Windows 8 Tells Microsoft About Everything You Install
musicon writes "According to Nadim Kobeissi, Windows 8 is configured by default (using a new feature called Windows SmartScreen) to immediately tell Microsoft about every app you download and install. This is a very serious privacy problem, specifically because Microsoft is the central point of authority and data collection/retention here and therefore becomes vulnerable to being served judicial subpoenas or National Security Letters intended to monitor targeted users. This situation is exacerbated when Windows 8 is deployed in countries experiencing political turmoil or repressive political situations."
While SmartScreen is enabled by default, it's possible for users to turn it off. Also, it's worth noting that Microsoft is hardly alone in this regard, given the rise of app stores over the past several years. (Not that it exculpates this behavior.)
At the rate Microsoft is going, they might as well add a "Windows 8 opt-out feature."
I like your vision of a privacy-invasion free world.
Don't want to be videotaped? Don't go outside.
Don't want to be wiretapped? Don't use a phone.
Don't want medical records in the wild? Don't go to a doctor.
Visionary indeed.
No you won't. Quit trolling for +5.
Look, I'm just a regular user, albeit more technically capable than the vast majority, but not a developer, sys admin, etc., and it's starting to look more and more like it's time to consider making the move to Linux.
This private company invasiveness seems to be growing in parallel with government invasiveness, and I'm not happy about either, but at least I can choose one, for now.
If you are going to blame Microsoft for what third party software does on your computer, then you can't also blame them when they start to track and address such problems. With things like EA's Origin, Steam, etc, what you do on your computer is no longer just your business. At least Microsoft lets you turn it off.
"Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
It seems from the MSDN link this can be avoided by simply not using Internet Explorer, as if you needed another reason not to.
Honestly, if my Steam library ran on Linux I'd switch today...
Dear Microsoft, don't try to be apple, we already have apple and you'd just be playing catch up and alienating your current customer base to try and get a customer base that already despises you more than your current one.
... to build an app that fakes the install of programs? In other words, overwhelm MS with hundreds of false install notices to them. As certain programs become 'of interest' to certain parties, we add that program to the list. Eventually, the information would become useless and would be abandoned.
Or am I missing something?
Also, it's worth noting that Microsoft is hardly alone in this regard, given the rise of app stores over the past several years. (Not that it exculpates this behavior.)
Can't compare this. If I download something from the Play Store, I know Google knows I install that app. After all I have to log in using my Google account, and use their app to download from their store. Afaik they do not know what I install from third-party sources, like alternative app stores. Nor do they have any right knowing that.
Apparently MS monitors what you install from third-party sources. Without telling you, and without asking explicit permission. That's simply evil. They have no business knowing what I install from third-party sources. The fact that this data is stored in some foreign country (the US is a foreign country to me, and some 95% of the world's overall population) with notoriously poor privacy protection only helps making it a lot worse.
Also, it's worth noting that Microsoft is hardly alone in this regard, given the rise of app stores over the past several years.
Come on. This is just excuse-making - sure in any given app store the store owner knows what you downloaded - by definition they had to for you to download it!
But here aren't we talking about a more general notion that ANY application installed from anywhere is known by Microsoft? When you use the Amazon app store on Android, does Google know what you have? When I use Cydia on an iPhone, Apple doesn't know what applications I install from there... on the Mac I can use the app store but if I get applications from elsewhere Apple doesn't know about those either.
Just because App Stores exist does not give Microsoft the right to track every app installed.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
What's wrong with sticking with Windows 7 for now?
It's not like Windows 7 is automatically obsolete as soon as 8 hits the market.
App stores will know everything you download from them for the same reason any other retailer would, you bought it there so there is a transaction record. This is tracking and sending to Microsoft information about EVERY application you download outside of their eventual marketplace. Apple doesn't know that I downloaded HandBrake from their site but with this Microsoft would, or to put it in a way that could cause an issue, Apple doesn't know that I downloaded LOIC, but Microsoft would. That is why it becomes an issue over and above something like the Mac App Store.
