Can someone please just make Linux good for the normies so that devs make shit for it?
Never10 was a tool that tweaked the Win7 and Win8.1 registry to stop OS upgrades, effectively disabling the option to install Win10.
Once the deadline for the free "upgrade" expired, people still used Never10 on a fresh Win7 or Win8.1 install until recently, but that's merely because it allowed you to download and install the latest version of Windows Update.
Without that, a fresh Win7 or 8.1 install would take days looking for updates. Now MS has updated Windows Update again, and Never10 appears to be obsolete.
I'm not really sure if Steve Gibson has updated it to get the newer Update. Perhaps I should mail him about it. He could extract his own Update grabbing code from never10 and make a 10kb tool that sorts out the whole Windows Update misery once and for all.
1 Like
Hehe, there is much more shit made by devs for linux than for all proprietary platforms combined.
Linux is a tool. Windows is a product. If you want Linux to be a product, you can pay people for peripheral services, but that still doesn't make Linux into a product. If you can't make the mental switch, don't worry about it, just don't spread completely false prejudice about something you don't understand.
Just one of the main desktop environments, KDE, which has been around for a very long time and has had convergence and multi-platform adaptability for many years, has had more than 1.15 million commits made by more than 4200 contributors representing more than 21 million lines of code (https://www.openhub.net/p/kde), with an equivalent effort of more than 6700 years up until now, which is over half a billion worth of development investment. The skill level of the people in open source projects is also typically higher, because they are constantly in competition with each other and every bit of code is visible for everyone, so only the best solutions survive.
Microsoft, Apple, Oracle, Adobe, etc... couldn't possibly afford a single desktop environment at a quality level like that... in linux, KDE is but one of the different options. There is a magnitude difference that makes open source software and limited commercial products like MS-Windows, completely incomparable. If it's a product you're looking for, just go for the software console and don't lose sleep about it, but if you want to expand your universe, don't drop money in limited products, get tools instead. Comparing Windows with Linux is like comparing a Lexmark 25 USD inkjet Printer with a Heidelberg press with a complete high quality industrial digital front-end (these things happen to also run on Linux of course).
1 Like
Speaking of Steve and the Windows shift+F10 bitlocker bypass, I just downloaded the latest Security Now and it appears he'll be talking about it.
The problem I have with Bitlocker is that the default settings don't require a passcode to boot the computer like just about every other commercial full disk encryption product on the market. It seems to me that your system isn't really that secure unless you set bitlocker to require a passcode to even boot the computer.
If I understand this shift-f10 issue, a passcode to boot would block this from being an issue, correct?
It's a little more complicated.
In order to be able to do the big upgrades, Microsoft needs to boot the PC on a "temporary OS" (by lack of a better word, it's basically the same as the Windows Installer) so they can modify the essential system files. You can't modify those files while the drive is encrypted, so the temporary OS / installer has been granted access to the encryption key and decrypts the entire storage (all connected drives) for the duration of the upgrade.
What they didn't count on (or tried to hide) is the ability to shift+F10 into the command prompt (something that has been around on MS installers for ages).
Someone who can use command prompt, can use it to access the files (and copy them to an external drive that isn't encrypted if they desire so), thereby completely bypassing BitLocker.
A passcode to boot would need to be entered for the OS upgrade to start, at which point you still have the same vulnerability.
something something your really stupid if you really on MS for security ?
Lets look at some MS choices :)
1 Like
What do you mean ? Several distros that have an excellent ease of use that even windows users can grasp. I have a few machines that i have never done anything to but use and update when suggested. Htpc, basic internet surfing, and light office work. Gaming that is a different story but basic gaming is pretty painless for the most part. Well documented " How to do something guides " that far exceeds the mess that windows publishes ? Thirty years of using MS products and it is still stabbing in dark part of the time and hoping nothing breaks :(
I don't know much about Bitlocker, but it seems that the whole "Shift-F10" thing isn't the scariest part. The scariest part is that OS (or PE) has access to encrypted volume without user interaction, which means that it either stores master key somewhere (and what's stored may be retrieved) or has some sort of a backdoor into TPM (which would be even scarier).
