I cant comment on the article since I don't have any actual data on the subject (it doesn't seem they do either). But I do have a slightly on-topic question for HN readers using Windows in enterprise:
You can run popular Linux distributions off grid and still receive security updates via a local package repository. Can you still do something like this with Windows? Does it require an special Windows 10 version?
I think you need an Enterprise license to customise the update process. Not even Pro will do, although with that you can turn off the forced updates, which Home users can't.
It's far away the best distribution, particularly if you're one of those "everything since 7 is a pile of shit" grognards. So much of the cruft is stripped out, and it only gets security updates.
This is what I use, its amazing but still has the telemetry and all of that. I'm not sure its as stripped down as people think. SME early creators updaters saw one note ads on their ltsb file explorer.
I'm going to be switching to Linux this weekend I think.
Why would Microsoft do such a thing? It does not align with locking in and extracting resources at scale from the third world. How else do you prop up a 60billion dollar bill gates? The math does not work any other way.
I wouldn't worry too much about data leaks though. Microsft isn't the NSA or the Army where Snowden and Manning type characters sign up for patriotic reason. This is an environment much like wall street where self serving geeks sign up to exploit their intellectual dividend over the rest of society. Which as Alan Greenspan told us - it isn't in their self interest to damage the system. So nothing bad is going to happen especially since everyone else is doing it too.
He's talking about the Amazon button, not the search box integration. They do still have a referral link glued to the panel by default. But yeah, that's such a non-issue, that I don't understand either why you'd even bring it up, unless you're really trying hard to find something to cling on.
The Amazon integration in the search box isn't even a thing anymore as of 16.04 (i.e. it's now opt-in, rather than opt-out).
The only thing left from the Amazon deal is that they have a referral link on the panel by default. Takes exactly two clicks to get rid of and does not do any form of telemetry.
Wow, what a dilemma! Which one should I go for: full-bore telemetry including memory contents and keyboard events with RCE capabilities or an Amazon button that just sits there until I click it? Truly, this is like Sophie's Choice /s
I was using (explicitly marked) sarcasm to highlight the false equivalence in parent's post. Obviously the choices of OS is not limited to Windows vs. Unity on Ubuntu
Right, but your response to scummy practices was "which is why I use [other thing with scummy practices]."
I'm sure you can justify why a button isn't as bad as spyware to yourself, but to anyone who puts up with neither, the parent comment makes sense without needing to 'equate' the two. They're both not things you'd put up with; and the 'sophie's choice' (yes, I saw the tag) joke would instead just be a response for a different platform.
> Right, but your response to scummy practices was "which is why I use [other thing with scummy practices]."
This is comparing apples to oranges though: on one side we have a Unity lens that can be turned off and is restricted to searches, and on the other you have what I can only describe as a turnkey APT (RAT,RCE, process spy, device spy, keylogger, memory scraper) that cannot be switched off - how hard do you think it would be for a nation-state to 'enrich' and intercept/redirect this telemetry?
You lose a great deal of detail by intentionally avoiding the nuance of the situation: murder by starvation or Nitrogen asphyxiation is still death, but there is value in discussing the cruelty of persons who would choose one method over the other to kill, especially if one of them lets you opt-out.
Additionally, Ubuntu and Unity (host of the Amazon button) are not equivalent in any case. I use Ubuntu with KDE, others with XFCE or Gnome. So using Ubuntu in no way equates with putting up with scummy practices.
Xubuntu (with xfce instead of Unity) doesn't have that kind of thing. After you've moved panel #0 to the bottom, it's much closer to Window's UI as well.
>Engineers, with permission from Microsoft’s privacy governance team, can obtain users' documents that trigger crashes in applications, so they can work out what's going wrong. The techies can also run diagnostic tools remotely on the computers, again with permission from their overseers.
So in other words: engineering access to your personal documents (and computer) is mediated by a group of people who also shouldn't have access in the first place. Got it.
When I close my eyes, it's almost like I can vividly picture the crappy NSA PowerPoint slides that must exist, detailing "Windows telemetry exploitation" or some such. At the very least, the information has to be incredibly useful for targeting purposes.
Someone should file a mass copyright infringement suit. Did they really have permission to copy those documents? Charge them on the RIAA scale of thousands of dollars per infringing copy.
There's implications for legal discovery here too. Remember the other day when one of the documents in the Uber/Otto case was found on a user's machine? What happens when people start sending in discovery fishing expeditions to get documents from Microsoft?
Do you have a source? This is what I'm going off of.
"How do I know what's legal and what's not when it comes to copying music/movies?
Here's the bottom line: If you distribute copyrighted music/movies without authorization from the copyright owner, you are breaking the law. (Distribution can mean anything from "sharing" files on the Internet to burning copies of copyrighted material onto blank CDs, DVDs, or Flash drives, and selling or giving them to others.)"
"Subject to sections 107 through 122, the owner of copyright under this title has
the exclusive rights to do and to authorize any of the following: (1) to reproduce the copyrighted work in copies or phonorecords"
Reproduction is infringement. Distribution of copies is also infringement but carries separate penalties. There's all sorts of carveouts and caveats, but remember Sony v Betamax: it took a court case to invent the time-shift exemption that making a copy of a broadcast TV program wasn't infringement.
EULA's aren't law in my opinion, and that's what laws are: opinions, collectively. I can't be forced to agree to something that strongly violates other contracts I'm required to be a party to, in my opinion.
All we need are rulings, and the enactment of laws, to support my opinion along with the cessation of wholesale data collection by the OS vendor.
While we're waiting for that all we have is technical solutions.
Although I can run Windows 10, I cannot give them the right to copy some of the documents that I keep on the system. The copyright to those files belongs to someone else.
Correct. Also they have a tendency to revert settings to those which benefit MS more - they claim 'bugs' but their bugs always seem to benefit themselves.
It's enabled by default and it will be re-enabled by patches even if you turn it off. But nice try attempting to blame the user for Microsoft being awful.
Even if someone chose to enable telemetry, it is not reasonable to expect them to predict this level of invasive access.
I looked into this, came to the conclusion that I was screwed, then switched back to Linux.
There are some github projects and commercial programs from various anti-virus companies that try to turn off the backported telemetry, but Microsoft repeatedly thwarted such efforts over the last few years.
You might be safe from Microsoft data slurps if you run Windows XP, but it doesn't get security updates any more. Therefore, you probably shouldn't give it network access. At that point, you may as well run air-gapped windows 10.
If they are actually making copies of my documents, can anyone explain how Microsoft is not in blatant violation of the copyright laws of pretty much every country? They are actually potentially making unlawful copies of my copyrighted works, no?
Not to mention that they are undoubtedly copying trade secrets, state secrets, private patient data from hospitals, and on, and on, and on...
This seems like it should be an actual big deal. How is it allowed to continue?
Laws around copyright and state secrets don't have this idea of "using the data" you refer to. They focus on copying, since "using the data" would involve showing intent, which is hard to do.
ISP's have argued that transmitting data doesn't count as making intermediate copies (even though router buffers do make copies), and the courts have largely bought that argument.
(Also, there are laws specifically covering searching mail; the post office doesn't have to make legal arguments one was or another about it.)
> ISP's have argued that transmitting data doesn't count as making intermediate copies, and the courts have largely bought that argument.
And yet, the only reason EULAs are valid is because some court decided that copying software from the disk to memory for execution counts as making intermediary copies...
"By accepting this agreement and using the software you agree that Microsoft may collect, use, and disclose the information as described in the Microsoft Privacy Statement (aka.ms/privacy), and as may be described in the user interface associated with the software features."
You gave them permission to do all those things when you didn't cleanse your machine with fire after that automatic win 10 upgrade, even though you didn't have the legal authority to do so.
I think that means you'll be the one going to jail in your hypothetical scenarios.
I haven't read the EULA for windows 10, but I can't imagine the Microsoft legal team didn't think of this.
