Reminder: How to get a grip on your files, data that Windows 10 phones home to Microsoft If you don't know how to control the information Windows 10 sends back about you to Microsoft, the Redmond giant has updated its guide on how to do so. Snappily titled "Configure telemetry and other settings in your organization", the page was tweaked on Tuesday, and some corners of the web are rather excited by this …
@Gotno
If you are running software that is designed and advertised to perform a function that you don't want it to, if when your countermeasures fail you have noone but yourself to blame. Microsoft's technology is adaptive to your defenses and you -will- be assimilated.
No argument at that from me, I'm trying to avoid relying on one thing.
Where possible telemetry updates aren't installed (1st line of defence), SBAB confirms their absence but sits ready to block of the tasks should they appear (2nd line). I accept it relies on me correctly identifying and blocking said updates which is a monthly PITA. SBAB edits the hosts file so there is kinda a 3rd line of defence. Since the executables don't exist I can't block them at the firewall but that would be just another line of defence on the machine anyway, as you say Microsoft adapts. One day soon I shall get around to reading the manual for my router and blocking the telemetry hosts there too, a much more acceptable independent line of defence. Still relies on a correct list of telemetry hosts though.
Longer term I'm going Mint* at which point an even bigger learning curve begins. It's the monthly update filtering that has tipped me over that particular edge. Deadline is a year from now when my Action Pack subscription expires.
*Not just yet though.
There's a (slight?) parallel that can be drawn between telemetry reporting crashes and yellow card reporting of adverse effects in pharma.
Underreporting means important issues go unnoticed and more are affected (suffer) before the issue is resolved.
That said, in medicine there are clear society needs to identify and prevent harm to the vulnerable. And that the system is not obvious unless you read all of the medicine leaflet and might be overlooked is less of an issue.
While Microsoft's approach may be important to help its users, and other software might benefit from same approach, that the information has not been clearly set out from the start so that users can make their own informed choice, is detrimental.
While Microsoft's approach may be important to help its users, and other software might benefit from same approach, that the information has not been clearly set out from the start so that users can make their own informed choice, is detrimental.
could so easily be re-written as below for Care.Data
While the NHS's approach may be important to help its users, and other healthcare might benefit from the same approach, that the information has not been clearly set out from the start so that users can make their own informed choice, is detrimental.
Opting OUT of Both.!
If Microsoft was sincere and honest they would give users a clear and full explanation of what data they wanted to collect and allow users to decide how much they wished to share including NOTHING THANKS.
They they would actually do as the user requests.
if they were honest, they would say: We know that people want free lunch, however, as a profit-making business, we do not offer free lunches. What we offer is a lunch in exchange for showing us your privates.
...
on second thoughts, this would NOT work, because on top of a being a profi-making business, they are a business that strives to make the most possible profit, ideally by hook, less ideally, by crook, if they can get away with it. And by lebelling it we'll-give-you-ours-if-you-show-us-yours is less profitable than by labelling it FREE!!!! FOR LIFE!!! COME ALL YA FAITHFUL!!!!*
So, really, it's not their fault that people are such suckers, they only nurture human nature....
* what, it's a little star-like thingy, what did you expect?!
"..they can request extra data from your machine, which Windows 10 will hand over under remote control if management approves."
Presumably if management does not approve Windows 10 will be smart enough to know this and refuse to hand over any data whether the person doing the requesting is a Microsoft engineer, Bob or Alice?
Of course the methods and security around the methods MS Engineers use to remote YOUR Windows 10 install will never be reversed, hacked or leaked. Or indeed sold to support a habit, gambling debt, lavish lifestyle or simple greed.
Sometimes I wish I wasn't quite so cynical but that's very rare these days.
I can confirm Full is the recommended default on Home, as I've just had a shufti at the settings. Which live with Windows Update and Defender - I'm sure that menu wasn't there when I first installed Windows 10, but I could be wrong. I upgraded pretty early, as the PC was on Windows 8. Being a small company we tend to only buy about one PC/laptop a year, so get whatever OS it comes with.
Anyway I'd been through the non-automatic installation, and unticked almost all the telemetery stuff, although I may have left the security/virus reporting stuff on.
MS had interpreted that decision as "Enhanced" in this new (if it is new) menu. And I was given a choice of basic, enhanced or full (recommended).
"we take steps to avoid gathering any information that directly identifies a company or user, such as name, email address, or account ID,"
"Take steps"!? So they can still work it out then?
I *really* don't like this; there's just too much leeway for them to be able to do/get whatever they want.
Linux all the way now I'm afraid...
Fair enough, though there are a couple of things to take into account here.
The first is that nobody is forcing you to change to Windows 10 besides Microsoft, and there are measures that you can implement to kill that nonsense off. Microsoft are still supposed to stick to their published extended support for Windows 7 and, if you really want, its current support of Windows 8.1 for some years yet.
The second, chances are that the machine you are working on, if it was built with Windows 7, will be well past its prime by the time Microsoft ends support for it.
