Slashdot Mirror

"Restricted Boot" is a term used by the Free Software Foundation to refer to UEFI Secure Boot

Thank you for the lecture on what UEFI secure boot is.

The terms under which Microsoft licensed Windows RT to OEMs required devices to use Restricted Boot.

This is a Surface Pro. Just a few seconds on Google finds simple instructions for disabling secure boot, with explicit reference to running Ubuntu or even MacOS. Can you cite anything that shows that Microsoft as the OEM is now disabling the ability to disable secure boot on their hardware?

Admittedly, the link I just gave is a few years old. Here's one that is much more recent. Here's one from MS itself talking about Surface Pro 4 and disabling secure boot.

FROM -> http://msdn.microsoft.com/en-u...

SYN Attack Protection

---

The named value to enable SYN attack protection is located beneath the registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TcpIp\Parameters.

Value name: SynAttackProtect

Recommended value: 2

Valid values: 0 1 2

Description: Causes TCP to adjust retransmission of SYN-ACKS. When you configure this value the connection responses timeout more quickly in the event of a SYN attack. A SYN attack is triggered when the values of TcpMaxHalfOpen or TcpMaxHalfOpenRetried are exceeded.

---

SYN Protection Thresholds

The following values determine the thresholds for which SYN protection is triggered. All of the keys & values in this section are under the registry key

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TcpIp\Parameters

Value name: TcpMaxPortsExhausted

Recommended value: 5

Valid values: 0-65535

Description: Specifies the threshold of TCP connection requests that must be exceeded before SYN flood protection is triggered.

Value name: TcpMaxHalfOpen

Recommended value data: 500

Valid values: 100-65535

Description: When SynAttackProtect is enabled this value specifies the threshold of TCP connections in the SYN_RCVD state. When SynAttackProtect is exceeded SYN flood protection is triggered.

Value name: TcpMaxHalfOpenRetried

Recommended value data: 400

Valid values: 80-65535

Description: When SynAttackProtect is enabled this value specifies the threshold of TCP connections in the SYN_RCVD state for which at least one retransmission has been sent. When SynAttackProtect is exceeded SYN flood protection is triggered.

---

More Protections

All keys & values in this section are located under the registry key

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TcpIp\Parameters

Value: TcpMaxConnectResponseRetransmissions

Recommended value data: 2

Valid values: 0-255

Description: Controls how many times a SYN-ACK is retransmitted before canceling the attempt when responding to a SYN request.

Value name: TcpMaxDataRetransmissions

Recommended value data: 2

Valid values: 0-65535

Description: Specifies the number of times that TCP retransmits an individual data segment (not connection request segments) before aborting the connection.

Value name: EnablePMTUDiscovery

Recommended value data: 0

Valid values: 0 1

Description: Setting this value to 1 (default) forces TCP to discover the maximum transmission unit or largest packet size over the path to a remote host. An attacker can force packet fragmentation which overworks the stack.

Specifying 0 forces the MTU of 576 bytes for connections from hosts not on the local subnet.

Value name: KeepAliveTime

Recommended value data: 300000

Valid values: 80-4294967295

Description: Specifies how often TCP attempts to verify that an idle connection is still intact by sending a keep-alive packet.

---

"Null-routing" (A network w/ multiple IP addresses ala multi-homed servers ahead of production ones must be done "upstream" of them):

http://en.wikipedia.org/wiki/N...

---

Microsoft &/or Amazon setups alerts them to DoS/DDoS & can start "shutting down" IP address sources of packets for DDoS easily - it's the reason "Anonymous" can't "take them down" (& they've tried).

---

Microsoft: We're not vulnerable to DDoS attacks

http://www.networkworld.com/co...

PERTINENT QUOTE:

"At Microsoft we have robust m

There is a switch and service to disable User Experience (not send into to MS). This does nothing, one must disable them in the Task Options.

No remote access is the same way

Autoruns https://docs.microsoft.com/en-... allows you a one click to stop method. BUT could take many areas the same programs is turned off - I have always disabled "Windows Mail" I've 0 use for it. It must take some 20 disables - there obvious.

SMB is a one stop area.

See subject & for the solution - SMB Ports 445/139 (TCP) & 137/138 (UDP) protection via:

Disable SMBv1 on the SERVER, configure the following registry key:

Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters Registry entry: SMB1

REG_DWORD: 0 = Disabled
REG_DWORD: 1 = Enabled

Default: 1 = Enabled

Enable SMBv2 on the SERVER, configure the following registry key:

Registry subkey:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters Registry entry: SMB2

REG_DWORD: 0 = Disabled
REG_DWORD: 1 = Enabled

Default: 1 = Enabled

---

Disable SMBv1 on the CLIENT, run the following commands:

sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi

sc.exe config mrxsmb10 start= disabled

Enable SMBv2 & SMBv3 on the CLIENT, run the following commands:

sc.exe config lanmanworkstation depend= bowser/mrxsmb10/mrxsmb20/nsi

sc.exe config mrxsmb20 start= auto

---

* The above is per https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012/

(THIS HAS BEEN PATCHED but you can protect this way too & it works...)

