What are you trying to say? Windows was the target of three out of six successful exploits, four if you consider the platform-agnostic exploit on Virtualbox.
The point I try to make to people still stuck in the "OS-loyalty" mindset is, all OSes are vulnerable by default. What matters is what measures you take to protect yourself. If you take no measures, then you have misunderstood security and privacy.
I did say I try to make the point, but brand loyalty is very difficult to talk over.
Dunning-Kruger has a substantial effect over Linux users, it seems. I say that as a Linux fanboy. You are 100% correct. Linux (especially certain distros) is not secure by default. Especially for as long as the user-friendly distros aim to minimize configuration, without harming convenience. Which is to say always.
- more likely to be blocked by web filtering
- the TLD is intended for "risqué content" according to the registrar
- the TLD is more expensive due to the novelty, a novelty which negatively impacts the reputation as indicated here by some.
Social reasons:
- It can lead to awkward situations when browsing or sharing with others if people assume the content to be related to the URL.
You mean, other than the obvious reason that any corporate firewall will probably block it and send notifications to your manager?
I mean, do whatever, but there's a certain irony to something which is about privacy and security forcing you to pollute your search history with the word 'sexy' in a way that you cant control locally.
"sexy" is so whitebread it's on daytime tv and op-ed headlines. Other cultures are already exposed to this if they are consuming Western media in the first place, how they deal with it is on them.
Their being shy is of no consequence, it doesn't necessitate an imperative for self-censorship on the part of the Westerner on the conceit that some outsider interest groups hypothetically might not like x/y/z.
EDIT: This is according to the HN guidelines: “Please don't complain about tangential annoyances—things like article or website formats, name collisions, or back-button breakage. They're too common to be interesting.”.
It is a useful resource but as others have pointed out the TLD will be blocked by many software/browsers and inhibit the broad distribution of the content via that fqdn.
We've banned this account for taking HN threads into flamewar hell after we asked you not to do that.
If you don't want to be banned, you're welcome to email hn@ycombinator.com and give us reason to believe that you'll follow the rules in the future. They're here: https://news.ycombinator.com/newsguidelines.html.
"carries far more weight than it really should in our society"
If it should or shouldn't carry the weight is irrelevant, "Sexy" does carry weight so surely the problem is obvious.
Besides, speaking from first hand experience, historically 'sexy' content on the internet usually came with a Malware/Virus, not a good association when the intention is to run scripts that make significant changes to your computer configuration, all for a novelty that lends nothing to the product.
With that being said, I have no issue with it personally.
The answer probably depends where you live. Stereotypically, Americans are afraid of sex, and Europeans are afraid of violence - for example many video games released in Germany were modified to have green blood.
My take: both sides of the pond need to lighten up
"Please don't pick the most provocative thing in an article or post to complain about in the thread. Find something interesting to respond to instead."
All we get out of generic tangents like this is a tedious, offtopic subthread that often ends up being much larger than the on-topic discussion, and usually descends into flamewar after a while—perhaps because the mind resorts to indignation to amuse itself in the absence of anything interesting (https://hn.algolia.com/?dateRange=all&page=0&prefix=true&sor...).
It is a useful resource (the more people are aware the better kind) but as others have pointed out the TLD will be blocked by many software/browsers and inhibit the broad distribution of the content via that fqdn.
Thank you.
Looks like it handles a lot of items 'Shut Up 10' and 'Windows 10 cleaner' does. Great to have everything rolled into one spot, customizable, and easy to understand. Great work.
Some of the choices are neither privacy nor security improvements. Take quarantine or integrity protection or signature validation for example. Those three alone limit drive-by binary malware rather effectively.
The only thing one could argue for in a privacy oriented manner is the signature validation with OCSP checks since it somewhat leaks what signature owners you're trying to check. But without it you'll never be able to find out if a signature was revoked, including self-signed signatures.
It's a tradeoff. You can have your built-in anti-malware, or you can choose not to leak information on the files you open. Which is more important is not a "one size fits all" situation. If you shut any of that off, you should be aware of the implications, as it is a potential footgun.
It's good that things with security ramifications are separated, but they must be used with care.
I've found one of the easiest ways to enforce privacy on Windows is using the Local Group Policy Editor, which can then be backed up using LGPO.exe from the Security Compliance Toolkit and re-imported to other machines. Another option is PowerShell Desired State Configuration which you can then use to backup your local GPO into a MOF file, and reapplied to multiple machines or even added as part of an unattended setup:
I'm glad other people are working on tools, but you'll probably realize sooner or later that a few registry edits are not sufficient to maintain privacy, and policies are really the better approach.