So if you really don't want to use W10, Linux is only one of a few ways out of the situation. If you have W7 or W8.1 and it does what you want it to do, then why change now?
For personal machines, if M$ decided to release a stripped down version of their OS just supportign DX<x> so people could run it for games, I might be tempted.
If not, I'll just bite the bullet and only play games that can be played on Linux*
*Don't talk to me about WINE. It's like black magic getting some games to work, and then I can't work out what I did to sort it out :(
"nobody is forcing you to change to Windows 10 besides Microsoft"
They're only the company people whose products are used the most at work and home...
No real biggie there then.
"there are measures that you can implement to kill that nonsense off"
But you shouldn't need to, that's the whole point. Sure *I* can implement these measures, but the average person isn't going to know any better.
"Microsoft are still supposed to stick to their published extended support for Windows 7..."
A lot of people have had this "OS" practically force itself onto their systems. So even if they did try to stay with Windows 7, they would need to know what they were doing (see "average person" comment above) in order to avoid it installing automatically.
"If you have W7 or W8.1 and it does what you want it to do, then why change now?"
Oh I'm not, believe me :)
You say that like its no big deal that they are trying to force/trick people into upgrading 7 & 8 to 10. Microsoft has added opt-out full data collection as part of the bargain, which you can't even fully opt out of. If the US had any decent laws that sort of thing should be illegal. I don't see how it isn't illegal in the EU under their data protection laws, but they move so slowly it will probably get raised as a case in 2019 when it is far too late.
Since Windows 7 goes out of support in 2020 and Windows 8 was never fit for purpose, anyone who has to use Windows will be forced to upgrade in 4 years. I only use my Windows 7 VM for iTunes and to run the software that interfaces with the OBD-II port in my car, so I will probably keep using Windows 7 forever and not worry when Microsoft stops the security patches.
"nobody is forcing you to change to Windows 10 besides Microsoft"
They're only the company people whose products are used the most at work and home...
No real biggie there then.
I'd change just the one part of that statement. They're the only company people think can be used to run their products. As I've mentioned in the past, while software lock-in can be a problem, in some cases the lock-in is only force of habit.
"there are measures that you can implement to kill that nonsense off"
But you shouldn't need to, that's the whole point. Sure *I* can implement these measures, but the average person isn't going to know any better.
No, you shouldn't need to. Don't belittle the "average person" though as they will often be the first to gripe when X has moved or Y doesn't work the way it used to. Then they take measures to correct that, which is where we come in!
"Microsoft are still supposed to stick to their published extended support for Windows 7..."
A lot of people have had this "OS" practically force itself onto their systems. So even if they did try to stay with Windows 7, they would need to know what they were doing (see "average person" comment above) in order to avoid it installing automatically.
Maybe, maybe not. See my note above about your note.
"If you have W7 or W8.1 and it does what you want it to do, then why change now?"
Oh I'm not, believe me :)
Fair enough. Nor am I. :)
"while software lock-in can be a problem, in some cases the lock-in is only force of habit"
Agreed, although again, the average person generally isn't going to be the one that breaks that habit.
"Don't belittle the "average person" though as they will often be the first to gripe when X has moved or Y doesn't work the way it used to."
The average person isn't to blame or belittle for this. MS are.
"Then they take measures to correct that, which is where we come in!"
First, they have to know it's a problem (most won't), then there's the fact that a lot of us don't *want* the extra work!
Microsofts' Facebook-like "arsing-about" with privacy shouldn't be something that we have to deal with!
There's enough to do with hunting down drivers (which the Win10 updates are terrible at finding btw - another gripe), general software/hardware errors/maintenance etc. Adding the joy of ensuring a customer/friend/family members' privacy isn't being violated too is something that just shouldn't need to be done.
They are causing all of this, why can't they fix it?
"Maybe, maybe not. See my note above about your note."
Hah! well if you'll refer to appendix A, you'll find something in sub-section B that will clearly disprove your argument. (Sorry, it's been a very long day.)
"Then they take measures to correct that, which is where we come in!"
First, they have to know it's a problem (most won't), then there's the fact that a lot of us don't *want* the extra work!
Nobody wants extra work. But then I believe that's where we certainly agree in that MS are the root cause of this whole problem.
Microsofts' Facebook-like "arsing-about" with privacy shouldn't be something that we have to deal with!
There's enough to do with hunting down drivers (which the Win10 updates are terrible at finding btw - another gripe), general software/hardware errors/maintenance etc. Adding the joy of ensuring a customer/friend/family members' privacy isn't being violated too is something that just shouldn't need to be done.
They are causing all of this, why can't they fix it?
Because they probably believe that there is more in it for them by sticking to this, especially now the deed is done. That and the age old problem with Microsoft; they don't like to admit they are wrong.
"Maybe, maybe not. See my note above about your note."
Hah! well if you'll refer to appendix A, you'll find something in sub-section B that will clearly disprove your argument. (Sorry, it's been a very long day.)
