Windows 10 telemetry not actually controllable?
RDL2004
I ran across this at SevenForums.com - a post titled "Tests Reveal Windows 10 Spying Is Out Of Control".
Sorry for this convoluted link to the horrible Forbes site, but the article has some revealing information.
http://www.forbes.com/sites/gordonkelly/2016/02/09/windows-10-data-tracking-spying-levels/?utm_campaign=yahootix&partner=yahootix&ref=yfp#6e250eeb7aa9
Microsoft's response when asked for an explanation?
“I’m afraid we are not able to provide a comment on this.”
Comments
Sadly, most people don't understand or don't care so the Windows cruise liner will continue for some time.
I'm about to blow a thousand dollars of my boss's money on a Surface Pro 4. At his insistence. Then I can see what it really does.
It's long past being "just a conspiracy", they don't have to be covert about intent any longer since it's expected of them - to protect from the terrorist bogeyman of course. The modern version of The Forever War. Starship Troopers anyone?
I have read around the net many times that MS is a different company now. Since the days of Bill and Steve. The new guy, whatever his name is, has made them a nice friendly company.
Since I spent a day at an MS developer conference I'm convinced that it is more of the same.
Only now it's even more sick and twisted.
They are leveraging the attraction of open source software to woo developers. See https://github.com/Microsoft/ChakraCore and the use of node.js in Azure cloud services, etc.
That is "Open Source" previously described as a "cancer" by Bullmer.
They are more two faced than ever. Like the worst used car salesman you ever met.
Still, I got a nice lunch and two free beers for the day out.
Yeah, the hardware gets top marks. You should have a great experience.
Right now, I think the Surface is the only 16GB tablet top type machine out there too.
Whilst at that developer day I tried to access my experimental web app from one of the many Surface Pros they had around for general use.
It did not work.
Poking around in the dev tools of the Edge browser on Win 10 I saw that it did not like one of the security measures I had in place.
Not a good start.
You can try it for yourself here: https://xn--2-umb.net
Windows 10 won't be so nice for you initially. Most of the machines I'm responsible for are Win 7, and it's all pretty fine, no worries. Same mostly goes for the two 8.1 boxes.
We've got one Win 10 machine in the building, and it's definitely going to require some quality time. I hope to get it in my hands for a few days to clear out issues like that.
If I were you, I would expect to work through whatever it is you do, and google the trouble, one issue at a time, and keep a log. That's gonna turn into your, "getting setup proper" on Win 10 document. Won't be pretty, but once you have it done, it's likely to be reasonable. I've got these for the enterprise apps I end up doing pre-sales for a few times per year. Haven't done one for 10 yet. I get another year on 7 before I have to go do it all again.
For me, it's a couple of days before everything is settled.
At that point, it's just little annoyances like drive letters, slashes, etc... no big deal.
There is no way I'm letting that beast of Win 10 on to the internet without a firewall blocking everything it does, except what I want.
It's kind of backwards that you now need your firewalls to protect you from the malware on the inside. As opposed to keeping the outside out.
From time to time I have tried to do useful work on a Win machine. It does not go well...
Block all outbound traffic regardless of OS. If you can't do it with hardware, do it with software.
I think you are right. Block all outbound traffic regardless of OS. Unless you specifically allow it.
I'm pretty confident that my OS (Debian) does nothing bad. We would soon hear about it if it did.
But that still leaves the issue of the web browsers. Which don't care who they sleep with. Even visiting this very august site results in your activity being broadcast to Facebook and gravatar.com.
It is of course much worse with all the advertising malware we get subjected to.
I have never understood why it is a browser visits all kinds of URLs other than the one I asked for. Without ever asking me if it's OK.
Madness.
Because that data and its volume can confirm AD impression targeting, they can get 10 dollar cost per click rates! Higher even.
An average site, maybe just serving Google ADS may get a single digit percentage as much, if that.
In the AD world, data is golden.
Although much of the time it is not the site that is sharing my visit all over the place. It's my frikken browser!
Example: Visit forums.paralax.com. Those pages fetch and/or send data to Facebook and gravatar.
It's not Parallax servers doing that. It's your browser.
My question is: Why is my browser accessing sites I did not ask it to access? Why is it doing so without asking me? Whoever thought this was a good idea?
Well of course it's all in the WWW standards. So it has to be. It's nice that if you post a link to an image here I get to see it in the thread without having to do anything I guess. But that same mechanism is leveraged by all the advertising and tracking guys.
Oh @heater.
I guess you do not really ask WHY. I just assume you already know. If not, you might need a doctor to check you for dementia.
So the 'free' browser (any of them) will provide you with things you do not want at all. Besides tracking all the pages you visit, and keeping a history for 'your convenience' most of the websites you will visit ALSO want to track you down.
It is all about money and profiling. ALL of them servers do cost money, ALL of the providers of information in the WWW want to earn money for the services they provide. So you get profiled, bombed with related ads, tricked into buying stuff you do not need, because it is all about money.
But I guess you are aware of that and your question was just rhetorical.
Mike
Young man, what day is it?
Here is what has been bugging me:
Recently I took an interest in how one actually goes about creating a secure website and web app. So I read lots of stuff, watched a bunch of YouTube vids, and started to code something that implemented the advice.
So, we need HTTPS, naturally, then:
Set Content Security Policy headers.
Set X-Frame-Options to prevent click jacking.
Remove X-Powered-By header so the bad guys don't know what your server is.
Set Public Key Pinning headers to make HTTPS more secure.
Set Strict-Transport-Security to ensure HTTPS is actually used on all requests.
Set X-Download-Options to make IE secure.
Set X-Content-Type-Options to stop JS hidden in images etc being executed.
And a bunch of other headers.
There is more:
Take care of Cross-Origin Resource Sharing (CORS) so that stuff can't be fetched from any old server.
Take care of cookies. We don't want anything running in the web page to be able to read them.
Use JSON Web Tokens for user session management. Not the cookies themselves.
Then we can get down to actual user authentication, sign up, log in, log out etc. Be sure to hash those passwords.
Oh, and all the user input will need sanitizing to stop them injecting rogue JS or SQL etc.
After all that you still have a sneaking suspicion that you may have missed something and left a gaping hole. Which you probably have, the web application security check list is huge: https://www.owasp.org/index.php/Web_Application_Security_Testing_Cheat_Sheet
Now, the annoying thing is that a lot of the above seems to involve disabling dangerous server and browser behaviours.
One scratches one's head wondering why the safe options aren't the default?!
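The header and cookie checklist from the post above, written as a check a site owner can run against their own server's responses. This is an added example and not part of the original thread; the function name `auditSecurityHeaders` and both sample responses are constructed for illustration.

```javascript
// Added example; header names are real, both sample responses are constructed.
function auditSecurityHeaders(rawHeaders) {
  const h = {}; // header names are case-insensitive, so normalise them
  for (const [name, value] of Object.entries(rawHeaders)) h[name.toLowerCase()] = value;
  const text = (name) => String(h[name] || '').trim();
  const findings = [];
  const expect = (ok, message) => { if (!ok) findings.push(message); };

  expect(text('content-security-policy') !== '', 'Content-Security-Policy is missing');
  expect(/^(deny|sameorigin)$/i.test(text('x-frame-options')),
    'X-Frame-Options is not DENY or SAMEORIGIN');
  expect(!('x-powered-by' in h), 'X-Powered-By discloses the server software');
  const hsts = /max-age=(\d+)/i.exec(text('strict-transport-security'));
  expect(hsts !== null && Number(hsts[1]) > 0,
    'Strict-Transport-Security is missing or has max-age=0');
  expect(/^noopen$/i.test(text('x-download-options')), 'X-Download-Options is not noopen');
  expect(/^nosniff$/i.test(text('x-content-type-options')),
    'X-Content-Type-Options is not nosniff');
  // Public-Key-Pins is deliberately not checked: browsers have since dropped HPKP.

  // Cookies: HttpOnly keeps page script from reading them, Secure keeps them on HTTPS.
  for (const cookie of [].concat(h['set-cookie'] || [])) {
    const [pair, ...attrs] = cookie.split(';').map((part) => part.trim());
    const name = pair.split('=')[0];
    const flags = attrs.map((a) => a.toLowerCase());
    expect(flags.includes('httponly'), `cookie "${name}" lacks HttpOnly`);
    expect(flags.includes('secure'), `cookie "${name}" lacks Secure`);
  }
  return findings;
}

// Constructed sample: a framework default with nothing hardened.
const WEAK_RESPONSE = {
  'X-Powered-By': 'Express',
  'Set-Cookie': ['sid=abc123; Path=/'],
};
// Constructed sample: the same response with the post's checklist applied.
const HARDENED_RESPONSE = {
  'Content-Security-Policy': "default-src 'self'",
  'X-Frame-Options': 'DENY',
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
  'X-Download-Options': 'noopen',
  'X-Content-Type-Options': 'nosniff',
  'Set-Cookie': ['sid=abc123; Path=/; HttpOnly; Secure; SameSite=Strict'],
};

console.log(auditSecurityHeaders(WEAK_RESPONSE));
console.log(auditSecurityHeaders(HARDENED_RESPONSE));
```

An empty array means every item the check covers is in place; it says nothing about CORS, input sanitising or password hashing, which the post lists separately.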
Being secure is good. Having it work is better.
When Tim Berners-Lee came up with this WEB idea it was intended as a simple, quick, way to navigate through huge amounts of open data by the means of hyperlinks. If that includes inlining images, animation, JS code from wherever so be it.
We could say the WEB is working as intended.
Advertisers and others of course see "navigate through huge amounts of open data" as a great opportunity to get their ads in front of your face and malware into your system.
All the networked computer hassles are the cost of being connected and we all can make our choices. One is keeping some data and machines completely offline, another might be moderate security as opposed to the best, etc....
All ordinary artifacts of how we are as humans.
This Win 10 chatter isn't a choice, and that is what has people annoyed. Closed systems do not present a balanced opportunity for people to navigate it all. Forced trust and compliance just doesn't work for everyone.
Frankly, they can have the data for many of my use cases. I don't care, until I do, and there is the rub.
At that point, it all becomes a more hostile, low or zero trust affair, and a lot of options and value is lost.
For example, hook the server end up to a Propeller. The buttons in the web page activate outputs on the Prop. If anyone can login or otherwise light some LEDs I know I'm hacked.
Perhaps something of a reward for "capturing the LED". I can't fathom the details of what a reward might be, nothing too grand I'm afraid, or how to make sure the right person gets it.
I guess if they know what they are doing they just deface the page to identify themselves.
Any ideas?
Ended up reading, "Top marks for you getting this far. More remains however." Something like that.
I formatted that machine.
Maybe you could incorporate something gratifying like that for them, and that's reward enough.
You are in a twisty maze of passage ways, all alike....
So maybe offer em a treat! Port the old adventure...