Advertisements

Microsoft Has Some Bad News For Windows 10 Haters

uncaptioned

Windows 10 users are plagued by ongoing problems with Windows 10 updates such as systems freezing, refusing to install if USB drives are present and even dramatic performance impacts on essential software. So perhaps it should come as no surprise that there is a large tranche of users who are refusing to make the move from Windows 7 to the Microsoft operating system flagship. According to the latest market share statistics the number of people still using Windows 7 has remained pretty static month on month. What may well surprise you is that while Windows 10 enjoyed a 44.1% share of the overall operating system market in April, Windows 7 still accounted for 36.43%. That figure hasn’t moved much at all from the 36.9% in December last year.

Microsoft obviously wants everyone to move to the latest generation of Windows and has a double-whammy of bad news for Windows 10 haters I’m afraid. Whammy number one is that Windows 7 will reach its end-of-life status on January 14 next year. Whammy number two is that it will cost you as much as $200 per year to get “extended security support” after that period. Assuming, that is, you are not a home user. I guess you could add a whammy number three in that home users will have absolutely zero options for security support post January 14, 2020.

There are plenty of very good reasons why people are reluctant to make the move to Windows 10: the hardware Windows 7 is running on might not be powerful enough or available storage could be problematical for example, but overwhelmingly it is likely to boil down to a simple dislike of Windows 10. In exactly the same way that Windows XP users steadfastly hung onto that obsolete operating system for years and refused to upgrade to Windows 7, I expect that the same will happen again as Windows 10 haters are “gonna hate” as the saying goes. Yet Windows 7 is fast approaching end of life status when free security support will come to an end. After January 14, 2020 it will cost as much as $200 per year, per PC, to upgrade to extended security support to keep it alive. And as I’ve already mentioned that’s for enterprise users only, there is no such option for home users.

The security question was widely dismissed as fake news by XP users for the longest time. I imagine a great many Windows 7 users will likewise insist it is far more secure than Windows 10. While there hasn’t been another WannaCry to highlight the problems of continuing to use unsupported operating systems, that doesn’t make Windows 7 a secure bet. Just last month Google was urging all Windows 7 users to upgrade to Windows 10 after the discovery of two zero-day vulnerabilities that could be used in tandem to take over host systems. Microsoft coughed up additional security updates for XP users in the wake of WannaCry, but Windows 7 users shouldn’t be lulled into a false sense of security by that.

I’m not going to explore all the security arguments for upgrading from Windows 7 to Windows 10, not least as SentinelOne has done a great job of detailing 32 security reasons to move to Windows 10 over at the Security Boulevard blog. I do, however, urge all Windows 7 diehards to go read that article and ponder the potential consequences of sticking with it. In order to finish this bad news story with some potential good news, it is still possible to upgrade to Windows 10 for free if you are a Windows 7 user despite the original Get Windows 10 offer expired in 2016. It’s a little convoluted and involves the Microsoft media creation tool, a USB (or DVD) drive and a pinch of luck, but you can find the full instructions here.

Please follow me on Twitter or connect with me on LinkedIn, you can find more of my stories at happygeek.com

I have been covering the information security beat for three decades and Contributing Editor at PC Pro Magazine since the first issue way back in 1994.

Source: Microsoft Has Some Bad News For Windows 10 Haters

Advertisements

Asus Just Gave You 1 Million Reasons To Switch From Windows To Linux

Cyber-security and antivirus company Kaspersky dropped a bomb on Asus laptop users this week, revealing that malware was distributed through the Asus Live Update utility. It masqueraded as a legitimate security update, and even boasted a “verified” certificate — hosted on Asus servers — to make it appear valid. Kaspersky has deemed this attack “one of the biggest supply-chain incidents ever.” Such attacks spiked 78% between 2017 and 2018. This shouldn’t raise alarms for just Asus users. It should prompt you to seriously consider whether you want Windows on your PC. Because the possibility of this ever happening on a desktop Linux OS like Ubuntu is minuscule.

My own Asus Republic of Gamers laptop — now running Linux

Jason Evangelho

How Serious Is ShadowHammer?

