
> What is it with MS these past few months?

I was thinking the same. It's not been a good few weeks for them. They're quickly losing trust which was hard to acquire in the first place given their history. Maybe a timely reminder to mention Halloween [1] ?

[1] https://en.wikipedia.org/wiki/Halloween_documents



Are they losing trust though? Many young developers don't remember the height of the EEE days in the 90s and 00s when MS was trying very hard to extinguish free software. These are just stories to them.

Now, MS runs the world's largest source code sharing service and many of these young developers launch proprietary MS code editing tools daily.

We old timers always knew what the end game was, but young people lack the context and so many are already hooked on MS now. It's not obvious to me that they will ever care enough to switch no matter how hostile MS behaves.


> young people lack the context and so many are already hooked on MS now. It's not obvious to me that they will ever care enough to switch no matter how hostile MS behaves.

Not all of us. I had just barely started being willing to trust Microsoft again, and they've repeatedly shown themselves to be hostile since the initial "Github is cool! And WSL! And VSCode!", enough is enough.

I've read the Halloween documents, I know where this goes.


Young free software advocates exist - I'm one. I know about EEE and agree we're in a sorry state.

I have a feeling MS will continue to dominate due to network effects and vscode/wsl being a nice enough experience. It'll take them resting on their laurels or some great act of user hostility to change this status quo.


I remember. It’s also hard to turn down WSL and VSC. They are wonderful products and I’m fairly certain I’m sadly contributing to all this nonsense but I also need to get my day job done and pay the bills. One day large corporations I hope will allow Linux. But at least at mine it’s Windows or macOS, and Apple is far behind the WSL/VSC curve right now and apparently doesn’t have any motivation to catch up. They rely on “you have to use Xcode” right now which is unfortunate.


They've always been acting as a strong monopolistic corporation with a "fuck you" attitude. Here's a summary of Microsoft's attitude these past 5 years:

- rebrand as open-source friendly, only open-source whatever narrow side-projects they barely care about but could be run on other systems (VSCode, Powershell); distribute official packages with spyware

- monopolize the education system by offering bribes including gratis hardware devices to whoever in State education will work with them to pretend Microsoft loves kids and kids need computers (with Microsoft software, obviously) to learn anything in the 21st century

- force manufacturers to deploy "TPM v2.0" on their new machines so they can run Windows 11, continuing the push so that people have 0 understanding and control over the machines they own (instead are controlled by the machines), and don't have a choice of system because "SecureBoot" [0]

- love Linux! let them integrate all your POSIX/Linux APIs in a VM on their system, so that you never have to use anything else than Windows ever again (embrace...) ; it's just like reverse-Wine (execute Windows program on free systems) except they have an army of developers with $$$$ and don't have to waste time reverse-engineering anything because they have the source code to both systems... how convenient!

- viruses are such a huge problem, if only we had some sort of digital signatures for software, and trustworthy places to get it from?! sure let's have a Microsoft market where you can buy adware/spyware signed by Microsoft, with two key advantages: 1) it's super faster because signed software is not inspected real-time by Windows defender 2) no one else can make their own "appstore" repository with their own signature keys (like we do with Flatpak/APT/nix/guix) ; very soon they can start to hide how to run programs unapproved by Microsoft like Android or MacOS [1] have been doing... and it's all for security, right? because app-store monopoly has definitely stopped malware (oooh that's a nice flashlight app you got there Google Play) without harming FLOSS/hobbyist devs (yeah sure)

It's just *washing (openwashing here) straight out of marketing textbooks. If you know/learn anything about capitalism and public relations, you won't be tricked next time!

[0] Briefly touched upon in this bigger article about how Microsoft is still evil, why Secure Boot has nothing to do with security, and why hardware manufacturers happily play along: https://www.haiku-os.org/blog/mmu_man/2021-10-04_ok_lenovo_w...

[1] There was even this worrying story at some point that MacOS would refuse to open applications (whether signed or not) because their centralized server could not be reached: https://news.ycombinator.com/item?id=25074959 <-- Soon coming to your Windows setup


Ah, I don't really care about telemetry, but their amazing outlook.com SMTP service rejects mail from small senders, and there's no way to successfully appeal.

Yeey, brave new megacorp world!


Ah, yes:

   Hello,

   My name is [Kumar/Numan/Punith/Suresh/Sachin] and I work with the 
   Outlook.com Sender Support Team.
 
   I do not see anything offhand for the IP (xx.xx.xx.xx) that would 
   be preventing your mail from reaching our customers. 

   Good bye and fuck off.

In response to complaining that their servers say -

    550 5.7.1 Unfortunately, messages from [xx.xx.xx.xx] weren't sent.
    Please contact your Internet service provider since part of their
    network is on our block list (S3150).

Completely and utterly ridiculous.
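For mail admins who want to spot this rejection in their own bounce logs, here is an added example (not part of the thread) that parses SMTP replies of the kind quoted above into status code, enhanced status code, bracketed IP and block-list tag. The sample replies are constructed, and treating the trailing parenthesised token as the provider's tag is an assumption drawn only from the quoted `(S3150)`.

```python
import re

# Constructed sample replies modelled on the 550 quoted above; the IPs are
# documentation addresses and the last reply shows the multiline form.
SAMPLE_REPLIES = [
    "550 5.7.1 Unfortunately, messages from [192.0.2.10] weren't sent. "
    "Please contact your Internet service provider since part of their "
    "network is on our block list (S3150).",
    "250 2.0.0 OK",
    "451 4.3.2 Please try again later",
    "550-5.7.1 Unfortunately, messages from [198.51.100.7] weren't sent.\n"
    "550 5.7.1 Part of their network is on our block list (S3150).",
]

REPLY_LINE = re.compile(r"^([2-5]\d\d)([ -])(.*)$")
ENHANCED = re.compile(r"^([245]\.\d{1,3}\.\d{1,3})\s+")  # RFC 3463 class.subject.detail
BRACKET_IP = re.compile(r"\[([0-9A-Fa-f:.]+)\]")
# Assumption: the provider's tag is the trailing parenthesised token, as in "(S3150)".
TAG = re.compile(r"\(([A-Z]+\d+)\)\.?\s*$")


def parse_reply(raw):
    """Parse one SMTP reply (possibly multiline); return a dict or None if malformed."""
    lines = raw.splitlines()
    code, esc, parts = None, None, []
    for i, line in enumerate(lines):
        m = REPLY_LINE.match(line)
        if not m or (code and m[1] != code):
            return None  # every line of one reply must carry the same code
        if (m[2] == " ") != (i == len(lines) - 1):
            return None  # "-" marks a continuation line, " " marks the final line
        code, text = m[1], m[3]
        e = ENHANCED.match(text)
        if e:
            esc, text = esc or e[1], text[e.end():]
        parts.append(text)
    if code is None:
        return None
    text = " ".join(parts)
    ip, tag = BRACKET_IP.search(text), TAG.search(text)
    return {"code": code, "enhanced": esc, "text": text,
            "ip": ip[1] if ip else None, "tag": tag[1] if tag else None}


def blocklist_rejections(replies):
    """Return (ip, tag) for permanent 5.7.x policy rejections that carry a tag."""
    hits = []
    for r in filter(None, map(parse_reply, replies)):
        if r["code"][0] == "5" and (r["enhanced"] or "").startswith("5.7.") and r["tag"]:
            hits.append((r["ip"], r["tag"]))
    return hits
```

Grouping the returned pairs by tag and sending IP gives a record of which outbound addresses are affected, which is the information a delisting request asks for.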


At least you got a response! Most people don't. According to some previous blogposts and threads on this topic, apparently if you just contact them often enough, they will after a few months escalate the problem to the competent team and get you unblocked.


Yes, I've done this successfully several times. It usually takes several tries though.


What’s the difference between a small sender and a spam host?


The difference is decided by decent spam filters:

- is the exact same message being sent to many users?

- does it look like previous spam?

- are messages from this host being reported as spam by users?

We have plenty of techniques to filter out spam (those above and technical ones like DKIM to enable host reputation systems) and they mostly work great. What Google/Microsoft are doing is just monopolistic attitude and has nothing to do with spam filtering. Spam from big email servers is still common, but legit emails from smaller servers will not reach intended recipients, and will not produce any indication of that on either side of the communication. It's just silently going in the trash.

If there was at least a decent way to get allowlisted on their side, we could give them the benefit of the doubt and accept that the email ecosystem has turned to an opt-in federation model. But the way they do it and prevent recourse is a clear abuse of dominant position to crush the competition.


What's similar between them? A spam host will likely be high volume of similar-looking email sent to users who will never reply and most probably trash/spam-categorize the email. A small, single-user sender will likely be *very* low volume of fairly different-looking email sent to users who will likely answer and otherwise interact with the mail. They have literally nothing in common.

Before I moved to Fastmail, my email was consistently getting nullrouted by Microsoft. Everything was set up correctly (SPF, DKIM, DMARC, ARC, etc.), and every other mail host I tried would receive my mail correctly. I send out a very low amount of email (3-4 per month?).


My old university mailbox got migrated to Microsoft, and now people who don't use a professional mail provider (Gmail, Yahoo, etc.) basically can't send to that address.

We (small devshop + some hosting + self-hosted email) hosted a few things for a foundation for years, and about two years ago they migrated the mail stuff to MS. (We continue to host a few sites, domains, DNS.) Now when they need something and send us an email we can't reply, because our IP is "listed".

Okay, I know spam can be bad, and fine-tuning spam filters is a PITA, so let's go through the delisting process, surely with enough perseverance eventually MS will tolerate us into their graces.

Well, it has been more than a year now, and still no luck.

---

We have completed reviewing the IP(s) you submitted. The following table contains the results of our investigation.

Not qualified for mitigation x.x.x.x Our investigation has determined that the above IP(s) do not qualify for mitigation.

...

¯\_(ツ)_/¯


Do you mean you never received spam from @gmail.com? Lucky you!


With a proper rspamd setup, gmail is the only source of delivered spam for me.


Re: app store. That's not quite fully correct. It's obscure and not well known but actually, Microsoft isn't doing what you claim.

1. Any signed app with good reputation will be ignored by Windows Defender and other AV tools. That's how Windows security works: the anti-virus programs focus their attention on activity by code that they don't recognize. Signatures are how to handle "good" polymorphic code like app updates whilst stopping "bad" polymorphic code like viruses that constantly rewrite themselves. This isn't connected to the app store.

2. You can in fact make your own app store. Windows 10 comes with something called App Installer. You put an MSIX file and a .appinstaller file on your web server, and open the XML file with a special protocol handler. The app is downloaded, installed, lightly sandboxed (but not aggressively so: win32 apps will work fine), and Windows keeps it up to date for you. This is basically the same experience as the App Store itself, but decentralized.


Note that secureboot does have a minor advantage for encryption at rest, making much weaker passwords acceptable. I am happy my work laptop has secureboot. And I get why they lock down their device for me to use.

For devices I own, I gotta control the secure boot, or I simply don't own it.


In theory, yes. In practice, what control do you have over the hardware? Can't basically anyone with a few million dollars to throw at the problem compromise any form of Secure Boot? If you're NSA, no need to go so far... they've probably got access to the Microsoft root signing key.

If the schematics and code to the TPM were free and there were "tamper evidence" mechanisms in place, we could argue secure boot had some benefits for security. But in its current forms, it's just preventing users from owning their devices with little evidence for security for determined attackers.

Machines should be simpler and auditable: that's how reliable security works. Adding piles of shit on top of the other piles of shit is just producing more overall shit.


> Can't basically anyone with a few million dollars to throw at the problem compromise any form of Secure Boot?

Probably. But if my laptop gets stolen I would rather have the thief needing to spend a few million dollars in order to defeat Secure Boot.

Now if I were to worry about state level espionage I would combine the secure boot with a strong password for device theft, and not bring the device anywhere a long-term evil maid attack might occur. But in that case I am still happy if my stolen laptop requires a few million dollars, and that an evil maid also needs to somehow defeat secure boot before being able to do anything to some of my device.

Secure boot isn't perfect. But no practical security measure is. Secure boot is effective at making attacks more difficult, and that means it has value.

It just so happens that such value is most relevant for company-based security. And sadly it seems to be pushed on private devices for other reasons. But the move towards abuse of secure boot does not mean we should ignore the security benefits it gives to company-issued laptops.


LOL @ "narrow side-projects" such as VSCode and Powershell ?


Yup, we're still far from having open source Windows, Active Directory, SQL Server, Teams, Github, Office... or any "central" product essential to their business offers.


I can live without Teams, Github, Office, Sql Server, Active Directory - all have alternatives and in most cases better. Teams, really ?



