We don't know if this is a security update or not.
This is an article, about an article, about a blog post, about a random comment. Someone grabbed the update's file change list, spotted files used by the Customer Experience Improvement Program (CEIP) and then said that because those files were updated, this security update "added telemetry."
Problem is that those files previously existed on Windows 7 as part of CEIP and may require legitimate updates (inc. security). You still need to opt into the CEIP so that telemetry is sent to Microsoft, and there's no proof that this update has changed that.
I guess what I am saying is: There could be a story here, hypothetically, but this article lacks enough information to say that there is. This could be a legitimate security update to an unpopular part of the Windows 7 OS.
OP's point was that ZDNet is stooping a bit low here by journalistic standards. In this case, it appears there's not enough evidence to publish a "question headline" -- much less question whether they deserve some benefit of a doubt.
We all know MS and others have engaged in questionable behavior - but at least wait until there's something substantive before publishing.
As an interested but unaffected observer, I'd just like to understand accurately the state of things. It's quite right to call out biased reporting that misrepresents the facts, fails to cite evidence of claimed facts, or that misrepresents speculation as fact, since otherwise all we get is "fake news" and lynch mobs, which just polarises the population and helps nobody.
If you have a problem with a rebuttal, then argue against it on the basis of what it said, please, rather than on the assumption that it is automatically wrong based on previous history.
It's fine (and perhaps even appropriate) to speculate in a biased way on unknowns based on previous history, but that doesn't in any way invalidate proper journalism based on seeking the facts, and the two should not be conflated.
In principle. You seem to be arguing against the principle. My comment isn't intended to pass judgement on the accuracy of this reporting or the accuracy of the rebuttal.
>since otherwise all we get is "fake news" and lynch mobs, which just polarises the population and helps nobody.
Perhaps, but one difference I see is that lynch mobs target disempowered individuals who can't defend themselves against the mob, usually people who were already very low on society's totem pole.
What's anyone going to do to Microsoft? They've been rightfully criticized for all kinds of bad behavior for decades now, and they're still hugely profitable. People have known about the spyware issues in Windows 10 for ages now, but it isn't stopping them from using it.
Microsoft isn't the only one negatively affected by false news. The consumer of the information is also negatively affected. Security workers need accurate information, not Outrage of the Day junk. It might turn out that the concerns raised in the article are valid but they don't have enough evidence at this time to raise those concerns. It just adds noise that the consumer of the information has to deal with. I don't really care about Microsoft somehow getting harmed. I do care about the IT worker whose job it is to protect their company's systems from security exploits. Dumping low quality possibly false information on them makes securing their systems more difficult. That's the real harm.
It's not about "defending a company". That's the wrong way of looking at it. It's about HN not reporting on "..an article, about a blog post, about a random comment..." as if it's facts. Until otherwise demonstrated, this is a non-story. If it turns out to be true, I'll be the first person to say "yeah, same old same old" but no-one's put the work in yet.
> Pointing something out about somebody's comment history is not an "attack".
That's certainly true in general. For example, if I post "Hey, I noticed that you've posted a lot about APL. Did you ever work with it professionally?", that's not a personal attack. But the pattern here was more specific than that. If you single someone out by name and insinuate bad faith in their comment history, that pattern-matches closely to the online calling-out and shaming culture. We want to avoid that culture here: its spirit is aggressive, we want HN's spirit to be collegial, and one can't have both. When we post moderation comments like I did above, we're always looking at the effect something has on the site as a whole. The calling-out culture is contagious because people are so used to it elsewhere.
It's perfectly natural for someone who disagrees with your view to have various comments in their history expressing that. The way to answer this is with better arguments, not by naming and shaming.
If you say that your intent wasn't to shame or insinuate, I believe you, but that's only a necessary condition for posting here, not a sufficient one. If your post pattern-matches to a standard way people do that on the internet, then readers will interpret you that way (like I did above) even if you intended otherwise, and the effect on the community will be just as bad. In such cases, the burden is on the commenter to make their benign intent explicit and disambiguate from the default pattern.
Because how something is described is always exactly what it is, that's why we are always told to judge books by their covers...
That page doesn't state what security matters the update addresses, nor does the page it links to (directly, maybe the information is there with more digging, but if I'm given a link on the pretext that it shows something I expect it to show that thing without needing to dig).
> What are you implying,
I'm not the OP, but I think what is being implied is fairly obvious: that the patch exists purely as a way to get the telemetry stuff installed and had no real security addressing content.
I very much doubt that is the case though, it is something that would not surprise me from the MS of old but they are at the very least more clever these days and would not risk the resulting furore.
> Problem is that those files previously exist on Windows 7 as part of CEIP
Were they there from the beginning? If not, which update(s) first added them? I doubt they were, because I clearly remember all the telemetry being in the news starting with Win10 and plenty of people refusing to upgrade to 10 because of it.
Even if it's a security update to CEIP, I don't think it should be offered to those who didn't install the original version of it.
The last time I helped my wife with a Windows 10 install, I was utterly grossed out. I've always been suspicious about snooping and covert logging, and spent years playing the game about blocking it all, but Windows 10 is crazy invasive.
I mean, by default, it wants to send every keystroke back to Microsoft servers! For "diagnostic purposes", I guess. And every URL that you visit. That's arguably worse than Google. Which is saying a lot.
I just set up Windows on a machine for the first time in a decade, it was a very gross experience indeed. I do recall it asking a series of questions about sending data to MSFT that were all by default, opt-in. One of those options sounded a lot like a key logger. The entire install process was so full of dark patterns it was really quite unbelievable to me.
There was actual fake news going around about it. Actual as in sponsored by Russia. So finding others saying the same isn't close to saying it happened, especially given many people have an axe to grind.
I appreciate that this is a prevailing and popular narrative pushed by popular people, but that doesn't mean it needs to penetrate into a discussion between two civilised human beings capable of critical thinking. It would be best to keep at least this website as propaganda-free as we can.
I need to use Windows sometimes to check out VPN client apps. Also to use Excel, when Calc chokes on too much data and/or too many calculations.
So I'm just very careful. I have old Windows 7 and Office DVDs that I bought for cash at a yard sale. I created a VirtualBox VM, and updated it through a nested VPN chain.
When I need to use Windows, I just clone that VM. If I'm putting data on it, I don't give it an Internet uplink. Occasionally, I update a clone. And if everything goes well, I use that as the source for future working clones. If I need to retain old clones, I put them on an external LUKS SSD.
$ for range in <results> ; do sudo iptables -A INPUT -s $range -j DROP ; done
Of course this will break a lot of Windows native system functionality, perhaps even Azure hosting, but this may not be an issue for someone just wishing to game in peace and privacy, unmolested by Microsoft telemetry.
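The loop above appends one DROP rule per range straight into INPUT. As an added example (not the commenter's script), here is the same idea with the two checks a practitioner would want before feeding a looked-up list to iptables: each entry is validated as an IPv4 CIDR before it becomes a rule, and the rules go into a dedicated chain so the whole block list can be flushed with one command. The range list is constructed from RFC 5737 documentation prefixes and is not Microsoft address space; substitute whatever your lookup returned. Nothing touches the live firewall unless you run it with APPLY=1 as root.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds iptables DROP rules from a
# list of CIDR ranges, validating each one first. Safe to run as-is: by default
# it only prints the rules it would apply.

# Constructed sample list (RFC 5737 documentation networks, NOT real targets).
SAMPLE_RANGES='192.0.2.0/24
198.51.100.0/24
203.0.113.0/24'

# valid_cidr A.B.C.D/N -> 0 if this is a syntactically sane IPv4 CIDR, else 1.
# Rejects missing prefix, prefix > 32, wrong octet count, non-numeric or >255 octets.
valid_cidr() {
    case "$1" in
        */*) ;;
        *) return 1 ;;
    esac
    ip=${1%/*}
    prefix=${1#*/}
    case "$prefix" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$prefix" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.
    set -- $ip
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# build_rules CHAIN  (ranges on stdin) -> one iptables command per valid range
# on stdout; malformed entries are reported on stderr and skipped. Never executes.
# Rules match on destination (-d): the guest initiates the connection, so the
# packets to stop are the outbound ones.
build_rules() {
    chain=$1
    while IFS= read -r range; do
        [ -n "$range" ] || continue
        if valid_cidr "$range"; then
            printf 'iptables -A %s -d %s -j DROP\n' "$chain" "$range"
        else
            printf '# skipped malformed range: %s\n' "$range" >&2
        fi
    done
}

# count_rules -> number of rule lines generated for the sample list.
count_rules() {
    printf '%s\n' "$SAMPLE_RANGES" | build_rules MS_TELEMETRY 2>/dev/null | grep -c '^iptables'
}

# apply_rules CHAIN: create the chain, hook it into OUTPUT (host's own traffic)
# and FORWARD (traffic the host routes for a bridged/NAT VM), then load the rules.
# Requires root. Undo everything later with:
#   iptables -D OUTPUT -j CHAIN; iptables -D FORWARD -j CHAIN; iptables -F CHAIN; iptables -X CHAIN
apply_rules() {
    chain=$1
    iptables -N "$chain" 2>/dev/null || true
    iptables -C OUTPUT -j "$chain" 2>/dev/null || iptables -I OUTPUT -j "$chain"
    iptables -C FORWARD -j "$chain" 2>/dev/null || iptables -I FORWARD -j "$chain"
    printf '%s\n' "$SAMPLE_RANGES" | build_rules "$chain" | sh
}

if [ "${APPLY:-0}" = 1 ]; then
    apply_rules MS_TELEMETRY
else
    printf '%s\n' "$SAMPLE_RANGES" | build_rules MS_TELEMETRY
fi
```

Note the direction: a `-s` match in INPUT only drops packets arriving from those ranges. For a guest that is calling home, the connection is outbound, so the rule belongs on the path the guest's packets take (OUTPUT inside the guest or on the host, FORWARD if the host routes for the VM) and should match on the destination. Dropping the inbound replies does break the handshake too, but the guest still sends its SYNs, which is noisier and harder to audit.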
As in my nearby comment, I only allow network access on VMs that don't contain any sensitive data. Once I've fully updated, I create clones to actually work on, and disable the Internet uplink entirely. When it's time to update again, I start with a virgin clone. And then transfer data to it, after disabling the Internet uplink.
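The clone-update-clone workflow described in this comment and the earlier one (a gold VM that only gets an uplink while patching, working clones that never get one) can be scripted against VirtualBox. This is an added example, not the commenter's own setup: the VM names are hypothetical, the VBoxManage subcommands and flags are the ones documented for the 5.x/6.0 series (newer releases also accept `--clipboard-mode` in place of `--clipboard`), and by default every command is printed rather than executed so you can review what it would do.

```shell
#!/bin/sh
# Added example, not code from the thread. Clone-update-clone workflow for a
# VirtualBox guest: the gold image gets a NAT uplink only while it is being
# patched; working clones are created with no NIC at all.
# DRY_RUN=1 (default) prints each command; DRY_RUN=0 executes it.

GOLD=${GOLD:-win7-gold}      # hypothetical name of the fully updated base VM
DRY_RUN=${DRY_RUN:-1}

# run CMD...: print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# clone_offline NAME: full clone of $GOLD with no network adapter and with the
# host/guest data channels (clipboard, drag and drop) shut off, so data copied
# into it has no path out.
clone_offline() {
    name=$1
    run VBoxManage clonevm "$GOLD" --name "$name" --register
    run VBoxManage modifyvm "$name" --nic1 none
    run VBoxManage modifyvm "$name" --clipboard disabled
    run VBoxManage modifyvm "$name" --draganddrop disabled
}

# refresh_gold: snapshot the gold image (so a bad update can be rolled back),
# attach a NAT uplink, boot it headless for patching, then detach the uplink.
# The update itself happens inside the guest; shut it down cleanly before the
# last step.
refresh_gold() {
    run VBoxManage snapshot "$GOLD" take "pre-update-$(date +%Y%m%d)"
    run VBoxManage modifyvm "$GOLD" --nic1 nat
    run VBoxManage startvm "$GOLD" --type headless
    run VBoxManage modifyvm "$GOLD" --nic1 none
}

# has_uplink NAME -> 0 if any adapter is attached to something, 1 if all are "none".
# Useful as a guard before copying sensitive data into a clone.
has_uplink() {
    VBoxManage showvminfo "$1" --machinereadable \
        | grep -E '^nic[0-9]+=' | grep -qv '="none"'
}

case "${1:-}" in
    clone)   clone_offline "${2:-win7-work}" ;;
    refresh) refresh_gold ;;
    check)   has_uplink "${2:-win7-work}" && echo "uplink attached" || echo "offline" ;;
esac
```

Usage: `sh vmflow.sh refresh` to patch the gold image, `sh vmflow.sh clone win7-work` to cut an offline working clone, `sh vmflow.sh check win7-work` to confirm it has no adapter before moving data into it. Set `DRY_RUN=0` once the printed commands look right.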
You know, I would do quite a lot to get full granular control of Windows Update back. I'd sign and mail a liability waiver. I'd send Microsoft a box of chocolates. I'd take a training course and pass a standardized licensing exam.
In the meantime I'm stuck dealing with Windows Update breaking things every week. I've completely given up on ever using my convertible laptop as a tablet again because every day I have to replace the updated broken drivers for the orientation sensor with the good ones from a fresh install of Windows and every night it dutifully installs the broken updated ones and there's not a damned thing I can do about it without disabling Windows Update entirely.
I've been running Windows with Windows Update disabled for many years. I enable it and update when I feel I should, and assess risk on an as-needed basis. I'm aware that running outdated software is bad practice, but I like not getting interrupted on my PC... for 154 straight days so far: https://i.imgur.com/1RTpIBY.png
In that case, it seems the root cause of your concerns about other Internet users is that updates for their systems from the OS developer are no longer considered trustworthy. Given that the developer in question has something of a track record now of delivering potentially unwelcome updates, such caution is reasonable. So I think you're aiming at the wrong target here.
In any case, the vaccination argument only works if it's defending against a real threat. If there's a genuine security issue here, perhaps it is. On the other hand, if this update really is causing otherwise absent telemetry software to be installed, not installing that telemetry software is hardly a threat to other Internet users.
I'm not 100% sure I understand all of what you're saying.
Generally if you disable updates, you disable them all, so that means security updates too. If a given update isn't a security update and you disabled all updates ... you're still going to miss it if it was a security update too.
> Generally if you disable updates, you disable them all
That isn't necessarily true at all. Indeed, the basis of this very story is that Microsoft has been providing updates for older versions of Windows that included only the security patches (i.e., not new features, telemetry, and any other stuff that might change the behaviour of the system in ways its user doesn't want). In terms of your "vaccination" strategy for the Internet, these patches are the ones that matter.
However, in this case, Microsoft might have bundled one of the things that people have been trying to opt out of -- telemetry -- into one of the updates labelled as security only. If they really have, that would be a further significant breach of trust, and given their recent track record with pushing telemetry, GWX and so on, a lot of people are no longer even willing to give them the benefit of the doubt, to the point that some people are no longer applying updates from Microsoft at all, in some cases including security updates. That is bad for almost everyone, and it's been directly caused by Microsoft's repeated abuse of the update system to push user-hostile changes.
Indeed. The October 2018 update erased my archive of digitized home videos. Thankfully I had backups because it took me a while to notice and some of the reallocated disk space had probably been overwritten by then. Microsoft's stunning lack of respect for its users is the reason I almost never got to see my grandfather smile again.
Since I have very clear memories of the first time MS did something like this, it kills me that no one publishes articles with quite the same degree of alarm about the massive amounts of telemetry that Google, Facebook, Amazon, et al. have successfully deployed. I mean, I don't like MS, but they're kind of like the annoying acquaintance who always pushes their latest MLM scheme while we all live in a neighborhood full of gangster thugs.
Yawn. That would only be a problem if you choose to run Micro$oft software. And it is in your hands to fix the problem by going with Linux etc. (key word is choose... I realise it is imposed on many, especially in the enterprise world).
How on earth is MSFT supposed to maintain compatibility for quintillions of iterations of hardware across millions of machines with no data on what works and what doesn't? Unlike FAANG they aren't out there pushing listening devices or trying to build exclusive data sets; they are trying to maintain the stability and security of 78.43% of the world's desktop computers. I don't care for the alarmism here when there are blazing infernos of actual malevolence burning in every direction.
Arguably 'successfully' is relative: Windows 98, ME, Vista etc. famously struggled with BSODs all the time. I imagine they were operating in relative blindness, basing their triage efforts on incomplete, angry user reports. They didn't have reliable information on which build was breaking, how many users were getting the same error, how frequently, on which types of hardware. With structured data they can prioritize fixes that affect the most users and verify their patches were effective.
> Windows 98, ME, Vista etc famously struggled with BSODs all the time.
Windows 98 and ME struggled with BSODs because they were still built on something designed as a GUI layer on top of a CP/M clone. Vista mostly fixed all that. I've been running Windows 7 for most of a decade now without a single BSOD.
They could start by being honest and open about what data they gather and give users simple, easy-to-access tools to restrict it if they want. (Most modern users won't care, anyway.)
If MS has built an OS that cannot be effectively maintained without being sneaky and deceptive about their data gathering, that's their problem. Don't ask me to sympathize with them just because doing things right is hard.
It should be possible to have a single, giant button for the complete opt-out, and the assurance that no updates, inconsistencies, individual settings, or else could cause analytics to get out of your pc.
It doesn't matter that it's unverifiable; that's just how it works. If they're found to be breaking the rules then they earn exorbitant fees, sanctions, and lawsuits.
It's like saying that you expect letter carriers to read every letter they deliver because there's no way to prove otherwise. They can get caught doing it, and if they are they're severely punished. That's your insurance.
Nothing is perfect, but somehow it still works. You can't always get 100% assurances; that's the nirvana fallacy. If you insist on it you'll just dismantle a system that was otherwise working perfectly fine.
Are mail carriers foolproof? No, but they serve a purpose.
Are privacy policies foolproof? No, but they serve a purpose.
Opening letters is a punishable crime, at least where I live.
Collecting too much data: Ooops we're sorry. Facebook has breached on multiple occasions their deal with the FTC. Until now not much has come out of it.
European data commissioners have requested more detailed information on telemetry to be able to certify Windows 10 for use in public offices and have been stonewalled so far. Not exactly trust-building.
Visual Studio Code with remote and Windows Subsystem for Linux is arguably the best mix "development / personal use" environment I've ever been in, and the Surface Pro 6 is probably the first time I've been excited about a computer since my 2012 MacBook.
I had originally planned to buy an XPS 13 and run Ubuntu, because I actually don't like Windows 10. I use Office365 Essentials though and that's just a hassle to set up on Linux, whereas it integrates seamlessly into Windows 10. It was also cheaper to buy the Surface. I got one of the cheaper versions with an i5, and re-selling my used MBP 2018 paid for the entire thing.
Maybe it's just me, but I was really on the fence about going Windows, like I said, I actually don't like it that much. It's grown on me though. For personal use it's really not that different than OSX. Then you get an actual updated unix cli. You can even get SUSE enterprise server to run stuff in what resembles a real deployment environment. It's all sandboxed so it doesn't fill up your personal machine with development tools and servers unless you're actually working on it. You get OneNote and you get to take notes or draw architecture with a pen. The keyboard and trackpad are better than the MacBook and the thing weighs nothing. It even has a MagSafe charger. It really feels like something Apple should have built.
I tried gaming on Linux a while back, my biggest problem was how spotty the nVidia drivers are. I realise nVidia is mostly to blame here, but it's definitely still a problem that's preventing me from ever really being able to game on Linux (Ubuntu.)
With a goal of 1440p@144Hz, and as someone who appreciates visual fidelity, I own an RTX 2080 Ti, and there's just far too much of a performance penalty for Linux gaming.
Having to relearn the whole stack. Networking, virtualisation, UI of the OS, web servers, database, scripting, programming language and IDE compatible with the OS, and for that programming language desktop framework, web framework, finding and understanding 3rd party libraries.
None of this is my day job, it is knowledge and muscle memory I accumulated over 20 years being invested in and toying with the microsoft ecosystem (.net, visual studio, sql server, iis, hyper-v, etc). Changing OS means pretty much restarting from scratch. It is tempting (I am deeply uncomfortable with the new Microsoft) but I just can’t afford to invest that much time and energy.
I'm personally attempting to transition away from Windows altogether, but it's a long-term organic process driven by hardware changeovers and decommissionings (including a recent involuntary one) rather than remove Windows function X by date Y.
I have Windows on a VM that I remote desktop to for things like budgeting and banking that I'd rather not keep on a "throwaway" type device. Two things that keep me on Windows are Excel (I use enough features that LibreOffice doesn't support) and Remote Desktop (it's just better than alternatives I've tried - I use xfreerdp to connect, which supports multi-monitor). Admittedly, I haven't looked into alternatives to Remote Desktop as the remote access server for a long time. Whilst vnc was always serviceable, it was never quite the "real" desktop experience that Remote Desktop provides.
Ah, that's the Microsoft we all knew and love to hate. Google peeps at you every waking hour, but at least pretends to be clueless. Facebook is what waits at the end of a dark alley you choose to walk down. But Microsoft, Microsoft is someone at a Home Depot walking up from behind: "So you need that tool for work?" and after that it's darkness and pain.
Still amazing though how much Windows could decay and they still got away with it. Year of the Linux desktop, as if this company did not hold the UI knowledge and legacy software of half the planet hostage.