Jesus fucking christ! What are they thinking! I cannot comprehend how an organization of Microsoft's size was able to deploy this without huge internal pushback.
There's really no excuse for any of the HN crowd to be running this garbage. It's RCE as a feature! Linux, Linux, Linux, guys.
actually, win7 64b should be enough for few more years (till 2020) if one prefers win platform, no? (games, drivers, lightroom and so on... wine is not the proper way for many)
I'm really curious what you're imagining the corporate structure to be like here - what kind of "internal pushback" are you envisioning?
In particular, I don't see engineers as particularly getting paid to or even having access to the parameters of the specs they're fulfilling. Anyone bothering to wonder would likely just assume the system they'd be working on to do this would be fully covered by 'legal' in specific agreements with firms to track that info, or if asked would be told that the spec is what it is and not anything about the use case.
Legal, meanwhile, isn't going to take money to tell MS what they can't or 'shouldn't' do; but rather just to ensure they don't have exposure in doing whatever they want to do.
So I guess that just leaves the leadership - which you could argue you're surprised by, if the board/C-levels/etc were individuals particularly known for being privacy-oriented. (Yeah. At Microsoft.) Meanwhile, you have a likely strong potential profit motive in a platform able to shift that kind of control to devs, though at the 'cost' of potentially losing privacy-concerned users - and their profit motive believes they can just EEE those users out of a market of competing products, so they give the go-ahead.
So if there's a 'pushback' module that failed in this scenario, perhaps I don't see it; but I don't really see at what point you'd expect something like this to be 'stopped' internally.
I seriously hope not. That sounds like a really fucked up culture, that's definitely not normal. Moral integrity as an engineer should cause you to speak up regardless of your salary and with enough internal noise higher ups should rethink their strategy.
"Moral integrity" doesn't really have anything to apply to to the day-to-day work of an engineer. A moral compass can't work without a magnetic field of context.
Considering most engineers' main concern is just to meet a spec and get it shipped, I don't really see how the burden of ethical justification falls to them, when they don't even necessarily know how it'll be used. Can't really see how they could act as moral gatekeepers in a corporate structure.
Engineering tends to assume it works for the "good guys", and I suspect the people that rolled this out did not consider NSL's and the other onerous legal implications of giving themselves access to everyone's hard drives.
I'm not saying it is right, but I suspect a lot of naive engineers and middle management designed the telemetry system.
They produced a product most people cannot use in good conscience; in the long run, it will be Microsoft's loss.
We humans are so lacking in moral integrity that we participate in wars, domestic violence, substance abuse, abuse of power, organised crime, the list of morally reprehensible shenanigans we get up to is as long as you want it to be.
Thinking the average software developer at large-software-company is an angel and prepared to put their head on the chopping block is fanciful.
>We humans are so lacking in moral integrity that we participate in wars, domestic violence, substance abuse, abuse of power, organised crime, the list of morally reprehensible shenanigans we get up to is as long as you want it to be.
What are you getting at? Are you telling me that I shouldn't think poorly of people who participate in wars, domestic violence, substance abuse, abuse of power, and organized crime?
>Thinking the average software developer at large-software-company is an angel and prepared to put their head on the chopping block is fanciful.
Healthy companies don't have a chopping block they put your head against for speaking up. Jesus christ people.
> What are you getting at? Are you telling me that I shouldn't think poorly of people who participate in wars, domestic violence, substance abuse, abuse of power, and organized crime?
Probably just that you should recognize that the human potential for depraved self-interest being what it is, arguing for what "should be and can be" will never supplant what is, because 'what is' has a near-endless supply of eager workers to support it.
> Healthy companies don't have a chopping block they put your head against for speaking up
"The chopping block" equates to being fired and not able to earn enough to pay off student loans/debts/bills, which are potential costs to a person in the software engineering position you describe as the one that 'should be' taking a stand for your ethics. Job market forces will simply replace this person with minimal cost, and the effort will keep humming along without them.
Not everyone has the privilege of being able to think of idealism and earnings as a tradeoff. Many in the field are trying to earn their way to a better life than the one in their past home, for their families, etc. Idealism is several steps beyond what they can (literally) afford to be thinking about.
There's really no excuse for any of the HN crowd to be running this garbage
I wish this were true, but it just isn't, sorry. In reality there are excuses. E.g. we have both old and new hardware lying around which can only be programmed/debugged by Windows. There is no alternative except for maybe spending tons of man-hours trying to reverse engineer the shit out of it and come up with something vastly inferior (but, yay, runs on linux). Or again spending tons of time 'correcting' the original choice of these devices and entire eco-system built around it over the years and switch to something which does have linux support. So: no alternative. Less prominent alternative-wise but still going strong: Visual Studio. And also the pretty-much-everything-just-works principle. Now this doen't really make me love Windows, but does illustrate there are reasons for the HN crowd using it. (next to linux in my case).
give me one example of any legacy system that can only be debugged or accessed by a windows 10 computer and i will send you $100 in bitcoin, right now.
No. You choose to use Windows. You choose to use shitty hardware that doesn't work with free software. You choose to use Visual Studio (protip: dev on Linux is better than on Windows even without VS). You choose, and you have chosen wrong.
Have I really? I'm verry happy with my job so that choice an sich wasn't wrong. Oh yes I started that job and entered into a world where it was mostly Windows (that, and the hardware had been chosen already btw). Well, it's ok for you to have the opinion that the young me was doing wrong by not having looked further for another job where there's no trace of Windows, but given that young me hardly even knew Linux existed that sounds pretty ridiculous. Also, stop making silly assumptions and giving false protips. You have no clue how much of my time is divided between Linux/Windows/Mac nor how much experience I have with developping on Linux, nor what kind of software, so your generalizations have no ear here.
You're making plenty of assumptions about me. I started in the Microsoft world. I was a frequent attendee and speaker at local MS user groups and conferences, a volunteer at TechEd, and I sat on the review board for the C#, ASP.NET MVC, Entity Framework, and Azure certification exams.
I have the same background as you and I still think you're wrong here.
So should we be filtering our applications to companies who are hiring by their dev environment? (Nah man I'm for it, let's kick the platform holy wars into gear again lol)
As I mentioned elsewhere, idealism is all well and good but pragmatic realities are often all that the people 'in the intermediary' can or will concern themselves with. You're not going to make much headway convincing them that an available option that served their purposes was 'wrong'.
Frankly, we're lucky to have Linus Torvalds et al. continuing development of the Linux kernel etc. as FOSS endeavours. Between the pushes for internet fast lanes, against it being a utility here, against hardware hacking, and so on, we're basically on borrowed time from corporate conglomerates having the right-of-way as far as tech governance goes.
I wonder if the folks from the EFF will stick around once they can no longer avoid being outlitigated and outbankrolled at every turn, or if they have a backup country they're heading to.
>So should we be filtering our applications to companies who are hiring by their dev environment? (Nah man I'm for it, let's kick the platform holy wars into gear again lol)
Yes. All your comment is doing is excusing away ethical failures. The most ethical path isn't always the easiest one.
While I don't know how far your advocacy will go in business environments for which nearly every actor - applicants, employers, customers - in the majority operate on pragmatic considerations, and in markets which destroy any non-pragmatic actors for them; but I applaud your efforts and look forward to hearing about any progress you make on this issue.
You've still failed to convince me that there exists a "morality" mechanism that failed in Microsoft's case, per my original question, by the way. The simple fact of the matter is that they're not concerned with morality, and so long as you continue to believe in it as 'existing' in a corporate world without being able to point to 'where', you'll find that shock you felt in your initial comment more often than you'd like.
>While I don't know how far your advocacy will go in business environments for which nearly every actor - applicants, employers, customers - in the majority operate on pragmatic considerations, and in markets which destroy any non-pragmatic actors for them; but I applaud your efforts and look forward to hearing about any progress you make on this issue.