Not sure if this works in a "mixed-mode" network though (check MS link) using older Windows (e.g. XP/2000 etc.).

APK

P.S.=> For a SINGLE 'standalone' non-networked PC (no home network/LAN but TCP/IP connected online) turn off Server & Workstation services.

That shuts off any "handles" (port 445) this thing propogates thru + turn off NetBIOS over TCP/IP in your internet connection & uncheck/disable Client for Microsoft Networks + File and Print Sharing. Port 139 & 445 always pop up issues over time. It also makes your packet trains smaller (no encapsulation of LanMan)

I covered all this 11++ yrs. ago in a security guide I wrote for users with a single system & apparently, its advice STILL STANDS THE "TEST OF TIME" https://www.google.com/search?hl=en&source=hp&biw=&bih=&q=%22HOW+TO+SECURE+Windows+2000%2FXP%22&btnG=Google+Search&gbv=1/ vs. even today's threats like this one.

* This effectively makes this threat a non-issue + saves you CPU cycles/RAM & other I/O wasted on services you don't NEED as a single PC user only... & you don't. They're just wastes with a single PC really. Many services are (covered in guide above based on CIS Tool guidance (who took fixes to their ware from "yours truly" too, no less)) & again, no more encapsulated packet bulk... apk

Agreed, there is a huge lot of older but still functional equipment that only talks SMB1. Microsoft has put together this list, and it surely isn't everything: https://blogs.technet.microsoft.com/filecab/2017/06/01/smb1-product-clearinghouse/

https://support.microsoft.com/...

https://blogs.msdn.microsoft.c...

If it's not sufficiently obvious then that's what we have courts and tribunals to decide. However, selling a high-end electronic product for hundreds of bucks with hardware that could last a decade and then nerfing it artificially through software after a couple of years surely wouldn't qualify.

You didn't answer the question. You just rambled. What standard do you expect Apple to follow? Please be specific.

How many years, exactly?

At least 2 years for iOS. Starting Sept 2014, the migration to 64 bit was noted by Apple.

We've got iThings here that are 5-6 years old and still going strong, but we've lost the use of some apps on them purely because of the way Apple has driven iOS updates and what's allowed in the App Store in the intervening period.

You've made multiple assertions in that claim. What do you mean specifically "the way Apple has driven iOS updates"?

Were the developers of those apps given sufficient notice to avoid this problem?

At least 2 years. It might be 3 years by the time iOS 11 is launched.

And if we don't update to iOS11 so we can keep using software that currently works, will we still be safe and secure connecting our iPhones and iPads to the Internet?

And why woudn't you?

I wouldn't know, because we're still running Windows 7, in our view the last acceptable version of Windows. That's an option we have because Microsoft still issues Windows 7 security fixes without requiring updates to later Windows versions that might break application compatibility, by the way.

MS says you cannot run Office 2003 on Windowws 8 or newer. Those two pieces of software are from the same company. By the way Windows 7 is EOL but MS will continue to create security updates until 2020. Then you'll need OS and possible all new productivity software.

Saying I use Windows firewall cause it's as good as the rest, is a real common phrase. While they are unaware or forget anyone holding a certificate issued by Microsoft can pass through as if it didn't exist.

Finding the the best AV (which is all that's needed) can't really be done anymore. I used VX.Heavens http://preview.tinyurl.com/ybk... (long gone) and found at the time NOD32 (Eset) did around 85% and the best. The test was to download, open, and move the zip file contents elsewhere, and which did what when.

All that's available to use now is use the EICAR test file https://en.wikipedia.org/wiki/... that all AV's are capable of finding (it's hardcoded).

I long ago quit using an AV and put all my trust in a good hosts file, reliable Firewall (old version of Comodo), and to use autoruns on occasion to find the ones that might of been missed (one's running from the temp directory) https://docs.microsoft.com/en-...

If one installs Comodo anymore, autoruns can also disable all of the Geek Squad crap. But Comodo fails the leaktext https://www.grc.com/lt/leaktes... (12 year old test) and not recommended. - Creates a virtual process but it still connects.

All that to say; your on your own - it's a personal preference.

In case you really want to get a clue someday. You are welcome.

Indeed.

"PWAs enable you to use JavaScript to create a "Service Worker", which gives you all sorts of great features that you'd normally associate with native apps, like push notifications, offline support, and app loading screens"

1. Offline support seems to work fine already in various applications (e.g., even Microsoft's Outlook Web Access can run offline). It merely strongly hints at adding a favourite/bookmark so you can access the site while offline. Fair enough, really.

2. Push notifications? That... does not sound like a feature. And even if it was, I'm sure it could be done in another way outside of needing JavaScript. Reminds me Active Channels that Microsoft developed a while ago.[1]. But something more ... "JavaScript can ask the web browser to occasionally pull down a specially formatted JSON/XML/INI file with this authentication key and display notifications contained therein" is more than sufficient without running JS in the background.

3. App loading screens? SERIOUSLY? That's called "the blimming animated GIF on a HTML page before the javascript framework du jour takes over and builds the whole DOM again. Seriously. Someone is arguing for THAT.

