> And finally, some traffic seems quite impenetrable. We configured our test virtual machine to use an HTTP and HTTPS proxy (both as a user-level proxy and a system-wide proxy) so that we could more easily monitor its traffic, but Windows 10 seems to make requests to a content delivery network that bypass the proxy.
Does this mean a Win10 machine set up to use something like Tor will leak the user's actual IP back to Microsoft? If you're VPN'd, is some traffic still leaking outside of the VPN?
From an engineering perspective, how is this happening? Does Microsoft have a second network interface hidden away using hardcoded settings for DNS, etc?
On a somewhat related note, if a Win10 app is cert pinning, is there a way to force it to use your cert so you can MITM it?
VPN traffic doesn't leak if the default route is the VPN interface. I tried it and my firewall went silent apart from the tunnel.
I have absolutely no fucking idea what it is sending out though. It's always talking to something. I've turned everything off that is documented and use a local account and remove-appxpackage'd everything. Sorry but this release is a write-off. My host/vm relation is being inverted to Ubuntu as a host this week rather than a guest.
If I don't know what it's doing, how can I trust it?
Change the gateway on the Windows 10 install computer (or "default route" as another commenter calls it) to a computer _you_ control, i.e., a UNIX install, that can do IP forwarding. Turn on IP forwarding. Connect the UNIX install to the internet.
Also change your default DNS servers on the Windows 10 install to point to the UNIX install. If you know how, set up DNS on this computer. I recommend using your own cache listening on 127.0.0.x, not a public one.
Then monitor traffic being forwarded by the UNIX install.
This is not difficult for anyone familiar with UNIX. Plenty of good and bad software to help you.
Do people need instructions? If there is interest in blocking this nonsense I for one would be willing to help.
There are a lot more Windows users than Apple users so this is fun to watch how the Windows users react to the incessant connections to the mothership, which is par for the course with Apple products. Would love to see the stats on how much cumulative user-purchased bandwidth Apple and Microsoft are usurping in order to track the people who have to pay for it.
If you want to block this nonsense, then the easiest way to do it is from another computer acting as a gateway.
Trying to block these connections from the computer on which Windows 10 has been installed will probably be an exercise in frustration for most users and they will give up. (Most Apple users do not know or care so they do not try to block.) I am sure that Microsoft is counting on their users acting like Apple users.
I don't want to be a brat, but what is the possible overlap between people caring to use Tor (for whatever reason) and people using Windows 10 as the host OS?
You're at the absolute cutting edge of spyware-in-the-home, defective by design, obscured infrastructure that was designed from the ground up to be user hostile in every conceivable dimension. And you're going to run Tor on that.
There's a phrase for this and that phrase is "clown college".
What they are describing isn't necessarily cert pinning, although it's possible there is also cert pinning. It just means there are hard-coded IP addresses somewhere; either a hard-coded DNS server, or the endpoint itself.
Notably, it's still possible to MITM the traffic, just not as easy as if the system respected the proxy settings. You need to spoof the destination IP and try to terminate the TLS with your own trusted cert. If the connection still fails, only then would you know there is a cert pin. I haven't heard if anyone has tried this with the "CDN"-bound traffic, or the persistent bing.com/live.com traffic.
If a VPN was being used, I would expect traffic would still be routed through the VPN interface. The HTTP(S) proxy code is higher up the stack than a VPN interface.
It does raise a huge red flag though, if you are not fully in control of your own network routing using standard tooling, IMO it's not an appropriate OS for any enterprise environment.
Until recently Microsoft had taken a far more reasonable approach to privacy than say Google. Anyone remember the MS "gmail man" ads mocking the way Google inspects your email when MS doesn't? It seems that MS under Nadella has taken a decidedly Google-like turn away from privacy with Windows 10. MS seems as hell-bent as Google and Facebook to collect as much data about you as possible, even if it is for seemingly innocuous purposes.
> Anyone remember the MS "gmail man" ads mocking the way Google inspects your email
Yes, and they were widely mocked. Privacy fears don't really sell, especially when deployed 10 years too late by a company that is the definition of "establishment".
Competition is often a race to the bottom. Chromebooks are a huge threat to Windows hegemony.
Microsoft lost the internet and mobile platforms to Google. They are going to fight tooth and nail for the PC.
If the average person doesn't give a shit about privacy (and they truly don't), then Microsoft will not be able to charge for products Google supports for free with spying/ads.
"Anyone remember the MS "gmail man" ads mocking the way Google inspects your email when MS doesn't?"
Did anyone actually fall for that?
Intelligent systems need information to function, and when the intelligence is personalized, it needs personal information. One of the reasons Google has succeeded is because of that personal information, providing services that have enough context that they are three quarters of the way to my destination before I've even started.
It is enormously jarring how over the top Microsoft went with Windows 10, with insane defaults and little justification, but this is the manifestation of the whole "cloud like" platform. Increasingly we expect a world where a device is just a terminal into a platform, and we can jump to different devices and form factors and the world is almost the same. That is what Microsoft is trying for, clumsily.
An algorithm reading your email to look for words to serve better ads is hardly spying imho. I'd rather see ads of things that interest me than ads for casinos. And I'm hardly a MS lover.
Given that it is proven that the NSA spied on European companies for economic reasons, this isn't a good idea. Now the NSA can just tap into Microsoft, either covertly or through court order, and spy on the whole world.
Details of economic spying -- may not be the best article but the easiest to find:
Stupid question, but my Mom lives in a really rural area. Pays quite a bit for internet and is charged by the MB. Can we ask Microsoft to pay for their bandwidth usage?
Since upgrading to Windows 10 she's been hit with $200 in overages.
I worked at an ISP that charges as much as $25/GB for usage, and has tiny monthly usage caps (as low as 10GB/mo) and there is no other choice for our customers.
Every time a large iOS, MacOS or Windows update goes live, we can literally see the difference in the overages people pay. It's a big problem that lots of people don't understand.
This seems to be one of the real costs of upgrading to the latest version of Windows. In this case your mom has to pay the bills, but in general I'm curious how long will it take for ISPs to launch a solid campaign against Microsoft, like they did with Netflix.
I finally saw the bill. From the moment she started downloading Windows 10 to the moment I told her to shut the internet off, she used 20 gigs. That's ridiculous. And there is only one computer in the house. No other devices use internet.
It hasn't even been out that long, so what kind of data amount are we talking about? CenturyLink's 1Gbps has told multiple friends, and friends of friends, that they absolutely enforce the 250GB/month limit. That's 33.33 minutes @ 1Gbps before you've hit the cap. That's untenable. XBox games are hitting 100GB each. And now the OS is pushing and pulling maybe 10% of this cap? Umm, yeah, good luck with that.
This highlights what we really lost when consumer operating systems started replacing enterprise-grade operating systems. I would have never imagined this kind of thing happening on something like Solaris or Irix, which were the base operating systems of many workstations. At some point when Linux became popular it suggested that the regular consumer would benefit from the robustness, focus, reliability of an enterprise grade OS. Not so..
That large companies accept this state of affairs is extremely surprising.
That we accept that our electricity and communication bills are being diverted to serve the interest of an operating system's creator.. that sounds crazy. It's like letting the creator of your fridge eat your food and drive your car.
I was downvoted and criticised a few days ago for defending Microsoft on Windows 10. I am starting to change my opinion after looking into the issue more. I watched a recent Richard Stallman talk on YouTube and went through the process of making the tightest privacy settings I could on my iPad, Windows 10 laptop, and Android phone. (I left my Mac and Linux laptops as is since I just use those for development.)
I think that Microsoft looked at the Google Now user experience on Android phones and decided to emulate that type of AI assistant in Windows. Google collects all sorts of user context information and Microsoft decided to do the same.
This is a guess but the difference may be that (some) people are willing to have less privacy on their smartphones but care more about privacy on their computers.
> I think that Microsoft looked at the Google Now user experience on Android phones and decided to emulate that type of AI assistant in Windows.
I don't mind that (Cortana).
I do mind that when Cortana and its supporting options are explicitly disabled, Win 10 apparently still won't stop chattering back with HQ constantly. Not only for privacy reasons either; it seems (though I'm not certain of the relationship) to have a substantial, though intermittent rather than constant, impact on performance.
From the image of the captured data that is sent when telemetry is "off", a few bits are obviously Windows-style UTF-16. The GUID is obvious, and is that an assert error message? Very strange...
prod
e5ff4669-311a-0933-dee2-9444eee86460
instrumentation.cpp
Instrumentation::StartQosExperience
(Utilities::HashMapContains(_qosUXScenarioDataById, scenerioId) == false)
Assertfailed: (Utilities::HashMapContains(_qosUXScenarioDataById, scenerioId) == false):
Instrumentation is active when we try
I have a really hard time understanding how "enterprises" are going to upgrade to Windows 10.
An operating system that is sending random internal data to random places on the internet seems to violate both a wide selection of national laws related to data privacy, and many corporate policies relating to trade secrets, privacy, internal operations and so on.
Microsoft must have thought of this. What's their plan for continuing to sell to these customers?
Windows 10 seems to transmit information to the server even when OneDrive is disabled and logins are using a local account that isn't connected to a Microsoft Account.
Well there you go. If you ever wondered whether this is happening only on the Microsoft Account(tm).
It's hard to know without inspecting the exact data involved, but I feel like this is dangerously close to a HIPAA or HITECH breach, and I know of several hospitals who are strongly on the Microsoft bandwagon and are considering Windows 10.
The "send search data to an internet endpoint even if it's patently obvious that the search is for local resources" reeks strongly of Ubuntu's Amazon Shopping Lens. Did Mark Shuttleworth switch gears from Canonical to Microsoft when I wasn't looking?
> It's hard to know without inspecting the exact data involved, but I feel like this is dangerously close to a HIPAA or HITECH breach
Perhaps pedantic, but that's redundant; HITECH doesn't define breaches separately from HIPAA, it establishes standards for when HIPAA data is "unsecured" and reporting requirements, etc., related to HIPAA breaches.
Wow. I use Linux and BSD on my own machines, but the rest of the family is on Windows 10. This sort of thing makes me seriously think about trying to get the wife and kids to consider switching :/
I had the Win10 preview on a spare laptop that I just use for Netflix and Pandora, and was planning on just upgrading it to full 10..... until all this came out. Wiped it and installed Xubuntu.
I did like Windows 10 though, but then they kinda ruined it
God forbid Microsoft give 7 the boot for support like they did XP. Windows 7 is standard for workstations at the college administration where I work, and suggestions to switch to 8 are met with laughter across the board. We have trouble enough with China trying to hack us literally thousands of times per day, and there is no reason to trust Windows 10 to be any more secure.
In the post-Snowden era, USA tech corporations, like Microsoft, felt the downturn on trust from non-USA companies and citizens in their online offerings. With Microsoft betting more and more on their cloud services, I find it strange (or maybe it isn't strange, but let's be naive for a minute here) that Microsoft goes against this and actually gives people _more_ reasons to not trust them than less.
As if they're thinking we all don't give a shit. But if we all didn't, why the downturn in trust in USA tech corporations post-Snowden?
I can't help but think that this is either massively naive on their part (people/companies won't care, they will buy our stuff and services regardless) or very short-sighted (as it will hurt their cloud services offerings in the long run, the more they hammer down the trust from their own users in MS' wares.)
Funny, nowadays there seem to be more firewall rules needed for outbound traffic than inbound on Windows. In the old days we had a name for that - spyware.
You agreed to the privacy terms, so you are at the mercy of whatsoever Microsoft implemented. Windows 10 even could totally ignore your settings.
I say this, not because I think that this is OK, but to reflect, that even the change of the settings does not save you from the harm, that was done from the privacy terms!
Why downvoted? When you disagree, then give arguments, not gutless clicks!
Very few people will read the privacy terms. Just because they have a document people clicked 'agree' below without reading doesn't mean that MS should not be held to account for what Windows 10 is leaking. For many users not using Windows isn't an option.
If what a vendor is allowed to do is buried in a EULA that the world knows is never read, then that vendor is hiding something. There's a difference between the letter of the law and truth. Obfuscation is not truth.
[+] [-] bsilvereagle|10 years ago|reply
Does this mean a Win10 machine set up to use something like Tor will leak the user's actual IP back to Microsoft? If you're VPN'd, is some traffic still leaking outside of the VPN?
From an engineering perspective, how is this happening? Does Microsoft have a second network interface hidden away using hardcoded settings for DNS, etc?
On a somewhat related note, if a Win10 app is cert pinning, is there a way to force it to use your cert so you can MITM it?
[+] [-] blackbeard|10 years ago|reply
VPN traffic doesn't leak if the default route is the VPN interface. I tried it and my firewall went silent apart from the tunnel.
I have absolutely no fucking idea what it is sending out though. It's always talking to something. I've turned everything off that is documented and use a local account and remove-appxpackage'd everything. Sorry but this release is a write-off. My host/vm relation is being inverted to Ubuntu as a host this week rather than a guest.
If I don't know what it's doing, how can I trust it?
[+] [-] ised|10 years ago|reply
Also change your default DNS servers on the Windows 10 install to point to the UNIX install. If you know how, set up DNS on this computer. I recommend using your own cache listening on 127.0.0.x, not a public one.
Then monitor traffic being forwarded by the UNIX install.
This is not difficult for anyone familiar with UNIX. Plenty of good and bad software to help you.
Do people need instructions? If there is interest in blocking this nonsense I for one would be willing to help.
There are a lot more Windows users than Apple users so this is fun to watch how the Windows users react to the incessant connections to the mothership, which is par for the course with Apple products. Would love to see the stats on how much cumulative user-purchased bandwidth Apple and Microsoft are usurping in order to track the people who have to pay for it.
If you want to block this nonsense, then the easiest way to do it is from another computer acting as a gateway.
Trying to block these connections from the computer on which Windows 10 has been installed will probably be an exercise in frustration for most users and they will give up. (Most Apple users do not know or care so they do not try to block.) I am sure that Microsoft is counting on their users acting like Apple users.
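One way to do the monitoring step on the gateway described in this comment, as an added example that is not part of the original post: it classifies packets the Windows 10 machine sends through the gateway, separating traffic that goes to the configured proxy and resolver from web and DNS traffic that goes elsewhere. The addresses, the proxy port and the sample lines (modelled on `tcpdump -nn -q` output) are constructed assumptions.

```python
import re
from collections import Counter

# Assumed lab addressing (hypothetical values, not taken from the thread).
WIN10_HOST = "10.0.0.20"        # the Windows 10 machine being observed
GATEWAY_DNS = ("10.0.0.1", 53)  # DNS cache on the UNIX gateway
PROXY = ("10.0.0.2", 3128)      # HTTP/HTTPS proxy configured on the Windows host

# One IPv4 packet per line, in the shape `tcpdump -nn -q` prints.
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<proto>tcp|UDP)"
)

# Categories that mean the host ignored the settings it was given.
BYPASS = {"direct-web-bypassing-proxy", "dns-other-resolver"}

# Constructed sample capture; 203.0.113.x and 198.51.100.x are documentation ranges.
SAMPLE = """\
12:00:01.000101 IP 10.0.0.20.49701 > 10.0.0.1.53: UDP, length 33
12:00:01.020455 IP 10.0.0.1.53 > 10.0.0.20.49701: UDP, length 49
12:00:01.100230 IP 10.0.0.20.49702 > 10.0.0.2.3128: tcp 0
12:00:01.100990 IP 10.0.0.20.49702 > 10.0.0.2.3128: tcp 212
12:00:02.500712 IP 10.0.0.20.49710 > 203.0.113.7.443: tcp 0
12:00:02.530118 IP 203.0.113.7.443 > 10.0.0.20.49710: tcp 0
12:00:02.531004 IP 10.0.0.20.49710 > 203.0.113.7.443: tcp 517
12:00:03.000000 IP 10.0.0.20.49720 > 198.51.100.53.53: UDP, length 40
12:00:04.000000 IP 10.0.0.20.49730 > 203.0.113.9.80: tcp 0
12:00:05.000000 ARP, Request who-has 10.0.0.1 tell 10.0.0.20, length 28
"""


def classify(dst, dport, proto):
    """Label one outbound packet by where it is going."""
    if proto == "tcp" and (dst, dport) == PROXY:
        return "via-proxy"
    if dport == 53:
        return "dns-gateway" if (dst, dport) == GATEWAY_DNS else "dns-other-resolver"
    if proto == "tcp" and dport in (80, 443):
        return "direct-web-bypassing-proxy"
    return "other"


def summarize(lines, host=WIN10_HOST):
    """Count packets sent by `host`, keyed by (category, dst, dport).

    Returns (counts, skipped), where skipped is the number of lines that
    are not IPv4 TCP/UDP packets in the expected format (ARP, IPv6, noise).
    """
    counts, skipped = Counter(), 0
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            skipped += 1
            continue
        if m["src"] != host:      # replies and other hosts are not counted
            continue
        dst, dport = m["dst"], int(m["dport"])
        counts[(classify(dst, dport, m["proto"]), dst, dport)] += 1
    return counts, skipped


def bypasses(counts):
    """Destinations reached without going through the proxy or gateway DNS."""
    return sorted(
        (dst, dport, cat, n) for (cat, dst, dport), n in counts.items() if cat in BYPASS
    )


if __name__ == "__main__":
    counts, skipped = summarize(SAMPLE.splitlines())
    for dst, dport, cat, n in bypasses(counts):
        print(f"{cat:28} {dst}:{dport}  packets={n}")
    print(f"unparsed lines: {skipped}")
```

The destinations it reports are the candidates for a block rule on the gateway.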
[+] [-] rsync|10 years ago|reply
I don't want to be a brat, but what is the possible overlap between people caring to use Tor (for whatever reason) and people using Windows 10 as the host OS?
You're at the absolute cutting edge of spyware-in-the-home, defective by design, obscured infrastructure that was designed from the ground up to be user hostile in every conceivable dimension. And you're going to run Tor on that.
There's a phrase for this and that phrase is "clown college".
[+] [-] zaroth|10 years ago|reply
Notably, it's still possible to MITM the traffic, just not as easy as if the system respected the proxy settings. You need to spoof the destination IP and try to terminate the TLS with your own trusted cert. If the connection still fails, only then would you know there is a cert pin. I haven't heard if anyone has tried this with the "CDN"-bound traffic, or the persistent bing.com/live.com traffic.
If a VPN was being used, I would expect traffic would still be routed through the VPN interface. The HTTP(S) proxy code is higher up the stack than a VPN interface.
It does raise a huge red flag though, if you are not fully in control of your own network routing using standard tooling, IMO it's not an appropriate OS for any enterprise environment.
[+] [-] thescrewdriver|10 years ago|reply
[+] [-] toyg|10 years ago|reply
Yes, and they were widely mocked. Privacy fears don't really sell, especially when deployed 10 years too late by a company that is the definition of "establishment".
[+] [-] redml|10 years ago|reply
With Windows 10, I have to pay for the software, and somehow I'm still the product? I don't know their end game, and it's really sketchy.
[+] [-] rhino369|10 years ago|reply
Microsoft lost the internet and mobile platforms to Google. They are going to fight tooth and nail for the PC.
If the average person doesn't give a shit about privacy (and they truly don't), then Microsoft will not be able to charge for products Google supports for free with spying/ads.
[+] [-] inversionOf|10 years ago|reply
Did anyone actually fall for that?
Intelligent systems need information to function, and when the intelligence is personalized, it needs personal information. One of the reasons Google has succeeded is because of that personal information, providing services that have enough context that they are three quarters of the way to my destination before I've even started.
It is enormously jarring how over the top Microsoft went with Windows 10, with insane defaults and little justification, but this is the manifestation of the whole "cloud like" platform. Increasingly we expect a world where a device is just a terminal into a platform, and we can jump to different devices and form factors and the world is almost the same. That is what Microsoft is trying for, clumsily.
[+] [-] TsomArp|10 years ago|reply
[+] [-] jammycakes|10 years ago|reply
1. Do the different versions of Windows (Home/Pro/Enterprise/Education) behave differently? If so, how?
2. Do the pro/enterprise versions behave differently when they're connected to a domain?
I'd imagine that the answer to at least one of these questions would be "yes." This kind of behaviour would be a deal-breaker in many enterprises.
[+] [-] bhouston|10 years ago|reply
Details of economic spying -- may not be the best article but the easiest to find:
http://www.hurriyetdailynews.com/nsa-spied-on-french-economy...
[+] [-] likeclockwork|10 years ago|reply
[+] [-] datainplace|10 years ago|reply
Since upgrading to Windows 10 she's been hit with $200 in overages.
[+] [-] grecy|10 years ago|reply
Every time a large iOS, MacOS or Windows update goes live, we can literally see the difference in the overages people pay. It's a big problem that lots of people don't understand.
[+] [-] hebdo|10 years ago|reply
[+] [-] datainplace|10 years ago|reply
[+] [-] cmurf|10 years ago|reply
[+] [-] EugeneOZ|10 years ago|reply
[+] [-] ikeboy|10 years ago|reply
The $200 is likely from the automatic updates, which were pretty big. How much extra in MB was it?
[+] [-] enqk|10 years ago|reply
That large companies accept this state of affairs is extremely surprising.
That we accept that our electricity and communication bills are being diverted to serve the interest of an operating system's creator.. that sounds crazy. It's like letting the creator of your fridge eat your food and drive your car.
[+] [-] t0mbstone|10 years ago|reply
[+] [-] mark_l_watson|10 years ago|reply
I think that Microsoft looked at the Google Now user experience on Android phones and decided to emulate that type of AI assistant in Windows. Google collects all sorts of user context information and Microsoft decided to do the same.
This is a guess but the difference may be that (some) people are willing to have less privacy on their smartphones but care more about privacy on their computers.
[+] [-] dragonwriter|10 years ago|reply
I don't mind that (Cortana).
I do mind that when Cortana and its supporting options are explicitly disabled, Win 10 apparently still won't stop chattering back with HQ constantly. Not only for privacy reasons either; it seems (though I'm not certain of the relationship) to have a substantial, though intermittent rather than constant, impact on performance.
[+] [-] pdkl95|10 years ago|reply
[+] [-] jellicle|10 years ago|reply
An operating system that is sending random internal data to random places on the internet seems to violate both a wide selection of national laws related to data privacy, and many corporate policies relating to trade secrets, privacy, internal operations and so on.
Microsoft must have thought of this. What's their plan for continuing to sell to these customers?
[+] [-] cautious_int|10 years ago|reply
Well there you go. If you ever wondered whether this is happening only on the Microsoft Account(tm).
[+] [-] yellowapple|10 years ago|reply
The "send search data to an internet endpoint even if it's patently obvious that the search is for local resources" reeks strongly of Ubuntu's Amazon Shopping Lens. Did Mark Shuttleworth switch gears from Canonical to Microsoft when I wasn't looking?
[+] [-] dragonwriter|10 years ago|reply
Perhaps pedantic, but that's redundant; HITECH doesn't define breaches separately from HIPAA, it establishes standards for when HIPAA data is "unsecured" and reporting requirements, etc., related to HIPAA breaches.
[+] [-] ultramancool|10 years ago|reply
https://news.ycombinator.com/item?id=10037753
[+] [-] jcadam|10 years ago|reply
[+] [-] scuba7183|10 years ago|reply
I did like Windows 10 though, but then they kinda ruined it
[+] [-] jorgecastillo|10 years ago|reply
[+] [-] rm_-rf_slash|10 years ago|reply
[+] [-] gtk40|10 years ago|reply
[+] [-] otis_inf|10 years ago|reply
As if they're thinking we all don't give a shit. But if we all didn't, why the downturn in trust in USA tech corporations post-Snowden?
I can't help but think that this is either massively naive on their part (people/companies won't care, they will buy our stuff and services regardless) or very short-sighted (as it will hurt their cloud services offerings in the long run, the more they hammer down the trust from their own users in MS' wares.)
[+] [-] sliverstorm|10 years ago|reply
[+] [-] fumar|10 years ago|reply
[+] [-] jeromegv|10 years ago|reply
[+] [-] jshelly|10 years ago|reply
[+] [-] elcct|10 years ago|reply
[+] [-] tdkl|10 years ago|reply
[+] [-] PythonicAlpha|10 years ago|reply
[+] [-] PythonicAlpha|10 years ago|reply
I say this, not because I think that this is OK, but to reflect, that even the change of the settings does not save you from the harm, that was done from the privacy terms!
Why downvoted? When you disagree, then give arguments, not gutless clicks!
[+] [-] thescrewdriver|10 years ago|reply
[+] [-] a3n|10 years ago|reply
[+] [-] k3d3|10 years ago|reply
[+] [-] w8rbt|10 years ago|reply