>DO NOT DOWNLOAD TRON FROM GITHUB, IT WILL NOT WORK!! YOU NEED THE ENTIRE PACKAGE FROM r/TronScript
> Download Tron. The download links are in the top post in /r/TronScript. If you download the self-extracting .exe file, run it and it will extract tron.bat and the \resources folder to the current directory. Copy both of them to the Desktop of the target
Why package a BAT file with an EXE? Even if it has to be distributed in a container, why not a simple ZIP?
And the subreddit literally has a thread with a table that contains download links and a torrent, why would you not include that in the readme?
TronScript is hugely overkill. It makes changes that the vast majority of Windows users, even privacy conscious ones, would not want.
I dread to think how many well-meaning sons and daughters have run it on their parents and relatives PCs and then left, leaving behind a system that is now a nightmare to use.
Also, it takes literally hours to run. I mean, what the hell? ShutUp10 is done in seconds.
Hence, it is clear what benefit they draw from releasing this software for free: Marketing. They are not in the business of brokering user data or mining bitcoin covertly. This tool isn't even installed, it's "run once". To me, that's about as trustworthy as it could be.
For such an intrusive application there are many ways to hide it. Not saying they do it, but I see no way to check it unless looking at the source code.
- Run it in a Windows VM. The program could detect this and not phone home in this case, of course.
- Monitoring on network level (wireshark on same network, Pi-hole, router itself...). This is virtually impossible for the program to circumvent.
You could also audit the changes it made to the system (resorting to stuff like diffing disk images before/after if you really want zero trust) to verify that nothing sneaky was left after running the program once.
Is it possible to circumvent Wireshark, Procmon and the likes? Otherwise those 2 combined give pretty good insight in what an application is doing wrt I/O.
Windows will most likely consider this malware, since it is effectively piracy (removes activation checks) and it does mess with Windows Defender by disabling a bunch of phone-home stuff like malware sample submission. If you're already getting people to disable Windows Defender and/or make an exception for the exe, it's suddenly super easy to also embed some custom C&C into it, either for mass use (eg. using a Windows service to have machines participate in a ddos botnet) or for targeted use - when a specific network block downloads it, the C&C sends a different payload that quietly looks for git credentials or trade secrets and ships them off.
They technically don't have an incentive now, but if they ever get one, it'll be super easy to abuse this position to embed malware. Don't think of the threat as the current company, but someone buying them for $millions and quietly doing this years later.
It is not considered malware by Smart Screen from what I can tell. Kaspersky doesn't have any issues with it either, and I've run both the original and the ++ Version of ShutUp.
This is portable by the way, so I don't really see the point in worrying about rogue company takeovers.
I've not done any in-depth analysis of this app, but have used it on a machine that required windows 10 at the time. My family and friends have also used it. I can say that after they use it, the DNS activity to the Microsoft tracking endpoints appears to stop and other DNS activity is reduced but I am no windows expert so I can not say for sure if 100% of telemetry is truly nullfied. The real time dependencies on the activity DNS/HTTPS endpoints does appear to be removed after usage. From a network perspective it does stop the "chattyness" of Windows 10.
This looks interesting. Is there something like a Vagrant build image for this so that you can easily automate the build process to pick up the updates and adjust the configuration/customization in a json or yaml file?
I prefer the script[0] instead of the hacked ISO since you can install the script in later versions of W10 using your own preferred ISO.
Only caveat: There's no way of telling what versions of W10 it's compatible with (I imagine it breaks some versions). I have an old VM with AME installed and manually enabled updates by hacking the registry. (You could also alter the .BAT script to enable updates, but you have to know what to remove).
This project is cute, but I only ever used it for an offline sandbox for running low resource games and cracked versions of Photoshop. I am scared as shit to connect this thing to the Internet. I only connect to receive updates.
It is sad that things like this are even required in the first place. I would really like to have more trust and confidence in Microsoft. To earn that trust they could provide one page with all PowerShell sub-commands and links from each command to a man/help page with real world examples so I don't have to trawl through technet and google or random github gists.
They could also give people a true option during installation to really for-really-real disable telemetry regardless of what license home, pro, enterprise, ltsc they are using.
Fragmentation is not in ms best interest, but they could actually license just the nt kernel with a bootloader capable of launching it. Then people could build nt based distros with carefully chosen packages. Just like it is done with GNU/Linux.
Maybe some one could write an application to delete as many files as possible from a pristine windows copy to turn it simply into a kernel launched by a bootloader. Is there any project that does that?
That's an appealing idea. From watching the behavior of XBox One and Windows 10, I would be really surprised if they created such a thing. It really seems more like they want people to have dumb terminals with their binaries pseudo-cached and operate more like a mainframe/cloud model.
I can get behind that mindset, but if you're using Windows you've already given up your ability to introspect your system. The same is true for most of macOS/iOS and large parts of the basic feature set found in Android. Most Windows programs, both freeware and paid, are closed source, that's just the way that ecosystem functions.
These companies can exist the same way Winrar can exist: give people the tool for free, wait for them to want to use it at their business and sell the subscriptions there. Businesses are much more wary if pirated software than consumers so Winrar manages to survive to this day. To me, the amount of telemetry collected from modern crapware indicates a lack of trust in the product from even the developers themselves, which in turn proves to me that the product isn't very good on some level I might not be able to see.
Just because something is free doesn't mean it's not reliable if there are business subscriptions funding the product itself. The way programs stalk their customers these days used to be rare and the O&O team seems to follow the old software shop practices rather than "modernising" and adding the very thing they try to block to their own product.
It is possible to use windows as a mere kernel. Much desktop software on a modern linux distro is portable. Even your example, winrar, can be replaced by peazip or 7zip.
I actually saw some people using mostly FLOSS on windows as a step before full migration away from it.
The simplest way to test any software you're suspicious of on Windows is Sandboxie (https://sandboxie-plus.com/downloads/). Any files or registry changes are persisted to a separate location in the filesystem, so it is pretty easy to catch misbehaving software. For software like this, it will negate the utility of the software due to being in a sandboxed environment, but it will least give an idea of the registry keys and files that may be modified.
This is not convenient to do at every update. On a windows system were there is no known concept of built-in package manager it is even more complicated. I've seen windows apps that automatically update themselves.
