Why Has No One Mentioned The Prospect Of Dumping Millions Of Incompatible Machines ?

fafhrd said:

There's a lot of hype re: security. There would be little prestige in hacking these half billion Windows 7 users, whose activities probably are no riskier now than when Windows 7 was MS' blue eyed boy.

Click to expand...

fafhrd said:

There's a lot of hype re: security. There would be little prestige in hacking these half billion Windows 7 users, whose activities probably are no riskier now than when Windows 7 was MS' blue eyed boy. Software that is mainstream today does little more than it did 12 or more years ago, and certainly not faster than it did then, although it could. It only takes five minutes to install Office 97 Pro on a machine Running 10 or 11, and most of that time is deselecting stuff you don't want, like Fast Find, Clipart and Clippy. Winword 97 flashes up in a second, and there's lots more screen space for your documents, the document files are tiny, and although Winhlp32 doesn't work any longer, I don't need it since I have had 24 years to get used to using it! The documents print with exactly the same quality as Office 365, and using print to PDF, the files are identical in output. Same with Excel - spreadsheets and graphing still can look the same, using tiny, fast-loading files. There won't be much e-waste, than there is normally, since people won't be frightened into scrapping their devices that remain fit for their purpose. Enterprises will have the same rate of turnover of hardware, and hopefully a good percent will be repurposed, rather than recycled, but even recycling is becoming more important, as natural resources diminish and waste piles up. Modern e-waste contains much smaller and fewer components too, compared to older monster PCBs populated with through mount components rather than SMDs. Windows is not the only fruit!

Click to expand...

I would normally agree with you - except that, thanks to the events of the end of 2019 and last year, we had a pandemic - which resulted in a massive shift in corporate and enterprise employees working from home.

All of a sudden those people with low security on their home networks and unpatched devices were scrutinized under a new, and very different, microscope. Criminal enterprises started targeting the very people you say won't be targeted. And it worked. Too well.

You have to remember that:

The focus on 11 and it's security is not primarily for consumer protection (not matter how hard they try to spin it otherwise). A perfect example?

The release of Windows 365. It is not being developed for consumer use and with consumer protection in mind. It is a strictly business and enterprise facing solution to mitigate the rampant attack vectors that WFH provided for these criminal elements.

Remember, Microsoft got tagged hard by the MitM supply chain attack via the SolarWinds 'hack'.

They aren't trying to protect the consumer, but the corporations that consume their products.

Consumer protection is only a by-product.

johnlgalt said:

All of a sudden those people with low security on their home networks and unpatched devices were scrutinized under a new, and very different, microscope. Criminal enterprises started targeting the very people you say won't be targeted. And it worked. Too well.

Click to expand...

But isn't this mostly hype too?


- brings up many articles on the subject, without many specific exploits that have actually caused damage due to unpatched systems, and vulnerable home networks that have actually succeeded.

I am not a home worker and have experienced many more Phishing attempts via phone, text and the occasional email (on my mails that I have had for many years and I know may be compromised, eg yahoo.com) over the last couple of years. Of course I am not taken in by them, since they expect me to interact with them, which I am not prepared to do.

I am more insecure with a Windows 10 mail notification that opens in Mail if clicked, than opening my inbox with outlook online in my browser as I would have done in Windows 7, so I could choose which items I want to open

If businesses expect their workers to manage their own security from home, on their own devices running unsupported OS versions, then they are probably so cyber-naïve that these businesses are vulnerable in their offices also. If they value their security then at least a work authorised device and a secure vpn should be provided for connection.

It's completely normal for businesses to hide their failures as much as possible, it could be that the number of actual breaches that have occured since the rise in home working are a lot higher than has been reported.

Hopefully the low reporting rate is true and not a case of Businesses protecting their ASSets but I would not be surprised to hear of some serious data breaches in the next few years

The delay can also be an attempt to fix the data security issue responsible for s breach before announcing the issue and letting the hackers know, this is a more valid reason for delay

This is where cloud technologies can really be helpful. Most phishing schemes, etc., work via email. In order for malicious code to be executed, it has to be downloaded on the victim's computer. This is why I don't use any local email client at all, be it Windows Mail or Outlook or Thunderbird. If all my messages are in the cloud, then simply opening them cannot be dangerous to me - they are not on my computer. So now in order to execute their malicious code they would have to convince me to download an attachment - and normally there is no reason to do that at all. I believe that's way more effective that any patching.

fafhrd said:

But isn't this mostly hype too?

