FUD is what you’re doing right now. Review the changes or claim your spot in the peanut gallery. HN isn’t for whatever you want to call what you’re doing.
It’s been 4 days since the last remote-exploitable, no-auth-needed RCE hole in Windows. If you were running this version of Windows, you would not get the patch automatically delivered to your device.
Bonus thought experiment: this same criticism applies to most Chromium and Firefox forks. (Especially the ones that describe "no automatic updates" as a feature.)
I wouldn't call it criticism. Software at this scale and complexity will have vulnerabilities. I'd be a lot more concerned about someone who claims that their code is fully secure and doesn't need any patching ever.
> Software at this scale and complexity will have vulnerabilities.
Certainly. The question is what provisions the software has made to mitigate those potential vulnerabilities by notifying users that a patch is available and allowing them to automatically apply that patch.
Deliberately removing these mitigations from a piece of software which is highly exposed to exploits, like a web browser or an operating system, is nothing short of irresponsible.
Windows Ameliorated ships with a non-administrator user, thereby requiring a password for temporary admin privilages.
Most no-auth exploits take advantage of the user already being an administrator, and then bypassing UAC for example. The configuration mentioned above would likely mitigate this issue, although I'm not educated enough on this subject to say for sure
What configuration is there? You're either NATing or you're not. There's no "good". It's on or off. What situations have you been in where you weren't NATing between LAN and WAN?
Does VPN subnet translation count as NAT? Because I've definitely seen some footguns come from that.... I've also seen instances where poorly configured NATs ended up allowing victims to be used as proxies. So I'd say there are definite security questions to take into account.
Do you understand why people might get confused? They don't qualify what they mean by "more secure," and it seems reasonable to criticize the project if their idiosyncratic definition of "secure" actually excludes one of the biggest advances in consumer software security in the last 20 years...
In any case, if you wanted security in the way you describe, how would you justify running Windows 10 at all? The onus isn’t on this project to secure Windows when they had no part in making it insecure to begin with. If Windows were open source, these measures wouldn’t be necessary, and wouldn’t result in less security. This is the current best effort that the devs can do to accomplish their goals. It’s fair to criticize the goal or the results, but issues you’re describing are present in stock Windows 10 to begin with.
I’m sure that some kind of auto build script could be created, so that whenever new Windows Updates are released, a new build is created.
The biggest advance I can think of is using security as an excuse to gather and monetize data.
Different people have different attacker models. I can imagine something like this would be perfect for keeping a mostly airgapped machine to access archives of documents created by Windows. (Or to use legitimately licensed, pre-everything as a service software in perpetuity)
This is what happens when people don't understand group policy and are a little too paranoid. This is just a broken version of Windows 10 as far as I'm concerned. You will have far more problems with this than any "forced" Windows update people love to complain about.
It’s an educational release, and one that raises awareness about the issues of Microsoft collecting PII and other telemetry. Even if it’s provably broken in the ways you say, it still serves the stated goals of the creators in these ways.
That's not at all what they say. It's advertised as "a stable, non-intrusive yet fully functional build of Windows 10 to anyone that requires [it]" in which "great effort has been invested in maintaining the subsequent system’s stability, bug-free operation and user experience".
The entire site screams "download this and use it in production". They have big friendly ISO download buttons front and center, with absolutely no disclaimer anywhere that it might be a terrible idea. If it truly is merely "educational", then this is highly irresponsible.
It [being an education release of Win10] is exactly what they say.
> AME is developed for educational purposes only, which emphasizes an effort to reverse engineer, disable or replace components of the Microsoft Windows 10 operating system. The goal is an endeavour to better understand and mitigate the collection of Personally identifiable information (PII), as has been clearly outlined by numerous outlets covering the topic, including comments by famed whistle-blower Edward Snowden. Another goal is to replace included proprietary Windows software, such as the Edge web-browser, with ethically verifiable alternatives using open-source licenses.
There is literally a link titled "ISO Download" at the top of the web site.
Claiming that "oh, that web site isn't actually offering the download, it's actually a torrent file hosted on a Telegram channel" is not the defense you think it is.
> Your legal argument is clearly false, or else torrent sites themselves wouldn’t exist. The Pirate Bay is legal!
Yes, so legal that Gottfrid, Fredrik and three more guys who founded the site got a fine of roughly 3 million USD and one year in jail for helping people commit copyright infringement. So very legal. Wtf dude?
If you think the existence of a site is proof of legality then I don't know what to tell you. Do you believe child porn is legal as well because such sites exists?
As for personal attacks, I'm sorry but this is not a debate. I'm sharing facts with you and you're sharing your ignorance.
It'll probably still work better than some of the insane and dubious things my Citrix customers manage to do to windows in the name of stability and privacy...
Using group policy or registry edits does NOT fully remove Windows spyware or telemetry. Windows Ameliorated is different in this regard, as it actually gets rid of the spyware on an executable level, meaning the functionality of the spyware is not just disabled, but completely removed.
Also, as a personal testimony, my whole family and I have been running AME as a daily driver for awhile now, and haven't run into any significant issues (funnily enough, I've had less issues with Windows Ameliorated than I have with Windows). From my experience it really is stable, and IMO even more stable than stock Windows.
I ask that you actually try out a project before making claims about it.
I do agree removing Windows Update does pose some security risk, however I don't think said risk is nearly as bad as some make it out to be, and I personally think the benefits of Windows Ameliorated greatly outweigh any security downsides.
Also, AME does greatly help to mitigate the attack surface of Windows:
Windows Ameliorated ships with a non-administrator user account by default, which mitigates ~70% of Windows vulnerabilities. (Source: https://web.archive.org/web/20210618023509/https://www.beyon...). Of course you can still do admin actions, it just requires the admin password.
It's hard. I got mine because MS gave me a free Visual Studio Enterprise subscription, which seems like one of the only ways to get it. But I think that thing runs to $3000/year if you're paying for it.
Are there any companies that deploy this internally? I would expect that some law firms adverse to Microsoft, and Microsoft competitors, might want to do so.
Fuck no. You'd be nuts to run this in production. Normal people in an enterprise world use group policy and scripting, they don't rip Windows apart breaking God knows what.