In the long tradition of scary codenames for such attacks, Kaspersky has labeled the attack “ShadowHammer.” The company says that according to its statistics, more than 57,000 users of Kaspersky Lab products (such as Kaspersky Anti-Virus) have already installed it. However, they estimate that its true reach extends to 1 million Asus computers.

To my knowledge this is only eclipsed by the infamous CCleaner attack, which was distributed to 2.7 million Windows PCs.

The motivations for the malware attack are unclear, but it apparently targeted only 600 specific MAC addresses. Once found, the attack would escalate to install more software to further compromise the system. There doesn’t seem to be a reason that the attackers couldn’t have activated this on every single computer affected.

For an informative and detailed discussion on this attack, listen to TechSnap Episode 400.

What’s even more frightening is that Kaspersky discovered the same type of technique used against the Asus Live Update software was also leveraged against three other vendors. The company promised to reveal more substantial information at an upcoming Security Analyst Summit in Singapore.

When contacted by Kaspersky, The Verge reports that Asus evidently denied the attack originated from its servers. In a follow-up press release, however, Asus did acknowledge that this was a “sophisticated attack” on its Live Update servers.

No apology was issued. This is not how you build trust. (Especially since this is far from being the first security blunder Asus has made.)

Asus has since patched the Live Update software and issued a tool for users to determine if they owned one of the specific computers targeted. Given the circumstances, I’m not even going to link to it, but it’s available via this press release page.

An FAQ posted alongside the press release has a stinging piece of advice for users who were affected by the malware attack: “Immediately run a backup of your files and restore your operating system to factory settings,” it states. “This will completely remove the malware from your computer. In order to ensure the security of your information, ASUS recommends that you regularly update your passwords.”

What really rattles my cage about this situation is the fact that Kaspersky uses the word “teaser” in the URL associated with its ShadowHammer post, as if this is some kind of movie trailer. Then the company warns that three other Asia-based software vendors were attacked using the same method without revealing who they are.

But all of this information is just background for the real point I’m trying to make.

Why Ubuntu (And Linux In General) Is Safer

uncaptioned image

Dell put forth considerable effort into making the popular XPS 13 the perfect Ubuntu laptop

Jason Evangelho

Consider how many companies have independent control over the software and hardware inside your Windows PC. Intel, AMD, Dell, Nvidia, Realtek among several others. The vast majority of the code they use running on your computer is not open source. That means it’s not subject to inspection by the hundreds of millions of people using it. The code can’t be independently verified. The code comes from multiple locations across multiple update utilities.

On Ubuntu and other Linux distributions, my firmware updates, software updates and security updates come from a single source: the operating system’s built-in software center.

This next part is important: only a select few individuals at Asus are responsible for ensuring the software and firmware being sent through the Asus Live Update utility is safe. And it’s almost certain no one at Microsoft saw the code before it before it went out to those 1 million Asus laptop users.

Rather than base my entire argument about Linux being safer on personal experience or subjective opinions, I reached out to Alex Murray at Canonical. Murray is the Security Tech Lead for Ubuntu, a Linux distribution used by hundreds of millions. It powers everything from IoT devices to home desktops; supercomputers to the web servers delivering the majority of your experiences on the internet. Netflix is powered by Ubuntu, as is Amazon Web Services. Outside your home, Lyft and Uber are powered by Ubuntu.

My question for Murray was straightforward. Can something like ShadowHammer happen on Linux?

Murray admits that while this sort of attack is a possibility on Linux, it would be a lot harder to pull off.

Ubuntu is based on Debian, one of the the largest and most mature Linux distributions available. “Many of our source packages originate from Debian where we add Ubuntu-specific patches on top,” Murray says.

As such, Murray explains that there are “many, many people who can detect any possible malicious changes to a software package.” That’s the beauty of open source. Changes are submitted publicly, and every line of code can be scrutinized.

Of course, there needs to be a more elaborate system of checks and balances that doesn’t rely solely on community.

uncaptioned image

Alex Murray, Ubuntu Tech Lead at Canonical Ltd.