Also, since it is very intrusive, I don't think running it into a sandbox may give good diagnostics.
If this program has to be run persistently, then it won't provide much, since a malicious program could wait X days prior to downloading a payload. It is mostly useful for looking for one time changes like registry settings and verifying that the program doesn't place a bunch of random .bat or .exe's in obscure folders.
Windows loves to silently update things, even if it ends up breaking everything, too. Especially drivers where it isn't super obvious that it was updated and something just stops working. Windows 10 is _way_ more aggressive with forcing updates than 7/8 were, automatically re-enabling Windows Update after 30 days of disabling. The easiest solution that I've found is just blocking everything at the DNS level. They can obviously use IP addresses as a workaround if they really want telemetry, but I haven't had issues after blocking a bunch of MS domains in the hosts file.
Partners aren't with Microsoft. They're vendors and service providers that live off of scraps from the mothership. If they were to do something malicious, it would potentially cost them their business. I'm sure Microsoft itself doesn't care if under 1% of desktops use tools like this to turn off their telemetry.
Fair enough, though O&O has been around for ages (24 years) and I don't remember hearing anything bad about them (and have used their software in the past).
Iirc this software exist since the release of windows 10, or maybe shortly after, so I guess they can stay "gold partner" forever. There is probably nothing in that program attempting to prevent them to release that kind of software, and MS is not Apple...
> O&O Software GmbH was established in 1997 in Berlin, Germany by Oliver Falkenthal and Olaf Kehrer. The idea for the name “O&O” originated back in 1991 in the form of O&O Systemtechnik GbR, a company offering software specifically for students whilst the two founders were still studying. The name “O&O” came about spontaneously, as both founders first names begin with the letter “O”. In 1998, on the 10th February to be exact, O&O Defrag V1.0 was released, and the company that you see today was born.
With Windows Update removed, and no way to patch the system without a full reinstall, I would not use ameliorated.info in any important capacity. The complete unability to patch zero-days makes it very unattractive. They recommend to just take admin privs from the default user. If you're this serious about privacy, use Linux. If you NEED Windows for a program, use a VM and nothing else. If you NEED Windows as your daily-driver... then you shouldn't be risking your daily driver with this. The ONLY update you can apply is simply to just reinstall the operating system. I do appreciate this kind of stripped-down build procedure, but fail to see a good-enough use case.
> Furthermore, as touched upon on the main page, 94% of critical Windows 10 vulnerabilities can be mitigated by revoking administrator privileges from the default user.
I'd just like to touch upon that 94% figure. It's from this source[0], which actually says:
> Of these critical vulnerabilities, 94% were found to be mitigated by removing admin rights, up from 85% reported last year.
It's a very fine line, but they're mitigated by not running stuff as admin, not just removing admin rights from the main user's account. With Ameliorated, people will still want to set up software as admin and install to Program Files, so if they take the advice from the FAQ, they might think they're fine just having a separate Admin account they use for UAC pop-ups to install the programs, while leaving their main as a standard user, which is indeed not going to solve any zero-days compared to users just being able to click 'yes' at UAC.
This reminds me of the old "Windows XP Service Pack 4", or Windows 7 Minimalist ISOs that were going around. Generally, even the idea of using an OS downloaded from a random site (big Linux distributions excepted) is a security nightmare: you're trusting random, anonymous people not to put malware deep enough into the OS image where it won't easily be found. See XcodeGhost that got caught way after the fact.
Same exact reason people should strongly consider staying away from LineageOS builds and other such things, where the dev team of half a dozen non-vetted anonymous forum users is responsible for everything running on your phone. The "open-source means security because code gets vetted" argument only applies to big projects like Chromium, where hundreds of major corporations with world-class software engineers review, and contribute to the source code. Not to Lineage, where every phone model has its own build and dev team, and each build gets used by maybe a few hundred or thousand people, and reviewed by practically nobody. If there was one single Lineage build for all phones, I'd feel much more comfortable with it.
Though I have zero reason to distrust the Ameliorated folks, you generally never want to mess with software (especially OSes) downloaded from anyone other than the official vendor. The risk of using this is much higher than running proprietary ShutUp10, which is already non-zero since it's proprietary.
What a bunch corporate-authoritarian fearmongering BS.
The community is NOT stupid. All it takes is one person to find out someone is trying to be malicious, and mass ostracisation will take place. For most of civilization we didn't need corporate overlords to tell us who to trust --- that's a very very recent development.
where hundreds of major corporations with world-class software engineers
People can get doxxed and ruined in real life. News spreads quickly. If you try to deceive a whole community of intelligent humans you'll get found out sooner rather than later, and unlike the slap-on-the-wrist lawsuit that at best companies get from trying the same, it is much worse for an individual. But of course, that doesn't fit the narrative...
I agree. The winning move is not to play. To fiddle with Windows' privacy settings, and expecting them to respect the users privacy, is like asking an abusive partner nicely to not be abusive. Promises will always be broken, and in new and unexpected situations, the partner will act on their character, not on their promises. And Microsoft has a documented history of this behavior.
everything is closed source, apart from the building blocks that comprise it. all clouds are closed source, most of the finance is closed source, MacOS is closed source, iOS - too. games - closed source, critical infrastructure - closed.
okay...let's think. lets take for example postgresql. all right is opensource, we all love it. but how some company uses it - well this is not open source. only few businesses dare to be open source and typically open the non-critical parts.
why so much pressure on MS?
the idea that the world is embracing opensource is absolutely disconnected with the reality ever since the idea of open source came to existence.
once again - even when the building are open source, the way they are tied together is usually not. and their usage in business systems - also not open source. period.
there is fair chance, that whoever is reading this comment works is paid by a company that is using open source, but is not open sourcing.
Microsoft has faced so much criticism for their approach to telemetry - I don't really understand why they don't at least provide the option to opt out of all telemetry.
If they left it enabled by default, but provided an option to opt-out, realistically only a small segment of users would do so, and most of them would likely be power users who are already taking other steps to try to prevent telemetry being collected and/or sent. So they'd take an insignificant hit to telemetry, but would gain a lot in goodwill.
Telemetry isn't just a tool for product managers, but it's also a goldmine for national security agencies (more than just the NSA; Bing is unblocked in China for a reason).