What the heck, is this just another attempt by Google (note; it's only Google that push this, Microsoft don't especially seem to care about it) as their chrome app store thingie never really got going?

This is so Google-specific, I would suggest this person is a Google atroturf attempt.

[1]: before you panic, Microsoft themselves call this obsolete as of Internet Explorer 7; so you have to be using IE6 on Windows XP or earlier to see this stuff.

All Microsoft is doing is moving Paint to the app store, and renaming it to "Fresh Paint."

Fresh Paint is free "for now" but will be $9.95/year after Paint is deleted from your computer without your consent.

Get your free copy here before it's too late!

https://www.microsoft.com/en-u...

https://support.microsoft.com/...

From the official list;

"Syskey.exe
Removing this nonsecure security feature..."

MS-Paint is not the only thing that gets removed or deprecated in the Windows 10 Fall Creators update: There is a full list on their website

What I think Microsoft should do is continuously ping a master list of hardware. The second any hardware is no longer supported by the manufacturer Windows should bluescreen or greenscreen or whatever color it is these days with stop error DEVICE_TREADMILL_VIOLATION.

After all if the vendor doesn't support something.. it may not work right or may not be secure or similar specious drivel so crashing is the safest most responsible course of action.

Forget the fact most of the things myself and everyone I know own are long since out of warranty and no longer produced or supported by the original manufacturer in any way.

Forget the fact Microsoft pretends to care about protecting the environment: https://www.microsoft.com/en-u...

At this point anything Microsoft can do to hasten the inevitable rise of not Windows should be encouraged. Only takes a few percent of overall market share to sustain and reinforce alternatives.

If a program refuses to uninstall, use the Microsoft Fix-It utility.

https://support.microsoft.com/en-us/help/17588/fix-problems-that-block-programs-from-being-installed-or-removed

I've been running Linux ever since Microsoft force-upgraded without my knowledge and consent, so I'm a little out of the loop. Did they ever get Fixit working for Windows 10?

From MS - SMB Ports 445/139 (TCP) & 137/138 (UDP) protection via:

Disable SMBv1 on the SERVER, configure the following registry key:

Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters Registry entry: SMB1

REG_DWORD: 0 = Disabled
REG_DWORD: 1 = Enabled

Default: 1 = Enabled

Enable SMBv2 on the SERVER, configure the following registry key:

Registry subkey:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters Registry entry: SMB2

REG_DWORD: 0 = Disabled
REG_DWORD: 1 = Enabled

Default: 1 = Enabled

---

Disable SMBv1 on the CLIENT, run the following commands:

sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi

sc.exe config mrxsmb10 start= disabled

Enable SMBv2 & SMBv3 on the CLIENT, run the following commands:

sc.exe config lanmanworkstation depend= bowser/mrxsmb10/mrxsmb20/nsi

sc.exe config mrxsmb20 start= auto

---

* The above is per https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012/

(THIS HAS BEEN PATCHED but you can protect this way too & it works...)

Not sure if this works in a "mixed-mode" network though (check MS link) using older Windows (e.g. XP/2000 etc.).

APK

P.S.=> For a SINGLE 'standalone' non-networked PC (no home network/LAN but TCP/IP connected online) turn off Server & Workstation services.

That shuts off any "handles" (port 445) this thing propogates thru + turn off NetBIOS over TCP/IP in your internet connection & uncheck/disable Client for Microsoft Networks + File and Print Sharing. Port 139 & 445 always pop up issues over time. It also makes your packet trains smaller (no encapsulation of LanMan)

I covered all this 11++ yrs. ago in a security guide I wrote for users with a single system & apparently, its advice STILL STANDS THE "TEST OF TIME" https://www.google.com/search?hl=en&source=hp&biw=&bih=&q=%22HOW+TO+SECURE+Windows+2000%2FXP%22&btnG=Google+Search&gbv=1/ vs. even today's threats like this one.

* This effectively makes this threat a non-issue + saves you CPU cycles/RAM & other I/O wasted on services you don't NEED as a single PC user only... & you don't. They're just wastes with a single PC really. Many services are (covered in guide above based on CIS Tool guidance (who took fixes to their ware from "yours truly" too, no less)) & again, no more encapsulated packet bulk... apk

I haven't had a Windows machine in a while but when I did (Win 95) CCleaner was a must because uninstall programs were sloppy and and most Windows programmers abused the registry.

Windows 9X was a cobbled together mess until Windows 98SE came out. WinXP was better but still required third-party utilities to fix registry issues. With Windows Vista onward, I no longer needed those programs at home. There are two utilities that I do use at work since remote installs or upgrades occasionally go FUBAR on Windows 7.

