily driver use for the same reason.
| Also luckily Microsoft are currently irrelevant in the arm
| space, although that might change with the serverready
| profiles.
|
| I am sure the process was onerous, but someone could have
| done it. Linux is big business in the server hardware space
| and intel for example contributed the thunderbolt code to the
| kernel. I am fairly sure they could between them organise a
| foundation and throw a few 100ks per year at maintaining a
| signing key for other distros independently to Microsoft.
|
| I don't believe any entirely locked down firmware ever made
| it into any x86 board.
| my123 wrote:
| > Microsoft's ARM hardware _is_ locked down with no such
| options
|
| That was for 32-bit Windows on Arm hardware. 64-bit Windows
| on Arm laptops/tablets have unlockable Secure Boot, with a
| regular SETUP interface and all.
| zahllos wrote:
| That's really good news and I'm glad they decided to do
| that.
| cptskippy wrote:
| > This is because most CAs won't issue EV certificates to
| individuals, even if those individuals happen to have detailed
| knowledge of cryptography and all the pkcs.
|
| Honestly the majority of Orgs don't have these chops. There's
| really no good way to proof anyone.
|
| I think the rationale for Orgs is just that they have more to
| lose.
| urthor wrote:
| Very informative.
|
| And presumably on OSX none of this applies because it's all BSD
| underneath? Or is OSX different again to just running BSD out
| of the box?
| my123 wrote:
| On macOS, you have those options:
|
| - SIP off (totally, or just driver signature enforcement)
|
| - kernel driver (deprecated, Apple doesn't issue new certs
| anymore it seems)
|
| - system extension (user-mode driver, explicitly intended for
| device compatibility)
| jabedude wrote:
| > Apple doesn't issue new certs anymore it seems
|
| This is not true. kexts are still signed by apple after
| being submitted and vetted.
| heavyset_go wrote:
| Apple deprecated KEXTs[1], but still signs some .kexts
| they've chosen to grandfather in like macFUSE.
|
| [1] https://developer.apple.com/support/kernel-extensions/
| JonathonW wrote:
| Kexts are not deprecated in general-- only kexts that use
| deprecated KPIs are deprecated. (The page you link is the
| list of deprecated KPIs.)
|
| The net effect of this: if something can be done using a
| System Extension rather than a kernel extension, you'll
| get deprecation warnings if you try to do it with a
| kernel extension. Kernel extension points that have not
| been replaced yet are still valid, will still be signed
| if used, and will still run on current versions of macOS.
| [deleted]
| grishka wrote:
| And as far as I understand, disabling AMFI disables code
| signing support and enforcement completely.
| my123 wrote:
| Disabling AMFI is a whole other level of a hammer, that I
| do not recommend at all on a system that you might
| actively use.
| bpye wrote:
| So whilst three is different, aren't the analogues on
| Windows for 1) and 2):
|
| 1) Test signing - do what you want
|
| 2) Kernel driver - still possible, needs EV cert?
| my123 wrote:
| 1) on Windows entails a significant security downgrade,
| as you cannot just pick custom kernel extension only,
| with validation by the user. That might however not be
| important, depending on your threat model.
|
| For 2), it's borderline impossible to get a driver
| signing cert for macOS nowadays for individuals, it's
| easier on Windows.
| ogurechny wrote:
| qBittorrent developers just said fuck it three years ago, and
| let the world burn with unsigned installer. I suggest everyone
| to join the civil disobedience. If you don't, you'll soon find
| out you can't run your programs.
| zahllos wrote:
| User mode code is a different scenario. There are three
| possibilities:
|
| - unsigned code pops up with a big warning 'your pc will
| explode' or something like that when you try to run it.
|
| - signed code does not need a cross signed certificate. Any CA
| can include the code signing oids and voila. This displays as
| yellow but the CN is extracted as the publisher name.
|
| - Finally EV certificates give you 'instant reputation' i.e. no
| orange warning. The difference is entirely audit related and
| the OIDs you may include. The crypto is identical to normal
| certs.
|
| This I'm fine with. I understand Microsoft wanting to protect
| their kernel and the user experience and I'm on board with
| that but I like the fact that windows has traditionally been
| a very open system. It is a real shame it is heading the
| other way.
|
| I haven't developed windows drivers for years though, or used
| windows as my daily machine for years either (it was Linux at
| home, windows at work, now Linux for both).
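The three user-mode tiers described in the post above can be read straight off a binary's Authenticode signature. The function below is an added example, not code from the thread or from any project it mentions: it classifies a file as unsigned, signed with a certificate carrying the Code Signing EKU (1.3.6.1.5.5.7.3.3), or signed under the CA/Browser Forum EV code signing policy (2.23.140.1.3), and pulls the subject CN that Windows shows as the publisher. The EV check matches the OID in the formatted certificate-policies extension, which is a heuristic that relies on Windows' extension formatter; the sample paths are assumptions.

```powershell
# Added example, not code from the thread: classify a user-mode binary into the
# three tiers described above (unsigned / signed / EV-signed) using only the
# signature and its leaf certificate. Works in Windows PowerShell 5.1 and PowerShell 7.
function Get-SigningTier {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result = [ordered]@{
        Path      = $Path
        Status    = $sig.Status          # Valid, NotSigned, NotTrusted, HashMismatch, ...
        Tier      = 'unsigned'
        Publisher = $null
        Notes     = $null
    }
    if ($sig.Status -eq 'NotSigned' -or -not $sig.SignerCertificate) {
        return [pscustomobject]$result
    }

    $cert = $sig.SignerCertificate

    # Tier 2: the leaf must carry the Code Signing EKU, id-kp-codeSigning (1.3.6.1.5.5.7.3.3).
    $ekuExt = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekus = @($ekuExt | ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value })
    $hasCodeSigning = $ekus -contains '1.3.6.1.5.5.7.3.3'

    # Tier 3: EV is not a different kind of key. It is a certificate policy, the CA/B Forum
    # EV code signing OID 2.23.140.1.3, carried in the certificatePolicies extension (2.5.29.32).
    # Heuristic: match the OID in the text Windows' formatter produces for that extension.
    $policyExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.32' }
    $isEv = [bool]($policyExt | Where-Object { $_.Format($true) -match '2\.23\.140\.1\.3' })

    # The publisher the user sees is the subject CN of the leaf certificate.
    $result.Publisher = $cert.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)

    $result.Tier = if (-not $hasCodeSigning) { 'signed, but not with a code-signing cert' }
                   elseif ($isEv)            { 'signed (EV)' }
                   else                      { 'signed (standard)' }

    if ($sig.Status -ne 'Valid') {
        # A signature can be present and still fail: untrusted root, tampered file, revoked cert.
        $result.Notes = "signature present but does not validate: $($sig.StatusMessage)"
    }
    [pscustomobject]$result
}

# Usage (paths are assumptions): one Windows binary, then everything in a download folder.
Get-SigningTier -Path "$env:SystemRoot\System32\notepad.exe"
Get-ChildItem "$env:USERPROFILE\Downloads\*.exe" |
    ForEach-Object { Get-SigningTier -Path $_.FullName }
```

What this does not tell you is which warning the user will actually get: the yellow/orange prompt the post refers to is SmartScreen's reputation decision, which takes the signer into account but is not derivable from the certificate alone. A `Status` of `Valid` only means the chain builds to a trusted root and the file hash matches.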
| guilhas wrote:
| Seriously, I don't understand Firefox, Microsoft, Google...
| always alienating the community to reimplement something that already
| exists, works well, and they rarely do better....
| happynacho wrote:
| It's simple. Money.
| 2OEH8eoCRo0 wrote:
| I had a highschool history teacher who said that money/power
| is the answer to everything. If you don't know the answer,
| just say money; it's usually right.
| stavros wrote:
| Is there no way to run unsigned software on windows?
| cheschire wrote:
| I believe you can self sign.
|
| http://woshub.com/how-to-sign-an-unsigned-driver-for-windows...
| the_only_law wrote:
| For drivers, I don't think so. You can enable some boot
| settings that allow you to run unsigned drivers, for
| development purposes, but it will revert upon reboot, without
| any way to enable it permanently.
| XenophileJKO wrote:
| Actually you can turn off enforcement if you want to.
| Requires a reboot and going into safe mode if I remember
| correctly. I have done it before when loading hacked drivers
| for old hardware, etc.
| userbinator wrote:
| The last I checked there's a patch that will make it
| permanent, but of course the patcher itself is labeled as
| "malware" by plenty of AVs, possibly even Windows Defender
| itself.
|
| Also, updates will probably revert the changes too.
| ebanana wrote:
| you would have to automate that somehow if it becomes an
| issue
| heavyset_go wrote:
| All Microsoft has to do to stop that from being a problem
| is to tell Defender to block that automation from running
| on Windows, for example, by refusing to run anything signed
| with the automation developer's certificates.
| stavros wrote:
| Oh wow, the refusal is devastating then...
| dataflow wrote:
| There is: test signing. Painful for non-savvy users, but not
| impossible.
| smileybarry wrote:
| It's one command and you're forever in test mode[1], i.e.
| don't enforce driver signatures:
|
| bcdedit /set testsigning on
|
| You just have to disable Secure Boot in UEFI first. (And I
| can confirm Windows 11 doesn't actually require Secure Boot
| to boot, I've had it off for months as part of win11
| certification testing.)
|
| I'm not sure but DRM might revert to lower levels (e.g.:
| 720p), but that also happens on macOS when you disable SIP
| IIRC.
|
| 1: https://docs.microsoft.com/en-us/windows-
| hardware/drivers/in...
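The post above gives the command and the Secure Boot prerequisite. The script below is an added example, not code from the thread, that checks both preconditions from an elevated prompt before touching the boot configuration, because with Secure Boot enabled bcdedit refuses the change ("The value is protected by Secure Boot policy and cannot be modified or deleted") rather than silently doing nothing. It assumes English bcdedit output when it looks for the `testsigning Yes` line.

```powershell
# Added example, not code from the thread: check Secure Boot and the current
# testsigning element before enabling test mode. Run from an elevated PowerShell.
function Get-DriverSigningState {
    # Confirm-SecureBootUEFI throws on legacy-BIOS machines and when not elevated;
    # $null then means "unknown" rather than "off".
    $secureBoot = $null
    try { $secureBoot = Confirm-SecureBootUEFI } catch { }

    # bcdedit prints a "testsigning  Yes" line only when the element is set.
    # Assumption: English UI; the Yes/No value is localized on other languages.
    $bcd = bcdedit /enum '{current}' | Out-String
    [pscustomobject]@{
        SecureBoot  = $secureBoot                                   # $true, $false or $null
        TestSigning = [bool]($bcd -match '(?m)^testsigning\s+Yes')
    }
}

$state = Get-DriverSigningState
$state

if ($state.SecureBoot -eq $true) {
    # The boot manager enforces this element under Secure Boot, so bcdedit rejects the edit.
    Write-Warning 'Secure Boot is on: disable it in firmware setup first, then re-run.'
} elseif ($state.TestSigning) {
    Write-Host 'Already in test mode.'
} else {
    bcdedit /set '{current}' testsigning on
    Write-Host 'Reboot to enter Test Mode (desktop watermark). Anti-cheat and DRM that rely on signature enforcement will refuse to run.'
}

# To leave test mode again (takes effect on the next boot):
#   bcdedit /set '{current}' testsigning off
```

Note that test mode loosens enforcement for every driver, not just the one you want to load, so on a machine you actually use it is worth pairing with the reversal command above once the driver is in place.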
| Gigachad wrote:
| One thing to note is that game anti cheats will just lock
| you out if you are in this mode.
|
| It's the reason that game cheat makers look for exploits in
| random drivers to load their cheat in kernel space.
| smileybarry wrote:
| True, I forgot about that detail. Basically anything that
| relies on driver signing enforcement for security/privacy
| -- DRM, anti-cheats, specific proprietary algorithms --
| will deactivate when test mode is enabled, whether one-
| time via the bootloader or set via bcdedit.
| melvyn2 wrote:
| https://github.com/Mattiwatti/EfiGuard
| 2OEH8eoCRo0 wrote:
| Smells like a lawsuit.
| jmclnx wrote:
| Yes, and seems they are based in Germany, so I would think with
| the EU laws, they have a very good chance of winning.
|
| If based in the US, they would be SOL.
| sli wrote:
| I hope the folks who claimed up and down that Microsoft was
| different and better these days, and ridiculed people who didn't
| believe it, are paying close attention to this.
|
| Reminder that they own Github as well as what is likely the
| single most widely used code editor.
| chris_wot wrote:
| ReactOS is looking better and better.
| eps wrote:
| In related news - ever wondered why Windows 11 can't be installed
| on "older computers"?
|
| You know, the ones that don't have a TPM chip?
|
| Now you know. Windows 11 completes the lock-up of the OS.
|
| That's why Windows 11 exists in the first place. All other
| changes are secondary. Microsoft knows they would've not been
| able to pull shit like this as a Windows 10 update, so they were
| effectively forced to do a version increase. Against older
| promises of W10 being the last Windows version ever.
|
| Welcome to the future that Microsoft always wanted, but couldn't
| have - a platform with airtight control. Just like what Apple has
| with its AppStore and its wonderful, _wonderful_ 30% commission.
| Almost there and the lemmings didn't even notice it, distracted
| by the new and friendly Microsoft front, free upgrades to Windows
| 10 and centered Start menu in Windows 11.
|
| Mark my words - Windows 12 will severely impede direct
| installation even of an user-space software, funnelling everyone
| to go through the store. That's the end goal and we will all be
| there in a couple of years, whether we want it or not.
| robertlagrant wrote:
| > In related news - ever wondered why Windows 11 can't be
| installed on "older computers"?
|
| Except of course some older Surface line hardware, because why
| even be subtle?
| passivate wrote:
| >Mark my words - Windows 12 will severely impede direct
| installation even of an user-space software, funnelling
| everyone to go through the store. That's the end goal and we
| will all be there in a couple of years, whether we want it or
| not.
|
| People have been saying that forever. At our company we rely on
| windows backwards compat to run older commercial software which
| has saved tens of thousands of dollars for us. It seems to me
| like people are not exposed to a large swath of the computing
| landscape that uses industry specific commercial software that
| isn't going anywhere.
|
| Also who are the "lemmings" in your analogy? Hopefully you're
| not referring to normal people who make rational decisions
| based on their needs.
| 29athrowaway wrote:
| Microsoft fanboys will finally get the maximum security digital
| prison they asked for, built with their own money.
|
| We tried to tell you, but you were too busy playing your dumb
| DirectX games. It's not that those same games could not have
| been developed for Linux, though.
|
| Let's see how long you tolerate having to kiss Satya Nadella's
| ring every day now that you have forced choices.
| schmorptron wrote:
| Does a TPM chip actually bring any relevant security advantages
| for end users, or is it just for DRM?
| technion wrote:
| There's a practical benefit that it leads to seamless
| Bitlocker deployment without making users manage keys or do
| things that would lead them to prefer to not have Bitlocker.
|
| That definitely counts for a lot. It's just a shame that they
| can't let that stand on its own with their current marketing.
| e2le wrote:
| Measured boot and secure storage of keys. It's not all bad.
| schmorptron wrote:
| That's good to hear then! So will most computers having a
| TPM chip lead to easier integration of secure boot with
| i.e. linux distros as well?
| e12e wrote:
| As long as most computers ship in a manner where the
| owner can adjust the keys in TPM/SecureBoot - you could
| argue its a good thing.
|
| Eg, like: https://ubuntu.com/blog/how-to-sign-things-for-secure-boot
| rightbyte wrote:
| I had to disable secure boot to get Nvidia's drivers to
| work. So I guess the end result might be more hardware
| trouble for distros, with a subsystem that tries to
| prevent usage of the computer when it is not happy.
| vetinari wrote:
| You can also enroll your MOK (Machine-Owner-Key) to UEFI
| and then sign the nvidia driver with it.
|
| That way, you can leave Secure Boot enabled. However,
| leaving the secret part of the MOK on the machine and letting
| dkms or whatever updater of kernel modules use it
| unattended kind of defeats the purpose.
| ziml77 wrote:
| Is the NVIDIA driver already signed? If it is, couldn't
| you create a certificate signed with the root key that
| says that the NVIDIA key is trusted?
| vetinari wrote:
| No, last time I used it, it was an object file and source
| for a shim. You had to build the shim for your specific
| kernel and link it together with the supplied object file.
| The result is a kernel module, that is unsigned because it
| is you who built it.
| FDSGSG wrote:
| Huge benefits.
| slaymaker1907 wrote:
| It brings enormous security benefits to end users. TPMs
| drastically reduce entropy/complexity requirements for things
| like passwords/pins since the TPM can rate limit guess
| attempts. Doing that without a TPM is impossible since an
| attacker can always read the encrypted password off of the
| drive/directly from memory and then brute force it.
| frankzander wrote:
| and who among average users needs that? I'm not an
| average user but I never need that. I also know no one who
| can't wait to get it or even thinks about wanting it. I only
| read in blogs or HN that one would need it. I think "you
| need that because of security" is PR/propaganda from
| certain companies.
| kevingadd wrote:
| As someone with executive function and memory issues,
| being able to use short pins/passwords to access my
| secured hardware is incredibly useful.
| Wowfunhappy wrote:
| I think that's a wonderful use case for a TPM, but I
| don't think it means all users should be forced to buy a
| TPM in order to get security patches past 2025.
|
| (I realize this is a slightly different goalpost, but I'm
| not GP.)
| concordDance wrote:
| What threat model do you have that has people breaking in
| using a short password?
| nly wrote:
| A dictionary/cracklib check, password length requirements
| and good password hashing go a long way to protecting users
| as well.
| DeathArrow wrote:
| HDD content can be encrypted without storing the password
| anywhere, without a TPM. If the encryption algorithm is
| decent, good luck waiting billions of years to bruteforce,
| even with the next gen hardware.
| slaymaker1907 wrote:
| What secret do you use to encrypt the hard drive? That
| itself ends up being a password/key file that needs to
| get stored somewhere whether it is someone's brain or a
| more secure storage location. I guarantee you that
| whatever password average users pick will not take
| billions of years to brute force, more like an hour tops.
|
| I don't think it should have been required for Windows
| 11, but TPMs are a useful tool for mitigating brute force
| attacks.
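The two slaymaker1907 comments above (the rate-limiting point and the "what secret do you use" reply) make a claim that is easy to demonstrate. The script below is an added example, not code from the thread: it derives a key from a 4-digit PIN with PBKDF2 and then recovers the PIN offline by walking the whole space, which is exactly what an attacker with the disk image or a memory dump can do when no hardware sits in the loop. The PIN, salt and KDF cost are constructed for the demo (the cost is set low so it finishes in seconds; raising it only slows the attack linearly), and the lockout policy at the end is an assumption for illustration, not a TPM default.

```powershell
# Added example, not code from the thread: offline brute force of a key derived
# from a short PIN, to show why a PIN only holds up when something like a TPM
# enforces a guess limit the attacker cannot bypass.
function Get-PinKey {
    param([string]$Pin, [byte[]]$Salt, [int]$Iterations)
    # PBKDF2-HMAC-SHA1 via the constructor that exists on every .NET version
    $kdf = New-Object System.Security.Cryptography.Rfc2898DeriveBytes($Pin, $Salt, $Iterations)
    try { [Convert]::ToBase64String($kdf.GetBytes(32)) } finally { $kdf.Dispose() }
}

$iterations = 1000               # assumption for the demo; real deployments use far more
$salt       = [byte[]](1..16)    # constructed; a real salt is stored next to the ciphertext
$victimPin  = '7394'             # constructed

# What the attacker holds after reading the drive or memory: the salt plus a way to
# recognise a correct guess (here the derived key itself stands in for that check).
$stored = Get-PinKey -Pin $victimPin -Salt $salt -Iterations $iterations

# No rate limiter, so every PIN can simply be tried in turn.
$sw = [System.Diagnostics.Stopwatch]::StartNew()
$tried = 0
$found = $null
foreach ($n in 0..9999) {
    $tried++
    $guess = '{0:D4}' -f $n
    if ((Get-PinKey -Pin $guess -Salt $salt -Iterations $iterations) -eq $stored) {
        $found = $guess
        break
    }
}
$sw.Stop()
"Recovered PIN $found after $tried guesses in $([math]::Round($sw.Elapsed.TotalSeconds, 1)) s"

# The same search when each guess must pass a lockout enforced outside the attacker's
# reach. Policy numbers are an assumption for illustration, not a TPM default.
$guessesBeforeLockout = 5
$lockoutMinutes       = 10
$worstCaseMinutes     = [math]::Ceiling(10000 / $guessesBeforeLockout) * $lockoutMinutes
"Same 4-digit space behind a $guessesBeforeLockout-guess / $lockoutMinutes-minute lockout: about $([math]::Round($worstCaseMinutes / 1440, 1)) days worst case"
```

The asymmetry is the whole point of the comment: with a TPM the PIN never yields a verifier the attacker can test offline, because the key is released by the chip only after it has counted the guess, so the entropy of the PIN matters far less than the policy the hardware enforces.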
| canada_dry wrote:
| > security advantages for end users
|
| I'd say about as much as Intel's Management Engine. /s
| kenjackson wrote:
| People always say this sort of stuff, but I feel like never
| really ask, is there any reason why Microsoft would do this?
|
| Desktop revenue from apps is small and will get smaller. MS
| gets that the web will continue to grow larger.
|
| I just don't believe the App Store angle. I don't think Satya
| does either. The cloud runs the company now. They did this for
| a different reason. I just feel like people aren't even trying
| to reason through what it is.
| fendy3002 wrote:
| My 2 cents, if MS control the app and store, it means no
| pirated office / sql server running on both servers and
| development machines.
|
| Open source solutions may also meet a hindrance when they
| somehow collide with MS's line of business (postgres).
|
| Theoretically Microsoft can get a cut from adobe subscription
| (no longer purchase, screw them too). They can also
| potentially force valve or epic for a fee or shared revenue,
| which is why steamOs are there. Netflix and spotify are also
| potential targets.
|
| Then no telemetry can be published if MS said so, forcing
| third parties to deal somehow with MS.
| kenjackson wrote:
| But for Office they are already trying to move all the
| revenue to O365. That's the future and there you don't have
| to deal with piracy. I've never heard pirated copies of SQL
| Server being an issue.
|
| And then, sure there's Adobe, but 99% of apps are pure web
| apps. No desktop client needed. Netflix Windows desktop
| usage is small compared to their webpage and if MS pushed
| hard on this, they could just pull the app altogether.
|
| The app store angle just isn't going to be this revenue
| monster for them long term. When I look at my desktop the
| only apps I have open are Microsoft and Adobe apps. That's
| it -- and the occasional game.
|
| IMO, I think the thing they should care about the most is
| preventing ransomware/malware on their devices. Apps will
| be in the cloud, but the entry point is the device.
| Enterprises will want to have the most secure and easy to
| use entrypoint.
| mickotron wrote:
| We all won't be, only those still choosing to run windows. For
| those not doing so, we are not affected.
| dTal wrote:
| "Dan would eventually find out about the free kernels, even
| entire free operating systems, that had existed around the turn
| of the century. But not only were they illegal, like debuggers
| --you could not install one if you had one, without knowing
| your computer's root password. And neither the FBI nor
| Microsoft Support would tell you that."
|
| --Richard Stallman, "The Right To Read"
| matheusmoreira wrote:
| In a future where laws mandate signed software, the only way
| out is to somehow make our own hardware. We'll never be truly
| free unless we can manufacture free computers at home just
| like we can write free software at home. There is no software
| freedom if the processor refuses to run our code.
|
| Right now the chip fabs require billions of dollars in
| investments in order to make our processors. They are single
| points of failure. There's nothing we can do if the
| government starts targeting them for regulation in order to
| curb effective cryptography, copyright infringement or any
| other subversive technology.
| userbinator wrote:
| _In a future where laws mandate signed software_
|
| "If you outlaw freedom, only outlaws will have freedom."
| saganus wrote:
| But even if you can somehow make your own hardware, how
| long until governments start requiring interaction with
| certain services (health, banking, taxes, etc) be signed by
| an _approved_ OS/processor combo?
|
| Imagine tax software (commercial or gov provided) refusing
| to work unless you use an OS with TPM support for "security
| reasons".
|
| Or even worse, what would happen if gov regulations started
| requiring ISPs to stop working with non-compliant hardware?
| I.e. something like requiring network devices to attest
| they are "officially" approved before allowing to connect?
|
| I don't think this will happen any time soon (hopefully)
| but I can see how even making your own hardware might not be
| enough.
| IvanAchlaqullah wrote:
| > Imagine tax software (commercial or gov provided)
| refusing to work unless you use an OS with TPM support
| for "security reasons".
|
| > I don't think this will happen any time soon
| (hopefully) but I can see how even making your own
| hardware might not be enough.
|
| This already happened in Android, at least where I live
| (Indonesia). Most bank, government service, and
| _freaking_ McDonald's apps will refuse to run if your
| phone is rooted "for security reason".
| TedDoesntTalk wrote:
| Honest question: how do those apps know your phone is
| rooted, and can you still use their websites for
| equivalent functionality?
| pxeboot wrote:
| The most popular root solutions have a "hide" feature so
| apps you specify can't tell you are rooted. It is
| slightly more complicated with custom roms.
|
| I have Google Pay and several banking apps on my rooted
| phone without issue.
| SXX wrote:
| Does your phone pass hardware attestation?
|
| Google can make it mandatory at any moment and then you
| won't be able to "hide" anything.
| zbrozek wrote:
| Google provides attestation and it's a constant cat-and-
| mouse game that the rooters are usually losing.
|
| Websites can't tell, but lots of companies don't provide
| equivalent functionality via website. I know I can't
| upload check images for remote deposit unless I use the
| native banking app.
| IvanAchlaqullah wrote:
| It's called SafetyNet [1]
|
| What irked me is sometime app developers are abusing it
| without asking themself "Does this app really need to
| check for rooted phones at all?"
|
| I'm okay if bank apps are using that. But why do fast
| food apps need to use that? Most people that I know are
| paying with cash when they order food online (and you
| can't hack paper money with rooted android phones).
|
| [1] https://developer.android.com/training/safetynet/attestation
| ryanlol wrote:
| Platforms like deliveroo have lost tens of millions to
| fraud, I don't blame them for enforcing safetynet.
|
| Perhaps "food delivery" means pizza to you, but there are
| many places where it also includes thousand dollar
| bottles of wine.
| zbrozek wrote:
| Could you explain how the locked-down phone is protection
| against fraud here?
| novok wrote:
| Statistically people who do payment fraud crap use rooted
| phones more, probably to help with things like location
| spoofing to get around other fraud detection methods when
| apps use third party payment libraries, so you reduce
| your fraud cost with something that is a few lines of
| code. The cost/benefit ratio is too good which is why you
| see it everywhere that has a payment fraud risk of some
| sort.
| blibble wrote:
| probably becomes a tick on an auditor's checklist
|
| like having to rotate your password every 3 weeks and
| requiring 4 special characters/...
| matheusmoreira wrote:
| That would be oppressive but at least the unfree
| activities are restricted to the parts of our life where
| we must deal with authorities. We are still free to do
| whatever we want with our free computers in all other
| cases.
|
| > Or even worse, what would happen if gov regulations
| started requiring ISPs to stop working with non-compliant
| hardware? I.e. something like requiring network devices
| to attest they are "oficially" approved before allowing
| to connect?
|
| Looks like we're going to need a concept of networking
| freedom as well. Ideally, this will be solved by
| ubiquitous mesh networks that the government can't
| possibly hope to ever regulate or outlaw. Practically...
| We'll probably end up living in some dystopian cyberpunk
| hell since the vast majority of the population is too
| apathetic to join this cause and help run this
| decentralized infrastructure.
| novok wrote:
| Ad-hoc radio mesh networks are constrained by physics and
| math as far as throughput goes, they are not competitive
| with normal networks. Governments have also shown the
| ability to regulate radio usage very well the world over.
| citizenpaul wrote:
| AT&T fiber basically already does this. You cannot connect
| without their crappy router box that authenticates to the
| network every so often. Some people have created
| workarounds but they all require the AT&T box be plugged in
| somewhere and forward its certificates
| hilbert42 wrote:
| _"AT&T fiber basically already does this. You cannot
| connect without their crappy router box that authenticates
| to the network every so often."_
|
| If you look at the IT/computing/internet position from a
| global perspective you'll note that there are many
| outrageous situations that warrant political action.
| These issues include copyright overreach, gross privacy
| breaches by the likes of Google, Facebook, et al, to
| internet protocols done at the behest of corporations
| for their own benefit, to the ever-increasing proprietary
| nature of both software and hardware including CPUs not
| to mention hidden proprietary firmware code in vehicles
| that drivers do not have access to, etc. - much of it
| done under excuse or the false premise of security.
|
| If one matter stands above all else then it is that
| there's no cohesive political opposition of any notable
| size that's capable of disrupting the political
| system/establishment to the extent where politicians
| _must_ take notice.
|
| This is a serious problem and it's a fundamental one. For
| instance, Cory Doctorow noted that the problems with
| copyright including copyright reform can't be sorted out
| as the big players have too much money, power and
| influence and those of us in opposition are just too few
| in number to make any difference no matter how just and
| legitimate our cause may be. In essence, in the grand
| scheme of social and political life, copyright
| essentially amounts to nought - so it's little wonder
| copyright reform is left to wither and languish (note,
| this is my interpretation/summary of what he's been
| saying on various occasions).
|
| Even organizations such as the EFF and influential people
| such as Tim Berners-Lee and Bruce Schneier have very
| little influence on their own in the face of huge
| corporate opposition, MS, Google, Facebook, etc not to
| mention governments, the NSA, GCHQ, etc.
|
| In essence, it's all a lost cause unless we can all
| coalesce together to form one overarching body of
| international standing that's politically able to fight
| the forces of darkness. Unfortunately, I'm pessimistic
| that this will ever come to pass simply because pretty
| much all of those involved have demonstrated that they're
| very independent and headstrong and thus they're unlikely
| to be sufficiently united to be fully effective in a
| common political cause (one only has to look at the
| hundreds of disparate Linux distributions to see that).
| Nevertheless, it'd be wonderful if I were to be proved
| wrong.
|
| _In the same vein, I'd suggest that there's a more
| fundamental problem at stake here. That's the general
| apathy and unease about democracy currently held by huge
| swathes of the citizenry. Modern democracy formed
| hundreds of years ago when life and times were simpler
| thus the democratic systems that were set up to deal with
| them were structured accordingly and there's been
| precious little change since.
|
| This brings us back to issues such as the copyright one
| I've mentioned. Modern democracy has no simple way of
| dealing with the many thousands of genuine legitimate
| causes that have arisen out of the complexities of
| modern-day life.
|
| Modern democracies with their mainly (effectively) two-
| party systems can't effectively accommodate all the
| nuances of these complexities and like the parable of The
| Man, the Boy and the Donkey, they try to please all with
| botched compromises and end up pleasing none (for
| example, just witness the many political shemozzles over
| COVID).
|
| In my opinion, the only way to overcome such problems is
| to review and then agree on new - or even which covenants
| should bind citizens and The State then take it from
| there (on some issues where there's no common agreement
| society may have to divide into groups and individuals be
| bound by the laws of that group, etc.) Whatever the
| outcome it's highly unlikely to be resolved in the
| foreseeable future._
| totetsu wrote:
| I think to do your taxes online in Japan you need an NFC
| card reader and software that only works on Windows.
| matheusmoreira wrote:
| In Brazil, we have a Java application that works on any
| system with a JVM. It's pretty nice. Why exclude citizens
| based on their choice of operating systems?
| cesarb wrote:
| Note also that this was not always the case. Originally,
| it was a DOS-only application, then a Windows-only
| application, then for a while we had both the Windows-
| only application and the Java application, and then
| finally the Windows-only application was retired.
|
| I believe that the creation of the Java version of that
| application was due to complaints from Linux users, so
| this is AFAIK a case where citizens used to be excluded
| based on their choice of operating systems, and convinced
| the government to allow more choice.
|
| Another example is online banking in Brazil; for a while,
| most banks required the use of a horribly invasive
| "security plugin" for the browser which ran only on
| Windows. Nowadays, there's also a Linux version of that
| invasive software, so users of Linux are no longer
| excluded from online banking on their computers (it's not
| perfect because it still requires that invasive software,
| but it's better than before).
| voldacar wrote:
| Well people have already made decently fast homebrew
| computers with FPGAs. The problems are threefold:
|
| - To what extent do you interop with existing (closed?)
| hardware, vs trying to recreate the world from scratch. Do
| you implement usb, pcie, etc, or do you make your own
| philosophically free equivalent that isn't compatible with
| existing devices?
|
| - In any case you will have to cope with the fact that
| homebrew CPUs will always be a decade or two behind the
| cutting edge intel/amd cpus in terms of performance
|
| - Your system has to be useful in order to get people to
| use it, but it has to have people working on it
| consistently in order for it to get to a state where it's
| useful. A chicken and egg problem.
|
| There is, however, at least one off-the-shelf free computer
| system - I'm thinking of the Raptor Talos platform. But
| even then, you're paying significantly more for a computer
| that performs worse, unless you're running supercomputer-
| esque workloads on your desktop PC
| novok wrote:
| Personally I think the practical solution is companies
| like frame.work & valve making open hardware and creating
| software shims like proton because it's part of their
| value prop and business model to make open hardware.
|
| If valve doesn't make Linux a viable gaming platform,
| they are going to be chess maneuvered into a checkmate by
| MSFT and Apple. Epic recognizes a similar issue too which
| is why even if they are competitors, they recognize the
| greater threat and are working together somewhat with
| Epic porting EAC to Linux & proton.
| ddalex wrote:
| Stallman was ALMOST right.
|
| The fight is not about which programs the user can run, but
| who controls the user data
| matheusmoreira wrote:
| No, Stallman was right about pretty much everything. It's
| impressive how far into the future he saw, much earlier
| than many of us, including myself. There is no computing
| freedom without software freedom, and there is no software
| freedom without hardware freedom.
|
| Control of data is a related problem. It's absolutely
| relevant but it's not in any way opposed to computing
| freedom. In fact, they are aligned. Computing freedom helps
| us retain control of our data even when faced with hostile
| corporations.
| ddingus wrote:
| Exactly right.
|
| The move to ARM will highlight the hardware freedom in a
| big way.
|
| People are used to ARM being different and are that much
| more likely to forget open, general purpose computing
| right along with that "old" x86...
|
| Heh, I always disliked x86. But now? I look at it fondly.
|
| Strange times.
|
| Edit: It is the IBM PC lineage I speak of here, not just
| the ISA.
| dTal wrote:
| It's not the instruction set - it's the IBM PC-compatible
| standard that gave us our golden era of desktop
| computing. Standard bootloaders, standard ports, standard
| keyboard layouts. We owe it so much.
| ddingus wrote:
| Yes, I agree and just made the reference off hand.
|
| We do!
|
| [Looks over at Apple //e and IBM XT]
|
| We need another open effort. Soon.
| Causality1 wrote:
| Are you aware of the enormous amounts of blood, sweat, and
| tears expended by people on XDA Developers just to unlock
| bootloader to use functions as simple as custom gesture
| controls?
| tata71 wrote:
| Are you aware of how often they fail?
| Causality1 wrote:
| Exactly. It's very much a war about what programs users
| can run, and the users don't always win.
| HeckFeck wrote:
| > The fight is not about which programs the user can run,
| but who controls the user data
|
| Some things were so horrible, not even Stallman could
| imagine them happening in his worst nightmares.
| temac wrote:
| There is a fight for both.
|
| And the fight to stay in control of your data is far easier
| when you use Free Software.
| DeathArrow wrote:
| >The fight is not about which programs the user can run,
| but who controls the user data
|
| But the user data is mostly in the cloud, owned by Apple,
| MS, Google, Amazon, Facebook.
|
| In the future we will be lucky to have apps that work
| offline with local data.
| hutzlibu wrote:
| "In the future we will be lucky to have apps that work
| offline with local data. "
|
| Are you from the past? This here is 2021. And right here,
| the expensive, professional apps still let you
| grudgingly do it, but small/casual apps that work really
| offline? That became rare. Usually it is mainly server
| and some local cache, which you better take care of, if you are
| in an area with bad connection.
|
| But more and more of my peers realize, how much spotify
| sucks, when there is suddenly no more internet.
|
| Well, I still have my own music collection(and my own
| player for it) and use spotify just for discovery. Each
| to his own and thank you, for the existence of open
| source and foss.
| johnebgd wrote:
| Office, creative suite, and your flavor of pdf viewer
| still all work primarily off local files since cloud
| storage vendors all compete and don't interconnect except
| at integration for the endpoint.
| FpUser wrote:
| >"but small/casual apps that work really offline?"
|
| I do not have a single small/casual app, paid for or free,
| that does not work with offline data.
| jynelson wrote:
| Spotify works fine offline, you just have to download the
| tracks ahead of time.
| hutzlibu wrote:
| Yeah, but there is a tight limit.
|
| And they get removed after some time.
| cabalamat wrote:
| It's both.
| dTal wrote:
| Weird take, given this is a thread about Microsoft
| effectively banning a program.
| appleflaxen wrote:
| He was early, but he wasn't wrong.
|
| We are _still_ headed directly to the place he described.
| skeeter2020 wrote:
| How is early not wrong?
| echelon wrote:
| Tell that to every iPhone app developer.
|
| It's worse than not having the right to execute. You can't
| even build the program you want. You have to use Apple pay,
| Apple subscriptions, Apple login. And you don't even get a
| relationship with your customer.
|
| Truly draconian.
| depressedpanda wrote:
| They also prevent installing 3rd party web browsers,
| while keeping Safari way behind all others in order to
| ensure that you cannot escape their control.
|
| Their behavior is inexcusable but not surprising; what
| baffles me is that it's allowed.
| [deleted]
| HeckFeck wrote:
| And they tell me that automake is bad!
| DeathArrow wrote:
| And we don't want that to happen to Windows too.
| Arisaka1 wrote:
| I saw the writing on the wall the moment they could sloppily
| justify the TPM requirement.
|
| Then I got into arguments with people proclaiming that it's
| just Microsoft enforcing it for the casual user's safety, and
| that I'm a Microsoft hater. Who? Me, whose first programming
| language was C#, who worked as a Windows server administrator
| for years, and my operating systems have been nothing but
| Windows for 2 decades. And I'm suddenly a hater for daring to
| raise an eyebrow and question their design motivation?
|
| I'm very convinced that the desktop world is at its worst. You
| have the commonly owned yet absurdly powerful tool known as a
| desktop computer have its market dominated by a single company,
| with no competitors whatsoever. Even worse, Microsoft's deal
| with hardware vendors ensure that even if a competitor were to
| rise they'll have to earn their favor as well. The game is lost
| for any competitor before it even starts.
|
| And with the PC dominance under their thumb they test the
| waters to see with how much they can get away with, an approach
| they cannot even afford to consider when it comes to their
| other products like Azure or even the C# programming language.
| They also did their best to make Visual Studio Code great,
| until you realize that this also follows the same pattern.
| iforgotpassword wrote:
| And they will get away with it. The generation that grew up
| with smartphones primarily, getting a computer only later on
| (if at all) will find this totally normal. Even Android is
| getting locked up more and more over the last couple of
| releases too, even most Chinese vendors stopped letting you
| unlock the bootloader, and nobody complained.
| ChuckNorris89 wrote:
| _> I saw the writing on the wall the moment they could
| sloppily justify the TPM requirement._
|
| Microsoft doxed itself on the TPM limitation being purely
| arbitrary when Windows 11 compatibility checks passed on a
| Pentium 4 CPU and installed just fine due to a mistake from
| Microsoft where they forgot to blacklist that CPU family lol.
|
| https://twitter.com/Carlos_SM1995/status/1448561898035851264...
| FDSGSG wrote:
| >purely arbitrary
|
| As if years of experience hasn't taught us that opt-in
| security is stupid. This would be arbitrary if the TPM was
| useless, but it isn't.
| ChuckNorris89 wrote:
| We have to disagree here. The threat models where the
| security that TPM offers are mostly applicable to the
| enterprise and business sectors where all devices on the
| network/AD/VPN have to be trusted and their storage
| encrypted. There TPM makes perfect sense.
|
| Your average consumer/home user does not benefit at all
| from the features of TPM since they're not subject to the
| same threat model. Here TPM, and also stuff of the UEFI
| security chain like Management Engine and Secure Boot in
| the past, act more like hostile walled-gardening that limit
| what a user can install on his system (remember how
| enabling secure boot originally meant you couldn't
| install any linux distro?) rather than add any meaningful
| security (will TPM and Secure Boot prevent grandma from
| getting her PC infected by malware off some shady
| phishing site? No? Then don't force those requirements
| for private users)
| FDSGSG wrote:
| This assumes that home users don't have any data worth
| protecting. I think that's a ridiculous thing to assume.
|
| IME does not affect your average user at all, so I'm not
| sure why you'd bring that up.
|
| >remember how enabling secure boot originally meant you
| couldn't install any linux distro?
|
| A lot of people were spreading this FUD back when secure
| boot was being introduced. It was a lie back then, it is
| a lie now.
|
| > rather than add any meaningful security (will TPM and
| Secure Boot prevent grandma from getting her PC infected
| by malware off some shady phishing site? No? Then don't
| force those requirements for private users)
|
| Secure Boot essentially killed off bootkits, that's a
| significant achievement. Perhaps you should learn what
| these technologies are actually used for before attacking
| them?
| EvanAnderson wrote:
| To give an example of harm caused by the TPM / disk
| encryption feature in the consumer space: A recently-
| deceased friend's wife contacted me about getting
| personal data off her late husband's computers. I
| ended up being able to get nothing for her.
|
| My friend, no doubt influenced by dementia and paranoia
| he was feeling, changed the passwords, made no note of
| them, and subsequently died. The computers in question
| run Windows 10 using Bitlocker and key storage in the
| TPM.
|
| The data is effectively gone. I believe he was using
| encrypted backups to a "cloud" storage provider, too, but
| I'm also fairly certain the key is only on these
| computers. (The Windows accounts on these machines are
| local accounts so the Bitlocker recovery keys weren't
| saved on Microsoft's servers either.)
|
| Matters were arguably handled poorly on my friend's part
| prior to his becoming of unsound mind. He wasn't terribly
| technically savvy and I'm not sure he considered the
| "losing my own mind" threat model. Nonetheless, it adds
| insult to injury that Bitlocker, which added no security
| for his day-to-day use, effectively caused the loss of
| his data.
| Wowfunhappy wrote:
| This is similar to why enabling 2FA actually scared the
| heck out of me! I use a password manager to generate
| strong unique passwords, so I think the chances of
| someone getting in that way are incredibly low. But I can
| absolutely see myself losing all of my 2FA keys some day
| in a freak accident.
| Tijdreiziger wrote:
| You are supposed to store the recovery key(s) in a secure
| location. Then if you lose your 2FA device, you can reset
| your 2FA from those recovery keys.
| Wowfunhappy wrote:
| What secure location? My sock drawer? Or am I expected to
| go buy a safety deposit box? I'm really not that
| organized and I lose slips of paper all the time, it's a
| major reason I was drawn to computers growing up.
| deadbunny wrote:
| I keep mine in a file in a drawer. My threat model
| doesn't cover people breaking in and finding them as well
| as knowing my password manager's master password.
| vetinari wrote:
| Nowadays the password managers can store the 2fa secrets
| and generate the codes as needed.
|
| It kind of defeats the purpose of the second factor --
| the password manager becomes it -- but at least it makes
| the services that insist on it happy.
| marcosdumay wrote:
| Nowadays 2FA is always about something you know and
| somebody that vouches for you (SMS, email, whatever).
| Nobody seems to do any version of it that relies on you
| alone. So a password manager won't improve its
| reliability.
| batch12 wrote:
| Did he enable a boot pin or are the drives just
| encrypted?
| EvanAnderson wrote:
| The drives are encrypted without a boot PIN. If I could
| exploit a vulnerability in the OS I could get the data.
| There will probably be a vulnerability discovered, at
| some point, that will allow access. I'd advised my
| friend's widow to hold onto the computers for the time
| being.
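A defender-side check for the situation described in this sub-thread (a TPM-only BitLocker protector with no startup PIN and no recovery password kept anywhere off the machine), as an added PowerShell example that is not from this thread or from Microsoft. It uses only the standard BitLocker cmdlets (Get-BitLockerVolume, Add-BitLockerKeyProtector, Remove-BitLockerKeyProtector) and assumes an elevated prompt on a Windows 10/11 edition that ships the BitLocker module; $EscrowDir is a placeholder path and the function names are my own.

```powershell
# Added example (not from the thread): audit BitLocker key protectors on a
# Windows 10/11 host, escrow the recovery password off the machine, and
# optionally move a TPM-only volume to TPM+PIN.
# Requires the BitLocker module (Pro/Enterprise editions) and an elevated prompt.

function Get-BitLockerProtectorAudit {
    [CmdletBinding()]
    param()

    foreach ($vol in Get-BitLockerVolume) {
        $types     = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
        $hasTpm    = $types -contains 'Tpm'
        $hasTpmPin = ($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey')

        [pscustomobject]@{
            MountPoint          = $vol.MountPoint
            VolumeStatus        = $vol.VolumeStatus
            ProtectionStatus    = $vol.ProtectionStatus
            Protectors          = ($types -join ', ')
            # TPM-only: the disk unlocks for whoever gets the OS to boot, so the
            # data is only as safe as the Windows logon and the OS itself.
            TpmOnlyNoPin        = $hasTpm -and -not $hasTpmPin
            # Without a recovery password protector there is nothing to escrow,
            # and a forgotten logon password means the data is gone.
            HasRecoveryPassword = $types -contains 'RecoveryPassword'
        }
    }
}

function Export-BitLockerRecoveryPasswords {
    param(
        # Placeholder: somewhere that outlives the machine (printout, USB stick
        # kept with the will, a trusted family member), not the same disk.
        [Parameter(Mandatory)] [string] $EscrowDir
    )
    New-Item -ItemType Directory -Path $EscrowDir -Force | Out-Null
    foreach ($vol in Get-BitLockerVolume) {
        $rp = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
        if ($rp.Count -eq 0) {
            # Create one so the volume can be opened without the TPM or a PIN.
            Add-BitLockerKeyProtector -MountPoint $vol.MountPoint -RecoveryPasswordProtector | Out-Null
            $vol = Get-BitLockerVolume -MountPoint $vol.MountPoint
            $rp  = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
        }
        $safeName = $vol.MountPoint -replace '[:\\]', ''
        $file = Join-Path $EscrowDir ("bitlocker-recovery-{0}-{1}.txt" -f $env:COMPUTERNAME, $safeName)
        $rp | ForEach-Object {
            "Volume {0}  KeyProtectorId {1}`n{2}" -f $vol.MountPoint, $_.KeyProtectorId, $_.RecoveryPassword
        } | Set-Content -Path $file
        Write-Host "Recovery password for $($vol.MountPoint) written to $file"
    }
}

function Enable-BitLockerTpmPin {
    param(
        [Parameter(Mandatory)] [string] $MountPoint,
        [Parameter(Mandatory)] [securestring] $Pin
    )
    # Group Policy "Require additional authentication at startup" must permit a
    # startup PIN, otherwise Add-BitLockerKeyProtector refuses with an error.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
        # Keep a way back in before touching the TPM-based protector.
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    }
    foreach ($p in ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm')) {
        # A volume may hold only one TPM-based protector, so the plain TPM
        # protector is removed before the TPM+PIN protector is added.
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
    }
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin | Out-Null
}

# Usage (run elevated):
#   Get-BitLockerProtectorAudit | Format-Table -AutoSize
#   Export-BitLockerRecoveryPasswords -EscrowDir 'E:\escrow'     # placeholder path
#   Enable-BitLockerTpmPin -MountPoint 'C:' -Pin (Read-Host -AsSecureString 'Startup PIN')
```

The audit column `TpmOnlyNoPin` is the configuration the sub-thread is about: with a local account and no recovery password stored anywhere else, the only copies of the key live in the TPM and in the owner's head. Escrowing the recovery password first, then adding the PIN, keeps a path to the data that does not depend on either.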
| [deleted]
| lupire wrote:
| That has nothing to do with TPM. It's the opposite, in
| fact. That's software that obeyed user commands.
| matthewfcarlson wrote:
| If you can log into his Microsoft account on the
| internet, you can recover the BitLocker key from there if
| his account on his machine was a Microsoft one
| imchillyb wrote:
| > (The Windows accounts on these machines are local
| accounts so the Bitlocker recovery keys weren't saved on
| Microsoft's servers either.)
|
| Reading the comments, before posting, helps.
| shawnz wrote:
| I'm sorry for your loss, but did your friend not have a
| right to privacy just because he had dementia? Should we
| be building dementia backdoors into all our platforms'
| encryption systems? What about cases where people are
| estranged from their spouses?
| EvanAnderson wrote:
| As I said, it wasn't handled well. I don't think we
| should be building backdoors into security systems. I
| also don't think my friend explicitly requested the
| functionality or would have understood the ramifications
| even if he did.
|
| Bitlocker is, apparently, enabled-by-default on consumer
| machines that, I'd argue, don't suffer from a threat
| model that necessitates its use.
|
| There is a huge problem with technical and legal
| constructs associated with the rights to accounts and
| data after death. I don't have the answers for everybody.
| I've done what I can for myself and my immediate family.
|
| The "I've lost my mind and undermine efforts I made,
| while still in my right mind, for successors-in-right to
| access my data" is one that I'm not sure how to defend
| against, and one that scares the willies out of me. I can
| document my last wishes but if I, in a fit of paranoia,
| change keys / passwords / remove recovery mechanisms,
| then those last wishes might be irrelevant.
| kenjackson wrote:
| This seems like a plus not a problem.
| shawnz wrote:
| What about the scenario where your laptop is stolen and
| the attacker reads your data off the disk? All modern
| mobile devices protect against this scenario by default,
| but Windows devices required additional configuration to
| be protected.
|
| And in fact Secure Boot does protect against Grandma
| being infected by boot-time malware. And when has it ever
| been the case that it prevented you from installing
| Linux?
| ChuckNorris89 wrote:
| _> And in fact Secure Boot does protect against Grandma
| being infected by boot-time malware._
|
| And how can grandma get boot time malware at home? IIRC
| those were common back in the days when people were
| plugging in infected floppy disks or thumb drives
| everywhere and you'd try to boot off them. Can't remember
| last time I saw this type of malware in the wild as
| phishing and ransomware is a lot more profitable for
| malicious actors than boot time malware.
|
| _> And when has it ever been the case that it prevented
| you from installing Linux?_
|
| This was always the case ever since secure boot launched
| and any OS that didn't have its first stage bootloader
| signed by Microsoft could not boot. Even to this day, to
| install arch or puppy on my XPS I had to disable secure
| boot. Ubuntu and other major distros are fine here though
| but this gate keeping doesn't make it ok in my book.
| tata71 wrote:
| > And how can grandma get boot time malware at Home?
|
| Depending on the demographic, they can: get caught up in
| during some (possibly unrelated, likely automated)
| attack, click the wrong ad, or load the wrong common page
| with JS.
| ChuckNorris89 wrote:
| Can you please provide some sources for JS ad-based boot
| time malware you mentioned that one can get off the web?
| SXX wrote:
| Usually the JS part is just an exploit that is just a first
| step. After that there is compiled, native "loader" malware
| that is required to set up the actual trojan / rootkit.
| shawnz wrote:
| > Can't remember last time I saw this type of malware in
| the wild.
|
| That's exactly because widespread secure boot has made it
| impractical!
|
| As for niche Linux distros, it's been mandated since the
| beginning that you can install your own Secure Boot keys
| on Microsoft certified desktop platforms.
| yjftsjthsd-h wrote:
| That branch of malware was already rare when uefi secure
| boot was introduced.
|
| > it's been mandated since the beginning that you can
| install your own Secure Boot keys on Microsoft certified
| desktop platforms.
|
| ...on x86; on ARM they mandated that the user _couldn't_
| install their own keys, which shows that they will lock
| users out as much as they think they can get away with.
| vladvasiliu wrote:
| > This was always the case ever since secure boot
| launched and any OS that didn't have its first stage
| bootloader signed by Microsoft could not boot. Even to
| this day, to install arch or puppy on my XPS I had to
| disable secure boot. Ubuntu and other major distros are
| fine here though but this gate keeping doesn't make it ok
| in my book.
|
| But this is kind of a circular problem, isn't it?
|
| If everyone's bootloader is signed and recognized by
| every Secure Boot implementation, then signing is useless
| since it doesn't afford discrimination between "known
| good" and "dubious" bootloaders.
|
| I'm not familiar with XPS computers, but to me what's
| important, as another sibling says, is that the user be
| able to load their custom keys with which they sign their
| own bootloader. This is how I run Arch on my HP
| computers.
|
| This way, I can be reasonably sure that when I boot _my_
| arch linux, it's actually mine, and not some random live
| medium based off arch's (or whoever's) install disk that
| will sniff my passwords or whatever.
|
| To me, this is what SecureBoot is supposed to offer, and
| I don't see how you would implement this if you could
| easily get anything signed and accepted by most PCs.
| ChuckNorris89 wrote:
| _> to me what's important, as another sibling says, is
| that the user be able to load their custom keys with
| which they sign their own bootloader. This is how I run
| Arch on my HP computers._
|
| Like I said above, this and stuff like management engine
| and TPM makes perfect sense in the enterprise environment
| where the owner of the device (the employer) is different
| than the user (the employee), so IT needs to strictly
| control what's running on the devices they trust on their
| infrastructure, but why should we expect home users to
| have to sign bootloaders to use whatever software they
| want as they're both the users and the owners of the
| devices and the network infrastructure in their homes?
| vladvasiliu wrote:
| I agree that the process could be more straightforward,
| especially as, from what I read, some computers may need
| some coaxing into changing the keys.
|
| But the thing is that, like it or not, most people simply
| don't care enough, so they'll just use Windows. I
| remember a while ago, when there were many live CD-based
| distros and there was no such thing as SecureBoot, people
| wouldn't even be curious to give Linux a spin. All it
| would have taken was to pop a CD in the drive and boot
| up. To paraphrase another commenter, I think many people
| feel the same way about their PC as their washing
| machine: just another appliance. Of course, locked-down
| platforms don't help instill curiosity in people...
|
| So you get, roughly-speaking, two populations: those who
| care and those who don't. And usually, those who do care
| are curious enough to follow a few simple steps to
| disable SecureBoot for the installation and then set up
| their own signing process.
|
| But I stand by what I said earlier: the process cannot be
| fully automatic, or it defeats the purpose. But I do
| think that willingly making it a pain is wrong.
| vetinari wrote:
| > And when has it ever been the case that it prevented
| you from installing Linux?
|
| There was a window, when shim.efi was not signed.
|
| > And in fact Secure Boot does protect against Grandma
| being infected by boot-time malware.
|
| When was it the case that grandma was infected by boot-
| time malware? One-half-like malware happened decades ago,
| and under Windows they need administrator rights anyway.
| gruez wrote:
| >Microsoft doxed itself
|
| Does "dox" mean "anything vaguely secret" now? I still
| remember the days when it meant "personal information".
| matheusmoreira wrote:
| The issue isn't the TPM, it's who owns the keys to the
| machine. If the user configures their own keys, it becomes an
| empowering technology that allows them to verify their boot
| process hasn't been tampered with. If Microsoft owns the
| keys, they own the computer and the technology becomes their
| means of control over the user. They will use this technology
| to oppressively deny the user their software freedom while
| simultaneously extracting rent out of any developer who wants
| to reach that person.
|
| Those who own the keys own the machine. We must ensure we are
| the ones holding the keys at all times or suffer the
| consequences.
| ngneer wrote:
| Insightful analysis, though "oppressively deny" sounds
| harsh to me. There is not a blatant malice in TCG per se,
| mainly a neutral desire for control and by proxy profit.
| The treacherous versus trusted computing debate really does
| boil down to control. Do we trust vendors to be stewards of
| control on our platforms? Do we even have a choice?
|
| I do not recall giving the keys to anyone, and yet it feels
| like the person building your house is telling you that
| they can pop in for dinner and lock you out should the need
| arise (deny you the ability to run your choice of software
| and your control is forfeit).
|
| There is something flagrant when the question is brought
| home to the personal computer. No user complains too much
| about not being able to replace the firmware for some
| faraway BGP router, yet that router is also part of the
| infrastructure like the PC and the OS installed on it. If a
| consumer thinks about the PC less as providing a personal
| computing service and more as an Internet terminal, then
| the problem goes away a little. Naturally, the PC does
| both, but since the two are at odds with one another, the
| PC has conflicting interests, serving two masters.
|
| A similar issue exists with cell phone debug, where the
| carriers log into your phone to troubleshoot. Granted,
| debug is control for the sake of helping the user and does
| not deny the user the ability to run software (the OS and
| app store do that).
|
| This just leaves the problem of where can a user actually
| go to do secure compute. An abacus works nicely, but is
| impractical. Free open source hardware (FOSH) is really the
| only option.
| matheusmoreira wrote:
| > A similar issue exists with cell phone debug, where the
| carriers log into your phone to troubleshoot.
|
| You cannot be serious. How do I know if this can happen
| to me?
|
| > Free open source hardware (FOSH) is really the only
| option.
|
| Yes.
|
| > No user complains too much about not being able to
| replace the firmware for some faraway BGP router
|
| The network is a very clear line to me. The BGP router is
| not my computer. It's the ISP who should be demanding
| free software from their hardware manufacturers, so that
| they too could enjoy complete control and trust.
|
| > If a consumer thinks about the PC less as providing a
| personal computing service and more as an Internet
| terminal, then the problem goes away a little.
|
| In these cases, the user is not using a computer. They're
| using appliances that just happen to have computers
| inside. Modern consumer products make every effort to
| hide the computer. There is no computing freedom if there
| are no computers we can use.
|
| We must oppose all "consumer" products, all "fully
| integrated and converged" solutions. Computing is about
| simple parts in the form of hardware and software; from
| these parts, powerful systems emerge. Consumer appliances
| are these whole things that have swallowed up the entire
| system. They are indivisible, non-interoperable,
| uncontrollable, they only do what was foreseen by the
| corporation that made them despite the perfectly capable
| computer inside. I can't interface directly with the
| computer controlling my air conditioner, I need an
| infrared controller for that.
|
| This article is linked from Stallman's website, it covers
| this matter with a lot of depth:
|
| http://contemporary-home-computing.org/RUE/
|
| > We are giving up our last rights and freedoms for
| "experiences," for the questionable comfort of "natural
| interaction."
|
| > But there is no natural interaction, and there are no
| invisible computers, there are only hidden ones. Until the
| moment when, like in the episode with The Guardian, the
| guts of the personal computer are exposed.
|
| > Every victory of experience design: a new product
| "telling the story," or an interface meeting the "exact
| needs of the customer, without fuss or bother" widens the
| gap in between a person and a personal computer.
|
| > The morning after "experience design:" interface-less,
| disposable hardware, personal hard disc shredders,
| primitive customization via mechanical means, rewiring,
| reassembling, making holes into hard disks, in order
| to delete, to logout, to "view offline."
| userbinator wrote:
| _There is not a blatant malice in TCG per se, mainly a
| neutral desire for control and by proxy profit._
|
| The originators of the idea were thinking of DRM and came
| from the content industry. I don't think it's a neutral
| technology at all.
| HeckFeck wrote:
| I genuinely miss the days of playing with DOS, Windows 9x and
| then all the excitement of Windows XP. All on my own
| hardware, which was whatever I could scrape from parents,
| savings, neighbours. I could do what I wanted with these old
| PCs.
|
| There was an openness that existed in the world of computing.
| Despite all that was said of Microsoft back then, and much of
| the complaints about proprietary software were true then
| also, it wasn't anywhere near as bad as this. Back then, new
| releases actually did improve my experience of computing.
|
| Every time I use Windows 10 I feel like I'm constantly in
| battle with the PC. Every new piece of news I read, every new
| feature in software and now _hardware_ I read and shudder,
| thinking, how much more of my privacy will it cost? What
| other aspect of my life is being invaded?
|
| And because of the network effect, I'm trapped in their
| clutches. I have to use these services or I can't work, can't
| talk to friends. All well and good saying 'use Matrix' but a
| chat program with no friends is just a note taker.
|
| Such a seismic shift and it was only two decades. I just want
| this hostility to end. A computer is a machine, which is an
| elaborate tool, for Pete's sake. I don't feel the same way
| towards my garden hose or washing machine.
|
| (And I increasingly wonder, were we freer back then because
| there was still some empathy towards customer needs at
| Microsoft, or because they were simply stifled from their
| real intentions by technological limitations?)
| mrandish wrote:
| I completely agree with your points.
|
| > I don't feel the same way towards my garden hose or
| washing machine.
|
| We just built and furnished a remote vacation home from the
| ground up and the shiny new appliances and even some
| fixtures (mostly ordered or approved by my wife) default to
| stubbornly demanding cloud access, often before they will
| even perform their most basic functions. At the moment,
| internet is only via 4G hotspot as we await Starlink's
| rollout next year.
|
| This of course includes the Samsung TV but extends to the
| Denon amplifier, all the major appliances from washing
| machine, refrigerator etc all the way down to the light
| switches, thermostats and 'smart' toilets (which I view as
| 'input-only' devices). Fortunately, I intercepted the light
| switches before installation and hacked open source
| firmware on them but that required opening each one and
| temporarily soldering to reflash the firmware (I had to
| draw the line somewhere).
|
| Most of the devices can be coaxed into functioning without
| permanent cloud access but it's a time-consuming escape-
| room adventure through dark UX patterns. The rest will
| require blocking at the router firewall level.
| HeckFeck wrote:
| Well, when the story began I thought this sounded like a
| pleasant getaway, and I was happy to read you've acquired
| such a place.
|
| Then the rest of it was just a dour decline. Man, oh man.
| The worst of it is that all these devices could integrate
| genuine 'smart' functionality, but a user-respecting way
| would be locally run from a central box with open and
| interoperable protocols across devices. Exactly how a
| router and server works on a LAN. It isn't impossible to
| design this in a consumer-friendly way either. But the
| will and the demand just isn't there.
|
| I wonder how these devices will be when the remote
| servers are inevitably switched off. I learnt this lesson
| very early on with online games (think GameSpy), the
| servers are not forever.
|
| What has come over the population? It wasn't that long
| ago that they burnt identity cards in the UK (at the end
| of the second world war), the public were glad to see the
| back of them despite the touted 'benefits' by some
| politicians. My grandmother shuddered at the thought of
| giving any financial details online. In the early days, I
| never used my real name anywhere on the Internet. There
| is just so much passivity now.
| no_time wrote:
| I have a theory that this seismic shift is the result of a
| demographic shift of PC users. It gradually went from
| engineers, businessmen and hackers to a much wider audience
| including younger people who have trouble grasping concepts
| such as folders[0]
|
| This by itself is not bad, problems arise when companies
| use this to justify denying control even from those who can be
| responsible with it.
|
| [0]: https://www.pcgamer.com/students-dont-know-what-files-and-fo...
| merrywhether wrote:
| The problem arises when there is no way to differentiate
| between the user classes. And while I enjoy computing
| freedom, I'm not exactly proclaiming its value when I
| have to deal with a DDoS or hear about people getting
| ransomwared. I know things like Mirai also exist, and
| that user error isn't the only ransomware vector, but
| poor computing habits absolutely fuel such problems and
| they cause pain for society as a whole.
|
| I have no idea what the answer is, other than having
| Linux et al be the place for free computing (protected by
| its various barriers to entry) while the consumer OS
| space eventually becomes increasingly locked down. The
| only other ideas I have are dumb ones like requiring
| regular examination/certification/licensure to be able to
| use the "developer" version of Windows or something.
| no_time wrote:
| Let's pretend there is no financial interest in
| restricting computer access. I think the best and safest
| option would be to manufacture all PCs with a similar
| mechanism to Chromebooks' write-protect screw that you
| have to remove to unlock the bootloader. But instead of
| just unlocking the bootloader it also gives you
| TrustedInstaller privilege in windows.
| userbinator wrote:
| _And while I enjoy computing freedom, I'm not exactly
| proclaiming its value when I have to deal with a DDoS or
| hear about people getting ransomwared._
|
| "We are not truly free if we don't have the freedom to
| make mistakes."
|
| It's nice to hear about cyberattacks and such continuing,
| because it means freedom still exists.
| paulryanrogers wrote:
| That early era also included some controversy over Windows
| XP requiring online activation. It was a watershed moment,
| soon followed by their authenticity check to install
| certain updates.
|
| We are firmly in a new era of increasing DRM within the OS.
| As a producer I can see the desire but am saddened as a
| consumer with fond memories of a freer time.
| userbinator wrote:
| _And I increasingly wonder, were we freer back then because
| there was still some empathy towards customer needs at
| Microsoft, or because they were simply stifled from their
| real intentions by technological limitations?_
|
| They've been slowly cooking the frog in the background for
| a while now with the "trusted computing" stuff. It's over a
| decade old at this point. Back then the userbase was more
| technical and likely to smell BS, and DRM was definitely
| not liked even by the general public.
|
| https://www.cl.cam.ac.uk/~rja14/tcpa
|
| https://www.cl.cam.ac.uk/~rja14/tcpa-faq-1.0.html
|
| ...but then they eventually found out that people could be
| scared into doing anything by justifications of "security"
| (regardless of what's being secured, who it's being secured
| by, and who it's being secured from), and here we are
| today.
| HeckFeck wrote:
| > ...but then they eventually found out that people could
| be scared into doing anything by justifications of
| "security" (regardless of what's being secured, who it's
| being secured by, and who it's being secured from), and
| here we are today.
|
| Ah, so they took a page from the politicians' handbook.
| The same drivel that drives the public to concede privacy
| and freedom to their hands in the state also applies in
| private industry (I am thinking of the ominous UK Online
| Safety Bill). Like it is all the same zeitgeist.
| sgblp wrote:
| We notice the Microsoft front. Microsoft has marched through
| the "open" source institutions and employs a sufficient number
| of OSS people.
|
| In Python, Microsoft employees (who don't develop much ...)
| have two seats in the Steering Council and GvR, who still seems
| to pull strings.
|
| Opposition on the mailing lists is shut down ruthlessly and is
| censored. The new "JIT" project has all the hallmarks of NIH
| and will end in minor insignificant speedups. The C# guys will
| be amused.
| keddad wrote:
| Can you elaborate on the problems with JIT implementation in
| Python? I'm far from Python development, but it seems
| interesting
| aaaaaaaaaaab wrote:
| B-but they're supposed to have changed for good! :'( Haven't you
| heard? They love(tm) open source! They write JavaScript! Surely
| it's just some misunderstanding...
| FDSGSG wrote:
| This reads exactly like the crazy conspiracy theory nonsense
| that FOSS-clowns were pushing out regarding Secure Boot.
|
| How did that end up? Well, turns out that they can now safely
| be called clowns.
| no_time wrote:
| The water is getting so hot the frog is having problems
| breathing from all the steam.
|
| "Crazy conspiracy!" He yells between two heavy gasps for air.
| FDSGSG wrote:
| Oh piss off, nonsense like this is why we still don't have
| any Linux distros shipping reasonable FDE implementations.
|
| I sure hate to be able to kind of trust my computer
| http://0pointer.net/blog/authenticated-boot-and-disk-encrypt...
| no_time wrote:
| I like how the author acknowledges that some people claim
| that TPMs are evil but doesn't actually refute it.
|
| As long as I can't extract the Endorsement Keys from a
| TPM I legally own you are not convincing me otherwise.
| pjmlp wrote:
| But it will be built on top of WSL3 and all hackers will jump
| for joy with Windows/Linux.
| gavinray wrote:
| Relevant tweets from self:
|
| https://twitter.com/GavinRayDev/status/1446459866059612162
|
| https://twitter.com/GavinRayDev/status/1446460168389136395
|
| WINE and the very popular/well maintained Linux distros have
| gotten so good in recent years that the scenario is nearly
| identical to Windows + WSL2, except with the DE reversed.
|
| And WINE is never going to run entirely as smooth/easy as
| regular Windows, though it's pretty damn close.
|
| I prefer Linux DE, both for aesthetic and resource (but
| mostly resource) purposes.
|
| I think Win11 looks great despite internet's opinion, but
| wow-ee I cannot justify/cope with the amount of resources
| (modern) Windows takes just to idle and run explorer.exe
|
| Now -- _OLD_ Windows? Windows 98, Windows 2000? That was (is)
| some good stuff.
|
| ReactOS recently released an x64 compatible build and I've
| booted into QEMU with it and toyed with the idea of trying to
| use it as a daily driver/work, even for a week as an
| experiment.
|
| https://reactos.org/blogs/newsletter-101/
|
| Feels nearly identical to Windows 2000 or so.
|
| Can check news announcement here and get the x64 MSVC build
| from the nightly page + boot into it using QEMU or whatnot (I
| used LiveCD to test):
|
| https://reactos.org/getbuilds/
| orionblastar wrote:
| ReactOS runs on old PCs that couldn't run Windows 2000 and
| up. It only requires 48M of RAM to install. They are
| getting closer to a beta build. I use the alpha builds in
| Virtual Box, along with HaikuOS, AROS, and Linux.
| gavinray wrote:
| Have you ever tried to do work in it or use it as a
| general purpose desktop?
|
| It wasn't really feasible (IMO) until they put out that
| initial x64 build in August, but in my ignorant
| understanding with x64 compatibility there's nothing
| stopping someone from running VS Code or whatnot on there
| right?
|
| What're your opinions on ReactOS?
|
| The 30 minutes I played around with it on QEMU were
| amazing.
|
| We've truly regressed so much in functional UI design. I
| genuinely felt able to focus better because there was
| less "going on" on the screen. Felt like my brain wasn't
| overstimulated with visual information.
| pjmlp wrote:
| If a full Windows/Linux ever happens, expect it to be as
| free beer as ChromeOS and Android are when not installed
| via official OEM distributions.
|
| It will be the same driver dance and boot loader stories
| since Linux exists.
| gavinray wrote:
| I am fine with this tbh, I am a pragmatic person.
|
| In spirit, I love FOSS, though I won't cripple myself by
| sticking to it if something that works better for me comes
| along, or use it to my own detriment.
|
| In fact, I would be willing to pay a good amount of money
| for Windows 98/Windows 2000 with a modern kernel, x64
| support, and icing on the cake would be a Linux shell.
|
| If there was "Ubuntu: Windows 2000 UI Edition" they could
| take my money.
| Snetry wrote:
| difference is WSL2 is more of a virtual machine than a
| translation layer like wine or WSL1
| nmfisher wrote:
| FWIW, I recently tried WINE/Codeweavers again after hearing
| everyone rave that it ran practically everything, and it
| was an absolute disaster. Literally 5/6 of the applications
| I tried didn't run (and the sixth was Telegram, which
| actually already has a Linux client IIRC).
|
| I doubt it's really an option for 99% of people who need
| Windows for serious work.
| gavinray wrote:
| Damn that sounds like bad luck to be honest. Or maybe the
| opposite -- I got very lucky and the apps I used were
| almost all compatible.
|
| Off the top of my head, I've gotten:
|
| - Ableton Live 10
|
| - FL Studio 20
|
| - A lot of popular Windows games
|
| To work without any bugs (Borderlands 3 had a bug loading
| an asset once)
|
| The one program I couldn't get working with WINE was
| Studio One 5.
|
| Ableton and FL Studio are multi-GB programs with dozens
| of .dll's, really complex -- and all I had to do was:
|
|     wine <installer-name>.exe
|
| Then click through them
|
| So yeah it could just be a crapshoot as far as what
| works. Maybe it winds up that a lot of the apps you
| personally use/need don't run at all, which would really
| suck =/
|
| But WINE sees constant improvement, including
| contribution from Valve who have a vested interest in
| Proton for running games. Not to be cliche, but it's
| always improving.
|
| (I've never used the paid Codeweavers product which is
| supposedly better, so can't comment on that one. Maybe
| someone else can chime in with recent experience if they
| have?)
| intricatedetail wrote:
| Many people only use Windows because the software they have
| don't have a Linux build. Maybe people should start
| pressuring vendors to make Linux builds and that could end
| Windows.
| dncornholio wrote:
| You mean, just like Apple did?
| pjmlp wrote:
| Ironically I have been using Linux via VMWare for about 10
| years now, because I got fed up with Year of Linux Desktop,
| which to this day still doesn't provide a proper experience
| to anyone that cares about graphics programming and usable
| UI/UX tooling.
|
| When my Asus Netbook dies (1215B with XUbuntu), the next
| UNIX travel laptop will be an Air.
|
| So you can spare the talk about how much GNU/Linux has
| progressed, since I see it every time I take that netbook
| into use.
| e12e wrote:
| > a proper experience to anyone that cares about graphics
| programming and usable UI/UX tooling.
|
| I suppose the only answers here are qt or game engines
| like godot/heaps.io etc - and they probably aren't as
| good as windows. But it's a little tricky to know exactly
| what you mean.
|
| > When my Asus Netbook dies (1215B with XUbuntu), the
| next UNIX travel laptop will be an Air.
|
| > So you can spare the talk about how much GNU/Linux has
| progressed, since I see it every time I take that netbook
| into use.
|
| If you're looking for a "windows desktop replacement",
| you should probably compare it to one of the "big"
| desktop projects - ie: Ubuntu standard desktop (not a
| spin, like xubuntu), Red Hat or SuSe.
|
| It's also not clear which version of xubuntu you're
| running - 20.04 lts?
|
| Personally I think 20.04 with Wayland and pipewire has
| made great strides as a "just works" Desktop - and I'm
| looking forward to the next lts (pipewire baked in,
| hopefully).
|
| That said, I doubt much will beat an m1 Mac in the near
| future, if you're happy with apple/macos.
| pjmlp wrote:
| Qt isn't an OS framework like Cocoa, or WPF/Win32.
|
| It is the best _cross-platform_ C++ GUI framework, but
| nothing specific to Linux per se.
|
| Thanks for educating me on Linux distributions, pity that
| I have been using them since 1995, and yes it is the LTS
| version, it tends to break less.
| gavinray wrote:
| > "which to this day still doesn't provide a proper
| experience to anyone that cares about graphics
| programming and usable UI/UX tooling."
|
| Genuinely curious what doesn't work in i.e. Ubuntu 21.04
| for you?
|
| Not one of those raving Linux zealots (don't really care
| that much about privacy), I've just had positive
| experiences on Linux -- not using it masochistically for
| ethical reasons, but because it worked very well for me.
|
| So I would be interested in hearing the other side of the
| coin, since you've been around the block a time or two.
| blep-arsh wrote:
| I'm not the person you were replying to, but here's the
| straw that broke this multilingual camel's back: unless
| Gnome is running under Wayland, switching the keyboard
| layout steals the input focus away from the foreground
| window briefly, causing focus-loss event handlers to
| fire. This might seem an easily fixable minor issue but
| it's actually a decade-old hairball which significantly
| harms the experience and can't be fixed cleanly under X.
| e12e wrote:
| Isn't Wayland standard in 21.04? So it's already fixed?
|
| Ed:
|
| > it's actually a decade-old hairball which significantly
| harms the experience and can't be fixed cleanly under X.
|
| This is _literally_ the whole argument for Wayland -
| things that can't be fixed under x11?
| blep-arsh wrote:
| I didn't notice Wayland becoming the default, tbh. Thanks
| for mentioning this. As for the specific bug, it was
| introduced by the implementation of a non-essential
| feature (the language switch HUD) which was then left in
| place, likely because the Wayland transition was juuust
| around the corner. While Wayland does address many
| architectural issues, I don't think X users should deal
| with regressions caused by Wayland-optimized features
| just yet (and definitely not 8 or so years ago).
| yyyk wrote:
| I don't recall this ever happening to me in KDE under X,
| at least not in a way I've noticed.
| blep-arsh wrote:
| It's a Gnome-specific thing
| Shorel wrote:
| VMWare vs Native Linux running last Gnome is a very, very
| different experience in my laptop.
|
| VMWare is crippled performance wise, doesn't detect
| autorotate, and using it in full-screen requires me to
| resize the VMWare window every time I reboot the VM.
|
| VMWare also doesn't detect all the buttons in my mouse.
| pjmlp wrote:
| My first Linux distribution was Slackware 2.0 bought in
| 1995's Summer, and have used VMware since 2010, so all
| anecdotes.
| broodbucket wrote:
| Have you ever considered that there's a huge amount of
| users that don't care about "graphics programming and
| usable UI/UX tooling"? Maybe Linux on the desktop doesn't
| suit your individual needs, but you seem awfully
| combative about it on the basis of your specific niche.
| AnIdiotOnTheNet wrote:
| Some Linux Desktop users are loudly combative about how
| great Linux Desktop is and seem to consider it some kind
| of failing if someone else doesn't agree. It's always "you
| chose the wrong distro!"[0] or "you have to be more picky
| with hardware!"[1], or even "it works for me, so you must
| be _lying_!". I imagine decades of experience with that
| person on internet forums is what has shaped parent's
| combativeness.
|
| [0] for literally any distro choice
|
| [1] even when it isn't a hardware problem
| jenscow wrote:
| > It's always "you chose the wrong distro!"
|
| I know what you mean, but in this instance the complaint
| is poor UI/graphics while the distro in question is using
| a very cut-down desktop environment (running in a VM).
| gavinray wrote:
| > "Maybe Linux on the desktop doesn't suit your
| individual needs, but you seem awfully combative about it
| on the basis of your specific niche."
|
| I see your point. Devils advocate: we're each the center
| of our own universe, so whatever it is we find important
| is the marker for usability for us.
|
| Ideally an OS should have tools for everything. Though
| I'm not certain if "Graphics Programming" means like GUI
| in C++ (pjmlp often talks about C++ Builder and C++/CX,
| so I believe he means that kind) or programming GPU's via
| CUDA. I don't think it's the second one -- Linux is much
| easier for GPU stuff (i.e. most ML projects/tutorials are
| only set up for Ubuntu) than Win.
|
| I imagine the argument stems from a lack of Visual Studio
| equivalent on Linux. It looks like the only version that
| runs properly on Linux is VS 2005 -- LOL!
|
| https://appdb.winehq.org/objectManager.php?iId=892&sClass
| =ap...
|
| If you work with some of the Visual Studio specific
| tooling around things like XAML or C++/CLI etc, yeah
| there's absolutely no substitute.
|
| It's like Sketch on Mac (god I hate that company for
| being Mac-only) or Xcode. You're SOL, better buy a Mac.
|
| Lettuce pray for the day WINE is good enough to run
| Visual Studio.
| pjmlp wrote:
| Yep, pretty much it.
| broodbucket wrote:
| VS on Linux would indeed be great. I had to make a Win10
| VM the other day to compile a C# WinForms project that I
| could run fine in Wine but couldn't modify. Similar deal
| with reverse engineering, Cheat Engine runs surprisingly
| well in Wine but none of the Mono stuff works.
|
| I do think it's a little reductive to discuss Linux
| struggling with things like Visual Studio that are only
| relevant because Windows is relevant, but that is our
| unfortunate reality.
| patrec wrote:
| > Have you ever considered that there's a huge amount of
| users that don't care about "graphics programming and
| usable UI/UX tooling"?
|
| Have you ever considered that this "huge amount of users"
| might not care about graphics programming or usable UI/UX
| tooling, but that >99% of them sure care about either
| graphics (games, photos, video, digital painting, ...) or
| usable UIs and UX?
|
| I'm using Linux all the time, and it's quite amazing how
| terrible anything Desktop related is. Who is going to fix
| that if the state of graphics and UI/UX tooling is so
| poor that it either drives away or stymies all the people
| with relevant skills to drive some improvements?
| broodbucket wrote:
| I'm not saying those things aren't important, but they
| don't warrant the outright dismissal that I was replying
| to.
|
| Linux has an obvious lack of contribution from designers,
| designers are employed for products, noone is making
| money selling desktop Linux as a product. Also, most
| designers aren't tinkering with open source software
| alternatives in their free time like developers do.
|
| I also feel like I'm missing something because my
| experience on desktop Linux is way better than anything
| I've ever had on Windows or Mac, meanwhile everyone's
| saying it's unusable. Can't be easy for the handful of
| people working on desktop environments and the like.
| blep-arsh wrote:
| Honestly, I think the entire situation where we have
| multiple DEs/toolkits/video drivers/window managers/input
| methods is unmaintainable. It would be likely
| unmaintainable even for a well-funded corporation.
| broodbucket wrote:
| If there was a well-funded corporation, they would
| naturally focus on their stack of choice. I think that's
| what Red Hat does, focusing most of their desktop stuff
| on GNOME.
| [deleted]
| peteri wrote:
| There are several reasons for Windows popularity today:
|
| Active Directory - The centralised control it gives
| corporates.
|
| Games and DirectX - Although this seems to be getting to be
| less of a reason.
|
| Backwards compatibility - Windows 16 bit apps are now dead,
| but you can take the VB6 code I wrote pre-Y2K and run it
| today.
|
| Linux fragmentation - It's difficult to support all the
| Linux variations with a single binary (or at least it feels
| that way to me). I suspect it has a very high support cost.
| Related to this is the GPL and its potential to force
| release of source code.
| Krasnol wrote:
| There is also one reason many here don't see:
|
| you don't have to bother with the console. Everything can
| be installed and run with a mouse.
|
| Don't take me wrong. I understand the good sides of
| console programs. You can do a lot there but your average
| user doesn't care.
| Dylan16807 wrote:
| I've definitely had to use a windows console on occasion,
| and regedit which is at a similar level or worse.
| jenscow wrote:
| Honestly, the only examples I can think of which support
| your claim are development related tools/libraries.
| dotancohen wrote:
| What popular end-user software cannot be installed and
| run with a mouse in e.g. Ubuntu?
| Krasnol wrote:
| The fact that you had to narrow it down to some arbitrary
| "popular" category to not touch the topic speaks for
| itself.
| dotancohen wrote:
| Alright then, what unpopular end-user software cannot be
| installed and run with a mouse in e.g. Ubuntu?
| addicted wrote:
| I'm also struggling to understand why it would be
| difficult to create a mouse driven GUI for any CLI based
| app.
|
| In fact, there are apps that can do that automatically.
| Admittedly these apps tend to create not very good UIs,
| but the point is that it's not hard at all.
| [deleted]
| Silhouette wrote:
| Not long ago I upgraded an Ubuntu system to 21.04. It
| took me more than half an hour of looking around to
| realise that the "Ubuntu Software" screen everyone was
| referring to _was a separate application that wasn't
| installed by default_. Then I could look up the CLI
| command to install it via apt.
|
| That sort of thing would be a small (though very
| irritating) waste of time for many of us on HN but it
| could have been a showstopper for other potential Ubuntu
| users who aren't technically inclined and just want a
| system that works.
|
| Unfortunately in my experience that still sums up desktop
| Linux in a nutshell. You probably _can_ fix just about
| anything if you know what you're doing. If you do, you
| get the benefits that come with running Linux, including
| avoiding the kind of controlling behaviours we see from
| Microsoft and Apple in their desktop platforms these
| days. But the reality is that most normal people won't
| know what they're doing to that degree and so can't fix
| the problems.
|
| So continues the cycle where "normal people" don't use
| Linux and so there is no big market for commercial
| applications and so most commercial applications don't
| run on Linux and so "normal people" don't use Linux.
| yarosv wrote:
| Is synaptic not a thing anymore? I haven't used linux in
| a number of years.
| Silhouette wrote:
| Synaptic still works fine but it also needs explicitly
| installing and it is aimed at more technical "power
| users" and so solves a slightly different problem.
| dotancohen wrote:
| The "Ubuntu Software" screen should be installed by
| default.
|
| > Ubuntu Software Center is a one-stop shop for installing
| and removing software on your computer. It is included in
| Ubuntu 9.10 and later.
|
| - https://help.ubuntu.com/community/UbuntuSoftwareCenter
| Silhouette wrote:
| _The "Ubuntu Software" screen should be installed by
| default._
|
| "Should" being the operative word unfortunately. It
| clearly wasn't installed by default for this machine that
| had been upgraded through earlier versions (starting
| around 16 I think so well after 9.10), nor was there any
| obvious indication to the user that it was missing and
| available to be added.
|
| There were some other oddities after that upgrade, for
| example Firefox no longer appearing for one-click
| launching from the default UI layout when it had before,
| so the lack of Ubuntu Software (and, apparently, its
| underlying apt package) wasn't the only anomaly. It just
| wasn't a polished experience that a non-technical user
| should have to deal with.
| huhtenberg wrote:
| It obviously won't end Windows. Nor will it actually make
| any sizeable dent in Windows marketshare. That's a pipe
| dream.
|
| Vast majority of people use Windows because _it comes
| preinstalled_. And it comes preinstalled for business
| reasons that are _very_ hard to counter or reverse.
|
| The only way to weaken Windows is through legislative
| measures and that ain't likely to happen.
| Arisaka1 wrote:
| The thing is, vendors will only invest resources required
| to make Linux builds if there's a market that justifies the
| investment. The only pressure companies can feel is the
| pressure that comes from the promise of making more money.
| gavinray wrote:
| Bingo.
|
| Switched from 10 years of Debian-based linux (mostly
| Ubuntu, recently Pop_OS) to Windows because of some MIDI
| driver thing I could not get to install in WINE.
|
| I have had a significantly less pleasant time on both Win10
| and Win11, and it's slow as hell. Ubuntu/Ubuntu-derivatives
| with Regolith as a DE + Tiling WM is the best computing
| experience I've ever had
|
| (Disclaimer: Have never used a Mac. Have been told OS X is
| better than Linux by people who have used both for a long
| time.)
|
| https://regolith-linux.org/
|
| The ironic thing is that, I later had a passing convo with
| a developer of a DAW, who told me that MIDI driver stuff is
| usually for running specific software from the vendor and
| that MIDI is universal over USB.
|
| So I never even needed to switch in the first place! I was
| just too hardware-stupid to know this!
|
| Oh man it hurts my soul.
|
| I could switch back but it takes a whole weekend to
| properly backup + wipe and setup a machine. I think I am
| going to go back to Pop_OS or Ubuntu though.
| timellis-smith wrote:
| I have a core i5 mini computer which I spin up every
| couple of months and it always amazes me that for the
| first 20 minutes or so the CPU runs at 100% while windows
| checks for updates (obviously this wouldn't happen if I
| ran it daily, but still Linux never does this)
| swiley wrote:
| > slow as hell
|
| It's surprising how poorly Windows performs. Many people
| who don't use it may have not noticed how bad it's gotten
| in the last 5 years.
| nicolas_t wrote:
| > (Disclaimer: Have never used a Mac. Have been told OS X
| is better than Linux by people who have used both for a
| long time.)
|
| As someone who used both for a long time, I would agree
| 2-3 years ago, now though I'd say I prefer Linux. I do
| really love the new m1 macs in term of temperature
| control and performance though.
|
| The advantage of Linux is that when it doesn't work it's
| much easier to diagnose and fix by yourself, that didn't
| use to be a problem on macs because Apple's QA was much
| better and they were pretty stable (if you skipped the
| first 3-4 months of a new OS release) but nowadays, it's
| a lot less stable, my mac cannot even go to deep sleep
| properly (which ironically used to be a major pain on
| linux) and it's just a black box that's hard to diagnose
| but doesn't work well enough to justify it being a black
| box. And for the mac, I used to use things like SIMBL to
| modify the system exactly how I liked it but all of that
| has been slowly removed by Apple. Now I just want the
| flexibility of Linux.
| timellis-smith wrote:
| I'm due for an upgrade of laptop at work and have an
| option of Mac Pro and XPS running Linux. Despite all the
| goodness of the M1, I still think I prefer working in a
| Linux environment to Mac (probably going to choose pop os
| for its tiling)
| gavinray wrote:
| > "I would agree 2-3 years ago, now though I'd say I
| prefer Linux"
|
| This is an interesting anecdote. Do you have anything in
| particular that makes you think this, or is it an overall
| shift in feel? Also curious to hear which distro you use
|
| Call me a heretic, but I am jealous of the M1
| performance-for-price being outside the Apple ecosystem
| and have thought to buy an M1 laptop and wipe it + put
| Asahi Linux on it hahaha
| nicolas_t wrote:
| I mostly use Arch Linux. Used to use Gentoo for years
| before that. Mostly it's the continuous QA problem I've
| been getting (my mba not going to deep sleep is a big
| one), the dumbing down of the OS X interface and the fact
| that I can no longer easily use tools like SIMBL to
| extend applications.
|
| It's a bit the straw that broke the camel's back. As time
| went on, little things became more and more aggravating.
|
| I'm eagerly watching Asahi Linux's progress :)
| dhdyychebr wrote:
| I can't bring myself to be sad when the outcome is a more
| secure os. If anything I want /less/ user power. Imagine a
| world where you can start a "private" chat and not even need to
| worry about screenshots. I'd love that personally. And what's
| the downside? I lose features that only matter to the cyber
| politicos?
| MikusR wrote:
| It started with Vista. Due to DRM you can't play your own
| videos. Only DRM protected ones.
| ChuckNorris89 wrote:
| How so? I could play all my pirated DVD rips just fine back
| then (DivX .avi), same how I can play pirated Bluray,
| Netflix, Amazon, etc. rips on Windows 10 and 11 (.mkv).
| huhtenberg wrote:
| I'm guessing GP is referring to the introduction of
| Protected Media Path stuff in Vista, which broke some
| existing video players. It didn't break non-DRM videos
| though.
|
| https://en.wikipedia.org/wiki/Protected_Media_Path
| MikusR wrote:
| Yes that didn't happen. It was FUD spread around back then.
| Like with TPM now.
| zigzag312 wrote:
| I find it interesting that, on one hand, they are
| implementing features "in the name of security" that limit
| what the owner of a computer can do with it, and on the
| other hand they are adding backdoors so that government
| agencies (or anyone with the right information) can spy on
| citizens that use this "secure" OS.
| ryanlol wrote:
| I will personally pay you twenty thousand US dollars (in the
| cryptocurrency of your choice, bank transfer, western union,
| whatever) if you can prove beyond reasonable doubt that
| Microsoft has ever secretly shipped a backdoor in their OS so
| government agencies could spy on their users.
|
| Perhaps you will be the first person to actually prove the
| existence of the NSAKEY backdoor? (I doubt it.)
| zigzag312 wrote:
| You might be right and there is no backdoor that was
| intentionally implemented. Although, numerous leaks do show
| that neither are always law-abiding saints, so a backdoor
| might not be too far fetched. From what I've heard (I may
| be wrong since I'm not from the US), a US company is not
| allowed to publicly disclose requests from the NSA, so
| proving it would be very difficult.
| ryanlol wrote:
| I strongly believe that there's just no point in
| backdooring Windows, this is complicated software with
| extremely large attack surface.
|
| We've seen the NSA's incredibly cool 0day exploits leak, we've
| seen some of their backdoors exposed, but so far there
| hasn't been anything indicating a desire to backdoor
| Windows itself.
| iforgotpassword wrote:
| Why would this even be necessary to prove? At least for me
| that's not required, NSA_KEY plus Snowden leaks are enough.
| Microsoft is known to have no problems cooperating with
| government requests, or how do you think they can operate
| all their services in China?
|
| Any hard evidence for such a backdoor wouldn't really
| change anything towards Microsoft for me.
| ryanlol wrote:
| If you believe the public information regarding _NSAKEY
| to be evidence of a backdoor, I'm sorry, but you are an
| idiot.
| ptx wrote:
| They don't need a backdoor anymore. Microsoft now routinely
| collects your data and pushes mandatory updates through the
| front door.
| zepolen wrote:
| Is that $20,000 just for proof or also showing the method?
| ryanlol wrote:
| For example: I'd be very curious to learn about the
| actual mechanism by which the supposed "_NSAKEY backdoor"
| would work. I'm not interested in the private key if
| that's what you mean by method :)
|
| AFAICT it doesn't, you can't hit those code paths unless
| you already have access to the machine.
|
| (This is a pretty unfair example though, _NSAKEY is the
| "Bush did 9/11" of backdoors.)
| [deleted]
| [deleted]
| DeathArrow wrote:
| What about this old NSA backdoor?
| https://en.wikipedia.org/wiki/Dual_EC_DRBG
|
| If MS or Apple or Google or some hardware makers or some
| communication equipment makers have some backdoors for NSA,
| why would you think they would do such a poor job that
| anyone can pay $20k to prove it?
| tata71 wrote:
| Who needs a backdoor when you can just exploit the print
| spooler from 1999???
| DeathArrow wrote:
| >Mark my words - Windows 12 will severely impede direct
| installation even of an user-space software, funnelling
| everyone to go through the store. That's the end goal and we
| will all be there in a couple of years, whether we want it or
| not.
|
| This would be stupid. People use Windows because it's usable
| and because they can use software they want. But forcing
| users and developers to go through an app store won't be
| taken lightly by users or by developers.
|
| If Adobe and Autodesk were to sense something like this is
| planned, they would start porting their software to Linux.
| Microsoft doesn't have a chance to lock their system down. What
| would be the next step? Use Windows only on MS hardware? They
| can't pull an Apple and I think they've realized it.
| anonymousab wrote:
| > People use Windows because it's usable and because they can
| use software they want
|
| Most people already use computers that, by default, only
| allow them to install signed software through app stores. For
| perhaps a majority of them, that's their primary or only
| computer.
| shin_lao wrote:
| It can be installed without a TPM chip. My computer does not
| have a TPM and they say it will soon be eligible for Windows
| 11. If you can't wait, you can do a full install using an ISO
| image.
| vetinari wrote:
| You can't install W11, not even from ISO, if your computer
| doesn't meet all the requirements (yes, I tried).
| DeathArrow wrote:
| There are some remastered ISOs floating around.
| nix23 wrote:
| It's absolutely fascinating that an open OS like windows (not
| open as opensource, but open to run every program) takes that
| route.
|
| Microsoft really thinks they can compete with platforms like
| android or iOS, i have to say: Thank you Microsoft!! You
| accelerate the downfall of Windows! No one will need you in the
| future, Adobe on M1(Apple), Development on Linux, Gaming on
| Linux, Workstations Linux maybe some Apple.
| FDSGSG wrote:
| Weird nerds like you that care about "open platforms" at the
| cost of security are a tiny minority. This will do nothing to
| accelerate the downfall of Windows.
| can16358p wrote:
| Yeah my thoughts!
|
| But on the other hand people also use Windows because its the
| default that comes with their new computer. (Not talking
| about HN community, talking about regular Joe) As long as
| Microsoft keeps lobbying OEMs to include Windows and there's
| no good alternative (looking at you, non-tech-savvy user-
| friendly Linux distros and major software vendors like Adobe,
| Autodesk etc), they will just stay locked into using Windows.
|
| I'd love to see an alternative world where everything has an
| equivalent open-source software that people can switch to,
| but let's get facts right, much open-source software is
| inferior to its counterparts (especially in the
| design/photography world against Adobe).
| nix23 wrote:
| >But on the other hand people also use Windows because its
| the default that comes with their new computer.
|
| True, but if Windows cannot run the application regular Joe
| wants, people will just switch to Chrome OS or Apple or
| Linux (wine?). Sometimes regular Joes use more exotic
| software than we can imagine, and they choose Windows
| because it has run on it for 25 years. Just some examples I
| have seen:
|
| -VisualBasic 6 (for model train automation)
|
| -A 20yo siemens software for relay automation
|
| -A ~25yo CNC machine (Windows software to convert CAM to
| N-language (self-written postprocessor again in VB6))
|
| And much much more
| formerly_proven wrote:
| I've run a lot of these weird 90s-looking "The OEM did a
| thing" applications on wine, most work pretty flawlessly.
| Even a few that talked to hardware (over serial, though).
|
| However I don't think you can expect to run e.g. a
| machine controller on another OS.
| kaetemi wrote:
| Wine is pretty bad for any serious creative software.
| Tablet pressure support has been broken for an eternity.
| Alt+mouse combos don't work correctly. There's patches,
| but they keep getting ignored and broken by whatever else
| is supposedly more important. I went back to Windows,
| because Wine's broken contribution process was a waste of
| time.
| nix23 wrote:
| Well it's not a controller, it's a post-processor that
| converts and sends the specific N-Code to the CNC
| (Heidenhain "OS") (serial or IR)...CNC then executes the
| stored code.
| can16358p wrote:
| It's kind of a chicken-egg problem there too: Windows is
| the most ubiquitous OS when it comes to "computers" as
| the society knows, and more software gets written for it,
| and because of it, OEMs would prefer it even if MS
| doesn't push them anymore.
|
| Not sure about the solution.
| commoner wrote:
| > I'd love to see an alternative world where everything has
| an equivalent open-source software that people can switch
| to
|
| Keep in mind that software doesn't need to be open source
| to run on Linux. Developers can still support the Linux
| ecosystem by creating/porting proprietary software for
| Linux, and users will consider it when they choose an OS.
|
| Examples of proprietary Linux software that is used
| professionally:
|
| - DaVinci Resolve (video editing suite):
| https://www.blackmagicdesign.com/products/davinciresolve/
|
| - Bitwig Studio (digital audio workstation):
| https://www.bitwig.com/overview/
|
| - JetBrains Rider (IDE for .NET):
| https://www.jetbrains.com/rider/
| watermelon0 wrote:
| Huh? Android, iOS, and macOS have their own versions of TPM,
| Microsoft is just late to the game, and it's slowly catching
| up.
|
| Out of the bunch, Microsoft is the only one that even allows
| custom kernel drivers, since Apple deprecated them with macOS
| Big Sur, and iOS/Android never really allowed them.
| nix23 wrote:
| I don't say Android or iOS is more open...quite the
| opposite.
|
| >Microsoft is just late to the game, and it's slowly
| catching up.
|
| Why do you think people want yet another platform, but in
| the Microsoft-verse? You choose Windows because it's open
| and you can run ~every application on it. There is no
| catching up by closing down your hardware framework (aka
| OS).
| watermelon0 wrote:
| I assume the majority of people want a secure platform where
| they can run apps/games, without worrying about
| ransomware and malware.
|
| For those few that want to test things or run custom
| drivers, they can still disable driver signature
| enforcement, but some features/apps might be unavailable
| in this mode.
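Added example (the editor's, not code from the thread, from Microsoft or from the Process Hacker project): a PowerShell script that checks the two things the comment above touches on. First, whether Driver Signature Enforcement on this machine has been weakened (test signing or integrity checks switched off in the boot configuration, and whether Secure Boot is on, which is what refuses test-signed drivers regardless); second, which currently running kernel-mode drivers do not carry a signature that verifies. It assumes the usual forms of `Win32_SystemDriver.PathName` and must be run from an elevated PowerShell prompt on Windows 10 or later (where `Get-AuthenticodeSignature` also consults the system catalogs, so catalog-signed inbox drivers report `Valid`).

```powershell
# Added example, not code from the thread or from Process Hacker.
# Run from an elevated PowerShell prompt on Windows 10/11.

function Get-DriverEnforcementState {
    # Boot settings that weaken Driver Signature Enforcement. On a default
    # install neither 'testsigning' nor 'nointegritychecks' appears in the
    # output; they show up as '... Yes' once set with 'bcdedit /set'.
    $bcd = bcdedit /enum '{current}'

    # Secure Boot refuses unsigned and test-signed drivers regardless of the
    # flags above. The cmdlet throws on legacy BIOS machines.
    try { $secureBoot = Confirm-SecureBootUEFI -ErrorAction Stop }
    catch { $secureBoot = 'unknown (legacy BIOS or not supported)' }

    [pscustomobject]@{
        TestSigning       = [bool]($bcd | Select-String -Pattern 'testsigning\s+Yes' -Quiet)
        NoIntegrityChecks = [bool]($bcd | Select-String -Pattern 'nointegritychecks\s+Yes' -Quiet)
        SecureBoot        = $secureBoot
    }
}

function Convert-DriverPath([string]$PathName) {
    # Win32_SystemDriver.PathName comes in several shapes (assumption based
    # on what the class normally reports):
    #   \??\C:\Windows\system32\drivers\foo.sys
    #   \SystemRoot\system32\drivers\foo.sys
    #   system32\drivers\foo.sys   (relative to the Windows directory)
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-UnsignedRunningDrivers {
    # Every running kernel-mode driver whose Authenticode signature does not
    # verify. With enforcement on, such a driver would have been refused at
    # load time, so anything listed here is worth a closer look.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            $path = Convert-DriverPath $_.PathName
            if (-not (Test-Path -LiteralPath $path)) { return }
            $sig = Get-AuthenticodeSignature -FilePath $path
            [pscustomobject]@{
                Driver = $_.Name
                Status = $sig.Status          # Valid, NotSigned, NotTrusted, HashMismatch, ...
                Signer = $sig.SignerCertificate.Subject
                Path   = $path
            }
        } |
        Where-Object { $_.Status -ne 'Valid' }
}

Get-DriverEnforcementState | Format-List
Get-UnsignedRunningDrivers | Format-Table -AutoSize
```

If `TestSigning` or `NoIntegrityChecks` comes back `True` on a machine you did not set up for driver development, treat it as a finding: both settings are exactly what malware that ships its own driver needs, and both survive reboots until reverted with `bcdedit /set '{current}' testsigning off` (or `nointegritychecks off`).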
| DeathArrow wrote:
| >Just like what Apple has with its AppStore and its wonderful,
| wonderful 30% commission.
|
| At least Google is planning to lower their 30% commission for a
| bit.
| jeroenhd wrote:
| Microsoft is doing its absolute best to move everyone to the
| Windows store by packaging the new apps everyone should be
| making into weird formats such as appx and msix which can't or
| previously couldn't be easily installed without command line
| funkiness. Luckily, Microsoft's own incompetence is preventing
| this plan from working.
|
| There's another part to the exclusion of old hardware, which is
| that modern chips are a lot more resilient against crashes
| according to the telemetry Microsoft collects. The same is true
| for secure boot and other security lockdowns every Linux user
| disables. You could make the argument that this means that
| Microsoft is failing to provide stability for this older
| hardware, but it doesn't necessarily mean that it makes
| business sense for MS to put money and resources towards
| resolving the issue. Not making Windows 11 available on old
| chips doesn't hurt sales, helps them boast with great stability
| and security statistics and barely makes a dent in their
| reputation. Most people with a negative opinion of the company
| here were hating on Microsoft long before Windows 11 was even
| announced.
|
| The TPM story makes sense from a Windows Hello standpoint. I
| don't think there's any doubt that the hardware trust system is
| more secure than the previous system. However, that trust is
| completely useless because Microsoft STILL doesn't enable
| Bitlocker unless you pay extra. It's current_year and Microsoft
| still hasn't brought data security to the masses. This is an
| area where proper use of the TPM can benefit users
| massively.
|
| Linux is having the exact opposite problem, I want to use my
| TPM and secure boot to leverage the hardware security built
| into my devices but it's as if every part of the Linux boot
| chain has implemented some kind of limitation to make the
| process difficult. Bitlocker works great, and I want it on
| Linux too, but nobody writing code for the Linux ecosystem
| seems to share my preferences here.
| andrekandre wrote:
| > modern chips are a lot more resilient against crashes
|
| sorry for a basic question, but I'm not sure how a chip itself
| is more resistant to a crash (in the OS? user space?)...
| jeroenhd wrote:
| I don't know the cause, this is based on the numbers they
| reported to defend their decision to exclude older chips.
|
| I think it has something to do with the modern instruction
| sets being kinder to the kernel and the fact that on
| computers with recent processors certain processor features
| are enabled in the UEFI config by default more often, but I
| couldn't tell you which features that would be. My hunch is
| that it has to do with stuff like virtualisation based
| security and the like?
| depressedpanda wrote:
| > I don't know the cause, this is based on the numbers
| they reported to defend their decision to exclude older
| chips.
|
| Why would you present Microsoft PR as fact?
| abcd_f wrote:
| This is grade A bullshit, with a strong smell of
| marketing spin to it.
|
| If a program crashes on an older CPU, it damn sure will
| crash on a modern CPU just as well.
| cesarb wrote:
| > If a program crashes on an older CPU, it damn sure will
| crash on a modern CPU just as well.
|
| Not necessarily; if the crash is caused by an instruction
| that's absent on older CPUs (for instance, trying to use
| an AVX2 instruction when the most the CPU has is SSE2),
| it will work on a modern CPU but crash on an older CPU.
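The mechanism cesarb describes, as an added example (mine, not code from the thread or from Microsoft): an AVX2 instruction executed on a CPU that only has SSE2 raises an invalid-opcode fault, which the OS delivers to the process as SIGILL, so the program "crashes" only on the older chip. The fix is runtime dispatch: ask CPUID whether the feature exists before ever executing it. `__builtin_cpu_supports()` is a real GCC/Clang builtin backed by CPUID; the function names and the constructed input are my own.

```c
/* Added example: runtime CPU feature detection so a program never executes
 * an instruction the CPU lacks. Only sum_bytes_avx2() is compiled with AVX2
 * enabled (via a per-function target attribute), so the rest of the binary
 * still runs on older CPUs; the dispatcher decides at run time. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#if defined(__x86_64__) || defined(__i386__)
#include <immintrin.h>
#define HAVE_X86 1
#else
#define HAVE_X86 0
#endif

/* Baseline path: runs on any CPU the compiler's default target allows. */
uint32_t sum_bytes_scalar(const uint8_t *p, size_t n)
{
    uint32_t s = 0;
    for (size_t i = 0; i < n; i++)
        s += p[i];
    return s;
}

#if HAVE_X86
/* AVX2 path. Must not be called unless cpu_has_avx2() returned nonzero;
 * on an SSE2-only CPU the first vector instruction here faults (#UD). */
__attribute__((target("avx2")))
uint32_t sum_bytes_avx2(const uint8_t *p, size_t n)
{
    const __m256i zero = _mm256_setzero_si256();
    __m256i acc = zero;
    size_t i = 0;
    for (; i + 32 <= n; i += 32) {
        __m256i v = _mm256_loadu_si256((const __m256i *)(p + i));
        /* sum of |byte - 0| over each 8-byte group, as four 64-bit lanes */
        acc = _mm256_add_epi64(acc, _mm256_sad_epu8(v, zero));
    }
    uint64_t lanes[4];
    _mm256_storeu_si256((__m256i *)lanes, acc);
    uint32_t s = (uint32_t)(lanes[0] + lanes[1] + lanes[2] + lanes[3]);
    for (; i < n; i++)          /* tail that did not fill a 32-byte vector */
        s += p[i];
    return s;
}
#endif

/* Ask the CPU via CPUID whether AVX2 is usable (GCC/Clang builtin). */
int cpu_has_avx2(void)
{
#if HAVE_X86
    __builtin_cpu_init();
    return __builtin_cpu_supports("avx2");
#else
    return 0;
#endif
}

/* Dispatcher: the single entry point callers use; it never selects a path
 * the current CPU cannot execute. */
uint32_t sum_bytes(const uint8_t *p, size_t n)
{
#if HAVE_X86
    if (cpu_has_avx2())
        return sum_bytes_avx2(p, n);
#endif
    return sum_bytes_scalar(p, n);
}

/* Constructed input: bytes 0,1,2,... wrapping at 256; returns the dispatched sum. */
uint32_t demo_sum(size_t n)
{
    uint8_t buf[4096];
    if (n > sizeof buf)
        n = sizeof buf;
    for (size_t i = 0; i < n; i++)
        buf[i] = (uint8_t)i;
    return sum_bytes(buf, n);
}

int main(void)
{
    printf("avx2=%d sum(1000)=%u\n", cpu_has_avx2() != 0, demo_sum(1000));
    return 0;
}
```

Build it without `-mavx2` on the command line; that is the point: the global target stays at baseline x86-64 and only the one function carries AVX2 code, so the same binary works on both kinds of machine and picks the fast path where it is safe.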
| ls65536 wrote:
| > modern chips are a lot more resilient against crashes
| according to the telemetry Microsoft collects
|
| Sort of a side point, but this got me wondering...Is there
| something inherently less stable about these older chips, or
| maybe is their stability somehow a function of their lifetime
| that would really matter here? My own anecdata (which is from
| a far smaller dataset than what I imagine Microsoft would
| have access to) would suggest that this isn't really the
| case, at least for anything otherwise capable of running
| something like Windows 10 or Windows 11, but I'd be
| interested in reading more about it.
|
| Is it that old systems tend to not be physically maintained
| as well thus resulting in cooling issues and more
| overheating?
|
| Is it that these "crashes" are application crashes due to the
| attempted execution of instructions in (newer) x86 extensions
| not implemented by these (older) chips?
| jeroenhd wrote:
| Those are all valid questions and I think they do make
| Microsoft's defence a lot less credible. I believe there
| are some improvements, like speeding up certain commonly
| used instructions, the hardware SPECTRE etc. defences and
| better security features, but I don't think those will
| impact stability that much.
|
| Whether it's because only newer chips without wear and tear
| come out on top in these statistics or because there's
| something in the hardware itself, the perception that
| Windows 11 is more stable is something Microsoft can
| market. Dropping chips that lack certain instructions also
| make their support and testing workload lighter. In the
| end, the quality and range of support Microsoft provide for
| their operating system depends on how much money they can
| make off their sales. If their losses from the move are
| lower than the cost of supporting older hardware, it's a
| decent business decision to do the unpopular thing and drop
| support. It's a private company, after all, focused on
| making their shareholders money.
| croutonwagon wrote:
| TPM, at least older versions (<1.2), were still subject to
| physical key exfil attacks [1] because the chip's
| communications with other parts of the board were done in the
| clear.
|
| So it was/is recommended to use a PIN/key and/or recovery key
| to ensure the security of the data. Unless your only threat
| model was to protect against common thievery and assume the
| attacker had no technical prowess (and that's perfectly fine, I
| do this for my company). Not to mention they were kinda used
| as a warrant canary for TrueCrypt [2]. There were suspicions
| that nation states may have hardware bypasses worked out.
|
| Later there were implementations of hardware encryption found
| to be vulnerable. So even now BitLocker does everything in
| software by default. [3]
|
| So I understand why FOSS devs would rely more on standard
| practice (shared keys) with LUKS and not embrace hardware
| enclave options like TPM. They haven't been the most reliable
| over the long term and are harder to patch/fix.
|
| [1] https://pulsesecurity.co.nz/articles/TPM-sniffing
|
| [2] https://threatpost.com/of-truecrypt-and-warrant-
| canaries/106...
|
| [3] https://www.technadu.com/bitlocker-to-use-software-
| encryptio...
| jeroenhd wrote:
| Bitlocker still uses the TPM on modern installs. Hardware
| encryption on SSDs and similar aren't used anymore, but
| those aren't directly related.
|
| Bitlocker is still vulnerable to key exfiltration attacks
| because it's not using any encrypted communication
| protocols that exist in the TPM standard, but that can be
| (and should be!) fixed.
|
| In the end, I use encryption to make sure nobody can just
| plug in a flash drive and copy all my personal files and
| passwords off my laptop. If they have the time and tools to
| exfiltrate the security key through the SPI bus, they
| probably have the means to install a hardware key logger in
| my keyboard as well. The attacks against TPMs are out of
| scope for my threat model and honestly they probably should
| be for anyone but businesses carrying secrets as well.
|
| If the United States or China wanted my passwords that
| badly, they'd probably just drug me or hit me until I hand
| them over. Defending against such adversaries requires more
| than just encryption, you'd need to use something like
| Qubes and alter your entire lifestyle to be secure.
|
| What I want is to have a Linux system where I can turn it
| on without a password and have a good reason to believe
| that my files weren't compromised by the maid and that the
| OS didn't get keylogged. That requires several parts
| working together.
|
| Getting secure boot to work is easy enough these days, but
| once you get through secure boot you're in for a challenge.
| I don't know of any stable bootloaders that don't allow you
| to edit the init binary to /bin/bash to give you a root
| shell from the menu, which is a requirement for the ease of
| use Windows provides. I also don't know if it's even
| possible to get a chain of trust from initramfs back to the
| hardware like Windows allows for. The *BSDs seem to be
| doing some kind of checksumming, but I don't know how far
| Linux is along with this.
|
| In my ideal world, you get prompted on how to encrypt your
| Linux system upon install. "Disabled", "Automatic" or
| "Secure", with a note that "secure" is probably what you
| want if you can't pick but you have to provide a password
| at boot. I'd also like for popular distros to switch to
| full disk encryption because the unencrypted boot partition
| defeats half the point without secure boot and custom keys
| (which nobody actually uses).
|
| Microsoft proves that this can be done, although their
| default allows for booting without a password a bit too
| easily. If you buy Windows with a Pro key, they'll encrypt
| your system in place with the click of a button. Everyone
| can set it up, and in many cases it's even the default.
| This is a basic usability security feature that Linux just
| can't compete with, and in my opinion that's a shame.
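The sniffing risk croutonwagon cites [1] and the session-encryption point jeroenhd makes above, as an added worked model (mine, not code from the thread, from BitLocker, or from any TPM library). An unseal whose response travels unencrypted hands the sealed key to anyone with a logic analyser on the bus; the same unseal inside a salted session with parameter encryption, which TPM 2.0 does define, leaves only ciphertext on the wire. Assumptions, all labelled in the code: SHA-256 as the hash, the TPM's storage key modelled as a Diffie-Hellman key over a tiny 127-bit prime (not secure, just readable), a counter-mode HMAC KDF laid out the way I recall TPM 2.0's KDFa, and PCR policy reduced to a single digest. Every name and the sample "volume master key" are constructed.

```python
# Added toy model of TPM2_Unseal on an unencrypted vs. a salted+encrypted
# session, as seen by a passive bus sniffer. Not real TPM code; see lead-in.
import hashlib
import hmac
import os
import struct

HASH = hashlib.sha256
TOY_P = (1 << 127) - 1   # toy DH modulus (constructed; far too small for real use)
TOY_G = 5

def kdfa(key, label, ctx_u, ctx_v, nbytes):
    """Counter-mode HMAC KDF modelled on TPM 2.0 KDFa (layout assumed):
    HMAC(key, [i]32 || label || 0x00 || ctx_u || ctx_v || [bits]32)."""
    out, i = b"", 1
    while len(out) < nbytes:
        blk = struct.pack(">I", i) + label + b"\x00" + ctx_u + ctx_v + struct.pack(">I", nbytes * 8)
        out += hmac.new(key, blk, HASH).digest()
        i += 1
    return out[:nbytes]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class Bus(list):
    """Every frame crossing the SPI/LPC link; a logic analyser captures all of it."""
    def send(self, tag, data):
        self.append((tag, bytes(data)))
        return bytes(data)

class ToyTPM:
    """Seals a secret to a policy digest (stand-in for PCR state) and unseals it."""
    def __init__(self):
        self._priv = int.from_bytes(os.urandom(16), "big") % TOY_P
        self.pub = pow(TOY_G, self._priv, TOY_P)   # public half of the "storage key"
        self._sealed = {}
        self._session = None
    def seal(self, secret, policy_digest):
        handle = len(self._sealed) + 1
        self._sealed[handle] = (policy_digest, secret)
        return handle
    def start_session(self, host_pub, nonce_caller):
        """Salted session: the DH shared secret is the salt and never leaves the chip."""
        nonce_tpm = os.urandom(16)
        salt = pow(host_pub, self._priv, TOY_P).to_bytes(16, "big")
        self._session = (kdfa(salt, b"ATH", nonce_tpm, nonce_caller, 32), nonce_caller, nonce_tpm)
        return nonce_tpm
    def unseal(self, handle, policy_digest, encrypted=False):
        want, secret = self._sealed[handle]
        if not hmac.compare_digest(want, policy_digest):
            raise PermissionError("policy (PCR) mismatch: boot state changed")
        if not encrypted:
            return secret                                   # key leaves the chip in clear
        skey, nonce_caller, nonce_tpm = self._session
        mask = kdfa(skey, b"XOR", nonce_tpm, nonce_caller, len(secret))
        return xor(secret, mask)                            # only ciphertext hits the bus

def host_unseal_plain(tpm, bus, handle, pcr_digest):
    """Auto-unlock without session encryption, as seen on the wire."""
    bus.send("cmd", b"TPM2_Unseal" + pcr_digest)
    return bus.send("rsp", tpm.unseal(handle, pcr_digest))

def host_unseal_encrypted(tpm, bus, handle, pcr_digest):
    """Same unseal inside a salted session with response-parameter encryption."""
    eph = int.from_bytes(os.urandom(16), "big") % TOY_P
    host_pub = pow(TOY_G, eph, TOY_P)                       # crosses the bus; eph does not
    nonce_caller = os.urandom(16)
    bus.send("cmd", b"TPM2_StartAuthSession" + host_pub.to_bytes(16, "big") + nonce_caller)
    nonce_tpm = bus.send("rsp", tpm.start_session(host_pub, nonce_caller))
    bus.send("cmd", b"TPM2_Unseal" + pcr_digest)
    masked = bus.send("rsp", tpm.unseal(handle, pcr_digest, encrypted=True))
    salt = pow(tpm.pub, eph, TOY_P).to_bytes(16, "big")     # host derives the same salt
    skey = kdfa(salt, b"ATH", nonce_tpm, nonce_caller, 32)
    return xor(masked, kdfa(skey, b"XOR", nonce_tpm, nonce_caller, len(masked)))

def sniffer_finds(bus, secret):
    """Passive observer: does the secret appear verbatim in any captured frame?"""
    return any(secret in data for _, data in bus)

def demo():
    vmk = os.urandom(32)                                    # constructed volume master key
    good_pcr = HASH(b"expected measured boot state").digest()
    tpm = ToyTPM()
    handle = tpm.seal(vmk, good_pcr)
    bus_plain, bus_enc = Bus(), Bus()
    got_plain = host_unseal_plain(tpm, bus_plain, handle, good_pcr)
    got_enc = host_unseal_encrypted(tpm, bus_enc, handle, good_pcr)
    try:                                                    # tampered boot chain -> other digest
        host_unseal_plain(tpm, Bus(), handle, HASH(b"tampered bootloader").digest())
        refused = False
    except PermissionError:
        refused = True
    return {"plain_ok": got_plain == vmk, "plain_leaks": sniffer_finds(bus_plain, vmk),
            "enc_ok": got_enc == vmk, "enc_leaks": sniffer_finds(bus_enc, vmk),
            "tampered_boot_refused": refused}

if __name__ == "__main__":
    print(demo())
```

Two things the model makes visible that the prose does not: the policy check alone does nothing against a sniffer, because the attacker lets the genuine boot chain satisfy it and simply reads the response; and the salt is what makes the session key unobservable, since the host's public value and both nonces cross the bus but the DH exponents never do. A PIN, as croutonwagon notes, closes the gap differently, by withholding the unseal until a secret the bus never sees has been entered.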
| smoldesu wrote:
| Plus, many Linux users just outright distrust the NIST
| encryption employed by security subsystems. Why encrypt
| your drive with SHA-2 keys that might be backdoored when
| you could just as easily encrypt with Ed25519?
| fuzzfactor wrote:
| SecureBoot and UEFI were foisted to dampen continued viability
| of Windows XP and Windows 7, plus functioning as roadblocks to
| Linux booting and adoption as has been seen.
|
| It's been years but Linux remains much more badly sidelined
| compared to working under BIOS, rather than UEFI.
|
| TPM is to hasten the demise of Windows 8 & 10 and the hardware
| that dragged them in.
| pabs3 wrote:
| Someone recently got Windows 11 installed and working on a
| Pentium 4, so it doesn't seem that the restrictions are hard to
| bypass.
| heavyset_go wrote:
| > _ever wondered why Windows 11 can't be installed on "older
| computers"? You know, the ones that don't have a TPM chip?_
|
| > _Now you know. Windows 11 completes the lock-up of the OS._
|
| Stallman[1] and others[2] talked about exactly this 15+ years
| ago.
|
| [1] https://www.gnu.org/philosophy/can-you-trust.en.html
|
| [2] https://www.cl.cam.ac.uk/~rja14/tcpa-faq.html
| lupire wrote:
| 35 years ago.
| blame-troi wrote:
| Back to the Mac for me. Yeah, they have the walled garden
| problem too, but *nix environment for my development hobby is
| better there than I have on Windows 10. I'm not willing to go
| all the way to Linux for my main system since my wife has to be
| able to use it.
|
| Numerically developer desktops aren't significant, but
| mindshare is.
| IshKebab wrote:
| Apple are doing exactly the same thing. I'd even say they're
| slightly ahead of Microsoft on the storification of their
| desktop OS.
| fsflover wrote:
| > I'm not willing to go all the way to Linux for my main
| system since my wife has to be able to use it.
|
| What is the problem with using it? My non-technical relatives
| are quite happy with their Debian which I installed for them.
| sn_master wrote:
| Call me paranoid, but I am completely certain that TPM has a
| backdoor disguised as a very sophisticated bug for plausible
| deniability.
|
| I'll never trust BitLocker or anything that relies on TPM to
| encrypt any data I actually care about not being compromised
| (read: my very personal data, not work data).
| surajrmal wrote:
| You're in luck then! Everyone seems to be ditching TPMs in
| favor of their own security chip technology. Google has
| titan, Apple has T1/T2, and Microsoft now has Pluton. While
| the TPM is a well defined spec, I have no idea how fair.
| smoldesu wrote:
| I doubt it. A much more likely suspect is the Intel
| Management Engine, which unlike a TPM module, runs an entire
| operating system alongside your computer and hides its
| outgoing traffic as encrypted TLS data. Yikes.
|
| A much more likely explanation for TPM is that it can enforce
| weak and vulnerable cryptography at a hardware level. It's an
| open secret by this point that the NSA weakens elliptic
| keypairs to make them vulnerable to differential
| cryptanalysis. With TPM, software can now be forced to use
| hardware crypto, which is almost always weaker than the
| programmable software crypto we had before.
| watermelon0 wrote:
| Or maybe this is related to security, and Windows is the
| only widely used platform that didn't enforce TPM until
| recently?
|
| macOS is even more locked down, but they don't impede or force
| users to use Mac App Store.
| Wowfunhappy wrote:
| macOS still runs on Intel Macs without a T2 chip, if that's
| the TPM-equivalent you're thinking of.
| e12e wrote:
| > they don't impede or force users to use Mac App Store.
|
| They do for iOS, though? I'm not convinced we won't see
| something similar for desktop (possibly with an "opt-out" for
| power users, where you can manually sign and accept binaries
| - much like you can build a dev build of an ios app, but not
| distribute it).
| antman wrote:
| Of course they don't force anything because of the competing
| Windows platform, which is more open up to now. Apple assumed
| market dominance and locked everything down on mobile.
|
| What I infer from your observation is that closing down
| Windows could also adversely affect Mac users, since Apple
| would not miss this opportunity.
| wongarsu wrote:
| > Apple assumed market dominance and locked everything down
| on mobile.
|
| Apple has about 26% market share on mobile globally, that's
| not exactly market dominance.
|
| Them locking down the platform limits piracy, which is one
| reason why developing for iOS is much more profitable for
| many kinds of apps, which causes better apps that drive
| consumers to the iPhone. That's the reason they put so much
| energy into locking down the platform
| DeathArrow wrote:
| Locking things down and snooping are always presented as
| an advantage. Stopping piracy, stopping CP, stopping drug
| dealers and so on.
|
| Maybe we should have some company lock us in our houses
| for safety? You know, if you wander outside you might get
| robbed.
| wongarsu wrote:
| Explaining the economic reasons why things are done is
| always seen as an endorsement of them. I don't think
| that's justified.
|
| I don't like how Apple locks down their phones, that's
| why I prefer Android. That doesn't mean I can't
| appreciate why they do it and why some people might
| prefer it.
| [deleted]
| addicted wrote:
| The gulf between OSX apps and Windows/Linux apps in
| quality was far greater than any sort of edge iOS apps
| have over competing platform apps. So it's hard to see
| how the argument that locking down the platform leads to
| better apps works.
| AwaAwa wrote:
| I have to assume that them taking 75 percent of the
| profit in the smartphone industry, gives them a blank
| check to do as they wish, and the rest of the industry
| must follow.
|
| https://www.counterpointresearch.com/global-handset-
| market-o...
| datavirtue wrote:
| So if one OS company moves in a certain direction, the
| other one can do so safely. Implicit collusion.
|
| Apps need to run/execute in an open source runtime
| environment that operating systems can choose to
| integrate...and would need to if they wanted to run any of
| the applications on the market. The browser is not the
| answer.
|
| Once these guys get settled in they are going to push for
| regulation that will somehow preclude people from using
| Linux desktops.
| neilalexander wrote:
| Apple could have done it with the Apple Silicon transition
| and yet didn't. More inclined to believe actions over words
| at this point.
| Jensson wrote:
| Not without massive loss of users. Both Microsoft and
| Apple would love to lock down their platforms, but they
| have to do it in tandem or users will flock to the other.
| So we will see a slow lock-in creep until they look like
| current day smartphones.
|
| Only way to stop this is to react strongly, so if most
| users are apathetic like you then it is inevitable. Of
| course I believe that you are right and most are this
| apathetic, so from my perspective this is inevitable.
| When they roll out the enforced appstore you will say
| something along the lines of "but this appstore is secure
| and I can get all the programs I wanted from it anyway,
| and even if I couldn't would I really want an insecure
| program?".
| neilalexander wrote:
| Apathetic -- no. I'm aware of the control creep in the
| industry, but I do think that it seems unnecessarily
| alarmist to think that Apple just can't wait to lock down
| macOS. There is nothing to gain by them doing so and I
| would be incredibly surprised if they didn't already know
| that.
|
| iOS is and has always been a closed platform. We knew
| that the day they announced the first iPhone and they
| have been consistent in their messaging about that ever
| since. iPads and iPhones are globally successful though,
| far more so than the Mac, and with a far wider target
| audience that encompasses most people. It would be great
| for power users to be able to side-load without
| jailbreaking, but there are plenty of less technical
| people out there for whom side-loading actually presents
| much more of a risk than a benefit. That's what makes it
| a complicated issue.
|
| The Mac, on the other hand, doesn't stand to benefit from
| that same closed model in the slightest. The real target
| audiences for the Mac (i.e. software developers,
| professional photography/cinematography, music
| production, publishing) all live and depend on software
| that requires flexibility, plugins etc and they stand a
| much greater chance of knowing what they're doing. They
| would walk away from Macs in an instant if the platform
| stops being useful to them.
|
| Apple Silicon was the perfect opportunity for Apple to
| close the platform if they really felt strongly enough to
| do so, but here's the thing: Microsoft tried to do it
| with WinRT, it was an absolute disaster and the market
| spoke accordingly. It doesn't seem worth the risk.
| Jensson wrote:
| > They would walk away from Macs in an instant if the
| platform stops being useful to them.
|
| Only if there was a better alternative. That is the
| point, both Microsoft and Apple work towards there not
| being any better alternatives out there. It won't happen
| in 5 years, but almost surely in 20, as they have to do
| it slowly enough for all major programs to get into the
| appstores.
|
| Just have to slowly make it more and more difficult
| shipping software that isn't in their appstores. Then you
| start paying for exclusives, imagine if Apple paid
| photoshop to only ship in their appstore and not
| distribute independent binaries for macOS for example,
| people would quickly learn to use the store. Ship cheaper
| variants of the OS with only access to the appstore etc.
| There are so many ways for them to reach that
| destination, and 20 years is an eternity in this space.
| DeathArrow wrote:
| >Just have to slowly make it more and more difficult
| shipping software that isn't in their appstores.
|
| Valve established their Linux presence because they
| thought MS might force developers to ship only through the
| appstore. What is stopping others from making the same move
| if they sense the same danger? Big software companies won't
| be delighted to be forced to use the app store. Nor would
| smaller companies.
| addicted wrote:
| Is it really alarmist to believe that Apple would like to
| make their less popular OS more like their significantly
| more popular OS?
| e12e wrote:
| > iOS is and has always been a closed platform. We knew
| that the day they announced the first iPhone
|
| Didn't the phone launch without an app store and with
| web/HTML based apps?
|
| https://www.businessinsider.com/first-phone-
| anniversary-2016...
|
| https://en.m.wikipedia.org/wiki/IPhone_OS_1#Third-
| party_appl...
| DeathArrow wrote:
| >So we will see a slow lock-in creep until they look like
| current day smartphones.
|
| So we will see the rise of Linux on the desktop.
| fsflover wrote:
| ...and on smartphones.
| cma wrote:
| > but they don't impede or force users to use Mac App Store.
|
| They briefly pulled Epic's desktop signing keys, which they
| promised were for security only, over an unrelated iOS
| business dispute.
| ryanlol wrote:
| This is a terribly dishonest take.
|
| There was no "unrelated iOS business dispute", Epic was
| simply using their keys to sign software that they had
| agreed not to sign. Epic made it clear that they can not be
| trusted with signing keys, you can't claim that this is
| unrelated.
|
| Epic could have sued Apple and proceeded with their
| business dispute without abusing their signing keys, but
| instead they made a calculated decision to abuse their
| trusted position for a PR stunt.
|
| Even if you fully agree with the position Epic is pushing
| in their lawsuit, these facts remain the same.
| DeathArrow wrote:
| >macOS is even more locked down, but they don't impede or
| force users to use Mac App Store.
|
| Until now. And because it faced competition from Windows. If
| they gain some market share, they will.
| shukantpal wrote:
| Wouldn't it always face competition from desktop Linux?
| pjc50 wrote:
| > they don't impede or force users to use Mac App Store
|
| .. yet. The notarization and signing requirements are steps
| towards that; there's an escape hatch, but they could close
| it when it suits them.
| no_time wrote:
| Correct. It's one thing that the general population doesn't
| know what a TPM is but I just can't fathom how governments
| deal with the fact that their entire nation's computing is
| about to be run under lock and key controlled by an American
| company. You could make the argument that up until this point
| it was possible to coexist with Windows' BS because despite
| its closed nature, it was extensively documented and had
| workarounds to all treacherous functionality. But it's
| about to get a LOT worse with 11.
| DeathArrow wrote:
| >Correct. It's one thing that the general population doesn't
| know what a TPM is but I just can't fathom how governments
| deal with the fact that their entire nation's computing is
| about to be run under lock and key controlled by an American
| company.
|
| And the said company would be obliged to help the NSA get
| access to some users' data.
|
| Both China and Russia demand users with sensitive information
| to use their own operating systems and they also build their
| own hardware because they don't trust the hardware.
| AwaAwa wrote:
| In my experience most people at government orgs simply follow
| the recommendations of 'someone' else. Said someone is in the
| pocket of some vendor, and 'champions' their cause. The
| relatively few folk that actually understand the details, are
| usually not the type to be able to wine n dine their
| management (because no vendor supported expense budget). Or
| worse, are single handedly tasked with the responsibility,
| and no reward (outside of securing your 'country', which
| effort will be diluted in front of your eyes anyway).
|
| Everyone just buys the ABC company's TPM to put it into their
| heads and out of their minds.
| im3w1l wrote:
| People weren't distracted by the friendly Microsoft front.
| People were distracted by all the other companies being even
| worse.
| hdjjhhvvhga wrote:
| Yes they were and they are. You can see it regularly on HN,
| saying that today's Microsoft has nothing to do with the ugly
| beast from the 90s, the times have changed, they are now a
| completely different company, they contribute to Open Source
| and even Linux, and they can now be trusted because they
| built the best code editor in the world. I don't know if
| people actually are that naive or if it's a part of
| Microsoft's intensive efforts to game HN.
| rnd0 wrote:
| It's a little of column "a" and a little of column "b" and
| also because there's a whole generation which has come and
| gone since the Halloween Papers and the general MS fuckery
| of the 90's.
| 2OEH8eoCRo0 wrote:
| Are there TPMs where the user has more control and can configure
| w/ a root password to control keys? I like the idea of a secure
| tamper resistant security device but I don't like that the owner
| of the PC does not retain absolute control over this device.
| will4274 wrote:
| > the owner of the PC does not retain absolute control over
| this device.
|
| This is a bit FUD-y. TPMs are key stores, the same as what
| Apple calls a "secure enclave." When you activate a device with
| a service like Netflix or a software like Windows, they stick
| their key in the TPM. As a user you can clear or disconnect the
| TPM any time you like - you're in control of your device. What
| you're not in control of is Netflix and Windows - Netflix and
| Windows are only going to authorize 5 TPMs. If you reset your
| TPM, you're going to need to re-enter your license information.
| ZekeSulastin wrote:
| Yes - the TPM isn't a Windows-only thing. For example:
| https://wiki.archlinux.org/title/Trusted_Platform_Module
| sbisson wrote:
| It's not quite as bad as presented here; yes Microsoft is in the
| process of deprecating kernel mode drivers as part of its current
| security push, however it's following Linux and implementing eBPF
| as a more secure alternative that runs mostly in user land and in
| a sandbox in kernel space. For the type of thing that this app
| does, it's a logical change of direction that does not require
| the same level of EV code signing.
| roblabla wrote:
| Microsoft's eBPF is a very different beast from Linux's eBPF.
| It is contained to very few subsystems (Currently network,
| filesystem to come) and doesn't have the same facilities Linux
| has with dynamic probes to hook arbitrary kernel functions.
|
| Windows _also_ has DTrace, which does support arbitrary kernel
| hooks, but it requires booting in a special mode with bcdedit
| /set dtrace ON, which makes it unusable for machines not under
| your direct control.
|
| None of those give enough visibility in the kernel structures
| to fully subsume kernel mode drivers. And further, they don't
| allow some of the advanced capabilities that are provided by
| things like ProcessHacker, such as killing PPL, forcefully
| closing remote handles, and a bunch of other stuff that is only
| possible via a kernel driver.
| mastazi wrote:
| One of the comments from the comment thread below the linked
| post, it's a rant and I don't like the tone but it sums up well
| some of the reasons why me and a few colleagues recently decided
| to switch to Linux:
|
| > Dave-o says:
|
| > 2021-10-24 at 23:45
|
| > Notice how it's now virtually impossible to disable Windows
| Defender nowadays? Libvirt is also having trouble getting
| Microsoft to cert their drivers. Etc, etc etc. Who gave them the
| right to limit our freedom to run what we want on our computers?
|
| > Reviews about Windows 11 at formerly-credible websites like
| http://www.arstechnica.com & http://www.thevirge.com, etc are so
| pathetic, "oh the new toolbar! But mah techichial anayasis is
| that there are some old dialogs still in control panel! I wants
| mah new eye-candys!". And their sycophantic commenters are vastly
| worse.
|
| > Truth is, Microsoft's strategy may have been FUD in the past
| but now it's evolved to 'slowly tighten the noose'. The reason I
| liked Windows was my ability to audit it. At least someone should
| be able to. Now with hardware-enabled DRM secure envelopes &
| encrypted memory regions, that is becoming impossible. Which is
| exactly their plan.
|
| > Because, you see, Microsoft wants to become like Apple: "We
| respect your privacy; your secrets are between just you and us."
| Do you trust there's no and will be no future Microsoft-only
| back-doors in the Windows Firewall? Really?
|
| > Who actually owns your machine? Can you actually stop your
| iPhone from updating? Nope. In the past I tried and their upgrade
| permanently broke some CAD apps I heavily relied on. And there's
| no way back, baby. The content I created? _poof_
|
| > It used to be more a Facebook / Google thing. Post on social,
| they have a permanent free license to use your content and treat
| it however they like. All corporations are liable to their
| shareholders if they don't maximize profits. Why are these guys
| so insanely profitable? What do they actually create? They're all
| just leeches on our data.
|
| > SO, either get used to the 'brave' new world: mega-corporation$
| & the government own your most intimate personal information and
| control the devices you rely on. Or switch to linux and at least
| have a prayer of someone keeping the software you rely on honest
| by auditing it. Just someone having the ability to see what's
| going on inside that secure-enclave hiding in your computer is
| enough of a threat to keep them honest.
|
| > These days, most folks live in their browser. Maybe play some
| games. Install Kubuntu and run firefox and most Windows users
| will barely be able to tell the difference. Getting Windows
| running inside a QEMU virtual machine isn't really that
| difficult. At least that way you have a way of firewalling
| Windows that's outside of Microsoft's control. It's a bit more
| tricky for mom but is becoming more turn-key & productized all
| the time.
|
| > Linux Wine is coming along nicely. The day is fast approaching
| when Windows games will run great directly on Linux. Steam Deck
| will push this over the curve and it's all down-hill from there.
| Why prioritize targeting Windows when Linux becomes a large
| market? Multi-platform is kinda ugly but it's a thing. All other
| things being equal (usability, compatibility, etc) consumers will
| always opt for more privacy and control. And this is the way out
| of this privacy & control mess.
|
| > With IPFS and distributed platform tech so close, the new
| future will be the public ridding themselves of these menaces
| both for social and their personal devices. At least I hope so.
|
| > /rant
| amyjess wrote:
| Because of things like this, I'm at the point where I consider
| the invention of public-key encryption to be the worst thing
| that's ever happened to the world.
|
| If governments had _immediately_ preemptively classified anything
| related to asymmetric encryption--and actively enforced the
| classified status--as soon as the first research into it started
| appearing, the world would be a much better place than it is now.
| xondono wrote:
| Yes, because governments are trustworthy entities incapable of
| unethical behavior! /s
| vbezhenar wrote:
| Asymmetric cryptography is too simple to contain it. RSA is
| unbreakable and it's very simple to understand. It would be
| reinvented over and over by multiple people in multiple
| countries, you can't contain it.
| howinteresting wrote:
| DSA and RSA are pretty straightforward math. ECDSA is somewhat
| more complex but still pretty basic.
| Synaesthesia wrote:
| If you look at the history of encryption, that's precisely what
| happened, and right up to the 90s they did contain it.
| garganzol wrote:
| This is a slippery slope way of thinking. One would argue that
| appearance of computers is similarly evil, but many of us can
| confirm that this is not true.
|
| It all depends on who uses the tool and their motives, not on
| the tool itself. The tool is powerful but it's totally neutral.
| And can be used for both bad (dominance, ransom) and good
| things (security).
| maccolgan wrote:
| >who uses the tool and their motives, not on the tool itself.
| The tool is powerful but it's totally neutral.
|
| What if we had computer control like gun control?
| [deleted]
| userbinator wrote:
| Governments did classify encryption as munitions for a long
| time, and some of the regulations from that era still exist.
| But it's hard to ban maths.
|
| On the other hand, contrary to all the downvotes you're
| getting, it's good to see some other people who have taken the
| same critical view of encryption that governments have/had ---
| because it can be used against them.
| wiz21c wrote:
| Time to add the right to use a computer as you see fit in the
| human rights, before it's too late...
| account-5 wrote:
| I built a computer in 2012 approx. It's still going strong running
| MX Linux. I'm running Win 10 in vbox. I'm sure it would run Win
| 10 but I'm not in the habit of running something that fond of
| phoning home. As long as I can run Windows for the few things I
| need it for in vbox I don't care. It would amuse me that I would
| be running an OS in software that wouldn't run on my hardware!
| heavyset_go wrote:
| > _Microsoft Process Explorer has the same functionality so they
| don't have standing to block competitors then go and include the
| exact same features in their own software._
|
| > _Microsoft has been secretly adding more powerful features than
| Process Hacker via their SAC product - SAC has no security
| whatsoever by design - they're clearly targeting the project not
| because of any actual technical issues but rather because we're
| more popular than their products, so they're using the same
| (illegal and anti-competitive) tactics they used against Netscape
| Navigator to eliminate competition but also labeling the project
| malicious in an attempt to mislead the competition regulators._
|
| Yet another example of a trillion dollar tech company stifling
| competition and innovation with anti-competitive tactics.
|
| Both Microsoft and Apple require developers to sign software in
| order for their apps to run on Windows or macOS. Developers must
| pay to buy and renew their certificates regularly and must remain
| in good standing with either company if they want their apps to
| run on either OS. At any time, and for any reason, Microsoft or
| Apple can revoke your certificates and prevent Windows or macOS
| from running your apps at all.
|
| The control over what apps can run on Windows or macOS is all
| about securing profits for either company, first and foremost.
| Actual security is just an afterthought.
|
| Both companies take it one step further and are locking
| developers out of kernel space. Apple still signs a few third-
| party .kexts, like macFUSE, but everyone else is out of luck.
| Microsoft needs to sign kernel-mode drivers or situations like
| the one in the OP will occur.
|
| This is certainly different than, but reminiscent of, the
| situation with AppGet and Microsoft's clone, Winget[1].
|
| [1] https://keivan.io/the-day-appget-died/
| pjmlp wrote:
| Welcome to AAA game development on consoles, since 1980's.
| laumars wrote:
| Console manufacturers have often lost their case whenever
| game studios took them to court over this though. Hence EA
| and Codemasters not using standard Megadrive / Genesis carts.
| So there is at least some hope that there is precedence in
| favour of independent publishers.
| weisk wrote:
| Microsoft owns github, it could be said that they no longer
| depend / compete with the open source community, since they
| operate it from the shadows. It is reasonable to think that
| game development is too complex to be privatised (for now,
| at least)
| yissp wrote:
| I thought signing was only required to avoid the OS showing a
| warning on installation, or has this changed in win11?
| chronogram wrote:
| For unsigned drivers users have to enable test mode and I
| can't imagine secure boot works unless the drivers are
| signed. In the case of unsigned applications it's correct
| that it's just a warning.
| yread wrote:
| > SAC
|
| do you mean Special administration console? or Semi-annual
| channel?
| heavyset_go wrote:
| Not sure, I'm quoting directly from the article.
| y4mi wrote:
| The same question has been answered in the linked GitHub
| issue, though the comment was marked as off topic.
|
| It's Special Administration Console; more in-depth info on
| what that actually is in the comment.
|
| https://github.com/processhacker/processhacker/discussions/
| 7...
| nitrogen wrote:
| The highlighted comment has been marked as off-topic and
| requires logging in to view, which I'm disinclined to do
| from mobile. Is there a summary elsewhere?
| [deleted]
| Daedren wrote:
| Yes, it's Special Administration Console.
| EVa5I7bHFq9mnYK wrote:
| I honestly googled what the "SAC" stands for, but couldn't find
| anything. Please, please people, don't assume everybody knows
| your acronyms.
| layer8 wrote:
| Special Administration Console
| MrStonedOne wrote:
| From:
| https://github.com/processhacker/processhacker/discussions/7...
|
| >The existing drivers are compatible with Win11 and haven't been
| blocked by Microsoft yet... The large majority of changes by
| Microsoft are limited to restricting the Windows API with
| signature checks that block competitors software (e.g.
| CreateWindowInBand, NtQuerySystemInformation,
| NtQueryInformationProcess to name a few) rather than directly
| targeting the drivers themselves.
|
| >The signature checks added to those functions and classes only
| block third-parties and this includes signed binaries. We won't
| be able to implement the same functionality as Task Manager and
| Process Explorer because of those Microsoft-only signature checks
| even after we sort out the submission issue.
|
| >Always-on-top, Auto-elevation, DPS statistics, Default taskmgr
| application preferences (Microsoft hardcoded taskmgr.exe blocking
| competitors), GPU statistics (deliberately broken on Win10 and
| Win11 recently) and the DirectUI framework are some examples of
| features that I want to implement and are currently implemented
| by Task Manager but are Microsoft-only signature restricted while
| newer more advanced security like PPL that we desperately need
| are also Microsoft-only signature restricted.
|
| >The only certificate allowed to use these and other
| functionality is now limited to Microsoft Windows certificates -
| the same certificates used with Task Manager and Process Explorer
| - while SAC has even more powerful functionality than anything
| else (including Process Hacker) with absolutely no security
| whatsoever.
|
| So, basically, for some _reason_, Microsoft wants to make it
| very hard for you to see what's running on your computer...
| [deleted]
| dataflow wrote:
| The reason might be DRM?
|
| (Also, isn't this straight up illegal according to their
| previous settlements?)
| jahewson wrote:
| That settlement expired in 2009.
| passivate wrote:
| >So, basically, for some reason, Microsoft wants to make it
| very hard for you to see what's running on your computer...
|
| That sounds a little conspiracy theory-ish. It seems like there
| are other tools to access this info, is that not the case?
| peakaboo wrote:
| Not at all. The American tech mafia is mapping all user data
| they can get a hold of. This is very far from a conspiracy
| theory in 2021.
| passivate wrote:
| I don't think "Process Hacker" is a tool that has zero
| other alternatives. As a former systems dev, I find that
| very hard to believe. Sorry, I didn't understand what point
| you were making though.
| jenscow wrote:
| > So, basically, for some reason, Microsoft wants to make it
| very hard for you to see what's running on your computer...
|
| That's my take on it, too. I doubt they care about a
| "competing" task-manager tool.
| blibble wrote:
| weren't MS slapped around during the DOJ case for undocumented
| APIs?
|
| and there's a mile of difference between undocumented and
| "can't be called by non-MS products at all"
| Arainach wrote:
| It was disallowed for _other Microsoft products_ to call
| undocumented APIs. Anything called by Office /Azure/whatever
| needs to be a publicly documented API, and there are
| automatic checks in all Microsoft codebases to confirm that
| no undocumented APIs are called.
|
| Windows components, of course, aren't subject to any such
| rules. There have always been and always will be interfaces
| necessary for Windows to call itself that the company has no
| interest in supporting in a backwards-compatible way and
| publicly documenting. An example is pinning applications to
| the taskbar: Windows needs to be able to do it, but if it was
| a public API every app would do it and the experience would
| be ruined.
|
| Of course, Chrome eventually figured out a way to bypass and
| do it (I believe using accessibility hooks to simulate user
| input? I forget the details), at which point the arms race
| escalated from there - the Windows team added new protections
| in that area - but I haven't worked in that area in a long
| time and don't follow it in detail.
| easton wrote:
| I was on a Microsoft page a few days ago reading about some
| of the Microsoft Store APIs and they were all marked with
| big warnings that claimed they could only be accessed by
| apps with special entitlements (so, basically signed
| versions of winget). Seemed really icky to me.
| api wrote:
| > So, basically, for some reason, Microsoft wants to make it
| very hard for you to see what's running on your computer...
|
| So they can run spyware. Nearly every user hostile policy or
| behavior can be explained by the insatiable lust for data.
| smoldesu wrote:
| They wanted feature parity with MacOS' ability to hide
| processes from the user.
| salawat wrote:
| Excuse me, what? Hadn't heard about this. Got a link?
| hulitu wrote:
| So basically running rootkits. So MS from spyware company
| has evolved to malware. Keep up the good work.
| dschuetz wrote:
| But they sign malware? Strange.
| pedro2 wrote:
| +1 Funny
| [deleted]
| Shorel wrote:
| I've had to authorize lots of Steam games this month in 'Windows
| Security' protected folders just to be able to save replays, or
| basic controls configuration.
|
| I think MS is going for the kill against Steam this time.
|
| And this is with Windows 10. Windows 11 will require MS
| permission, and some Steam games will simply never work there.
|
| But you will be able to purchase them again in the MS Store.
| kevingadd wrote:
| Arguably this is Valve's fault because they insist on putting a
| ton of stuff in secure folders (under Program Files) instead of
| where they belong (in the user's home/data directories)
|
| They've had a LONG time to fix this.
| garaetjjte wrote:
| That's just the game's fault that it saves data in game files
| instead of the user directory.
| kevingadd wrote:
| No, Steam puts stuff like steam cloud in the programfiles
| dir as well. It's totally under their control where it
| goes.
| garaetjjte wrote:
| Steam Cloud files location is also specified by game
| developer:
| https://partner.steamgames.com/doc/features/cloud
| RealStickman_ wrote:
| Isn't that just because the default library is in the steam
| install folder? (On windows)
| kevingadd wrote:
| They don't _just_ put the games there, they put the steam
| cloud data there too, and I think screenshots etc.
| ryanlol wrote:
| Yeah, and Valve can't be arsed to change it.
| zeusk wrote:
| Because that won't make them any money like their loot
| boxes.
|
| As for the matter, some teams here are just as
| incompetent so someone's probably going to have a fire
| lit under their arse to either fix the signing issue or
| publicly document why these APIs are now "protected"
| elmo2you wrote:
| Monopoly abuse by any other name is still just that.
|
| Microsoft never did change, nor will it, no matter how many they
| manage to fool, manipulate or bribe. It remains a criminal
| enterprise that should be cut down. But that will never happen,
| as long as the government(s) controlling this company are made of
| the same DNA.
|
| Good luck to those who have the luxury of a choice to avoid this
| company (and similar ones). Even more if they still choose not
| to. Most of all, good luck for those who don't even have a
| choice, for they most likely will need luck more than anyone
| else.
| agumonkey wrote:
| Microsoft shouldn't rely on this too much honestly. They still
| have mass, money and maybe an edge but the rest of the world
| changed, and is potentially ready to pick up the pieces if need
| be.
|
| I thought recent efforts of MS were a sign of wisdom somehow.
| userbinator wrote:
| ...and maybe an Edge?
|
| No, they sold out to Google on that already.
| agumonkey wrote:
| unintended pun, gods spoke through me
| nix23 wrote:
| Yeah, funny times we live in: from Oracle you get a free
| enterprise Linux, from Microsoft an open-sourced MS-DOS 1.0 ;)
|
| Edit: Correction, MS-DOS 1.25 and 2.0 were released too
| orionblastar wrote:
| Microsoft released their own Linux:
| https://www.tomshardware.com/news/microsoft-released-cbl-
| mar...
|
| As far as opensource DOS, nothing beats FreeDOS:
| https://www.freedos.org/
| nix23 wrote:
| >>CBL-Mariner is an internal Linux distribution for
| Microsoft's cloud infrastructure and edge products and
| services.
|
| Oh yes please...i want that universal Linux Distribution ;)
|
| >nothing beats FreeDOS
|
| Dosbox and dosbox-x beat FreeDOS any day.
| anthk wrote:
| Call me when you can run real drivers in DOSBox-X.
|
| And, still, XDOSemu+FreeDOS runs circles over DOSBox and
| DOSBox-x.
| nix23 wrote:
| > Call me when you can run real drivers in DOSBox-X.
|
| That's exactly what i don't want.
|
| >And, still, XDOSemu+FreeDOS runs circles over DOSBox and
| DOSBox-x.
|
| No, not really. Have you even installed FreeDOS once? BTW
| the FreeDOS developers will perfectly tell you that they
| have no interest in being DOS-game focused...and you can
| feel that 50% of all games just refuse to run...that's
| not the case with MSDOS 5.22.
| vbezhenar wrote:
| Oracle basically rebuilds RHEL. It's not a tiny feat, but it
| was done by small teams for CentOS, Scientific Linux and
| other RHEL rebuilds. Real distribution work is done by
| RHEL/IBM.
| spacemanmatt wrote:
| I know people who pretend that Nadella has made the company so
| different. Microsoft will never change.
| krylon wrote:
| It looked kind of promising for a while. With the pivot to
| cloud services, there was reason to hope they just would not
| care any more about pulling that kind of move for desktop
| Windows.
|
| I guess after a decade of watching Apple and Google getting
| away with stuff that Microsoft would have been drawn and
| quartered for twenty years ago, they decided it was safe for
| them to get back to their old ways.
|
| _sigh_ Would have been nice, though.
| mavhc wrote:
| What's SAC?
| tyingq wrote:
| The "Special Administration Console". Oddly, I can't find
| normal docs for it on microsoft.com, so here's the Azure docs
| for it:
|
| https://docs.microsoft.com/en-us/troubleshoot/azure/virtual-...
| excalibur wrote:
| > Windows owns the market for the simple reason it's not some
| locked down garbage controlled system
|
| How did you come to THAT conclusion?
| userbinator wrote:
| That used to be true. But clearly Windows is going in the same
| direction as Android and macOS.
| rkagerer wrote:
| Microsoft is locking certain APIs:
|
| _Always-on-top, Auto-elevation, DPS statistics, Default taskmgr
| application preferences (Microsoft hardcoded taskmgr.exe blocking
| competitors), GPU statistics (deliberately broken on Win10 and
| Win11 recently) and the DirectUI framework are some examples of
| features that I want to implement and are currently implemented
| by Task Manager but are Microsoft-only signature restricted while
| newer more advanced security like PPL that we desperately need
| are also Microsoft-only signature restricted._
| no_time wrote:
| I'm not familiar with the rest but how is Always-on-top locked
| away? It's such a basic thing and a lot of programs are using
| it.
| therein wrote:
| SetWindowPos with HWND_TOPMOST fails with Access Denied.
|
| CreateWindowInBand also fails with Access Denied.
| no_time wrote:
| That's so weird. No idea why they restricted that but not
| the other ways of setting a window to always stay on top.
| Like whatever Firefox's picture-in-picture uses.
|
| EDIT: I guess they want to prevent you from doing
| interesting things like staying on top of the lockscreen.
| This article sheds some light on the Z ordering changes
| since win8:
| https://blog.adeltax.com/window-z-order-in-windows-10/
___________________________________________________________________
(page generated 2021-10-24 23:00 UTC)