Windows 8.1 user accounts, you have GOT to be kidding.

On Fri, 26 Sep 2014 18:28:14 +0100, Joe User wrote:

On 26/09/14 17:44, felmon wrote:
On Fri, 26 Sep 2014 09:17:27 +0100, Joe User wrote:

opinion
It's my opinion that you will never get an agreement from an mvp or
indeed any other individual closely associated with Microsoft or
Windows that anything is wrong with the platform.

ok but Linux people (and Mac people and BSD people and Slack people) et
al are also _often_ like that, sensitive to criticism of their favorite
modus operandi and this again takes us off the topic about security.

I know your view about the security issue though I don't have all the
details in mind and it does seem worth having someone who knows
Microsoft security issues address it.

The deafening silence tells me what I guess I already knew.

perhaps but it's worth waiting for winston to chime in. haven't read all
of the posts yet so maybe someone has said something in another subthread.

The hidden unprotected Administrator account can only be there to allow
clandestine access to a machine.

I'm just very glad indeed that neither my online businesses or my home
networks rely on *any* Microsoft products.

Thank whatever God you pray to for free and open source software.

theological issues aside, I am thankful for it though very recent history
demonstrates there be serious insecurities where one least expects them.

nonetheless this Windows one (as it seems) is actually built in which is
a different order of insecurity.

you cited someone saying Microsoft treats 'stand-alone' different from
network. it makes sense to treat them differently but not in this way.

F.

On Sat, 27 Sep 2014 08:21:59 +0100, Joe User wrote:

On 27/09/14 04:50, felmon wrote:
[...]

Yes, there will always be problems with complex systems, I presume you
are talking about the bash issue, it's been in existence for 25 years,
the hysterical reaction of the 'meedja' only serves to expand awareness
which is no bad thing actually. I predict that there will *not* be a
cataclysmic failure of systems using PHP and Apache httpd (among others)
although anyone that uses PHP gets everything they deserve :-)

we better be careful not to veer too far off topic though it seems this
'hidden admin' thread has reached its end. I'll add that I just did some
changes to address the bash issue which also gave me an opportunity (so
to speak) to do some necessary upgrades. to the extent I understand the
issue, I have the sense it wouldn't affect me very much since it wouldn't
be easy to hop onto my ssh sessions some of which are via vpn. I'll have
to see what my webhosting people are doing about it though.

they use php and apache of course.

The difference seems to be that the open source community is only too
happy to have these issues out in the open whereas 'hidden away' is
never a good thing, ever.

from your mouth to the NSA's ears!

it looks like the 'hidden admin' issue can be a trap for the unwary. it
seems Microsoft could handle it with a simply change of policy. but you
can handle it yourself now when you set up your public-access machines.

F.


nonetheless this Windows one (as it seems) is actually built in which
is a different order of insecurity.

you cited someone saying Microsoft treats 'stand-alone' different from
network. it makes sense to treat them differently but not in this way.

On 09/26/2014 11:50 PM, felmon wrote:
On Fri, 26 Sep 2014 18:28:14 +0100, Joe User wrote:

On 26/09/14 17:44, felmon wrote:

The hidden unprotected Administrator account can only be there to allow
clandestine access to a machine.

I'm just very glad indeed that neither my online businesses or my home
networks rely on *any* Microsoft products.

Thank whatever God you pray to for free and open source software.

theological issues aside, I am thankful for it though very recent history
demonstrates there be serious insecurities where one least expects them.


True now there's Shellshock a bash vulnerability that may not go away
for quite awhile.

nonetheless this Windows one (as it seems) is actually built in which is
a different order of insecurity.

you cited someone saying Microsoft treats 'stand-alone' different from
network. it makes sense to treat them differently but not in this way.

F.



--
Caver1

On 27/09/14 22:25, felmon wrote:
On Sat, 27 Sep 2014 08:21:59 +0100, Joe User wrote:

On 27/09/14 04:50, felmon wrote:
[...]

