
Microsoft Defender SmartScreen is hurting independent developers - illuminated
https://getimageview.net/2020/06/02/microsoft-defender-smartscreen-is-hurting-independent-developers/
======
gregmac
I get the sentiment here, it's very annoying for developers (including me).
Establishing trust is very hard problem, though.

Let's move this to a productive conversation though. What can Microsoft do, as
an alternative, that doesn't result in an identical or worse situation?

Giving out free code-signing certificates also makes it easier for malware to
get legitimate certificates. This is akin to LetsEncrypt for certs --
[https://yourbank.real-secure-website.xy](https://yourbank.real-secure-
website.xy) can have a valid cert but it doesn't mean it's legitimate. What's
the equivalent to the "URL bar" for software? What's the equivalent to the
ACME domain validation challenge?

The SmartScreen stuff is another attempt at this -- software that's not
frequently seen is flagged as a potential problem. As a developer, this annoys
me greatly. As the de-facto support person for family that don't understand
computers... I don't mind so much. Without this, malware gets executed
directly and now you're dependent on (very imperfect) anti-virus software.

I guess the Store is another way to have "trusted" applications, but you only
have to look at the Google Play or iOS store to see how well this ultimately
works out (for both malware and legitimate authors).

Note this isn't even about admin vs non-admin installations. Obviously malware
running as admin can do more damage that's harder to recover from, but non-
admin malware is just as capable of doing bad things (think: stealing
credentials, running cryptocurrency miners, ransomware), and after being hit
by a randomware attack I doubt your "typical" user is going to really care
much about the distinction between their account vs the entire computer being
trashed.

~~~
ebg13
> _What can Microsoft do, as an alternative, that doesn 't result in an
> identical or worse situation?_

Stop. Reasons for doing it at all are bullshit. If you want to evaluate the
software, do that. I'll happily hand you the source code from GitHub and the
build chain on AppVeyor so you can watch the executables being compiled. If
you want to give me a way to mark my applications so that users know that
they're picking up what I'm putting down, great. I also care about my users,
so I'll happily mark my applications.

But you don't need to take $100/year from me for the right to not have thugs
block access.

> _Giving out free code-signing certificates also makes it easier for malware
> to get legitimate certificates._

Malware exists to make money. Therefore malware authors can easily pay for
certificates as a cost of business. Megacorp software fucks people over all
the time. It exfiltrates their browsing history, MITMs their secure
connections, installs rootkits and backdoors. Please don't pretend that this
increases security.

~~~
fh973
Not that simple to just pay. You need an EV certificate
([https://en.m.wikipedia.org/wiki/Extended_Validation_Certific...](https://en.m.wikipedia.org/wiki/Extended_Validation_Certificate)),
which in turn needs a verified business address.

Not a good plan to distribute malware without going through the effort of
faking a legitimate business aswell.

~~~
ebg13
Oh, yes, so we're supposed to believe that malware outfits bringing in
millions of dollars a year in illicit profit can't afford to set up front
organizations.

And it doesn't even have to be fake! You could be Zoom! Or Avast! Or Trend
Micro! Or Sony! Or Lenovo!

The only person in this story who doesn't have a business address is me.