> Are there any companies that deploy this internally?
I should hope not. This is a cracked copy of Windows. The FAQ explains that it can't even be activated properly, as some of the components required for that process have been removed.
Couple of issues with this, the first being a "rudimentarily activated using a Generic Key" ISO that's not from Microsoft. Can you really trust this source and technically at this point, it's piracy. Secondly, once the Microsoft lawyer's get wind of this, expect it to be shut down rather quickly.
I'm okay with providing documentation, tools and scripts to remove the cruft and increase privacy within Windows 10, but the ISO linked from a Telegram channel is dubious at best.
Yeah, my question was around legality too. The FAQ seems to imply that because it was educational or improves interoperability, that it's somehow legal. Not sure how that's supposed to work, but it would be interesting to learn about.
I personally don’t use questionable software because I worry about having ransomware installed but had to laugh at your comment. My question would be who gives a shit if it it piracy especially against Microsoft. They have become so hostile I would argue they no longer have the right to say I’ve taken anything after taking my money for a product then using that product against me to steal my personal information. I’ve given them enough money so I won’t feel bad using this and removing the unwanted stuff they are raping me with. One day I will move to Linux instead of complaining but until then me and Microsoft are not friends. I change a setting and suddenly it comes back. They don’t take no for an answer. Rapist mentality
I looked over the second option and it's a pretty extensive patching process. The 2-3 hours they give for it is generous. Also it appears that they do do windows update manually, so it's still a fully up to date Windows 10 installation. I suspect you could get away with just running their script on a legit, fully updated, Windows 10 install, with presumably the UI modifications they want you to do (says the scripts need you to do that).
I never really looked too deep into Ameliorated Windows, just saw that they have their own ISOs. From memory, nLite came with a slick installer that you just supplied an ISO to and chose some options, and it did everything for you.
Sorry to beat a dead horse, but please use "copyright infringement" or "unauthorized copying" instead of "piracy". Actual pirates commit or threaten physical violence, so this meaning-slippage is just propaganda.
The ISO was merely made for convenience, and for those without the basic technical knowledge required to perform a manual amelioration. Also, Microsoft already tried without success to shut it down in the past, after Linus made a video on Windows Ameliorated.
If you are really that paranoid just get a LTSC license or use a different OS. The whole „cleaning up and shutting up“ windows craze kickstarted a whole new industry of snake oil and malware.
Using LTSC or using policy changes never truly gets rid of the telemetry/spyware.
The main goal of Windows Ameliorated is to restore privacy, and it does this by removing said spyware on an executable level, not by just simply using registry edits or what have you.
Some people desire or require Windows, but they don't want the included spyware. Windows Ameliorated is for those people.
I can imagine the script they've created removes certain DLLs/EXEs (and disables Windows Updates - which is a red bloody flag) but there are numerous ways in which this can break Windows down, so the whole topic is a load of poo and nothing else.
Do not use, do not download, do not touch.
It's based on the premise that Windows is spying on you which has never been proven/shown in the first place. Yes, Windows 10/11 send a ton of DNS queries - it's _not_ spying. Yes, Windows 10/11 send mini crash dumps and EXE files hash sums to Microsoft - that's _not_ spying.
I like AME especially as a statement, but after a few months of running it on my desktop I found it wasn't worth the trouble. Weird things kept not working and most of the time I couldn't figure out why.
It's been quite a while so my memory's a bit hazy, but as I recall the biggest issue was the Start menu behaving oddly. On my typical computers I run OpenShell, but certain things don't show up in the search result list so I have to open the Windows Start and search from there. AME's start menu is very stripped-down and very little shows up with it, though that could've changed since I used it. Now I'm certain there are two or three different ways to do all the things I wanted to do but breaking the habit of "push button, type, hit enter" was tough. If I were going to try it now my concern would be a lack of control over updating. Sure, AME strips WU out so you have perfect negative control, but running LTSC with Windows Update Manager makes it very easy to install the updates I actually want.
I see, thank you for the detailed reply. One solution could have been uninstalling open-shell, that way the start menu would be normal again. Some of open-shells search behavior can be changed, although it can be a pain.
As far as WU goes, personally I think it is overrated. The only real use for them is security, however I've found that even that is really not necessary at all. Just from my own experience I've never seen anyone run into issues/get infected purely because they didn't update, and I think that if you're tech literate it really is unnecessary, to a certain point that is.
It is still a tradeoff, but I personally find the benefits and peace of mind more valuable than missing out on security updates.
Tron is very different from Windows Ameliorated, and doesn't remove all the spyware on an executable level like Ameliorated does.
Windows can be ameliorated completely legally by doing the amelioration process manually and entering the key before running the scripts. (Guide on the ameliorated.info site)
I was today years old when I learned about "generic keys", "ltsb" and "ltsc". So this post was useful after all.
For everyone else: Chris Titus Tech's debloat script is what you want especially if you thought for a millisecond installing Windows from this ISO is a good idea.
Windows Ameliorated does not require installing from an ISO. That was merely made for convenience, and for those without the basic technical knowledge required to perform a manual amelioration. There is detailed documentation for performing a manual amelioration, and it's all open-source. (https://wiki.ameliorated.info/doku.php?id=documentation_21h1)
The script you mentioned does NOT fully disable or remove the spyware within Windows. Windows Ameliorated gets rid of the spyware on an executable level, meaning the functionality of the spyware is not just disabled, but completely removed.
Windows Ameliorated does not require installing from an ISO. That was merely made for convenience, and for those without the basic technical knowledge required to perform a manual amelioration. There is detailed documentation for performing a manual amelioration, it uses fully open-source scripts.(https://wiki.ameliorated.info/doku.php?id=documentation_21h1)
The ISO has been used by hundreds of people, with no sign of malicious intent, so personally I'm willing to trust that as well.
At this point I think we better accept that each operating system has its flaws. Instead of forcing the OS to change, imo it’s better to choose the OS according to the job. I don’t see why anyone would install this and not even consider Linux..
Some people require Windows, or prefer to use it over Linux. And some of those don't want the included spyware that comes with it. Windows Ameliorated is for those people.
It's not always as simple as "want privacy? Switch to Linux!". Some people want Windows as well as privacy.