This doesn't have to be true. What should and can happen is that more people take the high road, especially technical people, and work to lower the barrier of entry and make it more practical to join them on the high road.
>You've still failed to convince me that there exists a "morality" mechanism that failed in Microsoft's case, per my original question, by the way. The simple fact of the matter is that they're not concerned with morality, and you'd be a fool to think otherwise.
I don't think otherwise, obviously. The difference between us is that it matters to me.
> This doesn't have to be true. What should and can happen is that more people take the high road
"Doesn't have to be" is not "is" for a reason. What "is" evolved from what "was", and what 'was' was a system that had such efforts competing with profit-motivated ones.
As I said, the market environment is one inherently toxic to those who do not prioritize profit margins - as those who do not are eventually outmoded, outmarketed, outpriced, or (at net loss) simply outwaited by those who have the bigger bankroll (or the biggest sharks capable of working from 'credit' on the backs of investor confidence).
It's not sustainable because those who 'try and take the high road' are punished with failure (and those who do not rewarded) by the simple 'agnostic' market forces generally aggregating the desire to narrow margins. Efforts to outlive that motive have existed in the past, and will likely exist in the future, but do not last because they cannot compete with that motive.
> I don't think otherwise, obviously.
Yet you believe them to have 'failed' to address the morality issue internally (which you expressed surprise at. Believing they would do otherwise?); which you ascribed to the programmers who worked on the software. They don't necessarily know what the work product's end use/implementation will be; that knowledge is likely 'kept on a need to know basis' away from them; and to somehow escape the market forces they're subject to to 'take a bigger stand' against.
Many people could and would starve taking such a stand, and it would not stop the system or slow it one whit; it would keep grinding on with further applicants to the field who do forego morality in lieu of bread on the table.
As I asked elsewhere [0], if you have some idea for how "morality" can be introduced by such actors into their decision process without jeopardizing their livelihoods - I'm sure they would happily hear you out over your third option which would allow them to have both. But if you cannot, I'd warn that asserting "what matters to them" is not as much as "what matters to you", even knowing that no route exists for them to support the cause you tell them they don't 'care' about. That would only serve to alienate them from your message.
Airgap 7 for debugging/interoperability; refactor on a modern OS that isn't W10. Problem?
If your business relies on legacy software that can't be refactored without prohibitive cost, you're probably about to be 'disrupted' by something anyway.
I have a mission-critical DLL with functionality I can't replicate due to patents. It's not about cost. It's due to the patent holder not wanting an alternative in the market place.
This actually sounds like a good use for WINE. If the DLL has few external dependencies, it could probably be made reliable enough for mission critical stuff.
I'd have to pass validation on a non-conforming platform according to the manufacturers documentation. Good luck with convincing regulatory bodies of that.....
> When I close my eyes, it's almost like I can vividly picture the crappy NSA PowerPoint slides that must exist, detailing "Windows telemetry exploitation" or some such
With approval from the gods-on-high at Microsoft, you can stop imagining and have your application fetch those slides for you! :D
Opt out is much easier for Apple products. Did you know you can't disable cortana? On the other hand, upon enabling Siri in macOS, you're presented with a lengthy warning about privacy policy and such. It's obvious which OS values your privacy more
So the issue is "sometimes software won't respect your privacy, you will be aware of this and can change it or use something else." That's not an issue.
Just compare their privacy policies. Microsoft's makes basically no exceptions for things that they may do with your data. Apple's still reads like it actually tries to outline a sane piece of software.
One Windows 10 version that many people are ignorant of is Windows 10 for education, which is based on the enterprise edition. It has the ability to disable almost all data collecting / advertising features . Cortana doesn't even exist on this version. If you can grab this, and most university or college students should be able to for free, it'll be a big improvement in privacy.
Edit: from what I recall, Microsoft stated that advertising didn't have a place in education, or something to that effect
7 is quite supported. MS just arbitrarily decided a few weeks ago to don't allow Windows Update if you have a too modern processor, which makes absolutely no sense whatsoever from a technical POV (and which, I guess, will trigger development of tools to fake the ID of an other processor for that purpose, if that's possible), but if you have an "old enough" computer you can continue to use 7 until end of extended support, which is January 14, 2020.
This absurd policy decision shows that the Win 10 market share is not as high as they hoped, BTW.
Im sure we all only got ourselves to blame for our victim shame. After all, we could have just stayed away from those computers - or installed Linux, which is ridiculous expensive if you price your own time in at minimum wage.
Microsoft is absolutely out of control with this shit. I was recently flipping through BI articles and came across this [0]. “Using data from millions of its subscribers … The findings come from people who use Microsoft Word and/or Outlook”. WTF? Sure enough, I opted out of telemetry but that apparently doesn’t include the content of business documents and email. 7 clicks to find that option. I guarantee you 99% of Office 365 users have no idea this is happening.
Microsoft customers aren’t getting scroogled, they are getting straight fucked. Not only are they slurping everything imaginable up, but actual people are going through the data and doing stories on business insider.
My problem is I actually like their products. I’m cheering for the day the EU (the US won’t do anything so sadly I have to cheer for a foreign government) wakes up and slaps them around. Hopefully it’s hard enough to get them to change their ways.
I don't think one is better than the other, but it comes down to average user's expectations from cloud software and from desktop software.
My last company was very paranoid about security. Things like never leaving your desktop unattended, changing password every 4 weeks, encrypted disks, encrypted emails, forbidding most of cloud services... All the while happily using Windows and Outlook.
Also, although Google knows everything about me, they have so far managed to prevent security incidents, leaks and embarrassing deals (apart being forced to provide backdoor to NSA). They seem to know what they are doing security-wise.
Ahh, the "Relevant Ads" button. No matter which way it turns, you still get adds. I am tempted to ask "Is this button broken /s?" but I know it's a feature and not a bug.
I wonder how this compares to Android while using Google's services and accepting their terms (admittedly I allow everything by default). Is anyone aware of such analysis?
The problem is you can't really trust that it is actually turning it off. It could literally just be telling you that while shutting nothing off or shutting down some reporting while still keeping others.
There is just no way to know, MS is noe completely untrustworthy in my opinion, and it should be treated as compromised.
Did you try running Little Snitch lately? There's at least 5-6 daemons that keep contacting Apple and reporting on you on mac as well. And pretty much every 3rd party app uploads behaviour analytics without the ability to turn it off as well.
I installed Little Snitch for cracked Adobe suite, but holy fuck the constant barrage of daemons trying to connect made me disable it completely. Albeit most of them seemed to be related to iCloud or app updates
This is my experience as well with Adobe CC. At least 10 different daemons, some of them instances of node.js constantly connecting to adobe-owned IPs. Some of them even using very high amounts of CPU. Turning everything off from the CC settings didn't even make a difference.
I don't want fucking software I paid for to make my PC a part of a botnet, so I deleted all their stuff and tried to cancel my subscription to CC. I couldn't do that because their terms allow them to charge your credit card for the remainder of the year, even if you receive no service. After a few angry emails with a supervisor they finally agreed to cancel my subscription.
It won't work. Switch to a free operating system. Microsoft will just keep pushing updates with more opt-out spyware. If your threat model includes Windows, you have no security.
For ShutUp10 at least (and probably the others): Yes.
Microsoft resets settings when updates happen. The application explicitly warns you about this. And indeed, I ran the application before and after receiving the 'Creators Update' in my VM & some telemetry settings had been reactivated.
In reality you can bet there will be NSL's and other legal tools used to co-opt this stuff for more noble aims, like defending against terrorism and protecting our children via fishing expeditions and secret gag orders.
If you already have access to the things I type and my metadata includes the websites I visit, you don't really need to phish me to get my credentials.
If a service also happens to not support 2FA and doesn't have some sort of account activity section, you can effectively have control of me over that service, without me ever doing anything wrong and me not even suspecting a thing.
