84 comments

[ 1.8 ms ] story [ 118 ms ] thread
I know some Windows 7 holdouts, who either prefer the interface or they're against telemetry. That was a defensible position as long as 7 was still under security support, but these findings put an end to that. Time to switch, and -1 trust in Microsoft's lifecycle statements.
But why don't they just switch to Windows 8? It solves all their problems.

/s

Basically are if they’re moving to 10. It’s more or less a re-skin with added telemetry & Cortana. Personally I preferred 8 to 7, I guess the touchscreen oriented metro interface was enough for desktop purists to recoil in horror. Was really only “hardcore” gamers who were holder-outers anyway
On a serious note, it seems like I was the only one who actually liked the Windows 8 start screen. Being able to rearrange your start menu was a killer feature for me, instead of searching for everything or pinning all my stuff to desktop.
Windows 8 is a case study in first impressions and how much people hate change. It is superior to 7 in nearly all regards (the app/store infrastructure being a notable exception), and its UI is nearly identical to 7.

But people couldn't get over the Start screen, even though it can be disabled. It's really amazing how much flack it got.

It's nice to see I'm not the only person who doesn't mind 8.
I liked 8.1 a lot I.0 was a bit rough
It got flak because of the random hodge podge of menu screens that could to decide if they were desktop or tablet oriented. Also getting thrown into full screen apps, the “charms”, and the broken windows store were other favorite targets of criticism. All this for basically no visible improvements if you weren’t using a tablet/laptop hybrid.
I might be downvoted since this is just a random anecdote, but at work I've seen a lot of computers having a specific performance issue on Windows 8. The symptoms were Task Manager showing disk usage at or near 100% with the total throughput being around 2 MB/s on an otherwise idle system. The files being accessed were the swap file (although the system had enough free memory) and sometime Office Click to Run stuff. It also happens when the system is not idle, so it's not a random background job.

I thought it was fixed in Windows 10, but I've just seen it happen on a low-end laptop. My theory is that so many developers have SSDs now and almost nobody tests on an HDD. That $300 laptop feels unusable, much worse than Windows 7 has ever felt.

This issue has been reported in many places (e.g. https://www.drivereasy.com/knowledge/fix-100-disk-usage-in-t...), but most of those solutions don't work.

The other thing that bugs me is the start menu search sometimes not working.

Anyway, my point was that between the Windows and Office telemetry (the latter nobody mentions), random Store apps getting installed automatically and long-standing issues such as these, there are other valid reasons to dislike Windows 8/10 than "fear of change".

Windows 7 still has about 50 % market share. That's more than just some holdouts, over all.
In my experience much of that is corporations which are always slow to switch. Almost all the people who buy windows machines I know have gotten windows 10
Look at the lifespan of a corporate pc. 3-5 years before warranty, risk management end and they’re replaced. Often the OS is not upgraded in between. Plus Corp software that depends on everything down to how obscure system dll versions. So we are looking at 2020 before most are migrated probably
The enterprises I've known have upgraded en mass and 3-5 year hardware cycles are ... generous.
I was guessing the 3-5, for us it 3 and 4(3 laptops/4 desktops). Do you mean the replace HW faster or slower?

It depends on size, we have over 60,000 computers and before End of Support for XP we moved to 7 in under a year. That was a kick in the butt and Win10 has been far quicker. It's the standard and almost everything deployed gets it, but there are always stranglers who are slower. You have to take from other projects to do a mass upgrade and it can be a hard sell when it will happen on the systems renewal schedule anyways.

You can't actually buy new copies of Windows 7 anymore, I don't think, so that doesn't exactly say much.

And well, in this case, corporations aren't just slow to switch, they're also still investigating, if they can actually even use Windows 10 due to the increased telemetry.

For many companies, deploying Windows 10 would mean breaking contract requirements or the law.

Just two weeks ago, the ministry for data privacy of Bavaria released a report, that hey, they can actually legally use Windows 10 Enterprise, given a list of tweaks that have to be made in each deployment.

And then the addendum was that new privacy laws are going to become active next year, so at that point, these results are completely irrelevant, again. I expect the next report on Windows 10 being usable (or not) in two years from now.

