Deanna’s Freeware Spotlight: Safe Startup by PrivacyRoot

Welcome to the inaugural Deanna’s Freeware Spotlight, a once-a-week-or-so missive from Randy and Deanna at OlderGeeks.com. They’re passionate about good freeware, and they maintain a download site “without ads, fake download buttons and crapware.”

There are a gazillion startup editing programs out there. You know, the programs that let you disable programs from running when you turn on your computer. But Safe Startup by PrivacyRoot, S.R.O. is different. It runs in your system tray and notifies you when a program gets added to startup so you can kill it dead immediately. Go grab a copy, it’s free!

Microsoft fixes the Zip file mess-up in the (beta version of) Win10 1809

Microsoft just released KB 4464455 to the Windows Insider Slow and Release Preview rings. That KB brings the beta-test version of Win10 1809 up to build 17763.107.

Apparently it shouldn’t be confused with KB 4464455, released on October 16 to the Slow and Release Preview rings, which brings Win10 1809 up to build 17763.104.

The ChangeWindows timeline shows that 17763.104 was out and about on Oct. 16, and 17763.107 first appeared today. Lucky for us they don’t track KB numbers.

According to deskmodder.de (in Google translation):

In addition to the issues already fixed in the first version of the KB, these two bugs have been fixed:

• Fixed an issue where extracting files from a.zip file in File Explorer to a read-only location does not prompt “Do you want to replace these files?” And the background copy action fails.
• We’ve fixed an issue where roaming profiles are not working properly.

… Note: This update is not just for the insiders. If you are on the road with the normal Windows 10 1809, you can also install it.

I’ve seen no confirmation — not even a hint — from any other site that last statement is true.

I wouldn’t be surprised if the Windows 10 October 2018 Update shipped tomorrow, on the last day of October. That’s exactly what happened with the Windows 10 April 2018 Update, version 1803 — it shipped on the last day of April.

But, man, shipping your final build a day before you go live… I mean, what could possibly go wrong?

Thx @teroalhonen

What happened to KB 4462923, the October Win7 Monthly Rollup?

@PKCano has been on a mission to find what it takes to get Windows Update to offer this month’s Win7 Monthly Rollup. It ain’t easy.

Details in Computerworld. Woody on Windows.

Patch Lady – 31 days of Paranoia – Day 29

Today’s topic of paranoia is one that I’m already paranoid over.  While 2017 had the largest number of public data breaches, there is a bigger risk that I’m concerned about.  That of the data breaches that we aren’t aware of.  Just about every day I hear on the radio or TV an ad for identity theft monitoring services that tout the ability to search the “dark web” for sensitive information.  I chuckle a bit a that because for something to be truly found on the dark web, then it’s no longer “on” the dark web but exposed as a known breach.  I don’t buy for one minute that these identity theft companies have the ability to see into the dark web before the bad guys find ways to obfuscate it again.

I’m paranoid that we’re always going to be one step behind the bad guys, with our financial institutions (who already have proven that they can’t be trusted) making security decisions that are good enough.  Good enough for their bottom line, but not good enough for our data.  I’m paranoid that our legislature won’t understand the cyber issues well enough to ensure we have laws in place to disclose breaches and protect our data.

So?  Are you as paranoid as I am?  Do you think we’re doing enough to protect our financial data?  What do you think they should do to make it better?

IBM will buy Red Hat – and look at the price!

I’ll confess I didn’t see this one coming.

Good analysis from Sean Gallagher at Ars Technica:

For IBM, the acquisition is about growing IBM’s business in the cloud—private, public, and hybrid—based on the position of the company as the open source and open standards player versus the “proprietary” models of Microsoft, Amazon, and other major cloud players. For Red Hat, the deal is about scaling up the company’s reach. “We can scale at greater speed,” said Cormier, “not just from a Kubernetes perspective, but even with the RHEL base. We can only reach a certain number of customers right now.”

The offer, $34 billion, is $190 per share, which is 63% more than Red Hat shares were trading for on Friday. IBM’s shares are way down.

Patch Lady – 31 days of Paranoia – Day 28

Today’s paranoia topic is about hardening Windows… and specifically if Windows  7 is really more or less secure than Windows 10.

For all that people do not like about Windows 10 privacy (or lack of) settings and telemetry, Windows 10 does have much more hardware based security that can be enabled than Windows 7 has.

But therein lies the problem, many of this security goodness only kicks in if you have the right hardware, and the right operating system and the right knowledge to set it up right.  Take credential guard for example… it’s only in Enterprise sku.  Others like attack surface reduction rules only kick in as well with the Enterprise version.  1809 was supposed to get block suspicious behaviors but it was pulled at the last minute.

So whenever you hear that Windows 10 is the most secure version of Windows ever… it is.  But…. depending on the version you have, you may not get all the features.

One thing you can do is to “harden” the operating system by uninstalling any software added by the vendor during the OEM process you don’t use, or better yet, reinstalling the operating system from scratch before you use it.  Then you can use various tools to “de bloat” the games and other items from the operating system as well as possibly disable services.

But I don’t recommend following that guidance without making a solid backup of your system before you start tweaking and making changes.

So is Windows 10 the most secure operating system ever?  Sure.  But like most things in security, it takes work and nothing right out of the box is as secure as it can be.

