by theoa 693 days ago
You are only as good as your weakest link:

> A Microsoft spokesman said it cannot legally wall off its operating system in the same way Apple does because of an understanding it reached with the European Commission following a complaint. In 2009, Microsoft agreed it would give makers of security software the same level of access to Windows that Microsoft gets.

https://www.wsj.com/tech/cybersecurity/microsoft-tech-outage...

3 comments

It's not Microsoft that should wall off the operating system. It's banks, airlines, health care providers that should not use Windows the way they currently do.

No employee there needs the possibility to install any software themselves. Without the possibility to install software you don't need anti-virus software. These systems should just run immutable images, in A/B deployment, just in case the new image is broken.

Of course that does solve the supply chain security. How do you make sure that the images contain known malware? But the problem does not need to be addressed on millions of machines with millions of employees. It gets reduced to thousands.

Your suggestion simply shows that you have no understanding of how things work. Terminals already do not allow users to install anything. As for the rest of the workstations and work laptops - users already don't install anything on them. The issue with Crowdstrike is not with users but with the service that is maintaining these computers. A very frightening thing that all those companies are dependent on the f*ck off of their service provider and it costs them all their business.

No viruses need installation - in fact it would be the easiest thing if viruses were listed among installed programs. Are you representing your whole generation or are you the only one such strange person?

Also your suggestion is outdated by at least 60 years as it assumes that hardware that has no software update capabilities can't be hacked...

Presumably, these employees probably need email, web access, and file sharing.

There you go. Those are your threat vectors now.

That's just Microsoft's incompetence blaming the EU. MS should start making their products not full of security holes.

The predecessor anti-virus to Windows Defender was originally meant to be released in-box with Windows XP. Due to pressure from both the US and the EU (themselves pressured by massive lobbying by McAfee and Symantec/Norton) Microsoft was not allowed to ship the anti-virus with XP and had to release it separately on a web page as an "optional" download. This gave the anti-virus vendors an additional "free decade" (just about exactly) of being able to advertise that Windows was insecure by default and pretend like this was Microsoft incompetence.

Today a lot of average users (and as CrowdStrike has indicated, many large enterprises) still believe that Windows doesn't have built-in anti-virus because of "Microsoft incompetence" despite Defender having been bundled with Windows since Vista (2007).

Microsoft has spent decades removing security holes but doesn't get even half the credit for it because it still has to deal with an open Kernel because people want to pay for security blanket "products" like CrowdStrike's and Symantec/Norton's bloatware. That's in part because the US DOJ and the EU in trying to do the "right thing" for anti-trust reasons did the exact "wrong thing" for consumer protection reasons and left all these shady vendors with too much "everyone knows Windows has no anti-virus out of the box" PR based on Microsoft forced to remove it from Windows XP to an "optional download" and that still being the benchmark version of Windows in many minds.

Microsoft made a market for these snake oil products because of their incompetence to make a secure operating system. Not because of governments. Things such as Defender wouldn't even be necessary (well they are still not necessary today, but people believe they are and you can't disable Defender anyways).

Linux still has AV scanners. MacOS still has AV scanners, the most common ones are just built-in and unbranded.

Everyone needs Ransomware scanners. Some Linux users and MacOS users rely on security through obscurity, which isn't actual security.

Even with the most rock solid and secure kernel, as long as software is allowed to run in userspace you need to detect when the user accidentally ran software they didn't intend to and/or that is trashing that user's space. You can't just delete a bad userspace, people store their files and increasingly their whole lives there.

You likely will never agree with me on this, but from what I've seen the NT Kernel is one of the most secure kernels on the planet in active mainstream usage. It doesn't have that reputation because the NT Kernel also paradoxically has to be the most open to plugins and third party drivers. People blame the NT Kernel for things the plugins and third party drivers get wrong. Every time Microsoft closes plugin APIs and moves drivers to userspace: companies and users get angry even as the overall security goes up. (That was the real "Vista problem": it moved too many drivers to userspace at once and hurt a lot of third party feelings and seemed to break a lot of hardware for a bit while things caught up.)

But you also don't really care how secure the kernel is because you don't live in kernel space, you live in userspace. You and everybody else also want to be able to run whatever software you want in userspace because you should be in control. (Yes, it's good to have control of your own userspace, that's a lovely freedom.) So Windows doesn't have a working central App Store today and users can still install software from anywhere they find it. That's considered a useful freedom. Things like Defender (ClamAV) and UAC (sudo) and more are still desirable tools that need to exist to protect userspace. (Tron fights for the users!) That's not a failing of OS security, that's a tool to protect user freedom. We know for a fact from mobile OSes that the alternative is locked down app stores, locked down file systems, and a lot less freedom in your userspace. Those are trade-offs we make every day now in which devices we prefer to which tasks. Neither is necessarily the best solution and it is nice being able to pick between systems with more user freedom for some tasks and systems with less for other tasks.

I don't expect you to agree with me and this discussion is close to arguing in circles at this point, but I still believe the reputation of Microsoft's "incompetence" is sorely over-exaggerated, in part by third parties that have always benefited from the platform's openness and predilection towards user freedoms over kernel lockdowns (and also some governmental oversight decisions that claimed to be for user freedom but mostly just lined the pockets of third parties while moving userspace security features out of the normal install for too long).

Microsoft's products aren't full of security holes. If you have an 0day on fully patched Windows that is worth a pretty penny, which implies they aren't easy to come by.

They aren't worth quite as much as an iOS 0day but they are by no means cheap.

Of course if you think otherwise you can be making 7 figures per bug (assuming you are OK selling to brokers for the 3 letter agencies) so go dig some up?

> Microsoft's products aren't full of security holes

They are though, just look at Exchange[1] and what problems Microsoft itself has.[2] There is no such thing as a "secure Microsoft product". Microsoft is single-handedly responsible for making the IT world worse because they do not care and have a monopoly.

> If you have an 0day on fully patched Windows that is worth a pretty penny, which implies they aren't easy to come by.

It's what the market pays for it, not what it's actually worth as you have already pointed out. Three-letter agencies buy these 0-days themselves for a big sum and support the black market so the prices go even higher because they have infinite money.

[1] https://en.wikipedia.org/wiki/2021_Microsoft_Exchange_Server...

[2] https://edition.cnn.com/2024/04/02/tech/us-government-micros...

Are there any guard rails against an npm package install script reading cookies from chrome data folder?
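
One guard rail that answers the question above, as an added example that is not part of the thread: npm runs a package's lifecycle hooks (preinstall, install, postinstall, prepare) with the installing user's privileges, so a defender can audit manifests for those hooks before installing and disable them globally with `ignore-scripts=true` in `.npmrc`. The manifests and `.npmrc` contents below are constructed samples, not real packages.

```python
import json

# npm lifecycle hooks that can run automatically during "npm install"
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def install_hooks(package_json: str) -> dict:
    """Return the lifecycle scripts a package.json would run on install."""
    scripts = json.loads(package_json).get("scripts", {})
    return {name: cmd for name, cmd in scripts.items() if name in INSTALL_HOOKS}


def npmrc_ignores_scripts(npmrc: str) -> bool:
    """True if an .npmrc disables lifecycle scripts (ignore-scripts=true).

    Comments (#) and surrounding whitespace are ignored; the last
    assignment wins, mirroring how later lines override earlier ones.
    """
    result = False
    for line in npmrc.splitlines():
        line = line.split("#", 1)[0].strip()
        key, sep, value = line.partition("=")
        if sep and key.strip() == "ignore-scripts":
            result = value.strip().lower() == "true"
    return result


# Constructed sample manifests (hypothetical package names)
CLEAN_MANIFEST = json.dumps({
    "name": "left-trim", "version": "1.0.0",
    "scripts": {"test": "node test.js"},
})
HOOKED_MANIFEST = json.dumps({
    "name": "color-helper", "version": "2.3.1",
    "scripts": {"postinstall": "node setup.js", "test": "node test.js"},
})

if __name__ == "__main__":
    for manifest in (CLEAN_MANIFEST, HOOKED_MANIFEST):
        name = json.loads(manifest)["name"]
        print(name, "runs on install:", install_hooks(manifest) or "nothing")
    print("ignore-scripts set:", npmrc_ignores_scripts("ignore-scripts=true\n"))
```

Flagging a package this way does not prove it is malicious; it only tells you which packages get to execute code on your machine at install time, which is the moment a credential-stealing hook would run.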

Maybe Windows Defender should also not have the ability to crash the kernel. Instead Microsoft can provide proper hooks to pluggable drivers that can be used by both themselves and third party AV.