R
Robin Murison
Excess apps that cannot be uninstalled are a security threat.
Windows 10 is way too invasive has loads of features that I would call Apps such as Cortana and Edge I would dearly love to uninstall.
I do not just want to disable them. I want to uninstall them to my mind these examples are both a security risk because they could be hacked. I do not want any applications listening to my microphone unless it is a phone application or a recording application, while I am running the application. By that I do not want to rely on you giving me an option for it not to listen.
For example I enabled dictation as a feature it has an echo feature. If I then disable dictation because I was no longer using it. But I can still here my key clicks through the head phones even though they should be turned off again. I now have to physically unplug the microphone not to hear an echo of what ever is going on in the room.
A hacker would not be so blatant and the fact that this apparent bug is still in your software worries me.
I am sure some hacker somewhere will get around a Boolean check in your software and just listen anyway, I would be very supprised if agencies such as the CIA and the KGB cannot do it already.
If the software can be uninstalled then no one can hack it.
I know, in theory I can uninstall Internet Explorer, but even now funny things happen if I do. It was too tightly linked with how you manage internet connections. They were designed as a part of Internet Explorer not as part of the OS. So dictation; ease of access; Cortana; Edge etc.; should be uninstallable to reduce attack surface.
Automatic Update over the internet is not 100% secure.
Parts of your source code is now Open Source, So we know governments can read it, change it and deploy it as a security patch and you may not know about it and may be you just have to put up with it because you are an American company.
As it means the American Government and anyone else who can successfully deploy a patch can highjack your service. I know because someone did it to me. As I am not a US Citizen and I do not live in the US I do not see why I should suffer from the US legal system.
A few years back I had just turned on my windows machine (XP or 7 I cannot remember which) and immediately did an isolated requested Windows automatic update and restarted the machine as requested and ended up with a severly virus infested machine. I do not know how the attack occured just that it did. The internet is not a safe place and MITM atacks can happen. I formated the machine and reinstalled windows to recover. at least I hope I did. Hower, you are never sure whether there is a Trojan.
Your biggest problem Isolation
A common problem with regards to Windows. A lot of the implementation does not isolate features. e.g. The Registry. It is a place for storing any executable's data. Whether that is OS executables or third party including Microsoft product executables, such as Office.
As a result editing the registry means you can break other people's executables because they no longer have essential data if I delete it. People create registry cleaning tools such as CCleaner, because it gets cluttered with rubbish. I hate to think what happens When they delete the wrong thing. You put a warning "Here be dargons" and then do very little to protect us from our own stupidity or deliberate sabotage.
If you insist and having a standard way of storing executable data; (which you do not (Otherwise what is Program Data for?) Then please keep the data for the different executables in different registries. So, that is impossible for other people to see.
E.g. Anything under HKLM\Software\Microsoft\Windows\CurrentVersion\... contains loads of OS data which users should never have access too.
The part most programmers want to access to is the install, upgrade and uninstall parts which should be stored in a standard structure with the Applications data not open to any programmer in the OS specific data.
It should be more like a database with a many to many relationship
Many applications use MsiExec.exe and similar OS Apps.
Only the two applications sharing the data should have access to the data.
I can go into the Registry and look at any applications uninstall string and change it to "Echo Hello World". I just disabled your uninstall.
That simple attack on the registry is a huge vulnerability. That is one of the least destructive things any programmer could do to the registry.
similarly It is possible to delete restore points.
The registry does not restrict the relationships between different applications. It should.
This leaves the Registry completely open to attack.
ISIS and the Taliban foot soldiers are not great Computer users. It would not effect them nearly as badly as the rest of the business world if the Windows OS stopped working.
Any Virus could destroy your OS just by hacking the registry. This is not for money but industrial/Military/Religious global sabotage.
Given the right carrier it could destroy large parts of the daylight wheels of commerce in about 3 minutes. The whole world with in a day.
The links between different areas of functionality should only be visible where they are needed.
I also miss the Clock Widgets that let me know at a glance what the time it was for my friends. I now need 3 clicks and about 5 seconds to work out the same information.
You have removed what should have been an isolated program, a simple graphic clock with an offset from the system clock to give the various times, I presume because you found an underlying vulnerability in the way Widgets were managed. Why cannot you exclude or fix the widget management and keep the application. My guess is for the very simple reason you do not understand how to isolate the two features. Widgets should not be Widgets but straight forward normal applications that you could managed by any management system you chose or no management system.
Isolation between your products and features, would make your OS so much safer. It would also dramatically reduce complexity and so increase your productivity.
Wasted Bandwidth
You are also wasting huge amounts of band width uploading way too much information, about how I use my computer. It is largely useless to me and to my mind penny pinching by you. Most seriously it seriously damaging the environment.
The fact you know how many billions of hours are wasted on Candy Crush and other games has restricted my use of them and how far humanity has swiped around the games horrifies me.
Windows 10 uses about 84% of the band width my computer uses and that includes streaming videos:
Firefox 10.44%; SMB 3.44%; emails 0.84%; and the rest. About 80% of Firefox is entertainment videos and the most important part of that band width is my emails.
This is a huge waste of bandwidth and more importantly energy including fossil fuels and accelerates the moment when we have to be 100% renewable. It is also a huge burden on our CO2 footprint apart from the 20-30% of energy over heating computers that add directly to the tempreature of the atmosphere.
How to detect a trojan?
Once upon a time we could detect a trojan sending a message because it might be the only thing using the internet. Now it is impossible to isolate individual messages due to the huge volumes being used by you. Unless you use Fiddler or other similar tool to specifically filter out the noise and actively look for a specific message. It is not an easy job to do.