Heh! We've all been there! :)
Sorry guys, Windows 10 isn't yours. It's being leant to you for free (for now). At what stage did you think you had the right to prevent this 'telemetry' stuff from happening?
This is one of the things that annoys me so much about W10 - if the product had been managed 'better' people would be falling over themselves to use it (it certainly seems to perform well - from what I've read).
C'est la vie...
You could always set up your router to block outbound connections to MS IP's. You'd need to keep it up to date and keep an eye on it, it also might mean your machine goes on a go-slow if it's timing out loads of connections.
But not from the thought of my privacy being violated by Microsoft. What is concerning here is that IT needs to give a serious thought to what their employees are using in terms which version of Windows they are running (remember, telemetry hooks exist in 7 & 8 unless blocked) and which specific variant (Home, Enterprise,...). Especially the variant. Get together with Legal and make sure both of you are thrashing out the possible sharp-edges here.
Not good. Not that Windows 10 will ever be seen on any bare metal that I own. Hannibal the Cannibal grade muzzled Virtual Machines? Yeah.
Appeasing GUI but, lacks the security with it's hybrid coding according to this article.
http://www.infoworld.com/article/3036600/linux/is-linux-mint-a-crude-hack-of-existing-debian-based-distributions.html
Far safer checking with SHA256 than MD5
(Day in a life lyrics spring to mind but not in Blackburn, Lancashire..)
I don't see why people can't just use the original Ubuntu. If you don't like Unity, don't use the main Distro. There is also Kubuntu (KDE), Xubuntu (XFCE), and a bunch of other varieties. They now even have version that has MATE as the default desktop.
I prefer a Mac/Hackintosh myself cause I consider Linux to still be way too unpolished for my desktop uses, but for people who arn't as fussy as me, ?buntu is perfectly good.
Of course they don't dare to collect much data on businesses or schools PCs, because the following lawsuits could become both costly and very bad PR. Consumer customers can be screwed at will. Nodbody at Nadella's premises thought that home PCs are used by children as well, just like the schools ones?
I would have no problem to turn on crash inspection tools when - and only when - needed and send a report to MS - as long as it doesn let me inspect what it sends, and doesn't attempt to send anything outside the crash perimeter. When repeating a crash, I can be careful not to open other applications that could leave in memory sensitive data. And I may ensure other sensitive data are cleared before. If it is always on, and it does send it automatically without my approval, it can send sensitive data - and in some jurisdiction, it can also break the law.
MS is just making clear Windows 10 is a dangerous operating system when it comes to your privacy. And the level of telemetry looks to go far beyond the crash inspection data - it looks a full user profiling to understand what it uses, when and how. Even if no error occurs.
If I read this correctly, Microsoft acknowleges that it isn't necessarily to collect some information by allowing the "security" level but doesn't make that level available to home users.
So home consumers are denied the right data collection to be limited to that necessary.
"Here come the Belgians", they seem to have a fit-for-purpose data protection department.
If it is for NSA surveillance all of it, if it is for what it says very little.
My argument would be if you don't trust MS to honour your privacy with Windows 10, why would you trust them with Windows 8, 7 or even Vista?
I am using Windows 10, I like it, but I don't download pirate movies or use pirate software.
I think part of the point is that no Corporation should be allowed to gather information about you, me or anyone else in this method. Aside from from the legal privacy problems this doubtlessly creates for Lawyers, Medical Professionals, Accountants, Engineers and private Businesses. Remember there are many private businesses that are not big enough to justify buying WSUS. Then, of course, there is the average home user who still probably doesn't have a clue about this issue, but is still deserving of the normal privacy that they should expect without having to jump through any hoops to attain what should be a normal level of privacy.
As much as I will be turning my win 10 to basic when I actually install it, how bad is it really? I mean we all panic and go off on one but surely people aren't in the banana boat of 'Google don't do this' or any other 'inserttechcompanyherethatprovidefreestuff'. Microsoft aren't interested in you as an individual. Like all other companies, they want the big data.
I admit that they could be a bit...a lot more clear about this, but they know it'll scare people off and everyone would have a massive over reaction to it. We still have a reaction, but at least it isn't in the public eye so MS have scored a win on this one.
Everyone's shown perfectly willing to accept this on phones and tablets. And even TVs and internet of insecure stuff... stuff. So I guess it's just the future.
To be fair to MS, they're also being expected to provide similar reliability to tablets where the hardware and software are much more controlled - so I guess it's no surprise they've tried this on.
I wonder what the diagnostic info is like on Macs nowadays? Given that Apple have total control of iPads and iPhones to collect to their hearts' content.
Also, given normal consumers appalling attitude to security, I'm sort of tempted to say that this improves the privacy for them. In that sure it opens them more to MS, but it protects them more as a herd too, against security threats that might hit them later - as MS are now much more likely to catch and patch them.