Click to expand...

I believe that for most consumers who care, it is the uncertainty that can be unnerving. Do you like the idea that your personal info including your wife's and children's might be sold on the darknet?

Spyware only needs a few minutes of undetected time to collect the info and phone home. And no, you are not too small if you are with 1K others, sold may be for a penny a piece

Call me paranoid, but I am VERY grateful that Microsoft (and Apple) cares about Information security - Wikipedia

fafhrd said:

But isn't this mostly hype too?

It exploits on home workers during the pandemic - Google Search

- brings up many articles on the subject, without many specific exploits that have actually caused damage due to unpatched systems, and vulnerable home networks that have actually succeeded.

I am not a home worker and have experienced many more Phishing attempts via phone, text and the occasional email (on my mails that I have had for many years and I know may be compromised, eg yahoo.com) over the last couple of years. Of course I am not taken in by them, since they expect me to interact with them, which I am not prepared to do.

I am more insecure with a Windows 10 mail notification that opens in Mail if clicked, than opening my inbox with outlook online in my browser as I would have done in Windows 7, so I could choose which items I want to open

If businesses expect their workers to manage their own security from home, on their own devices running unsupported OS versions, then they are probably so cyber-naïve that these businesses are vulnerable in their offices also. If they value their security then at least a work authorised device and a secure vpn should be provided for connection.

Click to expand...

Mostly is not completely. Remember the WFH thing was something foisted upon businesses with little to no warning. Businesses had to scramble to set up practices and procedures for users to follow. And, in case you've not been watching, there are plenty of business, as large as credit Monitoring firm Equifax, that are cyber-naive, as you say.

As for them being vulnerable or not on location - who's to say they are not? Regardless of the vector used, if the penetration is successful, then the vulnerability exists, right?

I suppose it depends how much the individual exposes themselves on the various transactions they do via the internet. If their employers fail to keep their employees' data inviolable then presumably they are liable to some legal action.

For instance, who am I?

It may be possible to identify me by name from some post I may have made on Elevenforum, but what does that tell anyone who might wish to compromise me? I am probably more exposed by Facebook, by friends and family, by Google and Amazon and other online marketplaces.

unifex said:

This is where cloud technologies can really be helpful. Most phishing schemes, etc., work via email. In order for malicious code to be executed, it has to be downloaded on the victim's computer. This is why I don't use any local email client at all, be it Windows Mail or Outlook or Thunderbird. If all my messages are in the cloud, then simply opening them cannot be dangerous to me - they are not on my computer. So now in order to execute their malicious code they would have to convince me to download an attachment - and normally there is no reason to do that at all. I believe that's way more effective that any patching.

Click to expand...

Yes, I would put everything that requires Internet connectivity in the cloud PC, and everything that does not require Internet connectivity in the 'earth' PC. I would put the processing of Internet data in the cloud too, a la Windows 365.

As I posted earlier, my split would be 20% to 30% on 'earth' and 70% to 80% in the cloud, which is more secure than the 100% on 'earth' that I (and a billion others) am doing now.

Just peace of mind, of course, for those who don't believe in ghosts

fafhrd said:

I suppose it depends how much the individual exposes themselves on the various transactions they do via the internet. If their employers fail to keep their employees' data inviolable then presumably they are liable to some legal action.

For instance, who am I?

It may be possible to identify me by name from some post I may have made on Elevenforum, but what does that tell anyone who might wish to compromise me? I am probably more exposed by Facebook, by friends and family, by Google and Amazon and other online marketplaces.

Click to expand...

Yeah, humans have been the weakest link since long. Exposing yourself on social media, merely because it makes you feel good, is (or ought to be) avoidable. But humans are not machines, we all can expose ourselves inadvertently, and that's where guard rails are important.

Haydon said:

I believe that for most consumers who care, it is the uncertainty that can be unnerving. Do you like the idea that your personal info including your wife's and children's might be sold on the darknet?

Spyware only needs a few minutes of undetected time to collect the info and phone home. And no, you are not too small if you are with 1K others, sold may be for a penny a piece

Call me paranoid, but I am VERY grateful that Microsoft (and Apple) cares about Information security - Wikipedia

Click to expand...

