Slashdot Mirror
Visual Studio 2015 C++ Compiler Secretly Inserts Telemetry Code Into Binaries (infoq.com)
Reader edxwelch writes: Reddit user sammiesdog discovered recently that Visual Studio 2015 C++ compiler was inserting calls to a Microsoft telemetry function into binaries. "I compiled a simple program with only main(). When looking at the compiled binary in IDA, I see a call for telemetry_main_invoke_trigger and telemetry_main_return_trigger. I cannot find documentation for these calls, either on the web or in the options page," he wrote. Only after the discovery did Steve Carroll, the dev manager for Visual C++ admit to the "feature" and posted a workaround to remove it.A Microsoft spokesperson confirmed the existence of this behavior to InfoQ, adding that the company wil be removing it in a future preview build. For those who wish to get rid of it, the blog writes: Users who have a copy of VS2015 Update 2 and wish to turn off the telemetry functionality currently being compiled into their code should add notelemetry.obj to their linker command line.
A Microsoft spokesperson confirmed the existence of this behavior to InfoQ, adding that the company wil bel removing it in a future preview build
...because it was finally discovered. If it hadn't been discovered, does anyone honestly think they would be removing it? Of course not.
Even if this telemetry were perfectly innocent (likely not, if Windows 10's spyware is any indicator), the fact of the matter is that Microsoft have now compromised their own compiler using Ken Thompson's compiler attack.
When will this madness end? Is MS now just an arm for the NSA?
Found in release builds.
Loading...
Or I could freely go to linux and ditch 99% of my software.
Fortunately, that is simply not true. The vast majority of software will run under Linux in one way or another. The only major exceptions are games, and even many of those will work.
The reality that Microsoft has been FUDing around for years is that Linux really is a viable alternative for almost every windows use case.
Many people have a single application that will not run under windows. Something work related or a specific game. I have two such applications, and I am constantly reminding the developers of those applications that it is a race to see which happens first: they get a Linux version working or one of their competitors gets a Linux version working. I am a relatively small fry, but I am not the only one asking about it. In the mean time, I have two PCs. I have a Linux machine that does my day to day heavy lifting, and I have the windows machine that only ever turns on when I need to run one of those applications (about once or twice a month). The windows Box had automatic updates turned off and gutted the GWX, so I can never again trust it exposed to the network, which is fine because it will never again *be* exposed to the network. I added the cost of the hardware to the cost of the two software packages and that is the end of it.
It should be noted that the free ( as in freedom ) versions of things I need run just fine on a core 2 quad with 2GB of ram, whereas the windows machine had to be an i5 or better with 4GB just to keep from pissing me off.
Most everything from a users perspective in Ubuntu is pretty simple. Although I would call myself a power user, I rarely have to resort to that level to get things done, and even then, its mostly related to experimentation and learning. For just about everything I have tried to do, a google search for "apt-get xxx" finds exactly what I want.
The user interface in Ubuntu is "good enough for grandma". With the advent of smartphones and tablets, and the radical differences between how windows works and tablets work, people have been primed to be able to learn some simple differences in UI pretty quickly. Almost everyone I have exposed to Ubuntu has taken to it easily enough. The one exception was completely computer illiterate before we started, and it took him a little longer than otherwise, because computers and tablets / etc... were all new to him.
I wish I had a good sig, but all the good ones are copyrighted
What he said.
A few years ago, I handed a netbook to my 80-year old father-in-law. He was used to a Windows PC, but he was visiting and he wanted to check the BBC website. After about 10 minutes I asked him if he knew that it was running Linux (Xubuntu) and he was surprised, as he had no problems at all doing just what he wanted to do.
So Linux on the desktop Just Works. It is a genuine and viable alternative to anyone who wants to use a system that isn't continually monetizing *you* as the product to everyone's benefit except you.
Sometimes the "writing on the wall" is blood spatter...
So one can imagine a case where a program crashes and sends telemetry to microsoft from inside a secure computing enviornment or otherwise exports secret bussiness data. This could invalidate MS from all government computing.
Some drink at the fountain of knowledge. Others just gargle.
It is documented. When this whole windows 10 is spyware thing started, I started searching. The telemetry is exactly that. how many times an application is run. For how long? did it exit clean or with errors? etc... Microsoft has been giving speeches @ Dev conferences for a while now shopping this new feature set. Not a secret. it it a service called "Application Insights" https://www.visualstudio.com/e... Nothing secret, an apparently an advertised service. Another way to make money for Microsoft, not spyware for nefarious purposes.
I assume that Microsoft compiles its shipping products with some form of Visual C++.
Does anyone know if these telemetry calls are made inside those products? For example, inside Microsoft's shipped versions of SQL Server?
And if so, does this mean using those products for handling HIPPA or PCI workloads is illegal?
So what happens to it then? Does a Windows component detect it and send it on?
I've been saying for awhile, post-anti-trust MS has finally realized that they can't leverage a monopoly and so don't gain from having lots of users/followers/fans who won't subscribe. They're in an intensive process right now to drive away the people who don't want to be part of their subscription-based future. Those people are just a dead weight to them, an expense, a liability. They're not the only option, they can't leverage being the default, and there is not significant financial value in being the default anymore. They can't use it to coerce additional payments or higher rates from wholesalers, so there isn't value in it.
This is probably intentionally designed to drive away people who like to use their compiler, but consider subscription-style information flows to microsoft to be "spyware." Those people will never ever pay for the type of services that MS is building their future around. They are just past lovers who are guaranteed to become disgruntled and angry at some point, because MS has grown in a different direction than them, chosen a new and different lifestyle. It is time for these people to move on, find a new compiler, find a new OS, etc.
Ken Thompson's work was beautiful and subtle - a compiler disguised all evidence of its backdoor even when you write code to search for these backdoors or when you compile the compiler itself.
True. But that works only when there's one compiler available for a particular language. If you bootstrap a compiler with three independent compilers, the backdoor is highly unlikely to persist into all three according to "Diverse Double-Compiling" by David A. Wheeler. Compile the compiler A with multiple compilers B, C, and D, and then compile A with (A compiled with B), (A compiled with C), and (A compiled with D), and you end up with (A compiled with A), (A compiled with A), and (A compiled with A). If they're identical, then B, C, and D have either no backdoor or an identical backdoor. Which is more likely?
Of course, all this requires that source code for A be available to the public or at least to a person trusted by the public to release compiler binaries. This is true of TCC, GCC, and Clang, not so much for Microsoft C++.