As a Linux user I have kept Windows 7 & 8 partitions in my laptop and workstation disks for years because there used to be a time when you needed Windows at work for some programs to work and some documents to open.
Windows 10 upgrade push made me realize that that time passed a long time ago. Last time I booted to Windows for any reason other than playing a game was seven years ago. LibreOffice works well with MS documents and you can always use them from Google Drive.
I don't get the general negativity around Windows. Variety, for me, is a good thing. Every OS has its strengths, weaknesses and use-cases.
I know the argument is often framed as open vs closed source ecosystems but I think and hope that ultimately having more options and more variety is good and interesting for us.
Windows does deservedly get a lot of stick for its past issues (windows rot etc) and present issues. However, I think ultimately what we learn from these scenarios is extremely beneficial for a lot of people.
As a Web Developer I hated IE 6. I still do. But, I have to admit that it taught me a lot. It taught me about the box-model. It taught me how to debug JS before the days of Firefox/Firebug. I know this was not by design or intention and I know this is easier to say in retrospect.
I can imagine a lot of people working in info-sec learnt a lot from the various failings of Windows and other platforms too.
I guess my point is don't be negative for the sake of it. If Windows is bad, I hope it improves. Same goes for all technologies. I'm a Chrome user but I still love to run Opera, Firefox and Edge now and then because I enjoy different experiences and love playing with new apps and features. I also have a MacBook for work and an Ubuntu partition. I enjoy using them all.
>I'm a Chrome user but I still love to run Opera, Firefox and Edge now
Chrome has never actively tried to uninstall/remove competing browsers or corrupt your ability to reliably run them, I distinctly remember my own install of Windows 10 destroying my bootloaders set up by Linux and uninstalling applications automatically. Although it has shown the ability to send as much information as it wants back home.
>If Windows is bad, I hope it improves.
I'm sure people in 2001 were saying the same thing about Microsoft and it appears they are emulating it again.
> I don't get the general negativity around Windows.
For me, it's that the system is completely closed and opaque, and there routinely isn't much I can do about it.
Not saying the other guys are perfect--far from it--but at least I can take a crack at changing things. Windows is the most closed-source OS I run (more so than OSX). When it doesn't do The Right Thing, I can get very negative.
And to your point, I feel I've learned much more from OSes that expose the internals and let me mess with them, than those that don't.
For your listed use case of gaming & document creation.
There are a lot of niche applications that are Windows only. All major CAD platforms, a decent chunk of FEA packages, hardware vendor software, etc. At the professional level, Windows still has quite the grip.
I think even the idea that Linux is a solid alternative to Windows for gaming is still a joke. It's immeasurably better than it was even just 5 years ago, but outside of Valve, indie devs or smaller studios, we're not seeing a lot of linux ports. And when we do they seem clunkier, somehow. And sometimes I just want to pop into some obscure resource management game from 2006 without sacrificing a goat and praying to WINE gods that it'll work.
From a professional standpoint, I'm still tied to Windows because of Adobe's choice not to port to Linux. Inkscape and Gimp are okay, but when you're the only one in the company running Linux, what's the point?
I wouldn't say, it's a solid alternative for everyone, but for some people, it can definitely be.
I for example like indie games. As a result, and probably with a bit of luck, 80% of my Steam-library had Linux-support when I jumped into Linux.
And, for a game from 2006, you'll probably have to pray to the Windows-compatibility-mode gods at this point, too. I actually wouldn't be surprised, if it worked better under WINE...
> And, for a game from 2006, you'll probably have to pray to the Windows-compatibility-mode gods at this point, too. I actually wouldn't be surprised, if it worked better under WINE...
That's just not true. I've got plenty of games from 2006 and earlier that run just as well as they originally did. Sure Oblivion crashes, but it did in 2006. Half-Life 2 runs pretty darn well. Company of Heroes? Yep. Dawn of War and the expansions? Sure.
In fact, my overall gaming experience on windows 10 is far better than it was on windows xp and vista. Less overall crashing, and I never get bluescreens any more.
For what it's worth, I find a lot of older games I try to run on Win 10 crash, or don't work 100%. KOTOR, for instance. So while I can get a lot to work more or less flawlessly, that's more-or-less a tie with wine.
And most of those vendors were windows-only because their customers, their suppliers were windows only. But that knot seems to be loosening.
Windows still dominates on workstations, but that no longer locks people in like it used to. Some user-interfaces can be pushed onto the web or mobile apps. Suppliers further down the chain are now as likely to support Linux as Windows.
My employer is a hardware vendor, our software is turning out Linux-only for the foreseeable future. Of course the office PCs for us and most of our customers are Windows, but this is workable because of all kinds of (mostly network based) interoperability that has grown up over the years.
Yeah, it's the only reason I have a Windows laptop (or desktop) - I teach music technology, and that means a DAW which works - in my case Cubase - so unless Steinberg changes their mind on supporting Linux (which seems massively unlikely given the amount of effort needed to get it working properly), I'll have to have a Windows machine for the foreseeable future; everything else I do is done on my Chromebooks (one Chrome, one GalliumOS).
In case you haven't heard about it: Bitwig Studio works effortlessly on Linux with a great feature set. The workflow is more similar to Ableton Live than Cubase though.
I've heard about it, but there are a number of problems - firstly, as you've said, it's more Ableton than Cubase, and I've spent a fair bit of time trying to get on with Ableton (I regularly work with a producer who uses it), but alas, having spent 20 years+ using Cubase, it's difficult for my addled brain to make the shift in paradigm, and things which are just "natural" now in Cubase involve a lot of thinking to remember how to do in Ableton.
Secondly, plugins - there are a heap of free and paid plugins that are Windows-only that I'm not sure will work in Linux (I know about being able to bridge them, but even 32/64 Windows bridges have issues!) - having said that I've not tried this lately, so hopefully there's been some good progress.
Third, and probably most intractably - it's a big enough ask to get school IT departments to support 'odd' software like Cubase; getting them to support Linux, alas, would be infinitely unlikely, so I'd still need a Windows PC to support my teaching work (which is my main income).
Thanks for the tip, though, I shall re-look into Bitwig again as it's on Linux, and then my GalliumOS Chromebook could become even more useful!
Windows is still definitely dominant for gaming. There are definitely an increasing number of games being released on Linux, but the vast majority of "PC" games are still windows only.
I think for the kinds of applications that the poster was talking about (CAD, FEA, etc...), there's no concept of the department or business being a Windows shop or a macOS shop any more than it being an Intel shop or an AMD shop. The OS is just infrastructure and not that interesting.
It's the applications that are key and if some application requires a Windows machine, that's what they buy.
The biggest reason why windows still has that grip vs linux is hardware based.
Try installing Ubuntu on a brand new laptop. It's just not something a non-technical user can deal with. I am sure a good share of us here on HN have at least one relative who calls us because the "internet is broken"; imagine them trying to deal with something like Ubuntu on a brand new computer.
I like to think this is partially our fault as consumers, we need to actually do more to demand hardware vendors to support Linux. Especially laptop manufacturers.
I've got a reasonable number of relatives who would not be able to install windows or MacOS on a new computer, they just purchase new computers.
In my experience installing a friendly linux like Ubuntu is a lot more simple than installing Windows. Unless the hardware is very new the install will just work. If you want to play games you may have to play around with installing the latest video drivers from the vendor, but how is this any different from what you have to do on a Windows machine?
At the consumer level, it makes little difference now that most things are interoperable. It's only at the enterprise where lots of enterprise grade software are still NT-only and its likely to remain that way for a while as most of those shops don't have enough in-house expertise to support multiple platforms simultaneously.
I agree to an extent... but I have seen a massive push to Macs at the two largest companies I've worked at. Literally, all new employees get Macs as opposed to Windows, which was not the case five years ago. Both are Fortune 500 companies, so they have a large number of employees.
Just want to throw out that AutoCAD runs incredibly well on the Mac; I suspect that it's more likely the significant cost premium of the Mac that's keeping it out of some parts of the professional world...
The desktop market is bigger than the little world you live in. It seems every month there's a highly rated HN post about how this is finally the year of the Linux desktop. And before that on Reddit and before that on Slashdot and before that newsgroups for the past 15+ years.
I think it's difficult to know the vast amount of software that's user/business critical that's Windows-only and how many people will never run an OS that isn't pre-installed on their computer. Even as a sysadmin/devops for over a decade, I'm still surprised how strong Windows is. Some of it is legacy inertia and some of it is merit. No one else is investing in gaming like MS does. No one else builds developer friendly tools that a very mediocre team of devs can be made productive with. No one else builds a dumbed-down office suite that even a high school drop out can be productive in. No one else markets to the business community like MS, etc, etc.
It also doesn't help the "year of the linux desktop" argument that Windows is losing to mobile, but Windows 10 includes many mobile concepts. In fact, as far as I can tell, it's very much modeled after Android. I know grandma won't buy a Surface Pro, but it is now easier for her to go from Android or iOS to Win10 and not be scared or confused.
I think Windows has a long life still. Just because you don't like it, doesn't mean you can just wish it away. For segments that aren't the kinds of people who post on HN, it's still very popular and that's ignoring its dominance in business.
I develop mostly on Linux (EC2 instance), but my email and documents are still on Windows. Excel still beats LibreOffice in terms of data analysis (yes, we use other tools such as Jupyter as well, but sometimes Excel is an easy route to communicate with other business people).
Also I use two massive 27-inch screens at work. My co-workers' Ubuntu boxes have difficulties driving them properly (probably driver issues, manufacturer's fault). Also text rendering is still subpar on Ubuntu.
Windows 10, IMO, provides many nice aspects in terms of UI experience. Not that I'm gonna start developing on Windows in any foreseeable future
As a consultant I find Windows everywhere. A lot of big companies have their end-user computing platforms managed by a big vendor like Dell or HP. The typical attachment passed around in email at BigCorp is probably going to be an Excel, Word, or PowerPoint document.
Personally I don't use Windows anymore but it seems like it's going to take a lot of work to get rid of the Windows platform out of commodity IT.
This is most likely true, and I believe that this is the reason you see MS trying to migrate to being an online provider and moving the .NET framework (and SQL Server for that matter) to work on other platforms.
A couple months ago I tried to ditch windows for linux at work and I failed, mostly because neither Skype nor Hangouts worked properly on it and the client was tired of switching tools, but other than that I think I didn't miss anything.
At home linux is a complete no no, I run into windows only tools every week.
But for a better experience on Linux, I recommend changing LibreOffice for WPS Office.
The problem with skype was that it only worked if everybody involved used old versions of it. Dozens of people had the same issue on the client's office, so they switched to hangouts which worked now and then. There's a new version of skype for linux now that seems to be working fine though.
And people wonder why some of us haven't upgraded from Windows 7.
Win10 tries really hard to make you log into your desktop with your Live Account credentials - you can't use the store without this. Whereas if it were just leaking a local login it would be much less critical.
You can actually have Windows logged in with a local account (normal old school account) and use the store with a different Live account.
But yes, I am quite annoyed by them requiring that I use online credentials to log in to a physical computer. I prefer to separate the two authentication mechanisms.
I seem to remember having a problem with a new Win8 computer and trying to use Skype (I hate Skype but lots of customers of mine use it). It insisted I use a Microsoft Live account, which I don't have, to install it. Eventually I somehow managed to get an old version of Skype which stopped asking me.
There's a difference between Skype and Skype for Desktop, the second version is what you should install, and is the classic Skype. The first one is a Metro app.
That would be great - when I most recently tried to use it I was told by the dialog box that entering my Live credentials would convert my local account to the Live account, and I'd need to log in with the Live password not the local one.
I'm not sure who's correct in this particular thread, but sometimes they hide the "unfavoured" approach so well that they convince people to use the new method.
In one case, I unsuccessfully tried to create just a local account in Win 8, because they had hidden it behind 3+ layers of "sign in here with your live account". I was sure that there must be a way to create a local one, but just couldn't find the right path.
Yeah, it's called dark patterns, and Microsoft makes full use of them in Windows 10. And it seems to only get worse with the recent changes they've made in the Anniversary Update, like how they hide how you could disable Cortana in searches (they turned it into a very technical option, that no "normal" person would figure out), and so on.
I for one am glad that the French Data Protection Authority is going after Microsoft, but it remains to be seen if it can lead to major changes in Windows 10 (for the benefit of the users):
Migrated my Windows 7 Home Premium to Windows 10 Home last week (pressured by the free update ultimatum... so their strategy works!) and my local account stayed a local account and I could use the Microsoft Store with an independent account without converting my local account.
Scott Hanselman had a guide on how to actually create an offline account in Win 8 (see: [1]).
It involves navigating to a "Create a Microsoft Account" screen, and then clicking the well-hidden "Sign in without a Microsoft Account" at the bottom. Quite a well thought out dark pattern, confused me at the time.
I remember that happening a while back and it definitely forced me to log in with my Live account credentials from then on. I was rather miffed, but didn't bother trying to do anything about it then.
My experience of the Windows Store is of the fake knock-offs and similarly named apps that pop up as results in my start menu when I press "Start" and start typing the name of something I already have installed. They always seem to pop up for a couple of seconds before the actual application I'm searching for shows up. As a result I've come to the conclusion that I can't trust anything in the store itself and have never used it.
You can disable those search results. I'm not on a Windows 10 computer right now so I can't tell you where to look, but I found the settings fairly easily once it gave up trying to search the internet for a "settings" program. Do that and the search function will suck a lot less.
I've been using Windows 10 since it came out too. I tend to have everything on default settings and deliberately allowed Windows and Cortana to do pretty much everything automatically, I even have one of my computers on the fast ring...
I have downloaded Netflix, Audible, tubecast and a whole bunch of other apps from the store
I've poked around in there. Think of live tiles as the latest version of desktop gadgets. I installed the weather channel free app, I now see local weather when I hit start.
The MSN Weather app is preinstalled with Windows 10, and has the same basic capabilities. And since you don't need to install it, doesn't require you sign into a Microsoft account. (I actually like setting up this app on enterprise users' start menu, it's a nice extra. And they don't have Microsoft accounts connected.)
The built-in weather app and tile is solid enough that I find people downloading a third party one kinda surprising.
I think I saw it on a list of windows 10 apps to get somewhere. Clicking on it gets you a radar map. Really it was half weather, half trying out the windows store experience.
I've had windows 10 for a long time and didn't know you couldn't use the store with a local only user. Why? I've literally never clicked on the store button (except to delete it along with heaps of other shit in my start menu).
I genuinely cannot imagine the day that I want a thing and go to the windows store to get it. Last night I installed AutoHotKey and Notepad++ for example (both long overdue admittedly) - all through my browser. Simplez.
Just another reason not to put all your eggs in one basket. Using Firefox as browser, no Hotmail or Outlook, no login at Windows 10 installation, this all seems to have little effect on the installations I've done the past weeks.
> It's not really a surprise if an app store needs an account. Are there any that don't?
Yeah the ones that have existed since forever: GNU/Linux repositories (Ubuntu's, Debian's, etc.). Even Ubuntu's Software Center, which you might find closer to an app store than a command line interface even though it's the same thing, does not require an account until you try to leave comments or review an application.
Then there were browser addon repositories which worked the same way, first from Firefox and later from all other browsers. (Except one of course.)
So yes, no account was the standard. Needing an account is something recent.
How many people don't even have payment info in their Google or Microsoft account? They can't pay anyway and payment info is not required so clearly that's not it.
I'd just like to download apk files from the play store, but that's not possible without an account even though there's no reason for it whatsoever. Moreover, I'd like to contribute to many apps while still not attaching payment info to my account. Currently I bought some pro versions of apps via gift cards, but this doesn't work for subscriptions (even if you have 100 bucks prepaid on your account and the subscription is 1 buck a month, and don't get me started on country locking the credit). They all want to have your data and lock you in.
Isn't it possible to buy something in the Windows Store and log in just for this one purchase? Not sure though, but I think I remember doing that with Windows 8.
.. until you try to install an app, at which point you're prompted to switch over your local account. Apparently you can get round this, but it's not the obvious or default path.
Yes. Also, if you start to use Cortana (which is off by default), Microsoft pushes you into converting your local PC account into a Microsoft Account (ie link your PC to your MSA email address).
There's plenty which don't, those are just usually the ones which don't try to make you buy apps and are rather just a service for you to download apps.
The Windows Store or also the Play Store and Apple's App Store could function without account for free apps, too, as far as I understand it they just choose to require an account up-front, so that there's less friction in the moment a user considers buying an app.
It doesn't work smoothly in all cases, though. My existing local account persisted after upgrading in-place from Windows 7 to Windows 10, but not all of my apps worked afterward. The Sims 3, for example, would no longer run on my local account. I had to start using the Live account and reinstall some apps as that user to get them to work again.
In my personal opinion, the reasons for using it don't outweigh the reasons against it, but either way, the reasons for using it ( / an app store in general) are:
1) Convenience:
You don't have to search all over the web for your software and don't have to click through an installer when installing (because everything is packaged in a standardized way and can therefore be installed in a standardized way, too). Also, there's a centralized way of distributing updates now, meaning that not anymore each and every piece of software has to come with an auto-updater.
2) Security:
If you don't install your stuff from the internet, you're also much less likely to install from a wrong source and therefore less likely to catch viruses. If there is a virus-infected app on the Windows Store, it's also possible for Microsoft to remove it. The UWP-apps that Microsoft is pushing along with their store, are also sandboxed, so again, much less likely for software to be able to damage your system.
For what? Everything is available on the Internet. I have used Windows 8, 8.1 and 10 for years now and I have never felt the need to install anything from the Store.
Somehow I'm not surprised, neither by the way it's broken nor the neglect on Microsoft's part on this issue...
Pretty much every non-standard Microsoft-only approach to things seem to be broken one way or another, only to be fixed after someone threatens to expose and exploit it. I know it's gotten better in recent years, but the fact that it's still something that seems to be pushing from the outside in, instead of being part of the manufacturer's culture is shining through rather harshly.
You can use several other 2FA apps such as Google Authenticator if you do not trust the Microsoft one, they are compatible.
That said, personally I do like the Microsoft Authenticator app very much, it's just a single tap on the phone to confirm the 2FA login, which is much more convenient than retyping a code. Disadvantage is that the Android version of the Microsoft Authenticator app can only have one account, I could not connect a second 2FA service (LastPass) to it.
MS 2FA fails, you can still use IMAP to fetch email and stuff, without 2FA. So it's only a partial implementation. Of course it prevents "completely taking over the account", but even if it's enabled you can still do a lot without providing a 2FA code.
Nope. They started with the IE 11 source code and ripped a whole load of stuff dealing with compatibility, and previous rendering engines, out. Once they had completed this step they started adding new features in, but it's still got the legacy of Internet Explorer code in it.
I still don't understand how this myth that they wrote Edge from scratch even came to be.
You don't just quickly write a browser from scratch in this day and age. And if you did, it would be so much better than Edge or the other contemporary browsers, because you could start out with a much better architecture...
> I still don't understand how this myth that they wrote Edge from scratch even came to be.
Because people confuse Microsoft marketing fluff with reality?
"Microsoft Edge is built from the ground up to improve productivity, to be more secure, and to correctly, quickly and reliably render Web pages. While Microsoft Edge is the default browser for Windows 10 and is the best fit for most users, some enterprise customers have line-of-business applications built specifically for older Web technologies, which require Internet Explorer 11." [0]
"We designed Microsoft Edge from the ground up to prioritize power efficiency and deliver more battery life" [1]
"Microsoft Edge is designed from the ground up to provide a modern, interoperable, and secure browsing experience"[2]
People buying into slightly disingenuous marketing. MS described Edge as "built from the ground up" leading people to believe that everything was new, whereas you can build from the ground up but still use parts culled from other older projects.
Marketing: it is all fun and games until you validate the claims.
> And if you did, it would be so much better than Edge or the other contemporary browsers, because you could start out with a much better architecture...
New isn't always better. It's not as if no one on the Chrome/Firefox/IE teams is working on the architecture of the existing browsers. If you had the resources to build a new browser from scratch, you probably would not end up with something better than the existing browsers.
Edge just passes links it can't handle to its default handler, like it should[1]. So a link to \\server1\share\file.docx will be sent to Explorer which will try to auth using cached credentials. The attacker can sniff out the NTLM exchange and put the hashed password into a cracker. If your password is weak, then it'll be cracked. Voila! He has your MS username/password.
The larger issue is the lack of 2fa by default. I think these kinds of attacks are symptoms of a larger problem that a lot of hosted services have been ignoring.
[1] There's probably a good argument that Edge should ignore network links like these, but I imagine businesses would be upset if suddenly no one can browse the intranet or open html/jpg/gif items on a share.
tl;dr: Simply accessing a website with Edge leaks the user name and password hash to the attacker site. They mention that this is also default behaviour in Spartan, Internet Explorer, Outlook (though I do not know how effectively it can be delivered to something like Outlook).
Works on up to date Windows 10 and Edge (there is an online test if you're vulnerable). If you don't use the listed software, you're probably completely safe (maybe there is other Microsoft software that does this, though?). If you don't use your Microsoft Live Account as a Windows account, you're safe (someone then just finds out the hash of your local password).
EDIT: Interestingly, Edge on the Xbox One is not vulnerable. It seems like the behaviour on the console is different.
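One way a mail or web gateway could flag the kind of reference discussed above before a client resolves it (an added example, not part of the original thread and not Microsoft's code). The attribute list, the sample HTML and every host name are constructed assumptions, and `allowed_hosts` stands for intranet file servers that must keep working.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes that browsers and mail clients may resolve as resource locations.
URL_ATTRS = {"src", "href", "background", "data", "poster", "action"}


def smb_host(url):
    """Return the remote host if `url` resolves to an SMB/UNC path, else None."""
    u = url.strip()
    if u.startswith("\\\\"):                      # \\host\share\file
        return re.split(r"[\\/]", u[2:], maxsplit=1)[0].lower() or None
    try:
        parts = urlsplit(u)
    except ValueError:                            # malformed URL, nothing to resolve
        return None
    if parts.scheme.lower() != "file":
        return None
    if parts.netloc and parts.netloc.lower() != "localhost":
        return parts.netloc.lower()               # file://host/share/file
    if parts.path.startswith("//"):               # file:////host/share/file
        return parts.path[2:].split("/", 1)[0].lower() or None
    return None                                   # file:///C:/... stays local


class SmbReferenceScanner(HTMLParser):
    """Collects (tag, attribute, host) for every reference to a remote share."""

    def __init__(self, allowed_hosts=()):
        super().__init__()
        self.allowed = {h.lower() for h in allowed_hosts}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value:
                host = smb_host(value)
                if host and host not in self.allowed:
                    self.findings.append((tag, name, host))


def scan_html(html, allowed_hosts=()):
    scanner = SmbReferenceScanner(allowed_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: one ordinary image, three references that would make a
# Windows client open an SMB session, and one purely local file URL.
SAMPLE_HTML = r"""
<html><body>
<img src="https://cdn.example.test/logo.png">
<img src="file://files.example.test/share/pixel.png" width="1" height="1">
<a href="\\fileserver01\docs\report.docx">Quarterly report</a>
<img src="file:///C:/Users/Public/Pictures/local.png">
<img src="file:////203.0.113.7/x/y.gif">
</body></html>
"""

if __name__ == "__main__":
    for tag, attr, host in scan_html(SAMPLE_HTML, allowed_hosts=["fileserver01"]):
        print(f"<{tag} {attr}=...> would contact SMB host {host}")
```
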
When it's NTLM, extremely easy. I know NTLMv1 cracks at around 25 billion attempts per second on a high-end GPU, which is MD4 based. NTLMv2 is MD5 based with a longer key, so it's slower, I'm not sure how much slower, but I'll guess 1 order of magnitude. Still, far too fast for a password hash.
Given that far too many passwords can be found with a dictionary attack, it probably only takes seconds for an attacker with "several modern video cards"[1] of hashing power.
Why does he keep repeating "Spartan?" That was Edge's codename. Now it's just Edge. Is he referring to the engine that can be embedded into other applications? If so, it's called EdgeHTML.
The article recommends that you "strengthen your Microsoft Live account password", but if I understand the vulnerability it is only exposing the hash of your password?
If it's only exposing the hash, why should you make your password stronger?
The NT Hash is actually an un-salted MD4 (not 5) hash of the UCS-2 encoded password. The authentication protocol uses the V2 Hash, which is an MD5-HMAC of the user name and domain, using the NT Hash as the key. The authentication protocol then uses the V2 Hash as an MD5-HMAC key for a pair of random nonces.
I've found strengthening my Live account password to be difficult. There is a 16-character limit that makes it impossible for me to use a good passphrase.
There are databases of hashes to common passwords that make it easy to find the password from the hash. If you use weak passwords like "password123", hashing it is not going to make it secure (unless it is salted). And so the general advice is use strong passwords no matter what.
This is fun to write for yourself; small SMB client to couple a unique file request to the credentials and website showing the info retrieved via SMB; I think I found my weekend project :)
Your password hash is not sent over the wire. What is sent over the wire is the NTLMv2 response message. This, simplified, is: HMAC_MD5(Hash | challenge). If you want the gory details, check out MS-NLMP.
That said, a dictionary-attackable password + attacker with fast GPUs can still brute-force the HMAC, then attack the password hash (MD4). It's a bit harder than just banging on a simple hash, though not terrifically difficult.
NTLM is designed to do authentication over an unencrypted channel with a shared secret (password). It's also important to appreciate there is no initialization protocol for a new user, it's just "please login user x with y".
As such, the protocol exchanges everything you would need in order to crack the password in the messages themselves. Adding a salt, unless you stipulate a way to share that salt across machines ahead of time, would not prevent cracking a password by intercepting the messages, because the salt would have to be in the message exchange as well. What a public / visible salt in the message exchange does do is eliminate rainbow table (instant) cracking based on intercepting the message.
To answer your question: NTLM is unsalted, and NTLMv2 adds a salt, which is exchanged in the messaging. In this case the salt is applied a bit differently -- MD5(MD5(password), salt) -- because the salt is randomly generated each time, and what's stored in the authentication database is just MD5(password). The salt is only in the challenge-response protocol, so you can still bulk-crack all the passwords in the database if you can steal it.
So, you can think of NTLMv2 as "half-salted" and when you tell people that, you'll have a great story to tell (for values of "great" which include crypto-inclined audiences).
EDIT: I think KMag has it right. The message has the username, domain, salt, and:
MD5(MD5(MD4(password), username || domain), salt)
The nesting is because of their attempts at shoe-horning this in their legacy codebase and trying to remain backward compatible. A more secure way to hash the same data, but not backward compatible, is;
Does this affect Microsoft software on macs? We use Outlook on our macbooks at work and I'm wondering if a single mass email can get everyone's Exchange password, or at least the md5sum of their passwords.
Windows has lost its grip for good.