Inkling meant fish, as in the legal enforcement sense of using an unrelated charge to obtain a warrant which is then used to fish for evidence of a more serious crime.
Seems like one more reason to let Microsoft be purely for work related stuff, on your work machine, where our network admin (who has a God complex) is already poking through everything I do or save.
It's also scary how easy it is, on any version of Windows, to make a keylogger. Any application can log keystrokes with ease... It's like 20 lines of c# code.
It's a consequence of the old security thinking where programs were installed by a "trusted administrator". Everything run by a user is assumed to be sound. The only way to prevent this is either aggressive limiting of features and sandboxing, like in the web browser.
(Any windows application running as the user can also remote-control and surveil any other windows application through windows messages.)
Google is the master of this. Every piece of software they have keeps logs of everything you do, every key you type and every button you push and what devices you're connecting from and who you talk to and where you are and what you're doing at all times. Neither Microsoft nor Google can be trusted in that department.
The only company that tries at all to respect your privacy is Apple. Google has a photo album with facial recognition and automatic tagging and the ability to search based on what the subject of the picture is, but it requires that you upload all your pictures to their servers so they can search through them. Apple does the same thing but the pictures never leave your device.
You'd never expect to see Microsoft or Google get up on stage and say "we're intentionally giving up an entire revenue stream because we respect your privacy". Instead they subsidize the cost of their software with privacy invasion and then brag about how much better value for the money their products are.
The original title of this post was "The sheer amount of data Windows 10 sends from your PC".
Which was shorted from the article title "Put down your coffee and admire the sheer amount of data Windows 10 Creators Update will slurp from your PC"
But now he HN title got changed to "Official list of phoned-home info revealed by Microsoft" whih is misleading or let's say down-playing the whole story. The story is more than yesterdays HN story, it shades a not so nice picture about what really happen.
The "Official list of phoned-home info revealed by Microsoft" is the subheading from the article, and offers a neutral tone compared to the biased headline of "The sheer amount of data Windows 10 Creators Update will slurp from your PC".
While general consensus will likely be that that it is too much data collection, it's more ethical - from a journalism standpoint - to allow each reader to decide that for themselves based on the facts. I find it odd that The Register used a biased headline, while delegating the unbiased phrase to the role of a subheading. I suspect the neutral subheading was provided by the author of the article, while the headline was manufactured by someone whose job it is to drive traffic/views.
> I find it odd that The Register used a biased headline, while delegating the unbiased phrase to the role of a subheading.
The only thing odd about that is that The Register has a more neutral tone in it's subheading than normal. The main headline is using the default Register style (and if you go to the Reg's front page, you'll see plenty of tabloid-esque subheadings).
I suspect that since this has been the Reg's modus operandi for years, that there's no need for an editor to write headlines by now - the staff writers know what's expected and probably use the house style already. If anything, it's the po-faced subheading that's likely to have been tampered with on an ad-hoc basis.
Isn't it a bit of a pathetic approach to tackle this topic with: How can we turn off this telemetry craziness.
Shouldn't we USE something that just does not scan you're stuff at all. Like Linux or something?
Sure it might not be that well round up like Win. But at least it will not penetrate your bum hole by design and will become round up eventually.
Well, I try to for most applications, but I'm actually moving my wife's laptop back to windows. Linux was fine for most things, but when something breaks or doesn't work, I have to fix it - and I don't have the time. Getting hardware like Bluetooth or external touchscreens to work is an absolute nightmare with the state of driver support.
Try getting enterprise version, no ads nothing and no phoning back home. If you care add a firewall rule for microsoft.com and other datacollection sites.
What do you mean by "doesn't work well on a lot of laptop hardware"?
I'm using Lenovo Yoga 510, not Ubuntu-certified, two-in-one device with a touchscreen and a dedicated graphics card. Sure, there's no such thing as a tablet mode in any of the Linux distributions at the moment, but it works. WiFi works. Touchscreen works. Open source graphics driver works. Battery usage has no noticeable difference compared to Windows.
In my three or four years of running Ubuntu-based distributions, I'm yet to find a single laptop where WiFi / sound card / touch screen or any other piece of laptop hardware that doesn't work.
I'm only using linux, and any company-provided laptop I've been using after 2010, at least a different one every year, was working without any driver issue. This included various models of HP, Dell and Lenovo. I'm currently on a brand new Lenovo Yoga X1, again with absolutely no issue whatsoever.
Does anyone have experience with Linux certified laptops?
I was looking at a Linux-friendly ultrabook at the Microsoft store, and the win 10 trackpad drivers did not support scrolling on the display model. facepalm
I guess my question is whether windows laptops are actually less troublesome than preloaded/known-good linux laptops, in practice.
Well, moving to Linux is kind of too obvious to even discuss, at least on HN. I'm sure, there's a huge number of people who've already moved over to Linux, just silently reading through the comments.
Handling classified data on an unapproved network is both illegal and a serious security violation in every environment I have worked in. If you have that going on, Windows phoning home is the least of your worries.
Oh wow, TIL! On another note, I have some blinker fluid for sale. Guaranteed to lubricate your turn signal or I'll refund double!
It is protocol for classified data to only remain on isolated systems. There are stickers[0] (numbers as standard forms SF-706 through SF-712 if I'm not mistaken) to designate the status of certain media. If you think all of this media stays within its designation (including isolation), you are sorely mistaken.
As I said elsewhere, media being attached to an unapproved network is a serious violation. Once that material hits the lower network it is in serious danger of compromise. The behavior of Windows is irrelevant.
You could also try making your point without being a snarky asshole.
I was referring to the huge controversy over whether Hillary Clinton was storing classified info in regular email (which seems to have resolved as "no" just after the election). The Trump administration seems even more likely to store classified info on regular systems, if they're not passing it directly over to the Russians.
As I said in other places, that is a serious matter and puts such information at serious risk in any circumstances. Whether or not Windows phones home is irrelevant if the people handling classified information are allowed to do so in a careless manner.
The problem of classified information being on a system where it could be set back to Microsoft in the manner described in the article is that the information is on that network in the first place, not that Windows might send it to Redmond. The latter just makes cleanup and remediation a bit harder.
It is probably also a violation of your employment agreement, which almost certainly says you can't send trade secrets to random Microsoft engineers.
I suspect it violates Sarbanes Oxley and various insider trading statutes, assuming you work at a publicly traded company and have access to non-public information that impacts financial results.
Not just foreign governments, but what about highly regulated industries like healthcare or finance.
They're one config error away from having insider trader information or someone's STD test result in a log file that might live forever and be accessible by dozes if not hundreds of in-house devs tasked with improving parts of Windows. Or, even worse, a 3rd party dev given access to the crash reports for their app so they can fix a problem.
I'm sure lots and lots of safeguards in place to prevent the above, but just not collecting the data would be the most comforting approach.
All this on top of the fact that you can't disable the Store unless you have an Enterprise license. I am forced to spend money on a product for employees that includes advertisements for games and other huge distractions. Not to mention all the preinstalled stuff for small businesses who don't buy imaged machines.
There needs to be an "Windows 10 Actually Pro" level that is below enterprise but is what Pro used to mean.
I would be extremely interested in how they maintain HIPAA compliance in insurance shops.
Having worked with universal logging in that context, it was eventually decided to be too much of a risk and we specifically neutered any features that would trigger HIPAA issues out of our product.
Customers are going to screw up configs. And when HIPAA charges you with $damages x number of releases, inadvertent logging can add up fast.
EDIT: Unless MS got their logging center HIPAA certified and has a special contract they sign with insurance shops. Not impossible, but seems improbable.
How does a moral compass help the engineer whose spec says "If DEBUG_SEND_CRASH_INPUT is defined at build time, send the content of all files opened by the crashing process to the telemetry server."? How are they supposed to know that the flag will be enabled in the release build, causing their code to exfiltrate user documents to Microsoft?