That's the root of the problem indeed. This is a MASSIVE security flaw just waiting to be exploited. (assuming the government isn't exploiting it already)
I don't think that's the case at all, it's just pre-authenticated using the previous session, or the session past TPM authentication.
It can be set to do the password but you have to disable the TPM chip first, and even then it's going to want a flash drive to use as a pseudo TPM. The problem with disabling TPM these days is that Windows 8.1/10 authenticate the OS through that so if you disable that your windows won't authenticate either.
Agreed, you have a point, although just because someone needs to use Windows they don't have to use IE, Edge, Silverlight or Flash.
It now looks like that unless they can safeguard the physical access to their machine they shouldn't put much faith in Bitlocker either. Fortunately there are Open Source products that can be used, albeit they require a little more learning to use properly.
Which remind me...
A few years ago I worked as a consultant for relational database platforms. Mostly for SQL Server & Windows but also for some PostgreSQL and Oracle. The thing was the gaping security risks I found were rarely down to platform choice; you can deploy stuff on Linux badly and have far worse security problems than on Windows, but I digress...
Mostly however, it was .Net developers doing stuff without consulting with experienced admins. Often my report would end something like "The Windows/SQL Server environment needs to adopt exactly the same methods and processes to being deployed, configured and secured as the RHEL\Oracle data-platforms which are properly managed".
How many forum members do you think would even do something as basic as having a regular account that has no local admin rights? Probably none, I bet a large number of people on here also disable UAC because its a little bit annoying - and they won't get hacked, right?
:-)
1 Like
Pretty much this. I run with admin privileges on my main PC and have UAC turned off. Otherwise I'd have to type my admin password 200 times per minute (slight exaggeration, but you get the idea).
On the secondary PC I do run a regular user with AUC turned on tho, and in Linux I also run with regular user privileges (as per default).
Sheep mentality... We are far more mentality strong here. There is no reason to 'Have to' put up with anything you feel is not right.
This isn't even really common practice anymore. I actually had a security consult mock me during an audit exam at my old job (Medical facility) when I got prompted with a UAC and had to put in the domain admin credentials instead of my own.
Not sure why no one practices this anymore. I'm working to move my current facility to doing this, actually. There's other things I have to get squared away before I can make that happen.
I love Linux. I use it as my daily operating system, this is Arch btw and using just one of the main desktop environments, Gnome.
My point was that no one has yet made a Linux distro that can compete with Windows and macOS, I know that that doesn't go well with your whole idealistic notion of what Linux is but it's what we need to get over 2% market share. If we want Linux to succed we need it to be accessible to the normies/non-techies/whatever.
How do you mean? System reboots into PE to upgrade itself, but stays authenticated?
A master key is stored in the TPM. If you didn't do this a long passkey would be needed every boot. On laptops with a broken TPM you would need to store the passkey on a usb stick to avoid manual entry.
This is the essence of the flaw, the windows update has access to the TPM to decrypt the drive and the ageold shift f10 lets you interrupt the update...
Even so, you still need some sort of secret to get master key from the TPM on boot. don't you? Otherwise, I don't see how Bitlocker would protect against anything.
That's the whole thing.
When booting into Windows, entering your password retrieves the hidden master key that decrypts the drive. So you're properly protected.
When booting into the updater on the other hand, the updater itself apparently retrieves the key and decrypts the drives without the user having to enter his password. Microsoft never saw the updater as a proper OS that the user could use, so they figured this wouldn't be a problem. However shift+F10 does launch what is essentially MS-DOS and at that point anyone who has physical access to the keyboard can have full access to the (decrypted) drives without ever having to enter a password.
Thankfully this is only possible during a major update (like the anniversary update for normal users, or every so often for insiders).
But the moment someone figures out how to make a bootable stick that tricks the PC into thinking that it's a windows upgrade ...