
Updates Make Windows 7 and 8 Spy on You Like Windows 10 - Sami_Lehtinen
http://www.hakspek.com/security/updates-make-windows-7-and-8-spy-on-you-like-windows-10/
======
jsingleton
Site seems overloaded.

Here are the KB links from an earlier discussion
([https://news.ycombinator.com/item?id=10110316](https://news.ycombinator.com/item?id=10110316)).
Thanks vetinari.

[https://support.microsoft.com/en-gb/kb/3068708](https://support.microsoft.com/en-gb/kb/3068708)

[https://support.microsoft.com/en-gb/kb/3075249](https://support.microsoft.com/en-gb/kb/3075249)

[https://support.microsoft.com/en-gb/kb/3080149](https://support.microsoft.com/en-gb/kb/3080149)

Also found:

[https://support.microsoft.com/en-gb/kb/2976978](https://support.microsoft.com/en-gb/kb/2976978)

~~~
0x0
The list of files modified (to add telemetry hooks?) in kb 3080149 is crazy.
NTOSKrnl, NtDll, Lsass, winload.exe etc... Are they really adding
spyware/telemetry hooks all the way down to the kernel? What happens next time
there's a security patch for the kernel, do we get an ntoskrnl with all these
"optional updates" included as well?
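
Added example, not code from the thread or from Microsoft: the list of files a KB replaces can be read off the package itself rather than the KB page. The script below expands a downloaded .msu with expand.exe and reports every executable it carries with file version, Authenticode status and SHA-256, next to the version of the same-named file in System32, so the kernel-level components mentioned above can be checked and, if wanted, pulled out for a bindiff against the live copies. The path in $MsuPath is a placeholder and an assumption of the example; the package has to be downloaded from the KB page first.

```powershell
# Added example: list the binaries carried by a downloaded update package (.msu), with
# version, signature status and SHA-256, so the "files modified" list for a KB can be
# checked against the package itself and against the files currently on disk.
# Assumption: the .msu was downloaded from the KB page to the path in $MsuPath
# (placeholder path; adjust to wherever the package was saved).
param(
    [string]$MsuPath = 'C:\updates\KB3080149.msu'
)

if (-not (Test-Path $MsuPath)) { throw "package not found: $MsuPath" }

$work = Join-Path $env:TEMP ('msu_' + [IO.Path]::GetFileNameWithoutExtension($MsuPath))
New-Item -ItemType Directory -Force -Path $work | Out-Null

# An .msu is a cabinet: expand.exe yields the payload .cab, WSUSSCAN.cab and an XML manifest.
& expand.exe -F:* $MsuPath $work | Out-Null

# Expand each payload cab into its own folder; the component folders inside hold the binaries.
Get-ChildItem $work -Filter *.cab | Where-Object { $_.Name -ne 'WSUSSCAN.cab' } | ForEach-Object {
    $dest = Join-Path $work $_.BaseName
    New-Item -ItemType Directory -Force -Path $dest | Out-Null
    & expand.exe -F:* $_.FullName $dest | Out-Null
}

# SHA-256 through .NET so this also runs on the PowerShell 2.0 that ships with Windows 7.
$sha = [System.Security.Cryptography.SHA256]::Create()
function Get-Sha256Hex([string]$path) {
    $stream = [IO.File]::OpenRead($path)
    try { ([BitConverter]::ToString($sha.ComputeHash($stream))).Replace('-', '') }
    finally { $stream.Close() }
}

$report = Get-ChildItem $work -Recurse |
    Where-Object { -not $_.PSIsContainer -and $_.Extension -match '^\.(exe|dll|sys)$' } |
    ForEach-Object {
        # Same-named file in System32, if any, so package and live versions can be compared.
        $live = Join-Path $env:SystemRoot ('System32\' + $_.Name)
        New-Object PSObject -Property @{
            File        = $_.Name
            Component   = $_.Directory.Name
            Version     = [Diagnostics.FileVersionInfo]::GetVersionInfo($_.FullName).FileVersion
            LiveVersion = $(if (Test-Path $live) { [Diagnostics.FileVersionInfo]::GetVersionInfo($live).FileVersion } else { '-' })
            Signed      = (Get-AuthenticodeSignature $_.FullName).Status
            Sha256      = Get-Sha256Hex $_.FullName
        }
    }

$report | Sort-Object File | Format-Table File, Version, LiveVersion, Signed, Sha256 -AutoSize
```

expand.exe is used rather than a cabinet library because it ships with every Windows version under discussion; a package whose Component column names kernel or logon binaries is the case 0x0 describes, and the extracted copies under $work are what you would feed to a differ.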

~~~
acqq
I remember, some months ago, when they only claimed to fix something minor
(like something that's not even an executable but some text-based or at least
data file) in the patch, and the list also included a huge number of files
including cryptwhatever.dll (not the actual name). "Backdoor time," thought I.
As little as I checked, however, it didn't look like a real smoking gun then.

It seems to have somehow become common practice that for some time now their
updates aren't "hand picked" but generated by the computer without too much
human control, or the programmers don't have time, or simply nobody cares there
anymore.

I'd be glad if somebody would sensibly explain all that. Including these
recent "everything you type will be transferred" and "the list of all your
files will be made" claims.

~~~
0x0
It would be interesting to see what someone knowledgeable would report back on
by taking something like zynamics bindiff onto pre- and post this KB.

~~~
acqq
I've never seen the proof of the claims from the article discussed here three
days ago:

[https://news.ycombinator.com/item?id=10099180](https://news.ycombinator.com/item?id=10099180)

"Information transmitted: _All text typed on the keyboard_ is stored in
temporary files, and sent (once per 30 mins) to:
oca.telemetry.microsoft.com.nsatc.net pre.footprintpredict.com
reports.wes.df.telemetry.microsoft.com"

On another side, MSFT never issued the statement what they actually collect,
probably because their lawyers will need a month or two to clear that up.

If the quote is true, it's a real full-blown keylogger. It's hard to believe.
But there should be the pressure to find out the truth.

The worst thing is that it seems the users also don't care.

Do read kstrauser's top post in this discussion regarding automatic snooping
of kids and emailing the parents, implemented by MSFT in Windows 10.

[https://news.ycombinator.com/item?id=10111271](https://news.ycombinator.com/item?id=10111271)

He posted the snapshot later. Unbelievable. But it seems they really do this.
Built in spying, then sending reports by e-mail.

~~~
morganvachon
I've noticed recently that I'll get a weekly e-mail from Microsoft showing my
"week in review", with inline copies of photos I took with my phone and
uploaded to OneDrive (I have 1TB of space with OneDrive thanks to an O365
account). This just started a few weeks ago.

So, Microsoft is not only rifling through the contents of my OneDrive camera
roll, they are then transmitting the photos to my email unencrypted, without
ever asking me to opt in to this service. I used to praise Microsoft for being
opt-in as opposed to Google's opt-out; I guess that's all out the window now
(no pun intended).

I guess it's finally time to flip the switch on the OwnCloud account I've been
testing and drop OneDrive.

~~~
smeehee
This seems loosely equivalent to Google's account activity mail, but with
invade-by-default. I can see it being useful, though, despite the flaws which
you describe.

Also – potentially – incredibly dangerous, as other posters mention. I don't
think that we can have the possibility of one without the possibility of the
other here.

------
kstrauser
I submitted a story to Boing Boing (at
[http://boingboing.net/2015/08/10/windows-10.html](http://boingboing.net/2015/08/10/windows-10.html))
about the weird experience I had after upgrading my son's laptop from Windows
8.1 to 10. We did this on a Saturday, and Monday morning I had a "family
safety report" email from Microsoft detailing which websites he'd visited,
which apps he'd used (and for how long), etc. _since the upgrade_.

According to Microsoft's Family Safety FAQ
([https://account.microsoft.com/family/faq/](https://account.microsoft.com/family/faq/)):

> On Windows 10, you’ll need a Microsoft account in order to use Microsoft
> family whether you’re a part of a family as an adult or a child. When kids
> are added to a Microsoft family with a Microsoft account, any time they sign
> in to a Windows 10 device, their settings will be applied and their activity
> will be reported to the adults in their family. Adults can always turn off
> activity reporting or remove kids from the Microsoft family at
> account.microsoft.com/family.

By default, unless you log in and explicitly disable it, Windows 10 collects
kids' usage activity _and uploads it to Microsoft 's servers_. Presumably the
same mechanism is disabled for adults. Presumably.

I definitely didn't enable it, and I'm sure my son didn't check any "narc me
out to my parents" checkbox.

Edit: we already had a family account set up for our Xbox. I suspect that's
how Microsoft determined that the emails should go to me.

~~~
TazeTSchnitzel
Abusive parents are going to _love_ this.

(And that's terrifying.)

~~~
bargl
Also parents whose kids accidentally stumble upon a site for predators. It's a
tool that can be used for good or bad, but will depend on the parents.

~~~
kstrauser
That's true, but I can't justify this being enabled by default. As something
parents can turn on if they feel they need to, sure, but not like this.

------
jahewson
This looks like a deliberately misleading and overblown claim to me. Looking
at the knowledge base articles, we see that the diagnostics tracking service
is enabled _only_ for users _who already participate_ in the customer
experience program (a very clear option when setting up Windows for the first
time):

\- KB3080149: "The diagnostics tracking service collects diagnostics about
functional issues on Windows systems that participate in the Customer
Experience Improvement Program (CEIP)."

The second update is short on details, but it's specifically targeting the UAC
"Run as Administrator" dialog (which is implemented by consent.exe),
presumably to collect information on unsigned applications which request admin
privileges. Microsoft should provide further details here for sure, but I see
nothing nefarious. One might guess that the information collected here might
be the hash of the exe requesting admin privileges.

\- KB3075249: "This update adds telemetry points to the User Account Control
(UAC) feature to collect information on elevations that come from low
integrity levels."

Compare this with the ridiculous claim in the article that this is "allowing
for remote monitoring of everything that happens within the operating system."
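
The CEIP tie-in claimed above can be checked on the machine itself. Added example, not from any poster in this thread: the script reports the CEIPEnable registry values (the local setting and the policy override), whether the Diagnostics Tracking Service is present and how it starts, and the state of the CEIP scheduled tasks; with -Disable it opts out and stops or disables what it finds. The registry paths, the service name DiagTrack and the task names are the standard Windows 7/8.1 locations and are assumptions of the example, not something stated on this page.

```powershell
# Added example: report whether this machine is opted in to CEIP, whether the Diagnostics
# Tracking Service (service name DiagTrack) is present, and the state of the CEIP scheduled
# tasks; -Disable opts out and stops/disables what it finds.
# Assumptions: the CEIPEnable values and task paths below are the standard Windows 7/8.1
# locations; run from an elevated prompt for -Disable to take effect.
param([switch]$Disable)

$ceipKeys = @(
    'HKLM:\SOFTWARE\Microsoft\SQMClient\Windows',          # local opt-in state
    'HKLM:\SOFTWARE\Policies\Microsoft\SQMClient\Windows'  # policy override, wins if set
)
$tasks = @(
    '\Microsoft\Windows\Customer Experience Improvement Program\Consolidator',
    '\Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask',
    '\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip'
)

'== CEIP opt-in =='
foreach ($k in $ceipKeys) {
    $v = if (Test-Path $k) { (Get-ItemProperty $k -ErrorAction SilentlyContinue).CEIPEnable } else { $null }
    '{0,-60} CEIPEnable={1}' -f $k, $(if ($null -eq $v) { '(not set)' } else { $v })
    if ($Disable) {
        if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
        Set-ItemProperty -Path $k -Name CEIPEnable -Value 0 -Type DWord
    }
}

'== Diagnostics Tracking Service =='
$svc = Get-Service -Name DiagTrack -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    'DiagTrack: not installed'
} else {
    # Win32_Service carries the start mode; Get-Service alone does not expose it on PowerShell 2.0.
    $start = (Get-WmiObject Win32_Service -Filter "Name='DiagTrack'").StartMode
    'DiagTrack: {0}, start mode {1}' -f $svc.Status, $start
    if ($Disable) {
        Stop-Service DiagTrack -Force -ErrorAction SilentlyContinue
        Set-Service DiagTrack -StartupType Disabled
    }
}

'== CEIP scheduled tasks =='
foreach ($t in $tasks) {
    # schtasks.exe is used instead of Get-ScheduledTask so this also runs on Windows 7.
    $out = & schtasks.exe /Query /TN $t /FO LIST 2>$null
    if (-not $out) { '{0,-75} (absent)' -f $t; continue }
    $status = ($out | Where-Object { $_ -match '^Status:' }) -replace '^Status:\s*', ''
    '{0,-75} {1}' -f $t, $status
    if ($Disable) { & schtasks.exe /Change /TN $t /Disable | Out-Null }
}
```

A machine that shows CEIPEnable unset or 0 and no DiagTrack service is the "not participating" case the KB text describes; one that shows the service running with CEIPEnable=1 is the case in which the KB says diagnostics are collected.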

------
mintplant
Article text, since the site seems to be down:

 _Windows 10 has been launched and already installed on more than 50 million
computers worldwide. It is now a known fact that Windows 10 user data is being
sent back to Microsoft servers back in Redmond, Washington. Well, now new
updates that are being deployed to all Windows 7, 8 and 8.1 machines will turn
their computers into a big piece of spyware, just like their predecessor,
Windows 10._

 _The updates in question are KB3075249 and KB3080149. If installed, these
updates are known to report your data back to Microsoft servers, without user
interaction. KB3075249 Microsoft Update adds telemetry points to ‘consent.exe’
in Windows 7, 8 and 8.1, allowing for remote monitoring of everything that
happens within the operating system. KB3080149 ensures that all “down-level
devices” receive the same updates and treatment as Windows 10 boxes get._

 _As you would guess, forums are lit up with speculation on these updates and
more. Below you can find a list of other Windows updates that some users have
questioned. Please keep in mind, avoiding some or all of these updates may
cause your environment to be unstable and /or unsecure._

- _KB2505438_
- _KB2670838 – Windows 7 Only (corrupts AERO and blurry fonts on some websites)_
- _KB2952664_
- _KB2976978 – Windows 8 only_
- _KB3021917_
- _KB3035583_
- _KB3075249_

~~~
FilterSweep
Just the _name_ "consent.exe" itself sounds malicious (although it's been
around for a while).

~~~
acqq
"The consent.exe is a part of Windows operating system. It is part of the User
Account Control feature which allows or disallows access to administrative
functions based on your preference."

[http://answers.microsoft.com/en-us/windows/forum/windows_vista-security/consentexe-doesnt-render-processes-hang-waiting/5a69ebc9-dfa0-40fd-be61-0550a3090b03](http://answers.microsoft.com/en-us/windows/forum/windows_vista-security/consentexe-doesnt-render-processes-hang-waiting/5a69ebc9-dfa0-40fd-be61-0550a3090b03)

~~~
FilterSweep
It's also a process run whenever you install a new program!

It's the updates _to_ consent.exe (adding telemetry points) which are cited in
this thread that are the issue.

------
tinfoilman
Brilliant, 2 options I see:

Never do updates again (which is what I will be doing this evening) and make
the system permanently insecure.

Or let MS and the NSA rape me for even more data than they already have.

Go [insert abusive word] yourself Microsoft, and to think just last week I got
a 3rd Windows 7 license because I was planning to stay on 7 long term and not
upgrade to 10.

Steam hopefully will push Linux gaming so that I can finally get rid of this
crap.

~~~
ionised
If Steam OS becomes a viable desktop gaming OS that plays most, if not all
games, I'll drop Windows in a heartbeat.

~~~
sschueller
Steam is owned by Valve and Valve is a US company. Using Steam will not change
anything since it is the US laws allowing/requiring companies to comply with
the NSA.

~~~
ionised
The difference being that I want to use Windows only for games without all
this other cloud integration crap that comes with it.

Steam OS is a Linux-based OS designed primarily for gaming. Any and all cloud-
integration will be specifically gaming-focused.

Can you not see the difference between that and a general purpose OS like
Windows harvesting data on everything you do on your system?

I won't be using Steam OS to do anything very sensitive like sending or
receiving personal e-mails, editing word documents or spreadsheets, or
browsing the internet for whatever reason.

Unless you consider firing up a shooter or a city-building sim sensitive.

The two OSes have very different purposes and use-cases.

------
rbx
kb3075249 - "...adds telemetry points..." ([https://support.microsoft.com/en-us/kb/3075249](https://support.microsoft.com/en-us/kb/3075249))

kb3080149 - "...Telemetry tracking service..." ([https://support.microsoft.com/en-us/kb/3080149](https://support.microsoft.com/en-us/kb/3080149))

kb3068708 - "...Telemetry tracking service..." ([https://support.microsoft.com/en-us/kb/3068708](https://support.microsoft.com/en-us/kb/3068708))

kb2976978 - "...performs diagnostics on the Windows systems that participate in the Windows Customer Experience Improvement Program..." ([https://support.microsoft.com/en-us/kb/2976978](https://support.microsoft.com/en-us/kb/2976978))

kb3021917 - "...Telemetry is sent back to Microsoft..." ([https://support.microsoft.com/en-us/kb/3021917](https://support.microsoft.com/en-us/kb/3021917))

kb3035583 - "...installs the Get Windows 10 app..." ([https://support.microsoft.com/en-us/kb/3035583](https://support.microsoft.com/en-us/kb/3035583))

kb2952664 - "...ease the upgrade experience to the latest version of Windows..." ([https://support.microsoft.com/en-us/kb/2952664](https://support.microsoft.com/en-us/kb/2952664))

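Added example, not from the thread: a PowerShell script that turns the list above into a check. It reports which of these KBs Get-HotFix shows as installed, with -Uninstall removes the installed ones through wusa.exe (the same command mosselman's batch file uses further down), and with -Hide marks them hidden through the Windows Update Agent COM API so Windows Update does not offer them again. The one-line note next to each KB is the fragment rbx quotes from the KB page and is not verified here; the script assumes an elevated prompt and that Get-HotFix (Win32_QuickFixEngineering) lists MSU-installed updates on the machine.

```powershell
# Added example: report which of the KBs listed in this thread are installed; with
# -Uninstall remove them through wusa.exe, and with -Hide mark them hidden in Windows
# Update so they are not re-offered. Run from an elevated prompt.
# Assumptions: Get-HotFix (Win32_QuickFixEngineering) lists MSU-installed updates on this
# machine; the notes are the short KB-article quotes from the thread, not verified here.
param([switch]$Uninstall, [switch]$Hide)

$kbs = @{
    '3075249' = 'adds telemetry points to UAC'
    '3080149' = 'telemetry tracking service'
    '3068708' = 'telemetry tracking service'
    '2976978' = 'diagnostics for CEIP participants'
    '3021917' = 'telemetry is sent back to Microsoft'
    '3035583' = 'installs the Get Windows 10 app'
    '2952664' = 'ease the upgrade experience'
}

# Installed hotfix IDs come back as 'KBnnnnnnn'; keep only the digits for matching.
$installed = Get-HotFix | ForEach-Object { $_.HotFixID -replace '^KB', '' }

$results = @()
foreach ($kb in ($kbs.Keys | Sort-Object)) {
    $present = $installed -contains $kb
    $row = New-Object PSObject -Property @{ KB = "KB$kb"; Installed = $present; Note = $kbs[$kb]; Action = '' }
    if ($present -and $Uninstall) {
        # /quiet suppresses the per-update dialog; /norestart defers the reboot.
        # wusa returns 0 on success and 3010 when removal is done but a reboot is pending.
        $p = Start-Process -FilePath wusa.exe -ArgumentList "/uninstall /kb:$kb /quiet /norestart" -Wait -PassThru
        $row.Action = "wusa exit $($p.ExitCode)"
    }
    $results += $row
}
$results | Format-Table KB, Installed, Action, Note -AutoSize

if ($Hide) {
    # The Windows Update Agent COM API is the interface the Control Panel applet uses to
    # hide updates. Only not-yet-installed updates can be hidden, so run after -Uninstall.
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $pending  = $searcher.Search('IsInstalled=0 and IsHidden=0').Updates
    foreach ($u in $pending) {
        foreach ($id in $u.KBArticleIDs) {
            if ($kbs.ContainsKey([string]$id)) {
                $u.IsHidden = $true
                "hidden: KB$id  $($u.Title)"
            }
        }
    }
}
```

Hiding is what keeps the removal from being undone at the next automatic update cycle; uninstalling alone leaves the KB pending and, with automatic installation of recommended updates enabled, it comes straight back.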
------
inevitable2
Here is a more in-depth analysis of windows 10 and what is sent to MS

[http://aeronet.cz/news/analyza-windows-10-ve-svem-principu-jde-o-pouhy-terminal-na-sber-informaci-o-uzivateli-jeho-prstech-ocich-a-hlasu/](http://aeronet.cz/news/analyza-windows-10-ve-svem-principu-jde-o-pouhy-terminal-na-sber-informaci-o-uzivateli-jeho-prstech-ocich-a-hlasu/)

For those who don't speak Czech:

- It sends all text you type anywhere (not just into search) every 30 minutes to MS. If you type about a holiday to your blog, next day you'll see holiday ads.

- Every 30 minutes it sends your geo-location and network information.

- If you type a telephone number into Edge it sends it to MS after 5 minutes.

- If you type anywhere in Windows the name of some movie, Windows will start indexing all your media files after a while and will send it to MS after 30 minutes of your inactivity.

- After installing W10, it will send about 35MB of data once.

- After turning on your webcam for the first time it sends data to Microsoft once.

- Everything you say is transferred to MS; it works even if you disable and remove and uninstall Cortana. Parts of Cortana are needed for the core of the OS to run.

- Voice is transferred every 15 min, 80MB of data.

- After 15 minutes of your inactivity or when the screensaver is on, network activity ramps up and everything else is being sent to MS.

- Blocking in hosts doesn't work, IPs are hardcoded into their code and DLLs.

~~~
Achshar
Shit, that may just have changed my opinion on this. Is the first one really
correct? Anything we type on a PC anywhere? So if I open up tor and load a
site it's basically useless because any url I type in tor will go to ms
anyways? WTF? Each and every one of those is completely unacceptable.

Anyone know about any good unix distros that wont be too much of a culture
shock to someone who has used windows his entire life?

~~~
anonbanker
KDE is the closest to windows. Start with Chakra[1] or KaOS [2] if you want it
to "just work" (both are Arch-based). If you want to tinker, go Manjaro KDE.

If you want to have to earn back every single piece of hardware in your
computer, and end up becoming a Linux superhero when you're done, install
Gentoo.

If you're concerned about privacy or rights, avoid Ubuntu and Redhat distros,
as they have a history of exploiting both users and the free software licenses
they purport to honor.

The most software-compatible is Debian, but games/steamOS run on all x86-based
distributions.

1\. [http://chakraos.org/](http://chakraos.org/)

2\. [http://kaosx.us/](http://kaosx.us/)

~~~
thaumaturgy
I ran Chakra for a while -- although it's been a few years -- and wouldn't
recommend them to people looking to switch from Windows. Unfortunately they
weren't careful enough with their rolling updates and they would
intermittently break installed applications, including at one point smb. So
one day I could connect to Windows shares, the next day I couldn't.

~~~
anonbanker
If it's been more than a year since you've used a distribution, your opinion,
positive or negative, is likely inaccurate. The Linux community iterates at an
order of magnitude faster than the Windows or Mac ecosystem. The Chakra of
today is far smoother than the ones a few years back.

~~~
thaumaturgy
True. I wasn't clear, but it was more a criticism of the project's management,
which iterates far more slowly. But still, that's why I mentioned it had been
a few years -- so anybody could dismiss my experience as they wished.

fwiw though I took a quick look at their -stable forums
([http://chakraos.org/forum/viewforum.php?id=32](http://chakraos.org/forum/viewforum.php?id=32))
and there are several recent threads related to updates breaking things. I
realize that will to some extent be a problem on any platform, but it seems
disproportional on Chakra.

And in any case, that probably makes it a poor recommendation for Linux
novices switching from Windows.

~~~
anonbanker
fair enough. then switch to KaOS. :)

------
cakeface
I've seen a lot of posts about people worrying about personal privacy, as they
should be! Right now I'm actually curious about the business implications. Is
data going back to Microsoft? Should we be banning Windows for developers,
finance, customer support? I'm worried about personally identifiable
information (PII) leaking out of our company. Also developers still handle
credentials with access to production systems, AWS, sometimes SSL certs. This
data cannot be sent out of the network. What is the impact for businesses?

------
aikah
That's what happens when a single vendor has more than 95% share of a market.
There is no competition; where the hell are people using Windows software
going to run? I'm really angry at this. What's the difference between this
and a spyware / key logger / trojan? There is none conceptually.

I sincerely hope it backfires because it's just insane. If MS wants to collect
what's on my hard drive or log my key strokes, it should ask for my approval
first and not hide it behind a license.

People are outraged with the AM hack scandal, well nothing guarantees that MS
will never be hacked. And when a database like this gets hacked, every Windows
user's data will be in the wild. That's just crazy. Is this the "new Microsoft"
a lot of HNers like to boast about? Same as the old one.

------
fiatpandas
I have my windows 7 PC set up to automatically install "important" updates.
Are these telemetry updates considered "important" or "recommended"?

~~~
marvy
Just check if you already have them installed or not

------
beloch
Microsoft has already raised our suspicions by offering Windows 10 upgrades
for free. As a result, we're perfectly primed to believe the worst about these
updates.

Microsoft needs to do something convincing to reassure its users or Windows
10 will likely become synonymous with "Big Brother" regardless of what's
actually going on.

To reiterate, we're leaving territory in which it would have been reasonable
to "do nothing and hope it all blows over". MS needs to respond quickly or
they're going to have another dud release on their hands, in spite of giving
it away for free.

------
Navarr
2016 is the year of desktop linux.

For the kind of people who care about this sort of thing.

Also puts "Scroogle" into perspective.

~~~
Lendal
1) Internet web sites have always been "lit up with speculation".

2) Microsoft's "spying" has been going on since Windows Vista was released,
and speculation has gone along with it.

3) Since the 1990's, next year has always been "the year of desktop Linux."

~~~
Aoyagi
People keep saying that there was spying going on from XP or Vista, but
"spying" isn't a binary state. The amount of intended data-slurping has
increased incomparably.

~~~
yuhong
You can choose between telemetry levels in Win10 though.

------
fataliss
Maybe a chance for the Linux gaming scene? Finally a window (see what I just
did?) for another gaming OS? Hail Unix.

------
throwaway77632
No wonder they intend to no longer describe what's in an update... Only using
Windows in a VM still. Just set the network connection host-only. Didn't
really need internet there anyway, and given these circumstances, I might as
well get rid of it completely. I guess any inclination I had to think
Microsoft is on the way up just vanished again. Too bad it also means I'm
probably going to throw away my plans of diving into F#. Open source, but
still too tied to this company I'd better just give up on.

~~~
kefka
If you want to get into functional programming, check out Haskell or Erlang.

Both run well on Linux.

------
jimeh
Google cache of the article as the site seems down:
[http://webcache.googleusercontent.com/search?q=cache%3Awww.hakspek.com%2Fsecurity%2Fupdates-make-windows-7-and-8-spy-on-you-like-windows-10%2F&oq=cache%3Awww.hakspek.com%2Fsecurity%2Fupdates-make-windows-7-and-8-spy-on-you-like-windows-10%2F&aqs=chrome..69i57j69i58.1629j0j4&sourceid=chrome&es_sm=91&ie=UTF-8](http://webcache.googleusercontent.com/search?q=cache%3Awww.hakspek.com%2Fsecurity%2Fupdates-make-windows-7-and-8-spy-on-you-like-windows-10%2F&oq=cache%3Awww.hakspek.com%2Fsecurity%2Fupdates-make-windows-7-and-8-spy-on-you-like-windows-10%2F&aqs=chrome..69i57j69i58.1629j0j4&sourceid=chrome&es_sm=91&ie=UTF-8)

------
SpikedCola
Found a useful script on SuperUser that removes KBs as well as hides them in
the future. Just need to change the list slightly

    
    
    FOR %%X IN (3075249 3080149 3068708 2976978 3021917 3035583 2952664) DO ...

[http://superuser.com/questions/922068/how-to-disable-the-get-windows-10-icon-shown-in-the-notification-area-tray/922921#922921](http://superuser.com/questions/922068/how-to-disable-the-get-windows-10-icon-shown-in-the-notification-area-tray/922921#922921)

------
mosselman
I put this in a file called something.bat and ran it as administrator to
uninstall (I hope) most of the KBs. Any feedback would be great:

    
    
    @echo off
    REM Uninstall the updates listed in this thread, one wusa.exe call per KB.
    REM /norestart defers the reboot; wusa exits with 3010 when a restart is still pending.
    wusa.exe /kb:3075249 /uninstall /norestart
    wusa.exe /kb:3080149 /uninstall /norestart
    wusa.exe /kb:3068708 /uninstall /norestart
    wusa.exe /kb:2976978 /uninstall /norestart
    wusa.exe /kb:3021917 /uninstall /norestart
    wusa.exe /kb:3035583 /uninstall /norestart
    wusa.exe /kb:2952664 /uninstall /norestart

------
minthd
If that's true - doesn't this expose microsoft legally ? I mean we paid for
win 7 under certain terms, and now they're changing them.

~~~
coldpie
One of those terms was that they can change the terms at any time without
notice.

~~~
minthd
:) .Is that even legal ?

~~~
anonbanker
Consent is cemented 72 hours after a contract has been agreed-upon, unless
fraud is involved. In this case, agreement to future contract
amendments/changes is consent.

Your fault for clicking "Agree". Didn't anyone watch the Human Cent-iPad
episode of South Park?

~~~
minthd
IANAL , but:

" Unilateral modifications are not supposed to alter the material or important
terms of the original contract. "

[http://www.faircontracts.org/contract-provisions/unilateral-modification](http://www.faircontracts.org/contract-provisions/unilateral-modification)

~~~
anonbanker
Unless you've bilaterally agreed or acquiesced to it, of course. Consent(.exe)
is everything.

You have 72 hours (10 business days by mail) to undo your consent to the
Windows license changes after clicking "Agree". Did you submit your notice in
a timely fashion, or did you let the clock run out?

------
DrNuke
This news is another nail in the coffin. The pattern I can see among my peers
and my small market is that people are more and more uneasy with using the web
for sharing valuable info and data, both on public and private networks. They
prefer face-to-face meetings and paper docs. Food for thought and some ground
for new startups maybe.

------
bung
Been waiting for an article like this but even though it points to two items,
KB3075249 and KB3080149, it doesn't seem like "firm" information as there is a
huge list of "maybe" items as well as a warning that removing things can mess
up your computer.

How likely is it that we'll ever have a "firm" finite list?

------
mtgx
What an unbelievable lack of respect and a big FU to Microsoft's own
customers. At least using Windows 10 is a _choice_ (I think - do they force it
on Windows 7 machines?), but to do this to all existing customers - wow, just
wow.

Behold everyone - this is the "new" Microsoft, worse than it ever was.

~~~
marcosdumay
> I think - do they force it on Windows 7 machines?

No, but they keep nagging you every time you turn your computer on.

~~~
logfromblammo
You can turn off the nagging by uninstalling update kb3035583. Then hide the
update so it doesn't helpfully install it again for you.

------
ptx
Parents spying on their children's communications seems hard to reconcile with
the principles in the UN Convention on the Rights of the Child[1] which most
countries are signatories to, in particular articles 13 and 16:

"Recognizing that the United Nations has, in the Universal Declaration of
Human Rights and in the International Covenants on Human Rights, proclaimed
and agreed that everyone is entitled to all the rights and freedoms set forth
therein, without distinction of any kind, such as race, colour, sex, language,
religion, political or other opinion, national or social origin, property,
birth or other status,

...

"The child shall have the right to freedom of expression; this right shall
include freedom to seek, receive and impart information and ideas of all
kinds, regardless of frontiers, either orally, in writing or in print, in the
form of art, or through any other media of the child's choice.

...

"No child shall be subjected to arbitrary or unlawful interference with his or
her privacy, family, or correspondence, nor to unlawful attacks on his or her
honour and reputation.

"The child has the right to the protection of the law against such
interference or attacks."

Given that Microsoft is a US company and the US is one of very few countries
that hasn't ratified the convention[2], the concept of children having human
rights might seem strange and foreign to them, but almost everywhere else, the
state is (it seems to me) obligated to protect children from this kind of
intrusion. (Maybe the EU could look into forcing them to release a special
spyware-free edition...)

[1]
[http://www.ohchr.org/EN/ProfessionalInterest/Pages/CRC.aspx](http://www.ohchr.org/EN/ProfessionalInterest/Pages/CRC.aspx)
[2]
[http://www.unicef.org/crc/index_30225.html](http://www.unicef.org/crc/index_30225.html)

------
SwimAway
Where are the security researchers? Credible, elaborate, and well-documented
articles? Has this not captured their attention or is it a lack of concern?

------
toufka
Installing spyware via a software update is a huge moral hazard for Microsoft.
It incentivizes people to maintain an unpatched operating system.

------
mosselman
So I just started my windows and it seems that I am 'infected' with this anti-
privacy stuff. How do I get rid of it? Re-install from the installation disk
and disable updates, or can I still remove the updates?

~~~
saint_fiasco
You can remove updates via the control panel.

~~~
mosselman
But does that really work in this case? It seems as if these new privacy
things go pretty deep.

~~~
saint_fiasco
I'm not sure. I have seen spam that has unsubscribe buttons that actually
work, as well as adware that uninstalls properly from the control panel.

I hope Windows doesn't do worse than spammers and malware programmers.

~~~
mosselman
Lol, thanks.

I will at least give it a try ;). But before that I am moving all my personal
files to my NAS and I will only be using windows for playing a game or 2.

------
tacone
I wonder how any IT corporation of decent size, with internal data policies,
will be able to live with something like this.

------
JustSomeNobody
So, does this mean MS has lost all their good will points earned from
releasing all the open source code recently?

------
hfpn
Microsoft's got even bigger balls than I thought they had... I hope this is
the beginning of the end.

------
IkmoIkmo
I think it's time that we don't ask of users to protect themselves by reading
hundreds of pages of EULAs, and then ostracising themselves from mainstream
electronics use (both at home, as well as at work) because they refuse to use
software that's loaded with insane levels of spyware (record and transfer all
voice and every keystroke). That's a large burden. It's perhaps time this
becomes a legal matter rather than purely a user-choice matter.

In society we have all kinds of protections for people that make a lot of
sense, that take away individual responsibility. For example, even if a person
wanted, you're not allowed to become a slave, it's simply not allowed. Even if
a person wanted in most of the developed world, you're not allowed to work for
less than minimum wage, or in a toxic environment. Similarly even if a person
says 'I don't mind if people are misogynistic towards me at work, or
discriminatory, I just want this job no matter what because I need the money',
that's not allowed, either.

Similarly, I think it's time we start to think of legal protections against
this level of spyware. We shouldn't put the burden of acceptance on individuals
when you'll have millions of people who'd prefer to live in a world where they
don't have to use this software at home or at work, but have no choice
(particularly at work), and thus accept spyware because the loss of their job
works as a blackmailing force, just like in the above examples.

That doesn't mean I'm saying there is no legal place for software like this
under any conditions. But the notion that it _can 't be turned off_ is insane.
Even 'on by default' is a step too far, but now Windows is saying whether you
use windows 7, 8 or 10, we're spying on you, and you can't turn it off, and if
you tamper with our software manually you'll fail because we've hardcoded it.
That's not acceptable and my point is, it shouldn't fall upon users to boycott
such harmful parts of software they paid for (in the case of Windows 7, half a
decade ago).

It should fall upon the rule of law to prevent this and allow at least an opt-
in, a choice, a choice that isn't 'use any Windows product, or use no Windows
product'.

If OSes were more free like, say, the automotive industry, I wouldn't mind as
much. Like if Toyota one day decided to record audio in cars, that's one
thing. You can switch to more than a dozen top-quality car manufacturers who
don't do this, and it wouldn't affect your jobs or anything like that. But
we're talking about a desktop/laptop market where <2% of marketshare is Linux
and OS X is ~10%, the remainder is virtually all Windows and it's got hardcoded
spyware features.

~~~
makecheck
There are a few practical issues to solve first.

Rules must apply over time. A "turn everything off" request shouldn't be able
to transform into "except these new on-by-default features added in patch
1.01".

Software has bugs, including "off switches"; as such, even if there _appears_
to be a way to shut everything off, I always assume that these may fail. The
"over time" problem applies here, too; a year from now, some poor new guy
tasked with maintaining these protection switches might screw up an update and
break an off-switch that used to work fine.

Information is currently too valuable. As a society we _really_ have to get to
the point where the value of bits of data is so low that leaks don't matter.
We sure as heck shouldn't have ways for criminals to screw you by knowing a
_single number_ that belongs to you!

Information is inherently hard to protect. Photos are very hard to protect;
even if you had a new file format, encryption, low-level hardware that was
physically incapable of accessing pixels without a key, memory that could not
cache plain-data versions of the image, etc. there is _still_ an easy way for
someone to take out an iPhone and snap a copy of what they see on their screen
and keep it forever. True photo security would practically require what is
mandated for photocopiers with respect to counterfeiting; all cameras and all
displays would have to be equally mandated to use watermarked images that
encode encryption keys (e.g. your camera can only take a picture of another
image if the associated key is one that has granted you access). And of
course, that level of assurance could also be abused.

Ideally the average citizen would be able to grant and revoke keys for any and
all organizations like Facebook or Microsoft, and systems and formats would be
such that information is _impossible_ to use once a key expires or has been
revoked.

------
ausjke
Happy Linux desktop user here, I only need Windows for TurboTax once a year,
so I will worry about this in Feb/Mar. Does anyone provide a cloud-based tax
filing service?

~~~
gvb
H&R Block does: [http://www.hrblock.com/online-tax-filing/](http://www.hrblock.com/online-tax-filing/)

Disclaimer: I have not used their online version so I don't know how well it
works. I have been running their Windows version in a VM the last few years
because I'm not wild about putting any more of my tax information "in the
cloud" than I have to.

I would expect TurboTax to support online filing too, but did not see it on a
quick search.

~~~
nacs
> I don't know how well it works

I've used H&R Block's online service for filing federal and state taxes for
the past few years with no issues.

------
superskierpat
Well, I can see Russia putting a lot more money into ReactOS.

~~~
yellowapple
Or GNU/Linux, or OpenBSD, or something else privacy-aware.

But yes, ReactOS could certainly use some love, from Russia or otherwise.
Can't wait for 0.4.0 to come out; should be a nice push toward general
usability.

~~~
superskierpat
I've just finished installing Arch Linux after nuking my Ubuntu/Windows
install. I've been doing a hell of a lot of configuration, but I'm pretty happy
with what I have.

More on point, I've been planning to buy a cheap laptop to test more
experimental OSes, like ReactOS and Harvey.

~~~
yellowapple
Hadn't heard of Harvey before. Looks like an interesting take on Plan 9; I'll
definitely have to try that one out.

------
CamperBob2
The lack of public disclosure, commentary, and, yes, outrage surrounding
Windows 10's privacy policy is a lot more disturbing than Windows 10 itself.

------
nly
The easiest way to block this for sure is probably going to be to harvest a
list of hostnames and/or IPs Microsoft are using and block them at your border
gateway/router.

I've recently considered setting up a separate wifi SSID where everything
outbound except DNS and TCP 80/443 is blocked, with TLS SNI and plain HTTP
logging, just so this sort of thing can be monitored.

~~~
JadeNB
It's not what you said, but note that some of the phone-home behaviour is very
deep rooted, ignoring proxy settings ([http://arstechnica.com/information-
technology/2015/08/even-w...](http://arstechnica.com/information-
technology/2015/08/even-when-told-not-to-windows-10-just-cant-stop-talking-to-
microsoft)):

> We configured our test virtual machine to use an HTTP and HTTPS proxy (both
> as a user-level proxy and a system-wide proxy) so that we could more easily
> monitor its traffic, but Windows 10 seems to make requests to a content
> delivery network that bypass the proxy.

------
leonatan
Archived version until the site is up:
[https://web.archive.org/web/20150824023803/http://www.hakspe...](https://web.archive.org/web/20150824023803/http://www.hakspek.com/security/updates-make-windows-7-and-8-spy-on-you-like-windows-10/)

------
mizzao
People who use their google accounts and Chrome ubiquitously already get spied
on by GA at a much bigger scale through all the sites they visit in their
browser.

Why is it a big uproar when it happens at the OS level? Seems like it's pretty
much the same thing. We always have the option of using Linux if we don't like
it.

~~~
kardos
Chrome -- as far as we know -- doesn't transmit all of your keystrokes to
Google, nor does it transmit the contents or indexes of your local
filesystem(s) back to Google.

~~~
McGlockenshire
You're posting FUD.

Those permissions are required in the context of Cortana, so Cortana can work.
Keep Cortana off and turn off the services, and nothing gets transmitted.

It's literally no worse than the conditions you agree to when using Siri or Ok
Google / Google Now.

~~~
kardos
If you'll allow Wikipedia to define FUD [1],

> FUD is generally a strategic attempt to influence perception by
> disseminating negative and dubious or false information.

What part is dubious or false? Do you need me to quote the Win 10 privacy
policy?

[1]
[https://en.wikipedia.org/wiki/Fear,_uncertainty_and_doubt](https://en.wikipedia.org/wiki/Fear,_uncertainty_and_doubt)

------
alimbada
There have been a number of revelations about the invasion of privacy prevalent
in Windows 10 (and now, according to this article/thread, 7 and 8 too), but
curiously Microsoft have been very silent on the matter, which is only making
things worse for them, as users will naturally take that as a confirmation of
the relevant findings.

It's also strange to see Microsoft making this move given that this invasion
of privacy is probably illegal in many ways in countries that are forward
thinking enough to have laws against this type of thing.

Maybe they see it as a short term ploy to try and collect as much data as they
can before there is a big enough uproar against it and then decide to pull the
"feature(s)". They may see it as worth the controversy if they can gather
enough data for future products/improvements.

------
yuhong
FYI, you can't disable telemetry on Win10 unless you have enterprise edition,
but you can select levels.

~~~
archimedespi
You sort of can, see things like
[https://github.com/10se1ucgo/DisableWinTracking/](https://github.com/10se1ucgo/DisableWinTracking/).

~~~
A010
It's easy to blackhole those domains and remove reg keys, but I wonder if M$
will add new ones in later updates.

~~~
nullsmack
That's okay, they can just use their p2p technology and route their spying
through other people's computers.

------
antaviana
Curiously, the net effect is that now there is one less reason to skip
upgrading to Windows 10!

------
rileyteige
If I could figure out my wireless card/GPU drivers, I'd swap to Linux in a
heartbeat. Plug-n-play drivers is the only reason I'm still on that closed-
source OS. Just don't have the patience to hunt down third-party drivers.

~~~
keithpeter
Boot off a live CD (e.g. Ubuntu) and run lspci from a terminal session then
post it here.

You may find the drivers you need are available in a separate 'restricted' or
'non-free' repository. It is unusual these days on desktop/laptop oriented
installs to have to 'hunt down' anything.

 _Very very_ recent hardware can still be problematic mind you.

------
lewisl9029
What exactly is going on with the decision making at Microsoft?

With all the backlash that has resulted from the Windows 10 privacy issues,
you'd think their next thought wouldn't be "we should piss off our customers
with more of the same".

------
dmfdmf
When the KB3035583 GWX/Win10 spam came out I removed it and set my updates to
manual, because I figured it wouldn't be long before MS put out another update to
push Win10. This is much worse: now I find out there are a number of updates
that I have to track down and uninstall. Going forward I will always have to
lag a month or so behind updates to make sure MS is not installing a key
logger on my Win7 computer. I guess my move to Linux is sooner than I thought.

------
rdudek
I have a question that I can't seem to get a straight answer anywhere. If I
were to use Win 10 Enterprise edition, could I theoretically disable all the
spying and telemetry?

It also now seems like we need two computers. One that is open for "spying" so
the government looks at my usage and white-lists me as a "good citizen" and
another computer that basically is encrypted and hides anything I don't want
anyone to know about.

~~~
kardos
Or just one that runs open software...

------
fsloth
If we try to apply the principle of charity, are there any advantages that
this telemetry data could provide to the end user?

I can't come up with any at least.

~~~
xrstf
If you ever get accused of having illegal images on your PC, you can ask
Microsoft to prove that you never had .jpg files in C:\Windows\Fonts.

------
vmp
I wrote a utility in C# to make it easier to uninstall the offending updates:
[https://github.com/schumann2k/UpdateAntiSpy](https://github.com/schumann2k/UpdateAntiSpy)

Feedback & pull requests welcome. :)
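For anyone who would rather read and run a script than a third-party binary, here is the same job in PowerShell, as an added example. It is not code from the UpdateAntiSpy repository or from Microsoft. It assumes the KB numbers discussed in this thread (3068708, 3075249, 3080149, 2976978) are the ones you want gone; check that list against the Microsoft KB pages for your own Windows version first, since 2976978 is a Windows 8/8.1 update and will simply be skipped on 7. It also assumes the Diagnostics Tracking Service is registered under its service name DiagTrack, which is what KB3068708 installs.

```powershell
# Added example, not code from the UpdateAntiSpy project or from Microsoft.
# Removes the telemetry-related updates discussed in this thread from Windows 7 / 8.1,
# hides them so Windows Update stops re-offering them, and disables the Diagnostics
# Tracking Service (DiagTrack) that KB3068708 installs. Run from an elevated prompt.
# Check the KB list against the Microsoft KB pages before running it on your machine.
param(
    [string[]]$KbIds  = @('3068708', '3075249', '3080149', '2976978'),
    [switch]  $DryRun   # report what would happen without changing anything
)

$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin  = ([Security.Principal.WindowsPrincipal]$identity).IsInRole(
                [Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { throw 'Run this from an elevated PowerShell prompt.' }

# 1. Uninstall whatever is present. Get-HotFix reads Win32_QuickFixEngineering and
#    reports IDs in the "KB1234567" form, so strip the prefix for comparison.
$installed    = Get-HotFix | ForEach-Object { $_.HotFixID -replace '^KB', '' }
$rebootNeeded = $false
foreach ($kb in $KbIds) {
    if ($installed -notcontains $kb) { Write-Host "KB$kb not installed, skipping"; continue }
    Write-Host "KB$kb installed, uninstalling"
    if ($DryRun) { continue }
    # wusa.exe is the supported uninstaller for standalone updates. /norestart lets us
    # collect all the removals and reboot once at the end.
    $p = Start-Process -FilePath wusa.exe -Wait -PassThru `
            -ArgumentList "/uninstall /kb:$kb /quiet /norestart"
    switch ($p.ExitCode) {
        0       { }
        3010    { $rebootNeeded = $true }   # ERROR_SUCCESS_REBOOT_REQUIRED
        default { Write-Warning "wusa exited with $($p.ExitCode) for KB$kb" }
    }
}

# 2. Hide the updates via the Windows Update Agent COM API so they are not re-offered.
#    IUpdate.IsHidden can only be set by an administrator; the search needs network access.
$searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
foreach ($u in $searcher.Search('IsInstalled=0 and IsHidden=0').Updates) {
    $hit = @($u.KBArticleIDs | Where-Object { $KbIds -contains $_ })
    if ($hit.Count -eq 0) { continue }
    Write-Host "Hiding: $($u.Title)"
    if (-not $DryRun) { $u.IsHidden = $true }
}

# 3. Belt and braces: if DiagTrack survives (or comes back), make sure it cannot start.
$svc = Get-Service -Name DiagTrack -ErrorAction SilentlyContinue
if ($svc -and -not $DryRun) {
    Stop-Service -Name DiagTrack -Force -ErrorAction SilentlyContinue
    Set-Service  -Name DiagTrack -StartupType Disabled
    Write-Host 'DiagTrack service stopped and disabled'
}

if ($rebootNeeded) { Write-Host 'Reboot required to finish removing the updates.' }
```

Run it once with `-DryRun` to see what Get-HotFix and the update searcher report before letting it touch anything. The hide step matters as much as the uninstall: with automatic updates on, a removed optional update is offered again at the next scan, which is exactly the "track them down again next month" problem described further up the thread.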

------
archimedespi
Is there any tool like DisableWinTracking for Windows 7?

~~~
mnw21cam
A Linux machine with two ethernet cards acting as a firewall to the internet?

~~~
simonh
Do we even know how you'd need to configure the firewall to block the specific
traffic that's the problem?

~~~
morganvachon
There's a list of domains that came up in a previous discussion on HN (sorry,
I don't recall it right away), and was also trending on pastebin.com, which
contained all of the known domains Microsoft was using to report back from the
OS. Presumably you could route those to "null" or the equivalent on your
router and you'd be good to go.

Edit: Here's the pastebin link:
[http://pastebin.com/RZW74Npk](http://pastebin.com/RZW74Npk)

~~~
scott_karana
You could always just do that in Windows' hosts file, too.

~~~
morganvachon
You can, and I'm sure most would. There may come a time, however, when a
future Windows update rewrites or works around the hosts file for telemetry.
Doing it at the router or external firewall avoids that possibility.
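The hosts-file variant of this, as an added example (not code from the thread or from Microsoft): it adds blackhole entries without duplicating ones already present, then actually checks that the names resolve to 0.0.0.0 afterwards, which is the step people usually skip. The two hostnames in the default list are placeholders; substitute the list from the pastebin linked above. The backup path and the `# telemetry blackhole` marker comment are my own conventions.

```powershell
# Added example, not code from the thread or from Microsoft. Blackholes a list of hostnames
# in the Windows hosts file without duplicating entries that are already there, then checks
# that each name now resolves to 0.0.0.0. The two hostnames below are PLACEHOLDERS; replace
# them with the list from the pastebin linked above. Run from an elevated prompt.
param(
    [string[]]$Names     = @('telemetry.example.invalid', 'watson.example.invalid'),
    [string]  $HostsFile = "$env:SystemRoot\System32\drivers\etc\hosts"
)

$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin  = ([Security.Principal.WindowsPrincipal]$identity).IsInRole(
                [Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { throw 'Run this from an elevated PowerShell prompt.' }

# Dated backup first: a broken hosts file is annoying to debug, and this keeps undo one copy away.
Copy-Item -Path $HostsFile -Destination "$HostsFile.$(Get-Date -Format yyyyMMdd-HHmmss).bak"

# Build the set of names already mapped, ignoring comments and blank lines.
$mapped = @{}
foreach ($line in Get-Content -Path $HostsFile) {
    $body   = ($line -split '#', 2)[0].Trim()
    $fields = $body -split '\s+'
    if ($fields.Count -lt 2) { continue }        # need an address plus at least one name
    foreach ($n in $fields[1..($fields.Count - 1)]) { $mapped[$n.ToLower()] = $fields[0] }
}

$toAdd = @($Names | Where-Object { -not $mapped.ContainsKey($_.ToLower()) })
if ($toAdd.Count -gt 0) {
    # 0.0.0.0 rather than 127.0.0.1: nothing answers there, so the connection fails at once
    # instead of reaching whatever local web server happens to be bound to loopback.
    $lines = $toAdd | ForEach-Object { "0.0.0.0 $_    # telemetry blackhole" }
    Add-Content -Path $HostsFile -Value $lines -Encoding Ascii
    Write-Host "Added $($toAdd.Count) entries"
} else {
    Write-Host 'All names already present'
}

# The DNS client caches earlier answers, so flush before verifying.
ipconfig.exe /flushdns | Out-Null

$failed = @()
foreach ($n in $Names) {
    try   { $addrs = @([System.Net.Dns]::GetHostAddresses($n) | ForEach-Object { $_.IPAddressToString }) }
    catch { $addrs = @() }
    if ($addrs -contains '0.0.0.0') {
        Write-Host "$n -> 0.0.0.0 (blackholed)"
    } else {
        Write-Warning "$n -> $(if ($addrs) { $addrs -join ', ' } else { 'no answer' }) (NOT blackholed)"
        $failed += $n
    }
}
if ($failed.Count -gt 0) { exit 1 }
```

Two caveats a practitioner will want. First, a hosts entry only stops a connection that is made by name; anything that talks to a hard-coded IP, or the CDN requests that bypassed the proxy in the Ars Technica test quoted earlier, is untouched, so this complements the router block rather than replacing it. Second, the verification loop is the only part that tells you whether the edit took effect, and it is cheap to re-run after every Patch Tuesday, which addresses the "a future update rewrites the file" worry above.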

~~~
kardos
Such an update could also add new data harvesting hosts, which would bypass
your router's blacklist.

~~~
morganvachon
That's a given. The rabbit hole goes as deep as Microsoft is willing to dig
it. Like any other vulnerability, there will always be security researchers
out there who find and report on new ones.

------
tacone
I'm with Ubuntu/Gnome3 and it's pretty fine. It took some plugin installing
(very easy btw), but it feels pretty good. Time to switch?

------
hadeharian
Windows, now like AOL but better!

------
balabaster
.... aaaand Windows Update Automatic Updates is getting disabled.

------
Raed667
Every time Microsoft releases a new Windows (since XP SP1) I have seen a
quantifiable performance decline with every update I installed. I think
Microsoft pushes people to change OSs using this technique.

------
komicsans
As far as I know, these updates are optional.

------
rasz_pl
Can't wait for the new EU fine; let's hope it's orders of magnitude more
significant this time. A cool 10 billion euro should be enough to stop MS from
screwing people over.

~~~
Hjugo
Or that they finally fund a project that could replace windows

~~~
endymi0n
Given their dismal track record of funding anything remotely successful other
than ivory tower projects, I wouldn't hope too much.

[https://en.m.wikipedia.org/wiki/Quaero](https://en.m.wikipedia.org/wiki/Quaero)
Or look at Stratosphere/Apache Flink: basically they cloned Spark, much worse,
for millions of dollars.

------
miralabs
can they be sued for doing this?

------
mamon
It seems that Microsoft was right when calling Windows 10 "The Last Windows"
- after such insolent violation of privacy people will switch to Linux or Mac
OS just to avoid it. Microsoft is doomed, let's celebrate! :)

------
jsingleton
Not sure why this is being down-voted. Just trying to be helpful in case
people want to avoid these optional updates or uninstall them. Maybe I should
just delete the comment?

~~~
dang
That helpful comment got two downvotes and well over a hundred upvotes. This
is an extreme example of why HN has a guideline asking people not to comment
about being downvoted. Most of the fluctuation is ephemeral, and most comments
about it soon become inaccurate.

We've detached this subthread from
[https://news.ycombinator.com/item?id=10110543](https://news.ycombinator.com/item?id=10110543)
and marked it off topic.

~~~
jsingleton
sorry :(

~~~
dang
Please don't feel bad! Your contributions are overwhelmingly positive, and
we're grateful. The reason I post stuff like the above is not to reprimand
anyone, it's to feed reminders about the guidelines into the community.

