
Fix Windows 10 - xDola
https://fix10.isleaked.com/
======
ksk
I think Microsoft messed up the messaging and wording of their features,
bigtime. Many products these days are integrating analytics to see how their
users use their products. Personally, I prefer to disable such tracking, but I
don't view it as malicious.

MS should have realized by now that people don't quite trust them with this
stuff, and they should have made it clear at the outset that they are never
going to use this data for "sharing with their partners" or any purpose other
than explicitly as a signal for improving specific Windows features.

They used legal language that allows them much more latitude than what they
require. This is most likely intentional (probably for future competition with
Google), but IMO they should have gone with a very narrow data use policy.

~~~
McGlockenshire
> They used legal language that allows them much more latitude than what they
> require.

It's the same trap that people fall into when site terms of use ask for
worldwide, royalty-free, irrevocable license to content that you post. Yeah,
that sounds like it's a horrible nastiness, but from a legal point of view
that wording is a safety net for the company, not an attempt to claim actual
rights over contributed content.

MS has completely failed to control the message here, and everyone's working
themselves into a groupthink riot, just like they did over the Ok Google
binary blob nonsense.

~~~
throwawayaway
I think in both the examples you give, what starts out as 'innocuous' and
'well meaning' will inevitably be subverted for something far more nefarious.

Not everyone with a different opinion to you is incapable of forming their own
conclusions, or susceptible to groupthink.

Is Bruce Schneier also a victim of this 'nonsense'?

------
dijit
I look at this list and I think of my grandmother, who would never do this,
never even think to do it.

"The windows" is her friend, and she's relatively tech savvy for a person of
her generation.

Heck, people my mother's generation would not think to do this.

Heck, even my brother would not think to do this, or to look for this. If it's
not a single place, if you have to open the command line (on windows) then the
ability for a reasonable user to gain privacy is nonexistent.

The option might as well be a toggle switch in the middle of Tanzania, it will
be noticed all the same.

~~~
Someone1234
Frankly your "grandmother" is better off not doing this anyway.

She needs the anti-phishing filter, the anti-malicious app & URL filter, and
will want useful features like Cortana, predictive search, page compatibility
modes, allowing websites/apps to ask for her location (e.g. Google Maps), and
her files to be backed up when her computer fails.

You can argue if certain things help your "grandmother" (e.g. telemetry,
advertiser IDs, etc) but this seems to throw the baby out with the
bathwater.

PS - Windows 10's defaults could be better. But this takes it to the other
extreme, disabling legitimately useful functionality (in particular security
focused functionality).

~~~
zxcvcxz
> will want useful features like Cortana, predictive search, page compatibility
> modes, allowing websites/apps to ask for her location (e.g. Google Maps), and
> her files to be backed up when her computer fails.

Have you ever had a grandma? My grandma literally plays solitaire and checks
her email, that's it. She wants nothing to do with Cortana.

I set my grandma up with Ubuntu and set the homepage of Firefox to her email.
I've never had a problem.

~~~
Someone1234
My grandma also mostly plays games and checks her email/Facebook, but she also
occasionally has to search the web and has used Siri on her iPad, I don't
think Cortana would be that big of a stretch to get her into (e.g. I've seen
her use Siri semi-regularly to check the local weather).

To be frank, she would likely be better off with a Chromebook. But
unfortunately she has a few games she plays which are Windows binaries (e.g.
those $5 CDs containing "2500 card games").

Cortana is no more or no less accessible than Siri.

~~~
hfpn
The problem with Cortana and Siri is that they process everything on remote
servers while it could easily be done on a local machine. They do this to be
able to save all that data (and take away your privacy).

Apple saves Siri's audio for 2 years for example... not sure what Microsoft's
policy is on this...

~~~
urda
> The problem with Cortana and Siri is that they process everything on remote
> servers while it could easily be done on a local machine.

Please enlighten the HN crowd and provide a reference for this claim.

~~~
hfpn
Sorry, I was thinking mostly about voice recognition... which would already be
a big plus if it was done locally.

------
deanclatworthy
Not the first attempt I've seen to summarise all the fixes for the privacy
leaks. But given I've seen 2-3 articles on the HN homepage so far this week
that MS still sends all kinds of crap and of course has the ability to patch
these workarounds - consider me sceptical!

This is a game people are going to lose. If MS cared about privacy this
wouldn't have happened in the first place. Just don't use Windows. Use your
favourite Linux distribution.

~~~
sb057
Microsoft has had the ability to push updates without user consent since XP!

[http://www.informationweek.com/microsoft-updates-windows-wit...](http://www.informationweek.com/microsoft-updates-windows-without-user-permission-apologizes/d/d-id/1059183)

------
w0000t
In my opinion, if those privacy issues bother you, the first step should be an
overview of non-Microsoft operating systems.