If a program refuses to uninstall, use the Microsoft Fix-It utility.
https://support.microsoft.com/en-us/help/17588/fix-problems-that-block-programs-from-being-installed-or-removed

For Adobe Reader or Acrobat, use the Cleaner Tool.
http://labs.adobe.com/downloads/acrobatcleaner.html

I think I may go with hard to set up local network for anything where financial data etc is. For entertainment, a mesh could be great. This is a reminder that you should be careful selecting your smart home software. http://garyjohnsoninfo.info/mu.... There are so many issues with smart houses. Lock in to a specific vendor, security, obsolescence . For example see https://msdn.microsoft.com/en-... excerpt "LIMITATION ON REMEDIES; NO CONSEQUENTIAL OR OTHER DAMAGES. Your exclusive remedy for any breach of this Limited Warranty is as set forth below. Except for any refund elected by Microsoft, YOU ARE NOT ENTITLED TO ANY DAMAGES, INCLUDING BUT NOT LIMITED TO CONSEQUENTIAL DAMAGES, if the Software does not meet Microsoft's Limited Warranty, and, to the maximum extent allowed by applicable law, even if any remedy fails of its essential purpose."

Here's how to disable the keylogger you claim doesn't exist: http://www.pcworld.com/article... [pcworld.com]

That takes handwriting samples, not a full transcripted record. There's a difference. It's still an information leak, but it's not a keylogger in that it's not, you know, logging a transcript of everything you type, or selectively logging sensitive information (passwords), or whatnot.

Here's the file sniffer that probably exists, or at least, you give them permission for one at any time: https://privacy.microsoft.com/... [microsoft.com]

When we started down the road of "Windows 10 Is Spyware", there was a claim that it copied gigabytes and gigabytes of everything up to Microsoft because it copied all of the files on your hard drive to Microsoft's servers. Even Fedora and Ubuntu send memory contents and copies of configuration files up in automated bug reports (you should be freaked out by memory contents, which contain your private ssh keys and such).

When you provide payment data to make a purchase, we will share payment data with banks and other entities that process payment transactions or provide other financial services, and for fraud prevention and credit risk reduction.

Every entity who takes payments does this. The payment processor does this. It's done repeatedly up the entire chain.

Finally, we will access, transfer, disclose, and preserve personal data, including your content (such as the content of your emails in Outlook.com, or files in private folders on OneDrive)

This is stuff in The Cloud, not stuff on your PC. I can use these services from Ubuntu, and I can use Windows without using these services.

when we have a good faith belief that doing so is necessary to: ...protect the rights or property of Microsoft, including enforcing the terms governing the use of the services

Informing you that they have their hands on stuff they can rummage through for legal discovery if you're using their cloud services to store thats tuff on your servers, yes. Shocking revalation: Gmail also can dig through your e-mail for evidence if they file suit against you; Yahoo has access to your e-mail.

however, if we receive information indicating that someone is using our services to traffic in stolen intellectual or physical property of Microsoft, we will not inspect a customer's private content ourselves, but we may refer the matter to law enforcement.

That's actually an odd voluntary limitation.

None of this stuff is particularly-shocking. Siri, Google, and Alexa have voice samples and typing pattern vectors collected from cell phone and tablet users. Automated bug reporting systems collect files, memory dumps, and so forth. Payment processors run your credit data through all kinds of fraud checks (I used to use people's information to find their home address and the names of the people who lived with them when I was doing fraud checks at a Web host--we didn't like paying $25 for chargebacks, so we essentially investigated people before charging their card). Cloud services have your data and may rummage through it during investigations and legal discovery .

Where is the spyware? Where is the constant, continuous keylogging, the transcripting of everything you do? Where's the secret of every document you ever generate, the e-mails sucked from your Thunderbird desktop client that's linked to your Gmail account via IMAP? Where is it?

For that matter, where's the stuff that separates Windows from iOS, Android, Ubuntu, and Fedora? Where's the differentiation between Microsoft and the likes of Apple, Google, and Yahoo?

From MS - SMB Ports 445/139 (TCP) & 137/138 (UDP) protection via:

Disable SMBv1 on the SERVER, configure the following registry key:

Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters Registry entry: SMB1

REG_DWORD: 0 = Disabled
REG_DWORD: 1 = Enabled

Default: 1 = Enabled

Enable SMBv2 on the SERVER, configure the following registry key:

Registry subkey:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters Registry entry: SMB2

REG_DWORD: 0 = Disabled
REG_DWORD: 1 = Enabled

Default: 1 = Enabled

---

Disable SMBv1 on the CLIENT, run the following commands:

sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi

sc.exe config mrxsmb10 start= disabled

Enable SMBv2 & SMBv3 on the CLIENT, run the following commands:

sc.exe config lanmanworkstation depend= bowser/mrxsmb10/mrxsmb20/nsi

sc.exe config mrxsmb20 start= auto

---

* The above is per https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012/

(THIS HAS BEEN PATCHED but you can protect this way too & it works...)

Not sure if this works in a "mixed-mode" network though (check MS link) using older Windows (e.g. XP/2000 etc.).

APK

P.S.=> For a SINGLE 'standalone' non-networked PC (no home network/LAN but TCP/IP connected online) turn off Server & Workstation services.

