
Microsoft forced users to install a password manager with a critical flaw - Deinos
https://arstechnica.com/information-technology/2017/12/microsoft-is-forcing-users-to-install-a-critically-flawed-password-manager/
======
SpikeDad
Guess it's good I remove it in my deployments. Microsoft seems to be throwing
good sense out the window in Windows 10. A number of items I remove get
reinstalled during updates. Options I turn off get turned on as well.

They're obviously playing on the majority of users' ignorance. This is
despicable.

~~~
katastic
I love how everyone tells you "Windows 10 is just fine" every day EXCEPT when
a new, huge leak or mistake comes out. Then they go silent for a day.

... then they go back to telling you "I've never had a problem with it."

I use Windows 10. I support it professionally. The underlying system is good.
And then someone at Microsoft decided to completely fill all of those kernel
upgrades with a gigantic pile of spyware, adware, and useless crap. (4 GB+ of
Windows Store videogames?!)

One of my laptops is a "windows 10 ready" work laptop with a 5400 RPM hard
drive. Between defender, indexing, telemetry, and app compatibility scans, it
takes over 60 seconds to get to desktop. If you load the task manager, the
disk usage is 100% for hours. And any time Windows decides to install or
compile something (without warning or even a notification, like rebuilding
.NET) the entire computer becomes a useless brick. I _used_ to be able to make
the machine functional by turning off unnecessary, bloated services like
Defender and Telemetry. Except every Windows Creators update they not only
reset my settings, it disables Classic Shell, UNINSTALLS Core Temp and a
WindowsGadgets re-enabling tool because they're "not compatible" (even though
they work fine), and... they change the menus so that it's harder to find the
button to disable Defender, and they make it harder (if not impossible)
through Group Policy changes to disable those very same, taxing, services.

Try this: Install Windows 10, upgraded from 7/8/old-10. See Windows.old on
your C:\? That's your old windows copy. Try to delete it. After all, it's
useless right?--and takes over 20GB. Nope. Sorry. _You don't have permission
to delete it._ That's right. Your own hard drive you don't have permission to
touch. And, laughably, Windows will tell me "You're running out of HDD space,
want to delete the old folder?", I say "Yes." Then nothing happens and the
message appears again.

I tried taking "ownership", used an admin account, I tried changing permissions.
Nothing. A professional Windows IT support employee should not have to look up
countless articles TO DELETE A FREAKING DIRECTORY. Even after I took
"complete" ownership of all that, many files still didn't set, and I couldn't
delete the whole thing.

I'm half tempted to boot into a Linux Live USB and delete it by force. But
then I realize, "I'm going to download an ISO for another OS, burn it to a
USB, then shut down my machine and reboot it... JUST TO DELETE A FOLDER?!"

Oh, and this is Enterprise edition. So I'm running the edition that everyone
says "if you care about tuning Windows, you should have already bought
Enterprise." Thanks for that lie.

~~~
fencepost
> If you load the task manager, the disk usage is 100% for hours.

Load the performance monitor (button on the Performance tab in task manager),
go to Disk and see what process is doing it. You may have something like full
disk indexing going.

Regarding Windows.old, isn't that supposed to auto-clear after ~30 days?
Also, the first two articles on a search for "remove windows.old" appear to
confirm my expectation that the disk cleanup tool will remove it, possibly
without even running it as administrator. Frankly this sounds like it's
getting into "respect mah authoritah" territory.

For the games, are those preinstalled? I haven't seen such, but most of the
Win10 systems I'm dealing with so far are either upgrades or business class
machines. If you're getting Enterprise systems preinstalled with 4GB of games
someone needs to talk to your supplier.

~~~
katastic
I said what was using disk usage.

App telemetry, defender, compatibility, etc.

>Frankly this sounds like it's getting into "respect mah authoritah"
territory.

Yeah, it must really suck to have the burden of being able to delete files
that aren't in use on your machine that you own, run, and paid Enterprise
edition for.

What possible use could a professional system administrator need for changing
files on a machine... except the exact use I just mentioned.

If you can't understand why having admin file access is important, then I
suggest you never try Linux (or... Windows 7... or any IT job) because you
will be horrified by the potential control you have over your system.

------
RcouF1uZ4gsC
>If an outsider can find a bug similar to the 16-month-old vulnerability so
quickly and easily, it stands to reason people inside the software company
should have found it long ago

While true, it should be noted that Tavis Ormandy is not just any "outsider"
and is something of a god when it comes to finding vulnerabilities.

~~~
bomb199
I find this line of thinking pervasive among criticisms of all kinds of
developers. Especially in video game forums!

"If they did it, then our game dev can too!" Like large programs are just some
kind of widget you can just move from place to place.

------
partycoder
It's the general direction of the software industry to neglect non-functional
requirements.

I make functional requirement emphasizers, starting with product managers
directly responsible for this.

Their fantasy is to be the next Steve Jobs' era Apple but usually they first
become the next Equifax.

------
sergers
Windows 10 LTSB (long term servicing branch) should have been the original
win10 release, with "add-ons" of the extra junk... instead they give you the
most junk filled os and make you pay a premium (and very limited availability)
for LTSB to strip it out and slow down the patches so they aren't forced down
whenever ms wants.

Good luck buying it easily if you're not a Premier partner or MSDN subscriber.

We just qualified for our new client machine builds and will be providing that
to customers only going forward for win10 requests.

Have not checked if this password keeper still gets deployed, will have to
check Monday. If it's distributed as part of the Windows Store, then it won't be,
because that's stripped out itself.

------
bcaulfield
What password managers do HN readers recommend?

~~~
ta98789878
I use KeePassX, because of this:
[https://mobile.twitter.com/taviso/status/817065731703468032?...](https://mobile.twitter.com/taviso/status/817065731703468032?lang=en)

~~~
mehrdadn
Do you know what he thinks of 1Password? e.g. I've seen this comment [1] on
1Password, but do you know what his actual thoughts are? He's not fond of it,
but does he have anything concrete to say about it as to why? I have friends
using 1Password and I would like to be able to tell them and give them
concrete reasons to switch to KeePass if there are security issues with it.

[1]
[https://twitter.com/taviso/status/760231214812844032](https://twitter.com/taviso/status/760231214812844032)

~~~
zie
There aren't security issues with 1Password really, but there are other
issues, mostly around the company AgileBits. From my other comment on this
thread:

These days AgileBits (the 1Password people) are doing everything they can to
get everyone onto a subscription plan, and are breaking local vaults slowly.
Most people don't seem to recommend it anymore.

The only security issue really is the online vault (which isn't a security
issue per se, but is a security weakness since your passwords are no longer
under your direct control). This may or may not be an issue for you, depending
on your security posture.

~~~
mehrdadn
Thanks! So would you know what he meant with that tweet? Was he just annoyed
at the subscription plan...? It seems out of place given that he's a security
researcher from what I gather?

~~~
zie
No, and that tweet was from Aug. 2016 with nothing further from him about
1password, unless I missed it, so clearly he didn't feel compelled to either
continue his research or he didn't find anything worth disclosing. Your guess
as to which is meant.

But other researchers have played with 1password and most have historically
had good things to say about it, except recently when they started pushing
everyone to the online vaults like I mentioned.

And yes, he is a security researcher for Google.

