EU Still Concerned about Windows 10 Privacy Settings

We all should be concerned about the privacy settings in Windows 10. And we should be glad that the EU has the regulatory authority to do something about it.

Posted on February 28, 2017 at 6:25 AM • 58 Comments

Comments

WinterFebruary 28, 2017 7:02 AM

@Ion
Privacy is a political problem which has only political and legal solutions. There is no sustainable technical solution. So it is correct that the EU enforces the laws of the country onto companies working in their jurisdiction.

David K. M. KlausFebruary 28, 2017 7:17 AM

When support for Windows 8.1 ends is the latest I'll be switching to some version of Linux.

I've learned new operating systems many times over the last 35 years. I can do it again if I have to, and the Windows 10 privacy settings will be making me do just that.

IonFebruary 28, 2017 7:38 AM

So they are right to enforce Authoritarianism.

BTW Winter, EU is not a country. But that is secondary I guess.

keinerFebruary 28, 2017 7:57 AM

"Microsoft should clearly explain what kinds of personal data are processed for what purposes. Without such information, consent cannot be informed, and therefore, not valid."

...should cost them 10 Mio a day, at least.

IonFebruary 28, 2017 8:09 AM

ROFLMAO

Right.

The State should punish Microsoft although I bet you don't know one single case of a person kidnapped and beaten for refusing to buy a Windows laptop.

Yet none of you seems to give a fly's behind for paying for a nuclear arsenal, paying thugs to go kill people whose only sin is to not be born white and christian, and so on.

Yea! Microsoft should pay! It should pay your pension plan too.

AnuraFebruary 28, 2017 8:25 AM

@Ion

How is Microsoft being punished? What's wrong with requiring transparency on the usage of our information?

Clive RobinsonFebruary 28, 2017 8:33 AM

@ Ion,

So they are right to enforce Authoritarianism

All legislation can and will be viewed by some people as "Authoritarian", that is the nature of the human race, even excluding those with sociopathic traits and similar.

However legislation can be viewed as a way of encoding societal norms such as "Thou shalt not kill" etc.

Citizens in general accept legislation they can see as being for the common good, and some will protest laws they see as unjust or against the common good.

Various EU countries having been in what quite a few would regard as authoritarian control as part of the CCCP have seen where a lack of privacy leads to and thus are against any plans to reduce or remove privacy.

There is little evidence that a massive intrusion into privacy --that the US and UK want-- will achieve anything other than increases in authoritarian behaviour from Politicos and their paymasters... And many are keen to avoid such intrusion.

In the EU various pieces of new US legislation are seen as being not just undesirable, but actively designed to turn service / OS / App suppliers into the instruments for "collect it all" US IC. Worse is the Cloud fetish; the US IC agency actively attacking the likes of Google's backend site to site communications has woken many up to the idea that any data in the cloud is openly available to the Five Eyes and similar to their potential harm. Hence they do not want the "Instrumentation" of their privacy by anybody at any time.

They view it as equivalent to "Big Brother overlooking the bedroom, toilet and other private places in their homes", especially as they know they will be "rated" by such intrusion.

For some reason unknown to those living outside the US, US citizens in general appear to be lacking in basic understanding of what privacy is and why it is essential to society. Some put it down to the propaganda of the US Government and the outrageous behaviour of the political parties and their plutocracy backers, others that the average US Citizen has been brainwashed.

StephanFebruary 28, 2017 9:01 AM

@Ion: Basically it is easy. A company in country A wants to sell its products in country or region B (as the US is no country, as you pointed out). Because of this the product must comply with the laws of said country or region.

Another argument for enforcing laws is that consumers sometimes have no choice since there is no alternative. There are multiple other operating systems out there (e.g. Linux, which was invented by a European). However, since MS has a quasi monopoly on business application support, there is little chance to migrate away from Windows. In case you deal with computers you might have encountered that a lot of people for some reason do not regard *.odf but want *.docx.

Btw: I do not want to give my consent to extracting all my personal data.

BabakFebruary 28, 2017 9:08 AM

I made this BAT file based on what I saw in www.blackviper.com.
Copy and paste the lines below into Notepad, then save it as, for example,
Win10-Myservices.bat and run it as admin. It disables Windows 10 services.

REM Custom Windows XP Pro Services Control Batch File
REM File from www.blackviper.com
REM Run from an elevated (Administrator) command prompt; "sc config" needs admin rights.
REM The space after "start=" is required by sc.exe.
REM LanmanWorkstation is the SMB client (disabling it removes access to network shares)
REM and Netlogon is needed on domain-joined machines; drop those lines if you need them.

sc config Browser start= disabled
sc config BthHFSrv start= disabled
sc config bthserv start= disabled
sc config CDPSvc start= disabled
sc config HomeGroupListener start= disabled
sc config HomeGroupProvider start= disabled
sc config LanmanServer start= disabled
sc config LanmanWorkstation start= disabled
sc config lfsvc start= disabled
sc config lmhosts start= disabled
sc config MSDTC start= disabled
sc config Netlogon start= disabled
sc config NetTcpPortSharing start= disabled
sc config RasAuto start= disabled
sc config RasMan start= disabled
sc config RemoteRegistry start= disabled
sc config SSDPSRV start= disabled
sc config TrkWks start= disabled
sc config vmicrdv start= disabled
REM end file

IonFebruary 28, 2017 9:13 AM

@Stephan so you just explained why it is good for companies to sell to you-name-your-fav-dictatorial-regime.

And if you do not give your consent, you do not use that program. As you have already underlined, there is a choice. Otherwise it is like selling your kidney, taking up the money, then explaining your right to bodily integrity.

@Anura that is a non sequitur which can be easily mistaken for a straw man. Anyway, let's assume your cute slogan "What's wrong with requiring transparency on the usage of our information?" This way your next door neighbor might have a right to install microphones and cameras in your home because someone has been doing xxxx with data only a neighbor might have.

If transparency is a buying argument, closed source is a dubious choice if not worse.

This transparency argument is also both ridiculous and hypocritical given the political systems in use today.

keinerFebruary 28, 2017 9:21 AM

...didn't know yet that Micro$oft is a "Gov't thing". Interesting. So Trump canceled the Feb patch day?

AnuraFebruary 28, 2017 9:26 AM

@Ion

that is a non sequitur which can be easily mistaken for a straw man. anyway, let's assume your cute slogan "What's wrong with requiring transparency on the usage of our information?" this way your next door neighbor might have a right to install microphones and cameras in your home because someone has been doing xxxx with data only a neighbor might have.

...

For the record, my position is that organizations should be transparent, individuals have the right to privacy.

bobFebruary 28, 2017 9:31 AM

@Ion A choice? There's two main operating systems and one main "office" package. What choice? What a fucking stupid argument.

parabarbarianFebruary 28, 2017 9:43 AM

This is a paper tiger snarling. What is the EU gonna do? Stop allowing Windows to be used in Europe?

Not very likely. More likely is that MS will make a few cosmetic changes, contribute money to the right people and then Windows 10 will be blessed by the powers that be.

WinterFebruary 28, 2017 10:05 AM

"This is a paper tiger snarling. What is the EU gonna do? Stop allowing Windows to be used in Europe?"

Fine billions of euros? Many billions. Incarcerate MS CEOs? They already did the former long enough to get MS to abide by the law.

And then the various EU governments can require interoperability of office applications by law.

anonGFebruary 28, 2017 11:23 AM

Well it doesn't immediately concern me or my family.
I have OpenBSD and Mint Linux on my laptop. I recently switched my parents' and my sister's computers to Mint. I even changed an old computer my uncle had in his office after he got some ransomware from his email.

If someone is using his computer for simple tasks like web surfing and text editing I don't see the point of sticking with Windows.
Linux is safer and almost free from viruses.
Maybe Debian would be a better choice but I chose Mint since it was running out of the box and Debian didn't support my CPU.

National ruinFebruary 28, 2017 12:06 PM

@Clive Robinson

...propaganda... [or] brain washed...

Yes to both!

In the US the news agencies are all controlled, therefore it becomes propaganda pushed by somebody with an agenda. This is why Snowden went primarily to a non-US news agency! He knew what was going on in that respect.

And the US school system is split into two kinds: a) ivy league schools that teach the rich to become good authoritarian dictators... and b) public schools that teach the masses to be pliable followers of authoritarian discipline as well as to be less smart. Hence the brainwashing in both camps, which goes contrary to what the original US founders established.

Not to mention the food supply (hormones, pesticides, GMO's, etc) and entertainment industry that encourages people to be more aggressive and barbaric...

Altogether these things are a vicious race to the bottom, and it will end in total national ruin at some point, and take the rest of the world with it. Mark my words.

Tin HatFebruary 28, 2017 12:21 PM

With my locked down Windows 10 machine, it still tries to make thousands of ***outbound*** contacts to MS every day, and in particular to login.live.com.

I can only surmise MS trying to extract detailed personal data from users for marketing purposes with this intense level of surveillance.

But, it's all disguised with SSL, which for all intents is not secure because any IT corporation, crook or government now can crack it via CDN MITM exploits, crooked certificates, crooked CA's or even direct feeds off the wire.

Seems the main purpose of SSL is to provide security theater for end users.

I think our only hope is one day they truly go "too far" to the point people will unite and march in the streets until we get our data secured and for certain private again. Maybe, summarily confiscating bank accounts, openly selling personal data of everyone, etc. will be a trigger.

The downside is the willingness of end users to be abused seems endless.

Nickie HalflingerFebruary 28, 2017 12:45 PM

@Anura:

Remember Corporations (organizations) are people too, or so says SCOTUS. Thus shouldn't they have privacy? :)

I'm still waiting for a corporation to be thrown in jail!

keinerFebruary 28, 2017 1:09 PM

@Nickie H

That's the REASON why there are Corps. Dilute responsibility and profit until nobody can identify where they go...

Ergo SumFebruary 28, 2017 4:07 PM

@Tin Hat...

With my locked down Windows 10 machine, it still tries to make thousands of ***outbound*** contacts MS every day, and in particular to login.live.com.

I can only surmise MS trying to extract detailed personal data from users for marketing purposes with this intense level of surveillance.

Don't feel bad, Windows 7 and 8.1 do the same since Microsoft retrofitted these OSs with surveillance, oops, telemetry. For that matter, starting with MS Office 2013, the office suites from the DVD have this "feature" as well. Don't even bring up Office 360 that is being given away for almost free...

I do agree that the collected data is for marketing purposes and it's probably more valuable, since it can positively identify the end user and monitor every activity by the user. Even if one were to use a secure VPN, or other connections, the OS will have access to all that is being transferred prior to it being encrypted. Just think for a moment how valuable this data is for intelligence agencies.

In my view, it isn't the agencies that collect most data, even if they do their share. It's companies like Apple, Google, Microsoft, etc., who do the collection most of the time...

Clive RobinsonFebruary 28, 2017 4:14 PM

@ Gerard van Vooren,

I am sick and tired of it.

It would appear you are not the only one; a number of the regular posters now hardly post at all. And those of us still here post less and less.

The problem is that it was once possible to have an interesting leading edge technical blog without politics or other human failings getting either a toe hold or a strong reaction. Now the Politicians and many of their scumbag followers have stuck their snouts in the technical trough big time, bringing their midden heaps with them to befoul the place.

Gerard van VoorenFebruary 28, 2017 4:39 PM

@ Clive Robinson,

I also think that the problem these days is, let's face it, Bruce. There is simply too much non-tech. I am quite aware of what is going on in the world of politics but there is only that much negativism one can handle.

Well, I will stick around but it ain't what it used to be.

PeteFebruary 28, 2017 4:54 PM

We switched to Linux full-time at home in 2008, except for 1 system that runs Quicken and Media center. It is a Win7 box now - obviously, we have worked hard to prevent Win10 updates - even had to roll back once.
I decided about a year ago, it was safer to stop patching Win7 than to use Windows on the internet. I'd wasted probably 20 hrs trying to stop their bad patches from violating our privacy when I finally gave up and installed from backups and disabled all patching. Haven't had any issues since.

At work, my boss asked me to come up with a plan to replace 22K disconnected Windows systems with Linux. I ran some numbers and we couldn't do it. The time to recoup those costs would be over a decade and it would require at least 5 yrs. Too much high-cost custom software purchased from external vendors which would require tens of millions to rewrite.

Any company that forces OS-level updates without permission needs to be fined 100% of their world-wide profit for 5 yrs, at a minimum. They need to be held accountable. Hopefully, Europe will get them.

I'd like to see large companies required to provide software support for at least 5 yrs after the physical HW was sold to an end user too. Been very unhappy with google recently. Their idea of EOL and my idea for a $650 phone are very different.

I don't have an issue with MSFT choosing their business model. If they want to show ads, great. When they want to violate my privacy without EXPRESSED PERMISSION EVERY TIME, then I have an issue. Settings that control this stuff should be clear and work. Every time they don't, $10K fine, per incident. That isn't just for MSFT, but **every** company that might have personal data. The cost of violation needs to be painfully high or nothing will change.

I do have an issue with Win10 and will do everything I can to never have to give MSFT any money, in any way, ever again, though I think exFAT will force my hand. Need a new camera.

Sorry for the rant. More and more, I'm building my own systems to do the common things based on Linux. Much more likely to be maintained and open than any other solutions I've found.

Clive RobinsonFebruary 28, 2017 5:17 PM

@ Ergo Sum,

In my view, it isn't the [National SigInt] agencies that collect most data, even if they do their share. It's companies like Apple Google, Microsoft, etc., who do the collection most of the times...

It depends on "who the target is" to some extent. It is possible to use the Internet and avoid using the "snoopware" of the US Big Five Corps. Thus the national SigInt agencies still have to Vampire the major arteries to get at the life blood of those who choose not to play in the Corporate tar pits.

The problem for the SigInt agencies is "crypto workload"; even quite poor security products and protocols put quite a few rocks in the way and thus eat resources. In the past the US SigInt agency --and I assume other national SigInt agencies likewise-- exploited the corporate "private leased line" backhauls between data centers, thus getting past the Internet link encryption security end point.

People need to keep this in mind when they think about their security. If the SigInt agencies can not get beyond the "security end point" at the corporate end, then they are going to use other techniques... Starting with least effort stuff such as MITM attacks with faux certificates and getting beyond the security end point at the client end. If that fails then traditionally they would look to exploit weaknesses in Standards, Protocols and Implementations.

However the new game of corporates making money through "collecting PII for commerce" is a target rich environment for SigInt agencies and they will get access one way or another be it overt or covert. The SigInt agencies would prefer fully covert but will go with what they can get, especially if a big chunk of the "analytics work" has already been done for them[1] by the Corps.

Thus as an individual you need to consider how you keep your PII and thoughts Private. Obviously you need to work well beyond the security end points, further than a SigInt agency can reach. Also avoid, where possible, any comms system that has a hub beyond your control, thus P2P is preferable to client-server etc etc.

As was noted in another thread the other day, Osama Bin Laden used an ordinary computer with communications by trusted couriers carrying USB Thumb/Memory drives. The computer was of sufficient age that it did not have built in WiFi and other comms beyond an ordinary users control. Thus it was beyond the SigInt agencies reach.

[1] There is a problem with using such processed results. As you go from raw data to processed data you lose information and you add assumptions. That is, the analytics lenses are filters and colour the results, and it is unlikely that the analytic filters of a large corporate are going to align with those of a SigInt agency. Thus even though processed, the data is of less direct use to the SigInt agencies than the raw bulk data. Worse for the data subjects is that the SigInt agencies "kill people by metadata" and corporate data is directed at maximizing revenue, thus tends to be speculative not definitive. Do you really want someone to decide you are probably Muslim because you buy a lot of beard grooming products, then have a SigInt agency work on that assumption as though true?

Dirk PraetFebruary 28, 2017 5:27 PM

@ Gerard, @ Clive

How come there is always at least one dickhead or moron in this kind of news item threads? ... I am sick and tired of it.

Same thing here. The discussion to trolling ratio is completely out of control on this forum. I don't mind discussing the political side of things, but for a lot of people it just seems impossible to do so in a civilized way.

@ Pete

We switched to Linux full-time at home in 2008, except for 1 system that runs Quicken and Media center.

You don't need Windoze for a Media Center. Switch to OSMC, i.e. Kodi (xbmc) on a Raspberry Pi. Latest version is 17 (Krypton). Handles all your media and home theater needs. I set one up for a friend last week. He now has access to about 1.200 tv channels (iptv), 8.000 radio stations, thousands of movies and hundreds of thousands of songs. On top of a totally organized photo, video and music collection of his own. And did I mention it's all free?

John SmithFebruary 28, 2017 5:54 PM

Pete's comment:

"At work, my boss asked me to come up with a plan to replace 22K disconnected Windows systems with Linux. I ran some numbers and we couldn't do it. The time to recoup those costs would be over a decade and it would require at least 5 yrs. Too much high-cost custom software purchased from external vendors which would require tens of millions to rewrite."

I run Win7 under Virtualbox on Linux hosts, for Win applications that I still need to use. It mostly works well, except for applications that need a medium-to-high end graphics card (CAD packages etc).

Was the Virtualbox solution infeasible, in your situation?

My InfoFebruary 28, 2017 7:14 PM

Thieves in Law

"Encryption technology should not prevent law enforcement agencies or other competent authorities from intervening in the lawful exercise of their functions," an EC spokesman said in response to the letter, according to Politico.

https://www.theregister.co.uk/2017/02/28/german_french_ministers_breaking_encryption/

http://www.politico.eu/pro/commission-agrees-with-france-and-germanys-counter-terrorism-call/

Watch the language. Too much "law." Characteristic of Russian ВОРЫ В ЗАКОНЕ.

BabakFebruary 28, 2017 8:06 PM

SpybotAntiBeacon-1.6-setup.exe also disables some services; if I add them to mine (above), the new BAT file is like this:

REM Merged list: the blackviper services above plus those Spybot Anti-Beacon disables
REM (duplicate lines removed). Run from an elevated command prompt.
REM DiagTrack and dmwappushservice are the Windows 10 telemetry services;
REM SCardSvr is the Smart Card service, so keep it if you use smart card logon.

sc config Browser start= disabled
sc config BthHFSrv start= disabled
sc config bthserv start= disabled
sc config CDPSvc start= disabled
sc config DiagTrack start= disabled
sc config dmwappushservice start= disabled
sc config HomeGroupListener start= disabled
sc config HomeGroupProvider start= disabled
sc config LanmanServer start= disabled
sc config LanmanWorkstation start= disabled
sc config lfsvc start= disabled
sc config lmhosts start= disabled
sc config MSDTC start= disabled
sc config Netlogon start= disabled
sc config NetTcpPortSharing start= disabled
sc config RasAuto start= disabled
sc config RasMan start= disabled
sc config RemoteAccess start= disabled
sc config RemoteRegistry start= disabled
sc config SCardSvr start= disabled
sc config shpamsvc start= disabled
sc config SSDPSRV start= disabled
sc config TrkWks start= disabled
sc config vmicrdv start= disabled
REM end file
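
Both batch files above set services to disabled with no record of what they were before, so there is no clean way back if something stops working. The following PowerShell is an added example (not Babak's script, and not from blackviper or Spybot): it snapshots the current start mode and state of every service in the merged list to a CSV before any change, and can restore the recorded start modes afterwards. The service names are the ones listed in the two posts; the output path is an assumption.

```powershell
# Added example: record the start mode of the listed services before disabling
# them, so the change can be reverted. Names come from the two lists above.
$Services = @(
    'Browser','BthHFSrv','bthserv','CDPSvc','DiagTrack','dmwappushservice',
    'HomeGroupListener','HomeGroupProvider','LanmanServer','LanmanWorkstation',
    'lfsvc','lmhosts','MSDTC','Netlogon','NetTcpPortSharing','RasAuto','RasMan',
    'RemoteAccess','RemoteRegistry','SCardSvr','shpamsvc','SSDPSRV','TrkWks','vmicrdv'
)
$Snapshot = 'C:\Temp\service-startmodes.csv'   # assumed path; any writable location works

function Save-ServiceSnapshot {
    param([string[]]$Names, [string]$Path)
    $rows = foreach ($n in $Names) {
        # Win32_Service exposes StartMode (Auto/Manual/Disabled) and State (Running/Stopped)
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$n'"
        if ($null -eq $svc) {
            # Not every build/edition has every service; record that so restore skips it
            [pscustomobject]@{ Name = $n; StartMode = 'NotInstalled'; State = 'NotInstalled' }
        } else {
            [pscustomobject]@{ Name = $svc.Name; StartMode = $svc.StartMode; State = $svc.State }
        }
    }
    $rows | Export-Csv -Path $Path -NoTypeInformation
    $rows
}

function Restore-ServiceSnapshot {
    param([string]$Path)
    foreach ($row in Import-Csv -Path $Path) {
        if ($row.StartMode -eq 'NotInstalled') { continue }
        # Map WMI start modes to the values sc.exe expects
        $mode = switch ($row.StartMode) {
            'Auto'     { 'auto' }
            'Manual'   { 'demand' }
            'Disabled' { 'disabled' }
            default    { $null }   # Boot/System drivers are not touched
        }
        # "sc" alone is an alias for Set-Content in PowerShell, so call sc.exe explicitly
        if ($mode) { sc.exe config $row.Name start= $mode | Out-Null }
    }
}

# Usage (elevated prompt): review the table, then run the batch file.
Save-ServiceSnapshot -Names $Services -Path $Snapshot | Format-Table -AutoSize
# To undo later:  Restore-ServiceSnapshot -Path $Snapshot
```

The table it prints is also a useful sanity check before running the batch file: anything already Disabled needs no change, and anything Running that you rely on (network shares via LanmanWorkstation, domain logon via Netlogon, smart cards via SCardSvr) is worth striking from the list first.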


DroneFebruary 28, 2017 11:59 PM

@David K. M. Klaus,

I suggest you move to Linux Mint, Cinnamon version. Linux Mint Cinnamon is Ubuntu-based but the GUI is classically designed (the UI is NOT trying to be a cell-phone that a five-year-old would love). Pick up a low-end Dell laptop and start transitioning away from Windows now while you are still running your Windows machine in parallel. That way you will be under less pressure to settle-in with your Linux applications.

I suggest a Dell machine because I have had fewer Linux driver compatibility issues with Dell (Lenovo has been the worst. Some Acer models do well with Linux.) Currently I am using 11.5" Dell Inspiron-11 3000 series laptops (AVOID the 2-in-1 touch-screen versions!). Get the matte-screen non-touch model with the Pentium and 4GB on-board SDRAM. Cheap, speedy enough, small, and I've had no problems running Mint Cinnamon on them (I have three). The only things bad about the Dell Inspiron-11 3000 series laptops are a non-removable battery and no wired Ethernet port (a USB/Ethernet dongle works OK). But these are common omissions these days on small low-end machines.

DroneMarch 1, 2017 12:12 AM

Windows 10 spying has had the beneficial effect of driving people away from Windows 10. So keep it up Micro$oft, you are doing just fine!

Hey, while you are at it Micro$oft, do you think you could make Windows 10 Updates any harder and slower? And how about the Windows 10 GUI, aren't we overdue for one of those updates where you try to make the interface look like a 5-inch cell-phone again?

ab praeceptisMarch 1, 2017 1:00 AM

Gerard van Vooren

Sadly I have to fully agree. Really sad story.

TovaritchMarch 1, 2017 1:48 AM

@ Clive Robinson

"For some reason unknown to those living outside the US, US citizens in general appear to be lacking in basic understanding of what privacy is and why it is essential to society. Some put it down to the propaganda of the US Government and the outrageous behaviour of the political parties and their plutocracy backers, others that the average US Citizen has been brainwashed."

Amen, but I'm afraid it's even more complex than that. I think the general lack of understanding of the concept of privacy and the dominant "nothing to hide" attitude is connected to other typical North American customs, such as the absence of fences or curtains. Last but not least, there is the penchant for public exhibitionism, (in)famous around the world, and which was around long before Facebook: https://www.buzzfeed.com/robinedds/i-can-see-you?utm_term=.mry0pNkJw#.skxGKZEr6

Only half kidding.

Sebastian B.March 1, 2017 2:15 AM

As Munich decides to discontinue LiMux and move back to Microsoft this discussion popped up in Bavaria/Germany, too...

Also for corporations Windows 10 and Office 365 should be a no go in the post-Snowden era. It just has not been realized by the responsible managers.

keinerMarch 1, 2017 3:19 AM

@Sebastian B.

You have to sign ridiculous "Security Agreements" for big companies and in the next step you have to establish a connection (from wherever with totally uncontrolled hard-/software) to "Microsoft sharepoint" with a Microsoft (!) account to access the "secret" data. Fun!

WebExtender?March 1, 2017 5:02 AM

@ Clive, Gerard, Dirk

I wonder if a web extension could help. I am envisioning something that makes it easy to blacklist someone if they seem to be trolling or if they are uninteresting. Several folks were lamenting the quantity of posts by one individual in a recent squid thread. I could also see a whitelist working in some cases.

Any suggestions/feedback on the idea would be appreciated.

keinerMarch 1, 2017 6:09 AM

...the owner of this blog posting on "how to deal with propaganda" clearly documents that he knows what time it is.

People daydreaming how to optimize their filter bubble clearly document the opposite.

WebExtender?March 1, 2017 11:47 AM

@keiner

From the article recently linked by the owner of this blog:
This tactic involves having huge numbers of channels at your disposal: fake and real social media accounts, tactical leaks to journalists, state media channels like RT, which are able to convey narrative at higher volume than the counternarrative, which becomes compelling just by dint of being everywhere ("quantity does indeed have a quality all its own").

I am looking at ways to reduce the quantity of BS that I need to sift through daily. Tools like the one I suggest could help offset all three of the techniques mentioned in the article, but would be particularly effective against those that derail discussion with a high volume of negative/unrelated posts...

Gerard van VoorenMarch 1, 2017 12:27 PM

@ WebExtender?,

That has been suggested in the past. Our host/moderator just doesn't want it. And to a certain degree they have a point.

@ the usual suspects,

The situation is what it is. I can't change it but I certainly don't like it.

The problems are:

1. It takes too much time, there is too much ranting, and too little to learn.
2. Data is scattered all over the place.
3. I am more interested in Applied Security, in software/hardware/networking ranging from wet dream ideas, brainstorming, PL, OS, config settings, etc.

With that in mind I ask the question: Is there a site about Applied Security? I mean a forum/wiki based site, preferably in the EU, non-profit (no ads), simple and ultimately P2P?

AlMarch 1, 2017 12:50 PM

Pete's comment:

"At work, my boss asked me to come up with a plan to replace 22K disconnected Windows systems with Linux. I ran some numbers and we couldn't do it. The time to recoup those costs would be over a decade and it would require at least 5 yrs. Too much high-cost custom software purchased from external vendors which would require tens of millions to rewrite."

I run Win7 under Virtualbox on Linux hosts, for Win applications that I still need to use. It mostly works well, except for applications that need a medium-to-high end graphics card (CAD packages etc).

Or perhaps WINE? I've got a number of windows programs that run just fine on a Mac (OSX) under WINE, but that I cannot, for the life of me, get to run under new versions of Windows.

It's starting to become a trend in online gaming, companies using WINE, cider, etc to cheaply port their software to the mac. When the revenue is there, it's not difficult to switch OS's.

WebExtenderMarch 3, 2017 2:49 AM

@Gerard

It is not really in the moderator's hands if visitors to this site choose to run a web extension. I could build something that would run on chrome/ff/safari and collapse all comments from names on a blacklist, keep all names on a whitelist, and slightly grey out all posts from names which are not on either list; with an option to collapse all the non-listed names, or add them to one of the lists.

That is more or less what I am proposing. Think of it as a very specialized version of an adblocker.

If I find time this weekend I will build a prototype and link it on the squid thread.
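
The filtering logic WebExtender describes (collapse names on a blacklist, keep names on a whitelist, grey out everyone else, optionally collapse the unlisted too) is small enough to show in full. The following JavaScript is an added example, not WebExtender's prototype: it parses the poster's name out of a comment header in the format this thread's comments use ("NameMonth D, YYYY H:MM AM"), applies the two lists, and maps the decision to a style. The sample headers and lists are constructed, and the `.comment` / `.comment-header` selectors in the browser hook are assumptions about page markup, not taken from this site.

```javascript
// Added example (not WebExtender's code): name-based triage of blog comments.
const MONTHS = 'January|February|March|April|May|June|July|August|September|October|November|December';
// The name is glued to the date, so match lazily up to the first month word:
// "MarekMarch 3, 2017 11:10 PM" splits as "Marek" + "March 3, 2017 11:10 PM".
const HEADER_RE = new RegExp(`^(.+?)(${MONTHS}) (\\d{1,2}), (\\d{4}) (\\d{1,2}:\\d{2} [AP]M)$`);

function parseHeader(text) {
  const m = HEADER_RE.exec(text.trim());
  if (!m) return null;
  return { name: m[1], posted: `${m[2]} ${m[3]}, ${m[4]} ${m[5]}` };
}

// Decide what to do with one comment. Names are compared case-insensitively;
// the deny list wins if a name is on both lists.
function classify(name, lists) {
  const key = name.trim().toLowerCase();
  const has = (arr) => arr.some((n) => n.trim().toLowerCase() === key);
  if (has(lists.deny)) return 'collapse';
  if (has(lists.allow)) return 'keep';
  return lists.collapseUnlisted ? 'collapse' : 'dim';
}

// Inline styles for each decision; applyToPage() assigns them to the element.
const STYLES = {
  collapse: { display: 'none' },
  dim: { opacity: '0.5' },
  keep: {},
};

// Run over header strings and return one decision per comment. A header the
// regex does not recognise is kept, so a layout change never hides everything.
function triage(headers, lists) {
  return headers.map((h) => {
    const parsed = parseHeader(h);
    if (!parsed) return { header: h, name: null, action: 'keep' };
    return { header: h, name: parsed.name, action: classify(parsed.name, lists) };
  });
}

// Browser-only hook. The selectors are assumptions about the page markup.
function applyToPage(lists, selector = '.comment', headerSelector = '.comment-header') {
  if (typeof document === 'undefined') return 0;
  let touched = 0;
  for (const el of document.querySelectorAll(selector)) {
    const head = el.querySelector(headerSelector);
    if (!head) continue;
    const [{ action }] = triage([head.textContent], lists);
    Object.assign(el.style, STYLES[action]);
    touched += 1;
  }
  return touched;
}

// Constructed sample input: headers in this thread's format plus hypothetical lists.
const SAMPLE_HEADERS = [
  'WinterFebruary 28, 2017 7:02 AM',
  'Clive RobinsonFebruary 28, 2017 8:33 AM',
  'MarekMarch 3, 2017 11:10 PM',
  'not a comment header',
];
const SAMPLE_LISTS = { allow: ['Clive Robinson'], deny: ['winter'], collapseUnlisted: false };

console.table(triage(SAMPLE_HEADERS, SAMPLE_LISTS));
```

Wired into an extension's content script, `applyToPage(lists)` would run once on load with the lists read from extension storage; the pure functions above are the part that does not depend on the browser and can be tested on their own.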

Dirk PraetMarch 3, 2017 4:57 AM

@ Webextender, @ Gerard van Vooren

I could build something that would run on chrome/ff/safari and collapse all comments from names on a blacklist, keep all names on a whitelist, and slightly grey out all posts from names which are not on either list; with an option to collapse all the non-listed names, or add them to one of the lists.

It can easily be defeated by using Tor and ever-changing aliases, which - analysing the style, content and tone of certain trolls - is exactly what is happening here. And whitelisting carries the risk of missing interesting comments of occasional commenters and locking yourself up in an echo chamber.

@ AI

Or perhaps WINE?

Wine and Mono sometimes come in handy for running certain legacy Windows applications on other platforms, but over the years I have had only limited success getting them to fully support all features of, say, ERP or other packages, in an average business environment. On top of that, almost no vendor will support it, which means your technical support team is entirely on its own. And that's the real show stopper here.

Who?March 3, 2017 11:17 AM

@ Clive Robinson

For some reason unknown to those living outside the US, US citizens in general appear to be lacking in basic understanding of what privacy is and why it is essential to society.

The United States are [still] a young country. Values like privacy and other standards of behaviour are not strong enough in its citizens yet.

GweihirMarch 3, 2017 5:33 PM

@ Clive Robinson

Usually, I am not so impressed with your comments. This time you are spot on, especially in your first and second comment.

MarekMarch 3, 2017 11:10 PM

For those who need some Windows features or software that runs only on that system, but at the same time want more privacy (secure web browsing, SSH, etc.) I would recommend installing Linux (e.g. FreeBSD) as a host OS, and setting up Windows in a virtual machine, as a GUEST OS. That will reduce the Windows OS's rights to a minimum (as just one of the apps run by Linux, not as an "omnipotent" OS), and let you take advantage of both: Windows apps & goodies, and also the transparency (i.e. open source basis) of Linux.

Clive RobinsonMarch 4, 2017 12:41 AM

@ Who?,

The United States are [still] a young country. Values like privacy and other standards of behaviour are not strong enough on its citizens yet.

Whilst what you say probably has a large grain of truth to it, the history of a large number of US Citizens is that their ancestors arrived in America to escape persecution in their countries of origin. Where the persecution was frequently "sovereign terrorism", using the full panoply of tools of oppression then available to the rulers of the country of origin against them. It is a shame that the hard learned lessons of such exoduses should be so quickly forgotten.

Clive RobinsonMarch 4, 2017 12:45 AM

@ Gweihir,

... you are spot on, especially in your first and second comment.

Thank you, for saying so.

Clive RobinsonMarch 4, 2017 1:33 AM

@ Gerard, Dirk, ab,

Well, I will stick around but it ain't what it used to be.

No it's not, part of the problem is that there is little that is "new" in the technical side of security, there are only so many "Mega Corp XYZ loses a half billion user details" stories that you can read before you become jaded and fed up of the issue and turn off.

Bruce has said in the past he wants to try and post two threads a day. Whilst this can be done in a target rich environment, it's much harder when targets are few and far between. Thus you get into the "lesser of two evils" issue of making fewer posts, thus losing audience, or broadening your scope into "soft issues" which often boil down to politics.

@Nick P does post to other sites, with Krebs being one similar in format to this blog. However he does post to a couple which have a different format, where users post a link to an article that in effect gets "popularity" selected, as well as having an attached comments section. Many of the articles that end up on those sites are more about "product visibility" than impartial technical comment. Perhaps with a gentle nudge @Nick P and others will say what technical sites they visit.

One site I keep an eye on is "The Morning Paper" ( https://blog.acolyer.org/ ) but it's probably not to a lot of people's interest; there is also "The Register", "Tech Crunch" etc, but Tech Crunch appears to be going downhill these days...

The underlying problem is there is little technical content you can get your teeth into these days. You only have to look at the "same old same old" in academic papers to see that "publish or be damned" has started a paper mill of at best mediocrity.

But we also have ourselves to blame; we are getting long in the tooth and have seen a lot of things, thus to be new or original by our standards is getting to be a large ask. One aspect of this is how we see much that we consider old being treated by less experienced practitioners as new. That is, there is a very real gulf of knowledge that is not being adequately addressed in the training of younger practitioners. I put much of the blame for this on the lack of real metrics by which security can be properly measured and thus compared, which underpin the scientific method. This has led to the voodoo of "Best Practice" and "Audit by check box" amongst many other sins that get exploited by marketers, trade bodies and legislators, all of whom should know better.

WebExtenderMarch 4, 2017 8:41 AM

@ Dirk

It can easily be defeated by using Tor and ever-changing aliases, which - analysing the style, content and tone of certain trolls - is exactly what is happening here. And whitelisting carries the risk of missing interesting comments of occasional commentors and locking yourself up in an echo chamber.

I do not see why Tor use would matter; the tool runs after my browser downloads the page. It would not have any information about source IPs. The risk of changing aliases is mitigated by making it easy to adapt the filters. New names are still visible but with slightly lower opacity so they can be skipped more easily should a large section of them seem uninteresting.

If you take this thread as an example: I would have blacklisted our new friend 'ion' after the first post, scanned a little, then skipped ahead to someone on my whitelist; saving a few seconds of attention for something else. Most of the names I would whitelist quote their prompt and I could always expand a comment from someone on my blacklist if the quoted text is not sufficient.

I would also assert that there are better ways to avoid a 'filter bubble' or 'echo chamber' than by reading every comment on this blog.

ab praeceptisMarch 5, 2017 2:29 AM

Clive Robinson

I respectfully disagree. This blog has gone into a downward spiral not for lack of things going on on the technical side but because not only did Bruce Schneier tolerate political musings of the weirder kind as well as massive spamming by e.g. 'r' but, in fact, he himself has fed the trump/clinton frenzy by consistently putting petrol into or at least close to the fire himself.

Now, don't get me wrong, this is Bruce Schneier's blog and he can do with it whatever he pleases. I would still thank him for his work (e.g. blowfish) and for some good years with this blog (with me reading only for the major part).

"krebs"? Are you joking? That guy may have a name but his weight in ITSec is hardly that of a fly. Compared to this blog here and to the man behind it, krebs online is hardly even a gossip kitchen.

The few of you with whom I had discussions and who have some real interest in ITSec (as opposed to blabla and gossip) may contact me during the next days via bschneier(at)abpraeceptis.mail33.com. Please be sure to tell me the name you used here. Maybe it's about time to prepare for things here not getting back to normal.

Thank you.

ScrumDogMarch 6, 2017 9:11 PM

Lolz.
sc config Windows start= disabled

After learning how to use a firewall and build a quick script or app to toggle wuauserv (among other things), no one should have a problem. Of all of the attack surfaces used to invade and monitor (your damn browser), I still find Windows to be minimal. You can fight for the little people if you want, but you are defending the stupid majority. A philosophical battle for usability and privacy directed solely against Windows is a joke.

Any decent argument would include Microsoft's inability to take advice. It is mind numbing. I don't think the Linux community should be talking. Try fighting Akamai and MIT, though. Good luck. Let me know how that works out. I would also like to remind everyone that the EU also tried to sue Google as a monopoly. At this point, you should ask Europe if they have tried to go it alone. Finally, ponder that Europe is CALEA compliant with network hardware. They don't have to be.

There is a better academic argument here: versioning. They also bought into the continuous product increment promoted by Agile/Scrum subculture. What is used for expediency is abused by all of the OSes. I call it "perpetual beta." What I mean is that at some point you should take end-user advice and deliver something coherent and minimalist, not stacked with cloud marketing ideas. Do you remember the San Fran dotcom blowout, 40k jobs lost in 12 months? I look forward to a dotcloud blowout in the future, after everyone realizes that big data resale is pointless and beyond infiltration.

Clive RobinsonMarch 7, 2017 3:45 AM

@ Scrumdog,

I look forward to a dotcloud blowout in the future, after everyone realizes that big data resale is pointless and beyond infiltration.

The human race is known for its irrationality when it comes to hanging onto false assumptions and bad ideas with the "I know I can get it to work" and "People just need to see my vision" thinking.

Marketing vies with religion for being the largest grabbers of money there is. Few appear to realise that they are like "Owning sailboats in California" that have the reputation of being "Bottomless holes in the ocean into which you pour money".

But there is another kid on the block to consider that could be thought of as the illegitimate result of a Saturday night knee trembler between Religion and Marketing and it goes by the name of politics.

Politics does not live in the real world, where people are starting to see the worthlessness of its parents through their lack of results. Thus politics has to tilt the wheel in favour of not just itself but its parents as well. But politics has got to the age of taking money off of old men in return for favours.

We try to dress it up by calling it lobbying, but the reality is that Politics swallows money so quickly that it will not be long till in the US we have a Ten Billion Dollar Election. And to make that investment pay a return, a small handful of those old men will want trillion Dollar pay offs.

But as the voting shows, the natives have learned to see beyond the beads and baubles previous politicians have bought their votes with, and they want change, but that is not what the old men want. We are entering a time where the grasp of the old men can only be assured by the use of Guard Labour. The natives once learnt that Private Armies in the hands of old men are bad news; the history of the labour unions and similar has shown this. Thus the old men moved to take over the public guard labour of Law Enforcement and Military to do their bidding. But that is not working as well as it did. So the idea now is one of old, expressed by Cardinal Richelieu,

    If one would give me six lines written by the hand of the most honest man, I would find something in them to have him hanged

And add a modern twist via technology, of building an information time machine that holds not just everybody's written lines, but their spoken words and thoughts too, their loves, their losses, their achievements, their failures and those of those that might once have known them, at what time and at what place.

The first step is to "collect it all", the second is "analyse it all", thus giving rise to the ability to create the best fit narratives that Cardinal Richelieu desired. We see some of this starting with the likes of the FBI "making terrorists" such that they can "Show Justice being done" rather than actually doing it. But that beast once woken needs to be fed; it cares not where the meat it grinds comes from, only that there is more to sate its ever growing appetite.

Thus the first two steps will be called upon ever more; prisons have to be full to be profitable, and overcrowding them makes the business more profitable still. But people notice, thus the Chicago PD trick of illegal imprisonment and interrogation got found out, so a new game is required, one that apparently satisfies the rule of law, thus it will not be questionable.

This is where "Big Data" is going, and those that want to use it as such can buy the legislation, the data and the technology at bargain basement prices because of the way the political system works; those billion dollar investments they make have to be paid off a hundred times over. Which is why Big Data will not die quickly; it will not "blowout" entirely, because it's too useful to those who would be king makers.

Clive RobinsonMarch 7, 2017 4:43 AM

@ a b praeceptis,

I've just seen your comment, I must have missed it in the 100 last comments for some reason (probably another deluge of unsolicited advertising).

With regards,

I respectfully disagree. This blog has gone into a downward spiral not for lack of things going on on the technical side but...

The downward spiral started quite a while before that; Bruce even went "clickbaity" for a while as an experiment prior to the tolerance, then allowance, of the political comments. Thus they appear almost as a consequence of the decline, not the cause. Almost as though it's another experiment, or way to increase the numbers.

I suspect however it might be that Bruce has less time on his hands these days thus other "irons in the fire" get a greater priority.

As for "Krebs", I was referring to the type of blog it was with regards to the way readers could post comments and that one or two regulars here used to post there, not the type or quality of the posts.

With regards "Email", I stopped doing personal email some time ago as others here know. There were some personal security reasons why I stopped, but in all honesty it was taking too much time for too little return. As for social networking, I saw what a tarpit that was so never bothered with it. Now that standup comedians are devoting entire acts to taking a rise out of social media, it looks like it has started on a downward spiral of its own.

I've been asked in the past why I never set up my own blog, when blogging was the thing. The reason then as now is the workload involved with finding, analysing and presenting high quality comments that people would want to build a community around. But there was also the "crowd issue": I've never liked the idea of making people register to say something. I do enough "drive by commenting" that I would have to have an unmanageable number of credentials and other information to carry around, which in itself entails unacceptable risk, due to the majority of people not understanding certain basic problems[1]. The other thing I like about "public commenting" is the third party eye of the audience; it tends to not just civilise comments, it actually encourages more thoughtful comments in those who want to be a part of a community. However there is a down side: crowds are not communities, and there are always "crowd elements" that are sociopathic in various ways, be it by trying to advertise, or abuse in one way or another. Cleaning up such behaviour is a thankless task at the best of times and, due to the time taken, gets in the way of other things that might be a more productive use of time.

So Bruce has both my thanks and sympathies for building and maintaining his blog; few say thanks, which is a shame.

[1] Put simply, there is no way to tie people in a physical way to an information based identity, thus digital authentication of a person is nothing of the sort. Thus when people get text messages on phones that say it's from their mate "Fred", they don't question if it's Fred or a Policeman etc who has taken Fred's phone that is actually typing in the text message they read (which has happened in the UK and caused problems in court). Thus if people know there is no "authentication" on a site, they are going to hopefully judge more by the style and content of the comment than any handle that might be used.

ScrumDogMarch 7, 2017 12:53 PM

@Clive
The point I make on Akamai is a fear tactic theory: "If we don't do this, the small private business can overtake the market and there goes our 401K."
They don't even really have to say that because it is already borrowed from Wall Street. What I think is crazy, and probably collusion, is that some of Akamai's business clients are competitors. Also, I wish I wasn't too lazy to pull up a link that describes the US govt being one of Akamai's largest purchasers of big data.

In addition, search for the news thing on France trying to sue Steam for older titles to be piped to a third-party distro system. What I see is a pattern of EU lawyers trying to sue for profit and fun. It is kind of sad because it exposes the downfall of socialized democracy. Their citizens have lower discretionary income, lower motivation, and lower capital movement for IT development.

I have this grand conspiracy theory about EU being bent over lack of US market penetration. At one point, that included torrent trackers as a state-sponsored/allowed weapon to decimate US media sales as reciprocity. Also, "red star" backed EFF to pay off a federal judge to make SOPA go away and do a smear campaign. Their crowning achievement, except it doesn't matter for the purpose of law enforcement. Europe is desperate.

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.