Anti-government meme made with GIMP at a specific timestamp? One search through the telemetry logs to find who exported a file at that exact moment.
Any data collection is also government surveillance unless proven otherwise.
I don’t work for microsoft anymore but I laugh at these sorts of suggestions. I don’t know much about bing but I do know a decent bit about the telemetry pipeline and the idea of an anti government meme detection is ludicrous at best.
With all due respect, the danger to a telemetry pipeline is almost always downstream effects, like court orders to intercept network data or human assets that knowingly exfiltrate data. Even if you assume that Microsoft has the best of intentions and that all of the telemetry is for the purposes of improving the software experience, it’s a naive assumption that this doesn’t increase the attack surface substantially. With no user accessible kill switch and with all teams operating with good intentions, you still stand to create scenarios like telemtry-for-surveillance, even if the probability of such a scenario is small in the grand scheme of things.
GDPR requires the opposite, data collection has to be opt in. I don't really see why the telemetry they capture doesn't count as peoples personal data honestly, it should given how much behavior information is available from it.
I believe it’s only opt in when it contains user identifying information. Information on did a feature work or not and how long search indexing took isn’t particularly sensitive once you strip off any device identifiers.
I probably still won’t trust it on a critical system without a reputable audit though, I think I’d still prefer to either trust Microsoft or Apple or go run OpenBSD or Linux instead.
Thanks for sharing this. I tried 3 of the tools mentioned in this thread, in addition to having tried the O&O tool before, and https://privacy.sexy/ resonated with me the most. It's the easiest to understand and also makes it much easier to make smaller incremental changes. Due to the "revert" toggles and heavy commenting, it's easy to roll back if anything breaks.
Its funny how Windows and Android, the two most widely used operating systems, are a privacy nightmare and basically spyware at this point. Remember you can install tools and ROMs that are privacy focussed but also realise only a minor percentage of the users bother or are aware of these.
I wonder what the sales pitch would be to sell privacy focussed products to the average Joe.
The “closed source ecosystem” is not nearly as restrictive as people make it out to be and is something that you willingly sign up for when buying apple products.
Not sure where you got the idea of “icloud syncing your every move” but literally every icloud implementation can be disabled at your discretion.
I for one only have my reminders, wallet, calendar and drive synced.
Even with that said, none of this implies a lack of privacy in any way.
"the researchers' iPhone transmitted more kinds of data, including device location, the device's local Internet Protocol (IP) address and the Wi-Fi network identifiers — the MAC addresses — of other devices on the local network, including home Wi-Fi routers."
Both of these are the cheaper option in their respective market. iOS and macOS are expensive because the hardware is expensive (as in, the hardware in part pays for the development of the software), and Linux is expensive in that it's almost always more time-consuming to set up since it doesn't have Windows' first-class driver, hardware, and software support.
> since it doesn't have Windows' first-class driver, hardware, and software support.
Ironically, Linux sometimes has better driver and software support for specialized things like Thunderbolt ethernet adapters, or software if it was written for MacOS but later adapted to Linux because of their similarity within the scope of POSIX. And, because Windows can't run 16-bit software on 64-bit CPUs at all, Linux has the total advantage here because WINE works with 16-bit as well.
Agreed! Just wanted to pile on, the driver thing is a bit hit/miss.
Broadcom/Realtek (sometimes)? Good luck. Intel/AMD/Aquantia? Probably good to go.
There are vendors that give Linux first-class support; buy them.
edit:
Realtek is a little hard to pinpoint, they tend to have drivers... but fairly buggy.
I have to replace the r8169 module or something similar with r8125 for my (onboard) networking to work under stress. If I push too much bandwidth, it'll just drop.
come on. i use an old dell latitude e7440 which i run kde neon on. takes 15 minutes to get installed and i can get surfing in 16. No nonsense, no nothing.
i assume newer devices would be better but "time consuming to set up" is something i have not seen in the last 3-5 years of my using 100% exclusively linux devices.
Not sure why macOS (M1) is expensive here. For the hardware/performance/software you get it’s not really expensive if you compare the alternatives like surface or any of the intel based laptops. Sure, you can get a cheap laptop for under 500$ but that won’t last long either.
Seconding this. LineageOS with microG has been great, combined with Aurora Store's anonymous Play Store for the singular app I require that doesn't have an FOSS alternative.
I don't think it is funny, nor coincidence. A lot of people are poor and have to sell themselves out with privacy. They cannot afford a premium brand like Apple.
I don't trust these tools as any Windows Update can override the setting, or Microsoft can add a new "feature" and continue collecting telemetry data from that. For example; Disk Space Cleanup (cleanmgr.exe) tool has been trying to connect to internet since last year's Windows 20H2 updates. I use Binisoft's Windows Firewall Control (wfc)[0], set level to Moderate and check logs regularly. There is also simplewall tool [1] which has predefined Windows list to block.
Agreed. I would use them to avoid ads and annoyances, but Windows, as a closed system, to me remains untrustworthy. I'd never ever use it for banking, communications or store personal data. But if I'm using music software or games, those utilities would make the experience less annoying.
You do need to remember to re-run this after any major “feature” update on Windows as Microsoft have a way of “forgetting” settings they don’t like or coming up with new ways to violate users’ privacy. This is definitely not foolproof, but it is one of many tools in the arsenal.
Congratulations professional Windows administrator. You are definitely not their target audience. And using group policies to disable the 100 different things this tool disables would be a ton of work... and I'm not even sure you can disable everything this tool does via group policies?
> I'm not even sure you can disable everything this tool does via group policies?
Apparently you cannot:
> On May 2017 a security researcher named Mark Burnett demonstrated that disabling the default data collection toggles, found in Windows 10's settings app, are entirely useless. Furthermore he showed that even through using intensive group policy modifications, in a process heavily scrutinized and iterated upon over several days, he was not able to prevent Windows 10 from sending critical, personally identifiable information with certainty.
In my last job I had contact with Microsoft and I approached them about datamining issues several times. I noticed they simply don't understand the concerns at all. Microsoft is becoming a highly 'data driven' company and every time I approached them about data gathering the response was along the lines of "Oh but we only use this for improving your performance / our products / whatever". They think it matters what the purpose is, they don't understand (or they don't want to!) that some people are against telemetry whatever the reason.
