Posted on 06/28/2024 11:02:47 AM PDT by ShadowAce
I've been pointing out Windows security bugs since Windows for Workgroups showed up in 1992 and I showed how you could steal data from your coworker's spreadsheets using Object Linking and Embedding (OLE). You'd think Microsoft would have figured security out by now.
But no. It's only gotten worse – much worse.
In June 2023, Chinese hacking group Storm-0558 stole US government "secure" messages from Microsoft's Exchange Online. I was only surprised that the Feds managed to catch them – Microsoft certainly didn't figure it out.
Former senior White House cyber policy director AJ Grotto said it best: he asserted it was fair to classify Microsoft and its products as a national security concern.
Think about it for a minute. What other business could get away with having products that are so bad that every month – every month – we have a day, Patch Tuesday, devoted to the latest fixes to their seemingly endless flaws?
These problems don't tend to be small corner cases either. No, take for example the latest one: CVE-2024-30080, a Microsoft Message Queuing (MSMQ) remote code execution (RCE) issue, which earned a 9.8 out of 10 CVSS severity rating. A 9.8 on that scale, for those who don't know it, is a "Patch it now or you will be pwned" level.
Let's not forget CVE-2024-30078, a Wi-Fi driver remote code execution hole, rated 8.8. Microsoft admitted this one could enable an attacker to hack your PC to remotely, silently, and wirelessly run malware or spyware.
Boy, does that make me feel warm and fuzzy about Microsoft or what!?
Really, that's just life with Windows. In the decades I've been covering technology, I've seen this level of security crapola over and over again.
What's really annoying me today is the security holes Microsoft is adding – by design – into Windows.
I mean of course Microsoft Recall. This delightful AI addition to the next generation of Windows PCs would have taken regular snapshots of everything you do on your computer.
Let me emphasize the word "everything." Your bank account numbers, your passwords, your cheat codes, your My Little Pony porn stash, how much money you lost betting on real-life ponies, etc. What would your partner think if they could scroll through your entire online life? Your mom? Or your boss using Microsoft Purview?
GDPR? What's that?
But, hey, who needs to worry? It's all safe on your computer, right? No one could get into your PC over Wi-Fi and start hoovering up all your Recall data, right?
Oh, wait.
Recall, which will now be optional, is a security hole pretending to be a feature. Even if it were not such an invitation for privacy invasion, I'm hard pressed to imagine what practical use it would be for anyone. We have more than enough useless data clogging up our drives without adding even more.
Finally, thinking of over-filling our storage, in another "What were they thinking!?" moment, with the latest releases Microsoft made it nigh on impossible to install Windows 11 without a Microsoft online account. I'm not happy about that, but I could tolerate it.
What I can't stand is Microsoft automatically sets up OneDrive to back up my folders whether I want it to or not. Not cool, Microsoft! Not cool at all. If I want to back up my files, I'll decide where I want them to go – not you.
I only have 5GB of free OneDrive storage, while I have terabytes of data in my personal directories. And, no, I won't be paying you for more storage, thank you very much. Instead, I'll use one of my Rocky Linux servers running Nextcloud, and I won't have to worry about Microsoft looking over my shoulder.
Besides, consider what the OneDrive automatic backup could do if paired with Recall? I, for one, don't want all my files open to Microsoft or Windows hackers. Do you?
Is it any wonder I've been a Linux desktop user for over 30 years? The only question I have is: Will any of these latest Windows security fiascos finally get the rest of you to join me? I mean, how much punishment are you willing to take? ®
It probably depends on what exactly you use computers for.
We changed and found Linux (Mint) to be very easy to use; the user interface is not much different from Windows. You just have to spend some time learning the little differences that do exist in some particulars of Linux programs. We’ve been very happy with it, never had a problem. I haven’t found anything I wanted to do for which I couldn’t download a Linux program.
"Security-By-Design" needs to be required by federal law.
The Free Republic website allows for posting text, showing pictures and movies, and collecting money.
Many of us are here because the site is rather free of annoyances (excluding fighting the Ukrainian-Russian war in the USA as well).
One wonders how the IT landscape would have developed if CP/M would have become the O/S of choice instead of MS-DOS.
I always uninstall OneDrive whenever I load the office suite. I don’t like it either.
You can see what your choices are and what you might have to do."
OK, with all due respect I have to think you might be misunderstanding what Linux is really like now. If you mean menu based are you describing a full Graphics User Interface with graphic menus to point and click and such? You may have an assumption that Linux is just a terminal where you have to enter commands in a command line to use it. If so good news... Linux is NOT like that anymore.
The current Linux distros are a full Graphics User Interface just like Microsoft, and one no longer even needs to use the command line terminal at all unless you want to do some higher level technical work to it like building your own VPN server Etc. It is all point and click and drag and drop just like Windows.
There is a prevailing myth that just keeps hanging on and on that to use Linux you have to learn to code and use a command prompt in a terminal like DOS was. It is just not true, maybe 20 years ago, but not any longer.
I run Mint and it is almost exactly like Windows 7 in use. Anyone who has used Windows 7 can jump right on it and fly with no problem. The menus are all similar in usage and do the same things for you.
But you can do much more with Linux because it belongs TO YOU not Microsoft.
