Updates Make Windows 7 and 8 Spy on You Like Windows 10 (hakspek.com)
362 points by Sami_Lehtinen 670 days ago | 274 comments




The list of files modified (to add telemetry hooks?) in kb 3080149 is crazy. NTOSKrnl, NtDll, Lsass, winload.exe etc... Are they really adding spyware/telemetry hooks all the way down to the kernel? What happens next time there's a security patch for the kernel, do we get an ntoskrnl with all these "optional updates" included as well?


Pretty much, yes. As I mentioned elsewhere, they enable spying on kids by default if they're logged in through a Microsoft account. If they're going to spy on kids, adults get the same mechanisms installed.



I remember some months ago where they only claimed fixing something minor (like, something that's not even an executable but some text-based or at least data file) in the patch and the list included also a huge amount of files including cryptwhatever.dll (not the actual name). "Backdoor time" thought I. As little as I checked however, it didn't look like a real smoking gun then.

It seems a common practice somehow that since some time their updates aren't "hand picked" but generated by the computer without too much human control or that the programmers don't have time, or simply nobody cares there anymore.

I'd be glad if somebody would sensibly explain all that. Including these recent "everything you type will be transferred" and "the list of all your files will be made" claims.


It would be interesting to see what someone knowledgeable would report back on by taking something like zynamics bindiff onto pre- and post this KB.


I've never seen the proof of the claims from the article discussed here three days ago:

https://news.ycombinator.com/item?id=10099180

"Information transmitted: All text typed on the keyboard is stored in temporary files, and sent (once per 30 mins) to: oca.telemetry.microsoft.com.nsatc.net pre.footprintpredict.com reports.wes.df.telemetry.microsoft.com"

On another side, MSFT never issued the statement what they actually collect, probably because their lawyers will need a month or two to clear that up.

If the quote is true, it's a real full-blown keylogger. It's hard to believe. But there should be the pressure to find out the truth.

The worst thing is that it seems the users also don't care.

Do read kstrauser's top post in this discussion regarding automatic snooping of kids and emailing the parents, implemented by MSFT in Windows 10.

https://news.ycombinator.com/item?id=10111271

He posted the snapshot later. Unbelievable. But it seems they really do this. Built in spying, then sending reports by e-mail.


I've noticed recently that I'll get a weekly e-mail from Microsoft showing my "week in review", with inline copies of photos I took with my phone and uploaded to OneDrive (I have 1TB of space with OneDrive thanks to an O365 account). This just started a few weeks ago.

So, Microsoft is not only rifling through the contents of my OneDrive camera roll, they are then transmitting the photos to my email unencrypted, without ever asking me to opt in to this service. I used to praise Microsoft for being opt-in as opposed to Google's opt-out; I guess that's all out the window now (no pun intended).

I guess it's finally time to flip the switch on the OwnCloud account I've been testing and drop OneDrive.


This seems loosely equivalent to Google's account activity mail, but with invade-by-default. I can see it being useful, though, despite the flaws which you describe.

Also – potentially – incredibly dangerous, as other posters mention. I don't think that we can have the possibility of one without the possibility of the other here.


Reminds me of this: http://www.siao2.com/2011/03/22/10144474.aspx (see comment thread)


Yes, it was something like that "we changed the currency letter in Nowhereislands, list of 30 changed files includes cryptography.dll, well, why not."

The currency letters are since forever nicely separated from the code in the data NLS files, I thought I knew.

Whatever, there are enough problematic actions we're sure of, seen in the other posts here.


Quick check if you have any of these installed:

systeminfo|findstr /LI "3068708 3075249 3080149 2976978"


Some of those look like they'd be used to upgrade to Win10? Compatibility checking, diagnostics, etc.

Nothing seems malicious, but you never know.


I submitted a story to Boing Boing (at http://boingboing.net/2015/08/10/windows-10.html) about the weird experience I had after upgrading my son's laptop from Windows 8.1 to 10. We did this on a Saturday, and Monday morning I had a "family safety report" email from Microsoft detailing which websites he'd visited, which apps he'd used (and for how long), etc. since the upgrade.

According to Microsoft's Family Safety FAQ (https://account.microsoft.com/family/faq/):

> On Windows 10, you’ll need a Microsoft account in order to use Microsoft family whether you’re a part of a family as an adult or a child. When kids are added to a Microsoft family with a Microsoft account, any time they sign in to a Windows 10 device, their settings will be applied and their activity will be reported to the adults in their family. Adults can always turn off activity reporting or remove kids from the Microsoft family at account.microsoft.com/family.

By default, unless you log in and explicitly disable it, Windows 10 collects kids' usage activity and uploads it to Microsoft's servers. Presumably the same mechanism is disabled for adults. Presumably.

I definitely didn't enable it, and I'm sure my son didn't check any "narc me out to my parents" checkbox.

Edit: we already had a family account set up for our Xbox. I suspect that's how Microsoft determined that the emails should go to me.


Abusive parents are going to love this.

(And that's terrifying.)


I wonder how long until Microsoft has that Target moment[1] and tells a father that his daughter is pregnant. I also wonder what happens if someone's medical information leaks via this data gathering.

1) http://www.nytimes.com/2012/02/19/magazine/shopping-habits.h...


Thanks for sharing this, that was a great article. Once again, RMS is completely right on a topic: store rewards cards are invasive and allow for significant tracking and you should stop using them if that bothers you.


I know, right? A kid thinks they're safely researching things that are important to them, but that's not at all true.

Statistically, it's almost certain that a kid somewhere has been beaten because of what their parents read in that report. When we're developing new features, we have to take into account ways they'll be twisted and abused. If anyone evaluated this before its development, and they were intellectually honest with themselves, these consequences had to have been dismissed as collateral damage. That makes me sad.


[deleted]


Literally no one in this thread has been calling for these TOOLS to be outlawed: that's entirely your straw man. However, I 100% through and through believe that they should be disabled by default and enabled only by those specific parents who want them.

In another comment, you say that I had to enable these TOOLS. That is factually incorrect. I do not want to use them and did not enable them when initially setting my son's Windows 8 laptop. I did not enable them when upgrading to Windows 8.1. I did not enable them when upgrading to Windows 10, but received the spy report the next business day after performing the upgrade.

These TOOLS are on by default, until you explicitly disable them. I am not calling for them to be outlawed. I'm calling for them to be turned off unless and until parents personally and explicitly choose to turn them on.


> If parents fail to monitor their kids and something "bad" happens (e.g. kid gives out too much personal info, kid reads stuff not age appropriate, etc) then when it is discovered everyone online yells that those parents are "bad" and how "it is up to parents to monitor their kids." In fact this is standard practice whenever online censorship for the sake of kids is discussed ("it is up to the parents to parent!!").

Yes, and surveillance of their every activity is not the way to go about preventing such incidents. Parents need to be able to trust their children and allow them privacy. These incidents should be prevented by talking to children and explaining risks.

> People in this thread arguing that TOOLS shouldn't exist for parents to parent are insane.

No, they aren't insane. Parents should not have the right nor the ability to spy on every single aspect of their children's lives.

There are no circumstances where this is acceptable or ethical.

> You want parents to parents? Well sorry then they need TOOLS to do so.

No they don't. They need knowledge of parenting. Children have been parented for millennia without GPS trackers and Internet surveillance.

Tools are actively detrimental to good parenting. Maintaining complete surveillance of a child's activities destroys any trust they might have in their parents.


[deleted]


I don't know about millennia ago, but at least 50 years ago there were smutty magazines for kids to gawk at if they felt like (and probably often did), and as far as bullying is concerned, I'm sure that many a HNer will confirm that pre-internet bullying was definitely a thing, too, and that also happened neatly outside of parents' jurisdiction/view.


And beaten isn't even the worst of it. Kids are sometimes made homeless, or in some (rarer, more often non-Western) cases, murdered.


Better hope the kid isn't GLBT in a right winger christian family.

That would not go over well.

"Microsoft outed me, and now I'm homeless", says 17 year old.


Also parents whose kids accidentally stumble upon a site for predators. It's a tool that can be used for good or bad, but will depend on the parents.


That's true, but I can't justify this being enabled by default. As something parents can turn on if they feel they need to, sure, but not like this.


[deleted]


> It isn't on by default.

Yes, it is.

> It is on when you've told Microsoft "hey, this is my kid's account, I am their parent." Seems like a pretty reasonable default in that very specific scenario.

So you're admitting that it's on by default in that scenario. Which scenario did you imagine I was referring to?

This is a horrible, terrible, unreasonable default setting. Also consider that the same mechanisms that make it possible for you to spy on your kid could make it possible for your significant other, employer, or any other interested party to do the same against you.

Face it: Windows 10 is pwned by design and default. It is an unacceptable risk in any situation I can imagine it being used for.


Automatically spying on kids without their knowledge if their parents upgrade the computer to Windows 10... seems reasonable to you?


[deleted]


> Parents have a right and a responsibility to monitor their kids.

You seem to be confusing monitoring with minute scrutiny.


> accidentally stumble upon a site for predators.

So public Minecraft servers, public minecraft forums, and /r/minecraft?

Surely you don't think that kids and pedophiles are meeting on forums specifically designed for it, right? I imagine that kids are preyed on by pedophiles who join spaces that are interesting for kids. How do you prevent that, or even know when it's going on?

The tools they're giving to parents are no more powerful than a browser history.

> It's a tool that can be used for good or bad, but will depend on the parents.

The potential for bad outcomes has been highlighted by other readers. What good can this feasibly do? And is that good worth the potential for abuse and the obvious security concerns that it places in Windows for users who aren't kids? I think not.


Heck, mistype a website name and accidentally get a porn site (ala the old whitehouse.com) and get in trouble.


[deleted]


Probably, but the news is quite full of "zero discussion" parents, plus we are talking about reports that now go to schools with those pesky zero tolerance policies.


[deleted]


For a company waiting for a liability suit, it's not a bad idea to look at the extremes. Plenty of one-and-done lawsuits out there.


Also think what impact it's gonna have on organization. Would they have access to everything an employee types? Any website they visit?


In reality, if you're using a machine that's owned by your employer, you should always assume that everything you do is being monitored at all times, regardless of what operating system said machine is running, because chances are in favor of that being the case. Expect at the absolute least some sort of web traffic monitoring (probably via a corporate proxy); in some cases, I've seen companies install keyloggers (and, in fact, this is the "legitimate" use case for keyloggers, remote administration tools, etc.).

You should also expect that any mobile device accessing company resources (including - and especially - email) is effectively giving your employer root access. This is almost certainly the case if you use a mobile device with Microsoft Exchange.

In other words, in the context of employee workstations, Microsoft's spying is effectively a non-factor for employee privacy.

Now of course, this is all describing intra-organizational surveillance. Microsoft's data collection is inter-organizational, which has rather significant implications for healthcare organizations (since now Microsoft is the single-point-of-failure for a HIPAA breach), financial institutions, law firms, the works. That's all a bit of a digression from the point of children being automatically spied on, however.


> In reality, if you're using a machine that's owned by your employer, you should always assume that everything you do is being monitored at all times, regardless of what operating system said machine is running, because chances are in favor of that being the case. Expect at the absolute least some sort of web traffic monitoring (probably via a corporate proxy); in some cases, I've seen companies install keyloggers (and, in fact, this is the "legitimate" use case for keyloggers, remote administration tools, etc.).

It is one thing for a company to do so. I really really doubt that companies are OK with Microsoft having a copy of all activity from all their employees' workstations.


Right. But from the context of the employee, it's a distinction without a difference. By using a company computer, the chances of your activities being keylogged and tracked with absurd amounts of granularity go up significantly. If you're not the owner of the hardware (and, hell, sometimes even when you are), all bets are off.

Of course, from a company's perspective the distinction will actually be meaningful, but that didn't seem to be what the parent comment was going for.


Installing keyloggers is not legal in all the countries. If you look at the advanced economies, I'd dare to say in very few of them.


Even where illegal, few employers realize this. "It's our hardware, we bought it, so we have the right to monitor it in infinitely-fine-grained detail" often kicks in well before any ethical or even legal implications do.


For parents of kids who are getting themselves into troubling things (physical, mental, social: thinspiration, suicidal temptation, and dangerous "religious" indoctrination, to pick one example from each of those categories) are going to like it too - so while I see your concern I can definitely see why this was considered a good enough idea to implement.

Of course we are still in a position where most kids know more about what goes on inside the computer than their parents[] so many will find ways around this if they need to...

[] though I feel this is changing, at least here, as the 90s (and to an extent 80s) generation have growing families: they grew up with tech around them so were far more attuned to it than their parents, and to many kids these days tech is just commodity items so they can use them well but don't bother to understand them.


Wow that's insane! And I'm glad you're an awesome parent. You should post an anonymised screenshot of that email sometime if you can, this is pretty ridiculous.


Ask and ye shall receive: http://imgur.com/eeBtcIw

Bear in mind that it's nearly empty because we'd only just recently upgraded to Windows 10, but note that it has an entry for "Latest searches". Wouldn't that be one hell of a way for a kid to come out of the closet to his parents, or for someone to find out their daughter's pregnant?

Consider that this data is linked to each kid's email address. When this database is hacked, won't that be an interesting week in all the local schools as everyone learns what their peers are really doing?


No.

The schools provide laptops to the kids. And then make them "kid accounts". Then the school processes all of those reports and punishes based on them... or sells them to advertising firms.


You know, a couple of years ago I would have written that off as paranoid ranting.


No, I think it still is paranoid. It's just now provably true as well.

I'm not entirely sure how much I believe the "MS sniffs your keyboard every half hour". However, with that kid-sniffer (search this page for imgur); that's built in. That terrifies me.

And I'm thinking of LGBT, other religions, TOR, abortions and women's health, medical searches, domestic abuse searches, and more. And the allegations that the torrent sites are levying are also insane too.

I'm glad I've been working on Ubuntu and FreeBSD for the last 12 years. Unfortunately, I'm getting a nice writeup to the 2 directors I've passed an Intel Compute Stick to with Win10, alerting them of the situation.


What's really surprised me here is that I haven't seen Microsoft comment on any of the privacy concerns here at all.

They haven't even said they're going to fix the stuff you can't disable ( see http://arstechnica.com/information-technology/2015/08/even-w... ).

I'm worried that they're just going to ignore problems like this and in a few years, there will be no choice but to run this if you want to be able to run the latest versions of other software.


Only played New Vegas for 8 minutes? Please. This is obviously a fake.

:)


Well, that one night. He's logged another 19 hours so far today.


Ah. Well that's more like it, then :)


> By default, unless you log in and explicitly disable it, Windows 10 collects kids' usage activity and uploads it to Microsoft's servers. Presumably the same mechanism is disabled for adults. Presumably.

And this is legal under COPPA? If so, the law needs to be fixed sooner rather than later.


This looks like a deliberately misleading and overblown claim to me. Looking at the knowledge base articles, we see that the diagnostics tracking service is enabled only for users who already participate in the customer experience program (a very clear option when setting up Windows for the first time):

- KB3080149: "The diagnostics tracking service collects diagnostics about functional issues on Windows systems that participate in the Customer Experience Improvement Program (CEIP)."

The second update is short on details, but it's specifically targeting the UAC "Run as Administrator" dialog (which is implemented by consent.exe), presumably to collect information on unsigned applications which request admin privileges. Microsoft should provide further details here for sure, but I see nothing nefarious. One might guess that the information collected here might be the hash of the exe requesting admin privileges.

- KB3075249: "This update adds telemetry points to the User Account Control (UAC) feature to collect information on elevations that come from low integrity levels."

Compare this with the ridiculous claim in the article that this is "allowing for remote monitoring of everything that happens within the operating system."


Article text, since the site seems to be down:

Windows 10 has been launched and already installed on more than 50 million computers worldwide. It is now a known fact that Windows 10 user data is being sent back to Microsoft servers back in Redmond, Washington. Well, now new updates that are being deployed to all Windows 7, 8 and 8.1 machines will turn their computers into a big piece of spyware, just like their predecessor, Windows 10.

The updates in question are KB3075249 and KB3080149. If installed, these updates are known to report your data back to Microsoft servers, without user interaction. KB3075249 Microsoft Update adds telemetry points to ‘consent.exe’ in Windows 7, 8 and 8.1, allowing for remote monitoring of everything that happens within the operating system. KB3080149 ensures that all “down-level devices” receive the same updates and treatment as Windows 10 boxes get.

As you would guess, forums are lit up with speculation on these updates and more. Below you can find a list of other Windows updates that some users have questioned. Please keep in mind, avoiding some or all of these updates may cause your environment to be unstable and/or unsecure.

- KB2505438
- KB2670838 – Windows 7 Only (corrupts AERO and blurry fonts on some websites)
- KB2952664
- KB2976978 – Windows 8 only
- KB3021917
- KB3035583
- KB3075249


The links to the Microsoft's KB articles of the two updates:

https://support.microsoft.com/en-gb/kb/3080149

"This package updates the Diagnostics and Telemetry tracking service to existing devices. This service provides benefits from the latest version of Windows to systems that have not yet upgraded. The update also supports applications that are subscribed to Visual Studio Application Insights."

https://support.microsoft.com/en-gb/kb/3075249

"This article describes an update that adds telemetry points to consent.exe in Windows 8.1, Windows RT 8.1, Windows Server 2012 R2, Windows 7 Service Pack 1 (SP1), and Windows Server 2008 R2 SP1."


Just the name "consent.exe" itself sounds malicious (although it's been around for a while).


"The consent.exe is a part of Windows operating system. It is part of the User Account Control feature which allows or disallows access to administrative functions based on your preference."

http://answers.microsoft.com/en-us/windows/forum/windows_vis...


It's also a process run whenever you install a new program!

It's the updates to consent.exe (adding telemetry points) which are cited in this thread that are the issue.


Brilliant, 2 options I see

Never do updates again (which is what I will be doing this evening) and make system perm insecure

Or let MS and the NSA rape me for even more data than they already have

Go [insert abusive word] yourself Microsoft and to think just last week I got a 3rd windows 7 license because I was planning to stay on 7 long term and not upgrade to 10.

Steam hopefully will push Linux gaming that I can finally get rid of this crap.


If Steam OS becomes a viable desktop gaming OS that plays most, if not all games, I'll drop Windows in a heartbeat.


There are over 1,900 games on Steam that run in Linux.

https://steamdb.info/linux/


Many of the games I have in my library do not run at all unfortunately.

Sometimes I like to go back and play old stuff too.


Many Steam games work great under WINE, both on Linux and OS X desktops!


Wine is always a viable option, especially for older games. With DirectX 11 support coming later this year, almost every Windoze only game should hopefully work.


What about the games that have no entry in the WINE database? Are they just untested or do they not work at all?


It's still slower mostly. Mostly since they don't have any specification at all.


It is? I've personally seen better performance with Wine + Linux than with Windows.

Now, this isn't to say that Wine is totally up to par with Windows in terms of compatibility, but performance hasn't been a significant issue for quite some time.


I searched for a few games I'm playing now and have played recently and out of 10 there were 4 that had no entry on the WINE database.

This might be enough of a barrier to stop me using it right now.


That happens, particularly on really new (or really obscure) software. Really, though, that ought to be an encouragement; sure, you're left in the dark, but it means that those games could use some test coverage. Your contributions to the AppDB could help quite a few others.


Parent's post has so many qualifiers, it says nothing at all.

I do not see a performance penalty at all with WINE. Most games that work play at speeds matching or better than windows. WoW is usually a big example of that, as are emulators.


WoW and emulators are both fairly trivial for a modern system to run well. There is definitely a significant performance hit if you are running something in WINE that nearly maxes your performance in Windows.


Someone's never used Higan before. I've made Stunt Race FX and Yoshi's Island peg a Core i7. Running Tekken 4 on MAME is just as intensive.

Running either in wine is a fine benchmark on performance.


I updated to Windows 10 and found it to be so painfully slow that I switched to Ubuntu 14.04 for gaming. I've honestly had a pretty good experience playing everything from low-fi indie titles (like Terraria) to AAA releases (like Shadow of Mordor). Try it out!


> I updated to Windows 10 and found it to be so painfully slow

I initially had that problem, but it seemed to be the fact that (on top of some phoning-home options that I missed disabling originally, which seemed to play some role in the slowness -- disabling them helped) the Windows 10 update from Windows 8.1 also, for some unknown reason, rolled WLAN drivers back to the versions that were several years old (pre-Win8.1 at least) and fairly broken and couldn't automatically locate new ones; redownloading the latest (for Win8.1 -- no Win 10 specific drivers were available for the hardware in question) drivers (which is what had been installed prior to the update) resolved the slowness problems.


I can't say I've had any issues with performance on Win10. Some games seem to actually run a bit better for me.


Will games that run on Steam OS be compatible with regular Linux?


Yes. If you look at the Steam search you'll see that Linux is paired with SteamOS.[1]

[1] http://store.steampowered.com/search/?os=linux


Same. I would really like it to accommodate old Windows games as well, but that's too much to ask for right now.


Steam is owned by Valve and Valve is a US company. Using steam will not change anything since it is the US laws allowing/requiring companies to comply with the NSA.


The difference being that I want to use Windows only for games without all this other cloud integration crap that comes with it.

Steam OS is a Linux-based OS designed primarily for gaming. Any and all cloud-integration will be specifically gaming-focused.

Can you not see the difference between that and a general purpose OS like Windows harvesting data everything you do on your system?

I won't be using Steam OS to do anything very sensitive like sending or receiving personal e-mails, editing word documents or spreadsheets, or browsing the internet for whatever reason.

Unless you consider firing up a shooter or a city-building sim sensitive.

The two OS's have very different purposes and use-cases.


> Using steam will not change anything since it is the US laws allowing/requiring companies to comply with the NSA.

There's a big difference between 'allowing' and 'requiring'.


Telemetry is clearly not a legal requirement. It's only data stored on steam servers (including chat logs) which you have to worry about.


Partition your system: Linux for browsing, typing, etc. swindows for gaming and being raped...


Parent post is willing to sacrifice his liberty and privacy because not doing so will cut him off from games.

Can we all just be honest with each other and call this behavior an addiction already?


kb3075249 - "...adds telemetry points..." (https://support.microsoft.com/en-us/kb/3075249)

kb3080149 - "...Telemetry tracking service..." (https://support.microsoft.com/en-us/kb/3080149)

kb3068708 - "...Telemetry tracking service..." (https://support.microsoft.com/en-us/kb/3068708)

kb2976978 - "...performs diagnostics on the Windows systems that participate in the Windows Customer Experience Improvement Program..." (https://support.microsoft.com/en-us/kb/2976978)

kb3021917 - "...Telemetry is sent back to Microsoft..." (https://support.microsoft.com/en-us/kb/3021917)

kb3035583 - "...installs the Get Windows 10 app..." (https://support.microsoft.com/en-us/kb/3035583)

kb2952664 - "...ease the upgrade experience to the latest version of Windows..." (https://support.microsoft.com/en-us/kb/2952664)
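
The check from the `systeminfo|findstr` comment earlier in the thread, extended to all seven KB numbers listed in the comment above, as an added example that is not part of any commenter's post. It is written for Windows PowerShell 2.0 (the version shipped with Windows 7) or later; the function name `Get-ThreadKbStatus` is hypothetical.

```powershell
# Added example, not from the thread. The KB numbers and the quoted notes are
# the ones commenters list on this page; Get-ThreadKbStatus is a hypothetical name.
function Get-ThreadKbStatus {
    param(
        # Assumption: check the local machine unless another host is named.
        [string]$ComputerName = $env:COMPUTERNAME
    )

    # KB id and the phrase quoted in the thread from each Microsoft KB article.
    $watchList = @(
        @('KB3075249', 'adds telemetry points'),
        @('KB3080149', 'Telemetry tracking service'),
        @('KB3068708', 'Telemetry tracking service'),
        @('KB2976978', 'performs diagnostics on the Windows systems that participate in the Windows Customer Experience Improvement Program'),
        @('KB3021917', 'Telemetry is sent back to Microsoft'),
        @('KB3035583', 'installs the Get Windows 10 app'),
        @('KB2952664', 'ease the upgrade experience to the latest version of Windows')
    )

    # One query for every recorded update, indexed by id. Get-HotFix reads
    # Win32_QuickFixEngineering, so the match is exact on the HotFixID field
    # rather than a substring match over all of systeminfo's text.
    $installed = @{}
    Get-HotFix -ComputerName $ComputerName -ErrorAction Stop |
        Where-Object { $_.HotFixID } |
        ForEach-Object { $installed[$_.HotFixID.ToUpperInvariant()] = $_ }

    foreach ($entry in $watchList) {
        $kb, $note = $entry
        $hit = $installed[$kb]

        # InstalledOn can be empty on some systems; report it only when present.
        $installedOn = $null
        if ($hit) { $installedOn = $hit.InstalledOn }

        New-Object PSObject -Property @{
            KB          = $kb
            Installed   = [bool]$hit
            InstalledOn = $installedOn
            Note        = $note
        } | Select-Object KB, Installed, InstalledOn, Note
    }
}

# Installed updates first, then the ones that are absent.
Get-ThreadKbStatus | Sort-Object Installed -Descending | Format-Table -AutoSize -Wrap
```
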


Here is a more in-depth analysis of windows 10 and what is sent to MS

http://aeronet.cz/news/analyza-windows-10-ve-svem-principu-j...

For those who don't speak Czech:

- It sends all text you type anywhere (not just into search) every 30 minutes to MS. If you type about a holiday to your blog, next day you'll see holiday ads.

- Every 30 minutes it sends your geo-location and network information.

- If you type a telephone number into Edge it sends it to MS after 5 minutes.

- If you type anywhere in Windows a name of some movie, Windows will start indexing all your media files after a while and will send it to MS after 30 minutes of your inactivity.

- After installing W10, it will send about 35MB of data once.

- After turning on your webcam for the first time it sends data to Microsoft once.

- Everything you say is transferred to MS, it works even if you disable and remove and uninstall Cortana. Parts of Cortana are needed for the core of the OS to run.

- Voice is transferred every 15 min, 80MB of data.

- After 15 minutes of your inactivity or when screensaver is on, network activity ramps up and everything else is being sent to MS.

- Blocking in hosts doesn't work, IPs are hardcoded into their code and DLLs.


Is any of this verified? During a previous posting of this it was largely dismissed as propaganda [1]. If someone has reproduced these findings that would be very interesting.

What would be even more interesting would be for someone to intercept the spying data that is being sent back so we know for sure what's being sent.

[1] https://news.ycombinator.com/item?id=10053420


Was about to ask for an alternate source too. Last time this was posted, people pointed out this website was not reliable at all. A nice analysis by a well-known security researcher should exist to confirm that.


Here's a nice analysis by a well-known security researcher in response to that article. He could not confirm the results.

https://systemoverlord.com/blog/2015/08/16/so-is-windows-10-...


[flagged]


You can call it a key logger, and I understand why you would object, but sending search terms typed into a search box to a search engine is pretty much what people expect. Ubuntu does it. GNOME does it. Android does it. iOS does it. OS X does it. Windows is very nearly the last one to do it.

Privacy is important, and I don't think either I or David Tomaschik would ever argue otherwise, and there should definitely be an opt-out, but I think there are more serious problems with Windows that would be more worth objecting to than searching the Web from a search box.


> sending search terms typed into a search box to a search engine is pretty much what people expect. Ubuntu does it.

And Canonical has received a barrage of flak for it as a result. I outright stopped using Ubuntu as a result. Users expect the search box on their computer to search their own computer, not bombard them with ads.

> GNOME does it.

By default? Which distro? Last I checked, the GNOME search tool is limited to local objects. Maybe if you've explicitly integrated an online account, but I've yet to encounter that if that's the case.

> Android does it. iOS does it.

These systems aren't nearly as oriented around local file access, so the online-first approach for search (while I personally disagree with it) is not as jarring. Siri and Google Now are specifically marketed for online searches as well.

> OS X does it.

Again, by default? Because I've yet to actually see online results when searching for things in, say, Finder. Not that I wouldn't hold it above Apple to pull such shenanigans, of course; they love fucking over their users for the sake of a "more beautiful" (please) product.

> Windows is very nearly the last one to do it.

Hardly. None of the BSDs (that I know of) do it - even the desktop-oriented ones like PC-BSD. None of the KDE-based GNU/Linux distros (again, that I know of) do it - that category includes Kubuntu, openSUSE, and quite a few others. KDE itself certainly doesn't do it, nor do LXDE or Xfce, last I checked, and nor do the distros which use those particular DEs by default. I'm pretty sure none of the GNOME-based distros do it; in particular, I'd be very surprised if Debian stooped anywhere close to such a level of depravity.


> > OS X does it.

> Again, by default? Because I've yet to actually see online results when searching for things in, say, Finder. Not that I wouldn't hold it above Apple to pull such shenanigans, of course; they love fucking over their users for the sake of a "more beautiful" (please) product.

It's in Spotlight from at least OS X Yosemite.

> > Windows is very nearly the last one to do it.

> Hardly. [...]

These are not consumer-oriented products.


> These are not consumer-oriented products.

PC-BSD certainly is. openSUSE arguably is (while it has quite a few enterprise features, it has plenty of consumer features, too, especially when paired with KDE or GNOME). Kubuntu certainly is. KDE certainly is.

And we haven't even gotten into the other consumer-oriented operating systems that don't compromise privacy to the same degree as Ubuntu+Unity, iOS, Android, or (now) Windows. I haven't even mentioned Linux Mint (with Cinnamon, MATE, KDE, or Xfce), which is certainly consumer-oriented (it sure as hell ain't enterprise-oriented, in my experience). Then there's ElementaryOS, PCLinuxOS, Mepis, Vector, GhostBSD, AmigaOS, RISC OS... the list goes on. Said list goes on even further once you factor in some more experimental - yet still designed to be consumer-oriented - systems, like Haiku and ReactOS. As far as I know, zero entries on this here list have fallen into the trap of siphoning user data by default.


GNOME searches whatever you want it to, but they heavily advertise integration with online sources as a feature. OS X Spotlight does online by default. Finder and Windows Explorer search local files. I said very nearly since, although they're great, BSD, KDE, etc. have very few users.

I'm not arguing that having control over your computer is important. I think people should be using exclusively free software, but it's really hard to sell them on that. Just about the only thing going for it is honesty and consistency. I'm worried that if people start exaggerating issues and get exposed for it, the free software side will lose credibility.


> GNOME searches whatever you want it to, but they heavily advertise integration with online sources as a feature.

Right, and so does KDE (to an extent), but I don't recall either actually using those online sources for searches. Maybe GNOME3's managed to get worse since last time I tried it, however ;)

> OS X Spotlight does online by default.

TIL. I guess I don't use Spotlight enough to notice...

> but it's really hard to sell them on that.

It depends on the approach. I've managed to get quite a few people switched over to openSUSE (for example) on the simple grounds of "your Windows XP machine can't handle Windows 7 very well; here's something better that will save you the cost of a Windows license and the cost of upgrading your machine and won't slow down after a few months of use".


You didn't know that in Windows 10 until the news hit that disabling Cortana doesn't prevent that. Hell, I've never even seen Cortana since I'm in Dragon land (perhaps that's on the positive side for once) and I would've never thought the Start menu search isn't local only. Can I opt out? Nope. I can on Ubuntu, Android and iOS though.


It's really not that hard to opt out. The search is just a default program, and you can replace it with whatever you want, like Classic Shell.

You could argue as others have that there should be a default search which is local only, but why is it so important that everyone uses Microsoft's default programs rather than the millions of third party programs available? There seems to be a double standard where people say that it's important that Microsoft not push its own software over alternatives but also that Microsoft's default programs should fit every need of every user.

There's plenty that Microsoft does wrong, but providing a search that uses their search engine while allowing users to install whatever search they like is not so bad. You are already contacting their servers for updates and other things. Having to install an alternative search is really no worse than having to install a web browser. Now you might say that the menu is basic functionality but the browser is not, but what's really the difference?


The issue I see with it is transparency about it. If a user updates from Win7/8, which didn't have this explicit functionality, he doesn't know that it sends the queries online, nor is he immediately shown how to easily opt out. I mean, where's a section in Control Panel that's titled "Windows 7/Classic mode"? FFS, I'd pay for that service pack or edition.

At least now we know why they're offering the update for free.


It says "Search Windows and the web" right on the search box and displays web results. You don't have to pay for an alternative. When Windows 8 came out 3 years ago, lots of alternative start menus became available. If you haven't found out about them in that time, you probably don't care, but maybe they could be featured in the Windows Store or something like that under customization.


[deleted]


Yes, it does. A fictitious list presented as fact does not contribute to the discussion. We know that Win 10 transmits lots of data to various hosts, and their recent privacy policy outlines a plausible, yet vague description of what is being sent. It is quite possibly deliberately incomplete/vague, and a legitimate account of what is being sent would contribute greatly.

As for being safe and maintaining privacy, it is well established that the solution is to move to an open system.


>Does this even need to be verified ?

Of course not. We should make blind, fear-based assumptions about businesses and reject the "rudder of rationality", so that we can be blown about by the winds of whatever viral fearmongering hits the top of our feeds for the day!!


Errrrr, are you saying that if someone is making up random accusations which are not true, we should treat them the same as facts?


Well, seeing that 80 MB every 15 minutes is over 35 Tb/s (at only 50 million Win 10 users [1]), and 12 Tb/s was the reigning speed record...

[1] http://www.winbeta.org/news/there-are-now-over-50-million-pe...


No, that's actually 0.8 Mb/s


Yes, per person. At 50 million users, you need a 35 Tbps pipe to take in all that data.


That can conceivably be split across multiple datacenters in multiple countries - something which Microsoft almost certainly has access to.


Even breaking it across multiple datacenters you're still hard-pressed to do those speeds over a short period (weeks), let alone constantly over time [1]. My point was the physics in the parent don't work.

1. http://blog.streamingmedia.com/2015/07/windows-10-launch-hug...


Shit, that may just have changed my opinion on this. Is the first one really correct? Anything we type on a PC anywhere? So if I open up tor and load a site it's basically useless because any url I type in tor will go to ms anyways? WTF? Each and every one of those is completely unacceptable.

Anyone know about any good unix distros that won't be too much of a culture shock to someone who has used windows his entire life?


KDE is the closest to windows. Start with Chakra[1] or KaOS [2] if you want it to "just work" (both are Arch-based). If you want to tinker, go Manjaro KDE.

If you want to have to earn back every single piece of hardware in your computer, and end up becoming a Linux superhero when you're done, install Gentoo.

If you're concerned about privacy or rights, avoid Ubuntu and Redhat distros, as they have a history of exploiting both users and the free software licenses they purport to honor.

The most software-compatible is Debian, but games/steamOS run on all x86-based distributions.

1. http://chakraos.org/

2. http://kaosx.us/


I ran Chakra for a while -- although it's been a few years -- and wouldn't recommend them to people looking to switch from Windows. Unfortunately they weren't careful enough with their rolling updates and they would intermittently break installed applications, including at one point smb. So one day I could connect to Windows shares, the next day I couldn't.


If it's been more than a year since you've used a distribution, your opinion, positive or negative, is likely inaccurate. The Linux community iterates at an order of magnitude faster than the Windows or Mac ecosystem. The Chakra of today is far smoother than the ones a few years back.


True. I wasn't clear, but it was more a criticism of the project's management, which iterates far more slowly. But still, that's why I mentioned it had been a few years -- so anybody could dismiss my experience as they wished.

fwiw though I took a quick look at their -stable forums (http://chakraos.org/forum/viewforum.php?id=32) and there are several recent threads related to updates breaking things. I realize that will to some extent be a problem on any platform, but it seems disproportional on Chakra.

And in any case, that probably makes it a poor recommendation for Linux novices switching from Windows.


fair enough. then switch to KaOS. :)


Or Kubuntu if you like to get help from the now-abundant Ubuntu/Debian "how to" stuff on the internet.

Also, it avoids the "privacy" problem of normal Ubuntu, as it does not use the Canonical desktop stuff.


If you read up on Jonathan Riddell's (and the FSF and SFLC's) spat with the Ubuntu Community Council [1], you wouldn't touch Kubuntu with a 10-foot pole.

1. https://lwn.net/Articles/645973/


> Anyone know about any good unix distros that won't be too much of a culture shock to someone who has used windows his entire life?

Try openSUSE:

* UI is designed to be very familiar to Windows users, with a Windows-looking taskbar complete with start menu and system tray (if you pick KDE, Xfce, or LXDE for your desktop environment; GNOME is a bit... well, out there).

* openSUSE ships with YaST, which provides rather extensive graphical system-wide configuration. It's arguably the closest thing to a proper and fully-featured Windows-style Control Panel you'll find in the GNU/Linux world. Thanks to YaST, it's pretty rare that you'll ever need to touch the command line for the vast majority of tasks.

* If you're running in an Active Directory environment, openSUSE's builtin support for joining AD domains is abso-fucking-lutely phenomenal; the YaST-based configuration blows even Windows out of the water, let alone other GNU/Linux distros.

* Pretty stable (openSUSE is the testbed for SUSE Enterprise) without being totally behind the times like Debian Stable tends to be.

I've set it up on the formerly-XP-running machines of multiple elderly, computer-illiterate people with effectively zero issues (other than one user complaining about the default desktop background; I showed him how to change it, and he since managed to figure out how to set up his own without further intervention on my part). If computer-illiterate old people can figure it out, I'm confident that someone who knows that Hacker News even exists can figure it out ;)


I think the one I would most recommend for a newbie is Linux Mint. I don't feel strongly about this. If you don't like it, try something else. But expect some migrating pains regardless; you're used to Windows's warts, now you need to get used to another operating system's warts.


I guess I am not a linux newbie. I know my way around a unix box; I just haven't used it as my primary work station ever. So things like compatibility with all the popular stuff come into play.


If you're familiar with the command line, then the only OS I like personally is Arch Linux. You start with nothing more than a Bash shell (seriously, it doesn't even have an installer), install your OS onto a disk with a couple commands, and then install whatever software you want. I install the XFCE desktop environment and Firefox, and go from there. Arch doesn't try to babysit you or do things for you; you will be editing lots of plaintext config files from the shell. But it almost never breaks, because it only does what you explicitly tell it to. Very simple OS, great package management, cutting edge software, wonderful documentation.

To be clear, I do NOT recommend it for folks who don't want a learning curve. But once you're over that curve, it is a haven from shitty operating systems.


I second this. I used Arch for around four years and it was a wonderful experience.

Funnily enough, I recently switched back to Windows from Arch. Linux's ecosystem was just too depressing for me. Windows 10 makes me sad though because it had the potential to be great were it not for all the privacy issues.


That sounds exactly like what I was looking for. Thanks! I'll have a look.


Make sure to check out the Arch Wiki[1]. If you use DuckDuckGo you can easily search it using !AW.

[1] https://wiki.archlinux.org/index.php/Main_page


It was my first Linux distro 8 years ago, and it's still the only operating system I can stand today. Again, it has a big learning curve, but I love it :) Hope it goes well for you.


ElementaryOS is the closest to OSX you will find. It's based off Ubuntu/Debian too.


No one has verified this. Sorry, but this list is just fearmongering. It would be good if we could focus on the facts here. There's a real issue here and it helps to be honest.


Sounds too crazy to believe. If true, I think I would be forced to stop using windows altogether.


If you haven't stopped yet, this won't change anything.

Edit: bury me if you want, it doesn't make what I say any less true.


I've never heard of MS key-logging everything you type and broadcasting it to their servers. If that were true, I would 100% not use windows. I only use my windows box for steam games and that's mostly for dota2 these days which has a linux client.

I don't know why you would assume to know me so well.


If you are seriously claiming ignorance of everything Microsoft has done since Palladium [1], maybe you have a leg to stand on. But you seem like a smart guy, who has probably seen all the controversies (even if just with the Xbox One), so I think my original statement stands.

1. https://en.wikipedia.org/wiki/Next-Generation_Secure_Computi...


are you using google or facebook? might want to consider dropping those, too.


It's expected for Internet-based services that make their living on advertising. It is not expected for my operating system.


No to facebook and I'm working towards moving away from gmail. Still using google search though for now.


>-If you type anywhere in Windows a name of some movie, Windows will start indexing all your media files after a while and will send it to MS after 30 minutes of your inactivity.

This one is really hard to believe. All the others are kind of believable.

>-After 15 minutes of your inactivity or when screensaver is on, network activity ramps up and everything else is being sent to MS.

But what is everything else?


Call me naive, but some of these, especially the first, seem borderline illegal and I doubt that even in their greediest hour Microsoft would dare to implement this shit. If this is true, I'm sure they could be sued on quite a monumental scale.


That's a security nightmare.


I've seen a lot of posts about people worrying about personal privacy, as they should be! Right now I'm actually curious about the business implications. Is data going back to Microsoft? Should we be banning Windows for developers, finance, customer support? I'm worried about personally identifiable information (PII) leaking out of our company. Also developers still handle credentials with access to production systems, AWS, sometimes SSL certs. This data cannot be sent out of the network. What is the impact for businesses?


That's what happens when a single vendor has more than a 95% share of a market. There is no competition; where the hell are people using Windows software going to run? I'm really angry at this. What's the difference between this and a spyware / key logger / trojan? There is none conceptually.

I sincerely hope it backfires because it's just insane. If MS wants to collect on my hard drive or log my key strokes, it should ask for my approval first and not hide it behind a license.

People are outraged with the AM hack scandal; well, nothing guarantees that MS will never be hacked. And when a database like this gets hacked, every Windows user's data will be in the wild. That's just crazy. Is this the "new Microsoft" a lot of HNers like to boast about? Same as the old one.


I have my windows 7 PC set up to automatically install "important" updates. Are these telemetry updates considered "important" or "recommended"?


Just check if you already have them installed or not


Microsoft has already raised our suspicions by offering Windows 10 upgrades for free. As a result, we're perfectly primed to believe the worst about these updates.

Microsoft needs to do something convincing to reassure its users or Windows 10 will likely become synonymous with "Big Brother" regardless of what's actually going on.

To reiterate, we're leaving territory in which it would have been reasonable to "do nothing and hope it all blows over". MS needs to respond quickly or they're going to have another dud release on their hands, in spite of giving it away for free.


2016 is the year of desktop linux.

For the kind of people who care about this sort of thing.

Also puts "Scroogle" into perspective.


I doubt there are enough people who care. Google has already proved that seemingly benevolent spying is a highly profitable business model. Most people aren't bothered, or even know, that they are being "Scroogled". Microsoft is just following suit. Sadly it seems to be a sign of things to come.


The potential big difference here is that it affects people's work computers, where they do things for organizations that have a strong interest in keeping information from leaking out. Such companies probably were never happy with corporate data passing through Android smartphones, and might have forbidden it. Now they know they can't trust Windows workstations either.


Win10 enterprise has the no telemetry option for a reason.


Because every small business uses Win10 enterprise?


Most enterprises that care probably are. And it is possible for small businesses to get, just costs a bit more (including Software Assurance renewal) and it also gets you access to things like LTSB.


Maybe some small businesses don't care, but the people whose data they are handling might not agree with that stance.


And don't some of the same companies store all their company documents, email etc. on Google Apps? Or on Dropbox?


Many do, but many don't. For those that don't, suddenly having the dominant desktop OS turn on them is going to be a big deal.


> And don't some of the same companies store all their company documents, email etc. on Google Apps? Or on Dropbox?

Storing company confidential information on services not controlled by the company is explicitly forbidden at many large corporations. They run their own email servers (not Google Apps), and often ban & block things like Dropbox outright.


1) Internet web sites have always been "lit up with speculation".

2) Microsoft's "spying" has been going on since Windows Vista was released, and speculation has gone along with it.

3) Since the 1990's, next year has always been "the year of desktop Linux."


People keep saying that there was spying going on from XP or Vista, but "spying" isn't a binary state. The amount of intended data-slurping has increased incomparably.


You can choose between telemetry levels in Win10 though.


I think Navarr is fully aware of the Linux desktop meme. It's clearly tongue-in-cheek


Yes, thank you. Though honestly the people who really do care about this will see the coming year as year of the Linux desktop.

And to me it seems like a lot of HNers care that Windows is sending all this telemetry. (Aren't we the same group that is obsessed with A/B tests and recording analytics on everything a user does on our website?)


Agree. There seem to be hundreds of analytics services. Use of those is totally correct, obviously. The more specific the merrier.


I'm inclined to agree, albeit begrudgingly. I am more-or-less happy with the usability of Win 8.1, but I'm not willing to have my machine turned into a permanent outpost of the NSA.


First, the website is down. Second, there is always overblown paranoia that runs with every release of Windows. I wish EFF or at least ArsTechnica would cover it, so at least it will be a proving point for these independent blogs. For all I know, these updates could be for someone who has already signed up for "Sent diagnostics to Microsoft for product improvement" on their existing Windows. Else it has to be the dumbest spyware that comes with a release note, description and a self-describing name.

>2016 is the year of desktop linux.

I don't care if it is Linux, Apple or Windows. As long as someone can guarantee a certain degree of usability and a common sense of privacy, I wouldn't mind switching. However at this point where even open source is taking a nose dive (eg: "Ubuntu and Amazon Search", "Chrome and proprietary blobs", "Firefox with Hello and Pocket"), I am not sure anymore. If it keeps up this rate, in the future people might look back and see privacy as a silly idea /sad.


It's since 2006 that every year is gonna be the year of linux on the desktop. Except it never happens.


I guess you haven't witnessed Corel Linux, Wordperfect for Linux or Loki Entertainment. It's been predicted way longer than 2006.

Ps. Sorry for the accidental downvote :(.


Can attest. Used Linux as primary OS for last 2-3 years in college, then got a job doing development on Linux, then worked for a Linux startup in early 2000's (we hired a couple ex Loki employees). Linux on the desktop has been a roller-coaster movement since not long after its inception, likely around the time KDE and Gnome were released with some level of maturity. There was always the ported desktop managers but I don't think it's had much viability for dominance until OpenOffice came along.


Oh! Someone that remembers Corel OS. I still have one disc somewhere...


Yeah :). I was mostly using Slackware Linux at the time, but my brother bought a Corel Linux box at the time. If I remember correctly, it came with an inflatable Tux.

I also had a separate copy of WordPerfect for Linux for a long time. It still worked fine until I sold it on eBay, thanks to libc5 compatibility in most distributions. Even though I stopped using it at some point, I continued to use the Type 1 fonts that came on the CD.


Maybe a chance for the Linux gaming scene? Finally a window (see what I just did?) for another gaming OS? Hail Unix.


No wonder they intend to no longer describe what's in an update... Only using Windows in a VM still. Just set the network connection host-only. Didn't really need internet there anyway, and given these circumstances, I might as well get rid of it completely. I guess any inclination I had to think Microsoft is on the way up just vanished again. Too bad it also means I'm probably going to throw away my plans of diving into F#. Open source, but still too tied to this company I'd better just give up on.


If you want to get into functional programming, check out Haskell or Erlang.

Both run well on Linux.


Last I checked, F# works perfectly fine on non-Windows platforms with Mono.


Google cache of the article as the site seems down: http://webcache.googleusercontent.com/search?q=cache%3Awww.h...


Found a useful script on SuperUser that removes KBs as well as hides them in the future. Just need to change the list slightly:

    FOR %%X IN (3075249 3080149 3068708 2976978 3021917 3035583 2952664) DO ...

http://superuser.com/questions/922068/how-to-disable-the-get...


I put this in a file called something.bat and ran it as administrator to uninstall (I hope) most of the KBs. Any feedback would be great:

    wusa.exe /kb:3075249 /uninstall /norestart
    wusa.exe /kb:3080149 /uninstall /norestart
    wusa.exe /kb:3068708 /uninstall /norestart
    wusa.exe /kb:2976978 /uninstall /norestart
    wusa.exe /kb:3021917 /uninstall /norestart
    wusa.exe /kb:3035583 /uninstall /norestart
    wusa.exe /kb:2952664 /uninstall /norestart


If that's true - doesn't this expose Microsoft legally? I mean we paid for win 7 under certain terms, and now they're changing them.


This is my reaction. I don't want cloud connections and MS/NSA surveillance and key loggers in my OS, so I won't be going to Win10. Hopefully there is enough backlash that MS is forced to allow users to opt out of this garbage on Win7, at least.


You don't have to update if you don't want to. That is how they get you.


One of those terms was that they can change the terms at any time without notice.


:) Is that even legal?


Consent is cemented 72 hours after a contract has been agreed-upon, unless fraud is involved. In this case, agreement to future contract amendments/changes is consent.

Your fault for clicking "Agree". Didn't anyone watch the Human Cent-iPad episode of South Park?


IANAL, but:

" Unilateral modifications are not supposed to alter the material or important terms of the original contract. "

http://www.faircontracts.org/contract-provisions/unilateral-...


Unless you've bilaterally agreed or acquiesced to it, of course. Consent(.exe) is everything.

You have 72 hours (10 business days by mail) to undo your consent to the Windows license changes after clicking "Agree". Did you submit your notice in a timely fashion, or did you let the clock run out?


This news is another nail in the coffin. The pattern I can see among my peers and my small market is that people are more and more uneasy with using the web for sharing valuable info and data, both on public and private networks. They prefer face-to-face meetings and paper docs. Food for thought and some ground for new startups maybe.


Been waiting for an article like this but even though it points to two items, KB3075249 and KB3080149, it doesn't seem like "firm" information as there is a huge list of "maybe" items as well as a warning that removing things can mess up your computer.

How likely is it that we'll ever have a "firm" finite list?


What an unbelievable lack of respect and a big FU to Microsoft's own customers. At least using Windows 10 is a choice (I think - do they force it on Windows 7 machines?), but to do this to all existing customers - wow, just wow.

Behold everyone - this is the "new" Microsoft, worse than it ever was.


> I think - do they force it on Windows 7 machines?

No, but they keep nagging you every time you turn your computer on.


You can turn off the nagging by uninstalling update kb3035583. Then hide the update so it doesn't helpfully install it again for you.
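A read-only way to check where each update named in this thread stands (installed, still offered, or hidden), added here as an example; it is not code from any commenter or from the linked SuperUser answer. The `$kbIds` list is copied from the comments above; the script assumes Windows PowerShell 2.0 or later and queries whatever Windows Update service the machine is configured to use.

```powershell
# Added example: audit only. Nothing is uninstalled or hidden by this script.

# KB numbers as listed in the comments above.
$kbIds = '3075249','3080149','3068708','2976978','3021917','3035583','2952664'

# 1) Installed updates as reported by Get-HotFix (Win32_QuickFixEngineering).
$installed = @{}
Get-HotFix | ForEach-Object {
    if ($_.HotFixID) { $installed[$_.HotFixID.ToUpper()] = $_ }
}

# 2) Updates that are not installed but known to the Windows Update Agent.
#    Each result carries an IsHidden flag, so hidden updates can be told
#    apart from ones that will be offered again.
$pending = @{}
$wuaOk   = $true
try {
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    foreach ($update in $searcher.Search('IsInstalled=0').Updates) {
        foreach ($kb in $update.KBArticleIDs) { $pending["KB$kb"] = $update }
    }
} catch {
    # Service disabled, no connectivity, or policy blocks the query.
    $wuaOk = $false
    Write-Warning "Windows Update Agent query failed: $($_.Exception.Message)"
}

# 3) One row per KB, so the result can be compared before and after a change.
$report = foreach ($id in $kbIds) {
    $kb = "KB$id"
    $installedOn = $null
    if ($installed.ContainsKey($kb)) {
        $state       = 'Installed'
        $installedOn = $installed[$kb].InstalledOn
    } elseif (-not $wuaOk) {
        $state = 'Not installed (Windows Update state unknown)'
    } elseif ($pending.ContainsKey($kb) -and $pending[$kb].IsHidden) {
        $state = 'Not installed, hidden'
    } elseif ($pending.ContainsKey($kb)) {
        $state = 'Not installed, still offered'
    } else {
        $state = 'Not installed, not offered'
    }
    New-Object PSObject -Property @{
        KB          = $kb
        State       = $state
        InstalledOn = $installedOn
    }
}

$report | Select-Object KB, State, InstalledOn | Format-Table -AutoSize
```

A row reading "Not installed, still offered" means the update will come back on the next automatic install unless it is hidden.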


Parents spying on their children's communications seems hard to reconcile with the principles in the UN Convention on the Rights of the Child[1] which most countries are signatories to, in particular articles 13 and 16:

"Recognizing that the United Nations has, in the Universal Declaration of Human Rights and in the International Covenants on Human Rights, proclaimed and agreed that everyone is entitled to all the rights and freedoms set forth therein, without distinction of any kind, such as race, colour, sex, language, religion, political or other opinion, national or social origin, property, birth or other status,

...

"The child shall have the right to freedom of expression; this right shall include freedom to seek, receive and impart information and ideas of all kinds, regardless of frontiers, either orally, in writing or in print, in the form of art, or through any other media of the child's choice.

...

"No child shall be subjected to arbitrary or unlawful interference with his or her privacy, family, or correspondence, nor to unlawful attacks on his or her honour and reputation.

"The child has the right to the protection of the law against such interference or attacks."

Given that Microsoft is a US company and the US is one of very few countries that hasn't ratified the convention[2], the concept of children having human rights might seem strange and foreign to them, but almost everywhere else, the state is (it seems to me) obligated to protect children from this kind of intrusion. (Maybe the EU could look into forcing them to release a special spyware-free edition...)

[1] http://www.ohchr.org/EN/ProfessionalInterest/Pages/CRC.aspx

[2] http://www.unicef.org/crc/index_30225.html


Where are the security researchers? Credible, elaborate, and well-documented articles? Has this not captured their attention or is it a lack of concern?


Installing spyware via a software update is a huge moral hazard for Microsoft. It incentivizes people to maintain an unpatched operating system.


So I just started my windows and it seems that I am 'infected' with this anti-privacy stuff. How do I get rid of it? Re-install from the installation disk and disable updates, or can I still remove the updates?


You can remove updates via the control panel.


But does that really work in this case? It seems as if these new privacy things go pretty deep.


I'm not sure. I have seen spam that has unsubscribe buttons that actually work, as well as adware that uninstalls properly from the control panel.

I hope Windows doesn't do worse than spammers and malware programmers.


Lol, thanks.

I will at least give it a try ;). But before that I am moving all my personal files to my NAS and I will only be using windows for playing a game or 2.


I wonder how any IT corporation of decent size, with internal data policies, will be able to live with something like this.


So, does this mean MS has lost all their good will points earned from releasing all the open source code recently?


Microsoft's got even bigger balls than I thought they had... I hope this is the beginning of the end.


I think it's time that we don't ask of users to protect themselves by reading hundreds of pages of EULAs, and then ostracising themselves from mainstream electronics use (both at home, as well as at work) because they refuse to use software that's loaded with insane levels of spyware (record and transfer all voice and every keystroke). That's a large burden. It's perhaps time this becomes a legal matter rather than purely a user-choice matter.

In society we have all kinds of protections for people that make a lot of sense, that take away individual responsibility. For example, even if a person wanted, you're not allowed to become a slave, it's simply not allowed. Even if a person wanted in most of the developed world, you're not allowed to work for less than minimum wage, or in a toxic environment. Similarly even if a person says 'I don't mind if people are misogynistic towards me at work, or discriminatory, I just want this job no matter what because I need the money', that's not allowed, either.

Similarly, I think it's time we start to think of legal protections against this level of spyware. We shouldn't put the burden of acceptance on individuals when you'll have millions of people who'd prefer to live in a world where they don't have to use this software at home or at work, but have no choice (particularly at work), and thus accept spyware because the loss of their job works as a blackmailing force, just like in the above examples.

That doesn't mean I'm saying there is no legal place for software like this under any conditions. But the notion that it can't be turned off is insane. Even 'on by default' is a step too far, but now Windows is saying whether you use windows 7, 8 or 10, we're spying on you, and you can't turn it off, and if you tamper with our software manually you'll fail because we've hardcoded it. That's not acceptable and my point is, it shouldn't fall upon users to boycott such harmful parts of software they paid for (in the case of Windows 7, half a decade ago).

It should fall upon the rule of law to prevent this and allow at least an opt-in, a choice, a choice that isn't 'use any Windows product, or use no Windows product'

If OSs were more free like say, the automotive industry, I wouldn't mind as much. Like if Toyota one day decided to record audio in cars, that's one thing. You can switch to more than a dozen top-quality car manufacturers who don't do this, and it wouldn't affect your jobs or anything like that. But we're talking about a desktop/laptop market where <2% of marketshare is Linux and OS X is ~10%, the remainder is virtually all Windows and it's got hardcoded spyware features.


There are a few practical issues to solve first.

Rules must apply over time. A "turn everything off" request shouldn't be able to transform into "except these new on-by-default features added in patch 1.01".

Software has bugs, including "off switches"; as such, even if there appears to be a way to shut everything off, I always assume that these may fail. The "over time" problem applies here, too; a year from now, some poor new guy tasked with maintaining these protection switches might screw up an update and break an off-switch that used to work fine.

Information is currently too valuable. As a society we really have to get to the point where the value of bits of data is so low that leaks don't matter. We sure as heck shouldn't have ways for criminals to screw you by knowing a single number that belongs to you!

Information is inherently hard to protect. Photos are very hard to protect; even if you had a new file format, encryption, low-level hardware that was physically incapable of accessing pixels without a key, memory that could not cache plain-data versions of the image, etc. there is still an easy way for someone to take out an iPhone and snap a copy of what they see on their screen and keep it forever. True photo security would practically require what is mandated for photocopiers with respect to counterfeiting; all cameras and all displays would have to be equally mandated to use watermarked images that encode encryption keys (e.g. your camera can only take a picture of another image if the associated key is one that has granted you access). And of course, that level of assurance could also be abused.

Ideally the average citizen would be able to grant and revoke keys for any and all organizations like Facebook or Microsoft, and systems and formats would be such that information is impossible to use once a key expires or has been revoked.


My UK govt. is trying the backdoor / ban all encryption and is complicit in our "security services" getting unfettered access to citizen data. As was the previous govt. And all govts before it, and all govts in all countries.

Getting them to enact and defend the opposite will take a Herculean effort to make the citizens aware, let alone care.

I despair.


Happy Linux desktop user here. I only need Windows for TurboTax once a year, so I will worry about this in Feb/Mar. Does anyone provide a cloud-based tax filing service?


H&R Block does: http://www.hrblock.com/online-tax-filing/

Disclaimer: I have not used their online version so I don't know how well it works. I have been running their Windows version in a VM the last few years because I'm not wild about putting any more of my tax information "in the cloud" than I have to.

I would expect TurboTax to support online filing too, but did not see it on a quick search.


> I don't know how well it works

I've used H&R Block's online service for filing federal and state taxes for the past few years with no issues.


Doesn't turbotax provide just that? I did my taxes with them last year and never left the browser.


Yeah, TurboTax does. I've done my taxes several times now entirely from Firefox+Linux. TurboTax will nag you about using an unsupported browser/OS combo, but you can just click the link saying "yeah, whatever, I know what I'm doing, sod off and let me do my bloody taxes" and it'll work perfectly fine.


The most you need to get turbotax to work online is a user agent spoof.


Turbotax.com


taxact.com is entirely online too. No app required.


Well, I can see Russia putting a lot more money into ReactOS.


Or GNU/Linux, or OpenBSD, or something else privacy-aware.

But yes, ReactOS could certainly use some love, from Russia or otherwise. Can't wait for 0.4.0 to come out; should be a nice push toward general usability.


I've just finished installing Arch Linux after nuking my Ubuntu/Windows install. I've been doing a hell of a lot of configuration but I'm pretty happy with what I have.

More on point, I've been planning to buy a cheap laptop to test more experimental oses, like react and harvey.


Hadn't heard of Harvey before. Looks like an interesting take on Plan 9; I'll definitely have to try that one out.


The lack of public disclosure, commentary, and, yes, outrage surrounding Windows 10's privacy policy is a lot more disturbing than Windows 10 itself.


Easiest way to block this for sure is probably going to be to harvest a list of hostnames and/or IPs Microsoft are using and block them at your border gateway/router.

I've recently considered setting up a separate wifi SSID where everything outbound except DNS, and tcp 80/443 is blocked, as well as TLS SNI and plain HTTP logging just so this sort of thing can be monitored.


It's not what you said, but note that some of the phone-home behaviour is very deep rooted, ignoring proxy settings (http://arstechnica.com/information-technology/2015/08/even-w...):

> We configured our test virtual machine to use an HTTP and HTTPS proxy (both as a user-level proxy and a system-wide proxy) so that we could more easily monitor its traffic, but Windows 10 seems to make requests to a content delivery network that bypass the proxy.


That's a fragile solution at best. One update could change the IP/hosts of the data harvesting servers.

Surely the data will be transmitted using TLS or equivalent; HTTP logging won't do you much good unless you can (a) MITM the TLS setup, or (b) extract the keys that the spyware is using.


Windows internal firewall blocks everything just fine. So far there are no secret allow lists present.

Enable 'Deny all outgoing' and start adding your own Egress filtering rules.



People who use their google accounts and Chrome ubiquitously already get spied on by GA at a much bigger scale through all the sites they visit in their browser.

Why is it a big uproar when it happens at the OS level? Seems like it's pretty much the same thing. We always have the option of using Linux if we don't like it.


> Why is it a big uproar when it happens at the OS level?

Because you paid for it and because it's a tradition and because it's the way it should be™. Chrome is bad enough with url bar suggestions, sign in for syncing is equally bad, but at least you are aware of it and you didn't pay for it. But Chrome being bad isn't a reason Windows should become bad as well.


Chrome -- as far as we know -- doesn't transmit all of your keystrokes to Google, nor does it transmit the contents or indexes of your local filesystem(s) back to Google.


I don't think Win10 likely is doing so either.


You're posting FUD.

Those permissions are required in the context of Cortana, so Cortana can work. Keep Cortana off and turn off the services, and nothing gets transmitted.

It's literally no worse than the conditions you agree to when using Siri or Ok Google / Google Now.


If you'll allow Wikipedia to define FUD [1],

> FUD is generally a strategic attempt to influence perception by disseminating negative and dubious or false information.

What part is dubious or false? Do you need me to quote the Win 10 privacy policy?

[1] https://en.wikipedia.org/wiki/Fear,_uncertainty_and_doubt


> literally no worse than Siri

Now who is posting FUD? Apple would never do something so egregious as to upload a copy of all the filenames on my computer.


Because the pressure should go in the opposite direction -- they should have to find users that want to be spied on, we shouldn't have to find operating systems that don't spy on us.

I wouldn't otherwise have used Windows had I known they'd be shoving their telemetry reporting down my throat.


GA doesn't record all my keystrokes and voice like W10 (and now W7-8) have been accused of doing in this thread. And there was an uproar when iirc Chromium was doing something similar with voice a few months back, which was pulled later.


You can turn Cortana off in Win10 too.


Which (allegedly) doesn't actually stop the data collection.


> People who use their google accounts and Chrome

whataboutism and has nothing to do with a current discussion. Chrome the browser is not an operating system.


Because it is easier to switch a browser than an OS and many just can't switch to Linux.


Because we use our computers for different things, not only browsing the web.


There's been a number of revelations about the invasion of privacy prevalent in Windows 10 (and now according to this article/thread 7 and 8 too), but curiously Microsoft have been very silent on the matter which is only making things worse for them as users will naturally take that as a confirmation of the relevant findings.

It's also strange to see Microsoft making this move given that this invasion of privacy is probably illegal in many ways in countries that are forward thinking enough to have laws against this type of thing.

Maybe they see it as a short term ploy to try and collect as much data as they can before there is a big enough uproar against it and then decide to pull the "feature(s)". They may see it as worth the controversy if they can gather enough data for future products/improvements.


FYI, you can't disable telemetry on Win10 unless you have enterprise edition, but you can select levels.


You sort of can, see things like https://github.com/10se1ucgo/DisableWinTracking/.


It's easy to blackhole those domains and remove reg keys, but I wonder if M$ will add new ones in later updates.


That's okay, they can just use their p2p technology and route their spying through other people's computers.


Curiously, the net effect is that now there is one reason less to skip upgrading to Windows 10!


If I could figure out my wireless card/GPU drivers, I'd swap to Linux in a heartbeat. Plug-n-play drivers is the only reason I'm still on that closed-source OS. Just don't have the patience to hunt down third-party drivers.


Boot off a live CD (e.g. Ubuntu) and run lspci from a terminal session then post it here.

You may find the drivers you need are available in a separate 'restricted' or 'non-free' repository. It is unusual these days on desktop/laptop oriented installs to have to 'hunt down' anything.

Very very recent hardware can still be problematic mind you.


> Just don't have the patience to hunt down third-party drivers.

For most modern distros, you don't have to hunt down third-party drivers; at most, you might need to enable some first-party or second-party "restricted" repo, at which point you can install the necessary drivers from there. And last I checked, Ubuntu and Linux Mint (among others) provide a "restricted hardware wizard" in the normal settings screen to do precisely this.


Just get the right hardware with good Linux support, it all just works then. You won't find any lasting happiness by digging deeper into the third party drivers swamp. (all-Intel for wifi and graphics is the safest bet)


Mainstream hardware is decently supported, if you don't have special claims. Ubuntu live cd/usb?


Broadcom and nVidia?


What exactly is going on with the decision making at Microsoft?

With all the backlash that has resulted from the Windows 10 privacy issues, you'd think their next thought wouldn't be "we should piss off our customers with more of the same".


When KB3035583 GWX/Win10 Spam came out I removed it and put my updates into manual because I figured it won't be long before MS put out another update to push Win10. This is much worse, now I find out there are a number of updates that I have to track down and uninstall. Going forward I will always have to lag a month or so behind updates to make sure MS is not installing a key logger on my Win7 computer. I guess my move to Linux is sooner than I thought.


I have a question that I can't seem to get a straight answer anywhere. If I were to use Win 10 Enterprise edition, could I theoretically disable all the spying and telemetry?

It also now seems like we need two computers. One that is open for "spying" so the government looks at my usage and white-lists me as a "good citizen" and another computer that basically is encrypted and hides anything I don't want anyone to know about.


Or just one that runs open software...


If we try to apply the principle of charity - could there be seen any advantages that this telemetry data would provide to the end user?

I can't come up with any at least.


If you ever get accused of having illegal images on your PC, you can ask Microsoft to prove that you never had .jpg files in C:\Windows\Fonts.


I wrote a utility in C# to make it easier to uninstall the offending updates: https://github.com/schumann2k/UpdateAntiSpy

Feedback & pull requests welcome. :)


Is there any tool like DisableWinTracking for Windows 7?


A Linux machine with two ethernet cards acting as a firewall to the internet?


Do we even know how you'd need to configure the firewall to block the specific traffic that's the problem?


There's a list of domains that came up in a previous discussion on HN (sorry, I don't recall it right away), and was also trending on pastebin.com, which contained all of the known domains Microsoft was using to report back from the OS. Presumably you could route those to "null" or the equivalent on your router and you'd be good to go.

Edit: Here's the pastebin link: http://pastebin.com/RZW74Npk


You could always just do that in Windows' hosts file, too.


You can, and I'm sure most would. There may come a time, however, when a future Windows update rewrites or works around the hosts file for telemetry. Doing it at the router or external firewall avoids that possibility.


Such an update could also add new data harvesting hosts, which would bypass your router's blacklist.


That's a given. The rabbit hole goes as deep as Microsoft is willing to dig it. Like any other vulnerability, there will always be security researchers out there who find and report on new ones.


Ah, fair point.


That's assuming that Windows doesn't circumvent such things because "well we know what we're doing and you don't".


I'm with Ubuntu/Gnome3 and it's pretty fine. It took some plugin installing (very easy btw), but it feels pretty good. Time to switch?


Windows, now like AOL but better!


.... aaaand Windows Update Automatic Updates is getting disabled.


Every time Microsoft releases a new Windows (since XP SP1) I saw quantifiable performance decline with every update I installed. I think Microsoft pushes people to change OSs using this technique.


As far as I know, these updates are optional.


Can't wait for a new EU fine, let's hope it's orders of magnitude more significant this time. Cool 10 Billion Euro should be enough to stop MS from screwing people over.


Or that they finally fund a project that could replace windows


Given their dismal track record of funding anything remotely successful and other than ivory tower projects, I wouldn't hope too much.

https://en.m.wikipedia.org/wiki/Quaero Or look at Stratosphere/Apache Flink, basically they cloned Spark in much worse for millions of dollars.


Something like ReactOS or Longene would be a feasible target for such efforts. Or even just a commitment to GNU/Linux or one of the BSDs.


Can they be sued for doing this?


It seems that Microsoft was right when calling Windows 10 "The Last Windows" - after such insolent violation of privacy people will switch to Linux or Mac OS just to avoid it. Microsoft is doomed, let's celebrate! :)


Not sure why this is being down-voted. Just trying to be helpful in case people want to avoid these optional updates or uninstall them. Maybe I should just delete the comment?


That helpful comment got two downvotes and well over a hundred upvotes. This is an extreme example of why HN has a guideline asking people not to comment about being downvoted. Most of the fluctuation is ephemeral, and most comments about it soon become inaccurate.

We've detached this subthread from https://news.ycombinator.com/item?id=10110543 and marked it off topic.


sorry :(


Please don't feel bad! Your contributions are overwhelmingly positive, and we're grateful. The reason I post stuff like the above is not to reprimand anyone, it's to feed reminders about the guidelines into the community.


In general I'd say the inclination to delete a comment because it's being down-voted is... not good. Don't try so hard to conform to what appears to be the local public sentiment.

(EDIT: or, if it's a threat to delete if you don't get upvotes, also lame)


Please don't


OK, just didn't want to add to the clutter if it was unhelpful. A load of links without context isn't a great comment. :)

BTW these updates all appear to be "Optional" and are part of the Customer Experience Improvement Program (which in my experience is always opt in and you get a notification in the system tray).


They are currently optional - different than "Important Updates" and "Recommended Updates." I checked my windows update panel in Windows 7, mind you, (Start --> Control Panel --> Windows Update), and saw it listed as an optional update. I believe these optional updates, in windows 7 at least, are defaulted to be listed, but not downloaded or installed. I clearly won't be installing these, haha.



