"Recently Reddit user "sammiesdog" posted claims that Visual Studio's C++ compiler was automatically adding function calls to Microsoft's telemetry services."
https://www.infoq.com/news/2016/06/visual-cpp-telemetry
The screenshot accompanying their post showed how a simple 5 line CPP file produced an assembly language file that included a function call titled "telemetry_main_invoke_trigger".
The ensuing discussion then revolved around how to disable this unannounced "feature" while also speculating about its purpose. "sammiesdog" noted that this appears in release builds, while user "ssylvan" also indicated that it appeared in debug builds too. The telemetry function is intended to communicate with ETW (Event Tracing (Windows)).
The ensuing controversy and conversation about the discovery of this function led to a response from Microsoft's Steve Carroll, Development Manager for the Visual C++ team. First and foremost in his response is the unequivocal statement that this functionality will be removed in Visual Studio 2015's Update 3. Carroll goes on to explain Microsoft's thought process behind including this functionality:
...what the code does is trigger an ETW event which, when it's turned on, will emit timestamps and module loads events. The event data can only be interpreted if a customer gives us symbol information (i.e. PDBs) so this data is only applicable to customers that are actively seeking help from us and are willing to share these PDBs as part of their investigation. We haven't actually gone through this full exercise with any customers to date though, and we are so far relying on our established approaches to investigate and address potential problems instead.
.... according to a Microsoft spokesperson while this behavior does currently exist in "[VisualStudio20]15", it will be removed in a future preview release.
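An added example, not from the article, the Reddit post or Microsoft: a check a developer could run over the compiler's assembly listing (the kind of file shown in the screenshot) to see whether any routine references a telemetry symbol. The listing below is a constructed sample, and matching on the substring "telemetry" is an assumption based on the one symbol name quoted above.

```python
import re

# Needle taken from the symbol name reported in the article; matched as a
# substring so leading underscores or other decoration do not hide it.
NEEDLE = "telemetry"

PROC_RE = re.compile(r"^([^\s;]+)\s+PROC\b")
ENDP_RE = re.compile(r"^([^\s;]+)\s+ENDP\b")
REF_RE = re.compile(r"^\s*(call|jmp|EXTRN)\s+(?:\w+\s+PTR\s+)?([^\s:;,]+)", re.I)


def find_telemetry_refs(listing, needle=NEEDLE):
    """Return (line_no, enclosing_proc, kind, symbol) for each reference."""
    hits, proc = [], None
    for no, raw in enumerate(listing.splitlines(), 1):
        line = raw.split(";", 1)[0]  # drop MASM comments so they cannot match
        if m := PROC_RE.match(line):
            proc = m.group(1)        # entering a procedure body
        elif ENDP_RE.match(line):
            proc = None              # left the procedure
        elif m := REF_RE.match(line):
            kind, sym = m.group(1).lower(), m.group(2)
            if needle in sym.lower():
                hits.append((no, proc, kind, sym))
    return hits


# Constructed sample in the style of an MSVC assembly listing (not real output).
SAMPLE = """\
; Constructed sample listing
EXTRN\ttelemetry_main_invoke_trigger:PROC
_TEXT\tSEGMENT
helper\tPROC
\tmov\teax, 1
\tret\t0
helper\tENDP
main\tPROC
\tsub\trsp, 40
\tcall\ttelemetry_main_invoke_trigger
\tcall\thelper
; call telemetry_in_a_comment is ignored
\txor\teax, eax
\tadd\trsp, 40
\tret\t0
main\tENDP
_TEXT\tENDS
"""

if __name__ == "__main__":
    for no, proc, kind, sym in find_telemetry_refs(SAMPLE):
        print(f"line {no}: {kind} {sym} (in {proc or 'file scope'})")
```

Run against every listing in a build, a non-empty result identifies which routine received the inserted call and gives a before/after check once the compiler update is installed.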
Could we expect any less?
(Score: 4, Insightful) by Anonymous Coward on Saturday June 11 2016, @02:19PM
"We need to know what you do, when you do it, how you do it, for how long you do it. We need to know it now and we need to store it forever so we can then predict what you will do, when you will do it, how long you'll be doing it in order to make the decision as to whether you should be allowed to continue doing it. Anything less and the terrorists win."
(Score: 0) by Anonymous Coward on Saturday June 11 2016, @02:45PM
We need to know it now and we need to store it forever so we can then predict what you will do, when you will do it, how long you'll be doing it in order to make the decision as to whether you should be allowed to continue doing it. Anything less and the terrorists win.
Can confirm. Source: I'm an expert at playing Counter Strike.
(Score: 0) by Anonymous Coward on Saturday June 11 2016, @04:17PM
And here is their reason [soylentnews.org] for providing this type of thankless service.
(Score: 1, Insightful) by Anonymous Coward on Saturday June 11 2016, @02:19PM
Anyone want to bet if "removed=no longer present", or if "removed=obfuscated to the point you can't tell it's there"?
Microsoft certainly isn't taking any pains to shore up their questionable credibility.
(Score: 1, Insightful) by Anonymous Coward on Saturday June 11 2016, @02:26PM
You're forgetting "removed == 'replaced with something touted as a new feature but still doing the same'"
(Score: 0) by Anonymous Coward on Saturday June 11 2016, @04:58PM
"Remove" means renaming Telemetry to "Debug" Done!
(Score: 5, Insightful) by Anonymous Coward on Saturday June 11 2016, @02:28PM
Here's a reference or two for you https://www.gnu.org/philosophy/proprietary.html [gnu.org]
(Score: 5, Insightful) by Anonymous Coward on Saturday June 11 2016, @02:30PM
"We had always planned to remove this feature when it was found out."
(Score: 0) by Anonymous Coward on Saturday June 11 2016, @02:34PM
Surely you mean: "It's not spying, it's telemetry... meta-data only, you see."
(Score: 3, Funny) by MrGuy on Saturday June 11 2016, @02:48PM
No, no, no. It's not metadata. It's "business records," which have an even lower standard of privacy attached.
(Score: 2, Funny) by Anonymous Coward on Saturday June 11 2016, @04:11PM
You owe me a new keyboard...
(Score: 4, Insightful) by Anonymous Coward on Saturday June 11 2016, @02:41PM
1984 ACM acceptance speech for Ken Thompson, primary implementer of the first Unix: (PDF) Reflections on Trusting Trust details how even open source code can get backdoors put in it via the compiler. [cmu.edu]
It's even worse for C#... MANAGED CODE, YAY!
(Score: 0) by Anonymous Coward on Saturday June 11 2016, @03:21PM
And the year had to be 1984. Oh it was Thompson's - had thought it was Kernighan's paper.
(Score: 4, Interesting) by martyb on Saturday June 11 2016, @05:10PM
This presents a counter to the "Trusting Trust" attack: Fully Countering Trusting Trust through Diverse Double-Compiling (DDC) - Countering Trojan Horse attacks on Compilers [dwheeler.com] by David A Wheeler.
It has been a long time since I read it, but I recall trying to tear it apart and could find no shortcomings in it. Well worth the read!
Wit is intellect, dancing.
(Score: 4, Informative) by Fnord666 on Saturday June 11 2016, @06:57PM
Does applying DDC by itself guarantee the compiler isn't malicious?
No, applying DDC by itself does not guarantee that the compiler isn't malicious, or that the compiler is not doing something surprising to you, or that the compiler has no defects. For example, in 2016 it was discovered that Microsoft Visual Studio 2015 Update 2 was quietly inserting telemetry calls into compiled programs by default, even though this was not well documented and could harm privacy. That's not the sort of thing that DDC could typically detect.
In a nutshell Diverse Double Compiling assumes that you have the source for the compiler and is intended to validate that the associated binary was indeed created from that source. With closed source compilers it doesn't help us.
(Score: 2) by martyb on Sunday June 12 2016, @02:32AM
Very interesting! Like I mentioned above, it was a long time ago that I read the DDC article, so I appreciate the feedback. A quick search came up empty; would you care to share where you got that snippet from?
Wit is intellect, dancing.
(Score: 2) by fleg on Sunday June 12 2016, @03:25AM
looks like it's maybe from here...
http://www.dwheeler.com/trusting-trust/ [dwheeler.com]
(Score: 2) by Subsentient on Saturday June 11 2016, @07:50PM
I was going to mention this. Indeed, Microsoft took an old one and made it new again.
"It is no measure of health to be well adjusted to a profoundly sick society." -Jiddu Krishnamurti
(Score: 1, Interesting) by Anonymous Coward on Saturday June 11 2016, @02:41PM
examines Windows 10 telemetry [zdnet.com].
The claim by Steve Carroll that "The event data can only be interpreted if a customer gives us symbol information (i.e. PDBs) so this data is only applicable to customers that are actively seeking help from us and are willing to share these PDBs as part of their investigation." sounds like BS. Just getting frequency counts and durations of app and module loads in the field would be valuable to Microsoft. From that, they can easily estimate the relative user populations of various third party apps and libraries.
(Score: 3, Informative) by Anonymous Coward on Saturday June 11 2016, @02:49PM
Unfortunately, one of the options isn't "Off".
(Score: 3, Insightful) by SomeGuy on Saturday June 11 2016, @03:13PM
Anyone else remember the days when this sort of thing was just surreal fiction:
[Janie Crane presses a button on a television, turning it off.]
Janie Crane: "An off switch?"
Metrocop: "She'll get years for that. Off switches are illegal!"
(Score: 4, Funny) by Anonymous Coward on Saturday June 11 2016, @03:17PM
Well... telemetry, egg, sausage and telemetry doesn't have much telemetry in it...
(Score: 1, Flamebait) by turgid on Saturday June 11 2016, @08:34PM
To be fair, this is C++ binaries, and C++ programs are so buggy the users are grateful for any help debugging them that they can get, even if it is from the experts at Microsoft.
I refuse to engage in a battle of wits with an unarmed opponent [wikipedia.org].
(Score: 2) by Subsentient on Sunday June 12 2016, @08:23AM
Go back to Rust and leave us systems programmers in peace.
"It is no measure of health to be well adjusted to a profoundly sick society." -Jiddu Krishnamurti
(Score: 2) by turgid on Sunday June 12 2016, @10:02AM
I'll stick to C, thanks very much.
I refuse to engage in a battle of wits with an unarmed opponent [wikipedia.org].
(Score: 2) by Subsentient on Tuesday June 14 2016, @01:43AM
Ahh, a fellow C guy. I took your comment for one of the hipster's bashes on C family languages. Glad to be mistaken.
"It is no measure of health to be well adjusted to a profoundly sick society." -Jiddu Krishnamurti
(Score: 3, Interesting) by Hairyfeet on Sunday June 12 2016, @06:13AM
How can you tell the tales of spying are true? When Ed Bott, one of the biggest Softies that ever drew a breath, says "maybe you better turn it down". BTW to translate that into non shill-ese that should read "ZOMFG they are grabbing so much data they can probably see you nekkid through your webcam, OMFG!"
BTW on behalf of myself and all the other little shop guys? I'd like to thank MSFT, the extra $$$ we're making removing your spyware OS and installing blocks to keep that shit off is a better windfall than Vista, hell it might even reach Windows Mist8ke proportions, thanks MSFT!
ACs are never seen so don't bother. Always ready to show SJWs for the racists they are.
(Score: 3, Insightful) by SomeGuy on Saturday June 11 2016, @03:07PM
It is interesting how benign they make this feature sound. Various forms of automated debugging have been around for ages, but now they are trying to integrate their telemetry malware into all of this. Kind of reminds me how they made everything including the kitchen sink require Microsoft Internet Explorer 4.0 back in the day (And now they have to have two web browsers because of it). They are trying to justify the survival of a program that needs to be burned at the stake.
(Score: 1) by Francis on Saturday June 11 2016, @04:12PM
Considering their business model is to trick people into buying crappy software that they don't need, I think it's not surprising that they've gotten rather good at this kind of BS.
(Score: 2) by frojack on Saturday June 11 2016, @07:01PM
Automated debugging is usually at the programmer's option, when trying to track down some obscure bug. You turn that shit off and recompile for production use. It generally introduces a large amount of overhead, even when the symbol tables are not present and debugging can't be done.
This is just another reason to avoid their compiler.
No, you are mistaken. I've always had this sig.
(Score: 0) by Anonymous Coward on Saturday June 11 2016, @04:03PM
Here at Microsoft we patent your source code for you so you don't have to!
(Score: 5, Insightful) by Chromium_One on Saturday June 11 2016, @04:32PM
So ...
I refuse to upgrade past Win7 and I audit windows updates so as to avoid GWX and telemetry hooks.
Now I have to watch out for individual applications or plausibly even updates to things like msvc dlls?
So this shit only ends when I can finally ditch that last windows application?
When you live in a sick society, everything you do is wrong.
(Score: 2) by Nerdfest on Saturday June 11 2016, @04:36PM
Application? No, it will only end when you ditch Windows. However, after all of the crap that has gone on, anyone still using Windows at this point is quite likely to keep using it.
(Score: 1) by Chromium_One on Saturday June 11 2016, @04:50PM
[ditch windows implied by ditching last windows application]
When you live in a sick society, everything you do is wrong.
(Score: 2) by Nerdfest on Saturday June 11 2016, @05:24PM
Well alright then. Carry on.
(Score: 0) by Anonymous Coward on Saturday June 11 2016, @07:05PM
ditching [my] last windows application
It sounds like you are on the right track, finding replacements for Windoze-only stuff.
As for the cling-ons that remain and running those without any MICROS~1 code, have you tried an alternative way of getting that code executed?
ReactOS Is a Promising Open Source Windows Replacement [linuxinsider.com]
You may be surprised by how many "Windoze-only" apps are capable of running using a FOSS OS. [reactos.org]
-- OriginalOwner_ [soylentnews.org]
(Score: 1) by Chromium_One on Saturday June 11 2016, @08:14PM
Regularly. WINE works. Some of the time with no massaging. Most of the time with some massaging. Nearly all of the time with excessive-to-insane amounts of digging through settings to get the corner cases to work. winetricks and the AppDB help as well, but still we're nowhere near having everything work reliably.
For ReactOS, well, despite aggressive code sharing with WINE, it has so far shown me a worse compatibility rating.
VMs have their own issues
When you live in a sick society, everything you do is wrong.
(Score: 0) by Anonymous Coward on Sunday June 12 2016, @07:42AM
"Now I have to watch out for individual applications or plausibly even updates to things like msvc dlls?"
Oh no no no. You just have to make sure you never use any program that has ever been compiled with Visual Studio C++, either directly, or uses dlls/obj code that has been compiled with it.
Remember, they hid this functionality, so it's probably safe to assume no developer knew they were adding microsoft's telemetry into their products - and you had to know about it to explicitly prevent it from being added.
(Score: 1) by tbuskey on Saturday June 11 2016, @04:36PM
Reflections on Trusting Trust
http://dl.acm.org/citation.cfm?id=358210 [acm.org]
(Score: 2) by Scruffy Beard 2 on Saturday June 11 2016, @05:04PM
An AC beat you to it, but your link appears to be different.
(Score: 5, Funny) by datapharmer on Saturday June 11 2016, @05:37PM
Yes, but if you hash them both they don't match... I think one might have been tampered with by the browser during render.