windows 10 – Techdirt

Stories filed under: "windows 10"

NSA Surprises Microsoft With A Vulnerability Disclosure Just In Time For Patch Tuesday

from the what-do-you-give-to-a-company-that-has-everything-but-knowledge-of-this-exploit dept

Given the NSA’s track record with vulnerability disclosures, it’s somewhat of an anomaly when it actually decides the security of millions of innocent computer users is more important than its exploitation of a security flaw. Ellen Nakashima has the details for the Washington Post:

The National Security Agency recently discovered a major flaw in Microsoft’s Windows operating system — one that could potentially expose computer users to significant breaches or surveillance — and alerted the firm of the problem rather than turn it into a hacking weapon, according to people familiar with the matter.

The flaw affects Windows 10 users, the largest user base Microsoft currently has. The vulnerability could have been weaponized by the NSA, as so many others have been. The agency has consistently withheld knowledge of vulnerabilities from affected companies until the exploits have outlived their usefulness.

The equity program, meant to ensure companies are notified of serious software flaws, has routinely been ignored by the NSA, leading directly to the EternalBlue cataclysm that saw malicious hackers repurpose the exploit and unleash ransomware attacks on multiple targets around the world.

Microsoft was not happy. It released a long statement decrying the Intelligence Community’s refusal to completely participate in the Vulnerability Equities Process. As ransomware attacks brought multiple critical facilities to their knees, the NSA was justifying its “better way too late than never” approach with statements about the difficulty of developing useful surveillance tools.

It may have been Microsoft’s response to the WannaCry attacks that prompted the NSA’s proactive disclosure of this vulnerability. This security flaw is strikingly similar to the one exploited for years by the NSA — the one that became ransomware once the Shadow Brokers made the vulnerability available to whoever wanted it.

The discovery has been likened to a slightly less severe version of the Microsoft flaw that the NSA once weaponized by creating a hacking tool dubbed EternalBlue, which one former agency hacker said was like “fishing with dynamite.”

Like EternalBlue, the vulnerability disclosed here is “God mode” for malicious hackers and surveillance agencies.

Companies like Microsoft and Adobe use digital signatures to stamp software as authentic. This helps to prevent malware infections that might try to disguise themselves as legitimate. The NSA discovered an error in the Microsoft code that verifies those signatures, potentially enabling a hacker to forge the signature and install spyware or ransomware on a computer.

Microsoft’s patch will have been issued by the time you read this. The good news beyond the NSA’s surprise disclosure is that Microsoft has not seen the flaw exploited. Yet. A patch is only as good as the end users’ application of it. That’s somewhat beyond Microsoft’s control but Windows 10 is pretty aggressive about pushing updates, so it shouldn’t take too long to close this hole.

This likely doesn’t signal a large-scale change in the way the IC handles vulnerability disclosure. Exploits and vulnerabilities will continue to be hoarded, even if the potential collateral damage is billions of dollars. After all, billions will be lost by targets of attacks predicated on hoarded vulnerabilities. The NSA won’t lose anything, not even a little sleep.

Filed Under: nsa, patch tuesday, veb, vulnerabilities, vulnerabilities equities program, windows 10
Companies: microsoft

Microsoft Sort Of Addresses Windows 10 Privacy Complaints With New Privacy Dashboard

from the hoover-up-ALL-the-data dept

Tue, Jan 17th 2017 11:55am - Karl Bode

For the last few years, Microsoft has been under fire because its Windows 10 operating system is unsurprisingly chatty when it comes to communicating with the Redmond mothership. Most of the complaints center around the fact that the OS communicates with Microsoft when core new search services like Cortana have been disabled, or the lack of complete, transparent user control over what the operating system is doing at any given time. Microsoft has since penned numerous blog posts that claim to address consumer concerns on this front — without actually addressing consumer concerns on this front.

This week, Microsoft penned a new blog post claiming that the company has been listening to annoyed customers and privacy activists, and will finally be making substantive changes to Windows 10 privacy settings to give users more control. Among them will be new operating system-level privacy controls that make consumer options more granular. But Microsoft also says it is building a new privacy dashboard the company says will be doled out to Windows Insiders in an upcoming build, and will look something like this:

Microsoft says the company will simplify the operating system’s diagnostic data collection levels, so that it’s clearer what telemetry data is being sent back to the company’s servers. As it stands, Windows 10 currently has three snooping levels, but in the Creators Update (expected sometime in the Spring) there will be just two: an option to switch between “basic” and “full” data collection levels, depending how much invasive snooping you like with your morning coffee. Said basic tier is the lowest the settings will go, and includes collection Microsoft claims is necessary for the functioning of the OS. Basic includes:

“Data that is vital to the operation of Windows. We use this data to help keep Windows and apps secure, up-to-date, and running properly when you let Microsoft know the capabilities of your device, what is installed, and whether Windows is operating correctly. This option also includes basic error reporting back to Microsoft.”

The problem is that Microsoft has often hidden behind claims that it has to collect a lot of this data or the operating system won’t work, and there’s still no option to eliminate the collection of telemetry data completely. “Full” data collection, in contrast, will collect everything that the basic setting covers, as well as “inking and typing data.” That can include sending Microsoft the document you were working on that caused a system crash, and giving Microsoft support permission to access the OS remotely for troubleshooting.

The entire goal, Microsoft claims in the post, is to make consumer privacy easier to understand:

“When it comes to your privacy, we strive to make choices easy to understand while also providing clear visibility and control over your data. We believe finding the right balance is one of our most important tasks in delivering great personalized experiences that you love and trust.”

We’ll have to wait until Spring to see if these changes address concerns of the EFF, which last August criticized Microsoft’s malware-esque forced upgrade tactics and its refusal to answer consumer privacy inquiries in a straightforward fashion. Microsoft’s also trying to appease French regulators, who last summer demanded that Microsoft “stop collecting excessive user data” and cease tracking the web browsing of Windows 10 users without their consent. Of course if having total, granular control over how chatty your OS is over the network is your priority, not using Windows whatsoever probably remains your best option.

Filed Under: privacy, privacy dashboard, windows 10
Companies: microsoft

Microsoft Finally Admits Its Malware-Style Windows 10 Upgrade Sales Pitch Went Too Far

from the self-sabotage dept

Wed, Dec 28th 2016 02:48pm - Karl Bode

We’ve talked a lot about how Microsoft managed to shoot Windows 10 (and consumer goodwill) squarely in the foot by refusing to seriously address OS privacy concerns, and by using malware-style tactics to try and force users on older versions of Windows to upgrade. While Microsoft’s decision to offer Windows 10 as a free upgrade to Windows 7 and Windows 8.1 made sense on its surface, the company repeatedly bungled the promotion by making the multi-gigabyte upgrade impossible to avoid, which was a huge problem for those on capped and metered broadband connections.

But at times Microsoft made things even worse by engaging in behavior that would make even the lowest scumware peddlers proud. Like that time the Redmond-giant began pushing Windows 10 upgrade popups that pretended to let users close the popup dialogue by pressing X, only to have that begin the upgrade anyway against the user’s wishes.

Between this and the company’s outright refusal to let users control how and when the operating system phoned home, Microsoft managed to take a relatively successful OS launch and turn it squarely on its head — largely by ignoring some of the most basic principles of design, customer service, and public relations.

Now that the Windows 10 upgrade push is long gone, the company actually got close to acknowledging that its behavior went too far. Speaking on the Windows Weekly podcast, Microsoft’s Chief Marketing Officer Chris Capossela finally acknowledged that the company mishandled the entire forced upgrade (though he falls short of apologizing or addressing the parallel privacy concerns):

“We know we want people to be running Windows 10 from a security perspective, but finding the right balance where you’re not stepping over the line of being too aggressive is something we tried and for a lot of the year I think we got it right, but there was one particular moment in particular where, you know, the red X in the dialog box which typically means you cancel didn’t mean cancel.

And within a couple of hours of that hitting the world, with the listening systems we have we knew that we had gone too far and then, of course, it takes some time to roll out the update that changes that behavior. And those two weeks were pretty painful and clearly a lowlight for us. We learned a lot from it obviously.”

Except Microsoft didn’t really “get it right,” and users made that abundantly obvious. And whether Microsoft actually “learned a lot from it” really isn’t clear, since a refusal to let users truly control how the OS works (whether it’s preventing the OS from being quite so chatty or letting users dictate upgrade schedules on their own terms) has been somewhat of a recurring theme since launch. That “we know what’s best for you” mentality has been bone-grafted to the company’s DNA for some time, and we’ll likely have to wait until Windows 11 to see if any lessons were actually learned.

Filed Under: push, upgrade, windows 10
Companies: microsoft

DRM: Still Hurting Paying Customers The Most

from the the-internet-is-for-opening-client-side-PDFs-apparently dept

Today’s Stupid DRM Trick is brought to you by Adobe LiveCycle ES3 and Windows 10.

Starting in August, we started to receive noise from end-users on unable to open DRM protected PDFs, ones that are protected with 2016-17 policy, with the use of Adobe Reader and Adobe Acrobat. Users are mostly facing issue on seeing the below message when opening the PDFs:

Error Message:

“This computer must be connected to the Internet in order to open this document. Your permission to open this document offline has expired. Make sure this computer is connected to the network and the Adobe Experience Manager- Forms Server(Document Security) is running.”

or

“This computer must be connected to the network in order to open this document. Your permission to open this document offline has expired. Make sure this computer is connected to the network and the Adobe LiveCycle Rights Management Server is running.”

While I can understand some companies might want to prevent unauthorized users from reading PDFs possibly containing sensitive material, the fact that an authorized user’s computer has to “phone home” to Adobe to read a PDF generated (and held) by a third party is ridiculous. While password-protection schemes may have their drawbacks, the LiveCycle solution doesn’t do much for employees (or students — LiveCycle is also used for courseware) who might not have access to an internet connection (an unfortunate reality when traveling) but still need access to these documents.

However, this problem isn’t completely Adobe’s fault (although the DRM’s insistence on an internet connection still is). It appears a Windows update is what’s preventing LiveCycle from phoning home.

Today, I am unable to access the pdf courseware on my system due to the following error message:

“This computer must be connected to the Internet in order to open this document. Your permission to open this document offline has expired. Make sure this computer is connected to the network and the Adobe Experience Manager- Forms Server(Document Security) is running.”

Now, I know my system is connected to the network but I can’t figure out what else is wrong. Usually, when I open these pdfs, I get a login prompt but this time, nothing. Please help ASAP. But even after re-downloading the material from aspen portal once again, it still doesn’t work. I had installed the Cumulative Update for Windows 10 Version 1511 for x64-based Systems (KB3163018) on 30-06-2016 and the only issue I faced before was that the login prompt was not appearing but I could still open the document. Now, I can’t even open the document.

Once again, a Windows update breaks something that was working, leaving end users to clean up the company’s mess. Another user had the same update kill their VPN access. And if it’s not blocking connections, it’s killing webpages accessed through Microsoft’s own Edge browser. Fun stuff. These not-all-that-optional cumulative updates tend to create as many problems as they solve and Microsoft’s own “help” isn’t all that helpful, leading to this sort of exasperated response.

The trouble we have is I have over 200 Windows 10 machines and cannot go to each one and run a tool to view the updates. We use WSUS and I had hoped that there would be a way to split out the Cumulative update so we can disable the two patches I mentioned and then have that push. I have for the time being approved the update for removal in WSUS so it will handle removing it. I am concerned about the other fixes and not having them. Does MSFT QA these updates or are they blaming Cisco on this one?

So, we have two issues, neither of them useful to end users. On Adobe’s end, we have a protection scheme that requires an internet connection. That’s classic DRM — phone home, get permission… all well and good (NOT REALLY) until someone needs access to documents but can’t because they’re not connected to the internet.

Then we have an update that breaks the connection Adobe’s DRM relies on, forcing the same problem on users who do have internet access. The problem with DRM schemes like these is that they rely on a bunch of parts that aren’t interconnected (Adobe, Windows) but both have to be working properly to get the job done… rather than just, say, open Adobe Reader and be done with it. Subtract an internet connection and Adobe’s documents are useless, even to authorized users. Throw a surprisingly volatile Windows update into the mix and end users doing everything right are still screwed. Combine the two and sensitive documents are suddenly so “protected” that a majority of users can’t even view them. And, remember, this is a “privilege” corporate customers pay for.

DRM: still mostly useless and still mainly a pain in the ass for paying customers.

Filed Under: drm, livecycle es3, pdf, windows 10
Companies: adobe, microsoft

The EFF Calls Out Microsoft's Ongoing Bullshit On Windows 10 Privacy Concerns

from the talking-out-of-both-sides-of-your-mouth dept

Tue, Aug 23rd 2016 04:26pm - Karl Bode

While Windows 10 is generally well-liked by reviewers and users, it’s relatively clear that it’s not the OS to choose if you actually want to control how much babbling your OS does over the network. While a lot of complaints about Windows 10 have been proven to be hyperbole or just plain wrong (like it delivers your BitTorrent behavior to Hollywood or it makes use of menacing keyloggers), Windows 10 is annoyingly chatty, sending numerous reports back to Microsoft even when the operating system is configured to be as quiet and private as possible.

While Microsoft has been criticized for this behavior for some time now, the general response out of Redmond has been to tap dance over, under and around most of the key complaints.

Enter the Electronic Frontier Foundation, which last week effectively called on Microsoft to stop bullshitting everybody in terms of what gets collected and why. The EFF does a good job reiterating how Microsoft used malware-esque tactics to get users to upgrade, then once installed, Windows 10 collects user location data, text input, voice input, touch input, web browsing history, and general computing telemetry data, including which programs you run and for how long — which would be arguably less of an issue if you had full control over how much of this data was collected and funneled back to the Redmond mothership.

Microsoft has made some modest changes to address ballooning concern about user privacy over the last year, but the EFF notes that the company continues to tap dance around how much data is collected, what the company is doing with it, and why users can’t have full privacy control over an OS they purportedly own:

A significant issue is the telemetry data the company receives. While Microsoft insists that it aggregates and anonymizes this data, it hasn’t explained just how it does so. Microsoft also won’t say how long this data is retained, instead providing only general timeframes. Worse yet, unless you’re an enterprise user, no matter what, you have to share at least some of this telemetry data with Microsoft and there’s no way to opt-out of it.

Microsoft has tried to argue that Windows Update won’t work if telemetry reporting is minimized and user privacy and preferences are actually protected. In short, Microsoft has tried to claim that giving users broader control puts the user at risk by hamstringing security updates. That’s something the EFF is quick to call bullshit on, calling it a “false choice” that’s “entirely of Microsoft’s own creation.” What Microsoft should do if it truly values its customers, the EFF argues, is dramatically ramp up company transparency and finally offer a meaningful, simple opt-out functionality:

Microsoft should come clean with its user community. The company needs to acknowledge its missteps and offer real, meaningful opt-outs to the users who want them, preferably in a single unified screen. It also needs to be straightforward in separating security updates from operating system upgrades going forward, and not try to bypass user choice and privacy expectations.

In response to the EFF, Microsoft has continued to do what it has always done: pretending that nothing is wrong, customer control and privacy are the company’s highest priorities, and these privacy concerns are overblown because, shucks, most people really like the OS:

Microsoft is committed to customer privacy and ensuring that customers have the information and tools they need to make informed decisions. We listened to feedback from our customers and evolved our approach to the upgrade process. Windows 10 continues to have the highest satisfaction of any version of Windows.

Granted that may say more about past interactions of Windows than of Windows 10. Even then, because people generally like the core OS experience Windows 10 offers doesn’t magically dismantle concerns that Microsoft still, more than a year after launch, isn’t actually listening to its customers when it comes to privacy and control.

Filed Under: privacy, windows 10
Companies: eff, microsoft

After Multi-Month Tone Deaf Shitshow, Microsoft Finally Lets Users Control Obnoxious Windows 10 Upgrade

from the lack-of-control dept

Wed, Jun 29th 2016 03:21am - Karl Bode

Microsoft’s decision to offer Windows 10 as a free upgrade to Windows 7 and Windows 8.1 made sense on its surface. It was a nice freebie for users happy to upgrade, and an effective way to herd customers on older Windows iterations onto the latest platform to help consolidate support expense. But Microsoft’s upgrade in practice has seen no shortage of criticism from users annoyed by a total lack of control over the update, and Microsoft’s violent tone deafness in response to the complaints.

For example a Reddit post from an anti-poaching organization made the rounds earlier this year after the 17 GB automatic Windows 10 update resulted in huge per megabyte charges from their satellite broadband ISP. Microsoft’s response to these complaints? Ignore them. As complaints grew, Microsoft finally provided a way to fully disable the forced upgrade, but made sure it involved forcing users to modify the registry, something Microsoft knew full well less technical users wouldn’t be comfortable attempting to hurdle.

But Microsoft made the problem worse in other ways, too. The Redmond giant also came under fire for upgrade popups that misleadingly shoved users toward the upgrade. For example, closing an update notification dialogue box by clicking “X” automatically began the update process, much like malware:

“Last week, Microsoft silently changed Get Windows 10 yet again. And this time, it has gone beyond the social engineering scheme that has been fooling people into inadvertently upgrading to Windows 10 for months. This time, it actually changed the behavior of the window that appears so that if you click the ‘Close’ window box, you are actually agreeing to the upgrade. Without you knowing what just happened.”

Things have been escalating ever since, often to comedic effect. But this week things changed somewhat with the news that Microsoft has struck a $10,000 settlement with a California woman who sued the company after an ill-timed Windows 10 upgrade brought her office computers to a crawl. The woman took Microsoft to court after support failed to help resolve the issue, a spokesman saying Microsoft halted its appeal of the ruling “to avoid the expense of further litigation.”

And while Microsoft was sure to avoid admitting error of any kind, the company this week announced it will finally give users actual control over the Windows 10 upgrade experience. A new notification window will let users update now, schedule the upgrade for a later date, or (gasp) decline the free offer entirely:

“Since we introduced a new upgrade experience for Windows 10, we’ve received feedback that some of our valued customers found it confusing,” admits Windows chief Terry Myerson, in a statement to The Verge. “We’ve been working hard to incorporate their feedback and this week, we’ll roll out a new upgrade experience with clear options to upgrade now, schedule a time, or decline the free offer.”

Aren’t you a bunch of sweethearts, actually listening to “valued customers” screaming for months about how you’re acting like a malware vendor! As of now, this is what the Windows 10 upgrade notification will look like:

And to think: it only took months of public kicking and screaming, a repeated, vicious beating in the media (even from historical supporters of the company) and this latest settlement for Microsoft to do the right thing. It’s particularly absurd given that (assuming you like operating systems that send uncontrollable chatter over the network) Windows 10 is generally well reviewed and liked by people. All Microsoft really had to do was offer the free upgrade, let the OS sell itself, then give consumers some control over the process and this entire absurd saga would have been avoided.

Filed Under: upgrade, windows 10
Companies: microsoft

Annoying Windows 10 Update Request Highlights Its Annoying-Ness On Live Weather Broadcast

from the ten-percent-chance-of-hilarious dept

Since its launch, Windows 10 has received its fair share of criticism, mostly revolving around the very valid privacy concerns that the megalithic company has chosen to shrug off as mere noise from the peanut gallery. Now, I have more than one machine at home, and I have upgraded some of them and have chosen not to upgrade others. Because of this, I am victim of Microsoft’s quite regular insistence that I upgrade everything I own to Windows 10, which presents itself in the form of a popup. This popup tells me that Microsoft thinks it knows what I should do better than I do and offers me two glorious options: upgrade to 10 immediately or schedule the upgrade to run at a different time in the future. Closing the popup satisfies it…for a while. Then it pops up again, because there’s no option to tell Microsoft to boil its new operating system in water and screw off.

But what’s a minor annoyance for me can be something altogether different for others. Say, for instance, a live newscast just trying to give its viewers the weather.

Yes, the annoyance that is this popup gets the spotlight treatment on live television, successfully sending the weather forecast askew as it interrupts the broadcast. Is it a funny little occurrence? You betcha. Does meteorologist Metinka Slater deal with the whole thing in stride? Mostly, I guess. But it’s the obviously planned lack of options Microsoft’s request presents that should piss people off here.

As always the annoying window offered two choices — ‘Upgrade now’, or ‘Start download, upgrade later’. Slater wisely chose neither option and switched to another video source instead.

The point is that Microsoft’s bull-headed attempt to push its latest operating system on the public wouldn’t be so blatant if it simply allowed people, including newsrooms, to shut it the hell up. But that truly is probably asking too much.

Filed Under: alert, metinka slater, update, weather, windows 10
Companies: microsoft

Microsoft 'Addresses' Windows 10 Privacy Concerns By Simply Not Mentioning Most Of Them

from the delightfully-invasive dept

Wed, Sep 30th 2015 08:27am - Karl Bode

Since launch, Windows 10 has seen no limit of criticism for violating user privacy. Some of these concerns have been legitimate — such as the fact that the OS keeps communicating with Microsoft when core new search services like Cortana have been disabled, or that users don’t seem to have complete, transparent control over what the operating system is doing. But other complaints seem to have been based on false rumors that Windows 10 is embedded with a nefarious “keylogger” that tracks everything you type and say or is reporting your BitTorrent activity to Hollywood middlemen.

So far, Microsoft’s been dead silent on these issues for months, which hasn’t done much to defuse the situation. This week, the company decided to finally comment on user concerns in a blog post and both consumer and enterprise privacy documents that address at least some user worries. Microsoft’s Terry Myerson starts by promising that Windows 10 user data is encrypted in transit, the company isn’t scanning your files or e-mails to blast you with ads, and any data collection Microsoft is engaged in is simply the company trying to develop a “delightful” OS experience:

“We aspire to deliver a delightful and personalized Windows experience to you, which benefits from knowing some things about you to customize your experience, such as knowing whether you are a Seattle Seahawks fan or Real Madrid fan, in order to give you updates on game scores or recommend apps you might enjoy — or remembering the common words you type in text messaging conversations to provide you convenient text completion suggestions.”

Microsoft also takes a few shots at Google in the entry:

“Unlike some other platforms, no matter what privacy options you choose, neither Windows 10 nor any other Microsoft software scans the content of your email or other communications, or your files, in order to deliver targeted advertising to you.”

The problem with Microsoft’s response is largely one of omission. Sure, the OS doesn’t scan your e-mail and files for ad purposes, but you’ll note the company doesn’t really mention the OS’s ingrained search and Cortana data being used for that purpose. Microsoft also doesn’t really address why users don’t really have control over telemetry (crash) data as in previous Windows versions (the enterprise version of Windows 10 allows crash telemetry data reports to be disabled entirely, while the mainstream Home and Pro versions of Windows don’t). Ars Technica probably puts it best:

“There’s nothing new here and nothing that’s likely to convince those concerned about Windows 10’s privacy. Two classes of data are excluded—communications (including e-mail and Skype) and file contents—but everything else appears to be fair game for ad targeting. So while Cortana can’t use your e-mail to tailor ads to your interests, it appears that she could use the appointments in your calendar to do so, for example.”

Microsoft also doesn’t really address concerns about Windows 10 just being annoyingly chatty, sending numerous reports back to the Redmond mothership even when the operating system is configured to be as quiet and private as possible. The core problem with Windows 10 remains that opt-out settings remain muddy and in some cases ineffective, and it’s not really clear how a lot of the OS-collected data is being used. Microsoft’s blog post fails to really address this, though the company at least promises to start elevating the privacy conversation to the level of security-related discourse.

Granted, there’s no shortage of people who will simply never trust the company no matter how much progress is made, justifiably citing decades of bad behavior as precedent. And while it’s lovely that Microsoft’s focused on crafting a “delightful” OS experience, the refusal to give Windows 10 users total, clear control over their OS still doesn’t reflect a company that now claims to be in the vanguard of consumer privacy issues.

Filed Under: privacy, windows 10
Companies: microsoft

DRM Still Breaking Games Nearly A Decade After Purchase

from the call-it-what-it-really-is:-gaping-security-holes dept

About a month ago, Microsoft’s Boris Schneider-Johne explained that — along with everything else Windows 10 was bringing to the party (privacy invasion, blocking of pirated software) — it would also be bricking certain paid-for software. Two early — and much-hated — forms of DRM just simply didn’t play nice with the new operating system: SecuROM and Safedisc.

“Everything that ran in Windows 7 should also run in Windows 10,” said Johne, “There are just two silly exceptions: antivirus software, and stuff that’s deeply embedded into the system needs updating—but the developers are on it already—and then there are old games on CD-ROM that have DRM. This DRM stuff is also deeply embedded in your system, and that’s where Windows 10 says, ‘Sorry, we cannot allow that, because that would be a possible loophole for computer viruses.’ That’s why there are a couple of games from 2003-2008 with SecuROM, etc. that simply don’t run without a no-CD patch or some such.”

This was great news for purchasers of these games, who had already been screwed once by the inclusion of DRM. Now, the DRM is considered a security flaw and their older games would no longer be playable on a computer running Windows 10. The purposefully-flawed software “protected” software companies from piracy (well, not really…) but left paying purchasers exposed.

The problem continues. As Microsoft seeks to seal more security holes, it’s patching up earlier versions of its OS. So, people using older operating systems — and playing even older games — are now going to find their purchased software similarly useless.

A recent security patch released this month, MS15-097 Vulnerabilities in Microsoft Graphics Component Could Allow Remote Code Execution, breaks computer games that rely on the DRM system Safedisc on Microsoft’s Windows Vista, Windows 7 and Windows 8 operating system.

Games that rely on Safedisc include the Age of Empires series, Battlefield 1942, Civilization 3, various Command and Conquer games or Microsoft Flight Simulator. These are all old games released more than 10 years ago but still playable on modern systems.

Microsoft has been so kind as to post a workaround that uses the Command Prompt to open/close the insecure driver to allow the games to be played. This workaround can also be applied permanently, but Microsoft recommends against this because it also re-opens the security hole permanently. And, once again, it’s the paying customers who no longer have access — or at least easy access — to their purchases.

Now, one could argue that the damage done here is minimal. The games are old and very few Windows users will still be playing them. But justifying DRM by claiming it only affects a small number of people is a pretty terrible argument. No one necessarily expects 10-year-old software to adapt flawlessly to new operating systems, but they don’t expect to be completely locked out of their purchases by security updates either.

It’s not like purchasers expect this sort of behavior from other products they’ve purchased. A fifty-year-old book can be read just as easily as one printed last week, no matter how much printing technology has advanced over the past five decades. A board game can still be enjoyed years after its purchase, no matter how much game manufacturers would like you to purchase their newer offerings. Software shouldn’t be an exception to the rule. But it is, thanks to DRM.

The fact that these two forms of DRM are considered vulnerabilities by the dominant operating system in the PC market says a lot about the software companies’ priorities. It’s a short-sighted viewpoint that only considers the first few weeks of sales. Anything these companies can do to protect those sales is considered excusable, even if it makes paying customers unhappy — either immediately after their purchase, or several years down the road.

Filed Under: drm, safedisc, securom, video games, windows 10
Companies: microsoft

Microsoft Retrofitting Windows 7, 8.1 With Windows 10's Privacy-Invading 'Features'

from the unavoidable-Redmond-umbilical dept

Wed, Sep 2nd 2015 05:58am - Karl Bode

Last week we noted that while Windows 10 has generally seen good reviews in terms of spit and polish, there’s growing concern that the OS is too nosy for its own good, and that the opt-out functionality in the OS doesn’t really work. Even when you’ve disabled a number of the nosier features (like Windows 10’s new digital assistant, Cortana), the OS ceaselessly and annoyingly opens an array of encrypted channels back to the Redmond mother ship that aren’t entirely under the user’s control.

Now some of the information being transmitted is purportedly harmless, and some of the problems appear to be overblown (like Windows 10 being banned from some BitTorrent trackers for fear of it reporting user piracy activity), but an operating system you can’t fully control is still undeniably stupid and annoying. And it’s a curious choice for a company intent on moving beyond the fractured Windows adoption of yesteryear and encouraging the lion’s share of Windows users to hop on to a new platform.

Making matters worse, Microsoft now seems intent on retro-fitting its older operating systems (specifically Windows 7 and Windows 8.1) with many of the annoying, chatty aspects of Windows 10. GHacks has noticed that four updates to the older operating systems, described as an “update for customer experience and diagnostic telemetry,” connect to vortex-win.data.microsoft.com and settings-win.data.microsoft.com. These addresses are hard-coded to bypass the hosts file, and ferry all manner of personal information back to Microsoft.

Fortunately, it appears that users in this instance can configure Windows firewall and routers to block the traffic, and users can avoid much of the snooping by opting out of the Customer Experience Improvement Program (CEIP):

“The concern with the new Diagnostic Tracking service is much the same as with Windows 10’s tracking: it’s not clear what’s being sent, and there are concerns that it can’t be readily controlled. The traffic to Microsoft’s servers is encrypted, sent over HTTPS, so it can’t be easily examined. While the knowledge based articles describing the new service list the DNS names of the servers that the service connects to, there are reports that the service ignores the system HOSTS file. As such, a traditional and simple method for redirecting the traffic doesn’t work.

However, we’re not sure just how big an impediment this is in practice; in our testing of Windows 8, the builtin Windows Firewall, for example, is more than capable of blocking the traffic, and this appears to be working entirely as it should. Disabling the service is also effective for those who don’t trust its behavior.”
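The firewall-and-service approach described in the quote above, sketched as an added example that is not from the original article, Ars Technica or Microsoft. It assumes an elevated PowerShell prompt; the rule name is a made-up label, and `DiagTrack` is assumed to be the service name of the Diagnostic Tracking service on the system (confirm with `Get-Service`).

```powershell
# Added example. Hostnames are the two named in the article.
$telemetryHosts = 'vortex-win.data.microsoft.com', 'settings-win.data.microsoft.com'
$ruleName       = 'BlockDiagTelemetryExample'   # hypothetical label, no spaces

# Windows Firewall rules match IP addresses, not DNS names, so resolve first.
# A hosts-file override is not relied on here, since the service reportedly ignores it.
$addresses = foreach ($name in $telemetryHosts) {
    try {
        [System.Net.Dns]::GetHostAddresses($name) |
            Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
            ForEach-Object { $_.IPAddressToString }
    } catch {
        Write-Warning "Could not resolve ${name}: $($_.Exception.Message)"
    }
}
$addresses = @($addresses | Sort-Object -Unique)
if ($addresses.Count -eq 0) { throw 'No addresses resolved; no rule created.' }
$remoteIp = $addresses -join ','

# Replace any earlier copy of the rule so stale addresses do not accumulate.
netsh advfirewall firewall delete rule name=$ruleName | Out-Null
netsh advfirewall firewall add rule name=$ruleName dir=out action=block `
    protocol=TCP remoteport=443 remoteip=$remoteIp
if ($LASTEXITCODE -ne 0) { throw 'netsh failed to add the rule.' }

# Stop and disable the Diagnostic Tracking service, if this system has it.
$svc = Get-Service -Name 'DiagTrack' -ErrorAction SilentlyContinue
if ($svc) {
    Stop-Service -Name 'DiagTrack' -Force
    Set-Service  -Name 'DiagTrack' -StartupType Disabled
}

# Print the rule so the block can be confirmed.
netsh advfirewall firewall show rule name=$ruleName
```

The rule pins whatever IPv4 addresses the names resolve to at run time, so it goes stale when those records change and the script needs re-running; IPv6 addresses are not covered by this version.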

Still, it’s annoying that Microsoft continues to insist on expanding this kind of OS behavior, without making opting out simple and comprehensive. And it certainly doesn’t deflate arguments by folks like Richard Stallman, who consistently argue that Windows is effectively malware. More than anything though, it’s a continued advertisement for Linux and operating systems that the end user actually has some degree of control over.

Filed Under: privacy, windows, windows 10, windows 7, windows 8
Companies: microsoft