All Windows 10 Kernel Mode Drivers Must Be Digitally Signed By Microsoft (i-programmer.info)
"Last year, we announced that beginning with the release of Windows 10, all new Windows 10 kernel mode drivers must be submitted to the Windows Hardware Developer Center Dashboard portal to be digitally signed by Microsoft," reads a MSDN blog post. "However, due to technical and ecosystem readiness issues, this was not enforced by Windows Code Integrity and remained only a policy statement. Starting with new installations of Windows 10, version 1607, the previously defined driver signing rules will be enforced by the Operating System, and Windows 10, version 1607 will not load any new kernel mode drivers which are not signed by the Dev Portal."
Slashdot reader mikejuk quotes a report from i-programmer.info which argues "the control of what software users can run on their machines is becoming ever tighter," and compares Microsoft's proposal to an XKCD cartoon: Before you start to panic about backward compatibility with existing drivers the lockdown is only going to be enforced on new installations of Windows 10. If you simply upgrade an existing system then the OS will take over the drivers that are already installed... Only new installations, i.e. installing all drivers from scratch, will enforce the new rules from Windows 10 version 1607... Be warned, if you need to do a fresh install of Windows 10 in the future you might find that your existing drivers are rejected.
It just rolls off the tongue. (Score:5, Informative)
Re: (Score:3)
You have time for boners but not the time to do your TPS cover sheets?
Re: (Score:2)
Emma in Accounting.
Not MS target demographic (Score:5, Interesting)
For 97% of Windows 10 users (yes, I made that figure up) this is a total non-issue. It may even be a benefit to protect them from themselves. Many can't distinguish between safe and not so safe web sites from which to download programs and such. These folks may not even know how to uninstall drivers that don't uninstall automatically when a related piece of software is uninstalled. If you are a registered developer, this isn't an issue either as MS gives you a way around it.
For the rest of us, well, there aren't enough who haven't already migrated to iOS or Linux so MS doesn't give a shit.
Re: (Score:3, Interesting)
Actually I think this is a good thing as It forces device developers to make "driverless" devices.
Re: (Score:2)
Tempted to mod this funny. Not sure if you're serious.
Re:Not MS target demographic (Score:5, Interesting)
Same as I'll do with the rest of the hardware I make: Abuse some USB communications class and roll the logic into the hardware.
Re:Not MS target demographic (Score:5, Informative)
There is no need for hacks. There are two driver-free options available, with cross-OS compatibility.
You can use HID for low speed stuff. Max transfer rate is 64KB/sec, but that's plenty for many applications like sensors and (surprise surprise) human interfaces. If you want more you can use a custom WinUSB interface. All you have to do is add a couple of extra descriptors to your device that tell Windows to attach the WinUSB driver (and optionally what friendly name/icon to use). You can use any endpoint type with it, even composite devices. Naturally Linux just ignores these headers and you can talk to the device by the usual methods (e.g. libusb).
Abusing communication classes (CDC) doesn't work very well on Windows any more. As of Windows 10 you can't just supply a .inf file pointing to usbser.sys, it needs to be signed. You can get free signing keys (and they will still work even after this update, it only applies to code running in the kernel which in this case is usbser.sys which is signed by MS) but you still have to deal with the bugs in Microsoft's implementation.
Re: (Score:2)
HID? Easy to use user-mode APIs available for Windows and Linux, probably other systems too.
CDC? Your user-mode program can simply open a virtual serial port and do its thing.
Mass storage class? Requires buffering and more code on the device but provides a superb interface for the user - simply drag a file containing the data to be programmed into the virtual storage device.
Re: (Score:2, Troll)
Just last week, Windows 7 rejected a driver from modern software. Guess the company was small enough they didn't want to waste the periodic license fee just to license their driver. Which means we did a really goofy workaround that puts the VM image into test mode every time it boots up. Sure, maybe we're in the minority but to have Microsoft as the gatekeeper is ridiculous - they're expensive as well as highly untrustworthy.
It means any new device that comes out will be unable to be used on Windows with
Re: (Score:2)
"I mean they're OUR machines, we should be able to do whatever we want with them."
Your machine? Not any more.
Re: (Score:2)
...they're OUR machines, we should be able to do whatever we want with them.
Not in Mordor.
Re: (Score:2)
What if you're a developer but aren't paying tax to Microsoft? Which is a lot of developers. Plus a lot of machines that are needed to develop, test, support, train, and so forth, just for a single device being created. Every device out there started life unsigned by Microsoft.
If Microsoft cared about customers then they'd do something to protect the untrained users, whereas devices and drivers aren't the things that get most users into trouble. Biggest hole are probably web browsers, the service.exe, et
Re: (Score:3, Insightful)
How is it beneficial to *any* users to remove the choice? Why not let the user decide if they want to run a driver that is not signed? It's not like the user is going to be asked every day. If you get a new device, you install the (presumably signed) driver from the CD or manufacturers website or MS website. If you want to run that super old piece of hardware, you can install the unsigned driver. Win-win.
Not really about safety. Mostly about control.
Re: (Score:3)
How is it beneficial to *any* users to remove the choice? Why not let the user decide if they want to run a driver that is not signed? It's not like the user is going to be asked every day. If you get a new device, you install the (presumably signed) driver from the CD or manufacturers website or MS website. If you want to run that super old piece of hardware, you can install the unsigned driver. Win-win.
Not really about safety. Mostly about control.
You still have a choice. From TFA:
Enforcement only happens on fresh installations, with Secure Boot on, and only applies to new kernel mode drivers:
To summarize, on non-upgraded fresh installations of Windows 10, version 1607 with Secure Boot ON, drivers must be signed by Microsoft or with cross-signed certificates issued prior to July 29th, 2015.
Re: (Score:2)
It is beneficial to users that will make the wrong decision when asked to decide if they want to run a driver that is not signed.
Only if the right decision is to not install it. That's not necessarily the case.
The right decision can very well be to install drivers in order to achieve a task.
Like being able to restore from tape, and there aren't any signed or userland drivers for the tape station. Or controlling medical equipment that must run in real time mode. Or any other number of scenarios where installing the driver is the right choice.
But you're only given that choice if you're big business. You can't go out and get a single Windows license that allows you to run LTSB.
Re: (Score:3)
No amount of user education over the past few decades has stopped users making brain-dead choices.
Umm, we kinda knew that. Just look at the number of win10 installs.
Re:The technologically impaired (Score:4, Informative)
...and all of that is unadulterated bullshit. The underlying operating system is FAR more dangerous because it's a piece of shit engineered to spy on the user. It's always been a piece of shit because Microsoft always puts marketing and other "business" objectives ahead of the product (far ahead). The only reason anyone uses their virus infested product is because they managed to corner the market in the days of MS-DOS.
The fact that the OS is swiss cheese is far more of a problem than "the user making the wrong choice".
If you've gotten to the point of showing such obvious contempt for the end user then you're doing it wrong.
Re: (Score:2, Insightful)
Cost is an issue. And so is the difficulty for non-incorporated individuals, or contractors developing on behalf of a company, to deal with EV certificates. Don't take my word for it, take it from experts in developing NT drivers from the well known NTDEV list:
https://www.osronline.com/showthread.cfm?link=265064
https://www.osronline.com/showthread.cfm?link=268241
https://www.osronline.com/showthread.cfm?link=275593
But hey, I'm sure your snarky ass will dismiss anything anyway.
Re: (Score:2)
MS has mighty powerful crowbars, you know...
There is a solution to Microsoft Kernel control: (Score:2)
Microsoft answer! [kernel.org]
Tied to Secure Boot... (Score:4, Informative)
Right now, if Secure Boot is off, this policy doesn't kick in. That may change of course. For the vast majority of Windows users, this is fine, but for power users, kind of a pain.
Re:Tied to Secure Boot... (Score:5, Insightful)
One day they will decree that Secure Boot cannot be turned off. It would only be a continuation of an existing trend.
Re: (Score:3)
Microsoft will use heavy-handed tactics - not on motherboard makers, but on OEMs. Probably starting with laptops. It wouldn't be anything new to them, they've used exactly the same technique to pressure OEMs in the past, including requiring them to include secure boot at all, and to have it enabled by default. It's a very simple technique: There are a list of requirements in order to purchase OEM Windows. As it's practically unthinkable to sell a laptop without Windows preinstalled (goodbye, mass-market cus
super micro and other will not give in and go MS o (Score:2)
super micro and other will not give in and go MS only. At least if only on server / workstation boards.
Re: (Score:2)
You're right, of course. They won't. But what about the consumer laptops and PCs? All those people who just get something from PC World made by HP or IBM or Asus?
How many people here first learned linux by installing it on a hand-me-down machine? How many repurpose old PCs as media centers, routers or home servers?
It's quite possible that in ten years, if you want to run linux, you'll have to pay extra for parts intended for a real business server.
Gee thanks (Score:5, Insightful)
Thanks for not even giving people the choice to run an unsigned driver, since there's lots and lots of hardware out there that will instantly be made 'obsolete' by this policy.
Re: (Score:3)
It's a trade off between security and supporting fairly old hardware. For most people this is a good decision, because it protects them from malware that uses kernel mode drivers. Such malware can be very hard to detect and get rid of. How is your AV scanner going to find the infected file when calls to the filesystem are intercepted and filtered, and the same with the list of running processes and loaded drivers?
It's pretty rare that I see hardware without a Microsoft signed driver these days anyway. Does
Re: (Score:2)
Daemon Tools
That still has a free option, in case you missed it...
And the reality is the OP is correct, for most users this is a good thing... That it hurts you doesn't change that fact...
Re: (Score:3)
It's obsolete from Microsoft's perspective.
I don't give a fuck what Microsoft thinks, the lack of an option to run an unsigned driver after a suitable warning is bullshit.
Thankfully I moved to Linux Mint some time ago, and it was heavy-handed horseshit like this from Microsoft that pushed me to abandon Windows entirely.
Re: (Score:3)
1) How MS was going to try to control the used game market (though they later backed off), I went for a PS4 instead of an XboxOne.
I like your overall post, but going with Sony instead of Microsoft? One of those will stab you in the back, the other in the front.
Re: (Score:2)
Yeah, and now we have neither. The used game market is dying because disc sales are way down over digital sales. And while the old Xbone scheme would've allowed digital "used" game sales, the status quo meant no, that's no longer possible.
So yeah, we
Don't be a WINEr (Score:3)
> Any good WINE tutorials out there?
I'm sure there are; yet over 17 years on Linux I've used WINE roughly twice. Normally, it's not the best solution.
Do you typically use emulation to run the Linux versions of most programs on Windows, or do you run the Windows version on Windows? Running the Windows version on Linux doesn't normally make sense - on Linux, run the Linux software.
A lot of daily use software brands are compiled for Linux, often developed for Linux FIRST, then ported to Windows. Firefox,
Re: (Score:2)
The single software package most often mentioned as a counter-example is Photoshop. If you're a professional graphic artist, you'll probably be happiest with a Mac.
Have you tried Krita? It has developed amazingly in the last few years, highly regarded by artists and considered competitive with Photoshop for digital painting. (Photoshop still has some functionality for general image processing that Krita doesn't.)
Re: (Score:2)
In your case I think the pitchfork entered your brain...
Locking out open source hardware (Score:5, Informative)
Also, Submitting drivers to the Dev center now requires EV CODE SIGNING CERTIFICATE.
Even though Microsoft will sign the final result, you have to have an EV CERT from a small list of approved CAs to
sign your code before their portal will sign it per the new policy.
In case you have not noticed, the cheapest of the EV Certs is $1000 a Year; Only organizations can obtain these certificates, not individual developers.
Also, all EV Code signing certs require Smartcard/Token-Based Storage of your certificate's private key to ensure credentials cannot be shared, and you cannot automate the digital signing process.
This is a move to make sure Open Source software developers and individuals cannot produce Kernel mode drivers.
Re: (Score:2)
If you have a consulting firm you can get an EV. Yes about $1000/year.
Yes it is on a token so it can't be easily shared or stolen. Or if stolen you'll be aware of the fact so you can have it cancelled and get a replacement.
You can login to the token once and then have automated builds that run signtool against it repeatedly. It is still painful as the request/answer from the token is slow, takes a second or two extra to sign anything. So if you are doing multiple signing during your build it will slow down.
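The automated signing step this comment describes, as an added PowerShell example (not code from the thread, from Microsoft, or from any CA). It signs a driver binary with a certificate whose private key lives on a hardware token, selecting the certificate by thumbprint so that no key material has to be copied into the build environment, and then confirms the resulting signature before the file goes on to the Dev Portal for Microsoft's own signature. Assumptions: `signtool.exe` from the Windows SDK is on `PATH`, the token's CSP has been logged into once for the session, `$Thumbprint` is the SHA-1 thumbprint of the EV certificate as it appears in the user's certificate store, and the timestamp URL is a placeholder you replace with your CA's RFC 3161 service.

```powershell
# Added example (not from the Slashdot thread). Signs a kernel-mode driver with an
# EV certificate held on a hardware token as part of an automated build, then verifies
# the signature. The Dev Portal submission that follows is a separate step.
param(
    [Parameter(Mandatory)][string]$DriverPath,                       # e.g. .\build\mydriver.sys
    [Parameter(Mandatory)][string]$Thumbprint,                       # SHA-1 thumbprint of the EV cert
    [string]$TimestampUrl = 'http://TIMESTAMP-SERVER.example/rfc3161' # placeholder, replace with your CA's
)

# /sha1 picks the certificate by thumbprint; the private-key operation is answered by the
# token's CSP, which is the per-signature delay the comment mentions.
# /fd and /td select SHA-256 for the file digest and the timestamp digest respectively.
& signtool sign /v /fd SHA256 /sha1 $Thumbprint /tr $TimestampUrl /td SHA256 $DriverPath
if ($LASTEXITCODE -ne 0) { throw "signing failed for $DriverPath" }

# Confirm the file now carries a valid Authenticode signature from the expected certificate,
# so a build that silently picked the wrong certificate fails here rather than at submission.
$sig = Get-AuthenticodeSignature -FilePath $DriverPath
if ($sig.Status -ne 'Valid') {
    throw "signature on $DriverPath is $($sig.Status)"
}
if ($sig.SignerCertificate.Thumbprint -ne $Thumbprint.ToUpperInvariant()) {
    throw "signed with unexpected certificate $($sig.SignerCertificate.Thumbprint)"
}
Write-Host "signed $DriverPath with $($sig.SignerCertificate.Subject)"
```

Timestamping matters here: the comment above notes that already-signed files keep working after the certificate expires, but that only holds when the signature carries a trusted timestamp, which is why the `/tr` and `/td` options are not optional in a build step.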
Re:Locking out open source hardware (Score:5, Informative)
No. This is a move to further prevent kernel mode malware, because it turns out trusting developers wasn't good enough. That it impacts OSS is collateral damage - and something that can be dealt with, at that - as while OSS is popular here on Slashdot, it's not much more than a blip in the wider Windows world.
The whole reason we're even going this route is that trusting developer signed drivers has proven inadequate. Microsoft started requiring developer signatures (cross-signed) in Windows 7. This significantly cut down on driver based malware, but it didn't eliminate it entirely. It just raised the barrier to entry. Instead malware authors would just eat the cost and buy a certificate, or the especially crafty/evil ones would steal another vendor's keys, as we saw with the Realtek case. Either way, Microsoft has had enough of it, and hence Windows 10 requires that they sign off on all drivers so that no one can just ship a(n obviously) malware-infected driver.
I don't mean to be snarky/belittling here, but if you think that Microsoft is doing this as a strike against OSS, then you haven't been paying attention to the wider world. OSS on Windows certainly exists, but OSS projects that require kernel mode drivers are exceedingly few and far between. Which is not to say that OSS isn't a threat to MS to some degree, but that threat is from Linux, not OSS projects that require a kernel mode driver running under Windows. MS's prime concern is further reducing the ability of malware to hang out in the kernel space, as once malware makes it there it becomes virtually impossible to identify, contain, and remove.
And yes, this definitely makes signing harder for everyone. By all indications that's intentional, as EV Certs make it harder to hide (you have to provide more information) and are harder to steal/fraudulently use. There are ways to work with that for OSS though, just as was the case with Windows 7, so we'll be okay. As Bruce likes to say, security is a process; it takes more than just the OS vendor to keep Windows machines secure. So this is our contribution to that process (whether we like it or not).
Re:Locking out open source hardware (Score:4, Informative)
The whole reason we're even going this route is that trusting developer signed drivers has proven inadequate. Microsoft started requiring developer signatures (cross-signed) in Windows 7. This significantly cut down on driver based malware, but it didn't eliminate it entirely.
Yes. You're exactly right. You're right because Microsoft themselves signed malware that would otherwise have been ineffectual [slashdot.org].
Anybody who ascribes altruistic motives to this is simply wrong. It's about racketeering developers, not security.
Re: (Score:3)
In case you have not noticed, the cheapest of the EV Certs is $1000 a Year
First hit [globalsign.com] on Google has them for $410/year, and obviously stuff signed doesn't expire after that time (only the ability to sign new stuff does).
Only organizations can obtain these certificates, not individual developers.
Incorrect. The developer of vJoy, for example, recently acquired one to sign his open source kernel mode driver. Did a little fund-raiser to get $475 (he used someone more expensive). He's just an individual, not a company.
Also, all EV Code signing certs require Smartcard/Token-Based Storage of your certificate's private key to ensure credentials cannot be shared, and you cannot automate the digital signing process.
Incorrect, you can configure Visual Studio to auto-sign your driver every time you build it using the USB device they supply included in the cos
Re: (Score:3)
Digicert [digicert.com] has them for $224 for 1 year, or $165/year if you buy a 3 year cert. If you're serious about distributing a kernel mode driver, $165 shouldn't be too big of a hurdle to overcome even for a non-commercial organization.
So, Windows 10 home users get these 'features'... (Score:2, Troll)
1. Upgrade: MS wasted tens of millions of manhours worldwide with their all-but-forced upgrade
2. Telemetry: They listen to you using your computer
3. Ads: They push ads [pcworld.com] at you via the OS, taking over what remains of your attention span
4. Kernel Mode Drivers: No more can your programs manipulate Windows 10 internals (bye bye www.colinux.org)
5. UEFI Secure Boot: No more can you boot another OS on a Windows 10 tablet or mobile device. For now, you can do so on a desktop, but manufacturers now have the 'option' [pcworld.com]
Complaining is easy (Score:3)
While the posters here are correct (at large) please don't forget that at the same time, MS has always been urged to close malware attack vectors. So, as Master Yoda would put it: Do or do not. There is no "/. won't complain".
Re: (Score:2)
While the posters here are correct (at large) please don't forget that at the same time, MS has always been urged to close malware attack vectors. So, as Master Yoda would put it: Do or do not. There is no "/. won't complain".
Don't be daft. Android and macOS by default restrict any third-party installations, but that setting is very easily disabled by the user; thus both of those ecosystems can be simultaneously free and secure.
This here is Microsoft restricting their platform by racketeering against hardware providers.
Re: (Score:2)
Never said something else.
What I said was that if Microsoft wouldn't do that, you just had some other mob complaining that MS makes it too easy for malware to circumvent installation restrictions by including "install instructions" telling the user to disable them so that the malware can be installed....
Agreed, users who fall for THAT probably deserve to have the machines pwned, but nonetheless, some people would require MS to include some foolproof installation restrictions that the users can't duped into
Is this news? (Score:3)
I thought you need signed drivers at least since Windows 7, and this is one of the reasons why for example andlinux isn't available anymore?
Re: (Score:2)
You do not "need".
You can still override and install an unsigned driver on Windows 8.1, let alone 7, and the early versions of 10.
On a domain, you can group-policy it out of being an option, but it's an option on all previous versions of Windows to let the user allow unsigned drivers at will.
Paper trail? (Score:3)
This move does have some benefits (Score:4, Interesting)
I am not a fan of the fact that you need to spend big money on an expensive certificate, more money on setting up a legal entity that will satisfy those organizations who can issue the right EV code signing certificate that Microsoft will accept and even more money on all the required hardware to actually test your driver or what it means for open source software but this move DOES have some benefits.
It reduces the amount of crappy drivers out there (both because of the testing and because entities who are making crappy drivers tend to be the ones who don't want to spend the money on certificating and signing).
It also makes it harder for anyone wanting to create kernel level malware since either Microsoft will refuse to sign it in the first place or Microsoft will revoke the signature (and blacklist the creator of those drivers).
The increased requirements in terms of the code signing certificate you need to submit drivers to Microsoft also eliminates problems with rogue code signing certificates (i.e. all the times when a code signing certificate was stolen from a major hardware vendor and used to sign malware or other bad things)
I do wonder what this means for government/law enforcement/intelligence agencies though. We know from various leaks and other things that governments and their agencies have used kernel drivers (or things that can only be done with kernel drivers even if its not actually explicit that kernel drivers are being used) as part of their spying/hacking/law enforcement efforts. Will the NSA be given the ability to sign a kernel driver that can run on a standard Windows 10 install? What about the Chinese Government (the censor-ware they wanted to force PC manufacturers to install on new PCs almost certainly requires kernel-level code to do the things it does). Or the German Bundespolizei? (the spyware they have reportedly used to spy on things like Skype may well need kernel code in order to do its job)
How to check (Score:5, Insightful)
You can run sigverif from CLI to check to see what drivers are currently being used on your system not signed by Microsoft.
I welcome any legitimate reason for this behavior requiring Microsoft cross signing when secure boot is enabled. Currently I'm at a loss to come up with one.
It seems when secure boot is not enabled all signature validation can be bypassed by malicious code one way or another if you have admin rights by changing boot settings using bcdedit and rebooting or a million other approaches given admin level access. Signature checks don't have much bite in the real world with secure boot disabled.
With secure boot enabled any effective bypass of driver signature validation is a security bug. Since only the kernel's trusted databases are used for driver signature validation (regardless of secure boot setting) cross signing to MS is redundant. This is especially true given the blessings seem to be superficial at best and probably nearly fully automated given cross signing does not currently cost money.
Most likely reason for MS to do this I've been able to come up with is that without MS control anyone who develops a kernel driver and gets it signed by one of the supported CAs can break out of a Microsoft walled garden on systems where secure boot is being enforced against the user.
Even if you believe any and all measures to lock down kernel access improve security and are therefore unconditionally good regardless of any other considerations... I still fail to see how any actual locking down is being accomplished here as the MS blessing is superficial and adds nothing. Any malicious actor able to develop a kernel driver and obtain an EV cert is almost certain to also obtain blessing of Microsoft.
The only "benefit" seems to be MS getting a vote to stop execution of drivers paving way for restricting usermode execution against users. (See Windows RT and Windows Phone)
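The check this post opens with (which drivers on the box are not Microsoft-signed) together with the two preconditions the thread keeps returning to (is Secure Boot on, and has code integrity been switched into test mode through boot settings), as one added PowerShell audit. This is example code, not from the thread, from `sigverif`, or from Microsoft. It assumes Windows 8.1 or 10 (for `Confirm-SecureBootUEFI` and a catalog-aware `Get-AuthenticodeSignature`), an elevated prompt, and that a Microsoft-issued signing chain shows `O=Microsoft Corporation` in the signer's subject; the function names are this example's own.

```powershell
# Added example (not from the Slashdot thread). Audits a Windows 10 host for:
#   1. Secure Boot state (the precondition for the 1607 enforcement quoted in the thread)
#   2. boot-entry flags that weaken code integrity (testsigning / nointegritychecks)
#   3. running kernel drivers whose signature is not from a Microsoft-issued certificate
# Run from an elevated PowerShell prompt.

function Get-BootIntegrityState {
    $state = [ordered]@{}
    try   { $state.SecureBoot = Confirm-SecureBootUEFI }        # throws on non-UEFI firmware
    catch { $state.SecureBoot = 'unsupported (legacy BIOS)' }

    # bcdedit lists the current boot entry; these two flags put code integrity in test mode,
    # which is what "signature checks don't have much bite" above refers to
    $bcd = & bcdedit /enum '{current}' 2>$null
    $state.TestSigning       = [bool]($bcd -match '^testsigning\s+Yes')
    $state.NoIntegrityChecks = [bool]($bcd -match '^nointegritychecks\s+Yes')
    return [pscustomobject]$state
}

function Resolve-DriverPath {
    param([string]$PathName)
    # Win32_SystemDriver.PathName comes in several shapes; normalise to an absolute path
    $p = $PathName -replace '^\\\?\?\\', ''                          # \??\C:\...\foo.sys
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot                # \SystemRoot\System32\...
    $p = [Environment]::ExpandEnvironmentVariables($p)
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }  # system32\drivers\foo.sys
    return $p
}

function Get-NonMicrosoftDrivers {
    Get-CimInstance Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            $path = Resolve-DriverPath $_.PathName
            if (-not (Test-Path -LiteralPath $path)) { return }
            # Get-AuthenticodeSignature also consults the system catalogs, which is how most
            # in-box and WHQL drivers carry their signature rather than embedding it
            $sig    = Get-AuthenticodeSignature -FilePath $path
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
            [pscustomobject]@{
                Name            = $_.Name
                Path            = $path
                Status          = $sig.Status                # Valid, NotSigned, HashMismatch, ...
                Signer          = $signer
                MicrosoftSigned = ($sig.Status -eq 'Valid' -and $signer -match 'O=Microsoft Corporation')
            }
        } |
        Where-Object { -not $_.MicrosoftSigned }
}

# Usage: boot state first, then the review list of drivers that are not Microsoft-signed
Get-BootIntegrityState | Format-List
Get-NonMicrosoftDrivers | Sort-Object Status, Signer | Format-Table -AutoSize
```

Read the driver list as a review queue, not a verdict: a `Valid` signature from a hardware vendor's own certificate is exactly the pre-1607 cross-signed case the thread discusses, while `NotSigned` or `HashMismatch` on a running driver is what deserves immediate attention. The `TestSigning` and `NoIntegrityChecks` flags are worth alerting on in fleet inventory, since either one means the signing policy this page is about is not being enforced on that machine regardless of what the driver list shows.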
Re: (Score:2)
I ran this on my Win 10 laptop and came up with only signed drivers.
I think 2012r2 has required signed drivers, and there's some Texas-two-step you can do to put it into developer mode and ignore driver signing, which is only useful trying to get drivers loaded for marginal use cases. In my case it was to get an Intel non-server OS NIC driver for the motherboard to load in Win2012r2 with a hacked INF file since Intel won't allow the drivers to load in server OSes.
The sky does not seem to be falling (Score:3)
From Microsoft's FAQ: "Enforcement only happens on fresh installations, with Secure Boot on, and only applies to new kernel mode drivers"
In other words, disable secure boot and it's business as usual.
From my point of view, this increases security for the vast majority of users who just buy a computer in a store and need to be protected from themselves. If you don't know enough to disable secure boot, you probably have no business installing unsigned kernel mode drivers anyway. But if you do, you can.
OpenVPN (Score:2)
iPhone users rejoice (Score:2)
Microsoft is getting closer and closer to the walled garden.
but since this is Slashdot:
M$ = bad
Apple = good
Re: (Score:2)
If the submitter is proposing that the xkcd comic about having your admin account be separate from your user account...
He's not. And you don't log in as Administrator to do your online shopping, either. At least, I hope that you don't.
Re: (Score:2)
That's what's so ridiculous about the whole thing. The stuff that's insecure is left wide open. It's like making sure the shed door is triple bolted but only having a chain latch on the front door.
Re: (Score:2)
But I'm worried I'll be completely screwed next time I need to do a Windows reinstall.
Thank goodness that sort of thing never happens. No one EVER finds it necessary to reinstall Windows!
Re: (Score:2)
I'm trying to think when was the last time I re-installed Linux. It's... ah... um... actually, never. Except for experimenting with alternate distributions, entirely my choice.
I reinstall Windows as often as I do Linux. No, thinking about it in fact I reinstall Linux more often.
Re: (Score:2)
"So run an older build?"
I'm not a gamer, so I was able to ditch Windows many years ago. But my impression is that if you have network cable attached to your Windows PC, MS is likely to sneak in in the middle of the night and upgrade your older build to a newer, shinier, more secure, version whose only problem will be that it won't work. (Nothing more secure than a computer that won't run, right?).
Not so?
Re: (Score:2)
But my impression is that if you have network cable attached to your Windows PC, MS is likely to sneak in in the middle of the night and upgrade your older build to a newer, shinier, more secure, version whose only problem will be that it won't work.
You can always block Windows Update completely and stay frozen at your current version. So if you don't want the Anniversary Update, then you have to block all updates in the future. As the OP said, it is worrying what would happen if a reinstall was required though. Keeping a backup image would be the best bet.
Re: Worse and worse (Score:2, Insightful)
No. MS wants to "xbox" Windows. MS actually hates lusers. So, rather than trying to find a happy medium, where we lusers still feel like we have a modicum of control of our systems, no. MS wants to control it all, just like Xbox.
How many independent Xbox apps are there? I'll argue, none. MS could snuff Netflix. Right now, Netflix attracts users, so it isn't in MS interests to hijack Netflix too bad on Xbox. But Netflix writes to MS' rules on Xbox. Comcast (aka Universal Studios...) as a content license owne
Re: Worse and worse (Score:5, Interesting)
I can't speak for the original Xbox, but the Xbox 360 has a pretty respectable library of indie third-party games that can be installed through Xbox Live. In fact, the third-party indie games on my 360 outnumber the retail-boxed games about 3 to 1.
Unholy Heights is a riot.
http://xbox.com/indiegames [xbox.com]
Re: (Score:3)
Did you check that link before you posted it? I'm getting page not found errors on it. (kind of ironic)
Re: Worse and worse (Score:5, Insightful)
Actually I think they are in cahoots with the movie and music ownership industry. This move is all about enforcing DRM.
Intel and AMD want Microsoft to make the OS have CPU busting features .. Like I dunno 3D animated window management, voice control, fingerprint recognition etc.
But this driver move, it seems entirely dreamt up by the DRM crowd. They don't want you to play any video or music that may be similar looking or sounding to anything they own. I mean the browser industry sold out already. How come when ads play in a browser the player controls are limited?
Re: Worse and worse (Score:5, Insightful)
Or, you know, it's to prevent viruses and other such garbage that has plagued windows for years and years, to be able to boot up with windows by masquerading as a driver?
I see nothing wrong with this. If anything it will force manufacturers to get their sh*t together and stop releasing buggy half baked drivers.
Re: (Score:3)
I really doubt that's it. The next version of Windows 10 includes a provision to kill off the ability to disable certain "features" (or more specifically, annoyances) and it would make sense if they want to enforce that, and things like telemetry, by banning CA signed drivers.
Re: (Score:3)
No. If that were the goal, then it would merely require that drivers be signed by the machine's admin or whatever parties they have signed as delegates, not such a distant third party as Microsoft.
Re: Worse and worse (Score:5, Interesting)
Or, you know, it's to prevent viruses and other such garbage that has plagued windows for years and years, to be able to boot up with windows by masquerading as a driver?
Actually the GP is right, and Microsoft calls it out themselves [microsoft.com]:
To play back certain types of next-generation premium content, all kernel-mode components in Windows Vista and later versions of Windows must be signed. In addition, all the user-mode and kernel-mode components in the Protected Media Path (PMP) must comply with PMP signing policy.
Besides, the only way to install kernel mode drivers is to be running as administrator. If malicious code is allowed to run on your computer with administrative credentials, you're already screwed in any number of ways. Installation of a kernel driver is just one avenue.
I see nothing wrong with this.
I see everything wrong with this. Microsoft is now dictating what software can be run on my computer. That alone is enough of a reason to vehemently reject this, but think also of the F/OSS software impacted. There are plenty of software tools out there which run a driver as part of their operation and not all of these will want to or be able to get their drivers signed.
I have been trying to decide lately if I'll ever bite the bullet and move from Windows 7 to Windows 10, or if I'll start looking migrating to Linux. The decision just got a lot easier.
Re: Worse and worse (Score:5, Funny)
That's a really nice [graphics|printer|pointer|raid] driver you've got there.
Would be a shame if something ... happened to it.
Re: Worse and worse (Score:4, Insightful)
Drivers as a source of viruses? Talk about unreasonable. The fact that Microsoft's is Hollywood's BITCH is far more plausible.
Re: Worse and worse (Score:4, Insightful)
Just who are you trying to kid? Do you know who you're talking to? A rootkit doesn't need anything quite that low level.
This entire approach to the "problem" is like putting a band-aid on a bullet wound after the victim has already been shot full of holes. He never should have gotten shot to begin with.
Re: (Score:3)
I was talking to an anonymous coward. Most rootkits I've dealt with intercept file-system calls to hide the files and the signature of the modified file. That requires kernel-level access. And they've usually been a modified ntfs.sys - tell me that's not kernel-mode. Sometimes kbd.sys.
FYI - you don't need Kernel-level drivers to do that. It helps but it's not necessary; there's enough hooks into the kernel from user-space it can be done in userspace without issue.
Re: (Score:2)
You are allowed to disable theirs though. It's two separate options afaik, but you can turn off both the protected filesystem and signed kext requirements.
Re: (Score:2)
I'm just waiting for hacks to circumvent this.
But this strategy can mean that you can end up in a Catch-22 situation for some computers - if you need an unsigned driver for the specific computer in order to install Windows 10 because you do it on a computer with unusual hardware.
The lock-down will soon cause more trouble than it's worth for many, even smaller companies. Desktop Linux will start to look more interesting now.
Re: (Score:2)
"Nadella has altered the bargain, every couple of weeks for the past two years. What the fuck makes you think he won't alter it farther?"
So Nadella is Darth Vader? Does that mean Gates was Palpatine?
Re: (Score:2)
And Ballmer was a shaved Wookiee.
Re:Breaks TrueCrypt? (Score:4, Informative)
You should use Veracrypt [codeplex.com] instead, but your question still stands open.
Re:How do I change a user's password (Score:5, Informative)
I'm using windows 10 and I cannot figure out how to change a user's password.
The Anonymous Cowards who responded to you have given you the correct answers. It should be noted that the method for administering other local accounts has not changed since Windows 2000. You still use Control Panel->User Accounts as you did back then, although the method of getting to the control panel has changed over time. In Windows 10 you right click on the start button and choose it from the pop up menu.
The command line version of "net user username NewPassword" has not changed at all since Windows NT 4.0 (19 years ago). Of course, if you are not used to Windows then it is quite reasonable that you wouldn't know the command to use, any more than a Windows admin would magically know to misspell the word password on Linux.
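The same task done from PowerShell, as an added example that is not part of the post above. It uses the Microsoft.PowerShell.LocalAccounts cmdlets that ship with Windows 10 instead of "net user", because "net user username NewPassword" leaves the new password in the console history and in the command line visible to any process enumerator. The account name is a placeholder; run it from an elevated prompt.

```powershell
# Added example: change a local user's password on Windows 10 without exposing it on the
# command line. Requires an elevated PowerShell 5.1 session (LocalAccounts module).
$UserName = 'alice'   # assumption: the local account to change; substitute your own

# Fail early with a clear error if the account does not exist.
$account = Get-LocalUser -Name $UserName -ErrorAction Stop

# Read the new password as a SecureString so the plaintext never lands in
# $PSReadLine history, transcripts, or the process command line.
$newPassword = Read-Host -Prompt "New password for $($account.Name)" -AsSecureString

# Set the password. -PasswordNeverExpires $false keeps normal expiry policy in force.
Set-LocalUser -Name $account.Name -Password $newPassword -PasswordNeverExpires $false

# Optionally force the user to pick their own password at next logon. Set-LocalUser has
# no switch for this flag, so the classic net.exe option is used here (no password on it).
net user $account.Name /logonpasswordchg:yes | Out-Null

# Verify: PasswordLastSet should now be within the last minute.
$refreshed = Get-LocalUser -Name $account.Name
if ($refreshed.PasswordLastSet -gt (Get-Date).AddMinutes(-1)) {
    Write-Host "Password for $($refreshed.Name) updated at $($refreshed.PasswordLastSet)"
} else {
    Write-Warning "PasswordLastSet did not advance; check that the session is elevated"
}
```

If you really do want the one-liner, `net user alice *` prompts for the password instead of taking it as an argument, which avoids the same history and process-listing exposure.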
Re: (Score:2)
I'm using windows 10 and I cannot figure out how to change a user's password. If I were on linux or mac, I'd just type passwd username. But there seems to be no way for an admin to change a users password in Win 10. Am I missing something?
Have you not pressed control-alt-delete and clicked on change password? Or right click on computer and go to manage/local users and groups/Users and then right click on the user and select Set Password? [though this option was removed from home edition LONG ago]
Re: (Score:2)
Win+X -> select control panel -> user accounts -> user accounts -> change your account name (if it is the logged in account you want to change, else: -> manage another account -> select account -> change the account name)
Why MS doesn't have the alternative in the settings app I don't know. Probably afraid to confuse users?
Re: (Score:2)
No, it won't improve the quality of the drivers, it's not unusual that drivers provided from Microsoft have more bugs than the drivers provided by the hardware vendor. It will also slow down the deployment process of bug and security updates of the drivers.
Re: (Score:2)
Except that you're missing the socio-political angle.
Sadly, 90% of users won't care, and will continue on without the slightest awareness that control of their computers is being stolen from them. As long as NetFlix and their pr0n still works, they won't care.
Once a certain point is crossed, open-access systems
Re: (Score:2)
The MBAs at Microsoft are not stupid. They have seen how successful the walled garden model was for Apple. They pushed "Apps" a bit too hard in Windows 8, have learned, and it will take a good few years before it becomes difficult to deploy non "App" applications. But it will happen. It is the way of the world.
Incidentally, I assume that Enterprise customers will have a back door to the driver signing issue.
Re: (Score:2)
"But I need Windows for..." *SMACK!* [kym-cdn.com] NO! You don't!
LOL! You should typeset it. The Gimp [gimp.org] works really well, although most popular Live distros have it by default.
But I still like this one for anime fans [itsfoss.com] and this one for dog lovers [imgur.com]. :-)
Re: (Score:2)
I'm more of an Inkscape [inkscape.org] guy...
Re:some questions (Score:4, Interesting)
1) Unlikely. I've seen lots of WHQL drivers that just crash-and-burn but more likely they are "stable" but atrociously useless. Because of the faffing and back-and-forth on them, lots of simple devices (e.g. printers etc.) get one WHQL driver and then just release unofficial ones for everything else. If you're lucky and it's a big printer, they might update the WHQL one every year or so. With ten other releases between.
2) No. They won't know what's going on and things will just stop working. They won't be able to update drivers when suggested and will still have all the problems that they have now. And everything cheap they buy on Amazon just won't work, it's as simple as that.
Re:you can also turn off secure boot (Score:4, Insightful)
What makes you think you still can come next patch?
This is a big deal, but not the Apocalypse (Score:4, Informative)
https://blogs.msdn.microsoft.com/windows_hardware_certification/2016/07/26/driver-signing-changes-in-windows-10-version-1607
Trust me, as a driver developer, this has been causing me an immense amount of headaches, and Windows 10 is only part of the story.
But the blog entry has a key detail which nobody here seems to understand. Existing drivers signed by a certificate that was issued prior to July 2015 will still be accepted by the kernel. What this means is that the new rollout is not going to cause the entire ecosystem of Windows legacy drivers to implode. If they were signed correctly for 64-bit Windows before, they will continue to work on Windows 10. Really, truly, I've tested this myself on preview editions of the Windows 10 AE.
Where you get screwed is when a vendor needs to update a driver going forward. Then things get to be hairy. Logistically, signing became much harder, everything from obtaining a certificate to performing the actual signing. Pain. In. The. Ass.
Our company just released an update of our product just under the wire of when our legacy "gets a free pass" certificate expired so that we'd have some runway to incorporate the new driver signing nightmare into our tool chain. So we're good up until the next showstopper bug comes along, which fortunately is rare. You'll be able to use our latest release just fine on AE, even though it didn't get signed by Microsoft.
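A way to check where a particular driver stands under the rule the post describes, as an added example (not the poster's tooling, and not from Microsoft's blog). It reads the Authenticode signature on a .sys file and reports the signer, the date the signing certificate was issued (compared against the July 29, 2015 cut-off Microsoft's post uses, which the comment above rounds to "July 2015"), the chain root, and whether the signer is Microsoft's own hardware publisher. The driver path is a placeholder, and matching on the "Microsoft Windows Hardware Compatibility Publisher" subject is a heuristic drawn from observed WHQL and Dev Portal signatures, not a documented API.

```powershell
# Added example: report the signing facts relevant to the Windows 10 1607 driver rule.
function Get-DriverSigningInfo {
    param([Parameter(Mandatory)][string]$Path)

    # Date from Microsoft's post for the legacy exception (end-entity cert issued earlier
    # and chaining to a cross-signed CA keeps loading on a fresh 1607 install).
    $cutoff = Get-Date '2015-07-29'

    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        # Caveat: many drivers carry no embedded signature and are signed through a .cat
        # catalog in %SystemRoot%\System32\CatRoot instead. Get-AuthenticodeSignature reports
        # those as NotSigned, so this status alone does not mean the kernel will refuse the file.
        return [pscustomobject]@{
            Path = $Path; Status = $sig.Status; Signer = $null; Issued = $null
            Timestamped = $false; Root = $null; MicrosoftSigned = $false; LegacyEligible = $false
        }
    }

    $cert = $sig.SignerCertificate

    # Walk the chain to see which root the signer hangs off (a cross-signed third-party CA
    # versus a Microsoft root).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $null = $chain.Build($cert)
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject

    # Heuristic (assumption): WHQL and Dev Portal signatures use this publisher subject.
    $isMicrosoft = $cert.Subject -like '*Microsoft Windows Hardware Compatibility Publisher*'

    [pscustomobject]@{
        Path            = $Path
        Status          = $sig.Status
        Signer          = $cert.Subject
        Issued          = $cert.NotBefore
        Timestamped     = ($null -ne $sig.TimeStamperCertificate)
        Root            = $root
        MicrosoftSigned = $isMicrosoft
        # Third-party signer whose certificate predates the cut-off: covered by the grace rule.
        LegacyEligible  = (-not $isMicrosoft) -and ($cert.NotBefore -lt $cutoff)
    }
}

# Usage (path is a placeholder; point it at a vendor .sys you actually have):
Get-DriverSigningInfo -Path "$env:SystemRoot\System32\drivers\example.sys" | Format-List
```

A `Timestamped` value of `$false` is worth noting even for a legacy-eligible driver, because an untimestamped signature stops verifying once the signing certificate expires. For a second opinion that applies the kernel-mode policy specifically, `signtool verify /v /kp <file.sys>` from the Windows SDK checks the same file, and `/kp` also accounts for catalog signatures when the catalog is installed.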
Re: (Score:2)
Or just realize how often shitty drivers fuck up Windows installations. The reason Windows has bettered its reputation of being unstable isn't so much that MS code quality has improved, it is because MS has tightened up the driver situation. The vast majority of bugs causing crashes are in 3rd party device drivers.
So instead of making things up in your mind how about following logic and accept that too many lusers install unsigned* crappy as shit drivers and then blame MS when their system becomes as sta
Re: (Score:2)
Doesn't it violate US antitrust law or some other anti-monopoly regulations?
In the New Amerika, no reasonable prosecutor would bring a case against Clint^W^W^WMS.
Welcome to the Corporate-Political Oligarchy.
(new word suggestion: "Corpoligarchy")
Strat