Windows 11

[California]

More on the Western Digital internet-accessible drives vulnerability.
'Krebs on Security' is a first rate investigator. His writeup goes deeper than the Ars Technica article.

He says the vulnerability exists in some My Cloud models as well as My Book.

MyBook Users Urged to Unplug Devices from Internet – Krebs on Security

 

[PuffyC]

Apparently Win11 needs TPM engaged to turn on your Win11 license and to get any downloads or updates from MS. But the concern is that MS can then control everything about the PC. like is done now in a corporate environment. Not much different than using your PC as a remote terminal.

That’s not what TPM is/does. It’s complicated but really it’s just firmware security. It’s been standard in corporate environments for a while, not because of control but because they tend to take their security seriously.

If you have a system made in the last 10 years or so you should probably be fine, and if the compatibility checker says you don’t have one likely you do but it’s not enabled in the BIOS. For Intel systems it might show up as PPT and for AMD it might be PSP. Also, many of their docs say TPM 2.0 is required but TPM 1.2 will work just fine.

IMO if you care about security then requiring TPM is a good thing. Most people with infected machines don’t know they’re infected (because if they did they’d do something about it) and if your neighbor gets infected and has their PC turned into a zombie it can very much impact you and me and everyone else as well.

 

[rekees4300]

More on the Western Digital internet-accessible drives vulnerability.
'Krebs on Security' is a first rate investigator. His writeup goes deeper than the Ars Technica article.

He says the vulnerability exists in some My Cloud models as well as My Book.

MyBook Users Urged to Unplug Devices from Internet – Krebs on Security

From the article, nothing definitive. Keeping fingers crossed, can't really unplug it because its data is essential for using PC.

"Wizcase said the flaw it found in MyBook devices also may be present in certain models of WD MyCloud network attached storage (NAS) devices, although Western Digital’s advisory makes no mention of its MyCloud line being affected."

 

[rontaki]

I always keep my backup devices disconnected from power or data sources except when I'm actually using them. It's not just being hacked that I'm concerned about, but also power surges and malfunction of the host computers that might destroy the data or device. Rather unlikely, I know, but what's the point of depending on a vulnerable backup device or cloud?

And, to borrow a saying, One is None, Two is One. That way, when one backup source fails due to physical or logical means (it will), you still have the other to copy over to your replacement device.

Most of my career was in IT and user computer support, and losing data was just about the worse thing that can happen. And it's always the IT person's fault, regardless. Boy, was I shocked when I found my predecessor's backups weren't backing much up .

As an aside, for Windows or DOS users, consider using Robocopy to back up your data. It's a native Windows / DOS application that can be scripted (batch file) to update your files on a backup device, in regular file format rather than relying on any particular application, and it costs no extra. If you want to encrypt the backup, set the backup uf for encryption before copying data to it. Makes it easy to access your data on the backup device. The downside is you need to parse all the different command switches to get it to do what you want it to do. The help files for it are detailed and easily available. Once you get it to do what you want, script it and it's easy street after that. Just be real sure not to accidentally erase your original files by using the wrong switches. The likely way that would happen is using the wrong switches with the command, but always test using expendable sources first, no matter what way you back things up. If you have only one copy, be very careful until you have a tested backup of it!

 

[MikeFarm]

Hi all

I have been reading the technical literature on this. Windows 11 will require a chip that is later than about 2017 which will means 10's of millions of PC will not be able to run it. The older chips have the required speed and even if a motherboard has the required memory it will not run. This is the first time that MS has made such a "hard" requirement. Already the MS supplied utility which checks if your PC can run Windows 11 is showing that most home users, and many businesses that don't run on a 3 year hardware lease, will need a new PC.
That is unacceptable.