That shuts off any "handles" (port 445) this thing propogates thru + turn off NetBIOS over TCP/IP in your internet connection & uncheck/disable Client for Microsoft Networks + File and Print Sharing. Port 139 & 445 always pop up issues over time. It also makes your packet trains smaller (no encapsulation of LanMan)

I covered all this 11++ yrs. ago in a security guide I wrote for users with a single system & apparently, its advice STILL STANDS THE "TEST OF TIME" https://www.google.com/search?hl=en&source=hp&biw=&bih=&q=%22HOW+TO+SECURE+Windows+2000%2FXP%22&btnG=Google+Search&gbv=1/ vs. even today's threats like this one.

This effectively makes this threat a non-issue + saves you CPU cycles/RAM & other I/O wasted on services you don't NEED as a single PC user only... & you don't. They're just wastes with a single PC really. Many services are (covered in guide above based on CIS Tool guidance (who took fixes to their ware from "yours truly" too, no less)) & again, no more encapsulated packet bulk... apk

I've got a fast computer with an 8 core CPU, 32 GB of RAM and booting from an SSD. The performance of Windows 10 is noticeably worse than Windows 7 on the same hardware, probably due due the massive amount of useless bloatware, much of which is difficult or impossible to remove without breaking something.

Moderating at the moment hence posting as an AC.

I normally dislike Microsoft for various reasons so I run Linux instead.

You should know that you can download the Windows 10 ISO from here (approx 4.2 GB) and install without any of the rubbish (subjective) that you get with a pre-installed Microsoft OS.

If you do the "quick install" (not recommended despite what Microsoft suggests) you will be able to run Windows 10 within a few minutes (HDD's take longer). The more detailed installation (strongly recommended) is a real eye opener and I do suggest you have a copy of the Malware Wiki where Windows 10 by default ticks all the boxes. Still, you can turn off many of the privacy concerns although you really do need to delve into the Registry to lock the machine down further and even then Microsoft does not play fair.

Personally, I have found Windows 10 to be a fairly good OS (I have tested it in a virtual machine) although I don't like the idea of Windows phoning home (confirmed via Wireshark) even when I tried locking the OS down. Still, I am quite happy with Linux and have installed not updated the latest Fedora 26 (took about an hour) so I have no real need to use or pay for Microsoft related software.

At this point I'll never trust them again. Windows 7 wooed me back from Linux (a situation not helped by GNOME being in peak bed-shitting mode at that particular moment), relegating my Linux drive to an infrequently booted partition on a machine that spent most of its time in Windows.

Windows 10 really opened my eyes. Like many folks, I skipped 8, seeing it as mostly a usability downgrade. I figured 10 would be like 7, but with the back end of 8 and new shiny stuff. Instead it was a security and privacy and version management disaster. Just reading through https://privacy.microsoft.com/... was enough to freak me out. Watching the internet fill up with people writing goofy scripts to turn off telemetry and batten down the hatches to prevent data leaking to everywhere all the time, watching people tcpdump the stuff from their locked down machines and seeing packets fly to Microsoft each and every time they opened notepad, watching people change four bytes in the Windows 7 solitaire binary to allow it to run in 10, so they can play solitaire without ads or a subscription...

And then to find out that Microsoft had silently shipped telemetry patches to Windows 7, let it sit for about three months, and then TURNED IT ON SERVER SIDE.

The moment when I was tearing out a service that didn't exist for any reason except to hurt me and was installed only because I updated my computer like they said I should, and was spying on me for weeks ...was when I realized I had been a goddamned fool, that this would never get better, that Microsoft was simply irredeemable.

When they next temporarily step back the telemetry and server-side drama, consider that it is a ruse, and they will be right back to it immediately. It's guaranteed that they will.

> there was also chatter about it being a file sniffer and keylogger, but that was debunked pretty hard

Here's how to disable the keylogger you claim doesn't exist:
http://www.pcworld.com/article...

Here's the file sniffer that probably exists, or at least, you give them permission for one at any time:
https://privacy.microsoft.com/...

"When you provide payment data to make a purchase, we will share payment data with banks and other entities that process payment transactions or provide other financial services, and for fraud prevention and credit risk reduction. ...In addition, we share personal data among Microsoft-controlled affiliates and subsidiaries...

Finally, we will access, transfer, disclose, and preserve personal data, including your content (such as the content of your emails in Outlook.com, or files in private folders on OneDrive), when we have a good faith belief that doing so is necessary to: ...protect the rights or property of Microsoft, including enforcing the terms governing the use of the services - however, if we receive information indicating that someone is using our services to traffic in stolen intellectual or physical property of Microsoft, we will not inspect a customer's private content ourselves, but we may refer the matter to law enforcement. "

So maybe they can't sniff your hard drive, but if they do, you have suspiciously granted them permission. Hrm...

If the data being harvested is so benign, why didn't Microsoft publish the full list?

They did.

This article describes all types diagnostic data collected by Windows at the Full telemetry level (inclusive of data collected at Basic), with comprehensive examples of data we collect per each type.

https://docs.microsoft.com/en-...

Slashdot comments taking up only about 60% of the screen width, with nothing but a very wide blank white space on the right hand side of my monitor.