I'm amazed they've allowed themselves permission to operate tools (even the limited subset of OS tools they say). I can't see how that's legal, given that they've sought absolutely no permissions whatsoever. And no, the ticked by default request for diagnostic info definitely doesn't count as permission to actively run a piece of software on the computer. Particularly given how sensitive everyone's been when they've been trying to take down botnets, and I don't believe anyone has yet tried to clean up the affected PCs remotely.
"Normal events are not uploaded on metered networks. On a free network, normal events can be uploaded every 4 hours if on battery, or every 15 minutes if on A/C power. Diagnostic and crash data are only uploaded on A/C power and free networks."
Change your network settings to metered and the power source to battery. That'll stop 'em dead, right?
But how do they determine "metered"? If my ISP charges per byte between my router and 'net, how (or why) would this necessarily manifest on some hypothetical W10 machine talking (only) via the router?
Does "metered" really mean "mobile/data"?
too easy with Enterprise version.
It's just an ISO file and likely can be downloaded straight from MS (without much trouble). It'll install. It'll run. It'll just keep remind at logon to activate it, but you can ignore it. It's beta after all and you just keep testing it. I've had 8.1E running like this for ~2 years. 10E is past 6 months mark on another test box. Fire, use, shut down. Running on "metered connection" so possibly not getting updates (but not leaking my limited usage data either). I'd not pay MS for this system - it's just not worth it. Nothing on it out of the box (not that I planned to sign in with MS account just to get "good stuff"). Actually not using any of MS services is another common sense step in keeping your stuff private from MS. If anything at least it'll fragment your data across different services and make bid data work harder to make any sense out of it.
Go google
Windows 10 telemetry blocker
There are a number of results that will show you just how many IP addesses that your W10 installe wants to talk to even if you have set the Telemetry to OFF.,
Barstewards
Oh, and a report on /. yesterday seemed to indicate that the latest set of updates wlaks all over your user settings when it comes to default Browser and email client.
They really must be getting desperate for your data.
{Posted from a windows 10 free Environment}
>Sensitive info is stored in a separate data store that’s locked down to a small subset of Microsoft employees in the Windows Devices Group. The privacy governance team permits access only to people with a valid business justification
Is the NSA a business?
Who vetted the "subset of Microsoft employees"?
Who is the privacy governance team and who vetted them?
> Who vetted the "subset of Microsoft employees"?
> Who is the privacy governance team and who vetted them?
Hey, I work in that part of the IT industry (not for Microsoft). I'm what's called an "external auditor". So, to answer your questions...
The Microsoft executive team should have created a policy specific for the subset of Microsoft employees. the policy should cover, at a minimum, what roles within the organization constitute that subset, and some form of vetting. Vetting would generally involve the sort of background check one expects when one applies for any IT job and possibly a few more. Background checks, such as verifying references, employment history, financial/credit checks, and criminal background checks, are generally the ones used. Most companies only do this as part of the hiring process, although a few industries (such as audit and finance) perform these checks periodically on existing staff (generally annually).
The privacy and governance team are most likely responsible for monitoring the systems and activity to ensure that it follows Microsoft's policy regarding this data. Similar to an audit but generally less intrusive and more cooperative with the people who actually have access to the data. In a large organization, like Microsoft, the governance team is usually in a separate reporting structure from the teams that they monitoring (often reporting up to a CTO or even the CEO directly).
Un-used, idle Windows 7 with all new telemetry talks back 4 times per hour.
NOT F**** ACCEPTABLE!
Snort Logs following some of the vortex and settings IPs
Date Pri Proto Class Source SPort Destination DPort SID Description
02/24/16
10:41:45 2 TCP Potentially Bad Traffic 10.10.3.1 5969 191.232.139.253 443 136:1 . (spp_reputation) packets blacklisted
02/24/16
10:41:42 2 TCP Potentially Bad Traffic 10.10.3.1 5968 191.232.139.254 443 136:1 . (spp_reputation) packets blacklisted
02/24/16
10:11:39 2 TCP Potentially Bad Traffic 10.10.3.1 5964 191.232.139.253 443 136:1 . (spp_reputation) packets blacklisted
02/24/16
10:11:36 2 TCP Potentially Bad Traffic 10.10.3.1 5963 191.232.139.254 443 136:1 . (spp_reputation) packets blacklisted
02/24/16
09:26:44 2 TCP Potentially Bad Traffic 10.10.3.1 5934 191.232.139.253 443 136:1 . (spp_reputation) packets blacklisted
02/24/16
09:26:41 2 TCP Potentially Bad Traffic 10.10.3.1 5933 65.55.44.109 443 136:1 . (spp_reputation) packets blacklisted
02/24/16
08:41:43 2 TCP Potentially Bad Traffic 10.10.3.1 5674 191.232.139.253 443 136:1 . (spp_reputation) packets blacklisted
02/24/16
08:41:41 2 TCP Potentially Bad Traffic 10.10.3.1 5673 191.232.139.254 443 136:1 . (spp_reputation) packets blacklisted
02/24/16
08:11:43 2 TCP Potentially Bad Traffic 10.10.3.1 5634 191.232.139.253 443 136:1 . (spp_reputation) packets blacklisted
SNIP
02:11:37 2 TCP Potentially Bad Traffic 10.10.3.1 5471 65.55.44.109 443 136:1 . (spp_reputation) packets blacklisted
02/24/16
01:41:34 2 TCP Potentially Bad Traffic 10.10.3.1 5280 191.232.139.253 443 136:1 . (spp_reputation) packets blacklisted
02/24/16
01:41:32 2 TCP Potentially Bad Traffic 10.10.3.1 5279 191.232.139.254 443 136:1 . (spp_reputation) packets blacklisted
02/24/16
00:56:39 2 TCP Potentially Bad Traffic 10.10.3.1 5209 191.232.139.253 443 136:1 . (spp_reputation) packets blacklisted
It is naive in the extreme to think that mobile comms with computational power that smartphones have are not going to do lots of data analyzing and report that to base camp. But where is that base camp, who does it belong to and are there other wannabe, dodgy, improper, wstinking wrotten wrats basecamps huh?