Our own company is thinking along similar lines, with the exception of the German parts of the business, for whom we had to make some exceptions. I'm not German but I'm heavily aligned with their thinking on this.
Very nice that I turn off everything I want one time, but what about the next update that will randomly toggle some settings back? How about new settings for new features that are added?
I think it's foolish to go use software like this, and expect some privacy to happen. Windows and its user are just not on the same page.
What refreshed my hope in IT is the FOSS ecosystem. Where software is passively uncaring about me, the user, instead of working actively against me, which is the case in most of proprietary stuff nowadays.
I think it's a pretty good idea to automate this sort of software and schedule it to run whenever the OS restarts, or at the same time every day (or multiple times, depending on usage patterns).
I don't think it's possible to (easily) figure out when to run something right after the updates change any settings, but it's a good idea to automate away manual work as much as possible!
The person that you're replying to certainly has a point about having to run the tool manually being a hassle. Sadly, at the moment there are also no ways to automate running the tool (that i know of), since it's GUI only, as opposed to offering CLI functionality or silent launch options.
The most constructive answer is to stop using/supporting/supplying demand for software that doesn't respect the user. Rather than people trying to remove the same warts over and over, progress could be made on a more permanent solution; namely, identifying gaps in the open source ecosystem where the only current solutions are proprietary.
I did not take the comment in the same light. I think it is great that people are creating such software. Seems useful for many users.
But looking at the broader context npteljes has a point.
Why fight an insecure tool (let's say Windows is insecure for the sake of the argument, I do not have a strong opinion about it) then patch the security on top. Surely the obvious choice is to stop using the insecure tool.
Sometimes people want a technical answer, when the answer is to do the obvious. I don't think that is pessimism.
I'm quite a pessimist otherwise, but I don't think my comment really reflects that. I just reported that as a human being, I'm tired of, and fed up with fighting a system that disrespects me, belittles me, overrides my decisions.
For the longest time I felt that I have the upper hand. That I could install a software for my every need, limit this, change that, bend the whole system to my will. But the realization grew on me, that me and the system are wanting two very different things. And whatever I do, I won't win. At most, we can be engaged in a cat-and-mouse game, as long as I'm up for fighting for it. If I'm not, then my cause is lost.
With this realization, I felt betrayed by the entity I otherwise liked very much. And this is the feeling I wanted to convey with my previous comment.
Then perhaps this tool and this operating system are not for you... Windows is good for some things, privacy ain't one of them, and you need to either live with it, work hard to protect your privacy within it, or leave it.
Assuming you mean trust in MS in general and not in what the OS does: broken trust isn't easy to fix, and this tool indeed doesn't do much in that regard, but it does fix some of the things which lead to the broken trust i.e. what the OS is doing.
Historically tools like these were broken by windows updates and could not keep up with Microsoft's violent efforts in breaking them. You can't even turn off windows defender in the registry anymore, which is the sole reason windows performs terribly on low end devices. It sends the CPU and 5400rpm disk to 100% use all the time.
Windows is a threat to national security and Microsoft must be sanctioned. Business if they wish to avoid crypto lockers and actually care about "cyber security" will drop windows in favor of Mac/Linux.
My friend just put Windows 11 on his (original) Surface Go (Pentium Gold 4415Y, 8GB RAM, 128GB), and he cannot stop raving about how fast it is. He said he was considering putting Linux on it, but he isn't feeling the need to now. To be sure, that's not a 5400rpm desk, though, yeah, I haven't had to suffer through one of those in over a decade!
It will be slow in the coming months. Windows has very fast UI response on fresh installs and degrades over time. It's really not an achievement to have responsive UI in 2021, Microsoft just hires the bottom of the barrel and bases everything on group studies, which yields the worst outcomes.
I agree. Windows is malware. Its good or bad bits are irrelevant, it's perfectly usable as an OS, but in the meantime it's loaded with malicious intent and its business advantage is ruthlessly exploited at every turn. So I don't think that the tool itself is that much useful either. It's good popularity for their creators, that's for sure, who very successfully jumped on the Win10 telemetry paranoia bandwagon.
And who I think should change to Linux or BSD is not just business, it's governments especially. How they enable an auto-updating system of another superpower is beyond me.
I have to use Windows once in a while (circumstances).
Best way to forget about the existence of spyware (aka telemetry) that I found is to not connect a Windows box directly to internet. I configured my router to give it a gateway and DNS IPs which don't exist in the network. Eat that, Microsoft. And I can still connect to internet by manually setting a SOCKSv5a proxy to the router in Firefox and other software that I trust (make sure there is no automatic proxy discovery mechanism in the router).
Since the 21H1 update you might start noticing connection drops since a new wlan autoconfig feature has been added: if windows can't ping home reliably, it will restart your nic.
Thanks for the link! I'm searching for 'reboot' and 'restart' but I don't see anything mentioned about rebooting -- only a restart of the network service. Are you sure it actually reboots the PC?
Link please? I run Windows for work, which includes connecting to industrial networks with no Internet connectivity. If this happens, it's going to be a nightmare.
I don't think the reason for this is malicious. Back in 2012-2018 many Windows laptops belonging to friends and relatives had frequent WiFi issues. The only reliable way to fix the issue was to restart the NIC.
Wow! Thank you for that tip. Block the machine's internet access with a firewall but connect the browsers over a SOCKS proxy.
I mean, I do have a couple of containers up and running on a Raspberry Pi offering nothing but intranet SSH services while the containers are connected via OpenVPN to differnt VPN servers, so that I can use different browsers which connect via SOCKS each to one container in order to have one browser per country on one machine.
It never occurred to me that I can use this same technique (but without OpenVPN) in order to disallow that machine to connect to the internet but still have a working browser...
For some of us (me), tools like this are the difference between no privacy oversight and some oversight. I aspire to be a privacy-aware person rocking Linux, but in the meantime...
I appreciate this aspect of the ShutUp10. By its existence and popularity, it spreads the message that there is such a thing as privacy, and that it's important.
A screenshot of the application on the website shows this option. I don't understand; are advertisements via Bluetooth some kind of Windows functionality and how does it work?
Perhaps they mean BT Beacon advertising? A small BT device can broadcast a notification to other BT devices nearby. It is used in some places for marketing.