~~~
haolez
This is in line with my experience. I've worked with cybersecurity in the past
and the "attackers" used to be huge black hat companies that had much more
money and power than all white hat companies combined. We joked that only the
bad guys went to work using suits, since they are very powerful and well
organized :)

~~~
jiggawatts
I know there's a smiley in your comment, but this is a now a very genuine
issue, and working in cybersecurity I feel _helpless_ to do anything about the
situation.

My biggest worry is the endless "telemetry", "customer experience feedback",
"licensing", "opt-out", "tracing", "quality improvement programs", etc. On and
on. There are now a thousand hooks into every data centre by just about every
vendor involved. Every one of them is _exfiltrating_ information. Every one of
them is a data leak waiting to happen. Every one of them could _take control_
at any time.

Huawei isn't doing anything different. The western governments just don't like
it that they're copying them.

------
ameyab
I am one of the creators of SmartScreen application reputation. SmartScreen is
a reputation-based safety feature that allows 'know' downloaded software to
run friction-free but interrupts the execution of 'unknow' downloaded software
with a 'stranger-danger' warning. SmartScreen application reputation was first
launched in IE9 (2010/2011) and then was integrated into Windows (starting
with Windows 8 in 2012). It has been a few years since I have worked on
SmartScreen, but I thought providing some context may be interesting.

Windows 7 made great strides in addressing software vulnerabilities. And bad
guys quickly moved from software vuln exploits to socially engineered attacks.
They tricked users into download and running spurious programs (using a
variety of techniques - ranging from SEO to scare-ware website that tricked
people into thinking that their machines were compromised to running
sophisticated ad campaigns). The problem with traditional anti-virus (AV)
approach was that by the time the AV analysts could get their hands on a new
binary, analyze it, classify it as malicious, write a signature, and
distribute it - it was generally too late. The bad guys monetized the latency
between when they published a new binary on the internet and when the AV
vendors were able to effectively detect it as malware.

SmartScreen tried to flip that dynamic - by using reputation. By volume,
majority of downloads were benign; there was no point in warning users when
the likelihood of future infections from such downloads was nearly zero.
However, for software that had never been seen before - there was a
significant risk associated with it - all the yet-undetected-malware resided
in that set (depending on the situation and context - the risk of future
malware infection could range from 25% to 75%). So, for 'known' software,
SmartScreen eliminated the mostly-useless warning (that everyone had grown
used to clicking through); for 'unknown' software (which the AV companies
still hadn't deemed as malicious; yet-undetected-malware would be 'unknown'),
SmartScreen showed a 'stranger-danger' warning. This was incredibly effective
in stemming the socially engineered malware attacks. In the overwhelming
majority of the cases - users did the right thing; they chose not to run the
downloaded programs that were later detected as malicious. When SmartScreen
was launched, nearly 7% of all downloads were later detected as malware by AV.
In a couple of years, the incidence of socially engineered malware had dropped
significantly (By a ton! By many orders of magnitude. Most bad actors changed
their business model to bundleware - bundling unwanted, non-malicious,
software with popular downloads). An important factor was that SmartScreen had
expansive coverage on (knew about) all executable binaries downloaded from the
Internet - in order to mitigate the risk of users getting used to ignoring the
warnings if they saw those too often. Most users saw one or two SmartScreen
warnings in a year. And, when they saw the warnings, the risk was significant
- and users did the right thing in those cases (not run the downloaded
program). SmartScreen provided highly effective 0-hour protection against
socially engineered malware by helping users make the right trust-decisions.

There was some friction - for developers and advanced users (who downloaded
esoteric, non-very-commonly-downloaded software more frequently). For
developers, reputation came in two forms - either each individual binary that
they published could 'acquire' reputation - or if they had a code signing
certificate - then that certificate could 'acquire' reputation (and any binary
that was signed with the certificate would inherit it; which was a better
option). In either case, if the developer went rogue or published a program
the was malicious - it was straightforward to deal with that problem.
SmartScreen could instantaneously revoke the reputation for the certificate or
the binary. There is a meaningful cost (time, behavior) that the developer
incurred in order to get reputation - and it is hard, expensive, and not-
scalable for bad actors to 'acquire' reputation - and if they did end up
behaving badly after acquiring reputation (e.g. signing malware with code
signing certs that has acquire reputation), that reputation would be lost very
quickly - really hurting their ROI.

So yes - there was some friction. In many / most cases, new executables and
publishers 'acquired' reputation after a short period (typically a few days)
and many advanced users understood why they would occasionally see the
SmartScreen warning and would make the right action choice. But the benefits
to the larger ecosystem were incredibly significant and impactful.

~~~
gorkish
With all due respect, you may have built an effective tool to suppress
malware, but I would be more excited had you addressed the complaint in the
article.

It remains difficult if not impossible for a brand new developer to coordinate
a new launch or for an open source project to release unsigned binaries
without triggering SmartScreen's rather opaque and user-hostile reputation
block. At first glance, the dialog does not give the user any information that
it is even possible to execute the program. Of course it stops malware. It
brings the average Windows user to a dead stop!

Based on the number of regular people I help on a daily basis who download
completely legitimate, "esoteric, non-very-commonly-downloaded software" I
must say that I do not find your arguments very compelling. This tool could
have easily remained in your browser where it belongs.

------
ebg13
Application signing is a mafia protection racket, plain and simple.

If you aren't signed by an "authority", every user is told by default
automatically that your code is unsafe until you pay money.

It is 100% analogous to thugs walking into your store saying "It would be a
real shame if something were to happen to scare people away."

The message is "We Protected You" and "Unsafe". WHY? Because "WE don't
recognize" it.

Application signing certificates cost money. Always. And if you're making
something for free either out of the goodness of your heart or because you
like making things, that money has to come out of your pocket just so the
thugs don't stand in front of your door with bats. Nobody should be ok with
that. AND FUN FACT: malicious or incompetent actors can and do also pay money.

~~~
umvi
First they came for the iOS developers, and I did not speak out, because I
wasn't an iOS developer.

Then they came for the Windows developers, and I did not speak out, because I
wasn't a Windows developer...

I sure wish I could distribute the software I write without paying some rent-
collector (at least) $100 for the privilege.

~~~
danieldk
The problem isn't the rent. It may be an inconvenience for an indie developer,
but to Microsoft, Apple, etc. the cost of a yearly developer account is
peanuts. They are not doing it hoping to make excessive amounts of money. Even
if Apple has a million developers paying $100, $100M is barely a blip on their
radar.

It is all about control. They get to decide whose software gets to run with
and whose without annoyances.

~~~
ebg13
> _The problem isn 't the rent._

Yes and no. I'm making free software for the world, not running a business,
and I don't appreciate getting shaken down by a megabillion$ corporation.

------
NCommander
The entire point of authnicode wasn't to protect users, it was to make sure
software wasn't modified in flight (ala what SourceForge did), and to make
those binaries accountable.

Now we're getting to the point that this feels like a protection racket. It,
at least in theory, is possible for individuals to get EV certificates for
websites. Worst case scenario, you can get a one man business for the
paperwork.

A lot of viruses can hit via either remote code execution, or exploiting a bug
when loaded through a data file. Neither of those scenarios is stopped by
SmartScreen. At best, it stops someone from clicking "WannaCry.exe".

MSFT is basically doing everything to make you use the Store, and it reeked
back with Windows RT, and it reeks even more now.

Unfortunately, it seems MSFT is incapable of creating a version of Windows
that doesn't have live tiles, constantly tracking what applications you run. I
switched to Linux years ago, but I realize that most people live in a Windows
ecosystem, and that they're subject to the whims of MSFT.

------
fierarul
Dear GitHub CEO reading this message on HN: a cool feature would be a GitHub
action to sign binaries _for free_.

It's ridiculous that my open source code is hosted on GitHub, the binary is
created with an action but I have to pay for a certificate and manually sign
it.

