Slashdot Mirror


Visual Studio 2015 C++ Compiler Secretly Inserts Telemetry Code Into Binaries (infoq.com)

Reader edxwelch writes: Reddit user sammiesdog discovered recently that Visual Studio 2015 C++ compiler was inserting calls to a Microsoft telemetry function into binaries. "I compiled a simple program with only main(). When looking at the compiled binary in IDA, I see a call for telemetry_main_invoke_trigger and telemetry_main_return_trigger. I cannot find documentation for these calls, either on the web or in the options page," he wrote. Only after the discovery did Steve Carroll, the dev manager for Visual C++, admit to the "feature" and post a workaround to remove it. A Microsoft spokesperson confirmed the existence of this behavior to InfoQ, adding that the company will be removing it in a future preview build. For those who wish to get rid of it, the blog writes: Users who have a copy of VS2015 Update 2 and wish to turn off the telemetry functionality currently being compiled into their code should add notelemetry.obj to their linker command line.


  1. MS Spyware by allo · · Score: 5, Insightful

    No escape.

    1. Re:MS Spyware by Assmasher · · Score: 4, Interesting

      Found in release builds.

    2. Re:MS Spyware by Anonymous Coward · · Score: 1

      From https://www.reddit.com/r/cpp/comments/4hoyzr/msvc_mutex_is_slower_than_you_might_expect/d2thalz :

      ETW events are used for performance tracing, and they are disabled by default. They never write to anywhere but your own computer, and they're for you to debug your own programs. The entire OS and .NET emits ETW events, they are extremely useful when trying to track down hard-to-debug perf issues.

      The easiest way to view them is via WPA, here's a website where you can learn more about it: https://msdn.microsoft.com/en-us/library/windows/hardware/hh448170.aspx

      Not spyware. It's all code to help you profile the performance of your application, and is just a stub on normal builds.

    3. Re:MS Spyware by Anonymous Coward · · Score: 1

      This industry is becoming more like THX-1138 every year. Right down to the buzzcuts, and inescapable software updates who are "only trying to help".
      I want off this ride.

    4. Re:MS Spyware by JustBoo · · Score: 2, Insightful

      Debug performance telemetry? Yep. Clearly spyware.

      Like the other comment said, (but I can't help myself here): One does not put debug information in release builds. Period.

      I'm sorry, you are either an Uneducated Idiot or a Shill. Which is it?

      Let's see another way.

      Do you think that "debug performance telemetry" should be in a mission critical embedded application build in release mode? Do you?

      I await your answer.

    5. Re:MS Spyware by bondsbw · · Score: 4, Informative

      Do you think that "debug performance telemetry" should be in a mission critical embedded application build in release mode? Do you?

      I don't believe any mission critical application (or any production application) should be built in unreleased software.

      That said, I'm pretty pissed about this, Microsoft is screwing themselves over by withholding things like this until they get found out, and by not making it a simple obvious setting that remains the way you left it. I'm ok with the idea of telemetry, but that should be my decision, not theirs. I'm not ok with how they push it on everyone. Doing this to developers is burning some of the only good bridges they have left.

      --
      All my liberal friends think I'm a conservative, all my conservative friends think I'm a liberal.
    6. Re:MS Spyware by Anonymous Coward · · Score: 1

      I don't believe any mission critical application (or any production application) should be built in unreleased software.

      What in the sweet fucking hell does this even mean? Do you understand words?

    7. Re:MS Spyware by Anonymous Coward · · Score: 2, Informative

      Microsoft Telemetry - dedicated to fast-tracking the confirmation of Richard Stallman as public visionary.

    8. Re:MS Spyware by Anonymous Coward · · Score: 2, Insightful

      I'm ok with the idea of telemetry

      I would be interested in hearing your reasoning here.
      To locally measure performance of an application I get, but the "tele" part of this is something that I'm not OK with.
      What I develop and who my customers are is something I don't wish to share with Microsoft.
      I have no contract with Microsoft that says that they can't take my customers from me. They can afford developing some applications at a loss. I can't.

    9. Re:MS Spyware by sqlrob · · Score: 2

      Visual Studio 2015 Update 2 is released software.

      What's your next excuse?

    10. Re:MS Spyware by Anonymous Coward · · Score: 4, Insightful

      Quote from wiki
      "Visual Studio "15" Preview 2 was released 10 May 2016."

      In other words, this isn't a final MS product. Think of it as more of a beta. Aka the other poster titling it "unreleased". He meant more than it's not a retail build. It also has telemetry. However it's still inexcusable that MS did this without notification. So MS is at fault here. And I don't believe for a minute they would have removed it before final build. See win 10.

      On the other hand, it's also a STUPID move for developers to program production applications in a preview product.
      Production meaning, you are deploying it, you are giving it to customers, you are selling it, etc.
      No one with a clue should have released any software built in this non final build version.
      Doing anything in a preview/beta product you run huge risks of a screwup biting you on the butt.
      EXACTLY LIKE THIS .

      So if anyone had used this to release production software, they would be at fault for doing it with preview/beta crap from MS.

    11. Re:MS Spyware by Killall+-9+Bash · · Score: 1

      No one listen to this man! He's just a hologram!!!

      --
      "Prediction: within 10 years, Windows will be a Linux distribution." Me, 7-6-2016
    12. Re:MS Spyware by bondsbw · · Score: 2

      Oops, I read the article too quickly, as it also mentions VS "15":

      while this behavior does currently exist in "15", it will be removed in a future preview release.

      I didn't realize the article also was talking about VS 2015.

      --
      All my liberal friends think I'm a conservative, all my conservative friends think I'm a liberal.
    13. Re:MS Spyware by bondsbw · · Score: 1

      Actually I was wrong, the article mentions both VS "15" and VS 2015.

      --
      All my liberal friends think I'm a conservative, all my conservative friends think I'm a liberal.
    14. Re:MS Spyware by bhcompy · · Score: 1

      Except for the part that it's only storing data locally for your own purposes and not sending anything to Microsoft.

    15. Re:MS Spyware by bondsbw · · Score: 4, Informative

      You seem to have stopped before reading to the end of the sentence. I went on to say:

      but that should be my decision, not theirs.

      It's the same reason you give feedback for beta software, you want to help make the final product better. Either way, regardless of whether it's automated, it should still be your choice.

      --
      All my liberal friends think I'm a conservative, all my conservative friends think I'm a liberal.
    16. Re:MS Spyware by cfalcon · · Score: 5, Insightful

      > Debug performance telemetry? Yep. Clearly spyware.

      While Microsoft offers a profiler, this is NOT that. I'm puzzled how someone could confuse the two. Profilers / debuggers / all manner of code analysis tools are all hooks that allow the developer (not Microsoft) to analyze how something works in development. They are usually stripped out of release builds, but, more importantly, are only ever present at the convenience of the developer.

      The mysterious telemetry calls are not even claimed by MICROSOFT to be debugging or profile hooks. "The event data can only be interpreted if a customer gives us symbol information (i.e. PDBs) so this data is only applicable to customers that are actively seeking help from us and are willing to share these PDBs as part of their investigation. ". This means that the hooks make data available to a telemetry subsystem, on production code, which Microsoft can usefully access in some fashion- while to make use of this in any way would require a developer to know about it (it is not publicized), contact the "right" part of Microsoft (which no one knows), and ask to use the data Microsoft has been collecting about their shipped code, using an undocumented system to gather unknown data.

      If this was in any way benign:
      1- It would have been documented: you'd know what it gathers
      2- Microsoft would offer this data to the developer in some fashion, including what it is
      3- It would have been opt-in: you'd have to link in the telemetry, instead of linking it OUT.
      4- It wouldn't be present in secret on ALL code Microsoft compiles. This affects run times in some fashion, even if you ignore the massively spooky privacy issues.
      5- The data wouldn't be available for Microsoft's use, but not the developer: what right do they have to gather data on your code as you build it, much less on your code as it runs for your customer?

      This whole thing gets crazier. That Microsoft is putting hooks into as much code as they can may actually be illegal, or it may be buried in some document- all I know is, this is just what has been FOUND so far. Every couple weeks, someone finds more stuff. All of it is found by acting on some highly technical layer Microsoft hasn't been able to obscure yet. How much more is there? We really have no way to know.

    17. Re:MS Spyware by pagebt · · Score: 5, Interesting

      It is documented. When this whole windows 10 is spyware thing started, I started searching. The telemetry is exactly that. How many times an application is run? For how long? Did it exit clean or with errors? etc... Microsoft has been giving speeches @ Dev conferences for a while now shopping this new feature set. Not a secret. It is a service called "Application Insights" https://www.visualstudio.com/e... Nothing secret, and apparently an advertised service. Another way to make money for Microsoft, not spyware for nefarious purposes.

    18. Re:MS Spyware by Gr8Apes · · Score: 2

      Nothing MS does today is solely local. Haven't you been paying attention? Win10 is a cloud service OS, and if you think telemetry data stays local, there's some beach front property in Kansas I'd like to sell you.

      --
      The cesspool just got a check and balance.
    19. Re: MS Spyware by rochrist · · Score: 3, Insightful

      Personally, I figure you're all the same person, Coward.

    20. Re:MS Spyware by 0ld_d0g · · Score: 1

      Do you think that "debug performance telemetry" should be in a mission critical embedded application build in release mode? Do you?

      Did you also throw a hissy fit when they added dtrace to the kernel? Did you?

      I await your answer.

      You people are really dumb. I mean, I get it, you're clearly an anti-ms troll and a Linux cheerleader, but you should know when you're getting fucked and when you're just masturbating.

    21. Re:MS Spyware by oldcarsmell · · Score: 1

      This exactly. I wonder why aluminum prices haven't skyrocketed since the Windows 10 announcement unless all of the foil hat makers have just been stockpiling.

    22. Re:MS Spyware by bhcompy · · Score: 1

      The proof is in the pudding, and someone in this thread already linked the pudding.

    23. Re:MS Spyware by kheldan · · Score: 2

      Oh, I think there's an 'escape' available: Stop using Microsoft products entirely. Also, Microsoft needs to be brought up on charges for violating anti-hacking laws. Their compiler is, by default, inserting unwanted and malicious code into other people's code. I think that qualifies as 'hacking' under the anti-hacking laws, doesn't it? Where's the indictments against Microsoft for this and all the other malicious things they've been doing?

      --
      Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
    24. Re:MS Spyware by currently_awake · · Score: 1

      It's linking in unknown code. It may be only local today but tomorrow who knows? Is it running an external DLL file or does it bind in the actual code? If it's an external DLL then microsoft can update it through windows update and you'll never know. This sounds like a very nice attack vector, I wonder what the NSA could do with it?

    25. Re:MS Spyware by mrprogrammerman · · Score: 1

      A lot of betas are no longer giving you a choice.

    26. Re:MS Spyware by Fragnet · · Score: 1

      Performance tuning is useless in a debug build.

    27. Re:MS Spyware by rock_climbing_guy · · Score: 1

      The logical end result is that they eventually put these hooks in the hardware so that there is literally no escape unless you can make your own hardware. I can't help but wonder if they're doing this under serious duress; the exposure has been awful for them as far as I can see.

      --
      Wh47 d1d j00 541, 31337 15n't t3h r0xor5 ne m0r3???
    28. Re: MS Spyware by Dunbal · · Score: 1

      I seem to remember the GNAA being part of slashdot since, well forever. Welcome to the internet. Some people might post offensive things. You have been warned.

      --
      Seven puppies were harmed during the making of this post.
    29. Re:MS Spyware by tepples · · Score: 1

      I don't believe any mission critical application (or any production application) should be built in unreleased software.

      What makes you think the feature of telemetry by default in the preview compiler won't make it into the final released compiler?

    30. Re:MS Spyware by allo · · Score: 1

      So, YOU are getting the data? Or MS?

    31. Re:MS Spyware by Darinbob · · Score: 1

      I don't program on Windows. Still, I find it surprising that the justification from MS was that this could help them with debugging a customer's problem. Seriously, if *my* program is broken then Microsoft is offering to help debug it? Sounds like a fantasy world.

    32. Re:MS Spyware by Darinbob · · Score: 3, Insightful

      Debugging my program is my job. No information needs to go to Microsoft unless I am talking to them directly and I offer to send it. Maybe they ask me to send them a core file or whatever post-mortem info I have. There is no legitimate reason for telemetry here, "telemetry" means that data is being sent to Microsoft rather than just being an event stored locally. For Microsoft to know how often my program ran and how often it crashed without my telling them, then that is indeed spyware. They're not offering to help debug everyone's code, no way do they have that amount of manpower, so this is in no way a service to help out customers.

    33. Re:MS Spyware by Darinbob · · Score: 1

      So if your brother sells crack on the street then it's ok for you to do it?

    34. Re:MS Spyware by JustAnotherOldGuy · · Score: 1

      Debug performance telemetry? Yep. Clearly spyware.

      Is there any behavior by Microsoft you can't rationalize away?

      If Microsoft was found to be running a full-on pedophile/murder ring with the explicit written approval of Satya Nadella, you would find a way to brush it off and minimize it.

      Seriously, they could be kidnapping people off the street at random and tossing them into wood chippers and you would chalk it up to "market research" or some shit.

      --
      Just cruising through this digital world at 33 1/3 rpm...
    35. Re:MS Spyware by david_thornley · · Score: 1

      If you're using a proprietary compiler, you're almost certainly linking in unknown code. You have to trust the vendor not to be actively malicious. Usually this is a reasonable assumption, but MS seems to be trying to falsify it.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    36. Re: MS Spyware by imidan · · Score: 1

      I seem to remember the GNAA being part of slashdot since, well forever.

      Yeah, but isn't that kind of weird? I mean, I started reading Slashdot in the late 90s, and GNAA has always been here. Who are these people who are so dedicated that they tirelessly post the same shitposts to every article, every day, for almost 20 years? How do they have time for this? Do they never grow bored, or tired? Do they never become disenchanted with their chosen occupation?

      It's like Sisyphus pushing the boulder up the hill only to watch it roll back down, except somehow even less useful than that.

    37. Re:MS Spyware by Carewolf · · Score: 1

      Oops, I read the article too quickly, as it also mentions VS "15":

      while this behavior does currently exist in "15", it will be removed in a future preview release.

      I didn't realize the article also was talking about VS 2015.

      VS 15 is to be MSVS 2016. It is not to be confused with MSVS 2015.

      Yes, silly conflicting numbering. What else is new.

    38. Re:MS Spyware by bondsbw · · Score: 1

      I did not make such a claim.

      --
      All my liberal friends think I'm a conservative, all my conservative friends think I'm a liberal.
    39. Re: MS Spyware by ChanceCallahan · · Score: 1

      Hey, we have beach front property in Kansas! I saw a home for sale on the Cowskin Creek the other day!

    40. Re:MS Spyware by jonwil · · Score: 1

      This stuff is right there in Visual C++ 2015 Update 2 which is most definitely NOT a preview product.
      There are some comments regarding telemetry_main_invoke_trigger and telemetry_main_return_trigger in vcruntime_internal.h in the CRT source code.
      These reference a telemetry.cpp and a telemetrydefault.cpp (neither of which are included in the CRT source)

      I can confirm however that the notelemetry.obj file (the source code for that IS included in the CRT source) does exactly what it says on the tin and will disable the telemetry.

      I have also disassembled telemetry.obj (compiled form of telemetry.cpp) in IDA and it makes calls to GetLastError, GetModuleFileNameW, __vcrt_EventRegister, __vcrt_EventSetInformation, __vcrt_EventUnregister, and __vcrt_EventWriteTransfer. Source code for the __vcrt functions can be found in winapi_downlevel.cpp (they are functions designed to wrap the real windows API calls with those names so workarounds can be provided on operating systems that don't support them)

      So whatever this "telemetry" actually does, it uses EventRegister, EventSetInformation, EventUnregister and EventWriteTransfer to do it (part of the "event tracing for windows" APIs)

      If Microsoft wants to silence critics on this they should publish telemetry.cpp and let people see for themselves what it really does and why it doesn't do anything untoward.
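
The kind of check described in the comment above, done on an object file's symbol table instead of in IDA, as an added example that is not part of the original thread or of Microsoft's code: a Python parser that reports whether a COFF object defines or only references the two trigger functions named in the story. The sample objects are constructed inline; the leading underscores on their symbol names and the `main` caller are assumptions.

```python
import struct

# Symbol names quoted in the thread, matched as substrings because the page
# does not give the decorated form the linker sees.
TELEMETRY_MARKERS = ("telemetry_main_invoke_trigger",
                     "telemetry_main_return_trigger")
SYM_CLASS_EXTERNAL = 2   # IMAGE_SYM_CLASS_EXTERNAL
SYM_UNDEFINED = 0        # section number 0: not defined in this object


def parse_coff_symbols(data):
    """Return [(name, section_number, storage_class)] for a COFF object."""
    if len(data) < 20:
        raise ValueError("too short for a COFF file header")
    machine, nsect, _, symtab, nsyms, _, _ = struct.unpack_from("<HHIIIHH", data, 0)
    if machine == 0 and nsect == 0xFFFF:
        # /bigobj and import-library members use a different header layout.
        raise ValueError("anonymous/bigobj object, not handled here")
    strtab_off = symtab + nsyms * 18
    if symtab == 0 or strtab_off + 4 > len(data):
        raise ValueError("no symbol table, or table runs past end of file")
    (strtab_len,) = struct.unpack_from("<I", data, strtab_off)
    strtab = data[strtab_off:strtab_off + strtab_len]

    symbols, i = [], 0
    while i < nsyms:
        raw, _val, section, _typ, storage, naux = struct.unpack_from(
            "<8sIhHBB", data, symtab + i * 18)
        if raw[:4] == b"\0\0\0\0":
            # Long name: last 4 bytes are an offset into the string table.
            (off,) = struct.unpack_from("<I", raw, 4)
            end = strtab.find(b"\0", off)
            if off < 4 or end < 0:
                raise ValueError("bad string table offset")
            raw = strtab[off:end]
        symbols.append((raw.rstrip(b"\0").decode("ascii", "replace"),
                        section, storage))
        i += 1 + naux            # skip auxiliary records
    return symbols


def telemetry_references(data):
    """Sort telemetry trigger symbols into defined-here vs. left for the linker."""
    found = {"defined": [], "undefined": []}
    for name, section, storage in parse_coff_symbols(data):
        if storage == SYM_CLASS_EXTERNAL and any(m in name for m in TELEMETRY_MARKERS):
            key = "undefined" if section == SYM_UNDEFINED else "defined"
            found[key].append(name)
    return found


def build_sample_obj(symbols):
    """Constructed test input: header, one empty .text section, symbol table."""
    records, strtab = b"", b""
    for name, section in symbols:
        enc = name.encode("ascii")
        if len(enc) > 8:                       # long names go to the string table
            field = struct.pack("<II", 0, 4 + len(strtab))
            strtab += enc + b"\0"
        else:
            field = enc.ljust(8, b"\0")
        records += struct.pack("<8sIhHBB", field, 0, section, 0x20,
                               SYM_CLASS_EXTERNAL, 0)
    header = struct.pack("<HHIIIHH", 0x8664, 1, 0, 60, len(symbols), 0, 0)
    section_hdr = b".text".ljust(8, b"\0") + bytes(32)
    return header + section_hdr + records + struct.pack("<I", 4 + len(strtab)) + strtab


# Constructed samples. The leading underscores are an assumption about the
# decorated names; "main" stands in for whatever code calls the triggers.
TRIGGERS = ["__telemetry_main_invoke_trigger", "__telemetry_main_return_trigger"]
SAMPLE_CALLER = build_sample_obj([("main", 1)] + [(t, 0) for t in TRIGGERS])
SAMPLE_PROVIDER = build_sample_obj([(t, 1) for t in TRIGGERS])

if __name__ == "__main__":
    for label, blob in (("caller", SAMPLE_CALLER), ("provider", SAMPLE_PROVIDER)):
        print(label, telemetry_references(blob))
```

To run it on a real object, pass the file's bytes to `telemetry_references`; members of a `.lib` archive have to be extracted first.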

    41. Re:MS Spyware by JustBoo · · Score: 1

      Did you also throw a hissy fit when they added dtrace to the kernel? Did you?

      I await your answer.

      You people are really dumb. I mean, I get it, you're clearly an anti-ms troll and a Linux cheerleader, but you should know when you're getting fucked and when you're just masturbating.

      You mentioned something about being dumb? You clearly know quite a bit about that subject. dtrace, really? Wow.

      Also, you know absolutely nothing about me, yet you made quite a large number of assumptions about something you know nothing about. Given your clear propensity for (psychological) projection, we now do know quite a bit about you. Not really anything there though. Certainly not technical knowledge, that is clear.

    42. Re: MS Spyware by Black+LED · · Score: 1

      Wow, there really is a place in Kansas called "Cowskin Creek". I had to look it up because I wasn't sure if you made it up, but yeah, you guys are some real hicks over there in tornado alley.

    43. Re: MS Spyware by Ilgaz · · Score: 1

      MS is actually documented by USA courts to do very evil things with the code and use "oops it was a mistake" as excuse when someone figures it out.

      https://en.m.wikipedia.org/wik...

      Please note that the code comes from very experienced, legend like developer who clearly knows the consequences. Just like MS hires the best compiler developers on the planet who clearly know the difference between debug and final builds.

      They were testing the waters, period.

    44. Re: MS Spyware by cthulhu11 · · Score: 1

      So let's make all kinds of assumptions based on the name of a function.

    45. Re:MS Spyware by lgw · · Score: 1

      Seriously, they could be kidnapping people off the street at random and tossing them into wood chippers and you would chalk it up to "market research" or some shit.

      Can you think of any other explanation for Windows 8?

      --
      Socialism: a lie told by totalitarians and believed by fools.
    46. Re:MS Spyware by JustAnotherOldGuy · · Score: 1

      Can you think of any other explanation for Windows 8?

      Brain damage? LSD overdoses? A management structure composed mostly of vindictive, clueless clowntards?

      --
      Just cruising through this digital world at 33 1/3 rpm...
    47. Re:MS Spyware by silentcoder · · Score: 1

      Thousands of linux systems have the capacity to send coredumps to the developer automatically on a crash.

      And every single one of them will ask the user's permission to do that every single time.

      --
      Unicode killed the ASCII-art *
    48. Re:MS Spyware by silentcoder · · Score: 1

      Mostly because tin-foil hats are made of tin ? Tin prices are through the roof, you just can't see it because of the commodities recession.

      --
      Unicode killed the ASCII-art *
    49. Re: MS Spyware by Zontar+The+Mindless · · Score: 1

      This is great stuff. Can you share your experiences as a Navy SEAL with us as well?

      --
      Il n'y a pas de Planet B.
    50. Re:MS Spyware by mathew7 · · Score: 1

      Those functions could (and probably do) call some MS-controlled DLLs. Which can be changed anytime with an OS update. Like adding logging of the command line, starting external file monitoring etc.
      All these privacy issues are not about what "they" do now, but what they will decide to do in the future without notice. See Carrier IQ discussions.
      If your production SW is sold to a restrictive client (like government, NSA whatever) and you don't disclose these hooks, you can have bad consequences whether you knew about it or not.

  2. wow wtf by Anonymous Coward · · Score: 1

    wow wtf Msft. Just when they were getting good about .NET and open source and their stuff was getting good as a product. Seriously stupid and not a good business decision. Sounds like that Carroll guy needs a new 'role' at Msft.

  3. Apparently... by ChodaBoyUSA · · Score: 5, Insightful

    Microsoft has shed all pretense of shame and is adamant to infect everything with their spyware/malware behavior. This is very unfortunate. They keep removing any remaining reason to stick with Windows over OSX or Linux. Sad.

    1. Re:Apparently... by Aruta · · Score: 1

      ...I think that there is a very good possibility that systemd will someday get telemetry enabled by default. Before you mod this down, ask yourself this: What would stop them? Community uproar? HA!

      Firstly: stop who? systemd developers? individual distro developers?

      Secondly: where would the telemetry be gathered? the main advantage for M$ is that they get ALL of it. For each distribution to get their share would be much less profitable (monetary or otherwise), and there would be clear ability to switch it off completely (not like with the MS hydra, with new telemetry hooks constantly uncovered). At worst, you'd have to re-compile the stuff, and most probably there would be distributions already offering such versions.

      No, I can never see Linux overall going anywhere near such state as M$. Individual, commercialized distributions maybe, but not the whole thing. This is the main advantage of choice under Linux

      Disclaimer: Arch Linux rules!

      --
      This universe shipped by weight, not by volume. Some expansion of the contents may have occurred during shipment.
    2. Re:Apparently... by geoskd · · Score: 5, Interesting

      Or I could freely go to linux and ditch 99% of my software.

      Fortunately, that is simply not true. The vast majority of software will run under Linux in one way or another. The only major exceptions are games, and even many of those will work.

      The reality that Microsoft has been FUDing around for years is that Linux really is a viable alternative for almost every windows use case.

      Many people have a single application that will not run under windows. Something work related or a specific game. I have two such applications, and I am constantly reminding the developers of those applications that it is a race to see which happens first: they get a Linux version working or one of their competitors gets a Linux version working. I am a relatively small fry, but I am not the only one asking about it. In the mean time, I have two PCs. I have a Linux machine that does my day to day heavy lifting, and I have the windows machine that only ever turns on when I need to run one of those applications (about once or twice a month). The windows Box had automatic updates turned off and gutted the GWX, so I can never again trust it exposed to the network, which is fine because it will never again *be* exposed to the network. I added the cost of the hardware to the cost of the two software packages and that is the end of it.

      It should be noted that the free ( as in freedom ) versions of things I need run just fine on a core 2 quad with 2GB of ram, whereas the windows machine had to be an i5 or better with 4GB just to keep from pissing me off.

      Most everything from a user's perspective in Ubuntu is pretty simple. Although I would call myself a power user, I rarely have to resort to that level to get things done, and even then, it's mostly related to experimentation and learning. For just about everything I have tried to do, a google search for "apt-get xxx" finds exactly what I want.

      The user interface in Ubuntu is "good enough for grandma". With the advent of smartphones and tablets, and the radical differences between how windows works and tablets work, people have been primed to be able to learn some simple differences in UI pretty quickly. Almost everyone I have exposed to Ubuntu has taken to it easily enough. The one exception was completely computer illiterate before we started, and it took him a little longer than otherwise, because computers and tablets / etc... were all new to him.

      --
      I wish I had a good sig, but all the good ones are copyrighted
    3. Re:Apparently... by Aruta · · Score: 1

      Or I could freely go to linux and ditch 99% of my software.

      Did you try, ever?

      After a long time in such denial, I recently migrated my family to Linux. The only thing that doesn't work is the 4th installment of a certain game, and for that I have a dedicated partition with Win. Everything else is on Linux natively or in Wine. Even some applications using Adobe AIR work flawlessly, which I was amazed about.

      (There was a massive rant following this pro-Open Software, but I took my meds and deleted it)

      --
      This universe shipped by weight, not by volume. Some expansion of the contents may have occurred during shipment.
    4. Re:Apparently... by geoskd · · Score: 1, Insightful

      What would stop them? Community uproar? HA!

      It is open sourced and would get forked in a New York minute. People have already talked a good line about another Debian fork just to avoid systemd (although I have yet to see more than just empty rhetoric).

      Even systemd has not been forced on anyone. There is absolutely nothing preventing someone from continuing to use upstart with Ubuntu, or building something better on their own. The reality is that the things about systemd that people don't like are not enough to cause them to do actual work to change, so they live with it. Some of the more savvy ones have taken an active role in helping maintain systemd so they can modify the behavior to better suit their particular desires.

      I actually wish someone would hurry up and complete a Debian fork without systemd just so that we could finally get some idea of the actual popularity (plus we could get side by side comparisons of features and performance), all we have right now is FUD and rhetoric.

      --
      I wish I had a good sig, but all the good ones are copyrighted
    5. Re:Apparently... by johnnys · · Score: 4, Interesting

      What he said.

      A few years ago, I handed a netbook to my 80-year old father-in-law. He was used to a Windows PC, but he was visiting and he wanted to check the BBC website. After about 10 minutes I asked him if he knew that it was running Linux (Xubuntu) and he was surprised, as he had no problems at all doing just what he wanted to do.

      So Linux on the desktop Just Works. It is a genuine and viable alternative to anyone who wants to use a system that isn't continually monetizing *you* as the product to everyone's benefit except you.

      --
      Sometimes the "writing on the wall" is blood spatter...
    6. Re: Apparently... by Anonymous Coward · · Score: 1

      What a weird way of saying you do not have an actual counter argument...

    7. Re:Apparently... by Mitreya · · Score: 2

      The vast majority of software will run under Linux in one way or another.

      Linux did not gain more ground precisely because of this. I believe the devil is in the one way or another part. You probably can get almost any software to work, but it is not a "double-click this" level of effort.

      I usually forget what software I started to install (on CentOS, typically) by the time the 5th library had to be added.

      The only major exceptions are games, and even many of those will work.

      Do you mean natively or through Wine (or such)? With all of the fun of determining the required configuration settings online?

      The user interface in Ubuntu is "good enough for grandma".

      It is really time for someone to do a proper study because I have difficulties believing that statement -- but that's all too anecdotal.

    8. Re:Apparently... by LynnwoodRooster · · Score: 1

      I the real world Linux is vastly superior for the deployments is do for work.

      But apparently using Linux really screws with your ability to write understandable English sentences.

      --
      Browsing at +1 - no ACs, I ignore their posts. So refreshing!
    9. Re:Apparently... by jacekm · · Score: 2, Insightful

      Right. AutoCAD, Photoshop, Microsoft Office just to name a few do not run on Linux. Those are key programs for many professionals.

    10. Re:Apparently... by mattventura · · Score: 1

      I actually wish someone would hurry up and complete a Debian fork without systemd

      What's wrong with apt-get install sysvinit-core?

    11. Re:Apparently... by i.r.id10t · · Score: 1

      There are cross platform programs that many/most of us use, or programs that have cross platform support for the file formats they use. Long ago I got my Mom on OpenOffice, Firefox, Chrome, Thunderbird and GIMP. She recently switched to Linux with no problem, because the apps she was already using were Just There (along with her data after I moved it over)

      --
      Don't blame me, I voted for Kodos
    12. Re:Apparently... by Immerman · · Score: 1

      Inertia can only carry you so far. Especially when 90% of your software probably runs just fine on Linux using Wine.

      If I were feeling cynical I'd almost think Microsoft's shift to Win10 "apps" was at least partially due to Wine support for traditional programs getting dangerously good. Time to add a new layer of incompatibility.

      --
      --- Most topics have many sides worth arguing, allow me to take one opposite you.
    13. Re:Apparently... by TapeCutter · · Score: 1

      Yep. Microsoft's money comes from corporate licenses/partnerships, the programs you listed, plus exchange, msdn accounts. Since my mega-corp employer pays for a full msdn account for devs I can have all that stuff on my home pc too. Most large corporates do this and call it SOE (Standard Operating Environment). There are plenty of *nix variants and open source in the backroom, eg: KVM is popular right now. However a basic fact of business is that if you're a subcontractor/supplier to a mega-corp, you will need at least one of the major windows applications. That may or may not make sense, but as a small-med business owner you can't ignore it and stay in business.

      --
      And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
    14. Re:Apparently... by HiThere · · Score: 1

      The only thing that's wrong with all attempts to avoid systemd ... programs and libraries that depend on it. That KDE is planning to depend on systemd is a clear sign that this is not a minor worry.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    15. Re:Apparently... by maharvey · · Score: 1

      databases of beard hairs on your neck

      Nifty. Download link?

    16. Re:Apparently... by Aighearach · · Score: 4, Interesting

      I've been saying for awhile, post-anti-trust MS has finally realized that they can't leverage a monopoly and so don't gain from having lots of users/followers/fans who won't subscribe. They're in an intensive process right now to drive away the people who don't want to be part of their subscription-based future. Those people are just a dead weight to them, an expense, a liability. They're not the only option, they can't leverage being the default, and there is not significant financial value in being the default anymore. They can't use it to coerce additional payments or higher rates from wholesalers, so there isn't value in it.

      This is probably intentionally designed to drive away people who like to use their compiler, but consider subscription-style information flows to microsoft to be "spyware." Those people will never ever pay for the type of services that MS is building their future around. They are just past lovers who are guaranteed to become disgruntled and angry at some point, because MS has grown in a different direction than them, chosen a new and different lifestyle. It is time for these people to move on, find a new compiler, find a new OS, etc.

    17. Re:Apparently... by Aighearach · · Score: 1

      Remember though, there are lots of people using open source and getting real work done.

      Handwaving and presuming that we must not be doing anything important is not a realistic basis for convincing us that we're not actually getting stuff done. ;) Or is that too anecdotal?

    18. Re:Apparently... by Aighearach · · Score: 1

      That's recycled nonsense of yesteryear. Documents can be opened in other applications, and that has been expected for over a decade. There is no guarantee that you're going to "need" those applications unless your own product or service is within the niche of said application; so if I'm a consultant writing custom photoshop plugins, of course I'll need photoshop. But if I'm offering custom photo editing services, and writing my plugins for internal use in providing the service, then I won't need anything commercial.

      It may be that a corporate process insists on accessing a database with a commercial DRM or something; it is quite possible that if you do generic contract work for corporations you'll need at least one box with each OS so that you can run those types of things to receive information from the client, and to report on progress or deliver data. But that would only be a data interface; there is no reason that any of the actual core work would require some Advanced Proprietary Tool That Sounds Very Important To The Internet.

      That you might eventually have to install some crap Adobe whatthewhat to access a checkbox or data download is "the exception that proves the rule" because even when the exception happens, there is no reason for the actual work to require anything proprietary.

    19. Re:Apparently... by Aighearach · · Score: 1

      That's funny, the movie editing software we have was originally developed as a proprietary in-house tool for... a movie company.

      There is no software without an OSS alternative. I assume your lie is hidden in equivocation and no-true-scotsman about the exact meaning of "equivalent." No, your favorite user interface might not be replicated in the professional tools I use. No, that does not stop me from getting work done, thanks for asking.

    20. Re:Apparently... by Aighearach · · Score: 1

      And by "depend on" he just means, "are required to be installed as a package prerequisite but don't have to be used" and that the only reason for the requirement is the lack of a use case or volunteer interest in maintaining separate packages.

      Doesn't lying about petty shit get boring eventually? Oh, right, I forgot, [pejorative] and [ad-hominem] and [unrelated-successful-software-was-written-by-the-same-guy-so-the-sky-is-falling]

      Your lack of choice is a lie.

    21. Re: Apparently... by geoskd · · Score: 1

      Schematic capture, FPGA design and simulation tools. Multichannel audio and video editing.

      Funny you should mention those. I use gEda quite regularly. Although it is far and gone away from being as powerful as Orcad, it is also free (as in beer), and I am one more tool chain away from MS. The reduced feature set doesn't slow me down enough to justify the yearly maintenance contract.

      All of the FPGA / ASIC design tools I have ever used have been *NIX only tools. Mostly HPUX, but more recently Debian and BSD based, but easy as hell to port to other flavors. I have heard there are windows versions of much of it, but why would I care?

      Last I had heard, pretty much all serious video editing was done on MACs, and not Windows based systems. From my experiences with several windows based Video editing hardware and software setups, I can easily understand why that is.

      As someone else mentioned above, If you insist on backing yourself into a corner with particular design suites, or are simply incapable of learning different software to perform the same task then yes, you will be locked in to whatever vendors have managed to get their claws in you. As an independent contractor, I can underbid most competitors by virtue of having almost zero tools costs. I specify in all bids the additional costs associated with toolchain requirements and let my customers make the decision. Some of them insist on a particular toolset, most go with the cheapest alternative. The key to that flexibility is being able to pick up whatever tool is needed and learn to use it fast (I don't get paid to learn, I get paid to create).

      --
      I wish I had a good sig, but all the good ones are copyrighted
    22. Re:Apparently... by geoskd · · Score: 1

      Linux is still not a credible replacement desktop OS short of simple browsing and media playback.

      Last I checked, browsing, media playback and games were what 85% of the population uses PCs for. That is why tablets and smart-phones are a thing and PCs are slowly losing market share. In a very real sense, Android is the coming of Linux on the desktop...

      --
      I wish I had a good sig, but all the good ones are copyrighted
    23. Re:Apparently... by HiThere · · Score: 1

      I'm relying on reports of what will be required, but lack of someone maintaining separate packages is the probable cause of the requirement. And KDE is just one of the packages that is reported to be planning on eventually requiring systemd, probably for that exact reason.

      Right now there's no problem in avoiding it. Right now I have a partition that works fine without it. But there are a lot of different packages that interact with various services that systemd has merged into its collection. When systemd was just an init package then avoiding it was trivial, but as it adds in more and more system functions, avoiding it becomes increasingly problematic, and as more and more projects and libraries adapt to presuming that it will be present it will become increasingly limiting to avoid it.

      And I still haven't figured out what benefit I'm supposed to get out of this mess. So far I've been able to run equivalent systems both with and without it, but if projects adapt as they've said they will, this won't be true in the future. (KDE was just a notable example, not the sole instance. And so far it seems to be only an announced future dependency, not an actual one.)

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    24. Re:Apparently... by geoskd · · Score: 1

      You are absolutely right in that many, many companies are locked into Microsoft in a severe way, but they have brought it on themselves through their own incompetence. To explain, let me describe a situation I dealt with not that long ago. A company I was working with was releasing a new internal tool. That new tool would be needed in operations, and all of the management team would need to learn how to use it.

      Given that, there are several ways to approach making this particular tool. The tool required extensive interaction with a large database to provide information and record inventory. Given that, there are several front end options, and several back end options. For the back end, option 1 is to deploy database software to existing hardware infrastructure and see if it will be sufficient to the task. Some basic testing would be appropriate to this approach to verify that the hardware and software could handle the load. This was not done, and the system got into production before it was discovered that in spite of Microsoft's assurances, the Windows server based database machines couldn't handle the load, so they had to buy all new hardware, and consequently all new windows licenses, as the database was mssql. Way to lock themselves in on that one. Turns out no other database software was even considered and since they didn't do due diligence, they had no idea it wouldn't work as planned. The better option would have been to at least do some comparison testing between DB options to find out which ones could perform under this type of load. An even better option would have been to limit their selections to only DBs that were platform independent, and could be run on multiple different OS'. That wasn't done either. All down the line it was Microsoft or nothing, without even a look at the alternatives.

      All that pales to the front end idiocy. On the front end, you have several options as well. You could lock in to any of a number of specific OS' by compiling to a specific platform. This is what was done. Again Microsoft was selected without even considering or evaluating any alternatives. The far better solution would have been to go with a browser based application that could have been 100% platform agnostic. That way they could have stuck with Microsoft as the operating system in the future, but were by no means tied to it for the sake of this application.

      When it is all said and done, because this application is tied to windows, the company is committed to an annual cost of $10M in licensing fees to Microsoft just to support this one application (All of the terminals turned out to be dedicated to this one application because their placement in ops rendered them too awkward to use for anything else). That amounts to 5% of the IT operating budget in perpetuity because they chose to lock themselves to Microsoft. Had they gone with the browser option, they could have reduced that cost to just $2M annually (the cost of the DB server licensing).

      When I talk about incompetent IT management, that is what I mean. Continued ignorance and perpetual vendor lock in in this day and age are unforgivable failings of IT management in any company. The only reason it is not the basis for a significant number of shareholder lawsuits is that shareholders understand the technology even less than the IT management does.

      --
      I wish I had a good sig, but all the good ones are copyrighted
    25. Re:Apparently... by Rakarra · · Score: 1

      What would stop them? Community uproar? HA!

      The people who don't like systemd have always greatly overestimated the amount of "community outrage" there actually is.

    26. Re: Apparently... by Rakarra · · Score: 1

      Sounds like you got yourself locked into a shit storm. This is 100% your fault. People doing the same type of work as you get by using other tools. Just because you locked yourself into that toolset does not mean no one else can do that work without those tools. There are tools that exist in Linux that do almost everything you need. No they aren't the SPECIFIC tools you mentioned.

      The alternatives are usually INFERIOR tools to the industry standard, not just "different." GIMP, for instance, doesn't hold a candle to Photoshop. And I've yet to see a movie editor under Linux that is anywhere as close to quality commercial editors as GIMP is to Photoshop.

      Your argument makes you look really dumb. You locked yourself into a way of doing something and now all of a sudden you have no alternatives, and somehow that's the fault of Linux?

      Most people don't care whose fault it is. Fault doesn't matter. What matters is what platforms the programs they need to run are supported under.

      As for games, yea Linux does not have great gaming, so what.

      What a rebuttal!

    27. Re:Apparently... by lgw · · Score: 1

      Gimp is not even close to Photoshop for someone who uses it professionally, rather than just doing a few simple things with it.

      No one has a good alternative to Excel for someone who uses it professionally, rather than just doing a few simple things with it.

      No one has a good alternative to PowerPoint for someone who uses it professionally, rather than just doing a few simple things with it.

      You'd think the latter 2 wouldn't be so hard to replace, but no one in any of the alternative Office products seems to really understand the use cases.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    28. Re:Apparently... by Cochonou · · Score: 1

      I am not sure I really agree for Powerpoint.
      What would you consider to be a professional use of Powerpoint for which there is no other alternative?
      Powerpoint is the undisputed leader in animations and transitions, but I would not call that very professional.

    29. Re:Apparently... by Zontar+The+Mindless · · Score: 1

      I don't think so.

      People who lack the expertise to appreciate the fine points distinguishing Linux distros are very likely to have their needs met by just about any distro. Pick one and slap it on the drive already.

      --
      Il n'y a pas de Planet B.
    30. Re: Apparently... by Zontar+The+Mindless · · Score: 1

      Apparently it is as you seem to be the only one bothered.

      Not the only one.

      --
      Il n'y a pas de Planet B.
    31. Re:Apparently... by lgw · · Score: 1

      Powerpoint is the undisputed leader in animations and transitions, but I would not call that very professional.

      Which is exactly why nothing can replace it. Geeks simply don't understand what salesdroids love so much about PowerPoint. Also: Smart Art.

      --
      Socialism: a lie told by totalitarians and believed by fools.
  4. Next time it will be hidden better by flyingfsck · · Score: 5, Insightful

    I suppose MS will learn from this and hide it better in the future.

    --
    Excuse me, but please get off my Pennisetum Clandestinum, eh!
    1. Re:Next time it will be hidden better by null+etc. · · Score: 4, Insightful

      I suppose MS will learn from this and hide it better in the future.

      Or, they'll just update their operating system to dynamically inject telemetry into every executable that runs.

      Ooops, I hope I didn't just give Microsoft a new idea. Wait, they've probably already thought of it, and more.

    2. Re:Next time it will be hidden better by Anonymous Coward · · Score: 1

      I suppose MS will learn from this and hide it better in the future.

      Which is easy.

      I'm not sure why everyone is so up in arms about this. Microsoft wrote the O/S for heaven's sake. All they have to do is move the call to the appropriate system library, so that telemetry_main_invoke_trigger() is called right before main() is invoked. That way, A) it's not in your binary any more, and B) it gets invoked for all binaries, not just those compiled by Visual Studio C++. Win-Win!

      If you trust Microsoft to not play silly-buggers with your data, or your customer's data, then fine, use Windows. Calling telemetry_main_invoke_trigger() is not a problem, because you trust Microsoft. But if you don't trust Microsoft, then what on Earth are you doing running Windows in the first place?

  5. Re:FUD - no, TREASON by scsirob · · Score: 5, Insightful

    "It is just a way...." Really? REALLY??!? What the h*ll is Microsoft thinking.

    Their compiler should do one thing and one thing only. Take the source and translate its instructions into machine code, so the computer performs the instructions as described in the source. Nothing less. Nothing more. They have NO excuse whatsoever to include extra stuff to their benefit. Just the fact that you defend this behaviour is scary.

    --
    To Terminate, or not to Terminate, that's the question - SCSIROB
  6. HOLY FREAKIN' FRIP-FROP! by Thud457 · · Score: 2, Funny

    Ken Thompson must be spinning in his grave!

    1984 wasn't intended as an instruction manual.

    --

    the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff

    1. Re:HOLY FREAKIN' FRIP-FROP! by vadim_t · · Score: 5, Funny

      He's not dead yet.

    2. Re:HOLY FREAKIN' FRIP-FROP! by Anonymous Coward · · Score: 1

      He's not dead yet.

      All the more reason to spin in his grave.

    3. Re:HOLY FREAKIN' FRIP-FROP! by Anonymous Coward · · Score: 1

      Give it a bit of time. There's only so much air in that coffin and he'll use it up quickly if he keeps spinning like that.

    4. Re:HOLY FREAKIN' FRIP-FROP! by fustakrakich · · Score: 1

      Well, he will be soon, he's very old

      --
      “He’s not deformed, he’s just drunk!”
    5. Re:HOLY FREAKIN' FRIP-FROP! by geoskd · · Score: 5, Funny

      He's not dead yet.

      True, but if this doesn't give him a massive stroke, I don't know what will.

      --
      I wish I had a good sig, but all the good ones are copyrighted
    6. Re:HOLY FREAKIN' FRIP-FROP! by epine · · Score: 1

      Ken Thompson must be spinning in his grave!

      I don't think they've shuffled Ken or his progeny into the Google graveyard just yet. There was a close call a long time ago, but it crawled onto the shore and sprouted lungs (since renamed "types") just in time.

      During 1971 and 1972 B evolved into "New B" (NB) and then C.

      Personally, I don't think he wrote his classic paper about the behaviour of the malicious; he wrote it about the behaviour of the naive, which at the time was an exceptionally wide net encompassing all things digital.

    7. Re:HOLY FREAKIN' FRIP-FROP! by RavenLrD20k · · Score: 1

      He's not dead yet.

      Well he will be soon, he's very ill; despite his claims to be getting better. He really isn't, he'll be stone dead at any moment. Now here's your nine pence.

    8. Re:HOLY FREAKIN' FRIP-FROP! by messymerry · · Score: 1

      DANG! I wish I had some mod points. +1 4 U.

      --
      Dear Microlimp: I give you 2 valid product keys for win7 and you reject both of them. Piss off you wankers!!!
  7. Re:FUD by MightyMartian · · Score: 5, Insightful

    If it's telemetry it's bad. Period.

    Imagine writing highly secure software only to find out the fucking compiler is placing a telemetry backend into the binary. Regardless of the purpose or intent or destination, it's bad.

    --
    The world's burning. Moped Jesus spotted on I50. Details at 11.
  8. MS still the shitheel of the tech world by bazmail · · Score: 5, Insightful

    Embedding malware via their compiler? Wow a new low

    No matter how Nadella tries to spin things and give them a new image, MS still sucks worse than ever.

    1. Re:MS still the shitheel of the tech world by Anonymous Coward · · Score: 5, Funny

      Embedding malware via their compiler? Wow a new low

      No matter how Nadella tries to spin things and give them a new image, MS still sucks worse than ever.

      The moment I'll believe that Microsoft has created a product that doesn't suck is when they start selling vacuum cleaners.

    2. Re:MS still the shitheel of the tech world by Killall+-9+Bash · · Score: 1

      Xbox360 controllers make excellent PC game controllers. I can't think of a 2nd one.

      --
      "Prediction: within 10 years, Windows will be a Linux distribution." Me, 7-6-2016
    3. Re:MS still the shitheel of the tech world by DoofusOfDeath · · Score: 1

      No matter how Nadella tries to spin things and give them a new image, MS still sucks worse than ever.

      I think you're exaggerating, but only slightly. This is probably on par with some of their other, sleaziest moves from years past.

    4. Re:MS still the shitheel of the tech world by Bob+the+Super+Hamste · · Score: 1

      I always like the old MS analogue Sidewinder Joystick and I have an old MS serial (9 pin) mouse that is still nice to use (I found it when my previous mouse died and no place was open) except it doesn't have a scroll wheel.

      --
      Time to offend someone
  9. g++ adds same feature! by Anonymous Coward · · Score: 5, Funny

    Little known fact: g++ has had the same ability to insert spyware for a long time. It's described about line 39885 of the manpage. All you have to do is invoke it via:

    g++ --mrelocate --use-upper-reg-halfs --insert-telemetry-libs --mnetwork-lib --include-nsa-stubs --include-fbi-stubs --omit-eff-stubs --no-powerpc --no-fpu --disable-optimization --use-network-capture-prologs --fuck-snowden --section215-includes --fort-meade-includes --fiveeyes-libs --use-eschelon-libs --omit-greenwald-reporting --prism --enable-gchq-sharing myfile.cpp -o myfile

    That does the same thing as Visual Studio. Easy peasy. Dunno why Microsoft always acts like they invented everything.

    1. Re:g++ adds same feature! by flyingfsck · · Score: 2

      You forgot the Amazon and Google modules. Linux always makes everything so complicated.

      --
      Excuse me, but please get off my Pennisetum Clandestinum, eh!
    2. Re:g++ adds same feature! by maharvey · · Score: 1

      >It's described about line 39885 of the manpage.

      So close, and yet so far... 3985

  10. Bingo by Anonymous Coward · · Score: 5, Interesting

    A Microsoft spokesperson confirmed the existence of this behavior to InfoQ, adding that the company will be removing it in a future preview build

    ...because it was finally discovered. If it hadn't been discovered, does anyone honestly think they would be removing it? Of course not.

  11. Re:FUD by JustBoo · · Score: 1

    VC++ dev manager explained that this is not the telemetry you think it is. It is just a way to gather perf statistic that have been badly named. https://www.reddit.com/r/cpp/comments/4ibauu/visual_studio_adding_telemetry_function_calls_to/d30dmvu MS does a lot of shady things, but that isn't one of those.

    Hey man. I have a bridge in Brooklyn that is for sale. You need to buy it, no really, you too can own a bridge.
    Hey man. I have a deed to the moon. You need to buy it, no really, you too can own the moon.
    Hey man. I have pictures of your mom. You need to.... Yeah.

  12. Ken Thompson's compiler attack by LichtSpektren · · Score: 1, Interesting

    Even if this telemetry were perfectly innocent (likely not, if Windows 10's spyware is any indicator), the fact of the matter is that Microsoft have now compromised their own compiler using Ken Thompson's compiler attack.

    When will this madness end? Is MS now just an arm for the NSA?

    1. Re:Ken Thompson's compiler attack by courteaudotbiz · · Score: 1

      To answer your questions:
      - no
      - yes
      period.

      Welcome to surveillance land, where all you do is tracked. Every executable you run, every website you visit, every IP you are connected with, all this linked to your real ID with the help of mobile carriers and ISPs.

    2. Re:Ken Thompson's compiler attack by HiThere · · Score: 1

      I'm still willing to consider the possibility that "NSA_KEY" may have been something innocent. Possibly. Nobody ever demonstrated what the key did.

      What this appears to do is add a couple of hooks to something that is, at the moment, approximately harmless. I.e., it appears that currently what it saves, it only saves to a local file, and the items saved seem probably harmless...depending on what the program does. So this doesn't appear to provide remote access to the information. Of course, which this does looks like depends on external libraries, which could be changed if there's dynamic linking.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
  13. Re:FUD by Khyber · · Score: 2

    "It's for catching application crashes."

    And if an application crashes - that's what DRWATSON is fucking for. NOT telemetry code insertion.

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
  14. Backdoored compiler by sinij · · Score: 1

    When you consider that MS backdoored OS, compromised compiler is, comparatively, much lesser sin.

    1. Re:Backdoored compiler by LichtSpektren · · Score: 1

      When you consider that MS backdoored OS, compromised compiler is, comparatively, much lesser sin.

      Not at all. I can avoid their OS. I have almost no way of knowing what binaries were compiled by VS.

    2. Re:Backdoored compiler by mrchaotica · · Score: 1

      Realistically, is anybody likely to use the Microsoft toolchain to compile software for any platform other than Windows? I doubt it. Therefore, considering the fact that Windows 10 (and patched versions of 8.1 and 7) are spyware at the OS level anyway, this compiler-trojaned-application issue is only of real concern among users of carefully-unpatched older Windows versions.

      --

      "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

    3. Re:Backdoored compiler by ceoyoyo · · Score: 1

      Easy enough. Just avoid their OS, it gets you two for one. Or do VS binaries run on other OSes now?

    4. Re:Backdoored compiler by tepples · · Score: 1

      Just avoid their OS

      Even if I do, my customers are unwilling to.

    5. Re:Backdoored compiler by ceoyoyo · · Score: 1

      Lucky for you. People who use Windows have lots of problems they have to pay other people to fix.

  15. Re:Sneaky Devils by vtcodger · · Score: 2

    What is this obsession with spying on users? Seems to me that the potential benefits to MS, Google, et al. are pretty limited and the risks of eventually getting hit with one or more serious class action suit(s) are substantial -- especially when (not if, when) their data bases are breached and vast amounts of personal information on users are exposed to the world. Am I missing something, or are the folks guiding these companies steering them toward potential big trouble?

    --
    You can't see ANYTHING from a car, You've got to get out of the goddamned contraption and walk...Edward Abbey
  16. Re:FUD - no, TREASON by Viol8 · · Score: 4, Insightful

    Debugging symbols and hooks should be an OPT IN you idiot. Even if they're harmless they slow down the program and make the binary larger.

  17. Hello, world! by __aaclcg7560 · · Score: 2

    You would think that the IDE would be smart enough not to insert extraneous calls for trivial programs.

    1. Re:Hello, world! by __aaclcg7560 · · Score: 1

      it's the compiler, idiot, nothing to do with the IDE

      IDE stands for Integrated Development Environment. That includes the compiler.

      it still happens if you run the compiler from the command line

      I wasn't aware that VS2015 C++ was available for Linux.

    2. Re:Hello, world! by __aaclcg7560 · · Score: 1

      Linux is an operating system kernel, not a command line program such as cmd.exe or bash (or command.com).

      I commonly use the command line on Linux via SSH or serial console. If the Linux box has a GUI available, I'll have several terminal windows open and nothing else.

      There very much is a command line version of the Visual Studio compiler, which is what the IDE invokes.

      When I went to community college to learn computer programming after the dot com bust, we had to learn all flavors of Java because the CIS department couldn't afford to renew the Microsoft site license. Apparently, no one could learn how to program C++ without Visual Studio. Local employers demanded that students be well versed in Visual Studio. The dean wanted to teach C++ from the Linux command line, but was told by the powers that be that he could not without Visual Studio. When the site license got renewed, none of the lab computers were powerful enough to run Visual Studio .NET. After that got fixed, no instructor ever used the command line with Visual Studio.

    3. Re:Hello, world! by Dwedit · · Score: 1

      You're going to get junk for every trivial program no matter what. It includes the CRT or runtime library into all statically linked programs, no matter how much of the CRT or runtime library it actually needs.
      The only way to not get junk is to turn on "ignore all default libraries", which is tough to do, but possible. You lose a lot of features of the compiler, such as the built-in standard library, converting floats to ints, etc.

      Here's a minimal Hello World program that includes no junk whatsoever:
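      #include <windows.h>

      /* Write a NUL-terminated string to stdout using only kernel32 calls (no CRT). */
      void PutText(const char *str)
      {
              HANDLE standardOutput = GetStdHandle(STD_OUTPUT_HANDLE);
              DWORD written = 0;
              int len = lstrlenA(str);
              /* lpNumberOfBytesWritten may be NULL only when lpOverlapped is non-NULL,
                 so pass a real DWORD for this synchronous write. */
              WriteFile(standardOutput, str, (DWORD)len, &written, NULL);
      }

      /* Custom entry point; the linker's entry point setting must name this function. */
      int EntryPoint()
      {
              PutText("Hello World!\n");
              return 0;
      }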

      You need to adjust linker settings, you turn on "Ignore Default Libraries", then change the entry point to EntryPoint.
      After doing this, you get a 2.5K EXE file, where each section (.text, .data, .rdata) contains nothing extraneous at all, except for the padding to 512 byte alignment.
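
The section layout described in the comment above can be checked directly from a binary's headers. The following is an added example, not part of the original comment or of any Microsoft tooling: a small PE section-table reader that reports how much of each section's on-disk size is content and how much is padding to FileAlignment. The sample image, its section sizes and the function names are constructed for the demo.

```python
import struct

SECTION_FMT = "<8sIIIIIIHHI"                 # IMAGE_SECTION_HEADER
SECTION_SIZE = struct.calcsize(SECTION_FMT)  # 40 bytes


def parse_sections(image: bytes):
    """Return (file_alignment, sections) read from a PE image's headers."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)       # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = pe_off + 4                                       # IMAGE_FILE_HEADER
    opt = coff + 20                                         # optional header
    if opt + 40 > len(image):
        raise ValueError("headers truncated")
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):                         # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    # FileAlignment sits at offset 36 in both PE32 and PE32+ optional headers.
    (file_align,) = struct.unpack_from("<I", image, opt + 36)
    table = opt + opt_size
    if table + nsect * SECTION_SIZE > len(image):
        raise ValueError("section table truncated")
    sections = []
    for i in range(nsect):
        name, vsize, vaddr, raw_size, raw_ptr, *_ = struct.unpack_from(
            SECTION_FMT, image, table + i * SECTION_SIZE)
        used = min(vsize, raw_size)      # bytes of real content stored on disk
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize,
            "raw_size": raw_size,
            "raw_offset": raw_ptr,
            "padding": raw_size - used,  # filler up to the alignment boundary
        })
    return file_align, sections


def summarize(sections):
    """Return (content_bytes, padding_bytes) summed over all sections."""
    padding = sum(s["padding"] for s in sections)
    return sum(s["raw_size"] for s in sections) - padding, padding


def build_sample() -> bytes:
    """Constructed PE32 headers with three sections; sizes are made up."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                   # e_lfanew
    opt = bytearray(224)                                    # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)         # Section/FileAlignment
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, len(opt), 0x0102)
    rows = [(b".text", 0x4B, 0x1000, 0x200, 0x400),
            (b".rdata", 0x9A, 0x2000, 0x200, 0x600),
            (b".data", 0x10, 0x3000, 0x200, 0x800)]
    table = b"".join(struct.pack(SECTION_FMT, n, vs, va, rs, rp, 0, 0, 0, 0, 0)
                     for n, vs, va, rs, rp in rows)
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table
    return image.ljust(0xA00, b"\0")                        # 2560-byte file


if __name__ == "__main__":
    align, secs = parse_sections(build_sample())
    print(f"FileAlignment = {align}")
    for s in secs:
        print(f"{s['name']:<8} content={s['virtual_size']:>4}  "
              f"on-disk={s['raw_size']:>4}  padding={s['padding']:>4}")
    print("content/padding totals:", summarize(secs))
```

To inspect a real build, pass the file's bytes (for example `open(path, "rb").read()`) to `parse_sections` in place of the constructed sample.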

    4. Re:Hello, world! by __aaclcg7560 · · Score: 1

      Your college was really dumb.

      That's what the local employers in Silicon Valley wanted. Fewer C++ programmers, more Java programmers.

    5. Re:Hello, world! by __aaclcg7560 · · Score: 1

      I'm different AC, but I'm not sure what you're implying with your command line story.

      My programming experience is mostly the command line on Linux or Mac. My limited experience with Visual Studio on Windows has always been the GUI. It never occurred to me that Visual Studio may have command line functionality.

  18. Now we know by Alumoi · · Score: 5, Funny

    What compiler MS used for Windows 10.
    'We did not add any telemetry in Windows 10. It was the compiler, I tell you.'

    1. Re:Now we know by LichtSpektren · · Score: 1

      Reminds me of those scammers that call people and say "Hi we're from Microsoft and we found a virus on your computer. Do you want us to clean it?" Then they pass the phone to somebody in the sales department to peddle some 'antivirus suite' (really malware). The scammer technically didn't sell you anything so he's not liable for it; he just told you something (outrageous as it may be) and forwarded your call to somebody to sell you something.

  19. Ken Thompson Attack by goombah99 · · Score: 5, Insightful

    Boy this is at the scale of the Ken Thompson attack. Compilers that insert backdoors

    http://c2.com/cgi/wiki?TheKenT...

    --
    Some drink at the fountain of knowledge. Others just gargle.
    1. Re:Ken Thompson Attack by Geoffrey.landis · · Score: 4, Informative

      Reading through the long Reddit thread, it looks as if the "telemetry" call saves the telemetry data locally; it does not seem to export it. So it's hard to call it "inserting backdoors".
      From https://www.reddit.com/r/cpp/c...

      [–]flashmozzg 68 points 1 month ago
      Apparently it's only VS15 feature. It logs at least when your app is executed. You can access logs via logman and tracerpt. Some investigation was done here recently: (lang: Russian) https://habrahabr.ru/post/2813...

      [–]sammiesdog[S] 30 points 1 month ago
      Are the logs a local feature (i.e. stays on the user's computer)?
      And can it be disabled?

      [–]flashmozzg 29 points 1 month ago
      Seems to be that way. At least right now they only keep main invoked/returned, exit/abort called and such. Nothing serious.
      The suggested way to disable it is adding this to your project:

      extern "C"
      {
              void _cdecl __vcrt_initialize_telemetry_provider() {}
              void _cdecl __telemetry_main_invoke_trigger() {}
              void _cdecl __telemetry_main_return_trigger() {}
              void _cdecl __vcrt_uninitialize_telemetry_provider() {}
      };

      --
      http://www.geoffreylandis.com
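
Added example (not part of the comment above and not Microsoft's code): a Python check that parses a COFF object file's symbol table and reports which of the four symbol names from the quoted workaround the object defines or only references. The sample object is constructed inside the script, and the helper names are this example's own.

```python
import struct

# Symbol names taken from the workaround quoted above.
TELEMETRY_SYMBOLS = (
    "__vcrt_initialize_telemetry_provider",
    "__telemetry_main_invoke_trigger",
    "__telemetry_main_return_trigger",
    "__vcrt_uninitialize_telemetry_provider",
)

COFF_HEADER = struct.Struct("<HHIIIHH")  # IMAGE_FILE_HEADER, 20 bytes
COFF_SYMBOL = struct.Struct("<8sIhHBB")  # IMAGE_SYMBOL, 18 bytes
SECTION_HEADER_SIZE = 40
IMAGE_SYM_CLASS_EXTERNAL = 2


def read_symbols(obj):
    """Yield (name, section_number, storage_class) for each primary symbol
    of a classic COFF object (not /bigobj, not an import library)."""
    if len(obj) < COFF_HEADER.size:
        raise ValueError("too short for a COFF header")
    _mach, _nsec, _time, symtab, nsyms, _opt, _flags = COFF_HEADER.unpack_from(obj)
    strtab = symtab + nsyms * COFF_SYMBOL.size
    if symtab == 0 or strtab + 4 > len(obj):
        raise ValueError("no usable symbol table")
    (strtab_size,) = struct.unpack_from("<I", obj, strtab)
    strtab_end = min(strtab + strtab_size, len(obj))
    index = 0
    while index < nsyms:
        raw, _value, section, _type, storage, naux = COFF_SYMBOL.unpack_from(
            obj, symtab + index * COFF_SYMBOL.size)
        if raw[:4] == b"\0\0\0\0":
            # Names longer than 8 bytes live in the string table.
            (offset,) = struct.unpack_from("<I", raw, 4)
            start = strtab + offset
            end = obj.find(b"\0", start, strtab_end)
            if offset < 4 or end < 0:
                raise ValueError("corrupt string table reference")
            name = obj[start:end]
        else:
            name = raw.rstrip(b"\0")
        yield name.decode("latin-1"), section, storage
        index += 1 + naux  # skip auxiliary records


def telemetry_hooks(obj):
    """Map each telemetry symbol present to 'defined' or 'referenced'."""
    found = {}
    for name, section, storage in read_symbols(obj):
        if storage != IMAGE_SYM_CLASS_EXTERNAL:
            continue
        for wanted in TELEMETRY_SYMBOLS:
            # 32-bit x86 C name decoration prepends one more underscore.
            if name in (wanted, "_" + wanted):
                # Section 0 means undefined here: another object must supply it.
                found[wanted] = "defined" if section > 0 else "referenced"
    return found


def build_sample_object(symbols, machine=0x8664):
    """Constructed test input: one empty section header plus external symbols
    given as (name, section_number) pairs."""
    records, strings = b"", b""
    for name, section in symbols:
        encoded = name.encode("ascii")
        if len(encoded) <= 8:
            raw = encoded.ljust(8, b"\0")
        else:
            raw = struct.pack("<II", 0, 4 + len(strings))
            strings += encoded + b"\0"
        records += COFF_SYMBOL.pack(raw, 0, section, 0x20,
                                    IMAGE_SYM_CLASS_EXTERNAL, 0)
    symtab = COFF_HEADER.size + SECTION_HEADER_SIZE
    header = COFF_HEADER.pack(machine, 1, 0, symtab, len(symbols), 0, 0)
    section_header = b".text".ljust(SECTION_HEADER_SIZE, b"\0")
    return (header + section_header + records
            + struct.pack("<I", 4 + len(strings)) + strings)


# Constructed sample, not taken from a real build.
SAMPLE_OBJECT = build_sample_object([
    ("main", 1),
    ("__telemetry_main_invoke_trigger", 1),       # stubbed in this object
    ("__telemetry_main_return_trigger", 1),       # stubbed in this object
    ("__vcrt_initialize_telemetry_provider", 0),  # only referenced
])

if __name__ == "__main__":
    for symbol, state in telemetry_hooks(SAMPLE_OBJECT).items():
        print(f"{state:10} {symbol}")
```
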
    2. Re:Ken Thompson Attack by ljw1004 · · Score: 5, Insightful

      Boy this is at the scale of the Ken Thompson attack. Compilers that insert backdoors

      http://c2.com/cgi/wiki?TheKenT...

      No it's not. Ken Thompson's work was beautiful and subtle - a compiler disguised all evidence of its backdoor even when you write code to search for these backdoors or when you compile the compiler itself.

      If Ken Thompson had gone on stage to say "hey guys I made a compiler which inserts a call at the entrypoint of your program" -- well, that's trivial.

    3. Re:Ken Thompson Attack by Insanity+Defense · · Score: 3, Interesting

      So what happens to it then? Does a Windows component detect it and send it on?

    4. Re:Ken Thompson Attack by AntronArgaiv · · Score: 4, Informative

      Boy this is at the scale of the Ken Thompson attack. Compilers that insert backdoors

      http://c2.com/cgi/wiki?TheKenT...

      No, I think that requires one more level of indirection -- reinserting the backdoor in the compiler when it is recompiled without the backdoor.

    5. Re:Ken Thompson Attack by dmbasso · · Score: 1

      Indeed, Microsoft has been sloppy, as always. But don't worry, next time there will be no evidence of spying being done.

      --
      `echo $[0x853204FA81]|tr 0-9 ionbsdeaml`@gmail.com
    6. Re:Ken Thompson Attack by Billly+Gates · · Score: 1

      Well what would be the purpose of telemetry if it never leaves the hard disk?

      Obviously there are more undocumented calls to then move that saved data locally outward.

  20. So far so bad by Impy+the+Impiuos+Imp · · Score: 3, Insightful

    I see a call for telemetry_main_invoke_trigger and telemetry_main_return_trigger

    Did he ever find out what feed_all_keystrokes_and_web_sites_to_nsa does?

    There is no return version of this, because history shows a nation never returns from it.

    --
    (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
  21. Re:Where's the outrage over Firefox's telemetry? by LichtSpektren · · Score: 2, Insightful

    Because you can turn it off easily and clearly. It's not stealthily inserted into binaries you compiled.

  22. Re:Where's the outrage over Firefox's telemetry? by Aruta · · Score: 5, Insightful

    Difference, and it's a whopping one, is that the Firefox telemetry is fully documented on, shock-horror, the Mozilla site. You get it clear and simple, and if you don't like it, you don't use it.

    The MS stuff was undocumented, and now they are making up BS excuses as to how it's for the developer's benefit.

    --
    This universe shipped by weight, not by volume. Some expansion of the contents may have occurred during shipment.
  23. Re:Just the compiler doing its job by __aaclcg7560 · · Score: 1

    The naughty bit still needs twiddling.

  24. Re:Sneaky Devils by johnnys · · Score: 1

    Either one of two things happens:

    1. Nothing bad happens - Company makes lots of money - C*O makes big bonus/stock options/whatever - Profit!!!

    2. Bad things happen - Company is sued/destroyed/bankrupt - C*O gets fired - Golden parachute kicks in with lots of money - Profit!!!

    --
    Sometimes the "writing on the wall" is blood spatter...
  25. Re:Sneaky Devils by TroII · · Score: 1

    Am I missing something, or are the folks guiding these companies steering them toward potential big trouble?

    Surely "big trouble" is reserved for the guys who don't cooperate with NSA and friends. All of this spying is probably of some marketing value to Microsoft, but I'm thinking the real benefit is a cozy arrangement with big brother.

  26. A new take on a classic... by fuzzyfuzzyfungus · · Score: 1

    It's so heartwarming to see the long-theorized 'backdoor the compiler' attack finally gaining commercial acceptance and enterprise support!

  27. VS dev manager's response by MrVictor · · Score: 1

    Steve Carroll, the dev manager for the Visual Studio diagnostics team, responded directly to these concerns on Reddit. The rest of that whole thread is pretty informative as well.

    Visual Studio adding telemetry function calls to binary?

    1. Re:VS dev manager's response by MrVictor · · Score: 1

      Ah fuck. His comment was already linked in TFA. /faceplam

    2. Re:VS dev manager's response by MrVictor · · Score: 1

      /facepalm

      too much coffee

    3. Re:VS dev manager's response by fnj · · Score: 1

      /facepalm

      too much coffee

      No, no, it's OK. We figured that.

  28. Classified or secure operations invalidated by goombah99 · · Score: 5, Interesting

    So one can imagine a case where a program crashes and sends telemetry to microsoft from inside a secure computing environment or otherwise exports secret business data. This could invalidate MS from all government computing.

    --
    Some drink at the fountain of knowledge. Others just gargle.
    1. Re:Classified or secure operations invalidated by Anonymous Coward · · Score: 1

      After the W10 spyware fiasco MS should already be barred from *ANY* secure computing environment, not just government computing. I'm sitting here happily waiting for MS's telemetry data store to be hacked and to find that anything whatsoever of my company's data has been leaked onto the internet.

      When that happens my legal team will be launching lawsuits before the news feed of the hack has even finished rendering.

    2. Re:Classified or secure operations invalidated by HiThere · · Score: 1

      s/could/should/

      I note the claim that this only stores stuff locally, so it MAY not be that serious. Depending. But this has no business being there at all, and it adds hooks that could be activated later.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    3. Re:Classified or secure operations invalidated by eth1 · · Score: 1

      So one can imagine a case where a program crashes and sends telemetry to microsoft from inside a secure computing environment or otherwise exports secret business data. This could invalidate MS from all government computing.

      It wouldn't just affect MS software, but anything from anyone with any component built with MS development tools, anything built by tools built by MS dev tools, etc.

    4. Re:Classified or secure operations invalidated by ausekilis · · Score: 1

      If it's truly a secure computing environment then it wouldn't be an issue in the first place... there would be air gaps and physical security mechanisms in place.

    5. Re:Classified or secure operations invalidated by DeVilla · · Score: 1

      I haven't touched Windows 10. I'm curious how well it will operate in an air gapped environment. Does it support offline updating?

  29. Re:What about Rust? Is it any better? by Killall+-9+Bash · · Score: 2

    If you're gonna say the same shit again and again day after day, can you at least make it funny? Luddite programmers use C++, while enlightened programmers know that only rust apps app appy apps....?

    --
    "Prediction: within 10 years, Windows will be a Linux distribution." Me, 7-6-2016
  30. Source is not enough by Holi · · Score: 1

    And this shows you why access to the source code is not enough to audit software.

    --
    Sorry, teleporters just kill you and then make a copy. A perfect, soul-less copy.
  31. Telemetry! by MrVictor · · Score: 2

    "Telemetry! Telemetry! Telemetry!" seems to have been the decree screamed from the ivory tower of MS leadership to the devs crafting Win10.

    Seems like desperate flailing to maximize profits from the terminally declining Windows hegemony.

  32. Re:FUD by Anonymous Coward · · Score: 1

    Excuse me? What? Why do I want MS collecting ANY statistics on MY program? Who authorized that? I don't care WHAT the MS shill is claiming...and 'poorly named my ass'...they got caught & now scrape up an excuse they think you'll buy. O, and let's be clear here, these are entirely undocumented calls, if they wanted you to know about them & make a conscious decision to use them they'd document them & require a flag to compile them (e.g. 'opt-in') NOT a flag/command to strip them out (opt-out).

    If this isn't enough reason to drop anything MS related then there is no hope for you.

  33. Re:FUD by LynnwoodRooster · · Score: 1

    And that is exactly what it does. Of course, your code probably also calls - and links in - a lot of THEIR code and THEIR code adds the extra bits. Which means you really didn't do YOUR job and think about the implications of what external code you added to yours before you released it to your customers.

    --
    Browsing at +1 - no ACs, I ignore their posts. So refreshing!
  34. Re:FUD by MightyMartian · · Score: 1

    Oblivious to an undocumented telemetry function? Or oblivious to the fact that using Microsoft development tools means you're sending out vulnerable binaries that send potentially unknown data to an external server on the Internet?

    --
    The world's burning. Moped Jesus spotted on I50. Details at 11.
  35. Re:Car Example by __aaclcg7560 · · Score: 1

    A few years back, I was in a car wreck. Therefore, my house tried to kill me.

    That's what you get for driving forward when you meant to drive out of the garage in reverse. Being drunk and beating your spouse doesn't help either. :P

  36. Should be actionable by mlwmohawk · · Score: 1

    There needs to be a law, if one can not be found that can already cover this, but "faithful" generation of object code from source code is, by definition, what a compiler does. There MUST be *some* product law that covers intentionally inserting functionality without the user's knowledge.

    1. Re:Should be actionable by swb · · Score: 1

      Doesn't the law generally exclude software from "fitness for a particular purpose" and "free from defects"?

      It used to seem that these were exclusions that let them just sell buggy software with no consequences, I'd imagine they figure it allows them to insert spyware, too.

      I weep for the idea we'll never get a comprehensive privacy law that makes this and all the other forms of commercial electronic surveillance without extremely explicit permission illegal. The major technology players are too invested in it, the FBI/NSA/etc snoops like to be able to acquire it via NSL and the fucking elected "representatives" are simply too bought and paid for to care about anything other than their political contributions.

  37. Re:Missed Opportunity by ledow · · Score: 1

    To be honest, if they'd named them "_main_support" or "_internal", nobody would have been any the wiser.

    Lucky that they left the function name, with obvious telemetry marker, in the data areas of the executable, or you'd not know or suspect what was happening without actually disassembling the thing.

    Hell, surely an optimised/stripped executable wouldn't show them anyway, so you have really no way of knowing whether someone's put these into major parts of Windows, drivers or applications.

    As always, without the source, you really have NO idea what these things are doing. And, hell, even an old 1MByte DOS game with plain interrupt calls and obvious code paths can take YEARS to properly disassemble and work out what it's actually doing.

  38. Re:Where's the outrage over Firefox's telemetry? by MrVictor · · Score: 1

    Thank %DEITY% for the hacking community who I'm sure will get to the bottom of their insane bullshit with disassemblers and packet sniffers.

  39. Re:FUD - no, TREASON by squiggleslash · · Score: 1

    Take the source and translate its instructions into machine code, so the computer performs the instructions as described in the source

    Unfortunately, that's not been true ever since the first version of ANSI C was released, the most common word in the spec being "undefined."

    (TBH, this sounds like a storm in a teacup. So some code that, despite the name, turned out to be debugging/profiling crap got into the compiler? So what? Other than minor performance impacts that obviously are so minor nobody noticed, I'm failing to see how anyone was harmed by this.)

    --
    You are not alone. This is not normal. None of this is normal.
  40. Re:What about Rust? Is it any better? by HiThere · · Score: 1

    Is Visual Studio even a compiler? To me it sounds like an IDE. Didn't the compiler used to be called "Microsoft C++"?

    Of course, it's possible that the compiler is the one inserting the code, but it could also be the IDE applying a binary patch.

    This is just nitpickery, as I don't use either, but the story seems to need more precision.

    --

    I think we've pushed this "anyone can grow up to be president" thing too far.
  41. They plan to out-Google Google by Anonymous Coward · · Score: 1

    Microsoft is clearly planning to move to a future in which they, with total control of the desktop, have a better ability to spy on, and advertise to, users than companies like Google who only have access to the browser activity of users. They have seen Google become far more powerful (even becoming embedded into the White House and several other national governments) and wealthy while making and selling NOTHING as Microsoft was actually making and selling both hardware and software. They seem to have decided that the future will be a free OS with free desktop and free browser that is ubiquitous and that spies maximally and advertises mercilessly, and makes Google and Facebook etc obsolete second class citizens in a commercial sense (because THOSE companies will have far less access to user info than the company that controls the computer).

    This explains why they are forcing everybody to move to Windows 10 with who-knows-what built-in spying AND who-knows-what built-in ability to quietly install more remote controls, spying and updating later. Why else would they have done so many "free" upgrades from relatively recent OS versions when in the past they charged around a hundred dollars for each upgrade? Even the tawdry update from DOS 6.2 to DOS 6.22 cost users nearly a hundred dollars for no real improvement.

    To achieve their aims, they need everybody to move to the newest flavor of Windows that has been rebuilt with the modern support mechanisms they are putting in place. Users with older versions of Windows that pre-date the strategy shift and lack the new remote control/monitoring/updating/telemetry/etc capabilities need to be replaced. After everybody is on Win10, any future discovery of spying in/by Windows can be apologised for as a "misunderstanding" and then be quietly and secretly replaced by a new and different back-door in a future automatic update using the new "features" built into Windows 10 and newer.

    This newly-discovered junk only shows that they have reached the point of even glomming onto the applications that users and other vendors build with MS tools to run within the new "Big Brother" versions of the MS "life experience". This proves that even programs like Chrome or Firefox, when built with modern Microsoft tools and run on Windows 10 and beyond are not trustworthy and not secure.

  42. Poison pill puts publishers in legal jeopardy by mileshigh · · Score: 1

    Most of us now have privacy policies where we disclose what data we collect and what we do with it. If that disclosure is defective, you're in legal jeopardy for failure to disclose. Thanks for the poison pill, MS!

    And, haven't they considered that the whole Apple/FBI thing might have implications for them and their developers, just maybe? If not legal issues, then PR at the very least? Stunning!

  43. Is this in Microsoft's shipping products? by DoofusOfDeath · · Score: 3, Interesting

    I assume that Microsoft compiles its shipping products with some form of Visual C++.

    Does anyone know if these telemetry calls are made inside those products? For example, inside Microsoft's shipped versions of SQL Server?

    And if so, does this mean using those products for handling HIPAA or PCI workloads is illegal?

    1. Re:Is this in Microsoft's shipping products? by F.Ultra · · Score: 1

      Good question. We know for sure that they do not compile them with an out of the box version of Visual Studio since all their programs link with the C runtime provided with Windows (msvcrt.dll) and not with the compiler specific version that you have to install separately (vcredist) so we know that they "do something" with Visual Studio that we normal mortals do not.

    2. Re:Is this in Microsoft's shipping products? by MightyMartian · · Score: 1

      If it is doing undocumented dumps of data or program state, then yes, it very well could violate many jurisdictions' privacy and accountability laws, even where the data isn't directly leaving the system.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
  44. Re:Not really a solution by HiThere · · Score: 1

    Actually, there *is* a solution to the problem as stated, though it's too much work to bother with when the better answer is to just use a different compiler. But you could build something to go through your binaries and dummy out all links to those libraries.

    OTOH, when they control the OS, a better solution is to go elsewhere. If you MUST use MSWind, run an old version in a virtual environment with either no net access, or very tightly filtered. And to move rapidly away from any applications that depend on it.

    P.S.: How long can FreeBSD be trusted now that MS is submitting code to them? And there are definitely problems with Linux security.

    HINT: If you want real security, stay off the internet. Nothing else really works. If you don't need quite that much, perhaps a different one of the BSDs would suffice. But for most purposes Linux is safe enough, so far. (I am a bit paranoid about systemd, but nobody has shown that it's actually malicious rather than just autocratic. Example: I install a systemd based Linux in a separate partition and it renders my current partition unbootable until I go in and do a bit of hand editing of fstab, and then reinstall grub. [Once upon a time I would have just hand edited the grub files directly, but grub2 changed that!])

    --

    I think we've pushed this "anyone can grow up to be president" thing too far.
  45. Re:FUD by fnj · · Score: 1

    And that is exactly what it does. Of course, your code probably also calls - and links in - a lot of THEIR code and THEIR code adds the extra bits. Which means you really didn't do YOUR job and think about the implications of what external code you added to yours before you released it to your customers.

    Oh, for christ almighty sake. Could you possibly be any more of a sellout?

  46. Could be worse... by Mysticalfruit · · Score: 1

    The function could have been "windows_10_forced_install"

    --
    Yes Francis, the world has gone crazy.
  47. Re:Microsoft/Google/CIA/Facebook/Twitter/more spyw by maharvey · · Score: 1

    That is an interesting article.

  48. Re:What about Rust? Is it any better? by firewrought · · Score: 1

    I'm with you AC... I insist that any programming language I use have multiple implementations that are fully and independently audited by sentient supercomputers who have proven their virtue in trial-by-combat with enraged swamp gorillas.aa.uao.ua3u3!#Pi derp

    Just kidding! I pick the best tool for the job. If secure programming were paramount, then I'd (personally) be more successful in Rust than C++. YMMV. (BTW, good luck getting an independent audit for your proprietary compilers.)

    --
    -1, Too Many Layers Of Abstraction
  49. Re:Sneaky Devils by macs4all · · Score: 1

    What is this obsession with spying on users?

    It all started with NSAKEY...

  50. Re:Not really a solution by macs4all · · Score: 1

    Looks like the solution is to statically link function stubs. Which means a smart dynamic linker could very easily undo this. And if they were brazen enough to add this to the compiler in the first place they are brazen enough to "fix" the binary with a smart dynamic linker.

    But then there really is no solution as the exec dispatcher and dynamic linker could always implement some form of telemetry.

    The real solution is an OS vendor that is not going to pull tricks like this.

    Wait! I know of one who doesn't...

  51. Microsoft = Government by axewolf · · Score: 1

    They are acting as the same entity.
    I don't understand how you deny this let alone not come to this conclusion yourself. The fact that two entities of comparable size that have been caught doing the same thing should be some clue. Not to mention the many ways that they are deeply in bed with each other.

    Is it too much to put together for yourself?
    There is no terrorism threat.

    Complete surveillance has been brought into existence to control you, you are considered to be the potential "terrorist". Every single one of us is. The purpose is to ensure that the transition from human labor to robotic/computerized labor is "smooth". Meaning no one tries to stop the destruction of the vast majority of the population.

    'But wait, what? You mean to say that people who have no use to society won't be supported by society?'
    People who do not have work run amok, regardless of any comforts they have.

    Consider that the psychology of the average person is a known system. Consider the example of the effectiveness of advertising or politics. It's easy to tell people what they want to hear, and even easier now because most of their thoughts are being directly monitored through surveillance and mined for patterns.
    Basically these people could be convinced that everything that is bad for them is good, and it would be a short matter of time until they destroy themselves.
    Genocide through manipulation.

    But how on earth to describe this to anyone in such a way that they don't reject it immediately? Is there any hope?

  52. Doesn't make sense by threc · · Score: 1

    If this was meant for perf and debugging with the PDB, then why would it be linking the .obj file for telemetry_main_invoke_trigger and telemetry_main_return_trigger into a retail executable? The retail executable should have all debug symbols stripped. That is the point of retail, right?

    Furthermore logging when executables start and close doesn't seem too useful when investigating performance problems. Carroll says that the feature was abandoned, so perhaps that's why it seems mostly useless. However this feature is not useless if the purpose is to determine which programs the user runs and for how long. I'm suspicious enough about Windows 10 to suspect that's already happening at other levels.

    Yep, looks like it does: http://winaero.com/blog/how-to...

    data about how you use Windows, such as how frequently or how long you use certain features or apps and which apps you use most often

    One way to find out if these functions were intentionally meant to explicitly spy on userland programs would be to check whether it is enabled for executables contained within Windows 10. If it is in Win10 exes, and telemetry_main_invoke_trigger is truly useless, I wonder whether it will be removed in the future when Windows gets rebuilt with a newer compiler.

    --
    What do you get when you cross a mountain-climber with a mosquito? Nothing! You can't cross a scaler with a vector.
    1. Re:Doesn't make sense by BradleyUffner · · Score: 1

      If they wanted to see what applications are being used and for how long, it would be FAR easier, reliable, and less risky to Microsoft's reputation to just have the operating system record and report that data. Having to rely on users to be running applications that just happened to be compiled with this version of the compiler seems hugely unreliable. Not to mention that it would only report on those specific apps, not apps built by other means.

      I'm more apt to chalk this one up to something that got left over from development and testing than something inserted maliciously. I mean, if you are going to do something that risky, at least make the reward something more valuable than a half-assed list of apps being run.

  53. Re: What about Rust? Is it any better? by Aighearach · · Score: 3, Insightful

    No, you're just lying about what the FOSS position ever was.

    Nobody ever said, "having a lot of users means their eyeballs are looking for unknown bugs."

    The position was always that when you have a known bug, more eyeballs makes the bug shallower. It is easier to solve known problems when the information is available, and lots of people (who are presumably affected by the problem) can look at it. Some of them will have more insight into the causes than others, because of different backgrounds and use cases.

    When you have to lie about what people say just to argue against it, that pretty much refutes not just your claims, but your claim to have even considered the issue. I reject that your analysis was even well-considered. You are just trolling, in addition to being wrong on the merits.

  54. Re: FUD by MightyMartian · · Score: 1

    And even if it isn't telemetry in the sense that it is sending information to the mothership, it means it is still dumping debug code somewhere, even if it's just on your hard drive, which means that on every person running the bloody binary, it's dumping debug code to their hard drive, with the potential of security breach and, if nothing else, just making the application slower. It is always bad form to have debug code active in a production environment. Always.

    --
    The world's burning. Moped Jesus spotted on I50. Details at 11.
  55. Out of Curiosity by ytene · · Score: 1

    Do you happen to know if any of the release notes with the early-preview code disclose the fact that the builds include this telemetry?

  56. Re:Truly old news by MightyMartian · · Score: 2

    And how many binaries are out in the wild now that are happily dumping debug data in production environments? Just because from now on the compiler doesn't perform what really is a very bad fucking idea doesn't mean that binaries compiled while it was doing this moronic and stupid thing aren't creating potential security and usability issues.

    --
    The world's burning. Moped Jesus spotted on I50. Details at 11.
  57. Re: What about Rust? Is it any better? by Bob+the+Super+Hamste · · Score: 1
    --
    Time to offend someone
  58. Re:FUD by Aighearach · · Score: 1

    It is just a way to gather perf statistic...

    What happens when you figure out that that is exactly what the complaint is? And that many consider it "shady?" ;)

  59. David A. Wheeler Defense to Ken Thompson Attack by tepples · · Score: 4, Interesting

    Ken Thompson's work was beautiful and subtle - a compiler disguised all evidence of its backdoor even when you write code to search for these backdoors or when you compile the compiler itself.

    True. But that works only when there's one compiler available for a particular language. If you bootstrap a compiler with three independent compilers, the backdoor is highly unlikely to persist into all three according to "Diverse Double-Compiling" by David A. Wheeler. Compile the compiler A with multiple compilers B, C, and D, and then compile A with (A compiled with B), (A compiled with C), and (A compiled with D), and you end up with (A compiled with A), (A compiled with A), and (A compiled with A). If they're identical, then B, C, and D have either no backdoor or an identical backdoor. Which is more likely?

    Of course, all this requires that source code for A be available to the public or at least to a person trusted by the public to release compiler binaries. This is true of TCC, GCC, and Clang, not so much for Microsoft C++.
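
Added illustration of the procedure in the comment above (not the commenter's or David A. Wheeler's code): a toy Python model in which a hash stands in for a compiler's output bytes, showing why the stage-1 binaries differ while the stage-2 binaries must match. All names and the placeholder source string are constructed for the example.

```python
import hashlib
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Binary:
    image: str            # digest standing in for the bytes on disk
    implements: str       # the source whose code generator this binary runs
    trojan: bool = False  # carries a hidden, self-propagating payload


def run(compiler, source, compiler_source):
    """Model running `compiler` on `source`.

    A trojaned compiler that recognises `compiler_source` (the source of
    compiler A) plants its payload in the output, which makes the output a
    trojaned compiler in turn.
    """
    infected = compiler.trojan and source == compiler_source
    # Output bytes depend on the code generator in use, the input source and
    # any injected payload; nothing else.
    blob = "\0".join((compiler.implements, source, "payload" if infected else ""))
    return Binary(hashlib.sha256(blob.encode()).hexdigest(), source, infected)


def diverse_double_compile(source_a, bootstraps):
    """Return {bootstrap name: (stage-1 image, stage-2 image)}."""
    results = {}
    for name, boot in bootstraps.items():
        stage1 = run(boot, source_a, source_a)    # A compiled with B
        stage2 = run(stage1, source_a, source_a)  # A compiled with (A compiled with B)
        results[name] = (stage1.image, stage2.image)
    return results


def disagreeing(results):
    """Bootstraps whose stage-2 image differs from the most common one.

    Disagreement means "investigate", not "guilty": if most bootstraps carry
    the same trojan, the clean one is the outlier, and if all of them carry
    it, nothing disagrees at all.
    """
    counts = Counter(stage2 for _, stage2 in results.values())
    majority, _ = counts.most_common(1)[0]
    return sorted(name for name, (_, stage2) in results.items() if stage2 != majority)


def bootstrap(name, trojan=False):
    """A constructed stand-in for an independent bootstrap compiler."""
    return Binary(image=f"vendor-{name}", implements=f"{name} source", trojan=trojan)


SOURCE_A = "source of compiler A (constructed placeholder)"

if __name__ == "__main__":
    one_bad = diverse_double_compile(
        SOURCE_A, {"B": bootstrap("B", trojan=True), "C": bootstrap("C"), "D": bootstrap("D")})
    print("stage-2 disagreement:", disagreeing(one_bad))
```
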

    1. Re:David A. Wheeler Defense to Ken Thompson Attack by tepples · · Score: 1

      It can be done, as you later admit, regardless of there being multiple compilers for that language.

      My point was that the Ken Thompson attack isn't quite as relevant for closed source compilers, as they're already less trustworthy for other reasons.

  60. Re:FUD by Aighearach · · Score: 1

    Imagine writing highly secure software only to find out the fucking compiler is placing a telemetry backend into the binary.

    Many people are in a hard position here, because they have decades of bad-mouthing FLOSS and they're too embarrassed to want to say, yeah, this implies that people have to have access to the source to know if trust is reasoned.

  61. Debug vs. release is a false dilemma by tepples · · Score: 1

    Performance tuning is useless in a debug build.

    There exist builds other than release and debug, such as profiling builds. These are in fact designed for performance tuning.

  62. Re:MS's compiler by Z00L00K · · Score: 1

    Even then the EULA might not be valid, it depends on which country you are in.

    --
    If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
  63. Re:FUD by MightyMartian · · Score: 1

    And apparently some of these disgusting sociopathic creatures have mod points.

    Here's a bit of advice, MS shill. Being a shill is the lowest activity there is. There are people that eat dog feces who I'd rate higher than a shill.

    --
    The world's burning. Moped Jesus spotted on I50. Details at 11.
  64. Re: What about Rust? Is it any better? by macs4all · · Score: 1

    No, you're just lying about what the FOSS position ever was.

    I reject your premise on its face.

    I know what my intent was, and it was NOT to DECEIVE. Now, I might have been (probably was) MISTAKEN about some people's OPINION about what is meant by the "Many Eyes" effect; but that most assuredly does NOT mean I was "LYING".

    And BTW, I wasn't.

  65. Re:Not really a solution by macs4all · · Score: 1

    https://support.apple.com/ipho...

    Yeah they do not gather telemetry AT ALL.

    I would say they are even worse than MS.

    Care to post a link to something OTHER THAN the Top of the iPhone Support site?

    How about THIS, for example? Simple, no legalese, all laid out in one easy-to-read document.

    Now, wanna compare that to Microsoft? Let me know when you get done chasing down all Links on that page...

  66. Python binaries for windows are compiled with VS by Rasta_the_far_Ian · · Score: 1

    Considering that the binaries provided by the Python project are generally compiled with Visual Studio, and considering that many if not most new comp sci / programmers now learn Python, this is especially troubling.

    It is my hope that the Python BDFL and Python Software Foundation will move away from Visual Studio for Python binaries before long ...

  67. Re: FUD by cbiltcliffe · · Score: 1

    I write a standalone program. I include no network functionality whatsoever. Are you seriously telling me I should have to run a network sniffer against it because I don't know what it's doing on the network, and if I don't, it's somehow my own fault for not knowing what it's doing?
    I wrote the fucking thing, and didn't tell it to communicate over the network. In what fucked up world should I expect it to make network connections, when I haven't programmed it to?!

    --
    "City hall" in German is "Rathaus" Kinda explains a few things......
  68. Application Insights by Smirker · · Score: 1

    VS2015 Update 2 introduced IDE support for Application Insights, an Azure-hosted desktop/web application performance and error analytics service. We use it at my work - it's great and super easy to get up and running and use. I assume these are just enabling methods for generic application-wide logging/telemetry-based functionality, and I'd put my money on them not sending any telemetry data by themselves. The word "telemetry" in the method names was probably a bad choice, considering how many of you it spooked.

  69. Re: FUD by MightyMartian · · Score: 1

    Go away APK

    --
    The world's burning. Moped Jesus spotted on I50. Details at 11.
  70. This can be disabled by bitwise+counselor · · Score: 1

    This nuisance can be disabled by linking "notelemetry.obj", though this shouldn't be necessary; just Microsoft things.

  71. Re:Where's the outrage over Firefox's telemetry? by Waccoon · · Score: 1

    It's not always so clear and simple, as from within the browser itself, Firefox isn't always honest about how its features work.

    My favorite example is the offline content feature checkbox that reads, "Tell me when a website asks to store data for offline use". In fact, if you enable that checkbox, the browser will only alert you if the web site wants to store an excessive amount of data in a single request. A special, separate config setting must be changed to "actually" alert you of any data stored. Even with this checkbox enabled, the browser would happily save offline data without notifying me, often with web pages storing in excess of 20MB of data. So, the browser will tell you when data is stored... unless it won't.

    Documented or not, doing sneaky stuff in the background is just the norm these days.

  72. How to Use This For Fun and Profit by stoicio · · Score: 1

    Steps to follow:

    Wait for all public and government organizations to install programs compiled with this.

    1.) make malware that collects the local crash reports and data dumps.

    2.) focus attention on crashing commonly used user interface libraries instead of the MS malware

    3.) wait until a large number of users have installed your global crash vector.

    4.) send signal to turn on crashing globally

    5.) direct emails or background FTP of collected crash data through TOR or other obfuscation

    6.) sift through the data of world governments at your leisure.

    Go get em!

  73. spyware by darkob · · Score: 1

    Why is spyware now called "telemetry"? They should be held responsible...

  74. Re: FUD by Zontar+The+Mindless · · Score: 1

    Ever hear of Steve Barkto?

    --
    Il n'y a pas de Planet B.