(Windows 7 specific from here on, not sure what's been fixed since:)

Windows Explorer expands folders inappropriately, jumping the folder you expand to the bottom of the navigation pane. This one has been driving me crazy for years. Not just the bug itself, but MS's unwillingness to fix it.

How the system generally thrashes and grinds to a halt when simply copying a large file.

The amount of time and painful sequence of events when switching some graphical application or game between windowed and full screen mode. The screen turns blank, then off, then on but blank again (there was also a nasty click back in the Trinitron monitor days), then off again, then on and blank, and finally the desired image is displayed. Why this takes 5 seconds and not 5 milliseconds is a mystery to me.

From MS - SMB Ports 445/139 (TCP) & 137/138 (UDP) protection via:

Disable SMBv1 on the SERVER, configure the following registry key:

Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters Registry entry: SMB1

REG_DWORD: 0 = Disabled
REG_DWORD: 1 = Enabled

Default: 1 = Enabled

Enable SMBv2 on the SERVER, configure the following registry key:

Registry subkey:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters Registry entry: SMB2

REG_DWORD: 0 = Disabled
REG_DWORD: 1 = Enabled

Default: 1 = Enabled

---

Disable SMBv1 on the CLIENT, run the following commands:

sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi

sc.exe config mrxsmb10 start= disabled

Enable SMBv2 & SMBv3 on the CLIENT, run the following commands:

sc.exe config lanmanworkstation depend= bowser/mrxsmb10/mrxsmb20/nsi

sc.exe config mrxsmb20 start= auto

---

* The above is per https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012/

(IMPORTANT: Finally, THIS HAS BEEN PATCHED by MS but you can protect this way too & it works...)

APK

P.S.=> For a SINGLE 'standalone' non-networked PC (no home network/LAN but TCP/IP connected online) turn off Server & Workstation services.

That shuts off any "handles" (port 445) this thing propogates thru + turn off NetBIOS over TCP/IP in your internet connection & uncheck/disable Client for Microsoft Networks + File and Print Sharing. Port 139 & 445 always pop up issues over time. It also makes your packet trains smaller (no encapsulation of LanMan)

I covered all this 11++ yrs. ago in a security guide I wrote for users with a single system & apparently, its advice STILL STANDS THE "TEST OF TIME" https://www.google.com/search?hl=en&source=hp&biw=&bih=&q=%22HOW+TO+SECURE+Windows+2000%2FXP%22&btnG=Google+Search&gbv=1/ vs. even today's threats like this one.

* This effectively makes this threat a non-issue + saves you CPU cycles/RAM & other I/O wasted on services you don't NEED as a single PC user only... & you don't. They're just wastes with a single PC really. Many services are (covered in guide above based on CIS Tool guidance (who took fixes to their ware from "yours truly" too, no less)) & again, no more encapsulated packet bulk.

AND?

Don't be STUPID & click on attachments in bogus malicious emails this thing propogates thru also (Chrome/Opera/Webkit users - BEWARE of the ShellControlFile issue that just popped up (.scf file) noted here-> http://www.theregister.co.uk/2017/05/17/chrome_on_windows_has_credential_theft_bug/ ) ... apk

See subject: Increase cpu core count @ hardware level (OS can use it for starters ala this in Windows for example):

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Executive]
"AdditionalCriticalWorkerThreads"=dword:00000008
"AdditionalDelayedWorkerThreads"=dword:00000008

* I.E. - How much extra cores will help BEYOND today's CPUs for the OPERATING SYSTEM itself (in Critical Worker Threads) in juggling threads in itself & for other processes (in Delayed Worker Threads) per https://msdn.microsoft.com/en-us/library/cc615012(v=bts.10).aspx/

Here I use 8 for an Intel Core I7 as shown above (both in 1st a 920 & currently a 4790k, since they're quad core (& hyperthreaded) & it was lesser based on physical core count of earlier systems I had (this setting has been around since, iirc, Win2k (correct me IF I am off/wrong - it's been SO long since then)...

(Those are settings in WINDOWS you can adjust to take advantage of added cores as you upgrade to CPUs w/ more cores, for example).

ANYTHING/EVERYTHING, in theory, gains there alone (less "process scheduler thrashing" in other words) - I don't care so much about applications/programs (they are probably written to their practical limits anyhow as to what threadwork will gain them) but again, MORE about how the OS will utilize them (per the 2 TUNABLE PARAMETERS in the .reg file I note above as a way to REALLY use the extra cores, almost guaranteed - Windows allows it, not sure of other OS like *NIX based ones).