Continue reading...
Windows 10 is way too invasive has loads of features that I would call Apps such as Cortana and Edge I would dearly love to uninstall.
I do not just want to disable them. I want to uninstall them to my mind these examples are both a security risk because they could be hacked. I do not want any applications listening to my microphone unless it is a phone application or a recording application, while I am running the application. By that I do not want to rely on you giving me an option for it not to listen.
For example I enabled dictation as a feature it has an echo feature. If I then disable dictation because I was no longer using it. But I can still here my key clicks through the head phones even though they should be turned off again. I now have to physically unplug the microphone not to hear an echo of what ever is going on in the room.
A hacker would not be so blatant and the fact that this apparent bug is still in your software worries me.
I am sure some hacker somewhere will get around a Boolean check in your software and just listen anyway, I would be very supprised if agencies such as the CIA and the KGB cannot do it already.
If the software can be uninstalled then no one can hack it.
I know, in theory I can uninstall Internet Explorer, but even now funny things happen if I do. It was too tightly linked with how you manage internet connections. They were designed as a part of Internet Explorer not as part of the OS. So dictation; ease of access; Cortana; Edge etc.; should be uninstallable to reduce attack surface.
Automatic Update over the internet is not 100% secure.
Parts of your source code is now Open Source, So we know governments can read it, change it and deploy it as a security patch and you may not know about it and may be you just have to put up with it because you are an American company.
As it means the American Government and anyone else who can successfully deploy a patch can highjack your service. I know because someone did it to me. As I am not a US Citizen and I do not live in the US I do not see why I should suffer from the US legal system.
A few years back I had just turned on my windows machine (XP or 7 I cannot remember which) and immediately did an isolated requested Windows automatic update and restarted the machine as requested and ended up with a severly virus infested machine. I do not know how the attack occured just that it did. The internet is not a safe place and MITM atacks can happen. I formated the machine and reinstalled windows to recover. at least I hope I did. Hower, you are never sure whether there is a Trojan.
Your biggest problem Isolation
A common problem with regards to Windows. A lot of the implementation does not isolate features. e.g. The Registry. It is a place for storing any executable's data. Whether that is OS executables or third party including Microsoft product executables, such as Office.
As a result editing the registry means you can break other people's executables because they no longer have essential data if I delete it. People create registry cleaning tools such as CCleaner, because it gets cluttered with rubbish. I hate to think what happens When they delete the wrong thing. You put a warning "Here be dargons" and then do very little to protect us from our own stupidity or deliberate sabotage.
If you insist and having a standard way of storing executable data; (which you do not (Otherwise what is Program Data for?) Then please keep the data for the different executables in different registries. So, that is impossible for other people to see.
E.g. Anything under HKLM\Software\Microsoft\Windows\CurrentVersion\... contains loads of OS data which users should never have access too.
The part most programmers want to access to is the install, upgrade and uninstall parts which should be stored in a standard structure with the Applications data not open to any programmer in the OS specific data.
It should be more like a database with a many to many relationship
Many applications use MsiExec.exe and similar OS Apps.
Only the two applications sharing the data should have access to the data.
I can go into the Registry and look at any applications uninstall string and change it to "Echo Hello World". I just disabled your uninstall.
That simple attack on the registry is a huge vulnerability. That is one of the least destructive things any programmer could do to the registry.
similarly It is possible to delete restore points.
The registry does not restrict the relationships between different applications. It should.
This leaves the Registry completely open to attack.
ISIS and the Taliban foot soldiers are not great Computer users. It would not effect them nearly as badly as the rest of the business world if the Windows OS stopped working.
Any Virus could destroy your OS just by hacking the registry. This is not for money but industrial/Military/Religious global sabotage.
Given the right carrier it could destroy large parts of the daylight wheels of commerce in about 3 minutes. The whole world with in a day.
The links between different areas of functionality should only be visible where they are needed.
I also miss the Clock Widgets that let me know at a glance what the time it was for my friends. I now need 3 clicks and about 5 seconds to work out the same information.
You have removed what should have been an isolated program, a simple graphic clock with an offset from the system clock to give the various times, I presume because you found an underlying vulnerability in the way Widgets were managed. Why cannot you exclude or fix the widget management and keep the application. My guess is for the very simple reason you do not understand how to isolate the two features. Widgets should not be Widgets but straight forward normal applications that you could managed by any management system you chose or no management system.
Isolation between your products and features, would make your OS so much safer. It would also dramatically reduce complexity and so increase your productivity.
Wasted Bandwidth
You are also wasting huge amounts of band width uploading way too much information, about how I use my computer. It is largely useless to me and to my mind penny pinching by you. Most seriously it seriously damaging the environment.
The fact you know how many billions of hours are wasted on Candy Crush and other games has restricted my use of them and how far humanity has swiped around the games horrifies me.
Windows 10 uses about 84% of the band width my computer uses and that includes streaming videos:
Firefox 10.44%; SMB 3.44%; emails 0.84%; and the rest. About 80% of Firefox is entertainment videos and the most important part of that band width is my emails.
This is a huge waste of bandwidth and more importantly energy including fossil fuels and accelerates the moment when we have to be 100% renewable. It is also a huge burden on our CO2 footprint apart from the 20-30% of energy over heating computers that add directly to the tempreature of the atmosphere.
How to detect a trojan?
Once upon a time we could detect a trojan sending a message because it might be the only thing using the internet. Now it is impossible to isolate individual messages due to the huge volumes being used by you. Unless you use Fiddler or other similar tool to specifically filter out the noise and actively look for a specific message. It is not an easy job to do.
Continue reading...