I believe this is what nebabyte means by
> A moral compass can't work without a magnetic field of context.
Exactly. It's not like it's even going to be 'a devil in the details' kind of thing; once the mechanisms are built, they could be used securely or maliciously depending on any number of factors such as presets.
The engineer isn't necessarily going to get a play-by-play of the big picture - just what they need to know to get their part built - so expecting some moral stand against the final product they probably weren't part of the meeting on sounds absurd.
Unless you are working in a fully compartmentalized organization (e.g. the NSA), engineering doesn't happen entirely in isolation. I agree that the complexity of computers can obscure what any piece of the whole will eventually responsible for, but engineers should still be considering the ethical implications that are visible, especially the global nature of the project itself.
Regarding "telemetry" specifically, it should be obvious that designing something that automatically exfiltrates random data is a potentially serious security issue. It shouldn't be transmitting anything without explicit permission. It is irresponsible to assume that a preset represents intent and the informed consent of the user. Even when permission has been given, care should be taken to limit collection to only what is needed and log entries about what was sent should be created. Yes, even on debug builds.
> The engineer isn't necessarily going to get a play-by-play of the big picture
Maybe you should ask for that before taking the job. You don't need to know every detail, but it's negligent to work on a project without at least some understanding of what the big picture goals are.
--
My point is that you do know some things about the projects you are working on. You need to consider not only what your designs do, but also how it may be used, which may not be what you originally intended. You no longer have the luxury of pretending engineering work is entirely isolated from political and social consequences. Those consequences will vary greatly in magnitude and are probably good in many situations, but it's irresponsible to ignore them entirely. The entire concept of "disruptive" startups relies on the existence of those consequences and how strongly they impact society.
I encourage everyone to watch this[1] talk from 30c3 (or read the transcript[2]), which discusses this topic.
Hu, you seriously believe Windows is developed like this, with an army of entry level programmers writing code from an ultra-detailed spec for a product they don't know? (and then what, they use Linux and Mac at home, probably?)
At least your theory would explain why some parts of the OS are so shitty :p
How do you envision 'morality' working in the corporate context for an engineer, then?
Do you fault them for not asking their boss each time they are assigned some work how it will be used, with what presets and so on, and refusing to do it if it doesn't meet their standards?
I don't think I've made any mention of the work I do nor will I; I'm just trying to understand why you think the buck of 'morality' even generally exists in a corporate context, let alone why it stops at some likely mid-level engineer, who likely was just given a vague usage model of a mechanism to build without the 'need to know' information that would raise the moral dilemmas.
If you absolutely have to use Windows (like me) is it possible to block all the telemetry at the router level, maybe somekind of hardware firewall? Do we have a list of IPs to blacklist?
Reports from earlier indicate that they don't use the hosts file (or purportedly even DNS) for OS processes like telemetry and update. You'd have to do it at a higher level.
Yes it could, according to reports from people. Separate device (firewall on router e.g.) will help though.
Some low-level hacking could help as well, no guarantees and i didn't hear positive reports yet
I've blocked as many telemetry domains as I can find as well as applied Blackbird and O&OSU10 and I still get minor updates and security updates (Defender included) fine.
I've deferred major upgrades at this point though because the last two hosed a few things on my system and reset a load of stuff I'm probably still in the process of finding out about.
The article doesn't have a full list, it has a set of examples. The technet pages linked in the article don't have a full set of information either.
I have the distinct impression that regardless of settings, some data gets sent.
I also have the distinct impression that the data will be for sale - the usefulness of a good portion of the data is questionable and some would only be useful for application developers.
What the list does have enough of ... is enough information for adversarial parties to want to target it.
It's not that hard to stop using windows. More people should.
For those thinking Enterprise and/or Education may be better, it's only better if you're using it in an environment where privacy settings are enforced via Group Policy or some other method. Standalone (like I'm running it) is really not much better than Pro unless you go through and manually intervene.
For example, the default telemetry level is "Enhanced":
"The Enhanced level gathers data about how Windows and apps are used and how they perform. This level also includes data from both the Basic and Security levels. This level helps to improve the user experience with the operating system and apps. Data from this level can be abstracted into patterns and trends that can help Microsoft determine future improvements.
This is the default level for Windows 10 Enterprise and Windows 10 Education editions, and the minimum level needed to quickly identify and address Windows, Windows Server, and System Center quality issues." [1]
On a fresh install of Windows 10 Enterprise I still have to manually disable updates by disabling/setting permissions on scheduled tasks for updates and I'm still prompted for things like "Use OneDrive!". Cortana is also enabled by default.
It is a real problem for the industry that people are clinging to that embarrassing anti-thesis of an operating system, no matter what is published about it, they still try to find a way to sell some kind of their religious fake believe that it is possible to trick MS in their own house.
It is also very alarming that people from "tech communities" like this one are "defending" their use of an inferior fake operating system instead of just simply shutting up and being ashamed of their technical ignorance. But I hope most of these "it is anyway a great thing" posts are just pro marketing guys, I personally have not met one respectable tech person that would burn its name to propagate that MS anti-os.
If your school or educational institute still depends on that failed OS, please help them to understand the importance of Free Software, thanks!
> It is also very alarming that people from "tech communities" like this one are "defending" their use of an inferior fake operating system instead of just simply shutting up and being ashamed of their technical ignorance. But I hope most of these "it is anyway a great thing" posts are just pro marketing guys, I personally have not met one respectable tech person that would burn its name to propagate that MS anti-os.
Being condescending about Windows pro users will for sure boost the adoption of your preferred OS and raise awareness about the FSF ideals.
You'll have a better chance if you change your tone and use ethical reasons for using alternative operating systems. From a technical point of view Linux is not better or worse than Windows or macOS. Take this from someone that uses all three of them for work.
Some troubling sounding ones;
- All the physical memory used by Windows at the point of the crash
- URL for a specific two second chunk of content if there is an error
- Image & video resolution, video length, file sizes types and encoding
- URLs (which may include search terms)
- Ink strokes written, text before and after the ink insertion point, recognized text entered
- Time and result of each connection attempt (WiFi)
- Mobile Equipment ID (IMEI) and Mobile Country Code (MCCO)
- Whether the user clicked or hovered on UI controls or hotspots
221 comments
[ 5.6 ms ] story [ 192 ms ] threadYou can run popular Linux distributions off grid and still receive security updates via a local package repository. Can you still do something like this with Windows? Does it require an special Windows 10 version?
I'm going to be switching to Linux this weekend I think.
I wouldn't worry too much about data leaks though. Microsft isn't the NSA or the Army where Snowden and Manning type characters sign up for patriotic reason. This is an environment much like wall street where self serving geeks sign up to exploit their intellectual dividend over the rest of society. Which as Alan Greenspan told us - it isn't in their self interest to damage the system. So nothing bad is going to happen especially since everyone else is doing it too.
Here are some other sources: http://www.omgubuntu.co.uk/2016/01/ubuntu-online-search-feat...
https://www.howtogeek.com/188589/5-things-you-need-to-know-a...
The only thing left from the Amazon deal is that they have a referral link on the panel by default. Takes exactly two clicks to get rid of and does not do any form of telemetry.
I'm sure you can justify why a button isn't as bad as spyware to yourself, but to anyone who puts up with neither, the parent comment makes sense without needing to 'equate' the two. They're both not things you'd put up with; and the 'sophie's choice' (yes, I saw the tag) joke would instead just be a response for a different platform.
This is comparing apples to oranges though: on one side we have a Unity lens that can be turned off and is restricted to searches, and on the other you have what I can only describe as a turnkey APT (RAT,RCE, process spy, device spy, keylogger, memory scraper) that cannot be switched off - how hard do you think it would be for a nation-state to 'enrich' and intercept/redirect this telemetry?
