Windows: Insecure by design

1 Like

Just to add my general thoughts & perspective:

I don’t see any way anyone could trust a Microsoft product or service with their data, especially after what’s going on with Outlook, which I don’t think was covered enough in the mainstream at all. I guess people are just way too used to this type of data collection at this point. Selling data to over 800 advertising companies is insane. Not to mention every time I hear about this story, the number of ad companies seems to go up - it looks like we’re now at 840.

I think the key in general when it comes to this stuff is finding a balance between privacy & security. Windows does have some neat technical security features… but does it really matter if they’re just going to sell your data to over 800 ad companies? Sure, you can use group policies & regedit to mitigate the damage, but that’s only until the next surveillance feature gets added.

Linux is far from perfect from a security perspective, there’s no denying that (In general the desktop security model is just completely broken & a disaster IMO), but I think it can be a solid and good enough option for most people, especially once hardened. All just depends on one’s threat model and specific situation. It’s also worth noting that there’s a difference between insecure & less secure.

I think sometimes people just get too caught up with technical security features (Ex. seeing people shill Microsoft Edge & ChromeOS), but I’m not sure how you can say something is secure if it’s just sending all of your data to some remote server somewhere anyways. Similarly you of course can’t say something is private if it’s insecure and easy for one to break into. Again, the key is striking the right balance and what works best for you and your needs.

4 Likes

I think security is mostly a config thing now

Windows 11 LTSC with enterprise group policies >>

This is only applicable for free version of the personal Outlook accounts, right? Not Personal Premium or the business versions?

@Bhaelros AFAIK it pertains to ALL Outlook variants. But I may be wrong.

That advertising section which was mentioned on Proton’s blog doesn’t exist on M365 Family

and below is the only thing that is blocked by uBlock: [image]

That advertising and data collection is not happening on business plans, of that I am sure. You can even select your datacenter with business plans, along with a lot of DLP and compliance configurations. So, I can say with confidence that the advertising and data collection from Outlook happens only with Free and consumer accounts.

2 Likes

It wouldn’t be the first time corporations lie. You still have to trust Microsoft, regardless of what they say.

3 Likes

Then just recently OpenSSH Vulnerability: CVE-2024-6387 FAQs and Resources | Qualys

In Qualys TRU’s analysis, we identified that this vulnerability is a regression of the previously patched vulnerability CVE-2006-5051, reported in 2006. A regression in this context means that a flaw, once fixed, has reappeared in a subsequent software release, typically due to changes or updates that inadvertently reintroduce the issue. This incident highlights the crucial role of thorough regression testing to prevent the reintroduction of known vulnerabilities into the environment. This regression was introduced in October 2020 (OpenSSH 8.5p1).

Why isn’t everyone looking at the source code!

3 Likes
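The Qualys quote above points at the practical problem: a fixed flaw came back in 8.5p1, so a fleet that was "patched" in 2006 was exposed again from 2020 on. Below is an added example (not from the thread, not Qualys’ tooling) that classifies OpenSSH server banners against the regreSSHion version ranges. The ranges are assumed from the Qualys advisory: portable OpenSSH before 4.4p1 vulnerable (unless patched for CVE-2006-5051), 4.4p1 up to but not including 8.5p1 not vulnerable, 8.5p1 up to but not including 9.8p1 vulnerable again, 9.8p1 and later fixed. The sample banners are constructed. The caveat a practitioner needs: a banner cannot see distribution backports, so a vendor-suffixed version inside the vulnerable range is reported as "check vendor backports" rather than as a definite hit.

```python
"""Classify OpenSSH server banners against the CVE-2024-6387 ("regreSSHion")
version ranges.

Added example; not code from the forum thread or from Qualys.
Assumed ranges (from the Qualys advisory, portable OpenSSH only):
    < 4.4p1          vulnerable (unless patched for CVE-2006-5051)
    4.4p1 .. 8.5p1   not vulnerable
    8.5p1 .. 9.8p1   vulnerable (the October 2020 regression)
    >= 9.8p1         fixed
Banners with a vendor suffix (Debian-..., Ubuntu-...) may carry a backported
fix, which the banner alone cannot reveal, so they get a softer verdict.
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Matches e.g. "SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u3" -> 9, 2, 1, "Debian-2+deb12u3"
BANNER_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?(?:\s+(\S.*))?")

REGRESSION_START: Version = (8, 5, 1)   # first portable release with the bug back
FIXED_FROM: Version = (9, 8, 1)         # first portable release with the fix
ORIGINAL_FIX: Version = (4, 4, 1)       # CVE-2006-5051 fixed here


def parse_banner(banner: str) -> Optional[Tuple[Version, str]]:
    """Return ((major, minor, portable_patch), vendor_suffix) or None if not OpenSSH."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    major, minor, patch, vendor = m.groups()
    return (int(major), int(minor), int(patch or 0)), (vendor or "").strip()


def classify(banner: str) -> str:
    """Classify one banner string against the assumed version ranges."""
    parsed = parse_banner(banner)
    if parsed is None:
        return "unknown"            # not OpenSSH (dropbear, proprietary, etc.)
    version, vendor = parsed
    if version < ORIGINAL_FIX:
        status = "vulnerable"       # pre-2006 fix
    elif version < REGRESSION_START:
        status = "not vulnerable"   # between the 2006 fix and the 2020 regression
    elif version < FIXED_FROM:
        status = "vulnerable"       # regression window
    else:
        status = "fixed"
    # Distros ship security fixes without bumping the upstream version, so a
    # vendor-suffixed banner in the vulnerable window is only "likely".
    if status == "vulnerable" and vendor:
        return "likely vulnerable (check vendor backports)"
    return status


def scan(banners: List[str]) -> Dict[str, str]:
    """Classify a list of captured banners; returns banner -> verdict."""
    return {b: classify(b) for b in banners}


if __name__ == "__main__":
    # Constructed sample banners, not captured from real hosts.
    sample = [
        "SSH-2.0-OpenSSH_8.4p1",
        "SSH-2.0-OpenSSH_9.7p1",
        "SSH-2.0-OpenSSH_9.8p1",
        "SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u3",
        "SSH-2.0-dropbear_2022.83",
    ]
    for banner, verdict in scan(sample).items():
        print(f"{banner:45s} {verdict}")
```

Feed it the output of a banner grab (the first line the server sends on port 22) rather than `ssh -V`, which reports the client. A banner in the vulnerable window with a vendor suffix needs a check against the distribution’s changelog or package version before it is counted as a finding.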

Might that be simply because Windows and macOS are proprietary, so security analysis that can be done on Ubuntu cannot be done on Windows or macOS? FOSS allows the study of exploits via source code analysis.

I never said Windows doesn’t have security features, that Linux is secure, or that FOSS implies secure. What good are Windows’ security features if Microsoft can remove/disable them or insert backdoors at their own whim, and the operating system in general is spyware? That seems to be lost on people who have been sucked up into the Microsoft corporate vortex. I don’t believe my Linux operating system is really secure, but I would never ever ever trust Windows with my data or activities.

But yes, the article is obviously biased as evident in its exclusive criticism of Windows. Unless the Linux user is willing to go to extreme lengths to harden their operating system and vet the software that is installed, which is unreasonable to expect users to have to do, Linux is nowhere near as secure as it should be.

1 Like

Yes. For reference, for those starting this journey and looking for some reading on this topic, one can find some information on these sources: Privesec and Madaidan.

Nevertheless, adopt a certain level of criticism when reading because of two reasons: it was created some time ago, and certain deficiencies could have already been fixed or improvements made since Linux is evolving quickly nowadays; second, certain things are exaggerated.

In the Fedora community there are plans or discussions trying to captivate improvements in the security front.

I feel that Linux, in general, is kind of like democracy or capitalism - it has problems, but it’s probably the best system that mankind has available today if you’re looking for a decent balance of security and privacy. Of course, each case is different, and at least for my threat scenario, Linux offers this aforementioned balance.

Try not drinking the FSF/Stallman koolaid and be realistic :blush:

2 Likes

I have to say I was never into Stallman, so you’re way off there. Next time, say something constructive. Rather than accusing me of being indoctrinated by someone, why don’t you explain what is off about my argument?

I apologise for assuming that someone making the exact same flawed argument as a particular ideologue was, in fact, following said ideologue. My bad.

And it is a flawed argument because you’re just asserting that a piece of software that is proprietary[1] has or could have backdoors with zero evidence. One could more defensibly argue that any sufficiently large piece of software could sneak in a backdoor at the whim of the main developers, but alas, you did not make such an argument.


  1. which, to be clear, is not an instant “must be malicious!!”, because you can reverse engineer any software to try and figure out what it does. Conversely, you can sneak in a backdoor into open source software – there’s at least 1 known example.

I was inclined to go with benefit of the doubt at first, but your wording strongly suggests sarcasm and insincerity. Seems like you’d rather make ad hominem attacks than counter people’s arguments.

FWIW, I believe FOSS / free software / open source software is a good thing, but I’m not convinced of the “GNU/Linux” label of Linux operating systems, opposed to Copyleft which FSF promotes via its flagship GPL, and I don’t like Stallman’s mannerisms and aggressive ideological stance. I got into FOSS because: I’ve been concerned about digital security and believe proprietary software is the wrong choice; I don’t want my computing to be restricted or controlled by corporations; and I had no choice but to switch to a Linux-based distro after the proprietary OS that I had installed got corrupted.

I think the “could have” part is true, it looks like you also agree, and I don’t think such a basic claim that anyone can arrive at by deduction requires me to present evidence.

I’ll repeat what I previously said about FOSS vs non-FOSS and security.

You still haven’t made a case as to why my argument is flawed, you’re just using “flawed” in an attempt to equate me with Stallman. Given your ad hominem attacks and sarcastic/insincere comments, I won’t waste any more time with you… unless you contribute with something new and constructive.

You quoted the part where I explain why it’s flawed to argue what you’re arguing, but because I’m nice I will spell it out again: you cannot defensibly argue that the security features of Windows are useless (“what good are [they] if… backdoors”) purely because Windows is closed source/proprietary, as that fact only makes it easier to hide malicious code in software you let people have access to; it does not make it impossible to find any malicious code you may put into said piece of proprietary software. I further made the point that open source is not a guarantee of no backdoors despite being readable, as there is at least 1 known case of it being done (outside of university researchers also doing that).

As for your “buh buh it’s deduction!!”. No. Put up or shut up, you can’t just be like “it could have backdoors!!!” due to faulty reasoning, I’m not really a subscriber of the “if you can conceive of something, it must necessarily exist” – just because something is a logical possibility, doesn’t mean that it is the world we’re in.

also.

is such weasel words when you said

which I hope you can appreciate is not, realistically, that different given the response I provided. You not liking the answer that addresses your fallacious rhetorical question does not make it not an answer. I provided reasons (really, the technologies and features) that I myself and people far smarter than me who I have the privilege of working with think make Windows secure. Don’t try to outpedant me after I’ve clocked out for the day; I am bored and I do not have anything better to do.

Hmm…

I didn’t know everyone has to work on your schedule, and it sounds like you need to get a life.

Can anyone else see anything constructive in this person’s comments that I might have missed, or should we just call this thread done?

okay so no, no evidence just speculation.

I can’t see anything constructive either. Could the mods @dngray close the thread? I think there have been enough posts hidden here for the thread.

Me not providing evidence doesn’t mean speculation. Do I have to provide evidence if I say that objects fall to the Earth?

Hang on, do you have some kind of affiliation to or financial interest in Microsoft? If so, you should have disclosed it.

I agree, this thread is going nowhere. @dngray please close the thread.