Hacker News new | comments | ask | show | jobs | submit login

Analysis here:


Doesn't look like the original source of the info is very trustworthy, will need other people to verify this.

Agree, this is large enough an issue to verify its validity.

If true, however, it is very problematic and of questionable legality (e.g. unintended HIPAA data disclosures etc).

Apparently people will have to start to invest in configuring outbound firewalls on their network to prevent various phone-home operations.

I have a feeling that there is a grain of truth in some of it, however the wholesale keylogging and what is basically searching for pirated content after keywords are typed is probably not real.

Yeah... the backlash seems kind of predictable even for cartoonishly evil software companies.

I think that depends on what data people manage to sue out of them and then react upon...

The problem is that it's TLS encrypted traffic going from a black box component to a remote black box service so it's pretty hard to determine what is going over the channel. Without extensive and complex reverse engineering, you can only infer what is going over it and draw some hypotheses that need to be tested. I think that the article is spot on with respect to that.

And of course there is no word from the horse's mouth (Microsoft) at all on ANYTHING related to this. Silence is always worrying.

>The problem is that it's TLS encrypted traffic

Unless you can just install a local certificate and proxy it.

Naturally, if they were following "security best practices", they will have pinned the certificates and made no option of overriding them with your own.

It's all "for your security", of course.

Exactly, it takes less than 5 minutes to figure out how to do this with Fiddler or Wireshark...

Taking into account it is Windows, even if it the traffic is "encrypted", I suppose the part of the OS that encrypts it is not obfuscated in any way, so it should be easy to know what it really is doing.

You're right hence the extensive reverse engineering. I think you can expose call graphs and assembly with SoftICE or some product like that and infer which windows API calls are used so that's a starting point. However some of the things that talk are going to be heavily optimised binaries, code signed and difficult to poke inside.

I'm not sure of that, they could even be C# binaries, which are usually easy to disassemble and follow.

Possible. I suspect anything interesting will be C++ however, possibly by design.

Generally speaking you don't need to go to such lengths to intercept client/server communication from your own device. You can even have your wireless devices use your local WiFi, computer and Fiddler (which I think is roughly equivalent to Charles on Linux/iOS) as a proxy to intercept SSL and decrypt communication.

You don't need to bust open the codebase itself to figure out what comms are occurring. You can stage your own MITM attack against yourself with a couple of home made SSL certificates and a router you have the ability to install your own software on.

That's true but then you still have to understand the data that is sent rather than where it is collected from. The of latter is much easier than the former from experience (I've had to reverse engineer a couple of protocols in my time)

Since when does TLS warrant scare quotes around the word "encrypted"?

Why whenever anyone quote anything someone replies criticising them for using "scare quotes?" People commonly use quotations (in English) to emphasise, or to distinguish. It is like a poor man's italics.

Look at the context to decide if someone is using it to imply something is bad/evil/scary, in this case you cannot draw that conclusion. The OP is clearly just using it instead of italics.


We've banned this account for posting abusive, uncivil, and unsubstantive comments.

Or stop using Windows and we can put the final nail in once and for all.

Linux, through Ubuntu, is (IMO) now ready for the prime time.

I say the following as a Linux enthusiast: Ubuntu is absolutely not "ready for the prime time," as you put it.

It's not ready for home users, it's not ready for most businesses, it's not ready for anyone except a small number of users.

Yep. I want to love it (I want to love it so much). I just can't.

Audio still doesn't work on my installation. It can work if I kill Flash or pulseaudio---sometimes---or if I restart my browser or entire machine---sometimes. But it's an atrocious state of affairs to expect end-users to debug basic functionality like that, and they end up having to because there isn't a "Geek Squad" local-service ecosystem to take a malfunctioning Linux machine to (with your own customized distro install) where they can just "make it work."

It's not just a software problem---it's an ecosystem problem. Both in terms of the service / support sector and in terms of the software creation sector (the fact that there isn't just one answer to "How do I do audio on Linux" is absolutely maddening to someone used to writing software on a Mac / Win monoculture [http://braid-game.com/news/2008/08/misc-linux-questions/]).


In comparison to OSX and Windows running on the same hardware, Ubuntu is worse in every meaningful way. Power management is terrible, window management is terrible, the Ubuntu software center is slow as hell and has no selection (amount of useful software is a huge concern, actually). It lacks polish in general, things that people have come to take for granted in their OSs are missing or badly implemented.

I'm sure the argument will come that most home users only need a web browser, so the software selection isn't a problem, but at that point you might as well just use Chrome OS and get something that actually works.

Not for gaming (yet! vulcan will change that), but for everything else I think it's absolutely ready. It does internet perfectly through Firefox, and libre office for document things, plays all file types through VLC, and it's free and can run securely right off a USB stick. What else do I need a computer for? Apps? I have my phone for that.

Once it gets increased adoption more niche and paid for software will naturally migrate.

I say this as a Linux hating Windows lover who lasted 3 hours before reverting Win 10 back to 8.1 on my gaming machine and changing my wifi password, and I plan to never go to Win 10 or any Windows products again.

I hear this for last 15 years, and few things changed. Showstoppers - 100% compatibility with Office will probably never happen, which is deal breaker for most business customers actually paying for licences. second issue is device drivers. users don't care who-what is responsible, they just want to see their strange printer working with scans. Again, in many cases not there

No, it definitely isn't. I'm a software engineer and I've used it as my primary desktop OS for years. A year ago I went and paid $300 for a windows 8.1 box and migrated my whole system back to windows. There were just too many problems that got in the way of my work, things breaking after updates, graphics and printer driver issues, etc. I was spending more time debugging that stuff than a windows license costs. I don't like windows, especially windows 8, but it's stable. I did have to buy a start menu add-on, because Microsoft lost their mind with windows 8. I keep my Ubuntu machines in a VM now, where I can easily back them up, roll them back, or throw them away without affecting my productivity. It's not quite as fluid running an Ubuntu desktop at 4K inside a VM, but still quite usable.

If it's not ready for a seasoned software engineer, it's definitely not ready for my mom.

the problem for me (and people like me) is that I'm running a gaming / game dev rig. I actually need Windows as most of the games I play are windows only - plus my current rig is way more powerful than any mac I can afford. I love linux and attempted to dev my games in pygame so that I would only need Windows to play games, but this isn't a good solution either as I prefer Unity.

Guess I'll stick with 8.1 for now even though it is shit.

Sounds like my situation.

I have been able to put Unity on the back-shelf because it's just a hobby for me. I have been experimenting with Phaser / PIXI / P2 + ScalaJS in the meantime while I wait for the Editor to come to Linux, which will hopefully happen in the near future [1].

As for actually playing games, a surprising amount of the ones I try have been ported over to Linux already. For the rest, I use Steam Live Streaming from a Windows 7 box which works pretty well. Steam can even stream non-Steam games (blizzard ones for example). I tried using it to stream the Unity Editor, but it was just too clunky for my tastes.

1: http://blogs.unity3d.com/2015/07/01/the-state-of-unity-on-li...

Thankfully I have 2 gaming rigs, 1 outdated mac and 2 older custom rigs that are sitting around in pieces. I'm going to build and install a linux box for personal computing (all non-dev non-gaming related computer activity) and just keep it on right next to my gaming / dev rig.

I tried ubuntu last year and the context menu on the desktop was displayed wonky. Time to first bug of 1 click is not ready for prime time. Not to mention it took an hour of trying printer drivers for my common laser printer to find one that would output even distorted barely legible text.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact