"Even when told not to, Windows 10 just can’t stop talking about how great Microsoft is"


  • area_can

    For example, even with Cortana and searching the Web from the Start menu disabled, opening Start and typing will send a request to www.bing.com to request a file called threshold.appcache which appears to contain some Cortana information, even though Cortana is disabled. The request for this file appears to contain a random machine ID that persists across reboots.

    Hmm...that's kind of fishy...

    Windows 10 will periodically send data to a Microsoft server named ssw.live.com. This server seems to be used for OneDrive and some other Microsoft services. Windows 10 seems to transmit information to the server even when OneDrive is disabled and logins are using a local account that isn't connected to a Microsoft Account. The exact nature of the information being sent isn't clear—it appears to be referencing telemetry settings—and again, it's not clear why any data is being sent at all. We disabled telemetry on our test machine using group policies.

    Uh...

    And finally, some traffic seems quite impenetrable. We configured our test virtual machine to use an HTTP and HTTPS proxy (both as a user-level proxy and a system-wide proxy) so that we could more easily monitor its traffic, but Windows 10 seems to make requests to a content delivery network that bypass the proxy.

    :wtf:

    I'll just quote the comments on the article:

    Here's hoping that the good folks at Microsoft will address these bugs, soon.



  • Hey, Hanlon's razor! (never attribute to malice...)


  • Grade A Premium Asshole

    INB4 blakeyrant about how everyone else does it and people only bitch when Microsoft does it. Blah, blah, blah, Mac Classic.


  • Banned

    @anonymous234 said:

    Hey, Hanlon's razor! (never attribute to malice...)

    That can't be adequately explained by stupidity.



  • @anonymous234 said:

    Hey, Hanlon's razor! (never attribute to malice...)

    I'd say that malace may be warranted. Here's a related article:

    And a relevant quote, talking about the changes to Error reporting and the Customer Experience Improvement Program in Windows 10:

    Windows 10, however, shakes this up. Instead of two separate systems—one for error reporting, a second for collecting usage data—**both have been rolled into one combined setting.** This setting has four positions: off; basic error reporting and simple device capability reporting; enhanced diagnostic tracking that extends the basic information with more detailed error reporting, and usage telemetry; and full data, that adds process memory snapshots to the enhanced data. This means that there's no way to participate in error reporting without also participating in usage tracking, and vice versa.

    Further, the "off" option is only available in Windows 10 Enterprise. The common home user versions of Windows, Windows 10 Home and Windows 10 Pro, always collect (and report) at least "Basic" level information and no way to turn off the feature entirely.

    While not definitive evidence that the communications referred to in the article linked by @bb36e are because of malice, there is enough here to at least lend credence to the thought.


  • Fake News


  • area_can

    Argh! My first Hanzo!


  • Fake News

    Have a "My first Hanzo" plushie:



  • @abarker said:

    Further, the "off" option is only available in Windows 10 Enterprise. The common home user versions of Windows, Windows 10 Home and Windows 10 Pro, always collect (and report) at least "Basic" level information and no way to turn off the feature entirely.

    OK that is fucked up.

    I'm sure you can block it with the firewall though.


  • Discourse touched me in a no-no place

    @Gaska said:

    That can't be adequately explained by stupidity.

    Advanced stupidity is sometimes indistinguishable from malice.


  • Banned

    In my next game, I'm putting Stupidity stat instead of Intelligence.


  • Discourse touched me in a no-no place

    The original Fallout game had something like that, dialog options that were only available (and only revealed) to very low INT players.



  • @anonymous234 said:

    I'm sure you can block it with the firewall though.

    @bb36e said:

    Windows 10 seems to make requests to a content delivery network that bypass the proxy.

    Wonder if that firewall will monitor the ports for this traffic specifically to let it through?

    3rd party firewall might be the safest.

    If it turns out MS purposefully attempts to circumvent a 3rd party firewall, then you have a legal case.



  • I wish the game gave distinct acute advantages for low stats. Nothing to compensate for the low stat, it's still overall a drawback. But acute advantages that would compensate 10% of the loss, only for entertaining purposes.

    For example, low intelligence leaves you resistant to mind control.

    The scare perk is automatically available if you have law CHA instead of high Speech.

    Low strength gives bonuses to your companions.



  • @Gaska said:

    In my next game, I'm putting Stupidity stat instead of Intelligence.

    [url=http://rpg.starwreck.com/star_wreck_RPG.pdf]Already been done[/url] (see page 8).



  • I liked this one


  • Discourse touched me in a no-no place

    @xaade said:

    Low strength gives bonuses to your companions.

