[quotemstr]

> The Windows ecosystem typically deployed in corporate PCs or workstations is often insecure, slow, and poorly implemented

Yes, but that's not because of Windows itself (which is fast and secure out of the box) but because of an decades-old "security product" culture that insists on adding negative-value garbage like Crowdstrike and various anti-virus systems on the critical path, killing performance and harming real security.

It's a hard problem. No matter how good Windows itself gets and no matter how bad these "security products" become, Windows administrators are stuck in the same system of crappy incentives.

Decades of myth and superstition demand they perform rituals and make incantations they know harm system security, but they do them anyway, because fear and tradition.

It's no wonder that they see Linux and macOS as a way out. It's not that they're any better -- but they're different, and the difference gives IT people air cover for escaping from this suffocating "you must add security products" culture.

[mr_mitm]

> which is fast and secure out of the box

Disagree. At least in the context of business networks.

My favorite example is the SMB service, which is enabled by default.

In the Linux world, people preach:

- disabling SSH unless necessary

- use at least public key-based auth

- better both public key and password

- don't allow root login

In Windows, the SMB service:

- is enabled by default

- allows command execution as local admin via PsExec, so it's essentially like SSH except done poorly

- is only password-based

- doesn't even support MFA

- is not even encrypted by default

It's a huge issue why everyone gets encrypted by ransomware.

I always recommend disabling it using the Windows firewall unless it is actually used, and if it is necessary define a whitelist of address ranges, but apparently it is too hard to figure out who needs access to what, and much easier to deploy products like Crowdstrike which admittedly strongly mitigate the issue.

The next thing is that Windows still allows the NTLM authentication protocol by default (now finally about to be deprecated), which is a laughably bad authentication protocol. If you manage to steal the hash of the local admin on one machine, you can simply use it to authenticate to the next machine. Before LAPS gained traction, the local admin account password was the same on all machines in basically every organization. NT hashes are neither salted nor do they have a cost factor.

I could go on, but Microsoft made some very questionable security decisions that still haunt them to this day because of their strong commitment to backwards compatibility.

[quotemstr]

You don't need Crowdstrike to disable any of these things. You can use regular group policy. I'm not saying Windows can't be hardened. I'm saying these third party kernel hooks add negative value.

[mr_mitm]

I know, I even said you should rather use the tools that the OS is providing, like the firewall.

All I did was challenge the statement that Windows is secure OOB.

[arzig]

Fun fact, these negative value garbage offerings are often “required” by box checking certifications like SOC2. Sure, if you have massive staffing to handle compliance you might be able to argue you’ve achieved the objective without this trash. The rest of us are just shrug and do it.

Some of the “compliance managers as a service” push you in this direction as well.

[bdw5204]

Why do companies need these "box checking certifications"? I imagine the answer, as usual, is that either they or one of their customers is working with the government which requires this for its contractors. That's usually the answer whenever you find an idiotic practice that companies are mindlessly adopting.

[shinecantbeseen]

Pretty much. We’re in the healthcare space and most of our customers are large hospital systems. Anything except “SOC2 compliant, no exceptions on report” will take an already long deal cycle (4-18 months) and double or triple it.

If you’re a startup it also means that your core people are now sitting in multiple cycles of IT review with their IT staff filling out spreadsheet after spreadsheet of “Do you encrypt data in transit?”

[Avamander]

> Windows itself (which is fast and secure out of the box)

That's a really bold claim. I'd say Windows comes with a lot of unsafe defaults OOB.

[sys_64738]

> Yes, but that's not because of Windows itself (which is fast and secure out of the box)

I think what you're really saying is that a Windows system is secure until you apply power to the computer.

[rlanday]

> > The Windows ecosystem typically deployed in corporate PCs or workstations is often insecure, slow, and poorly implemented

> Yes, but that's not because of Windows itself

Come on. There’s a reason Windows users all want to install crappy security products: they’ve been routinely having their files encrypted and held for ransom for the last decade.

[didntcheck]

And Linux/BSD generally would not help here. Ransomeware is just ordinary file IO and is usually run "legitimately" by phished users rather than actual code execution exploits

I have a similar disdain for security bloatware with questionable value, but one actually effective corporate IT strategy is using one of those tools to operate a whitelist of safe software, with centralized updates

[consteval]

I think having a Linux/BSD might be helpful here in the general case, because the culture is different.

In Windows land it's pretty much expected that you go to random websites, download random executables, ignore the "make changes to your computer?" warnings and pretty much give the exe full permission to do anything. It's very much been the standard software install workflow for decades now on Windows.

