Is it normal that the 4.35.1 Incremental Installer I downloaded is flagged as unsafe?
-
I downloaded it from the weapondeliveryplanner.nl site using Edge Chromium.
-
Windows SmartScreen has been flagging it as “not commonly downloaded”. Eventually that goes away once a few thousand or so people download something, without ending up with any viruses.
There is a feedback mechanism to declare the file as safe … that may help expedite. Also there’s a button on that feedback page for the owners of weapondeliveryplanner.nl to attest, and complain about false-positive warning…
-
ok thank you.
-
Antivirus is not generally very effective software, amusingly enough. Turns out that false positives help their business, so there is little focus on eliminating false positives, and lots of effort on having no false negatives.
That sounds great, until you end up with thousands of hits, and few if any are actual viruses.
-
This is Microsoft built-in antimalware protection … not sure the same economic disincentives apply. But yeah it’s a bit over-strong in its warning, to start flagging everything new/unknown as potential malware. It’s a classic “boy who cried wolf” situation (err, no offense, blu3wolf) and long term, likely to result in poorer security habits and practices for millions of users.
I actually don’t know what to recommend, for ISVs to avoid this. Code-signing with EV certificates, I guess. That is a fairly expensive, and high-effort process… used to be required only for device-drivers.
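An added example, not part of the original thread: one way to inspect a download that SmartScreen reports as “not commonly downloaded”, by reading its Mark-of-the-Web stream, its Authenticode signature and its SHA-256. The file path and the expected hash are placeholders (assumptions); the thread gives neither.

```powershell
# Added example: inspect a downloaded installer before deciding whether to run it.
# $Path and $ExpectedSha256 are placeholders, not values taken from the thread.
$Path           = "$env:USERPROFILE\Downloads\installer.exe"  # placeholder path
$ExpectedSha256 = ''   # paste the publisher's hash here, if the publisher provides one

function Get-DownloadReport {
    param(
        [Parameter(Mandatory)][string]$File,
        [string]$Expected
    )

    $item = Get-Item -LiteralPath $File -ErrorAction Stop

    # Mark-of-the-Web: the Zone.Identifier alternate data stream the browser writes.
    # ZoneId=3 means "Internet"; a missing stream means the file carries no download mark.
    $motw = Get-Content -LiteralPath $item.FullName -Stream Zone.Identifier `
                        -ErrorAction SilentlyContinue
    $zone    = ($motw | Where-Object { $_ -match '^ZoneId='  }) -replace '^ZoneId=',  ''
    $hostUrl = ($motw | Where-Object { $_ -match '^HostUrl=' }) -replace '^HostUrl=', ''

    # Authenticode: Status is Valid, NotSigned, HashMismatch, NotTrusted, ...
    $sig = Get-AuthenticodeSignature -LiteralPath $item.FullName
    $sha = (Get-FileHash -LiteralPath $item.FullName -Algorithm SHA256).Hash

    # Compare against the publisher's value only when one was supplied.
    $match = if ($Expected) { $sha -eq $Expected.Trim() } else { $null }

    [pscustomobject]@{
        File            = $item.Name
        ZoneId          = $zone
        DownloadedFrom  = $hostUrl
        SignatureStatus = $sig.Status
        Signer          = $sig.SignerCertificate.Subject
        Timestamped     = [bool]$sig.TimeStamperCertificate
        Sha256          = $sha
        HashMatches     = $match      # $null = nothing to compare against
    }
}

$report = Get-DownloadReport -File $Path -Expected $ExpectedSha256
$report | Format-List

# An unsigned file or a hash mismatch is a reason to stop and ask the publisher,
# whatever the reputation prompt says.
if ($report.SignatureStatus -ne 'Valid') { Write-Warning 'No valid Authenticode signature.' }
if ($report.HashMatches -eq $false)      { Write-Warning 'SHA-256 differs from the expected value.' }
```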
-
I suggest the same incentive for Microsoft exists, but it's not as immediately obvious.
For them, they benefit greatly from having a ‘boogeyman’ for users to fear, and to turn to M$ for trust.
-
I think they still really struggle to overcome the entrenched notion that MacOS and Linux are “more secure”.
When I was there, working on the trustworthy-computing push in 2002 (when BillG famously stopped all development across the company for a year, after XP was exploited about a week after rtm, for everyone to get our s–t squared away) … I can say first hand, at that time anyway, we were all really just scrambling to try to find ways to not have a billion people owned by malware. The directive from Bill was that people should be able to trust their computers… to be able to perform transactions and e-commerce etc, with confidence.
Up until that time, we tried hard to stay out of the business of antivirus.
Sigh … I remember arguing back then against similar aspects of UAC… incessant prompting == crying wolf. It’s sad to me to think that was almost 20 years ago, and overall user experience hasn’t gotten much better… maybe worse… always one step forward one step back
I actually think the idea of cloud-based reputation monitoring for downloads is great. But it’s not being executed well, and not presented to the user well, and not communicated well to the ISV ecosystem.
-
> I think they still really struggle to overcome the entrenched notion that MacOS and Linux are “more secure”.
https://www.winehq.org/pipermail/wine-devel/2007-January/053719.html
> Hi!
> This weekend my son downloaded a trojan masking as keygen for a Symbian mobile application. After running a trojan, a tooltip in the systray appeared saying something like “Your computer is infected”. After that, I inspected his .wine directory. There were many files added in various directories (system32, windows, even root of c:, they were partly .exe, partly .dll, and one even .htm :-). I looked it in the web browser and it displayed a page saying that my comp is full of malware, spyware and various other *ware and that the only cure is to download a specialized application from them :-). They tried to make me shocked by displaying something that “THEY know that your computer has IP address <my real IP address>, you are using Windows XP (hahaha) and your browser is MSIE 6 (hahahaha). However, this page was not displayed by the trojan, so I think that something has failed in it and it was unable to fire the formerly mentioned MSIE6 :-). Two unknown processes were permanently running by wine. After cleaning all this mess, normal wine operation has been fully restored.
> With regards, Pavel Troller
It's a worry when you get Windows malware on your Linux OS…
Linux (generally) by default is not really hardened, so to some extent Windows is arguably more secure by virtue of having secure defaults. Some folks argue that you are safer on Linux because most people are on Windows, but they overlook that the high value targets don't run Windows… a computer might be Windows, but the network, servers etc will be Linux. Linux can be very secure… but then you can harden Windows too. Soldering the ethernet and USB ports is a good start.
-
wow Wine has really come a long way! lol
Yeah 90% market share means 99% of bad guys target you. Hopefully in the post-Heartbleed era the entrenched notions about the inherent security of open-source, are not so firmly entrenched.
-
Open-source is inherently more secure than closed-source. Security by obscurity is the same as no security at all.
That doesn't mean that open-source is automatically secure. Just like how the only secure system is the one with no users, the only perfect software is the software you imagine.
-
It has the potential to be more secure… but apparently it has the potential to be horrible too. (Another old saying is, the only thing worse than lack of security, is a false sense of security.) The basis of the argument is about the level of scrutiny… but there needs to be a good process and a metric for reviewing that, not just complacency that “many eyes” will find and fix all bugs. especially in super ugly, old, lowest-common-denominator-portable ANSI C code
-
> It has the potential to be more secure… but apparently it has the potential to be horrible too. (Another old saying is, the only thing worse than lack of security, is a false sense of security.) The basis of the argument is about the level of scrutiny… but there needs to be a good process and a metric for reviewing that, not just complacency that “many eyes” will find and fix all bugs. especially in super ugly, old, lowest-common-denominator-portable ANSI C code
The more users there are, the more eyes there are, the more likely that a bug will be found. With enough eyes, the greater the chances that bugs will be found by people who are interested in fixing those bugs, rather than selling them. Closed source does not prevent people finding those bugs, but it does effectively prevent people who would report or fix those bugs from finding them.
Of course, now we are starting to get very philosophical. I suggest that every development should have time spent reviewing it from a security perspective, assessing what risks could exist, whether expertise and a formal process is required… if I'm making a small script that automates the running of several other programs I use, I hardly need to spend much time thinking about security other than deciding whether my script needs sudo (it shouldn't). If I'm building a multi-user OS with networking, it needs eyes on pretty much every level of it to ensure it is secure.
-
Well my only real point is, that during my years working in the Windows division, there was never any hint of any thinking or feeling from anyone, in leadership or in the trenches, that we benefitted from instilling fear in our customers… it was quite the opposite. Indeed (and to steer this back closer to topic) we were all keenly aware that our single biggest paying customer was the US govt … and single biggest departmental segment of that, was the DOD! So the fear was ours… ha. I still remember a reported BSOD on an Aegis missile cruiser (ca. NT4 or Win2k era) that screwed up a training exercise, wasting untold millions of dollars … but what if it hadn’t been a test?
One interesting side note to all this, that is not commonly known … we actually shared* Windows source with several universities and foreign governments (who, understandably, might not want to use our product otherwise). And surely we had to assume it was leaked/shared many times each release cycle, because of those programs, or even by unscrupulous employees. Internally, we all considered Windows as a “source available” product, and behaved accordingly – self-aware that we should never rely on security-by-obscurity. Those of us on the TwC team evangelized both of these points – viz. (a) that our code is running on missile cruisers and (b) that the advanced adversarial militaries that might one day want to attack those missile cruisers, have the source code – every chance we got.
(*I only use past tense because I left there 15 years ago, but I wouldn’t presume anything has changed in this regard. MS seems to be leaning strongly into OSS lately, with the acquisition of github and adoption of Chromium, etc, which is all great imho.)
-
Ah yes, the three Es of open source.
-
Lately it’s embrace, extend and extinguish (their own product) then enrich (others). $7.5B for github, when they already had about a dozen scc systems and even ran competing open-source repositories. Now maybe $10B for discord? when, again, they already own and operate about a dozen web/audio/video chat platforms. Those figures blow my mind. Depending on what monthly-user metrics you believe it’s like $100-200 per customer. No easy way to monetize without driving them away. No obvious moat to keep us locked in. And how much more upside growth could there be, for either github or discord. Ok now I’m way OT but it will be interesting to see how this next phase of MS plays out.
-
MS is sitting on a pile of money gathered through illegal monopoly abuse and very questionable business practises over a few decades (and of course the “nobody ever got fired for buying IBM” mentality so common in IT’s middle management since basically forever), so they can afford the price tags and to play the “we’re nice to open source, see how well we like Linux these days” card.
From a monopoly viewpoint I find Apple to be even worse these days, MS got a slap on the wrist a few years back by the DOJ (much too lenient IMNSHO) and I hope apple, amazon, google and esp. the Zuckerberg crowd will be next on the list.
All the best,
Uwe
-
I assume the recent focus on WSL (Linux subsystem for Windows) is all about courting cloud developers from AWS to Azure. (And to a lesser extent, mobile- and cross-platform UI app devs.)
But seeing them finally give up on IE/Trident and embrace Chromium, has me wondering…
-
> Lately it’s embrace, extend and extinguish (their own product) then enrich (others). $7.5B for github, when they already had about a dozen scc systems and even ran competing open-source repositories. Now maybe $10B for discord? when, again, they already own and operate about a dozen web/audio/video chat platforms.
It's no coincidence. They needed to either consolidate their platforms, or acquire an existing one that is competitive.
I’m not sure what I’ll be using if Discord does sell. Maybe TS again?