← Back to context

Comment by joe_mamba

15 hours ago

>I don't know what Microsoft is thinking even allowing and enabling this sort of thing

This has been a feature since Windows 7, and it worked great since it would pull all necessary drivers after installation without you going hunting on the internet like in the Windows XP days.

Just that no HW manufacturer thought to push spyware in their driver repos at that point to improve some team's KPIs.

>and it worked great since it would pull all necessary drivers after installation without you going hunting on the internet like in the Windows XP days.

A driver shouldn't be a front-facing program that shows ads of any kind. It should be sandboxed and follow strict APIs to talk to the OS and that's it - any extra options should be shown inline in the main e.g. printer or mouse dialog.

  • And then what, ever single gaming mouse/keyboard config is going to appear in the Windows UI dialog? I think extra options in an app is fine, but you should have to download it. At which point who knows what you’ve opened yourself to but at least you chose to do it.

    • > And then what, ever single gaming mouse/keyboard config is going to appear in the Windows UI dialog?

      Actually, why not? The driver could declare a list/tree of extra configurable options, and windows could generate a configuration dialog for them. I think this is already is thing in Windows for NICs, I remember seeing TCP offload options when I go into properties for a NIC in the device manager.

      You just need to make it a bit more accessible to non-tech users and with more modern control options such as colour wheels for RGB.

      And the Linux software for these sort of devices (when such software exist) don't tend to be as bloated. Usually the driver just exposes some control files under /sys and someone else builds a GUI or such on top. But there is no reason you couldn't also expose a schema that describes what the options do to make a more generic GUI for those.

      2 replies →

    • Configurable peripherals should store their configurations entirely on-board, and they should be configurable using a well-understood protocol. Users can then use either the vendor's application, a common third-party application, or the configuration interface native to their desktop environment to configure them. When they plug them into a new machine, they should just keep working without having to install any configuration software.

      Many generations of Roccat peripherals were usable this way on Linux, thanks to the work of one generous volunteer who reverse-engineered them.

      Companies like Logitech don't store their devices' configs in firmware in a way that "forces" you to run some additional shit to use all of their features (some features aren't implemented in software). It's a convenient excuse that allows them to push their spyware onto users, but it's totally unnecessary.

      A vendor that was actually "user friendly" in the deep sense (opposite of "user hostile") would do this themselves; configuration would be upstream-first via libratbagd or whatever, and then they'd provide their own configuration interface as a value-add for a uniform cross-platform experience, or in areas where they thought they could provide a better UI than the design principles of KDE and GNOME, or so that they could have a uniform interface to refer to in their documentation.

    • >And then what, ever single gaming mouse/keyboard config is going to appear in the Windows UI dialog?

      Yes. Via some standard protocol to show checkboxes, radio buttons, drop down selections, etc.

    • Drivers should just make my stuff work. If I want to configure my hardware, I download the app from the manufacturer's website.

  • Linux users think of a driver as the thing that makes my silently hardware do the existing things its supposed to do like every other item in its class.

    Windows users think of the driver as what makes the hardware do what everything in its class does but subtly different and somehow glued to a command center with its own unique and bad GUI auto started, in the tray, with its own update schedule, and ads.

  • How exactly do you propose to sandbox drivers running in kernel space? Do you even know how drivers work? (I'm guessing no, based on this comment)

    • There are people working on this problem honestly. The general solution 10 years ago was a micro kernel. Today, I’m not sure. The linux model is starting to look dated, with similar problems elsewhere. Modern hardware design looks less and less like classic textbook design, with all kinds of random chips having direct memory access to memory the cpu uses on some shared bus. Where even things like on board blue tooth chips can become attack vectors on the system.

      There was a good keynote on the topic 5 years ago By Timothy Roscoe

      https://www.usenix.org/conference/osdi21/presentation/fri-ke...

      1 reply →

    • Microsoft has a program to do static and dynamic analysis of drivers... not a sandbox, but better than nothing. Of course, wonky drivers plus wonky hardware can still do bad things (io-mmu can help, a bit).

      The problems tend to be in the userspace software that's also installed with the driver. Sometimes there's also some pretty derpy stuff where the driver wants to talk to the userspace software but there's no validation/verification and that opens up a big hole.

    • First of all, drivers don't have to run in kernel space. Do you know that? I'm guessing no, based on your comment.

      Second, we're not talking about the drivers per se, as those aren't what shows you ads, it's the configuration software and accompanying crapware. Did you get that? I'm guessing no, based on your comment.

      Third, there are capability-based kernels, microkernels, drivers that are allowed into as restricted bytecode, IOMMU, and several other layers of security. Do you know that? I'm guessing no, based on your comment.

      6 replies →

> Just that no HW manufacturer thought to push spyware in their driver repos at that point to improve some team's KPIs.

Except for every printer, some popular GPUs, Microsoft's peripherals...

Auto-run when inserting a CD worked great, until people realized you could do bad stuff with it. User action must be required to run or install new software.

  • OK so you get a pop-up that says "install driver or it won't work" and so you do and then you're at the same situation.

    • Or you don’t and you return this piece of garbage for a refund. I hope you can see how this is much superior to auto-installing malware.