"I use a Mac because I'm just better than you are."
"While SmartScreen is enabled by default, it's possible for users to turn it off."
And this is what's wrong with this setup. Debian has popcon, which is a survey of what you use and how often you use it, and you can participate by having a cronjob send off the file.
http://popcon.debian.org/README
But it's not a privacy concern because it's opt-in.
If this equivalent of popcon on 8 was opt-in, this thread wouldn't be here.
--
BMO
IE has done something similar for a while now with every program you download. MS is just moving it from IE to Windows so that users of ALL browsers get the same technology. To be fair I don't know if IE sends the same data that Windows does.
Regardless you can turn this off along with the other privacy-impairing features in Windows during the first run setup.
There's no indication that Microsoft themselves keeps track of which individuals downloaded/installed which programs.
The issue this article seems to propose is that somebody could sniff the network traffic between yourself and Microsoft to grab the SmartScreen data and see what you'd installed when Windows contacts MS to see if the file is marked as safe/unsafe/unknown.
If they're in a position to do that, wouldn't they theoretically be in a position to have potentially snooped on the download of the software which is triggering the SmartScreen traffic? (Depending of course, on where in the network their sniffer is at.)
The only valid complaint seems to be that Microsoft is using a known-insecure version of SSL for the website all this data is sent to. If they fix that, I'm not sure what reasonable issue would be there.
I would argue that for the average user, SmartScreen is a useful feature and having it turned on by default (assuming MS is tracking individual user downloads of software for some nefarious purpose) is a good thing.
While I am a linux user already, a friend of mine recently said something along these lines. He then qualified it with something like:
"But then, linux probably won't have AAA games until windows 9. Now it seems to me that every other version of windows sucks (2K/XP, Vista/7), and the version after it is just fine. So I'll probably continue using windows if 9 doesn't suck. At least, until windows 10, which will suck. I'll probably switch then."
Any sufficiently advanced incompetence is indistinguishable from malice.
Did you check if it doesn't run with wine? You'd be surprised how much it has improved recently.
You know, I've been resisting Linux all these years, but with the current direction of Windows development and greater Linux game support (Steam, etc.) I may make the switch yet...
You sound like me about 5 years ago, when Vista was supposed to be Microsoft's hot new OS. I figured the way that was going, I might as well go Linux now and get over the hassle of switching. Long story short I spent 3.5 years on Linux as my primary desktop before I gave up the fight and switched to Win7. If you want to try Linux go right ahead, but if you just think Win8 is a dead end I suggest just buckling down with Win7 and see if Microsoft comes to their senses. There's plenty of time and being 64 bit I think it's even more of a stayer than XP, that and SSD support were really the only two "must have" features of Win7 for me. I expect the coming decade to have even less such "must have" features.
Live today, because you never know what tomorrow brings
Right, use Chrome as the example of a privacy-conscious application... it's not like it sends not only every URL you type in the location bar, or knows and pre-fetches every possible combination of the URL while you're typing it, or anything. It doesn't take URL's you're typing and try to suggest search results for those words either, no sir! And it definitely, definitely doesn't let Google store and analyze all of that information against your account, should you happen to be logged in to Gmail or anything.
Bow before me, for I am root.
Um, check the date on that blog post. March 22nd, 2011.
This was a feature added, by default, to Internet Explorer 9.0. It is a part of the browser. If you are running Windows 7 and have updated to Internet Explorer 9.0 then it is already doing this. All Windows 8 does is have Internet Explorer 10 installed by default.
Olds for nerds?
Is Windows 7 really that bad? I spent about 10 minutes customizing it and find it to be a much better experience than XP. The only thing that chews my balls is the lack of an included utility to password-protect .zip files, but aside from that, I can't think of anything I really dislike about it.