The magic version is "Windows 10 IoT Enterprise LTSB", which provides a whole bunch of toggles not available in the regular version.

Despite saying IOT in the name it's really intended for POS systems.

Gp was speaking specifically about some holdouts they know.
We need a cultural shift in this industry away from thinking it’s OK to run outdated and vulnerable software. “Why should we upgrade? $OLD_VERSION works fine!” Yeah, and driving a car with no seatbelts or airbags works fine too... until it doesn’t.
Sure that's great, but air bags and seat belts also come with cameras that record your behavior and report back to the auto manufacturer. And ads.
And the install process has a non-negligible chance of bricking your car until you get it towed back to the dealer.
And uninstall process is like "Burnett deleted the new Paint 3D, a system app, which he is entirely entitled to do. He found the system restored it and added a firewall rule allowing it network access."
But Windows 7 is still being supported (or so they say).
Many people running Windows 7 aren't "in this industry" -- they're ordinary people trying to use their computers to do work, or play games, or keep in touch with other people. What our industry needs to do is stop building software full of crap (ads, spyware, bugs) people don't want. If the software is good, people will upgrade.
If 10 wasn't seen as an enormous downgrade people would treat the vulnerability issues more seriously. Just the other day I saw a huge powershell script whose purpose was to remove all the bloatware (which apparently re-installs itself on its own if you uninstall it normally). I don't want to bother with that stuff...

And on top of that you have the telemetry, endless horror stories of forced restarts for updates, updates resetting settings and/or degrading performance (which took 5 months to resolve in the case of the Creators Update: https://betanews.com/2017/09/11/windows-10-game-performance-...)...7 works like clockwork, with no bullshit.

>And on top of that you have the telemetry, endless horror stories of forced restarts for updates, updates resetting settings and/or degrading performance (which took 5 months to resolve in the case of the Creators Update: https://betanews.com/2017/09/11/windows-10-game-performance-...)...7 works like clockwork, with no bullshit.

And that's why you get LTSB, which have no "feature updates", only security updates for 10 years. Although one disadvantage is that the release schedule is sporadic (there was one in 2015, 2016, and the next one is in 2019). I guess you could also use get the pro edition and choose "defer upgrades", which buys you ~6 months before having to install a feature upgrade.

> And that's why you get LTSB

That's why you wish you could get LTSB, but you can't unless you're a large corporation. For most users, it's not a solution, it's a tease.

You can get LTSB on an Open Business license. That's a minimum 5 license purchase to open the agreement.

I'm not arguing that Windows 10 LTSB is easy to get or economical, but I've put it into a couple pretty small companies. It's definitely not geared toward home users, but it's not just "large corporations" either.

I’ve said it before - large org - they hate LTSB because (at least the first release) was so crippled it was near unusable.
In what respects do you find the LSTB version to be crippled? Most people seem to view it as the version that introduces the fewest unwanted features. What's missing that enterprises (or power users) actually want?
A built in web browser that’s newer than IE11?
Windows 10 LTSB, at least at the pricing level the companies I work with get, is >$300 / seat. That's a steep price to get the basic level of control that came with OEM Windows 7 Professional.
It seems like Microsoft has "learnt" from Chrome and the whole web-apps ecosystem where the users are conscripted into accepting continuous updates. I don't doubt that the average user is better off, but they should be making escape-hatches available for the technical folks who wish to exert a greater level of control over machines they administer.
Except that the average user has moved on to phones and tablets. Desktops stick around for office workers, gamers, and content creators. The last two are the kind of people who want control over their computer to improve their experience/workflow, and the first one is supported by IT that wants control over their users' computers to improve their users' experience/workflow.

Microsoft has done nothing good for their customers with the bullshit path they've taken since Windows 8.

I am happy with Windows 10, as of now. They have done good, in my opinion. But then again, I usually switch OSs once MS has released a service pack or two, so I can't say if it was as big of a shitshow as people claimed it was in the begining.
It's still a shitshow, believe me. If you can't see it it is only because you don't work with it as often as others.