Its not magic. Its windows update happening in the background
I went from perfect system health , progressively into blue screen death, it got so bad that it happened every 2 hours after spiking my i7 to 100% cpu use. The decline happened within a month of a win10 update back in Aug/Sept.
A couple of MS support tickets and a windows reinstall later, I finally gave up had to do a complete fresh PC install to fix.
No issues since but i still get the occasional 100% cpu clock.
Ive also turned on windows10 selective update download.
I went from perfect system health, progressively ... it got so bad ... decline happened ... I finally gave up had to do a complete fresh PC install to fix
Sounds like every Windows since 3.1. Instead of telemetry I wish they'd focus on making an OS that stays robust and performant indefinitely.
That AMD-"raid" is Software too..the same as linux.
~pure Hardware raid's never need drivers, because you tell the hardware (raid controller) to present the hard-disks as one (or whatever you want) device to the Operating-system. Some management tools are sometimes used (start raid scrubbing etc).
BTW: Don't use Raid5 if you don't have a UPS (if you use software raid), or a battery buffered write-cache (hardware raid) aka write-hole:
There are a lot of open source scripts and tools on GitHub for accomplishing the same goal (in various state of being out-of-date, abandoned, etc.); I started collecting the ones that appear somewhat active here: https://github.com/TemporalAgent7/awesome-windows-privacy
I plan on going through them to weed out duplicates and duds. You shouldn't trust any of those blindly, but definitely read through the code; I'm particularly interested in coming up with a list of services and scheduled tasks that can be safely disabled without impacting any of the applications and services I'm using (I want Windows Update, OneDrive, Office, Defender, Store and store apps, MS Account login and Xbox Gaming for example, which most tools want to disable).
I noticed a media disk drive grinding away the other day, nothing made sense to be causing it. Turns out Chrome now scans all your drives and sends executables back to Google by default or something (software_reporter_tool.exe), even if you are a software developer in competition with them (practically all software developers since Google are essentially all-encompassing at this point).
Is it intuitive to anyone that a third party web browser would be doing this by default?
Someone might post a binary build there soon with 94 (until yesterday they only had the ancient 89), but you can build it yourself as well (on my 32-core 5950x with 64Gb RAM it took 2.5+ hours to build, just to be prepared for that).
If you're sure that's actually Google's application doing it, and can show it happening with clear evidence, then I recommend reporting it to the media and everyone else you can think of. That sort of behaviour is essentially espionage and I'm sure it would be enough to get Chrome banned from many places which were previously happy to use it.
> In addition, if you have opted in to automatically report details of possible security incidents to Google, Chrome will report information about unwanted software, including relevant file metadata and system settings linked to the unwanted software found on your computer.
I don't think I ever opted in to this but they may have have had tricky wording or I just didn't catch it. From searching around, there seems to be no way to opt out of the scan itself (not the submission) except denying read permissions to the software_reporter_tool.exe's folder. So if you have spinning drives that you want to keep idle when not in use, for power and longevity reasons, you are SOL without remembering each time you setup a machine.
After installation, programs should not engage in deceptive or unexpected behavior. Some examples of deceptive or unexpected behavior include:[...]Preventing the user from controlling the software[...]The user must have a meaningful opportunity to review and approve any principal and significant updates or settings changes.
Disclosure is especially important if data collection is a non-obvious feature of the software.
Pure unadulterated hypocrisy. Not surprising coming from Google.
> Don't scare the user. Software must not misrepresent the state of the user's machine to the user, for example by claiming the system is in a critical security state or infected with viruses.
Yet Google Chrome continues to tell users that many harmless executables are malware even after they have been informed of the false positive many times.
Maybe they should prevent people from downloading Chrome instead.
It has done this for years. Its not new behavior. Also why I use Firefox and Comodo Firewall. I would remove all privs on the file in Windows to stop it. Deleting will only be temporary.
are there recommendations for a powerful Windows firewall that can be run locally? I have noticed there are DNS calls often resolving from my machine (via pihole), but my local firewall is oblivious to those connections and never alerts me to local application making those calls.
Thank you, found it. It looks like it's not a new thing, it's been around for at least 6 years; it's possible they recently expanded its scope to scan more of one's disk which would be unfortunate. Found some details here for how to disable it: https://www.ghacks.net/2018/01/20/how-to-block-the-chrome-so...
It seems this is the same engine as ESET antivirus scanner:
>As applied in Chrome Cleanup, ESET’s technology is used by Google to alert users about unwanted or potentially harmful software attempting to get on users’ devices through stealth, for example, by being bundled into the download of legitimate software or content. Google Chrome, using ESET’s security technology, then provides users with the option to remove the unwanted software. Chrome Cleanup operates in the background, without visibility or interruptions to the user. It deletes the unwanted software and notifies the user once the cleanup has been successfully completed.
> Due to the fact that the script includes more than 150 functions with different arguments, you must read the entire Sophia.ps1 carefully and comment out/uncomment those functions that you do/do not want to be executed.
(The easiest Debian install experience might be to ignore the scary official documentation, simply burn that hybrid installer image raw to a USB stick or DVD+R, boot it on your target PC, and have an Ethernet cable handy until you boot your installed pristine Debian and then can enable install of "non-free" firmware. If you need help, I'd use Web search.)
211 comments
[ 3.6 ms ] story [ 280 ms ] threadhttps://www.reddit.com/r/TronScript/
https://github.com/bmrf/tron/blob/master/README.md#use
Or
https://old.reddit.com/r/TronScript/
If you have trouble opening any reddit website on mobile change "www" with just the letter 'i' or 'old'.
Once they don't allow these workarounds I am leaving reddit for good.
https://libredd.it/r/TronScript/
I will leave reddit too if they remove the old version.
>DO NOT DOWNLOAD TRON FROM GITHUB, IT WILL NOT WORK!! YOU NEED THE ENTIRE PACKAGE FROM r/TronScript
> Download Tron. The download links are in the top post in /r/TronScript. If you download the self-extracting .exe file, run it and it will extract tron.bat and the \resources folder to the current directory. Copy both of them to the Desktop of the target
Why package a BAT file with an EXE? Even if it has to be distributed in a container, why not a simple ZIP?
And the subreddit literally has a thread with a table that contains download links and a torrent, why would you not include that in the readme?
The reason is present the software as open-source while in reality it's closed source with unimportant data files being published on GitHub.