But that could be in the users favor?
For example will the Happle, Ms or Big G let someone else slurp their (as in T-H-E-I-R) data for free?
Uh-huh - once those analytics have become proprietary someone needs to look after their interest no?
(Just trying to look at data slurping positively that's all)
I hope the EU or the like step in like they did with IE and Media Player and force MS to deliver WIndows 10 TF (Telemetry Free), because it looks it's capable of breaking a lot of EU privacy laws by collecting data it is not allowed to.
But I'm afraid that's just a dream...
For some folks, still stuck with a low bandwidth connection (e.g. dial-up, cellular, or even 2400 bps Iridium) to the 'net, the crashes are probably caused by their connection being completely plugged up with all this 'telemetry' data.
Does setting a 'Metered Connection' flag automatically turn off all this rubbish?
It really should be fully integrated in the OS. Set one (for example) 'Dial-Up (56kbps) Connection' flag, and the OS should configure itself and installed apps to minimize traffic.
It should have been implemented decades ago.
Not siding with, just pointing out, this is nothing new. And not just Microsoft, but pretty much everyone and everything. I know I can point to several devices around my home and work, along with tons of programs and apps that are excellent products but send data back to somewhere for whatever reason, or have options to deselect such intrusion, opting out, and even then by monitoring network traffic, you can still see these things doing.....something that makes me wonder, hell, the opt out really do anything? Makes me want to crawl the internet and read the fine print.
And with Windows I feel people are sounding this warning, pointing, screaming "look! It's horrible what they are doing!" While at the same time using their phones and apps and having no option or concern for what data is being sent back.
"And with Windows I feel people are sounding this warning, pointing, screaming "look! It's horrible what they are doing!" While at the same time using their phones and apps and having no option or concern for what data is being sent back."
The difference is, most of those other companies (Google included) are willing to disclose what they do with the information.
MS has and is still playing coy. Not only that, but let's bring up the giant elephant in the room, which is the Windows Update sneakiness they're trying to pull on anyone with 7 or 8/8.1 into updating to 10....so, trust in MS is in the toilet. They say what they do, but they've already been proven untrustworthy, so why believe what they say? The bigger issue is what they're NOT saying.
Two wrongs don't make a right. You also (most likely) have less personally identifiable information on a mobile device than you do on a personal computer. I couldn't care less if Google wants to crawl my email for a small one line text based ad, but I sure the hell don't want MS cataloging the files on my computer including tax forms with social security numbers. Hands off my computer. Google has access to what I allow them to have access to; MS wants access to everything on my computer. No.
Step 1: Install Windows 7
Step 2: Disable telemetry updates
Step 3: Enjoy!
Alternative --
Step 1: Install Windows 8.1
Step 2: Install Classic Shell
Step 3: Disable telemetry updates
Step 4: Enjoy!
Another Alternative --
Step 1: Purchase Mac
Step 2: Enjoy!
Another Alternative --
Step 1: Download a Linux distro
Step 2: Install that Linux distro
Step 3: Enjoy!
"Step 1: Install Windows 7"
Good luck with that. I did a fresh install of Windows 7 from DVD last weekend, for a family member. The last stage of the install is an unattended compulsory Windows Update. When this finished there was a reboot and TADA! Windows 10 was installed. At no point was I asked if that was what I wanted. The version of Windows 7 I installed was paid for, so they downgraded to a free OS without asking.
There might be a rollback option to the Windows 7 that never showed its desktop. Also, I suppose I could reinstall after disabling the PCs network connection. In the end I ran out of time so all I could do was set the spy level to Basic and leave it.
I'm still W7 at home and the revelations about remote access to personal files in this article mean I will never go W10. It can only be a matter of time before this Microsoft Remote Access Trojan© gets hacked.
Whaat ?!! You did a Windows 7 installation while connected to the network ? Man, you like living dangerously, don't ever do that again. Always run the installation without network connection, configure update settings to your taste so you can be able to chose and only after that go get the updates. I've been doing this since I was a Windows XP user and it never failed me.