-In order to secure the system properly, it is strongly advised to revoke administrator privileges from the default user.
-By using any of these images you agree that you have obtained a genuine product key or are able to activate by an other authorized method.
-Can AME be activated with a legit key, like normal Windows? No.
1. ~70% of the Windows attack surface as of 2020 is caused by using an administrator user (Source: https://web.archive.org/web/20210618023509/https://www.beyon...). This does not mean you cannot do administrator actions, it only requires the admin password on each UAC prompt.
2. This is for legal reasons. You're not going to get in trouble if you don't follow it, and many people don't. (Unless you're a business)
3. Windows activation has telemetry, and there's no real reason to have it in the first place.
If you still wish to activate with a license key, you can activate Windows before performing a manual amelioration (Guide here: https://wiki.ameliorated.info/doku.php?id=documentation_21h1)
They disabled windows update because it is spyware? Are they providing their own filtered update channel??
Ok, so PSA: if you don't want "Spyware" don't use windows. In Forensics, you learn there are many many ways windows tracks what you do, some of which can be disabled but it is all architectures into the OS. If you looked at a specific folder in explorer, that can be proven in court, executed a specific program? At least 4-5 ways come to mind . Take a peek at c:\windows\system32\winevt\logs\ (equivalent of /var/log/) and that's just one place.
I mean the spyware has measurable and valuable security benefits. If you wanna really test your malware dev skills, leave cloud submission turned on Defender and write any basic malware (harmful not just undesirable) and avoid detection for longer than a day. It was very hard when I tried it (for legit purposes).
I bash on Linux because of all its problems (only because I love it and want to see it improve) but if you want privacy, use Linux, the cliche holds true. You can always use windows in vbox+seamless mode for most things or on a separate device if you can afford it.
Not defending this thing, but logging events and uploading them to the mothership are two very different things. To your own admission /var/log on linux.
Depends on your definition I suppose. The fact that it is sitting there to be accessed by any program is a problem for some but I agree, sending it over the network is what most people worry about. Most evtx logs are not sent to the "mothership" but other telmetry and security logs like defender logs might be by default. There is also cloud submission which sends MS random suspect files for analysis.
Also, closed source means it is hard for me to be sure which of those logs are sent to MS.
I'd have to check, but I'm pretty sure particular logs are NOT accessible by Builtin\Users. Particularly Security log.
But comparing logging to spyware is nuts.
Event logs are just one of endpoints for event tracing mechanism and event viewer is just one crappy UI for that. You can turn on/off various logging to your hearts desire, including various diagnostic/tracing info. You can go all the way to capture stack traces, cpu context switches and whatnot. Windows is pretty configurable in this regard.
Defender doesn't hide option for cloud based scanning and it is up-front in settings. I dunno if it is enabled by default or not, but in our org, we had to explicitly rollout changes to enable it (we are pretty locked down by default)
First, I never said any of this was hidden or in secret. Second, event logs are just one of many places where activity is tracked. Most of them are harmless but many will keep a record of what is being done on the system in a way that isn't obvious to the user of the system. Lastly, installed programs don't need to be builtin\users they can run elevated or in any group, you are assuming only accidentally opened programs are risky?
The subject here is personal use, not corporate use. For example you might torrent a movie and then uninstall the torrent application, files and downloaded content. If you get sued and (i know it is rare) your windows install is submitted as evidence it can be proven that you executed the torrent program, the torrent program transferred so many bytes and that you opened the folder of the torrented content without looking at any file directly related to the torrent app or windows event logs. Or let's say you downloaded content from a site but then cleared your browing history and uninstalled your browser. Thanks to motw the downloaded files on your pc show the sites frol where you downloaded them and the referrer that lead to you visiting the download link. These are only some examples.
Most operating systems log things —- it’s a feature. Most consumer software collects telemetry —- irrespective of platform.
Have a look at what a typical Android phone sends out! Including your GPS location! Apple isn’t immune either because the Facebook SDK that’s included with everything would make the NSA blush. TikTok even tracks your phone motion sensor.
IMHO raging about 30-year old diagnostic features is misplaced anger. Be angry about how every piece of software now goes through these stages:
1) Opt-out telemetry only collecting the important stuff, we promise!
2) Okay, collecting it synchronously was a mistake and it slowed down everything for everyone that’s not sitting in our head office. We fixed it though, don’t worry!
3) Umm.. apparently some people are behind corporate web proxies which makes the async code leak threads and melt CPUs. We fixed it though!
4) Some people have used the newly added proxy support to inspect the encrypted blob. We promise that it was an honest mistake collecting every single point of information we possibly could about your system including mouse movements and key presses. Don’t worry, we fixed it! We now “anonymise” the information. Don’t worry about why that’s in quotes.
5) Those socialist Europeans sued us when we said we deleted their data but it was still there when they reactivated their accounts. Oopsie! Our bad. We promise to “wipe” your data including telemetry when you request this form. Fill it out in triplicate and fax it to this Cayman Islands number please.
6) We can no longer sell our software in some jurisdictions. Don’t ask why or what that implies about how we treat our customers in other jurisdictions with weaker legal protections.
I was not raging. Doesn't matter what the reasons are (hard to prove either way), foe the unassuming user there are serious and even fatal implications if removing specific files or clearing history or logs does not have the expected effect. I am aware (I hope everyone else is) that mobile operating systems are magnitudes of order worse.
Your list of complaints is whataboutism and is not directly related to OS privacy expectations and reality.
Linux is better at this because it gives you more control over what is logged and the code is open source.
Some of us have windows just to play games, sometimes on our tv’s with a controller but that’s impossible when you have garbage popping up constantly. There’s definitely a demand for windows that can play games and do nothing else.
Proton is incredibly impressive nowadays, even when dealing with highly invasive anticheat services. I think there are only a small handful of games in my steam library where it doesn't work well. Within 5 years I think most of the remaining friction to gaming on linux will be gone.
It's what I'll probably end up doing when I have the energy but my wife is a bit techphobic and enjoys playing some games since setting up the PC on the TV but will abandon everything if linux starts getting in the way :D
Yes, but like always this is dependent on hardware and drivers. Which is a reason I'm excited about the Steam Deck and potential future devices. Hardware built by Valve has most likely the best compatibility.