Google "Windows 10 start button stopped working" and spend a good 20 minutes reading forum posts about the problem. What you'll find is typical of Windows 10: there are no good answers for why it happens, the only consistent solution is to reinstall the OS, and it has been a problem for years and still hasn't been fixed. Meanwhile, they did take the time to remove "Control Panel" as an option when right-clicking the start button, and add a feature that begs you to try Edge when you set another browser as default.

I get months of uptime without any issues, and I use it every single day.
You can’t get months of uptime on Windows 10 because it restarts for updates all the time.
Which you can turn off on most versions. (Most people don't need multi-month uptimes either, but the forced reboot thing is bad enough that scheduling the updates manually is the most sane thing to do. I'm not sure what the best UX to get people to keep their systems up-to-date is, but Win10s current one isn't it)
I manually manage updates via the provided configuration options. I think my last reboot was 3 months back.
The initial release was very buggy, but all of the major issues have been fixed by now.
Yeah, and driving a car with no seatbelts or airbags works fine too... until it doesn’t.

People still ride motorcycles, many times more dangerous, which proves that (IMHO fortunately) safety/security is NOT the only thing that everyone cares about.

The general authoritarianism in the comments here, and implication that everyone always and only wants "more secure", while neglecting all the other factors, is a bit unsettling...

As the old saying goes, "Those who sacrifice freedom for security deserve neither."

It is one of the greatest failings of our industry that we are apparently incapable of constructing programs that are in any sense "complete" due to requiring vast amounts of upkeep just to ensure their most basic possible property: that their semantics are defined completely by their source code and not inputs (as is not the case with programs containing remote code execution or escaping bugs like SQL injections, XSS, etc). This constant upkeep not only has an enormous cost in terms of time spent modifying these programs to move them asymptotically closer to a version with clearly defined semantics, but (unlike other classes of bugs which involve incorrect behavior that do not have implications for security) produce an air of mistrust and a general malaise and lack of confidence in all software.

One direct implication of this fact, for programs which must be constantly updated to fix their security flaws, is that because the only semblance of trust and security you can obtain in using this software comes from its popularity and reputation (because these things generally mean a large amount of resources can be spent auditing and testing ("many eyes make all bugs shallow"), and because a large userbase means that any bugs found will be more valuable and more difficult to find, and thus less likely to be used against people who are not profitable to be hacked, which is most people), viably forking large projects becomes impossible without a similar or proportional amount of resources to the original project. Without that, having confidence in the new project becomes much more difficult, because you cannot receive an assurance that bugs found in the original project will be fixed in the fork, and because bugs found in the fork might be easier to find (because of less thorough testing, because of fewer resources) and so of less value, and so have a higher chance of ending up in the hands of low-level skiddies who might use them even less responsibly than e.g. the NSA (who has never directly installed ransomware on anyone's computer, that I know of). None of this of course is mentioning the effect this culture of fear and mistrust (and its basis in reality) has on computer users who truly are valuable targets, and must use computers to do their job knowing full well that they are a mire of both intentional and unintentional security vulnerabilities and that somewhere out there exists a string of exploits that can be used to exfiltrate their IP address and send them straight to the gulags.

Another cost of this unfortunate facet of computer programming is that for programs which cannot be directly updated (for example, their source code is not available), modifying them so that they are closer to a version with clearly-defined semantics is extremely difficult, involves specialized skills which are not possessed by most programmers, and generally just doesn't happen very often. Although one could also make this an argument in favor of source code availability, in any case this is a very common occurrence.

So, I don't think at all that the problem is this culture of foolishly thinking that we actually know how to write programs - the problem is that we can't. The solution then, at least in the long term, is learning how to write complete programs that do not require constant adjustments in order to ensure clearly defined semantics, not to just figure out how to stay afloat better in this horrifying quagmire of shifting quicksand that we've built the foundations of computer software on.

I think the fact that consumers don't feel like they have an alternative is a problem. Also, remember many people use their computers for purposes that require no security measures be taken. Who cares if someone hacks a computer that is only used for excel and casual web-browsing?
it's not about the use-case of the victim, it's about the system resources it adds to the pool for the attacker to use as they wish.