Alex Murray

“Various teams of Canonical employees are responsible for maintaining the packages in the ‘main’ section of the Ubuntu software archive, and as such we provide further review and oversight of the source code in these packages,” Murray says. “Importantly, only trusted individuals are allowed to publish software package updates, which again raises the bar to prevent this kind of attack. Finally, we have a strong and dedicated community of developers and users who help to provide an even further level of ‘community’ oversight as well – which gives us a good defense in depth approach to detecting this kind of attack.”

In a nutshell, this means even if a trusted developer is compromised, there are various other individuals who will likely take notice.

But even that isn’t enough, so Canonical takes things a step further.

“From an end-user point of view, Ubuntu uses a signed archive approach where each package is cryptographically hashed and the list of hashes signed in such a manner that our package manager will not install packages which fail the signature and integrity checks,” Murray explains.

This means that even if an Ubuntu mirror (an external software source not directly managed by Canonical) was compromised and someone uploaded malicious copies of packages there, it would fail the signature check and would not be installed.

“We offer digital signatures to verify the integrity of the installation ISO images as well,” Murray says. “So together with the repository signatures, users can be confident that the software they are downloading and installing is what is published by Ubuntu, and with all the various reviews outlined above, we have many opportunities to detect any possible malicious changes to the software packages being published.”

Beyond these methods of ensuring security for its users, I’d recommend this article which explains in detail how Ubuntu delivers system updates and why it’s a more elegant and less frustrating experience than on Windows.

Securing Firmware Through The Blockchain

Firmware updates are an often overlooked — but easily manipulated — potential attack source. One of my favorite Linux distributions, Pop!_OS, uses the power of blockchain to ensure that the firmware updates being delivered to its users have no possible way of being manipulated. And they take an amazing approach to their server setup.

“Firmware updates are delivered using a build server, which contains the new firmware, and a signing server, which verifies that the new firmware came from inside the company,” writes parent company System76. “The two servers are only connected via a serial cable. The lack of a network between the two means that one server cannot be accessed if entry is achieved through the other server.”

System76 sets up multiple build servers alongside that primary one. For a firmware update to be verified, it must be identical on all servers. “If even one build server contains a compromised firmware update, this update cannot proceed to signing and will not be delivered to our customers,” System76 says.

This is very similar to how cryptocurrency mining works, and is arguably a more useful and forward-thinking implementation of blockchain.

Choose Linux

The bottom line is that Windows has too many potential attack points, most of which are not directly overseen by the very company who develops the operating system. The vast majority of the code cannot be audited by the community. There are less checks and balances in place to ensure that these attacks are prevented. After seeing how Ubuntu and various other Linux distributions ensure the security of their users, the Microsoft Windows approach starts to seem a lot less sane.

And if you’re wary of Linux because you think its archaic and not user-friendly, here are some articles that may change your mind, including one to help find the perfect OS to suit your needs:

Since joining Forbes in 2012, I’ve contributed to gaming and technology features on PCWorld and Computer Shopper. You can also find me on Jupiter Broadcasting where I h…

Source: Asus Just Gave You 1 Million Reasons To Switch From Windows To Linux

How to Find and Fix Bugs in Commercial Software on Windows

According to Wikipedia, “A software bug is an error, flaw, failure or fault in a computer program or system that causes it to produce an incorrect or unexpected result, or to behave in unintended ways, eventually crashing the application. The process of fixing bugs is termed “debugging” and often uses formal techniques or tools to pinpoint bugs […].”

Source: How to Find and Fix Bugs in Commercial Software on Windows

How to install cPanel on your VPS — Great Online Hosting

A quick guide to installing cPanel on your VPS – click the cog and select HD to watch in high definition! Link to installation code – We offer great value unlimited web hosting, reseller hosting, VPS hosting, hybrid servers, dedicated servers, SSL security and WHMCS licenses. If you are just starting out on the web,…

via How to install cPanel on your VPS — Great Online Hosting

%d bloggers like this:
Skip to toolbar