is Windows 8.1 privacy really that bad?

Discussion in 'privacy problems' started by ChrisFerro3, Oct 1, 2016.

  1. ChrisFerro3

    ChrisFerro3 Registered Member

    Joined:
    Nov 15, 2015
    Posts:
    30
    I have been worried about telemetry in Windows 8.1, but I am starting to wonder if I am worrying for nothing anymore. There are no more Windows 10 Dialogs, are there any real reason to worry if there are strange connections to Microsoft's servers?, I read so much stuff about telemetry and privacy that I don't know what to believe anymore.

    I keep running systems that are based on Windows 7, as I feel that it's safer then running Windows 8, 8.1 or 10 anymore.
     
  2. rossnixon

    rossnixon Registered Member

    Joined:
    Aug 14, 2013
    Posts:
    21
    Location:
    New Zealand
    Windows 10, and 8 I suppose, send far too much information to Microsoft. That isn't too much of a worry, but what if it falls into the hands of malcontents?
    W10Privacy (free) works for me. It is portable, run in Admin mode.
     
  3. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,084
    @ChrisFerro3: My guess is that you are struggling with this because you do not yet "know", in your own mind, what is/isn't of concern from a privacy POV. IMO, gathering subjective personal opinions from others is unlikely to help you. Unless, of course, your true aim is to cherry pick the response you want to hear and use that to try to convince yourself that you've made a sound decision. Which really isn't a helpful thought pattern.

    Since speaking your mind can also help clarify it, I'm going to ask you this: What do YOU consider to be a privacy issue? What concerns you? How do you feel about sharing information with Microsoft? Other companies or entities? Do you believe they handle the information they receive in the ways you want them to? Do you think they will continue to do so in the future? Without allowing others to influence you or thinking about a particular OS, just explore your own feelings on the subject and try to firm things up.
     
    Last edited: Oct 1, 2016
  4. ChrisFerro3

    ChrisFerro3 Registered Member

    Joined:
    Nov 15, 2015
    Posts:
    30
    Ah thank you TheWindBringeth, I will do that.
     
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,010
    Location:
    The Netherlands
    From what I understood, there are certain updates that will install telemetry crap on Win 8. But it's probably not as worse as on Win 10. I've installed Spybot Anti-Beacon which also works on Win 8, and will try to block as much as possible.

    https://www.safer-networking.org/spybot-anti-beacon/
     
  6. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,084
    Bear in mind that it isn't just telemetry that you want to think about. At least not telemetry in some narrow sense, which is typically how you will see it used. Those writing software, privacy policies, etc will gravitate towards their own definition of what telemetry means (what it does and doesn't include). What is officially collected through a mechanism called telemetry can be of LESS concern than what is collected via some other mechanism that is called something else! So you really need to think for yourself and focus on the types of information you don't want to expose to certain parties.
     
  7. Anonfame1

    Anonfame1 Registered Member

    Joined:
    May 25, 2016
    Posts:
    193
    This is why FOSS. Like really. You really have no idea what software nowadays will do unless you can see the code.

    We are out of the innocent childhood of commercial software. Nowadays, software has become a EULA sanctified trojan horse...

    Even on something like Windows, if you try to use FOSS apps wherever you can, you can at least ensure those apps do what they say they do.
     
  8. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,147
    Location:
    UK
    Sadly not - when you can't "trust" the underlying OS to subvert the apps (e.g. by KSL) - there is no real protection. The point now being that the areas you can "trust" MS have shifted because of the change in business model and EULA, as you say.

    My take is that you must have a segregated environment giving much less trust to each compartment - practically implemented by having an open source host/hypervisor and running whatever virtual machines you like in each compartment. That way, you have a better level of control over what each VM gets to see, and that it will not get your keystrokes unless you're in that machine. You can also add further compartmentalisation by sandboxing and snapshotting with things like sandboxie, firejail and apparmor for instance.
     
