
SoylentNews is people

posted by takyon on Wednesday September 02 2015, @11:36AM
from the trickle-down dept.

If you have been refusing Microsoft's offer to upgrade your Windows 7 or 8* operating system to Windows 10 due to the oft-reported data and telemetry slurping it seems inclined to do, then it is time to be on your toes as to which updates you allow to be installed on your earlier version of the operating system.

El Reg reports that Microsoft are busy pushing similar functionality to those older operating systems by way of Windows Update. The updates in question can apparently be rolled back if required.

They are however very determined in their function if allowed to be installed, going so far as to ignore such venerable solutions as additions to the HOSTS file, which has historically been a way to knobble phone-home behaviour:

Now Microsoft is revamping the user-tracking tools in Windows 7 and 8 to harvest more data, via some new patches.

All the updates can be removed post-installation – but all ensure the OS reports data to Microsoft even when asked not to, bypassing the hosts file and (hence) third-party privacy tools. This data can include how long you use apps, and which features you use the most, snapshots of memory to investigate crashes, and so on.

The updates are KB3068708 ("Update for customer experience and diagnostic telemetry" and mandatory), KB3075249 ("Update that adds telemetry points to consent.exe in Windows 8.1 and Windows 7"), and KB3080149 (also an "Update for customer experience and diagnostic telemetry", both optional).



 
  • (Score: 4, Informative) by vux984 on Wednesday September 02 2015, @02:59PM


    All the updates can be removed post-installation – but all ensure the OS reports data to Microsoft even when asked not to, bypassing the hosts file and (hence) third-party privacy tools.

    Using hosts as a blocking mechanism has never been terribly foolproof. All it does is plug into the local system's name resolution (DNS). Any system that used static IP addresses renders it moot: if there is no name to look up there is no DNS involvement at all. This isn't being sneaky to bypass hosts, it's just the nature of using an IP address as an address.

    It has also always been possible and easy to resolve DNS from another server to bypass the local DNS resolver, and security tools (and malware) would often do this as a matter of course. Security tools in case the local system was infected and redirecting DNS, and malware to try and dodge local system security software.

    The point is writing that they are "going so far as to ignore such venerable solutions as additions to the HOSTS file" suggests they had to actively do something. All they had to do was use a static IP address or an external resolver. And you know what... using static IP or an external resolver might even be part of the security profile. To dodge malware from modifying the hosts file and easily redirecting Microsoft error reporting and telemetry data to a malware server. I feel like a Microsoft shill here, but I'm not. I'm not defending the heavy handed telemetry collection, or the fact that it's harder to shut off than it should be, or the fact that the documentation/disclosure is sparser than it should be. I'm just saying that making much ado about "HOSTS" not blocking it is just silly. HOSTS isn't a blocking tool. It never was.

  • (Score: 4, Insightful) by Hyperturtle on Wednesday September 02 2015, @03:44PM


    Nor was the simple lock on my desk, or even what came with the house on the front door. Or my garage door opener.

    But I could change those locks, I could make the code harder. I won't keep out anyone determined, and can direct traffic to what name you want it to go to. The OS should not be hijacking those preferences, but yeah malware abused that relationship. That relationship is still being abused, but it isn't from what is the traditional enemy.

    I never expected the home builder to invade my home by exploiting the locks they provided, though, nor having a master key to the locks that fit in the hardware they provided.

    If I want real security, I have to install 3rd party equipment. I shouldn't have to do that to keep my home builder outside of my house and checking to see if I use all of the rooms and how often and what the thermostat is at or how frequently the water heater turns on and what times of the day I am in and out and... oh I mean Windows 10 and the stuff I do on that. And who would have thought that they are breaking into older houses they no longer provide new builds of those models -- and checking into what is going on there, too.

    Maybe they want to see why people refuse to trade up? Maybe they are poor? We could send different marketing to them; with enough effort we can send the right message so they know we care! They may throw away mailings, but they can't avoid it when we flash the lights in their face. They have no choice but to hear our message, which will be catered to their interests since it seems they were not receptive to the free upgrade we offered.

    But you're right. Host files don't really help, especially when the likes of an OnHub are making inroads. I used to trust my router but now that is a stupid ideal to believe. That thing looks like it'll be provided as the "cable modem" for their fiber service; everyone else can play me too and buy one for $200. People will, like that guy from Ars.

    In any event -- as the person with the name on the deed of the home I live in, it seems that I have to presume the occupants of my house are the enemy going forward, but it never used to be like that. I am not even sure how they got in, it used to be so easy to just let things run like it did before, with a few adjustments according to my tastes. My guests used to abide by my wishes and if they asked for too much I was disinclined to invite them to return; I might even yawn and kick them out. But these ones... they won't leave.

    And worse, not only are they not leaving, they ignore my direct requests for them to go! And when I wasn't looking, they let more of themselves in by opening up the windows... and I can't seem to close them with the tools provided by the builder! It's like the latch they provided for the windows only works against my own stuff!

    • (Score: 0) by Anonymous Coward on Wednesday September 02 2015, @05:57PM


      But I could change those locks, I could make the code harder.

      You could avoid using non-free proprietary user-subjugating software. Regardless of secondary benefits like quality, you'd be using something that respects your freedoms.

    • (Score: 2) by vux984 on Thursday September 03 2015, @05:09PM


      Nor was the simple lock on my desk

      That misses the point. Since we're going with a desk metaphor, HOSTS is like a personal phone directory or address book or rolodex. If you don't want people to use your desk phone to call the pizza place, do you think putting a card in your rolodex for the pizza place and a fake number is a security measure? Sure, if whoever was using your phone was actually looking up the number in your rolodex, then it might actually foil them.

      But if someone comes along who just knows what the number is, and they dial it... do you act as if someone "bypassed your security"?

      A desk lock is weak security, but it represents an actual obstacle between the people outside the desk and the stuff inside it. It must actually be breached to get at the stuff inside the desk.

      The HOSTS file is just a rolodex on your desk sitting next to the phone. If you want to restrict people from making calls to people you need to secure the PHONE. Putting fake address cards in the rolodex, and blacking out entries in the yellow pages underneath it might disrupt someone sitting at your desk, but to make the case you expect people not to be able to make calls to the numbers you messed with is ridiculous. You didn't actually put any sort of block on the numbers on your phone at all. All you did was mess with the directory listings on your desk, which they might not even need to use.

  • (Score: 1) by SDRefugee on Wednesday September 02 2015, @08:31PM


    Block this crap at your external hardware router/firewall.... you *do* have one of those, right???

    --
    America should be proud of Edward Snowden, the hero, whether they know it or not..
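
Added example, not part of the original discussion and not any commenter's code: a small Python model of the point made in vux984's two comments and in SDRefugee's reply above. A hosts entry only changes the answer for clients that ask the system resolver, while an egress rule on the destination address applies to every connection. The hostnames, addresses and event list are constructed placeholders, and the resolver and firewall behaviour is simplified.

```python
import ipaddress

# Constructed hosts-file text; names and addresses are placeholders.
HOSTS_TEXT = """\
127.0.0.1  localhost
0.0.0.0    telemetry.example stats.telemetry.example  # sinkhole entry
"""

# Constructed events: (process, hostname or None, resolver, real server IP).
# hostname None = literal IP dialled; "external" = client queries its own DNS.
EVENTS = [
    ("app_a", "telemetry.example", "system", "203.0.113.10"),
    ("app_b", None, None, "203.0.113.10"),
    ("app_c", "telemetry.example", "external", "203.0.113.10"),
    ("app_d", "updates.example", "system", "198.51.100.7"),
]

def parse_hosts(text):
    """Return {hostname: address} from hosts-file text; first entry wins."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed address: ignore the line
        for name in fields[1:]:
            table.setdefault(name.lower(), fields[0])
    return table

def audit(events, hosts, blocked_nets=()):
    """Map each process to 'sinkholed', 'blocked' or the IP it reaches."""
    nets = [ipaddress.ip_network(n) for n in blocked_nets]
    result = {}
    for proc, name, resolver, real_ip in events:
        # The hosts table is consulted only on a system-resolver lookup.
        via_hosts = resolver == "system" and name and name.lower() in hosts
        dest = hosts[name.lower()] if via_hosts else real_ip
        addr = ipaddress.ip_address(dest)
        if addr.is_unspecified or addr.is_loopback:
            result[proc] = "sinkholed"
        elif any(addr in net for net in nets):
            result[proc] = "blocked"  # egress rule matches the address itself
        else:
            result[proc] = dest
    return result
```

Calling `audit(EVENTS, parse_hosts(HOSTS_TEXT))` leaves only `app_a` sinkholed; passing `["203.0.113.0/24"]` as the third argument also stops `app_b` and `app_c`, which never consulted the hosts table.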