Sure, It Was Only Four....
The Market Ticker - Commentary on The Capital Markets

2020-01-10 13:17 by Karl Denninger
in Technology

Jeff Bezos ought to be in prison.

Now.

Amazon's home security company, Ring, admitted to firing four employees for abusing their ability to view customers' video feeds in a Jan. 6 letter to five Democratic U.S. senators.

The January letter came in response to a Nov. 2 letter from the five senators requesting Amazon founder Jeff Bezos to disclose information regarding Ring's privacy practices given its ability to upload "video footage detailing the lives of millions of Americans in and near their homes" to its servers.

Now take a look at the excuse:

"Over the last four years, Ring has received four complaints or inquiries regarding a team member’s access to Ring video data," Amazon Vice President of Public Policy Brian Huseman wrote in the letter. "Although each of the individuals involved in these incidents was authorized to view video data, the attempted access to that data exceeded what was necessary for their job functions,"

Why is anyone at Amazon able to look at any of that data?

Physically able, not "well, they don't have a password."

And this, friends, is also a lie:

Additionally, no Ring employee has complete access to a customer's video footage. Ring only has three employees who currently "have the ability to access stored customer videos for the purpose of maintaining Ring’s AWS infrastructure," Huseman said.

Bull****.

Every AWS employee who has hypervisor access can get at any of the guest instances -- all of them.  In addition any unencrypted data is accessible to anyone with administrative access on that cloud infrastructure.  The number of people with that access, should they decide to try to use it, likely numbers in the thousands if not tens of thousands.

While it would be nice to believe that there is never a "bad guy" the facts are a different matter.  And further, it was a conscious decision in the design of that system to transmit and store that data unencrypted, or effectively so (e.g. where the keys are on the infrastructure itself and thus an administrator can get at them.)

It is entirely possible to choose not to do that, so that transmission never happens in unencrypted form and the only person with the key is the customer.

But exactly none of these systems are designed this way.

HomeDaemon-MCP is -- on purpose.  Now if you, as the end user, decide to store the data on an unencrypted volume that's on you.  But that decision is yours, and the transmission to your device (e.g. phone) is encrypted 100% of the time.  Not just the authentication credentials (e.g. via a digest, etc) -- the entire video and audio stream.
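
The difference between the two designs described above, as an added example (this is not HomeDaemon-MCP's or Ring's code): a store where the provider holds the key next to the data, and one where the key is derived on the customer's devices and the provider only ever holds sealed blobs. The class names, the passphrase-derived key and the sample clip are assumptions, and the cipher is a standard-library stand-in (HMAC-SHA256 keystream with encrypt-then-MAC) for a real AEAD such as AES-GCM.

```python
import hashlib
import hmac
import secrets

# Stand-in cipher so the example needs only the standard library: an
# HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag.
# A production system would use a vetted AEAD (AES-GCM, ChaCha20-Poly1305).

def _subkeys(key):
    """Derive independent encryption and MAC keys from one master key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def _keystream(key, nonce, length):
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def seal(key, plaintext):
    """Encrypt and authenticate; returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def open_sealed(key, blob):
    """Verify the tag, then decrypt. Raises ValueError on wrong key or tampering."""
    if len(blob) < 48:
        raise ValueError("blob too short")
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    stream = _keystream(enc_key, nonce, len(ct))
    return bytes(c ^ s for c, s in zip(ct, stream))

def customer_key(passphrase, salt):
    """Key derived on the customer's own devices; it is never uploaded."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000)

class ProviderKeyStore:
    """Design A: encrypted at rest, but the key sits on the same infrastructure."""
    def __init__(self):
        self.key = secrets.token_bytes(32)
        self.blobs = {}

    def upload(self, name, clip):
        # The clip arrives readable by the service (TLS ends at the provider).
        self.blobs[name] = seal(self.key, clip)

    def admin_read(self, name):
        # Anyone who can reach both the blob and the key gets the video.
        return open_sealed(self.key, self.blobs[name])

class CustomerKeyStore:
    """Design B: the provider only ever receives and stores sealed blobs."""
    def __init__(self):
        self.blobs = {}

    def upload(self, name, sealed_clip):
        self.blobs[name] = sealed_clip

    def admin_read(self, name):
        # There is no key here to use: the administrator gets ciphertext.
        return self.blobs[name]

# Constructed sample "video": an MP4-style header plus filler bytes.
SAMPLE_CLIP = b"\x00\x00\x00\x18ftypmp42" + b"constructed sample frame data " * 8

if __name__ == "__main__":
    a = ProviderKeyStore()
    a.upload("front-door", SAMPLE_CLIP)
    print("design A, admin sees plaintext:", a.admin_read("front-door") == SAMPLE_CLIP)

    key = customer_key("constructed passphrase", b"constructed-salt")
    b = CustomerKeyStore()
    b.upload("front-door", seal(key, SAMPLE_CLIP))
    print("design B, admin sees plaintext:", SAMPLE_CLIP in b.admin_read("front-door"))
    print("design B, customer decrypts:", open_sealed(key, b.admin_read("front-door")) == SAMPLE_CLIP)
```
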

Why would you be so crazy as to use a system that by design makes possible the interception, viewing and disclosure of the inside of your home, plus the front door, plus whatever that camera can see from there to a nameless, faceless list of people who you have exactly no ability to discover in terms of their identity or vetting?

Are you out of your damn minds?

Oh, and does this tell you exactly why none of these firms are interested in an actually secure system?  Do you still believe this is about helping you and securing your property when an available alternative hasn't been snapped up and distributed in the market?

Comments
Amused
Posts: 500
Incept: 2019-04-22

Between AWS lax security and Google's tendency to kill off products (seriously, there was a story the other day about them considering killing GCP, I was like DaFUK?!?!?! anyone would be a damn fool to use Google after that no matter how good their setup was), if you have to do **** in the cloud, and have any confidence, your options are limited.

Azure is a slight bit better out of the three, in terms of the interface, the support and from what I've heard, the ability to lock down access with dedicated hardware. Both Amazon and AWS have dedicated instances so you are not sharing with other customers that could escape their instances and compromise the hypervisor, ala Heartbleed or Meltdown, so the footprint is just exposed to the provider.

IBM has been working on a solution to do private cloud gear, where they would drop in a rack at your location that would have all the APIs and management, compute, disk, network, etc, like a hyperconverged platform like UCS (without the suck of Cisco) but it would have all the higher-level APIs that are the selling point of cloud, but it's been vaporware for a while and hasn't shown up yet.

OpenStack originally started to do that, to provide private on-prem AWS replacement, so if you really need 'The Cloud' it's not that hard to build one these days.
Tickerguy
Posts: 161139
Incept: 2007-06-26
A True American Patriot!
@Amused - I'm FAR less concerned about another client, since without collusion being able to choose where you "land", and thus try to gain an attack surface, the odds are ridiculously long even if you buy a LOT of instances spread over time.

Does that exposure exist? Sure. But it's extremely small.

On the other hand how many administrators does Amazon (or Azure, or IBM, or whoever) employ? Every one of them can get into supervisory functions, which means they either have authorized access to the Hypervisors or they can get into them through subterfuge. And if you get access there then you can steal anything on a client instance. Encrypting the client or the storage accessed by it doesn't help since the Hypervisor has to be able to load the key, thus it has to have access to it and be able to unlock whatever sort of protective armor you might put around it.

Dedicated instances, provided the hypervisor is still there, do not help one bit. A dedicated machine in a colo is materially better, provided you trust the physical security paradigm and OS. The latter you have to trust at some level; the former can be made reasonably but not completely safe. For instance you could have a chassis intrusion switch that forces a hard reset if the case is opened and nobody has hypervisor access (e.g. it's dedicated hardware, you own it, period) which isn't bombproof but it's pretty good.

But on any system where there's a Ring 0 piece of code on the box you're running on and someone at said company has access to same there is literally nothing you can do with regard to any malicious actor with that access. In fact you can't even detect, as a client, that you were compromised. Now you're reduced to taking the hosting firm's word for it that there are NO malicious or stupid actors and further, that whatever sort of audit trail system they may have (if any) cannot be circumvented or altered, and thus will serve to sound the alarm if someone pulls something. Since you cannot vet those people as they're not your employees and indeed the hosting companies will not detail who they are and, in detail, what they know about them you have exactly ZERO means of even REASONABLE assurance that your data is safe, say much less assurance if it actually matters.

In this PARTICULAR case however it's even more-egregious since at first blush it appears the videos are not being secured with an encryption key that only the customer has. In other words either they're being stored UNENCRYPTED AT ALL or if "secured" it's with some key that Ring possesses. That's as secure as, at best, a 25 cent TSA lock on a suitcase. Thus, unless proved otherwise, we're into the realm where a breach whether by malevolence or stupidity means everyone's video and audio is exposed to anyone who can take advantage of same.

----------
Winding it down.
Exelitepwrlftr
Posts: 2
Incept: 2019-12-16

North Carolina
I don't know if you're right about Ring and how many folks have access to view video feeds Karl.

It's quite possible to limit who has access and if the security model is designed properly it's not difficult to prevent unauthorized access. I'm the Linux Product Manager for a Fortune 500 firm with a very large virtual infrastructure that stores extremely sensitive data. Our environment is extremely secure and folks who have standing access to the hypervisor DO NOT have access to anything that runs on it. We have a robust RBAC in place that mitigates those types of concerns but still allows IT personnel to conduct day to day job responsibilities without compromising sensitive data.

I can't speak for Ring and their particular mitigation strategy but I can say it's possible to create a fairly robust RBAC that promotes least privilege / need to know/have principles in sensitive areas.
Bodhi
Posts: 1569
Incept: 2008-02-23

Canton, GA
If I had plans to buy a "security" system like Amazon's Ring I would also buy a separate hard drive with TB storage and stream all the video internally, assuming that's possible. But I suspect even then the Ring would still be phoning home for "quality assurance" or some other bull**** reason.

I'm still irked by the extra services I've found in my Netgear router trying to contact the mother ship. I now know enough about Linux to shut that BS down. The average consumer, not so much.

I used to post articles about security breaches on FB, but it seems nobody really gives a ****.
Amused
Posts: 500
Incept: 2019-04-22

Yeah, in Ring's case with the video feeds, Amazon ought to shut the damn thing down, it is ridiculous to have customer video streams going out unencrypted. It would be a violation of PCI or SOX to do it for any other sort of traffic, they mandate end to end SSL at every layer, but because of the processing of video, it's always been ignored by the vendors.

The Hypervisor problem is not as bad as it used to be before paravirtualization extensions, it used to be in Xen and KVM land, from the host perspective, there was no security between the host and tenant, but x86 stole some ideas from Sparc about how to handle a real 'VM' and effectively partition the data, so you could at least have an audit trail, or restrict access. Linux Namespaces combined with SELinux or some other mandatory access control can be used to build systems like the old Trusted Xenix where to enter one ring of privilege you had to give up another, but I really doubt AWS even attempts to do it.

Sure enough, I spent some time looking into Amazon's policy on restricting their people, and they offer an audit trail but even on GovCloud there is no way to fully limit them like you could in a CoLo.
Tickerguy
Posts: 161139
Incept: 2007-06-26
A True American Patriot!
Nope @Exelitepwrlftr

Yes, you can materially improve on the base case with SME/SEV, and AMD has claimed that their "trust store" is secure. Well, maybe it is and maybe it isn't but it has to get its original keying somewhere.

This leads to another problem which is that symmetric (or asymmetric for that matter) encryption can potentially have its key space materially narrowed given enough data of known format. Now about that loader and all the program text on said system (gee, you don't think that's in a known format and handy, do you?)

Can you work around a good part of this risk? Yes, with great care. But we're talking someone who is (1) motivated to break in and (2) an inside bad actor. In this case none of that was necessary, and we know that because of the reported violation.

That Ring's administrators can see the cam data AT ALL means that the principles behind this have been violated and the keying for each customer's cameras reside somewhere OTHER THAN with the customer, IF THE DATA ON THE CLOUD SERVER IS ENCRYPTED AT ALL. It may well not be and in fact probably isn't. After all, how much tougher would it be for (1) the only holder of the key is the customer, (2) the data is transported and stored encrypted and thus (3) EXCEPT BY THE CUSTOMER all anyone else gets back if they grab it is random trash?

Obviously that is NOT the architecture they built, is it?

You don't have to steal anything if you have the key to unlock the door.

Ring claims they use TLS to send the data to the cloud, which is good. But that doesn't speak to the format of the data itself, and at least originally it was plain-vanilla MP4 because some of the other open-source folks were able to grab it before Amazon changed the firmware so you had to have a subscription. I don't have one of these things and never will due to having zippo for control over said firmware and what Spamazon may do to or with it in the future. Maybe you're ok with the idea of them having an archive of everything that goes on in your home with absolutely no reason to believe it's secure in any way, but I'm not.

----------
Winding it down.
Goforbroke
Posts: 7636
Incept: 2007-11-30
A True American Patriot!
The tadpole and I are hunkering down.
smiley

----------
And yes, I'm not deleting this because despite her appearance to be a new age nutcase, I think this is true ... Our deepest fear is not that we are inadequate. Our deepest fear is that we are powerful beyond measure. It is our Light, and not our Darkness, that most frightens us. -- Marianne Williamson
Cobra2411
Posts: 12196
Incept: 2007-06-26
A True American Patriot!
Philly P.a.
Found a staff photo of the Ring team in action...

----------
Government: A device that allows you to get blind ass drunk and your children die from alcohol poisoning.
Amused
Posts: 500
Incept: 2019-04-22

Tickerguy: Regarding the keying for an encrypted guest with SEV or some such solution. I looked at ways you could do it and have a reasonable amount of security, with the TrustStore/TPM model but...

1. None of the Cloud providers go out of their way to secure the hypervisors or if they do, they don't document it

2. They don't offer TPM access in any case, at least Amazon doesn't. I haven't looked recently, but I don't believe Azure or GCP does yet either.
Exelitepwrlftr
Posts: 2
Incept: 2019-12-16

North Carolina
Fair points Karl however you're making assumptions that large organizations operate similarly to small shops where IT employees wear multiple hats and are responsible for multiple layers in the IT stack.

We have dedicated employees (departments) to every layer of the stack and separation of duties plays a large role in the security model. It may not be 100% cost efficient but it certainly plays a large role in mitigating cyber related security risks. You also assume internal players are motivated to commit fraud against the companies that hire them.

While we both know there's always a potential to have malicious actors attempting to perpetrate nefarious deeds, it's a) highly unlikely in large firms (although it has happened in the past) and b) there are real time detective controls to detect said intrusions as they occur. I've personally witnessed a DBA fired literally within 5 minutes of running queries against a TOTAL_COMP database during my tenure, all because he was curious.

There are ways to protect data and confidentiality (assuming the company is willing & has interest).

Love your site BTW and thanks for your perspective.
Amused
Posts: 500
Incept: 2019-04-22

I've known some companies that were as anal about the audit trail as well, and if someone steps outside of their box, they are ****ed.

I've been fighting with someone to do that for their Cassandra system because just because there are accounts and passwords, they don't mean anything if someone compromises one or worse after the fact if they do something wrong and don't know about it.

At least with the audit trail they could send the events to an external store and could either identify nefarious behavior as it happens or repair it after the fact.
Tickerguy
Posts: 161139
Incept: 2007-06-26
A True American Patriot!
@Amused - Yep. Further, there are other problems -- such as who/what loads the TPM, and how do you know that thing didn't siphon off the keying? And what tells the TPM it can release a key, and how/to where? Further, the data analysis problem remains, and it's really, really serious. You can get around that with an OS that is aware of this but it has to be not only aware but designed to evade that problem. Are they?

Take for example Windows' "Bitlocker". It can be configured to use a TPM for the whole key, for none of it (password only) or for a composite key of both the TPM and either some sort of external hardware (e.g. smart card, USB stick, etc) or password. A composite key is the most secure because now even if you manage to trick the TPM into releasing what it has you only have half of it. But now unattended, no-person-involved boot is impossible since you're not there to provide the other part. And all of this presumes that when you set up the volume Bitlocker didn't STASH said key components, which are used to derive the session key, somewhere without your knowledge. If you're wrong about that (because it's been tampered with) then it doesn't matter what you did. Oh by the way, Bitlocker actually initializes TWO keys, one a backup recovery key, and guess where it puts that by default? Yep -- on Microsoft's cloud system. The obvious question: If the FBI or NSA comes knocking can Microsoft give it to them because it's not stored in an encrypted format that only YOU have the key to? Of course they can because of course you can "recover" your access to a lost Microsoft login account, so..... yep -- it's not stored in a format where only YOU have the key. It thus CAN be divulged which means some number (thousands) of Microsoft employees can get to it. Next question: Does Bitlocker still put the recovery key there if you tell it to "print" it or store it on an external drive? Are you sure it doesn't send it to, for example, the NSA? How hard would it be for Microsoft to have "arranged" for that to be sent to them (or the NSA, or both) during some random event (e.g. like a "check for updates"?) Hmmm... good question, right?

Are you sure of your answer, considering that Microsoft's software is closed-source and in the past there was a very-suspicious thing that looked, in an image dump, exactly like a 1024-bit RSA back-door key in Windows NT 4? Oh, Microsoft admitted it was in fact a public key but claimed that no, neither the NSA nor anyone other than them had the private key half of that and it wasn't for the NSA, even though the symbol in question was CALLED _NSAKEY! Do you believe them, considering that wasn't their primary signature verification key -- it was a second one? It was found, by the way, because Microsoft had forgotten to strip debugging symbols out of a module. In other words it had been there for a nice long time and was only found because they ****ed up.

Incidentally anyone who had that private key half could sign an updated file and infiltrate the operating system permanently with no way for you to know it happened. Are you damn sure only Microsoft had it, especially since they named it what they did, and nobody ever used it?

Uh huh.

By the way Microsoft is one of those "really big companies" that I'm supposed to trust to never screw up, never make a bad hire, and always be honest with me as a customer about what happened, AND I can't look at their source code. Sure.

TPMs in general are a decent mitigating factor to a specific problem -- specifically, where some part of the machine (e.g. its storage) could be stolen. Properly used and assuming they cannot be tricked into releasing the key they effectively "marry" the storage to the system, so now stealing the storage device leaves you with what amounts to a blank storage device, because even with the OTHER part(s) of the key, if any, you still have nothing if you don't have that specific hardware. In theory, and again, assuming no bugs and no intentional back doors, they also prevent tampering with said hardware (e.g. booting a flash drive and re-flashing the BIOS with tampered code in an attempt to obtain the key.) In other words if I steal your laptop I'm forced to deal with whatever its security system imposes on me; I can't take the disk out of it and attempt to read it in something else, because it's encrypted and, in theory, I cannot force the bits in the TPM out where I can get at them.

Of course this assumes I can't read the RAM and capture the machine when it's already had the key released, and it gets especially nasty with symmetric encryption keys because they're very frequently used and thus rather more likely than not to wind up in CPU cache lines -- which is where all sorts of ****ery can take place if you can infer what's in those from a different process.

Part of the problem with modern machines is always the chain of trust. If I can overwrite that then I can break whatever you did. The premise of "secure boot" is to prevent that, but if I can manage to tamper with the trust store via some mechanism then I can also tamper with the loader, and now you're done.

Some modern cellphones are very well locked down. Blackberry's Android handsets are in that group but again, you're trusting that there's no ****ery in the bootloader and similar. You can't look, so it's all on faith.

@Exelitepwrlftr -
Quote:
You also assume internal players are motivated to commit fraud against the companies that hire them.

No, I presume that the effort an intruder is willing to go to (including whatever he's willing to bribe or blackmail someone with) is directly proportional to the value of the data he gains by doing it. Further, to presume your layering is always effective, that audit trails cannot be defeated by circumvention of the code path that causes them to be written (even if not in a place where the malefactor can change or erase them) is extremely dangerous. In short it's always wrong to believe you're the smartest dude on the planet, no matter how many "dudes" there are, and the problem with large organizations where many people theoretically or actually have said access is that the risk of one or more of them being both smart and able to be compromised scales linearly with each hire.

Now if it's your firm that sets up whatever practices and then it's you who suffer when you **** up then I've no quarrel with it. But in the case of a cloud provider that is NEVER TRUE. The client gets ****ed and the provider gets nothing, especially in today's world where nobody goes to jail if they're an executive of a large company, even when willfully blind, stupid or worse. Witness Boeing, as just one of myriad examples, or the enormous number of people who got ****ed in the 08/09 crash due to fraudulent securitization and despite executives and trading desk individuals being caught on tape calling those securities "vomit" exactly ZERO people went to prison for intentionally screwing their "customers." Those losses were in the BILLIONS. If I, as a small or medium sized business, were to get screwed like that I'd be bankrupted and out of business and there is nothing I could do about it that is lawful.

Given this history I have no reason to ever believe a single ****ing thing that comes out of the mouth of some dickwad like Bezos. Even if he PERSONALLY and INTENTIONALLY gives my data to the Chinese he will NOT go to prison, nor will he EVER be forced to make me whole.

In short the problem that I have as a client of such a business is that I have exactly zero visibility into the vetting that was done on said employees. I don't know who they are, I don't even know if they're US citizens (or, if I'm in another nation, whether they're citizens of the nation where my firm is.) I thus have no idea whether even if caught they can be subjected to criminal sanction, for example. I am forced to take on a pure "trust me" basis that said firm (1) never made a bad hire, (2) if they did it was caught before anything bad happened and (3) if that didn't happen said firm would even tell me if something bad happened, absent being caught red handed.

Finally, even if caught red handed and I do get ****ed, even if due to malfeasance or worse, direct and intentional misconduct, it'll be on me and not on them.

History says that WILL be the outcome.

Further, all of that ALSO ignores the risk of bugs. Various hypervisor code has had its share of them and most have been kept REALLY quiet for all the obvious reasons. Xen, for example, has had a number of latent flaws found, including one that sat out there for seven years.

In THIS SPECIFIC case, however, none of that appears to apply at all because the evidence from the announcement is that the data is either stored unencrypted OR the administrators have access to the keys. Either way for all intents and purposes there's no encryption on the stored data.

In other words they didn't break in -- they had access and used it because that's how the software was designed.

On purpose.

And incidentally in the instant case what these "four" (do you believe it was only four?) did certainly appears to constitute interception of an interstate wire communication without authorization. Since NO party to said communication gave authorization it doesn't matter if you're in a one-party or two-party state; it's a criminal act and, since the data almost certainly crossed state lines it's a federal offense carrying a 5 year prison term. https://www.law.cornell.edu/uscode/text/....

Did Amazon turn over these four for prosecution and insist that the DOJ send them to the slam-slam for a five-year date with Bubba Love-to-pokehim?

Nope.

There's your answer as to the "big company" response when their employees commit what appears on its face to be a felony offense.

----------
Winding it down.

Amused
Posts: 500
Incept: 2019-04-22

@tickerguy

So the solution I was trying to come up with wouldn't prevent a State actor if they compromised the key generation, but would help limit the Cloud Providers managing the hardware from being able to do much with your instances, but it would depend on a couple of factors:

1. Running something like Linux/FreeBSD with a distro you trusted with untainted libraries, assuming the NSA and friends haven't compromised OpenSSL

2. The provider running some sort of hardware that you could audit, like buy off the shelf and make sure the TPM did what it said and there was no sort of backdoor.

3. Each system would be keyed with a variation on Shamir's Secret Sharing, whereby nodes could only instantiate when you had a given number of the parts of the key holders turning their keys at the same time AND a given number of systems being instantiated at the same time.

4. It would have to be a SME/SEV system that would only boot the image once enough of the key holders had unlocked the vault, and a sufficient number of the members had swarmed. The idea would be you would actually have two VMs, one that was a sidecar that would do the online validation, and then only it could instantiate the other instance once the swarm was alive and unlocked.

Initially I looked at (1-3) for User Space applications to protect secrets like DB passwords or keys to third parties, but started looking at a way to do it for 1-3 and had a simple proof of concept, but never could try to apply it with step 4 because none of the Cloud providers give you TPM access. Having one VM be authorized to boot another and do the decryption once the unlocking was verified could have been emulated in software but I am too lazy to try to engineer a solution.

The Cloud **** is good enough these companies just don't care.

It still wouldn't protect against a host that was buggy or misconfigured, but could add a few layers to make it a hell of a lot harder for one of them to just dump your data or even to try to capture traffic in the middle.

But again, it's just not worth my effort to add a few more layers of security to an already questionable model.

But they don't give a ****. We will have more Equifaxes. Amazon and Azure have GovCloud now so our whole lives will be in the Cloud and since it's Government, we won't have a choice like we could with a private company we are buying services from.

I can't let it get my blood pressure up, I'm still too pissed about Healthcare and the raping there, if I add in being raped on Privacy and Security for Personal Information, I'll likely have a heart attack so I had to give up caring about something.
Bodhi
Posts: 1569
Incept: 2008-02-23

Canton, GA
Hopefully not off-topic. Speaking of Microsoft's intentions, I have a laptop with Win7 and automatic updates were turned off from day one. Not even supposed to check for updates. A couple of days ago I powered it on and it was trying to download over 40,000 updates. When it finally finished I checked the update log and they had all failed because I had the MS update sites blocked in the hosts file and in my router. So WTF was going on? I rechecked my settings and auto updates were still turned off. Of course there must be a site I missed blocking if it knew I "needed" updating. Going to be switching that laptop to Linux.
Tickerguy
Posts: 161139
Incept: 2007-06-26
A True American Patriot!
Win7 has been "retired" in terms of updates but anyone who believes Microsoft will honor your settings as other than "polite requests" is nuts.

IMHO if said laptop EVER connects outbound you need to get that software off of there. I hate Microsoft with a white-hot passion but IMHO if you're going to run any software written for Windows Win10 is the only reasonably sane choice, along with an "off-machine" (e.g. to a Samba file server or detachable volume) backup plan using something like Macrium (NOT Windows "built-in" backup facilities.) Win7 has a plethora of actively-exploited security problems that makes it about as sound to run today as would be WinXP.

I would run FreeBSD/Gnome on my desktop but for a handful of applications that will not run under Wine, and since I use those literally daily and a couple of them either have severe performance problems when run under virtualization or won't run at all I put up with it on my desktop. My laptop is dual-EFIboot Win10/FreeBSD-Gnome.

----------
Winding it down.
Bodhi
Posts: 1569
Incept: 2008-02-23

Canton, GA
This laptop is in my bedroom and I primarily use it only for streaming audios and videos. Any flavor of Linux can also do this easily with no reason to install Wine. I basically just need a browser and an FTP client to connect to my internal FTP server for transferring files. Thanks for the recommendations.