Plus ça change...Microsoft proves, once again, that they refuse to learn from past mistakes

I had to shake my head at this report from betanews:

Windows 7 may be an aging operating system, but there are still plenty of individuals and organizations using it. With the end of support date of January 14 fast-approaching, Microsoft is getting twitchy and is eager for everyone to upgrade to Windows 10.

Having already started to notify Windows 7 hangers on that support is due to come to an end, the company is now ready to get a little more aggressive. If you haven't moved on from Windows 7, soon you will see full-screen notifications warning you that "your Windows 7 PC is out of support".

The messages are due to be displayed from the day after support ends. So when January 15 rolls around, anyone who has doggedly stuck with Windows 7 will find that they not only have no support and no security updates, but also that they are pestered by an invasive message delivered by a program called EOSnotify.exe.

[...]

The good news is that it will be possible to dismiss the message and opt to never see it again.

Where do I even start with this shit?

WX 1809 update negligence gets worse

So, do you remember that "bug" in the 1809 update, that finally prompted Microsoft to pull it yesterday? Well, here's the thing about that... funny story... it's not new. As reported by ZDNet:

As ZDNet reported yesterday, the Windows 10 October 2018 version 1809 upgrade hasn't gone well for a bunch of users who lost documents and photos after updating.

What's worse, it appears that Microsoft may have let this bug slip through testing with Windows Insiders during the preview of Windows 10 version 1809.

As noted by MSPoweruser, Windows insiders hit the exact same snag during Microsoft's preview phase of the Windows 10 version 1809 when updating from version 1803.

For some unknown reason, moving up to Windows 10 version 1809 may delete all the files in user folders. The folders remain, but the files within them are gone, leaving users in potentially a worse pickle than ransomware victims experience.

WX's spring update was delayed from its originally planned April launch into May by an unspecified-but-serious issue, but Microsoft never did say what the issue was. Apparently this was the issue, and it's certainly enough of an issue to have justified the delay of the 1803 update's rollout. The fact that WX still has this issue, though, and that Microsoft didn't think it important enough to delay the 1809 update's rollout, elevates this from incompetence to malice. It's simply mind-blowing.

And the only defense against this happening to you, both with this update and with and and all future updates, is Microsoft's OneDrive cloud storage service, which is not free if you need to back up more than 50GB of data. It's as if Microsoft is engaged in a low-key shakedown of the entire WX user base. Holy ransomware, Batman! Except this ransomware is your OS, and thus can't be avoided.

I've said it before, I'll say it again, and I'm not alone in saying it: I don't care if it comes from Microsoft, Windows 10 is malware.

This is why I ad-block...

...and why I'm not relying on Google's built-in ad-blocker, which (naturally) won't block ads served by their own sites.

ArsTechnica reported on this first, but Gizmodo has a really good article about the problem:

As Ars Technica first reported on Friday, users on social media started complaining earlier this week that YouTube ads were triggering their anti-virus software. Specifically, the software was recognizing a script from a service called CoinHive. The script was originally released as a sort of altruistic idea that would allow sites to make a little extra income by putting a visitor’s CPU processing power to use by mining a cryptocurrency called Monero. This could be used ethically as long as a site notifies its visitors of what’s happening and doesn’t get so greedy with the CPU usage that it crashes a visitor’s computer. In the case of YouTube’s ads running the script, they were reportedly using up to 80 percent of the CPU and neither YouTube nor the user were told what was happening.

[...]

Gizmodo reached out to YouTube for comment on Trend Micro’s claims, and a spokesperson acknowledged the problem:

Mining cryptocurrency through ads is a relatively new form of abuse that violates our policies and one that we’ve been monitoring actively. We enforce our policies through a multi-layered detection system across our platforms which we update as new threats emerge. In this case, the ads were blocked in less than two hours and the malicious actors were quickly removed from our platforms.

The part of the statement about the ads being blocked in less than two hours doesn’t align with Trend Micro’s assessment that the ad campaign has been a problem for at least a week. When we asked YouTube about this discrepancy, a spokesperson declined to comment any further.