On my home network I have a lonely Windows 10 installation shackled inside a VM just to take a look at the beast, the rest is a mix of XP, 7, 8.1 and various Linux.
-- than you probably think.
I'm not minimizing Microsoft's expanding grasp on user data. I don't run Windows at home.
But I do run Intel's Management Engine. I have to. It's a chip-set embedded operating system that boots before my OS, boots before my BIOS, and has robust phone-home, encryption/decryption, and remote-control capabilities. It's outside my control, and outside the control of my OS. If it doesn't run, neither does my PC or my Macs, because it orchestrates CPU activity. Among other necessary tasks. (Not just Intel -- AMD has its own version of the ME.)
http://www.theregister.co.uk/2015/12/31/rutkowska_talks_on_intel_x86_security_issues/
And also see:
http://www.slideshare.net/codeblue_jp/igor-skochinsky-enpub
So yes, switch off MS telemetry. Wipe the hard drive and install Arch. Install Qubes. Install OpenBSD. You are still running hardware that can capture your encryption keys and phone home. At least, that seems to be part of its capabilities -- it's closed-source, proprietary code which is carefully guarded. See the slideshare above, esp slides 6, 7 and 8.
Regardless of Microsoft, we haven't "owned" our PCs for a decade or so.
*sigh* Not this canard again.
On all recent Intel PC systems, the ME is responsible for:
- monitoring fan speeds / voltages / temperatures
- running the secure enclave for SGX secure guard extensions
On vPro-branded systems ONLY, the ME runs a more complex firmware that includes a network stack.
Consumer, non-vPro PCs don't have a large enough SPI flash chip to run this firmware - that's one small reason why vPro systems are more expensive, the extra $0.02 or whatever for the larger flash chip, multiplied by the system vendor's usual mark-up. The network stack also relies on the presence of a specific Intel ethernet controller and/or a specific Intel Centrino WiFi card - again, most consumer systems don't use Intel networking parts, and certainly wouldn't use the more-expensive vPro ones for no benefit.
So unless your system says "vPro" on it, nothing below applies:
Out of the box, the network stack ("Active Management Technology" or AMT) on the ME is disabled. Shut off. Inaccessible.
None of it can be used until the owner of the PC (either you, or in a corporate environment, your IT dept) has taken the action to "provision" the AMT capability and switch it on.
That involves: setting access credentials, configuring the IP address etc, and choosing the level of user notification.
Provisioning can only be done from the local PC via the BIOS, or across the LAN (not WAN) with appropriate certificate-based provisos (e.g, if the machine sending the provisioning info is on the kontoso.com domain, your machine must be too, and must have a cert from a recognized provider, valid for the *.kontoso.com domain, embedded in its BIOS at time of deployment).
TL;DR: Hackers from China or Fort Meade aren't going to remotely enable AMT without your knowledge.
Once the provisioning's done, then AMT gives you remote power-on/power-off capabilities, and a built in KVM redirection server (based on the VNC protocol with secure extensions).
If a KVM session is initiated, a great big flashing icon appears in the top-right corner of the screen the whole time, and the screen border changes to a yellow/red stripe pattern. You WILL be aware that the PC is being controlled.
There is so much security built into AMT that it's a PITA to provision and use it. I honestly sometimes wish that the security wasn't so robust - it'd make it a darn sight easier to deploy this stuff. AMT is very cool.
Short version: does your PC say "vPro" on it? Then yes, it has "robust [...] remote control capabilities". For the PC's owner, by their choice.
If not, it doesn't. It physically can't.
I've added what I think are the relevant spy domains, from the list in BlockWindows on Github, to my router's domain filter, because I don't trust any software solution on a Windows 10 machine to be 100%, including the hosts file.
#1. Any Windows UX / Spyware components uninstallable through Add / Remove programs?
#2. List of sneaky Scheduled Tasks to cripple (Home OS versions especially...)
#3. Likewise for sneaky Services (services.msc)...
#4. Sneaky IE / Edge Browser Add-ons (run w/o permission etc)?
#5. Sneaky Run / Runonce commands...
#6. Sneaky DLLHost spawned COM objects..
#7. Other Registry Key nasties not covered already above?
#8. New forms of app launching in Win10 not covered above... (Lenovo Superfish / Dell type stealth sneakiness (pre-OS / UEFI / BIOS etc)?
#9. Which subsystems do we need to run a Win2000 emergency repair disk on and force kill: c:\%windows%\system32\*.dll %windows%\system32\*.exe
#10. Disable search indexing of files? Firewall: Can we still block all inbound / outbound traffic unless a rule is explicitly created by the user in WF.msc, or only trust 3rd party Firewalls?
As an example, Microsoft knowing the total number of Firefox / Google Chrome installations across Windows 10, or seeing a App/Program has become / is rapidly becoming popular, means Microsoft can target resources at those areas, develop their own competiting Apps/Software 'anti-competitively' using this insider knowledge/Telemetry data much quicker, it's therefore Anti-competitive.