~~~
gcb0
And the alternatives are?

OS X invented all this. MS is just catching up. And Apple doesn't even allow you
to disable things.

Android? Chrome alone sends more info than whole Windows 10+Edge.

Now, you could say Linux. But sadly your grandmother has no publicly
available product she can buy with that OS.

~~~
pdkl95
> no publicly available product

Yes. Sometimes doing the right thing to protect your rights and the rights of
others _requires sacrifice_. Freedom is not always free (as in beer).

As long as you insist that any potential alternative have the same features,
you might as well give up. The incumbent can always create and market a new
"feature" guaranteeing any alternative is always playing catch-up.

As time goes on, the lock-in increases and the cost of change becomes more
expensive. Do you want to pay this cost now, or do you want to pay an even
higher cost in the future after Microsoft - emboldened by the profits from
selling user data to their "partners" - decides to make the spying even more
invasive?

Do you even want to own a General Purpose Computer? You better make a decision
quickly; when Intel's SGX instructions become widespread, it will be next to
impossible to disable these "important security features".

~~~
listic
Thanks for bringing SGX to my attention!

I thought I was more or less following the development of PC hardware, but I
never heard of this one, and it's not very new already. Wikipedia article [1]
on the subject is surprisingly concise, and only quotes Intel homepage on the
subject.

Do you have any pointers to independent discussion or analysis of this
technology? As with all such new technologies, it might require more than just
reading its name or manufacturer's description to understand its implications:
like e.g. with Trusted Execution Technology, it takes some research to form an
opinion: is it actually about me, the computer's user, or someone else who is
going to trust this computer?

[1]
[https://en.wikipedia.org/wiki/Software_Guard_Extensions](https://en.wikipedia.org/wiki/Software_Guard_Extensions)

------
slg
I can't help but feel like some of this is fear mongering. There are some good
features in there that are being disabled for the sake of "privacy" like
sharing of Windows updates with other computers to speed up downloads. And how
do we expect things like Windows Defender or Microsoft's handwriting and voice
recognition to improve if we refuse to share back any anonymized information
with Microsoft?

~~~
drdaeman
> And how do we expect things like Windows Defender or Microsoft's handwriting
> and voice recognition to improve if we refuse to share back any anonymized
> information with Microsoft?

By opt-in approach and full transparency on what data's sent.

Seriously, ask me "hey, can you help us?", provide an option to let me see
what data _exactly_ was, is being and will be sent (NOT some multi-page legalese
with notice that everything in there could change at company's discretion) -
and unless you're sending something I really don't want to share (like actual
raw texts I typed instead of processed statistical data), you're very likely
to have my help. And, given the current situation, even praise the approach
and suggest others help the noble intent.

There's a giant difference between this and a pre-installed black box that
sends some data whose contents I don't even know.

~~~
wldcordeiro
You often hear the phrase "It's better to ask for forgiveness than to ask for
permission" especially here on Hacker News and around start-ups. Microsoft is
taking the same approach. I agree that opt-in and full transparency would be
the best in an ideal world. But the reality is that people don't care enough
and most people wouldn't opt-in willingly or wouldn't realize what they could
opt-in to.

~~~
dragonwriter
> You often hear the phrase "It's better to ask for forgiveness than to ask
> for permission"

The more common phrase is _easier_ rather than _better_. (Which is why the
initialism form is EAFP rather than BAFP.)

And it _is_ easier. Also, however, more prone to adverse consequences when the
answer to what you ask is "no".

------
QuantumRoar
From what I can see, this blog post has approximately the same length as the
beginners' guide for installing Arch Linux [1]. What a user experience...

[1]
[https://wiki.archlinux.org/index.php/Beginners'_guide](https://wiki.archlinux.org/index.php/Beginners'_guide)

~~~
w0000t
Apples, oranges...

[https://wiki.archlinux.org/index.php/FAQ#Why_would_I_want_to...](https://wiki.archlinux.org/index.php/FAQ#Why_would_I_want_to_use_Arch.3F)

~~~
Eiriksmal
> "you believe an operating system should configure itself, run out of the
> box, and include a complete default set of software and desktop environment
> on the installation media."

Can't get more orange than Arch, for the sake of that comparison!

