upvote

points

by lousken4 hours ago |
comments
upvoteby Asmod4n3 hours ago|
next
[-]
Defender warns you this happened.
reply
upvoteby xattt3 hours ago|
prev|
next
[-]
Can this not be blocked with file permissions? Or a symlink to a file in a ro folder?
reply
upvoteby SoftTalker2 hours ago|
parent|
[-]
Most software installers demand to be run as root/Administrator.

The fact that this is largely seen as acceptable or even sensible is rather silly in this day and age.

reply
upvoteby deepsun2 hours ago|
parent|
next
[-]
Yes, and when apps do request many permissios, I just estimate how reputable the company is. A name like Adobe must be ok, right?
reply
upvoteby cmovq1 hours ago|
parent|
prev|
[-]
Software wants to be installed in C:\Program Files so that other software can’t modify their installation without admin permissions. Of course to do that your installer needs to be run as administrator which makes the whole thing rather silly.
reply
upvoteby tredre345 minutes ago|
parent|
[-]
Software installed through the Windows Store seem immutable enough even though they live in the user's AppData.

At least the system prevented me from seeing or modifying the files the last time I tried. I did not try very hard, admittedly, but by contrast modifying something in C:\Program Files is just one UAC confirmation away.

reply
upvoteby raverbashing3 hours ago|
prev|
next
[-]
I wonder how this works on Windows, if any service overrides/resets it
reply
upvoteby gjsman-10004 hours ago|
prev|
next
[-]
The hosts file is not sacred on Windows. Anyone who is administrator can just edit it. I've done it to add domain names to localhost.

For anyone hand-wringing over this, this used to be normal. The hosts file was invented a decade before DNS. The end user, or app, would edit their hosts file purposefully after downloading a master copy from the Stanford Research Institute which was occasionally updated.

reply
upvoteby jacobgkau3 hours ago|
parent|
[-]
> For anyone hand-wringing over this, this used to be normal.

People editing hosts files for other reasons was normal (a long time ago-- and it stopped being normal for valid reasons, as tech evolved and the shortcomings of that system were solved). A program automatically editing the hosts file and its website using that to detect information about the website visitor is not the same thing; that usage is novel and was never "normal."

reply
upvoteby wtallis3 hours ago|
parent|
next
[-]
In particular, manually editing the hosts file was a mostly-obsolete practice by the time the first version of Windows shipped, and certainly by the time Windows actually had a built-in networking stack. And it was always a red flag for a local app to mess with the hosts file.
reply
upvoteby anvuong2 hours ago|
parent|
next
[-]
Obsolete? My team has an onboard document that spells out lines that needed to be add to host file so they can access internal resources. These are machines directly bought/rented and maintained by the team, so we prefer to use host files instead of going through the company DNS, which is maintained by an entirely different team.
reply
upvoteby 2 hours ago|
parent|
[-]
deleted
reply
upvoteby jeffbee3 hours ago|
parent|
prev|
[-]
> manually editing the hosts file was a mostly-obsolete practice by the time the first version of Windows shipped

This claim strikes me as obviously wrong.

reply
upvoteby AnthonyMouse2 hours ago|
parent|
prev|
[-]
Programs adding entries to the hosts file is still pretty normal, e.g. if something that uses a local webserver as its UI and wants you to be able to access it by name even if you don't have an internet connection or may be stuck behind a DNS server that mangles entries in the public DNS that resolve to localhost.
reply
upvoteby mikkupikku1 hours ago|
parent|
[-]
Programs like that should just be shipped with good documentation. And applications built to be used by normies should almost certainly never be built that way in the first place.
reply
upvoteby AnthonyMouse20 minutes ago|
parent|
[-]
That seems like a pretty reasonable way to write a small cross-platform application which is intended to be a background service to begin with. You only have to create the UI once without needing to link in a heavy cross-platform UI framework and can then just put an HTTP shortcut to the local name in the start menu or equivalent. Normies can easily figure that out specifically because you're not telling them to read documentation to manually edit their hosts file.

There are also other reasons to do it, like if you want a device on the local network to be accessible via HTTPS. Getting the certificate these days is pretty easy (have the device generate a random hostname for itself and get a real certificate by having the developer's servers do a DNS challenge for that hostname under one of the developer's public domain names), but now you need the local client device to resolve the name to the LAN IP address even if the local DNS refuses to resolve to those addresses or you don't want the LAN IP leaked into the public DNS.

Or the app being installed is some kind of VPN that only provides access to a fixed set of devices and then you want some names to resolve to those VPN addresses, which the app can update if you change the VPN configuration.

reply
upvoteby hypeatei3 hours ago|
prev|
[-]
Most users won't care, especially if the Adobe installer warns them that a security warning might popup after installation. Besides, in practice, any malware editing the hosts file isn't going to get much because of HTTPS; one cannot simply redirect "google.com" traffic to their own IP without issue.
reply