Now add "offline" to your list and i'd agree. Every online node is a potential threat not to just the direct victim but to potentially anyone else on the net.

(comment deleted)
(comment deleted)
I've been watching my friend deal with Windows 10 shenanigans for over a year. Occasionally he'll get it to a frozen point where it won't secretly update and break everything, won't transmit all sorts of information to HQ, and won't reinstall Candy Crush. He's convinced that most malware would be more respectful with his hardware resources than that OS. When you make the prevention worse than the disease, don't be surprised that the disease gets an upper hand.
> Who cares if someone hacks a computer that is only used for excel and casual web-browsing?

I’d say most users would care if all their Excel documents got encrypted by some ransomware. Backups help, but they’re not a silver bullet, and the type of unsophisticated user you’re depicting probably doesn’t have them anyway.

Aside from that - does that casual web browsing include anyone checking their email? If so, now the attacker can probably get full access to their email account(s). Even a purely automated attack can send spam or scams to the user’s contacts, which is bad, though arguably not the end of the world. If a human attacker is targeting the user individually, they can do much worse - starting with using the email account as a stepping stone to all their other accounts, and limited only by their imagination. I suppose that most users aren’t likely to be targeted in that way, but you never know.

You can always switch to Ubuntu.
But Windows 7 is still under security support and will be till Jan 2020. (See here: https://support.microsoft.com/en-us/help/13853/windows-lifec...)
Misparse, I think. Both "was"es refer to the state of using 7 being defensible. Maybe a better phrasing: Using 7 would have remained defensible as long as it had security support, but now even that's insufficient. Alternatively, the parent argues that 7 is de facto unsupported now no matter what Microsoft claims.
This is a great breakdown. Are you using any specific cognitive techniques or patterns/habits that help you do this?
I suspect reading... and Poe's law.
Less crunchy than Cole's Law.
That’s some delicious snark and all, but if it were only that simple. In general, most people tend to be oblivious to—perhaps even motivated to miss—when the source of a disagreement might be linguistic confusion rather than actual disagreement.
Time for class action.
Telemetry was backported to 7/8.

I imagine it's not as bad as the 10 telemetry, but still, it's there.

Removing the telemetry on Windows 7 (or 8.1, where I'm at) is far easier than the questionably effective flaming hoops you have to jump through to do the same on 10. It's a matter of uninstalling a few updates and that's more or less it. I've disabled automatic updates as well, but check daily to make sure I'm up to date as far as security is concerned.
I've long suspected that Microsoft (and other large players) only most eagerly support their latest product. Long-term support is only done begrudgingly. In Microsoft's case, I recall a few Office updates over the past 2yrs that boned up Outlook 2013 for some folks but relatively few affected Outlook 2016.
Windows 7 is still supported. Geez. It came out in >>2009<<.

Also, Windows 10 bricks every one of my lower end computers. Windows Defender, Telemetry, and more eat 100% disk usage. It's indefensible. Worse, Windows 10 refuses to let you CORRECT the problem. They make new user accounts that are ABOVE the user's top permissions so you have to go to insane lengths to disable a service.

And I say all of this as someone who professionally supports Microsoft installations. There's NO need to defend Microsoft in places that don't need it. They're big boys. They should just get their shit together and handle criticism.

Like why did it take 15+ years to get proper rescalable command prompt, or virtual desktops? I've got literally dozens upon dozens of stories of Microsoft products being half invented, half completed and half reliable, and MSDN documents that companies rely on for $$$ decisions that end up being erronious or conflicting with other KB articles.

I don't get this recent usage of "brick." Unless it cooks the CPU or is otherwise non-bootable after installing 10, persisting even through other boot media, that isn't a brick. I've seen upgrades fail due to many issues including prior OS corruption and failing storage media, but clean installs of Windows 10 work nearly every time on nearly any hardware that supports ACPI. Driver issues notwithstanding, I don't see anything to support your assertion that Windows 10 bricks lower end PCs. And if the hardware is older than that, it isn't worth your time to even install any other OS on, is it? Diminishing returns.

