Windows is getting disgusting

[Halcyon]

Are you sure it works for telemetry?

A lot of the telemetry stuff in windows falls back to internal hard coded addresses if the DNS entry doesn't work.

Yup, which is where my firewall blacklist comes in. DNS blocking is just one of several security techniques I use, even at home.

Nothing leaves my network without me knowing about it.

[harnon]

Yikes! All that telemetry is a bit   

Nothing leaves my network without me knowing about it.

Are you using a Pi-hole @Halcyon? I was looking at it the other day as something to do with a Raspberry Pi that's just getting dusty. Maybe I'll move it a bit up the todo list!

[RoGeorge]

Nothing leaves my network without me knowing about it.

That is just what you *wish* to achieve.  An external firewall might help, but there is no guarantee that the wish really happens.

Everybody should keep that in mind at all times.

[bd139]

There is a guarantee if you deny all traffic then whitelist what you need.

I only don't do this because I don't really care.

[RoGeorge]

There is a guarantee if you deny all traffic then whitelist what you need.

Still NO guarantee.  That is exactly what I am trying to highlight.

There are all kind of side channel leaks.  In theory, you are correct, because you assume all the devices are doing only what it is supposed to be doing, and nothing more.  This doesn't happen in real life.  Never.  There is always something we didn't think about it yet, but someone else might already discover it and exploit it.

[bd139]

That's possible but the whole point is to make that difficult to exploit if it does happen using carefully layered architecture and security policies. Never rely on just one security control!

Knowing what risks lead to exfiltration is step one. mitigation, step 2. monitoring, step 3. prevention, step 4.

[Alex Nikitin]

There is a guarantee if you deny all traffic then whitelist what you need.

I only don't do this because I don't really care.

All computer users go through three stages in respect of Internet security:

1) Ignorance - "I know nothing".

2) Paranoia - "I am scared of everything".

3) Enlightenment - "I don't care" . 

 

Cheers

Alex

[bd139]

It’s my job to care about this unfortunately. I just don’t take the work home 

[NiHaoMike]

I wonder if there have been any attempts to feed the telemetry fake data. Or more to it, selectively amplify/repeat real data to distort the data distribution.

[SiliconWizard]

MS just released an "update" for Windows 7 which will serve as a reminder starting jan. 2020 to annoy the hell out of people who will still be using 7. This update is optional  for now, but I wouldn't count on that forever.

I wonder how MS can get away with all this telemetry data. This is a huge security (and obviously privacy, but many people seem not to care in the least anymore, so talking about privacy is like pissing against the wind these days) concern. It's getting even worse than plain viruses. Keyboard, camera, microphone, data... hello? At least with viruses, you have an opportunity to get rid of them. If you're half-computer savvy, you'll certainly prefer taking the risk of getting a virus than having this shit running at all times behind your back.

If MS don't get their act together, Windows will be past history here.

@madires: unfortunately, they are only partly violating the GPDR, or maybe even not at all. Two key points IMO: first, if MS claims they are only storing and using this data after anonymizing it, they can claim it's not personal data anymore. What guarantee we have about this anonymization, I bet very few even know for sure, but I'm not counting on a squad of EU experts going to MS headquarters to audit them , so this is probably all based on declarative statements if MS is ever asked about it, at least for now. Second, even if personal data is not anonymized, all the GPDR really implies as far as I've gotten it is that the company has to tell people about it and give them access to the data the company holds about them. It doesn't prevent the companies from collecting data. So all you can do is opt out.

[bd139]

They're already in trouble: https://www.theregister.co.uk/2018/11/16/microsoft_gdpr/

EU will fuck them up pretty hard the moment there's evidence their product has leaked personal data.

They will keep doing it until it's a shareholder profit risk.

[rdl]

Microsoft gets away with this crap because you basically have to agree to it in order to use any of their products or services. The smartest thing to do is avoid them as much as possible.

https://privacy.microsoft.com/en-US/privacystatement

Just scroll down to this part and start reading.

The data we collect...

[james_s]

MS just released an "update" for Windows 7 which will serve as a reminder starting jan. 2020 to annoy the hell out of people who will still be using 7. This update is optional  for now, but I wouldn't count on that forever.

I'm ever more glad that I disabled updates completely 3 years ago after the GWX fiasco. Updates have caused far more damage, grief and wasted hours than they have prevented. It's asinine that they abuse the update process in order to push crap. It should be possible to get security fixes only rather than mixing those with features. I don't want my operating system to be a service, I want it to stay out of my way and let me work.

[SiliconWizard]

MS just released an "update" for Windows 7 which will serve as a reminder starting jan. 2020 to annoy the hell out of people who will still be using 7. This update is optional  for now, but I wouldn't count on that forever.

I'm ever more glad that I disabled updates completely 3 years ago after the GWX fiasco. Updates have caused far more damage, grief and wasted hours than they have prevented. It's asinine that they abuse the update process in order to push crap. It should be possible to get security fixes only rather than mixing those with features. I don't want my operating system to be a service, I want it to stay out of my way and let me work.

The mentioned update is the following: https://support.microsoft.com/en-us/help/4493132/windows-7-update-kb4493132
It appears unchecked by default in Windows update, but is flagged as "important". I think that's exactly what MS did at first with GWX. You can still mask it though so it doesn't constantly reappear... until next time.

[magic]

Nothing leaves my network without me knowing about it.

Do you block tor too? What if Windows starts exfiltrating your data to a hidden service? Or even some random server on Azure cloud, no different from a million other servers your users visit?

