February 16, 2016

Worried that Windows 10 is ‘spying’ on you? Here’s how to take back control

There is no evidence to suggest that Windows 10 is “spying” on you, but if network analysis of the telemetry data isn’t enough to put your mind at ease, here are a couple of tools that may help.

 

I love the X-Files, and I enjoy a conspiracy theory as much as the other guy, but there needs to be evidence, and I’ve seen far more compelling evidence for the existence of Bigfoot, the Roswell crash, or the Lost City of Atlantis than I have for the allegation that Microsoft is using Windows 10 to spy on users.

And believe you me, I’ve spent countless hours searching for a smoking gun, with no success. Like my ZDNet colleague Simon Bisson, all I found was innocuous telemetry data.

This is why I’ve put the word “spying” in quotation marks in the title, and I’m only using this word because this is the word most commonly used by those concerned by this issue.

If you ask me whether I’m worried about using Windows 10, my answer would be “no.” I have dozens of Windows 10 installations here and I’m not in the least bit worried.

But despite such reassurances, there are a lot of people who are concerned by this, and the fact that Microsoft isn’t willing to give concerned users an official way to opt out from data collection (which I think is a bad idea) is adding fuel to the flames. After all, as Bisson pointed out, we live in “justifiably paranoid times,” where governments and social media sites are slurping up user data.

What’s wrong with a little protection?

If you are worried about Windows 10 privacy, I suggest that you take matters into your own hands and install a tool that allows you to shut down all the different ways that your PC is communicating with Microsoft. Be aware though that doing this will result in some features no longer being available, since a number of Windows 10 features rely on having a connection to the cloud.

Be careful though. I’ve come across a number of “Windows 10 privacy tools” from unknown sources that do who knows what. Some tools actively display ads, and one even installs a third-party tool that displays ads in other applications. Talk about taking what is a non-issue and blowing it up into a real problem! No self-respecting privacy tool should install adware onto a system. Period.

I’ve tried a number of Windows 10 privacy tools and boiled them down to two.

The first is Spybot Anti-Beacon. This is a one-click solution (along with an undo button in case things don’t go as you planned) from a known developer that’s been in the privacy business since 2000.


Another tool that I like is O&O Shut Up 10. This one is particularly useful if you have multiple PCs because it doesn’t need to be installed and can be run from a USB flash drive. O&O also offers a good explanation as to why Windows 10 needs to be able to communicate with the cloud.


“As an example, Windows 10 can remind you to set off to the airport 30 minutes earlier due to traffic en route. In order to deliver this information to you, however, Windows 10 has to access your calendar entries, your mails (i.e. the airline confirmation email), your location and it has to have access to the internet to get traffic news.”

I’ve tested both of these tools on a variety of systems and both utilities seem to do what they say on the tin, and nothing more.

If nothing else, they put you in charge of what happens to your data. If something stops working (or you break something) as a result of using these tools, well, that probably explains why Microsoft doesn’t want you to have this sort of granular control over communications to and from your PC.

And if you’re still worried, then fire up your PC, install Wireshark, and examine the packets yourself.


July 27, 2013

How Microsoft handed the NSA access to encrypted messages

 

• Secret files show scale of Silicon Valley co-operation on Prism
• Outlook.com encryption unlocked even before official launch
• Skype worked to enable Prism collection of video calls
• Company says it is legally compelled to comply

 
 

Skype worked with intelligence agencies last year to allow Prism to collect video and audio conversations. Photograph: Patrick Sinkel/AP

Microsoft has collaborated closely with US intelligence services to allow users’ communications to be intercepted, including helping the National Security Agency to circumvent the company’s own encryption, according to top-secret documents obtained by the Guardian.

The files provided by Edward Snowden illustrate the scale of co-operation between Silicon Valley and the intelligence agencies over the last three years. They also shed new light on the workings of the top-secret Prism program, which was disclosed by the Guardian and the Washington Post last month.

The documents show that:

• Microsoft helped the NSA to circumvent its encryption to address concerns that the agency would be unable to intercept web chats on the new Outlook.com portal;

• The agency already had pre-encryption stage access to email on Outlook.com, including Hotmail;

• The company worked with the FBI this year to allow the NSA easier access via Prism to its cloud storage service SkyDrive, which now has more than 250 million users worldwide;

• Microsoft also worked with the FBI’s Data Intercept Unit to “understand” potential issues with a feature in Outlook.com that allows users to create email aliases;

• In July last year, nine months after Microsoft bought Skype, the NSA boasted that a new capability had tripled the amount of Skype video calls being collected through Prism;

• Material collected through Prism is routinely shared with the FBI and CIA, with one NSA document describing the program as a “team sport”.

The latest NSA revelations further expose the tensions between Silicon Valley and the Obama administration. All the major tech firms are lobbying the government to allow them to disclose more fully the extent and nature of their co-operation with the NSA to meet their customers’ privacy concerns. Privately, tech executives are at pains to distance themselves from claims of collaboration and teamwork given by the NSA documents, and insist the process is driven by legal compulsion.

In a statement, Microsoft said: “When we upgrade or update products we aren’t absolved from the need to comply with existing or future lawful demands.” The company reiterated its argument that it provides customer data “only in response to government demands and we only ever comply with orders for requests about specific accounts or identifiers”.

In June, the Guardian revealed that the NSA claimed to have “direct access” through the Prism program to the systems of many major internet companies, including Microsoft, Skype, Apple, Google, Facebook and Yahoo.

Blanket orders from the secret surveillance court allow these communications to be collected without an individual warrant if the NSA operative has a 51% belief that the target is not a US citizen and is not on US soil at the time. Targeting US citizens does require an individual warrant, but the NSA is able to collect Americans’ communications without a warrant if the target is a foreign national located overseas.

Since Prism’s existence became public, Microsoft and the other companies listed on the NSA documents as providers have denied all knowledge of the program and insisted that the intelligence agencies do not have back doors into their systems.

Microsoft’s latest marketing campaign, launched in April, emphasizes its commitment to privacy with the slogan: “Your privacy is our priority.”

Similarly, Skype’s privacy policy states: “Skype is committed to respecting your privacy and the confidentiality of your personal data, traffic data and communications content.”

But internal NSA newsletters, marked top secret, suggest the co-operation between the intelligence community and the companies is deep and ongoing.

The latest documents come from the NSA’s Special Source Operations (SSO) division, described by Snowden as the “crown jewel” of the agency. It is responsible for all programs aimed at US communications systems through corporate partnerships such as Prism.

The files show that the NSA became concerned about the interception of encrypted chats on Microsoft’s Outlook.com portal from the moment the company began testing the service in July last year.

Within five months, the documents explain, Microsoft and the FBI had come up with a solution that allowed the NSA to circumvent encryption on Outlook.com chats.

A newsletter entry dated 26 December 2012 states: “MS [Microsoft], working with the FBI, developed a surveillance capability to deal” with the issue. “These solutions were successfully tested and went live 12 Dec 2012.”

Two months later, in February this year, Microsoft officially launched the Outlook.com portal.

Another newsletter entry stated that NSA already had pre-encryption access to Outlook email. “For Prism collection against Hotmail, Live, and Outlook.com emails will be unaffected because Prism collects this data prior to encryption.”

Microsoft’s co-operation was not limited to Outlook.com. An entry dated 8 April 2013 describes how the company worked “for many months” with the FBI – which acts as the liaison between the intelligence agencies and Silicon Valley on Prism – to allow Prism access without separate authorization to its cloud storage service SkyDrive.

The document describes how this access “means that analysts will no longer have to make a special request to SSO for this – a process step that many analysts may not have known about”.

The NSA explained that “this new capability will result in a much more complete and timely collection response”. It continued: “This success is the result of the FBI working for many months with Microsoft to get this tasking and collection solution established.”

A separate entry identified another area for collaboration. “The FBI Data Intercept Technology Unit (DITU) team is working with Microsoft to understand an additional feature in Outlook.com which allows users to create email aliases, which may affect our tasking processes.”

The NSA has devoted substantial efforts in the last two years to work with Microsoft to ensure increased access to Skype, which has an estimated 663 million global users.

One document boasts that Prism monitoring of Skype video production has roughly tripled since a new capability was added on 14 July 2012. “The audio portions of these sessions have been processed correctly all along, but without the accompanying video. Now, analysts will have the complete ‘picture’,” it says.

Eight months before being bought by Microsoft, Skype joined the Prism program in February 2011.

According to the NSA documents, work had begun on smoothly integrating Skype into Prism in November 2010, but it was not until 4 February 2011 that the company was served with a directive to comply signed by the attorney general.

The NSA was able to start tasking Skype communications the following day, and collection began on 6 February. “Feedback indicated that a collected Skype call was very clear and the metadata looked complete,” the document stated, praising the co-operation between NSA teams and the FBI. “Collaborative teamwork was the key to the successful addition of another provider to the Prism system.”

ACLU technology expert Chris Soghoian said the revelations would surprise many Skype users. “In the past, Skype made affirmative promises to users about their inability to perform wiretaps,” he said. “It’s hard to square Microsoft’s secret collaboration with the NSA with its high-profile efforts to compete on privacy with Google.”

The information the NSA collects from Prism is routinely shared with both the FBI and CIA. A 3 August 2012 newsletter describes how the NSA has recently expanded sharing with the other two agencies.

The NSA, the entry reveals, has even automated the sharing of aspects of Prism, using software that “enables our partners to see which selectors [search terms] the National Security Agency has tasked to Prism”.

The document continues: “The FBI and CIA then can request a copy of Prism collection of any selector…” As a result, the author notes: “these two activities underscore the point that Prism is a team sport!”

In its statement to the Guardian, Microsoft said:

We have clear principles which guide the response across our entire company to government demands for customer information for both law enforcement and national security issues. First, we take our commitments to our customers and to compliance with applicable law very seriously, so we provide customer data only in response to legal processes.

Second, our compliance team examines all demands very closely, and we reject them if we believe they aren’t valid. Third, we only ever comply with orders about specific accounts or identifiers, and we would not respond to the kind of blanket orders discussed in the press over the past few weeks, as the volumes documented in our most recent disclosure clearly illustrate.

Finally when we upgrade or update products legal obligations may in some circumstances require that we maintain the ability to provide information in response to a law enforcement or national security request. There are aspects of this debate that we wish we were able to discuss more freely. That’s why we’ve argued for additional transparency that would help everyone understand and debate these important issues.

In a joint statement, Shawn Turner, spokesman for the director of National Intelligence, and Judith Emmel, spokeswoman for the NSA, said:

The articles describe court-ordered surveillance – and a US company’s efforts to comply with these legally mandated requirements. The US operates its programs under a strict oversight regime, with careful monitoring by the courts, Congress and the Director of National Intelligence. Not all countries have equivalent oversight requirements to protect civil liberties and privacy.

They added: “In practice, US companies put energy, focus and commitment into consistently protecting the privacy of their customers around the world, while meeting their obligations under the laws of the US and other countries in which they operate.”

• This article was amended on 11 July 2013 to reflect information from Microsoft that it did not make any changes to Skype to allow Prism collection on or around July 2012.


May 16, 2012

Windows 7 does not save network login credentials (username and password)

This is a note to self while I am elsewhere:

I just signed up so I could post the simplest solution:

  1. Go to: Control Panel > User Accounts and Family Safety > Manage Windows Credentials
  2. Expand each device listed by clicking the down arrow
  3. Delete all the credentials by selecting "Remove from vault" (to make things simple)
  4. Create new credentials for each network by entering the IP address of the device you're trying to connect to. For example, most internal IP addresses start with 192.168.1.xx. The last two digits vary with each device. It could be 192.168.1.1, 192.168.1.16, etc. Enter this address in the "Internet or network address" field.
  5. Enter your username and password (don't have to enter computer name, slashes, etc)
  6. Try to connect to the network. It will now work.
  7. To double check, restart your computer. The credential will still be remembered.

I tried to write down the simplest instructions. Obviously, there is more depth to this and alternative solutions, but this one works. The issue is 1. You either did not enter your credential in the correct format or 2. You have corrupted/duplicate credentials. There is no sequence required. We usually think that if something works, the sequence must have mattered.
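
The same clean-up from a PowerShell prompt, as an added example that is not part of the original post: `cmdkey` is the command-line front end to the same credential vault. The address and user name are placeholders, and unlike step 3 the script removes only the entries stored for the one device rather than emptying the vault.

```powershell
# Added example, not part of the original post.
# $Target and $User are placeholders (assumptions); use your own device address and account.
$Target = '192.168.1.16'
$User   = 'alice'

# Read the vault. cmdkey prints each stored entry with a line ending in
# "<type>:target=<name>", e.g. "Domain:target=192.168.1.16". Matching on
# "target=" avoids depending on the localized "Target:" label.
$entries = cmdkey /list |
    Select-String -Pattern 'target=(.+)$' |
    ForEach-Object { $_.Matches[0].Groups[1].Value.Trim() }

# Steps 2-3, narrowed: delete only the entries that point at this device.
# This clears a corrupted or duplicate credential without touching the rest.
$stale = @($entries | Where-Object { $_ -eq $Target })
foreach ($name in $stale) {
    Write-Host "Removing stored credential for $name"
    cmdkey "/delete:$name"
}

# Steps 4-5: store a fresh credential keyed on the IP address, with a bare
# user name (no computer name or slashes). "/pass" with no value makes cmdkey
# prompt for the password, so it never appears on the command line or in
# the PowerShell history.
cmdkey "/add:$Target" "/user:$User" /pass

# Steps 6-7: show what is now stored for the device. Run this again after a
# restart to confirm the credential was kept.
cmdkey "/list:$Target"
```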


March 29, 2012

New Counterterrorism Guidelines Give Authorities Vast Access to Private Info of Innocent Americans

March 25, 2012 | By Trevor Timm

On Thursday, U.S. Attorney General Eric Holder signed expansive new guidelines for terrorism analysts, allowing the National Counter Terrorism Center (NCTC) to mirror entire federal databases containing personal information and hold onto the information for an extended period of time—even if the person is not suspected of any involvement in terrorism. (Read the guidelines here).

Despite the “terrorism” justification, the new rules affect every single American. The agency now has free rein to, as the New York Times’ Charlie Savage put it, “retrieve, store and search information about Americans gathered by government agencies for purposes other than national security threats” and expands the amount of time the government can keep private information on innocent individuals by a factor of ten.

From the New York Times:

The guidelines will lengthen to five years — from 180 days — the amount of time the center can retain private information about Americans when there is no suspicion that they are tied to terrorism, intelligence officials said. The guidelines are also expected to result in the center making more copies of entire databases and “data mining them” using complex algorithms to search for patterns that could indicate a threat. (emphasis ours)

Journalist Marcy Wheeler summed the new guidelines up nicely saying, “So…the data the government keeps to track our travel, our taxes, our benefits, our identity? It just got transformed from bureaucratic data into national security intelligence.”

The administration claims that the changes in the rules for the NCTC—as well as for the Office of the Director of National Intelligence (DNI), which oversees the nation’s intelligence agencies—are in response to the government’s failure to connect the dots in the so-called “underwear bomber” case at the end of 2009, yet there was no explanation of how holding onto innocent Americans’ private data for five years would have stopped the bombing attempt.

Disturbingly, “oversight” for these expansive new guidelines is being directed by the DNI’s "Civil Liberties Protection Officer" Joel Alexander, who is so concerned about Americans’ privacy and civil liberties that he, as Marcy Wheeler notes, found no civil liberties concerns with the National Security Agency’s illegal warrantless wiretapping program when he reviewed it during President George W. Bush’s administration.

As other civil liberties organizations have noted, the new guidelines are reminiscent of the Orwellian-sounding “Total Information Awareness” program George Bush tried but failed to get through Congress in 2003—again in the name of defending the nation from terrorists. The program, as the New York Times explained, sparked an “outcry” and partially shut down Congress because it “proposed fusing vast archives of electronic records — like travel records, credit card transactions, phone calls and more — and searching for patterns of a hidden terrorist cell.”

The New York Times reported, the new NCTC guidelines “are silent about the use of commercial data — like credit card and travel records — that may have been acquired by other agencies,” but information first obtained by private corporations has ended up in federal databases before. In one example, Wired Magazine found FBI databases contained “200 million records transferred from private data brokers like ChoicePoint, 55,000 entries on customers of Wyndham hotels, and numerous other travel and commercial records.” The FBI would be one of the agencies sharing intelligence with the NCTC.

Despite Congress’ utter rejection of the “Total Information Awareness” program (TIA) in 2003, this is the second time this month the administration has been accused of instituting the program piecemeal. In his detailed report on the NSA’s new “data center” in Utah, Wired Magazine’s James Bamford remarked that the new data storage complex is “the realization” of the TIA program, as it’s expected to store and catalog “all forms of communication, including the complete contents of private emails, cell phone calls, and Google searches.”

Unfortunately, the new NCTC guidelines are yet another example of the government using the word “terrorism” to infringe on the rights of innocent Americans. Aside from the NSA’s aforementioned warrantless wiretapping program, we have seen the Patriot Act overwhelmingly used in criminal investigations not involving terrorism, despite its original stated purpose. As PBS Frontline’s Azmat Khan noted in response to the new guidelines, investigative journalist Dana Priest has previously reported how “many states have yet to use their vast and growing anti-terror apparatus to capture any terrorists; instead the government has built a massive database that collects, stores and analyzes information on thousands of U.S. citizens and residents, many of whom have not been accused of any wrongdoing.” 

This problem has been well documented for years, yet Congress and both the Bush and Obama administrations have continued to use terrorism as a justification for expansive laws, and Americans’ constitutional rights have become collateral damage. 


May 22, 2011

Who’s Screwing You Over on Privacy Issues? Pretty Much Everybody.

Dropbox–flamed this week for revealing that it will hand over your stored files to the feds if requested–is not alone in its willingness to throw users' privacy under the proverbial bus.

Nor is Apple, under the gun today after a revelation by O'Reilly Radar that 3G iPads and iPhones keep track of users' locations in unencrypted files.

The Electronic Frontier Foundation recently released its annual Privacy and Protection Report Card, rating the largest online players' performance in four categories:

  • Telling users about data demands
  • Being transparent about government requests for information
  • Fighting for user privacy in the courts
  • Advocating for privacy before Congress

EFF asks the provocative question, "When the government comes knocking, who has your back?" The discouraging but unsurprising answer appears to be, "You better have your own," because almost everybody failed.

As ZDNet's Violet Blue said, "They've either got your back in a pinch, or they'll sing like yellow canaries when the chips are down and sacrifice you without a second glance."

How the Big Boys Did

Among the tech firms whose performance on privacy issues can best be described as "not terrible:" Google (two stars plus two half-stars), Amazon (two stars) and Twitter (one star and two half-stars).

Google was the only surveyed company to rate something in all four categories, giving it a solid grade of C. Google got props from the EFF for citing user privacy as it pushed back in court against a request for search records, and for regular reporting about how and when they provide data to governments around the world.

Amazon and Twitter received props for their handling of requests for individuals' data, and Yahoo earned a star for resisting subpoenas of a user's email records.

Microsoft, Facebook and AT&T earned one star each for lobbying Congress on privacy concerns.

Coming up completely empty: Apple, Comcast, MySpace, Skype, and Verizon.

Privacy-minded users have already kicked themselves off Facebook and sworn off FourSquare and cloud-based anything. They won't get much additional benefit from a privacy bill rolling out on Capitol Hill.

The Commercial Privacy Bill of Rights, introduced in the Senate last week by strange bedfellows John McCain and John Kerry, got a lukewarm review from EFF's Rainey Reitman: "The bill's most glaring defect is its emphasis on regulation of information use and sharing, rather than on the collection of data in the first place. For example, the bill would allow a user to opt out of third-party ad targeting based on tracking–but not third-party tracking."

Moreover, Reitman adds, a loophole in the legislation allows sites like Facebook to step neatly around privacy protections: "A user would surrender any right to opt out of being tracked by Facebook or Google simply by having an account with them."

You are warned…