Haydon said:

Yes, I would put everything that requires Internet connectivity in the cloud PC, and everything that does not require Internet connectivity in the 'earth' PC. I would put the processing of Internet data in the cloud too, a la Windows 365.

As I posted earlier, my split would be 20% to 30% on 'earth' and 70% to 80% in the cloud, which is definitely more secure than the 100% on 'earth' that I am doing now.

Just peace of mind, of course, for those who don't believe in ghosts

Click to expand...

It's interesting (and refreshing) to see your PoV re: Cloud services, versus some people who do not understand what Cloud services offer, much less how much it actually is a benefit.

Teaching CompTIA cert classes, Cloud Essentials (now CloEss+, CLO-002), in particular, and Cloud+, also, really open people's minds as to what "the Cloud" really is (from a corporate / enterprise PoV) and how the various types work.

I wish there were more people actually interested in learning about it in general, such as the information provided in this article from CompTIA, even if they don't focus on any particular provider, so they would be better informed as to what really entails Cloud services.

In the end, though, most people are not technically savvy enough to really care. As long as what they want to do works, they, for the most part, really don't care how it works. And that's a point of contention with me, as I always like to know the why and how about most things around me.

Yeah, educate the user, that's where the biggest leverage is.

Actually, I never read this one before, much less made use of it in classes - a good place for those who want to start from the basics.

johnlgalt said:

Actually, I never read this one before, much less made use of it in classes - a good place for those who want to start from the basics.

Cloud Types, Solutions and Vendors (AWS) | Cloud Computing | CompTIA

www.comptia.org

Click to expand...

Thank you, John. I updated a CompTIA manual many years ago, bringing it up to date, and correcting errors, so I'm well aware of what it's all about. However, this will help me update my knowledge.

And no, Wynona had nothing to do with the manual . . . Will the real Wynona stand up . . . Nope! :)

I did look it up online and my "contribution" is still listed.

This discussion made me search for who is responsible for the security of the cloud PC. So far, I did NOT find any express commitment that MS will keep the cloud PC free of spyware, for example. I would think that at least for a one man business, such a commitment would be an essential service attribute.

If the consumer edition came without such a commitment ...

Why would you trust your security to people you never met running servers someplace far away? Why don't you secure your "personal data" yourself? It's not really hard, to some extent.

Of course, first you have to go beyond the media circus and try to understand what exactly "personal data" is.

As an example, here in Germany I'm signing "data protection waivers" right and left. Why? Nobody, and I mean really nobody (doctors, schools, hotels, banks, insurance, car dealerships, etc, etc) will work with you before you sign one. If your kid is in kindergarten, he won't be able to go to some excursion with the rest of the kids unless you sign some piece of paper on data protection. Why? Because on that trip they might take pictures and that's personal data that you have to allow them to process (as in take pictures and put them on the wall in the kindergarten). Go to any school's website, you'll see pictures with kids' faces. Well, now that's personal data and you have to give the school permission to process them. And this is how it is with every service imaginable - you want to buy a car, they need you name, address, bank information, etc.; you want health care, they need you name, address, insurance information, etc. In fact, they actually do need that information, they always did (just try to register a car without giving your name), but up to few years ago there was no "data protection" laws and nobody thought twice about it.

What does that tell you - even if you did not have a computer at all, your personal data (basically all of it) is out there on some kind of servers. More importantly, you don't even know where these servers are, whether or not they are secure (based on the constant stream of news about data leaks - not secure at all), and whether you have any recourse in case of a data leak/loss (my guess is none whatsoever).

Now we come to your PC: do you really have any information there that is not otherwise available "out there"? My guess is, if you are like most "ordinary" people, the answer is no.

All very good points but there is additional personal data that is directly related to computer use, the Usernames, and related passwords this information is by necessity held on data servers controlled by others - the systems would not work otherwise

The only way I know of to solve this issue , as you say there are too many data breaches for security needs to be met, is to accelerate the use of Biometrics, preferably in combination with two factor authentication My last few Smartphones have had fingerprint readers and also face recognition and when a PC request for access requires the user to confirm via either/or Fingerprints or even retinal pattern, [there is even work going on with the use of our unique heart rate characteristics] the other thing is that the actual authorisation token is a one off generated and encrypted large token.