It's "impossible" to play games on Windows because "you have garbage popping up constantly"? Sorry what are you talking about? I, like millions of people, play games all the time on my Windows PC and don't encounter this problem. It's most certainly not "impossible".
> There’s definitely a demand for windows that can play games and do nothing else.
It's called a "games console". Microsoft makes one called XBox.
Good point on the Switch, I own both and would agree there. PC is defintely better than XBox (Account on PC is frequently required to purchase, but not to play).
XBox I actually called out specifically because when we got an XBox 1, we discovered there is no way to do anything - setup of the console, launching a game, etc - without having an XBox Live account per user of the machine.
I say this as a console guy since the 1980s: There’s also a huge chunk of PC games that have not and will not find their way across to console. Classic games, indie titles, niche tastes, etc. If I want to play Stalker, CDDA, Cogmind, Caves of Qud, DCS World or even the (extremely popular) Escape from Tarkov, I can’t do any of that on Xbox.
PC gaming is a weird and wonderful ocean; console gaming more like a highly curated pond.
I was the steamlink app on Apple TV and I haven't had any issues with garbage popping up and interrupting me, and I haven't made any tweaks to Windows. Just letting you know in case you'll find it useful.
Yeah, I can't say I've noticed any latency though, as long as I've got an ethernet connection set up. Also a good idea to turn on whatever your "game mode" is on the TV. I use one of those flat ethernet cables and run it under my living room rug to my TV.
I imagine using steam in big picture mode would be equivalent if you're not streaming though. Maybe it's something else, I just can't remember a Windows pop-up ever interrupting my gaming whether I'm playing on my TV or not.
My rudimentary Win10 setup is such a gaming-only system, only Apps installed are Steam, GoG, Epic and Origin. The Spam that comes from those apps aside (mostly sales popup banners/notifications), I still receive the occasional "Your windows is at risk because you don't use OneDrive", or "Windows Defender has not found anything" or "Hey, this is our new Edge browser we installed and placed a shortcut on your desktop, want to make it your default browser now?" spam.
Some of that can be disabled with "O&O ShutUp10" or with some of the debloating scripts various people have created over time also mentioned in this thread.
Yes you can alaways mod the system, but please re-read the thread. I answered to the question what spam windows generates. Saying there is no spam because you can run a script to minimize, is like saying you don't receive spam mails because you run a spamfilter.
I get what you mean. I fought a similar battle back in 2013 when a document was proposed to the IETF, never ratified but yet network engineers everywhere adopted it and the anti-spam industry exploded. I somethings think these things are under-engineered on purpose so that friends of friends can create new business models.
Driver popups. I made the mistake of buying a razer keyboard and microsoft update itself is pushing to download their companion app each time it does an update. It's a thing, look it up. There are workarounds but they don't survive multiple rounds of updates.
Then I envy you. It’s not some big secret but it definitely happens with my keyboard. Maybe it’s loading it from the keyboard itself? Either way it only happens during windows updates
So you play games with Windows security updates turned off? Why don't you just post all of your passwords and bank accounts on the internet and save yourself the trouble of waiting to get hacked.
Hope there's no microphone or webcam connected to your computer, because an attacker can listen or watch. Also, your firewall is worthless because attackers have a foothold inside your network. Also, hope you don't use the same user/password combination on any windows machines or SMB shares on your network, because those are now pwned too. Buy a game, credit card info stolen.
I run a wire to the unit next door and use my neighbor's internet and all the microphones have been covered with blue tapes and the webcams are pointing at my bird cage.
IDK about other folks, but very few of my passwords and nothing that'd get you direct access to any of my bank accounts touches my Window gaming machine (which is also my only Windows machine)
Important account credentials are on macOS or iOS. Local copies of my important files are on a system running Linux, and the Windows machine doesn't have access to that (doesn't need to, all I do on it is play games, if I didn't PC game I wouldn't have Windows at all).
[EDIT] However, mine does have Windows Update turned on.
What bank accounts do you think are on that machine? Perhaps it's risking credentials to ex. Steam and such, but again, if all you run is games where are you getting malware from?
Edit: Actually, to steel man the argument: If you pirate a game and get a keylogger that way, and then type in your credit card to buy a game (ex. on Steam), then you'd have a problem. I maintain that it's perfectly possible to maintain a... "DMZ PC" for games, but there are ways for it to end badly.
I don't think there's a need to dramatize and exaggerate. Once you get setup on Windows and uninstall the stuff you want to uninstall that’s pretty much the end of it.
Object access auditing has been around in NT since the mid-1990s, if not from the beginning. It's not some secret spyware, it is literally a feature that is widely used and is a requirement for high-security environments (e.g. government systems) when you need to be able to log or prove if someone did or did not access some sensitive information. E.g. insider threat scenario.
Others also seem to think I am pointing out some secret feature. None of this is a secret, just not obvious to people who didn't think to look for it. Defaults matter.
History clearly shows us about tenth of all updates from Microsoft are bogus, if not malicious. I only install those I downloaded and checked manually.
I don't agree that not keeping up with Windows Update is always a security risk, if one is behind NAT and only browses trusted websites (which rules out webmail, BTW.)
I do agree that trying to make a consensual OS out of Windows is an uphill battle. If you're stuck using it, however, for whatever reason, a patchkit like this is better than nothing.
It's not whataboutism. Windows has a ton features spanning decades and privacy was never a priority given their paying customers' priority. Linux on the other hand was made by individuals and allows a lot more control and input from users. If privacy is your priority then Linux wind the race. If managable corporate workstation is your priority then windows wins the race.
>> If you looked at a specific folder in explorer, that can be proven in court, executed a specific program?...
You'll find most if not all of these in `.bash_history`, wouldn't you?
Probably, it's possible to setup an install of Linux in such a way, that the user won't leave any traces in the system, but this is definitely not the default behavior. And the system setup in this way is likely a pain to use. But if you have a specific need, by all means, go for it. After all, with Linux you're in control.
But saying Windows is spyware because it logs your activity locally is stretching it.
