About information source: Aeronet.cz is a known Russian propaganda website in Czech. Nothing close to a credible source. I don't judge content, but this should be noted.
Despite being a propaganda rag, they still have brought to light something that should not be happening, as others in this thread have noted. MS wants to collect massive amounts of information from Windows 10 installs.
I don't see how making up lies is a good thing, unless one is pushing an agenda.
Reminds me of the DRM FUD against Windows 7[1] and the fake benchmarks claiming that Windows 7 was eating up memory and was slow[2].
And they end up getting a lot of attention and page hits from sites like this, so it's a vicious cycle, with people repeating this 'information' to others.
MS generated a great deal of FUD about the Linux desktop. And it's always been a favourite of the people who own America's politicians and news organizations.
That's how all that "marijuana causes brain damage" shit got its start. Dr. Heath, "The scientist," and I use that term quite loosely, who published the study, pumped marijuana smoke into breathmasks worn by monkeys. His monkeys suffered brain damage and started dying and he published his government-funded study.
What he didn't publish were the details of his flawed methodology.
The monkeys were smoked up with the equivalent of 63 joints over a five-minute period. The masks were airtight and the only thing the monkeys could breathe was smoke.
He did that repeatedly for 90 days until the monkeys displayed symptoms of brain damage and began dying. Okay! Time to publish!
Playboy and NORML obtained the records via a federal info request and published the truth in 1986.
The monkeys' brain damage and deaths were caused by carbon monoxide poisoning and asphyxiation.
It's in the privacy policy. I didn't believe what I was reading. Windows 10 is unusable for anyone handling any sensitive data. Think doctors, psychologists, anyone under an NDA.
This would be too big an oversight for a company trying to get more business adoption. According to Microsoft, the data is anonymized and run through a virtual shredder before being sent. Here's their statement on it:
“Some of this data is stored on your device and some is sent to Microsoft to help improve these services. Data sent to Microsoft for product improvement is put through rigorous, multi-pass scrubs to remove sensitive or identifiable fields (such as email addresses, passwords and alphanumeric data) and strings are chopped into very small bits and stripped of sequence data to prevent the information from being identified or put back together.”
It amazes me that this information isn't easier to find and I end up being the one defending Microsoft. I definitely recommend using Free Software only if you want to be absolutely sure of confidentiality.
Do I understand this correctly that they are sending back everything you type, but they try to scan the data for things like e-mail addresses or passwords and remove those bits first, and then send the data back in pieces so it can't be reassembled?
If so, that sounds unbelievably error prone. What if your password is of the "correct horse battery staple" form, rather than the standard unreadable scramble? It seems impossible to reliably distinguish that from other text. Does that mean that Microsoft then has your password? Even anonymized, that's a massive problem.
It's not everything you type, just bits and pieces stripped of sequence, and most of what's saved is on your device only. They specify that what they send is only "some," and logically, everything typed into the billion devices they're shooting for would be too much data for even Microsoft to handle.
Passwords and the like are probably identified by the type of field they're entered into, as Windows forms and websites have explicit identifiers for passwords, and it would be easy not to record this. I think this analysis is more for things like analyzing the frequency of terms and which characters tend to follow other characters, but I don't have much more information, and I agree that there needs to be more shared about how this works.
That's what it may be sending today. What about next month after one of the forced automatic updates? If you authorize someone to take your data, that doesn't mean they have to do it right away.
> only "some"
99% is still "some". Regardless, since when is "some" keylogging acceptable?
> too much data
That depends on a lot of factors. Text is small and trivial compared to most stuff on the internet these days. How many kilobytes per day of text does the median windows user even type?
It would be even easier for MS to filter out stuff like video games (DirectInput?) to reduce the size.
> I think
Guessing is useless. What matters is the data going over the wire and what authorized MS to do in the future.
> there needs to be more shared about how this works
No, there needs to be explicit informed consent from the user.
I'm just trying to objectively interpret a really small amount of data here, not make a justification for or against any particular policy. You're right that it's important to have informed consent about this kind of thing. That applies to Google, Facebook, or Amazon too. It does seem like it's pretty obvious here when there are so many statements about how Cortana gets to know you, your speech, your schedules, your flights, your interests, etc., and there's a delete button for everything too.
Most people probably like all that, but I would like to see more robust privacy settings to easily disable tracking whenever it's desired.
> That's what it may be sending today. What about next month after one of the forced automatic updates?
You mean, like this?
# apt-get update && apt-get upgrade
Granted, running that isn't 'forced', but given that OSS users don't _actually_ analyze the code in their software, it's basically the same thing.
There's always a chance of something being slipped in later, no matter what OS you're on. Rampant paranoia and conspiracy theorizing does no one any good.
The "forced" you so easily dismiss is entirely the point. In case you haven't noticed, people choose when (and if) they upgrade, for a variety of complex reasons. One of those reasons is to wait and see if the early adopters complain of any issues.
The problem of inspecting the code itself is a separate issue entirely, though at least in the area of Free Software that inspection is possible, and reproducible (deterministic) builds will simplify the problem. Good luck doing the same with Windows (or any other closed software).
> Rampant paranoia and conspiracy theorizing
Now you're simply resorting to either insults (and/or wilful ignorance).
> The "forced" you so easily dismiss is entirely the point.
I think it's you that missed my point.
> people choose when (and if) they upgrade, for a variety of complex reasons
If they're running Gentoo, or maybe a small group of other distros, sure. Otherwise, people (on all operating systems) don't really do a lot of choosing at all. If updates are available, they generally run them. The only picking and choosing I've ever seen from the vast majority of people (including technical folks) is if they don't have the bandwidth/time to update a particularly large piece of software at the moment. Of course, they'll update it later when they are able.
> The problem of inspecting the code itself is a separate issue entirely, though at least in the area of Free Software that inspection is possible
Yes, it's possible, but it isn't done in practice, which is why I said it. That's the reason I said it's 'basically the same thing'. Whether you receive updates automatically or choose when to download them, you are still accepting what the distribution method gives you. There are FAR too many software packages out there for the average person to work out the logistics of reading accounts from early adopters of every single point release.
> Now you're simply resorting to either insults (and/or wilful ignorance).
It's not an insult. It's a factual statement. You claimed in your comment that a multi-billion dollar corporation who has a vested interest in keeping the good will of their customers (some of whom are corporate, some government, but the vast majority are consumers who look to them for help) would willfully send compromised software through forced updates in the future. If that isn't a conspiracy theory, I'd love to know what is.
Apparently you need to get out more, because you seem to have missed that "not upgrading" is so incredibly common that some major software packages (web browsers) and at least one operating system have decided to force upgrades.
Also, do you really believe that all the IT departments in the world are running current versions of anything? There are entire industries that run "last year's" versions, who only upgrade after extensive testing.
> I'd love to know what is
Did you even read the thread you're replying to? Your knee-jerk application of the paranoid-style[1] ignores the fact that "It's in the privacy policy." There is no secret. MS is telling everyone they will send forced updates (which have already caused stability issues for some people). As for MS keeping "the good will of their customers", again, did you read this thread? Windows 10 has already forced various professionals to drop Windows.
Also, "compromised" is your term, not mine. I'm sure any future update they push out will be buzzword compliant. The point is we don't know what future updates will bring, but you agree to run those future versions anyway.
--
Meh. I have better things to do than waste any more time on your distractions. If you want to be the apparatchik that refuses to believe MS would do anything malicious, that's your business.
So, here's a question then, assuming that's true, why send it? If it's been so thoroughly anonymized that nothing useful can be gleaned from it, why bother sending it in the first place? If it is possible to derive useful info from it, that seems to directly contradict the idea that no sensitive information is going to be exposed (there being no realistic way to programmatically identify only sensitive information without some very specific domain knowledge). You can't have it both ways, either the info isn't useful in which case they have reason to transmit it, or else it's exposing potentially sensitive information and they shouldn't be transmitting it.
I can only speculate, but I would guess it goes something like this:
You type "the quick brown fox jumps over the lazy dog." You continue typing other stuff. 30 minutes later, there's a queue of random slices like: { "lazy dog", "chocolate donut", "brown fox" }. That gets encrypted and sent into a big pile of other data for a machine learning algorithm to develop better typing prediction.
I would like to know if that's the gist of it or if there are other things happening. Hopefully there will at least be a developer blog or something like that to better explain it.
The trouble is that not every place you type a password will necessarily have something identifying it to the OS as a password field. For example, what if you're entering a sudo password into an ssh client, or saving a password into a text file (saved on an encrypted drive, surely) using a text editor?
I'd like to know too. Maybe they compare typed data to a dictionary and throw away everything that doesn't match so that every slice contains only dictionary words that couldn't be identified as passwords. That's just speculation of course.
It's hard to see the utility in a bunch of individual unassociated dictionary words being sent back. Maybe there is some that I just don't know about. However, my money is on them being more confident in their scrubbing than is warranted. There have been so many cases in the past where companies have scrubbed and anonymized data, only to find that they missed something critical.
Even the frequency of words used might be valuable for typing prediction, but I would guess they would probably group a few words together. I really would love to know how it works.
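The objections raised in the comments above (a passphrase made of ordinary words, a scrubber that keeps only dictionary words, slices stripped of sequence) can be checked with a small model. This is an added example, not part of any comment and not Microsoft's implementation: the scrubbing rules, the word list, the function names and the typed text are all constructed assumptions.

```python
import random
import re

# Constructed word list standing in for a real dictionary (assumption).
DICTIONARY = set("""
the quick brown fox jumps over lazy dog my login is and password
correct horse battery staple patient reports severe anxiety after surgery
""".split())

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def tokenize(text):
    """Lower-case words with sentence punctuation stripped from the ends."""
    stripped = (t.strip(".,;:!?").lower() for t in text.split())
    return [t for t in stripped if t]


def looks_sensitive(token):
    """Pattern-based guess at 'e-mail addresses, passwords and alphanumeric data'."""
    if EMAIL_RE.match(token):
        return True
    has_alpha = any(c.isalpha() for c in token)
    has_other = any(not c.isalpha() for c in token)
    return (has_alpha and has_other) or token.isdigit()


def scrub_and_slice(text, slice_len=2, seed=0):
    """Hypothetical scrubber: drop sensitive-looking and non-dictionary tokens,
    chop what is left into short slices, then shuffle to remove sequence."""
    runs, current = [], []
    for tok in tokenize(text):
        if looks_sensitive(tok) or tok not in DICTIONARY:
            # A removed token ends the current run, so no slice spans the gap.
            if current:
                runs.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        runs.append(current)

    slices = [
        " ".join(run[i:i + slice_len])
        for run in runs
        for i in range(0, len(run), slice_len)
    ]
    random.Random(seed).shuffle(slices)  # "stripped of sequence data"
    return slices


def leaked_fraction(secret, slices):
    """Share of the secret's words that still leave the machine."""
    sent = {word for s in slices for word in s.split()}
    words = tokenize(secret)
    return sum(w in sent for w in words) / len(words)


# Constructed typing session: one scrambled password, one e-mail address,
# one passphrase of plain words, one clinical note.
TYPED = (
    "My login is alice@example.com and password Tr0ub4dor&3. "
    "My password is correct horse battery staple. "
    "Patient reports severe anxiety after surgery."
)

SECRETS = {
    "e-mail": "alice@example.com",
    "scrambled password": "Tr0ub4dor&3",
    "passphrase": "correct horse battery staple",
    "clinical note": "patient reports severe anxiety after surgery",
}

if __name__ == "__main__":
    sent = scrub_and_slice(TYPED)
    print("slices sent:", sent)
    for label, secret in SECRETS.items():
        print(f"{label:20s} leaked: {leaked_fraction(secret, sent):.0%}")
```

Under these assumptions the pattern rules remove the e-mail address and the scrambled password completely, while every word of the passphrase and of the clinical note is still transmitted, because nothing about them looks different from ordinary text.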
Because companies haven't failed to anonymize data before with the general public being left to pick up the tab.
If Microsoft was a known moral bastion who had perfect security it might not be a problem. But it isn't and it doesn't, so there is only one response: NO!
(OK, there are more responses, but I'm not sure if they are allowed with HN's code of conduct.)
> I definitely recommend using Free Software only if you want to be absolutely sure of confidentiality.
So, has anybody ever audited build farms for Debian, Ubuntu, etc? Have we ever seen a breakdown of their income sources? How do you know that the binaries you install are built from the sources you can browse or download from the net?
Debian and others realize that this is a problem, and you absolutely shouldn't trust anyone at their word. There's an ongoing effort at Debian to make all builds reproducible so that you can verify that they were built from the sources they provide for inspection. This should be completed soon.
For the situation I'm talking about where absolute confidentiality is required, the right way to do it would absolutely be auditing all code and compiling from source, assuming you're working in an organization that has that kind of capacity.
But for most cases, just dealing with an organization you trust is enough, whether they provide source or not.
> "There's an ongoing effort at Debian to make all builds reproducible so that you can verify that they were built from the sources they provide for inspection. This should be completed soon."
Ah, good to know. Do you have any links to articles or discussions about this? Would like to learn more.
FWIW, I believe they try to do these things; however, I'm not sure how it's technically possible.
Various security measures rename sensitive fields into things that are basically random strings that are stored in a session. [e.g. Fields to change your password? They are set to something like 2ajefklaj23324rk]
There is also the issue of people who write erotica for fun. Or doctors writing down notes for patients.
How do you think Apple gets their spell-check data, or improves Siri's voice recognition?
In any event, during the installation process, you do see a screen where you can turn all this off. It's not off by default, but viewing these settings was part of my Windows 10 installation experience.
I thought the options to turn off defaults were pretty clear during the installation process. Requests to make options more explicit and visual are reasonable, but it bothers me that Mozilla and others are acting like "choose my default programs" or "custom settings" are too obscure for anyone to understand. You also have the option to delete your history.
> In any event, during the installation process, you do see a screen where you can turn all this off. It's not off by default, but viewing these settings was part of my Windows 10 installation experience.
The problem is that Windows 10 does not respect you having this turned off. It will send away your data, even if you turned off all the switches.
I don't know, how about using a dictionary and doing research?
Otherwise wouldn't every commonly misspelled word show up incorrectly in spellcheck?
There is quite a bit of work in the field of speech recognition, too, and it's entirely possible to create a functional model without recording every user's voice and storing that information on a server. Even if they require speech samples, or samples from different languages, they should at least pay someone for that information.
I was disappointed when I learned that the voice recognition feature in Siri wasn't local to the phone.
Turning those things off still doesn't prevent Windows 10 from sending tracking and usage data to Microsoft though, even when you're only using a Local Account instead of a Microsoft Account.
I can confirm: I bought a Surface Pro 3 the other day, and when I first booted it up, the setup screens explicitly asked me which privacy settings I'd like to enable.
I'm not sure this is what Beltiras is referring to, but in the privacy FAQ for Windows speech, inking, and typing [1], it says this:
"When you interact with your Windows device by speaking, writing (handwriting), or typing, Microsoft collects speech, inking, and typing information—including information about your Calendar and People (also known as contacts)—that helps personalize your experience. This information improves your device’s ability to correctly recognize your input, such as your pronunciation and handwriting. You can turn the Speech, inking, and typing setting (which is called Getting to know you) on or off in Settings.
Note: If you want to use Cortana, you must have Getting to know you turned on.
We also collect your typed and handwritten words to improve character recognition and provide you with a personalized user dictionary and text completion suggestions. Some of this data is stored on your device and some is sent to Microsoft to help improve these services. You can turn the Send Microsoft info about how I write setting on or off in Settings."
I think you mean, during the install process you selected the tiny "Customize settings" and manually disabled this option, after scrolling down on the page that (on my smaller screen) doesn't have a scrollbar enabled:
If this is true, then it really does flabber my gaster.
I've no problem with them doing this sort of thing, but it must be opt-in rather than opt-out. Like you say, this isn't just about individual privacy concerns, it's about important legal obligations that people may unwittingly be violating if they use Windows 10.
This is my point. I do not care one iota under what sort of black-box privacy scheme they maintain they employ. It's a black box and through it all generated information can be passed to Microsoft. "Trust us" is not a good reply by someone with their track record.
I'm curious: Are doctors, psychologists, and anyone under an NDA forbidden from using the Google search engine or Android voice recognition under a logged-in account?
I'd think that the security concerns would be functionally identical.
> I'm curious: Are doctors, psychologists, and anyone under an NDA forbidden from using the Google search engine or Android voice recognition under a logged-in account?
Android voice recognition might raise similar problems; the Google search engine less so. You can use Google Search without putting any protected information into it; OTOH, if an OS is capturing all of your typing and inking and sending it to another party, anything you do by typing or inking that involves protected information is being sent, so (in the HIPAA case) unless you have a BAA in place, and both parties have both the technical and administrative safeguards required under HIPAA, using it for PHI is going to involve regular illegal disclosures.
The major difference is if I'm looking up drug Apraximine to give to fixermark for his PTSD resulting from embarrassing secret, I would just google (or whatever professional service they use) Apraximine. Google only sees that and now knows I have some interest in this drug. It can't even attach your name to it. But if I write in an electronic file that fixermark is being given Apraximine for PTSD resulting from embarrassing secret, Microsoft now has all that information. More so, hackers have a much easier time getting such information.
They would be if they're entering actual patient data into Google, which would be silly (Android voice recognition would be less silly, since doctors do use voice recognition software for dictation, though in my experience this is usually something locally-installed on a PC, like DragonSpeak).
The problem is that, by way of Windows 10 effectively having a keylogger installed, pretty much any EMR accessed via a Windows 10 machine is automatically insecure, since the data entered into said EMR is being sniffed and sent to a third party. If Microsoft experiences any sort of data breach, hospitals throughout the U.S. will be having a HIPAA/HITECH hell-day.
They are forbidden from disclosing confidential data to those services, which is still somewhat under their control, as opposed to the OS deciding to disclose all the data for them.
So would a logged-in search for, say, "rheumatoid arthritis" or specific drug names be out of the question if it's in the context of finding treatments for a patient? And does HIPAA also block a family practitioner from using Drive to track patient histories?
Swinging back to topic: Microsoft has traditionally had a good rapport with the business / government space, so I'll be shocked if they don't already have a plan for addressing the need to protect private data. Maybe the enterprise solution version of Windows 10 will have this feature off by default?
There is a nod to Enterprise. The minimum value for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection\AllowTelemetry is 0 on win10 Enterprise, and 1 on consumer editions. (I believe the default value is 3. Lower is more private, but lowest is not offered to consumers)
Like people mentioned there are different settings for Enterprise SKU's including different settings for different verticals (e.g. education or health industry).
For example Office 365 for Healthcare which is HIPAA compliant has probably quite a different privacy policy and out of the box authentication, encryption and right management settings than what you would get as an individual or even by buying Office 365 for business editions.
Not saying that's right, but most companies that provide free/subsidized consumer services including companies like Google tend to have quite a different SLA and service terms for corporate customers.
Microsoft has no business to send out anything without consent.
I will not waste my time to MITM SSL traffic and break down binary blobs to find out, whether it contains something I just typed. It sends out unwanted traffic when I type into start menu --> onus is on Microsoft to be transparent, what it sends out. And to allow user to disable that behavior.
> Cortana is your personal assistant. Cortana works best when it can learn about you and your activities by using data from your device, your Microsoft account, third-party services and other Microsoft services. You can choose whether to enable Cortana, and you can turn Cortana off at any time.
> Windows 10, rather than residing as a static software program on your device, key components of Windows are cloud-based, and both cloud and local elements of Windows are updated regularly, providing you with the latest improvements and features. In order to provide this computing experience, we collect data about you, your device, and the way you use Windows. And because Windows is personal to you, we give you choices about the personal data we collect and how we use it.
Could you point in what part they explicitly say so? I just skimmed through the text and couldn't find any reference to keylogging, in whatever "legal terms-friendly" way they could write it.
It's right there, thank you. It says it can be turned off, and that Cortana will not work after you do that. Considering I live in a Cortana-less country, it shouldn't be a problem if I ever migrate to Win10. However it'd be best to see how they handle this.
I've stopped gaming on PC about 5 years ago and couldn't be happier. Consoles don't have this constant hardware upgrade cycle and you're free of Windows. In the long run I think I've actually saved a bunch of money; I used to buy high-end graphics cards easily worth two consoles and now I spend that money on more games :)
Took me a few weeks to completely replace my Windows workflow in OSX and Ubuntu but I'd say the broader perspective of knowing all three platforms when being a programmer is well worth the investment!
I'd have to say, Uncharted played a small role in this transition; I've been blown away by this series and they're not available for PC, so there :)
I personally like to mod my games, though, which is borderline-impossible on modern consoles. There are also quite a few games - like Kerbal Space Program - that aren't available for consoles and that I enjoy playing.
I personally just game on a Linux box (running Slackware, specifically). I don't get the best selection in the world, but most of the indie games seem to be paying attention to Linux/SteamOS, and said games tend to be the better ones anyway.
> "Consoles don't have this constant hardware upgrade cycle and you're free of Windows."
Do you own an Xbone? I hope not for your sake as Windows 10 is coming to that too.
(If I'm being pedantic, other consoles have used Windows in some way. I'm not sure about the Xbox 360 but IIRC the OS for the original Xbox was based on Windows 2000. The Dreamcast also had limited support for Windows CE, I don't think the main OS was based on it, but a few games used it).
I am using the setup you describe since about two years now. I mean, my Arch-Linux machine is bugging me off sometimes, especially when an update cracked something, and I have to downgrade again. But every time I read news like that, I am glad to have it as my primary machine (where I know exactly what goes on under the hood)...
Er... reading the "Learn More" option under the "Personal Data We Collect" heading sends up giant red flags... why would anyone agree to this, ever?
I don't care how good your data gets anonymized; time and again, it's been shown that anonymized data can be fingerprinted and de-anonymized over time.
Whether or not this is happening, this should raise legitimate concerns with people who are considering, or who have already upgraded to Windows 10.
Why is it unusable for those people? Will they be held legally liable if something were to leak? Seems like Windows 10 is one of many services collecting anonymous information, what makes it different?
You can opt-out of services, if you run Windows you can't opt-out of your operating system. That's basically the line I see.
I'm fairly certain things under NDA won't go near Windows 10, even if anonymous the data is still leaked. Just like these things currently stay far away from 3rd-party services.
I have a feeling that there is a grain of truth in some of it, however the wholesale keylogging and what is basically searching for pirated content after keywords are typed is probably not real.
The problem is that it's TLS encrypted traffic going from a black box component to a remote black box service so it's pretty hard to determine what is going over the channel. Without extensive and complex reverse engineering, you can only infer what is going over it and draw some hypotheses that need to be tested. I think that the article is spot on with respect to that.
And of course there is no word from the horse's mouth (Microsoft) at all on ANYTHING related to this. Silence is always worrying.
Naturally, if they were following "security best practices", they will have pinned the certificates and made no option of overriding them with your own.
Taking into account it is Windows, even if the traffic is "encrypted", I suppose the part of the OS that encrypts it is not obfuscated in any way, so it should be easy to know what it really is doing.
You're right hence the extensive reverse engineering. I think you can expose call graphs and assembly with SoftICE or some product like that and infer which windows API calls are used so that's a starting point. However some of the things that talk are going to be heavily optimised binaries, code signed and difficult to poke inside.
Generally speaking you don't need to go to such lengths to intercept client/server communication from your own device. You can even have your wireless devices use your local WiFi, computer and Fiddler (which I think is roughly equivalent to Charles on Linux/iOS) as a proxy to intercept SSL and decrypt communication.
You don't need to bust open the codebase itself to figure out what comms are occurring. You can stage your own MITM attack against yourself with a couple of home made SSL certificates and a router you have the ability to install your own software on.
That's true but then you still have to understand the data that is sent rather than where it is collected from. The latter is much easier than the former from experience (I've had to reverse engineer a couple of protocols in my time)
Why whenever anyone quotes anything someone replies criticising them for using "scare quotes?" People commonly use quotations (in English) to emphasise, or to distinguish. It is like a poor man's italics.
Look at the context to decide if someone is using it to imply something is bad/evil/scary, in this case you cannot draw that conclusion. The OP is clearly just using it instead of italics.
Yep. I want to love it (I want to love it so much). I just can't.
Audio still doesn't work on my installation. It can work if I kill Flash or pulseaudio---sometimes---or if I restart my browser or entire machine---sometimes. But it's an atrocious state of affairs to expect end-users to debug basic functionality like that, and they end up having to because there isn't a "Geek Squad" local-service ecosystem to take a malfunctioning Linux machine to (with your own customized distro install) where they can just "make it work."
It's not just a software problem---it's an ecosystem problem. Both in terms of the service / support sector and in terms of the software creation sector (the fact that there isn't just one answer to "How do I do audio on Linux" is absolutely maddening to someone used to writing software on a Mac / Win monoculture [http://braid-game.com/news/2008/08/misc-linux-questions/]).
In comparison to OSX and Windows running on the same hardware, Ubuntu is worse in every meaningful way. Power management is terrible, window management is terrible, the Ubuntu software center is slow as hell and has no selection (amount of useful software is a huge concern, actually). It lacks polish in general, things that people have come to take for granted in their OSs are missing or badly implemented.
I'm sure the argument will come that most home users only need a web browser, so the software selection isn't a problem, but at that point you might as well just use Chrome OS and get something that actually works.
Not for gaming (yet! Vulkan will change that), but for everything else I think it's absolutely ready. It does internet perfectly through Firefox, and LibreOffice for document things, plays all file types through VLC, and it's free and can run securely right off a USB stick. What else do I need a computer for? Apps? I have my phone for that.
Once it gets increased adoption more niche and paid for software will naturally migrate.
I say this as a Linux hating Windows lover who lasted 3 hours before reverting Win 10 back to 8.1 on my gaming machine and changing my wifi password, and I plan to never go to Win 10 or any Windows products again.
I hear this for last 15 years, and few things changed. Showstoppers - 100% compatibility with Office will probably never happen, which is deal breaker for most business customers actually paying for licences. Second issue is device drivers. Users don't care who-what is responsible, they just want to see their strange printer working with scans. Again, in many cases not there
No, it definitely isn't. I'm a software engineer and I've used it as my primary desktop OS for years. A year ago I went and paid $300 for a windows 8.1 box and migrated my whole system back to windows. There were just too many problems that got in the way of my work, things breaking after updates, graphics and printer driver issues, etc. I was spending more time debugging that stuff than a windows license costs. I don't like windows, especially windows 8, but it's stable. I did have to buy a start menu add-on, because Microsoft lost their mind with windows 8. I keep my Ubuntu machines in a VM now, where I can easily back them up, roll them back, or throw them away without affecting my productivity. It's not quite as fluid running an Ubuntu desktop at 4K inside a VM, but still quite usable.
If it's not ready for a seasoned software engineer, it's definitely not ready for my mom.
the problem for me (and people like me) is that I'm running a gaming / game dev rig. I actually need Windows as most of the games I play are windows only - plus my current rig is way more powerful than any mac I can afford. I love linux and attempted to dev my games in pygame so that I would only need Windows to play games, but this isn't a good solution either as I prefer Unity.
Guess I'll stick with 8.1 for now even though it is shit.
I have been able to put Unity on the back-shelf because it's just a hobby for me. I have been experimenting with Phaser / PIXI / P2 + ScalaJS in the meantime while I wait for the Editor to come to Linux, which will hopefully happen in the near future [1].
As for actually playing games, a surprising amount of the ones I try have been ported over to Linux already. For the rest, I use Steam Live Streaming from a Windows 7 box which works pretty well. Steam can even stream non-Steam games (blizzard ones for example). I tried using it to stream the Unity Editor, but it was just too clunky for my tastes.
Thankfully I have 2 gaming rigs, 1 outdated mac and 2 older custom rigs that are sitting around in pieces. I'm going to build and install a linux box for personal computing (all non-dev non-gaming related computer activity) and just keep it on right next to my gaming / dev rig.
I tried ubuntu last year and the context menu on the desktop was displayed wonky. Time to first bug of 1 click is not ready for prime time. Not to mention it took an hour of trying printer drivers for my common laser printer to find one that would output even distorted barely legible text.
Is there any other reliable source for this? Extraordinary claims require extraordinary evidence. Having a keylogger in the system by default sounds like a move that would exclude MS from competing in any businesses in the future.
A move that seems illogical.
So it would be nice to back that story up with some more information.
"Go to Start, then select Settings > Privacy > General, and then turn Send Microsoft info about how I write to help us improve typing and writing in the future on or off."
Does anyone know if this stops Windows 10 from sending typing data across?
What is it lately with Windows 10 privacy issues blowing up in Hacker-news since windows 10 came out? I know most of you guys are Apple/Linux guys (I myself love Linux like the rest of you) but come on, Apple does this, your smartphone does this, most services you use do this. Just getting tired of the big bad M$ hate bandwagon. This isn't even a credible article and people are already going off about it. This is no different than Yosemite which logs your location and searches that you make with Spotlight and Safari. Yet, I don't recall seeing articles constantly on the front page about that? Seems a little biased to me.
NOTE: Not that I condone what Microsoft is doing, just a little hypocritical to think that big bad Microsoft is doing anything new in the industry, especially when the products you guys are talking about jumping ship to have the same problems. This is nothing new.
It's new for Microsoft, which is what makes it news. MS seems to be finding its way into the consumer-level big-data world slower than its competitors, but now that they're going in that direction---yeah, people should care that their assumption that the OS they use at home (the OS itself, not the myriad applications they run atop it) isn't keyboard-logging them might very well be false.
Yet we are basing this hype around a non-credible article that doesn't really offer much in terms of proof? There have already been a few people including myself who have done HTTPS/HTTP sniffing who haven't found any "keylogging" like evidence other than for Cortana/search related tasks. At this point it's a witch hunt.
1. I don't use my smartphone for work. I have to use Windows for work, and some of this is dealing with confidential information.
2. I don't use my smartphone to write sensitive documents. I use my PC to write all kinds of documents, some of them sensitive and confidential.
3. I am not aware of my Android smartphone or tablet sending all my typing to the cloud. If this is so in Android I'd like to learn about it, same as if it's true for Windows. I wouldn't be comfortable with it.
I understand that, but the article is not credible in the slightest, and there has already been HTTPS/HTTP snooping done by multiple users that shows no evidence of an active keylogger. It's annoying that an article like this makes it to the front page with a click bait title and everyone is going crazy about it because it fits the agenda for M$ bashing.
Finally someone who isn't a hypocrite and speaks the truth. The same people who are complaining about Microsoft data mining are the same people who don't have issues using Google.
It's just so ridiculously stupid and it's as if it's funny.
> Finally someone who isn't a hypocrite and speaks the truth. The same people who are complaining about Microsoft data mining are the same people who don't have issues using Google.
Nope. You're making assumptions based on nothing.
I have an issue with both (or any) companies doing it, as do many other people.
I don't even use Google search anymore, and I certainly don't want my Windows searches consulting Bing.
> The same people who are complaining about Microsoft data mining are the same people who don't have issues using Google.
I would bet cash money that this is false. There is more than one type of person on HN. If you interpret the actions of multiple people as if they were a monolithic entity, of course they're going to seem contradictory.
Many people welcomed the apparent change of course Microsoft made under the new management and they're probably a little disappointed. Anyway, I try to handle more sensitive content (production ssh keys, customers' information) on my laptop (running Ubuntu) and not a mobile device precisely because I only have weak control over the phone.
as somebody who never uses apple products and probably never will, i don't find it OK that my device, any device would do such nasty things.
to put it as simply as I can - wrong behavior is wrong, and it's good to not be OK with it. just because other assholes in the block are doing it too doesn't make it any more right.
I understand that it's wrong, but I see a constant trend to backlash against big bad M$, while other companies are not held to the same standard. The article posted isn't even slightly credible, yet it makes it to the front page, the witch-hunt begins. That's my problem.
Google and Apple are no saints, but there is a much larger history of bad behavior from MS. Given their attempts recently to about-face and be the good guys it shouldn't be surprising that many people are quick to point out actions that seem to indicate this behavior is not representative of their core agenda.
And besides, these things tend to come in waves. I've read basically the same comment about Google and Apple here: "Why is everyone picking on Google and giving MS a free pass? They've done much worse!" "Why is everyone hating on Apple? Android has most of the same problems too!"
That makes sense. They do come in waves. I do think that Apple does get a free pass a majority of the time though because of their monolithic following. But overall I agree.
> This is no different than Yosemite which logs your location and searches that you make with Spotlight and Safari.
No, if this is true it is massively different. This article claims that Microsoft is keylogging everything for keywords; this is not in the same universe as one app sending data for search results. Did you not rtfa?
The article is moot. Did you also read the article about MH370 getting shot down by an Israeli missile? Clearly not credible. Look at some articles where people have done HTTPS/HTTP snooping and you can find out pretty quick that there are no indications that there is an active key-logger other than Cortana/Search data being sent off.
I wasn't commenting on the credibility of the article, I was commenting on your claim that it (the article's claims) are equivalent to what Spotlight does, which is bullshit.
Sorry if I wasn't clear, I was trying to say that the article in itself is bullshit, and that from credible sources, and if you do some HTTPS/HTTP snooping yourself, you'll turn up with evidence that suggests it does the same thing that Spotlight does.
This sounds like the reasonable interpretation is, they are reading the passwords for MS accounts like hotmail. But IANAL, perhaps one should use the most hostile interpretation possible.
When reading a privacy policy from a company like Microsoft, I think assuming the "most hostile interpretation possible" is a safe bet. If it was only for MS accounts, why wouldn't they say so?
That's not what they were asking. They were asking about if TYPED passwords are sent (meaning keylogger style). You're talking about password manager syncing.
To just give one example, if typed passwords are sent then passwords typed into Chrome are sent, if only the password manager is synced then that only impacts IE or Edge users.
However this will turn out (for now it looks like the source is not very trustworthy) I wonder if there's a small little tool you can install on a fresh Windows 10 that will let you disable all the various privacy related settings in one screen. Just a list of checkboxes with short descriptions of the setting and what feature you will lose when disabling it.
Theoretically it should be possible to do this even if MS don't provide the configuration options by patching files, but there is a ton of signing and verification which gets in the way, not to mention things like Secure Boot. Hopefully the crackers are still interested in breaking through all this and giving the masses such a tool, like they did before with signed drivers.
> Do you type passwords and other private information directly into GDocs?
Of course! Why on earth would I trust passwords in some random third-party password locker when I can instead store them in a heavily-secured Drive doc behind the one account I have with a regular password rotation schedule and two-factor authentication?
It's where I keep my bank account numbers and last will and testament too. ;)
What is with these privacy violations? Lenovo just got caught out installing a BIOS root kit on a wide range of laptops [0], now Microsoft is phoning home?
First of all, as others have said, this source may be slightly dubious, but I have seen a handful of similar sources saying similar things, but I have yet to see an extensive reverse engineering effort. For the time being though, because of the variety of similar reports and side effects, I am considering Windows 10 a surveillance state approved operating system.
For example, in another HN submission where someone posted a tool to delete/disable tracking services and add IP lists to the hosts file, a user has reported startup errors. To me this indicates Windows 10 is trying to communicate even during boot without the user's knowledge! That's a big deal in my book... I don't know about y'all.
The one reason I have suffered the slings and arrows of Windows so long is for gaming purposes, more recently because I wanted to release my hobby side-project, a game in Unreal Engine 4, on Windows and so I have kept one of my computers on Windows 8.1.
Last night that machine was compromised, and despite my fairly extensive malware fighting abilities, I couldn't get rid of it. That means a complete wipe and only moving data over that I must have, and not trusting that data, not to mention never trusting the HDD again (going to have to throw it away). I also question my bios, so I'll need to flash bios too.
I run three main computers, Windows on an Asus laptop, OSX on a Mac Air, and Linux/DragonFlyBSD dual boot on a Macbook Pro 2014. I think Windows 10 just might be the excuse I need to push myself completely away from the MS ecosystem. I've been talking about it for years, but the power of their tie-in is not to be trifled with.
I also fear for the state of Linux in the same way though. At >10 million lines of kernel code, I think the many eyes theory has a weakness, namely that complex and huge codebases are antithetical to the many eyes theory working. That's why I personally think the future of computing will be in code simplicity and paring down existing codebases. A good example of a try at this is Minix 3. <10k loc. (of course lacks many features).
That's also why, even though I'm a huge GPL/GNU guy, I am increasingly leaning towards the top down ecosystem of the BSDs.
I think there are a lot of fundamental issues in personal computing that many of us just ignore and don't want to discuss because the implications of the conclusions could be uncomfortable. I think it's time for those of us who are considered power users to start having these difficult discussions more often and in more public ways.
Windows 10 and previous versions are known to be SIGINT enabled either by design, or by accident. It would be very cloak and dagger to say by design, but certainly more plausible to say by accident. There are numerous ways to harden Windows however, and depending on how much time and money you're willing to invest; you can get a pretty robust setup. Personally I use Zemana Antilogger (try to get an older copy - the new one is possibly backdoored). Download this: http://hardenwindows8forsecurity.com/ (Some of the settings still apply on Win10 I think). And buy the new version of Glasswire: https://www.glasswire.com/ (Super handy utility that stops all the phone behavior of Win10 that can get quite intrusive/invasive). There are many other hacks to harden Windows but I won't go into them here. But you can have those ones for free...
Here's Antilogger: https://www.zemana.com/AntiLoggerFree Please avoid the new version, as it's probably weakened by ICs. I'm sure an older copy is lying around the net somewhere.
I have a hard time trusting either Glasswire or Antilogger without seeing the source (especially since you mentioned possible backdoors in the same breath as your recommendation).
Your first link looks like it's just a pack of local policies, so I suppose there's some value, if that's the case, for people who don't want to go through with learning how to set that up.
It might be closed source, but that does not equate to 'bad'. It doesn't contain too many smaller parts; it is easy to analyze what the binary is doing. It does attempt to update, but this behavior can be blocked. Binary blobs do not have to be a black box, and it is trivial to open up Antilogger in OllyDBG and see what it is doing under the hood. It might sound like I'm fumbling around in the dark here, and I admit I am; but Antilogger is one of the first ten programs I install on a fresh Windows install.
Regular electronics consumers are not going to buy a Thinkpad with FreeBSD on it, and then house the laptop in a Faraday cage to airgap it. It. Does. Not. Happen.
> Regular electronics consumers are not going to buy a Thinkpad with FreeBSD on it, and then house the laptop in a Faraday cage to airgap it. It. Does. Not. Happen.
Nobody said it would but "regular electronics consumers" also aren't reading this thread and don't have much to do with the post you're replying to.
Oh now I can finally install the OS that will try everything to unearth what I do on my computer... Oh wait, of course I won't.
This is such nonsense. It is like saying 'Hey, there is no problem with living in a glass house where everyone can see you go to the bathroom, you can just put up some curtains.'
I'm not defending M$ here at all. I'm just saying if people are going to use WinAll, there are rudimentary and basic things to install before using it. Otherwise it's like sex without a condom...
Why should I trust Zemana more than Microsoft? You're already suggesting at least the latest version is compromised. Then the other question becomes how I know the older copy I get is genuine and not also compromised.
Off-topic, and please believe me I'm not trying to start a flame war, but I'm really concerned about this and I think it could be time to switch -- is OS X any better in this regard? I had heard it has been phoning Apple since forever. (I'm not going to consider Linux for a desktop)
Linux is totally ok for a desktop, I would say much better than anything else! You have several desktop environments you can choose from and you can customize it to make it work exactly like you want it to. Once everything is set up to your liking, the configuration can be easily copied to any other system because it is just files in your $HOME folder.
If you are a Hacker, you will be overwhelmed by the great amount of development tools that are much easier to handle than on any other system.
There are very few reasons nowadays not to use Linux.
I moved to Linux Mint for the very reason that I saw many comments in places like this. But I have to say, I have been seriously considering moving back. I love the stability and reliability of Linux. And by God it's fast, but the user experience is not the least bit as polished as people keep making it out to be. It's not intuitive, and half the things aren't as easy as people say they are. I lost a whole afternoon trying to get Photoshop to work through WINE and in the end resorted to setting up a virtual machine and installing Windows. Less than ideal. I like Linux for what it is, but lack of compatibility with major apps is a major deal breaker. I've not been able to get a single Windows app to work through WINE and I've tried a fair few. I would be less inclined to go back if more major app makers were willing to create native Linux apps. Take Quip or 1Password for example. No native Linux support.
I understand your frustration, I've been there too.
However, I think it's very important to understand, and go into it with the mindset as follows:
You're not going to have the same programs. You'll have similar programs and very good alternatives (Photoshop/GIMP, 1Password/KeePass, etc.)
Once I realized that I probably shouldn't try to shoehorn a program written for only a specific OS into what I was doing, I found the experience much better.
Sure, some of the alternatives aren't as good. If you really need them, then you should re-evaluate why you're switching.
It's an alternative in some restricted circumstances. Calc.exe is an alternative to Wolfram Mathematica. People who didn't just pirate Photoshop probably don't use the small subset of functionality that GIMP provides because if they were they'd be using GIMP before switching to Linux.
Exactly! Why do the Linux people try to "take over" every Windows thread? The Windows folks don't barge into every Linux thread.
Windows 10 is excellent. We moved our all-mac company (~20 developers) off Macs and onto Windows over the past year, because Apple no longer supports the high end. We do GPGPU programming, and you can't plug a high end NVIDIA card into a MacPro. (The Mac Apologists will say you can, but you can't -- not in any useful performant reliable way.)
It's hardly "barg[ing] into" when somebody explicitly asks about alternatives. And yes, they said they wouldn't consider Linux, but that does mean they're the ones who brought it up!
If you are a Hacker, there are very few reasons nowadays not to have access to Linux. I run my development profile as a VM on my Windows machine. It's nice to have the distro packages to pull in any esoteric tool I need to solve problems.
But I play too many videogames to run it as my primary machine.
Genuine question: What are the equivalent easy to use development tools that map to sysinternals tools such as procexp, procmon, tcpview, ....? If it is just lsof, ps, top, netstat then I'm seriously missing some thing. It is one of my personal pain points with linux.
I would be quite interested to learn what it is you would like to see that lsof does not show? (yes, this is a genuine question, I do not know Windows tools)
games, games, games, just 3 reasons, very good for quite a few.
and let's not forget the whole corporate global space, where Exchange+Office suite rules unchallenged. whenever i try to see some excel in what gmail has for previews, i cry and run away (and those are simple excels out there, without any complex scripts for example).
Why not at least consider it? I run Arch + GNOME3 on my desktop and I haven't had any insurmountable problems, nor any that would be easier to solve in Windows.
That is a fair question. However, it all depends on your personal use case and because of that Linux just isn't an option for most people. If you value gaming you can fine tune wine till the cow comes home ... it will never feel (always) right. If you're into music production Linux gives you another "screw you!" Then, there is this huge amount of software for which it seems as if Linux offers reasonable alternatives. But if you really consider what a user actually wants Linux doesn't cut it. For example, Word could be replaced with Libre Office or (my personal favorite) an intriguing combination of markdown and pandoc. If, however, Word is what you want to use (even though I do not understand that) then every click that is different poses as a minor frustration that together with all the other minor frustrations adds up to a huge disappointment.
I tried using LibreOffice last year and it was a total joke. Almost nothing worked the way it was supposed to, and it crashed often. When it came time to give my speech and output slides to a projector, that just didn't work at all. My presentation had to be saved by someone letting me use their Mac. It was the worst software experience I have ever had, and I've had a lot of bad software experiences in my 43 years.
It's so bad that I believe it's unethical to offer it for download as working software because people with work to do on short timescales (as I had) may choose to rely on it and then get screwed.
Have you looked at UbuntuStudio or other similar distributions? I'm not running a professional studio, but I do a fair amount of audio recording and production entirely in Linux for bands I play in and personal projects.
When you tell OS X to shut up, it does. (It phones home as much as you heard or maybe even more so, but you can stop it from doing so too.) Dunno about Windows, I avoid using it for everything besides 3D or LabVIEW.
Could you explain why you wouldn't consider Linux for the desktop? Wine isn't horrible, if you want Windows compatibility, and it offers a huge range of functionality otherwise. It's the best platform for compiling and running stuff, for sure.
It has all the same sorts of Web features as recent versions of Windows, so I guess it depends on how credible the "always-on keylogger you can't disable" stuff turns out to be.
Not to defend them, but in the modern world my assumption is that everything I do on the machine is recorded by someone. As long as my bank account is not affected, not sure I care.
It's not giving up; it's embracing a set of risks for a reward. The question is whether one feels the set of risks and the reward are too ill-defined to make the trade worth it.
Microsoft appears to be in the business of trying to build a fully-functioning virtual assistant. If they're solving that problem with big data, they need a full stream of the user's behavior to operate on. But the tradeoff---an actual, working virtual assistant---could very well be worth it to people for whom that personal information is not worth hiding from a corporation with no vested interest in undermining their customer base by irresponsibly divulging that data.
If anything's sad, it's that we live in a world where some people do not have the freedom to treat their private info so loosely. That's a true tragedy, because there will increasingly be technologies they can't take advantage of.
I think they should definitely have the freedom to treat their private info loosely, but I think that the decision itself should be an Opt-in rather than an Opt-out affair. We shouldn't have to build our own tools to turn this off.
As a hacker news reader you should know that this is extremely simple to disable / uninstall. Ubuntu is ok for a desktop, because you will find a lot of software ready to be installed on Ubuntu without having to dig into details of software packaging / compilation etc. This is especially true for all kinds of media software.
Linus Torvalds shit all over Ubuntu for the feature (and rightly so)... but I don't see the need to boycott the system (as he does) since it is fairly easy to disable.
edit: just wanted to mention that when I first installed ubuntu I forgot to disable the feature, performed some very innocuous searches, and was shown loads of porn results from Amazon. That alone makes the feature completely worthless and frankly dangerous (depending on the environment that you're using ubuntu in).
I ditched Ubuntu when it became clear that their goals did not align with mine. I care about privacy, so I will not support an operating system which leaks personal data by default, on purpose.
Cyanogenmod. I use privacy guard to limit which apps get access to various sensors and data on my phone. I then use a combination of OrWall, Orbot and OpenVPN so I can choose on a per app basis one of three options:
1.) No Internet access (the default)
2.) Route through Tor
3.) Route via VPN to a server at home and out through my broadband connection (I trust my broadband ISP slightly more than my mobile network provider). This protects me on untrusted WiFi networks too.
[edit] I wish I didn't have to do all this, but the smartphone OS market doesn't give me non-leaky OS options in the same way that the Desktop market does.
After falling for the locations' UI trick[1], I've decided to move away from Google's Android.
Luckily Cyanogenmod supports my phone. I will attempt the installation soon. Any piece of advice, or something you would have liked to know when in my situation?
I assume the same sort of stuff is happening on Ubuntu today, but I stopped using Ubuntu on the desktop/laptop when this came out and started using Debian instead.
As long as you aren't the current group it is popular to pick on and you don't anger (or make fall in love) anyone with significant power, you'll probably be fine. I'm sure there were plenty who didn't care about slavery as long as they weren't the slaves.
Just try
https://translate.google.com/translate?sl=auto&tl=en&js=y&pr...