~~~
magicalhippo
I guess since Microsoft through GitHub controls the build process, couldn't
they also include the signed source as well as a combined signature?

Idea being that one could, in theory, download the git repo, check out the
relevant commit and verify that this was the source code and this was the
resulting binary, and that matches the exe file I just downloaded.

~~~
fierarul
Yes! I bet there are numerous ways this could be implemented to make things
easier for developers and end users.

With the current setup GitHub has more control on the resulting bits than I
do.

Also, current Microsoft signature rules that a hardware dongle is required to
sign the bits (all non-hardware certificates will be deprecated in time).

So, I'm supposed to take the .EXE that GitHub produced on one of their VMs
running actions then certify _it 's legit_ by signing it with my certificate.

But what am I actually certifying? Well, that to the best of my knowledge this
EXE is the build output of this Git commit that triggered the action.

------
xoail
I recently went through this pain for an electron app. Non-EV code sign cert
kept throwing SmartScreen warnings for most users. Acquiring an EV cert forced
me to register a company and a hefty cert price per year, overall costing
nearly $1500. Not to mention overall delay and added costs.

Meanwhile my $100/y Apple Dev subscription was enough to package the app and
distribute outside App Store.

At this point I am fairly certain EV certs are nothing but rackets supported
by MS.

~~~
mceachen
Oof. Next time you need to renew, check the links from the msft authenticode
dev website for ev certs. A couple providers are much less than $1500/yr.

Also, when I got my renewal bill for something like $1500/yr for
PhotoStructure, I sent an email to their support asking to continue the low
original fee, and they agreed.

------
gorkish
What this really does is train users to bypass protections. As anyone who has
owned a mac can attest, I now basically think nothing of the potential perils
of doing "right click -> open -> ok" because I have to do it ALL THE TIME.

It's getting to the point where it's the same on windows. More info -> run
anyway is becoming a useless annoyance.

I would note that at one point SSL certificates were kind of in the same boat.
Users clicked through web warnings as a matter of course. The thing that
changed is that we were able to reduce the financial barrier to certs to
literally $0. If the same can be done for this nonsense, we will be in much
better shape.

I have already made my choice on risk when I chose to download the software
from the developer and execute it. A prompt for a first time trust might be
the limit of what I'm OK with including, but any stronger warning or making it
difficult to proceed is really only reasonable to do if some 3rd party is
compromising a choice I have already made.

------
AshamedCaptain
I am guessing that they'd want you do distribute your program through their
"App Store" as a UWP, which is likely subject to sandboxing and will never
show the SmartScreen prompts.

Making raw Win32 .exe distribution as user-unfriendly as possible is very
likely to be a goal of MS.

~~~
cptskippy
Honestly I am all for sandboxing by default and scary prompts for anything
that doesn't subject itself to strict sandboxing or that tries to break out of
it. That doesn't mean apps necessarily have to come from a MS curated store
either, just that by default the run in a sandboxed context with access to
dick squat on my system.

I absolutely hate when I install something like Adobe Acrobat and it installs
18 schedule tasks, a startup job to ensure those task exist, a tray icon to
monitor it's services and all the other crap. No thanks.

I also don't want to have to worry about installing some random app I found on
SourceForge that purports to do what I want but might come with the SF
equivalent of News Gator side loaded.

Lock it all down by default in a virtual sandbox by default and if it needs
legitimate access to my files, prompt me to grant it access.

~~~
WorldMaker
MSIX tries to be exactly that. It supports the gamut of Win32 so long as they
can be minimally sandboxed. Win32 apps in MSIX still have access to everything
and can't be entirely trusted, but the installer will warn you about that a
lot less "scarily" than the SmartScreen Defender prompt this author doesn't
like.

MSIX can be sideloaded by default in every supported version of Windows (in
addition to or rather than Store installed) (supported versions of Windows
include 7, 8, 8.1, and 10 after the Anniversary Update). MSIX support _auto-
updating_ even when sideloaded, all it takes is an HTTPS server with some
simple manifests (for those that remember ClickOnce it is reminiscent but a
lot easier/cleaner), or for Enterprises a file share will do.

The only caveat is that MSIX requires Code Signing Certificates for
sideloading. (Note that makes Store install is a "cheaper" option with the
$99/year and Microsoft handles the package signing for you as a part of the
approval process.)