Yes, there will always be problems with complex systems, I presume you
are talking about the bash issue, it's been in existence for 25 years,
the hysterical reaction of the 'meedja' only serves to expand awareness
which is no bad thing actually. I predict that there will *not* be a
cataclysmic failure of systems using PHP and Apache httpd (among others)
although anyone that uses PHP gets everything they deserve :-)

we better be careful not to veer too far off topic though it seems this
'hidden admin' thread has reached its end.

It's reached the point where nobody with a vested interest will reply
because they know that a hidden unprotected Administrator account is
indefensible and not replying will move the thread down the order and
eventually it will 'go away'

I could bump the thread daily but I probably won't, there are much
better ways of increasing awareness of this issue.

How about www.indefensiblewindowssecurityissues.com :-)

I'll add that I just did some
changes to address the bash issue which also gave me an opportunity (so
to speak) to do some necessary upgrades. to the extent I understand the
issue, I have the sense it wouldn't affect me very much since it wouldn't
be easy to hop onto my ssh sessions some of which are via vpn. I'll have
to see what my webhosting people are doing about it though.

For a non hysterical analysis read this

https://securityblog.redhat.com/2014...ection-attack/


--
Not confused, just ... bewildered

felmon wrote:
On Fri, 26 Sep 2014 18:28:14 +0100, Joe User wrote:

On 26/09/14 17:44, felmon wrote:
On Fri, 26 Sep 2014 09:17:27 +0100, Joe User wrote:

opinion
It's my opinion that you will never get an agreement from an mvp or
indeed any other individual closely associated with Microsoft or
Windows that anything is wrong with the platform.

ok but Linux people (and Mac people and BSD people and Slack people) et
al are also _often_ like that, sensitive to criticism of their favorite
modus operandi and this again takes us off the topic about security.

I know your view about the security issue though I don't have all the
details in mind and it does seem worth having someone who knows
Microsoft security issues address it.

The deafening silence tells me what I guess I already knew.

perhaps but it's worth waiting for winston to chime in. haven't read all
of the posts yet so maybe someone has said something in another subthread.

The hidden unprotected Administrator account can only be there to allow
clandestine access to a machine.

I'm just very glad indeed that neither my online businesses or my home
networks rely on *any* Microsoft products.

Thank whatever God you pray to for free and open source software.

theological issues aside, I am thankful for it though very recent history
demonstrates there be serious insecurities where one least expects them.

nonetheless this Windows one (as it seems) is actually built in which is
a different order of insecurity.

you cited someone saying Microsoft treats 'stand-alone' different from
network. it makes sense to treat them differently but not in this way.

F.


Chime in ? OK

Any attempts to evangelize the issue further is like boarding a runaway
ocean liner plowing through the ice where the captain, crew and
passengers have left and continuing to look for someone to give you a
Drano enema.

Bottom line as noted before - protect all admin accounts (the first one
Win 8.1 creates and the hidden admin account) with a password.

--
...winston
msft mvp consumer apps

On 29/09/14 07:36, . . .winston wrote:
felmon wrote:
On Fri, 26 Sep 2014 18:28:14 +0100, Joe User wrote:

On 26/09/14 17:44, felmon wrote:
On Fri, 26 Sep 2014 09:17:27 +0100, Joe User wrote:

snip

you cited someone saying Microsoft treats 'stand-alone' different from
network. it makes sense to treat them differently but not in this way.

F.


Chime in ? OK

Any attempts to evangelize the issue further is like boarding a runaway
ocean liner plowing through the ice where the captain, crew and
passengers have left and continuing to look for someone to give you a
Drano enema.

Your personal proclivities are of no interest to me and mentioning them
only serve to obfuscate the point ... but wait, that's what you want
isn't it? You want this nasty little issue to 'just go away' as you know
full well it's indefensible to hide an unprotected administrator account
from an unknowing user but just cannot bring yourself to admit that you
are wrong. Epic fail on the integrity front eh?

Bottom line as noted before - protect all admin accounts (the first one
Win 8.1 creates and the hidden admin account) with a password.

OK, I'm going to shout now as once again you are missing the point.

Protecting *any* account is a good idea but ...
and this is the important bit.

