jwoglom | 11 months ago

> We’re removing the bypassnro.cmd script from the build to enhance security and user experience of Windows 11. This change ensures that all users exit setup with internet connectivity and a Microsoft Account.

"enhancing security and user experience" -- what a ridiculous, bold-faced lie. Bravo Microsoft.

glenstein|11 months ago

Well, it's a bald-faced lie, but I wouldn't disagree that it's bold.

The idea that you need to confirm you're connected to the internet and that creating a Microsoft account is merely for that purpose is preposterous on its face.

Not that I was ever a regular on Windows, but I think I've at least found there to be a necessity to be on Windows for certain desirable games or for PC apps. So I've always kind of recognized a necessity, but I do think I can't imagine myself ever intentionally signing up for this. The Linux-based gaming experience is now so advanced, and there's nothing I truly need on Windows. I know it's a cliché to indulge in a kind of performative version of a goodbye-cruel-world post, so I don't want to go that far, because I think I would have considered the contract to have been broken a while ago, but I don't think I have ever considered myself forever away from Windows, perhaps until just now.

WD-42|11 months ago

I'm with you. The very few games I play work great on Linux. As a professional dev, there's absolutely no reason to choose Windows (or any OS, for that matter) over Desktop Linux at this point.

I'm convinced Windows is mainly for people that buy computers at Best Buy and corporate IT that are unfortunately funneled into the ecosystem (hats-off salute to all of you).

soraminazuki|11 months ago

Yeah, not only are they lying about their intentions, but they are also absurdly wrong from a technical standpoint too. How in the world can an online account provide more security than a local one? Online has way, way more attack surface. It's not even close.

Online is more about convenience than security. Though with Windows, it looks more like convenience for M$ and not for its users.

dhx|11 months ago

Windows 11 24H2 enabled BitLocker full disk encryption by default for all new installations (including OEM) after a user has logged in with a Microsoft Account.[1] By default the BitLocker "recovery key" (everything one needs to decrypt a BitLocker device) is surrendered to Microsoft (uploaded automatically for storage with the associated Microsoft Account). This situation is similar to the Clipper chip[2] or Ki key programmed into mobile phone SIM cards during manufacture[3] where a user does not control the key for its full lifetime and has little to no assurance of who else may have a copy of the key.

Recall when Microsoft lost control of a Microsoft Account OpenID token signing key a year and a half ago?[4] I can't find a reference to confirm if attackers could have obtained BitLocker recovery keys by logging into any Microsoft Accounts with an OpenID token signed with the compromised key, but a reasonable assumption would surely lean towards "almost certainly". After this attack, Microsoft still had not conclusively determined 10 months later how the key was compromised, and no further news appears to be published since then.[5]

[1] https://learn.microsoft.com/en-us/windows-hardware/design/de...

[2] https://en.wikipedia.org/wiki/Clipper_chip#Key_escrow

[3] https://nickvsnetworking.com/transport-keys-a4-k4-keys-in-ep...

[4] https://msrc.microsoft.com/blog/2023/09/results-of-major-tec...

[5] https://www.bleepingcomputer.com/news/security/microsoft-sti...
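As an added example (not code from any commenter in this thread), the following PowerShell audits the recovery-password protectors on each BitLocker-protected volume and, with -Rotate, replaces them with one generated locally, so that a recovery key previously uploaded to a Microsoft Account no longer unlocks the disk. It assumes an elevated session on a Windows edition that ships the BitLocker PowerShell module (Get-BitLockerVolume, Add-BitLockerKeyProtector, Remove-BitLockerKeyProtector).

```powershell
# Added example: audit and optionally rotate BitLocker recovery passwords.
# Run from an elevated PowerShell prompt. Without -Rotate it only reports.
# Assumption: the BitLocker module is available (Windows Pro/Enterprise/Education).
param(
    [switch]$Rotate
)

# Only volumes that actually carry BitLocker metadata are of interest.
$volumes = Get-BitLockerVolume | Where-Object { $_.VolumeStatus -ne 'FullyDecrypted' }

foreach ($vol in $volumes) {
    $recovery = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

    Write-Host ("{0}  protection={1}  recovery-password protectors={2}" -f
        $vol.MountPoint, $vol.ProtectionStatus, $recovery.Count)

    if (-not $Rotate) { continue }

    # Add the replacement first, so the volume is never left without a
    # recovery protector if the script is interrupted.
    Add-BitLockerKeyProtector -MountPoint $vol.MountPoint -RecoveryPasswordProtector | Out-Null

    # Remove every pre-existing recovery password; these are the ones whose
    # copies may have been escrowed without the user's involvement.
    foreach ($old in $recovery) {
        Remove-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $old.KeyProtectorId | Out-Null
    }

    # Re-read the volume and show the fresh recovery password so the operator
    # can store it somewhere they control (offline or in a password manager).
    $new = @((Get-BitLockerVolume -MountPoint $vol.MountPoint).KeyProtector |
             Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    foreach ($p in $new) {
        Write-Host ("New recovery password for {0}: {1}" -f $vol.MountPoint, $p.RecoveryPassword)
    }
}
```

Afterwards, check the recovery-key page of the associated Microsoft Account: on a device that is still signed in with that account, Windows may upload the new protector again, in which case the rotation only buys time until the account is detached.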

colordrops|11 months ago

It's standard practice for corporations to lie about their motivations for decisions. Why is this acceptable?

bigstrat2003|11 months ago

It's not. But not all unacceptable things are illegal. And just as immoral people will do legal-but-immoral things, immoral corporations will do the same.

anal_reactor|11 months ago

Because it's how the entire society functions. There's an entire class of lies that are not only accepted, but actually expected. Case in point: imagine saying "Hi, how are you?" and someone replying "I hate living like this".

sunshowers|11 months ago

It is standard practice to stretch the truth to a breaking point. In this case, Microsoft could argue that a connected account leads to a better experience. It could also (more tenuously) argue that it leads to better security, in terms of protection against ransomware via OneDrive backups.

I hate this practice.

AlecSchueler|11 months ago

The only way to limit it would be with regulations and regulations are a bit taboo.

p0w3n3d|11 months ago

Can't it be added again by users? Cmd does not sound like a complicated piece of binary code

vbezhenar|11 months ago

This script just added a single key to the registry and rebooted the machine (restarting the installer). The underlying functionality which allowed using a local user, if the registry key was present, was coded into the installer itself.

So if they just removed that 2-line bat file, it's not a big problem. You still can add that entry to the registry, just with a more complicated command.

Here's its code:

    @echo off
    rem Set the OOBE flag the installer checks before offering a local account
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\OOBE /v BypassNRO /t REG_DWORD /d 1 /f
    rem Reboot immediately so setup restarts and reads the new value
    shutdown /r /t 0