All countries have a major problem with electronic waste and for MS to be doing this is completely irresponsible. It will be interesting to see what the EU decides to do with this latest announcement. Responsibility starts locally. Think globally - act locally. The best you can do here is to NOT upgrade. And tell your friends why they should not be upgrading. Windows 10 is still supported up to 2025. Windows 11 does not provides anything that you do not already have. I'm sure most of you have better things to spend your money on anyways. A tooth bar or quick hitch etc

Mike

 

[BravoXray]

All those requirements make it an easy decision for me not to upgrade to Win11.
Does MS have any clue to what real people want in an OS? It appears not.

 

[LD48750]

Thanks for the link. Hopefully that app will be available in the Fall when Windows 11 becomes available. If Microsoft thinks many folks are going to buy a new PC for Windows 11 then they are delusional.

People buy the over priced i phones as soon as they come out......

A new computer to get Win 11 will be no problem.

 

[MikeFarm]

And now MS have pulled their PC Health Check app as it was showing lots of users that they would need to get a new PC to upgrade to Win 11. Ref here: Microsoft releases Windows 11 Insider Preview, attempts to defend labyrinth of hardware requirements
Also reading the requirements to have 4 GB RAM is a complete joke. You need 8 GB to have it run at any acceptable speed as its is such a memory hog.

 

[PuffyC]

People buy the over priced i phones as soon as they come out......

A new computer to get Win 11 will be no problem.

True, and what's crazy is you can get a new PC for a lot less than the cost of a new iPhone 12 or Samsung Galaxy Sxx. Apple has been pretty good about supporting older handsets but on Android that can be as little as two years. With Win11 support going back to gen7 CPUs that will roughly split the difference between the two.

As to what people want in an OS, security is at the top of the list and that's what all of the Win11 requirements are about. There's a pretty good article about that here: OK Microsoft, you win: I’m buying a Windows 11 PC | ZDNet

Microsoft did a pretty poor job at messaging but all this reminds me of my BIL. He always b1tches about the poor condition of roads with potholes and all that, then if they decide to fix the roads he just b1tches because the roads are under construction. You can't win with some people.

 

[jjp8182]

More security theater and progression in the cybersecurity arms race it is then?

Personally I'd rather not keep anything of personal/irreplaceable value connected to the internet full time as there always flaws (even in the "new enhanced"/"patched" versions). If it's important it (or a backup) should probably be air gapped in my opinion - and preferably with with tightly controlled access to the physical air gapped system/backup.

Seen/heard of too many breaches (to include the OPM breach a several years ago) to have any faith in new software or patches..... particularly given the poor system/software engineering practices I've seen at many companies (of all sizes).

No matter how good a defense, unless it's paired with an effective offense the defense will be overcome sooner or later..... unfortunately it doesn't seem there's much interest/capability in prosecuting cyber-crimes/attacks unless it reaches a "newsworthy" level.....

 

[PuffyC]

More security theater and progression in the cybersecurity arms race it is then?

Personally I'd rather not keep anything of personal/irreplaceable value connected to the internet full time as there always flaws (even in the "new enhanced"/"patched" versions). If it's important it (or a backup) should probably be air gapped in my opinion - and preferably with with tightly controlled access to the physical air gapped system/backup.

Seen/heard of too many breaches (to include the OPM breach a several years ago) to have any faith in new software or patches..... particularly given the poor system/software engineering practices I've seen at many companies (of all sizes).

No matter how good a defense, unless it's paired with an effective offense the defense will be overcome sooner or later..... unfortunately it doesn't seem there's much interest/capability in prosecuting cyber-crimes/attacks unless it reaches a "newsworthy" level.....

I think it's like a lot of things: if somebody wants to steal your car they will, if they want to break into your house they will, and if they want to break into your computer they will. Doesn't mean you shouldn't try to secure those things the best you can.