    Low strength usually correlates with playing a DPS class. A squishy-squishy glass-cannon DPS class. It's common as anything.



  • It actually makes you do more melee damage.



  • I think the point was that low strength correlates to a magic-using, damage dealing class.

    The key was "Glass Cannon". A Cannon can do major amounts of damage, but if it's made of glass, it would be easily broken. This is similar to modern artillery- it can do amazing amounts of damage, eliminating all life within a particular grid square (a 1 square kilometer area), but would not hold up well against direct assault.

    In gaming terms, this is generally a "Wizard" type role- they wear robes or silk instead of armor, and cast offensive spells at range. They generally have the lowest defense of any roles. If they are getting hit at all, they are expected to die. Depending on the game, dump stats (IE, things that are useless) would be Strength, Dexterity, and Agility. Sure, those stats might make it so you can last 2 attacks instead of 1- but if you're getting attacked at all, the whole party is probably dead.

    It's not dissimilar to an archer- Great in ranged combat, crap in melee. Typically, it's even better offense, and even worse in defense.

    YMMV, depending on the game you play.



  • @cdosrun1 said:

    In gaming terms, this is generally a "Wizard" type role- they wear robes or silk instead of armor, and cast offensive spells at range. They generally have the lowest defense of any roles.

    I'm wearing Jatoro's robes. I'm holding Mathilde's staff My attacks heal me. My condition damage heals me. My wells heal me. My flesh golem heals me. I effectively have two health bars. I even have a passive that applies a healing effect to anyone that attacks my target.

    Something tells me that cloth-wearing magic user ≠ glass cannon.


  • Discourse touched me in a no-no place

    @cdosrun1 said:

    Sure, those stats might make it so you can last 2 attacks instead of 1- but if you're getting attacked at all, the whole party is probably dead.

    Or the other side has an attacker using the Blitzer strategy: smash through the front line fast and attack the weak support classes. That sort of thing can make fights “interesting”…



  • someone tried to block it by editing hosts and pointing all the urls win10 talks to (there was a list of about 30 of them?) to localhost. claimed it cause the system to start throwing error messages about some services crashing and such


  • Grade A Premium Asshole

    @ben_lubar said:

    My flesh golem

    :giggity:



  • Yeah but you're only like 4' tall, so it's gonna be hard to intimidate those Charr motherfuckers fucking with you.

    If you need to intimidate and are super-small, you gotta get the crazy-eyes, man.


  • Discourse touched me in a no-no place

    @ben_lubar said:

    Something tells me that cloth-wearing magic user ≠ glass cannon.

    Something tells me your anecdote doesn't invalidate the general property.


  • Discourse touched me in a no-no place

    @sh_code said:

    editing hosts and pointing all the urls win10 talks to (there was a list of about 30 of them?) to localhost.

    In the past I believe MS warded against that by using IPs.


  • Java Dev

    @ben_lubar said:

    Something tells me that cloth-wearing magic user ≠ glass cannon.

    Glass cannon builds are a type of DPS build. They're not the only type. For example, melee DPS tends to be better armoured as well, and in general PvE-oriented characters can get away with glass cannon more easily than PvP-oriented characters can.



  • @ben_lubar said:

    Something tells me that cloth-wearing magic user ≠ glass cannon.

    Correct, if you were intending to post an example of a Glass Cannon, you chose poorly. It appears that your build actually has significant defensive options and abilities- a Glass Cannon would have a low defense, focusing purely on offense.

    It also appears that you fell into a logical fallacy known as reasoning from the specific to the general. Saying that Glass Cannons are generally robe wearing magic users does not mean that all robe wearing magic users are Glass Cannons, in the same way that saying All Roses are Flowers doesn't mean All Flowers are Roses.

    Lastly, I know that you're a native lobjam speaker, but in US English, terms such as "generally" and "often" mean that the statement may not be true in every case. This allows you to make a statement that applies to the majority of examples, without having to be true in every case.

    For example "I generally eat dinner" would not be disproved by me not eating dinner on only one day.



  • Back to topic

    And finally, some traffic seems quite impenetrable. We configured our test virtual machine to use an HTTP and HTTPS proxy (both as a user-level proxy and a system-wide proxy) so that we could more easily monitor its traffic, but Windows 10 seems to make requests to a content delivery network that bypass the proxy.

    This is stupid. First, who does a security audit (or any network related audit) using a proxy? You use ncap or wireshark. Second, if Microsoft is really skipping the proxy configuration and the system is in a real proxy environment, how the hell do they expect their requests to get out of the network?