My biggest gripe with WinGet as a project (and no, the article is wrong it's
not intended to replace the Store) is that it isn't doing _way_ more to
bootstrap MSIX packages instead of "downloading and running EXEs like always
before".

~~~
ripley12
> MSIX can be sideloaded by default in every supported version of Windows

Is that true? I thought MSIX sideloading was only enabled by default in the
recent Win10 2004 release (better late than never!).
[https://www.windowslatest.com/2019/08/12/windows-10-20h1-imp...](https://www.windowslatest.com/2019/08/12/windows-10-20h1-improves-
apps-sideloading-adds-msix-support/)

~~~
WorldMaker
APPX sideloading has been enabled by default since at least the Anniversary
Update. Not every MSIX will sideload if just renamed to APPX, but many will
(including many Win32 applications). Microsoft has stated that every actively
supported Windows 10 feature update from the Anniversary Update forward will
receive updates to enable the rest of MSIX and the MSIX file extension,
including sideloading.

~~~
contextfree
You're both partly right - it was enabled by default in Home and Pro editions
since 2016, but is just now being enabled by default in the Enterprise edition
in the new version 2004 update.

------
rock_artist
I work for a company that develops audio software. The market itself isn’t
that huge so our products triggered even on Windows 7. Once we got the first
reports, we’ve bought a code sign certificate.

But still... if your software isn’t common... you’ll trigger the SmartScreen.

Even if your app managed to pass SametScreen, you’ll soon discover that many
users got Anti-Viruses that with the same assumption about non-common app is
bad.

I’ve ended up contacting a lot of Anti-Virus companies and I whitelist our
installers also on their end.

While the process itself is much simpler than notarizing with Apple. On
Windows you need to contact much more parties to make your app “just work” for
the non-tech-savvy user.

------
ripley12
I asked the MSIX team about code signing at Build recently, they said they
will be previewing "Azure Trust Service" this summer which makes code signing
easier:
[https://twitter.com/jvintzel/status/1262794128351322114](https://twitter.com/jvintzel/status/1262794128351322114)

The current code signing situation on Windows is painful. It's especially
galling how the code signing requirements apply to modern _sandboxed_ Windows
applications as well - an MSIX-packaged application with minimal capabilities
is subject to the same requirements as an EXE that can do anything.

~~~
kevingadd
I think there's an argument to be made that sandboxing shouldn't exempt you
from security restrictions. Unless the sandbox is entirely impossible to
penetrate (making apps borderline useless), a malicious app still has many
opportunities to trick the user or exploit security vulnerabilities. Revocable
signing certificates are a useful tool for fighting back against hostile
actors.

The certs should be much cheaper, though, and it would make sense for
sandboxed applications to perhaps be _easier_ to sign.

~~~
ripley12
That makes a lot of sense - I think making signing easier should be the goal,
not removing signing requirements entirely.

Part of my frustration comes from this paradox: it's harder than it used to be
to share a native application with others, even though we now have sandboxing
that makes it significantly safer.

It feels like most of the pieces are in place, MSIX has matured to the point
where it's pretty easy to distribute an application that runs in a sandbox
with auto-updating. If Microsoft can just make the signing part easier, I
think we'll see a much more vibrant community around native app development.

------
echelon
More walled gardens. Hooray.

This is why we need WASM and web-first development. If the platforms won't
empower us to develop and distribute without levying their tax, we need to
take our business back to the open web and spend our money on making it the
best platform.

Besides, it's a nightmare to have to develop for every single platform when
the web is universal. Platforms should pay the cost of making things work on
their devices and operating systems, not tens of thousands of independent
developers and engineers paying this price N-many times for each walled
garden.

We also need to get Google's claws out of the open web (AMP, standards
balkanization, etc.)

~~~
danieldk
_This is why we need WASM and web-first development._

This is only going to make things worse. If everything is a web application,
why would users even need access to their hardware or be able to modify their
operating system? Boot from an locked bootloader that only loads a FAANG-
signed shim OS, that only loads a FAANG-signed web browser. Next, disallow
extensions and ad blockers and we are in the brave new web world were a small
number companies more powerful than nation states continuously monitor your
behavior for ad impressions.

Sure, now you can install a web browser on your Linux or BSD machine. But once
they are in that position, they will make sure that it will be a miserable
experience without necessary DRM, disabling or not investing in hardware
acceleration, breaking random things on 'unsupported combinations', etc.
Moreover, as usual on the web, any competitive player the becomes a threat
will be bought by the increasingly large FAANG companies, ending their
'incredible journeys'.

Even though it will probably never happen, what we need is Linux on the
desktop, with good native applications, plus a truly open mobile platform.

~~~
lodovic
Interesting. How are we going to block annoying content if it is implemented
in WASM?

------
Wowfunhappy
At least for standard apps, the user can bypass the warning. For drivers, it
gets much worse.

On 64 bit versions of Windows, there is _no way_ for me to permanently allow
unsigned drivers. Every time I want to install an unsigned driver, I have to
reboot my computer while holding down shift, select advanced startup options,
and then hit "7" on a USB keyboard _which I lug out of the closet because my
Bluetooth keyboard won 't work_. The effect only lasts until the next time I
restart.

I understand that the kernel is sensitive, but this is overkill. Please let me
install the software I want on my own machine!

~~~
falcolas
And yet videogames can easily install Ring-0 “anti-cheat” software with no
special privileges or steps required.

~~~
snuxoll
Because they get signed.

------
wronex
Please note that EV code signing certificates are not the magic bullet they
first appear. SmartScreen is reputation based. An EV code signing certificate
does not grant immediate access. You will have to build reputation regardless.

There is no pay to win solution. I've learnt this the hard way.

You can however place the executable in a Zip archive to bypass SmartScreen.
An unzipped file won't bear the mark of the web.