You see it with the default Application behaviour, an extra step has been put in place, when an Application like Firefox asks if you want to set it as Default, this instead opens a panel, where you then have to explicity change the default Edge to Firefox. Its all designed so the average user doesn't switch away from the default MS Applications.
In fairness, Google Privacy checkup, for the web makes it as difficullt as possible to opt-out of Google's data collection across Search,Advertising,Youtube. Its confusing, far too many steps involved and truely, designed to obfuscate. Clear your cookies/advertising id- you're completely opted-in again. They really don't want you to opt-out.
I think a lot of people seem to forget that Microsoft have been collecting and using telemetry data since at least Windows Vista, this is nothing new here.
Organisations have always had the option to disable this via Group Policy and with Windows 10 consumers can rightly turn these options off from the get go.
This is just another case of the tech journalists blowing things out of proportion again without properly doing their research first.
FYI 1511 is the version number of the Windows 10 November update not the build number. 10586 is the build number.
"collecting and using telemetry data since at least Windows Vista"
and enabling remote access by default, and scraping up any and all of your documents 'just in case' they might have a bearing on a bug?
"This is just another case of the tech journalists blowing things out of proportion"
What, exactly, would you consider proportionate? Perhaps you don't just leave your front door open when you go out, but actively distribute leaflets with your address, vehicle access and a list of goods not already stolen.
I doubt you do, so why wouldn't you consider the equivalent for your PC an issue worthy of being reported?
"I think a lot of people seem to forget that Microsoft have been collecting and using telemetry data since at least Windows Vista, this is nothing new here."
Except it was opt-IN and not a requirement of using the OS.
You can also refuse to install the updates that add or modify CEIP and Telemetry in Vista-8.1 as well.
Big difference.
Yep. And what's to stop them pushing update in the future to add new servers etc, meaning that (potentially) constant monitoring and router rules change is necessary if you're at all creeped out by Win 10.
Is all rather too much effort for me, and so after 18 odd years, I am shifting to Linux.
Microsoft has had its sticky fingers in RedHat for quite a while now, and the practices of said Beast seem to have filtered through already.
For example, have you noticed the concerted groan that goes up every time systemd is mentioned? Guess who is pushing that particular bit of crap?
It's possibly the only reason why I might consider replacing openSUSE with Mint, though Mint hasn't ruled out using systemd in the future so I'm holding my horses and trying a few options in the meantime.
Oh yes, and talking of systemd and pulseaudio.... F*** POETERRING!!!
Just how much did Microsoft pay El Reg to write this article? The privacy concerns of Windows 10 are so watered down it is absurd.
Windows 10, even in basic mode IS spying. Don't believe me: go do a search about how much the FBI and CIA love the metadata of internet traffic. And what you bothered to list in this joke of an article goes way beyond what is available from metadata of Internet traffic.
After Bill Gates' anti-Apple rant where he states that Microsoft complies with government requests for software back doors without hesitation, I'm just done trusting Microsoft. The Windows 10 push has been going on for 7 months and it's far from a success. Windows 7, as a PAID upgrade, was a success. For a free upgrade, it is doing marginally better than Windows 7. As several news articles have said, it is a hollow, forced victory, and I can't believe anyone honestly trusts them unless they are Windows fanboys. Microsoft has repeatedly shown that what they say and what they do are quite different things, and I'm certain that dichotomy extends to privacy policy, update descriptions, and telemetry collection.
Couldn't you just set up the hosts file so that MS telemetry ends up @ 127.0.0.1? At least most of the time?
Or does that interfere with checking that you have a valid license and therefore lock you out somehow? Still, I assume Windows 10 doesn't stop working when it's disconnected.
You know, you could almost tolerate this crap if they actually acted usefully on the info. Such as:
1. allowing users to get rid of ribbons everywhere, if so desired. don't need no telemetry to tell them how many of us dislike ribbons.
2. getting rid of Windows 8 style system settings dialog.
3. etc..., etc...
As it is, it seems like a lot of spying without much user benefit. And I really wonder why MS picked another fight with its user base.
From Microsoft phone me up to fix stuff for me. Apparently my computer was reporting all sorts of stuff back to base and they were really sorry about that. Having gone through Windows R we had to use SupremoControl, which I was informed was Microsofts free version of something that sorts stuff out. Then some kind bloke called LogMeIn paid a visit and installed Chrome for me so I suppose Microsoft and Google must be mates. Anyway, long story short, once everything was fixed I filled out my details on a Microsoft provided form and was told the £49 fix it fee would be waived and I would be credited with £690 for all the stress they had caused me. They sorted that one out through Microsoft's preferred banking service, Western Union, and were even kind enough to set up the account for me so they could transfer the money. I am presently talking to my bank about how they should be using Western Union because my banks rubbish software appears to have taken £800 out of my account rather than crediting it and my computer does not really work properly any more ever since I visited their online banking service. Anyway, at least my computer is not reporting much if anything back to Microsoft because my mates from India have not phoned back to say so so everything must be cool... RESULT!!1!!