I'm ever more glad that I disabled updates completely 3 years ago after the GWX fiasco. Updates have caused far more damage, grief and wasted hours than they have prevented.

Including security updates? That may turn into an adventure one day, be sure to have backups at least

[Halcyon]

Nothing leaves my network without me knowing about it.

That is just what you *wish* to achieve.  An external firewall might help, but there is no guarantee that the wish really happens.

Everybody should keep that in mind at all times.

As I said, I know what goes in and out of my network at all times. Apart from the use of firewalls, there are other ways to achieve this. For example, I use whitelisting on other parts of my network, where completely untrusted device sit.

Someone else mentioned side-channel attacks, those can be mitigated too with some careful planning (such as not buying devices with microphones built-in).

As for my Windows 10 machine, even if it did manage to talk back to Microsoft, I can still control what data it provides by giving it fabricated information to begin with and keeping personal/private information off that system. In my case, that box is only used for gaming. Any telemetry is not personally attributed to me in any way and contains no private information (because the system doesn't hold that information to begin with).

Network security is just as much about the humans as it is about the systems in place.

[james_s]

Including security updates? That may turn into an adventure one day, be sure to have backups at least

Well I've already had adventures including having to reinstall machines due to borked updates so I'll take my chances. Despite cries that the sky is falling I've yet to ever be a victim of an exploit so at this point updates have caused me far more problems than they have fixed and it is only getting worse. Naturally I have all my important data backed up.

[bd139]

I suggest you turn off windows defender if you haven't updated for 3 years. There's a nasty non user invoked remote execution vulnerability in it. Basically just receiving a file in your mail client without opening it with the vulnerability injected can cause the sandbox process to execute it as SYSTEM. Fun fun fun.

This is fixed now. QED. Run updates. Don't be a dick. Or we end up with Slammer or Stuxnet again.

Edit: also check your T&C on your ISP. If you cause their network trouble and you didn't follow due diligence then expect to have a fat finger pointed at you.

[magic]

Well I've already had adventures including having to reinstall machines due to borked updates so I'll take my chances. Despite cries that the sky is falling I've yet to ever be a victim of an exploit.

Malware is a concern though. IIRC, a year or two ago some shitty Ukrainian ransomware completely shut down large part of Maersk, a global shipping company, for something like a day or two. Not a good place to be, I guess.

But indeed, I am quite Zen about security myself too. Relevant old joke:

noob's password: suzy, because no one on the Internet could possibly know his girlfriend's name
hacker wannabe's password: bugfkfon3598up..11!!.1, because no one could possibly guess that
actual hacker's password: suzy, because anyone who cares will find a way to break in anyway

[apis]

Most of the time an infection of a home computer will just silently sit and wait for a command to be used for a denial-of-service attack or some such. I suppose they could silently log your keystrokes and send it off to a server as well. You wouldn't notice it. Ransomware (like wannacry) is more spectacular though.

[Halcyon]

I suggest you turn off windows defender if you haven't updated for 3 years. There's a nasty non user invoked remote execution vulnerability in it. Basically just receiving a file in your mail client without opening it with the vulnerability injected can cause the sandbox process to execute it as SYSTEM. Fun fun fun.

This is fixed now. QED. Run updates. Don't be a dick. Or we end up with Slammer or Stuxnet again.

But I haven't been infected before! I mean, I don't know what an infection would look like. I suppose it's very obvious, but I haven't been infected before.

Why bother getting immunised either? I mean, I've had Hepatitis before. ;-)

[bd139]

Just to note on telemetry, even the server versions (2019+) and the enterprise editions report telemetry when it's turned off now.

The company I am currently consulting with consider this to be a grave enough security risk they are planning a whole site migration to RHEL / CentOS at the moment which is paying the bills nicely. So thanks Microsoft! 

Do you have a source for that? I know some people who'd be very interested in that information.

Nothing public yet. This is from internal testing of windows server 2019 in a sandbox in AWS. Traffic identified by wireshark. This is with all the GPOs that control telemetry turned off. This may be a bug as this has happened before where they screwed up but at the best it shows their quality control is a risk in itself.

 

I suggest you turn off windows defender if you haven't updated for 3 years. There's a nasty non user invoked remote execution vulnerability in it. Basically just receiving a file in your mail client without opening it with the vulnerability injected can cause the sandbox process to execute it as SYSTEM. Fun fun fun.

This is fixed now. QED. Run updates. Don't be a dick. Or we end up with Slammer or Stuxnet again.

But I haven't been infected before! I mean, I don't know what an infection would look like. I suppose it's very obvious, but I haven't been infected before.

Depends on the goal. 90% of the time you know nothing. Only the ransomware and poorly written worms tend to make a lot of noise. Much like a disease it’s ineffective if it kills the host too quickly or draws attention to itself.

[Richard Crowley]

Considering the likely monitoring by NSA, China and Russia, what the guys in Redmond may be doing pales by comparison.  I'm one of the people who don't give a toss because the battle has been lost.  Unless you like aluminum foil headwear.

[bd139]

Microsoft hand over their vulnerabilities to the NSA before we get patches under their early disclosure scheme. Everyone shits in the same toilet.

[Halcyon]

Microsoft hand over their vulnerabilities to the NSA before we get patches under their early disclosure scheme. Everyone shits in the same toilet.

Quite often its the other way around. Vendors don't like sharing with Government and vice versa.