Eh, I disagree. We don't need government authoritarians deciding what we get to see, or how "secure by their definition" it is.
OTOH, a web service that could evaluate a given website from the outside and make an assessment of its security is useful, if its use is strictly voluntary. There are a number of such services that evaluate websites based on known vulnerabilities; this is not an original suggestion.
> The Free Republic website allows for posting text, showing pictures and movies, and collecting money. Many of us are here because the site is rather free of annoyances (excluding fighting the Ukrainian-Russian war in the USA as well).
FreeRepublic.com is a shining good example of "Security-By-Simplicity", which is a form of "Security-By-Design". It has a relatively tiny "attack surface", and very few (maybe no) ways it could be hacked at the GUI.
In over 25 years of operation, while it has withstood many DDoS attacks, and undoubtedly has been a constant target of Leftist hackers, I'm unaware of any time it has been compromised due to a security flaw.
Pinging John Robinson in case he has a comment, or wants to take a bow for the excellent site he made. :-)
I like Linux Mint. The only problem I have with it is that it doesn’t communicate very well with my network. Mint 18 was the last one to navigate it with no problem, but that distro is outdated now. Mint 20 was very problematic in that regard, and so was Mint 21. Other than that, I like it, and when I no longer have a need for a “Windows” machine I’m going to completely change them all to Mint.
“We’ve been very happy with it, never had a problem.”
Same here, it is just cool...
And like the energizer bunny it just keeps going and going and going... :)
The one thing I thought of using it for that was a problem, was a craft machine I was interested in buying which only ran on MS compatible software. But then I found another machine where that wasn’t a problem. Maybe there’s a Linux program for the first one by now; people are always writing stuff for Linux.
It is hit and miss with drivers for MS specific machines like that. For the APP if it comes one sometimes you can run the control app in “Wine” which as you know is like an interpreter between Linux and MS apps. But the drivers are sometimes the problem and hard to cure. I have contacted the maker of the machine and sometimes found they DO actually have a Linux driver for their equipment and will send you the file so you can add it to your drivers library. Did that with a couple old printers back a few years ago. :)
Changed out wife’s windows machine for a Linux Mint machine a few days ago. Microsoft finally irritated my last nerve. She’s doing OK with it.
Her old windows machine is now a unix (FreeBSD) machine.
For those who want to take a look at Linux Mint, the standard download allows you to boot up Linux without affecting your windows installation using a thumb drive.
Thank you. You made an important point. When you run Linux from a stick it is inert and does nothing at all to the windows OS or internal drive. So it doesn’t hurt anything to plug it in and play with it.
And here is a tip, when you have a windows PC crash you can also use this Linux stick to go save your files off to other sticks/drives before you reinstall the windows again. Because if not windows will force you to lose everything.
So everyone should have a portable Linux stick around even if it is just to retrieve files when their MS crashes. This is about the only way to retrieve files like this and not lose them all.
But if they made it secure, how would they get your data to sell?
If it sounds too good to be true...
...your personal information is being bought and sold by people who DO NOT have YOUR best interest in mind...only THEIRS.
I normally agree.
However, there is no requirement, no option, no request to enter any data when you download a distro.
There is no requirement, no option, no request to enter your data when running Linux. There is no option or request to use any kind of personal account when installing or running Linux.
There are enough users out there with the expertise and knowledge to look for anything in the code like that, and NO ONE has ever come forward with a suggestion or hint that the OS is stealing any kind of information.
So you can relax a little. Just be careful of any apps you download and install.
Meanwhile, what I distrust the most is my Android smartphone (which I consider vastly inferior for most computer functions, as enhanced). And much due to smartphones being used more than PCs, then we have these reports:
Aug 15, 2023 — Mobile security threats are on the rise: Mobile devices now account for more than 60 percent of digital fraud, from phishing attacks to stolen passwords.
Data Privacy: Your Phone Carrier Knows More Than You ...- https://www.cnet.com/tech/mobile/data-privacy-your-phone-carrier-knows-more-than-you-think-how-to-take-back-control/
How To Know if Your Phone Is Hacked (13 Alarming Signs) - https://www.aura.com/learn/how-to-know-if-your-phone-is-hacked
Windows isn’t free.
Too bad, I switched to Linux around the end of last year.
I would like to add that the main thing as you point out is that the Linux open source code is peer and user reviewed in search for any and all security leaks because they personally don’t want any either. And they can do this because everyone can read it if they like, it is an open book and nothing can be hidden in it. There are no secrets.
The only data leaks would not come from the Linux OS itself, it would have to come from a personally chosen 3rd party app like browsers. Browser spying is a universal data collection problem no matter what Operating System you use. Because of the limited browser options, and because very few can be trusted, it is a universal internet problem users of all Operating Systems are dealing with right now. Both windows and Linux users equally.
“Nothing is free”. Linux is almost too good to be true because it is indeed free with no obligations or hidden costs even data collection. How can they do it then? The whole concept is based on tips if you want to give them in appreciation. The OS and app developers accept tips for their gracious work. And some apps are partially featured and usable but with the option to buy the fully featured more powerful version similar to the old days of shareware.
The most important thing to realize in perspective is that the developers are not really doing it to get rich, they mainly do it because there is a common universal hate for proprietary products like Microsoft. As it is with the users who use it.