Even when told not to, Windows 10 doesn't stop talking to Microsoft (arstechnica.co.uk)
453 points by gregmolnar on Aug 13, 2015 | 257 comments

> And finally, some traffic seems quite impenetrable. We configured our test virtual machine to use an HTTP and HTTPS proxy (both as a user-level proxy and a system-wide proxy) so that we could more easily monitor its traffic, but Windows 10 seems to make requests to a content delivery network that bypass the proxy.

Does this mean a Win10 machine set up to use something like Tor will leak the user's actual IP back to Microsoft? If you're VPN'd, is some traffic still leaking outside of the VPN?

From an engineering perspective, how is this happening? Does Microsoft have a second network interface hidden away using hardcoded settings for DNS, etc?

On a somewhat related note, if a Win10 app is cert pinning, is there a way to force it to use your cert so you can MITM it?

I've been on Windows 10 for a couple of days now.

VPN traffic doesn't leak if the default route is the VPN interface. I tried it and my firewall went silent apart from the tunnel.

I have absolutely no fucking idea what it is sending out though. It's always talking to something. I've turned everything off that is documented and use a local account and remove-appxpackage'd everything. Sorry but this release is a write off. My host/vm relation is being inverted to Ubuntu as a host this week rather than a guest.

If I don't know what it's doing, how can I trust it?

I've been trying to use a software firewall and here's what I've blocked so far...


And this is on a machine running Enterprise with privacy settings cranked, and most stuff disabled via group policy.

I'm trying to avoid blocking updates, but svchost is still out there talking to random Microsoft servers. The worst part is that I can't differentiate between the servers used for tracking and the ones used for updates. I might have already blocked necessary stuff for updates.

At this point I'm really tempted to just wipe the machine and go back to 7, I've never felt so little trust in a machine I own. Even when I've run malware, at least I knew or could easily find out what was happening. This is just a big unknown to me. I'm seeing claims that it sends idle mic data even with Cortana disabled too, which is making me very paranoid even though the claims look sketchy at best.

Here’s an image link to your image that actually fucking works: http://i.imgur.com/i4ydV1a.png

Thank you.

Javascript is required to view and upload files.

No, it is definitely not.

Up1 uses client-side crypto, so in this instance it is. No real point here though, but I use ShareX with it, and it's nice to be able to deliver screenshots and stuff like this privately.

What's the point of client-side crypto in a browser? Can't you be served backdoored JavaScript that no longer does proper encryption, and you'd be none the wiser?

Yeah, you have to trust the site and their providers of course. But how do you know your OS provider doesn't serve you backdoored updates? Until it was abused by malware, Windows Update used to accept stuff signed by a 512-bit RSA key. Do you personally reverse engineer every binary you accept?

This will change soon though, they're working on browser extensions which will keep all content client side too.

EDIT: Clarified some points, added a little more detail.

Which is all nice, but doesn’t make it better that the site is almost unusable.

A better solution would be decrypting the image and then loading the image into an image tag with a data: uri in base64 encoding.

I could zoom normally with the browser's own zoom tools, I could right-click save normally, etc.

> that the site is almost unusable.

The site is perfectly usable. More than usable, even, because I get RES-style zooming for free, amongst other things.

You can right-click save normally already - just right-click and save. If you want the browser zoom tools, hit the "View in Browser" button or right-click and open in new tab.

Both of which do not work. I can not right-click "view in new tab" or right-click "save as".

Works fine for me. Make sure your browser is functioning properly.

This website works in every browser I've used, and I've never heard of any problem even remotely close to what you say you're running into.

Browser works fine, it is only an issue with his site. Firefox 40.

Nobody else has been able to reproduce it, and you haven't given enough information on what you're doing or what you've tried. Have you tried different machines? Different browsers? Have you tried pressing the various buttons in the UI? What kind of machine do you have? Do you have a very small amount of RAM? Et cetera.

You might say your browser works fine, but I'd put my money on something there being the issue.

I tried 2 different machines, running two different versions of linux, tried Firefox, Firefox Aurora and Firefox nightly, all with clean profiles.

Neither "Save as" nor "View in new tab" work.

I said so on the github issue, too.

I saw you tried different versions on 2 different machines -- it certainly suggests something related to your setup: I can zoom, open in new tab, save as, etc on Firefox 41 on Ubuntu 14.04.

Do you have an app running for mouse gestures? That's the only thing I can think of that makes sense in your scenario. Try holding the right click for a few seconds, see if the context menu appears.

The context menu appears, but if I click on "Save as" or "View Image", nothing happens. "Image Info" does work, though.

Which browser are you using that you can't use right click-> save on a blob URL'd image? It's using the standard HTML image and appears to be working in Chrome, Firefox and Edge.

Doesn’t work in Firefox 40 on Linux. Tried Firefox, Dev channel and Nightly channel on 2 systems with clean profile. Just does not work.

The service provider isn't able to decode the info because the key is part of the URL that isn't sent to them. This decreases liability (and if nobody visits them, they can't be forced to decrypt it).

This protects you from nothing. It actually makes it LESS secure. Because you now have to enable JavaScript.

The service provider can still decode the info by MitM'ing.

If you are using Google Fiber, for example, your service provider can do whatever they want anyway – they control your browser, they are a CA and they are your ISP.

If not: As we’ve seen with CNNIC, MitM'ing is trivial because CAs give out root certificates far too often, far too easily.

This is not to protect you, it's to protect the website.

> The service provider can still decode the info by MitM'ing.

Yes, but as I explicitly mentioned, only if you visit the website. If NSA goes to the website and demands the data, they can't do anything with it until I visit, whereas if it was decrypted, they could. This is a non-trivial difference.

> If you are using Google Fiber, for example, your service provider can do whatever they want anyway – they control your browser, they are a CA and they are your ISP.

Google is not going to risk their entire reputation by abusing their CA. Notice how CNNIC was removed from trusted stores and basically lost their business. Mitm by compromising a CA is far from trivial. Also, certificate pinning can mitigate the CA risk almost completely.

As you’ve probably seen with MEGA, this does not protect the site at all.

Take Megaupload (not MEGA), they had unencrypted data, but complied fully with DMCA and operated fully legally.

Take MEGA, they have to comply with DMCA, too, even though everything is encrypted and they never can decrypt the data, either (MEGA does literally the same as up1.ca).

Additionally, Certificate pinning only works if I visited the site before the MitM started. And some carriers like T-Mobile just strip every Certificate Pinning header anyway, as they use proxies to compress data. (Chrome’s Turbo mode does the same).

Essentially, the site uses JavaScript for showing images without providing any advantage to either the user or the site.

It actually works quite well for MEGA.

MEGA is only able to comply with the DMCA when the link is provided with the full hash.

MEGA is technically unable to remove similar or matching files based on content.

> And some carriers like T-Mobile just strip every Certificate Pinning header anyway, as they use proxies to compress data.

I question the t-mobile thing, unless they're installing certificates on end-users' phones that should not be possible. This is SSL traffic, remember, all those headers are also sent over SSL so unless T-Mobile is performing MITM, this shouldn't be a problem.

As for the Chrome Turbo mode thing, it is disabled for SSL traffic, as are most of these other things.


> Essentially, the site uses JavaScript for showing images without providing any advantage to either the user or the site.

That is a very baseless and false conclusion.

Well, admittedly, in the context of a link on Hacker News, it's pretty true. The link containing the seed is trivial to obtain and could easily be reported to the providers who would have to take it down if deemed legally necessary.

Yep, exactly. Also it's nice to have the extra privacy, especially when linking to images privately amongst friends.

> Up1 uses client-side crypto, so in this instance it is.

What crypto? I didn't provide any key, so both the content AND the key came from the same place. Looks like completely useless crypto.

You did in fact provide a key. See that bit after the # in the URL? This is the beauty of Up1. It makes the crypto as transparent to the user as possible.

That part is not sent to the server by your browser. That's a seed, it's run through sha512 then split into parts, including a key, iv and filename to fetch from the server.

Now, as I said, in this instance, since I distributed the link on a public website, it's pretty pointless. But when I link my friends and colleagues on a private XMPP server or via textsecure, it's a pretty nice feature to have, as I can very easily share private screenshots.
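The comment above describes the Up1 mechanism only in outline: the seed lives in the URL fragment, the browser never sends the fragment, and SHA-512 of the seed is split into a key, an IV and the file name the server knows the blob by. The following is an added example, not Up1's own code, that models that flow end to end so the "server only ever sees ciphertext and a hash-derived name" claim can be checked. The byte boundaries of the split, the hostname `up1.example`, and the HMAC-SHA256 counter-mode keystream used in place of whatever block cipher the real service uses are all assumptions made so the example runs on the Python standard library alone.

```python
import hashlib
import hmac
from urllib.parse import urlsplit, urlunsplit


def derive_parts(seed: str):
    """Turn the URL-fragment seed into (key, iv, file_id).

    The thread only says the seed is run through SHA-512 and the digest
    is split into key, IV and filename. The boundaries below are an
    assumption for this example, not Up1's real layout.
    """
    digest = hashlib.sha512(seed.encode("utf-8")).digest()
    key = digest[:32]            # 256-bit content key (never leaves the client)
    iv = digest[32:48]           # 128-bit IV / nonce
    file_id = digest[48:].hex()  # last 16 bytes name the blob on the server
    return key, iv, file_id


def keystream_xor(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher: HMAC-SHA256 run in counter mode.

    Assumed for this example only; the real service's cipher is not
    stated in the thread. Encryption and decryption are the same call.
    """
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        block = hmac.new(key, iv + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        stream.extend(block)
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def wire_request(share_url: str) -> str:
    """What actually leaves the browser: the share URL with its fragment removed."""
    s = urlsplit(share_url)
    return urlunsplit((s.scheme, s.netloc, s.path, s.query, ""))


def seed_from_url(share_url: str) -> str:
    """The seed is the fragment; it is parsed client-side and never sent."""
    return urlsplit(share_url).fragment


def upload(server: dict, seed: str, plaintext: bytes) -> str:
    """Client encrypts locally; the server dict stands in for the service's storage."""
    key, iv, file_id = derive_parts(seed)
    server[file_id] = keystream_xor(key, iv, plaintext)
    return f"https://up1.example/#{seed}"  # hypothetical host, assumed for the example


def download(server: dict, share_url: str) -> bytes:
    """Client re-derives key/IV/name from the fragment and decrypts locally."""
    key, iv, file_id = derive_parts(seed_from_url(share_url))
    return keystream_xor(key, iv, server[file_id])


if __name__ == "__main__":
    store = {}
    url = upload(store, "constructed-seed-0001", b"constructed screenshot bytes")
    print("share URL          :", url)
    print("request on the wire:", wire_request(url))
    print("server holds       :", {k: v.hex()[:16] + "..." for k, v in store.items()})
    print("client recovers    :", download(store, url))
```

Running it shows the point made in the thread: the server's storage is keyed by a hash-derived name and holds only ciphertext, the request that reaches the server carries no fragment, and the link itself is the only secret. It also shows the counter-argument raised later in the thread, since anyone holding that link can derive the key exactly as the recipient does.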

"Private", well, it’s not private. Seriously.

There is a reason you do actual crypto differently. Encrypt the image with the public key of your friends and send it to them, that is privately.

Giving a foreign entity control over your data and key is not "privately".

And, worse, I have to activate JavaScript, which decreases security by a lot.

> Giving a foreign entity control over your data and key is not "privately".

Yeah, if you have this concern strongly, well, we're working on browser extensions which will prevent any potential risk here. However, like I said to someone else, unless you reverse engineer every update to your OS, you really shouldn't be commenting. This is just as much "giving a foreign entity control over your data" as using an OS provided in binary form is giving a foreign entity control over your CPU, which would be far, far worse really. Unless you're manually validating the code in all cryptography products you use, there's really no argument to be made here.

> Encrypt the image with the public key of your friends and send it to them, that is privately.

When you do this, say using PGP, PGP generates a static key, encrypts that key to their public key and encrypts the message using the static key.

This is essentially the same thing, the only difference being that the Up1 does only the static key portion and does not provide the public key portion, which you can do out of band using whatever method you prefer, be it PGP, SSL to a private server, OTR, TextSecure, etc.

And it allows the transfer of images and small files in this secure form to be incredibly simple and fast. Pipe into a command line tool or use ShareX, paste that link over a secured protocol and you've securely shared a file.

Of course, if you don't trust the public Up1 instance, feel free to run your own, it's all open source, server included.

> And, worse, I have to activate JavaScript, which decreases security by a lot.

It's a trade-off, privacy for a slightly increased risk of security, these days you're more likely to get exploited by a fucking web font than by a script though.

Worst case, like I said, don't trust the public instance if you don't want to (well, if you're the type who doesn't trust their OS provider at least). You can always run it yourself or wait for the browser extensions.

I’m the type that only runs arch because I can’t be bothered to run Gentoo ;)

Anyway, for posting on a public forum it’s pretty useless, as it provides no benefit and requires the users to have JS enabled, which is, especially on Hacker News, not really a given.

Even the mods complained when an up1.ca link was used as submission link recently.

Using a standard protocol would be an advantage here most definitely.

His link worked for me.

His link requires javascript and decrypts on device. Additionally, it overrides the browser's zoom behaviour and makes it impossible to view the image in a new tab separately.

The link of the comment I replied to was just as bad as the sites that block right-clicking.

> impossible to view the image in a new tab separately

But it's entirely possible, and there's even a dedicated button to view just the image. ("View in Browser").

Make sure your browser is functioning properly - this isn't an issue with the website.

Still, the result might now work in /some/ browsers, but it won’t magically make it work on most people’s phones.

Hacker News is a site I browse on my phone because it works without eating up RAM or anything.

Works fine for me

Glasswire huh? Good stuff.

Yeah, I'm not the biggest fan actually. Decided to try it out this run, but I used to run Outpost, which I liked a lot more as it could do per-host blocking and stuff.

This feels more like a pretty network monitor than a real firewall.

Agreed. It is useful for monitoring things like system changes, but I wouldn’t depend on just GlassWire alone for a software firewall. In my case, I use a combination of GlassWire and NetLimiter (as mentioned here):


> If I don't know what it's doing, how can I trust it?

It's not enough to examine software: if you don't trust the company, then anything they say or promise is worthless. Automatic updates can change anything, including the TOS! This is the same company that sells a 1984-Telescreen (XBox) with an always-on camera and microphone. _NSA shouldn't be forgotten.

Oracle likes to tout Java as GPL, but what does that matter when we know the company can't be trusted? Who controls a software project is the key, not the licenses or corporate promises. There's no point in trusting iOS because we've examined it, we also have to trust Apple.

The source-code in OpenJDK can be inspected and OpenJDK itself can be forked if Oracle's stewardship goes awry, which is the whole freaking point of open-source, so I don't see how that can compare with Windows or iOS.

> OpenJDK itself can be forked

Tell that to Google.

Android wasn't a fork of OpenJDK

but Dalvik was.

No, Dalvik is not a fork of OpenJDK, but a clean room implementation. If it had been a fork, then Google would be protected by the GPL license.

No. Dalvik was a new implementation, and a fork of Harmony was used for the Android standard library.

What shouldn't we forget about _NSA?

I think he meant _NSAKEY [0].

0. https://en.wikipedia.org/wiki/NSAKEY

Yes we should forget it.

They worked out it's easier to get at our data out and on home territory (cloud, telemetry) than actually have to break into your kit.

Or as I like to put it, at the end of the day you have to trust someone, somewhere in the chain.

In the case of software vendors, you have to trust the vendor.

You cannot independently verify everything. You do not have the expertise nor the bandwidth.

Edit: and if you have the software audited, are you not then trusting the auditor?

I don't like this argument. It's not necessarily you who has to audit your software. You can pay other people to do it. Big companies can pay for it. Your government's institutions can pay for it. If on the other hand the software is closed-source, then that's not an option. And especially for governments and for big companies Windows is a security liability.

True, but there's no logical fallacy in writing off companies and products if they're consistently untrustworthy.

I'm just about to untangle myself from my last client where I work with MS stuff. And I'm never touching it again.

I think I'll end up putting Win 10 as my host. It's just too annoying worrying about drivers and batteries on Linux.

But I can just disable networking on the host (which shouldn't be running anything anyways), or at worst, route it through a VM.

I'm more concerned about how to run it in a VM, since I need day to day Win dev tools with Internet access.

How can you trust any cloud service then?

You shouldn't. The cloud is just someone else's computer. You can mitigate things by encrypting a lot but there's no way you can know they don't peek at your data.

So if you can't trust the company offering the service, you shouldn't do business with them. It's the same with food and food supplies: if they can't be trusted to serve/sell you stuff that doesn't make you ill, don't do business with them. Very simple.

Of course, I completely agree. But it is like you say, you either trust the provider or you don't (ceteris paribus encryption issues).

I don't and never have done for personal use.

I literally have an IMAP box and nothing else.

I assume from your answer, that you do use it for professional purposes?

Yes but not on recommendation. In fact the majority of what I do these days is legislative compliance and bringing teams and applications back onshore that the companies have fucked up.

Currently digging a financial company out of a royal mess of 20 years of bad technical leadership leading to sprawling infrastructure and cloud dependencies.

Oh wow. This is a tough task.

In your experience, what are the "worst" cloud dependencies? I'd imagine SalesForce and AWS would have very different impact?

Money is good though so that's some consolation :)

Salesforce is the root of all evil. Once you're in the ecosystem, you're stuffed. You know it's bad when the entire business team start running round clucking when the EMEA salesforce instance goes down hard...

AWS is fine. Most of the platform's concepts have real world parallels for example.

Can't you just redirect all that stuff it sends to by editing your hosts file?

I've read somewhere that it ignores the hosts file for its Microsoft communication.

I've read somewhere it respects the hosts file for its Microsoft communication.

You can, but we have 450 workstations and about 600 servers.

That somewhat multiplies the problems.

1000+ machines and no way to update a file with a few commands/clicks/whatever-your-configuration-management-system-uses? (Ok, at worst, making a batch file and scheduling its launch.)

If so, I suppose you have big issues with your system administration team.

Yes they're factory pressed Windows administrators who are to be honest fucking useless unless it comes to pointing at someone else but that's another story...they're being replaced piecemeal by bits of Ansible and Linux machines.

Realistically we don't want to deploy a hosts file and AFAIK it doesn't work anyway; we want to control the network itself which we do via firewalls and DNS but it's a compromise between flexibility (our users still need to use the internet) and security.

If they're using DNS to resolve the name of the "mothership" just put a bogus record (or zone) in your DNS. If they're not using any name resolution protocol and you can isolate the IP addresses they're talking to just blackhole them at your border.

We're already doing that but it's hard work keeping up with it all.

And then Microsoft will fix that, ...

Default deny is the only viable strategy. (It's also completely impractical...)

> somewhat

Yes I can see how that would complicate things a little :)

What do you do about getting updates? You have to connect to HQ sometime, and when you do, it will upload its intel.

Change the gateway on the Windows 10 install computer (or "default route" as another commenter calls it) to a computer _you_ control, i.e., a UNIX install, that can do IP forwarding. Turn on IP forwarding. Connect the UNIX install to the internet.

Also change your default DNS servers on the Windows 10 install to point to the UNIX install. If you know how, set up DNS on this computer. I recommend using your own cache listening on 127.0.0.x, not a public one.

Then monitor traffic being forwarded by the UNIX install.

This is not difficult for anyone familiar with UNIX. Plenty of good and bad software to help you.

Do people need instructions? If there is interest in blocking this nonsense I for one would be willing to help.

There are a lot more Windows users than Apple users so this is fun to watch how the Windows users react to the incessant connections to the mothership, which is par for the course with Apple products. Would love to see the stats on how much cumulative user-purchased bandwidth Apple and Microsoft are usurping in order to track the people who have to pay for it.

If you want to block this nonsense, then the easiest way to do it is from another computer acting as a gateway.

Trying to block these connections from the computer on which Windows 10 has been installed will probably be an exercise in frustration for most users and they will give up. (Most Apple users do not know or care so they do not try to block.) I am sure that Microsoft is counting on their users acting like Apple users.

If one can master all this, wouldn't it be easier to use a non-Windows box in the first place?

Of course not. Setting up OpenWRT to do this is a lot less work than migrating your entire workflow to a new operating system.

Right when I have finished porting all of my Autodesk products....

The problem is that it is not a user-friendly solution. It will only help those people who do have several OS running or are capable of understanding.

The privacy settings that do not work were pretty well hidden already and many are scared away already. This second level is even worse.

What we need is a simple tool where you set check boxes to fix it all. That would be a solution for the target audience.

Well in the case of the Tor or VPN users, I suspect most of them are probably not the typical user you're implying, and at least have some IT skill.

In the case of other users, I'm not sure because I do not fully understand it, but it seems like this would not be necessary?

I'm sure if they could easily decide what's necessary, many would secure themselves.

Look. Seriously.

I don't want to be a brat, but what is the possible overlap between people caring to use Tor (for whatever reason) and people using Windows 10 as the host OS?

You're at the absolute cutting edge of spyware-in-the-home, defective by design, obscured infrastructure that was designed from the ground up to be user hostile in every conceivable dimension. And you're going to run Tor on that.

There's a phrase for this and that phrase is "clown college".

> I don't want to be a brat, but what is the possible overlap between people caring to use Tor (for whatever reason) and people using Windows 10 as the host OS?


There are many journalists who need to cover sensitive topics, who are not particularly technically literate. They need to be able to buy a system off the shelf, do some minimal and easy amount of installation of privacy protection, and be reasonably confident that it will work and they will not be outing their sources to whatever particular despot is listening in.

Of course, Tails is a better solution for that. But in terms of being able to allow them to do their job as easily as possible, it would be preferable for them to be able to install the Tor browser bundle on their existing OS rather than having to learn an entirely new one (and possibly dual boot in order to run some Windows-only software, and not keep it isolated well enough and thus leak information accidentally).

It apparently took a while to teach Glenn Greenwald enough of how to use Tor and GPG in order for Snowden to be able to communicate with him. We need to make this process easier, not harder.

The next Snowden will be caught because the next Greenwald was using Windows 10, and we'll probably never know it happened.

Which is why he had to contact Laura in the first place.

Well, looks like they need to get their systems from some seller that is interested in satisfying their needs.

Look. Seriously. Like, totally.

Not everyone interested in Tor is educated enough to reinstall an OS. Or they need Windows for something else they do. Or 50 other things. Or maybe we're concerned about VPN leakage, or any other thing than tor that we might use to obfuscate traffic.

The fact that you run Windows as the OS on your computer means you are not very interested in anonymity or security. Other things are more important, like playing Fallout 4.

Those people make Tor worse for everyone.

Indeed, Microsoft phoning home is on the lower end of your concerns here.

What they are describing isn't necessarily cert pinning, although it's possible there is also cert pinning. It just means there are hard-coded IP addresses somewhere; either a hard-coded DNS server, or the endpoint itself.

Notably, it's still possible to MITM the traffic, just not as easy as if the system respected the proxy settings. You need to spoof the destination IP and try to terminate the TLS with your own trusted cert. If the connection still fails, only then would you know there is a cert pin. I haven't heard if anyone has tried this with the "CDN"-bound traffic, or the persistent bing.com/live.com traffic.

If a VPN was being used, I would expect traffic would still be routed through the VPN interface. The HTTP(S) proxy code is higher up the stack than a VPN interface.

It does raise a huge red flag though, if you are not fully in control of your own network routing using standard tooling, IMO it's not an appropriate OS for any enterprise environment.
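The comment above separates two things an analyst can tell from the network alone (traffic that ignores the configured proxy, and destinations that were never looked up through DNS, which points at a hard-coded address or resolver) from the one thing they cannot (whether a certificate is pinned, which needs the TLS-termination test it describes). The following is an added example, not from the thread, that does the first half: it correlates a DNS-answer log with an outbound-connection log, as one would collect on the forwarding gateway suggested earlier in the thread, and flags connections that skip the proxy, talk to an outside resolver, or go to an address no local DNS answer ever returned. The log format, the proxy at 10.0.0.5:3128, and all addresses and names are constructed for the example (TEST-NET ranges and `.example` names, not any vendor's real endpoints).

```python
import re
from ipaddress import ip_address, ip_network

# Constructed log lines for this example: DNS answers as seen by the local
# resolver, and outbound connections as seen on the gateway/firewall.
SAMPLE_LOG = [
    "2015-08-13T10:00:01 dns qname=update.example answer=203.0.113.10",
    "2015-08-13T10:00:02 conn dst=10.0.0.5:3128",     # goes through the proxy: fine
    "2015-08-13T10:00:03 conn dst=203.0.113.10:443",  # resolved by DNS, but skips the proxy
    "2015-08-13T10:00:04 conn dst=198.51.100.7:443",  # never resolved: hard-coded address?
    "2015-08-13T10:00:05 conn dst=192.0.2.9:53",      # DNS straight to an outside resolver
]

DNS_RE = re.compile(r"^(?P<ts>\S+) dns qname=(?P<qname>\S+) answer=(?P<ip>[\d.]+)$")
CONN_RE = re.compile(r"^(?P<ts>\S+) conn dst=(?P<ip>[\d.]+):(?P<port>\d+)$")

# RFC 1918 ranges only; ipaddress.is_private would also cover the TEST-NET
# documentation ranges used in the sample, which is not what we want here.
LAN_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_lan(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in LAN_NETS)


def parse_logs(lines):
    """Return ({ip: {names answered for it}}, [(ts, ip, port), ...])."""
    resolved, conns = {}, []
    for line in lines:
        m = DNS_RE.match(line)
        if m:
            resolved.setdefault(m["ip"], set()).add(m["qname"])
            continue
        m = CONN_RE.match(line)
        if m:
            conns.append((m["ts"], m["ip"], int(m["port"])))
    return resolved, conns


def classify(lines, proxy=("10.0.0.5", 3128), web_ports=(80, 443)):
    """Flag outbound connections that bypass the proxy, the local resolver, or DNS entirely.

    `proxy` is the HTTP(S) proxy the client is configured to use (assumed
    address). LAN destinations are out of scope and skipped.
    """
    resolved, conns = parse_logs(lines)
    findings = []
    for ts, ip, port in conns:
        if (ip, port) == proxy or is_lan(ip):
            continue
        reasons = []
        if port in web_ports:
            reasons.append("web traffic not sent through the configured proxy")
        if port == 53:
            reasons.append("DNS sent to an external resolver instead of the local one")
        if ip not in resolved:
            reasons.append("destination never appeared in a local DNS answer (hard-coded IP?)")
        if reasons:
            findings.append({
                "ts": ts,
                "dst": f"{ip}:{port}",
                "names": sorted(resolved.get(ip, ())),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in classify(SAMPLE_LOG):
        print(f["ts"], f["dst"], f["names"] or "(no DNS name)")
        for r in f["reasons"]:
            print("   -", r)
```

A destination that shows up with a DNS name but still skips the proxy is the candidate for the manual TLS test the comment describes; a destination with no name at all is the one to blackhole or route through the gateway, since a DNS override will never touch it.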

Until recently Microsoft had taken a far more reasonable approach to privacy than say Google. Anyone remember the MS "gmail man" ads mocking the way Google inspects your email when MS doesn't? It seems that MS under Nadella has taken a decidedly Google-like turn away from privacy with Windows 10. MS seems as hell-bent as Google and Facebook to collect as much data about you as possible, even if it is for seemingly innocuous purposes.

> Anyone remember the MS "gmail man" ads mocking the way Google inspects your email

Yes, and they were widely mocked. Privacy fears don't really sell, especially when deployed 10 years too late by a company that is the definition of "establishment".

This is the difference between the HN audience and the general audience.

In general, the average user doesn't care about privacy or security at all.

I develop a network virtualization product, and I spent a ton of time on security aspects of it. Sometimes I feel like that time might have been wasted, because it has thousands and thousands of users and so far not one single person has inquired about anything related to its security. Not one. It blows me away.

Security is like air, you don't even realize it's there until it's gone.

At least with google I know they're trying to sell me ads and I'm the product.

With windows 10, I have to pay for the software, and somehow I'm still the product? I don't know their end game, and it's really sketchy.

Competition is often a race to the bottom. Chromebooks are a huge threat to Windows hegemony.

Microsoft lost the internet and mobile platforms to Google. They are going to fight tooth and nail for the PC.

If the average person doesn't give a shit about privacy (and they truly don't), then Microsoft will not be able to charge for products Google supports for free with spying/ads.

+1 I upvoted you, but disagree slightly: the web version of Office 365 works great on my Chromebook. Microsoft gets $100/year from me for Office 365 and I am happy enough even though I don't install the desktop versions of Word, Excel, etc. Worth $100/year for a gig per family member of cloud storage and the web versions of Office.

"Anyone remember the MS "gmail man" ads mocking the way Google inspects your email when MS doesn't?"

Did anyone actually fall for that?

Intelligent systems need information to function, and when the intelligence is personalized, it needs personal information. One of the reasons Google has succeeded is because of that personal information, providing services that have enough context that they are three quarters of the way to my destination before I've even started.

It is enormously jarring how over the top Microsoft went with Windows 10, with insane defaults and little justification, but this is the manifestation of the whole "cloud like" platform. Increasingly we expect a world where a device is just a terminal into a platform, and we can jump to different devices and form factors and the world is almost the same. That is what Microsoft is trying for, clumsily.

How is Google scanning massively one's emails a requirement for "intelligent systems" and is OK, but Microsoft sending telemetry data is "over the top"?

While I hardly think you're asking with any sincerity, sharing every keystroke, local system search, application activity, wifi passwords, and so on is over the top. Making that the default, instead of a value-add that you pitch, was profoundly poorly considered.

> profoundly poorly considered

For the handful of people who care deeply about data collection, yeah. For the rest of the 900+ million, it's really not a concern.

Edit: I know it sucks to hear, but your concerns about privacy are hardly shared among the general populace.

Every nontechnical person I told about this seemed quite shocked to learn about it and wanted to know how to avoid having their privacy invaded.

I really don't think most people expect their operating system to be spying on them.

It's one thing if you're on gmail.com or facebook.com and those sites collect info about you. People expect that. Most people probably don't expect Microsoft to install a keylogger on their computer. (Not that Google and Facebook are in the right, but I don't think they are equivalent.)

Labeling anything inconvenient to the narrative as a "conspiracy theory" is so 1990s.

Also, your link does not appear to have been updated on Jul. 29 when the author says the final release should have been available. The Ars Technica article we are discussing is from today, Aug. 13, while the ZDNet article is from almost eight months ago (Jan. 27).

The article we are discussing says nothing about a keylogger.

The concerns of the general populace bear only superficial correlation with what actually matters for the thriving of an enlightened society.

Let's refrain from assuming anything about anyone's sincerity. As far as I can tell, most of the Windows 10 scaremongering on HN is nothing but FUD. The key logger argument is a case in point:


Yet, you unquestioningly repeat it.

Local system search while sharing some basic diagnostics data with Microsoft does not share the search queries.

WiFi passwords could be shared with your Windows 10 using Facebook friends, if you allow it. If you care about privacy that much, don't allow it, or better yet, don't use Facebook.

I couldn't find any evidence that Windows 10 shares any worthwhile application activity data.

Yet, it is somehow perceived as a Watergate-level of betrayal, but at the same time it is ok to praise Google for scanning your entire mailbox.

To me this just looks like a bunch of 90s kids struggling to shake off the "Evil Micro$oft" groupthink.

"Yet, you unquestioningly repeat it."

Why are you quoting an ancient article (one that, humorously, incorrectly claims that the typing data telematics was just some temporary preview release inclusion, when actually it made it to production), when the actual privacy policy of Windows 10, when you install it, tells you that it will monitor and send "typing data" to Microsoft? Microsoft left this very nebulous, but ultimately that simple privacy setting allows them the legal right, and the technical facility, to log every keystroke.

"I couldn't find any evidence that Windows 10 shares any worthwhile application activity data."

Somehow I don't think you actually looked, given how aggressively you have attempted to defend Microsoft in this whole discussion.

No one thinks Microsoft is evil, but rather that they tried to out-Google Google (not very long after their terrible series of anti-Google ads that you even mentioned), taking the basic principle of Google's activities and multiplying it.

Yes, I was wrong about typing data. They collect it: http://windows.microsoft.com/en-us/windows-10/speech-inking-...

Although it is possible to turn it off.

I think it would do them good to be more clear on how exactly they use and collect that data.

In fact I think this page should be read by everyone here: http://windows.microsoft.com/en-US/windows-10/windows-privac...

I didn't find anything huge about application data, I'm sorry. Worst case scenario: your computer crashes and an error report contains a memory snapshot with some of your data. Like any other mainstream operating system today.

This discussion shouldn't defer evidence to either mine or your authority or personality. It doesn't matter if I was aggressive or not. In fact, my defence of Microsoft is relative. In my opinion, it is stupid to feel offended about Microsoft's privacy practices, while supporting an even more invasive behaviour by Google. Among those two it is Google, whose business model of selling targeted ads actually depends on collecting personal data from their users. Yet it seems, they are above any scrutiny.

That's what I've been trying to say. I didn't say anything about any anti-Google ads, because I have no idea what those are.

Finally, seeing people selectively whine about privacy on a social network, even a rudimentary one, like HN, seems absurd.

An algorithm reading your email to look for words to serve better ads is hardly spying imho. I'd rather see ads for things that interest me than ads for casinos. And I'm hardly a MS lover.

Unless, of course they are looking for the words "male", "escort", "date" in e-mails from a (most likely Republican) Senator, married with kids :-)

Joking aside, you realize what you have just said is naive? Any form of privacy invasion can be - and eventually will be - used for nefarious purposes.

Then open-source the algorithms and give security to people!!

In all these discussions about Windows 10 phoning home, there are a couple of things that I haven't yet seen properly discussed.

1. Do the different versions of Windows (Home/Pro/Enterprise/Education) behave differently? If so, how?

2. Do the pro/enterprise versions behave differently when they're connected to a domain?

I'd imagine that the answer to at least one of these questions would be "yes." This kind of behaviour would be a deal-breaker in many enterprises.

We have an enterprise edition VM in test and it appears to react the same as Pro at least. Haven't tried home.

What is scary is the lack of GPOs to turn this stuff off which you'd expect in an enterprise product. Technically we can't apply policy to make this compliant with our data protection requirements.

Their funeral to be honest.

There's actually some GPOs to turn this stuff off. I'm running Enterprise on my desktop... the problem is that many of them don't work or only disable the UI, but still connect out to random Microsoft servers. How the hell does Microsoft think that's acceptable in an "Enterprise" product?

This was something I was wondering about. It seems like any company that has proprietary data to protect or privacy laws to comply with (most) don't even have a choice. I personally don't use Windows a lot, but even knowing that information was being sent out by default would be a deal breaker for me.

Can you give some examples of the stuff that does actually have switches?

> Can you give some examples of the stuff that does actually have switches?

Yeah, if you disable the Search thing in the start menu for example, it _does_ stop sending your queries to Bing. That switch does work. It just sends a bunch of tracking info instead.

On Enterprise, you can also disable telemetry which does appear to work.

You mean this will chase MS out of enterprise? Awesome! It means we don't have to support them anymore!

(Supporting Windows is 10X more work than all other platforms combined due to stupid "can't reproduce here" problems on rotted and unpatched Windows machines and general Windows driver API hell. I am including Android and less-commonly-used OSS operating systems like FreeBSD and OpenBSD.)

I feel your pain. This is my life.

If you're ever in Irvine, California, e-mail support@zerotier.com for a beer.

I'd like to know the difference between free upgrades and Win10 installs with a real product key

There's no difference (obviously).

There _should_ be no difference, but who knows? Who can be sure?

MS probably doesn't even know. I recall reading that there were 6 different versions of the Service Pack update for Office 2000 depending on where you got them from, and they weren't all compatible with each other. Do you think after another decade of Monkey Boy and his winning business strategy of pitting all the departments against each other that they've improved? Nadella actually seems like a grown-up, but he's still a dyed-in-the-wool Microsoft exec.... less stupid certainly, but just as evil.

One of the biggest problems with Microsoft is that they are too big and disorganized. They have no vision, and no guiding principle, other than maintaining the lingering shreds of their monopoly. This is obvious from looking at the designed-by-committee, piecemeal UI for Windows, which is getting worse every release and not better. The best you can hope for for any particular feature from release to release is that it's just arbitrarily different and not broken or hidden or completely removed.

Windows clearly peaked with XP, but their UI peaked with Windows 2000. The only reason 7 is liked is because they backed off most of the bad things they did with Vista, and the only thing, the _only_ thing I think is better in Windows 8 than any previous version is Task Manager, which is not something I use often. But it is nice.

My #1 wish for Windows post-7 is that I could just use the "Classic" theme, but apparently Windows is now too sophisticated to do what it could do 15 years ago. Their UX department has gone totally off the rails or maybe was taken over by wild monkeys. Microsoft used to be _the_ place for good UI design back in the 90s. They were very scientific about it, and their designs were very well-thought out, based on CUA, and an absurd amount of user-testing and most of all, consistent. Not perfect, but they were very good. But as soon as graphics cards could do more than 256 colors and Photoshop was invented, everyone went wild and UI became the lawless, Wild West funhouse it remains today. Except in the past few years, everyone decided that the "flat look" is cool (news flash: it's ugly and hard to make out) and now we have UIs that are as usable and good-looking as Windows 2, but without the consistency.

I'd thought Microsoft had run out of sharks to jump with Windows 8, but they keep finding more. But here's the thing. I still like Windows. I just wish I could make Windows look and work like it did when it looked and worked well (I'm not referring to the underlying technology, which is presumably improving all the time, although I still think Windows 8 is absurdly slow compared to 7 and much worse compared to XP... and I have empirical evidence. I do a lot of work in a Windows 2003 VM running on VirtualBox (long story) and it's much faster than the Windows 7 host and doesn't suffer from the, oh gee, everything's going to go "Not Responding" for 30 seconds to 2 minutes for no apparent reason that I see with the apps (at least MS apps) on the host.)

Discussions about differences in behavior among versions of Windows would not be as informative as a discussion of Windows in comparison to other OS's. Ubuntu bounces stuff off Canonical servers, iOS off Apple's iTunes and in-the-wild Android...well where to begin?

Facilitating high connectivity is what modern mass market operating systems do and Microsoft is playing catchup not leading a charge against anonymity. They couldn't if they wanted to. The commercial internet is built on tracking individuals and their behavior. I guess everyone would feel better if the Windows splash screen said "This OS Uses Cookies, by Continuing You Agree to Our TOS."

Facilitating high connectivity is what modern mass market operating systems do

That's a bold claim, considering that until recently Windows was exactly what you used if you didn't want that kind of always-online emphasis and instead wanted to retain a degree of control and running your software locally.

Like many of the software companies moving in user-hostile directions, Microsoft's biggest competition is still themselves from a few years ago. And we know from both Vista and 8 that even Microsoft do not automatically have sufficient influence to get people to upgrade to a system that is perceived as being worse than what everyone already had.

[Edit: Perhaps instead of numerous people downvoting, someone could actually reply and say what they object to about this post? I don't think either my characterisation of Windows or my characterisation of Microsoft's competitive situation is unreasonable.]

Having owned 3.1, 95, 98, Me, 2000, XP, 7, and 8 boxes and been paid to use 2.0, NT and Vista, my experience has been that each version [except Me which was meh] has been significantly better...and the amount of improvement from version to version has been markedly increasing...that is, 8 a larger improvement on 7 than 7 was on Vista. People can legitimately disagree on the meaning of "user-hostile". If the way in which people have voted with their wallets in favor of convenience over anonymity, then the view that Microsoft's OS is user-hostile appears not to be in an ascendency [which I am not saying makes it wrong].

If well-informed people have voted that way with their wallets, or otherwise, then I agree and of course that's their choice.

However, my big concerns with a lot of modern technologies are firstly that non-geek users don't understand what they are really signing up for and secondly that even if people do understand what they're signing up for it doesn't matter if effectively the only choices available to them all have the same problem.

I've lost track of how many friends and family have said just-plain-wrong things about what social networks do with their data, for example, or think that posting some comment on their Facebook page about how they don't consent to it will actually have any practical or legal effect.

And to pick on another example that's been much discussed recently, it won't matter that you have security and/or privacy objections to your car spying on you and phoning home with your location 24/7, if insurers are all offering car makers serious money to install those features, and since drivers are often required by law to have motor insurance they have no choice but to "opt in" if they want to drive at all. At that point, there is a complete failure of competition in the market, caused by the artificial distortion of having actual laws that constrain even well-informed people from making the choices they might otherwise prefer to make. We are fast heading that way with general computing as well, where for practical or even legal purposes we are required to do some things on-line, yet the only tools being offered to get us on-line come with these strings attached.

I have an email address or two or more. Facebook, Google, Linkedin, Apple, Microsoft, etc. all have nodes in their graph irrespective of my use of their products or services. They have all read some fraction of my emails. There's location data on me going back potentially 18 years since I got my first cell phone. There's potentially IP logs going back to 1993 when I first went on the internet. I'm possibly in direct mail databases dating back to the early 1970's. Following the graph may lead to all last year's credit card charges of someone I worked with in 1987.

Windows 10 is a tempest in a teapot. It's removed the illusion of anonymity for some people. Not staying logged into Facebook just affects the ads that appear when I turn on JavaScript to see some web page. It doesn't remove my node from the graph. It doesn't even mean I'm leaking significantly less information, it just means that what I'm leaking is different.

Everyone thinks they're sophisticated. They're correct. The people collecting data are sophisticated too. That's why they brought an AFV to the shoving match. Running away from the firepower effectively means living the digital life of Stallman. Networks are networks because every resource announces its presence.

Running away from the firepower effectively means living the digital life of Stallman.

Writing as someone who has been the victim of a data-driven screw-up and spent several months of having life turned upside down while trying to fix it, I am increasingly wondering if Stallman has been right all along.

More practically, privacy is not a binary measure. We all interact with other people and organisations, and data gets shared as part of those interactions, and often there's nothing inherently wrong with that; some degree of communication is both desirable and inevitable. That doesn't mean we should just give up and condone covert collection, arbitrary sharing, and unrestricted use of personal data by whichever disproportionately powerful organisations can get hold of it.

For example, Facebook can't effectively follow me around the web. I have installed simple browser plug-ins that mean it is not technically possible using the usual techniques like phone-home Like buttons. The sites I visit would have to actively and covertly send data about my visit to Facebook behind the scenes, and most sites aren't going to do that.

For the record, I do also have a problem with the likes of Google being able to operate a mail service that is actively scanning things I wrote or even blocking messages I've sent to colleagues, which they can do if a recipient of my message uses their service. In effect, they have co-opted someone else to provide data I might have sent that person in confidence, just as mobile apps scan my name and number from a friend's address book often without even their knowledge never mind mine. (Of course that kind of action is probably already against the law in my country, but that doesn't matter very much unless the relevant authorities have the resources to enforce that law effectively.)

I believe almost everything is better when essential infrastructure is neutral and serves a specific purpose. Organisations like Google don't so much blur that line as totally erase it, and because I have no way to know that I am participating in their system in the first place, in practice I can't even choose not to send that e-mail to that recipient. I'm sad that Microsoft now appear to be joining that group.

Privacy is a cluster concept. Implicitly, it includes the idea of constraints on others. The most effective constraint is that others simply don't care and that's most of what privacy boils down to, except in a few corner cases covered by legislation, and the existence of legislation implies that in those cases others do indeed care and hence the legal restraint.

It is clear that Stallman was and is right in regards to the technical dimensions. It's not like we can go back to the time when email was private. SMTP never was, that's why Stallman chose his course so long ago. Email is more private today thanks to SMTPS. The same is true for HTTP/HTTPS. But even in the old days, there was nothing to prevent someone from publishing your love letters in the school newspaper. It was just more difficult.

Privacy generally breaks into security or anonymity. The issues surround either authorization and identification. Both have always been mostly limited by interest more than anything else. Computers have reduced the cost of being interested and so long as we use computers the djinn isn't going back in lamp.

Privacy generally breaks into security or anonymity.

Privacy is much more general than that. It is about having control of what information about you is shared, who has that data, and how it can be used.

The legal protections for privacy cover a lot more than just a few corner cases as well, but they lag behind what technology can do in 2015 and need updating.

Living the Stallman lifestyle is fantastic if you embrace minimalism. It's definitely doable with ARM and MIPS chips, along with (actually secure) cloud storage and encryption.

Should you feel the need to use evil apps like Facebook or Google+, make sure the 3 or 4 account names are random (but pass their filters), and that you make sure LOTS of people use those same accounts. Just understand that social media is a drug, and you are a drug addict.

Perhaps you weren't aware that Microsoft has a monopoly. They've been milking that since the early 90s. Sure, they lost that iron grip on mobile, but they are still a monopoly on the desktop. The number of organizations that aren't part of the Office Hegemony, and therefore Windows, is still a very small number. If you get rid of the Apple marketshare, it's probably in the low single-digits, percentage-wise... if it even breaks 1%.

Only in Enterprise you can fully disable "telemetry", but just in all the other versions expect most of this stuff to call home by default and send data to Microsoft. I wouldn't assume the opposite by default if I were you.

Given that it is proven that the NSA spied on European companies for economic reasons, this isn't a good idea. Now the NSA can just tap into Microsoft, either covertly or through court order, and spy on the whole world.

Details of economic spying -- may not be the best article but the easiest to find:


Embrace, Extend, Eavesdrop.

Stupid question, but my Mom lives in a really rural area. Pays quite a bit for internet and is charged by the MB. Can we ask Microsoft to pay for their bandwidth usage?

Since upgrading to Windows 10 she's been hit with $200 in overages.

I worked at an ISP that charges as much as $25/GB for usage, and has tiny monthly usage caps (as low as 10GB/mo) and there is no other choice for our customers.

Every time a large iOS, MacOS or Windows update goes live, we can literally see the difference in the overages people pay. It's a big problem that lots of people don't understand.

Now you will also see the uplink usage go up, potentially much higher, since Windows 10 is torrenting updates from client machines without asking the user.

This seems to be one of the real costs of upgrading to the latest version of Windows. In this case your mom has to pay the bills, but in general I'm curious how long will it take for ISPs to launch a solid campaign against Microsoft, like they did with Netflix.

How is this a real cost, is there an estimate of how many bytes are sent and received and at what interval? If it was anywhere in the thousands of megabytes regularly, maybe that's the real cost but that's just an assumption.

Not quite sure what your point is here. The amount of megabytes transferred each month does not have to be any particular fixed number to become a burden for the user, or the ISP. We can see that at least in one case (and probably many more) such a cost can exceed $200. All of this without the user's consent.

Microsoft, please get your stuff together. Hire some privacy aware people.

I finally saw the bill. From the moment she started downloading Windows 10 to the moment I told her to shut the internet off, she used 20 gigs. That's ridiculous. And there is only one computer in the house. No other devices use internet.

So, are you going to continue supporting Microsoft by installing Windows 7, or are you going to put your mom on an easy linux distro like ElementaryOS [0] or Kubuntu? [1]

0. http://elementary.io 1. http://www.kubuntu.org/

I'd like to switch but she uses Quicken and a few things that won't switch over.

So yes, you are continuing to support Microsoft.

It hasn't even been out that long, so what kind of data amount are we talking about? Century Links 1Gbps has told multiple friends, and friends of friends that they absolutely enforce the 250GB/month limit. That's 33.33 minutes @ 1Gbps before you've hit the cap. That's untenable. XBox games are hitting 100GB each. And now the OS is pushing and pulling maybe 10% of this cap? Umm, yeah, good luck with that.

I'm sure phoning home only uses a small amount of data. But downloading the update and then sharing the update with others is where I think she got in trouble. Sharing is now turned off and the data is starting to normalize.

I know I won't get any money back. But I wonder how many other people ended up paying more for Windows 10 by downloading it then had they been able to purchase it on a DVD.

Mobile providers in Australia bill in 1MB minimum sessions (with quite short session times); that would add up pretty quickly with these wonderful backend connections.

I imagine how awesome Win10 will be on mobile devices with paid internet...

Did she set the connection as "metered"? I know some things stop then.

The $200 is likely from the automatic updates, which were pretty big. How much extra in MB was it?

It's likely from the automatic _sharing_ of automatic updates.

I think at this point she has closer to a gig of data. Honestly the only thing I can think is that the download itself plus seeding it to other computers nearby got her to that number. But that's a guess.

This highlights what we really lost when consumer operating systems started replacing enterprise-grade operating systems. I would have never imagined this kind of thing happening on something like Solaris or Irix, which were the base operating systems of many workstations. At some point when Linux became popular it suggested that the regular consumer would benefit from the robustness, focus, reliability of an enterprise-grade OS. Not so..

That large companies accept this state of affairs is extremely surprising.

That we accept that our electricity and communication bills are being diverted to serve the interest of an operating system's creator.. that sounds crazy. It's like letting the creator of your fridge eat your food and drive your car.

Would you let the creator of your fridge eat some of your food, if they gave you the fridge for free?

Maybe, from the stuff in the back that is way past its use-by date.

Well I would let them maybe eat some food once or twice but they certainly would not have the key to my apartment

If I put a lock on the fridge they gave me, should I be taken to jail?

That analogy doesn't hold up... if anything, it would be if you'd let the creator of the fridge see which food you are putting in so it can tell Amazon and offer you similar items.

And then you would decide if you take advantage of that or if you would not use it because of fear that the fridge would be sharing more than just the items you bought.

I was downvoted and criticised a few days ago for defending Microsoft on Windows 10. I am starting to change my opinion after looking into the issue more. I watched a recent Richard Stallman talk on youtube and went through the process of making the tightest privacy settings I could on my iPad, Windows 10 laptop, and Android phone. (I left my Mac and Linux laptops as is since I just use those for development.)

I think that Microsoft looked at the Google Now user experience on Android phones and decided to emulate that type of AI assistant in Windows. Google collects all sorts of user context information and Microsoft decided to do the same.

This is a guess but the difference may be that (some) people are willing to have less privacy on their smartphones but care more about privacy on their computers.

> I think that Microsoft looked at the Google Now user experience on Android phones and decided to emulate that type of AI assistant in Windows.

I don't mind that (Cortana).

I do mind that when Cortana and its supporting options are explicitly disabled, Win 10 apparently still won't stop chattering back with HQ constantly. Not only for privacy reasons either; it seems (though I'm not certain of the relationship) to have a substantial, though intermittent rather than constant, impact on performance.

I agree.

From the image of the captured data that is sent when telemetry is "off", a few bits are obviously Windows-style UTF-16. The GUID is obvious, and is that an assert error message? Very strange...


    (Utilities::HashMapContains(_qosUXScenarioDataById, scenerioId) == false)
    Assertfailed: (Utilities::HashMapContains(_qosUXScenarioDataById, scenerioId) == false):
    Instrumentation is active when we try 
(it cuts off after "try")
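A small triage script for exactly the kind of blob described in the comment above, added here as an example and not code from the commenter or from the article. It pulls UTF-16LE strings out of a captured payload, looks for GUIDs in the text it recovers, and then searches for the same GUID in the 16-byte mixed-endian layout Windows uses for GUIDs in memory (first three fields little-endian, which is what `uuid.UUID.bytes_le` produces). The sample blob is constructed inline: the GUID value is made up, and the assert text is the fragment quoted in the comment, re-encoded as UTF-16LE.

```python
import re
import uuid

# Constructed sample payload standing in for a captured telemetry blob.
# The GUID value is made up for this example; the assert text is the
# fragment quoted in the comment above, re-encoded as UTF-16LE.
SAMPLE_GUID = "6f1c8a3e-2b4d-4a9e-8c1f-0d2e3b4c5a6f"
SAMPLE_ASSERT = (
    "Assertfailed: (Utilities::HashMapContains(_qosUXScenarioDataById, "
    "scenerioId) == false): Instrumentation is active when we try"
)
SAMPLE_BLOB = (
    b"\x00\x01\x02\x7f\xff"                       # junk header bytes
    + ("{%s}" % SAMPLE_GUID).encode("utf-16-le")  # GUID as UTF-16 text (offset 5)
    + b"\x00\x00\x10\x00"                         # more junk
    + uuid.UUID(SAMPLE_GUID).bytes_le             # same GUID, binary layout (offset 85)
    + b"\xde\xad"
    + SAMPLE_ASSERT.encode("utf-16-le")
    + b"\x00\x00"
)

GUID_RE = re.compile(
    r"[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"
)


def extract_utf16_strings(blob: bytes, min_len: int = 8) -> list:
    """Return runs of at least min_len printable ASCII characters encoded as
    UTF-16LE (each char followed by a NUL byte), decoded to str."""
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [m.group(0).decode("utf-16-le") for m in pattern.finditer(blob)]


def find_text_guids(blob: bytes) -> list:
    """GUIDs that appear as UTF-16 text inside the blob, lower-cased."""
    found = []
    for s in extract_utf16_strings(blob):
        found.extend(g.lower() for g in GUID_RE.findall(s))
    return found


def find_binary_guid(blob: bytes, guid: str) -> list:
    """Byte offsets at which guid occurs in the 16-byte mixed-endian layout
    Windows uses for a GUID struct (Data1/Data2/Data3 little-endian)."""
    needle = uuid.UUID(guid).bytes_le
    offsets, start = [], 0
    while True:
        idx = blob.find(needle, start)
        if idx < 0:
            return offsets
        offsets.append(idx)
        start = idx + 1


if __name__ == "__main__":
    for s in extract_utf16_strings(SAMPLE_BLOB):
        print("UTF-16 string:", s)
    for g in find_text_guids(SAMPLE_BLOB):
        print("GUID as text:", g, "binary form at offsets:",
              find_binary_guid(SAMPLE_BLOB, g))
```

Run it against a real capture by replacing `SAMPLE_BLOB` with the bytes of the request body; a GUID that shows up both as text and in binary form is usually a device or session identifier worth correlating across requests, which is the first step in telling a telemetry endpoint apart from an update endpoint.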

I have a really hard time understanding how "enterprises" are going to upgrade to Windows 10.

An operating system that is sending random internal data to random places on the internet seems to violate both a wide selection of national laws related to data privacy, and many corporate policies relating to trade secrets, privacy, internal operations and so on.

Microsoft must have thought of this. What's their plan for continuing to sell to these customers?

Windows 10 seems to transmit information to the server even when OneDrive is disabled and logins are using a local account that isn't connected to a Microsoft Account.

Well there you go. If you ever wondered whether this is happening only on the Microsoft Account(tm).

It's hard to know without inspecting the exact data involved, but I feel like this is dangerously close to a HIPAA or HITECH breach, and I know of several hospitals who are strongly on the Microsoft bandwagon and are considering Windows 10.

The "send search data to an internet endpoint even if it's patently obvious that the search is for local resources" reeks strongly of Ubuntu's Amazon Shopping Lens. Did Mark Shuttleworth switch gears from Canonical to Microsoft when I wasn't looking?

> It's hard to know without inspecting the exact data involved, but I feel like this is dangerously close to a HIPAA or HITECH breach

Perhaps pedantic, but that's redundant; HITECH doesn't define breaches separately from HIPAA, it establishes standards for when HIPAA data is "unsecured" and reporting requirements, etc., related to HIPAA breaches.

I'm aware; my point was that there are HITECH implications as well that would be very hard to address with Windows 10 if my suspicions are correct; it would be hard to meet the breach reporting and notification requirements when the operating system may very well be actively siphoning PII even when supposedly configured to do otherwise. The only safe option is to assume that any patient data that exists on a Windows 10 system is unsecured unless that system is entirely disconnected from any kind of network or until Windows 10 is significantly more transparent about what it's doing behind users' backs.

Of course, this is speculation right now, and perhaps my concerns are unfounded, but I can already imagine some old doctor typing "J. Random Hacker biopsy" into that Start Menu search field in the hopes of finding some document and inadvertently sending the fact that J. Random Hacker had a biopsy to Microsoft and potentially some advertising partners (depending on the nature of such transmissions).

Hah, I mentioned this a few days ago. Glad to see someone picked it up and ran it.


Wow. I use Linux and BSD on my own machines, but the rest of the family is on Windows 10. This sort of thing makes me seriously think about trying to get the wife and kids to consider switching :/

I had the Win10 preview on a spare laptop that I just use for Netflix and Pandora, and was planning on just upgrading it to full 10..... until all this came out. Wiped it and installed Xubuntu.

I did like Windows 10 though, but then they kinda ruined it

I am sticking with Windows 7 until I get out of college and after that I am ditching Windows forever.

God forbid Microsoft give 7 the boot for support like they did XP. Windows 7 is standard for workstations at the college administration where I work, and suggestions to switch to 8 are met with laughter across the board. We have trouble enough with China trying to hack us literally thousands of times per day, and there is no reason to trust Windows 10 to be any more secure.

> We have trouble enough with China trying to hack us literally thousands of times per day

you mean you did "tail -f /var/log/secure".

> God forbid Microsoft give 7 the boot for support like they did XP.

god forbid Microsoft try to deprecate OSs after nearly 13 years. note that in 2001, the newest Linux kernel available was in the 2.4 series, with many people still using 2.2.

god forbid Microsoft try to deprecate OSs after nearly 13 years.

You seem to have invented a decade. Windows 8 RTM was just over 3 years ago.

Also, while I have some sympathy with both the idea that software isn't perfect and the idea that Microsoft need a viable business model, I don't think it's unreasonable to expect a product like Windows 7 to come with essential support for a significant period of time, perhaps based on the expected working lifetime of devices where the software is normally installed.

It's true that we don't know how to make perfect software yet, but it's also still the case that those security and bug fixes are only necessary because the product as originally provided was defective. If you're making as much money from a product as Microsoft do from Windows, and if defects in your product cause harm on the scale that bugs in Windows do, I think it's fair to expect you to make good your mistakes for a reasonable period as well.

It also seems to me that Microsoft could do very well from stating a reasonable period of guaranteed support with the purchase but then offering reasonably-priced ongoing support afterwards so it has a real revenue stream to fund long-term maintenance if it turns out that devices running Windows 7 are in use for a long time. This also conveniently removes the incentive to ship successive products that are seen to be worse than what people had before.

> I don't think it's unreasonable to expect a product like Windows 7 to come with essential support for a significant period of time, perhaps based on the expected working lifetime of devices where the software is normally installed.

Under Microsoft's software lifecycle policy, operating systems are normally supported for 10 years. So, for example, we already know that support for Windows 7 ends in 2020, unless it's extended. http://windows.microsoft.com/en-GB/windows/lifecycle

The best LTS on Linux is 5 years, and used to be 3 years. The best lifecycle support on OS X is, oh well, pick a number. A small number.

If you bought Windows 7 in 2009 and took a free upgrade to Windows 10 then you're supported until 2025, if your hardware lasts that long. So you'd have got roughly 15 years' use of an operating system for roughly $40. It's obviously terrible value....

Just to be clear, I'm not arguing that Microsoft's current support periods are somehow bad. On the contrary, I think they have historically been by far the best in the industry, and that this has been a strong argument in favour of building serious software on Windows.

All I'm saying is that a significant period of support -- longer than the 3 years the posts I was replying to seemed to be suggesting -- is a reasonable expectation for this sort of commercial software, because the developers are supplying an imperfect product in the first place.

In contrast, if the new version of Windows with its compulsory updates removes that ability to keep what you actually bought working as well as it was when you bought it, that is not a good thing, any more than it is when Apple have dumped support for old versions of iOS or OS X well before the end of the useful lifetime of devices they ran on. The position that the software industry wants to keep changing things so everyone else should be forced to keep up whether or not it's actually in their interests is not something I can support.

> The position that the software industry wants to keep changing things so everyone else should be forced to keep up whether or not it's actually in their interests is not something I can support.

Oddly enough, Microsoft already tried that. They ended up with people running 14-year-old code (which cost them money both short term and long term) and a major malware problem.

Check out Conficker devastating businesses and costing people a fortune ... almost wholly because they didn't install the patch for it. And these idiots are running supposedly-competent businesses or government departments.

The business branches offer more control over taking updates, but this is a consumer operating system.

Again, this is conflating security patches with more general updates.

As a personal anecdote, the only serious malware that has ever hit any system I run, as far as I'm aware, was a zero day exploit. The system was fully patched when it was hit. In contrast, the amount of productive time I have spent over the past few years recovering from problems caused by non-security-related software updates that I didn't particularly want but couldn't avoid if I wanted to keep the security patches is probably measured in weeks by now.

I'm all for keeping systems secure, but when updates start to take priority over keeping systems useful, you have a problem. Most security patches are fairly low risk and have few if any unrelated side effects anyway, but that is certainly not the case with modern software updates more generally. Just look at the frustration of browser users with Mozilla constantly rearranging the UI or Google actively removing functionality from Chrome, or of course the number of users who never moved from Windows XP to Vista or from 7 to 8 because the changes weren't considered improvements.

In the brave new world of Windows 10, the average individual user will be stuck with all the updates, security or otherwise, whether they want them or not. There's really no excuse for that, even in a consumer-focussed OS. Install updates by default, so less technical users get what they probably want? Sure. Block even knowledgeable users from choosing whether to install specific updates? The only time that makes a difference is if Microsoft want to force an update that the user does not want.

> Just look at the frustration of browser users with Mozilla constantly rearranging the UI or Google actively removing functionality from Chrome

Welcome to the brave new world. (Apple removing functionality as well.)

Windows 10 is moving to a continuous update process that is exactly like Gmail, Facebook and all web apps, and for exactly the same reasons.

At least this avoids the "big bang" updates that left incompetent organizations running buggy, insecure 14-year-old code. (The buggy insecure new code actually does work a lot better ;-)

> Block even knowledgeable users from choosing whether to install specific updates?

How many of those exist? As far as I can see, the number is between very, very small and zero, and even the best know far less about updates than Microsoft (because Microsoft can see tens of millions of PCs, and it has the source code).

That very small number has a problem because Microsoft is trying to cater to a billion users who don't even pretend to such arcane knowledge.

Otherwise, there's a business branch where you can delay updates for a few months, and one where you can effectively delay them forever.

> god forbid Microsoft try to deprecate OSs after nearly 13 years.

> You seem to have invented a decade. Windows 8 RTM was just over 3 years ago.

> > God forbid Microsoft give 7 the boot for support like they did XP.

I mean China literally doesn't stop. Every college, every department, they're all under attack, all the time. Whether it's sanctioned cyber-theft by the Chinese government or one of their thousands of "patriot hackers" they are ALWAYS trying to penetrate our networks and steal our research, personnel information, and so on. This is an indisputable fact, and my university is not alone.

Can you not block all incoming traffic from China-assigned blocks?

A lot of these attempts come through proxies. Shut one down, another comes in its place.

Anyone have statistics or percentages?

I'm more wondering for my own selfish reasons (I'd like to stop the majority of this junk effectively if possible).

I too got rid of Windows as soon as I graduated. It's been a nice feeling.

In the post-Snowden era, USA tech corporations, like Microsoft, felt the downturn on trust from non-USA companies and citizens in their online offerings. With Microsoft betting more and more on their cloud services, I find it strange (or maybe it isn't strange, but let's be naive for a minute here) that Microsoft goes against this and actually gives people _more_ reasons to not trust them than less.

As if they're thinking we all don't give a shit. But if we all didn't, why the downturn in trust in USA tech corporations post-Snowden?

I can't help but think that this is either massively naive from their part (people/companies won't care, they will buy our stuff and services regardless) or very short-sighted (as it will hurt their cloud services offerings in the long run, the more they hammer down the trust from their own users in MS' wares.)

Or maybe when nobody trusts you anyway, that ship has sailed? :)

I'm not savvy enough to discern whether OSX or iOS does this. Does anyone know if iDevices also ping back to Apple?

OSX only does for Spotlight & Safari search, but you can disable it (and it actually disables it). Details here: https://fix-macosx.com

Little Snitch indicates OSX does, but I'm not savvy enough to discern in what capacity or the content

As I understand it, Little Snitch is a process-level network firewall that uses a kernel extension to monitor and report all outgoing traffic. I have used it for about a week on a Mac running OS X 10.11, and I'm seeing lots of undocumented traffic from apps and daemons signed by Apple. By undocumented, I mean that the built-in docs in Little Snitch can't explain what the sender is doing.

Is Microsoft paying for that traffic?

In canada that's a big concern

Maybe in Ontario. It's uncapped out east.

I don't know about the rest-of-Canada.

I stayed in Ontario (Mississauga) last year for six mo. and I was on Rogers, capped at 80 GB/month. My alternative was Bell. Same price. Same cap. Week-long activation date.

I was paying what I had been paying for in the US for unlimited data. There were uncapped plans available, but they're pricier. Considering the building was hooked up to fiber (at least Bell suggested it was), getting 80 GB seemed a bit stingy.

The best way to illustrate how broken our system is to our American friends is to point out that, when I returned to the US, I was thankful to return to Comcast.

Which is like being thankful for getting reinfected with Ebola.

Not even... I am on an uncapped plan in Ontario.

It's a concern anywhere with caps, which increasingly includes much of the US as well. FWIW I'm in Canada and recently my provider (Cogeco) switched my 120Mbps plan to unlimited data per month, which is nice.

This actually brings up a great point which is that systems need some sort of bandwidth conservation setting. We recently were traveling and had a couple of laptops and pads with us. Having no data connection at the hotel we were at, I enabled tethering on my smartphone.

Less than an hour later I got a warning that they had blown through my 5GB. This wasn't active use, but literally was largely laptops auto downloading patches (they hadn't been turned on in a couple of weeks, backlogging GBs) and browser updates, pads pulling a tonne of updates, etc. It is becoming completely unmanageable.

The problem isn't limited to bandwidth caps and pay-per-byte; bandwidth usage can be a problem anywhere bandwidth is finite. Any heuristic that tries to hide the bandwidth usage based on a single computer can fail when there are other computers using the same network.

That's without setting the connection as a metered connection, right?

Once I saw that option, I immediately set it because I also use my mobile data connection for access.
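The metered-connection setting mentioned above can also be applied and verified from an elevated PowerShell prompt, which is useful when you want to be sure the toggle actually took before tethering. This is an added example, not code from the thread or from Microsoft; the profile name is a placeholder and must be replaced with the name shown by `netsh wlan show profiles`.

```powershell
# Added example (not from the thread). Marks a Wi-Fi profile as metered ("Fixed" cost),
# which is the same state the Settings app toggle sets, and reads the value back.
# Assumption: $profile is a placeholder; use a real profile name from `netsh wlan show profiles`.
# Run from an elevated prompt.
$profile = 'MyPhoneHotspot'

# Cost can be Unrestricted, Fixed or Variable; Fixed is what "metered" means here.
netsh wlan set profileparameter name="$profile" cost=Fixed | Out-Null

# Verify: the "Cost settings" block of the profile dump should now report "Fixed".
$dump = netsh wlan show profile name="$profile"
$match = $dump | Select-String -Pattern '^\s*Cost\s*:\s*(\w+)' | Select-Object -First 1
$cost = if ($match) { $match.Matches[0].Groups[1].Value } else { 'unknown' }

if ($cost -ne 'Fixed') {
    throw "Profile '$profile' is not metered (cost reported as '$cost')"
}
"Profile '$profile' is metered (cost=$cost)"
```

Two caveats a practitioner will hit: the setting is per Wi-Fi profile, so a second hotspot SSID needs it set again, and a wired (Ethernet) adapter has no such toggle in the 2015-era UI; its default cost lives under `HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\DefaultMediaCost`, a key owned by TrustedInstaller, so changing it means taking ownership first.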

Funny, nowadays there seem to be more firewall rules needed for outbound traffic than inbound on Windows. In the old days we had a name for that - spyware.
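If you want to check that observation on your own box rather than take it on faith, the built-in firewall cmdlets make it a two-liner. This is an added example and not code from the thread; the executable path in the last command is a placeholder.

```powershell
# Added example (not from the thread). Audits Windows Firewall rule counts by direction
# and lists the outbound rules that actually block, then shows the two ways to add more.

$rules = Get-NetFirewallRule -Enabled True

# How many enabled rules point each way? Outbound usually dwarfs inbound on a desktop.
$rules | Group-Object Direction | Select-Object Name, Count

# Which outbound rules block rather than allow? Default outbound action is Allow,
# so only these (plus the profile default) stop anything leaving the machine.
$rules |
    Where-Object { $_.Direction -eq 'Outbound' -and $_.Action -eq 'Block' } |
    Select-Object DisplayName, Profile, Group |
    Sort-Object DisplayName

# Option 1: block one executable outbound. The path is a placeholder.
New-NetFirewallRule -DisplayName 'Block example.exe outbound' -Direction Outbound `
    -Program 'C:\Program Files\Example\example.exe' -Action Block -Profile Any

# Option 2 (stricter, and what "default deny" really means): make every profile drop
# outbound traffic unless an Allow rule exists. Expect things to break until you add them.
# Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block
```

The per-program rule is the safe first step; flipping `DefaultOutboundAction` is the only way to catch a process you did not know to name, which is exactly the svchost problem described further up the thread, at the cost of having to allow-list updates and everything else yourself.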

The name today is "cloud" ;)

You agreed to the privacy terms, so you are at the mercy of whatsoever Microsoft implemented. Windows 10 could even totally ignore your settings.

I say this not because I think that this is OK, but to reflect that even changing the settings does not save you from the harm that was done by the privacy terms!

Why downvoted? When you disagree, then give arguments, not gutless clicks!

Very few people will read the privacy terms. Just because they have a document people clicked 'agree' below without reading doesn't mean that MS should not be held to account for what Windows 10 is leaking. For many users not using Windows isn't an option.

We need a complete rework of our entire legal system in regards to consent to contracts. The problem is that it'll never happen because there is so much of an advantage given to the capital owners by having it so the rest of the population doesn't really understand what they are signing up for.

Yet, I believe he has a point, and he had pointed to the very core problem.

If you hadn't read the EULA/ToS/Privacy Policy/etc, but had consented to those (by clicking "agree" in case of click-wrap packaging thingy), the fact is Microsoft is very unlikely to be held accountable if their actions are perfectly conforming to the agreement you had agreed to without even reading. Something is surely not right with this whole situation.

EULA, ToS, etc do not apply in Europe if they contain terms that the user can not reasonably expect.

An OS sharing all your data even with snooping disabled falls under this regulation, and multiple EU data privacy officials are already investigating and preparing a case.

Could be, but also could not.

Microsoft once already was under EU investigation and the whole thing was settled with minimal efforts for Microsoft (the only thing I remember was that they had to provide a browser selection screen).

When the OS sends encrypted data to their servers, who will prove that there is an offense made? Even when the terms are troublesome in the EU, they will just make some cosmetic changes to the terms for Europe. There are other terms that are not valid in the EU, but Microsoft has not even changed them yet (as far as I know), even when it has problems enforcing them in the courts.

Privacy might be an issue in Europe, more than in the US, but don't forget: the privacy officers in Germany have nearly no power, and are laughed at or ignored by most politicians.

Microsoft has nearly nothing to fear, IMHO, from the EU, so long as the US jurisdiction is also holding its peace. In Germany/the EU, nobody has the guts to fence too hard against a large US corporation -- but that is my opinion.

It would be nice if the EU would act on it, but I don't trust it!

Look up Thilo Weichert, or his replacement and long-time assistant Marit Hansen (Dipl.-Inf.)

They fought many battles, especially against Facebook, which led to court rulings in the manner of "Instant change of terms, instant destruction of data, or 6 months jail for the CEO".

Internationally, many might laugh about the ULD, but you do not risk a fight with them. And now, with them starting to look at Microsoft, I would not want to be in Microsoft's place.

The other thing to note is that they've changed the terms during an automatic update.

The terms that they changed had several opt-out (as opposed to off-by-default opt-in) features that are mentioned in OP's article.

So, Microsoft made an unethical but legal move.

That's almost exactly what he said - Legally, user is at MS' mercy, ethically that's not OK.

Even if people were to read it, how many are able to understand legalese ?

Am I supposed to consult a lawyer each time I want to install a piece of software?

With such an argument, you could just trash any terms. As long as they are not against any law, they are valid, as long as they do not contain something that is totally unexpected (for example that you must pay Microsoft additional fees above the normal price).

I also think that Microsoft should be held accountable -- but it starts with those terms!

I think many people just rushed into Windows 10, because it was free. But free seldom means free indeed. A clever trick of Microsoft to trick people into this.

As long as the privacy terms are not effectively changed and the OS does not stop sending coded data to servers, this OS cannot be trusted.

Terms and conditions as a requirement to use a product you've already purchased shouldn't ever count for anything. So I think you should trash any terms. And I'd hope in a civilized country if a company tries to use mandatory-accept 300 page terms and conditions to abuse their customers a judge would step in and say "no."

And this is absolutely unexpected. That's why there's a very popular post on ars technica and hacker news and reddit with tons of well-informed technical people surprised about it and pretty pissed off.

> in a civilized country if a company tries to use mandatory-accept 300 page terms and conditions

If you don't like 300 pages of ToS then don't buy Windows. It's your free choice. Software should be protected speech. I don't like Windows 10, but then I also think that Microsoft should have the right to write Windows however they like as long as they don't factually lie in their privacy statement and other documents.

> to use a product you've already purchased

The person who sold you Windows should've informed you of the license.

> It's your free choice.

No, it isn't. Very few choices in a very capitalist society are actually free, they are free in the sense that choosing to comply or not with a gun to your head is "free". Which is why regulation is necessary. Burying anything significant in a ToS is in our society meaningless, because if it actually had teeth it would be fraud.

I've currently got a system with Windows 10 downloaded, but I am hesitant to actually proceed with the (up?)grade. Like many people I assumed that it was just the same old Windows with more enhancements, not something with batshit crazy privacy defaults, that even when disabled still leak data.

That is the point. People are tricked into this and most of them did not read the terms or just ignored them.

But Microsoft is on the secure side, because you confirmed the terms -- and not many judges in the world will blame Microsoft in this situation, even when you argue that you haven't read the terms. When you sign another contract, you also cannot argue that you haven't read the terms (even when they are in very small letters).

When you sign another contract, you also cannot argue that you haven't read the terms (even when they are in very small letters).

Sure you can. And if it's a contract of adhesion between a business and a consumer where the terms are unreasonably loaded in favour of the business, you might actually win, too.

(I am not a lawyer, your jurisdiction may vary, etc. I have however worked with real lawyers on real terms and conditions documents, and have been consistently advised that it's preferable to avoid surprising terms and that if any do need to go in then they should be early and prominent to maximise the chance of them standing up if anything ever got to court.)

Sure, you can try with any contract -- and go to trial.

But I have seen worse contracts and the companies are coming through with it most of the time, but maybe in your country the judicial system is better and not the size of the company or the number of lawyers are important.

I, for my part, would not bet on winning a trial against Microsoft in such a case.

In reality it probably wouldn't be an individual customer against Microsoft anyway. It would be someone like the national data protection regulator or European authorities, acting on behalf of the population as a whole, and they would probably be looking at the actual behaviour of Microsoft and whether it violated data protection laws. If Microsoft attempted to argue that weasel words in their terms permitted their behaviour but the evidence showed that in the real world users didn't know or understand the implications, I doubt that would work out very well for Microsoft. Those authorities are generally more pro-privacy than the US, and they have handed serious financial penalties to big tech companies before.

It would be nice if it were that easy.

See my answer here: https://news.ycombinator.com/item?id=10055866

Can you name examples where big corporations got "serious" penalties for privacy issues? I don't know any. I only know that in Germany, we always say how important the issue is, but at least under our current government, privacy issues and the officers are laughed at by the big politicians. They might say different, but that is the reality (in Germany, everything is double-correct, until you look under the carpet!).

The trouble is, besides the judicial impact here, when you go on this level, it gets political and many influential German politicians don't want to mess with the US and with big corporations (their motto: "Sozial ist, was Arbeit schafft!"), particularly in the current government! And don't think that the EU is an independent entity -- the German government likes to make it look as such, but in reality, the EU does nothing that the governments of the most influential countries do not want.

(I also don't think that the current German government will change soon -- it is a mess!)

Can you name examples where big corporations got "serious" penalties for privacy issues?

Not yet, but I would argue that's because organisations like Google and Facebook have changed their behaviour when challenged to avoid things going that far.

However, Europe has imposed heavy fines in the past on the likes of Microsoft, and various nations in Europe have also formally investigated and taken legal action against major tech firms in relation to privacy concerns. For example, see http://www.bloomberg.com/news/articles/2015-05-06/facebook-p..., which is about an ongoing investigation.

Right. Investigations. But most of them are settled with a rather small fee for the corporations or with some small changes in the behavior (like the browser selection screen, that already was changed again in Windows 10, as far as I heard).

Those are the cosmetic changes I mentioned. I know nobody in the EU who really wants to mess too much with the big corporations (I mean, the really big ones). And privacy concerns are mostly laughed at -- in Germany, the government itself even forces new privacy troubles without need on the people (like the "smart meter" or the "health card").

Uninformed consent is not consent. This needs to be applied to the business world and all other legal contracts.

You are right. But I have seen so many cases, where companies come away with it.

This is something that definitely should be changed in our legal systems, but they are far from perfect, even when there are sometimes some honorable judges around (much too seldom in my country!).

> Uninformed consent is not consent.

Better way of arguing for your point would be to say that you cannot consent if you are uninformed, but if you were presented with the privacy statement then whose fault is it that you are uninformed and still went ahead agreeing to something you don't understand. Do you also take candies from strangers? I don't think what Microsoft is doing is ethical, but then I think it would be much more unethical for us to take Microsoft's right to free speech. I think you are arguing for nanny state.

>whose fault is it that you are uninformed and still went ahead agreeing to something you don't understand.

There is no practical way for the average person to have a significant enough understanding of privacy policies due to the wordings and the 'as provided by law' type clauses that require understanding of even more complex documents (and possible even court cases). That people agree to it anyways is because it cuts one out of so much to not agree to privacy policies. Even going to the doctor involves a policy that includes 'as allowed by law' that makes it very difficult for anyone other than a specialized lawyer to understand.

Microsoft knows that people aren't understanding this and using it to their advantage. A ban on taking advantage of this is no more a nanny state than already existing bans on many cons and scams (those that don't rely on lying but on confusion and misleading others). For example, I can't hand out checks for $100 that include really nasty terms of repayment ($200 due in one month, else I get to seize any items I wish from your possession). This isn't a ban on any freedom of my own except my freedom to take advantage of others.

To relate it to your example of taking candies from strangers, if I'm handing out bad candies and someone else is eating them, who is at fault? Even if they should know better (which with these being complex legal candies that means most people shouldn't know better) I'm still at fault for handing out bad candies.

> There is no practical way for the average person

And I'm arguing that this should not be a concern. If you do not understand something then you shouldn't agree to it. People should ask their lawyer, consult Microsoft, consult websites dedicated to such issues, etc. Unless you can prove that privacy statement is misleading to laypeople then it should be user's fault for not bothering to inform themselves.

> A ban on taking advantage of this is no more a nanny state than already existing bans on many cons and scams

I'm arguing for this (even though I severely disagree with choices Microsoft made) because it's a slippery slope that leads to precedents for government to introduce regulations that clearly aren't in public's interest.

Software as protected speech was established at the end of crypto wars, when encryption programs stopped being classified as munitions and restriction on strength of cryptography were lifted.

If we let Microsoft not exercise their right it might set a trend for the governments to go back in other areas like cryptography, using old scare tactics to reverse what was achieved before in the name of the public's interest by appealing to the fear of terrorism. You fight for Windows to not be compromised for its users, but it could be that this fight would lead to other curtailments of speech that would not only paradoxically harm Windows but any other reasonable alternative that we currently have.

If what a vendor is allowed to do is buried in a EULA that the world knows is never read, then that vendor is hiding something. There's a difference between the letter of the law and truth. Obfuscation is not truth.

That doesn't make it okay

I did not say that, but I wanted to make clear, how people are tricked into this situation, where they can not trust even the OS.

Windows 10 reminds me of a saying an old co-worker of mine used a lot, "Vendors lie... packets don't."

Of course this is true. Companies make money by spying on their customers. Did we really imagine that flipping the “Stop making money” preference was going to work?

well...yes. I fully expect when I opt out of something, anything, that it isn't still doing what I just thought I opted out of.

that's probably my fault for being so naive.

Maybe I'm just jaded, but does that really surprise anyone? Most “developments” at MS have been nothing but successive layers of lipstick-on-a-pig. No amount of lipstick can make the pig underneath go away.

The underlying OS is actually decent, the dev tools they provide are good and the dedication to backwards compatibility is better than anyone else.

Unfortunately, the OS is then loaded with so much extra crud, like all the privacy snooping problems, the crapware (even an ISO downloaded from MS contains junk adware-loaded 3rd party games and software), and so on.

From a technology standpoint, the base OS is far more than lipstick-on-a-pig. Windows XP -> 7 -> 10 has been a decent progression.

I'd still never recommend Windows 10 to anyone though. The evil outweighs the good.

I'd say Microsoft is more pig-on-lipstick, if you see what I mean. Some of the core technology is rather nice. The devotion to platform stability is generally welcome. The problem is that it comes chained to restrictive business practices, and now privacy invasions.

It doesn't surprise me. Moves in this direction were likely as soon as Nadella was chosen to be the new CEO and all but certain as soon as they announced the free upgrade push for Windows 10.

It does disappoint me, though. Microsoft was one of the few major players in IT that could realistically have offered an antidote to the always-online, spy-on-everything, everything-is-a-service, subscribe-not-buy, force-updates-you-don't-want madness of recent years. Instead, they seem to be throwing good money after bad in what I'm already expecting to be a repeat of Vista/8 level failure. They have about as much chance of actually out-Googling Google as Mozilla do with Firefox, yet like Mozilla they persist in trying and in doing so alienating the substantial user base who valued their products precisely because they weren't like that.

>> Microsoft was one of the few major players in IT that could realistically have offered an antidote to the always-online, spy-on-everything, everything-is-a-service, subscribe-not-buy, force-updates-you-don't-want madness of recent years.

I felt the same way after they came out and said they really believe in protecting data and people's privacy. This is the exact opposite of all the big talk over the past few years. Disappointing for sure.

I tried upgrading to Win 10 this past weekend and it was a disaster. My 3 year old video card wasn't supported (no dual monitors) and then after I reverted back to 7, it killed all my network adapters so I couldn't connect to the internet. I had to nuke my entire OS and start fresh. I'm not upgrading anytime soon.

Here's some of those articles:

> I felt the same way after they came out and said they really believe in protecting data and people's privacy. This is the exact opposite of all the big talk over the past few years. Disappointing for sure.

But, that's pretty much a well-established pattern (Microsoft has done it with lots of things before, but so has Apple and lots of other companies, it's not particular to Microsoft) -- if someone realizes an opportunity you didn't, you attack them for it and try to get the market to see the product as unnecessary or even abusive, right up until you are ready to push something that exploits the same opportunity.

they clearly don't care about their business customers, since this kind of childish behavior is a strict no-go for most companies with at least slightly decent IT.

Fair enough, they actually create big holes in the market that startups can eventually fill in. Albeit it won't be easy (replacing Active Directory, Exchange and Office suites), rewards are worth it. With that, Microsoft as desktop and server solution provider is history.

Still not getting why they want to copy Google's revenue stream, when they have solid base in vastly different areas...

I'm sure Microsoft care very much about their business customers, which is why this seems such an odd strategic move. As you say, why try to copy a company like Google's business model when they have their own well-established one?

I'm half-wondering whether the plan has always been to prioritise the consumer market with Windows 10, and they're taking a reasonable punt on the fact that most businesses won't upgrade for a considerable time anyway, giving them enough opportunity to push out updates that address those businesses' concerns based on the early feedback before it really makes much difference. If that is the case then it's still possible that they have misjudged their market and they'll never fully recover from the negative initial reaction they've been receiving in recent weeks, but the strategy itself would be reasonably logical.

Agreed. Windows 7 is still a current Microsoft product and I don't think Microsoft is expecting the bulk of enterprises to move until 2020, if not later.

And since Windows 10 is to a large extent a move into remote PC management, Microsoft obviously wants to manage them with as much info as possible. Telemetry is the quid pro quo for free upgrades for the life of the device.

The handful of geeks (somewhat less than a billion users) who are capable of managing their own systems obviously don't like this. However...

> the negative initial reaction they've been receiving in recent weeks

Public interest has been phenomenal, the reviews have been overwhelmingly positive, and most people seem to be very happy with it.

Telemetry is the quid pro quo for free upgrades for the life of the device.

This is where I start to challenge what Microsoft should (as a matter of law and/or regulation) be allowed to get away with. As I've stated in other posts in this discussion, I think there is a reasonable expectation of support for a significant period for this kind of software product given that the only reason those updates are actually necessary is that the original product someone paid for was defective. We don't know how to write perfect software yet, but I don't think software companies should be allowed to ship defective software and then change the deal retrospectively in exchange for putting right what was their own mistake in the first place.

Public interest has been phenomenal, the reviews have been overwhelmingly positive, and most people seem to be very happy with it.

I wouldn't know. Among people I actually know personally in real life, whether professionally or friends and family, geeky or not, I'm aware of literally no-one who has actually installed Windows 10 other than for testing purposes. On the other hand, I do know plenty of people, again both professionally and personally and both geeks and not, who seem quite convinced that they don't want it for now in light of things like forced updates, privacy concerns, hesitation after being disappointed by the Windows 8 touch-biased UI, hearing about paying to hide ads just to play a game, and other negative aspects. Moreover, so far no-one I've talked to seems to have found any good, concrete reason to upgrade, other than the not-really reasons like "it's free" and "it's the new version". The occasional gamer mentions DirectX 12 and the occasional web developer mentions Edge as something they might need to test with, but the general reaction seems to be a resounding "meh" in the circles I move in. YMMV, of course.

I'm also curious about where these positive reviews are, because the Internet I've been reading for the last few weeks has been one disaster story after another as far as Windows 10 coverage is concerned. In light of my previous point, I assume the Internet all those other people have been reading has looked similar. But again, YMMV.

I don't understand your opening para. Either way, I don't think defective software has anything to do with it. Microsoft keeps writing new versions for all sorts of reasons that have nothing to do with defects. Some are to add useful functionality, or ease of use, or to keep up with a changing world. Some are essentially changes in fashion.

A quick google....

Windows 10 review: Why the new Start menu, Edge browser, new apps and Cortana make Windows 10 the best Windows yet http://www.pcadvisor.co.uk/review/operating-systems-software...

Windows 10 review: The OS upgrade we've all been waiting for http://www.pocket-lint.com/review/134797-windows-10-review-t...

Windows 10 review http://www.techradar.com/reviews/pc-mac/software/operating-s...

Microsoft Windows 10 review 5 stars http://www.expertreviews.co.uk/software/operating-systems/14...

Are you a Windows 8 user? Still using Windows 7? Either way, you'll love Windows 10. http://money.cnn.com/2015/02/22/technology/windows-10-review...

> I don't understand your opening para. Either way, I don't think defective software has anything to do with it.

That seems where we disagree.

With other kinds of product I buy, at least in my country, there are consumer protection laws about them being of sufficient quality and fit for their intended purpose. If a product doesn't live up to those standards, I am entitled by law to have the situation put right or compensated one way or another, for example through repair, replacement, or ultimately a refund of some or all of the money I paid to buy the product. If a product is so bad that it causes other harm as well then in some cases I would also have grounds for further compensation. (The situation is also somewhat different when selling to businesses vs. private individuals in my country, so I'm oversimplifying here.)

With software, developers have historically been given a lot of slack, in part because none of us know how to write bug-free programs so expecting everyone to achieve that standard before being able to sell anything is unhelpful. However, the same basic legal principles do still apply, and they have sometimes been used in practice. Part of the reason that big software developers like Microsoft don't fall foul of those rules more often and wind up paying back a lot more in refunds and/or other compensation is that they do make reasonable efforts to fix defects in their software for a reasonable time after purchase.

My point is that providing a reasonable degree of support is not really optional for them and they are not really being generous in providing it. If they stopped doing so, and their customers then started suffering real damage because of bugs or vulnerabilities in Windows, then Microsoft would risk being sued until either they fixed the problems or their business failed.

This has absolutely nothing to do with any other kind of update. Microsoft has, to my knowledge, no obligation after a customer has already purchased their copy of Windows to provide ongoing development of new features, drivers for other vendors' hardware, or their UI. They might choose to do that, and they might choose to offer those things to customers in return for money, data, or any other agreed form of compensation.

But whether or not they do that, it doesn't change the basic obligation they do have to provide a decent product if they're charging real money for it, and to make reasonable efforts to fix defects or compensate for them if their original product is flawed. The customer is entitled to get what they paid for, not a broken version of what they paid for, and not a version where a defect was fixed but some other unwanted change was also made so it's still not what the customer was originally supposed to be buying.

> A quick google....

I'm not sure how much credibility I'd give reviews from that kind of source. Of course they look favourable, because they seem to make little effort to be at all critical of anything and almost completely gloss over the widely reported problems and backward steps in favour of... ooooh, shiny!

For example, several of them highlight robustness as a big point in favour of Windows 10. Given the huge amount of negative comments from people who were in the beta/preview programme and the multiple, widespread, system-breaking forced updates that have already been pushed out within just a few days of launch, I don't see how any unbiased review could possibly conclude that stability is a strong point for Windows 10 so far, and I see no basis for the blind faith several reviewers seem to have that Microsoft will fix the fundamental risk of bad updates bricking boxes. Few of the reviews make a big deal of removed features like Media Center, or hardware incompatibilities with older devices, which are the kinds of issues that won't trouble the majority of users but will be very bad for those who are affected. I don't see much mention there of clunky search tools or the confusing division of what used to be in the control panel into multiple areas. None of the reviews that I looked at even mentioned things like privacy concerns, or spamming ads at you unless you pay subscription money to turn them off, or the WiFi Sense security concerns.

Try Googling a few other relevant terms, like say "Windows 10 laptop reboot loop" or "Windows 10 WiFi Sense security" or "Windows 10 search", and see how overwhelmingly positive the commentary looks then.

> My point is that providing a reasonable degree of support is not really optional for them and they are not really being generous in providing it.

Compared to who?

They're selling Home OSes for roughly $10 to $40 (sometimes free with Bing) and even a trivial support incident costs 2x to 3x revenue.

Further, most people have never actually bought anything from Microsoft. They "buy" it from the PC manufacturer, who is actually responsible for supporting their product.

> I'm not sure how much credibility I'd give reviews from that kind of source.

They're the sources most people use.

"Windows 10 laptop reboot loop" doesn't apply as it came after the launch; "Windows 10 WiFi Sense security" just shows a lot of ignorance, and "Windows 10 search" doesn't show anything very much. Paranoia, maybe? I looked that one up on Google, which probably now means "sending personal information to Alphabet without my consent".

> They're selling Home OSes for roughly $10 to $40 (sometimes free with Bing) and even a trivial support incident costs 2x to 3x revenue.

That's their problem, just as it is the chair maker's problem if he sells defective products on tight margins and then has to repair them at an overall loss when someone sits on them and they break. They're perfectly entitled to sell their software for more, if people are willing to pay more for it, but whatever the price, the buyer is entitled to have the working software they reasonably expected to receive in return for their money.

> Further, most people have never actually bought anything from Microsoft. They "buy" it from the PC manufacturer, who is actually responsible for supporting their product.

That is basically true, though as soon as Microsoft start arguing anything about EULAs being binding agreements they're probably going to be on the hook as well. Third party rights and liabilities are an interesting area of the law, particularly when it comes to software.

But yes, if you buy a PC then the shop that sold it is primarily responsible, if you get a phone with your plan then the shop/network that provided it is primarily responsible, etc.

> "Windows 10 laptop reboot loop" doesn't apply as it came after the launch

OK, but you were arguing that "most people seem to be very happy" with Windows 10. I suspect those people were not.

> "Windows 10 WiFi Sense security" just shows a lot of ignorance

That is unfortunately true. However, it also shows quite a few people dismissing a genuine security concern because as long as everyone who ever uses a network fully understands the implications of the feature and makes no mistakes in configuring it (i.e., they leave the entire feature turned off), no harm should be done.

Of course, the moment a single person in your company accidentally hits share instead of don't share, your sysadmins can look forward to a fun day changing all the credentials and notifying everyone of the new arrangements, and your executives can look forward to explaining the resulting regulatory investigation and fines for not securing data properly to the shareholders.

> "Windows 10 search" doesn't show anything very much.

That's funny. When I googled it before writing that post, it found a rather lengthy list of articles and blog posts commenting on how poorly the new search feature actually works, mentioning several different points about the order results are shown in, not searching parts of the local network that were searched in previous Windows versions, and generally more work being required to find useful things that search found before. Plus there's the less favourable perception of Bing search results, and the privacy concerns, of course.

> OK, but you were arguing that "most people seem to be very happy" with Windows 10. I suspect those people were not.

Most people are happy, as far as I can tell. Clearly some are not, but if 50 million people were unhappy they'd be making a lot more noise....

>Of course, the moment a single person in your company accidentally hits share instead of don't share, your sysadmins can look forward to a fun day changing all the credentials and notifying everyone of the new arrangements, and your executives can look forward to explaining the resulting regulatory investigation and fines for not security data properly to the shareholders.

I'm assuming companies are run by people who are not complete idiots. There's a simple way to make sure your corporate (or other) network is never shared, and it's covered in the FAQ.


I wasn't kidding when I said the coverage "showed a lot of ignorance". I was too polite to mention the incompetence.

> blog posts commenting on how poorly the new search feature actually works, mentioning several different points

Works fine here, for what I use it for....

Well, I'm happy for you that Windows 10 seems to meet your needs and apparently doesn't cause you any problems. But I stand by my original position that Microsoft may have misjudged the business market if their strategy is to go consumer first and aim to fix any business concerns later. (Please also remember that I'm not saying they necessarily have misjudged, I'm just saying it's a risk if that's their strategy.)

Regardless of your opinion or mine, the corporate sysadmins and decision-makers evaluating a possible move to Windows 10 aren't going to be forming their opinions based on the kinds of reviews you linked to before, and they're going to be well aware of the kinds of issues raised by the less favourable coverage. What really matters isn't whether you can convince me that, say, changing a corporate WiFi SSID used by hundreds or thousands of people is no big deal, it is whether Microsoft can convince the sysadmins and the team running the help desk. And based on the reactions I've seen so far from people who are in those kinds of positions, Windows 10 certainly isn't making a great first impression, so I do think Microsoft has left themselves a bit of a mountain to climb.

> apparently doesn't cause you any problems

Not quite. It doesn't cause me any problems that I regard as unsolvable for what I get in return. Android, for example, is a much tougher proposition. That's a bigger privacy leak and the only real alternative is to go to an AOSP-based ROM.

Just using the web requires some effort (Ghostery, uBlock Origin, Google Search link fix etc).

> so I do think Microsoft has left themselves a bit of a mountain to climb.

We shall see. I expect Microsoft has actually talked to its business users, and it doesn't expect them all to defect (though, as I said, it's got until 2020 before it becomes critical).


Bank of America CTO Talks Windows 10 Plans, Security http://www.informationweek.com/strategic-cio/executive-insig...

Reilly promised a Windows 10 upgrade is on the horizon for Bank of America. "We're looking to adopt as early as we can," he said. Such a project will be a massive undertaking given the sheer multitude of Windows devices within the organization, but he appears optimistic about the process.

