413 private links
Basic Authentication is an outdated industry standard. Threats posed by it have only increased with time and we have already deprecated Basic Authentication across numerous products. For more information, go to Improving Security - Together. There are better and more effective user authentication alternatives.
The Settings app has taken over, but Control Panels aren't going anywhere yet. //
What's incredible about some of the Control Panels at this point is how far back some of their designs go. You're never more than a double-click away from some piece of UI that has been essentially exactly the same since 1996's Windows NT 4.0, when Microsoft's more-stable NT operating system was refreshed with the same user interface as Windows 95 (modern Windows versions descend from NT, and not 95 or 98). The Control Panel idea is even older, dating all the way back to Windows 1.0 in 1985.
When running in kernel mode rather than user mode, security software has full access to a system's hardware and software, which makes it more powerful and flexible; this also means that a bad update like CrowdStrike's can cause a lot more problems.
Recent versions of macOS have deprecated third-party kernel extensions for exactly this reason, one explanation for why Macs weren't taken down by the CrowdStrike update. But past efforts by Microsoft to lock third-party security companies out of the Windows kernel—most recently in the Windows Vista era—have been met with pushback from European Commission regulators. That level of skepticism is warranted, given Microsoft's past (and continuing) record of using Windows' market position to push its own products and services. Any present-day attempt to restrict third-party vendors' access to the Windows kernel would be likely to draw similar scrutiny. //
For context, analytics company Parametrix Insurance estimated the cost of the outage to Fortune 500 companies somewhere in the realm of $5.4 billion.
he top ten reasons Eternal Damnation is better than Windows Software Development
Microsoft has open-sourced another bit of computing history this week: The company teamed up with IBM to release the source code of 1988's MS-DOS 4.00, a version better known for its unpopularity, bugginess, and convoluted development history than its utility as a computer operating system.
The MS-DOS 4.00 code is available on Microsoft's MS-DOS GitHub page along with versions 1.25 and 2.0, which Microsoft open-sourced in cooperation with the Computer History Museum back in 2014. All open-source versions of DOS have been released under the MIT License. //
The publicly released version of MS-DOS 4.00 is known less for its new features than for its high memory usage; the 4.00 release could consume as much as 92KB of RAM, way up from the roughly 56KB used by MS-DOS 3.31, and the 4.01 release reduced this to about 86KB. The later MS-DOS 5.0 and 6.0 releases maxed out at 72 or 73KB, and even IBM's PC DOS 2000 only wanted around 64KB.
These RAM numbers would be rounding errors on any modern computer, but in the days when RAM was pricey, systems maxed out at 640KB, and virtual memory wasn't a thing, such a huge jump in system requirements was a big deal. //
Microsoft has open-sourced some other legacy code over the years, including those older MS-DOS versions, Word for Windows 1.1a, 1983-era GW-BASIC, and the original Windows File Manager. While most of these have been released in their original forms without any updates or changes, the Windows File Manager is actually actively maintained. It was initially just changed enough to run natively on modern 64-bit and Arm PCs running Windows 10 and 11, but it's been updated with new fixes and features as recently as March 2024.
cybershow • April 3, 2024 5:23 PM
@ Nick Alcock
Hey Nick, I do appreciate the compliment, but you are too kind, I am not sure it is possible to ever be too paranoid in this
business 🙂 In my tradition we call it radical scepticism.
...
Regardless then the perhaps ridiculous accusation of whether and how Microsoft caused this issue, the question of how could Microsoft benefit from it is a separate, good and worthy one I am pleased you ask.
The story of the backdoor so far is two-fold. It’s a technically great hack one has to admire, with undetectable RCE in the auth phase of the most used critical protocol. Hats-off!
But it’s also a story of sinister social engineering. A dark night. A lonely and isolated maintainer. Some well meaning visitors drop by “to help”…
What we’re left talking about is the very nature of open source development, of supply chains and trust models. Perhaps a long-overdue conversation, no?
But who have positioned themselves “to help”?
Who have replaced the entire pre-2010 ecosystem of individual and autonomous development with a single GitHub?
Who might we expect to soon come riding in on a white stallion with “solutions” to the vulnerability of FOSS supply chains? To protect the lonesome, unpaid, overworked and socially unskilled FOSS maintainer?
most respectfully. //
Winter • April 4, 2024 5:08 AM
@cybershow
Regardless then the perhaps ridiculous accusation of whether and how Microsoft caused this issue, the question of how could Microsoft benefit from it is a separate, good and worthy one I am pleased you ask.
Microsoft ships Linux as part of WSL. The targeted Linux distributions are the main deployments on Azure. Azure generated $45B of revenue (23%)[1]. That is more than Office or Windows. Azure is the biggest growth market for MS. AFAIK, MS have nothing to replace Linux available.
This means that anything that damages Linux will damage Azure and hence, MS’ bottom line. I find your “attribution” rather unrealistic.
[1] 2022 ‘https://www.kamilfranek.com/microsoft-revenue-breakdown/
Former Microsoft programmer Dave Plummer shared some history about one of those finely aged bits: the Format dialogue box, which is still used in fully updated Windows 11 installs to this day when you format a disk using Windows Explorer.
Plummer says he wrote the Format dialog in late 1994, when the team was busy porting the user interface from the consumer-focused Windows 95 (released in mid-1995) to the more-stable but more resource-intensive Windows NT (NT 4.0, released in mid-1996, was the first to use the 95-style UI).