You lose a great deal of detail by intentionally avoiding the nuance of the situation: murder by starvation or Nitrogen asphyxiation is still death, but there is value in discussing the cruelty of persons who would choose one method over the other to kill, especially if one of them lets you opt-out.
Additionally, Ubuntu and Unity (host of the Amazon button) are not equivalent in any case. I use Ubuntu with KDE, others with XFCE or Gnome. So using Ubuntu in no way equates with putting up with scummy practices.
edit: expanded and split 2nd paragraph
So in other words: engineering access to your personal documents (and computer) is mediated by a group of people who also shouldn't have access in the first place. Got it.
When I close my eyes, it's almost like I can vividly picture the crappy NSA PowerPoint slides that must exist, detailing "Windows telemetry exploitation" or some such. At the very least, the information has to be incredibly useful for targeting purposes.
There's implications for legal discovery here too. Remember the other day when one of the documents in the Uber/Otto case was found on a user's machine? What happens when people start sending in discovery fishing expeditions to get documents from Microsoft?
"How do I know what's legal and what's not when it comes to copying music/movies?
Here's the bottom line: If you distribute copyrighted music/movies without authorization from the copyright owner, you are breaking the law. (Distribution can mean anything from "sharing" files on the Internet to burning copies of copyrighted material onto blank CDs, DVDs, or Flash drives, and selling or giving them to others.)"
http://dmca.ucr.edu/faqs.html
"Subject to sections 107 through 122, the owner of copyright under this title has the exclusive rights to do and to authorize any of the following: (1) to reproduce the copyrighted work in copies or phonorecords"
Reproduction is infringement. Distribution of copies is also infringement but carries separate penalties. There's all sorts of carveouts and caveats, but remember Sony v Betamax: it took a court case to invent the time-shift exemption that making a copy of a broadcast TV program wasn't infringement.
EULA's aren't law in my opinion, and that's what laws are: opinions, collectively. I can't be forced to agree to something that strongly violates other contracts I'm required to be a party to, in my opinion.
All we need are rulings, and the enactment of laws, to support my opinion along with the cessation of wholesale data collection by the OS vendor.
While we're waiting for that all we have is technical solutions.
I installed Windows 10 on a computer last week and every single privacy option was set to the more invasive default. I had to change them all.
Nope. I don't care how much MS pretends to change. They are still scum.
* Defender slows my compile time down by a good 30-50%
* No interest in providing contents of my files to Microsoft.
Antivirus are terrible pieces of software that prevents triviality you shouldn't have downloaded in the first place.
Edit: sorry quoted wrong article.
Although the change from previous versions is that you get the "Full-Basic" switch on the initial setup screen.
edit: it's the same setup screen that is shown in the article (The Register). I guess you must have been reading some other article.
Even if someone chose to enable telemetry, it is not reasonable to expect them to predict this level of invasive access.
I permanently have this remove_crw.cmd to uninstall some windows 7 update on my desktop and I'm unclear whether it could be outdated.
There are some github projects and commercial programs from various anti-virus companies that try to turn off the backported telemetry, but Microsoft repeatedly thwarted such efforts over the last few years.
You might be safe from Microsoft data slurps if you run Windows XP, but it doesn't get security updates any more. Therefore, you probably shouldn't give it network access. At that point, you may as well run air-gapped windows 10.
Not to mention that they are undoubtedly copying trade secrets, state secrets, private patient data from hospitals, and on, and on, and on...
This seems like it should be an actual big deal. How is it allowed to continue?
ISP's have argued that transmitting data doesn't count as making intermediate copies (even though router buffers do make copies), and the courts have largely bought that argument.
(Also, there are laws specifically covering searching mail; the post office doesn't have to make legal arguments one was or another about it.)
And yet, the only reason EULAs are valid is because some court decided that copying software from the disk to memory for execution counts as making intermediary copies...
Go figure.
"By accepting this agreement and using the software you agree that Microsoft may collect, use, and disclose the information as described in the Microsoft Privacy Statement (aka.ms/privacy), and as may be described in the user interface associated with the software features."
I think that means you'll be the one going to jail in your hypothetical scenarios.
I haven't read the EULA for windows 10, but I can't imagine the Microsoft legal team didn't think of this.
There's really no excuse for any of the HN crowd to be running this garbage. It's RCE as a feature! Linux, Linux, Linux, guys.
I'm really curious what you're imagining the corporate structure to be like here - what kind of "internal pushback" are you envisioning?
In particular, I don't see engineers as particularly getting paid to or even having access to the parameters of the specs they're fulfilling. Anyone bothering to wonder would likely just assume the system they'd be working on to do this would be fully covered by 'legal' in specific agreements with firms to track that info, or if asked would be told that the spec is what it is and not anything about the use case.
Legal, meanwhile, isn't going to take money to tell MS what they can't or 'shouldn't' do; but rather just to ensure they don't have exposure in doing whatever they want to do.
So I guess that just leaves the leadership - which you could argue you're surprised by, if the board/C-levels/etc were individuals particularly known for being privacy-oriented. (Yeah. At Microsoft.) Meanwhile, you have a likely strong potential profit motive in a platform able to shift that kind of control to devs, though at the 'cost' of potentially losing privacy-concerned users - and their profit motive believes they can just EEE those users out of a market of competing products, so they give the go-ahead.
So if there's a 'pushback' module that failed in this scenario, perhaps I don't see it; but I don't really see at what point you'd expect something like this to be 'stopped' internally.
Considering most engineers' main concern is just to meet a spec and get it shipped, I don't really see how the burden of ethical justification falls to them, when they don't even necessarily know how it'll be used. Can't really see how they could act as moral gatekeepers in a corporate structure.
I'm not saying it is right, but I suspect a lot of naive engineers and middle management designed the telemetry system.
They produced a product most people cannot use in good conscience; in the long run, it will be Microsoft's loss.
We humans are so lacking in moral integrity that we participate in wars, domestic violence, substance abuse, abuse of power, organised crime, the list of morally reprehensible shenanigans we get up to is as long as you want it to be.
Thinking the average software developer at large-software-company is an angel and prepared to put their head on the chopping block is fanciful.
What are you getting at? Are you telling me that I shouldn't think poorly of people who participate in wars, domestic violence, substance abuse, abuse of power, and organized crime?
>Thinking the average software developer at large-software-company is an angel and prepared to put their head on the chopping block is fanciful.
Healthy companies don't have a chopping block they put your head against for speaking up. Jesus christ people.
Probably just that you should recognize that the human potential for depraved self-interest being what it is, arguing for what "should be and can be" will never supplant what is, because 'what is' has a near-endless supply of eager workers to support it.
> Healthy companies don't have a chopping block they put your head against for speaking up
"The chopping block" equates to being fired and not able to earn enough to pay off student loans/debts/bills, which are potential costs to a person in the software engineering position you describe as the one that 'should be' taking a stand for your ethics. Job market forces will simply replace this person with minimal cost, and the effort will keep humming along without them.
Not everyone has the privilege of being able to think of idealism and earnings as a tradeoff. Many in the field are trying to earn their way to a better life than the one in their past home, for their families, etc. Idealism is several steps beyond what they can (literally) afford to be thinking about.
I wish this were true, but it just isn't, sorry. In reality there are excuses. E.g. we have both old and new hardware lying around which can only be programmed/debugged by Windows. There is no alternative except for maybe spending tons of man-hours trying to reverse engineer the shit out of it and come up with something vastly inferior (but, yay, runs on linux). Or again spending tons of time 'correcting' the original choice of these devices and entire eco-system built around it over the years and switch to something which does have linux support. So: no alternative. Less prominent alternative-wise but still going strong: Visual Studio. And also the pretty-much-everything-just-works principle. Now this doen't really make me love Windows, but does illustrate there are reasons for the HN crowd using it. (next to linux in my case).
I have the same background as you and I still think you're wrong here.