================ Read this ================
YOU HAVE TO KNOW IT EXISTS FIRST DON'T YOU?
===========================================

It really isn't that hard to grasp the concept.
Would you like me to explain it to you *again*

--
Not confused, just ... bewildered

Joe User wrote:
On 29/09/14 07:36, . . .winston wrote:
felmon wrote:
On Fri, 26 Sep 2014 18:28:14 +0100, Joe User wrote:

On 26/09/14 17:44, felmon wrote:
On Fri, 26 Sep 2014 09:17:27 +0100, Joe User wrote:

snip

you cited someone saying Microsoft treats 'stand-alone' different from
network. it makes sense to treat them differently but not in this way.

F.


Chime in ? OK

Any attempts to evangelize the issue further is like boarding a runaway
ocean liner plowing through the ice where the captain, crew and
passengers have left and continuing to look for someone to give you a
Drano enema.

Your personal proclivities are of no interest to me and mentioning them
only serve to obfuscate the point ... but wait, that's what you want
isn't it? You want this nasty little issue to 'just go away' as you know
full well it's indefensible to hide an unprotected administrator account
from an unknowing user but just cannot bring yourself to admit that you
are wrong. Epic fail on the integrity front eh?

Bottom line as noted before - protect all admin accounts (the first one
Win 8.1 creates and the hidden admin account) with a password.

OK, I'm going to shout now as once again you are missing the point.

Protecting *any* account is a good idea but ...
and this is the important bit.

================ Read this ================
YOU HAVE TO KNOW IT EXISTS FIRST DON'T YOU?
===========================================

It really isn't that hard to grasp the concept.
Would you like me to explain it to you *again*


No explanation necessary. Now that you're the captain of that unmanned
'look what I found ship' do let us know of it's success. Maybe the drano
will help thaw the upcoming iceberg.


--
...winston
msft mvp consumer apps

On 29 Sep 2014, Joe User wrote in
alt.comp.os.windows-8:

Protecting *any* account is a good idea but ...
and this is the important bit.

================ Read this ================
YOU HAVE TO KNOW IT EXISTS FIRST DON'T YOU?
===========================================

It really isn't that hard to grasp the concept.
Would you like me to explain it to you *again*

So now those few who read this tiny newsgroup who didn't already know
it before know it. Now it's time for you to move on.

Maybe Fox News would be interested.

On 29/09/14 19:56, Nil wrote:
On 29 Sep 2014, Joe User wrote in
alt.comp.os.windows-8:

Protecting *any* account is a good idea but ...
and this is the important bit.

================ Read this ================
YOU HAVE TO KNOW IT EXISTS FIRST DON'T YOU?
===========================================

It really isn't that hard to grasp the concept.
Would you like me to explain it to you *again*

So now those few who read this tiny newsgroup who didn't already know
it before know it. Now it's time for you to move on.

I moved on days ago, I just like poking the nest and seeing what
scuttles out ... and it doesn't get any less sickening.

--
Not confused, just ... bewildered

On 29 Sep 2014, Joe User wrote in
alt.comp.os.windows-8:

I moved on days ago,

Obviously not.

I just like poking the nest and seeing what
scuttles out ... and it doesn't get any less sickening.

On 29/09/14 20:37, Nil wrote:
On 29 Sep 2014, Joe User wrote in
alt.comp.os.windows-8:

I moved on days ago,

Obviously not.

What you actually mean is 'forget about it'

Never happen.


--
Not confused, just ... bewildered

On 29 Sep 2014, Joe User wrote in
alt.comp.os.windows-8:

On 29/09/14 20:37, Nil wrote:
On 29 Sep 2014, Joe User wrote in
alt.comp.os.windows-8:

I moved on days ago,

Obviously not.

What you actually mean is 'forget about it'

Never happen.

That's what your paranoid mind wants you to think I meant.

I did not.

On Mon, 29 Sep 2014 02:36:30 -0400, . . .winston wrote:

Chime in ? OK

Any attempts to evangelize the issue further is like boarding a runaway
ocean liner plowing through the ice where the captain, crew and
passengers have left and continuing to look for someone to give you a
Drano enema.

Bottom line as noted before - protect all admin accounts (the first one
Win 8.1 creates and the hidden admin account) with a password.

