30 comments

[ 4.8 ms ] story [ 74.8 ms ] thread
I wanted this to be good, but upon close inspection of the "source code" you can find various executables, archives as well as a lot of scripts that download files from various urls at runtime, not to mention the atlas themes, background, oem/bios settings, etc. which don't appear to be optional.

I don't think they would intentionally compromise your machine, but at least they're very susceptible to supplychain attacks.

That said, there is a lot of good stuff in the scripts and registry tweaks that I wish could be made available independently.

One would think this is the entire point of Windows Pro and Enterprise, but apparently not.
LTSC is the new Enterprise. No, you can't have it.
Yes you can. Massgrave :)
https://www.vice.com/en/article/m7bv4b/windows-for-gamers-ro...

>An operating system marketed to gamers disables a host of Windows security features enticing users with promises of a smooth gaming experience which they may not realize is opening them up to potential attack.

Most of the virtualization based security measures it disables are, well, described here nicely: https://xkcd.com/1200/
You might want to read the article more carefully. Disabling Defender is a real risk, and the virtualization-based security is used by things like Credential Guard precisely to _prevent_ the problem in that xkcd cartoon. It’s not perfect but when you have a billion PC users each risk mitigation can be preventing a lot of people from having a very bad day.
I think you miss the point. Literally all the documents and information I need to protect are not protected by credential guard or virtualisation based security.
You probably do care about your saved credentials and application secrets, CNG keys, and passkeys, though, and VBS can protect those. I appreciate the humor in xkcd but a cartoon over a decade old is not an accurate depiction of the current state of the art, and while Microsoft may not have gotten as far as Apple has (backwards compatibility for the enterprise is a tar pit) it’s not like the security engineers didn’t laugh bitterly at that when it came out and decide to do better.
AFAIK Credential Guard only protects enterprise login details (think kerberos tickets or NTLM hashes). I don't think any browser or password manager uses it.
It can also protect application domain secrets and CNG private keys, and it looks like they are starting to use it for Windows Hello, too:

https://learn.microsoft.com/en-us/windows-hardware/design/de...

It’s definitely a work in progress but I mostly found it disappointing when someone uses a comic from 2013 to argue against the kind of tools which have been getting built in the subsequent decade to prevent those kinds of failures. I wish we’d go further sooner but at least we’ve broken the assumption many people had in the 2000s that there was nothing you could do about it.

>but I mostly found it disappointing when someone uses a comic from 2013 to argue against the kind of tools which have been getting built in the subsequent decade to prevent those kinds of failures

Practically speaking everything in the comic is still correct. The fundamental problem is that apps aren't sandboxed from each other, so once a malicious program gets on the machine it's game over. VBS tries to protect specific parts of the system, but without app sandboxing it's useless. For instance even if you use VBS to protect a service that can encrypt/decrypt on behalf of apps, all of that's useless when the system can't be assured which app is asking to decrypt the secrets.

Even in the case of windows hello, I'm not sure what VBS is trying to protect. If a malicious program is running on your system, it doesn't need to bypass the lock screen. I guess it's better for privacy because your biometrics are more protected, but it can always control the camera to capture a fresh set of images next time you sit in front of it.

> Practically speaking everything in the comic is still correct. The fundamental problem is that apps aren't sandboxed from each other, so once a malicious program gets on the machine it's game over.

On Windows, perhaps. On Apple and some Linux configurations, it hasn’t been correct for years because they implement app level sandboxing. Windows Sandbox, App Containers, etc. show that the Windows team isn’t ignoring that even though their backwards compatibility problem is much harder.

> For instance even if you use VBS to protect a service that can encrypt/decrypt on behalf of apps, all of that's useless when the system can't be assured which app is asking to decrypt the secrets.

There’s no technical reason why it can’t verify the app - indeed Chrome just started to do this to prevent infostealers from grabbing cookies – but also note that it’s still an advantage if malware can’t get the private key because that’s protected by VBS. Things like what password managers have done for years to require a handshake or rate-limit help to shift from the attacker getting everything effortlessly to only getting some things they specifically request or the first n things they try.

Look, I am not going to install it on my machine and I think a business would be insane to allow it on their servers, but I can also recognize that I am not exactly their market. If I want 10% more performance I can make that happen using my AMEX. I read this and I think “14 year old with a hand me down who wants to be epic” and I can respect that. I remember being a kid and wanting just a little more out of my machine to run the latest and greatest.
So AltasOS is the 2024 equivalent of Windows XP Gold Edition? Granted, it does appear to have a nicer theme.

https://crustywindo.ws/Gold_Windows_XP_2016

(comment deleted)
Not really. Atlas contains a bunch of non-visual windows tweaks that so far as I can tell windows xp gold edition doesn't have. The only two they have in common is that they're both modded versions of windows.
That's true. My comment was made in jest at both being questionable Windows mods. The privacy tweaks (changing GPO policies to disable telemetry) have some merit, but IME "performance tweaking" Windows is in placebo territory. I went through that phase in my teen years when trying to squeeze more performance out of a Athlon 64 box so that I could play Team Fortress 2 at a reasonable frame rate... :^)
It appears to boil down to powershell scripts and "playbooks" that disable services, and one that installs LibreWolf?

Much more simple project here that "debloats" Windows 11: https://github.com/Raphire/Win11Debloat

Atlas seems to be doing quite a bit like downloading archives, unzipping them, and installing executables.

How can you reassure me that those scripts and mods don't contain some malware injection or something else ?
How can you reassure me that a random project by the name of AtlasOS doesn't contain some malware or something else?
Exactly, that's the same question. At least the parent I replied too is a bunch of open source scripts that anyone can monitor. But I'm not sure I'd install a closed source OS
I've been through a Windows tweaking phase, trust me, it's a waste of time. All these Windows "distros" do is make weird placebo registry edits that are guaranteed to result in system instability.

The best way to use Windows is just not to fuck with it. Default install, don't log in during setup, don't run any "debloat" placebo-ware and your computer will work just fine. If it gets slow or you get errors just nuke it and reinstall.

> nuke it and reinstall

ah that brings back memories! I think the last time I even thought about that kind of thing was before installing nixos around 2016.

it's such a weird concept now!

Been through the options ranging from "run as default" to "tweak to within an inch of its life" which results in having done lots of nuke and reinstalls.

The answer I've settled on, which has kept me slightly more happy and stable for a number of years, is Linux (primarily Pop_OS).

lol at everyone hereabout "disabling defender".

the copy on the site opens with "F... windows". the target demographic is running pirated games and keygens. they already disable defender.

A good summary for why I flagged the submission on this open, free, and otherwise useful project:

> I wanted this to be good, but upon close inspection of the "source code" you can find various executables, archives as well as a lot of scripts that download files from various urls at runtime, not to mention the atlas themes, background, oem/bios settings, etc. which don't appear to be optional. I don't think they would intentionally compromise your machine, but at least they're very susceptible to supplychain attacks. That said, there is a lot of good stuff in the scripts and registry tweaks that I wish could be made available independently.

So Atlas guys, if you hear that, please split it into safe and potentially problematic parts so that the user can have a choice.