  9. Anonfame1

    Anonfame1 Registered Member

    Joined:
    May 25, 2016
    Posts:
    193
    Its all moot when you consider the proprietary Intel Management Engine. With AMT (and probably even without it), if this code is backdoored the NSA or whoever has exploits can gain control of your computer, monitor it, etc. It doesnt matter what OS or programs you use...

    Even running Qubes or a grsecurity'd apparmor'd vm'd linux install wont help when you have something like IME running :(
     
  10. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,084
    Web browsing isn't safe if you can't trust the browser you use to do so. Mitigation: use multiple browsers and compartmentalize things. Multiple browsers aren't safe if you can't trust the OS they run on. Mitigation: use multiple OSs/VMs and compartmentalize things. Multiple OS's/VMs aren't safe if you can't trust the hardware they run on. Mitigation: use multiple hardware platforms and compartmentalize things. Same basic concept but at different levels I think.

    I think it is important for users to appreciate the importance of "a solid foundation" and compartmentalization techniques ("don't put all your eggs in one basket"). However, when we delve into such subjects we create or at least reinforce the idea that nothing is safe. However true that may be when we examine things in detail and from the POV of choosing lines we think we can manage/defend, it may be good to remind visitors that they should not allow such discussions to drive them into the "well, if nothing is really safe then why bother?" way of thinking.

    We could setup two different software environments on identical hardware where the latter is known to have a component that is of concern (IME, some other controller/firmware, whatever). Then when we do our best to rate/score each of these systems for their infosec/privacy friendliness, find that one achieves a much lower score. Perhaps because it is literally, verifiably, every-time-you-use-it, exposing more sensitive information to more parties... is clearly not configured to block known advertising/tracking parties... etc. We could even compare two different configuration/use scenarios involving the same OS... even something as concerning as Windows 10... and still arrive at significantly different scores because one is loose and one is tight.

    You really can't achieve anything close to ideal privacy using today's technology-reliant life patterns, [mainstream] solutions, business models, etc. So privacy in an absolute sense will surely be less than people would prefer. However, that doesn't mean we can't try to identify approaches that have a relative advantage, that reduce our exposures, buy us some more control over things, etc. I think these are things we should try to do.

    @ChrisFerro3: What are you thinking?
     
  11. plat1098

    plat1098 Registered Member

    Joined:
    Jan 18, 2016
    Posts:
    266
    Location:
    Da mean streets of Brooklyn
    Can you ever know? Unless you work for Microsoft in the higher echelons behind barred and sealed doors, who knows for sure? If Microsoft was a single human being, it would be more paranoid than fifty of us combined. And it would be justified paranoia, cuz they're losing it.
     
  12. ChrisFerro3

    ChrisFerro3 Registered Member

    Joined:
    Nov 15, 2015
    Posts:
    30
    Well TheWindBringeth, It would be hard for me to use multiple devices just to keep my privacy safe, it seems like you said to just emulate several virtual machines with a host OS I like that idea. I also read the EULAs from Windows XP to Windows 8.1? I noticed that when I read how Windows activates it seems it records less information in the older versions but then in Windows 8.0 and 8.1 it also records your BIOS and Hard Drive Volume Serial numbers, Why would Microsoft do that?.

    I actually am waiting for the right moment, I wanted to run ZorinOS based on Ubuntu or any Linux distro that is safe with privacy, I then would also emulate Windows and control what happens, it would be better, I know there are some people here at WildersSecurity.com do some similar things. Thats why I was wondering if running a older version of windows is better, or if Microsoft still collects information from Windows XP or Vista.
     
  13. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,084
    Activation/licensing checks often involve uniquely identifying the device on which the software is running. Hardware, and sometimes firmware, information is used for that because it is less likely to change or be tampered with. If you look at the Activation section under features:

    https://privacy.microsoft.com/en-US/windows-8-1-privacy-statement

    you'll see that it says: Volume serial number (hashed) of the hard disk drive. Theoretically, collecting a hash of such an identifier is better than collecting the identifier itself. It would be nice to see even less information collected though.
     
