Review: Microsoft's Surface Laptop running Windows 10 S

I don't often write reviews. But when I do, I write as a "normal" (not a power user or professional reviewer) about products on which I'd consider spending my own money.

The recently introduced Microsoft Surface Laptop is one such product.

Microsoft provided me with a loaner burgundy-colored Surface Laptop 10 days ago. I was eager to try it, as I believe clamshell-type PCs, like laptops and ultrabooks, are still the best computing devices for many of us.

In addition, I was curious if Windows 10 S, the version of Windows with which this device is bundled, could work as my OS flavor of choice.

See also: Microsoft launches Windows 10 S, its Store-centric version of Windows 10 | Making sense of Microsoft's Surface lineup | CNET Review:Microsoft's latest feels like more laptop, less Surface

I haven't been overly enamored of Microsoft's other PC models, including the Surface Pro and Surface Book. I liked the concept of the Surface Laptop: A premium computing device for higher-education students and productivity workers. And I was especially intrigued whether Microsoft might have finally made a laptop that truly is lappable.

Let's get the lappability thing out of the way. I know many folks have claimed and actually believe that the Surface RTs, Surfaces, Surface Pros, and Surface Books work on one's lap. They've snapped pics of themselves using them -- often with legs crossed, legs propped up or balancing precariously these various devices -- to prove they are "lappable."

Some have questioned whether I have unusually short legs or am otherwise configured strangely because I cannot make the existing Surfaces work on my lap. Nope and nope. Sorry guys; I am not holding the Surfaces wrong. And even though Microsoft recently rebranded Surface Pros as the company's "most versatile" laptops, I still consider them to be tablets with kickstands and detachable keyboards. As such, Surface Pros still are not well-made for lap use. Usual disclaimer: YMMV.

So what's my lappability rating on Surface Laptop? I'd give it a 7.5. It's more lappable than I thought it might be when I had a few moments with it at the Surface Laptop launch in early May. But its 3:2 aspect ratio and weight of whatever is behind the screen still leave it a bit more top heavy than I'd like. I also find the screen a bit wobbly when poked/touched and the base a bit slippery, requiring me to hold the device in place firmly with my wrists. All that said, I'd still call this Microsoft's most lappable Surface device to date.

I understand not everyone wants or needs to use a laptop on her/his lap. On a flat surface, the newest Surface is well balanced, even when using touch, which is not the case with the Surface Book in my limited experience. The Surface Laptop also works with Microsoft's pens and Dial, but I didn't try it with either. I am one of the estimated 70 percent of Surface users who don't need or use a pen. I also don't often use touch, as the trackpad on this device is quite good.

The 13.5-inch screen resolution of 2256 X 1504 is excellent. The keyboard, much like the one in the Surface Pro 4, is decent for long bouts of typing. I find the wrist wrest of this laptop to be abnormally long (from the bottom edge to the bottom row of keys) so as to accommodate the large trackpad. It's not just my wrists that are on the keyboard base -- it's part of my forearms as well, which feels strange to me.

The Alcantara fabric that covers the keyboard base (other than the actual keys and trackpad) is definitely going to be a love-hate thing. It feels more like a pool-table cover than a shag carpet, for those wondering about the fuzziness factor.

Microsoft included the covering as a way of differentiating its laptop and giving it a more premium feel. I admit I found myself constantly worrying about staining the cover with food/drink, sweat and tears (not unicorn ones). Officials say the fuzzy keyboard can be wiped clean easily with a damp cloth. But to me, the minuses on this outweigh the potential benefits. During the last few very warm days we've had here in New York, I've found the covering a bit too warm for my liking. And with the way things are going, I'm thinking we'll have more warm days than cold in our futures.

As has been widely reported, there are no USB-C ports on the laptop, but there are USB 3.0, Mini DisplayPort, Surface Connect for power, and a headphone jack. The ports are on the sides of the laptop. Meanwhile, the power button is now on the keyboard, to the left of the delete key. At first, I was a bit concerned about this placement, but I have not accidentally hit the power key at all in 10 days. And I think it's placement on the keyboard might go a long way to stopping inadvertent power-on situations that have plagued users of some other Surface models.

In my 10 days of use of the Intel Core i5 model with 8 GB of RAM running Windows 10 S (Creators Update release, a k a 1703), I didn't approach the14-hour battery life figure Microsoft touted for Surface Laptop. The Microsoft figure is for the non-real-world continuous video playback scenarios. In my intermittent, regular but non-continuous use -- browsing the web, monitoring Twitter, writing posts and emails, watching YouTube videos, and playing music on Groove -- I'd guess I've been more in the seven-plus-hour range, not including time when the machine was unused and in standby. (This is a rough calculation, obviously; I'll update in the next couple weeks as I use the device more.)

Read More

Want ransomware-proof Windows? It won't work against Windows 10 S, claims Microsoft

The Windows 10 S 'walled garden' has a major advantage when it comes to preventing ransomware.

Ransomware is on the rise again, but Windows 10 has you covered, according to Microsoft.

Image: Microsoft

Microsoft boasts that "no known ransomware works against" Windows 10 S, its locked-down and hardened operating system announced in May.

The company made the bold claim in announcing the release of a white paper that details the Windows 10 Creators Update's next-generation protections against ransomware, which also offers an updated snapshot of "ransomware encounters" it detects on Windows machines worldwide.

Throughout 2016 ransomware encounters were steadily declining from a peak in August, but they started climbing again in February 2017 and doubled in number by April.