Prosecution can be hard because while you can usually track down who it is that doesn't mean you can do anything about it, plus it seems our police model is still stuck in the world of geographic jurisdictions, not to mention a general level of ignorance when it comes to digital crime. Unless something gets the attention of the federal government, most other agencies are ill equipped to deal with it. There's also the cost issue for all that. A top cybersecurity expert can make more than a doctor or a lawyer so hiring a team to work those kinds of cases gets pricey real fast.

 

[jjp8182]

I think it's like a lot of things: if somebody wants to steal your car they will, if they want to break into your house they will, and if they want to break into your computer they will. Doesn't mean you shouldn't try to secure those things the best you can.

Prosecution can be hard because while you can usually track down who it is that doesn't mean you can do anything about it, plus it seems our police model is still stuck in the world of geographic jurisdictions, not to mention a general level of ignorance when it comes to digital crime. Unless something gets the attention of the federal government, most other agencies are ill equipped to deal with it. There's also the cost issue for all that. A top cybersecurity expert can make more than a doctor or a lawyer so hiring a team to work those kinds of cases gets pricey real fast.

...and then (a majority of) the cybersecurity experts hired decide locking things down to the point of being nearly useless for their intended function. (Though occasionally it's possible to find some that are willing to think, educate, and work risk-based solutions).

Really comes down to picking your preferred poison - as the best a person can do won't always be good enough. Hence the need to inflict a cost on those who even attempt to engage in such actions... much like if someone breaks into the wrong house they may pay a final price.

Jurisdictions aren't much an issue since many cybercrimes are federal crimes, and thus fall under the jurisdiction of the FBI (granted them being appropriately & consistently resourced is an issue) ...and if it crosses international boundaries then it's still a federal government issue.

If anything, state and local jurisdictions could/should enable local law enforcement to deal with the "minor" local issues (e.g. locals causing problems for other local residents). ...really not that different of a situation than the transport & distribution of illicit drugs (in ways there's potentially more forensic information available for digital crimes given how few tend to happen without one or more networks being involved).

 

[grsthegreat]

dont get me started on fixing roads....but a good spin off of this thread.... there grinding and repaving a road near me that was in 100% perfect condition. not a crack or pot hole on it. but just north of it is a road thats been patched so many times its nearly undriveable and thats not on their list of future road repairs. i have a feeling theres a county commissioner on the road being paved.

 

[rekees4300]

Windows 11 preview:

"Anyone with one of the newer chips should have no trouble installing Windows 11 via the Insider program. Outside of the Insider Program, the latest word is that standard upgrades to Windows 11 from Windows 10 won’t be available until 2022. My take is that Microsoft really doesn’t want users to upgrade to Windows 11—it wants them to buy new PCs."

Microsoft Windows 11 Preview

 

[PuffyC]

Windows 11 preview:

"Anyone with one of the newer chips should have no trouble installing Windows 11 via the Insider program. Outside of the Insider Program, the latest word is that standard upgrades to Windows 11 from Windows 10 won’t be available until 2022. My take is that Microsoft really doesn’t want users to upgrade to Windows 11—it wants them to buy new PCs."

Microsoft Windows 11 Preview

Could be, especially since Microsoft is giving away the Windows 11 upgrade for free like they did with Win10. But then having users on a modern, secure platform creates a lot of savings all by itself.

 

[cdaigle430]

Been a Microsoft Tech\Engineer for 25 years-there is always haters and complainers If you want it upgrade to it, if you dont, you dont. Dont need to preach your whys and whynots to others nor do you need to put them down.

I still dont like Linux very much and unfortunately-Micky soft is going the way of Linux...which I really don't want to happen.

Say good bye to the GUI...say hello to powershell and you will all be fine.

 

[cdaigle430]

...and then (a majority of) the cybersecurity experts hired decide locking things down to the point of being nearly useless for their intended function. (Though occasionally it's possible to find some that are willing to think, educate, and work risk-based solutions).

Really comes down to picking your preferred poison - as the best a person can do won't always be good enough. Hence the need to inflict a cost on those who even attempt to engage in such actions... much like if someone breaks into the wrong house they may pay a final price.