~~~
w0000t
Just a note. The quote Eiriksmal posted is from the section: _Why would I NOT
want to use Arch?_

------
karn09
I wish the steps were this straightforward for my android phone.

~~~
dublinben
They are:

1. Install an AOSP ROM without the proprietary Google Apps or Google Play
Services.

2. Install the F-Droid market to download whatever programs you like.

3. Enjoy using an Android phone without the anti-privacy Google tracking.

~~~
thescrewdriver
Unfortunately 90% of useful apps aren't on F-Droid.

~~~
dublinben
That's just your opinion. 90% of the apps in Google play are junk that don't
respect user rights or privacy.

I'm perfectly content using only the apps available in F-Droid, and have been
for years.

------
maaaats
> _7. To disable telemetry (...)_

Why should I disable that? What does it do? My understanding is that it's only
statistics on data usage, which I find useful?

~~~
UK-AL
Nearly all of the Windows privacy issues come from useful features.

If Cortana wants to automatically recommend appointments from emails? Guess
what? She has to read your emails.

If you want to be blocked from downloading malware? Guess what? You have to
check with a central db first.

etc

Apple, Google devices etc have had this stuff on for ages.

~~~
pmontra
> If you want to be blocked from downloading malware? Guess what? You have to
> check with a central db first.

Or it could download the db and do the checks locally. There wouldn't be
privacy concerns about MS knowing which sites one's browsing.

~~~
Someone1234
You realise Chrome, Firefox, and Microsoft all use Google's database[0] for
this and have for at least seven years. Why is this anti-phishing blacklist all
of a sudden an issue in 2015?

[0] [https://developers.google.com/safe-browsing/developers_guide...](https://developers.google.com/safe-browsing/developers_guide_v3)

~~~
drdaeman
As far as I know, that should be okay. Browsers don't query the database
online like some RBL, but download it locally and check visited sites against
a local copy. No URLs are sent to Google.

Which - as far as I know - is very different from how Windows anti-malware
system works. At least I think I saw network requests from a Windows 8 machine
when "untrusted" applications (.exe) were started.

------
nailer
This would be better as a Windows app (with a single step, and an undo) rather
than a blog post.

~~~
gawa
[https://github.com/10se1ucgo/DisableWinTracking/](https://github.com/10se1ucgo/DisableWinTracking/)

No undo function, but you can choose between disabling or permanently removing
tracking features.

It only removes the most "controversial" features of the OS (the "keylogger"
part), but it may be of interest for those who still want some features, like
everything related to security and/or the cloud.

Maybe it can serve as a basis for a more advanced software which will offer
more cleaning options. Or maybe such a software already exists (I didn't
search much).

------
muraiki
Unfortunately, the ad under "Does this banner show ads based on your
interests? If yes, you have been tracked" is a link to what I can only imagine
is malware, given that it's an "Update Drivers Now" ad. As such, this site
isn't really appropriate to send to the average non-technical user, as given
my experience from working at an IT help desk years ago, people will end up
clicking that ad and installing the malware...

~~~
tokenizerrr
That's Google Ads. So I guess most of the internet isn't really appropriate to
send to the average non-technical user?

~~~
jarcane
Pretty much, no, really.

This is why I consider an ad-blocker part of any standard security suite.

~~~
digi_owl
I keep going back and forth about installing one for my parents, after having
had to deal with a couple of full screen "ads" that mimicked Windows having a
security crisis.

I say "ads" because while the thing was an obvious (to me) scam, it came while
browsing Facebook of all places. As such, the only way I could see it happen
was via the Facebook advertisement system.

~~~
krisdol
Why do you go "back" on it? The internet is a better, safer, faster experience
without ads.

~~~
digi_owl
I wonder what it will bork up for them.

------
gecko
I get where some of this is coming from, but I'm not sure that "fixing"
Windows by disabling automatic security updates is actually a good idea.

~~~
thescrewdriver
The guide shows how to disable sending updates from your computer to other
computers on your LAN or on the Internet. It doesn't suggest disabling updates
anywhere...

~~~
jonathonf
I don't understand why you would want to disable LAN distribution of Windows
10 updates to your other Windows 10 machines. It seems like a great way of
avoiding multiple downloads of the same thing, and I'd love something similar
for Linux (aptorrent or something; manual rsync of /var/cache/apt/archives
isn't quite the same, neither is apt-mirror).

Disabling uploads to other external machines does make sense to me, though.

~~~
thescrewdriver
Probably not much point in disabling that. Disabling downloads from other
machines on the web makes more sense if you have a data cap or are charged per
MB, which is common in some countries. It's not really a privacy-related
change as far as I can see.

