ttul 2 days ago

If you make your machine look like a malware execution sandbox, a lot of malware will terminate to avoid being analyzed. This is just part of the cat and mouse game.

  • mrkramer a day ago

    Yeah, sophisticated malware checks how many CPU cores the PC has, how much hard drive space, some even check hardware temperature or whether any debuggers are present. Windows malware has gotten pretty sophisticated in the last 30 years.

  • ronsor 2 days ago

    Put VirtualBox strings in your firmware :)

    • tripplyons 2 days ago

      Yes, and don't forget to install the VirtualBox guest extensions on your host machine to make it look even more like a VM!

      • thrtythreeforty 2 days ago

        Is there any downside to unironically doing this? Seems like it'd actually work.

        • adastra22 a day ago

          Expect Oracle's lawyers to send you a bill.

        • zaphirplane 2 days ago

          There is an Oracle license attached to it

        • DelaneyM 2 days ago

          It’s not much harder to just harden your system to not be vulnerable in the first place, and that protects you from a lot more.

          • chii a day ago

            > It’s not much harder to just harden your system

            'just' harden the system is not easy.

            But installing something like a vmware guest driver is easy, as even a non-technical user can do it following some basic instructions.

          • Melatonic 2 days ago

            Agreed - like using a non admin account.

            • anonymars 2 days ago

              How does that protect against ransomware?

              • petersellers 2 days ago

                Limits the blast radius to only the files that the more limited user has write access to.

                • azov 2 days ago

                  The files I normally have write access to are my important files though.

                  Immutable snapshots/offline backups help with those.

                  • mr_mitm a day ago

                    It's more important in a corporate setting. Lateral movement inside the network is much more likely if the attacker has local admin.

                    • anonymars a day ago

                      Why would local admin have relevance to network movement?

                      • mr_mitm a day ago

                        Because every time an account logs onto a computer, it leaves traces. Some ephemeral in memory, some permanent on disk. It can be Kerberos tickets, process tokens, domain cached credentials, hashes or even clear text passwords in memory. It's common practice in a lot of organizations for administrators to log on to random workstations to perform whatever task they need to do.

                        Or there is a service running in the context of a service user domain account. Or the password of the local administrator account is identical on all systems, which was very common before LAPS became a thing.

                        Yes, if you do everything perfectly and always go by best practices, none of this should be relevant, but most people aren't doing everything perfectly all of the time.

                        To access any of these things, you need local admin permissions. Then you can reuse them to log on to other systems.

                        • anonymars a day ago

                          Got it. So it's less about the account itself, and more about the other account data you can only acquire with admin privileges from the local machine (almost like credential stuffing)

                • amy214 20 hours ago

                  on the flipside i feel like privilege escalations are a dime a dozen

          • ronsor 2 days ago

            Please tell me what tools you use to receive future zero-day vulnerability patches.

            • ofjcihen 2 days ago

              To be fair the vast, vast majority of exploitation that we see (especially in the news) comes from sub-par security setups and poor training/architecture. That’s not even going into security monitoring, which most companies don’t have or barely have.

              Zero days account for a very small amount of exploitation in comparison and by definition are unpatched, so I think the commenter was right to point out the basics.

            • fsflover a day ago

              Qubes OS should protect you even from unknown vulnerabilities as long as you use its compartmentalization approach. Works for me (or so I hope).

          • danielschreber 2 days ago

            Wikipedia's page on "just intonation" is, oddly, about music.

            • andybak 2 days ago

              OK. You've lost me.

            • cwmoore 2 days ago

              And it is so too that “just deserts” are rarely desserts at all.

              • Bluestein 2 days ago

                ... as is "Just for Men"

        • akersten 2 days ago

          Anticheat might throw a fit

          • kevindamm 2 days ago

            Don't play games on your production hardware. Easy fix.

            • Zambyte 2 days ago

              Or don't play games that behave indistinguishably from ransomware.

  • general1726 2 days ago

    Time to install Ghidra on every station

  • tempodox a day ago

    Any tutorials on how to do that?

  • thaumasiotes 2 days ago

    > If you make your machine look like a malware execution sandbox, a lot of malware will terminate to avoid being analyzed. This is just part of the cat and mouse game.

    What? This is an entirely separate concern. If you have a Russian input method installed, malware will terminate to avoid legal repercussions.

    • lcnPylGDnU4H9OF a day ago

      They seem to be offering this as another means of getting the malware not to run. I don't read it strictly as an explanation of the Russian keyboard thing.
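The Russian input method check thaumasiotes mentions is against installed keyboard layouts, which on Windows live in the per-user language list (and the `HKCU:\Keyboard Layout\Preload` key, where 0419 is ru-RU). An added PowerShell example, not from any commenter, that adds ru-RU as an extra, non-default layout and reports what is installed; it assumes the built-in `International` cmdlets are available:

```powershell
# Added example (not from any commenter): add the Russian (ru-RU) keyboard layout
# as an additional, non-default input method, and show what the machine exposes.

function Get-InstalledLayouts {
    # The user-facing language list, one entry per language, with its input methods
    # ("0419:00000419" is the Russian layout TIP string).
    $langs = Get-WinUserLanguageList | ForEach-Object {
        [pscustomobject]@{
            Tag          = $_.LanguageTag
            InputMethods = ($_.InputMethodTips -join ', ')
        }
    }
    # The per-user preload list that keyboard-layout APIs consult
    # (values are layout ids such as 00000409 = en-US, 00000419 = ru-RU).
    $preload = Get-ItemProperty -Path 'HKCU:\Keyboard Layout\Preload'
    $ids = $preload.PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object { $_.Value }
    [pscustomobject]@{ Languages = $langs; PreloadIds = $ids }
}

function Add-RussianLayout {
    $list = Get-WinUserLanguageList
    if ($list.LanguageTag -contains 'ru-RU') {
        return 'ru-RU is already present'
    }
    # Add() appends to the end of the list, so the first entry (the default input
    # language) and therefore what the user types with is unchanged.
    $list.Add('ru-RU')
    Set-WinUserLanguageList -LanguageList $list -Force
    # The language list reflects the change immediately; the Preload key may only
    # show the new layout id after the user signs out and back in.
    return 'ru-RU added as an additional layout'
}

Get-InstalledLayouts
Add-RussianLayout
```

Windows may offer to download the Russian language pack afterwards; the keyboard layout itself is enough for the check described above.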

exiguus 2 days ago

There is evidence that this worked for ransomware like Petya and for groups like Fancy Bear or Cozy Bear and Conti. Mostly because the Russian gov. unofficially guarantees immunity if the target is not Russian. Also, if you identify as Russian or write Russian in the chats or mails to them, they will decrypt your systems for free.

  • userbinator 2 days ago

    > Also, if you identify as Russian or write Russian in the chats or mails to them, they will de-crypt your systems for free.

    I wonder how that works in this era of AI translation.

    Not quite the same but I remember there was a Russian shareware author who gave free licenses to Russians.

    • ivan_gammel 2 days ago

      > I wonder how that works in this era of AI translation

      Simple translation isn’t enough to show cultural proximity. Patterns of speech are different. You can try to use AI to do the entire conversation, but e.g. Claude will refuse to give you exact phrases, since he is correctly assuming it is a social engineering attack.

      • orbital-decay 2 days ago

        Prompting a good LLM to convincingly act like a native isn't hard, neither is jailbreaking it if necessary. The hard thing in this case is verifying that it really does that.

        • overfeed a day ago

          You're assuming prompting an LLM to behave like X will automatically result in the LLM behaving like X for any X. Some things are out of the LLM's ability: I'm sure you'll get something if your prompt is "You are a 300-IQ nuclear physicist with a doctorate in material science. Describe the design of a cold-fusion reactor", but there is no guarantee the LLM has fidelity to your prompted persona, though it will try to give its very best impression.

          • orbital-decay a day ago

            I'm not assuming, I'm a native speaker and I describe actual experience with Claude. It's pretty good at roleplaying and major languages, with certain caveats. If you aren't a native speaker though, you'll have a hard time verifying that it gives you a good result, that's what I'm trying to say.

        • ivan_gammel a day ago

          Nah, it's not reproducible. It can certainly give you some common phrases, but to create an entire personality with its own set of speech patterns is a different thing. For example, Claude can suggest the following friendly conversation starters to sound like a native (a quote below):

             Popular combinations for texts:

             "Прив! Чё как?" - "Hi! How's it going?"
             "Дарова, живой?" - "Hey, you alive?"
             "Салют! Как сам?" - "Hey! How are you?"

             Modern slang (especially among younger people):

             "Хай" (Khay) - borrowed from English "hi"
             "Йоу" (You) - borrowed from English "yo"

          When asked which one it would pick, it goes with "Дарова, как сам?" (Darova, kak sam?) and that already sounds odd in many contexts.

          • hn-shithole a day ago

            That's not how you'd approach this with an LLM

            • ivan_gammel a day ago

              Obviously not. But this is what LLM may give you, unless you know exactly what to ask for (which you will not know without the proper knowledge of language and cultural context).

          • tclover a day ago

            lmao if you start conversation like this, other person will think you’re 12 years old

            • ivan_gammel a day ago

              Exactly. And without the knowledge of the language you will never figure out that LLM made you a teenager.

            • taneliv a day ago

              It's perfect. Just claim it is "your mom's computer" that needs help. Continue pretending to be a 12 year old.

              ... unless they still get a whiff you might be an impostor and ask, say, something about school. Good luck getting LLM to answer in a believable way.

      • lelele 2 days ago

        Do you mean that one can't use AI to learn a foreign language in its everyday form?

        • bigfatkitten 2 days ago

          To achieve everyday competence in a foreign language, you need to actually use it in an everyday context. That means being immersed in the culture where the language is spoken.

      • raverbashing a day ago

        Ok just pay a Russian to do the negotiation for you

        • sebastiennight a day ago

          Plot twist: they were the one ransoming you in the first place.

          Reminds me of these domain name brokers who get a percentage of the sale amount from you, for their role in "negotiating the best price"

    • orthoxerox a day ago

      > I wonder how that works in this era of AI translation.

      They will ask you to repeat yourself in Albanian if they have any doubts.

    • hinkley 2 days ago

      The life of a privateer is hard.

  • mdhb a day ago

    You hit the nail on the head here, the “don’t piss inside the tent” policy is well understood by basically all Russian groups

  • atemerev 2 days ago

    It's not that simple, I think. There are many Russians everywhere, and probably they work at victim companies too, so just being Russian won't be enough, if ransom could be in the millions. You'll have to convince them that the company is Russian-owned, or that your father works in FSB, or whatever.

    • IAmBroom a day ago

      It is that simple.

      How would having one Russian in a company protect them from ransomware? There's no way to make that occurrence detectable to the malware.

      Or, for that matter, why would ransomware care about the father of the computer owner?

  • codedokode a day ago

    I think the reason why they don't want to attack Russians is because the victim would file a complaint to police, and police will have no choice but to start an investigation. And foreigners won't cause any problems in this sense.

    I don't think there is some special immunity.

    However, sometimes foreigners can cause problems. Recently several cyber specialists were convicted after an investigation initiated after a complaint from Joe Biden.

grishka 2 days ago

As a Russian who removed "winlockers" from so many of my not-so-tech-literate schoolmates' computers in the late 00s, I disagree :D

But those weren't as sophisticated, I suppose. They didn't encrypt files. They only displayed an uncloseable window demanding a payment. Sometimes with hilarious phrasing like "thank you for installing this quick access widget for our adult website".

I_am_tiberius 2 days ago

I'd be surprised if there isn't malware that specifically targets systems with a Cyrillic keyboard enabled.

  • Shorel 7 hours ago

    There are many Cyrillic keyboards.

    Please don't attack Bulgarians :)

  • johannes1234321 a day ago

    Sure, the CIA and others have to recognize their targets.

Melatonic 2 days ago

The best anti-malware on any version of Windows has always been to make the default account you use every day a non-admin account.

You also need to create a separate account (can just be a local account) that is a full administrator. Make sure you use a different password.

Any time you need to install something or run PowerShell/CMD as admin, it will pop up and ask for the separate login of the admin account. This is basically the default of how Linux works (sudo). It's also how any competent professional IT department will run Windows.

If an admin elevation popup happens when you haven't triggered it, then you probably know something is wrong. And most malware will not be able to install.

Another benefit is that you can use a relatively normal (but obviously not too short) password for your regular account and then have something much more complicated for the admin login. This is especially great on something like "Grandma's PC" or anyone who is at higher risk of clicking on the wrong thing.

  • zahlman 2 days ago

    > If an admin elevation popup happens when you haven't triggered it then you probably know something is wrong. And most malware will not be able to install.

    Malware can still do a lot without "installation". Running as an unprivileged user, it can still do anything to/with the filesystem that the user would be able to do, and will (on most normal setups) be able to make outbound Internet connections without limitation. In short, these kinds of privileges don't protect against data exfiltration, ransomware operating on the user's important data files, simple vandalism....

    • mlyle 2 days ago

      It's still a big win because it prevents subverting the underlying system. Logs still tell the truth. Security software keeps running. The damage can be inspected with the operating system's tools.

    • Melatonic 2 days ago

      This is true, but defense is a multi-layered approach and even the built-in Microsoft stuff (like Defender AV) has massively improved.

      I would argue most malware comes down to uneducated users doing the wrong thing - but that's a whole different can of worms :-)

      • cube00 2 days ago

        > I would argue most malware comes down to uneducated users doing the wrong thing

        This feels unnecessarily harsh. Those users are the victims of criminal activity. The protective controls could be a lot better.

        Windows doesn't offer immutable local file versions to protect against ransomware running as a non-privileged user. It doesn't offer any protection if a single application suddenly starts to overwrite huge amounts of data.

        Instead they choose to try and shove OneDrive down our throats as the only answer to ransomware protection.

        • ropable 2 days ago

          As someone working in infosec for a largish 2000 seat organisation - it's honestly not inaccurate. No matter how much accessible information security training we try to provide and the EDR controls we implement, >95% of our incidents involve an end-user following (sometimes extremely obvious) phishing links. And contrary to what you've said, Windows Defender (in conjunction with Airlock) has actually saved us from ransomware attacks.

          • mr_mitm a day ago

            > No matter how much accessible information security training we try to provide and the EDR controls we implement, >95% of our incidents involve an end-user following (sometimes extremely obvious) phishing links.

            That just shows that security training is insufficient and admins need to design their systems and networks to account for that fact. Clicking links is part of everybody's job and should not pose a risk to your organization. Enable 2FA for everything exposed to the internet to mitigate phished credentials.

            Stop trying to fix the user: https://www.schneier.com/wp-content/uploads/2016/09/Stop-Try...

          • supertrope a day ago

            If an entire company can be paralyzed by tricking a single employee it's a process issue. Just like how wiring out $100,000 same day on the order of a single employee should be blocked by internal controls.

          • BLKNSLVR 2 days ago

            Where I work has recently implemented Airlock and my laptop feels a lot less responsive since. I'm aware of the whole security trade-off, just wondering how noticeable it has been in your organisation, if at all?

            Having said that, two things worth considering in my case:

            1. My laptop is relatively old and, I think, overdue for replacement (8GB RAM, really?)

            2. Windows Defender + Airlock + CrowdStrike + Netskope + Nessus seems an expectedly heavy load on a system

            • 3eb7988a1663 2 days ago

              Not sure the exact combination of internal security nonsense used, but my corporate laptop idles at a good 20% cpu utilization. It would not surprise me at all to know that the products are stepping over themselves and scanning each other. Double plus ungood is that any programming tool I use seemingly gets extra scrutiny and can take 10x as long as I know it would on a non-compromised Linux machine.

          • cube00 2 days ago

            > And contrary to what you've said, Windows Defender (in conjunction with Airlock)

            "Contrary to what I've said" while you add in an extra third party product that I didn't mention.

        • eviks a day ago

          Isn't "Controlled folder access" part of that protection? Also restore points?

          • cube00 a day ago

            >Isn't "Controlled folder access" part of that protection?

            Difficult to be effective when it's disabled by default.

            >Also restore points?

            > By using System Restore, you can undo these changes without affecting your personal files

            https://support.microsoft.com/en-au/windows/system-restore-a...

            • eviks a day ago

              > without affecting your personal files

              Thus System

              > Difficult to be effective when it's disabled by default

              The initial goalpost was lack of any protection / no alternatives to onedrive

              • cube00 20 hours ago

                > Thus System

                What other "restore point" functionality does Windows offer by default?

                > The initial goalpost was lack of any protection / no alternatives to onedrive

                The context was "uneducated users"; they're unlikely to know they could enable controlled access.

                They're further unlikely to be able to handle the application problems it introduces, such as games having problems saving their state, which is why it's disabled by default.
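The "games can't save their state" problem eviks and cube00 go back and forth about is why Controlled folder access is usually rolled out in audit mode first. An added PowerShell example, not from any commenter, that enables audit mode, pulls the would-have-blocked events out of the Defender operational log, and only then allows the legitimate writers and enforces; it assumes Defender AV is active and an elevated shell, and the message field labels it parses are taken from the rendered event text, so adjust them if your build differs:

```powershell
# Added example (not from any commenter): stage Controlled folder access (CFA)
# in audit mode, review what it would have blocked, then allow those apps and enforce.

function Get-CfaStatus {
    $p = Get-MpPreference
    [pscustomobject]@{
        # 0 = Disabled, 1 = Enabled (block), 2 = AuditMode
        Mode             = $p.EnableControlledFolderAccess
        ProtectedFolders = $p.ControlledFolderAccessProtectedFolders   # beyond the built-in user folders
        AllowedApps      = $p.ControlledFolderAccessAllowedApplications
    }
}

function Start-CfaAudit {
    param([string[]]$ExtraFolders = @())   # e.g. a separate photo/tax-document drive
    foreach ($f in $ExtraFolders) {
        Add-MpPreference -ControlledFolderAccessProtectedFolders $f
    }
    # Audit mode only logs; nothing is blocked, so saving games and odd installers keep working.
    Set-MpPreference -EnableControlledFolderAccess AuditMode
}

function Get-CfaEvents {
    param([int]$Hours = 24)
    # 1123 = write blocked, 1124 = write audited (would have been blocked in enforce mode)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1123, 1124
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Field labels assumed from the rendered message text.
        $proc = if ($_.Message -match 'Process Name:\s*(.+)') { $Matches[1].Trim() } else { '' }
        $path = if ($_.Message -match 'Path:\s*(.+)')         { $Matches[1].Trim() } else { '' }
        [pscustomobject]@{ Time = $_.TimeCreated; Id = $_.Id; Process = $proc; Path = $path }
    }
}

function Set-CfaEnforced {
    param([string[]]$AllowedApps)   # full exe paths of the legitimate writers seen in the audit
    foreach ($app in $AllowedApps) {
        Add-MpPreference -ControlledFolderAccessAllowedApplications $app
    }
    # Switch from logging to blocking; anything not allowed above now fails to write.
    Set-MpPreference -EnableControlledFolderAccess Enabled
}

# Typical sequence: audit for a few days, review, then enforce.
Start-CfaAudit
Get-CfaEvents -Hours 72 | Group-Object Process | Sort-Object Count -Descending
# Set-CfaEnforced -AllowedApps 'C:\Games\SomeGame\SomeGame.exe'   # placeholder path
Get-CfaStatus
```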

      • eviks a day ago

        So you want to make their lives much harder with two passwords for no good reason? Also, those uneducated users will simply enter the admin password when prompted

    • BLKNSLVR 2 days ago

      It's still "the length of the street" better than having malware installed as root/admin. Malware in userspace is much easier to both detect and remove for the simple fact it cannot embed itself that deeply into the system (barring nation states leveraging zero days, but that's a few levels above 'regular consumer' advice).

      This method has saved me (my parents) more than a couple of times.

  • EvanAnderson 2 days ago

    > The best anti malware on any version of windows has always been to make your default account you use everyday a non admin account.

    In the early 2000s up thru about 2012 I'd agree with you. Post-Vista malware adapted to UAC and now all malware works well as a normal user. Any data your normal user can access (local or on a remote CIFS server) is fair game for ransomware. Limiting administrator rights doesn't do anything to prevent the malware from getting at your data.

    Persistence has moved to per-user, non-Administrator, too. Of course, all the various quasi-malicious customized versions of Chrome that end users inevitably install when they go searching for software to end-run their IT departments operate the same way.

    I do think your daily driver Windows users shouldn't have administrator rights. It just isn't going to help much with malware.

    I use physically separate boxes for my most sensitive activities (banking, mainly) but you could do nearly as well having separate non-admin Windows logons and compartmentalize your access to data you don't want ransomed. Isolation between different user accounts on Windows is actually fairly good. Just limit the common data the accounts can access.

    Personally I've always wanted to use Qubes (and stop using physically separate machines) but I haven't taken the time to learn their contrivances.

    Edit: I should have said "quasi-malicious customized versions of Chromium", not Chrome.

    • Melatonic 2 days ago

      It will help stop the spread quite a bit however (even if it can access user local data). There's a reason escalation path attacks are still the gold standard (start small and move up).

      You can also run something like applocker and whitelist all the apps you use.

      Also instead of separate physical boxes why not just use a VM ?

      • EvanAnderson 2 days ago

        > It will help stop the spread quite a bit however (even if it can access user local data).

        Users should be running limited user accounts for daily-driver Windows machines.

        Having said that, today's attacks are all about the data. It's all about exfil/ransomware/blackmail because there's money to be had there. On an individual home user PC there's no lateral movement or bigger targets to attack.

        I hate to invoke xkcd, but it's true: https://xkcd.com/1200/

        > You can also run something like applocker and whitelist all the apps you use.

        That's a bit overkill for a personal machine and it won't be licensed for AppLocker anyway.

        AppLocker is also a gigantic pain-in-the-ass on corporate machines. My experience with configuring AppLocker for anything other than very task-specific computers is that it's a huge and unending ordeal of whitelisting, trying again, whitelisting more, trying again. Wash, rinse, get complaints from end users, repeat.

        > Also instead of separate physical boxes why not just use a VM ?

        Pragmatism. I have a bunch of extra low-spec laptops laying around. My machines are, for the most part, cast-off Customer garbage. I haven't actually spent money on a reasonable machine since about 2015. >smile<

        • v5v3 2 days ago

          > Also instead of separate physical boxes why not just use a VM ?

          >Pragmatism. I have a bunch of extra low-spec laptops laying around. My machines are, for the most part, cast-off Customer garbage. I haven't actually spent money on reasonable machine since about 2015. >smile<

          But you either need to set up a secure tunnel on each one, or lose access any time you are away from home.

          • EvanAnderson 2 days ago

            > But you either need to setup a secure tunnel on each one, or lose access anytime you are away from home.

            Mostly isn't a problem for me. On the off chance I'd need the banking remotely I'd just take it with me. Mostly I don't do the sensitive stuff remotely and I rarely travel anymore.

            Like I said in the parent post, I should be using Qubes. I'm just lazy.

    • pogue 2 days ago

      What are these "quasi-malicious customized versions of Chrome" you're referring to?

      • EvanAnderson 2 days ago

        Edit: I should have said "Chromium", not Chrome. They are repackages of Chromium, usually with functionality to send browsing activity to a third party.

        "Wave Browser" is the common one that comes to mind immediately. I have several flagged in the "endpoint security" software I support, though.

        The workflow is: (1) User wants some software functionality they don't have, (2) they search-engine using keywords like "convert Word to PDF", (3) they find a program that promises to do the thing they want, (4) they download it and click thru any warnings because they "want the thing", and (5) they end up with persistent per-user malware installed in their "AppData" folder.

      • Melatonic 2 days ago

        Confused by that as well - what version of chrome can be installed without admin?

        • EvanAnderson 2 days ago

          It cannot. There are malicious third parties who have made distributions of Chromium that are fully functional browsers, installing in the user's AppData folder w/o Administrator rights, that have additional "functionality" like exfiltrating browsing history or displaying extra t

          This is really what any Electron-based app is. It's just Chromium running out of the AppData folder. There's a whole ecosystem of "shadow IT" software that installs out of the AppData folder, meant to end-run IT and central control, that functions great w/o Administrator rights.

  • noisem4ker 2 days ago

    It sounds like you just described what User Account Control (UAC) has been doing since Windows Vista (2006).

    • EvanAnderson 2 days ago

      There are UAC bypasses. Microsoft has repeatedly stated that UAC isn't actually a security boundary. It's better to run a daily driver account as a limited user and only elevate when you overtly need it. (It's even better to use a separate login, as opposed to "Run As...".)

      • Melatonic 2 days ago

        Exactly - UAC is like a poor man's sudo and I never really got the point of it. There is a reason so many people tried to disable it.

        Daily driver as limited user should be the Windows default even if it makes usability more confusing.

      • Lwerewolf 2 days ago

        Aren't most UAC bypasses relying on the fact that UAC by default isn't "full sudo" mode - i.e. it allows certain things without prompting?
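Melatonic's setup above (a non-admin daily account plus a separate local admin account) and Lwerewolf's point about UAC allowing some elevations without prompting both come down to a handful of local-group memberships and UAC registry values. An added PowerShell example, not from any commenter, that audits both, creates the separate admin account, demotes the daily account, and sets the UAC policy to always prompt on the secure desktop; `DailyUser` and `LocalAdmin` are placeholder account names and it must run from an elevated shell:

```powershell
# Added example (not from any commenter): audit the daily account and UAC policy,
# then set up the separate elevation-only admin account. Account names are placeholders.

function Get-AdminAudit {
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $members = Get-LocalGroupMember -Group 'Administrators' |
        Select-Object -ExpandProperty Name              # "COMPUTER\user" or "DOMAIN\user"
    [pscustomobject]@{
        CurrentUser  = $id.Name
        IsLocalAdmin = ($members -contains $id.Name)    # group membership, not the current token
        LocalAdmins  = $members
    }
}

function Get-UacPolicy {
    # Missing values mean the Windows default applies.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key
    [pscustomobject]@{
        EnableLUA                  = $p.EnableLUA                   # 1 = UAC on
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin  # default 5: signed Windows binaries elevate silently; 2 = always prompt
        ConsentPromptBehaviorUser  = $p.ConsentPromptBehaviorUser   # default 3: ask for admin credentials; 1 = same, on the secure desktop; 0 = deny
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop       # 1 = prompt on the dimmed secure desktop
    }
}

function Set-SeparateAdminAccount {
    param(
        [Parameter(Mandatory)][string]$Daily,   # the account used every day
        [Parameter(Mandatory)][string]$Admin    # the new elevation-only account
    )
    if (-not (Get-LocalUser -Name $Admin -ErrorAction SilentlyContinue)) {
        $pw = Read-Host -AsSecureString "Password for $Admin (use a different one than $Daily)"
        New-LocalUser -Name $Admin -Password $pw -PasswordNeverExpires | Out-Null
    }
    $admins = (Get-LocalGroupMember -Group 'Administrators').Name
    if ($admins -notcontains "$env:COMPUTERNAME\$Admin") {
        Add-LocalGroupMember -Group 'Administrators' -Member $Admin
    }
    # Keep the daily account a normal user before taking admin away from it.
    $users = (Get-LocalGroupMember -Group 'Users').Name
    if ($users -notcontains "$env:COMPUTERNAME\$Daily") {
        Add-LocalGroupMember -Group 'Users' -Member $Daily
    }
    if ($admins -contains "$env:COMPUTERNAME\$Daily") {
        Remove-LocalGroupMember -Group 'Administrators' -Member $Daily
    }
    # The daily account's token only loses the admin group after it signs out and back in.
}

function Set-UacAlwaysPrompt {
    # Equivalent of the "Always notify" slider position, plus the credential prompt for
    # standard users on the secure desktop; closes the silent-elevation behaviour of the default.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    Set-ItemProperty -Path $key -Name EnableLUA                  -Value 1 -Type DWord
    Set-ItemProperty -Path $key -Name ConsentPromptBehaviorAdmin -Value 2 -Type DWord
    Set-ItemProperty -Path $key -Name ConsentPromptBehaviorUser  -Value 1 -Type DWord
    Set-ItemProperty -Path $key -Name PromptOnSecureDesktop      -Value 1 -Type DWord
}

Get-AdminAudit
Get-UacPolicy
# Set-SeparateAdminAccount -Daily 'DailyUser' -Admin 'LocalAdmin'
# Set-UacAlwaysPrompt
```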

  • exiguus 2 days ago

    Usually, private individuals are not the target of ransomware attacks by organized criminals. Companies often have to pay a lot more money to get their data back. The Petya ransomware is a good example of this.

    Nevertheless, when you are on any machine as an intruder and have normal user rights, you can still actively search the machine and network for admin accounts and steal sessions. The ultimate goal is to gain Domain Admin rights.

    Besides that, it is not necessary to have admin rights to delete and encrypt data or to run and hide software.

    There are also many ways, besides stealing sessions, to gain admin rights, such as through unpatched software, inappropriate user rights, zero-day exploits, and social engineering.

    A common way to get users to install malware or ransomware is to bundle it with useful software that the user wants to install.

  • eestrada 2 days ago

    The best anti malware on any version of windows has always been to not run windows.

    • udev4096 2 days ago

      I wouldn't be surprised if attackers started leveraging Wine for not going through the hassle of cross-compiling for different operating systems

    • fortran77 2 days ago

      We're all very impressed that you're such a 1337 h4x0r that you run Arch Linux and not Windo$e.

      See also

      https://www.sentinelone.com/blog/macos-notlockbit-evolving-r...

      and

      https://blog.sekoia.io/helldown-ransomware-an-overview-of-th...

      • akimbostrawman 8 hours ago

        I don't see how those links are relevant. Nobody claimed there is no malware on linux.

        However, the features and culture of software distribution very much make it safer. The overwhelming majority of malware gets distributed over ads from websites or search results. Package managers, prominently used by all Linux distros, remove that attack vector or at the very least minimize it.

        Ofc it does not prevent somebody from still executing random binaries from the internet if they really want to, nothing does.

  • smallstepforman a day ago

    It's easy to reinstall the OS. It's a lot more damaging if you lose your child's birthday photos, tax documents and anything you actually care about. This is where the entire PC security fiasco breaks down, since I want my docs directory protected FROM any system-installed app/driver. I want an OS that asks for permission when accessing the doc directory.

  • Aachen 2 days ago

    https://xkcd.com/1200/

    It feels bad to post a link-only response but I really don't have anything to add to it. On a system used by multiple persons, sure, you help prevent that a compromise on sister's account immediately impacts mom's and dad's accounts, but that qualification isn't in the comment and probably most computers that HN readers use are single user. Or on a server, dropping privileges speaks for itself. But if you're on a desktop and you do online banking in your browser and also open email attachments on that computer... Not being admin would only help clean up the situation without needing to make a live boot (namely, you could theoretically trust the admin user and switch to that) but this isn't recommended practice anyway if you're not a malware specialist and can make sure it is fully gone. I cannot think of any situation where a single user desktop system benefits from admin privilege separation

    So basically, what the comic conveys

    > The best anti malware

    Not being admin doesn't prevent malware from running and gaining persistence within your user account...

    • Melatonic 2 days ago

      Most malware I've commonly seen on individuals' computers (like the grandma example) comes about when they want to install something and use an installer that has it bundled with legit software. Or they visit a site that's a shady copy of a legit one.

    • seb1204 2 days ago

      So the mum or grandpa should also use an admin account to execute the file they just downloaded?

      • Aachen a day ago

        They need this access to be able to use their computer, but even if they don't manage their own computer... maybe read the above comment and then let me know what I've overlooked rather than me repeating the whole thing

  • udev4096 2 days ago

    LPEs exist. In the Linux world, you get tons of new LPEs every week. On Windows, significantly harder

  • cookiengineer 2 days ago

    This is good advice, but it will not protect you against any malware that has been written in the last 10 years.

    Stealer frameworks and dropper frameworks have implemented a lot of bypasses. From using other installed programs (lolbins / gtfobins etc) to using embedded scripting engines to do their bidding up until just reusing signed and installed default drivers to execute their payloads. A lot of drivers have sideloading and execution capabilities due to how the $igning process in Microsoft is constructed.

    Additionally, nobody needs "root" access to do anything these days, this is just a plain wrong assumption. Most malware will go for your browser profiles which are readable by your user (duh), so a separate privilege escalation exploit avoiding user account won't help you there either.

    It's much better to sandbox your applications as well as possible. Even just using firejail profiles will go a long way, especially in regards to electron apps or apps that have remote update and plugin installation capabilities (e.g. discord, slack and the like).

    Please, drop some malware binaries through ghidra or other tools before you give advice like this. You might be part of survivor's bias without realizing it.

  • kevingadd 2 days ago

    Unfortunately a lot of modern software triggers UAC popups now. Games (for anticheat and/or network connectivity), development tools (for network connectivity or debugging), updaters for stuff that live-updates like Electron apps, etc.

  • Phurist 2 days ago

    Or you know... just use Linux

    • EvanAnderson 2 days ago

      There's nothing magical about the Linux security architecture, when it comes to malware, aside from abysmal Linux market share. If it were popular it would be targeted.

      That's not to say there's no value. It's a case of security by obscurity, at best. The Unix security model is much more simplistic than Windows NT. Everybody disables SELinux so there's no meaningful capabilities functionality.

      Assuming you actually do run malware, all your user account's data on a Linux machine ends up being just as vulnerable to exfil or ransom as if you're running Windows as a limited user.

      • gerdesj 2 days ago

        "Everybody disables SELinux"

        That implies you are probably using a RH jobbie. With no working whatsoever, I assert that many more Linux desktops will be rocking apparmor or no kernel security module.

        Oh and no I don't disable SELinux, except as a quick check to see if that is what is causing issues. Obviously I'm not everyone, but I am someone.

        • EvanAnderson 2 days ago

          I haven't used desktop Linux in a number of years, but back when I did I'd see disabling SELinux was a common recommendation. I hope things are getting better.

          On the Linux application hosting front the majority of vendor-supported garbage I have the displeasure of supporting that runs outside of Docker disables SELinux as a matter of course.

          • gerdesj 18 hours ago

            I haven't daily driven anything but Linux for 15 years or more. I remember when Xorg was the new kid and XFree86 could destroy your CRT (or so "they" said - I never managed it!) Mind you I also remember #make config taking about 20 minutes.

            Advice advocating disabling selinux is very similar to SFC /SCANNOW or "turn off your antivirus". As soon as you see advice like that you do have to wonder at the motive.

            A quick broad-brush approach to troubleshooting is fine and could be considered the first stage before a binary search is used to get to the real problem. So you make things safe first and then you switch off something like selinux. Does that work? If yes, then you switch it back on and then do your search within selinux and perhaps bother with reading logs.

            You obviously have to support a lot of cough enterprise ... RH based stuff or perhaps Oracle's sufferings.

            If you can, call someone's bluff: Insist on a standard. PCI DSS is involved as soon as a payment card is involved - that will soon sort things out. In the UK, we have Cyber Essentials and the plus form. Non UK Europe also has similar standards. The US will have Freedom versions of any standards and the rest of the world will have theirs.

            Go in with standards if you can. As soon as you permanently switch off a security mechanism you have failed (yourself and your customer).

            Good luck mate.

      • codedokode a day ago

        On Linux one typically runs third-party (not coming from official repositories) software in a sandbox which is a great pain (good luck sandboxing an Electron app) but at least possible. Unless you own exploits to bypass kernel restrictions you cannot do much.

    • johanneskanybal 2 days ago

      Right tool for the job. Linux for deploying stuff to, Linux or mac for working on the stuff you’ll deploy. Windows for games and everyday use. They’re all superior in their category and it’s too obvious to spend time arguing about.

      • codedokode a day ago

        Windows is bad for everyday use because it sends all your data to Microsoft, you need to get a cloud account and can get banned from your system at any moment, it can install changes at any time etc. So basically you get humiliated every time you use your computer.

        Windows is good for work though because if it starts updating during the work day, or breaks, you can do nothing and still get paid. And if it leaks your company data, it is not your problem also.

      • ekianjo 2 days ago

        You have been able to game on Linux for many years now. Windows is mostly mandatory if you play multiplayer games with anticheat

        • johanneskanybal 2 days ago

          Yea, pong working on Linux doesn't equal gaming working on Linux. Most games won't start or play worse.

          • Sphax 2 days ago

            You’re either trolling or simply unaware, but Steam and Proton allow you to run quite a bit of the Steam library on Linux with good performance.

          • 8note 2 days ago

            I've been playing Elden Ring fantastically on the Steam Deck. It's the game of the year from a couple years back

          • udev4096 2 days ago

            You have been living under a rock. Wine and proton are significantly faster than native windows. With valve's partnership with Archlinux last year, it's going to get even better

      • cynicalsecurity 2 days ago

        You haven't needed Windows for games for ages. Steam games run on Linux.

        • johanneskanybal 2 days ago

          Not really if you ever tried. Barely playing music, games obviously don’t work if you ever tried playing games. (hint, game x not being terrible doesn’t mean ”it works”). Like I said at the start, this is fairly obvious.

          • udev4096 2 days ago

            I play AAA games on steam deck running stock steam OS. It's rock solid. Look at the sales of steam deck alone, it's quite successful

    • cortesoft 2 days ago

      There are many reasons someone might have to use Windows. I have a Windows box because a number of games I play don’t support Linux, even with WINE and Proton.

      • KronisLV 2 days ago

        I found that ProtonDB is quite helpful in figuring out how many games will or won’t run well: https://www.protondb.com/

        You can even log in with Steam and get the summary for your exact library, for anyone curious.

        • cortesoft a day ago

          I am very aware of which games don't work with Proton, which is why I know I need a Windows machine.

        • BlaDeKke 2 days ago

          It’s fine for a casual single player game. I’ve played rimworld on Linux mint. But league? Fortnite? Cod? Battlefield?

    • supertrope a day ago

      Make sure to never do

        curl example.com/easyscript.sh | sudo bash
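
      The safer pattern behind that warning, as an added example that is not part of the post: download to a file, compare its SHA-256 against a digest obtained out of band (the vendor's release page, a signed manifest), read it, and only then run it, unprivileged. The code below is mine, not from any project on this page; the download step is replaced by a local path so it runs offline.

```python
"""Verify-before-run helper for installer scripts (added example).

Instead of `curl URL | sudo bash`, the script is saved, hashed and compared
against an expected SHA-256 before anything executes. The expected digest
must come from a channel other than the download itself, otherwise the
check proves nothing.
"""
import hashlib
import subprocess
import sys
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Return the lowercase hex SHA-256 of a file, read in chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_script(path: Path, expected_sha256: str) -> bool:
    """True only when the file's digest matches the pinned one (case-insensitive)."""
    return sha256_of(path) == expected_sha256.strip().lower()


def verify_then_run(path: Path, expected_sha256: str) -> int:
    """Run the script with plain `sh` (no sudo) if and only if it verifies.

    Returns the script's exit status, or 1 without executing anything when the
    digest does not match. Anything that genuinely needs root stays a separate,
    reviewed step rather than a blanket `sudo`.
    """
    if not verify_script(path, expected_sha256):
        print(f"refusing to run {path}: digest mismatch", file=sys.stderr)
        return 1
    return subprocess.run(["sh", str(path)], check=False).returncode


def write_sample_script(directory: Path) -> Path:
    """Constructed stand-in for a downloaded installer; only prints a line."""
    script = directory / "install.sh"
    script.write_text("#!/bin/sh\necho 'sample installer ran'\n")
    return script


if __name__ == "__main__":
    import tempfile

    with tempfile.TemporaryDirectory() as tmp:
        sample = write_sample_script(Path(tmp))
        pinned = sha256_of(sample)  # in practice: copied from the vendor's page
        print("verified run exit status:", verify_then_run(sample, pinned))
        print("tampered run exit status:", verify_then_run(sample, "0" * 64))
```

The same idea applies to any "install script" workflow: the digest (or a signature) is the thing that ties what you fetched to what the publisher meant to ship, and running it as your own user keeps the blast radius to that account.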

    • jay_kyburz 2 days ago

      I've got a snap installed, I think it's for the google command line tools. It will quite often at random times pop up a window in KDE asking for the admin password, and there is nothing in that window that tells me what or why the admin password is needed.

      Decided it was a risk to just be typing the admin password whenever a random popup asked me to, so disabled all snap automatic updates.

    • charcircuit 2 days ago

      Linux ransomware does not require root.

    • NexRebular 2 days ago

      > Or you know... just use Linux

      ...where namespaces provide excellent technology for hiding malware, making Linux one of the best platforms to turn into an evil host.

      • codedokode a day ago

        Do they? Processes inside a namespace still are visible from the top level namespace.

    • floundy 2 days ago

      Every couple of years I give daily driving Linux a try. I still find that old joke about "Linux is only free if your time is worth nothing" to be quite apt.

      • fredfish 2 days ago

        Every few years someone forces me to use Windows and I find that my data is apparently worth nothing since it being one giant anti-pattern wastes my time.

        • floundy 2 days ago

          I agree, I switched to Mac last fall with the incessant Windows 10 popups that my CPU is not supported and I can't upgrade to Windows 11, so buy a new PC chump or you'll be EOL! Okay, I bought a new PC Mr. Nadella, it just doesn't run Windows.

          That ended up being the last straw in a long line of complaints with data privacy and things being forced on me in Windows. Somehow that stupid Bing toolbar would constantly re-enable itself and re-appear on my desktop after every update despite being disabled everywhere I could find a setting for...

          • fredfish 2 days ago

            I wasn't very happy with Apple's bizarre UI or out of date libraries.

            The easiest way to make an OS with ideal support on one platform is to only support Apple's hardware instead of the PC cosmos, so I will be interested if Asahi getting the relatively little resources it needs will gradually make it the least waste of time choice to use Linux on Apple hardware.

      • II2II 2 days ago

        I don't know what your use case is, so what I'm about to say may not be relevant.

        When you're making the transition from one operating system to another, there is going to be an investment of time. It doesn't matter whether you are moving from Windows to Linux or from Linux to Windows. When it comes to getting things done, each operating system is going to have its own strengths and weaknesses. Our attention is going to be drawn towards the weaknesses of what we are trying out because that is what we are going to spend the most time addressing. Our attention is going to drift away from the weaknesses of what we are familiar with since we have long since learned to circumvent or ignore them.

        What I am suggesting is that I would spend as much time learning how to daily drive Windows as you would learning how to daily drive Linux. Unfortunately, I cannot draw upon quips like "Windows is only free if your time is worth nothing" since Windows is not free. I have a copy of Windows 11 Professional that cost significantly more than any given component of the computer it runs on.

      • sdoering 2 days ago

        I switched to Ubuntu "skinned" with Omakub a few months ago. Never looked back. Work with Windows on my work machine and use my *nix box as my daily dev driver and machine for surfing the net, doing emails and documents. I actually use it for nearly everything except vector graphics/dtp & images, as I am still too used to the affinity suite.

        Will try out Omarchy just for the fun of it - not that I expect it to become my daily driver.

        But - depending on your needs - I think Linux can be on par (for me it is way better, longer battery life, better configuration, better tools, smoother workflows, but YMMV).

        • udev4096 2 days ago

          Please don't use that horrible script. It makes no sense to install such bloatware on top of an already bloated distro, which adds unnecessary attack surface. I would recommend fedora or arch, both are perfect for beginners with minimal bloat

      • pkulak 2 days ago

        Do you mind elaborating a bit on what went wrong? Like, were you installing on a recent MacBook, or something else not well supported? In my experience, installing and running a popular distro is absolute cake. Easier than Windows, even, since you aren’t forced to create cloud accounts and answer a million privacy questions; you basically install then boot right into your new desktop.

        • floundy 2 days ago

          Used it on various devices. A Dell laptop (with power switching between dedicated and iGPU, what a nightmare that was for Linux display drivers), a desktop I built myself, a Raspberry Pi running RPi OS.

          I find most things fine in Linux and I'm fairly comfortable with the terminal. However it's the 10% or so of things that are very cumbersome in Linux but instant in Windows/Mac that drive me away.

          Example: There is no Google Drive client for Linux. Spend an hour dorking around in rclone and get it set up and working with bidirectional sync. The token still expires weekly and needs to be renewed. Yeah, I get a potential solution is "don't use Google Drive" but the little projects to get my current workflow functioning on Linux, or change my workflow to fit Linux's constraints, end up adding up into a bunch of wasted time.

          • pastage a day ago

            The point is that Linux is not worse it is just different. What you do on Windows or iOS will not be the same as on Linux. How you adapt and if you want to is the point.

            I am horribly ineffective on Windows even if I am forced to use it. The only reason for me to use it is to play multiplayer games though, and it is the default install on new laptops before installing Linux. So Windows sucks because it does not have what I need, and I see no reasons to change my ways to Windows.

          • zahlman 2 days ago

            Have you tried just using it in browser?

          • tokai 2 days ago

            > There is no Google Drive client for Linux

            What? Google accounts have been a thing in Gnome for years. You have Google Drive access right in Nautilus.

            • floundy 2 days ago

              Not for ARM.

              • tokai 2 days ago

                Almost all distros have an ARM version. KDE can also handle online services such as google drive. There are also a couple of other projects to deal with it if you don't like KDE or Gnome. What you claim is trivially untrue.

              • ekianjo 2 days ago

                If you use a distro built on GNOME, ARM or not does not matter

      • pogue 2 days ago

        I would recommend giving Linux Mint a try. It's very newbie friendly with a desktop environment like Windows, automatic backup creation, and a store to install pretty much any software you need from. I got my elderly parents to try it & they were both able to figure it out quite quickly!

        I also hear good things about ZorinOS as it's built as a full fledged Windows alternative with built-in WINE to run native Windows apps in.

        You can play with them both at this link without having to install anything:

        https://distrosea.com/

      • Taek 2 days ago

        I don't find it to be that way at all. I've used Debian as my daily driver for almost 10 years and I spend maybe... 30 minutes per year dealing with setup and configuration and stuff?

        Much less than I needed to back when I mainly used Windows.

        Sure, there's a learning curve. But Windows has a learning curve too, you just already climbed that hill.

        • II2II 2 days ago

          Judging from the rest of the thread, they were referring to setup and configuration. For the most part, I consider this to be one of the strengths of Linux.

          On the other hand, the operating system is the means rather than the end to most people. If a person is transitioning from Windows to Linux, they will probably have a substantial number of new programs to learn in the process. That is going to factor into most people's impressions of the operating system as a whole.

      • NoOn3 2 days ago

        But if this is your first time using Windows or Mac, you will also need time to get used to it. I've tried using a Mac, and so far I'm not used to it. :)

pogue 2 days ago

I wonder if this is still actually the case after Brian Krebs announced it to the world in 2021.

  • throwaway48476 2 days ago

    It has always been this way and will continue to be. Russia along with North Korea consider ransomware to be legitimate economic activity. It's part of their hybrid warfare strategy.

    • MangoToupe 2 days ago

      That doesn't really say much about the specific behavior of using a Russian keyboard as a signal.

      • antonymoose 2 days ago

        It is a fail-fast strategy to avoid internal prosecution for accidental attacks on fellow citizens.

      • 0manrho 2 days ago

        Well yeah, because that's not what the person they were replying to was asking about. They were asking a "when" question of sorts, tangential to the root topic, not a why.

    • NoOn3 2 days ago

      I don't think this is done on purpose at the state level in Russia or China. It's just that sometimes governments don't pay attention to those who do it if this is done in relation to somehow unfriendly countries. But the US also uses hacking for hostile purposes. For example, Stuxnet and some other cases. Yes, it's not ransomware, but the difference is not that huge. Western-backed countries like Ukraine are also doing the same. Anyway, just use Linux and you'll be fine for a while.

      • codedokode a day ago

        Foreigners won't go to Russia to file a complaint to police. Without a complaint, there is no reason to investigate anything. I think this is the explanation.

        Also it is 100x more difficult to make a Russian pay for something, including a ransom. So attacking a fellow Russian is a high-risk, low-return move.

        • throwaway48476 13 hours ago

          In the past US LE has tried to work with Russia to arrest ransomware groups but it didn't work out. Russia demands extradition of political prisoners or some such in exchange so it falls through.

      • throwaway48476 2 days ago

        When Russia arrests a hacker they're turned over to the GRU and told who to target. Western governments use hacking for intelligence gathering not economic warfare. The ochko123 fraudster was very connected with the Russian government, it's state policy.

        No, just using Linux doesn't make you safe.

        • chupasaurus a day ago

          > Western governments use hacking for intelligence gathering not economic warfare

          How much intelligence has Stuxnet gathered?

          • throwaway48476 13 hours ago

            Military targets are not economic targets.

            • chupasaurus 4 hours ago

              Military is still a part of the government.

        • Phelinofist a day ago

          I re-watched the Roman/ochko123 talk just a few days ago, really great talk

  • Hilift a day ago

    Yes, absolutely. This is mostly a legal/enforcement decision. If you avoid Russian authorities, they avoid you. Also Russia is nowhere near as fertile ground as the US. There are plenty of low paid entry level office workers in the US who will gladly update their AP payment information for business email compromise (BEC). $2.77 billion lost to BEC in 2024, the most lucrative category. Total losses in the US were $16 billion from 859,532 complaints.

    In one investigation I worked, a threat actor in China socially engineered their way into getting an employee account in a US company created for them. They were so persuasive they also got their account inserted into the approval process as a manager for creating other new employee accounts (at a specific location) in the identity workflow. They did this only for the purpose of siphoning discounts that are available to employees, and they resold those, which resulted in about one million dollars loss over a period of a couple of years.

    https://www.fbi.gov/contact-us/field-offices/elpaso/news/fbi...

    • pogue a day ago

      That's interesting, but it doesn't exactly answer my question about switching my keyboard to Russian.

kube-system a day ago

> But is there really a downside to taking this simple, free, prophylactic approach? None that I can see

One that I immediately can think of is increased support costs due to end users unintentionally changing their keyboard. The shortcuts to change keyboards are usually not too hard to accidentally hit, and most users (especially in the US) would be unfamiliar with what they did or how to change it back.

  • fred_is_fred a day ago

    Not a windows user, but couldn't a sysadmin enable this keyboard but disable the shortcut to switch keyboards?

    • tempodox a day ago

      IIRC, even an unprivileged user can disable the keyboard shortcuts, but you still have to remember to do it.

kgeist a day ago

As someone using a Russian keyboard, I still got my fair share of viruses back in the day, before I knew the basics of cybersecurity. I wonder how prevalent that actually is in the grand scheme of things, or if it's overblown in the article.

  • sublimefire a day ago

    I think it is to do with the targeted/campaign attacks. Ordinary spread of viruses in some rar files is generic enough. Otherwise if you are an outfit working from CIS countries it is just logical due diligence not to become a target of their internal security people. For instance if you create a botnet and rent it, then some other group might do proper damage using it; it is safer to just host it outside.

KnuthIsGod 2 days ago

The presence of a Russian keyboard makes it attractive to NSA malware.

  • v5v3 2 days ago

    Russia, China etc. ban Windows from any military or sensitive government employee machines. They use their own Linux distros.

    • chupasaurus a day ago

      There is a hardened version of Win7 for sensitive machines, probably made of source code Microsoft provided. Edit: Since I had to deal with it in 2011 there's at least Win8.1 version.

93po 3 hours ago

As an aside, can anyone comment on how we can estimate the source of a cyber attack with any confidence? People and groups say "oh we know it's russians because of the methods used, they're known methods by russian groups". But if these methods are so clearly indicators of a certain group or certain national origin, then wouldn't it be effortless to then mimic those same methods to make it appear it's those groups when it's not?

It feels like if you had a battleship with a Russian flag and it fired on a US ship and ran away and wasn't caught, it'd be silly to be like "oh it's definitely the Russians 100%" because of the flag when it could have been a literal false flag. And there is a ton of political motivation to do false flags these days.

gmargari 2 days ago

2021

  • e_y_ 2 days ago

    I wonder if Ukraine has been removed from the exclusion list since then. A quick Google search says that the keyboard layouts are different from Russian keyboards.

    • Melatonic 2 days ago

      I was thinking the same thing.

      Seems like the safest would be standard Russian keyboard layout (or maybe just adding the reg keys mentioned)

      Also makes me wonder if installing a specific Chinese keyboard could have the same effect (for Chinese made ransomware or maybe even North Korean). Or perhaps they do other checks?

      • bozhark 2 days ago

        Could check month/date/time formats

        • Melatonic 2 days ago

          Wouldn't that exclude a ton of countries though? Russia covers a lot of time zones.

    • v5v3 2 days ago

      Syria may get removed soon, seeing as now a USA aligned country.

rurban a day ago

Just add those two keys into your registry: https://github.com/Unit221B/Russian For persistence install the Russian keyboard driver, and switch back to your original.

  • mrkramer a day ago

    That's a funny way to combat Russian made malware but I think Russian malware checks which keyboard language you are currently using and not which ones are in total present on your OS.

    • rurban a day ago

      Nope, it checks which keyboards are installed in these reg entries, not which are currently used. That's the well-known Windows trick every MS admin should know

      • mrkramer a day ago

        Is there a way to check which one is currently in use? There must be. So Russians are slacking on this one? Also they could check in which language files and folders are named, or they could check timezone or something. Years ago I loved to read malware RE articles and I remember they also checked for Belarussian, Ukrainian and most of the ex-USSR countries' languages. Isn't the most efficient way to check the external IP address of the device, ofc if it has one.

        • skeezyboy a day ago

          Geolocations of IPs change all the time, malware would need to speak to some server somewhere to get a current list. The Russian keyboard method doesn't have the same risk of discovery

          • mrkramer a day ago

            Yea I know and some computers might not be connected to the internet but to some local network and tbh 99% of people won't install Russian or some ex-USSR language packs just to potentially protect from Russian made malware.
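
The mechanism argued over in this subthread (installed layouts versus the one currently in use) is easy to audit on your own machine. The following is an added example, mine and not code from the thread, the linked Unit221B repository or any malware family: it reads the list of installed keyboard layout identifiers and reports which ones correspond to CIS languages, so you can confirm whether the "vaccine" is actually present in your profile. It assumes the layouts live as 8-hex-digit KLID strings under `HKCU\Keyboard Layout\Preload` (the key I take the linked .reg file to populate) and uses an illustrative subset of standard Windows language IDs; the exact list any given ransomware consults is not something this page states. Off Windows it falls back to a constructed sample so the logic still runs.

```python
"""Audit which keyboard layouts a Windows user profile advertises (added example).

A KLID such as "00000419" is 32 bits; the low 16 bits are the Windows
language ID (0x0419 = Russian). The CIS_LANGIDS table is an illustrative
subset of standard Windows language IDs, constructed for this example.
"""
import sys

# Illustrative subset of Windows language IDs (primary + sublanguage), not
# the exclusion list of any particular malware family.
CIS_LANGIDS = {
    0x0419: "Russian",
    0x0422: "Ukrainian",
    0x0423: "Belarusian",
    0x043F: "Kazakh",
    0x042B: "Armenian",
    0x0437: "Georgian",
    0x0440: "Kyrgyz",
    0x0428: "Tajik",
    0x0442: "Turkmen",
    0x0443: "Uzbek (Latin)",
}

# Constructed sample standing in for the registry when not on Windows:
# a US layout, a Russian layout and one malformed value.
SAMPLE_PRELOAD = ["00000409", "00000419", "junk"]


def langid_from_klid(klid: str) -> int:
    """Return the language ID in the low 16 bits of an 8-hex-digit KLID.

    Raises ValueError for anything that is not 8 hex digits so that junk in the
    registry is surfaced rather than silently treated as "no layout".
    """
    klid = klid.strip()
    if len(klid) != 8 or any(c not in "0123456789abcdefABCDEF" for c in klid):
        raise ValueError(f"not a KLID: {klid!r}")
    return int(klid, 16) & 0xFFFF


def cis_layouts(preload_values):
    """Return [(klid, language)] for every installed layout found in CIS_LANGIDS.

    Malformed values are skipped; an empty result means none of the listed
    languages is installed for this profile.
    """
    found = []
    for klid in preload_values:
        try:
            langid = langid_from_klid(klid)
        except ValueError:
            continue
        name = CIS_LANGIDS.get(langid)
        if name:
            found.append((klid.strip(), name))
    return found


def read_preload_from_registry():
    """Read HKCU\\Keyboard Layout\\Preload on Windows; return [] elsewhere."""
    if sys.platform != "win32":
        return []
    import winreg  # standard library, but only importable on Windows

    values = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, r"Keyboard Layout\Preload") as key:
        index = 0
        while True:
            try:
                _name, data, _kind = winreg.EnumValue(key, index)
            except OSError:  # raised once the values are exhausted
                break
            values.append(str(data))
            index += 1
    return values


if __name__ == "__main__":
    preload = read_preload_from_registry() or SAMPLE_PRELOAD
    hits = cis_layouts(preload)
    for klid, name in hits:
        print(f"{klid}: {name}")
    print(f"{len(hits)} CIS layout(s) installed" if hits else "no CIS layout installed")
```

Two things the audit makes concrete: the registry list is per user profile, so adding the layout for an admin account says nothing about the account that actually browses; and since the check is on what is installed, not what is active, switching back to your usual layout after installing does not undo it, which is what the parent comment describes.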

fracus 2 days ago

The title alone is hilarious because it obviously implies, probably correctly so, that most ransomware comes from Russia.

  • adastra22 a day ago

    Isn't this widely known background context?

  • supertrope a day ago

    And other CIS countries. It turns out if the authorities don't prosecute computer criminals and wire fraudsters unless there's a domestic victim, they will run amok.

amelius 2 days ago

So wouldn't the next step in this cat and mouse game be that they check if the keyboard is actually being used?

zzo38computer 2 days ago

If they change it, will they make it check the time zone as well as the keyboard layout (and possibly others)?

lenerdenator a day ago

And they'll keep doing it because we don't make an example out of them.

charcircuit 2 days ago

I would find the why more interesting. Is there a common library virtually all ransomware uses? Are virtually all ransomware copy pastes of each other? Is there a popular forum post detailing the trick?

  • chisleu 2 days ago

    There are lots of malware families. Russian hackers, scammers, and such are basically celebrated in Russia for attacking the west. But they get in big trouble if they screw anything up inside Russia. Hence, the "safety mechanism" here.

    • charcircuit 2 days ago

      Yes, but this is a specific safety mechanism, why this over others?

      • chisleu 2 days ago

        It's simple for the malware to check. For instance, you don't want to hit a Russian oligarch's laptop w/ ransomware just because his GPS says he is in another country. You don't want to trust the outbound ip because they might be on a VPN, etc. This is more broad and simple and easy. Can you think of a better way?

        • charcircuit 2 days ago

          You could check what language the operating system is set to, or the browser bookmarks/history, to name a couple.

          Checking installed keyboards is somewhat obscure and sounds like something someone cleverly came up with and I'm interested in how is sprea

          • zarzavat 2 days ago

            Language wouldn't work, many bilingual people prefer to have their UI language set to English even if it's not their native language.

      • make3 2 days ago

        convergent evolution

        • charcircuit 2 days ago

          If you look at how it's compiled you can tell if it's using the same code, or if they converged to use similar strategies.

  • v5v3 2 days ago

    I read that only a few parties create ransomware, and they then charge a subscription to the end hackers to use it.

Razengan 2 days ago

I KNEW keeping a Russian keyboard to type ( ;´Д`) would have practical uses!

  • culebron21 2 days ago

    You may also want to use хД (Russian for xD)

jekwoooooe 2 days ago

[flagged]

  • supertrope a day ago

    The Internet is by definition universal. Autonomous Systems make their own routing decisions. We cannot cut them off the Internet any more than we can cut off their sea access. If we were to do so (analogous to a naval blockade) you'd have succeeded in only cutting off civilians. Government sponsored or tolerated criminals would still ply their trade like in N Korea.

  • skeezyboy a day ago

    I had fun with a Russian guy on Rust once but otherwise cut em all off

quantadev 2 days ago

I wonder what DeepSeek agents would do if they discovered at some future time that USA and China are in a kinetic war. Because we don't have the ability to analyze hidden motivations in model weights, it's impossible to predict, although it seems like it would be easy to do at least basic testing (in a sandbox) to see if it takes any unexpected actions or tries to get data from any unexpected URLs through agents.

You can't simply ask the AI what it would do in that case, because it will have been trained to deny that it has any harmful plans, and indeed it may not "know", which is a type of attack I've called "Hypnosis Threat Vector". An AI Agent can be trained to be harmful, and not have any way of even self introspecting what its "Trigger Words" are. The Trigger Words could indeed be some news headline that only China knows how to inject into the news cycle, causing many agents to notice them and then "wake up" to perform what they're "hypnotized" to do.