I dread to think how many well-meaning sons and daughters have run it on their parents and relatives PCs and then left, leaving behind a system that is now a nightmare to use.
Also, it takes literally hours to run. I mean, what the hell? ShutUp10 is done in seconds.
You're replacing an abusive part with another with the same potential of abuse and you can't check of modify either of them.
They have a clear business model: Develop software for Windows that companies need. See their About page: https://www.oo-software.com/en/company
Hence, it is clear what benefit they draw from releasing this software for free: Marketing. They are not in the business of brokering user data or mining bitcoin covertly. This tool isn't even installed, it's "run once". To me, that's about as trustworthy as it could be.
Now.
It is not a matter of having incentives. It is a matter that they can abuse and you simply have no way to check or control it.
- Run it in a Windows VM. The program could detect this and not phone home in this case, of course.
- Monitoring on network level (wireshark on same network, Pi-hole, router itself...). This is virtually impossible for the program to circumvent.
You could also audit the changes it made to the system (resorting to stuff like diffing disk images before/after if you really want zero trust) to verify that nothing sneaky was left after running the program once.
They technically don't have an incentive now, but if they ever get one, it'll be super easy to abuse this position to embed malware. Don't think of the threat as the current company, but someone buying them for $millions and quietly doing this years later.
This is portable by the way, so I don't really see the point in worrying about rogue company takeovers.
because it does not run as a service/persist, it will be undone by the next big windows update anyways.
I'll leave this here: https://ameliorated.info/
No Windows Update for you, so security is debatable.
Only caveat: There's no way of telling what versions of W10 it's compatible with (I imagine it breaks some versions). I have an old VM with AME installed and manually enabled updates by hacking the registry. (You could also alter the .BAT script to enable updates, but you have to know what to remove).
This project is cute, but I only ever used it for an offline sandbox for running low resource games and cracked versions of Photoshop. I am scared as shit to connect this thing to the Internet. I only connect to receive updates.
[0] https://wiki.ameliorated.info/doku.php?id=documentation_20H2
What do you mean by that? AME 21H1 was released just the other day.
> This project is cute, but I only ever used it for an offline sandbox for running low resource games and cracked versions of Photoshop.
It's perfect for VM use, but I would never use it as my main OS.
Thanks for the update!
If it was open source, then maybe there would be some reason to trust it.
They could also give people a true option during installation to really for-really-real disable telemetry regardless of what license home, pro, enterprise, ltsc they are using.
Maybe some one could write an application to delete as many files as possible from a pristine windows copy to turn it simply into a kernel launched by a bootloader. Is there any project that does that?
These companies can exist the same way Winrar can exist: give people the tool for free, wait for them to want to use it at their business and sell the subscriptions there. Businesses are much more wary if pirated software than consumers so Winrar manages to survive to this day. To me, the amount of telemetry collected from modern crapware indicates a lack of trust in the product from even the developers themselves, which in turn proves to me that the product isn't very good on some level I might not be able to see.
Just because something is free doesn't mean it's not reliable if there are business subscriptions funding the product itself. The way programs stalk their customers these days used to be rare and the O&O team seems to follow the old software shop practices rather than "modernising" and adding the very thing they try to block to their own product.
I actually saw some people using mostly FLOSS on windows as a step before full migration away from it.
Also, since it is very intrusive, I don't think running it into a sandbox may give good diagnostics.
Windows loves to silently update things, even if it ends up breaking everything, too. Especially drivers where it isn't super obvious that it was updated and something just stops working. Windows 10 is _way_ more aggressive with forcing updates than 7/8 were, automatically re-enabling Windows Update after 30 days of disabling. The easiest solution that I've found is just blocking everything at the DNS level. They can obviously use IP addresses as a workaround if they really want telemetry, but I haven't had issues after blocking a bunch of MS domains in the hosts file.
"Gold Microsoft Partner"
To attain a competency, partner must:
$4,730https://www.oo-software.com/en/company
> Furthermore, as touched upon on the main page, 94% of critical Windows 10 vulnerabilities can be mitigated by revoking administrator privileges from the default user.
> Of these critical vulnerabilities, 94% were found to be mitigated by removing admin rights, up from 85% reported last year.
It's a very fine line, but they're mitigated by not running stuff as admin, not just removing admin rights from the main user's account. With Ameliorated, people will still want to set up software as admin and install to Program Files, so if they take the advice from the FAQ, they might think they're fine just having a separate Admin account they use for UAC pop-ups to install the programs, while leaving their main as a standard user, which is indeed not going to solve any zero-days compared to users just being able to click 'yes' at UAC.
0: https://web.archive.org/web/20170310043706/https://www.avect...
Same exact reason people should strongly consider staying away from LineageOS builds and other such things, where the dev team of half a dozen non-vetted anonymous forum users is responsible for everything running on your phone. The "open-source means security because code gets vetted" argument only applies to big projects like Chromium, where hundreds of major corporations with world-class software engineers review, and contribute to the source code. Not to Lineage, where every phone model has its own build and dev team, and each build gets used by maybe a few hundred or thousand people, and reviewed by practically nobody. If there was one single Lineage build for all phones, I'd feel much more comfortable with it.
Though I have zero reason to distrust the Ameliorated folks, you generally never want to mess with software (especially OSes) downloaded from anyone other than the official vendor. The risk of using this is much higher than running proprietary ShutUp10, which is already non-zero since it's proprietary.
The community is NOT stupid. All it takes is one person to find out someone is trying to be malicious, and mass ostracisation will take place. For most of civilization we didn't need corporate overlords to tell us who to trust --- that's a very very recent development.
where hundreds of major corporations with world-class software engineers
LOL. The same "world-class software engineers" who brought us https://news.ycombinator.com/item?id=18189139 and are constantly fighting against the user?
It makes no sense to compare how we live and behave in real life with the Internet.
okay...let's think. lets take for example postgresql. all right is opensource, we all love it. but how some company uses it - well this is not open source. only few businesses dare to be open source and typically open the non-critical parts.
why so much pressure on MS?
the idea that the world is embracing opensource is absolutely disconnected with the reality ever since the idea of open source came to existence.
once again - even when the building are open source, the way they are tied together is usually not. and their usage in business systems - also not open source. period.
there is fair chance, that whoever is reading this comment works is paid by a company that is using open source, but is not open sourcing.