------
kpcyrd
Ubuntu in comparison: [https://fixubuntu.com/](https://fixubuntu.com/)

~~~
zxcvcxz
I thought this was taken out in the latest releases?

------
Aissen
The "Fix Firefox" version: [https://support.mozilla.org/en-US/kb/how-stop-firefox-making...](https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections)

~~~
Aissen
Replying to self: Microsoft would have more credibility (especially to
enterprise users) if they were to provide this kind of one-stop documentation
themselves.

------
rebootthesystem
I had been looking forward to deploying Windows 10 as well as using the
opportunity to update all of our hardware. Instead I find myself disappointed
and, frankly, confused.

Why? Well, mainly because we do not have the time and cannot afford the risk
of dealing with and navigating through a security and privacy gauntlet.

We need an operating system, not Facebook, running our systems. Before anyone
suggests it's no big deal please consider the idea that, when it comes to an
OS used in a business/professional context privacy must be a non-negotiable
default.

If Windows 10 had a single "Private Mode" switch that turned off all data
leaks and monitoring it would be fantastic.

Some might suggest it isn't a big deal because it is anonymized data. The
fact that a question exists means we have a problem. It's that simple. And,
yes, some of it is FUD.

Suggesting a change to another OS simply isn't reasonable. For one thing, in
our case we have a number of engineering applications that will only run on
Windows, and that is the case for many professional users.

~~~
unstatusthequo
What I really want are all these annoying fixes rolled up into a tool or
PowerShell script so each time a family/friend tells me how wonderful/shitty
Win10 is, I can at least quickly deploy this for them.

------
hackuser
I expect Microsoft provides their corporate customers with a solution that
includes confidentiality and end-user control (i.e., IT department control) of
machines. Many business users would not and could not share this info with
Microsoft.

Instead of trying to discover and disable each confidentiality threat in the
consumer version, the best solution probably is to obtain that corporate
version. Likely you also need to read up on how to configure those features on
TechNet, but generally Microsoft's documentation is complete (if sometimes
difficult).

~~~
yuhong
Yep, Win10 enterprise edition has the no telemetry option for example and it
is not difficult to get for businesses who pay for volume licensing (though
there is the mandatory software assurance that costs a bit more). It also has
other goodies like the Long Term Support Branch for critical systems.

------
sugarfactory
How naive it is to believe that Microsoft will obey these settings? It is very
time-consuming to make sure if they fulfill the promise because that requires
reading disassembly as Windows is closed-source. And, even if they were caught
not following the settings they could use the word "bug" as an excuse.

Also, it should be emphasized that providing options to disable privacy-
invasive features doesn't justify invading the privacy of the non-tech savvy
people, who cannot disable privacy-invasive functionalities.

------
rcarmo
Two things that irked me:

- child accounts need to have an e-mail address to be manageable under Family
  Safety (which in turn requires you to go to a web site instead of setting
  time limits locally)
- to complain about a mis-feature (like the above) you are directed to use the
  Windows Feedback app, which in turn will only work if you set diagnostics to
  on.

------
AnthonBerg
There is something deeply aggravating about having human hands manually
adjusting these settings, when we should have some mechanism to automate it.
Computers - our tools for automation - are not automated! It's ridiculous,
demeaning, disheartening, and sad.

------
MikeTV
Any scripts out there that go on the offensive, rather than just opting me
out? Something that sends reams of plausible data to Microsoft so that any
semblance of usefulness is lost in the chaff.

------
digi_owl
The number of options related to easing network access and location awareness
demonstrates that Win10 is more aimed at laptops and tablets than desktops
etc.

------
iokanuon
Uhm..

As someone who hasn't used Windows for a long time, can't you just create a
PowerShell script to do all these things?

~~~
SippinLean
Yep, this one does all that and more:
[https://github.com/Ugion/Win10PrivacyForGits](https://github.com/Ugion/Win10PrivacyForGits)

~~~
lqdc13
I thought it was shown that Windows ignores the hosts file when sending the
data. So wouldn't this fail?

------
listic
How does one normally set up a number of computers according to the template
like this one?

------
charlesray
The bulk of these options were in 7 and 8 as well.

------
thebiglebrewski
Or just use a Mac. Or Ubuntu.

...sorry, it had to be said :)

~~~
SippinLean
> Mac

Which sends search queries via “Spotlight Suggestions” and “Bing Web Searches”
by default?

> Or Ubuntu

Which sends all your search queries to Canonical by default (via the shopping
lens)?

~~~
Retra
I've been using a Mac for over a year now and I can count on one hand the
number of times I've used Spotlight. (And when I did use it, it was useless at
solving my problems.)

