268 points tech234a | 28 comments
1. soraminazuki ◴[] No.43513090[source]
It's such an absurd lie. If Microsoft's idea of security is to force its users to authenticate online for a local account, they should never be allowed in the software industry at all. They're needlessly and dramatically increasing the attack surface of one of the most security critical software running on user devices.
replies(5): >>43513349 #>>43513354 #>>43513571 #>>43513574 #>>43514238 #
2. CrossVR ◴[] No.43513349[source]
And for what? Make number go up? If it's just another data collection scheme then at least I could understand why.
replies(1): >>43513373 #
3. userbinator ◴[] No.43513354[source]
It's an argument for increased security in the same way that they consider uploading the contents of your hard drive to their servers to scan for "malware" (and other undesirable-to-them content) is. Corporate authoritarianism.
replies(2): >>43513512 #>>43513596 #
4. bboygravity ◴[] No.43513373[source]
Because the NSA pays them to.

Why did they do to Skype what they did (first turn it from p2p to centralized and spyable and then just ignore it and let it die)?

Same reason.

replies(2): >>43513535 #>>43513541 #
5. miohtama ◴[] No.43513512[source]
The trick is that most of the users need this service. Before Windows Defender was built in you had to buy an antivirus software from snake oil Windows security industry, and likely get somehow scammed in the process.

The same companies sell anti virus for Android today.

Also most users is not all.

replies(2): >>43513645 #>>43514460 #
6. ashoeafoot ◴[] No.43513535{3}[source]
I wonder if some Estonian could just rerelease the p2p originals. After all, as America deteriorates its own influence, at some point the lawyers of the big 4 will be seen as a barely disguised tendril of a hostile power in Europe. Who cares about your sales contracts if the president goes for Greenland. We might see a SkyEarthFireWater-Open source re-release one day. Just another trade war anecdote.
replies(2): >>43513729 #>>43514100 #
7. sterlind ◴[] No.43513541{3}[source]
(Opinions are my own, I have no inside knowledge.)

I vaguely remember hearing that P2P Skype was the bane of sysadmins' existence. Skype would elect clients on high-bandwidth networks as supernodes. This tended to be business customers - the very organizations MS wanted to attract. Skype's prodigious hole-punching ability made it difficult to throttle, so it got banned from a lot of enterprises. MS essentially hosted the supernodes on Azure, which centralized it.

As for encryption, on the other hand, Wikipedia says MS specifically added the ability to eavesdrop for law enforcement agencies, though apparently Skype had already added a backdoor for the NSA before MS bought them: https://news.softpedia.com/news/Skype-Provided-Backdoor-Acce...

replies(2): >>43513582 #>>43516672 #
8. charcircuit ◴[] No.43513571[source]
Microsoft's idea of security is moving people away from local accounts protected by passwords and to Microsoft accounts protected by Windows Hello.

The Windows Hello PIN is protected by the TPM. This means you can't brute force it like a password could be.

replies(2): >>43513581 #>>43513921 #
9. anothernewdude ◴[] No.43513574[source]
If Windows is security critical for you, I think you've already shat the bed.
replies(2): >>43513626 #>>43514106 #
10. soraminazuki ◴[] No.43513581[source]
That has nothing whatsoever to do with the topic, which is forcing online authentication. You can't possibly argue that needlessly forcing online authentication makes users safe.
replies(1): >>43513608 #
11. somenameforme ◴[] No.43513582{4}[source]
This [1] is one of my favorite leaks from Snowden revelations, and I regularly bring it up anytime people try to downplay what PRISM is. That's a user manual for NSA agents on how to spy on Skype users (including video and text) in real time. It's informative and also amusing at times. For instance in the FAQ one issue a confused spook might run into is why they're being spammed with the same messages repeatedly. It turns out that when a user logs on to a new device, the recent messages Microsoft sends to the user are also directly forwarded to the NSA, which can result (from their perspective) in messages being repeated.

[1] - https://www.aclu.org/sites/default/files/field_document/Guid...

