by cjk2 718 days ago
Even as a well known "windows hater", this is hyperbole. It's not insecure by design really. In fact in principle it's a lot better than anything Unix side due to the ACL and security model. It did however exist before anyone gave a crap about security, was implemented in a vastly insecure language and runtime and grew to a huge size and surface area and that is hard to fix retrospectively.

I'll give Linux a stab here: half the stuff I can run can write to my ~/.profile if it wants to. Anything which can read ~ is a problem because that's where all my important shit is...


> It's not insecure by design really.

Sure it is. Features like Recall, which the article mentions, are insecure by design.

> the ACL and security model

I'm not sure how this is any more secure than "Unix side". But in any case the security holes in Windows are not problems with its filesystem (at least not now that FAT is no longer used).

> Anything which can read ~ is a problem

Which in a properly configured Unix system is your user and root, and that's it. So don't run things you don't trust as your user or root. Which should be obvious common sense to anyone who uses a computer.

> Sure it is. Features like Recall, which the article mentions, are insecure by design.

I'm going to be honest: I'm not bothered about Recall security. It'd be on a single user machine which contains my data anyway. There are many more tasty morsels out there if a keylogger gets on it. Like the contents of my Keepass DB or my online banking PIN, neither of which Recall would be party to but anything that runs as my user shouldn't be able to see. Plus I'd probably turn it off anyway. I mean I do appreciate people kicking them in the balls which is due.

> I'm not sure how this is any more secure than "Unix side". But in any case the security holes in Windows are not problems with its filesystem (at least not now that FAT is no longer used).

As for ACLs, check NT kernel architecture, particularly object security descriptors. Particularly Windows 2000 onwards. Quite elegantly put together, but with layers of crap over them.

> Which in a properly configured Unix system is your user and root, and that's it. So don't run things you don't trust as your user or root. Which should be obvious common sense to anyone who uses a computer.

So I'll have to create another user account to run a web browser, my mail client, a software package manager or a compiler?

Do you think that Microsoft won't use that data in their telemetry somehow? Probably not as raw data, but as a locally AI-distilled version of it? Linked to your Microsoft account, which is almost impossible not to link nowadays if you're not an expert?

Don't you agree that the data was in the initial version accessible by all local users on the same machine? Would you consider that a security leak?

Anything which could be exploited will be exploited, the only question is how long it takes.

I don't disagree with any of those, other than those I have already caveated, but they are additional points.

> So I'll have to create another user account to run a web browser, my mail client, a software package manager

Not if you trust those things. And if you don't trust them, you shouldn't be using them.

> or a compiler?

On my personal machine, yes, I have a separate user account for development, such as compiling programs. Creating new user accounts on a Unix machine is pretty simple.

> So I'll have to create another user account to run a web browser, my mail client, a software package manager or a compiler?

If you can't trust those you have bigger problems than them reading your home directories. If you're paranoid use flatpak.

> If you're paranoid use flatpak.

I don't think this is a good solution, both because the so-called "sandboxing" isn't all it's cracked up to be, and because you now have to depend on each individual app vendor to push you security updates, instead of just your Linux distro.

The really paranoid would probably be using BSD with jails, which AFAICT is one area in which the BSDs are ahead of Linux.

They're all written by idiots in C. Why would I trust them?

By this criterion you shouldn't trust Windows either.

Like the rest of the OS from kernel to most of user-space. You're making solid arguments and completely missing my point.

> it's a lot better than anything Unix side due to the ACL and security model.

Better is subjective. It's maybe more capable. It's also easier to create confusing DACL structures that do not do what you think they do or leave surprising gaps in coverage.

> and grew to a huge size and surface area and that is hard to fix retrospectively.

We added network cards to everything at the same time networks finished moving from being isolated to being permanently globally interconnected. Machines that had a multi user capability (that didn't cost thousands) fared this transition better than those that did not.

> Anything which can read ~ is a problem because there's where all my important shit is...

It wouldn't matter if it's ~ or not. The software runs as you and so can access anything anywhere you have rights to. Which is why chroot, namespaces and pledge all exist, and Windows really does not have equally secure equivalents to these technologies. To the extent it does, commercially available software does not seem to take any advantage of it.

Then again, running an agent that actively screen shots your desktop periodically and then saves those unencrypted to any part of the hard drive is a bad idea regardless of the imputed confidence you have in the security of the operating system itself.

> Better is subjective. It's maybe more capable. It's also easier to create confusing DACL structures that do not do what you think they do or leave surprising gaps in coverage.

There is nothing confusing about it at all. The problem tends to be poor understanding and poor default configuration in all these things. I mean the same can be said for the average Linux user, who ambles on in and 777's everything.

> We added network cards to everything at the same time networks finished moving from being isolated to being permanently globally interconnected. Machines that had a multi user capability (that didn't cost thousands) fared this transition better than those that did not.

I've run Windows Terminal Services for about 20 years on and off. They did fine. Hell, half our clients are still running Citrix and Terminal Services.

> It wouldn't matter if it's ~ or not. The software runs as you and so can access anything anywhere you have rights to. Which is why chroot, namespaces and pledge all exist, and windows really does not have equally secure equivalents to these technologies. To the extent it does, commercially available software does not seem to take any advantage of it.

Windows has full virtualization at service and process level if you want to have it. Device Guard/Credential Guard and App-V for example. I agree with your last point that commercial software doesn't take any advantage of it, but neither does Firefox, which will quite happily shit on your ~/.profile...

Hey I rather like the idea of taking screenshots and dredging them for info. It'll immediately stop MSPs writing all their clients' passwords in a .txt file on their desktop (I've seen this several times)...
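The comment above names Device Guard and Credential Guard as protections Windows offers. The check a practitioner would want is whether they are actually running on a given host, since both can be configured yet sit idle when a prerequisite (Secure Boot, the hypervisor platform, a reboot) is missing. The script below is an added example, not code from the thread or from Microsoft; it reads the documented Win32_DeviceGuard CIM class and the documented numeric codes for its status fields, and assumes an administrator PowerShell on Windows 10/11 or Windows Server.

```powershell
# Added example (not from the thread): report whether virtualization-based security,
# Credential Guard and HVCI are configured and actually running on this host.
# Assumes an elevated PowerShell session on a Windows 10/11 or Windows Server machine.
function Get-VbsStatus {
    # Win32_DeviceGuard is the class msinfo32 reads for its "Virtualization-based security" rows.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction Stop

    # Documented codes:
    #   VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running
    #   SecurityServices{Configured,Running}: 1 = Credential Guard, 2 = HVCI (memory integrity)
    $configured = @($dg.SecurityServicesConfigured)
    $running    = @($dg.SecurityServicesRunning)

    [pscustomobject]@{
        VbsStatusCode             = $dg.VirtualizationBasedSecurityStatus
        VbsRunning                = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        CredentialGuardConfigured = ($configured -contains 1)
        CredentialGuardRunning    = ($running    -contains 1)
        HvciConfigured            = ($configured -contains 2)
        HvciRunning               = ($running    -contains 2)
    }
}

$status = Get-VbsStatus
$status | Format-List

# "Configured but not running" is the case that fools people: policy says on, host says off.
if ($status.CredentialGuardConfigured -and -not $status.CredentialGuardRunning) {
    Write-Warning 'Credential Guard is configured but not running; check Secure Boot, Hyper-V platform and pending reboot.'
} elseif (-not $status.CredentialGuardRunning) {
    Write-Warning 'Credential Guard is not running: LSA secrets are not isolated from a local admin-level attacker.'
}
if (-not $status.HvciRunning) {
    Write-Warning 'HVCI (memory integrity) is not running: kernel code integrity is not hypervisor-enforced.'
}
```

Run it on a fleet through your usual remoting and keep the `VbsRunning` / `CredentialGuardRunning` booleans rather than the raw codes; the distinction between configured and running is the one that matters when a build checklist says the feature is "on".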

> There is nothing confusing about it at all.

It comes up as an item in our internal corporate audits all the time. The fact that parent and child can have independent access is a surprising one in most mental models and a problem that just doesn't exist in the simpler Unix model.

The ability to create permissions for things that don't even exist yet is another surprising thing that catches administrators out. It does not help that the Windows GUI tooling is exceptionally inferior compared to the command line tooling.

This is on production servers in sensitive environments. That Linux home users chmod 777 is one thing, but I don't see the same types of problems in professional Linux environments; granted, you don't see as many comparable Linux environments at all. Likewise, Explorer makes it easy to just "give permissions to Everyone" and I've seen that just as much in home installations. In any case, these are probably not great comparisons.
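The two surprises the comment above describes, a child whose DACL differs from its parent and an ACE that grants rights only on objects created later, are easy to reproduce and easy to audit for. The script below is an added example, not code from the thread; it builds a scratch tree under C:\AclDemo (an arbitrary path chosen here) using the built-in Users group, shows both behaviours with icacls and Get-Acl, and ends with the audit check that flags them. It assumes an elevated PowerShell on Windows with NTFS.

```powershell
# Added example (not from the thread): reproduce the two NTFS DACL behaviours the
# comment calls confusing, then audit for them. Assumes an elevated PowerShell on an
# NTFS volume; C:\AclDemo is an arbitrary scratch path and "Users" the built-in group.
$root  = 'C:\AclDemo'
$child = Join-Path $root 'child'
New-Item -ItemType Directory -Path $child -Force | Out-Null

function Show-ExplicitAces {
    # List only ACEs set directly on $Path; inherited ones are hidden so the output is
    # exactly what this object itself contributes to its effective DACL.
    param([string]$Path)
    Write-Host "== $Path"
    (Get-Acl -Path $Path).Access |
        Where-Object { -not $_.IsInherited } |
        Select-Object IdentityReference, FileSystemRights, AccessControlType,
                      InheritanceFlags, PropagationFlags |
        Format-Table -AutoSize
}

# 1. Parent and child carry independent DACLs.
# ":d" breaks inheritance on the child but copies the inherited ACEs so it stays
# reachable. Then Users gets Modify on the child only. Nothing on the parent's DACL
# reveals this: an auditor who reads only $root sees Users with the default read rights.
icacls $child /inheritance:d             | Out-Null
icacls $child /grant 'Users:(OI)(CI)(M)' | Out-Null

# 2. An inherit-only ACE grants rights on objects that do not exist yet.
# (IO) means the ACE applies to nothing on $root itself; it is only stamped onto
# children created later. "icacls $root" prints Users:(OI)(CI)(IO)(W), which reads
# like "Users can write this folder" but does not mean that.
icacls $root /grant 'Users:(OI)(CI)(IO)(W)' | Out-Null
$newFile = Join-Path $root 'created-later.txt'
New-Item -ItemType File -Path $newFile -Force | Out-Null

Show-ExplicitAces $root    # Users: Write rights, PropagationFlags = InheritOnly
Show-ExplicitAces $child   # Users: Modify (plus the ACEs copied when inheritance broke)
icacls $newFile            # BUILTIN\Users:(I)(W): write, inherited from the IO ACE

function Find-DaclSurprises {
    # Audit check: report inherit-only ACEs (they protect nothing on the object that
    # carries them) and folders whose inheritance is broken (their DACL must be
    # reviewed on its own; the parent's DACL says nothing about them).
    param([string]$Path)
    $dirs = @(Get-Item -Path $Path) + @(Get-ChildItem -Path $Path -Directory -Recurse -Force)
    foreach ($dir in $dirs) {
        $acl = Get-Acl -Path $dir.FullName
        if ($acl.AreAccessRulesProtected) {
            [pscustomobject]@{ Path = $dir.FullName; Issue = 'inheritance disabled; review DACL independently' }
        }
        foreach ($ace in $acl.Access) {
            if (-not $ace.IsInherited -and
                $ace.PropagationFlags.HasFlag([System.Security.AccessControl.PropagationFlags]::InheritOnly)) {
                [pscustomobject]@{
                    Path  = $dir.FullName
                    Issue = "inherit-only ACE for $($ace.IdentityReference): $($ace.FileSystemRights)"
                }
            }
        }
    }
}

Find-DaclSurprises -Path $root | Format-Table -AutoSize
```

Clean up with `Remove-Item C:\AclDemo -Recurse -Force`. Pointed at a real share root, `Find-DaclSurprises` gives you the list of folders an ACL review cannot skip, which is the practical answer to "the parent looked fine".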

Fortunately, tools to fix this issue on Linux exist, like Bubblewrap and Dbus-Proxy, but they require custom configuration per piece of software, so almost no distro uses them directly. We do have Flatpak, which basically uses both of these tools under the hood; unfortunately, it also has its own "limitations", like the number of packages and some weird behavior in some packages.

I'm trying to solve this issue by using both of these tools with NixOS [1], where I can choose how much security I want for each package, like limiting the files that they can access and/or the entire D-Bus (practically simulating Flatpak). I mostly use it on proprietary software, like games, as they have a history of RCEs...

In the end, security is a tradeoff with convenience.

[1] - https://github.com/shiryel/nixjail

I have spent quite some time prowling Windows system files, and let me tell you, the Windows system is set up to allow processes to pass data, tags, and alternate execution streams out of band. Read the code for the Win32 API and you will see it.

This above, and the corporate behaviour, is why I'm not a Windows guy.