  • @Eldelshell said:

    Second, if Microsoft is really skipping the proxy configuration and the system is in a real proxy environment, how the hell do they expect their requests to get out of the network?
    The system is not in a real proxy environment; as should be obvious, they were using Fiddler, and although they told WinINET (basically IE and some OS components) to route their traffic through it, there was no mechanism to enforce that.


  • Notification Spam Recipient

    +1 this. Chrome regularly disregards the system proxy AND user proxy (And its own command-line specified proxy settings).
    Just because you told it to use a proxy by some app, doesn't mean all apps (yes, even System apps) need to follow it.



  • How do you expect them to read HTTPS transactions if they don't use a proxy that disallows encryption?


  • Notification Spam Recipient

    Passthrough proxy? I read up that the proxy decrypts it, then re-encrypts it with a fake key (that you then trust on the client machine).



  • So Microsoft aren't checking to see if it's a valid certificate?


  • Notification Spam Recipient

    Most programs don't do much more than check "does the cert have the right domain and usage flags, and does the operating system trust the cert path?"
    Technically it is still a valid certificate, just one made up by your own authority.



  • @Eldelshell said:

    Second, if Microsoft is really skipping the proxy configuration and the system is in a real proxy environment, how the hell do they expect their requests to get out of the network?

    They have form for this. Windows Update didn't work via any kind of proxy for a very long time, and it still doesn't work via proxies with mandatory user authentication AFAIK. MS's official position on this is NOTABUG WONTFIX because WSUS exists.


  • Discourse touched me in a no-no place

    @flabdablet said:

    Windows Update didn't work via any kind of proxy for a very long time

    Wasn't there a point where they were using TFTP/UDP for certain downloads? I remember because they'd belgium­ed up the computation of the MTU (my ISP needed it to be slightly smaller than the default for some reason) and it was failing to download updates that the software said it needed. If they'd been using a TCP-based protocol it wouldn't have mattered; the persistent connection allows negotiation of this thing to work reliably.

    Or at least I hope that was what was going wrong. Anything else would have been much crazier.

    My point was that they were not using normal HTTP or FTP, so proxies might well ignore it (or block it, depending on competence of networking staff).



  • Never seen that. The only versions of Windows Update I've ever tangled with have run on top of BITS, and as far as I know BITS runs over HTTP.


  • Discourse touched me in a no-no place

    @flabdablet said:

    Never seen that.

    It might've been a G4WL update. I just know that it would hang and (eventually) fail over and over until I searched online, found that an MTU shrink would fix it, applied that change, and then had everything Just Work immediately. I remember the :wtf: moment, but not the exact product. 😄



  • @dkf said:

    It might've been a G4WL update.

    Yes, Games for Windows Live was a horrible broken piece of shit. (As was every Microsoft product with "Live" in the name from about 2010 on. Which is why they all no longer exist.)

    That has nothing to do with Windows Update. Which uses BITS. Which runs over HTTP.



  • Windows is. And it's valid; it was issued by "FIDDLER_DO_NOT_TRUST", an automatically-generated trusted root certificate that gets installed (with a prompt) when you install Fiddler.

    Does it check to see if the certificate it got is specifically the certificate it expected? No, it does not; only Google and Firefox do that, and then only for sites on a tiny, tiny list.



  • I honestly don't know, but when did Windows Live Writer or whatever that thing that some bloggers seem to like come out? I've heard that one was actually a good product.



  • I never had any complaints about G4WL. It allowed me to use one account for both Xbox and computer games and communicate with Xbox friends while playing a computer game. It seemed to work just fine for me. HOWEVER, I at first only had it on Halo 2 for Vista, as in the very very special project it was designed to work perfectly with. Now the other games I have that use it, it just seems to login, and then be completely out of the way



  • Oh yeah. Live Writer was ok. So was Live Sync. Live Messenger was ok in the 2009 version, but every version newer than that was shit.



  • @TwelveBaud said:

    it was issued by "FIDDLER_DO_NOT_TRUST", an automatically-generated trusted root certificate

    :wtf:


  • Notification Spam Recipient

    Yes. Computers don't interpret the authority.
    It could reasonably be named something like "We Are Haxors G1v3 U5 M0N13S!!!" and it wouldn't care.



  • @TwelveBaud said:

    No, it does not; only Google and Firefox do that, and then only for sites on a tiny, tiny list.

    Visual Studio apparantly also does it.
    So there's precedent for Microsoft doing it in other products as well.


Log in to reply