~~~
mehrdadn
Wait really? How do you unzip your files? I thought files unzipped inside with
Windows's built-in unzipper still keep the attachment manager metadata that
Windows stores?

~~~
wronex
You are correct.

I've been using 7zip. It does clear the flag. Windows built-in unzipper does
not.

------
AdmiralAsshat
> “Developers, developers, developers!” was a cry from Steve Ballmer and one
> of the speeches that defined him as CEO of Microsoft. These infamous words
> were uttered back in 2006.

The famous YouTube video of it was uploaded in 2006, but my sources say the
event in question was from Microsoft's 25th Anniversary Event in September
2000.

I could use a more authoritative source than knowyourmeme, though, so someone
else is free to chime in there. There's a newsletter referencing it as early
as 2001[0], so that seems to suggest well ahead of 2006.

[0][http://www.ntk.net/2001/08/03/](http://www.ntk.net/2001/08/03/)

~~~
cm2187
Well the message is now "get off our platform so we can switch it off".
Everything Microsoft does goes in the direction of phasing out Windows.

------
ilaksh
This racket and Microsoft's hostility to independent developers (and apparent
attempt to force them to use their Windows store?) is one of the reasons that
I just can't go along with people who think that Microsoft is a "champion of
open source" now or benign actor in the business world. They are fundamentally
corrupt and cutthroat.

I recently wiped Windows and loaded up Pop! OS. It works great. And I never
get a message saying "this software is suspicious" just because it's not in an
official Deb package or something. If I add a PPA or download a binary or
whatever I do, there are basic permissions required, but it does not
automatically say "this is probably dangerous so I stopped it" just because
the distro doesn't recognize the software. That is ridiculous.

------
vanilla-almond
Another tale from a developer on their experience getting a code signing
certificate from a certificate authority:

[https://twitter.com/hanspagel/status/1262317935898566658](https://twitter.com/hanspagel/status/1262317935898566658)

~~~
kbenson
Eh, honestly, that's what getting an SSL cert used to be like 15 years ago.
They can knock it all they want, but really, the process functioned pretty
much as expected.

Like a lock on your front door, the purpose is not to prevent unwanted people
from ever getting inside (no lock will ever accomplish that), but to both make
it take long enough the likelihood of being noticed is high, and to put enough
hurdles in place that the attacker looks for a more lucrative target.

This is done through time, capability, and money. It takes time to jump
through the steps. This presents risk to an attacker as it leaves them exposed
for much longer, and susceptible to being tracked down in various ways as they
expose themselves. It takes capability to jump through the steps, requiring
the attacker having compromised the target in multiple different ways (phone
system, employee, etc). This increases the complexity of the attach and thus
the risk to the attacker. It takes money. This helps the providing company
recoup the cost of verification (and if it's anything like web SSL certs is
also about insurance), but money also provides another path to racking down an
attacker, and provides a cost to them that isn't just their time. It also
makes it less feasible to attempt a bunch of these attacks at once, as it's
expensive.

People can complain about the inconvenience all they want, but the
inconvenience is part of the point, so I doubt you'll see it change all that
much.

~~~
falcolas
Funny how Let’s Encrypt is so popular because it doesn’t inconvenience people,
and as a result more websites than ever have been secured, to the betterment
of society.

~~~
fh973
There is a huge difference of what kind of identity is established: Let's
Encrypt tells you basically that you are actually talking to the right server,
whereas EV certs for signing binaries tell you which company that actually
exists in the real world owns the certificate.

~~~
kbenson
Also, for a lot of sites they've outsourced their payment systems (which was
the main reason for SSL certs in the past), so you can place less importance
on the SSL cert if the payment gateway is PayPal, or Amazon, or Squarespace,
and they are essentially providing the same assurance (and are a responsible
party you can contact to reverse charges if you suspect fraud).

At this point, I'm very hesitant to enter any credit card info into a site
itself, even if it's secured through an SSL cert. It doesn't really signify
what it used to.

------
sequence7
This is really hurting Microsoft's ecosystem, I'm trying to add the latest
version of QuickLook [0] to the winget package manager at the moment but
because the msi installer isn't signed my pull request is doomed to
failure[1].

If Microsoft want Windows to be an awesome developer platform this kind of
friction with the tooling helps no-one.

[0] [https://github.com/QL-Win/QuickLook](https://github.com/QL-Win/QuickLook)
[1] [https://github.com/microsoft/winget-
pkgs/pull/1241](https://github.com/microsoft/winget-pkgs/pull/1241)

------
iwalton3
I always tell users to Mark the file as trusted before running it, which is
easier to do and less subject to difficult to navigate dialogs. I use a
message like this:

> To avoid getting security warnings each time you launch the application,
> right click and select "Properties". Click "Unblock" towards the bottom of
> the page, and click "OK".

------
sireat
This was a problem already a few years ago.

I was working for mid-level corp writing a C# Windows program that would be
used by a few hundred people tops.

Even after going through the signing process, there were still false positives
from some major anti-virus vendors.

I had to submit and resubmit to multiple vendors to get the program off the
false-positives. Some smaller vendors still triggered.

Microsoft Defender was one of those that I had trouble with even after the
signing.

So if you write software for a smaller audience you are going to get screwed.

