
Microsoft Back to Basics

Posted by on August 6, 2015.

Following on to Kevin Townsend’s post “Windows 10 makes Google look like it still does no evil” (love that title) – there is much in Win10 to be concerned about; some of which has already made its way into Win7.

Microsoft has gone back to basics. In the early days, their claim to fame was strong-armed marketing combined with ease of deployment (i.e., turn everything on). I still remember the day two MS reps had a meeting with my CIO and me. We were using Novell with directory services. The reps told us Novell would be out of business in 12 months. If we did not switch to Microsoft now (which did not have a directory service at that point), our own business would break. My CIO politely asked them to leave. That really did happen and a decade later, that organization was still on Novell. Yet the MS campaign did work and Microsoft won the battle, but it did leave a trail of distrust. Before I continue, let me say there is a lot I like about Microsoft (and Win10). I have Macs, PCs and Linux boxes – my main squeeze for a desktop is Windows.

Back to basics is now strong-armed deployments with everything turned on – as in Opt-Out not Opt-In. Kevin covered much of this in his excellent post, but I also have some additional concerns thrown in for fun.


 

First, the legal aspects of the agreement you are executing with Win10:

“Finally, we will access, disclose and preserve personal data, including your content (such as the content of your emails, other private communications or files in private folders), when we have a good faith belief that doing so is necessary…”

How does this work if you are required to keep documents and records confidential (health profession, legal profession, et al.)? And before you say businesses will be deployed differently, some are small and don’t have IT departments.

We continue with the Privacy Statement and things get a bit creepy:

“Interests and favorites. We collect data about your interests and favorites, such as the teams you follow in a sports app, the stocks you track in a finance app, or the favorite cities you add to a weather app. In addition to those you explicitly provide, your interests and favorites may also be inferred or derived from other data we collect.”

“Contacts and relationships. We collect data about your contacts and relationships if you use a Microsoft service to manage contacts, or to communicate or interact with other people or organizations.”

“Usage data. We collect data about how you interact with our services. This includes data, such as the features you use, the items you purchase, the web pages you visit, and the search terms you enter.”

It bears repeating, there are 13 pages of privacy settings in Win10. Here is a good review: https://fix10.isleaked.com/


 

Next, we have the new telemetry system called “Asimov” which can be used to monitor the usage of your Windows 10 computer in real time. The claim is all data will be anonymized or maybe that is the “your interests and favorites may also be inferred or derived from other data we collect.” Someone has created a registry-setting tool to stop the telemetry data and you can read more about that here: http://news.softpedia.com/news/this-little-app-disables-all-windows-10-tracking-features-488510.shtml

However, if you think staying on Win7 will keep you from that telemetry data grab, think again! I was recently troubleshooting a bunch of errors in an event log on Win7 referencing “utc.app.json”. Long story short, telemetry data grabbing was added to Win7 via KB3022345. You can read about that in the release notes: https://support.microsoft.com/en-us/kb/3022345. The claim is this only happens if you participate in the CEIP. I do not participate in the Microsoft Customer Experience Improvement Program but the KB was loaded and producing errors.
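A quick way to check a Windows 7 host for the update and the errors described above, as an added example that is not from the original post. The `DiagTrack` service name (the Diagnostics Tracking Service), the choice of the Application and System logs and the 30-day window are assumptions; the post does not say which event log held the errors.

```powershell
# Added example: audit a host for the telemetry update named in the post.
$kbId     = 'KB3022345'               # update named in the post
$needle   = 'utc.app.json'            # file name the post saw in event-log errors
$logNames = 'Application', 'System'   # assumption: post does not name the log
$since    = (Get-Date).AddDays(-30)   # assumption: look-back window

# 1. Is the update installed on this machine?
$hotfix = Get-HotFix -Id $kbId -ErrorAction SilentlyContinue

# 2. Is the Diagnostics Tracking Service present, and in what state?
#    (Service name is an assumption, not taken from the post.)
$svc = Get-Service -Name 'DiagTrack' -ErrorAction SilentlyContinue

# 3. Error-level events whose message mentions the file from the post.
#    Level 2 = Error. Get-WinEvent raises an error when nothing matches,
#    so errors are silenced and the result is forced into an array.
$filter = @{ LogName = $logNames; Level = 2; StartTime = $since }
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$needle*" })

# 4. Summarise. New-Object is used so this also runs on PowerShell 2.0,
#    which is what Windows 7 ships with.
$summary = New-Object PSObject -Property @{
    Computer       = $env:COMPUTERNAME
    UpdateId       = $kbId
    UpdatePresent  = [bool]$hotfix
    InstalledOn    = if ($hotfix) { $hotfix.InstalledOn } else { $null }
    ServicePresent = [bool]$svc
    ServiceStatus  = if ($svc) { $svc.Status } else { 'NotInstalled' }
    MatchingErrors = $events.Count
}
$summary | Format-List

# Show the most recent matching events for triage.
$events | Select-Object -First 5 TimeCreated, LogName, ProviderName, Id |
    Format-Table -AutoSize
```

Run it from an elevated prompt so the System log is readable; a host with `UpdatePresent` true and a non-zero `MatchingErrors` count matches the situation the post describes.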


 

It does not end there – you now are part of a delivery system. Your PC will now feed software updates to other Win10 machines in a BitTorrent like collective. Windows Update Delivery Optimization lets you get Windows updates and Windows Store apps from other PCs that already have them. Depending on your settings, Windows will then send parts of those files to other PCs on your local network or PCs on the Internet that are downloading the same files.

Gee, I wonder if that is enabled by default. If you want to turn it off, you will not find it in the Privacy settings. No, for this you go to Settings / Update and Security / Windows Update. Nope, not there yet – click Advanced Options. Nope, not yet – now choose how updates are delivered. It might be handy to pick “just other PC’s on my network” – yet I have a little trust issue at this point. You can read more about this setting from The Windows Club here: http://www.thewindowsclub.com/turn-off-windows-update-delivery-optimization


 

Oh yes, there is more! How would you like to share your WiFi key with all your Facebook, Skype and Outlook contacts? Miss a click and that too will happen. This “feature” lets you share your personal WiFi access by taking your WiFi password, storing it at Microsoft and then delivering it to all your contacts.

WiFi Sense, like everything else, is enabled by default. You must, however, elect to share a network, which can be as simple as clicking [Yes] inadvertently during a WiFi connection.

I’m so glad they added WiFi Sense, because of all the issues I have with my computers and networks – the one thing I’ve always wanted to do was blast my router password to all my contacts and have it stored at Microsoft. Here is how to disable it: http://www.surfacetablethelp.com/2015/07/how-to-disable-or-turn-off-wifi-sense-in-windows-10.html

Here is more info on the controversy from one of the preeminent InfoSec personalities, battling it out with ZDNet: http://krebsonsecurity.com/tag/wi-fi-sense/


 

How long ago was Windows 10 released!?!? On the bright side, Microsoft proper documents much of this. The fact that you have to Opt-Out is upsetting. The privacy fears are more than concerning. As Kevin pointed out, “At first glance, Windows 10 is no less intrusive than the worst of Google; and potentially more so since its basis is the operating system rather than just the browser.” We are talking about the whole operating system. Yet we have pretty much been living like this on our smart phones and tablet devices.

I am convinced we have lost most if not all privacy in the new world of Tech Toys. And while I have been resigned to that thought process for some years, Windows 10 appears – at least to me – to be the next major leap down the PIT. There are many voices supporting every one of the items listed above as non-events blown out of proportion. I see it as a Sea Change in the thought process of individuals and companies. Only standing laws made notification of such potential invasions of privacy documented. The elected implementation of said potential invasions is dubious at best. The real problem is well beyond the switches, settings and disclaimer jargon. The problem actually brings us back to basics. Technology makes all of this tracking and aggregating possible and out of the control of the individual. It was never designed to be secure and as such, it was never designed to be private.



Submitted in: Expert Views, Martin Zinaich