The OP called it spyware, not I. I pointed those out as examples of what artifacts windows logs. Bash_history much like your browing history you can clear it and be done with it. But due to the seemingly endless subsystems (new ones get discovered all the time, see my other replies) if you clear security.evtx and your browsing history there are still many reliable (as in court tested) artifacts that can prove you browsed specific sites and ran specific programs.
I don't know how much of this MS collects and anyone who says they do, I would challenge them for evidence because there are many plausibly deniable and benign reasons to extract this information from the host.
I would say at best windows is spyware-friendly.
If I workes for the CCP and was instructed to get a list of people that used Signal so they can be sent for re-education, I would not even look to see if Signal.exe is installed in windows, I would just check prefetch and srum.
I do agree removing Windows Update does pose some security risk, however I don't think said risk is nearly as bad as some make it out to be, and I personally think the benefits of Windows Ameliorated greatly outweigh any security downsides.
Spyware is not the same as local system logs. Spyware in this case is software that sends unnecessary or intrusive information to Microsoft. The goal of Windows Ameliorated is to remove spyware, not prove your innocence in court.
You used Windows Defender as an example of a security benefit. There are alternatives to Windows Defender, and IMO If you're a tech literate power user, an AV isn't useful in most cases.
If you have the time, consider reading this: https://wiki.ameliorated.info/doku.php?id=antivirus
Personally I believe antivirus software in general does more harm than good, as they are generally quite resource hungry and privacy intrusive.
Also, AME does greatly help to mitigate the attack surface of Windows:
Windows Ameliorated ships with a non-administrator user account by default, which mitigates ~70% of Windows vulnerabilities. (Source: https://web.archive.org/web/20210618023509/https://www.beyon...). Of course you can still do admin actions, it just requires the admin password.
> Are they providing their own filtered update channel??
You can even update Windows offline if you want to.[0]
It's quite refreshing to be able to prep a USB stick containing all the updates for a clean install of a certain build of Windows and be able to deploy them without needing to connect to the internet.
How is it impossible to access? Telegram is a pretty popular messaging app, and if you don't already have an account it's easy to make one. You can use a google voice number or similar to sign up if you prefer not to give your real one.
Forcing people to create or sign in with an account is bad, particularly when one considers that the ISO is of questionable legality.
What would be infinitely more useful would be a program which directly modifies an ISO image that the end user can download herself directly from Microsoft.
This probably deserves the new top spot in the 'security theater' competition.
Cracked Windows, no security updates since 2018, iso distributed through some telegram channel. This is the software equivalent of trying to buy a homemade vaccine from craigslist because you're afraid that Bill Gates is going to microchip you.
A WFP firewall like simplewall (by henry++, not the corporate one) can block everything by default, including services like Windows Update, and is IMO the most straightforward option.
It has all of the SSU and cumulative updates since 21H1. But anyway I doubt they put anything in there, should be easy enough to look at the scripts on the ISO or just patch it yourself. The ISO is just an 'easy' way to distribute it.
Windows Ameliorated does not require installing from an ISO. That was merely made for convenience, and for those without the basic technical knowledge required to perform a manual amelioration. There is detailed documentation for performing a manual amelioration, it uses fully open-source scripts, and is legal if you use a license key before running the scripts. (https://wiki.ameliorated.info/doku.php?id=documentation_21h1)
I do agree removing Windows Update does pose some security risk, however I don't think said risk is nearly as bad as some make it out to be, and I personally think the benefits of Windows Ameliorated greatly outweigh any security downsides.
Also, AME does greatly help to mitigate the attack surface of Windows:
Windows Ameliorated ships with a non-administrator user account by default, which mitigates ~70% of Windows vulnerabilities. (Source: https://web.archive.org/web/20210618023509/https://www.beyon...). Of course you can still do admin actions, it just requires the admin password.
Technically using AME from the pre-built ISO is illegal, however realistically no one will ever go after you for it, unless you're a business.
You can however legally do it by self-ameliorating and entering a key before the amelioration process.
It does lack Windows Update yes, as WU is a threat to privacy. Windows Ameliorated helps mitigate this by shipping a non-administrator user account by default. Of course you can still do admin actions, it just requires the admin password. ~70% of Windows vulnerabilities are caused by using an admin user (Source: https://web.archive.org/web/20210618023509/https://www.beyon...)
P.S. Personally I think security updates are a bit overrated, as in all practicality, there's extremely little chance of getting attacked unless you download FreeFortniteVbucks.exe
For some it is necessary to use Windows. Windows Ameliorated is for those who both need (or desire) Windows, but don't want the intrusive spyware that comes with it.
Windows Ameliorated does much more than what O&O ShutUp does. It completely removes spyware on an executable level, not by just using registry or policy edits.
The only way to use Windows 10 truly securely is by running it in a QEMU virtual machine as a guest with local-only networking for QEMU native Samba file sharing between host and guest. Zero internet connectivity. Booted off what QEMU calls a temporary snapshot after setting everything up on the base QCOW2 image. This way any changes to the virtual drive after boot are trashed after shutdown. This solution is robust and reliable.
Can you actually do an airgapped Windows install these days? I used to work in the defence sector in the days of Windows 2000 and that was easy but I have no idea how it works since. Our corporate stuff is all remotely managed with InTune and all sorts of horrible shit that hammers the network all day.
The Windows 10 installation ISO downloaded directly from microsoft.com does not need the internet to install correctly under any circumstances.
You also don't need to do anything special to get it working. However, I opted for the inclusion of a completely optional disk driver during install time to improve performance and sustainability.
You can provide a QEMU virtual CDROM with drivers during installation if necessary, and do the rest of your setup with QEMU native Samba file transfers followed by software installation.
I use the QEMU virtual CDROM to provide VirtIO drivers during Windows installation for super fast virtual drive I/O and DISCARD support.
discard=unmap is absolutely essential to keep your QEMU QCOW2 file on your host from growing excessively as you delete stuff in your Windows guest. This is the main reason I use VirtIO.
To learn more about QEMU I recommend the Arch Wiki page on it
Microsoft will have to maintain Win10 perpetually, unless it gets the ability to ungroup the taskbar again. Keeping me and thousands of others from updating to Win11.