    Last edited: Oct 3, 2016
  14. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,147
    Location:
    UK
    Quite agree. But I think that threat would be for specific situations where they'd probably have many other ways of "getting" you. I don't think that form of backdoor is going to be released to the LE masses.

    Regarding licencing and machine fingerprinting, that is becoming a regal PITA apart from privacy in the VM environment because MS Os doesn't recognise that unless you're on an enterprise licence. Each VM instance has to have its very own licence.

    Similarly, many applications now require you to be on the internet for activation, and some check periodically requiring you to be connected (you may not want to be). Some allow out-of-band validation for isolated VMs with no internet access, but the key exchange for validation is still potentially revealing details of your hardware, albeit virtual.

    This but reinforces the advantages of FOSS, and is a primary reason - apart from privacy - for me to switch to a primarily Linux environment.
     
    Last edited: Oct 3, 2016
  15. Anonfame1

    Anonfame1 Registered Member

    Joined:
    May 25, 2016
    Posts:
    193
    I mean, I totally agree. I would use Linux if I felt its actual security was worse as well as if I preferred a Windows environment, if for no other reason than the fact that the aim of Linux is to do what the user wishes, rather than for the user to do what the OS/corporation wishes. Fortunately, I prefer basically everything about Linux (short of its smaller proprietary software ecosystem), and its security is innately better (and can be made on orders of magnitude better with stuff like grsecurity/MAC/etc).

    However, hardware crap like this- especially if state level actors have official backdoors into it- is a very depressing precedent. It is becoming harder and harder to hold in check the power that corporations and governments have in our personal lives.

    Ultimately, capitalism as a system encourages much technological growth while resources are essentially infinite. Even while this happens though, a competitive dance of wealth aggregation is constantly in motion; inevitably protections of individual power are subverted by corporate interests who use their exponentially increasing power (generally, corporate wealth adjusted for inflation has skyrocketed in a way that if graphed would closely resemble an exponential function) to more effectively grow their wealth. Microsoft's foray into data gathering and the imminent selling of OS space within the private sphere for further profits is a hallmark example of this strategy.

    When I see a technology like Intel ME, I try to look at its potential in terms of its use in the above strategy. The implications of Intel ME or MS spying or or or are all incredibly depressing- perhaps now its scope is limited, but in this exponentially increasing stratification of social and financial wealth, the mere presence of this technology is to be feared. 16 years ago if youd have suggested MS would collect the data it does, sell OS space, that the US patriot act and its successors would exist, etc etc people would have called you a paranoid nut. Today its simply business. Today its simply accepted and normal. Where will we be in another 16 years? Given the exponential stratification we have seen in corporate power (and by proxy governmental power), I wouldnt be surprised if stuff like Intel ME was openly accepted as a "check up" tool. Imagine periodic checkups by the .gov using such a technology to "prevent terrorism." The oppressive and exploitative possibilities are endless.

    Sorry for the rant. I feel like so many of us scream this stuff at the top of our lungs and noone gives a d***. Supremely frustrating...
     
  16. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,591
    DITTO!!
     
  17. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,010
    Location:
    The Netherlands
    I found this article, I'm not sure what to think:

    http://www.techrepublic.com/article/is-the-intel-management-engine-a-backdoor/
     
  18. Anonfame1

    Anonfame1 Registered Member

    Joined:
    May 25, 2016
    Posts:
    193
    Yup, it really is a big question mark. Without being able to see the code, you simply have to trust the company. If I had known then what I know now, I would have bought a libreboot de-IME'd core2duo computer and lived with the performance concessions. I did get very lucky with my computer as its UEFI implementation is geared towards business, allows for the permanent deletion of AMT, has SED encryption capacity, solid password setting for reboot/setup/boot order etc, can disable devices, etc etc. Still, with proprietary code being something I've just come to distrust lately, and its UEFI and IME implementation proprietary, it is no longer a device I completely trust. It is constantly brought before us today that open-source is the only way we can really trust a product to do only what it claims to do...

    I doubt I'm a target for state-level actors, but the principle of it being under my control is still important to me...
     
Loading...