It hasn't released figures for May, when the WannaCry ransomware attack infected several hundred thousand Windows 7 PCs and Windows 2008 Server machines in a matter of hours.

Microsoft also highlights that "no Windows 10 customers were known to be compromised by the recent WannaCrypt global cyberattack".

Time will tell whether ransomware attackers figure out a way to infect Microsoft's Windows 10 S or whether they consider it worth the effort, given easier and more prevalent targets like Windows 7.

As it is, there are no machines running Windows 10 S in the wild yet. The Windows 10 S Surface Laptop is currently in pre-order and third-party hardware has yet to be announced.

Windows 10 S is undoubtedly more secure because of its iPhone-like walled-garden security model, which restricts installs to verified and sandboxed apps from the Windows Store, cutting off malware threats from the web.

Some have criticized the locked-down concept, but Windows 10 S is for a specific market. Unlike Windows RT, it will run on the same hardware as Windows 10, so it is possible to upgrade to Windows 10 Pro.

It removes the risk posed by some older Win32 apps, and offers a unified update mechanism for all applications it's allowed to run. It also features many of the enterprise security features of Windows 10 Pro to help IT departments manage fleets.

Microsoft's Windows 10 Creators Update white paper notes the sizable decline in drive-by downloads or exploit kits to infect machines with ransomware. Email continues to remain popular, while WannaCry and other ransomware families, such as Spora, are exploring the network to spread infections.

Microsoft breaks down Windows 10 defenses into three categories, including protections off the machine, as well as pre-breach and post-breach on machine defenses.

Off-machine security include features such as Office 365's URL detonation service and Edge browser's reputation-based download blocker.

Pre-breach on-machine defenses include Windows Defender, Device Guard, and the Antimalware Scan Interface. Its enterprise-focused post-breach tools include the Windows Defender AV behavioral engine, andWindows Defender ATP, which offer security operations a range of tools to identify, block and isolate malware before it becomes a major outbreak.

Windows 10's improved security has been central to Microsoft's efforts to convince enterprises and consumers to upgrade from Windows 7. The WannaCry outbreak and ransomware in general offer it the perfect threat to illustrate the benefits of the upgrade.

Read More

Fonction ou faille ? Comment pirater un compte Windows en moins d'une minute

 

Un chercheur en sécurité a publié une technique permettant d'obtenir le plus haut niveau d'accès sur un réseau - sans avoir besoin d'un mot de passe.

Alexander Korznikov a déclaré dans un billet de blog qu'un utilisateur avec privilèges, tel qu'un administrateur local doté de droits et d'autorisations système, peut utiliser des outils de ligne de commande intégrés pour détourner la session d'un autre utilisateur connecté disposant de privilèges plus élevés.

Selon lui, si cet autre utilisateur connecté est un administrateur de domaine, il est possible de détourner sa session, ce qui donne à cet administrateur local un accès complet au réseau, y compris les services de domaine.

L'utilisation de cette technique va éjecter l'utilisateur piraté de sa session, et ce sans avertissement, ajoute-t-il.

Korznikov explique que sa technique ne permet pas seulement d'accéder à un compte avec des privilèges plus élevés. Elle peut également être exploitée par les administrateurs système pour accéder aux comptes inférieurs, avec un accès moindre au système ou au réseau, mais connectés à des programmes hautement sensibles ou des bases de données d'entreprise.

Il détaille (édité pour plus de clarté) :

"Un employé de banque a accès à un système de facturation et à ses informations d'identification pour se connecter. Un jour, il se connecte au système de facturation et commence à travailler. L'administrateur ne devrait pas avoir accès au système de facturation, mais avec quelques commandes intégrées dans Windows, l'administrateur peut détourner le bureau de l'employé, qui est toujours verrouillé. L'administrateur peut effectuer des actions malveillantes dans le système de facturation au travers du compte de l'employé."

Korznikov a qualifié la question de "vulnérabilité à haut risque". De son propre aveu, le chercheur ignore s'il s'agit d'une fonctionnalité de Windows, ou d'une faille sérieuse.

La documentation même de Microsoft explique la portée et les limites des outils de ligne de commande utilisés dans son rapport. Mais, ces éléments stipulent que l'outil devrait échouer faute de mot de passe. La démonstration de Korznikov contredit ce point.

Le chercheur en sécurité Kevin Beaumont a confirmé le bug dans un tweet, affirmant qu'il était"très facile" de détourner des comptes.

Korznikov a déclaré avoir testé le bogue sur Windows 7, Windows 10 et Windows Server 2008 et Windows Server 2012 R2. Toutefois, d'après Beaumont, cette technique fonctionne sur toutes les versions supportées de Windows.

Korznikov n'a pas signalé la question à Microsoft.

"Tout est fait avec des commandes intégrées" dit-il. "Chaque administrateur peut se faire passer pour n'importe quel utilisateur connecté, soit localement avec un accès physique, soit à distance via Remote Desktop" commente le chercheur.

"Malheureusement, je ne sais pas s'il existe une sorte de patch ni quelles recommandations il pourrait y avoir (…) Les signalements à Microsoft peuvent prendre jusqu'à six mois pour être résolus, je voulais en informer tout le monde dès que possible" justifie Korznikov.

Korznikov n'est pas le seul à avoir fait cette découverte. Un autre chercheur en sécurité, à savoir Benjamin Delpy, a écrit une description similaire du bogue de détournement de session en 2011.

Un porte-parole de Microsoft a déclaré que le défaut présumé "n'est pas une vulnérabilité de sécurité car il nécessite des droits d'administration en local sur la machine."

Read More