Might take care of some licencing issues too, I dare say.
Windows doesn't have the best reputation for security, but Microsoft has been outlining a series of improvements in the new operating system that it believes will stymie hackers and leave corporate data more secure. "We're no longer facing an evolution in security threats but a revolution," Chris Hallum, senior product manager …
Wednesday 22nd October 2014 15:13 GMT TheOtherHobbes
Wednesday 22nd October 2014 15:16 GMT Anonymous Coward
Wednesday 22nd October 2014 15:25 GMT ilmari
Around half the people I know of that have bought Win8 machines can't figure out the current authentication system, and those that do manage to get past the first boot questions are shocked and surprised after the first Patch Tuesday enforced reboot. "Why do I need a password, this is *my* computer!". Of course they don't remember whatever random keyboard mashing they did a week/month ago to clear "strange questions about my facebook".
Wednesday 22nd October 2014 15:28 GMT Mage
Wednesday 22nd October 2014 15:48 GMT jason 7
Yep you would be surprised how many people when wanting to install say Skype and presented with the following links from 'whatever rogue search engine' they installed -
Will still click on the second one.
"But how do I know?" is what they ask me afterwards.
Thursday 23rd October 2014 09:28 GMT Sean OConnor
Thursday 23rd October 2014 18:52 GMT cambsukguy
Leaving a child (or anyone for that matter) with access to your account which has authority to install software is problematic at best.
I am unsure about other OSs but Windows has had low authority accounts (Basic, child, user, power user etc. depending on the version) for some time now.
I don't leave my machine unlocked and the offspring (and SO) have separate accounts. This includes the tablet (which is a Surface and thus has no problem doing this).
Wednesday 22nd October 2014 17:08 GMT Anonymous Coward
Thursday 23rd October 2014 11:25 GMT Arctic fox
@ tnovelli "............corporate IT departments will disable most of the new security........"
Indeed and at the same time employees in those same IT-departments who are members here at El-Reg will be logging on (behind AC badges naturally) telling us what insecure crap Windows is. Plus ça change, plus c'est la même chose.
Wednesday 22nd October 2014 15:44 GMT jason 7
I worry when I see...
...the word 'encryption' when it comes to user files especially if teamed with 'by default'. It just adds another level of danger when it comes to failed HDDs and data recovery of folks data that doesn't require such levels of protection.
"So you did a back up?"
Of course not. Their tears will sustain me I guess. This also applies to basically re-installing the OS and data too. Just making the support folks job all the harder and economically not viable.
On a side note when will MS enable DEP/SEHOP etc. etc. by default? You know, basically slip EMET into the OS as standard. I would have thought that would be a step in the right direction that should have happened at least 5+ years ago.
Wednesday 22nd October 2014 15:46 GMT Dan Paul
Hopefully the peripherals make it in time for the release?
I have not yet seen any peripheral RFID device that will take the NFC communications from an Android device and port it into Windows.
Let's not have a replay of Windows 8 being installed on non-touch screen laptops apply for Windows 10. The software and hardware BOTH need to be available and compatible.
I'm not buying a new motherboard anytime soon.
Fingerprints, NFC and Facial recognition all require new hardware to be used.
I don't want to give that kind of info to my computer let alone Microsoft.
Wednesday 22nd October 2014 15:49 GMT wolfetone
Wednesday 22nd October 2014 16:51 GMT Khaptain
Wednesday 22nd October 2014 18:40 GMT Mage
Wednesday 22nd October 2014 19:56 GMT Spoonsinger
Yep! Ignorant peeps believe in a panacea. Not saying I cared for most of those examples you gave, but the platform has kept a roof over my head for the period you stated, and hasn't, when applied appropriately over your somewhat short period (in the scheme of things), provided anything unresolvable in the sphere of the technology it encompasses then and now.
Yes, I hate their internal politics, horrible business practices, and the fact that when something is deprecated they manage to remove it from their support sites almost immediately - ignoring the fact that the internet has a memory. Yet they still provide a viable option for peeps who have a life (both in a development role or support). IGMC - because.