As I mentioned elsewhere, idealism is all well and good but pragmatic realities are often all that the people 'in the intermediary' can or will concern themselves with. You're not going to make much headway convincing them that an available option that served their purposes was 'wrong'.
Frankly, we're lucky to have Linus Torvalds et al. continuing development of the Linux kernel etc. as FOSS endeavours. Between the pushes for internet fast lanes, against it being a utility here, against hardware hacking, and so on, we're basically on borrowed time from corporate conglomerates having the right-of-way as far as tech governance goes.
I wonder if the folks from the EFF will stick around once they can no longer avoid being outlitigated and outbankrolled at every turn, or if they have a backup country they're heading to.
Yes. All your comment is doing is excusing away ethical failures. The most ethical path isn't always the easiest one.
You've still failed to convince me that there exists a "morality" mechanism that failed in Microsoft's case, per my original question, by the way. The simple fact of the matter is that they're not concerned with morality, and so long as you continue to believe in it as 'existing' in a corporate world without being able to point to 'where', you'll find that shock you felt in your initial comment more often than you'd like.
This doesn't have to be true. What should and can happen is that more people take the high road, especially technical people, and work to lower the barrier of entry and make it more practical to join them on the high road.
>You've still failed to convince me that there exists a "morality" mechanism that failed in Microsoft's case, per my original question, by the way. The simple fact of the matter is that they're not concerned with morality, and you'd be a fool to think otherwise.
I don't think otherwise, obviously. The difference between us is that it matters to me.
"Doesn't have to be" is not "is" for a reason. What "is" evolved from what "was", and what 'was' was a system that had such efforts competing with profit-motivated ones.
As I said, the market environment is one inherently toxic to those who do not prioritize profit margins - as those who do not are eventually outmoded, outmarketed, outpriced, or (at net loss) simply outwaited by those who have the bigger bankroll (or the biggest sharks capable of working from 'credit' on the backs of investor confidence).
It's not sustainable because those who 'try and take the high road' are punished with failure (and those who do not rewarded) by the simple 'agnostic' market forces generally aggregating the desire to narrow margins. Efforts to outlive that motive have existed in the past, and will likely exist in the future, but do not last because they cannot compete with that motive.
> I don't think otherwise, obviously.
Yet you believe them to have 'failed' to address the morality issue internally (which you expressed surprise at. Believing they would do otherwise?); which you ascribed to the programmers who worked on the software. They don't necessarily know what the work product's end use/implementation will be; that knowledge is likely 'kept on a need to know basis' away from them; and to somehow escape the market forces they're subject to to 'take a bigger stand' against.
Many people could and would starve taking such a stand, and it would not stop the system or slow it one whit; it would keep grinding on with further applicants to the field who do forego morality in lieu of bread on the table.
As I asked elsewhere [0], if you have some idea for how "morality" can be introduced by such actors into their decision process without jeopardizing their livelihoods - I'm sure they would happily hear you out over your third option which would allow them to have both. But if you cannot, I'd warn that asserting "what matters to them" is not as much as "what matters to you", even knowing that no route exists for them to support the cause you tell them they don't 'care' about. That would only serve to alienate them from your message.
[0] https://news.ycombinator.com/reply?id=14059446&goto=item%3Fi...
If your business relies on legacy software that can't be refactored without prohibitive cost, you're probably about to be 'disrupted' by something anyway.
Obviously. But by that time we'll have switched to something better already.
With approval from the gods-on-high at Microsoft, you can stop imagining and have your application fetch those slides for you! :D
Also imagine the bandwidth requirements, for many people such a backup would run forever without completing.
Edit: from what I recall, Microsoft stated that advertising didn't have a place in education, or something to that effect
This absurd policy decision shows that the Win 10 market share is not as high as they hoped, BTW.
Hardware Firewall on a separate machine it is.
This used to be the case, but it's no longer so. The latest version of Education (1703) includes Cortana.
Microsoft customers aren’t getting scroogled, they are getting straight fucked. Not only are they slurping everything imaginable up, but actual people are going through the data and doing stories on business insider.
My problem is I actually like their products. I’m cheering for the day the EU (the US won’t do anything so sadly I have to cheer for a foreign government) wakes up and slaps them around. Hopefully it’s hard enough to get them to change their ways.
http://www.businessinsider.com/microsoft-data-the-most-confu...
My last company was very paranoid about security. Things like never leaving your desktop unattended, changing password every 4 weeks, encrypted disks, encrypted emails, forbidding most of cloud services... All the while happily using Windows and Outlook.
Also, although Google knows everything about me, they have so far managed to prevent security incidents, leaks and embarrassing deals (apart being forced to provide backdoor to NSA). They seem to know what they are doing security-wise.
I've seen various lists on reddit, HN etc - but they all seem to have different bits.
Perhaps a GitHub Gist that can be crowdsourced to help people ensure they get every single hidden option turned off?
2. It's one option clearly in the setup and system preferences and easily disabled.
Neither of those is true for Windows 10.
I don't want fucking software I paid for to make my PC a part of a botnet, so I deleted all their stuff and tried to cancel my subscription to CC. I couldn't do that because their terms allow them to charge your credit card for the remainder of the year, even if you receive no service. After a few angry emails with a supervisor they finally agreed to cancel my subscription.
What a shady POS company.
http://getblackbird.net/
and
https://www.oo-software.com/en/shutup10
and
http://winaero.com/comment.php?comment.news.1836
Microsoft resets settings when updates happen. The application explicitly warns you about this. And indeed, I ran the application before and after receiving the 'Creators Update' in my VM & some telemetry settings had been reactivated.
>events generated by the operating system, and your "inking and typing data."
Sounds like a key logger virus, but then built-in the OS? Is this for real?
In reality you can bet there will be NSL's and other legal tools used to co-opt this stuff for more noble aims, like defending against terrorism and protecting our children via fishing expeditions and secret gag orders.
If you already have access to the things I type and my metadata includes the websites I visit, you don't really need to phish me to get my credentials.
If a service also happens to not support 2FA and doesn't have some sort of account activity section, you can effectively have control of me over that service, without me ever doing anything wrong and me not even suspecting a thing.
It's a consequence of the old security thinking where programs were installed by a "trusted administrator". Everything run by a user is assumed to be sound. The only way to prevent this is either aggressive limiting of features and sandboxing, like in the web browser.
(Any windows application running as the user can also remote-control and surveil any other windows application through windows messages.)
The only company that tries at all to respect your privacy is Apple. Google has a photo album with facial recognition and automatic tagging and the ability to search based on what the subject of the picture is, but it requires that you upload all your pictures to their servers so they can search through them. Apple does the same thing but the pictures never leave your device.
You'd never expect to see Microsoft or Google get up on stage and say "we're intentionally giving up an entire revenue stream because we respect your privacy". Instead they subsidize the cost of their software with privacy invasion and then brag about how much better value for the money their products are.
Which was shorted from the article title "Put down your coffee and admire the sheer amount of data Windows 10 Creators Update will slurp from your PC"
But now he HN title got changed to "Official list of phoned-home info revealed by Microsoft" whih is misleading or let's say down-playing the whole story. The story is more than yesterdays HN story, it shades a not so nice picture about what really happen.
While general consensus will likely be that that it is too much data collection, it's more ethical - from a journalism standpoint - to allow each reader to decide that for themselves based on the facts. I find it odd that The Register used a biased headline, while delegating the unbiased phrase to the role of a subheading. I suspect the neutral subheading was provided by the author of the article, while the headline was manufactured by someone whose job it is to drive traffic/views.
The only thing odd about that is that The Register has a more neutral tone in it's subheading than normal. The main headline is using the default Register style (and if you go to the Reg's front page, you'll see plenty of tabloid-esque subheadings).
I suspect that since this has been the Reg's modus operandi for years, that there's no need for an editor to write headlines by now - the staff writers know what's expected and probably use the house style already. If anything, it's the po-faced subheading that's likely to have been tampered with on an ad-hoc basis.