Winston, you are pretty sharp. You must have figured out by now that JU
isn't going to understand any of this.

But truth to tell, I did get a kick out of a recent post of his, where
he said:

"It's reached the point where nobody with a vested interest will reply
because they know that a hidden unprotected Administrator account is
indefensible and not replying will move the thread down the order and
eventually it will 'go away'"

You realize that this means that if you answer, you're clearly trying to
mislead or lie to him, and if you don't answer, you're still trying to
mislead or lie to him.

And that's my misleading lie for today :-)

--
Gene E. Bloch (Stumbling Bloch)

Gene E. Bloch wrote:
On Mon, 29 Sep 2014 02:36:30 -0400, . . .winston wrote:

Chime in ? OK

Any attempts to evangelize the issue further is like boarding a runaway
ocean liner plowing through the ice where the captain, crew and
passengers have left and continuing to look for someone to give you a
Drano enema.

Bottom line as noted before - protect all admin accounts (the first one
Win 8.1 creates and the hidden admin account) with a password.

Winston, you are pretty sharp. You must have figured out by now that JU
isn't going to understand any of this.

But truth to tell, I did get a kick out of a recent post of his, where
he said:

"It's reached the point where nobody with a vested interest will reply
because they know that a hidden unprotected Administrator account is
indefensible and not replying will move the thread down the order and
eventually it will 'go away'"

You realize that this means that if you answer, you're clearly trying to
mislead or lie to him, and if you don't answer, you're still trying to
mislead or lie to him.

And that's my misleading lie for today :-)


I prefer to just look for more info on the subject.

http://technet.microsoft.com/en-us/m...07.06.acl.aspx

If the account is hidden, then you cannot log into it. If it is
unhidden, then you should set a password. If the system
is operating normally, an account belonging to the
administrators group (mine), prevents the hidden one from being
used. So the interesting scenario would be, how do you
lose all the administrator group accounts, then sit around
for years and years, with that hidden one showing in
recovery console.

And if someone has the password to an administrator group account,
the jig is up anyway. It doesn't matter at that point, what happens
to the hidden administrator account. So in a "normal" operating
state, there seems to be basic coverage.

Even if they removed that account entirely (as Jesper says,
"deprecated"), there will still be programs out there to
erase the password, so you can get in. So it's not like
the OS was a model of iron clad security in the first place.
What would be a more ugly scenario, would be if all the
accounts were removed. I don't think password hacking or
cracking would help at that point. But a hidden administrator
account that pops up out of no-where, that would be your
life line.

Paul

Gene E. Bloch wrote:
On Mon, 29 Sep 2014 02:36:30 -0400, . . .winston wrote:

Chime in ? OK

Any attempts to evangelize the issue further is like boarding a runaway
ocean liner plowing through the ice where the captain, crew and
passengers have left and continuing to look for someone to give you a
Drano enema.

Bottom line as noted before - protect all admin accounts (the first one
Win 8.1 creates and the hidden admin account) with a password.

Winston, you are pretty sharp. You must have figured out by now that JU
isn't going to understand any of this.

But truth to tell, I did get a kick out of a recent post of his, where
he said:

"It's reached the point where nobody with a vested interest will reply
because they know that a hidden unprotected Administrator account is
indefensible and not replying will move the thread down the order and
eventually it will 'go away'"

You realize that this means that if you answer, you're clearly trying to
mislead or lie to him, and if you don't answer, you're still trying to
mislead or lie to him.

And that's my misleading lie for today :-)


That was one of the op's finer replies and just like a thread long
forgotten or ignored so will that ship with it's new captain, and the
ship's tone, tenor and hierarchy - even the background music - of little
consequence since no on else is on board to listen.

We've all seen and/or conversed with posters in this forum that appear
as capricious, raving, self-serving, alternative agenda-driven, Doogie
Howser wannabe iceholes yet that doesn't mean they are not entertaining.
Usenet breeds iceholes: its principle export. In the long run this
forum is nothing more than entertainment, and if we haven't come to that
conclusion then maybe we should all be misleading iceholes, too.



--
...winston
msft mvp consumer apps