------
johnchristopher
> By this time most users have deleted the .exe already thinking it is a
> malware, but SmartScreen can be bypassed by clicking on “More info” then
> “Run anyway”.

What typically happens is people don't even click on more info. They
redownload the files and then give up and the files are now collecting bit
dust. Source: me.

Also, I think it has been going on for more than a year now.

~~~
WorldMaker
SmartScreen Defender has been in every version of Windows 10 since launch.

------
nominated1
I ran into this issue when writing a small automation tool for a friends
business.

The workaround for now:

Right click .exe → Properties → at bottom of the General tab check “Unblock”

Microsoft – same wolf, different clothing.

------
replyifuagree
Meanwhile, all bad actors know the best way to deliver malicious code is via
javascript exploits in a browser.

~~~
jpalomaki
It might be the best way, but distributing your malware as executable - maybe
bundled with some other app - is easy. Plenty of bad actors out there who
can’t pull the fancy tricks.

Smartscreen may protect against cases where somebody has for example
repackaged WinSCP and distributes it with malware.

------
ksm
We have been bitten with this one, multiple times now over the years but seems
to have gotten worse.

Our otherwise SaaS product requires an installable component for our customers
PCs, from installation package (MSI and/or EXE) that we generate on the fly
per customer -basis in order to customize data inside the installer for each
tenant. For this reason, the timestamping of digital signature varies between
packages as does the hash [of the content], and for _months_ after we have
renewed our signing certificate we get support messages about both Smart
Screen "scary warnings" as well as from some AV products as well. Despite
number of downloads for runs for the package(s) signed with one and the same
signature.

As the article mentions, it does not matter if you have had previous
certificate; each renewal (=new certificate technically) starts this
reputation process from zero. What's worse, since the signing happens on the
[Windows] server as part of the product itself we really cannot use EV
certificates either as those require physical USB dongles to be attached to
machine doing the signing.. so we are left only with option of using regular
certificate that gets this treatment. Sure, 10 year certificate would postpone
the issue for a long time, but for security purposes we actually want to
recycle those signing certificates with one to two year interval so the
problem always resurfaces regularly.

------
munchbunny
The part that is insane to me is the idea that there is no way as a developer
to get a "this product was reviewed and certified clean" label to guarantee a
clean installation UX, _even after buying a code signing certificate._

SmartScreen seems like a great idea for protecting the end user, but without
ways to remediate "reputation" problems with some form of prior review, this
makes the software ecosystem shitty _especially_ for individuals and small
software outfits.

~~~
WorldMaker
SmartScreen has a manual review submission process:
[https://docs.microsoft.com/en-us/windows/security/threat-
pro...](https://docs.microsoft.com/en-us/windows/security/threat-
protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-
overview#submit-files-to-microsoft-defender-smartscreen-for-review)

------
jedberg
As is typical for Microsoft, they again are trying to copy Apple, but failing
to get the details right, turning it into a disaster. This behavior used to
just be limited to their UI, but now it seems to have passed into their
business practices.

I suspect this happened because they were trying to be more secure, but all
the Microsoft employees have free access to signing certificates that bypass
the checks, so they never ran into these problems.

------
nerdjon
Can someone break down how this compares to what Apple does with Mac?

The basic gist I have is for Apple you have a yearly fee of $100(USD) but that
covers all of your apps.

Where Microsoft is per app and looks to be about $100 a year (depending on how
far in advance you pay) and then also have another piece on top of it
regarding how often its used.

Is there more to what Microsoft is doing or areas where what Apple is doing is
shady?

~~~
mikewhy
One big difference is that this $100/yr (ish) for MS side of things doesn't
actually bypass smart screen on its own. Smart screen stops showing up if more
people eventually install and use your app (black box). If you want to bypass
it out of the gate, you need an EV Cert. Which are hundreds more (further down
this article quotes one at $700), and require more effort on the business side
of things.

------
samcat116
Interesting that they aren't doing it the same way as Apple, where you pay to
be part of the program and they provide all the certificates. Certainly seems
cheaper at $100/yr compared to the prices of these certs.

Also why are these certs so much more expensive compared to a normal SSL
certificate?

~~~
WorldMaker
Microsoft provides an _option_ to do exactly that. Microsoft Store will handle
all the certificates for you for $100/year _and_ their Store cut is smaller
than Apple's if you decide to sell through the Store.

~~~
contextfree
if I'm not mistaken it's a one-time (not annual) fee of $19 for an individual
account or $99 for a company account (required for Win32 apps)

[https://docs.microsoft.com/en-
us/windows/uwp/publish/account...](https://docs.microsoft.com/en-
us/windows/uwp/publish/account-types-locations-and-fees)

------
luord
I like to think that these stupid corporations would try harder at solving the
problems they create if whenever those problems are mentioned, those
corporations didn't get dozens of apologists. Or maybe I'm just frustrated.

Microsoft doesn't need some oddly loyal developers defending them nor the free
publicity they provide. Developers affected by stuff like this don't need some
guy asking _them_ what they would do better. It's not indie developers' job to
fix microsoft, it's microsoft's.