But a source with direct knowledge of YouTube’s handling of the situation told Gizmodo that the two-hour measurement was just being applied to each individual ad run by the hackers, not the ads en masse. YouTube approves a clean ad submitted by a clean account set up by the hijacker. When the ad goes live, the attackers use various cloaking methods to subvert YouTube’s system and swap the ad with one that includes the malicious script. A couple hours later, the ad is detected, taken down, and the user who submitted it gets their account deleted. Wash. Rinse. Repeat.

I was actually going to give Chrome another try, in part to see how its newly upgraded ad-blocking feature stacked up against uBlock and AdBlocker, but I think I'll be holding off for a while longer. Forget the desirability of the thing, when even sites like YouTube, run by companies as large as Google, are delivering ads loaded with malware, it simply isn't safe to let ads of any kind run in your browser window.

Of course, the more that I become accustomed to ad-free internet, the harder it becomes to ever turn the ads back on. I don't know what sort of an experience Chrome's built-in ad-blocker delivers, but the fact that users like me aren't less and less interested in even trying it anymore, thanks to egregious abuses like cryptojacking, probably spells real trouble for the advertising industry.

And then, of course, there's the problem that advertising doesn't even work anymore:

Sorry, advertisers. It's too bad that you all didn't decide to behave sensibly and ethically, before we developed the ability to simply shut you out completely. Now you have to come up with an ad that can go viral as a stand-alone piece of content, which ad-blocking users will choose to watch, and which still doesn't sell the product it's supposed to be flogging. That Vitamin Water ad may well have introduced the world to Feel It Still, but I it's probably done more for "Portugal. The Man" than it did for Vitamin Water sales, and how much did it cost to hire Aaron Paul for that thing? GG.

What does this mean for the internet that we're used to, filled as it is with "free" content from sites that can only keep operating if they're supported with ad revenue? Honestly, I have no idea. I suspect, though, that we're only a few years away from finding out.

Windows XP not only didn't spread WannaCry - it couldn't

It turns out that most of the WannaCry story that everybody thought they knew is actually wrong, and Microsoft's motives for patching Windows XP to defend against the malware attack may be even murkier than was previously reported.

From Computerworld:

Rather than take aim at Windows XP, WannaCry targeted Windows 7 and Windows Server 2008, Kaspersky's data showed. [...]

The reason for XP's absence from the WannaCry count was simple. "WannaCry itself did not support Windows XP," [Costin Raiu, director of Kaspersky Lab's global research and analysis team] said, noting that the exploit neither focused on XP or reliably worked on the 2001 operating system. Individual machines could be infected -- the researchers and testers who put WannaCry on Windows XP systems likely ran it manually -- but the worm-like attack code would not spread from an XP PC, and in some cases, executing the exploit crashed the computer.

That put Microsoft's decision to issue a security patch for Windows XP in a different light. [...] Computerworld, like many other publications, assumed Microsoft released patches for Windows XP and Server 2003 because it believed older -- and unprotected -- systems were instrumental in spreading WannaCry.

Raiu thought different. "I think Microsoft was worried about the possibility of someone leveraging this exploit," Raiu argued. "Their fear was that it could be theoretically possible to repurpose the exploit to attack Windows XP."

It wasn't a surprise that WannaCry's backers had primarily pointed the attack at Windows 7. "They focused on the most-widespread platform," said Raiu.

According to analytics vendor Net Applications, approximately 53% of all Windows personal computer ran Windows 7 last month. That was nearly double the share of the newer Windows 10, which clocked in at 29%, and more than eight times that of Windows XP's 8%. Cyber criminals typically aim attacks at the most popular operating systems and versions within each OS, a logical practice when profit is paramount. That's especially true of extortion rackets like WannaCry's payload, which encrypts files and then demands a ransom payment to decrypt those hijacked files.