However, on Windows the start menu search is actually useful to me, and I use
it regularly.

~~~
doodpants
I hear you. I've been a Mac owner for over 19 years. I tried using Spotlight
once a couple of weeks ago, and found it completely useless. The classic (pre-
OS X) Mac OS had a great search feature, though it didn't use a content index.

------
andrewmcwatters
This is just a FUD article.

~~~
bmn_
Without an explanation which part of the article sows FUD, it makes me think
you just don't even know what that acronym means.

------
leonatan
Fix Windows 10: Say no to Microsoft and don't install it. Don't tell them this
model is successful.

~~~
dijit
They're pushing these things to Windows 7 and 8 though.

~~~
leonatan
Don't install. Gladly, WU is broken beyond repair in those.

------
drzaiusapelord
Shutting off smartscreen is short sighted and wrong. It's no different than the
lists Chrome and FF use to block malicious sites. These lists are shared via a
shared security initiative between the major browser makers. Disabling this is
a good way to make sure you get cryptolocker.

Shutting off cloud-based protection in Defender is equally stupid. Now you're
not getting instant and up to date virus definitions from the cloud-based
system of honey pots, third party hashes, etc. All you have then is day or
days old virus defs that are pretty much useless against modern polymorphic
threats.

I really hate it when people purposely conflate security and privacy to win
political points. None of the above is controversial and if you run any AV or
use any browser, you're already doing this and you didn't have a problem with
it before. I think it's pretty clear that the person who made this list just
found all the sliders for 'no' and doesn't realize what he's doing from a
security perspective. If you use Windows, you should be using all the security
features you possibly can (on top of running behind a router doing IPS/IDS and
making sure to use a standard non-admin account - the UAC fails in many places
limited standard users don't). Signed, a Windows sysadmin.

edit: really downvotes? Telling people to disable security features in an OS
shouldn't be applauded, especially on a tech forum. This is "grandpa" level IT
advice here.

~~~
arca_vorago
Let's clarify: disabling smartscreen for privacy reasons is different than
keeping it enabled for security reasons. Smartscreen sends urls you visit to
Msoft, and since Win8, it sends filenames of downloaded files to Msoft too.

As for the security argument, smartscreen only works in IE, so for those of
us who don't want any of that turned on, and use FF (instead of chrome),
where we download the blacklist instead of sending it outside our network, we
can still maintain the same level of security while adding a layer to our
privacy.

The same for cloud based Defender. There is no reason I shouldn't be able to
turn it off if I have an appropriate replacement that protects my privacy.

Which also means you are wrong when you say "if you run any AV or use any
browser, you're already doing this". Nope, not at all, and either you are
unaware of what you speak of or you are being disingenuous.

~~~
drzaiusapelord
> The same for cloud based Defender. There is no reason I shouldn't be able to
> turn it off if I have an appropriate replacement that protects my privacy.

Your AV is doing exactly what Smartscreen does and so do many security
products. It's a common feature, where are the privacy guides for that? Oh
right, there's a double standard for MS.

Also, the author didn't disable Defender because he is using a different AV.
He left it on and just disabled the cloud definitions feature, meaning he's
not going to be up-to-date on definitions. Cloud defs are a bit different than
what you get via WU. It's a dynamic list of suspicious hashes that's constantly
being updated via honeypots and such. The author clearly does not understand
what he is recommending.

~~~
arca_vorago
"Your AV" you don't know what AV I'm using, and you're wrong. I have setup a
local update server which regularly downloads updates from the vendor and then
updates endpoints on the LAN with no traffic going from LAN->Cloud for that.

"so do many security products. It's a common feature" That also is why I don't
use those products, and many others would agree.

"where are the privacy guides for that?" I don't know, but are you trying to
pretend there are none? If you are asking did you even do a couple of
searches? I doubt it.

"Oh right, there's a double standard for MS." Nope, same standard for all
things. I don't like it if you send any of my or my computer's info to servers
without my knowledge of the content or purpose and I explicitly approve.

"Also, the author didn't disable Defender because he is using a different AV.
He left it on and just disabled the cloud definitions feature, meaning he's
not going to be up-to-date on definitions."

Once again... wrong. The cloud feature is for sending info about what is on
your computer to MS so they can use it to update the definitions, it does not
provide the definitions itself.

"Cloud defs are a bit different than what you get via WU. It's a dynamic list
of suspicious hashes" if this is true, then I would be wrong on the previous
section, but I have seen no documentation that specifies this. Care to provide
a source for this info?