I used to be a die hard Mac guy until the early 2000s when I realized none of the games I wanted to play were available for Mac. So I switched to XP and never looked back. Now I am on Windows 7 and it works for me, but like many 8 scares the hell out of me. I want my task bar, I don't want a tablet GUI, and now this. Will I switch to Linux in the immediate future? Nope. But I won't be "upgrading" to 8. And if MS doesn't see the light and fix it before 7 is no longer supported, then I'll certainly look to Linux. Prior to Windows 8 I would never have considered that. I could probably be forced to get used to the GUI, but privacy issues are a big deal to me.
The first one is a poor comparison. Outside is not a private space in the same way that your computing hardware should be.
How do you people think virus scanners work?
Erm, by checking against a local signature database of known viruses or running local heuristic checks?
Bow before me, for I am root.
MSE keeps track of every process, and asks you to submit any it doesn't know.
Ethically it is hard to support any company which obviously has zero respect for user/consumer rights.
Steam is configured to report back to Valve about every app you download+install on it, and every time you launch an app, and there's NO way to opt out. (Well, you can switch it to offline mode, but that will prevent multiplayer and updates).
App stores do this for apps installed via the store; the difference here is that Windows is doing it for every app being installed whether via an app store or not.
Does anyone remember the controversy (one of many) about Windows 95 when it would do the same thing? When you went to register it, it would supposedly tell Microsoft what programs you had installed. When I got my Win95 machine in December 1995 I watched carefully to see what it did. The phoning home and telling them what you had installed was voluntary, and the only program that Win95 could accurately detect was MS Office 95. It couldn't detect any of the DOS games I had installed, nor did it seem to recognize the 3rd party email apps, etc I had installed.
If you want to use Chrome without sending that stuff to Google it's really easy. Go into the settings and click on Privacy. Uncheck everything. Done.
The soylentnews experiment has been a dismal failure.
Unless you use TrendMicro or any of the vendors who have a "cloud" solution.
I want to delete my account but Slashdot doesn't allow it.
Isn't popcon opt-in?
Sorry to disappoint, but Steam also takes the installed applications on your PC and returns it to the mothership.
Look up published stats on steampowered if you don't believe me.
Uh, Steam _ASKS_ whether you want to allow it to upload that information when it picks you for the hardware survey.
It also crashes when it tries to find that information on Linux, so you're totally safe if you run it in Wine.
The "Windows SmartScreen" referenced in TFA is nothing of the sort.
This is an IE9 feature, which would not be a huge surprise to find is still there in IE10. TFS links to an 18-month-old article talking about it in IE9. Not Windows 8. There is nothing to back up the wording used in TFS or TFA. It's a good feature I have enabled on my parent's machines for their protection, as it's one more layer against malware downloads.
The ONLY things this feature touches are executables which are downloaded from the Internet using IE. Install from a DVD? Download using Chrome/Firefox? USB drive? Copied from another disk? Compiled yourself? None of those things gets "sent to Microsoft".
Just someone (successfully) using a combination of inflammatory wording and gullible/lazy /. editors to generate traffic to their blog.
Where do we find companies that have respect for user/consumer rights, because I would be happy to use their products and services.
Just a dude. Stuck in IT.
Isn't that equivalent to the answer of 'If you don't want Windows SmartScreen to tell Microsoft about your installed apps, go into Privacy and turn it off.'?
It would seem to me that the point the parent was making is that Chrome's data reporting habits and this new one in Windows 8 are effectively the same. Both are enabled by default, and both report data back to their 'owners'. That both have an 'opt out' to turn them off really doesn't differentiate or describe either one as awesome with regards to privacy.
The world moves on. You can't live in your sheltered world forever. One day, you'll buy a computer that comes with Windows 8, and Windows 7 drivers aren't available for it. Then software comes out that requires Windows 8 or later. You would have a hard time living with Windows 2000 today. The same thing will happen with Windows 7 in a few years.
It's a feature where, when you download random programs from the internet and install them, Windows checks if it's known malware.
That actually seems a useful feature, one I wish my parents had on their machine!
New PCs won't come with Windows 7, they'll be shipped with Windows 8.
-- By all means let's be open-minded, but not so open-minded that our brains drop out.
