Imagine hacking into a key supplier's driver software and sneaking in defective metadata to Windows Update. Wouldn't this result in mass installation on various systems? Sounds like a serious vulnerability in security.
chaining accessing a likely air-gapped rsa private key to sign the malformed update with an already unlikely attack vector of a metadata parsing exploit itself means this is pretty pie in the sky
I expect that many of the players have their private keys not only on accessible machines but also likely under version control. Probably on a cloud platform.
I always liked imagining big players like Apple, Sony, Microsoft, Nintendo, etc.. taking absurd measures to protect their private signing keys, something like that Coca-Cola recipe vault.
I've seen some documentaries implying that about some of the root keys for things like certificates, but you know that there are some laying around in easy to use format ...
That was my assumption considering that is exactly what we did do for our covid certificates. Ran on the same infra as passports which is gold standard.
You can split any key into x/n pieces that require x outta n keys to approve a transaction.
All senior dev's, physical locations, board members, hell, even all stock holders, could cryptographically vote via an agreed upon method for any actions.
> chaining accessing a likely air-gapped rsa private key
Unfortunately, who knows if that's the case? Whoever was behind Stuxnet managed to steal the crown jewels of not just one but two different companies. There's a lot of companies with credentials to sign Windows kernel level code out there... which is also the reason why Apple is so insistent on getting rid of kext's - they want to get rid of the entire business model of allowing anyone but themselves to run kernel-level code on ordinary macOS machines.
Presumably because it was a cost saving measure and they agreed with the cost savings, but I wasn't in the room where it happened. So all I can do is speculate unfortunately.
Thank you for the clarification/correction. I see that Myerson is now a corporate raider at the Carlyle Group. Fitting destination for such a capital fellow.
Exactly, and it was the right move too. It's saved MS lots of money, and eliminated a function that just wasn't necessary. The users can do the QA; why should MS pay money for professionals to do it? My Microsoft stock price has done great as a result of smart cost-cutting moves like this, and also adding more advertising to the OS.
And it isn't like the users are going to stop using Windows anyway. Some of them will whine and make empty threats about switching their OS "if they keep it up" but nobody actually believes them because they've been keeping it up for almost 10 years now.
Exactly. MS has finally figured out these people aren't changing OSes, probably ever, no matter how much MS abuses them. So why shouldn't MS do this stuff?
The more "oops" things like this get pushed in automatic updates, the more I begin to despise our modern culture of continual updates. This is by no means just a Microsoft/Windows problem either, this affects everything nowadays. My damn Pixel watch suddenly has a bug where if I turn around and walk back down the road I just came on, it rolls back my distance, like an old school odometer that is just tied to wheel rotations.
I'm so sick of having working software one time, and the next time I open it it's broken or worse, has a completely overhauled UI and I don't have time to learn the new way to use it.
As a dev I love CI/CD, but as a user I'm beginning to actively despise it for the UX that it's led to. I think too many people have decided that QA isn't needed anymore because "we'll get bug reports and can patch and deploy them quickly." That's a terrible philosophy and you are bad and you should feel bad if that's how you ship your software.
I've always despised it. I demand control over the timing of updates, and I allow only very few exceptions in any of what I consider my critical infrastructure.
It means I pass on buying or using a lot of modern hardware / software. It also means my PC won't fail the night before a big delivery deadline for a multimillion dollar project for a client (and yes, I also keep duplicate spare hardware and backups to mitigate against regular failure).
> I begin to despise our modern culture of continual updates.
I started fully despising it a number of years ago. I think it's one of the worst fads that has swept through the industry. I hope that eventually it will die a horrible death.
> bug where if I turn around and walk back down the road I just came on, it rolls back my distance, like an old school odometer that is just tied to wheel rotations.
Ah, they must be using the classic physics definition of work, where if you start and end in the same position you didn’t do any work.
(…does nobody at Google actually look at the step number? Isn’t that half the use of these watches?)
Absolutely. I don't trust any software these days. It might work today, but it's only a matter of time before the company outgrows the need to satisfy my requirements and I get left behind.
At least with local software you could keep an older version if you needed to. With everything in the cloud with a subscription model, you can't get off the ride before they drive it off a cliff. Which it feels like they will do more often than not.
My Samsung phone once bricked itself with a forced update. That was fun.
It also downloads updates totally unprompted overnight and gives me a non-dismissable notification about it. I also get toasts at random intervals demanding I restart immediately for the 15 minute update process.
It lets me defer the update for anywhere between 5 and 9 hours before rebooting with no warning and leaving me with a dead phone for 15 minutes.
Absolutely no way to stop it or disable updates. I've gone so far as trying to MiTM the network traffic and blocking the IP it connects to, but it seems to use different addresses sometimes.
I'm never buying a Samsung device again. For that matter, I'm never buying a phone that I can't control.
Not a fan of some corporation remotely bricking my phone with no warning.
This explains the confusing email I got from Microsoft Family Safety last week saying that my child (who uses a locked down Windows PC for gaming) had purchased the HP Smart application from the Microsoft store for $0.00.
Great, I can’t wait for the promised utopia when things are all “joined up” and my PC automatically orders me ten litres of unwanted HP toner when this happens.
