Free Republic
Don’t Keep Your Personal Or Financial Data On A Windows 10 Machine!
TMO | 2-15-2016 | Paul_Behan

Posted on 02/15/2016 10:52:46 AM PST by blam

February 14, 2016
Paul_Behan

Don’t Keep Your Personal Or Financial Data On A Windows 10 Machine!

Well, not if you want to keep it private. Like many people, I was surprised at the Edward Snowden revelations a few years ago. Nothing has seemed to change, and in many cases things have got worse. Some corporations are in partnership with government agencies in regard to collection of data.

(snip)

According to this article (1), even after turning off all the tracking options on a computer, the researcher left the computer on overnight and tracked the traffic. He was surprised to find that Windows 10 had attempted to contact 51 Microsoft IP addresses 5,508 times. Some of the website addresses contacted include: (2)

(snip)

If Windows is left unattended for about 15 minutes, a large volume of traffic starts being transmitted to various servers. This may be the raw audio data, rather than just samples.

If you are still running earlier versions of Windows, you would think you would be safe from this tracking, but updates have been released that install this tracking into the earlier versions. Fortunately these updates can be removed. I found that these updates were installed on my Windows 7 computer on the 25th of November 2015. The updates in question are: (3)

* KB3068708 – This update introduces the Diagnostics and Telemetry tracking service to existing devices.
* KB3022345 (replaced by KB3068708) – This update adds the Diagnostics and Telemetry tracking service to in-market devices.
* KB3075249 – This update adds telemetry points to the User Account Control (UAC) feature in order to collect data on elevations that come from low integrity levels.
* KB3080149 – This package updates the Diagnostics and Telemetry tracking service to existing devices.

(snip)

(Excerpt) Read more at marketoracle.co.uk ...


TOPICS: News/Current Events
KEYWORDS: internet; microsoft; software; spying; spyware; tech; windows; windows10; windowspinglist
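
The four updates listed in the excerpt can be checked for on an earlier Windows version with a short PowerShell audit. This is an added example, not part of the original article or thread; the KB numbers and notes come from the excerpt, while the variable names and report layout are assumptions.

```powershell
# Added example: report which of the telemetry updates named in the excerpt
# are installed on this machine. KB numbers and notes come from the article;
# variable names and report layout are illustrative assumptions.
# Written to run on PowerShell 2.0, the version shipped with Windows 7.

$telemetryKBs = @(
    @{ Id = 'KB3068708'; Note = 'Introduces the Diagnostics and Telemetry tracking service' },
    @{ Id = 'KB3022345'; Note = 'Replaced by KB3068708' },
    @{ Id = 'KB3075249'; Note = 'Adds telemetry points to User Account Control (UAC)' },
    @{ Id = 'KB3080149'; Note = 'Updates the Diagnostics and Telemetry tracking service' }
)

# Index installed updates by ID once (Get-HotFix reads Win32_QuickFixEngineering).
$installed = @{}
Get-HotFix -ErrorAction SilentlyContinue |
    ForEach-Object { $installed[$_.HotFixID] = $_ }

# Build one report row per update from the article, installed or not.
$report = foreach ($kb in $telemetryKBs) {
    $hit  = $installed[$kb.Id]
    $when = $null
    if ($hit) { $when = $hit.InstalledOn }
    New-Object PSObject -Property @{
        HotFixID    = $kb.Id
        Installed   = [bool]$hit
        InstalledOn = $when
        Note        = $kb.Note
    }
}

$report | Select-Object HotFixID, Installed, InstalledOn, Note | Format-Table -AutoSize

# Print (do not run) the removal command for each update that is present.
# wusa.exe is the Windows Update Standalone Installer; run it from an elevated prompt.
$report | Where-Object { $_.Installed } | ForEach-Object {
    'wusa.exe /uninstall /kb:{0}' -f ($_.HotFixID -replace '^KB', '')
}
```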
To: dayglored
> I don't need to have access to Microsoft's storage arrays to know that they have stuff in there that is private and personal. A moment's rational thought about what they admit they are collecting makes it obvious that personal stuff gets transmitted as well. There's no way not to have it happen.

I don't doubt they may inadvertently capture personal data with programs like EMET.

Do you know of a way that can be avoided? If it can't be avoided, can you make the case that they should not be running that program and capturing that data?

41 posted on 02/16/2016 6:34:50 AM PST by tacticalogic ("Oh bother!" said Pooh, as he chambered his last round.)

To: tacticalogic

My question would be - do you use online banking? Can’t really avoid it anymore. My local bank only has one location now on the other side of town. I’m sure the government can easily look to see how much I have in my account at any given moment.

File your taxes online? I wouldn’t be surprised if Microsoft or somebody else can capture all the info you input to complete that return. HR Block does. And I only have to pay them $65 for software that allows them to do it.


42 posted on 02/16/2016 6:43:24 AM PST by okkev68

To: tacticalogic
> Given the installed base, one successful class action suit could easily be fatal.

Fatal? Only if wildly successful, which I doubt it would be, given the modern ubiquity of such collection by others, and the difficulty of proving it without access to storage that Microsoft doesn't have to grant. A decade could go by just in "discovery" in such a class action suit, and by then few would still care.

> Do you know of a way that can be avoided? If it can't be avoided, can you make the case that they should not be running that program and capturing that data?

I don't think it can be avoided without a detailed study of the data before transmission, to cull out obvious things like HIPAA; and it would still make mistakes.

Therefore, since they're going to run -some- sort of such program, I could be satisfied with a simple, honest, complete agree-to statement along the lines of:

"We're going to read everything you have on this computer. Everything you write, read, send, receive, create, and watch. Because we can, and because we want to. We're going to extract from that, whatever information we want about you, your family, your personal habits, your love/sex life, your job, what you buy and sell, what you like and don't like, and anything else that isn't clearly illegal for us to extract. We're going to send it to our data banks where your information will be used to try to make you buy stuff from us and the companies we sell that data to. We'll do our very best not to break the law, but you understand, and you accept by using this software, that nothing is perfect, so you agree not to sue us if we make a few mistakes. We'll apologize, and you'll shut up about it. Deal?"

And that's not hidden away in paragraph 27 of the EULA. It's a banner dialog when the user first logs in that the user has to click "Agree" as part of the initial login process.

And no, I don't expect that to ever happen. It might be the last-ditch fallback offer in case a class action suit came up, but I don't expect one to.

43 posted on 02/16/2016 6:53:45 AM PST by dayglored ("Listen. Strange women lying in ponds distributing swords is no basis for a system of government.")

To: okkev68
> File your taxes online? I wouldn’t be surprised if Microsoft or somebody else can capture all the info you input to complete that return. HR Block does. And I only have to pay them $65 for software that allows them to do it.

You have to assume that whoever wrote the OS could have written that capability into it. The only way to be sure would be to write your own, or get the source code for one and then review and compile it yourself.

What I find amazing is this knee-jerk reaction of Linux being the Holy Grail of secure operating systems, when a little research reveals that some of the worst security breaches have been accomplished by compromising Linux servers.

44 posted on 02/16/2016 6:54:40 AM PST by tacticalogic ("Oh bother!" said Pooh, as he chambered his last round.)

To: dayglored
> I don't think it can be avoided without a detailed study of the data before transmission, to cull out obvious things like HIPAA; and it would still make mistakes.

Okay. Now tell me they shouldn't be running EMET or similar programs that upload crashdump information that might contain personal data, because they can't insure that they will never inadvertently capture personal data. That's the logical conclusion all of this is supposed to lead to, isn't it?

45 posted on 02/16/2016 7:00:05 AM PST by tacticalogic ("Oh bother!" said Pooh, as he chambered his last round.)

To: texas booster

Maybe we should sue over this...


46 posted on 02/16/2016 7:22:44 AM PST by GOPJ (Hillary has 416 'superdelegates'... Bernie has 14...Democrats don't trust the people - it's rigged.)

To: texas booster

Maybe we should sue over this... One large class action suit from the freepers of FreeRepublic...


47 posted on 02/16/2016 7:23:14 AM PST by GOPJ (Hillary has 416 'superdelegates'... Bernie has 14...Democrats don't trust the people - it's rigged.)

To: Mears

bfl


48 posted on 02/16/2016 7:25:22 AM PST by Mears

To: tacticalogic
> Okay. Now tell me they shouldn't be running EMET or similar programs that upload crashdump information that might contain personal data, because they can't insure that they will never inadvertently capture personal data. That's the logical conclusion all of this is supposed to lead to, isn't it?

I'm not sure we're on the same page here :-)

I don't care what they read, capture, select, and transmit, as long as they're totally upfront about it. Like making the user agree to a brief, readable disclaimer.

There are good reasons why a software company would want to see what happened in a user's machine. I'm a system admin and programmer, I know how important that is. But given the high likelihood of inadvertently transmitting private data, there should be a clear, agreed-to disclaimer.

Now it's true that others would like to see all such transmissions, whatever their purpose or excuse, prohibited. But that's not what I'm saying. I'm only saying that there ought to be:

  1. A statement like mine above, that personal data is collected and transmitted, and ask the user to agree to it, -AND-
  2. If the user does NOT agree to it, the data is NOT collected and NOT transmitted.

That's not all that difficult, really, is it?

49 posted on 02/16/2016 7:28:51 AM PST by dayglored ("Listen. Strange women lying in ponds distributing swords is no basis for a system of government.")

To: tacticalogic

Oh, and yes of course, if the user does NOT agree to the transmission of potentially personal data, then they don’t get the benefits of the crashdumps and failure diagnoses. Ya pays yer money and ya takes yer choice.


50 posted on 02/16/2016 7:31:38 AM PST by dayglored ("Listen. Strange women lying in ponds distributing swords is no basis for a system of government.")

To: Victim O. Circumstance
You can get a linux system preloaded by System76 (Ubuntu systems) or ZaReason

BFL. I haven't checked their pricing recently.

51 posted on 02/16/2016 7:36:39 AM PST by zeugma (Lon Horiuchi is the true face of the feral government. Remember that. Always.)

To: dayglored
> That's not all that difficult, really, is it?

Not difficult to do, but I think it would make accomplishing the objective of collecting that crash dump data nearly impossible. The people most likely to turn it off are going to be the ones most likely to end up compromised.

It's easy to say that what you do with your computer is your business, and that works as long as it's your computer. If it gets compromised, then it's not your computer any more.

52 posted on 02/16/2016 7:39:32 AM PST by tacticalogic ("Oh bother!" said Pooh, as he chambered his last round.)

To: dayglored
> Oh, and yes of course, if the user does NOT agree to the transmission of potentially personal data, then they don’t get the benefits of the crashdumps and failure diagnoses. Ya pays yer money and ya takes yer choice.

Would you be agreeable to holding the users legally responsible for the consequences of that computer becoming part of a botnet that was used maliciously if they do turn it off, or holding sysadmins legally responsible if they fail to patch their servers and they get compromised and used to spread malware that creates the botnets?

53 posted on 02/16/2016 7:44:05 AM PST by tacticalogic ("Oh bother!" said Pooh, as he chambered his last round.)

To: tacticalogic
> Would you be agreeable to holding the users legally responsible for the consequences of that computer becoming part of a botnet that was used maliciously if they do turn it off, or holding sysadmins legally responsible if they fail to patch their servers and they get compromised and used to spread malware that creates the botnets?

LOL! Alas, that process is not just impractical, it's terribly error-prone, and I'm one of those annoying "Better a guilty man inadvertently be judged innocent, than an innocent man inadvertently be judged guilty" folks, so I wouldn't want to be responsible for vetting the process whereby users or sysadmins are put in jail for wanting some privacy.

Rather, I'd like to see Microsoft and other software makers held legally responsible for shipping products that aren't properly vetted.

I work for a company that makes software that checks and validates software very thoroughly. It's damned fancy stuff, and it's really good, and we've got customers whose products are nationally mission critical and life critical. Oh, yes, and it's not inexpensive. :-)

I can't tell you precisely how much Microsoft uses our products (or our competitors'), but I can state that a quick read of the last couple of years of the monthly security updates and what kinds of errors they patch suggests strongly that they aren't using such products nearly enough.

Fix the problem at the source, not out in the wild after the damage of not fixing it has already been done.

54 posted on 02/16/2016 8:09:36 AM PST by dayglored ("Listen. Strange women lying in ponds distributing swords is no basis for a system of government.")

To: dayglored
> Rather, I'd like to see Microsoft and other software makers held legally responsible for shipping products that aren't properly vetted.

Who are you going to hold legally responsible for Linux?

55 posted on 02/16/2016 8:14:15 AM PST by tacticalogic ("Oh bother!" said Pooh, as he chambered his last round.)

To: tacticalogic
> Who are you going to hold legally responsible for Linux?

Good question. I suppose when Linux becomes as widespread a vector for botnets as Windows, we'll have to address that with the developers. :-)

In the meantime, Linux is not a significant contributor to those problems, pretty much just a little background noise in the overall landscape.

56 posted on 02/16/2016 8:41:40 AM PST by dayglored ("Listen. Strange women lying in ponds distributing swords is no basis for a system of government.")

To: dayglored
> Good question. I suppose when Linux becomes as widespread a vector for botnets as Windows, we'll have to address that with the developers. :-)

It's already a major vector for the malware that creates the botnets, and it's already been the source of many data breaches.

If you're going to lay it all on the OS developers, then lay it on all of them.

57 posted on 02/16/2016 8:58:29 AM PST by tacticalogic ("Oh bother!" said Pooh, as he chambered his last round.)

To: tacticalogic
> If you're going to lay it all on the OS developers, then lay it on all of them.

If by "developers" you include the managers and executives who make the decisions about whether or not to use software validation and flaw-checking tools, then yes. In general I think the Windows programmers -- the designers and coders -- are doing about as well as any other bunch, whether Apple's or Google's or Linux's. But the folks who manage them are the ones with the budgets to pay for expensive but critically important tools to ferret out vulnerabilities BEFORE they get out in a release. The folks who manage are the ones with the Gantt charts screaming that the release has to be done because otherwise they'll miss their Bahamas vacation. It's harder, but not impossible to find them in the Linux community too.

> [Linux is] already a major vector for the malware that creates the botnets, and it's already been the source of many data breaches.

This sounds like a bit of a reach...

If you mean "Windows malware hosted on Linux servers", then sure, Linux servers, especially webservers, are ubiquitous and doubtless are used to distribute malware that runs on other platforms. The only way to avoid that would be for Linux admins to pay for Windows and other OS malware identification tools, and upsize their Linux servers to protect against non-Linux threats. Yes, they could, but really, that's not solving the problem at its source.

I was not referring to Windows botnet (and other non-linux) malware that shows up on Linux servers, any more than Apple malware that shows up on Windows Servers.

I was speaking about malware that -runs- on Linux -- the stuff that Linux programmers could be checking for in their own code. If that's what you meant, could you be more specific about this Linux software that's a major force in creating botnets of Linux boxes? I'm only aware of a little bit.

58 posted on 02/16/2016 9:32:13 AM PST by dayglored ("Listen. Strange women lying in ponds distributing swords is no basis for a system of government.")

To: dayglored
> I was speaking about malware that -runs- on Linux -- the stuff that Linux programmers could be checking for in their own code.

Applying the same standard you seem to be expecting from Microsoft, every newly discovered Linux vulnerability is stuff that Linux programmers should have been checking for in their code.

By your account, if a Windows user disables updates and their machine gets compromised because it wasn't patched, then Microsoft is responsible for shipping an insecure OS in the first place.

By the same token, if a Linux sysadmin running a free Linux distro doesn't keep his systems patched and they get compromised, who are you going to hold responsible for shipping an insecure OS, and how do you intend to collect damages?

59 posted on 02/16/2016 9:58:46 AM PST by tacticalogic ("Oh bother!" said Pooh, as he chambered his last round.)

To: blam

Just saying...but if you don’t want your file system scanned then don’t install any games with DRM, especially Blizzard Battlenet (World of Warcraft), Origin or Steam. And... Don’t install the Apple iTunes app.
Windows 10 is just one of thousands of commonly used things that farm your system and file info.


60 posted on 02/16/2016 2:00:12 PM PST by miliantnutcase

