When Privacy and Reality Interconnect

His privacy being paramount, Kelly grudgingly chooses to head into Columbia every so often, rather than cede his data to Google or turn over his purchase history to another online retailer. “I’m just not sure why Google needs to know what breakfast cereal I eat,” the 51-year-old said. Washington Post

There are a couple of things to notice here.

First: Google is not the only company out there snarfing up your data. Zuckerbergland apps, Verizon (you know, AOL, Yahoo, Tumblr), Microsoft (Linkedin, Bing, all those Microsoft apps like Word, etc) are only some of them.

Second: Most websites have some form of tracking software on them, and they can be related to any of the three or more listed above.

Third: Despite what the EU would have you believe, GDPR is not your salvation, as many websites, in the small print, outside the EU say this site not intended for consumption by people in the EU which means that the GDPR has zero impact.

And realistically, if you do not want to be tracked, there is only one way to avoid it. Stay off the Internet. And that includes no smart devices (there is tracking software on them too), no credit cards (who do you think came up with the idea of tracking purchases), and no cheques. In fact, depending where you live, you are being watched by CCTV cameras, where the video is uploaded and searched for malcontents, using AI and facial recognition software. If you travel, you are tracked whether by planes, trains, or automobile (toll plazas, rest stops…). Let’s face it, unless you are a hermit, you have no privacy.

And ironically, we all know that Mr Kelly, who is 51 years-old, likes to eat Bob’s Red Mill muesli cereal. So his privacy is now shot too, because he talked to a reporter, and the story ended up…on the Internet.

Windows 10 Security Issues are not Overblown

As a technology professional, I have been reading ComputerWorld for most of my career. Most of the time, the information in it is useful and occasionally biased. But the bias is easy to pick out and people will generally roll their eyes and move on. However, today, while reading a different article, I came across an August 25, 2015 article by Preston Gralla on 4 overblown Windows 10 worries that made my jaw hit the floor and actually question if Preston is working directly for Microsoft, because I cannot imaging an objective journalist writing some of the things he says, at least a journalist with any technical skill whatsoever.

Now, I am going to start by saying that Windows 8, as an operating system had a number of problems that really made me wonder what Microsoft was thinking, but the more I hear about Windows 10, the more I am convinced that Microsoft knows exactly what I am thinking, and what they are thinking runs diametrically against what most technicians and other IT professionals (especially security professionals) feel and operating system should be doing. The article tackles four key features of Windows 10 that have security people (and others concerned about digital privacy and security) pretty much wrapped around the axel.

First: Wi-Fi Sense will share all your passwords

Preston say this is not true, then goes on to explain why it is. He also says it is a good and necessary thing.

The concept behind Wi-Fi Sense is a solid one: To make it easier for visitors to find and connect to Wi-Fi networks. Wi-Fi Sense lets you share your network with others without seeing the actual network passwords – the passwords are encrypted and stored on Microsoft’s servers so they aren’t visible to outside users.

Let me explain. Wi-fi Sense shares your passwords with other users and they are stored on Microsoft’s servers. Oh, sure, they are encrypted, but are they encrypted with your keys? Do you control the revocation of the passwords? If you answered yes, please box up your PC and return it to where you bought it. The fact that this feature is enabled by default is a massive security hole. He tries to bloviate by saying it was invented by a similar idea invented by the Open Wireless Movement, but you can be sure the OWM had much less specific user information in mind for its implementation than what Microsoft has implemented. He goes on to say you have to take another step to actually share the key. Again, that it is enabled by default is a bad idea. The second step is merely a feel-good panacea. And since most home users do not have good network security, the myth that users on your network will not be able to get to other resources is just that a myth. This feature should not be part of any implementation of any operating system. If I want someone to have access to my Wi-Fi, I will provide them that access in a way that does not jeopardize my network, nor provides critical infrastructure information to an unknown third-party system.

Second: Windows 10 updates are automatically installed on your system, and that is a bad thing.

Says Preston:

The concern here is that, unlike previous versions of Windows, Windows 10 doesn’t give you a choice about when (or which) Windows updates will be installed on your computer. What Microsoft sends to you will be installed, whether you like it or not, and as a result, an update could break something on your PC – for example, a driver for a peripheral like a printer.

The truth is much more sinister.

It’s true that if you have the Windows 10 Home edition, you don’t have a choice about installing Windows 10 updates – Microsoft sends them and your system installs them.

And the fact is that most people have will be running Windows 10 Home. And you really should have a choice about what you will install because while most of Microsoft’s core patches are necessary, I have spend hours helping my less technologically savvy friends recover from a bad patch, or roll back a peripheral patch that caused a once working device to fail. And it happens more than anyone would like to admit.

I am all for installing patches and keeping your systems as current as possible, but not all patches should be blindly installed and certainly not on the day they are released. Let other people be the Guinea pigs. This is especially true with some of the less than successful browser updates in Microsoft’s past.

Third: Microsoft’s use of peer-to-peer networking for Windows updates will slow down your network connection.

Says Preston:

With Windows 10, Microsoft uses a trick borrowed from peer-to-peer networking apps like BitTorrent in order to distribute updates more efficiently. Rather than have everyone get updates from a central server, the updates are also delivered from PC to PC.

Microsoft “BITS” service has been around for a long time. Systems Management Server and the updated Systems Center Configuration Manager have used BITS for distributing files across low-bandwidth links. Preston likens the model to the way Bit Torrent works. But unless you have a slow bandwidth (and some do), this is actually not an effective way to deliver packets for an update. Further, there is a risk that the Peer-to-Peer network can be infiltrated. I fully expect that there will be a viable penetration before year-end if there is not one already. Again, you can turn it off, but it should not be enabled by default to begin with.

Fourth: Windows 10 is a privacy nightmare.

Well, honestly, it is. Preston even admits it by saying:

Most of the fears have to do with Windows 10’s default privacy settings, created during the installation if you use the express install option. With those default options, Windows 10 will send your calendar and contact details to Microsoft; assign you an advertising ID that can track you on the Internet and, when using Windows apps, track your location; and send your keystrokes and voice input to Microsoft.

He goes on to say that you can turn them all off. Two things wrong with this. First, opt-in, not opt-out should be the default setting for anything being sent anywhere. Period, end of sentence. Secondly, there are still a number of things that security professional are finding being sent to Microsoft even if you turn them off. Compound that by even more errors when you actively block the transmission of data to Microsoft. This is not a secure operating system. This is an information sieve.

What really upsets me is this:

Let’s face it – every time you use a computer, you’re living with tradeoffs between your privacy and getting things done more easily.

No. Privacy should never be a trade-off. Deciding what and when I send information to unknown third-parties should always be my decision, not the decision of an organization that knows better than me. Most home users do not know any better, which means that Microsoft should actively be helping them better protect themselves than exposing them to harm.

He concludes his article with this statement:

But other concerns have been overblown – in many cases you can change the defaults to make the operating system work more to your liking. And other concerns – for example, that Wi-Fi Sense automatically shares your Wi-Fi passwords with your friends and friends of friends – are myths.

No, they are not myths. They are facts, enabled by default, and while some of them can be turned off, the average user needs a much larger skill set than in past versions of Windows. Microsoft is not interested in their customer’s privacy, or security, or these, and other features would not be enabled by default, and that is not a myth.