"WPD 1.5 and DashboardX 1.0 with Windows 11 support coming in mid-October!"
Older versions of Windows were the product, and the customer was the end user
With New versions of consumer Windows, user data is the product, companies and advertisers are the customer, and end users are the data source.
Commercial/Server versions of Windows not so much.
If they left it enabled by default, but provided an option to opt-out, realistically only a small segment of users would do so, and most of them would likely be power users who are already taking other steps to try to prevent telemetry being collected and/or sent. So they'd take an insignificant hit to telemetry, but would gain a lot in goodwill.
Any reason not to do this?
Anti-government meme made with GIMP at a specific timestamp? One search through the telemetry logs to find who exported a file at that exact moment.
Any data collection is also government surveillance unless proven otherwise.
https://blogs.windows.com/windowsexperience/2018/01/24/micro...
I don’t work for microsoft anymore but I laugh at these sorts of suggestions. I don’t know much about bing but I do know a decent bit about the telemetry pipeline and the idea of an anti government meme detection is ludicrous at best.
That's a fun strawman you made, but the actual idea in the post was that telemetry might note when different programs do events like save.
I probably still won’t trust it on a critical system without a reputable audit though, I think I’d still prefer to either trust Microsoft or Apple or go run OpenBSD or Linux instead.
I wonder what the sales pitch would be to sell privacy focussed products to the average Joe.
Not sure where you got the idea of “icloud syncing your every move” but literally every icloud implementation can be disabled at your discretion.
I for one only have my reminders, wallet, calendar and drive synced.
Even with that said, none of this implies a lack of privacy in any way.
And it’s sole purpose is to help people find their devices, it’s saved many people i know from a very large catastrophe.
Ironically, Linux sometimes has better driver and software support for specialized things like Thunderbolt ethernet adapters, or software if it was written for MacOS but later adapted to Linux because of their similarity within the scope of POSIX. And, because Windows can't run 16-bit software on 64-bit CPUs at all, Linux has the total advantage here because WINE works with 16-bit as well.
Broadcom/Realtek (sometimes)? Good luck. Intel/AMD/Aquantia? Probably good to go.
There are vendors that give Linux first-class support; buy them.
edit: Realtek is a little hard to pinpoint, they tend to have drivers... but fairly buggy.
I have to replace the r8169 module or something similar with r8125 for my (onboard) networking to work under stress. If I push too much bandwidth, it'll just drop.
[0] binisoft.org/wfc
[1] https://github.com/henrypp/simplewall
> Wieso ist die Software nicht Open-Source? "Die Community" könnte mithelfen, die Software weiterzuentwickeln etc. …
"Why is this software not Open-Source?"
Apparently you cannot:
> On May 2017 a security researcher named Mark Burnett demonstrated that disabling the default data collection toggles, found in Windows 10's settings app, are entirely useless. Furthermore he showed that even through using intensive group policy modifications, in a process heavily scrutinized and iterated upon over several days, he was not able to prevent Windows 10 from sending critical, personally identifiable information with certainty.
From: https://wiki.ameliorated.info/doku.php?id=faq
In my last job I had contact with Microsoft and I approached them about datamining issues several times. I noticed they simply don't understand the concerns at all. Microsoft is becoming a highly 'data driven' company and every time I approached them about data gathering the response was along the lines of "Oh but we only use this for improving your performance / our products / whatever". They think it matters what the purpose is, they don't understand (or they don't want to!) that some people are against telemetry whatever the reason.
Our own company is thinking along similar lines, with the exception of the German parts of the business, for whom we had to make some exceptions. I'm not German but I'm heavily aligned with their thinking on this.
I think it's foolish to go use software like this, and expect some privacy to happen. Windows and its user are just not on the same page.
What refreshed my hope in IT is the FOSS ecosystem. Where software is passively uncaring about me, the user, instead of working actively against me, which is the case in most of proprietary stuff nowadays.
Well, you run the tool again. It even tells you to do that after making changes.
Great credit to the authors of the tool. I used it many times when I was stuck with windows - and I'm grateful that they did all the work to make it.
I don't think it's possible to (easily) figure out when to run something right after the updates change any settings, but it's a good idea to automate away manual work as much as possible!
The person that you're replying to certainly has a point about having to run the tool manually being a hassle. Sadly, at the moment there are also no ways to automate running the tool (that i know of), since it's GUI only, as opposed to offering CLI functionality or silent launch options.
But looking at the broader context npteljes has a point.
Why fight an insecure tool (let's say Windows is insecure for the sake of the argument, I do not have a strong opinion about it) then patch the security on top. Surely the obvious choice is to stop using the insecure tool.
Sometimes people want a technical answer, when the answer is to do the obvious. I don't think that is pessimism.
For the longest time I felt that I have the upper hand. That I could install a software for my every need, limit this, change that, bend the whole system to my will. But the realization grew on me, that me and the system are wanting two very different things. And whatever I do, I won't win. At most, we can be engaged in a cat-and-mouse game, as long as I'm up for fighting for it. If I'm not, then my cause is lost.
With this realization, I felt betrayed by the entity I otherwise liked very much. And this is the feeling I wanted to convey with my previous comment.
Windows is a threat to national security and Microsoft must be sanctioned. Business if they wish to avoid crypto lockers and actually care about "cyber security" will drop windows in favor of Mac/Linux.
My friend just put Windows 11 on his (original) Surface Go (Pentium Gold 4415Y, 8GB RAM, 128GB), and he cannot stop raving about how fast it is. He said he was considering putting Linux on it, but he isn't feeling the need to now. To be sure, that's not a 5400rpm desk, though, yeah, I haven't had to suffer through one of those in over a decade!
And who I think should change to Linux or BSD is not just business, it's governments especially. How they enable an auto-updating system of another superpower is beyond me.
Best way to forget about the existence of spyware (aka telemetry) that I found is to not connect a Windows box directly to internet. I configured my router to give it a gateway and DNS IPs which don't exist in the network. Eat that, Microsoft. And I can still connect to internet by manually setting a SOCKSv5a proxy to the router in Firefox and other software that I trust (make sure there is no automatic proxy discovery mechanism in the router).