Revolution is for the youngsters - but they will get old eventually and know.
Wednesday 22nd October 2014 15:51 GMT Wensleydale Cheese
Back to vendor lock in
"Microsoft wants to safeguard the data they are using, and so is adding containerisation technology for each file, ensuring it is sandboxed and encrypted."
Add cloud and your data isn't altogether yours any more.
Back in the days when our data was locked up on a mainframe at least we could get our management to do a bit of screaming on our behalf.
Wednesday 22nd October 2014 15:58 GMT Anonymous Coward
> There are no plans for a BlackBerry version as yet but Hallum said Microsoft would be keeping an eye on BlackBerry's popularity (politely declining to add the obligatory "or lack of it").
Talk about damning with faint praise.
If they used popularity as a measuring stick for what to support, perhaps Windows Phone wouldn't be that high on the list, although I do know that Windows Phone users tend to quite like it.
Anyone know what the relative numbers are these days?
Wednesday 22nd October 2014 16:19 GMT Anonymous Coward
More security, or more Big Brother?
It may sound wonderful: extra security enhancement to make sure you're safe. But are they really?
Where people say "two-factor authentication for more security" I say "more options for the manufacturer to snoop on the end user". Especially because mobile phones will be the preferred method. Why does Microsoft need my phone number if all I want to do is use Windows?
Second, as I feared they're pushing their software store forward. Sure, I fully agree that it may make things easier for the end user; all they need to do is pick their software from a list, click install, and off you go. But it also locks the market down. And that is not such a good thing IMO.
As I mentioned before: Microsoft launches their new Office version and LibreOffice has just released their latest release. Do you really think LibreOffice would make it into a Microsoft store if there were a risk that it could take away the spotlight from MS Office?
But most of all I can't help wonder why do we need more "security" like this?
Let's look at that latest PowerPoint attack. What is mentioned, but not as clearly as I'd like, is that end users had to go through several warnings and notices before their systems got infected.
You can apply a 4-way authentication scheme here; let's call the users on their phone to verify that they're really them before allowing them to use Windows. But that won't change the users' mentality!
If said user opens a malicious document and clicks on several warnings that they're sure that they want to open it, then what?
The reason I mention this? The more you lock things down, the more the users will rely on the system and the more ignorant some will become. In the end these kinds of options may very well lead to even less secure environments than you'd hope for. Because people start to rely on their system to keep things safe.
But, as we all know, a safe computer environment doesn't foremost depend on the system. It's the user who has the final say in all that.
Wednesday 22nd October 2014 16:31 GMT Daniel B.
2-Factor auth... Good!
... Tied to a smartphone ... Not!
... Using an actual token (in the smartphone) ... OK, as long as it works like the Battle.net one
... Not supported in BlackBerry ... BAD. Come on, every other virtual token solution supports it, if they can be arsed into supporting it, so can you! Or maybe MS is still butthurt that BB still has more market share than their failing mobile OS?
Not to mention that a large part of the US Gov, including the DoD only allow BBs on their network...
Wednesday 22nd October 2014 22:52 GMT tom dial
I'm not at all clear about why anyone would expect multifactor user authentication to be very helpful. Has anyone a census of the number of Windows machines hacked by way of password guessing? My hunch is that better than 99% of compromises result from software and wetware errors. The main advantage for users might be that it can simplify login procedures.
Those who administer a large number of systems will want to disable user admin rights as much as politically possible in their organization, so they also may not receive much benefit from multifactor authentication, perhaps using it only for those with administrative rights. I know of one federal agency where everyone has a smart card for access and those with admin privileges, which included many of the application developers, had a second one associated with authority to install and configure software. Management thought that preferable to the cost, which I think was around $50 a call, for the outside provider to do it.
Signed-by-trusted-providers software sounds useful, but might be ignored in part or full unless Microsoft provides a capability for users to add to the list of trusted signers. Wouldn't hurt to make people think a bit about it, so there's no need to make it a simple check box.
Wednesday 22nd October 2014 16:35 GMT Pen-y-gors
2-factor is a very good thing, e.g. when used to authenticate gmail etc. If I'm trying to log in via a previously unknown IP address then it will ask for the 2nd factor. Fine, but a bit of a pain if I don't have my phone with me.