But I don't see how this version is more secure? Yes, no telemetry and lots of services disabled. But will lack updates, right?
I mean, I stuck on Vista for forever even while Microsoft incentivized my university to install 7 on student laptops for free, just because 7's taskbar forced windows to be grouped (*), but that didn't stop Vista from dying.
(*): To be precise since "grouped" means different things: In 7's taskbar, multiple windows of the same application would be forced to be adjacent. I preferred my windows to be ordered by context, not by which application they belonged to, eg VS-terminal-explorer-browser for project 1, then VS-terminal-explorer-browser for project 2, and so on. Eventually 7 Taskbar Tweaker became a thing that allowed this, so I switched.
231 comments
[ 3.2 ms ] story [ 261 ms ] threadCertainly. The question is what provisions the software has made to mitigate those potential vulnerabilities by notifying users that a patch is available and allowing them to automatically apply that patch.
Deliberately removing these mitigations from a piece of software which is highly exposed to exploits, like a web browser or an operating system, is nothing short of irresponsible.
https://msrc.microsoft.com/update-guide/vulnerability/CVE-20...
Most no-auth exploits take advantage of the user already being an administrator, and then bypassing UAC for example. The configuration mentioned above would likely mitigate this issue, although I'm not educated enough on this subject to say for sure
I can't imagine this is more secure than standard Windows 10.
Secure in literally any other way: outside the scope of the project
What is a good NAT as opposed to a bad one?
"Dude the DHCP on this network is AWESOME" lol
https://docs.netgate.com/pfsense/en/latest/nat/index.html
In any case, if you wanted security in the way you describe, how would you justify running Windows 10 at all? The onus isn’t on this project to secure Windows when they had no part in making it insecure to begin with. If Windows were open source, these measures wouldn’t be necessary, and wouldn’t result in less security. This is the current best effort that the devs can do to accomplish their goals. It’s fair to criticize the goal or the results, but issues you’re describing are present in stock Windows 10 to begin with.
I’m sure that some kind of auto build script could be created, so that whenever new Windows Updates are released, a new build is created.
Different people have different attacker models. I can imagine something like this would be perfect for keeping a mostly airgapped machine to access archives of documents created by Windows. (Or to use legitimately licensed, pre-everything as a service software in perpetuity)
The entire site screams "download this and use it in production". They have big friendly ISO download buttons front and center, with absolutely no disclaimer anywhere that it might be a terrible idea. If it truly is merely "educational", then this is highly irresponsible.
> AME is developed for educational purposes only, which emphasizes an effort to reverse engineer, disable or replace components of the Microsoft Windows 10 operating system. The goal is an endeavour to better understand and mitigate the collection of Personally identifiable information (PII), as has been clearly outlined by numerous outlets covering the topic, including comments by famed whistle-blower Edward Snowden. Another goal is to replace included proprietary Windows software, such as the Edge web-browser, with ethically verifiable alternatives using open-source licenses.
https://wiki.ameliorated.info/doku.php?id=faq#legal_consider...
This isn’t the pwn you think it is, lol
Claiming that "oh, that web site isn't actually offering the download, it's actually a torrent file hosted on a Telegram channel" is not the defense you think it is.
Yes, so legal that Gottfrid, Fredrik and three more guys who founded the site got a fine of roughly 3 million USD and one year in jail for helping people commit copyright infringement. So very legal. Wtf dude?
If you think the existence of a site is proof of legality then I don't know what to tell you. Do you believe child porn is legal as well because such sites exists?
As for personal attacks, I'm sorry but this is not a debate. I'm sharing facts with you and you're sharing your ignorance.
If you'd please review https://news.ycombinator.com/newsguidelines.html and stick to the rules when posting here, we'd appreciate it.
If you'd please review https://news.ycombinator.com/newsguidelines.html and stick to the rules when posting here, we'd appreciate it.
Also, as a personal testimony, my whole family and I have been running AME as a daily driver for awhile now, and haven't run into any significant issues (funnily enough, I've had less issues with Windows Ameliorated than I have with Windows). From my experience it really is stable, and IMO even more stable than stock Windows.
I ask that you actually try out a project before making claims about it.
Also, AME does greatly help to mitigate the attack surface of Windows:
Windows Ameliorated ships with a non-administrator user account by default, which mitigates ~70% of Windows vulnerabilities. (Source: https://web.archive.org/web/20210618023509/https://www.beyon...). Of course you can still do admin actions, it just requires the admin password.
Are there any companies that deploy this internally? I would expect that some law firms adverse to Microsoft, and Microsoft competitors, might want to do so.
I should hope not. This is a cracked copy of Windows. The FAQ explains that it can't even be activated properly, as some of the components required for that process have been removed.
https://wiki.ameliorated.info/doku.php?id=faq#can_ame_be_act...
I'm okay with providing documentation, tools and scripts to remove the cruft and increase privacy within Windows 10, but the ISO linked from a Telegram channel is dubious at best.
However i had to chuckle at "is dubious at best", since all the spyware shipped with Windows nowadays... is perhaps equally dubious.
This already happened when Linus Tech Tips posted a video regarding Ameliorated [0].
https://linustechtips.com/topic/1243421-windows-10-ameliorat...
There is detailed documentation for performing a manual amelioration, it uses fully open-source scripts. (https://wiki.ameliorated.info/doku.php?id=documentation_21h1)
The main goal of Windows Ameliorated is to restore privacy, and it does this by removing said spyware on an executable level, not by just simply using registry edits or what have you.
Some people desire or require Windows, but they don't want the included spyware. Windows Ameliorated is for those people.
Do not use, do not download, do not touch.
It's based on the premise that Windows is spying on you which has never been proven/shown in the first place. Yes, Windows 10/11 send a ton of DNS queries - it's _not_ spying. Yes, Windows 10/11 send mini crash dumps and EXE files hash sums to Microsoft - that's _not_ spying.
What makes you think most people would be better off running LTSC? For privacy, Windows Ameliorated is by far the best option.
If you have the time, I am curios about what stopped working. Thanks for your input nonetheless
As far as WU goes, personally I think it is overrated. The only real use for them is security, however I've found that even that is really not necessary at all. Just from my own experience I've never seen anyone run into issues/get infected purely because they didn't update, and I think that if you're tech literate it really is unnecessary, to a certain point that is.