Yep.
https://www.tenforums.com/network-sharing/178379-disable-wla...
And it appears it may be part of 20h2, not 21h1 update.
https://www.tenforums.com/network-sharing/178379-disable-wla...
And it appears it may be part of 20h2, not 21h1 update.
[1] https://wiki.archlinux.org/title/NetworkManager#Checking_con...
I mean, I do have a couple of containers up and running on a Raspberry Pi offering nothing but intranet SSH services while the containers are connected via OpenVPN to differnt VPN servers, so that I can use different browsers which connect via SOCKS each to one container in order to have one browser per country on one machine.
It never occurred to me that I can use this same technique (but without OpenVPN) in order to disallow that machine to connect to the internet but still have a working browser...
A screenshot of the application on the website shows this option. I don't understand; are advertisements via Bluetooth some kind of Windows functionality and how does it work?
Some Bluetooth LE devices use advertising as a way to constantly send out payloads without a direct receiver.
I went from perfect system health , progressively into blue screen death, it got so bad that it happened every 2 hours after spiking my i7 to 100% cpu use. The decline happened within a month of a win10 update back in Aug/Sept.
A couple of MS support tickets and a windows reinstall later, I finally gave up had to do a complete fresh PC install to fix.
No issues since but i still get the occasional 100% cpu clock.
Ive also turned on windows10 selective update download.
Sounds like every Windows since 3.1. Instead of telemetry I wish they'd focus on making an OS that stays robust and performant indefinitely.
Unfortunately I can only use windows 10/11 as AMD has no driver for RAID on Linux. https://www.amd.com/en/support/chipsets/amd-socket-strx4/trx...
Using Asus hyper with 4 nvme drives on RAID. Anyone else in this situation?
https://raid.wiki.kernel.org/index.php/RAID_setup
That AMD-"raid" is Software too..the same as linux.
~pure Hardware raid's never need drivers, because you tell the hardware (raid controller) to present the hard-disks as one (or whatever you want) device to the Operating-system. Some management tools are sometimes used (start raid scrubbing etc).
BTW: Don't use Raid5 if you don't have a UPS (if you use software raid), or a battery buffered write-cache (hardware raid) aka write-hole:
https://serverfault.com/questions/844791/write-hole-which-ra...
I plan on going through them to weed out duplicates and duds. You shouldn't trust any of those blindly, but definitely read through the code; I'm particularly interested in coming up with a list of services and scheduled tasks that can be safely disabled without impacting any of the applications and services I'm using (I want Windows Update, OneDrive, Office, Defender, Store and store apps, MS Account login and Xbox Gaming for example, which most tools want to disable).
Is it intuitive to anyone that a third party web browser would be doing this by default?
I have a single remaining windows box that is completely idle with a rust disk and it's started spinning up for no apparent reason
how did you figure out it was Chrome?
edit: going to try procmon with the filter set to the disk
Someone might post a binary build there soon with 94 (until yesterday they only had the ancient 89), but you can build it yourself as well (on my 32-core 5950x with 64Gb RAM it took 2.5+ hours to build, just to be prepared for that).
Note that it won't have the Google Chrome Store, so the process for installing extensions (ahem, uBlock Origin) is a bit more involved: https://ungoogled-software.github.io/ungoogled-chromium-wiki...
Nvidia is another culprit, Geforce Experience scans all your drives constantly to look for new games or something like that.
https://www.google.com/chrome/privacy/whitepaper.html#unwant...
> In addition, if you have opted in to automatically report details of possible security incidents to Google, Chrome will report information about unwanted software, including relevant file metadata and system settings linked to the unwanted software found on your computer.
I don't think I ever opted in to this but they may have have had tricky wording or I just didn't catch it. From searching around, there seems to be no way to opt out of the scan itself (not the submission) except denying read permissions to the software_reporter_tool.exe's folder. So if you have spinning drives that you want to keep idle when not in use, for power and longevity reasons, you are SOL without remembering each time you setup a machine.
which says
After installation, programs should not engage in deceptive or unexpected behavior. Some examples of deceptive or unexpected behavior include:[...]Preventing the user from controlling the software[...]The user must have a meaningful opportunity to review and approve any principal and significant updates or settings changes.
Disclosure is especially important if data collection is a non-obvious feature of the software.
Pure unadulterated hypocrisy. Not surprising coming from Google.
> Don't scare the user. Software must not misrepresent the state of the user's machine to the user, for example by claiming the system is in a critical security state or infected with viruses.
Yet Google Chrome continues to tell users that many harmless executables are malware even after they have been informed of the false positive many times.
Maybe they should prevent people from downloading Chrome instead.
I fixed it by replacing the software_reporter_tool.exe with a blank file named "software_reporter_tool.exe" and setting it to read-only.
>As applied in Chrome Cleanup, ESET’s technology is used by Google to alert users about unwanted or potentially harmful software attempting to get on users’ devices through stealth, for example, by being bundled into the download of legitimate software or content. Google Chrome, using ESET’s security technology, then provides users with the option to remove the unwanted software. Chrome Cleanup operates in the background, without visibility or interruptions to the user. It deletes the unwanted software and notifies the user once the cleanup has been successfully completed.
https://www.eset.com/int/about/newsroom/press-releases/compa...
https://github.com/farag2/Sophia-Script-for-Windows
IMO the best and most holistic solution for debloating and de-botnetting Windows.
> Due to the fact that the script includes more than 150 functions with different arguments, you must read the entire Sophia.ps1 carefully and comment out/uncomment those functions that you do/do not want to be executed.
https://benchtweakgaming.com/2020/11/12/windows-10-debloat-t...
> Gold Microsoft Partner
Why would MS partner with a company that makes software to "bypass" their spyware?
Why would O&O partner with a company that has spyware in the OS, then proudly display the Gold MS partner badge on the same page?
Why is the source code obfuscated?
Think about it.
Gold competency: To attain a competency, partner must:
$4,730It seems less malevolent in that light
https://cdimage.debian.org/debian-cd/current/amd64/iso-dvd/
(The easiest Debian install experience might be to ignore the scary official documentation, simply burn that hybrid installer image raw to a USB stick or DVD+R, boot it on your target PC, and have an Ethernet cable handy until you boot your installed pristine Debian and then can enable install of "non-free" firmware. If you need help, I'd use Web search.)