How will this work with Windows? Steal the laptop and plug it in to a strange network and it will quite often end up with 192.168.0.1 (or whatever), or use it normally with WiFi hotspot (or even plug in to corporate LAN) and it gets a different IP every time. I wouldn't want to have to use 2nd factor every time I log in.
So when will it prompt for second token?
Wednesday 22nd October 2014 17:14 GMT Pascal
I wondered the same thing, you have to remember the 2nd factor validation for a certain period at least (a few days / weeks) otherwise users will just turn it off. Typically systems will remember it per location (IP/Network), but then it's easy to emulate the same private network.
I'd then guess, actual public network? Some external check of the internet-facing IP the system NATs to, to ping some (Microsoft-provided) external resource. Then just force 2 factor if no network connection is available. There are certainly quite a few security concerns with that too, but most seem solvable at first glance.
Thursday 23rd October 2014 15:37 GMT Daniel B.
If they are doing it properly, it should be asking for token auth every time you log on, or at least on first logon after power-on and after waking up from sleep. Which would make it impractical for most regular users that aren't used to this.
2FA makes a lot of sense for sensitive stuff, or online services where money is moving, such as e-banking. It doesn't make sense for laptop access, unless you're carrying sensitive data, in which case you would already have some extra measures in place anyway.
What's the purpose for 2FA on Windows? I fail to see the usefulness for local logins with 2FA. And I'm saying this as someone who is perfectly OK with 2FA on banking sites (I carry at least 4 physical tokens with me).
Wednesday 22nd October 2014 16:36 GMT Anonymous Coward
Wednesday 22nd October 2014 16:55 GMT dogged
Thursday 23rd October 2014 12:28 GMT Lyndon Hills 1
Re: What about apps I develop
For Windows 8.1 this is no problem. If you want to deploy to a Windows 8.1 Phone, then you have to register the phone as a developer device with MS first. I think you need a dev account to do that, but I might be mis-remembering. You can only install 10 apps at a time in this way.
I guess the story on Windows 10 might be similar to this.
Thursday 23rd October 2014 15:42 GMT Anonymous Coward
Wednesday 22nd October 2014 16:36 GMT Anonymous Coward
Wednesday 22nd October 2014 16:57 GMT Steve Davies 3
Every login will ask the mothership for permission to launch before allowing the user access to their own system.
Well, that has to be there if licensing by subscription is to take off.
Not connected to the interweb? Then 'Computer says bog off'.
That's how I see it all panning out.
Wednesday 22nd October 2014 17:34 GMT IJC
Two phase authentication
Why do so many display such ignorance in public?
Microsoft and Google already have authenticator apps that run on smartphones. These apps follow a standard protocol and are compatible, i.e. you can use the Microsoft Authenticator app to generate a key that will work when a key from the Google Authenticator app is expected.
Wednesday 22nd October 2014 17:37 GMT Anonymous Coward
There are two kinds of file encryption: The kind that is easily cracked (and therefore has no advantage over plaintext) and the kind that ensures you will never be able to recover any of your precious data back when you desperately need to.
Either way it doesn't sound like a very good idea to me.
Wednesday 22nd October 2014 17:53 GMT Charlie Clark
Wednesday 22nd October 2014 18:26 GMT Mark 85
I'm going to be a devil's advocate here for a moment... Will this mean that if you don't own a smartphone, you're screwed? There's still a lot of people (in spite of what Apple, Nokia, Samsung, etc. would have us believe) that don't have smartphones. Will this mean that having one will become a condition of employment? A condition to use their home computer? Every "solution" always begets more headaches.
Wednesday 22nd October 2014 18:32 GMT Truth4u
When I get home I enjoy using my Windows machine with no password on the admin account because shockingly I trust the people I live with not to fuck with it plus they wouldn't be stupid enough to make me angry. Who really cares about authenticating users on Windows PCs? If my work makes me use 2 factor I'll resign and find a company that trusts its employees. I don't want to work in a company where people are prone to fuck with each others accounts.
