Hackers exploited Windows 0-day for 6 months after Microsoft knew of it (arstechnica.com)
100 points by colinprince 10 months ago | 16 comments



They can claim admin-to-kernel is not a security boundary all they want; so long as driver signing and Windows-side Secure Boot are supported, it is a security boundary.

They do this quite a bit, like with the PowerShell execution policy or many UAC bypasses. According to MSRC policy, only non-admin user accounts where the user does not know the admin password have a security boundary between them and the kernel. But in reality they offer many security features users rely on, and most users don't have a choice but to admin their PC in some capacity.


Is this the end of "responsible disclosure?" Seems all these companies do is drag their feet in the face of vulnerabilities.


Between this kind of feet-dragging behaviour, the total lack of QA (especially with Microsoft), and some of the murmurings on how people have been screwed over with bug bounty programs, it kinda feels like the end to me.


It's not just Microsoft. The "throw it over the wall and let QA find my bugs" mentality is going strong everywhere these days. It's like devs don't care anymore. Throw in the fact that most devs can't even be bothered to learn their tools (such as git) beyond simple incantations ...

Yeah, software has gone to shit, yet it powers the world.


Odd position. Apache devs thanklessly busted their ass patching log4shell in 2021.


I don't think that's a good example. While Apache devs are volunteers and Microsoft devs are employees, they were nevertheless criticized for their slow response time and perceived lack of urgency until it was far too late.

https://github.com/apache/logging-log4j2/pull/608#issuecomme...


You're right, it is everywhere.

I call out Microsoft specifically because of their flat-out destruction of their QA teams and their pioneering of normalising totally broken software amongst tech people, power users, and the generally clueless alike. Things couldn't be this bad across the board without Microsoft and such hits as that time a Windows update somehow started deleting people's files, or one that changed all printers to one specific model. That's even ignoring the gaming side of Microsoft, where they fully support the release of games they publish that are varying shades of unplayable at launch, like Forza Horizon 5.

I strongly disagree that devs as in software engineer/software developer titled people are the problem, though. Devs as in the companies, like Playground Games as the developer of FH5, are though. The companies don't care. Why would they? Release garbage, get a bunch of money, and maybe tidy up a few bugs ...eventually. Maybe. Why have staff learn their craft and know their tools when the company priorities don't need it? Why respect the craft as a craft at all when all you want is code monkeys to do what they're damned well told? That culture hasn't come from software developers the people; it comes from the staff at these companies who realise it's cheaper in the short term to just burn people out to slap something together as quickly as possible and rake in the cash. On to the next steaming pile of garbage and a totally new team, because the last lot left the industry entirely after suffering under that shit. Even better if you can get a bunch of bright-eyed, bushy-tailed, single, childless interns who don't yet have the experience to know how bad it all is. Why hire someone who has been in the industry for more than a couple of years who wants to bother with things like source control, QA, BA, mentoring the newbies, or anything else that slows everything down when you can just ...not do that and still get money?

It's not the software devs whose passion is selling in-game currencies, live service slot machine garbage, or lovingly reinstalling Candy Crush every time you update Windows; that's the realm of 'infinite' growth fetishising weirdos. They don't need artist/wizard/god-tier problem solving software engineers who can squeeze an unimaginable amount of value out of every single bit of memory on the PS1 to bring the world of Crash Bandicoot to life. They don't need an operating system that is thoughtfully engineered. They don't need an office suite that actually works. They want ongoing revenue and that is the only thing that matters.

Pardon my ramble, but unfortunately, right now we all have bills to pay, and there's just not enough great jobs doing great things (in at least a thoughtful way) for all of us.


I agree completely. The “move fast and break things” mantra did more damage to the industry than anything. A big company saying that is fine, they have the resources to fix it. A small company doesn’t have the resources to fix something because they’ve already moved on to the next feature/project.

You’ve pointed out the cause for the reason devs are the way they are, at least a sound reason. I disagree that it’s entirely the company’s fault though. In the real world, if you hire a guy to wire your house up, he has an obligation to do it correctly: to keep his license and protect you from the hidden dangers of bad electrical wiring. We are those electricians. The owners of the house have very little idea what we are doing and the consequences of doing a poor job.


If the company dictates that no, we aren't going to do code reviews; no, we are not going to do source control; no, we are not going to gather requirements; no, we are not going to have any testing at all, that's what they want. They are not hiring people to do things properly. They do not want that. That is not their definition of correct and that is not what they say your job is. It is completely immaterial that all of that is certifiably insane. I have worked in a shithole that said all those things. Yes, really. I did fight against it at first but it is futile. They're not hiring decent sparkies to do decent sparky work, they're hiring people who don't know what the company is like, or first year apprentices, who will do it the way the company dictates, without question, for a quarter of the pay cash in hand. When the house burns down because of that work, it doesn't matter; the company will never be found liable, and on the off chance they do, they have insurance and other protections. Good work is a setback to these companies.


Bug bounty programs are almost never really safe for the researcher.


They have no incentive, sitting in the giant walled gardens of their monopolies.

What is needed is a "zero friction transition" law. As in, everything you have gets exported to neutral formats, allowing easy ecosystem transitions. Aka competition. That most hated word at corporate.


What metric does the SLA depend on?

Expect dishonesty on that metric, from finance-led firms.


> To work with supported versions of Windows, third-party drivers must first be digitally signed by Microsoft to certify that they are trustworthy and meet security requirements.

That’s a very bold statement when you can replicate a signature, so now the malware is “trustworthy” https://github.com/secretsquirrel/SigThief


Your link is about AVs implementing signature verification of binaries incorrectly, not Windows implementing signature verification of drivers incorrectly.
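As an added example (not from the article, SigThief, or any commenter), the PowerShell below makes that distinction concrete: a naive check that only asks whether the PE carries a certificate table at all, which a grafted signature satisfies, versus the Authenticode verification that Windows itself performs, which hashes the file and fails with HashMismatch when the signature belongs to a different binary. The `Microsoft Windows` subject match is an assumed heuristic for Microsoft-issued signer certificates, not an authoritative rule, and the driver paths are just convenient local input.

```powershell
# Added example. Contrasts "has a certificate table" (what signature grafting fools)
# with cryptographic Authenticode verification (what Windows driver signing enforces).

function Test-HasCertificateTable {
    # Naive check: does the PE's IMAGE_DIRECTORY_ENTRY_SECURITY entry have a non-zero size?
    # A SigThief-style copy of another file's WIN_CERTIFICATE blob makes this return $true.
    param([Parameter(Mandatory)][string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -lt 0x40 -or $bytes[0] -ne 0x4D -or $bytes[1] -ne 0x5A) { return $false }  # "MZ"
    $peOffset = [BitConverter]::ToInt32($bytes, 0x3C)                 # e_lfanew
    if ([BitConverter]::ToUInt32($bytes, $peOffset) -ne 0x00004550) { return $false }          # "PE\0\0"
    $optHdr = $peOffset + 24                                          # 4-byte signature + 20-byte COFF header
    $magic  = [BitConverter]::ToUInt16($bytes, $optHdr)
    $dirOff = if ($magic -eq 0x20B) { 112 } else { 96 }               # data directory offset: PE32+ vs PE32
    $secDir = $optHdr + $dirOff + (4 * 8)                             # entry 4, 8 bytes per entry
    $size   = [BitConverter]::ToUInt32($bytes, $secDir + 4)
    return ($size -gt 0)
}

function Test-DriverSignature {
    # Proper check: let the OS hash the image and verify the signature and chain.
    # Status is Valid only if the embedded (or catalog) signature covers *this* file's bytes.
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        File            = Split-Path $Path -Leaf
        HasCertTable    = Test-HasCertificateTable -Path $Path       # what a lazy check sees
        Status          = $sig.Status                                # Valid / HashMismatch / NotTrusted / NotSigned
        Signer          = $sig.SignerCertificate.Subject
        # Assumed heuristic: treat a valid signature from a "Microsoft Windows ..." CN as Microsoft-issued.
        MicrosoftSigned = ($sig.Status -eq 'Valid') -and
                          ($sig.SignerCertificate.Subject -match 'Microsoft Windows')
    }
}

# Usage: inspect a handful of inbox drivers; point it at a grafted .sys to see
# HasCertTable = True alongside Status = HashMismatch.
Get-ChildItem "$env:SystemRoot\System32\drivers\*.sys" | Select-Object -First 5 |
    ForEach-Object { Test-DriverSignature -Path $_.FullName } | Format-Table -AutoSize
```

Two caveats when reading the output. Many inbox drivers are catalog-signed rather than embedded-signed, so HasCertTable can be False while Status is still Valid; presence of the table is neither necessary nor sufficient. And Status = Valid only says the signature checks out cryptographically; whether the kernel will actually load the driver is a separate decision that also consults the vulnerable-driver blocklist, so a valid signature on a known-bad driver is not a clean bill of health.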


I mean seriously, what good does Microsoft actually do?

There is exactly one thing I found a pleasant surprise when I had to use Microsoft Windows: trying to paste something and accidentally finding an easily manageable clipboard history turned on by default. I mean, until today a big part of my day on other systems is undo/redo, hoping not to accidentally press another key and screw up the history when going back to the future (not sure why I can't just use some clipboard manager; maybe the risk my workflow introduces gives me the thrill I need)... ehh, back to topic: other than that, I have never seen anything from Microsoft where I don't think it's trash.

Even WSL, which I thought was a good solution for people forced to work with MS crap by their companies, they somehow managed to make worse with every unnecessary change. I only had to use a Windows PC for a couple of months in the last 10-15 years, but it showed me: nothing missed. Still the same. MS is somehow still evil & bad software. No matter how much the leadership changes. It seems to be in their DNA.


@dang lift my rate limit?