APK

P.S.=> The rest will be done @ compiler level (already good, only depends on HOW you can leverage it OR if internal-to-program itself datasets AND PROCESSES (imo, a Gannt chart illustrates this well) allow for it - not all do) & it's always that way, pretty much - hardware 1st, software catches up (& it does, mostly inefficiently @ 1st, sucking up the CPU cycles/efficiencies gained)... apk

See subject: Increase cpu core count @ hardware level (OS can use it for starters ala this in Windows for example):

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Executive]
"AdditionalCriticalWorkerThreads"=dword:00000008
"AdditionalDelayedWorkerThreads"=dword:00000008

* I.E. - How much extra cores will help BEYOND today's CPUs for the OPERATING SYSTEM itself (in Critical Worker Threads) in juggling threads in itself & for other processes (in Delayed Worker Threads) per https://msdn.microsoft.com/en-us/library/cc615012(v=bts.10).aspx/

Here I use 8 for an Intel Core I7 as shown above (both in 1st a 920 & currently a 4790k, since they're quad core (& hyperthreaded) & it was lesser based on physical core count of earlier systems I had (this setting has been around since, iirc, Win2k (correct me IF I am off/wrong - it's been SO long since then)...

(Those are settings in WINDOWS you can adjust to take advantage of added cores as you upgrade to CPUs w/ more cores, for example).

ANYTHING/EVERYTHING, in theory, gains there alone (less "process scheduler thrashing" in other words) - I don't care so much about applications/programs (they are probably written to their practical limits anyhow as to what threadwork will gain them) but again, MORE about how the OS will utilize them (per the 2 TUNABLE PARAMETERS in the .reg file I note above as a way to REALLY use the extra cores, almost guaranteed - Windows allows it, not sure of other OS like *NIX based ones).

APK

P.S.=> The rest will be done @ compiler level (already good, only depends on HOW you can leverage it OR if internal-to-program itself datasets allow for it - not all do) & it's always that way, pretty much - hardware 1st, software catches up (& it does, mostly inefficiently @ 1st, sucking up the CPU cycles/efficiencies gained)... apk

GDI was replaced with GDI+ a couple of decades ago (Windows 9x->NT transition, IIRC, but don't quote me on that). GDI+ was replaced by DXGI over a decade ago (Vista release). DXGI has had several major upgrades, too. It's at version 1.5 now, as best as I can figure. (source) Each 0.1 version bump after 1.0 came with a full windows release except 1.5, which was released with the Win10 Creator's Update and DirectX 12.1.

And "NT" stands for New Technology.

A couple of decades ago. Yeah don't worry, I won't quote you on that.

GDI was replaced with GDI+ a couple of decades ago (Windows 9x->NT transition, IIRC, but don't quote me on that). GDI+ was replaced by DXGI over a decade ago (Vista release). DXGI has had several major upgrades, too. It's at version 1.5 now, as best as I can figure. (source) Each 0.1 version bump after 1.0 came with a full windows release except 1.5, which was released with the Win10 Creator's Update and DirectX 12.1.

And "NT" stands for New Technology.

My game is still on their store. Blade Master of Mibu. It's the only mobile app store that I bother with these days because there's too much competition on the others and the users treat games as disposable as tissues

Microsoft has questions about using Calibri in Word 12 back in 2005, https://blogs.msdn.microsoft.c..., so clearly it was generally available before 2006.

I don't know MsOffice font handling directives saved to the file. Does MsOffice explicitly names the default font in the save document?

Word binary format. I will let you make that determination. A quick perusal says yes, it saves the specific fonts used inside the document throughout the document. That is why it allows you to mix fonts,size,bold,etc...

Remember WYSIWYG standard?

If you hate it that much, simply uninstall it.

How to get Windows 10 Mobile
Windows 10 Mobile Specifications & Systems Requirements

How to get Windows 10 Mobile
Windows 10 Mobile Specifications & Systems Requirements

Sorry, $7 / month is the current subscription rate for Windows 10 Enterprise.

https://www.microsoft.com/en-u...

https://www.microsoft.com/en-u...

This private Azure technology been around for 4 years. MS deprecated their Web Farm Framework in favor of it.

They're working on other distros:
https://blogs.msdn.microsoft.c...

It will even let you run different distros as the same time.

https://www.microsoft.com/en-u...

It looks like Business pricing starts at $12.50 per user and up to $20/Month if you want the admin console for up to 300 users. Enterprise pricing is not been explicitly announced but price probably depends on users like most of their products.

Pretty much if you're on office 365 business premium, it's a no brainer to go to this since you essentially get the same thing but get windows 10 as well. The $20 version may be useful if you don't have or want a Windows Server at your business for app deployment and policies but not sure if it's really worth the extra $7.50/Month until I see what you can actually do from the console, especially when it comes to virus mitigation and RMM Options (ie: Remote desktop, Patch Deployment, ticketing, ETC)

Windows 10 is possibly the worst spyware ever made. Quote: "Buried in the service agreement is permission to poke through everything on your PC."

When you calculate the Azure Cloud Service cost of losing control, you will be connected to 13 web sites, not just one.

Will the new Azure Cloud Service make sure that secret U.S. government agencies have a copy of everything?

Microsoft Cloud? 1) Micro, small thinking. 2) Soft, sloppy thinking. 3) Cloud, clouded thinking.

Not being productive when system is rebooting. Windows 10 Linux subsystem installs Ubuntu for you.

https://msdn.microsoft.com/en-...

> How many IOT devices run MS-Windows?

Quite a lot actually:

https://www.microsoft.com/en-u...