This will make no difference to security as once you login it's still the same shitty Windows kernel that anyone can hack from a cyber cafe in china where they don't even have freedom to use facebook but they can fuck with our PCs and do for fun.
Why would I care about the files on my Windows PC not being encrypted when I know how to run a Linux file server that's better than NTFS in every way?
Do I want to wait an hour for Windows to enumerate the several million files I have, or would I rather Linux did it in seconds? Hmm tough choice...
Wednesday 22nd October 2014 18:51 GMT Truth4u
Do I want to use the Microsoft encryption with the NSA master key that allows FBI et al to unlock all your "encrypted" files whenever you're accused of the heinous crime of copyright infringement? Or would I rather use open source mathematically correct encryption where only I hold the keys. Again it's such a hard choice. Tell you what Microsoft, why don't you take several hundred of my dollars and decide for me, because I'm obviously far too stupid to decide for myself.
And what's the point of encryption if they give the keys to a bunch of corrupt government agencies in a foreign country where I have no vote? Doesn't sound very much like freedom to me.
Wednesday 22nd October 2014 18:43 GMT channel extended
MS approach to two factor.
I can see it now. On your first boot after install there are two questions asked.
MS: Pick a number between one and three.
MS: What is the result of that number divided by two.
That number is now your security token. It will be sent to you if you forget your password as an emergency access number. Please give us your Name, Address, Age, Sex (yes/no), Phone number,........
Wednesday 22nd October 2014 19:04 GMT Mike Tyler
This should be really funny in, say, shops, doctors, schools or anywhere with an industrial machine, ATM or digital signage; there is an endless list of places it won't work, and it will be an interesting pain in the arse when, say, half your employees change their phone in a year, or perhaps have an old non-NFC iPhone, or perhaps one of the new ones that may or may not play nice with Microsoft. Just how will the enterprise enrol not only a user but their phone? Hey, move to Windows 10: increase your support costs and make sure nothing is recoverable when you lose your phone. Let's hope Windows 7 support stays around for a very long time.
Wednesday 22nd October 2014 21:38 GMT Asok Asus
All is for naught as long as all users are superusers.
The only way any Windows OS will ever be even close to secure is if Microsoft quits automatically giving superuser privilege to ALL user accounts by default, and instead makes all new installation instances of Windows OS default to having an Admin account with superuser privilege and one or more limited-privilege accounts for the user(s) to do their daily work.
In addition, by default, NO .exe or .dll or other binary program should be executable in the context of any limited-privilege account, meaning that all binary software MUST first be installed from a superuser account for the system to use as a whole. It will also most likely be necessary to prevent even non-binary programs from running in the user-context without explicitly granting them permission.
That would solve about 99.999% of the malware problems and until that is done everything else is just adding additional ineffective security band-aids on top of a whole pile of other, older, ineffective security band-aids.
Furthermore, my experience with those piles of security band-aids is that malware finds a way around them every time, and then those "security" band-aids turn into major impediments for removing the malware. In other words, the security measures don't block the malware, but do block the sysadmin's efforts.
Thursday 23rd October 2014 12:56 GMT Anonymous Coward
Re: All is for naught as long as all users are superusers.
"The only way any OS Windows will ever be even close to secure is if Microsoft quits automatically giving superuser privilege to ALL user accounts by default, and instead make all new installation instances of Windows OS default to having an Admin account with superuser privilege and one or more limited-privilege accounts for the user(s) to do their daily work."
So it's been secure for the last decade then....
"In addition, by default, NO .exe or .dll or other binary program should be executable in the context of any limited-privilege account, meaning that all binary software MUST first be installed from a superuser account for the system to use as a whole. It will also most likely be necessary to prevent even non-binary programs from running in the user-context without explicitly granting them permission."
You mean like say only via a limited access service account - as per the default settings for much of the Windows OS file system for the last decade?
"That would solve about 99.999% of the malware problems"
But it hasn't.
"Furthermore, my experience with those piles of security band-aids is that malware finds a way around them every time"
But that conflicts with what you just said!