It's hard to say whether this makes Microsoft's decision to shake down Windows XP customers for more "custom" support contracts before finally patching the vulnerability for free look slightly less shitty, or even more so. After all, if WannaCry couldn't even affect machines running Windows XP in its extant form, then Microsoft were essentially shaking down customers like the UK hospital system for "protection" against a threat that actually posed more of a threat to their Windows 7/Server 2008 machines than it did to their Windows XP/Server 2003 PCs. The fact that less harm may have resulted from the delay than was previously believed mitigates the shittiness somewhat... but only somewhat.

Microsoft apologists used headlines that blamed Windows XP for the spread of the malware to blame the victims, telling them to just switch to Windows 10, already, and the same apologists are predictably using this latest news to argue that Windows 7 users should do the same. It's an argument that conveniently ignores the simple fact that Windows 10 was no more the target of WannaCry than Windows XP was, for the simple reason that big, rich corporations and other large institutions haven't yet adopted the latest iteration of Microsoft's OS. Whether the WannaCry outbreak will drive people towards Windows 10 or not, remains to be seen; with most of the early headlines blaming XP for the outbreak, many Windows 7 users may already have lost interest, especially since Windows 7 has already been patched to defend against the WannaCry exploit.

Microsoft finally reveal what data they're collecting with Windows 10.

From the "It's about fucking time" file: Microsoft, openly admitting that they're feeling the heat on privacy issues, especially in the EU, have finally let us know what data they're collecting via Windows 10's telemetry system... and, presumably, via Windows 7's and 8's telemetry systems as well, since telemetry was retconned into to both older operating systems late last year.

As you might expect, there's lots of coverage on this one; the announcement itself is here, and well worth reading if you want all the details on Microsoft's revamped data collection policies. Important as the details of the policy itself are, though, the reaction that Microsoft are getting with this disclosure may well be just as important, if not more important, to the future of Windows 10 and Microsoft as a whole.

Microsoft's announcement is a little dry, though, and Tom's Hardware has a pretty good summary of the changes:

Privacy concerns have plagued Windows 10 for a while. Microsoft previously encouraged you to share information when you got started with the operating system, and when the Anniversary Update debuted in August 2016, it removed the ability to easily disable the Cortana virtual assistant. You could still control what it could access--ranging from your emails and installed apps to your speech and location data--but not turn it off.

That problem remains in the Creators Update. Now, though, Microsoft requires you to set each individual setting before you get started, which means its data collection should come as less of a surprise, and the company has worked to reduce the amount of information it collects. These reductions are particularly noticeable in regard to diagnostic info, as Windows and Devices Group EVP Terry Myerson explained in the blog post:

Aside from sharing new information to inform your choices, our teams have also worked diligently since the Anniversary Update to re-assess what data is strictly necessary at the Basic level to keep Windows 10 devices up to date and secure. We looked closely at how we use this diagnostic data and strengthened our commitment to minimize data collection at the Basic level. As a result, we have reduced the number of events collected and reduced, by about half, the volume of data we collect at the Basic level.

[...] The Creators Update will also make it easier to figure out what each setting does. Why does Microsoft want you to provide your location, enable speech recognition, and let it use your data to offer "tailored experiences" and targeted ads? Right now that isn't clear, but this update will offer more details about each item and provide a "Learn more" link that lets you get even more information about how the settings affect your privacy.

This is the kind of transparency that users have been asking for ever since Windows 10 rolled out nearly a year and a half ago. If Microsoft had been willing to tell people what data they were collecting, why they were collecting it, where they were sending it, when they were sharing it, and who they were sharing it with, back before the GWX campaign descended into the depths of deceit and coercion that saw Microsoft installing Windows 10 on PCs whose users had clearly declined... well, it might have been enough.

Now, though? With Windows 7 at nearly 50% of the PC OS market, and growing in popularity, I think it's safe to say that the relationship of trust that would leave users disposed to believe Microsoft's claim here, i.e. that basic data collection was necessary to Windows 10's maintenance, has been largely eroded, especially with those users who are dug in with Windows 7 and not planning to upgrade anytime soon, if ever. Especially since data collection isn't actually necessary to maintaining a PC's OS. As PC Gamer put it:

Savvy users would disagree that a system can't be secure without sending usage data back to Microsoft. In that regard, today's announcement isn't going to wash away the waves of criticism Microsoft faces over privacy, but at least the company is being much more transparent.