------
gigel82
I agree in general with what SmartScreen tries to do. There are a lot of non-
technical folks clicking on stuff willy-nilly so adding barriers to prevent
spyware / virus infections for totally unknown binaries is a good thing. A
"Let's Encrypt" for code signing may be a good idea, but the cost of a
certificate is itself a barrier for spyware distributors, so i'm conflicted on
that... not sure what the right fix is.

~~~
fh973
The barrier is actually bigger than just money: for an EV certificate you need
to prove that you are a registered business. So there is a name and an address
behind it, which is kind of a barrier for malware.

~~~
donmcronald
What’s that? An extra $50 in Delaware?

------
mgamache
Too bad we can't have a Lets Encrypt for desktop. Also the EV certs are
effectively dead for the web.

[https://www.bleepingcomputer.com/news/software/chrome-and-
fi...](https://www.bleepingcomputer.com/news/software/chrome-and-firefox-
changes-spark-the-end-of-ev-
certificates/#:~:text=Chrome%20decides%20to%20drop%20the,for%20release%20on%20September%2010th).

------
dzonga
walled gardens ever increasing assault on independent developers never stops.
seems microsoft is following Apple's trend of shitting on indies. my take is
folks develop your apps to be browser based, if you can. if we can have a
browser app, like Figma. a lot of apps, could do. the ones that need to deal
with os n files etc, might be non-starter. take your talents to open
platforms.

~~~
fenwick67
I was under the impression Figma was an executable, not a web app.

~~~
filoleg
it is a web app. You can run it fully in the browser. Local executable is just
an Electron app iirc. I don't have it install on my work machine, but I
frequently access and manipulate Figma files from Chrome just fine.

------
jpalomaki
If you click ”more info” on the SmartScreen notice you should be able to
bypass it (unless you are in environment where admin has blocked this).

------
wvenable
I developed some absolutely free Windows software as a hobby. I specifically
didn't want to change for it because then it's a job. Smartscreen was
definitely a problem; end users were absolutely afraid of my software.

Eventually a user who was also software developer offered to sign the binaries
for me with his certificate and that's how I've operated since.

~~~
donmcronald
Lmao. We should all pitch in $20 and set up a shell company to buy 1 code
signing certificate to share. It would definitely pass SmartScreen if a couple
hundred apps were signing with it.

------
jaquers
I can certainly empathize with the author. How many executions are we talking
about though? 10, 100, 1000?

Seems like a dev w/ a new certificate could post a build of said application
to a dev-friendly space to "bootstrap" the process.

Certainly not practical in many scenarios, but that's why I was curious about
how many it takes.

~~~
Wowfunhappy
I don't think it's such a bad system either, but the certificates themselves
should be _much_ cheaper, if not free. I mean, they don't even _do_ anything
until a critical mass of users lets the app through smart-screen.

------
shirian
All the open source developers/publishers here should get together and pitch
in to get one long lasting certificate to sign all of their respective
binaries (of course, really important that they vet each other's code, so has
to be open source) Edit: typo.

~~~
donmcronald
AppGet or Chocolatey are already on the system and (I think) could unblock
binaries from SmartScreen. AFAIK user level programs could run with zero
prompts.

------
guitarnick
Can this be worked around with UX?

Show clear steps with images on the download page that direct them to click
"More Info" to run the app. Eventually the app builds up reputation (at least
until the cert expires). How effective would this approach be?

~~~
bentcorner
You can but you'd need to account for every OS/update combination to make sure
you get the UX right. Many apps do something similar for teaching people how
to click through the trust dialogs when running the installer when downloading
with chrome/ie/edge/firefox/chrome-edge/etc.

Not impossible but it's definitely a hassle and probably non-trivial to get
right.

------
diego_moita
> The digital signature racket

> The price range is wide but a certificate only valid for a year will
> typically go for about $100.

This is hypocrisy, smells like Apple-fanboy trolling. MS stimulates
competition on the code signing certificates and it is free to deploy through
their appstore. And you can bypass Smartscreen right from the warning.

Certificates cost $59.00 at codesigncert[0], not "about $100.00". Established
developers with reputation don't need certificates.

Now compare that with Apple's (much more walled) approach: only Apple sells
the certificate at the price of $99,00, even to deploy on their Mac store
(where they'll also take a cut) and it is not trivial to bypass their screen.

[0] [https://codesigncert.com/comodo-individual-code-
signing](https://codesigncert.com/comodo-individual-code-signing)

Edit: I don't like MS codesigning implementation, but they are not the worst
on this game.

~~~
vxNsr
$59 if you pay for 3 years, so actually $177 up front or $75 for one year, and
again, this doesn't actually help bec after x years your app will need to
build a reputation again.

This is ridiculous and as others have said is meant to funnel devs to using
the broken Microsoft Store.

~~~
xoail
This is so true. When you renew, you get back to square one with reputation.

------
z3t4
Why not add a protective layer to the OS, kinda like Apparmor on Linux!?
Because of the monopoly status of the Windows platform, instead of making a
better product, you invent things to make more money.

------
m0xte
Completely agree. Just a rebuild of an MSI the other day turned up a false
positive in windows defender and it’s still stuck in smartscreen today despite
MSFT fixing the AV definitions.

Cost me three days.

------
ima_banana
Second instance on the front page today of false positives / false negatives,
the other being the walmart shoplifting story.

Edit: possibly also the MLK one and police v journalists one...