Not meant to be a criticism, I'm just curious what specific issues you were having that you articulate as bricking.

Does someone know a reliable source of the windows telemetry story today. Googling gives a huge bunch of articles which are out of date, or filled with random assertions from random people. I would be very gratefull for: * Exact, technical-level details of what each windows version (7-8-10) is monitoring ('Basic Health and Quality' says nothing). * How to disable it. So it stays off * And some kind of technical proof (Like a wireshark trace or something)
Things tend to change anyway. You never know what Microsoft will roll out tomorrow.

> Microsoft has responded to claims that its Windows 10 Enterprise operating system ignores user preferences in Group Policy with the advice that, basically, it does and you shouldn't meddle with it.

> On Monday, we revealed that a security researcher had used a packet sniffer to show that many settings designed to prevent access to the internet were being ignored with connections to a range of third-party servers

https://www.theinquirer.net/inquirer/news/3010547/microsoft-...

It's more than just telemetry or the interface. It's about taking some step forwards, and many more steps backwards.

Sure, they made an OS that was better for the world because it forces options that mitigate the damage computer illiterate users were doing but at the expense of usability for power users.

For example, picking and choosing windows updates is a much worse process in Windows 10. There's a lot more bloat in general that is a lot harder/more annoying to turn off than the bloat in previous versions of Windows.

There are design choices that make working around bugs harder. For example, my friend currently has a serious performance hit if Windows Defender's real time monitoring is on. Windows 10 can automatically turns real time monitoring back on if you turn it off, even if you set a group policy and registry settings to disable it.

He'll probably end up disabling Windows Defender entirely just because Microsoft can't trust users to manage their own settings.

> For example, picking and choosing windows updates is a much worse process in Windows 10.

That’s because this is a bad idea for almost all users: it increases the odds of updates not being installed or people having problems due to an untested combination of updates which wouldn’t have happened if they’d installed everything.

Similarly, if Windows Defender does have a notable performance issue beyond what’s typical for AV as a class, the right way to avoid it is to install a separate AV rather than running an Internet-connected system without it.

What increases the odds of people not installing updates is low quality. Microsoft can’t be trusted anymore not to break two things for every one problem they fix.
I agree that the risk is real but your second sentence is unhelpful hyperbole. Yes, there’s room for improvement but that’s just not true – and I say that as someone who stopped personal use of Microsoft’s operating systems when I switched to DR-DOS.

Exaggerating the scale does nothing other than lower your credibility.

Does it happen that Microsoft breaks two things when they fix one thing?
Seems like a good question for the person making that claim to answer with data.
This isn’t Wikipedia. Google it for yourself, and if you don’t believe me, keep on not believing.
Wikipedia doesn’t have an exclusive license for evidence-based discussion. If you can’t back a big claim up, ask what value you’re really contributing.
I see that the two they fixed disclosed more memory than expected - but is that enough reason to fix it? It seems like you’d probably want a complete POC before fixing them. Or are there common POCs that these obviously fall into?
Kernel memory disclosure pretty much always provides an easy way to bypass kernel address randomization (KASLR).
For those not fully aware of why; if you can get a copy of a section of the kernel stack (which should have been zeroed but wasn't) you'll get the kernel memory (which is different from user memory) addresses of function calls, data structures, etc which then allow you target where to insert your own code / data. In other words it allows you to accurately hijack kernel functions and/or compromise kernel data structures, e.g. change the owner of a kernel object, process or task. It's half of what you need to compromise the kernel (you now know where to inject code/data). The other is having a way to inject code/data.

EDIT - grammar fix.

I'm still trying to work out when they fixed this:

https://bugs.documentfoundation.org/show_bug.cgi?id=62764

They got memory dumps from me, but never got back to me about it. It was incredibly poor form, I literally rebuilt systems from scratch to get them the memory dumps, and they never even told me if it helped.

Pretty shitty really. I found a nasty issue, and all I wanted was to know if they were going to fix it. Hell, I didn't even want credit - just knowing it was fixed would have been great.

They probably didn't even realize they were fixing it. That happens sometimes.
Not just these. First Tuesday is RCE disclosure day.