It doesn't help that Microsoft are doing this only after EU regulators demanded it, either. From TechRadar:

As you may be aware, with the Creators Update, Microsoft has already made some big changes to Windows 10’s installation process, highlighting privacy settings more clearly, and giving the user simple sliders to turn off elements such as usage of location data or targeted ads.

[...] Despite this move, back in February, EU data protection bigwigs told Microsoft it still wasn’t doing enough with privacy, and that the company needed to clearly explain what kinds of personal data are processed, and to what end.

And this blog post is a direct reaction to that demand, as Myerson notes: “This feedback – in line with the feedback we have received from the European Union’s Article 29 Working Party and national data protection authorities that have specifically engaged us on Windows 10 – was essential for Microsoft to identify and implement improvements in our privacy practices.”

In short, Microsoft didn't do this because users demanded it; if users' feedback was the critical ingredient here, these changes would have happened at least as early as the Anniversary Update, if not sooner. No, Microsoft did this because EU regulators forced them to. Kudos to them for finally making these obviously necessary changes, but this isn't some sort of principled stance on users' privacy; if it was, Microsoft would be allowing users to turn the data collection off completely.

Or, as Computerworld puts it:

"The Windows 10 Creators Update is a significant step forward, but by no means the end of our journey.” [Microsoft’s Windows and Devices Group Privacy Officer Marisa] Rogers added, “In future updates, we will continue to refine our approach and implement your feedback about data collection and privacy controls.”

Hey, Microsoft, how about an option for “none” when it comes to data collection?

Of course, users willing to install a third-party program like SpyBot's Anti-Beacon can turn the data collection off completely, but third-party solutions shouldn't be necessary here; your PC's operating system should not behave like malware, or require anti-malware to keep it in check.

I don't know whether these changes will be enough to kick-start Windows 10's stalled growth; these privacy changes are definitely the most-requested and most impactful changes in the Creators Update. I suspect that Windows 7's "dug in" user base isn't going to be won over by this belated ¾-measure; until Microsoft give users the option to turn off data collection entirely, I suspect that Windows 10 will stay stagnant, while Windows 7 continues to thrive. If that's so, then it's possible that Microsoft will still find their way to Jesus, so to speak, on the Windows 10 issues that users have been most vocal about.

Microsoft to put even more ads in Windows 10’s Start menu

You know, when I started this blog, I really was intending to blog about things other than Microsoft, and how they're being such incredible jerks about everything surrounding their new OS. Hell, there was a moment when I was even looking forward to Windows 10; when my planned summer project was switching to MS's new OS, and not turning my Windows 7 rig into a dual-boot Linux/SteamOS system.

But that was then, and in the now, the hits just keep coming:

Microsoft is planning to put even more ads inside Windows 10’s Start menu in its upcoming Anniversary Update. There won’t just be an extra one or two; the software giant plants to double the current number from five to ten.

Start menu ads are typically promoted tiles for apps and games available from the Windows Store, and according to The Verge, they mostly appear on new PCs to encourage new users to check out the titles available in the Store.

[...]

Microsoft confirmed it was doubling the number of ads at the WinHEC conference, where it also announced fingerprint scanner support is coming to Windows 10 Mobile. The company did not provide a reason for the move, but it’s likely to boost Windows Store downloads.

Of course it's to boost Windows Store downloads. Windows Store is a major focus of Windows 10's Universal Windows Platform, after all. Apparently, nothing else matters, including users' privacy, or their continued trust and good will. We will upgrade whether we like it or not, and we will download from the Windows Store after "upgrading," because UWP will ensure that we don't have any other options. At least, that seems to be Microsoft's plan.

It seems to me like it's just about time for Microsoft to face another antitrust action, and maybe more EU regulatory action, also.