Slashdot Mirror


A Naysayer's Take On Windows 10: Potential Privacy Mess, and Worse

Lauren Weinstein writes: I had originally been considering accepting Microsoft's offer of a free upgrade from Windows 7 to Windows 10. After all, reports have suggested that it's a much more usable system than Windows 8/8.1 — but of course in keeping with the 'every other MS release of Windows is a dog' history, that's a pretty low bar. However, it appears that MS has significantly botched their deployment of Windows 10. I suppose we shouldn't be surprised, even though hope springs eternal. Since there are so many issues involved, and MS is very aggressively pushing this upgrade, I'm going to run through key points here quickly, and reference other sites' pages that can give you more information right now. But here's my executive summary: You may want to think twice, or three times, or many more times, about whether or not you wish to accept the Windows 10 free upgrade on your existing Windows 7 or 8/8.1 system. Now that we're into the first week of widespread availability for the new version, if you're a Windows user and upgrader, has your experience been good, horrible, or someplace between?

12 of 485 comments

  1. I'm surprised they missed "Wi-Fi Sense." by Anonymous Coward · · Score: 5, Informative

    It's also enabled by default if you don't customize your installation settings and in a nutshell, does the following:

    - uploads a supposedly-encrypted form of your wireless AP's password to a Microsoft server for safe-keeping
    - when enabled, shares your wireless password with anyone on your Facebook, Outlook or Skype contact lists who also has it enabled
    - also automatically joins you onto hotspots that your contacts share, regardless of how they are secured.

    I'm beginning to understand how Microsoft can afford to offer the "new and improved" Windows as a free upgrade for a year, I'm guessing the military and surveillance agency contracts have more than paid the bill.

    1. Re:I'm surprised they missed "Wi-Fi Sense." by ShaunC · · Score: 3, Informative

      > It shares a *hash* of your password (Slashdot of old would know the difference) with first-level friends (not friends of friends) for networks where you actively choose to. It's like giving them the password, except better, because you don't.

      How does that work?

      Suppose the password for my wireless network is BillGates. You're saying Wi-Fi Sense stores some hash of this, let's say 510ae47865e94f0e2165, and shares that with my friend. My friend comes over to my house. How does his computer sign on to my wireless network knowing only the hash, 510ae47865e94f0e2165? That isn't the password for my network, the router isn't going to accept it.

      --
      Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
    2. Re:I'm surprised they missed "Wi-Fi Sense." by cfalcon · · Score: 4, Informative

      > It is only enabled when you optionally check it for a specific Wi-Fi network.

      True.

      > It shares a *hash* of your password

      False.

      > (Slashdot of old would know the difference)

      Depends. If you were on it, at least you wouldn't know the difference.

      It shares an ENCRYPTED version. Not a hash. If it shared a hash, it wouldn't let them access it, now would it?

      Hashes normally throw away data. So if you have a local /etc/shadow file with hashed passwords, you can't unscramble / unhash / decrypt them, because there's a many-to-one mapping involved. The encrypted data, on the other hand, is one to one. This is because the people you share it with have to decrypt it locally and use it. This means that it is available in plaintext on their boxes (and how that key is managed I don't know- if they screwed up anything about that, it could be decryptable in transit too).

      There's a lot to complain about in Windows 10. Enough that I will never use it personally, and I was planning on upgrading to Pro before I read their absolute nightmare combo of dick-kicking bullshit.

      Here's the scoop:

      1) By default, this OS will leak your local data. You can opt out of this, but good luck constantly finding that setting, and having one more horrendous weight to lug around every time you have to reinstall, or use a new machine. This goes up to some microsoft account, and it includes all your favorites, any active websites at any time, etc. Again, you can opt out of this crap, but why on earth would you need to opt out of this?

      2) It mentions giving law enforcement all your data if asked, which, I mean, we JUST saw that exact thing become both automated, and globally used against all Americans. Like JUST saw it. Importantly, even if somehow this isn't used for massive and warrantless data collection the next time anything bad happens anywhere, it still means that whatever this back-orifice negafeature is, will be installed in all Windows 10 systems by default, with no opt out (only a bad guy would opt out, right?), and that it will sit there waiting patiently for some black hat to hack it. Even if you are still ok with this massive overreach, just ask yourself- wouldn't it be smarter to use a product that doesn't have this built in?

      3) Many new features require you to opt in to wholesale uploading of your activities. Cortana is a huge feature of this OS, but everything from your location to *lists of played media files* is uploaded when you use this feature. You can opt out, but this disables Cortana.

      4) You can't turn off a lot of the telemetry.

      The only safe way to use Windows 10 is on a fully airgapped machine. If you are interested in turning off Windows Update, auto-telemetry, and whatever that amazing law enforcement backdoor is, you'll need some rather intelligent application firewall to make that happen.

      Windows 10 will be an absolute nightmare. This should have been obvious the moment that they told you that you can't turn off Windows Update- that means that they will use Windows update to turn your desktop into an X-Box load screen, with everything full of advertisements and assorted diseases. Taking out your opt-out from that was never about security, it's about ensuring that the coming advertisements hit as many eyes as possible. You'll be downloading AdBlock Desktop soon enough.

      Oh, and most of this shit (especially the wholesale user monitoring) isn't enabled on the corporate boxes. Businesses, after all, have a right to privacy. Because they are more human than human, now?

    3. Re:I'm surprised they missed "Wi-Fi Sense." by AmiMoJo · · Score: 3, Informative

      > How does his computer sign on to my wireless network knowing only the hash, 510ae47865e94f0e2165? That isn't the password for my network, the router isn't going to accept it.

      In addition to my other post, to be absolutely clear your router will accept that hash*. It doesn't accept passwords, only hashes for WPA2 enabled networks. If implemented properly the router should not even store your password, only the hash of it.

      That's the normal way passwords are handled - hashed and the hash used for comparison and storage. I'm kinda sad that Slashdot seems to have forgotten this and modded you up... It's basic computer security stuff. You never store or use the plaintext password.

      * Okay, with WPA it actually accepts a hash of the hash, but anyway... You need the hash, not the password.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
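
What WPA2-Personal derives from a passphrase, the point the replies above argue over, shown as an added example that is not part of the original thread: the standard passphrase-to-key derivation and the per-session key both sides compute from it. The SSIDs `HomeNet` and `OtherNet`, the MAC addresses and the nonces are constructed for illustration; `BillGates` is the passphrase used in the thread.

```python
import hashlib
import hmac
import string


def wpa2_pmk(credential: str, ssid: str) -> bytes:
    """256-bit pairwise master key (PMK) for a WPA2-Personal network.

    Supplicants accept either an 8-63 character passphrase or the
    64-hex-digit key itself; only the passphrase form is run through PBKDF2.
    """
    if len(credential) == 64 and all(c in string.hexdigits for c in credential):
        return bytes.fromhex(credential)
    if not 8 <= len(credential) <= 63:
        raise ValueError("passphrase must be 8-63 characters")
    # One-way and salted with the SSID: PBKDF2-HMAC-SHA1, 4096 rounds.
    return hashlib.pbkdf2_hmac("sha1", credential.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def wpa2_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes,
             anonce: bytes, snonce: bytes, length: int = 48) -> bytes:
    """Per-session key both sides compute in the 4-way handshake (CCMP: 48 bytes)."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    out, counter = b"", 0
    while len(out) < length:
        block = b"Pairwise key expansion" + b"\x00" + data + bytes([counter])
        out += hmac.new(pmk, block, hashlib.sha1).digest()
        counter += 1
    return out[:length]


def demo() -> dict:
    ssid = "HomeNet"                                  # constructed SSID
    ap, sta = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))   # constructed nonces
    router_pmk = wpa2_pmk("BillGates", ssid)          # passphrase from the thread
    guest_pmk = wpa2_pmk(router_pmk.hex(), ssid)      # guest holds only the derived key
    return {
        "guest_derives_same_session_key":
            wpa2_ptk(router_pmk, ap, sta, anonce, snonce)
            == wpa2_ptk(guest_pmk, ap, sta, anonce, snonce),
        "derived_key_valid_for_other_ssid":
            wpa2_pmk("BillGates", "OtherNet") == router_pmk,
    }


if __name__ == "__main__":
    print(demo())
```

The derived key is salted with the SSID, so it is a credential for that one network name only. Nothing here describes how Wi-Fi Sense itself stores or transmits the password.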
  2. stupid article by slashmydots · · Score: 2, Informative

    What a crappy choice for an article. It's a bunch of Google shill crap followed by generalizations and no specifics about actual issues users are specifically facing. I'm fairly certain you can opt out of a lot of the stuff he's complaining about.

    1. Re:stupid article by kuzb · · Score: 4, Informative

      Had this problem on a laptop. There is a relatively simple fix. Basically, something was corrupted in the download for one reason or another. The fix is dead simple.

      1) Delete all the files at C:\Windows\SoftwareDistribution\Download
      2) open cmd.exe as admin
      3) run "wuauclt.exe /updatenow"
      4) Open windows update. You'll see windows 10 downloading.

      It will download the patch again.

      --
      BeauHD. Worst editor since kdawson.
  3. Reading... how does it work? by yodleboy · · Score: 3, Informative

    Installed W10 Pro on my PC last night. After all the copying and such, you get a screen that mentions privacy items and offers you the chance to configure them manually. Behold, you can turn off 2 screens of data going to MS and 3rd party applications. I believe the option to turn off wi-fi sharing was there too. So, yes, if you just blindly click through anything that says NEXT, you might have a problem. If you actually read crap, you can avoid most of this mess at install.

    So far, I have no complaints about 10. It looks nice and seems to run as smoothly as the Win7 Ultimate it replaced. Previously installed apps and games all seem to work, although I certainly haven't tried them all yet. The only stand out annoyance was that all my media file associations were reset to use stock MS applications.

    Your mileage may vary...

  4. What did you read? by s.petry · · Score: 4, Informative

    It could not have been TFA because there are only 2 mentions of Google in the whole post. One of those is a disclaimer that the person has consulted for Google but is not doing so presently. The other is: Being careful with your data isn't just a Microsoft thing. My views of Microsoft and Google are pretty much diametrically opposed -- I have enormous faith in Google and Googlers doing the right thing with respect to protecting the data I share with them, but even in the case of Google -- with whom I share a great deal of data -- I'm selective about what I do share.

    I put the parts you didn't read or didn't pay attention to in bold so that even a moron can find them.

    You would have been okay if you had said she favored Google in the article, but to claim it's a shill is completely dishonest.

    --

    -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

  5. Re:Really? by Anonymous Coward · · Score: 5, Informative

    Just a small part of the EULA (there's lots of other juicy parts):

    Usage and connectivity data. Microsoft regularly collects basic information about your Windows device including usage data, app compatibility data, and network and connectivity information. This data is transmitted to Microsoft and stored with one or more unique identifiers that can help us recognize an individual user on an individual device and understand the device's service issues and use patterns.

    The data we collect includes:

    - The software (including drivers and firmware supplied by device manufacturers), installed on the device.
    - App use data for apps that run on Windows (including Microsoft and third party apps), such as how frequently and for how long you use apps, which app features you use most often, how often you use Windows Help and Support, which services you use to sign into apps, and how many folders you typically create on your desktop.
    - Network and connection data, such as the device's IP address, number of network connections in use, and data about the networks you connect to, such as mobile networks, Bluetooth, and identifiers (BSSID and SSID), connection requirements and speed of Wi-Fi networks you connect to.
    - Other hardware devices connected to the device.

    Some diagnostic data is vital to the operation of Windows and cannot be turned off if you use Windows.

    That's at least as bad as Google/Facebook. Thankfully other operating systems respect your privacy at least a little bit...

  6. It's shocking- read it by WOOFYGOOFY · · Score: 5, Informative

    I RTFA and read the links. They're shocking and I don't use that word casually. I am posting the direct links here with the excerpts from the license agreement.

    No human being who had these explained to them in an ordinary setting by someone they knew and trusted would knowingly agree to them.

    Here goes:
    From:

    Sign into Windows with your Microsoft account and the operating system immediately syncs settings and data to the company's servers. That includes your browser history, favorites and the websites you currently have open as well as saved app, website and mobile hotspot passwords and Wi-Fi network names and passwords.

            To enable Cortana to provide personalized experiences and relevant suggestions, Microsoft collects and uses various types of data, such as your device location, data from your calendar, the apps you use, data from your emails and text messages, who you call, your contacts and how often you interact with them on your device. ...

    Microsoft can disclose your data when it feels like it

    This is the part you should be most concerned about: Microsoft's new privacy policy assigns is very loose when it comes to when it will or won't access and disclose your personal data:

            We will access, disclose and preserve personal data, including your content (such as the content of your emails, other private communications or files in private folders), when we have a good faith belief that doing so is necessary to protect our customers or enforce the terms governing the use of the services. ....

            Cortana also learns about you by collecting data about how you use your device and other Microsoft services, such as your music, alarm settings, whether the lock screen is on, what you view and purchase, your browse and Bing search history, and more."

    The author goes on to note:

    Lots of things can live in those two words "and more." Also note that because Cortana analyzes speech data, Microsoft collects "your voice input, as well as your name and nickname, your recent calendar events and the names of people in your appointments, and information about your contacts including names and nicknames." ....

    The updated terms also state that Microsoft will collect information "from you and your devices, including for example 'app use data for apps that run on Windows' and 'data about the networks you connect to.'" ...

    Windows 10 generates a unique advertising ID for each user on each device. That can be used by developers and ad networks to profile you. ...

    They intend to completely remove the notion of privacy from the tools we use to create share and store the most private thoughts we have.

    This is Linux's Big Chance. People will reject this massive barefisted amoral invasion of privacy and flee- if they can get a decent computing experience out of some UNIX clone.

    Not to turn this into a "What's wrong with Linux" discussion but I have sincerely tried to move to Linux repeatedly and just found the experience awful. I am not interested in learning a CLI to get normal stuff done-at all. The performance compared to Windows has always been terrible, my software is slow, the drivers are missing etc etc.

    Personally I feel like Ubuntu is somehow in the thrall of a culture of devs who are not interested in accommodating the masses and take it as a point of pride that finding, getting, installing and using applications still requires exiting to a CLI, which knowledge they love. Yes, many of them do want to share the love with you, but many people wanted to share their love of the Grateful Dead's music with me too and the thing is, I just don't like it.

  7. Re:She's a little crazy by Knightman · · Score: 3, Informative

    > She says she doesn't trust Microsoft with her information, but Google? She approves of them faithfully

    Why didn't you include the whole quote from the post:

    > My views of Microsoft and Google are pretty much diametrically opposed -- I have enormous faith in Google and Googlers doing the right thing with respect to protecting the data I share with them, but even in the case of Google -- with whom I share a great deal of data -- I'm selective about what I do share.

    But I guess all you really wanted to do, was to spin it so she looked foolish (just look what you used as a title for your post) -- which tells me you aren't here to have a constructive discussion and I cannot fathom why ANYONE would mod your post as insightful.

    --
    --- Reality doesn't care about your opinions, it happens anyway and if you are in the way you'll get squished.
  8. Re:Really? by damnbunni · · Score: 4, Informative

    Okay look, a lot of this is bullshit.

    Account Info privacy setting is staying disabled. It hasn't turned it back on.

    Windows Defender can't be disabled because it DISABLES ITSELF when you install another antivirus. The exact same way it worked in Windows 8.

    You CAN disable automatic updates for drivers.

    Actually, let me repeat that in all caps.

    YOU CAN DISABLE AUTOMATIC UPDATES FOR DRIVERS.

    The control just isn't under updates. It's actually in the same place it is in Windows 7 - open the Devices and Printers control panel, right-click the icon for your computer, select Device Installation Settings, choose 'No, let me choose what to do' and 'Never install driver software from Windows Update'.

    Granted, this does mean it doesn't even offer you the updates, but if you don't want drivers from Windows Update, you don't have to get them.

    You can turn off the ads in the start menu.

    You can turn off sharing your wifi password with people. (Though it's still bad - if you give your password to someone, they might share it.)

    The 'keylogger' in that imgur pic's toggle is ghosted not because you can't turn it off, but because that service is entirely disabled by some other setting the guy's made. Probably the one that turns off Cortana.

    There's plenty to dislike about Windows 10 without making up crap. Me, I hate the lack of subfolders in the Start menu. (My gog.com games folder has about 25 entries for 'Manual.pdf' because the menu ignores the per-game subfolders. Augh.)