Formatting disks "was just one of those areas where Windows NT was different enough from Windows 95 that we had to come up with some custom UI," wrote Plummer on X, formerly Twitter. Plummer didn't specify what those differences were, but even the early versions of Windows NT could already handle multiple filesystems like FAT and NTFS, whereas Windows 95 mostly used FAT16 for everything.
"I got out a piece of paper and wrote down all the options and choices you could make with respect to formatting a disk, like filesystem, label, cluster size, compression, encryption, and so on," Plummer continued. "Then I busted out [Visual] C++ 2.0 and used the Resource Editor to lay out a simple vertical stack of all the choices you had to make, in the approximate order you had to make. It wasn't elegant, but it would do until the elegant UI arrived. That was some 30 years ago, and the dialog is still my temporary one from that Thursday morning, so be careful about checking in 'temporary' solutions!"
The Windows NT version of the Format dialog is the one that survives today because the consumer and professional versions of Windows began using the NT codebase in the late '90s and early 2000s with the Windows 2000 and Windows XP releases. Plenty has changed since then, but system files like the kernel still have "Windows NT" labels in Windows 11.
Plummer also said the Format tool's 32GB limit for FAT volumes was an arbitrary decision he made that we're still living with among modern Windows versions—FAT32 drives formatted at the command line or using other tools max out between 2TB and 16TB, depending on sector size. It seems quaint, but PC ads from late 1994 advertise hard drives that are, at most, a few hundred megabytes in size, and 3.5-inch 1.44MB floppies and CD-ROM drives were about the best you could do for removable storage. From that vantage point, it would be hard to conceive of fingernail-sized disks that could give you 256GB of storage for $20. //
Red Zero Ars Praetorian
12y
510
"Nothing is more permanent than a temporary solution." - Attribution Unknown. Having encountered this in the work environment many, many times, I know the truth of this. //
While the flexible security model employed by Windows NT-based systems allows full control over security and file permissions, managing permissions so that users have appropriate access to files, directories and Registry keys can be difficult. There's no built-in way to quickly view user accesses to a tree of directories or keys. AccessEnum gives you a full view of your file system and Registry security settings in seconds, making it the ideal tool for helping you find security holes and lock down permissions where necessary.
Musk's problem was that his laptop was automatically connecting to the local Wi-Fi, which doesn't have a password. If a user can install without connecting to the internet, it is still possible to get Windows 11 up and running without using a Microsoft account. //
On a sacrificial PC, we found that Windows 11 can indeed be installed without a Microsoft account. We used Shift + F10 to drop to a command line at the network connection page and entered OOBE\BYPASSNRO to force a reboot and make the "I don't have internet" option appear. To be fair to Musk, it is quite convoluted.
Running a personal Windows 11 device without a Microsoft account is not a great experience, however. Some elements of the operating system simply do not work, and Microsoft is clearly keen for customers to have an account. If that's not a path you wish to tread, there are plenty of alternatives to Windows 11 out there.
In the early days of microcomputers, everyone just invented their own user interfaces, until an Apple-influenced IBM standard brought about harmony. Then, sadly, the world forgot. In 1981, the IBM PC arrived and legitimized microcomputers as business tools, not just home playthings. The PC largely created the industry that the …
COMMENTS
1/11/24 update added below.
Windows 10 users worldwide report problems installing Microsoft's January Patch Tuesday updates, getting 0x80070643 errors when attempting to install the KB5034441 security update for BitLocker.
Yesterday, as part of Microsoft's January 2024 Patch Tuesday, a security update (KB5034441) was released for CVE-2024-20666, a BitLocker encryption bypass that allows users to access encrypted data.
However, when attempting to install this update, Windows 10 users are reporting getting 0x80070643 errors and the installation failing. //
When installing the KB5034441 security update, Microsoft is installing a new version of the Windows Recovery Environment (WinRE) that fixes the BitLocker vulnerability.
Unfortunately, Windows 10 creates a recovery partition, usually around 500 MB, which is not large enough to support the new Windows RE image (winre.wim) file, causing the 0x80070643 error when attempting to install the update. //
Microsoft releases script to install fix
Microsoft has released PowerShell scripts that automate the installation of the BitLocker CVE-2024-20666 security patch to the Windows 10 Windows Recovery Environment (WinRE).
These scripts do not install the KB5034441 update but rather mount the WinRE partition, copy over the images from a dynamic update, and unmount the partition again.
The WinRE partition will now contain the latest files, including the BitLocker fix, effectively eliminating the need for the KB5034441 update on these machines.
Windows is live on Git
Over the past 3 months, we have largely completed the rollout of Git/GVFS to the Windows team at Microsoft.
As a refresher, the Windows code base is approximately 3.5M files and, when checked in to a Git repo, results in a repo of about 300GB. Further, the Windows team is about 4,000 engineers and the engineering system produces 1,760 daily “lab builds” across 440 branches in addition to thousands of pull request validation builds. All 3 of the dimensions (file count, repo size and activity), independently, provide daunting scaling challenges and taken together they make it unbelievably challenging to create a great experience. Before the move to Git, in Source Depot, it was spread across 40+ depots and we had a tool to manage operations that spanned them.