They are not just written to the registry but stored in a .pol file, and not all policies are easily managed via the registry. There are hundreds of policies that impact security and privacy. With policies you can easily print a report of what is changed with descriptions, and see deprecated policies or misconfigured ones. I'd recommend anyone to try it out and see the difference for themselves as to why it is much easier to manage these using local group policies vs a bunch of registry entries.
There are too many to really point out any in particular. Here is an LGPO text file for my machine policies. These can be converted to a Policy Analyzer .PolicyRules file using LGPO.exe I believe to get more input as to what they are used for. You also have to add those policy templates (ADMX), which I have a few added for Zoom, Chrome, Firefox, LibreOffice, Office, Edge, etc.
I love it, but my work issued PC won't let me run any of the .bat files generated or install other FOSS apps such as freetubeapp.io. I wish I knew a way around Windows Defender Smartscreen managed by my company.
One of the quickest ways to get fired is to try and circumvent your work computer stuff, better to find another job where they dont lock you down so hard.
That depends on what you are doing and your position. IT must expect senior hackers will try to find ways to improve their setup. I wish more companies would recognize that it is not wise to have their workers surveilled by external companies and instead setup these machines with tight privacy by default.
If you can install and use virtual machines you can use hypervisor escapes - any company that lets you do that probably isn't in the list of super locked down envs (or if it is its probably for a great reason.)
I do use a Linux PC for all personal stuff. I still want to make my work life a bit more private since MS seems to have made a business of knowing everything they can about workers.
I'm curious, does the company-issue PC also prevent you from opening CMD and PowerShell? (If not, you can probably paste the commands directly there; or create a .bat file yourself as suggested in a sibling comment. But as another comment points out, trying to circumvent company restrictions is risky. Ideally you'd just have to ask IT to do it for you, until they get tired of fulfilling your requests and give you access to your machine.)
Depending on your field this could be a "yeah duh" comment for you, but there is a whole set of related tools and standards for this that's common when you're doing compliance-related cybersecurity, especially on server OSes.
The ones you mention can be had on Linux too (optionally, as everything, of course). But one place where the Linux ecosystem is really behind is running untrusted applications.
And, yeah, maybe I should have been more clear, as you note, they are usually an option, not the standard. Full disk encryption is the standard on MacOS. With Linux, like so many things, you never know what you're going to get. Secure boot took some work to setup on Ubuntu, but works relatively flawlessly. Immutable root filesystem is something you can do with Fedora Silverblue and a few other distros, but it's nowhere near the standard it is on MacOS.
And that's what I mean by years behind, sure you can do basically anything on Linux, but, if it's not the standard, is it even practical enough to be workable? Linux, for lack of a better word, bigots (and I'm a huge Linux fan!) may call MacOS is a toy OS, but, for a laptop, how much work does it take to get Linux to the point where Linux's practical security is similar to MacOS? Lots, and lots, and lots.
I have not tested this app. Does it give the person running it a clear explanation of all the potentially positive and negative ramifications of the changes? If not then I think that should be a high severity enhancement. Maybe that could even be a discussion thread in and of itself here on HN giving feedback to the developer what could go wrong with each change. e.g. functionality breakage, security impact, auditing impact and so on.
Privacy, not security. This removes features that call home.
Those features are not disabled in their "standard" preset which they present as "recommended for everyone".
To disable gatekeeper, you need to use the "strict preset" which they describe as "not designed for daily users, it will break important functionalities".
FWIW, the settings you refer to are under a section entitled “Privacy over security”. Though I’m not sure there’s a strong privacy argument for disabling automatic updates or the offline-only things like (I think) Quarantine. Gatekeeper, though, as I recall, does send information about all binaries being opened.
Gatekeeper performs online checks to verify if an app contains known malware and whether the developer's signing certificate is revoked. Gatekeeper, file quarantine etc. are security features also designed for data collection to learn about the files and applications you have in your computer (built in anti-malware on macOS and Windows provide them a perfect excuse to harvest all your file name and file hashes to know more about you). When automatic update is enabled macOS phones Apple periodically, leaking info like your geolocation and network etc.
You click on options and it generates code that is clearly readable on the right panel. You then have the option to copy paste it yourself or download the file. Then you can read the generated bat file before running it.
78 comments
[ 4.0 ms ] story [ 176 ms ] threadThe Annual Pwn2Own contest seems to easily crack Mac and Linux, for example
https://www.zdnet.com/article/windows-ubuntu-macos-virtualbo...
I did say I try to make the point, but brand loyalty is very difficult to talk over.
I mean, do whatever, but there's a certain irony to something which is about privacy and security forcing you to pollute your search history with the word 'sexy' in a way that you cant control locally.
