Topic: Windows10 and privacy

I know these types of things tend to get blown out of proportion but if half of the things in this article are true I will be skipping Microsoft's new OS.

https://edri.org/microsofts-new-small-p … ta-abused/

Tar, feathers, congress. Some assembly required.

2 (edited by infocastme 2015-07-30 08:17:42)

Re: Windows10 and privacy

Here is a quote from the article:

"By default, when signing into Windows with a Microsoft account, Windows syncs some of your settings and data with Microsoft servers, for example “web browser history, favorites, and websites you have open” as well as “saved app, website, mobile hotspot, and Wi-Fi network names and passwords”. Users can however deactivate this transfer to the Microsoft servers by changing their settings."

I have never set up a Microsoft account in my name and have never activated Windows with a Microsoft account. You can do this but it has never been obvious or well documented. All my Win8.1 machines do not phone home!

Re: Windows10 and privacy

Most people will use the default settings when they set up their new computer.  Microsoft knows this.

Tar, feathers, congress. Some assembly required.

Re: Windows10 and privacy

You have to add _optout to the end of the SSID to not have Windows 10 send your WiFi key to Microsoft.

Re: Windows10 and privacy

Holy crap - really? Windows sends your Wifi passphrase to their systems?

Re: Windows10 and privacy

Can't imagine anyone (not even the government) ever trying to get/steal/hack the list from Microsoft. I mean, their servers have never gotten hacked...right?
/s

Imagine the identity theft potential. In one shot you could get access to a person's PC, files (local and one drive), emails, etc.


“BitLocker recovery key for the user’s device is automatically backed up online in the Microsoft OneDrive account”
“(for Cortana) we collect your voice input, as well your name and nickname, your recent calendar events and the names of the people in your appointments, and information about your contacts including names and nicknames.”
“We will access, disclose and preserve personal data, including your content (such as the content of your emails, other private communications or files in private folders), when we have a good faith belief that doing so is necessary to”

Sounds like the best security for Windows 10 is an air gap.

Tar, feathers, congress. Some assembly required.

Re: Windows10 and privacy

Here's a picture I've seen floating around the Internet summing up all the privacy violations in Windows 10.

http://i.imgur.com/Hlffigz.jpg

Re: Windows10 and privacy

BoloMKXXVIII wrote:

Sounds like the best security for Windows 10 is an air gap.

https://hacked.com/airgap-wont-secure-computer-anymore/

Re: Windows10 and privacy

BoloMKXXVIII wrote:

Sounds like the best security for Windows 10 is an air gap.

for windows anything.

Cleaning up any loose bits and bytes.

Re: Windows10 and privacy

Windows with an air-gap, isn't that called double glazing?

I'll get my hat...

Re: Windows10 and privacy

songmaster wrote:

Windows with an air-gap, isn't that called double glazing?

I'll get my hat...

I lolled.. out loud and everything :D

Cleaning up any loose bits and bytes.

Re: Windows10 and privacy

songmaster wrote:

Windows with an air-gap, isn't that called double glazing?

I'll get my hat...

Double glazing sounds like a great name for a security suite for Windows.

Tar, feathers, congress. Some assembly required.

Re: Windows10 and privacy

Duane wrote:

Holy crap - really? Windows sends your Wifi passphrase to their systems?

Yes, it does, although it is sent encrypted.

The issue is explained here:
https://nakedsecurity.sophos.com/2015/0 … r-friends/

As nathanm points out, you can change the name of your Wifi network from "mynetwork" to "mynetwork_optout". And if you want Google to also stop collecting information about your network, you can rename it to "mynetwork_optout_nomap".

The bottom line is that all of us are trading the benefits of using various companies' services (whether those companies are Microsoft, Google, Facebook, Twitter, and Yahoo to name a few) in exchange for less privacy, including tracking us across the net so we can get more targeted ads that generate more revenue for the companies, or, to allow us to log on to our friends' networks without them sharing their passphrase.

Re: Windows10 and privacy

Well, it doesn't really matter if the transfer of the passphrase is encrypted, because Windows still needs to enter into the WPA negotiation with the AP with the original passphrase.  This means the encryption is reversed on the client machine.  They *are* technically sharing your passphrase - they have to or it can't work.

Usually, to break the passphrase on an AP, you need a computer that has previously authed with the AP and saved the credentials, and is set up to automatically connect.

With this feature, now all you need is a Facebook, Skype or Outlook friend that has authed, and sufficient information to spoof the AP (probably SSID, MAC, and maybe location depending upon how MS identifies APs), and now you can take your time to break the passphrase for an AP you've never been connected to.

Breaking WPA encryption is not trivial of course; however, now you have so many more opportunities, and it can be done without the need to acquire a computer that has connected.

Some articles recommend changing your passphrase to get around this - however, it seems that if your sharing user reauths with the new passphrase, that will then be shared as long as the box is checked.  Another problem is that once a user has authed with your network, they can flip the sharing switch at any time in the future, even if you politely ask them not to - once you've allowed one of these users to connect, you've effectively made your network public to random people you've never met.

You've also set your security level to the lowest level of these third-party services over which you have no control.  You are now vulnerable to Facebook phishing, the worst password any friend of your user might have, etc.

It should be entirely the decision of the owner of the network to decide who should have access to their networks.  I really don't see how Microsoft thinks they've got the right to collect, store, and redistribute access credentials without obtaining permission from the network owner.

At the very least, the "_optout" SSID hack should have been "_optin".

The position we're taking at my workplace is that Windows 10 guest clients will be offered a wired connection only.

Re: Windows10 and privacy

Duane, I agree completely that Microsoft should have explicitly offered folks the option of opt in versus opt out, and made the default opt out. Then, when my friends decide to visit and see a need to get on my wifi network, they can either bug me to change my opt out option, or, I can turn on my Guest access and tell them they can use that, or, just give them my passphrase. But, to automatically opt me in is not the right way to do things.

By the way, I just downloaded the latest copy of the Security Now podcast, which has the title "The Win10 Privacy Tradeoff." I have not listened to it yet, but, I suspect these are exactly the kind of issues that are raised there, and, from past experience, I think the host provides a fairly rational discussion of security issues. (The podcast is available at http://www.podtrac.com/pts/redirect.mp3 … sn0519.mp3 if someone wants to listen.)

Re: Windows10 and privacy

Here's another problem with the SSID opt-out hack - Google allows you to prevent a WiFi AP from being included in its Wifi Geo database by appending "_nomap" to the SSID.  Since you can only add one suffix - your choice is to block W10 sharing, or Google maps, but you can't block both.

Re: Windows10 and privacy

According to the Naked Security article (https://nakedsecurity.sophos.com/2015/0 … r-friends/), it claims you can put both _nomap and _optout in your SSID name to exclude both, although it specifies that _nomap needs to be at the end, but _optout can be before that.

I don't know enough about these things to figure out if that is correct, and I have no idea how to test it.

By the way, I did convert a tablet I have to Windows 10 (a Winbook) and took it to work today to see what would happen. When I had Windows 8 on the tablet, I could connect to our secure network, but as a Windows 10 computer, the only choice I have is to connect to our Guest network.
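The SSID naming rule debated in the posts above, as an added example (not code from the thread, Microsoft or Google). It assumes the matching rules exactly as claimed in the thread (`_optout` anywhere in the name, `_nomap` at the very end); the function names and sample SSIDs are constructed, and the 32-octet limit is the IEEE 802.11 maximum SSID length.

```python
"""Audit Wi-Fi network names for the opt-out markers discussed in this thread."""

MAX_SSID_OCTETS = 32           # IEEE 802.11 limit on SSID length, in bytes
WIFI_SENSE_MARKER = "_optout"  # assumption from the thread: may sit before _nomap
GOOGLE_MARKER = "_nomap"       # assumption from the thread: must be the final suffix


def audit_ssid(ssid: str) -> dict:
    """Report which opt-outs an SSID expresses and whether it is a legal length."""
    octets = len(ssid.encode("utf-8"))  # the limit is in bytes, not characters
    return {
        "ssid": ssid,
        "octets": octets,
        "fits": octets <= MAX_SSID_OCTETS,
        "optout": WIFI_SENSE_MARKER in ssid,
        "nomap": ssid.endswith(GOOGLE_MARKER),
    }


def with_both_markers(ssid: str) -> str:
    """Return the SSID renamed so that both markers apply, in the required order."""
    base = ssid
    # Strip trailing markers first so they are neither duplicated nor misordered.
    while base.endswith((WIFI_SENSE_MARKER, GOOGLE_MARKER)):
        for marker in (WIFI_SENSE_MARKER, GOOGLE_MARKER):
            base = base.removesuffix(marker)
    # An _optout left in the middle of the name already counts under the assumed rule.
    suffix = GOOGLE_MARKER if WIFI_SENSE_MARKER in base else WIFI_SENSE_MARKER + GOOGLE_MARKER
    candidate = base + suffix
    if len(candidate.encode("utf-8")) > MAX_SSID_OCTETS:
        # Refuse rather than silently truncate: the owner should pick a shorter name.
        raise ValueError(f"{candidate!r} exceeds {MAX_SSID_OCTETS} octets")
    return candidate


if __name__ == "__main__":
    # Constructed sample names, not taken from any real network.
    for name in ("mynetwork", "mynetwork_nomap", "mynetwork_nomap_optout",
                 "mynetwork_optout_nomap", "a" * 20):
        print(audit_ssid(name))
        try:
            print("  rename to:", with_both_markers(name))
        except ValueError as err:
            print("  cannot fix:", err)
```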

Re: Windows10 and privacy

Sticking to W7, as long as I'm able to :P

Re: Windows10 and privacy

I knew it wouldn't be long before someone made a tool to help with the privacy settings in Windows10. I haven't tried it yet as I am staying with Linux/Windows7 for now.

http://www.oo-software.com/en/shutup10

Tar, feathers, congress. Some assembly required.

Re: Windows10 and privacy

songmaster wrote:

Windows with an air-gap, isn't that called double glazing?

I'll get my hat...

Double-pained glass :)

Re: Windows10 and privacy

This software should make Windows 10 less unsafe to use.

http://www.oo-software.com/en/shutup10

Re: Windows10 and privacy

More good news: Microsoft is being helpful by pushing several gigabytes of Windows10 installation files onto users' computers...wanted or not. I guess they don't care about how it slows down your connection for other content nor do they care about if you have data caps or limited storage on your device.

http://www.zdnet.com/article/windows-10 … it-or-not/

I yanked access to the internet from my one Windows7 computer a couple of weeks ago. I only use Windows for Adobe InDesign and Photoshop anyway. Linux Mint is my primary OS.

Tar, feathers, congress. Some assembly required.

Re: Windows10 and privacy

BoloMKXXVIII wrote:

More good news: Microsoft is being helpful by pushing several gigabytes of Windows10 installation files onto users' computers...wanted or not. I guess they don't care about how it slows down your connection for other content nor do they care about if you have data caps or limited storage on your device.

http://www.zdnet.com/article/windows-10 … it-or-not/

I yanked access to the internet from my one Windows7 computer a couple of weeks ago. I only use Windows for Adobe InDesign and Photoshop anyway. Linux Mint is my primary OS.

My computer uses Windows 7 and I can confirm that if you only have important updates enabled (recommended disabled),  you don't get any telemetry updates. MS hasn't even asked me to "claim my free Windows 10 update"  yet.

Re: Windows10 and privacy

nathanm wrote:
BoloMKXXVIII wrote:

More good news: Microsoft is being helpful by pushing several gigabytes of Windows10 installation files onto users' computers...wanted or not. I guess they don't care about how it slows down your connection for other content nor do they care about if you have data caps or limited storage on your device.

http://www.zdnet.com/article/windows-10 … it-or-not/

I yanked access to the internet from my one Windows7 computer a couple of weeks ago. I only use Windows for Adobe InDesign and Photoshop anyway. Linux Mint is my primary OS.

My computer uses Windows 7 and I can confirm that if you only have important updates enabled (recommended disabled),  you don't get any telemetry updates,  and it doesn't download Windows 10.  MS hasn't even asked me to "claim my free Windows 10 update"  yet.

Re: Windows10 and privacy

nathanm wrote:
nathanm wrote:
BoloMKXXVIII wrote:

More good news: Microsoft is being helpful by pushing several gigabytes of Windows10 installation files onto users' computers...wanted or not. I guess they don't care about how it slows down your connection for other content nor do they care about if you have data caps or limited storage on your device.

http://www.zdnet.com/article/windows-10 … it-or-not/

I yanked access to the internet from my one Windows7 computer a couple of weeks ago. I only use Windows for Adobe InDesign and Photoshop anyway. Linux Mint is my primary OS.

My computer uses Windows 7 and I can confirm that if you only have important updates enabled (recommended disabled),  you don't get any telemetry updates,  and it doesn't download Windows 10.  MS hasn't even asked me to "claim my free Windows 10 update"  yet.

I would keep a close watch on those updates. Microsoft is desperate for everyone to upgrade to Windows10. I would not be surprised if the Windows10 upgrade became an "important" update some time in the near future.

Tar, feathers, congress. Some assembly required.