In the Linux/BSD world, while you can do the above, people generally don't. Generally, they stick to trusted software sources with centralized updates, like your second point. In this case I don't think it's a matter of capability, both Windows and Unix-land is capable of what you're suggesting.

I think phishing is generally much less effective in Max/Linux/BSD world because of this.

[BobaFloutist]

Until a a lucrative contract requires you to install prescribed boutique windows-only software from a random company you've never heard of, and then it's back to that bad old workflow.

[boolemancer]

Yeah, because no one on Linux or Mac would clone a git repo they just found out about and blindly run the setup scripts listed in the readme.

And no one would pipe a script downloaded with wget/curl directly into bash.

And nobody would copy a script from a code-formatted block on a page, paste it directly into their terminal and then run it.

Im not going to go so far as to claim that these behaviors are as common as installing software on Windows, but they are still definitely common, and all could lead to the same kinds of bad things happening.

[consteval]

I would agree this stuff DOES happen, but typically in development environments. And I also think its crappy practice. Nobody should ever pipe a curl into sh. I see it on docs sometimes and yes, it does bother me.

I think though that the culture of robust repositories and package managers is MUCH more prominent on Mac/iOS/Linux/FreeBSD. It's coming to Windows too with the new(er) Windows store stuff, so hopefully people don't become too resistant to that.

[rlanday]

A developer is much more likely to be able to fix their computer and/or restore from a backup than a typical user is. A significant problem is cascading failures, where one bozo installing malware either creates a business problem (e.g. allowing someone to steal a bunch of money) or is able to disable a bunch of other computers on the same network. It is not that common for macOS to be implicated in these sorts of issues. I know people have been saying for a long time that it’s theoretically possible but it really doesn’t seem that common in practice.

[codebolt]

I'd wager if Linux had the same userbase as Windows, you'd see more ransomware attacks on that platform as well. Nothing about Linux is inherently more secure.

[pid-1]

Yeah I don't get where this "Linux is more secure" thing comes from.

Basically any userspace program can read your .aws, .ssh, .kube, etc... The user based security model desktops have is the real issue.

Compare that with Android and iOS for instance. No one needs anti-virus bloatware, just because apps are curated and isolated by default.

[cesarb]

> Yeah I don't get where this "Linux is more secure" thing comes from.

It comes from the 1990s and early 2000s. Back then, Windows was a laughingstock from a security point of view (for instance, at one point connecting a newly installed Windows computer to the network was enough for it to be automatically invaded). Both Windows and Linux have become more secure since then.

> Basically any userspace program can read your .aws, .ssh, .kube, etc... The user based security model desktops have is the real issue. Compare that with Android and iOS for instance. No one needs anti-virus bloatware, just because apps are curated and isolated by default.

Things are getting better now, with things like flatpak getting more popular. For instance, the closed-source games running within the Steam flatpak won't have any access to my ~/.aws or ~/.ssh or ~/.kube or etc.

[quotemstr]

What fraction of ransomware attacks would these security products have prevented exactly? Windows already comes with plenty of monitoring and alerting functionality.

[bombcar]

Probably close to none at some point. They may block some things.

But most of Windows falling to this is that it’s what people use. The only platform that is somewhat actually protected against attacks is the iPhone - the Mac can easily be ransomwared it’s just the market is so small nobody bothers attacking it; no ROI.

[quotemstr]

Yeah. The mobile ecosystems are what real security design looks like. Everything is sandboxed, brokered, MACed, and fuzzed. We should either make the desktop systems work the same way or generalize the mobile systems into desktops.

[skydhash]

The mobile ecosystem is what corporate IT should be. Centralized app store, siloed applications, immutable filesystem (other than the document part for each application), then VM and specials computers for activities like development. However locked iOS can be, most upgrades happen without an hitch, and no need for security software.

[lbadmin]

Hard to say, but windows defender doesn't stop as many as EDR's can. There are actual tests for this, ran by independent parties that check exactly this. Defender can be disabled extremely easily, modern EDRs cannot.

[qwytw]

> There’s a reason Windows users

Yes, average Windows users are significantly less tech literate due to obvious reasons and there are way more of them. This create a very lucrative market.

How is desktop Linux somehow inherently particularly more secure than Windows?

[lbadmin]

did you really just say windows is secure out of the box?

[recursive]

You can just scroll back up and read it again.

[lbadmin]

okay so i did and he defs claims windwos was secure out of the box. so again, i ask if he really said that ahaha, with a straight face.

SMB 1.0 is enabled, non admin users have powershell access, defender can be disabled with a single command, user is admin by default, passwords can be reset via booting to a bootable media device and then swapping its CLI to c:

there are so many basic insecurities out of the box in windows.