Uh, no one's done 3D facial scanning for authentication

Are you sure about that?

https://www.groovypost.com/unplugged/can-you-trick-windows-hello-with-a-photo/
Windows Hello-supported devices use two cameras to create a 3D image of your face.

https://software.intel.com/en-us/articles/how-to-get-working-windows-hello-on-actual-windows-10-insider-preview
One of the cool new features announced for the upcoming WIndows* 10 is Windows* Hello [...] The recognition is done using two type of camera in cooperation; the first is a classical HD camera and the second is a depth camera (infrared) for 3D an temperature scanning.

http://www.pcworld.com/article/2937701/why-most-of-us-will-miss-out-on-windows-hello-windows-10s-facial-recognition-feature.html
But the technology depends on “depth cameras,” which use infrared light to peer through makeup and beards to identify users. It’s these cameras, primarily made by Intel, that analysts and some PC makers believe will be too expensive to build into the sort of cheap PCs (with cheap webcams) that consumers prefer.

http://www.dell.com/support/article/us/en/19/SLN298266/windows-10-hello-facial-recognition-feature---supported-systems-and-requirements?lang=EN
The Windows 10 Hello Facial Recognition feature requires an Intel RealSense or 3D Camera to support facial unlock features. This is not available on all Windows 10 tested systems and the current list is detailed below.

It's true that one page in the Microsoft docs say that they use IR to account for differences in ambient lighting, and make no mention of the presence of absence of 3d scanning:
https://docs.microsoft.com/en-...
But then other docs give the impression that Windows provides two API frameworks, "Companion Device Framework" and "biometric":
https://docs.microsoft.com/en-...

So maybe it's just down to the device driver whether it uses 2d or 3d scanning to power Windows Hello, as suggested in this article:
http://3dscanexpert.com/intel-...

Uh, no one's done 3D facial scanning for authentication

Are you sure about that?

https://www.groovypost.com/unplugged/can-you-trick-windows-hello-with-a-photo/
Windows Hello-supported devices use two cameras to create a 3D image of your face.

https://software.intel.com/en-us/articles/how-to-get-working-windows-hello-on-actual-windows-10-insider-preview
One of the cool new features announced for the upcoming WIndows* 10 is Windows* Hello [...] The recognition is done using two type of camera in cooperation; the first is a classical HD camera and the second is a depth camera (infrared) for 3D an temperature scanning.

http://www.pcworld.com/article/2937701/why-most-of-us-will-miss-out-on-windows-hello-windows-10s-facial-recognition-feature.html
But the technology depends on “depth cameras,” which use infrared light to peer through makeup and beards to identify users. It’s these cameras, primarily made by Intel, that analysts and some PC makers believe will be too expensive to build into the sort of cheap PCs (with cheap webcams) that consumers prefer.

http://www.dell.com/support/article/us/en/19/SLN298266/windows-10-hello-facial-recognition-feature---supported-systems-and-requirements?lang=EN
The Windows 10 Hello Facial Recognition feature requires an Intel RealSense or 3D Camera to support facial unlock features. This is not available on all Windows 10 tested systems and the current list is detailed below.

It's true that one page in the Microsoft docs say that they use IR to account for differences in ambient lighting, and make no mention of the presence of absence of 3d scanning:
https://docs.microsoft.com/en-...
But then other docs give the impression that Windows provides two API frameworks, "Companion Device Framework" and "biometric":
https://docs.microsoft.com/en-...

So maybe it's just down to the device driver whether it uses 2d or 3d scanning to power Windows Hello, as suggested in this article:
http://3dscanexpert.com/intel-...

Are you joking?

Microsoft pays about twice as much in H.264 licensing fees as they receive in licensing payments. So in effect their use of H.264 is discounted by about 50%, but they're not making a profit out of it.

When I first read about systemd I thought it was a knock off of the NT service control manager. Except on Windows, that's all it does. It controls services. It starts and stops them. And manages dependencies. And that's it. It doesn't take over the fucking world and try to control everything in the OS. I think this is where systemd lost its way. It's a sad day when we look to Windows as the example of "does one thing and does it well" and not the whole fucking kitchen sink.

It isn't just AV outfits. I don't know how much arm-twisting this originally may have involved; but Microsoft will let suitably qualified government customers look at the code. Given that the people who don't respect your copyrights have access to pirated versions anyway; and you don't really want "Security" to be an automatic winning argument against using your product, I imagine that it's not too hard a case to make.

What I wonder more about is how much this access actually helps those who have it. Antivirus products in particular, and reasonably complex software in general, receive vendor updates that can, and sometimes do, substantially alter their behavior quite frequently(and often in response to serious security holes, so you can't just adopt a blanket policy of sitting on all updates for 18 months); so if you want to stick to the carefully hand-reviewed stuff, you'll be so far out of date that random botnets and commercially motivated attackers will be nibbling on you; but if you want timely signature updates and security patches you essentially end up trusting the vendor to not slip something nasty into some urgent auto-update.

You are telling me that "versioning" in ActiveX is not a "thing"?

https://msdn.microsoft.com/en-...