------
thefounder
Look at this from anither angle: on MacOS it is worse. You can "buy"
certificates/approval only from Apple. If Apple doesn't like you, you are
screwed!

~~~
duskwuff
OTOH: On macOS, you pay $100/yr and you're set -- any apps you notarize will
launch with a simple confirmation dialog. On Windows, you can spend hundreds
of dollars on a security certificate and _still_ get blocked by SmartScreen
and/or antivirus software.

I'm not aware of any situations where Apple has declined to offer a developer
certificate to a developer, outside of situations where they are legally
barred from doing so (e.g, for developers in countries subject to US economic
sanctions, who would probably be unable to obtain a software signing
certificate either).

~~~
thefounder
>> On Windows, you can spend hundreds of dollars on a security certificate and
still get blocked by SmartScreen and/or antivirus software.

You are wrong. As described in the OP if you buy EV certificate($70) [0] you
are all set.

>> I'm not aware of any situations where Apple has declined to offer a
developer certificate

I can see that. Still there are such cases. Monopoly on the approval process
is bad anyway. Even if acting in good faith, mistakes happen.

[0] [https://www.ssl2buy.com/comodo-positivessl-
ev.php](https://www.ssl2buy.com/comodo-positivessl-ev.php)

~~~
donmcronald
That’s an SSL certificate. Anyone who pays for that is dumb. Anyone that tries
to use it for code signing is dumber.

~~~
thefounder
Sorry for the wrong link. Below is the correct one to an EV Code Signing
Certificate offer. For the dumb people who can't find a better price it's just
$300. Enjoy!

[https://comodosslstore.com/code-signing/comodo-ev-code-
signi...](https://comodosslstore.com/code-signing/comodo-ev-code-signing-
certificate)

------
pippy
How long will it be before Google, Apple, and Microsoft start pulling
certificates for apps governments deem unacceptable, such as organizing
protests or communicating?

------
fortran77
It's wrong to call it "malware". They should say it's unknown and you
shouldn't install it unless you're certain about the creator.

------
bitL
Welcome to the world of macOS! Both MS and Apple went insane with their creepy
security imposed on "unknown" developers. Use Linux I guess...

------
michaelsbradley
Are there any zero-cost options for code signing open source Windows apps that
are free to use and will never generate revenue of any kind?

------
projektfu
Sandboxing would help a lot.

Is it this hard to publish on the Microsoft Store? Is this a play to make the
Store more relevant?

------
mimi89999
Apple was doing the same thing.

~~~
ridiculous_fish
While there are some similarities, the key difference is that Apple doesn't
impose a "reputation requirement." Signed apps and installers work the same no
matter how many other users have run them.

------
tomc1985
It's like the JRE all over again

------
stephc_int13
This is clearly a warning, among others, that the bad Microsoft is back.

Using certificates and app signing is OK as long as it is done properly, with
as much clarity as possible, and an inexpensive way to get our apps signed.

~~~
skrebbel
Back, how? I don't disagree with the gist of this article, but that
SmartScreen window has looked like that for many, many years. It's not new,
nothing is back. Microsoft was never fantastic.

The only thing that's new about this article is the bit about WinGet, which is
so beta that it's hard to assume that its "SmartScreen means malware" behavior
will remain like that.

I do agree with it btw, it's just like how Gmail's spam filters make it super
hard to self host email. This is monopolistic behavior under the guise of
protecting users, plain and simple.

~~~
Anon4Now
> but that SmartScreen window has looked like that for many, many years

It changed a year or two ago. The "Run Anyways" button used to be on the main
dialog. Now the user has to click the "More Info" button to see that option.

~~~
WorldMaker
That particular dialog has been the same since Windows 10's launch, though it
is "adaptive" in that _as_ the reputation slowly builds it will show the Run
Anyways button at something like "medium reputation".

~~~
Anon4Now
Ahh, that explains it. I had a screenshot of the SmartScreen dialog on my
download page. After releasing a new version last fall, I noticed the dialog
changed to the hidden Run Anyways option. My error, apparently, was including
the major version number in the setup file name. When that rolled, the
reputation reset.

------
repiret
I call BS. This might be hurting some hobbyist projects, but anybody who earns
their living publishing software, and gets even a small amount of those
earnings from Windows apps, can afford $100/year for a code signing
certificate.

There are a lot of people trying really hard to trick users into installing
software they don't want. There's big money in it. Authenticode strikes me as
an entirely reasonable step to provide more signal to the systems trying to
identify and block crapware.

~~~
colde
But why even require payment for these certificates, since Microsoft according
to the article doesn't actually place any value on the certificate itself. You
still have to build up reputation separately. In that case, it seems entirely
unnecessary to require a paid certificate.

~~~
repiret
Because it costs money to do the identify verification? Its not like a DV
certificate where the volume is very high, and the verification isn't hard to
automate.

I paid $400/yr for my employers first Authenticode certificate back when they
were a new thing and you could only get them from Verisign. Now there's a
handful of providers and competition has brought the price down, but the
volume is lower than DV certs, and verification is harder, so the prices won't
go down to zero.

Why do identity verification at all, you could ask? A reasonable question; if
all I need to start earning reputation is a private key, the costs could go to
zero. But letting the scammers make as many identities as they like at no cost
changes the prior on a previously unseen identity. It seems MS isn't granting
a very strong prior anyway though, so... my argument certainly is weak here.