The hardware and software is in existance and is under continual development [which is important as you do not want to allow the criminals time to work around systems]

Yeah, pretty well all computers of consumers have kids' photos (or similar) and pretty well all computers of even one man businesses have client contracts, etc.

Intuitively, MS provides the cloud PC with 'secure data at rest and secure data in motion' (MS has the technology) but I have not seen what MS' liability will be when the kids' photos or the client contracts have been exposed in a data breach.

Maybe there is no commitment because nothing is unbreakable.
Maybe there is a commitment somewhere, just that I have not seen it.

Edit: In any case, with no (or only weak) commitment, the value proposition of the cloud PC is diminished, and vice versa, the value proposition of the cloud PC becomes more attractive with a strong commitment.

Haydon said:

This discussion made me search for who is responsible for the security of the cloud PC. So far, I did NOT find any express commitment that MS will keep the cloud PC free of spyware, for example. I would think that at least for a one man business, such a commitment would be an essential service attribute.

If the consumer edition came without such a commitment ...

Click to expand...

Because it is still up to the Enterprise offering the CloudPC to their employees to maintain the system.

The way I read it, (and I may be wrong), is that Azure only provides the actual hosting, your business or enterprise configures the Cloud PCs and deploys them to users to suit its needs. Just as the Business or Enterprise has to buy seats when using enterprise licenses of Windows Servers, So to there is a per-user fee. From Windows 365 Business Plans and Pricing | Microsoft - yo u can see the prices are the same, but the limitations are different. Business (focused on SMBs) is limited to 300 users, and has no access to Endpoint Manager, whereas Enterprise does have access and also has unlimited number of users. A more complete pricing list is at Windows 365 Plans and Pricing | Microsoft

From the blog post from last week: Introducing a new era of hybrid personal computing: the Windows 365 Cloud PC | Microsoft 365 Blog

Cloud security powered by Zero Trust​

With a focus on a Zero Trust architecture, Windows 365 also helps solve for today’s critical security challenges by design, storing and securing information in the cloud, not on the device. Multifactor authentication (MFA) works to explicitly verify any login or access attempt to a Cloud PC through integration with Microsoft Azure Active Directory (Azure AD). And within Microsoft Endpoint Manager, you can pair MFA with dedicated Windows 365 conditional access policies to assess login risk instantly for each session. We’ve also designed the user and admin experiences around the principle of least privileged access. For example, you can delegate specific permissions, like licensing, device management, and Cloud PC management using specific roles, so you don’t need to be a global administrator. You can use the security baselines for Windows 10, Microsoft Defender for Endpoint, and Microsoft Edge, just like you would for your physical devices now, and we’ve built a cloud PC-specific security baseline to help you get started quickly.

If you use Microsoft Defender for Endpoint to protect your devices, it also works seamlessly with your Cloud PCs. You can use Microsoft Endpoint Manager to quickly onboard your Cloud PCs just like your other devices with Defender for Endpoint. It not only protects your Cloud PCs, but also gives you security recommendations to lower risks, and helps you quickly discover and investigate any security incidents.

Finally, encryption is used across the board. All managed disks running Cloud PCs are encrypted, all stored data is encrypted at rest, and all network traffic to and from your Cloud PCs is also encrypted.

Click to expand...

Getting back on topic, though, I'm really hoping that the coolest thing about Windows 365 is that it won't care what the underlying hardware is that you're using to access it - TPM, no TPM, UEFI, no UEFI, whatever. And if that is the case. all these

Millions Of Incompatible Machines​

Click to expand...

may not actually get dumped.

On the first issue, MS also offers the cloud PC to businesses of one (solo entrepreneur)
That's the reason for the focus in my previous post.

Businesses of one and consumers share common InfoSec concerns, for the former it's client contracts, for the latter it's kids' photos. For the former, the business can go belly up if the data is exposed to dirty competitors. For the latter, your kids can go belly up (sorry) if you live in walking distance of a pedophile rehab facility.

On the second issue, I don't think that MS will allow access to your cloud PC with an insecure client machine, e.g. those that are no longer supported. Incompatible (with what?) or compatible is moot, as long as they are secure and don't wreak havoc on MS' servers. Windows 365 itself will always be the most up to date version of Windows (10, 11, 12, ...) without any effort on the customer's part which is a big plus (like Office 365 is always the most up to date version of Office without any effort on the customer's part which is a big plus too)