Windows 8 - Looks really awesome

Discussion in 'other software & services' started by aigle, Sep 13, 2011.

Thread Status:
Not open for further replies.
  1. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    No irony. No sarcasm. I'm sure people are paying attention to it. I don't see how that makes it any more secure.

    It's never faking statistics. It's twisting statistics. It's how MS can say 96% of malware is caused by the user and Google can say 99% of infections are caused by exploits. Two seemingly contradictory statements that aren't necessarily contradicting.

    uh no

    reputation has a "25-70"% chance of the user listening to it. Quite the margin of error there.

    95% of users see "Oh, it's blatantly malware. I won't run it." That's expected. Most people will listen to a definitive blacklist.

    Up to 70% of users ignore reputation warnings entirely.

    That's from your own little pic of stats.

    "25-70% risk of malware infection when clicking through new application reputation warnings"

    I read that as 25-75% don't listen to the warnings. It's very strangely worded and could mean 25-75% do listen to warnings. Either way, we're looking at ~70-75% users possibly flat out ignoring it. At minimum 25% of users are flat out ignoring it.

    And that's in IE9. I can only imagine this getting worse as it's OS-wide because you're exposing it to so many files, not just from the browser.
     
  2. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    And even if smartscreen has a 100% blacklist if the reputation popups keep coming up people will shut it off. People don't care to do research. Popups annoy them and, just like with UAC, they turn it off even though technically UAC can stop a huge portion of malware.
     
  3. guest

    guest Guest

    I love how you twist your sentences even more than Microsoft or Google for that matter. You talk about "people" as if these hypothetical people were 100% of users (not even the majority!). Sometimes, it makes me laugh.
     
  4. guest

    guest Guest

    dude, I can't argue with you, if you refuse to fully read the figures and texts on the links I provide. It goes to a point where I seem to keep repeating myself.

    http://blogs.msdn.com/b/ie/archive/2011/05/17/smartscreen-174-application-reputation-in-ie9.aspx

     
  5. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I used your own facts.

    According to this as many as 70% of users flat out ignore reputation warnings.

    No twisting on my part. I just hope that MS isn't twisting these because than it's really bad!
     
  6. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I must be very atypical.

    Ah I see. That's much better worded. EDIT: In this case they are warning users at minimum 30% of the time, maximum 75% of the time when it's not necessary. That's just the reputation, not talking about the blacklist just the reputation.

    Anyways, as a blacklist it's fine. I still think reputation from what I've seen isn't great. If it's purely a factor in heuristics that's another story.
     
  7. guest

    guest Guest

    ROFL. Finally you see. But you could have seen it much earlier if you fully read the texts on the links I provided. You say you know how it works, but you refuse to fully read where MS explains how it works.

    This behavior won't give you a good comprehension, at best an informed guess - because the damn thing is made by Microsoft after all, lol.

    As I said before, it's also like UAC on being another pressure on devs to make use of best practices (Digitally sign your programs with an Authenticode signature. / Ensure downloads are not detected as malware. / Apply for a Windows Logo.).

    Now, if they manage to make it look different from the "malware detected" warning (seems to be done) and somewhat easier to disable while retaining the other parts of the scan (give them feedback on this!), they achieve the perfect balance on this approach IMO.
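The "digitally sign your programs with an Authenticode signature" best practice from the post above, as an added example that is not part of the thread or of Microsoft's documentation. It signs a build artifact from PowerShell and reads the signature back. Assumptions: a code-signing certificate already sits in Cert:\CurrentUser\My; if none is found the script creates a self-signed one (New-SelfSignedCertificate -Type CodeSigningCert needs the Windows 10 / Server 2016 PKI module) purely so it runs, and that signature will come back NotTrusted or UnknownError because no CA vouches for it. The timestamp server URL is a placeholder for whatever Authenticode timestamp service the developer uses; pass none to stay offline.

```powershell
# Added example: Authenticode-sign a file and inspect the result.
# Not code from the thread; the cert handling and timestamp URL are assumptions.

function Get-CodeSigningCert {
    # Prefer a CA-issued, unexpired code-signing cert from the user's store.
    $cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
            Where-Object { $_.NotAfter -gt (Get-Date) } |
            Sort-Object NotAfter -Descending |
            Select-Object -First 1
    if (-not $cert) {
        # Test-only fallback: self-signed, so Windows/SmartScreen will not trust it.
        Write-Warning "No CA-issued code-signing certificate found; creating a self-signed test cert."
        $cert = New-SelfSignedCertificate -Type CodeSigningCert `
                    -Subject "CN=Example Dev (test only)" `
                    -CertStoreLocation Cert:\CurrentUser\My
    }
    return $cert
}

function Invoke-SignAndVerify {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Assumption: any Authenticode/RFC 3161 timestamp service; omit to run offline.
        [string]$TimestampServer = $null
    )
    $cert = Get-CodeSigningCert

    $signArgs = @{
        FilePath      = $Path
        Certificate   = $cert
        HashAlgorithm = 'SHA256'     # SHA-1 is the legacy default; use SHA-256
    }
    if ($TimestampServer) {
        # A timestamp keeps the signature valid after the cert expires
        # or is revoked with a later effective date.
        $signArgs.TimestampServer = $TimestampServer
    }
    $null = Set-AuthenticodeSignature @signArgs

    # Read the signature back the way Windows will see it.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        File      = $Path
        Status    = $sig.Status     # Valid, NotSigned, HashMismatch, NotTrusted, UnknownError ...
        Message   = $sig.StatusMessage
        Signer    = $sig.SignerCertificate.Subject
        Issuer    = $sig.SignerCertificate.Issuer
        Timestamp = $sig.TimeStamperCertificate.Subject   # $null when not timestamped
    }
}

# Constructed sample artifact (a trivial script) so the example runs stand-alone.
# Set-AuthenticodeSignature accepts .ps1 as well as PE files (.exe/.dll/.msi).
$artifact = Join-Path $env:TEMP 'demo-installer.ps1'
Set-Content -Path $artifact -Value 'Write-Host "demo payload"'

Invoke-SignAndVerify -Path $artifact | Format-List
# With a CA-issued cert: Status = Valid.  With the self-signed fallback:
# NotTrusted or UnknownError, which is the distinction the thread is arguing over.
```

Run it twice: once with the self-signed fallback and once after importing a real code-signing certificate, and compare the Status field; only the second one is what SmartScreen's "signed" attribute refers to.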
     
  8. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I've read it before. Nothing's really changed. I've still gotten multiple popups from it and it's not like I'm downloading malware.

    One of their main "solutions" as mentioned in the article is "Get a certificate" which isn't much of a solution.

    Digitally signing isn't a best practice, it's a way for CAs to get money. CAs are hacked/don't audit properly often. Even Verisign has messed up and Comodo as well (the top two CAs.)

    Possibly.

    I'll give feedback I suppose. I'm for smart screen but I'm not for application reputation - I think in general it's going to bite them in the ass.
     
  9. guest

    guest Guest

    That's from http://blogs.msdn.com/b/ie/archive/...plication-reputation-building-reputation.aspx

    I hope you will read all the links, lol.
     
    Last edited by a moderator: Nov 24, 2011
  10. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Yes in an ideal world every developer can afford a CA and CAs always do intense background checks and never get hacked. If only.
     
  11. guest

    guest Guest

    Hm. methinks you are putting the blame on the wrong side of the equation.

    From: http://blogs.msdn.com/b/ieinternals...lding-smartscreen-application-reputation.aspx

     
  12. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,753
    Location:
    Toronto Canada
    Is this still about Windows 8?
     
  13. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I'm putting my blame on the CAs who:
    1) Don't do thorough enough background checks (Even Verisign has issued certs to malicious programs.)

    2) Don't protect their certificates enough (Comodo, the second most popular CA with something like 25% market share was hacked. DigiNotar and multiple others have as well.)

    And paying to be whitelisted? Can you see how some devs may object to that?
     
  14. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    SmartScreen is an integral and system wide aspect of Win8, so I'd say yes.
     
  15. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Hungry Man has got a point. When trusting a digitally signed application, you're not trusting the developer; you're trusting that the CA did a background check on whoever requested the CA; and also that the CA wasn't hacked.

    This doesn't exclude the possibility that you mentioned, however.

    We're doomed... Eat some brownies and have some tea (I like green tea!!)... Enjoy and relax. Also hope that your bank has got a refund plan in action. :argh: o_O
     
  16. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I haven't heard of a case where the dev lost their own cert but I'm sure it's happened. That's less of a big deal, the dev reports it and it gets blacklisted and they apply for a new one.

    Usually what happens is the CA gets hacked and multiple certs are leaked. And, as with DigiNotar, CAs aren't too keen on reporting that they can't even protect their own content.
     
  17. guest

    guest Guest

    Some incidents happened, I guess pretty much nothing is perfectly secure. However, CAs help to build a reputation and I doubt that an inexperienced cracker would ever be able to fool them. Only the best ones can try and only a handful of the best ones will ever succeed with some strategy - which will also get blocked for subsequent tries after reports, improving the security of the whole system.

    Yeah. That's why the ones who aren't likely to afford money on this should make sure to follow the other possible free step to make their offered downloads reputable (that is - submitting them to several reputable security companies like Kaspersky, Symantec, Microsoft (!), McAfee, Eset, etc, to also make a false positive flag less likely).
     
  18. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    The problem is that CAs don't really answer to anyone. There's like... a yearly audit of the huge ones and if they screw up big time they might lose some business.

    But you're essentially trusting someone to trust things for you and their motivation is money. They want to hand out as many certs as possible.

    It's not even just "oh it's not perfect" nothing is perfect. It's just flawed. You hand them money and they hand you... trust.

    I like the system and in this case it's not a horrible implementation of it like UAC is.
     
  19. guest

    guest Guest

    A yearly audit on the CAs by the involved regulatory government agencies seems to be enough for the few incidents that ever happened.

    CAs too have a reputation to maintain. If they lose their reputation acting like fools, they will eventually get their business blocked by involved regulatory government agencies.

    They aren't doing things to lose reputation - quite the contrary, and the small number of incidents is evidence for that.

    Not flawed. Absolutely most times, it works well.

    Didn't get what you said here.
     
    Last edited by a moderator: Nov 24, 2011
  20. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    It really hasn't been "a few." It's just become more popular/covered recently because DigiNotar was such a big deal. CA hacks/improper vetting has been going on for years.

    The government doesn't regulate that I know of - it's done by a company.

    Saying "Here, bypass my security because you paid some company out there" isn't comforting.

    I like whitelisting systems. I think the cert system can work. UAC is a poor implementation, it allows certain certified applications to automatically elevate. At least that's the default in 7 I believe.

    I like SmartScreen's implementation because certs aren't inherently trusted. They still say "Hey, while this is signed it's not necessarily safe because few people have downloaded it."
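Posts 16 and 20 above make the same practical point from two sides: a valid signature only tells you that some CA issued a certificate to someone, and the thing that actually protects you after a leaked certificate is revocation. The following is an added example, not code from the thread or from Microsoft, that asks the questions Get-AuthenticodeSignature's Status field does not answer on its own: does the signer chain to a root this machine trusts, was the certificate issued for code signing at all (EKU 1.3.6.1.5.5.7.3.3), and has anything in the chain been revoked. It uses the .NET X509Chain API with online CRL/OCSP checking, so the revocation part needs network access; the file path in the usage line is a placeholder.

```powershell
# Added example: go beyond "is the signature valid" to "should I trust the signer".
# Not from the thread; the sample path at the bottom is hypothetical.

function Test-SignerTrust {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result = [ordered]@{
        File            = $Path
        SignatureStatus = $sig.Status.ToString()   # Valid / NotSigned / HashMismatch / NotTrusted ...
        Signer          = $null
        CodeSigningEku  = $false
        ChainTrusted    = $false
        Revoked         = $false
        ChainErrors     = @()
        Timestamped     = [bool]$sig.TimeStamperCertificate
    }
    if (-not $sig.SignerCertificate) { return [pscustomobject]$result }

    $cert = $sig.SignerCertificate
    $result.Signer = $cert.Subject

    # 1. Was the cert issued for code signing? A TLS or e-mail cert can still
    #    produce a mathematically valid signature; policy is what rejects it.
    $ekuExt = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    if ($ekuExt) {
        $result.CodeSigningEku = [bool]($ekuExt.EnhancedKeyUsages |
            Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.3' })
    }

    # 2. Build the chain with online revocation checking for every element.
    #    A leaked cert that the developer reported and the CA revoked fails here,
    #    even though the signature bytes themselves are still "valid".
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag =
        [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $chain.ChainPolicy.ApplicationPolicy.Add(
        (New-Object System.Security.Cryptography.Oid '1.3.6.1.5.5.7.3.3'))

    $result.ChainTrusted = $chain.Build($cert)
    $result.ChainErrors  = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
    $result.Revoked      = $result.ChainErrors -contains 'Revoked'
    # Note: if the CRL/OCSP endpoint is unreachable, Build() fails with
    # RevocationStatusUnknown / OfflineRevocation, not Revoked. Treat that as
    # "unknown", not as "fine".
    $chain.Reset()

    [pscustomobject]$result
}

function Test-ShouldTrust {
    # Policy decision the signature check leaves to you: all of these must hold.
    param([Parameter(Mandatory)]$Report)
    ($Report.SignatureStatus -eq 'Valid') -and
    $Report.CodeSigningEku -and
    $Report.ChainTrusted -and
    (-not $Report.Revoked)
}

# Usage (hypothetical path):
$report = Test-SignerTrust -Path "$env:ProgramFiles\SomeVendor\setup.exe"
$report | Format-List
"Trust signer: $(Test-ShouldTrust -Report $report)"
```

The split between Test-SignerTrust and Test-ShouldTrust is deliberate: the first only gathers facts, the second is the policy, and it is the policy where "signed" and "safe" get conflated. A self-signed test certificate produces ChainTrusted = $false with UntrustedRoot in ChainErrors; a certificate pulled from a CA's revocation list produces Revoked = $true; and a signature that is Valid with a timestamp but an expired certificate is still acceptable, which is why the Timestamped flag is reported rather than treated as an error.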
     
  21. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    Windows 8 file system "Protogon" gets upgraded, renamed "ReFS"

    http://www.neowin.net/news/windows-8-file-system-gets-upgraded-named-refs
     
  22. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  23. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Thanks for the info.
     
  24. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    106,635
    Location:
    U.S.A.
     
  25. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    177,054
    Location:
    Texas
    https://blogs.msdn.com/b/b8/archive/2011/12/14/protecting-your-digital-identity.aspx?Redirected=true
     