Newsletter Archives

  • This month’s Win7 and 8.1 “security only” patches install and activate telemetry systems

    Back in July, we discovered that the Win7 security-only patch was installing and activating telemetry (read: snooping) subsystems.

    The August security-only patches didn’t include telemetry, and many of us breathed a sigh of relief.

    Now it looks like the September security-only patches have telemetry once again — and not just for Win7.

    Details in Computerworld Woody on Windows.

  • Google says it may start scanning Gmail again

    It’s a disturbing development.

    In late June, Google announced that it would stop scanning free Gmail, in order to serve up ads. That follows earlier commitments to not scan Gmail for ads, for both the Educational version of Gmail and the paid GSuite.

    David Kravets at Ars Technica has uncovered a footnote in a class action settlement that says Google has reserved the right to start scanning free Gmail again. The settlement received preliminary approval on Thursday.

    The wording of the footnote has a tone that should ring familiar to most of you:

    Google believes, however, that the architecture and technical requirements for providing email services on a large scale evolve and change dynamically and that a longer commitment may hinder Google’s ability to improve and change its architecture and technology to meet changing demands.”

    It sure sounds to me like the “Let Microsoft provide more tailored experiences with relevant tips and recommendations by using your diagnostic data” setting in Win10 1703.

    I talked about that setting in my article about setting up Win10 Creators Update. It’s yet another step toward blurring the lines between telemetry and snooping. And now Google’s playing the same song and dance.

  • MS re-re-..release (again) of KB 2952664 and KB 2976978

    We’re seeing a recurrence of the two snooping patches KB2952664 for Win7 and KB2976978 for Win8.1. The last time they showed up, was on March 7th, but now they’re back……

    MS re-re-..release of KB2952664 and KB2976978

    Microsoft describes them as a “Compatibility update for keeping Windows up-to-date.”

    This update performs diagnostics on the Windows systems that participate in the Windows Customer Experience Improvement Program. The diagnostics evaluate the compatibility status of the Windows ecosystem, and help Microsoft to ensure application and device compatibility for all updates to Windows. There is no GWX or upgrade functionality contained in this update.

    They are appearing as unchecked Optional now, which means they won’t be installed unless you check the corresponding box in Windows Update.
    Their status may change next week to Recommended and, for some, they may show up as checked Important on Patch Tuesday.

  • The complexity of controlling Windows telemetry

    Noel Carboni has a great post that I wanted to bring up here onto the main page. It’s in response to the question of what to recommend for Win7 and 8.1 users, in this age of Malware as a Service, but it’s generally applicable to all Windows customers:


    I’ll wager I know what communications a desktop system does online as well as anyone, as understanding and controlling such communications is a passion of mine. A career in data communications and software engineering tends to do that to you.

    Thing is, there’s not just one “telemetry” communications stream. What Windows does online is much, much more complex than that! Insanely more complicated.

    Presuming you want to do at least SOME things online with your system you actually DON’T want to block all the comms – there are some very necessary sites that MUST be contacted by a typical system regularly, e.g., for the purposes of certificate verification, time sync, license management…

    That’s not to say Windows can’t be made very private. I myself maintain Windows 7, 8.1, and 10 systems that don’t spill the beans online. But it’s no small, simple, turnkey task. Windows is a complex beast, and it takes some geek chops to do it along with ongoing effort.

    As an example, here’s a list of all the sites my Windows 10 test system at LAN address, allowed to sit idle all day, contacted. I ran the command (on my Win 8.1 workstation) to search my DNS log at near midnight last night. You can see that the only communication initiated in the 24 hour period was to get the time from the National Institute of Standards and Technology via a task I have scheduled (I have disabled the out-of-box Windows time service).


    Most folks, however, wouldn’t find my Windows 10 system, above, acceptable. Why? Because I have shunned all the Apps and cloud-integration entirely. But it DOES illustrate that the beast can be controlled, and my techniques are applicable to purely desktop-oriented Windows 7 and 8.1 systems also.

    What have I found that it takes to accomplish this reduction/elimination of Microsoft-initiated online communications?

    • Reconfiguration of all provided settings to their most private choices.
    • Being willing to do without (or reduced function from) some services Windows seeks to provide.
    • Configuration through the local Group Policy editor a number of settings.
    • Configuration through the registry of a number of settings that have no UI.
    • Disabling of scheduled tasks involved with telemetry and online comms.
    • Disabling of services involved with telemetry and online comms.
    • Adding entries to the hosts file to blacklist some sites.
    • Watching vigilantly for any of these things to be reverted by updates.
    • Outfitting with extra software to monitor and police communication attempts.

    The list above may seem daunting, but we haven’t even gotten to the part where the devil is in the details. The lists of how to accomplish the above things are long and complex.

    Ideally I imagine people want a fully private system that still allows them to do everything they want. That’s not gonna happen. You have to be willing to compromise.

    What does one have to consider doing without?

    • Apps. The very nature of Apps is that they’re web-integrated and they require an infrastructure to keep them functional. If you want to run Apps, stop reading now.
    • Cortana. A personal digital assistant COULD work entirely from local data, but Cortana doesn’t. If you want a personal digital assistant that talks to you, stop here.
    • Cloud-integration, such as OneDrive, except for user-initiated operations e.g., in a browser. The good news is that you can use a OneDrive server to store/retrieve files through a browser without ANY of the system-level integration
    • Automatic updates. You have to be willing to install them yourself from the catalog if you want a truly subservient system.
    • Some security features such as the “Smartscreen Filter”. But you can’t rely on luck; you need a GOOD alternate plan to stay safe online.
    • Suggestions that pop up while you type. Your keystrokes are sent to Bing or Google or whatever search engine to make that happen.
    • Generally speaking, subscription and high-end commercial software communicates regularly online to do things like verify its licensing. Either you need to allow this or choose software that doesn’t do that.
    • Some software seeks to be cloud-integrated (late versions of Office, for example). You have to avoid this software or specific features within it, and be able to differentiate wanted comms from unwanted comms. That’s no small feat!
    • Online backups. Uh, no, get one or more external USB drives and make your own local backups, where you maintain full control of your data.

    This has gotten long already, yet I’m sure there are things I’ve missed and I haven’t even begun to get into the list of actual technical things to do to get to a secure, private system that doesn’t try overmuch to send your data abroad. It’s a challenging task even for a career software engineer. It’s not going to be feasible at all to provide a “have your cake and eat it too, set it and forget it” solution for an average user.

  • Five fatal flaws in the current Windows 10, and how they’ll fare in the new Creators Update

    Take a look at the five worst traits of Windows 10 Anniversary Update – forced updating, snooping, advertising, stability, and hijacked settings – and how they’ll change in the Creators Update. Some very good news. Some not so good.

    Details in InfoWorld

  • The inside scoop on Windows snooping

    Microsoft won’t give us any decent documentation about its telemetry/snooping efforts. Ed Bott, on the other hand, has lots of contacts on the Windows team and has turned out an important piece on Windows security.

    Yes, I know that Ed writes books for Microsoft. Yes, I know he generally comes down on the side of the Redmondians. Nonetheless, if you read his article carefully, you’ll learn a lot.

    I know I did.

    I’d love to see a companion piece on Windows 7 and 8.1 snooping.

  • Microsoft walks a thin line between Windows 10 telemetry and snooping

    And the situation’s becoming more dire as MS uses Win10 techniques in Win7 and 8.1.

    InfoWorld Woody on Windows