Jurisdictions aren't much an issue since many cybercrimes are federal crimes, and thus fall under the jurisdiction of the FBI (granted them being appropriately & consistently resourced is an issue) ...and if it crosses international boundaries then it's still a federal government issue.

If anything, state and local jurisdictions could/should enable local law enforcement to deal with the "minor" local issues (e.g. locals causing problems for other local residents). ...really not that different of a situation than the transport & distribution of illicit drugs (in ways there's potentially more forensic information available for digital crimes given how few tend to happen without one or more networks being involved).

Businesses have to protect itself in many ways, external threats, internal threats and disasters. Lock down is a must...my last organization was locked down so much that to work on a server or server issue you had to have a valid trouble ticket. then you logged into a vault app using a token app and valid cert. Once you are approved you use the vault to remote into the server with the valid tokens and password that is only good for up to 7 hours. Once you logged everything you do is recorded

No more super users or root admin gods! That is if your origination is up to date on security...if not god help you-especially with ransomware on the rise.

People at home need to be aware and as a minimum use two step security....We are ALL being watched. Always remember your conversions on your phones are being recorded and monitored for keywords by software bots. Its not just your computer..Even our TV is watching us lol.

 

[jjp8182]

Businesses have to protect itself in many ways, external threats, internal threats and disasters. Lock down is a must...my last organization was locked down so much that to work on a server or server issue you had to have a valid trouble ticket. then you logged into a vault app using a token app and valid cert. Once you are approved you use the vault to remote into the server with the valid tokens and password that is only good for up to 7 hours. Once you logged everything you do is recorded

No more super users or root admin gods! That is if your origination is up to date on security...if not god help you-especially with ransomware on the rise.

People at home need to be aware and as a minimum use two step security....We are ALL being watched. Always remember your conversions on your phones are being recorded and monitored for keywords by software bots. Its not just your computer..Even our TV is watching us lol.

very, very true -- though I've also seen cases where the lock down has been such that the core functions of the organization have been so negatively impacted that any opposition the organization may have could only wish they could be so effective.

E.g. attempting to require a system to go to a login screen (obscuring all other information) for changing users ....even though the system was actively being used to remotely control a vehicle in motion/flight.

While the cyber-landscape isn't always the friendliest of places, there's also no reason to blindly apply "solutions" that can cause worse (potentially life-threatening) problems. ...and when it comes to some items the end-user needs to be able to assess the risks of updating (or not) -- or when to update. ...which in my experience isn't something most designers (or even all "leaders") seem to consider.

Granted most home users aren't going to be using their personal computers for such uses (I'd hope ), but outsourcing personal security (whether physical or cyber) decisions always seems like a bad idea to me.

 

[lman]

Been a Microsoft Tech\Engineer for 25 years-there is always haters and complainers If you want it upgrade to it, if you dont, you dont. Dont need to preach your whys and whynots to others nor do you need to put them down.

I still dont like Linux very much and unfortunately-Micky soft is going the way of Linux...which I really don't want to happen.

Say good bye to the GUI...say hello to powershell and you will all be fine.

I thought they were restricting the update to newer pc's. It sounds like you're saying anybody that wants it can get it. My desktop is older with an i7 cpu, but w11 is not an option. The irony is they are probably claiming to be environmental, but this policy will send a large amount of electronics to the trash heap.

 

[PuffyC]

I thought they were restricting the update to newer pc's. It sounds like you're saying anybody that wants it can get it. My desktop is older with an i7 cpu, but w11 is not an option. The irony is they are probably claiming to be environmental, but this policy will send a large amount of electronics to the trash heap.

The upgrade will eventually be available to anyone who wants it but you can stay on Win10 if you want. It'll be supported until 2025 which will be 10 years since it's release. Nobody is sending a PC to the landfill because it won't run the yet-unreleased Windows 11.