You know, Steam knows not only every game you install, but also every time you play it. That's an even greater intrusion into your privacy, so why aren't you as worried about it?
>>> It's called "downgrade rights"
Please tell me more. I have a Windows 7 PC but suppose it dies five years from now, and I need a replacement. I go to Staples, buy a Win8 PC, and then what? How do I downgrade it to Windows 7? It isn't on store shelves anymore (and frankly I don't want to pay for Windows twice... once for 8 and again for 7).
Please educate me and everybody else.
thx
You should have a license key for Win7 and install media; use that to reinstall it in 5 years.
At worst, you may have to burn a copy of the install DVD if you don't already have one. I had to do this with my Inspiron laptop, it has a key, but Dell didn't ship media but they include a method to burn it from a "recovery" partition.
Fifty watts per channel, baby cakes.
I hope you realize Windows 8 has the taskbar that behaves just like Windows 7. I am running W8 RTM and I haven't missed 7 one bit. I'm actually using 8 a bit more.
The major difference is the "start screen" takes up the whole screen instead of 1/8 of the screen. You can still hit start and then start typing, etc... And you can use Tablet apps on your desktop if you like them. Some of the apps from the App Store are games, etc... SoulCraft actually lets you use the 360 gamepad, etc...
Watch: http://www.youtube.com/watch?v=t4ooYKE4F-c&feature=player_embedded
Hmmm, Steam is basically an online store. How do you expect it *not* to report to Valve? Like, you do know that Amazon and EBay know about all the stuff you buy through them, do you?
May Peace Prevail On Earth
Nope, not just discovering. I've used computers since my C64 in the mid 80s. I'm on a computer all day at work and most nights at home - probably far more than is healthy. But I've been a gamer ever since I first saw Space Invaders, and so my home computer is always built for gaming. A good gaming machine can do most other computer related things just fine. We have a PS1, PS2, PS3, Wii, miscellaneous Gameboys, etc., but mainly my son uses those. Give me a keyboard and a mouse to control games any day.
I assume you don't install punkbuster to play your steam games?
No.
And none of those programs are sending details of all my installed apps to Valve to put up on their web site. The original claim is still completely bogus.
Can you give me some insight as to why you switched from Linux to Windows 7? (...) So your reasons for switching from Linux to Windows 7 might enlighten/teach me.
Well, like I said I managed to use it for 3.5 years so there was no deal breakers that I can point to, it was more the death of a thousand stings. A few off the top of my head:
1. Very often you want one or two new features in one application, but due to the nature of distros and dependencies, the lack of backports and my unwillingness to start compiling and dealing with those dependencies myself you often end up upgrading your distro - in my case every six months with another Kubuntu release. This almost every time leads to a) some kind of unexpected issue or b) some applications doing some major UI rework or some other change I didn't really ask for. With Win7 I feel that I can install practically any application without making changes to my "system", unless that application is running all is working as before.
2. Despite all that is said and done with WINE, gaming on Linux requires a lot of tweaking, even if Steam should come to Linux a lot of games are built around DirectX that won't run natively. Ultimately it's a lot easier to run games made for Windows on Windows and where you know all the shitty issues are due to shitty games and not WINE bugs. A major part of that is that WINE has regressions, old games can suddenly break and waiting for a patch to fix the regression can take a long time. I think my record is about half a year unless you went back and installed an older version in a side-by-side arrangement.
3. The kernel is rock stable, but as I was on KDE at the time I was balancing between a working but almost abandoned KDE 3.5 and a buggy KDE 4.x, the kernel is rock stable but everything on top isn't nearly of the same quality. There's only so many times you can hear that the next 4.x+1 release will/has fixed everything before it sounds like the boy crying wolf. In my experience a lot of open source people say "it works" when they mean "it sorta works, with lots of tweaking". For better and for worse I find Windows troubleshooting much quicker comes down to "it works" or "it won't work" while on Linux you end up way down in the nitty gritty details and never really concluding. There's a ton of technical detail available but it's just not navigable and it's a huge time sink.