It is still a tradeoff, but I personally find the benefits and peace of mind more valuable than missing out on security updates.
Windows can be ameliorated completely legally by doing the amelioration process manually and entering the key before running the scripts. (Guide on the ameliorated.info site)
For everyone else: Chris Titus Tech's debloat script is what you want especially if you thought for a millisecond installing Windows from this ISO is a good idea.
The script you mentioned does NOT fully disable or remove the spyware within Windows. Windows Ameliorated gets rid of the spyware on an executable level, meaning the functionality of the spyware is not just disabled, but completely removed.
I'll take my chances with Microsoft-sanctioned telemetry over whatever this is.
It's also warez and no one but microsoft can distribute Windows ISO images.
The ISO has been used by hundreds of people, with no sign of malicious intent, so personally I'm willing to trust that as well.
It's not always as simple as "want privacy? Switch to Linux!". Some people want Windows as well as privacy.
1. ~70% of the Windows attack surface as of 2020 is caused by using an administrator user (Source: https://web.archive.org/web/20210618023509/https://www.beyon...). This does not mean you cannot do administrator actions, it only requires the admin password on each UAC prompt.
2. This is for legal reasons. You're not going to get in trouble if you don't follow it, and many people don't. (Unless you're a business)
3. Windows activation has telemetry, and there's no real reason to have it in the first place. If you still wish to activate with a license key, you can activate Windows before performing a manual amelioration (Guide here: https://wiki.ameliorated.info/doku.php?id=documentation_21h1)
Ok, so PSA: if you don't want "Spyware" don't use windows. In Forensics, you learn there are many many ways windows tracks what you do, some of which can be disabled but it is all architectures into the OS. If you looked at a specific folder in explorer, that can be proven in court, executed a specific program? At least 4-5 ways come to mind . Take a peek at c:\windows\system32\winevt\logs\ (equivalent of /var/log/) and that's just one place.
I mean the spyware has measurable and valuable security benefits. If you wanna really test your malware dev skills, leave cloud submission turned on Defender and write any basic malware (harmful not just undesirable) and avoid detection for longer than a day. It was very hard when I tried it (for legit purposes).
I bash on Linux because of all its problems (only because I love it and want to see it improve) but if you want privacy, use Linux, the cliche holds true. You can always use windows in vbox+seamless mode for most things or on a separate device if you can afford it.
Also, closed source means it is hard for me to be sure which of those logs are sent to MS.
But comparing logging to spyware is nuts.
Event logs are just one of endpoints for event tracing mechanism and event viewer is just one crappy UI for that. You can turn on/off various logging to your hearts desire, including various diagnostic/tracing info. You can go all the way to capture stack traces, cpu context switches and whatnot. Windows is pretty configurable in this regard.
Also telemetry is well documented and configurable: https://docs.microsoft.com/en-us/windows/privacy/configure-w...
Defender doesn't hide option for cloud based scanning and it is up-front in settings. I dunno if it is enabled by default or not, but in our org, we had to explicitly rollout changes to enable it (we are pretty locked down by default)
The subject here is personal use, not corporate use. For example you might torrent a movie and then uninstall the torrent application, files and downloaded content. If you get sued and (i know it is rare) your windows install is submitted as evidence it can be proven that you executed the torrent program, the torrent program transferred so many bytes and that you opened the folder of the torrented content without looking at any file directly related to the torrent app or windows event logs. Or let's say you downloaded content from a site but then cleared your browing history and uninstalled your browser. Thanks to motw the downloaded files on your pc show the sites frol where you downloaded them and the referrer that lead to you visiting the download link. These are only some examples.
Have a look at what a typical Android phone sends out! Including your GPS location! Apple isn’t immune either because the Facebook SDK that’s included with everything would make the NSA blush. TikTok even tracks your phone motion sensor.
IMHO raging about 30-year old diagnostic features is misplaced anger. Be angry about how every piece of software now goes through these stages:
1) Opt-out telemetry only collecting the important stuff, we promise!
2) Okay, collecting it synchronously was a mistake and it slowed down everything for everyone that’s not sitting in our head office. We fixed it though, don’t worry!
3) Umm.. apparently some people are behind corporate web proxies which makes the async code leak threads and melt CPUs. We fixed it though!
4) Some people have used the newly added proxy support to inspect the encrypted blob. We promise that it was an honest mistake collecting every single point of information we possibly could about your system including mouse movements and key presses. Don’t worry, we fixed it! We now “anonymise” the information. Don’t worry about why that’s in quotes.
5) Those socialist Europeans sued us when we said we deleted their data but it was still there when they reactivated their accounts. Oopsie! Our bad. We promise to “wipe” your data including telemetry when you request this form. Fill it out in triplicate and fax it to this Cayman Islands number please.
6) We can no longer sell our software in some jurisdictions. Don’t ask why or what that implies about how we treat our customers in other jurisdictions with weaker legal protections.
Your list of complaints is whataboutism and is not directly related to OS privacy expectations and reality.
Linux is better at this because it gives you more control over what is logged and the code is open source.
> There’s definitely a demand for windows that can play games and do nothing else.
It's called a "games console". Microsoft makes one called XBox.
I like being able to use emulators. Can XBox do that?
I like being able to use mod's for any given game. Can XBox do that?
I use Linux for my gaming these days because I just don't like Windows, but even Windows is much more powerful for gaming than a console.
There's a place for console's, but they don't replace everything.
I suspect XBox isn't good for this, but the Nintendo Switch is actually probably better than a PC for this particular usecase.
The general-purpose stuff (emulators, mods) I agree with, though.
XBox I actually called out specifically because when we got an XBox 1, we discovered there is no way to do anything - setup of the console, launching a game, etc - without having an XBox Live account per user of the machine.
PC gaming is a weird and wonderful ocean; console gaming more like a highly curated pond.
I imagine using steam in big picture mode would be equivalent if you're not streaming though. Maybe it's something else, I just can't remember a Windows pop-up ever interrupting my gaming whether I'm playing on my TV or not.
Bonus: disabling autorun is better security!
This is just such a preposterous way to operate.