> After the printer metadata incorrectly identified everyone's printers as HP LaserJet printers, Windows installed all the software needed for an HP printer to work smoothly, including the HP Smart App.
Tangential, but I absolutely hate printers that force you to install an app (or should I say spyware?) along with their drivers.
Even more tangential, you can extend that to most common peripheral hardware. And it's kinda outrageous an OS would be forcing this down on their users.
Even worse HP scanners need an account for scanning!
On linux there is at least the https://hplipopensource.com/ library which contains the `hpscan` command line utility, which can scan flawlessly without an account or any other weird stuff.
>the move to windows being a service has been a disaster.
No, it hasn't, it's been quite the opposite. The company is more profitable than ever, so much that now instead of saying "FAANG", people are saying "MAANG" or "GAMMA" or some variation.
>I swear task manager lists some new useless daemon taking 3% of cpu after every update
What's wrong with that? Microsoft isn't paying your power bill, you are. It's not their problem. Are you going to stop using Windows because it's slow and hogging the CPU to show you ads in the home screen?
Microsoft updates are also really bloated. Fortunately, Microsoft was able to solve this problem by implementing a feature so your PC uploads updates to other PCs for them. No need to improve update size, users can just share the cost of the update infrastructure. Microsoft updates were always large but then they found out some users weren't installing updates because they didn't have enough hard drive space since the update process is so bloated. Microsoft innovation solved this as well, they just force reserved 7GB of end users (Microsoft's) hard drive so there would always be room. Mark that one as resolved.
These innovations are why Microsoft is such a profitable powerhouse. Maybe Microsoft can install a cryptominer to run on your PC when it is idle and send the money back to Microsoft. It would help pay for the cost of all the improvements Microsoft is always making to Windows. The possibilities are endless.
49 comments
[ 1.6 ms ] story [ 112 ms ] threadThis may be an attack vector, for sure
Microsoft? YOLO with their crown jewels:
https://techcrunch.com/2023/07/17/microsoft-lost-keys-govern...
All senior dev's, physical locations, board members, hell, even all stock holders, could cryptographically vote via an agreed upon method for any actions.
Unfortunately, who knows if that's the case? Whoever was behind Stuxnet managed to steal the crown jewels of not just one but two different companies. There's a lot of companies with credentials to sign Windows kernel level code out there... which is also the reason why Apple is so insistent on getting rid of kext's - they want to get rid of the entire business model of allowing anyone but themselves to run kernel-level code on ordinary macOS machines.
[1] https://en.wikipedia.org/wiki/Stuxnet
I'm so sick of having working software one time, and the next time I open it it's broken or worse, has a completely overhauled UI and I don't have time to learn the new way to use it.
As a dev I love CI/CD, but as a user I'm beginning to actively despise it for the UX that it's led to. I think too many people have decided that QA isn't needed anymore because "we'll get bug reports and can patch and deploy them quickly." That's a terrible philosophy and you are bad and you should feel bad if that's how you ship your software.
It means I pass on buying or using a lot of modern hardware / software. It also means my PC won't fail the night before a big delivery deadline for a multimillion dollar project for a client (and yes, I also keep duplicate spare hardware and backups to mitigate against regular failure).
I started fully despising it a number of years ago. I think it's one of the worst fads that has swept through the industry. I hope that eventually it will die a horrible death.
Ah, they must be using the classic physics definition of work, where if you start and end in the same position you didn’t do any work.
(…does nobody at Google actually look at the step number? Isn’t that half the use of these watches?)
At least with local software you could keep an older version if you needed to. With everything in the cloud with a subscription model, you can't get off the ride before they drive it off a cliff. Which it feels like they will do more often than not.
It also downloads updates totally unprompted overnight and gives me a non-dismissable notification about it. I also get toasts at random intervals demanding I restart immediately for the 15 minute update process.
It lets me defer the update for anywhere between 5 and 9 hours before rebooting with no warning and leaving me with a dead phone for 15 minutes.
Absolutely no way to stop it or disable updates. I've gone so far as trying to MiTM the network traffic and blocking the IP it connects to, but it seems to use different addresses sometimes.
I'm never buying a Samsung device again. For that matter, I'm never buying a phone that I can't control.
Not a fan of some corporation remotely bricking my phone with no warning.
Tangential, but I absolutely hate printers that force you to install an app (or should I say spyware?) along with their drivers.
On linux there is at least the https://hplipopensource.com/ library which contains the `hpscan` command line utility, which can scan flawlessly without an account or any other weird stuff.
No, it hasn't, it's been quite the opposite. The company is more profitable than ever, so much that now instead of saying "FAANG", people are saying "MAANG" or "GAMMA" or some variation.
>I swear task manager lists some new useless daemon taking 3% of cpu after every update
What's wrong with that? Microsoft isn't paying your power bill, you are. It's not their problem. Are you going to stop using Windows because it's slow and hogging the CPU to show you ads in the home screen?
These innovations are why Microsoft is such a profitable powerhouse. Maybe Microsoft can install a cryptominer to run on your PC when it is idle and send the money back to Microsoft. It would help pay for the cost of all the improvements Microsoft is always making to Windows. The possibilities are endless.
I think thats what “antimalware service executable” is