Windows 11 - Microsoft's Walled Garden. (Dire Warning)

This is coming from a primarily FOSS user. Windows needs better security practices. I believe Windows and Microsoft are attempting so with TPM and Secure Boot. Conspiracy or not, I can still have porn and ROMs.

TPM and Secure Boot were never about security, much like web certificates were never about security. If you think about it at all, it stops making sense as a security practice as long as it’s in anyone else’s hands at any stage.
In either case, you have one of two options: a platform that is insecure, or a platform that has no software variety. The “license to exist” model doesn’t have any other outcomes because it’s not sustainable.

Now, if you run a large business, and generate your own TPM keys and signing, sure. But that’s not what Windows 11 is about. Windows 11 is about bringing Microsoft and partners’ TPM keys to your Home edition Windows. You don’t have any added security, just another wall for developers looking to put code onto your home computer. One that no doubt ends with Microsoft charging a small toll for every key.

If Microsoft wanted security, they’d give the user more control over Windows, not less.

It sounds like you’re doing what you can. It’s the only thing reasonable anyone can suggest…

I’ve run Linux daily with just an occasional boot to MS for a rare game or two for many years (I lost count). MS is just a high end “game console” which sees no regular use. That’s fine, but voluntarily using it 100% of the time, and especially trusting it with personal data, why?

Whatever most people are thinking is “essential”… it’s probably not. None of that stuff sounds important to me, and if more people jump ship, those things would follow.

What I mean by “Linux is there” is not that it meets 100% of everyone’s requirements. No software does. But it meets 99% of most people’s requirements to use as a daily driver (and Windows doesn’t meet 100% of everyone’s requirements either).

Or, get spied on, pay more, and deal with other abusive practices if you want, but the rest of us are ready to help people switch once they’re tired of it.

1 Like

With LibreOffice and browser support it is fine. But with DRM for some online streaming platforms it is not ready. I mean if it matters to you. For me that really doesn’t as I own all my media.

I think the Windows vs Linux argument can be reframed in a lot of different ways. If compatibility is your problem then you inevitably find yourself in an ecosystem with constant ever growing integration right? I feel like that’s actually what Apple users pay extra for.

I see an argument about usability vs trust often and I think the reason for that is probably just a symptom of simple economics. We all rely on a supply chain of software and content whether it be free or non free.

The option to not use something is often just plain off the table for most people. I wish my new screw driver would stop sending me emails for antidepressants.

Depends on what you run, have you tried the latest Gnome on a 12 month old box with a Mesa driver (e.g. not Nvidia), Wayland, and Pipewire? It’s freaking amazingly easy to use! Easier than Windows at many tasks. What is left is mostly peripherals of more unusual hardware (less popular/older models of printers, gaming mice and so on), RGB, and easy anti cheat. Not perfect and does not suit everyone though.

HDR seems to be changing sooner rather than later, though not readily available yet:

As for Dolby and DTS, low latency signal passthrough for all kinds of streamed data including Video and Audio is of course possible by default or very little tweaking via Pipewire, but also, a quick search yielded this:

https://customer.dolby.com/content-creation-and-delivery/dolby-encoding-engine-with-dolby-ac-4-v540

Lists Ubuntu and CentOS in the minimum requirements. So I think you are in the wrong here. Combine this with deew:

And I think the support you are looking for is way better than you think. Though you do need to be boring and stick to stable distros like Ubuntu and RHEL. 🙂

At the same time, Linux is only slightly less bug-infested than Windows and the whole “flatpaks vs debs vs rpms vs snaps vs appimages” is leaving a sour taste in the mouth for me right now. The foundational problem there is that most software expects a write-once-run-forever mentality - that only works on systems that never change anything. Even Windows breaks this on occasion, though Linux moves so fast libraries can get obsoleted after only a year or two. It is settling down somewhat (Mesa, Wayland, Vulkan, Pipewire is a good foundation for desktopping, finally). Future is bright 🙂

3 Likes

Most Windows users think compatibility or usability are the problem with switching, but the vast majority haven’t even read about it.

Those looking the other way while INGSOC is being built around us with the assistance of Skynet, they need a different conversation from this one.

But for people who are awake and do not like where things are clearly going, they can abandon the expensive spyware and life will go on just fine. Worst case everyone can switch to FOSS today for virtually everything (especially personal data), and dual boot or use a secondary/backup machine for the rest.

Even “that guy” who insists that their life depends on some piece of software “If I can’t use Photoshop I will be homeless!” (wow…) can at least keep their personal stuff effectively containerized. And for those in that situation, I think they would be crazy not looking for alternative ways to get the job done if they’re imprisoned like that. The requirement isn’t “run N software”, it’s get X, Y and Z tasks done.

You almost got it.

The point with signed code is that misbehaving software can be turned off. Not that we don’t expect criminals to either buy or steal keys. But once a cert is revoked you can stop the spread or execution of bad ware.

If a bad guy gets a cert sooner or later bad behaviour will be reported and then it’s killed.

Code signing is a good thing, it’s just a shame that some people are so blindly anti Microsoft that they lump that in with the rest of the bad behaviour they’ve been involved in. And that Microsoft, given their history, deserve it. But MS aren’t the only ones pushing this - because you can’t rely on end users to identify software that isn’t Trojans or otherwise compromised.

Both due to skills required and human time required. The computer can be leveraged to do this. So that’s what we are doing.

I mean are you manually going to SHA-1 validate every executable you run (or even more impossibly, every called executable from the main app) every time to check it hasn’t changed? Or that it is the same as that which was distributed by the vendor (or compiled by yourself)? Of course not.

Is it a silver bullet? Of course not. Neither is splitting your user account off from root. But we don’t run everything as root because it’s something we can limit to improve security. Same with code signing checks.

A big problem these days is a lack of hardware compatibility list.

There used to be one. Now if I go to buy new hardware it’s a crapshoot. Mostly works sure. But “should be ok” isn’t good enough to base purchasing decisions on.

In this respect (documentation) Linux has gone backwards from 1997.

Code signing sounds like a good thing, but it’s easy enough for a bad actor to just get another cert and start over. The entire reason code signing is even as big and backed a thing as it is is entirely because it consolidates power to a small subset of corporations controlled by a small group of individuals who can use this to be the effective arbiters of what is and isn’t allowed to exist.
It has some benefits in the short term, but those benefits are a slow poison because less effort is put towards finding a better solution.

In terms of manually validating code to check it hasn’t changed, that’s actually very easily done by the machine if anyone wanted to go that route. On first run, store a hash of the executable. Each subsequent run, check the hash and if it’s different than the last time it was run, notify the user and ask if they want to run it anyway and update the code.
This would actually be a much better solution as it prompts the user to learn more about what their computer is doing, rather than telling them not to think about it and just Trust The (computer) Government ™.

Code signing is only a positive thing if the end user has control over it in the first place. As long as it’s controlled by third parties, it’s just more software gatekeeping, and will only lead to worse and worse software, just like web certs.
Can you imagine a world where you’re not allowed to access your router’s webUI or update it because it’s no longer supported and it didn’t get an updated certificate on time? I can, because some browsers enforce web certificates against the user, rendering both my AP and router inaccessible from it. (iOS Firefox Focus)
Third party gatekeeping has no place in any kind of positive future. The benefits are fake and the drawbacks are very very real.

Also, to clarify, I don’t have any hatebean for Microsoft. I don’t like the direction they’ve been going, but aside from a few obviously terrible things that seem to be pretty universal with any big tech corporation, I don’t think most of what they do is as morally terrible as people make it out to be. They were actually doing pretty good from XP through 7 and even 8.0 in my eyes, and only really started to fail up with 8.1 and 10, and the change in leadership around that time.
They’re categorically still less bad than Apple, and probably less bad than Google. I certainly don’t rank them worse than Facebook. Gatekeeping the computing world is just fundamentally bad, no matter what big corporation is doing it.
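The hash-on-first-run check described in the post above, sketched as an added example that is not part of the original thread. It uses SHA-256, and `PinStore`, `tool.bin` and `pins.json` are hypothetical names with a constructed stand-in file in place of a real executable.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def file_digest(path: Path) -> str:
    """SHA-256 of the file contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

class PinStore:
    """Hypothetical store of first-seen executable hashes, kept as a JSON file."""

    def __init__(self, db_path: Path):
        self.db_path = Path(db_path)
        self.pins = json.loads(self.db_path.read_text()) if self.db_path.exists() else {}

    def _save(self) -> None:
        self.db_path.write_text(json.dumps(self.pins, indent=2, sort_keys=True))

    def check(self, exe: Path) -> str:
        """Return 'first-run', 'unchanged' or 'changed'; pins only on first run."""
        key = str(Path(exe).resolve())
        digest = file_digest(Path(key))
        pinned = self.pins.get(key)
        if pinned is None:
            self.pins[key] = digest
            self._save()
            return "first-run"
        return "unchanged" if pinned == digest else "changed"

    def accept(self, exe: Path) -> None:
        """Re-pin after the user has confirmed a change; never called automatically."""
        self.pins[str(Path(exe).resolve())] = file_digest(Path(exe))
        self._save()

def demo() -> list:
    """Constructed sample: a stand-in 'executable' that is modified between runs."""
    with tempfile.TemporaryDirectory() as d:
        exe, store = Path(d, "tool.bin"), PinStore(Path(d, "pins.json"))
        exe.write_bytes(b"version 1")
        seen = [store.check(exe), store.check(exe)]  # first run, then unchanged
        exe.write_bytes(b"version 1 + patch")        # file changes on disk
        seen.append(store.check(exe))                # flagged; pin is not updated
        store.accept(exe)                            # user approved the change
        return seen + [store.check(exe)]
```

The result is only as trustworthy as the pin file and the checker itself: anything able to rewrite both the executable and `pins.json` passes as "unchanged".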

Not really if the CA bans you.

But like I said. It isn’t and doesn’t claim to be a silver bullet catch all.

With regards to doing it manually, how do you know your boot loader wasn’t compromised? Or the hashing program?

Do you run everything as root?

Suggest reading

Bans are an inconvenience at most.

You can do key signing for your bootloader without having to rely on Microsoft to provide the keys. You could set those up yourself, exactly the same as if Microsoft did it, except you know it’s your own keys that no one else knows and is therefore actually more secure.
The gatekeeping is literally just a poison lie that reduces security so that large corporations can control all the software that’s allowed to exist.

Please stop trying to strawman. Multiple access levels for security absolutely is a legitimate security protocol that has nothing to do with code signing on any level and should not be equated in any way. It’s disingenuous to even bring it up.

I bring it up because the arguments against code signing requirements with a system level root of trust boil down to it not being a 100% effective solution. Which it never claims to be.

No? My argument is that it’s worse than no solution long-term, because it’s not as effective as it claims to be, and is clearly designed to lead to gatekeeping software universally.

strawman

noun

  1. Alternative spelling of straw man.
  2. An effigy in the shape of a man to frighten birds away from seeds.
  3. A weak or sham argument set up to be easily refuted.
  4. A person used as a cover for some questionable activity.

That’s your opinion - and yet in the real world the most secure computing platform for consumers is iOS and it is due to the requirement for signed code installs + vetting prior to issuing certs via the app store.

iOS is literally known to be one of the least secure platforms for consumers, though.
Observation is not opinion.

Hi, I can’t stand Apple’s “our way or no way” mentality locking things down, but I would like very much to know what you mean by the above, unless you are jesting, getting incrementally more silly.

If it is a serious comment, do you mean Apple too freely allows user privilege escalation? Or too easy access to security components a user may disable? Or side loading apps? Or insecure hardware? Or the CSAM thing they didn’t implement?

I am surprised to hear this take, and wonder if there is a scale somewhere showing like percentages of iDevices compromised or apps that are malicious being higher than Google’s as an example?

I would strongly posit that for Consumers Windows is least secure, by default. Which is why there are so very many third party companies and apps to lock down enterprise versions.

I know the thread has gone off topic anyway, but the topic was not so much of a discussion, as it was a rant…

Summarized: Apple is actively hostile to third party security reports, tries to suppress news about Apple-related exploits, is slow to patch, or outright refuses to patch exploits, or properly compensate the reports as to their own terms, on top of being very secretive about everything happening inside their OS.
If someone doesn’t see why that’s less secure than openly disclosing known vulnerabilities, rolling out quick and timely patches before known exploits are being abused rampantly, well, whatever I guess.

The only thing less secure than iOS on the market is Android, and that’s more to do with the lack of updates for older Android devices rather than Android itself being less secure, or Google’s work on securing Android.

idk, maybe y’all are just messing with me because it’s funny to see the silly internet nobody rant about the obvious?

Yup, looks like I’m just being trolled.

1 Like

So no,
edit: the following was uncalled for, and not nice: just reee, apple bad. You do you boo.

To expand, all undisclosed vulnerabilities against all systems are Zero Days.
It’s a buzz word, until disclosed

Windows is a complicated mess with many Zero Days, which remain so, until they are reported.
It is expected, and not given attention.

iOS has buggy code, and a load of Zero Days, but is held to a higher standard, so you see more of the reports.

Android is a buggy mess, and the vendors delay updates, and fail to release updates for aged devices

Linux is a buggy mess with a bunch of undisclosed vulnerabilities, and older, unpatched versions are installed in Billions of devices, keeping vulnerabilities around for decades…
I’m not saying any are good