Posted on 02/15/2016 10:52:46 AM PST by blam
Feburary 14, 2016
Paul_Behan
Don’t Keep Your Personal Or Financial Data On A Windows 10 Machine!
Well not if you want to keep it private. Like many people I was surprised at the Edward Snowden revelations a few years ago. Nothing has seemed to change and in many cases things have got worse. Some corporations are in partnership with government agencies in regard to collection of data.
(snip)
According to this an article, (1) even after turning off all the tracking options on a computer, the researcher left the computer on overnight and tracked the traffic. He was surprised to find that Windows 10 had attempted to contact 51 Microsoft IP addresses 5,508 times. Some of the website addresses contacted include: (2)
(snip)
If Windows is left unattended for about 15 minutes, a large volume of traffic starts being transmitted to various servers. This may be the raw audio data, rather than just samples.
If you are still running earlier versions of windows you would think you would be safe from this tracking, but updates have been released that install this tracking into the earlier versions. Fortunately these updates can be removed. I found that these updates were installed on my Windows 7 computer on the 25th of November 2015. The updates in question are: (3)
* KB3068708 – This update introduces the Diagnostics and Telemetry tracking service to existing devices.
* KB3022345 (replaced by KB3068708) – This update adds the Diagnostics and Telemetry tracking service to in-market devices.
* KB3075249 – This update adds telemetry points to the User Account Control (UAC) feature in order to collect data on elevations that come from low integrity levels.
* KB3080149 – This package updates the Diagnostics and Telemetry tracking service to existing devices.
(snip)
(Excerpt) Read more at marketoracle.co.uk ...
I don't doubt they may inadvertently capture personal data with programs like EMET.
Do you know of a way that can be avoided? If it can't be avoided, can you make the case that they should not be running that program and capturing that data?
My question would be - do you use online banking? Can’t really avoid it anymore. My local bank only has one location now on the other side of town. I’m sure the government can easily look to see how much I have in my account at any given moment.
File your taxes online? I wouldn’t be surprised if Microsoft or somebody else can capture all the info you input to complete that return. HR Block does. And I only have to pay them $65 for software that allows them to do it.
Fatal? Only if wildly successful, which I doubt it would be, given the modern ubiquity of such collection by others, and the difficulty of proving it without access to storage that Microsoft doesn't have to grant. A decade could go by just in "discovery" in such a class action suit, and by then few would still care.
> Do you know of a way that can be avoided? If it can't be avoided, can you make the case that they should not be running that program and capturing that data?
I don't think it can be avoided without a detailed study of the data before transmission, to cull out obvious things like HIPAA; and it would still make mistakes.
Therefore, since they're going to run -some- sort of such program, I could be satisfied with a simple, honest, complete agree-to statement along the lines of:
"We're going to read everything you have on this computer. Everything you write, read, send, receive, create, and watch. Because we can, and because we want to. We're going to extract from that, whatever information we want about you, your family, your personal habits, your love/sex life, your job, what you buy and sell, what you like and don't like, and anything else that isn't clearly illegal for us to extract. We're going to send it to our data banks where your information will be used to try to make you buy stuff from us and the companies we sell that data to. We'll do our very best not to break the law, but you understand, and you accept by using this software, that nothing is perfect, so you agree not to sue us if we make a few mistakes. We'll apologize, and you'll shut up about it. Deal?"And that's not hidden away in paragraph 27 of the EULA. It's a banner dialog when the user first logs in that the user has to click "Agree" as part of the initial login process.
And no, I don't expect that to ever happen. It might be the last-ditch fallback offer in case a class action suit came up, but I don't expect one to.
You have to assume that whoever wrote the OS could have written that capability into it. The only way to be sure would be to write your own, or get the source code for one and then review and compile it yourself.
What I find amazing is this knee-jerk reaction of Linux being the Holy Grail of secure operating systems, when a little research reveals the some of the worst security breaches have been accomplished by compromising Linux servers.
Okay. Now tell me they shouldn't be running EMET or similar programs that upload crashdump information that might contain personal data, because they can't insure that they will never inadvertently capture personal data. That's the logical conclusion all of this is supposed to lead to, isn't it?
Maybe we should sue over this...
Maybe we should sue over this... One large class action suit from the freepers of FreeRepublic...
bfl
I'm not sure we're on the same page here :-)
I don't care what they read, capture, select, and transmit, as long as they're totally upfront about it. Like making the user agree to a brief, readable disclaimer.