It's just my opinion anyway.
EDIT: This is according to the HN guidelines: “Please don't complain about tangential annoyances—things like article or website formats, name collisions, or back-button breakage. They're too common to be interesting.”.
Thank you.
If you don't want to be banned, you're welcome to email hn@ycombinator.com and give us reason to believe that you'll follow the rules in the future. They're here: https://news.ycombinator.com/newsguidelines.html.
It is just a word. A word that carries far more weight than it really should in our society.
I kinda like the idea of "privacy is sexy" which is how I read it.
The only possible issue is I can see some companies blocking it due to "Sex" but that's their issue with way too strong rules.
If it should or shouldn't carry the weight is irrelevant, "Sexy" does carry weight so surely the problem is obvious.
Besides, speaking from first hand experience, historically 'sexy' content on the internet usually came with a Malware/Virus, not a good association when the intention is to run scripts that make significant changes to your computer configuration, all for a novelty that lends nothing to the product.
With that being said, I have no issue with it personally.
1. Arousing or tending to arouse sexual desire or interest.
2. Highly appealing or interesting; attractive.
3. Having sexual appeal; suggestive of sex.
While #2 might be the intent, there are much better alternative choices for links that I could
* send to my 10 year old niece who is interested in tech
* share with co-workers or on company forums
* use without hassle from automated filtering/proxy/scanning tools for a TLD that is associated with adult content
- Privacy is sexy
- Don't let Microsoft kill privacy
The answer probably depends where you live. Stereotypically, Americans are afraid of sex, and Europeans are afraid of violence - for example many video games released in Germany were modified to have green blood.
My take: both sides of the pond need to lighten up
https://news.ycombinator.com/newsguidelines.html
All we get out of generic tangents like this is a tedious, offtopic subthread that often ends up being much larger than the on-topic discussion, and usually descends into flamewar after a while—perhaps because the mind resorts to indignation to amuse itself in the absence of anything interesting (https://hn.algolia.com/?dateRange=all&page=0&prefix=true&sor...).
The only thing one could argue for in a privacy oriented manner is the signature validation with OCSP checks since it somewhat leaks what signature owners you're trying to check. But without it you'll never be able to find out if a signature was revoked, including self-signed signatures.
if a certificate was revoked
(Just to prevent confusion. Someone might think that it’s possible to revoke individual signatures.)
It's good that things with security ramifications are separated, but they must be used with care.
I also can't figure out what the "REVER" option does on some entries.
Resizing the window doesn't seem to do anything, the program is fixed in the middle at a certain size.
https://docs.microsoft.com/en-us/powershell/dsc/quickstarts/...
I'm glad other people are working on tools, but you'll probably realize sooner or later that a few registry edits are not sufficient to maintain privacy, and policies are really the better approach.
https://windowsreport.com/enable-gpedit-windows-11/
https://dpaste.com/ARRBCVVXN
There's SCAP https://en.wikipedia.org/wiki/Security_Content_Automation_Pr... then a popular set of tools that implements it, for example: https://www.open-scap.org/tools/ However the rulesets "profiles" are flexible, one popular one is CIS.
Glibly pretending it ain't so isn't making Linux better.
First, agreed re: untrusted apps.
And, yeah, maybe I should have been more clear, as you note, they are usually an option, not the standard. Full disk encryption is the standard on MacOS. With Linux, like so many things, you never know what you're going to get. Secure boot took some work to setup on Ubuntu, but works relatively flawlessly. Immutable root filesystem is something you can do with Fedora Silverblue and a few other distros, but it's nowhere near the standard it is on MacOS.
And that's what I mean by years behind, sure you can do basically anything on Linux, but, if it's not the standard, is it even practical enough to be workable? Linux, for lack of a better word, bigots (and I'm a huge Linux fan!) may call MacOS is a toy OS, but, for a laptop, how much work does it take to get Linux to the point where Linux's practical security is similar to MacOS? Lots, and lots, and lots.
How does disabling Gatekeeper, File Quarantine or automatic updates make a MacOS system safer? It looks like the opposite !
Those features are not disabled in their "standard" preset which they present as "recommended for everyone".
To disable gatekeeper, you need to use the "strict preset" which they describe as "not designed for daily users, it will break important functionalities".
Gatekeeper performs online checks to verify if an app contains known malware and whether the developer's signing certificate is revoked. Gatekeeper, file quarantine etc. are security features also designed for data collection to learn about the files and applications you have in your computer (built in anti-malware on macOS and Windows provide them a perfect excuse to harvest all your file name and file hashes to know more about you). When automatic update is enabled macOS phones Apple periodically, leaking info like your geolocation and network etc.
It's not JS either.