Ubuntu LTS is really hard to break unless you're constantly screwing around. The same happens on windows.
Don't complain about community-supported distros. Buy a commercially supported distribution with long term releases, and you're set.
I'm using Lenovo Yoga 510, not Ubuntu-certified, two-in-one device with a touchscreen and a dedicated graphics card. Sure, there's no such thing as a tablet mode in any of the Linux distributions at the moment, but it works. WiFi works. Touchscreen works. Open source graphics driver works. Battery usage has no noticeable difference compared to Windows.
In my three or four years of running Ubuntu-based distributions, I'm yet to find a single laptop where WiFi / sound card / touch screen or any other piece of laptop hardware that doesn't work.
I was looking at a Linux-friendly ultrabook at the Microsoft store, and the win 10 trackpad drivers did not support scrolling on the display model. facepalm
I guess my question is whether windows laptops are actually less troublesome than preloaded/known-good linux laptops, in practice.
They're one config error away from sending classified data to Microsoft.
That being said, I would prefer to be able to block telemetry on my paid Professional version too.
No they aren't, because classified data is only handled on isolated networks.
classified data should only be handled on isolated networks.
It is protocol for classified data to only remain on isolated systems. There are stickers[0] (numbers as standard forms SF-706 through SF-712 if I'm not mistaken) to designate the status of certain media. If you think all of this media stays within its designation (including isolation), you are sorely mistaken.
[0]: https://c1.staticflickr.com/3/2519/4092997449_c37ceb0491_b.j...
You could also try making your point without being a snarky asshole.
The problem of classified information being on a system where it could be set back to Microsoft in the manner described in the article is that the information is on that network in the first place, not that Windows might send it to Redmond. The latter just makes cleanup and remediation a bit harder.
I suspect it violates Sarbanes Oxley and various insider trading statutes, assuming you work at a publicly traded company and have access to non-public information that impacts financial results.
They're one config error away from having insider trader information or someone's STD test result in a log file that might live forever and be accessible by dozes if not hundreds of in-house devs tasked with improving parts of Windows. Or, even worse, a 3rd party dev given access to the crash reports for their app so they can fix a problem.
I'm sure lots and lots of safeguards in place to prevent the above, but just not collecting the data would be the most comforting approach.
All this on top of the fact that you can't disable the Store unless you have an Enterprise license. I am forced to spend money on a product for employees that includes advertisements for games and other huge distractions. Not to mention all the preinstalled stuff for small businesses who don't buy imaged machines.
There needs to be an "Windows 10 Actually Pro" level that is below enterprise but is what Pro used to mean.
Having worked with universal logging in that context, it was eventually decided to be too much of a risk and we specifically neutered any features that would trigger HIPAA issues out of our product.
Customers are going to screw up configs. And when HIPAA charges you with $damages x number of releases, inadvertent logging can add up fast.
EDIT: Unless MS got their logging center HIPAA certified and has a special contract they sign with insurance shops. Not impossible, but seems improbable.
I believe this is what nebabyte means by
> A moral compass can't work without a magnetic field of context.
The engineer isn't necessarily going to get a play-by-play of the big picture - just what they need to know to get their part built - so expecting some moral stand against the final product they probably weren't part of the meeting on sounds absurd.
Regarding "telemetry" specifically, it should be obvious that designing something that automatically exfiltrates random data is a potentially serious security issue. It shouldn't be transmitting anything without explicit permission. It is irresponsible to assume that a preset represents intent and the informed consent of the user. Even when permission has been given, care should be taken to limit collection to only what is needed and log entries about what was sent should be created. Yes, even on debug builds.
> The engineer isn't necessarily going to get a play-by-play of the big picture
Maybe you should ask for that before taking the job. You don't need to know every detail, but it's negligent to work on a project without at least some understanding of what the big picture goals are.
--
My point is that you do know some things about the projects you are working on. You need to consider not only what your designs do, but also how it may be used, which may not be what you originally intended. You no longer have the luxury of pretending engineering work is entirely isolated from political and social consequences. Those consequences will vary greatly in magnitude and are probably good in many situations, but it's irresponsible to ignore them entirely. The entire concept of "disruptive" startups relies on the existence of those consequences and how strongly they impact society.
I encourage everyone to watch this[1] talk from 30c3 (or read the transcript[2]), which discusses this topic.
[1] https://media.ccc.de/v/30C3_-_5491_-_en_-_saal_1_-_201312272...
[2] http://opentranscripts.org/transcript/no-neutral-ground-burn...
At least your theory would explain why some parts of the OS are so shitty :p
But I'm not buying it anyway.
I don't think I've made any mention of the work I do nor will I; I'm just trying to understand why you think the buck of 'morality' even generally exists in a corporate context, let alone why it stops at some likely mid-level engineer, who likely was just given a vague usage model of a mechanism to build without the 'need to know' information that would raise the moral dilemmas.
Looks like 'my data' will soon be something strange, and suspicious.
A slightly safer version of Windows is Enterprise LTSB but I don't think you can legally buy it as an individual.
edit*: and it's extraordinarily expensive
I work at Microsoft, though have nothing to do with the development of Windows*
//edit: typo
https://github.com/MichiMunich/Windows10-Privacy
Looks like it has been updated to include some additional functionality (like update control) since I last used it.
I've deferred major upgrades at this point though because the last two hosed a few things on my system and reset a load of stuff I'm probably still in the process of finding out about.
https://news.ycombinator.com/item?id=13344318
I have the distinct impression that regardless of settings, some data gets sent.
I also have the distinct impression that the data will be for sale - the usefulness of a good portion of the data is questionable and some would only be useful for application developers.
What the list does have enough of ... is enough information for adversarial parties to want to target it.
It's not that hard to stop using windows. More people should.
I mostly used it to block the Windows 7 telemetry that they backported.
I don't know how up-to-date they're keeping it, though. I fear Microsoft is adding more hooks faster than Spybot can block them.
Then again, with IME etc, who siphons more? We've gone wildly wrong somewhere that this is the norm. Wildly wrong.
For example, the default telemetry level is "Enhanced":
"The Enhanced level gathers data about how Windows and apps are used and how they perform. This level also includes data from both the Basic and Security levels. This level helps to improve the user experience with the operating system and apps. Data from this level can be abstracted into patterns and trends that can help Microsoft determine future improvements.
This is the default level for Windows 10 Enterprise and Windows 10 Education editions, and the minimum level needed to quickly identify and address Windows, Windows Server, and System Center quality issues." [1]
On a fresh install of Windows 10 Enterprise I still have to manually disable updates by disabling/setting permissions on scheduled tasks for updates and I'm still prompted for things like "Use OneDrive!". Cortana is also enabled by default.
[1] https://technet.microsoft.com/en-us/itpro/windows/configure/...
It is also very alarming that people from "tech communities" like this one are "defending" their use of an inferior fake operating system instead of just simply shutting up and being ashamed of their technical ignorance. But I hope most of these "it is anyway a great thing" posts are just pro marketing guys, I personally have not met one respectable tech person that would burn its name to propagate that MS anti-os.
If your school or educational institute still depends on that failed OS, please help them to understand the importance of Free Software, thanks!
Being condescending about Windows pro users will for sure boost the adoption of your preferred OS and raise awareness about the FSF ideals.
You'll have a better chance if you change your tone and use ethical reasons for using alternative operating systems. From a technical point of view Linux is not better or worse than Windows or macOS. Take this from someone that uses all three of them for work.
- Image & video resolution, video length, file sizes types and encoding
- URLs (which may include search terms)
- Ink strokes written, text before and after the ink insertion point, recognized text entered
- Time and result of each connection attempt (WiFi)
- Mobile Equipment ID (IMEI) and Mobile Country Code (MCCO)
- Whether the user clicked or hovered on UI controls or hotspots