12. soraminazuki ◴[] No.43513596[source]
I guess Microsoft has to secure their "own" property, the devices the hostile so-called users bought and paid for!
13. charcircuit ◴[] No.43513608{3}[source]
The topic isn't about forcing online authentication. It's about improving security from having users use a Microsoft account. The security improvement of using a Microsoft account comes from Windows Hello.
replies(2): >>43513680 #>>43520247 #
14. soraminazuki ◴[] No.43513626[source]
The problem is that many other people and organizations run Windows and it's absolutely security critical for them. And because we don't live in a vacuum, it's security critical for all of us.
15. badsectoracula ◴[] No.43513645{3}[source]
But this made Windows Defender an actually good and useful feature for the users.

Requiring an online account to use Windows isn't really the same thing.

replies(1): >>43513861 #
16. soraminazuki ◴[] No.43513680{4}[source]
It is. You can check by reading the title.

Yours is a reiteration of Microsoft's preferred talking point that has no basis in reality. Tying local authentication to the cloud tremendously increases the attack surface for those who don't need it. TPMs do nothing to change this fact. The only connection between a TPM and a Microsoft account is that Microsoft chose to tie those two together for their own benefit.

17. bboygravity ◴[] No.43513729{4}[source]
America deteriorates its own influence? wut?

The big 4 will be seen as a hostile power within Europe? The big 4 ARE (mostly) European. What are you talking about?

Sales contracts? What do you mean in what context?

I agree that it would be cool if the original p2p Skype somehow resurfaces, but I can't make any sense of the rest of your post or what it has to do with the subject at hand?

replies(1): >>43515180 #
18. GoblinSlayer ◴[] No.43513861{4}[source]
Except that on Home edition it detects everything as a virus, so all programs have an explanation that if Defender detects it as a virus, then just ignore it.
replies(1): >>43538827 #
19. GoblinSlayer ◴[] No.43513921[source]
To brute force a password, an attacker needs full access to the system, guessing the password won't give them more access.
replies(1): >>43517415 #
20. isaacremuant ◴[] No.43514100{4}[source]
Join us back in the real world with no Trump derangement syndrome and you'll find out that European governments want an airtight control on companies so they can surveil them and people absolutely.

They want narrative control and squashing rising political opposition.

21. consp ◴[] No.43514106[source]
Some Windows versions have CC certification. Doesn't say much but it ticks the box some people want and call it a day.
22. grishka ◴[] No.43514238[source]
It's the entire industry's idea of security for the last 10 years or so that the company who made the thing is unquestionably more trustworthy than the users themselves.
23. hulitu ◴[] No.43514460{3}[source]
> Before Windows Defender was built in you had to buy an antivirus software from snake oil Windows security industry, and likely get somehow scammed in the process.

And now you get the same from Microsoft. Clearly an improvement.

24. ashoeafoot ◴[] No.43515180{5}[source]
FANG is definitely not European.
25. jofla_net ◴[] No.43516672{4}[source]
I remember the old supernodes p2p app, was good times.

I used to leave an extra old laptop on with it running, maybe 15 years ago, on a public address.

During the Arab Spring, tons of traffic could be seen connecting clients in North Africa. It truly did route around things.

26. charcircuit ◴[] No.43517415{3}[source]
No, they don't. They can clone your hard disk and use a different computer. A TPM-based PIN makes that approach impossible and you must have access to the system itself.
27. beeflet ◴[] No.43520247{4}[source]
They couldn't just implement whatever biometric thing that is without making it tied to an account?
28. badsectoracula ◴[] No.43538827{5}[source]
I haven't been using Windows as my main OS for a few years now but at least when I used it with Windows 10 it didn't detect "everything as a virus". In fact I can't even remember a single time I had issues with Windows Defender.

Unless you refer to Windows SmartScreen? That is a different thing - really about how popular some program is (though Microsoft did put it under Windows Defender at some point so it can be confusing) - and isn't about the antivirus (which is what I was referring to).