> they can request extra data from your machine, which Windows 10 will hand over under remote control
I would be interested to know how they do that. I have several computers here (none are Windows) behind my router which has a fixed IP. The only way to access a specific machine from outside is via the 'virtual servers' that I have set up: port 80 and 443 go to my web server; port [redacted] goes to sshd on another machine, and that is it. So no one could connect to this machine at all. And that is with a fixed IP, many computers wind up with varying IP addresses that change when they reconnect to their ISP.
It must be that the Windows 10 machines connect to MS at regular intervals to receive instructions, such as 'send me your documents'. How hard would it be for a blackhat to intercept that connection and send their own request for private data?
I'm not sure what they mean by 'remote control' but in principle there will already be a TCP connection from your PC to them so they can potentially do what they want with it. Your setup stops external TCP sessions being initiated but can't protect you from sessions initiated from your machine. You would need to block all of the outgoing 'telemetry' traffic at your router to stop internally initiated sessions.
What they can actually do depends on the 'telemetry' system that is installed, which can in turn be updated at will.
What could possibly go wrong with that?
I mean, why bother setting anything by hand. Just go and download O&O ShutUp 10 , and additionally to prevent Windows from "forgetting" your settings install Spybot Anti-Beacon.
Or one could just not use Windows 10 at all (there are reasons why one might want to - but then see above)
Microsoft has a lot of problems with WIN10 not the least of which is security, privacy and functionality issues. Their latest issue if you didn't notice the trial balloon launched last month is that MS has decided it will NOT support new CPUs from Intel, AMD and Qualcomm that are being released this year and next so use on Win 7-8 even though these versions of Windows are fully capable of running the new processors. MS has decreed that the world must upgrade to WIN10 or you will not be able to use any new processors on Windows at all.
Seeing as though consumers and enterprise has very valid reasons for not upgrading to WIN10, such as security, privacy, functionality, etc. I see this deal headed for a Federal court system in the U.S. and national courts in countries around the world. I wonder if the EU beaks have seen the trial balloon that MS posted last month on the mandatory upgrade of all Win 7-8 users to WIN10? I hope the EU is not going to allow this unilateral and arbitrary decision by MS to shut out 90% of the world that uses Windows for work or personal use.
Who cares, other than paranoid commercial environments that must have the latest and greatest hardware / os and slavishly install all patches because microslop say they need them ?. Once you get a system installed and stable, there's a good argument for locking it down frozen at that spec for good... As for performance, there really has been little advancement in processor performance over what is actually needed in years and most users would be quite happy with 5 year old or even older hardware to run their os and apps.
None of the hardware here is less than that in age and we are using 7 and even Xp for some work. All updates are switched off after install of the initial service packs and all machines are running only the services that are required to actually get the job done Windows is actually pretty good stripped down to essentials and we haven't had any malware probles for as long as I can remember..
Why does anyone need windows 10, when erlier versions are quite capable of running all the usual apps and will do for the forseable future ?...
Don't worry, some of the next update will remove/disable all the known anti-spyware software. MS controls the OS, so as along as you use Windows 10 it has the advantage. And as long as you use Windows 10 because it's free, you're telling MS it did the right thing - sooner or later you will be defeated and all these untilities will be rendered useless.
Only if MS understand Windows 10 becomes a failure because of its spyware capabilities, there's a chance they will be removed (unless one day some privacy enforcing agency awakes and tell MS to stop it if it wants to sell Windows 10 legally...)
You have to remembe that, regardless of Microsoft's stated intent and regardless of the setting you choose, undepinning this is the fact that all USA companies which deal with customer data are outsourced branches of the NSA, who can plunder anything these companies are able to collect.
In addition, the idea that NSA will IN ANY WAY respect the mere software privacy settings of your operating system ("Oh no, they put the security on 'basic' - we can't peer through their documents now!") belongs to a pre-Snowden age (otherwise known as the fool's paradise).
Windows 10 appears to be insecure by design.
Trust a company that doesn't disclose or even admit that Windows 10 is sending information back to Microsoft for months after release? SERIOUSLY!! Trust Microsoft after the malware style upgrade campaign used to for Windows 10? WHAT THE....?!
Leasing their software should not by any law allow Microsoft the kind and breadth of access to private data that Windows 10 EULA and privacy agreement allows. The software (Windows 10) is owned by Microsoft, the hardware running the software and the information stored on that hardware is NOT.
I suspect diagtrack and the bypassing of the host file is only the tip of the iceberg to the extent that Microsoft has backdoor-ed Windows 10. Given the breadth of access they give themselves in the EULA and privacy agreement, there are other undocumented subverted system processes running in Windows 10.
To be fair though, it isn't just Windows 10 spying on customers. Nvidia geforce graphics drivers send telemetry back to Nvidia. This can be disabled using the autoruns program from Microsoft.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