I can't wait to install this.
Important account credentials are on macOS or iOS. Local copies of my important files are on a system running Linux, and the Windows machine doesn't have access to that (doesn't need to, all I do on it is play games, if I didn't PC game I wouldn't have Windows at all).
[EDIT] However, mine does have Windows Update turned on.
>> Some of us have windows just to play games
What bank accounts do you think are on that machine? Perhaps it's risking credentials to ex. Steam and such, but again, if all you run is games where are you getting malware from?
Edit: Actually, to steel man the argument: If you pirate a game and get a keylogger that way, and then type in your credit card to buy a game (ex. on Steam), then you'd have a problem. I maintain that it's perfectly possible to maintain a... "DMZ PC" for games, but there are ways for it to end badly.
I don't think there's a need to dramatize and exaggerate. Once you get setup on Windows and uninstall the stuff you want to uninstall that’s pretty much the end of it.
https://docs.microsoft.com/en-us/windows/security/threat-pro...
You can make it log everything, but the performance hit is noticeable.
Next thing you’re going to start complaining about dtrace spying on you.
https://www.sans.org/posters/windows-forensic-analysis/
Im a Dev. But outside of reversing games for hacks and cheats I havent done anything with Windows specifically.
Any links, books, articles, etc.. you can provide to learn more about this?
I do agree that trying to make a consensual OS out of Windows is an uphill battle. If you're stuck using it, however, for whatever reason, a patchkit like this is better than nothing.
Good luck if explorer previewed wrong file.
Good luck if trusted website has been hacked and serves malicious content.
Good luck if you do npm install.
You'll find most if not all of these in `.bash_history`, wouldn't you?
Probably, it's possible to setup an install of Linux in such a way, that the user won't leave any traces in the system, but this is definitely not the default behavior. And the system setup in this way is likely a pain to use. But if you have a specific need, by all means, go for it. After all, with Linux you're in control.
But saying Windows is spyware because it logs your activity locally is stretching it.
I don't know how much of this MS collects and anyone who says they do, I would challenge them for evidence because there are many plausibly deniable and benign reasons to extract this information from the host.
I would say at best windows is spyware-friendly.
If I workes for the CCP and was instructed to get a list of people that used Signal so they can be sent for re-education, I would not even look to see if Signal.exe is installed in windows, I would just check prefetch and srum.
Spyware is not the same as local system logs. Spyware in this case is software that sends unnecessary or intrusive information to Microsoft. The goal of Windows Ameliorated is to remove spyware, not prove your innocence in court.
You used Windows Defender as an example of a security benefit. There are alternatives to Windows Defender, and IMO If you're a tech literate power user, an AV isn't useful in most cases. If you have the time, consider reading this: https://wiki.ameliorated.info/doku.php?id=antivirus Personally I believe antivirus software in general does more harm than good, as they are generally quite resource hungry and privacy intrusive.
Also, AME does greatly help to mitigate the attack surface of Windows:
Windows Ameliorated ships with a non-administrator user account by default, which mitigates ~70% of Windows vulnerabilities. (Source: https://web.archive.org/web/20210618023509/https://www.beyon...). Of course you can still do admin actions, it just requires the admin password.
You can even update Windows offline if you want to.[0]
It's quite refreshing to be able to prep a USB stick containing all the updates for a clean install of a certain build of Windows and be able to deploy them without needing to connect to the internet.
[0] https://download.wsusoffline.net/
Forcing people to create or sign in with an account is bad, particularly when one considers that the ISO is of questionable legality.
What would be infinitely more useful would be a program which directly modifies an ISO image that the end user can download herself directly from Microsoft.
Cracked Windows, no security updates since 2018, iso distributed through some telegram channel. This is the software equivalent of trying to buy a homemade vaccine from craigslist because you're afraid that Bill Gates is going to microchip you.
[1] https://github.com/farag2/Sophia-Script-for-Windows
I do agree removing Windows Update does pose some security risk, however I don't think said risk is nearly as bad as some make it out to be, and I personally think the benefits of Windows Ameliorated greatly outweigh any security downsides.
Also, AME does greatly help to mitigate the attack surface of Windows:
Windows Ameliorated ships with a non-administrator user account by default, which mitigates ~70% of Windows vulnerabilities. (Source: https://web.archive.org/web/20210618023509/https://www.beyon...). Of course you can still do admin actions, it just requires the admin password.
Also since it disables updates, doesn't this mean I run a vulnerable system 'frozen in time', as it were, impervious to the latest patches?
It does lack Windows Update yes, as WU is a threat to privacy. Windows Ameliorated helps mitigate this by shipping a non-administrator user account by default. Of course you can still do admin actions, it just requires the admin password. ~70% of Windows vulnerabilities are caused by using an admin user (Source: https://web.archive.org/web/20210618023509/https://www.beyon...)
P.S. Personally I think security updates are a bit overrated, as in all practicality, there's extremely little chance of getting attacked unless you download FreeFortniteVbucks.exe
https://wpd.app/
You also don't need to do anything special to get it working. However, I opted for the inclusion of a completely optional disk driver during install time to improve performance and sustainability.
You can provide a QEMU virtual CDROM with drivers during installation if necessary, and do the rest of your setup with QEMU native Samba file transfers followed by software installation.
I use the QEMU virtual CDROM to provide VirtIO drivers during Windows installation for super fast virtual drive I/O and DISCARD support.
-drive file=windows.qcow2,index=0,media=disk,if=virtio,discard=unmap
discard=unmap is absolutely essential to keep your QEMU QCOW2 file on your host from growing excessively as you delete stuff in your Windows guest. This is the main reason I use VirtIO.
To learn more about QEMU I recommend the Arch Wiki page on it
But I don't see how this version is more secure? Yes, no telemetry and lots of services disabled. But will lack updates, right?
(*): To be precise since "grouped" means different things: In 7's taskbar, multiple windows of the same application would be forced to be adjacent. I preferred my windows to be ordered by context, not by which application they belonged to, eg VS-terminal-explorer-browser for project 1, then VS-terminal-explorer-browser for project 2, and so on. Eventually 7 Taskbar Tweaker became a thing that allowed this, so I switched.