4. The various Linux chat clients have a mediocre interface to MSN, basic chat works but the rest is usually wonky. Which is kind of annoying when you want to talk to people there, who won't switch because they all use MSN. Same goes for browser plug-ins besides flash - that one worked more or less. The Citrix client was only a major pain to install. Usually something can be tweaked but on Windows this just works. It's not Linux's fault that MSN is using a proprietary protocol they're reverse engineering poorly, but like arguing whose blame it is doesn't solve the problem. It might not be a problem with Linux, but it's a problem trying to use Linux.
5. Almost all the good open source software is also on Windows, if you want LibreOffice and Firefox and whatnot you can run those. And you get the full selection of Windows software when that's not enough and those obscure Windows-only pieces of software you could never replace (I have two) run natively instead of dealing with WINE or a VirtualBox. I'd put it another way, start switching applications and if you run out of Windows-only applications then you can switch to Linux, it should be the last step in going open source not the first step.
In short, I ended up with a long list of like tiny annoyances, and I couldn't really list any big pros. Yes it's free but if I take into account all the time I spent trying to fix little annoyances it just didn't pay off, not to mention I deal enough with IT stuff that doesn't work at work. The final straw was a borked upgrade, like if I need to do a clean install now I'll go Windows. Those installs usually last me years if I don't install any crapware.
Live today, because you never know what tomorrow brings
Every layer is a chance to stop, slow, or at least detect an attack. Throwing out any layer of security simply on the basis that it can be bypassed is a bad idea. On that basis, we shouldn't make use of user accounts, firewalls, IDS/IPS, AV, digital signatures, SEH, DEP, ASLR, or pretty much anything else because everything can be bypassed.
You can never go home again... but I guess you can shop there.
A) There is no standard IDE and the SDK is nonexistent -- App developers generally don't feel welcome or like they can easily 'get their legs'.
B) 'Developer' support sites are overwhelmingly oriented to system coders, and these sites pretend that all coders are the same.
C) The GUI environment fluctuates greatly from distro to distro, and within each distro, and every 18-24 months.
C1) The chaotic state of GUIs prevents the user experience from 'gelling', making the systems feel disjointed and even unidentifiable. (That's right, most people could not identify a "Linux Desktop" if their lives depended on it, which to me signifies that "Linux Desktop" is an apparition experienced by techies.)
C2) Just try doing phone tech support for a GUI app on Linux, for a living. I have and with non-techie customers the overhead and disorientation factor is too high.
D) Most PCs are now laptops, and Linux power management still sucks. Hardware support lags in general, partly because the Linux Foundation has ignored the role it has to play in helping consumers identify compatible equipment. The smart thing to do would be to start a hardware certification program for OEMs and license a special Linux-compatible logo to them.
D1) Shall I describe how popular distros handle mirroring and dual-displays, combined with events like wake and sleep, on my 2006 and 2009 vintage laptops? Actually, it's too frustrating to go into here.
E) App packaging and management is still in a bad way. It has to be both intuitive for the consumer (they can download a file or use a CD if they wish) and flexible for the author (packaging for independent distribution ought not to be a high-wire act that leaves you with only the most sparse set of APIs to work with). Work on offering the best of both worlds instead of cramming everything into a huge repository because many things simply won't fit in there.
F) "Linux Desktop" proponents keep telling us to sit tight because web apps are the future. That cop out doesn't even work in the smartphone market. So stop pushing thick clients in place of personal computers; that is a shameful bait-and-switch.
G) Apps still sell the systems to a large degree. A,B,C and E are the most direct causes for the dearth of top-tier apps.
"No OS or desktop is perfect" -- indeed -- but what we know of as "Desktop Linux" is a non-entity for the average consumer. There will be no real advance in mindshare or marketshare until most of the above are changed for the better. A distro like Ubuntu would do well to follow my advice, and while they're at it remove the overt association with "Linux" itself... people who like and support the OS should be coding apps for "Ubuntu" not "Linux". It seems to work for Android.