Someone1234 3 months ago

We don't know if this is a security update or not.

This is an article, about an article, about a blog post, about a random comment. Someone grabbed the update's file change list, spotted files used by the Customer Experience Improvement Program (CEIP) and then said that because those files were updated, this security update "added telemetry."

Problem is that those files previously existed on Windows 7 as part of CEIP and may require legitimate updates (inc. security). You still need to opt into the CEIP so that telemetrics are sent to Microsoft, and there's no proof that this update has changed that.

I guess what I am saying is: There could be a story here, hypothetically, but this article lacks enough information to say that there is. This could be a legitimate security update to an unpopular part of the Windows 7 OS.

  • ceph_ 3 months ago

    You're spreading baseless FUD about the article.

    They are telemetry files that previously non-security patches have attempted to add on multiple occasions[1].

        $ cat 4507456.csv | grep -i telem
        Appraiser_telemetryrunlist.xml,Not applicable,"71,958",17-May-19,16:16,Not applicable,None,Not applicable
        Appraiser_telemetryrunlist.xml,Not applicable,"71,958",17-May-19,16:17,Not applicable,None,Not applicable
        File name,,,,,,,
        File name,X86_microsoft-windows-a..ence-telemetry-sdbs_31bf3856ad364e35_6.1.7601.24490_none_0a5a1cf1c1a22732.manifest,,,,,,
        File name,,,,,,,
        File name,Amd64_microsoft-windows-a..ence-telemetry-sdbs_31bf3856ad364e35_6.1.7601.24490_none_6678b87579ff9868.manifest,,,,,,


  • tinus_hn 3 months ago

    They’ve pulled these tricks so many times before they are not getting the benefit of the doubt from me.

    • TimTheTinker 3 months ago

      > benefit of the doubt

      OP's point was that ZDNet is stooping a bit low here by journalistic standards. In this case, it appears there's not enough evidence to publish a "question headline" -- much less question whether they deserve some benefit of a doubt.

      We all know MS and others have engaged in questionable behavior - but at least wait until there's something substantive before publishing.

      • fartcannon 3 months ago

        No, publish now, and let Microsoft's PR machine reveal itself. We could learn so much.

        • darkcha0s 3 months ago

          So you'd rather push fake news, rather than see if the report substantiates.

    • phs318u 3 months ago

      Are you referring to Microsoft or ZDnet?

  • VvR-Ox 3 months ago

    Just stop defending this company please, they tried this a lot and look at how much telemetry they managed to get into windows and other products nowadays.

    I can't listen to this naive way of dealing with these companies anymore. Use it if you want and also use it for your business but don't complain afterwards that someone stole something important etc.

    • rlpb 3 months ago

      > Just stop defending this company please...

      As an interested but unaffected observer, I'd just like to understand accurately the state of things. It's quite right[1] to call out biased reporting that misrepresents the facts, fails to cite evidence of claimed facts, or that misrepresents speculation as fact, since otherwise all we get is "fake news" and lynch mobs, which just polarises the population and helps nobody.

      If you have a problem with a rebuttal, then argue against it on the basis of what it said, please, rather than on the assumption that it is automatically wrong based on previous history.

      It's fine (and perhaps even appropriate) to speculate in a biased way on unknowns based on previous history, but that doesn't in any way invalidate proper journalism based on seeking the facts, and the two should not be conflated.

      [1] In principle. You seem to be arguing against the principle. My comment isn't intended to pass judgement on the accuracy of this reporting or the accuracy of the rebuttal.

      • magduf 3 months ago

        > since otherwise all we get is "fake news" and lynch mobs, which just polarises the population and helps nobody.

        Perhaps, but one difference I see is that lynch mobs target disempowered individuals who can't defend themselves against the mob, usually people who were already very low on society's totem pole.

        What's anyone going to do to Microsoft? They've been rightfully criticized for all kinds of bad behavior for decades now, and they're still hugely profitable. People have known about the spyware issues in Windows 10 for ages now, but it isn't stopping them from using it.

        • Mountain_Skies 3 months ago

          Microsoft isn't the only one negatively affected by false news. The consumer of the information is also negatively affected. Security workers need accurate information, not Outrage of the Day junk. It might turn out that the concerns raised in the article are valid but they don't have enough evidence at this time to raise those concerns. It just adds noise that the consumer of the information has to deal with. I don't really care about Microsoft somehow getting harmed. I do care about the IT worker whose job it is to protect their company's systems from security exploits. Dumping low quality possibly false information on them makes securing their systems more difficult. That's the real harm.

    • iamnotacrook 3 months ago

      It's not about "defending a company". That's the wrong way of looking at it. It's about HN not reporting on "an article, about a blog post, about a random comment..." as if it's facts. Until otherwise demonstrated, this is a non-story. If it turns out to be true, I'll be the first person to say "yeah, same old same old" but no-one's put the work in yet.

      • blub 3 months ago

        The article author tried to contact MS and checked themselves that the files are part of the update.

        Furthermore, the user Someone1234 has been defending telemetry on HN for years, often ignoring two important facts:

        * telemetry was invasive and non-transparent, but got toned down because of the backlash. They always refer to the current state and pretend that people are paranoid and exaggerate.

        * MS used many dark patterns when rolling this out, essentially getting into an arms race with the customers that wanted to disable telemetry.

        • dang 3 months ago

          Please don't cross into personal attack in comments here. I'm sure you can make your substantive points without that.

          • blub 3 months ago

            Pointing something out about somebody's comment history is not an "attack".

            There are many HN users which repeatedly defend dark patterns and the nasty practices of companies and then don't reply or ignore counter-arguments.

            It would seem to me that HN should be more concerned with those situations, than those that point the above out in a rather benign way.

            • dang 3 months ago

              > Pointing something out about somebody's comment history is not an "attack".

              That's certainly true in general. For example, if I post "Hey, I noticed that you've posted a lot about APL. Did you ever work with it professionally?", that's not a personal attack. But the pattern here was more specific than that. If you single someone out by name and insinuate bad faith in their comment history, that pattern-matches closely to the online calling-out and shaming culture. We want to avoid that culture here: its spirit is aggressive, we want HN's spirit to be collegial, and one can't have both. When we post moderation comments like I did above, we're always looking at the effect something has on the site as a whole. The calling-out culture is contagious because people are so used to it elsewhere.

              It's perfectly natural for someone who disagrees with your view to have various comments in their history expressing that. The way to answer this is with better arguments, not by naming and shaming.

              If you say that your intent wasn't to shame or insinuate, I believe you, but that's only a necessary condition for posting here, not a sufficient one. If your post pattern-matches to a standard way people do that on the internet, then readers will interpret you that way (like I did above) even if you intended otherwise, and the effect on the community will be just as bad. In such cases, the burden is on the commenter to make their benign intent explicit and disambiguate from the default pattern.

        • VvR-Ox 3 months ago

          Thank you very much, now I don't have to answer anymore. Have a good day :)

  • altmind 3 months ago

    > We don't know if this is a security update or not.

    What are you implying? Go to the link in the article and find out how it is described:

    • dspillett 3 months ago

      Because how something is described is always exactly what it is, that's why we are always told to judge books by their covers...

      That page doesn't state what security matters the update addresses, nor does the page it links to (directly, maybe the information is there with more digging, but if I'm given a link on the pretext that it shows something I expect it to show that thing without needing to dig).

      > What are you implying,

      I'm not the OP, but I think what is being implied is fairly obvious: that the patch exists purely as a way to get the telemetry stuff installed and had no real security addressing content.

      I very much doubt that is the case though; it is something that would not surprise me from the MS of old, but they are at the very least more clever these days and would not risk the resulting furore.

  • userbinator 3 months ago

    > Problem is that those files previously existed on Windows 7 as part of CEIP

    Were they there from the beginning? If not, which update(s) first added them? I doubt they were, because I clearly remember all the telemetry being in the news starting with Win10 and plenty of people refusing to upgrade to 10 because of it.

    Even if it's a security update to CEIP, I don't think it should be offered to those who didn't install the original version of it.

mirimir 3 months ago

The last time I helped my wife with a Windows 10 install, I was utterly grossed out. I've always been suspicious about snooping and covert logging, and spent years playing the game about blocking it all, but Windows 10 is crazy invasive.

I mean, by default, it wants to send every keystroke back to Microsoft servers! For "diagnostic purposes", I guess. And every URL that you visit. That's arguably worse than Google. Which is saying a lot.

  • pilif 3 months ago

    > I mean, by default, it wants to send every keystroke back to Microsoft servers

    do you have any proof to substantiate this statement? I don’t believe for a second that Microsoft is getting away with an OS-wide keylogger

    • tallanvor 3 months ago

      Of course he doesn't, because it's obviously untrue. Newer versions of Windows 10 give you the option to save all diagnostic data and view it, so that you can actually see what they send back.

      • chopin 3 months ago

        There's no way of verifying that the data shown is identical to the data being sent back.

        For me Microsoft has become untrustworthy as an OS vendor, enough for me to even scrap my Windows 7 installations.

      • JeffDClark 3 months ago

        I just set up Windows on a machine for the first time in a decade, it was a very gross experience indeed. I do recall it asking a series of questions about sending data to MSFT that were all by default, opt-in. One of those options sounded a lot like a key logger. The entire install process was so full of dark patterns it was really quite unbelievable to me.

      • mirimir 3 months ago

        It's true that I can't, because that was years ago. But I do remember what I read. And some searching will find others who say the same.

        All of the angst about Windows 10 spying did force Microsoft to be more transparent. At one point, they were facing legal action from France and Brazil, and very likely other countries.

    • mirimir 3 months ago

      As I recall, this is what you saw when customizing privacy settings, back when Windows 10 first came out:

      > 1. Go to Start, then select Settings > Privacy > General.

      > 2. Turn off Send Microsoft info about how I write to help us improve typing and writing in the future.

      I didn't verify what it actually sent, but that's what I remember seeing.

      I got that here:

      For current Windows 10 versions, it's become a local database:

      > As part of inking and typing on your device, Windows collects unique words—like names you write—in a personal dictionary stored locally on your device, which helps you type and ink more accurately.

    • blub 3 months ago

      I helped a friend turn off the worst of telemetry and there was definitely a pre-checked checkbox that would send data to MS to improve "typing" or some other nonsense.

      Given that MS can connect to your computer at higher telemetry levels and run programs and download documents, I have zero trust in this company and turned everything I could find off.

      • posix_me_less 3 months ago

        If you have zero trust why do you expect turning off everything achieves anything? Microsoft is known to turn their malfeatures back on.

        • magduf 3 months ago

          Furthermore, if you have zero trust in your OS vendor, then why are you continuing to use their product?

          • mirimir 3 months ago

            I need to use Windows sometimes to check out VPN client apps. Also to use Excel, when Calc chokes on too much data and/or too many calculations.

            So I'm just very careful. I have old Windows 7 and Office DVDs that I bought for cash at a yard sale. I created a VirtualBox VM, and updated it through a nested VPN chain.

            When I need to use Windows, I just clone that VM. If I'm putting data on it, I don't give it an Internet uplink. Occasionally, I update a clone. And if everything goes well, I use that as the source for future working clones. If I need to retain old clones, I put them on an external LUKS SSD.

          • krageon 3 months ago

            Perhaps you work on Windows (and are required to), or you like playing AAA videogames. Two use-cases where not using Windows is not an option, but a requirement.

            • magduf 3 months ago

              Playing AAA videogames is not a requirement for anything unless your job is game testing.

              • krageon 3 months ago

                I said it was a use-case. It might not be a use-case that is right for you, but I'd hazard to go so far as to say that it is a use-case for a large number of people that run Windows.

  • oil25 3 months ago

    One possible solution is to block access to Microsoft IP ranges on your firewall:

        $ whois -h whois.radb.net '!gAS8075'
        $ pfctl -t drophosts -T add <results>

    Or on Linux:

        $ for range in <results> ; do sudo iptables -A INPUT -s $range -j DROP ; done

    Of course this will break a lot of Windows native system functionality, perhaps even Azure hosting, but this may not be an issue for someone just wishing to game in peace and privacy, unmolested by Microsoft telemetry.

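
    Added here as a worked example, not oil25's own commands: the script below turns RADb route objects for an AS (assumed to come from `whois -h whois.radb.net -- '-i origin AS8075'`) into de-duplicated prefixes and prints the matching pf table and iptables rules instead of applying them, so the list can be reviewed before anything is blocked. The route objects embedded in it are a constructed sample using documentation prefixes, not real Microsoft ranges.

```shell
#!/bin/sh
# Example added to the thread; not code from any commenter.
# Converts RADb route objects into firewall rules for review (dry run).
# Assumption: real input is `whois -h whois.radb.net -- '-i origin AS8075'`.

# Constructed sample of whois output. Documentation prefixes only; the
# duplicate route object at the end checks that de-duplication works.
SAMPLE_ROUTES='route:          192.0.2.0/24
descr:          constructed sample, TEST-NET-1
origin:         AS8075

route:          198.51.100.0/24
descr:          constructed sample, TEST-NET-2
origin:         AS8075

route6:         2001:db8::/32
descr:          constructed sample, documentation IPv6 prefix
origin:         AS8075

route:          192.0.2.0/24
descr:          duplicate route object, must be emitted only once
origin:         AS8075
'

# Read whois output on stdin; print "v4 <prefix>" or "v6 <prefix>" lines,
# sorted and de-duplicated, so IPv4 and IPv6 rules can be told apart.
extract_prefixes() {
    awk '$1 == "route:"  { print "v4 " $2 }
         $1 == "route6:" { print "v6 " $2 }' | sort -u
}

# Linux rendering. Telemetry is egress traffic, so the rule goes on OUTPUT
# with -d; a DROP on INPUT -s only discards the replies to connections the
# host has already opened.
render_iptables() {
    extract_prefixes | while read -r fam prefix; do
        case "$fam" in
            v4) printf 'iptables -A OUTPUT -d %s -j REJECT\n' "$prefix" ;;
            v6) printf 'ip6tables -A OUTPUT -d %s -j REJECT\n' "$prefix" ;;
        esac
    done
}

# pf rendering: a persistent table holding every prefix plus one block rule.
# pf tables accept IPv4 and IPv6 entries side by side.
render_pf() {
    printf 'table <drophosts> persist {'
    extract_prefixes | awk '{ printf " %s", $2 }'
    printf ' }\nblock out quick to <drophosts>\n'
}

# Wrappers over the sample so the output can be checked without network.
linux_rules() { printf '%s' "$SAMPLE_ROUTES" | render_iptables; }
pf_rules()    { printf '%s' "$SAMPLE_ROUTES" | render_pf; }

# Print both rule sets; nothing is applied.
linux_rules
pf_rules
```

    Pipe the script's output into `sh` or `pfctl -f -` only after reading it; the thread's own caveat applies, since the same prefixes also carry Windows Update and other Microsoft services.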
    • cm2187 3 months ago

      Using an unpatched OS isn’t the best advice I can think of in this day and age.

      • mirimir 3 months ago

        That's very true.

        As in my nearby comment, I only allow network access on VMs that don't contain any sensitive data. Once I've fully updated, I create clones to actually work on, and disable the Internet uplink entirely. When it's time to update again, I start with a virgin clone. And then transfer data to it, after disabling the Internet uplink.

    • smileypete 3 months ago

      I wonder if the Windows Firewall is trustworthy enough? So if it just has allow rules for non MS third party programs for both inbound AND outbound connections, would that block all the telemetry?

Causality1 3 months ago

You know, I would do quite a lot to get full granular control of Windows Update back. I'd sign and mail a liability waiver. I'd send Microsoft a box of chocolates. I'd take a training course and pass a standardized licensing exam.

In the meantime I'm stuck dealing with Windows Update breaking things every week. I've completely given up on ever using my convertible laptop as a tablet again because every day I have to replace the updated broken drivers for the orientation sensor with the good ones from a fresh install of Windows and every night it dutifully installs the broken updated ones and there's not a damned thing I can do about it without disabling Windows Update entirely.

  • herpderperator 3 months ago

    I've been running Windows with Windows Update disabled for many years. I enable it and update when I feel I should, and assess risk on an as-needed basis. I'm aware that running outdated software is bad practice, but I like not getting interrupted on my PC... for 154 straight days so far:

    • oauea 3 months ago

      Can you visit my website? I need some new nodes for my botnet.

    • Causality1 3 months ago

      What method do you use? Group Policy, a third party program, or just renaming needed DLLs?

  • duxup 3 months ago

    > I'd take a training course and pass a standardized licensing exam

    I like this idea but it really doesn't protect anyone else if you quit updating and your machine becomes a less than desirable participant on the internet for the rest of us.

    • Causality1 3 months ago

      So instead I stay on Windows 7 and become a much greater risk.

      • duxup 3 months ago

        It is ultimately your call.

    • Silhouette 3 months ago

      In that case, it seems the root cause of your concerns about other Internet users is that updates for their systems from the OS developer are no longer considered trustworthy. Given that the developer in question has something of a track record now of delivering potentially unwelcome updates, such caution is reasonable. So I think you're aiming at the wrong target here.

      In any case, the vaccination argument only works if it's defending against a real threat. If there's a genuine security issue here, perhaps it is. On the other hand, if this update really is causing otherwise absent telemetry software to be installed, not installing that telemetry software is hardly a threat to other Internet users.

      • duxup 3 months ago

        I'm not 100% sure I understand all of what you're saying.

        Generally if you disable updates, you disable them all, so that means security updates too. If a given update isn't a security update and you disabled all updates ... you're still going to miss it if it was a security update too.

        • Silhouette 3 months ago

          > Generally if you disable updates, you disable them all

          That isn't necessarily true at all. Indeed, the basis of this very story is that Microsoft has been providing updates for older versions of Windows that included only the security patches (i.e., not new features, telemetry, and any other stuff that might change the behaviour of the system in ways its user doesn't want). In terms of your "vaccination" strategy for the Internet, these patches are the ones that matter.

          However, in this case, Microsoft might have bundled one of the things that people have been trying to opt out of -- telemetry -- into one of the updates labelled as security only. If they really have, that would be a further significant breach of trust, and given their recent track record with pushing telemetry, GWX and so on, a lot of people are no longer even willing to give them the benefit of the doubt, to the point that some people are no longer applying updates from Microsoft at all, in some cases including security updates. That is bad for almost everyone, and it's been directly caused by Microsoft's repeated abuse of the update system to push user-hostile changes.

          • Causality1 3 months ago

            Indeed. The October 2018 update erased my archive of digitized home videos. Thankfully I had backups because it took me a while to notice and some of the reallocated disk space had probably been overwritten by then. Microsoft's stunning lack of respect for its users is the reason I almost never got to see my grandfather smile again.

sverige 3 months ago

Since I have very clear memories of the first time MS did something like this, it kills me that no one publishes articles with quite the same degree of alarm about the massive amounts of telemetry that Google, Facebook, Amazon, et al. have successfully deployed. I mean, I don't like MS, but they're kind of like the annoying acquaintance who always pushes their latest MLM scheme while we all live in a neighborhood full of gangster thugs.

infiniteseeker 3 months ago

Yawn. That would only be a problem if you choose to run Micro$oft software. And it is in your hands to fix the problem by going with Linux etc. (key word is choose... I realise it is imposed on many, especially in the enterprise world).

reilly3000 3 months ago

How on earth is MSFT supposed to maintain compatibility for quintillions of iterations of hardware across millions of machines with no data on what works and what doesn't? Unlike FAANG they aren't out there pushing listening devices or trying to build exclusive data sets; they are trying to maintain the stability and security of 78.43% of the world's desktop computers. I don't care for the alarmism here when there are blazing infernos of actual malevolence burning in every direction.

  • stordoff 3 months ago

    > How on earth is MSFT supposed to maintain compatibility for quintillions of iterations of hardware across millions of machines with no data on what works and what doesn't?

    Isn't this the same problem they've faced for decades, and largely successfully managed before the telemetry?

    • reilly3000 3 months ago

      Arguably 'successfully' is relative: Windows 98, ME, Vista etc. famously struggled with BSODs all the time. I imagine they were operating in relative blindness, basing their triage efforts on incomplete, angry user reports. They didn't have reliable information on which build was breaking, how many users were getting the same error, how frequently, on which types of hardware. With structured data they can prioritize fixes that affect the most users and verify their patches were effective.

      • rwallace 3 months ago

        > Windows 98, ME, Vista etc famously struggled with BSODs all the time.

        Windows 98 and ME struggled with BSODs because they were still built on something designed as a GUI layer on top of a CP/M clone. Vista mostly fixed all that. I've been running Windows 7 for most of a decade now without a single BSOD.

  • PhasmaFelis 3 months ago

    They could start by being honest and open about what data they gather and give users simple, easy-to-access tools to restrict it if they want. (Most modern users won't care, anyway.)

    If MS has built an OS that cannot be effectively maintained without being sneaky and deceptive about their data gathering, that's their problem. Don't ask me to sympathize with them just because doing things right is hard.

    • rstat1 3 months ago

      There's a tool that has been in Win10 for a while now that shows exactly what data is collected. It shows exactly what component of the OS is collecting it.

      Go in to the Settings app > Privacy > Diagnostics & Feedback and scroll down to the "View Diagnostic Data" section.

      It's not really all that sneaky or deceptive or dishonest or any of that. It's just being portrayed as such by anyone writing about it in the press for some reason.

      • tgragnato 3 months ago

        It should be possible to have a single, giant button for the complete opt-out, and the assurance that no updates, inconsistencies, individual settings, or anything else could cause analytics to get out of your PC.

        • rstat1 3 months ago

          I personally don't see the big deal, but to each their own.

    • SquareWheel 3 months ago

      > They could start by being honest and open about what data they gather

      Are they being dishonest about what they claim to collect? Is there anything deceiving in their privacy policy?

      • chopin 3 months ago

        It's completely unverifiable. For big companies I assume dishonesty until proven otherwise.

        Give me the keys to read the raw stream and we can talk.

        • SquareWheel 3 months ago

          It doesn't matter that it's unverifiable; that's just how it works. If they're found to be breaking the rules then they earn exorbitant fees, sanctions, and lawsuits.

          It's like saying that you expect letter carriers to read every letter they deliver because there's no way to prove otherwise. They can get caught doing it, and if they are they're severely punished. That's your insurance.

          Nothing is perfect, but somehow it still works. You can't always get 100% assurances; that's the nirvana fallacy. If you insist on it you'll just dismantle a system that was otherwise working perfectly fine.

          Are mail carriers foolproof? No, but they serve a purpose.

          Are privacy policies foolproof? No, but they serve a purpose.

          • chopin 3 months ago

            Opening letters is a punishable crime, at least where I live.

            Collecting too much data: Ooops we're sorry. Facebook has breached on multiple occasions their deal with the FTC. Until now not much has come out of it.

            European data commissioners have requested more detailed information on telemetry to be able to certify Windows 10 for use in public offices and have been stonewalled so far. Not exactly trust-building.

dilawar 3 months ago

If no one is paying you, is there still any good reason to use Windows?

  • moksly 3 months ago

    Visual Studio Code with remote and Windows Subsystem for Linux is arguably the best mixed “development / personal use” environment I’ve ever been in, and the Surface Pro 6 is probably the first time I’ve been excited about a computer since my 2012 MacBook.

    I had originally planned to buy an XPS 13 and run Ubuntu, because I actually don’t like Windows 10. I use Office365 Essentials though and that’s just a hassle to set up on Linux, whereas it integrates seamlessly into Windows 10. It was also cheaper to buy the Surface. I got one of the cheaper versions with an i5, and re-selling my used MBP 2018 paid for the entire thing.

    Maybe it’s just me, but I was really on the fence about going Windows, like I said, I actually don’t like it that much. It’s grown on me though. For personal use it’s really not that different than OSX. Then you get an actual updated unix cli. You can even get SUSE enterprise server to run stuff in what resembles a real deployment environment. It’s all sandboxed so it doesn’t fill up your personal machine with development tools and servers unless you’re actually working on it. You get OneNote and you get to take notes or draw architecture with a pen. The keyboard and trackpad are better than the MacBook and the thing weighs nothing. It even has a MagSafe charger. It really feels like something Apple should have built.

  • kungtotte 3 months ago

    Gaming is still better on Windows.

    It's improved greatly with Steam's work on Proton, at a guess I'd say at least 75% of my library is now playable with no extra work from my side.

    On Windows it's still 100% though.

    • waddlesworth 3 months ago

      I tried gaming on Linux a while back, my biggest problem was how spotty the nVidia drivers are. I realise nVidia is mostly to blame here, but it's definitely still a problem that's preventing me from ever really being able to game on Linux (Ubuntu.)

      With a goal of [email protected], and as someone who appreciates visual fidelity, I own an RTX 2080 Ti, and there's just far too much of a performance penalty for Linux gaming.

      • Fnoord 3 months ago

        > I own an RTX 2080 Ti

        Why did you buy that if you planned to game on Linux? I got a Vega 56 and it works great. Right now I'd opt for one of the newly released cards. With a Ryzen 3... AMD is back!

        • acollins1331 3 months ago

          Maybe he does other stuff too. CUDA cores are worth their weight in gold and AMD has none. (Ryzen + RTX Titan user here)

    • fartcannon 3 months ago

      It's not 100% anymore.

      In fact, WINE supports packages that Windows no longer can.

      • kungtotte 3 months ago

        Windows programs in general, or games available on Steam? Because I'm talking about the latter. As far as I know there are no games on Steam that won't run under Windows any more.

  • cm2187 3 months ago

    Having to relearn the whole stack. Networking, virtualisation, UI of the OS, web servers, database, scripting, programming language and IDE compatible with the OS, and for that programming language desktop framework, web framework, finding and understanding 3rd party libraries.

    None of this is my day job, it is knowledge and muscle memory I accumulated over 20 years being invested in and toying with the microsoft ecosystem (.net, visual studio, sql server, iis, hyper-v, etc). Changing OS means pretty much restarting from scratch. It is tempting (I am deeply uncomfortable with the new Microsoft) but I just can’t afford to invest that much time and energy.

  • BLKNSLVR 3 months ago

    I'm personally attempting to transition away from Windows altogether, but it's a long-term organic process driven by hardware changeovers and decommissionings (including a recent involuntary one) rather than remove Windows function X by date Y.

    I have Windows on a VM that I remote desktop to for things like budgeting and banking that I'd rather not keep on a "throwaway" type device. Two things that keep me on Windows are Excel (I use enough features that LibreOffice doesn't support) and Remote Desktop (it's just better than alternatives I've tried - I use xfreerdp to connect, which supports multi-monitor). Admittedly, I haven't looked into alternatives to Remote Desktop as the remote access server for a long time. Whilst vnc was always serviceable, it was never quite the "real" desktop experience that Remote Desktop provides.

  • rlv-dan 3 months ago

    It's what many (most?) people are used to and comfortable using. And that's a big part in decision making for humans. (Provided they even know of the alternatives.)

  • burrows 3 months ago

    Windows is terrible.

bprasanna 3 months ago

Not sure what happened lately, Microsoft is having a stint of bad news as well! They must always remember that the faith now is hard earned through lots of good decisions and generosity.

devoply 3 months ago

wolf in sheep's clothing, the "new" microsoft.

LifeLiverTransp 3 months ago

Ah, that's the Microsoft we all knew and love to hate. Google peeps at you every waking hour, but at least pretends to be clueless. Facebook is what waits at the end of a dark alley you choose to walk down. But Microsoft, Microsoft is someone at a Home Depot walking up from behind with "So you need that tool for work?" and after that it's darkness and pain.

Still amazing though how much Windows could decay and they still got away with it. Year of the Linux desktop, as if this company did not hold the UI knowledge and legacy software of half the planet hostage.

craftinator 3 months ago

I don't have this problem on Linux.