Windows 10 Privacy

Discussion in 'privacy general' started by Fox Mulder, Jul 10, 2015.

  1. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    2,335
    Location:
    Vienna
    Oh sure I know that.
    But what I'm saying is that the people in power will not break the laws to prosecute criminals only to further their own goals.
    My point was that only because some people act illegally, that does not necessarily allow the rest to do the same.

    Well, it's more complicated than that, you remember the old story: https://www.theregister.co.uk/1999/11/05/how_ms_played_the_incompatibility/
    and there were many more, M$ does not owe their success only to the quality of their products.

    Nowadays the issue of not using Linux for most is not the user interface or general usability, but drivers and software that still do not run on Wine.

    For example in one of my labs we have a Mass Spectrometer that requires Windows XP 32 bit, due to an interface card having only 32 bit drivers; a new interface module not requiring that card, using USB, costs "only" 5k€. And there is a boatload more of other hardware that does not run on Linux at all, but at least works on Windows 7.

    Microsoft's market position is nowadays mostly warranted by the fact that a lot of stuff only runs on Windows. Not by Windows's quality or features other than backwards compatibility.

    In fact I created a few and even hold a patent and have another in the works, but this does not matter to the subject at hand.


    No, my neighbour was defending the thief's deeds, saying they were legit or even necessary, and I just objected to that, asserting that the thief does not have a valid right to violate my privacy no matter what his excuse might be.

    Besides: "Silence gives consent." -- Boniface VIII
     
    Last edited: Apr 29, 2017
  2. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,560
    I feel that this whole 'privacy' thing is a simple matter of understanding what you can do and what you can't do

    Example of what you can do: Don't post on social media like Facebook "I'm going to the bathroom/work/store" or your social security number. There you go, that's a level of privacy you can control

    Example of what you can't do: Disable all telemetry/Microsoft connection. Relax and don't lose sleep over this.
     
  3. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,440
    Location:
    Slovakia
    Actually, this is something you can do, no connection = no telemetry (why bother sending anything if there is no internet, according to Windows). :p
     

  4. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    2,335
    Location:
    Vienna
    According to the analysis I did in the past few days, when I block ports 443 and 80, Windows 10 does not communicate with Microsoft at all.

    So apparently I can block it entirely.
     
  5. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    That's how it seems to me. So I do as I like, practicing good OpSec, with compassion for my peers.
    That's the only way I'll use Windows. Microsoft can snoop all it wants, because it has no bloody clue who I am. I treat Windows VMs as disposable. I typically do an install, fully update it, and then use clones for actual work. And I never leave important data on them, for any longer than necessary. And they certainly never see anything related to my meatspace identity.
     
  6. guest

    guest Guest

    Because only you assume it was a thief. You willingly invited someone (Win10) to live (install) in your house (PC), and then you are upset because he tells in detail how you live with him (telemetry) and, most funny, you knew he would do it! Who is the fool in the story? The accused "thief" or the one who let him enter willingly and then whines about him?

    Only you assume he is a spy and thief, you have no valid proof, no one can find one; if they had, they would all have sued MS ages ago.
    Does the information he collected hurt you? No.
    Did you receive mass spam of commercial ads because of that? No.
    Were your account credentials used by MS against you? No.
    Is your life all over the net without your authorization? No.

    So where is the privacy invasion? Are you upset because MS knows your hardware spec or how you write? So, please, spare us your pointless unverified rant, and give us a break because all you say is just "assumptions" based on thin air. Until you give me true proof about MS breaking into my accounts or collecting real sensitive data about me, I won't go your way.



    Exactly, if you use it and believe it does something wrong, either you leave it or you protect yourself the best you can.
     
    Last edited by a moderator: Apr 29, 2017
  7. guest

    guest Guest

    Just stop using windows, you will live better
     
  8. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    2,335
    Location:
    Vienna
    As I already wrote, this is not a good option, unfortunately.

    "If I could get Linux drivers and software for my lab equipment I would switch in a heartbeat. And if my laptop wouldn't have 30% less battery performance when using Linux in comparison with Windows I would switch here too. But even on mains powered desktop applications it's not that easy, for example a CAD software package I use a lot does not run under Wine, and the performance in a Windows VM is really sub par because of the lack of a real graphics card. OK, the last point is solvable, some expensive graphics cards are starting to support virtualisation, but then it's still an added cost of a few k€."
     
  9. guest

    guest Guest

    I stopped Linux for those same reasons, but contrary to you, I don't mind about privacy because it is a lost war. So instead of complaining at MS, I learnt to hide my tracks if necessary.

    I know how to be totally untraceable on the net, but the procedure needed is annoying and a waste of time for the few benefits I will receive.
     
  10. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi guest

    I would agree totally with you BUT..... privacy is important to me for several reasons. And if Microsoft had approached it as "okay, you don't want Win 10", then that would be fine. But it took a year of ducking and dodging to keep them from trying to force Win 10 down my throat. Also if they just posted and said "if you don't want us to collect info just turn this off". But again, it has become a game to keep them from doing something with my computer I don't want. And using another OS unfortunately isn't an option for me either.
     
  11. guest

    guest Guest

    @Peter2150 hi,

    Yes, I don't applaud the way they pushed Win10, it could have been done better. About telemetry, it was always there, just less visible than now.

    Indeed privacy is a concern, but crying wolf day and night will not help at all.

    I get tired of some delusional paranoids mistaking telemetry for spying and polluting every MS thread with that. Those same people that will complain MS isn't fixing issues.
    MS implemented more telemetry and will surely do more, it is their right, it is their OS. You don't like it? You still have some tools to hamper it.

    I will tell you, if MS really wants to "spy" on you, they have more insidious and invisible ways to do it than using telemetry...
     
  12. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I agree with you, about crying about it in every thread. Everyone who is bothered just needs to learn about it and cope in a way they are comfortable.
     
  13. plat1098

    plat1098 Guest

    You can take telemetry down somewhat but there's a steel wall after. If you block too much, you end up compromising your system. Nothing you can do about the "steel wall." I wouldn't interfere with any "pure" telemetry related to the functions of the operating system but I just don't know where the line is drawn. That's one of the prices you pay for "free" Windows 10.
     
  14. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,885
    Location:
    Slovenia, EU
    Yes, free and paid for also. Data collection is not limited to free upgrade offer only.
     
  15. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    2,335
    Location:
    Vienna
    In Windows 7 the "Customer Experience Improvement Program" was disabled by default, you had to actively enable it.

    That is a huge difference, those are almost alternative facts the way you are saying it.

    A privacy compromising feature being there but disabled by default is an entirely different can of worms than a privacy compromising feature that cannot be turned off without resorting to trickery.

    After Windows 10 was released, Microsoft pushed updates for Win 7 and 8 that add Win 10 style telemetry, but you can uninstall these updates: https://www.ghacks.net/2017/02/11/blocking-telemetry-in-windows-7-and-8-1/

    It is their OS but because they have a monopoly it should NOT be their right to push objectionable features.
     
  16. plat1098

    plat1098 Guest

    OK, but what proportion of Windows 10 devices employ the paid versions? I couldn't find this info in a quick search. Regardless, the comment was specific for users who installed the "free" version--it's Microsoft's operating system running on my property. Same old infuriatingly moot point, and you're stuck for lack of easy alternatives. So, you're running in place.

    How's the ground-breaking class action lawsuit coming along? :shifty:
     
  17. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    2,335
    Location:
    Vienna
    > OK, but what proportion of Windows 10 devices employ the paid versions?

    Well, you need to get a licence for every new PC; the free Windows 10 was only for upgrading from an older one.

    Not everything is about an imminent class action lawsuit, often it's enough to start with raising awareness, creating a narrative, etc...
     
  18. plat1098

    plat1098 Guest

    Microsoft is currently involved in a class action lawsuit though the subject of that is not telemetry but the destruction of users' machines from forced updates/upgrades. If the Davids are defeated by this Goliath, at least it's no longer an unheard-of, unthinkable thing to sue Microsoft.

    https://www.bleepingcomputer.com/ne...t-microsoft-over-botched-windows-10-upgrades/
     
  19. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    The watershed between W7 and W8-10 is that retail versions (including "Pro") no longer give you all functionality that you get in Enterprise W10. W7 Ultimate at least gave you that equivalence.

    W10 is clearly a cloud-oriented OS, a form of browser which happens to have privileged access to your disk. It will also obviously run desktop apps. As pointed out above, MS can do what they want in any version.

    The route MS have gone with W10 has at least simplified my choice of host-OS in a virtual machine context. That allows running whatever version of MS Windows as a guest OS in a VM setup as desired, just the same as with any browsing/internet facing technology. I'm not having them having privileged access to my local disks anymore.

    I think the point is the migration of their business model rather than the specific technology.
     
  20. guest

    guest Guest

    Exactly, MS clearly mentioned it.

    Indeed.
     
  21. CHEFKOCH

    CHEFKOCH Registered Member

    Joined:
    Aug 29, 2014
    Posts:
    395
    Location:
    Swiss
    You're still wrong, it's not null and void, that's what YOU want but that's not realistic. Have you ever installed other software? I doubt it. It's legit, otherwise it wouldn't even be possible.

    Useless, every software restriction policy is better than this. That's why it never got hyped.

    KMSPico and such tools are illegal and detected as 'Threat' by Windows Defender, also for a reason it installs a local certificate on your system. So you trust an unknown certificate more than a company which is monitored all the time?

    Should .. Yes, pls wake up, no one SHOULD be hungry on earth but that's not realistic in our world. Again, you want to fill in every debug info + necessary meta-data manually? No one wants this, that's why Linux got the same function.


    Should ! .. Sure... Again I think you do not understand that some external connections are necessary to harden the OS.

    If you want security or custom things you have to do it manually or trust other corpish. products or solutions. If not you need to write your own software or contribute to a project. Can you prove something, that telemetry compromises your security? I doubt it.

    NSA, BND, GCHQ, Chinese, Japanese,... Sorry, don't bring this argument, Windows can't do anything here. They are forced, and they do not need to compromise the OS to grab the data. Even if MS would not disallow it they would compromise the cables directly. So I prefer to give them meta-data, which are useless, compared to giving them unlimited access. So you take at least a little bit of control. You can work with them or not. I prefer the first. This also isn't an argument because this needs to be changed by the government.


    I agree with most of your points except this: if the encryption were so strong that not even your ISP/NSA/others could see what you are doing, then this wouldn't matter at all. The thing is, this will never happen because the gov. and some other organisations never want this. The only thing someone can do is to use alternative software/OS or look at the protocols (insecure ones) to fix it or mention it so that it gets hyped/attention. FTP is weak AF and known, but every router still supports FTP/telnet. We in general need to re-think certain things and should make changes faster so that there is less time to build 'spying' tools, because if the attacker knows that it gets changed very often he might give up earlier.

    Can you prove that this so-called 'spying' compromises you? I ask again here. I want proof from you and not links to pseudo experts who have no clue what they are talking about?! Again, I checked Windows and found NOTHING. Android, Apple and others are sending even more (also related because they are used for phone calls/GSM/...). Imho it starts with the user, if you do not like it why do you support it? Are there alternatives or tools to bypass the 'spying' like e.g. -> OneDrive <-> SpiderOak?! It starts with the user, not the OS. Even if the OS does not use any telemetry, how long do you think every other application includes it? nVidia did it, most apps like BulkCrapUninstaller are also offering such options.... It's necessary if you want to improve the product.

    I give up now, it's more and more OT now to explain to one single user how some things work.

    Again, as long as no one has decrypted the 'spying' traffic it's all FUD.
     
  22. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    2,335
    Location:
    Vienna
    Well, the sources I provided support my claims, now it's up to you to provide sources for yours.

    That is how Antivirus products worked for decades.
    You know, in the past only the fewest users had a permanent internet connection.

    For one, legality is irrelevant. Second, it's up to the user to choose whom he trusts more, a company that is a prime target for governmental coercion or non profit pirates that protect their identity as if their lives would depend on it ;)
    I'm simply saying users have choices.

    No, I never said that; that is a strawman argument.
    It's enough to have one single switch to disable it completely. On Linux you can disable it fully.

    Sure I do, but do you understand that it should be up to the user if he wants this additional hardness paid for with his metadata?

    Did I say that it definitely does? I only said that it definitely could, and even gave some example cases of how telemetry could be used to compromise someone's security if M$ or a state that can coerce them would choose to do so.

    And that's the point: I'm not claiming it gets abused right now, just saying that it has a huge potential for abuse and thus should be optional, such that if it were to get abused and the media (any media) report on that, people can protect themselves at least a bit.

    Compromising the cables directly is still less an invasion of privacy than compromising the OS itself.
    Strong encryption is present and very likely the NSA and others can't break it, as the Snowden leaks show. Hence they are trying to compromise everything else.
    Also you shouldn't choose a compromise and work with the oppressor, you should defy him wherever you can.

    Well, you agree that features like Windows Defender send hash sums of opened files, downloaded files to M$ to be compared against an online threat database. Right?
    These hash sums are unique, so if M$ ever got the file a particular hash sum belongs to, it could know all the other people that handled this exact file.
    Now if this file would be for whatever reason legally problematic (for example a confidential governmental document that got leaked), M$ could tell the US Government who handled the file in question and in what order.
    In fact M$ does not even have to get the content of the file from the Gov, they just have to give M$ a hash sum and ask to monitor who is/was handling it.

    As simple as that.

    I of course can't prove yet that it compromises me directly, but as you see from the above I can show how easily such a feature can be abused to compromise for example whistle-blowers and reporters involved.

    I can think of many other scenarios of how such security features and telemetry features can be abused to compromise users that according to a general moral consensus should not be persecuted.




    I do not dispute the potential usefulness of such features for your average dumbest assumable user.
    I only point out how much harm such features can potentially inflict if abused, with M$, being especially big, being a prime target for coercion.
    And I'm arguing that features which have a high potential of abuse must be optional and should not be made mandatory.



    David X.
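
The correlation described in the post above, as an added example that is not part of the original thread and not any vendor's code: given a log of hash lookups, a digest alone is enough to list who handled a file and in what order. The log layout (timestamp, device id, SHA-256), the device names and the file contents are constructed assumptions.

```python
import hashlib
from collections import defaultdict
from datetime import datetime


def sha256_hex(data: bytes) -> str:
    """Digest a client would send instead of the file itself."""
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for file contents; no real documents or devices.
LEAKED_DOC = b"constructed stand-in for a leaked document"
INSTALLER = b"constructed stand-in for an unrelated installer"

# Constructed lookup log as a reputation service could retain it
# (assumed layout: timestamp, device id, digest). Deliberately unsorted.
LOOKUP_LOG = [
    ("2017-04-21T08:02:11Z", "device-C", sha256_hex(LEAKED_DOC)),
    ("2017-04-20T09:15:40Z", "device-A", sha256_hex(LEAKED_DOC)),
    ("2017-04-20T10:30:05Z", "device-B", sha256_hex(INSTALLER)),
    ("2017-04-20T17:44:52Z", "device-B", sha256_hex(LEAKED_DOC)),
    ("2017-04-22T12:00:00Z", "device-A", sha256_hex(LEAKED_DOC)),  # repeat lookup
    ("2017-04-22T13:10:00Z", "device-D", sha256_hex(INSTALLER)),
]


def first_sightings(log):
    """Map each digest to {device: earliest time that device looked it up}."""
    index = defaultdict(dict)
    for ts, device, digest in log:
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        seen = index[digest]
        if device not in seen or when < seen[device]:
            seen[device] = when
    return index


def handlers_in_order(log, digest):
    """Devices that looked up `digest`, ordered by their first lookup."""
    seen = first_sightings(log).get(digest, {})
    return [dev for dev, _ in sorted(seen.items(), key=lambda kv: kv[1])]


def exposure_report(log, watched_digests):
    """What a party holding only digests (no file content) can learn."""
    return {d: handlers_in_order(log, d) for d in watched_digests}


if __name__ == "__main__":
    # The requester supplies nothing but the digest of the file of interest.
    watched = sha256_hex(LEAKED_DOC)
    for digest, devices in exposure_report(LOOKUP_LOG, [watched]).items():
        print(digest[:16] + "...", "->", " -> ".join(devices))
```

The exposure here comes from the lookup log being retained with device identifiers, which is why the post argues for a full opt-out rather than trusting how the log is used.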
     
  23. CHEFKOCH

    CHEFKOCH Registered Member

    Joined:
    Aug 29, 2014
    Posts:
    395
    Location:
    Swiss
    Wikipedia is not and never will be a source, Wikipedia is a community controlled page. You can create or fake articles and edit whatever you want. That's why you need to show the reference links + article revision when you do a serious article/dissertation. My proof is that this has already existed for 25 years, and if someone had claimed it, it would have already been changed. END ... If you want to talk about this pls go to a lawyer forum and ask why no one in 25+ years has complained and then also ask how to change this? It's not possible.

    It's illegal and not up to the user. That has nothing to do with trust, the trust comes when you might get a big problem because you provide illegal activation servers or in this case illegal certificates.

    On Linux there is only one toggle. Oh, yeah, you talk about compiling yourself. Have you ever done that? I doubt it. It's not reliable for 99% of all users; not even the government or high-security areas are doing this, the effort for an audit and the costs are not worth it.

    Again, meta-data are protocol based. If you don't want it use protocols and files without any meta-data .. they are rare and not for the masses. Your argumentation isn't reliable for 99% of all users.

    Potential, yes. You know that the power of fake news also has a huge potential to fake a lot of stuff. Like the entire "MS is spying on you" hoax. Show proof or I can't take you/websites seriously. I never found anything and I did give my proof for that; the only thing I couldn't check right now was the encrypted stream because Wireshark can't decode it (yet).

    You're wrong and naive in so many ways. Compromising the cables is more dangerous. You can test and check the OS against attacks but not what leaves your home. You do not know if the traffic isn't captured, manipulated. I see hardware based attacks as more problematic since a normal user can't find the manipulation, or only with huge effort/research and money. What if Intel/AMD manipulated the hardware (CPUs) in the first place, which makes every encryption weak? You can't prove that since you do not have the tools/hardware and the research to prove if 1+1 is 2. You can only check what the OS tells you, and this can be different from what your hardware offers. As an example, a lot of routers (especially Chinese ones) are compromised/manipulated with 'fake' hardware/'chips'. This is real. And how many users do you think open their hardware to check this? Especially because the warranty is void then? So the OS is a lot easier to check here. And again, no one ever found something in Windows. In fact Android currently has more security holes (according to cvedetails and other pages).


    Spying and checking are different things, if you use an AV you agree to that, otherwise (as you yourself said) it doesn't matter because it's well known or you need to opt out.


    Sorry to say but you see a lot of things simply wrong because you are naive. NSA and other agencies do not need the OS, they lower the encryption or downgrade to a weaker one and then they can grab the data. This works without the user having any control of it or MS/the OS knowing of it. The only thing you can do is check yourself and try to verify things in e.g. a VM. But again, for 99% of all users this isn't possible. They better rely then on a VPN (if there is common distrust). And even most of all VPN providers are still using weak configurations (because they don't care, don't know it or are really 'spying').

    I don't see how MS should abuse meta-data without you knowing about it?! I never heard of a story where a user got emails (because of telemetry) or from other companies because of that?! You might only get fake emails from bots/groups because of phishing and other things. But this would be the first time I ever heard this, and it's difficult to prove anyway because MS/Google/.. would deny this.

    So this entire 'MS grabs all my data, sells it to others and then my security is compromised' is simply wrong. If the third-party user would directly use the data you would notice it; what I agree with is that they use such things for common stats. But go into a supermarket and buy with your credit card or use payback points, then your bank and others know when you paid and how much for a product. It's nothing new.


    The fact is MS constantly changes something on Windows (as a service) and that's what you get, if you don't like it better use Linux or Mac OS. Imho the recent changes MS did are all okay. Of course there are some things which could be tweaked, but that applies to all OSes I know.

    I guess there is no point in talking about this now, when there is no proof, except wasting time. I totally got your point and you got my point now.
     
  24. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    2,335
    Location:
    Vienna
    Here you have an original source: https://shop.heise.de/katalog/bundles-bytes-und-paragrafen costs just 2,5€
    the source is also cited here https://www.heise.de/ct/artikel/Entfesselt-290296.html free access

    saying:
    "By the way, the dreaded EULA clause desert (End User Licence Agreement), which comes with every PC with preinstalled Windows and which one has to nod through with a forced mouse click on every reinstallation, has no contractually binding force, even if Microsoft would like to see it that way. A buyer of a complete PC as a rule (in der Regel) has no knowledge of its content before the purchase. It therefore does not become part of the purchase contract either, but remains a unilateral declaration of intent by the authors, which is to be consulted as an aid to understanding and interpretation when, for instance, the question is what the operating system copy is suitable and intended for. [6]."

    Your nickname suggests to me that you should know German, right?

    It's illegal,
    but why wouldn't it be up to the user? He can do it or not, it's up to him. Whether it's permitted under the law is not relevant.
    The user is able and capable to use it if he wants.

    Well, if it turns off the telemetry completely that is already all that is needed.

    Yes, and that is the point: on Windows you cannot fully opt out.

    Sure I can, of course not for some stupid blog post or facebooking,
    but when sending an encrypted confidential mail to a friend we can use GPG to ensure confidentiality and integrity.

    Sure I can, for example I can compare the encrypted output using a standardized cipher generated using C functions on my Intel and my AMD CPU, then I can write an implementation in JavaScript and compare it against that, and if that is not enough I can write a JavaScript engine in Python and execute my test code there.
    Now the manipulation would have to be impossibly sophisticated to be able to manipulate the math inside an interpreted script language executed by a program compiled to some bytecode.

    Sure, the onboard means of generating random numbers, those you can't trust that easily, but then you just go for real randomness, from user input or a hardware you build yourself with an Arduino etc.....

    This they can do for users surfing the web with SSL etc., but they cannot "downgrade" an arbitrary connection.
    If you have an OS you trust you have options to ensure your encryption will work as expected by you,
    if your OS is compromised you are entirely powerless.

    Where did I say that? You are fighting here a straw man of your own making...
    I'm just saying that through telemetry, error reporting, and online based malware protection, the company behind that can obtain information which can be used to harm the user.
    Thus such features must always be optional and a full opt-out must always be possible.

    It's everything, and that is why I always use cash wherever possible.

    David X.
     
  25. CHEFKOCH

    CHEFKOCH Registered Member

    Joined:
    Aug 29, 2014
    Posts:
    395
    Location:
    Swiss
    You point to an article which explains how you make a Windows ISO (unattended), which has nothing to do with the law. Besides this, it's still possible with Windows 7/8/10 same as in Windows XP times, it's even simpler now.

    That's an entire (own) topic, because it mentions that you need to buy one PC (I guess they mean OEM PC) and then they're bundled with an OS. This also has changed, you can also buy PCs (even OEM) without any OS pre-installed. 'In der Regel' is also not a lawyer term. In fact most people if not all know what they buy, especially in XP times because there was a huge sticker; since Windows 8 this sticker/key is now directly bundled within the BIOS. Which is also another topic of its own.

    This has absolutely nothing to do with the EULA itself being null and void .. EULA, OEM, PC bundle, XP sticker are separate topics of their own. Heise also does not mention any source here, it's written by someone like you and me who is definitely not a lawyer here. The only null and void I see here is your 'source' since this is just a comment.

    Again I don't see what's wrong with KMS. How else do you activate 100 PCs? You complain but never come with solution(s). And this is where the discussion ends. You can also do it manually, that would be a 'solution'. Good luck telling your boss you need 1 year to activate all PCs which could be done in one day.

    No audit - no proof. Linux is not better here. It's community vs MS word. I don't trust both.

    I already mentioned the necessity of basic telemetry and it's fully documented.


    No you can't. You can't check file integrity when traffic was encrypted. Which is currently the fact when it comes to telemetry. Mailing is another topic created by you now.


    You can't, because one single mistake in 1000 lines of one single encrypted word and the effort would be useless. Especially because there are some 'tricks', you can't see the difference between a Cyrillic a and a Greek a. They look almost the same. The cipher has nothing to do with the possible malfunction/manipulation, which works on hardware level. You only see the OS output.


    They can downgrade you. OpenSSL was one known attack vector last year.


    And what if in 50 years they decide to remove cash, Bitcoin is already an example.

    I give up here, it's talking with someone who has a lack of knowledge and distrusts MS without own research.

    I'm not saying MS is an angel or perfect, but complaining without providing own solutions or own research .. that's a one-way discussion and more OT now.
     