There are good reasons why a software company would want to see what happened in a user's machine. I'm a system admin and programmer, I know how important that is. But given the high likelihood of inadvertently transmitting private data, there should be a clear, agreed-to disclaimer.
Now it's true that others would like to see all such transmissions, whatever their purpose or excuse, prohibited. But that's not what I'm saying. I'm only saying that there ought to be:
Oh, and yes of course, if the user does NOT agree to the transmission of potentially personal data, then they don’t get the benefits of the crashdumps and failure diagnoses. Ya pays yer money and ya takes yer choice.
BFL. i haven't checked their pricing recently.
Not difficult to do, but I think it would make accomplishing the objective of collecting that crash dump data nearly impossible. The people most likely to turn it off are going to be the ones most likely to end up compromised.
It's easy to say that what you do with your computer is your business, and that works as long as it's your computer. If it gets compromised, then it's not your computer any more.
Would you be agreeable to holding the users legally responsible for the consequences of that computer becoming part of a botnet that was used maliciously if they do turn it off, or holding sysadmins legally responsible if the fail to patch their servers and they get compromised and used to spread malware that creates the botnets?
LOL! Alas, that process is not just impractical, it's terribly error-prone, and I'm one of those annoying "Better a guilty man inadvertently be judged innocent, than an innocent man inadvertently be judged guilty" folks, so I wouldn't want to be responsible for vetting the process whereby users or sysadmins are put in jail for wanting some privacy.
Rather, I'd like to see Microsoft and other software makers held legally responsible for shipping products that aren't properly vetted.
I work for a company that makes software that checks and validates software very thoroughly. It's damned fancy stuff, and it's really good, and we've got customers whose products are nationally mission critical and life critical. Oh, yes, and it's not inexpensive. :-)
I can't tell you precisely how much Microsoft uses our products (or our competitors'), but I can state that a quick read of the last couple of years of the monthly security updates and what kinds of errors they patch suggests strongly that they aren't using such products nearly enough.
Fix the problem at the source, not out in the wild after the damage of not fixing it has already been done.
Who are you going to hold legally responsible for Linux?
Good question. I suppose when Linux becomes as widespread a vector for botnets as Windows, we'll have to address that with the developers. :-)
In the meantime, Linux is not a significant contributor to those problems, pretty much just a little background noise in the overall landscape.
It's already a major vector for the malware that creates the botnets, and it's already been the source of many data breaches.
If you're going to lay it all on the OS developers, then lay it on all of them.
If by "developers" you include the managers and executives who make the decisions about whether or not to use software validation and flaw-checking tools, then yes. In general I think the Windows programmers -- the designers and coders -- are doing about as well as any other bunch, whether Apple's or Google's or Linux's. But the folks who manage them are the ones with the budgets to pay for expensive but critically important tools to ferret out vulnerabilities BEFORE they get out in a release. The folks who manage are the ones with the Gantt charts screaming that the release has to be done because otherwise they'll miss their Bahamas vacation. It's harder, but not impossible to find them in the Linux community too.
> [Linux is] already a major vector for the malware that creates the botnets, and it's already been the source of many data breaches.
This sounds like a bit of a reach...
If you mean "Windows malware hosted on Linux servers", then sure, Linux servers, especially webservers, are ubiquitous and doubtless are used to distribute malware that runs on other platforms. The only way to avoid that would be for Linux admins to pay for Windows and other OS malware identification tools, and upsize their Linux servers to protect against non-Linux threats. Yes, they could, but really, that's not solving the problem at its source.
I was not referring to Windows botnet (and other non-linux) malware that shows up on Linux servers, any more than Apple malware that shows up on Windows Servers.
I was speaking about malware that -runs- on Linux -- the stuff that Linux programmers could be checking for in their own code. If that's what you meant, could you be more specific about this Linux software that that's a major force in creating botnets of Linux boxes. I'm only aware of a little bit.
Applying the same standard you seem to be expecting from Microsoft, every newly discovered Linux vulnerability is stuff that Linux programmers should have been checking for in their code.
By your account, if a Windows user disables updates and their machine gets compromised because it wasn't patched, then Microsoft is responsible for shipping an insecure OS in the first place.
By the same token, if a Linux sysadmin running a free Linux distro doesn't keep his systems patched and they get compromised, who are you going to hold responsible for shipping an insecure OS, and how do you intend to collect damages?
Just saying...but if you don’t want your file system scanned then don’t install any games with DRM, especially Blizzard Battlenet (World of Warcraft), Origin or Steam. And... Don’t install the Apple itunes app.
Windows 10 is just one of thousands of commonly used things that farm your system and file info.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.