Patch Lady – 31 days of Paranoia – Day 27

I apologize in advance if I’m a bit controversial tonight.  In the last several days we’ve had horrific things occur in the United States and I think some of this bad stuff going on… or perhaps all of this… is enhanced by social media.  I have posted in and on online forums for many years and remember the days of nntp and newsgroups.  There were always good places to hang out and not so good places to hang out.  The anonymous nature of technology tended to encourage some folks to be a bit too brutal, a bit too honest, and a bit… well.. just too much.

Fast forward twenty years to where twitter, facebook, Instagram and other platforms are deemed “mainstream” and I think the same issues we saw twenty years ago in the newsgroups – that where communication is broken down – is now in our daily lives.  And now what used to be a small small group of folks that you could easily ignore is now a much larger problem in society.

In 2016, this page indicates that 87% of kids have witnessed cyberbullying.  Wow.  I wonder what that statistic is now.

So I challenge all of us.. .including me, to do something tomorrow. Instead of using technology tomorrow, glance up at another human being and say Hi to them.  Keep your phone in your pocket and technology away from your fingertips and your head up tomorrow.

Consider this an online hug from me, and here’s hoping something can be done.

Newly discovered data access breach in Win10 UWP (Metro, “Store”) apps

There’s a bug in the UWP API that lets appropriately programmed apps look at all of your data. Günter Born says:

(The malicious UWP) app is not limited to access to files and folders via a file picker or LocalStorage. Microsoft has described the permitted file system accesses in this document (broadFileSystemAccess API). The documentation also states: “On first use, the system prompts the user to allow access”. Microsoft (theoretically) provides security measures for access that intercept unauthorized access attempts. Without user access, a UWP app cannot access files without the user’s consent – at least theoretically …

Unfortunately, there’s a bug that prevents the security prompt from appearing. Microsoft apparently tried to fix the bug in Win10 1809, but the guy who discovered the bug, Sébastien Lachance, says that trying to run the API-calling code crashed the app.

(No details offered about which version of 1809 he tried.)

In the meantime, it appears as if 1803 and earlier are still subject to the bug.

Patch Lady – 31 days of Paranoia – Day 26

Our next topic of paranoia is one that there is more paranoia than there is reality:  Being concerned about automobiles being hacked.  Sure there are headlines about attacks and threats, but is there truth and fact in these attacks?

To be fair there is ample evidence to be concerned about the risks.  There have been clear demonstrations of cars taken over and remotely controlled.  But to be clear these hacks occurred after a long period of investigation.  The risk of cars…to me… is no different than the risk of the internet of things.  We have devices that you don’t normally think of needing updates and patches.  We have devices that are probably hard to patch (one doesn’t normally think of rebooting a car does one?)  We have a thing that most of us can’t service ourselves and must rely on the vendors and “consultants” (car dealers and mechanics) of varying quality that we have to rely on.

Don’t get me wrong, I love the idea of driverless cars, of technology that can drive me automatically to where I want to go, of technology that will ensure that we can be mobile at any age of our lives.  But with every technology we build, there are always people that will want to make that technology not work.

So when you buy a car and there is technology under the hood, ask about how that technology gets serviced.  Is it over the air patching?  Do you have to take the car to the dealer to get boards “flashed”?

It’s time to ask hard questions of all of our vendors.

Three years later, Surface Pro 4 problems persist. Isn’t it time for Microsoft to do something about it?

The old Surface Pro 4 defects keep, uh, resurfacing. There are even more complaints than before about bad TypeCovers and, now, mysterious battery drains in the middle of the night.

Barb Bowman recommends that Microsoft solve the problems by offering refurbished Surface Pro 5s (which is to say Surface Pro (2017)s) to SP4 owners. I think that’s a great idea — and would actually save Microsoft money in the long haul.

Computerworld Woody Rants on Windows.

Is Windows 10 Home ‘good enough’ for the Surface Pro 6?

I can’t believe that Microsoft has convinced otherwise sane industry pundits to parrot this drivel.

No. Windows 10 Home isn’t good enough for anybody — much less anybody who’s forking over $900 for a new computer.

Computerworld Woody on Windows.

Patch Lady – 31 days of Paranoia – Day 25

How many times has this happened to you?  You get a call and the person on the other end of the phone says you have a problem with your [computer, iPhone, apple device, technology].  They usually say that your device is alerting them that it is full of viruses.

Their goal?  To either get on your machine or get your credit card from you and then steal money from you.  As noted on this FTC page,

Ask you to give them remote access to your computer — which lets them access all information stored on it, and on any network connected to it

Try to enroll you in a worthless computer maintenance or warranty program

Install malware that gives them access to your computer and sensitive data, like user names and passwords

Ask for credit card information so they can bill you for phony services or services available elsewhere for free

Try to sell you software or repair services that are worthless or available elsewhere for free

Direct you to websites and ask you to enter credit card, bank account, and other personal information

How many of you try to play along and keep the scammers online?  I know some folks that purposely keep a virtual machine around and let scammers log into that and pretend to be really really dumb in regards to technology to keep the scammers online as much as possible.  I have often dragged them along for a time and then finally asked them if they feel right scamming people.  They promptly hang up.

If you’ve let them on your system, make sure you scan your system with an antivirus program.  Cancel credit cards if you gave them any financial information.

But just know that Microsoft never calls you, unless you’ve called them first.