MS Support consistently and repeatedly told me that enterprise allowed me to disable this stuff.
If I can't control the egress then I can't verify PCI compliance. I've already had to revert a client to Win 7 because they failed a PCI compliance audit using Win 10 Enterprise. Which, by the way, is very expensive for small businesses.
Win 10 Enterprise isn't viable for business.
I have a bunch of small business clients and I've had to use a whitelist firewall to pass PCI compliance, someone said here that a whitelist firewall is borderline unusable.
I've sunk so much time into that solution and I can attest, it's not viable.
It's kind of interesting, is it common for you to have Win10 systems in scope for PCI compliance?
It seems unusual to me if any desktop systems are anywhere close to card data, IMHO usually you'd have in scope only a bunch of servers (so, Linux or Windows Server for normal businesses who don't have a reason to wrestle mainframes) in an isolated network, but most of company computers including all the user desktops shouldn't have a way to touch in-scope data or systems in any way whatsoever, so if they're properly isolated (as they should be anyway) they would be out of scope for most of PCI DSS requirements.
Wouldn't call centers for online retailers need compliant desktops? How do they deal with customers who prefer to call an agent and read their card number over the phone?
I wouldn't assume these sort of desktops would even run windows at all.
A large BestBuy-like place here in Argentina has their sales terminals boot over PXE into some form of *nix straight to the sales systems with no real internet.
A bank nearby boots the account executive's systems right into KDE, on some pretty locked machines.
Windows 10 in any of those scenarios would be a laugh, I can't even begin to think why someone would pick it for anything that requires security audits.
It's depressingly popular in the US for small & mid-size retailers and businesses. NCR, Loc, IT Retail, et al. are built for Windows, and in the pharmacy arena you've got major companies like CVS using stuff from companies like Integra (not the telecom company, the pharmacy one) that thinks moving to SQL Server 2008 and C# with a full rewrite is the route to go for their major PCI compliant products.
It confounds me that locking yourself into a shrinking platform is what these players choose to do. Walmart doesn't use Windows in PCI related situations, nor do the big boys, all are on SLES running a POS atop that.
If you're gonna do a rewrite, why lock yourself into one OS and into one database? Database connectors are a thing, and they aren't hard to use...
In all fairness, writing in C# and targeting SQL Server is not locking you into Windows unless you use WPF or other Windows specific parts of the framework.
Sure, you can technically run C# on a Linux box (eg: Debian), but the last few times I had to (to interface with some point of sale hardware) I literally ended up just rewriting the driver in python. No desire to maintain something so foreign to the rest of the codebase when python can handle serial devices just fine.
Wrt not using a database connector, just why? You're literally locking yourself to the SQL Server licensing model, which blows up when you allow BYOD on every Android phone, and they're all connecting back to your SQL Server. Postgres and MariaDB meanwhile have no issues. Let alone if you hit the 10GB DB size cap, or need more than 1 CPU core or 1GB of RAM to cache your database.
Are you aware that .netcore natively runs on a variety of systems now?
If you make your systems such that you are dependent on SQL Server and cannot switch it to something else, then it's just a shame, but don't blame SQL Server for that. Besides, unless you have massive performance requirements, it should be behind an API anyway. It doesn't take much to code, and it increases modularity a lot.
Not sure why you're getting downvoted. We use .net core together with SQL Server on Linux boxes in production, no issues whatsoever and we can finally use a programming language which is actually pleasurable to code in.
Retailer customer service people generally do not need compliant desktops, because the systems they can access should not be storing protected data - maybe it would contain masked PAN i.e. the last four digits, but definitely nothing more.
For phone authorizations (if they are used - it may be a regional thing as most smaller online retailers here won't do it at all, banks really frown on merchants who do so because of risks and make it really expensive), generally the agent would use a similar interface as an online customer (encrypted channel, yadda yadda), and the card information would not be stored anywhere on that machine. Whether all kinds of PCI DSS security requirements would apply to these workstations is debatable, your mileage may vary, I've seen them considered out of scope - but in that case it wasn't really a call center for taking transactions but a support call center that might also handle a phone authorization in rare cases.
In any case, for a call center the biggest PCI compliance problem IMHO is handling the sensitive data in call recordings.
Use LTSB. Microsoft tries to scare you into not using it because it doesn't support the Windows store or Edge or have telemetry or any of that fun stuff.
But they keep coming out with respins of it to otherwise keep feature parity with CB Enterprise. A 2017 LTSB based on 1703 should be out soon.
I went through the same thing last year. I spent two months trying to plug all the holes in the enterprise version, for a medium sized healthcare client, and eventually gave up.
The LTSB edition looks promising but I haven't put it under the microscope yet.
I'm not sure if it's comedic or tragic that the version so very many users would want most, is not only the version with the worst name, but also the version Microsoft discourages people from adopting.
Critical patch support, infrequent updates, and excludes crufty bloatware. What's not to like?
> but also the version Microsoft discourages people from adopting.
Not surprising, because MS wants to push all the features (and ads, telemetry, etc.) to users regardless of whether they actually want them.
Indeed I wish MS would just keep supporting XP as the "Windows LTSB" with nothing but critical security patches, and keep doing it until the OS becomes nearly invulnerable to remote attacks.
> Indeed I wish MS would just keep supporting XP as the "Windows LTSB" with nothing but critical security patches, and keep doing it until the OS becomes nearly invulnerable to remote attacks.
I lol'd. You'd probably be pretty safe with Windows 3.11, Trumpet Winsock, and Netscape Navigator.
edit: so long as nobody got your public IP and used Winnuke on you.
I think this is what the ReactOS project will eventually become (which to me would be a great thing). They just released v0.45, if you haven't seen it yet.
Yes. Every piece of software that runs on Windows 10 Home or Pro will also run on Windows 10 LTSB, as long as it doesn't depend on the Windows Store, Cortana, or the Edge browser.
Microsoft offers 90-days evaluation ISOs of Windows 10 Enterprise and LTSB [1]. Just be sure to select "Windows 10 Enterprise LTSB" instead of "Windows 10 Enterprise" when downloading [2].
I am a person who runs LTSB for coding/rce/gaming. Everything runs without a glitch after initial setup. At the start we indeed have to do some stupid things such as restoring Windows Photo Viewer because images open with Paint, but it's way better than what the "full" version offers.
I'm curious what was the biggest issue with whitelisting. Was it about making sure services work, or about standard users' daily work? Did you try to comply on everything, or just have a PCI compliant zone?
Also, do you remember what was the specific reason for failing the audit? This all sounds interesting since you've gone through that experience.
All of the first-party connections seem to have proper DNS names, even on CDN (microsoft.com, microsoft.com.akadns.net). The ad networks are obvious third party that could be dropped. I mean, there could be more stuff I didn't see, but from the screenshots, dns blackholing seems viable.
DNS blackholing is playing whack-a-mole. I can blackhole scontent.xx.fbcdn.net today, and I have no assurance or confidence that they won't use scontent.xx.fbcdn2.net tomorrow.
DNS/FW whitelist is the only way to have even a little confidence that egress is controlled at this point.
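The blackhole-versus-allowlist difference described above, as an added shell example that is not from the thread: the allowlist matches on label boundaries (a name that merely contains microsoft.com is still denied), the blackhole only catches names someone already thought to add, and the audit runs both over constructed resolver log lines. The allowlist entries, the log format and every host name other than the two fbcdn ones from the comment are assumptions. It judges names only; a process that talks to a hard-coded IP never appears in resolver logs, which is why the firewall half of a DNS/FW whitelist matters.

```shell
#!/bin/sh
# Added example (not from the thread): allowlist vs blackhole matching for DNS
# egress control, run over constructed resolver log lines. The allowlist
# entries, log format and host names are assumptions, not output of any tool.

# Egress allowlist: a name passes if it equals an entry or is a subdomain of one.
ALLOWLIST="microsoft.com microsoft.com.akadns.net windowsupdate.com"

# Blackhole list as it would be maintained by hand: one exact name per entry.
BLACKHOLE="scontent.xx.fbcdn.net"

# Constructed sample log, "<timestamp> <client> <qname>" per line.
SAMPLE_LOG='2017-05-01T10:00:01 10.0.0.5 host1.microsoft.com.
2017-05-01T10:00:02 10.0.0.5 cdn.microsoft.com.akadns.net.
2017-05-01T10:00:03 10.0.0.5 MICROSOFT.COM.
2017-05-01T10:00:04 10.0.0.5 scontent.xx.fbcdn.net.
2017-05-01T10:00:05 10.0.0.5 scontent.xx.fbcdn2.net.
2017-05-01T10:00:06 10.0.0.5 microsoft.com.attacker.example.'

# 0 if $1 is an allowlisted name or a subdomain of one.
allowed() {
  for suf in $ALLOWLIST; do
    # Quoted case patterns match literally, and the leading dot in *."$suf"
    # forces a label boundary: microsoft.com.attacker.example and
    # notmicrosoft.com both fall through to "deny".
    case "$1" in "$suf"|*."$suf") return 0 ;; esac
  done
  return 1
}

# 0 only if $1 is exactly one of the blackholed names; a renamed CDN host
# (fbcdn2) sails past it, which is the whack-a-mole problem.
blackholed() {
  for name in $BLACKHOLE; do
    [ "$1" = "$name" ] && return 0
  done
  return 1
}

# Reads log lines on stdin, prints one verdict per query:
# "<qname> allowlist=ALLOW|DENY blackhole=BLOCK|PASS"
audit() {
  while read -r _ts _client qname; do
    [ -n "$qname" ] || continue
    qname=${qname%.}                                   # drop FQDN trailing dot
    qname=$(printf '%s' "$qname" | tr 'A-Z' 'a-z')     # DNS is case-insensitive
    if allowed "$qname"; then a=ALLOW; else a=DENY; fi
    if blackholed "$qname"; then b=BLOCK; else b=PASS; fi
    printf '%s allowlist=%s blackhole=%s\n' "$qname" "$a" "$b"
  done
}

# Usage: sh egress_audit.sh      runs on the constructed sample
#        sh egress_audit.sh -    reads log lines from stdin
case "${1:-}" in
  -)  audit ;;
  "") printf '%s\n' "$SAMPLE_LOG" | audit ;;
esac
```

Lines that come out as `allowlist=DENY blackhole=PASS` are the ones a blackhole-only setup would have let through silently; in the sample that is the fbcdn2 host and the lookalike domain.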
>MS Support consistently and repeatedly told me that enterprise allowed me to disable this stuff. If I can't control the egress then I can't verify PCI compliance.
Not that this is necessarily the best solution, but these sound like damages to me.
Or better, if you're worried about PCI compliance - start with a minimal system and whitelist specific packages that do not call home. Does that computer actually need all that software that comes with a default install? (Most likely not)
I don't think they do it on purpose. I think Windows is just a patchwork of cruft at this point.
I'm sure the Enterprise version shares all the code with the non Enterprise versions which have all the spying ... analytics... enabled, so bugs are bound to happen that let this escape into the Enterprise version.
Whether it's incompetence or malice, it's wholly unprofessional.
My confidence was already shaken with MS through their entire Win 10 Campaign and it's now completely gone. Their paid support services are hit and miss and if I'm going to end up supporting things that my client is paying MS to support then they're out and my client gets a smaller TCO overall.
I'll have to work with some of them so their business remain viable during the transition but I'm willing to do that. Their growth is our growth. Payment plans, trade, whatever we can come up with to make this happen.
For every one thing MS has done, loudly, in the attempt to instill trust they've done 5 things, quietly, that harm it. There are too many viable platforms available and if money is the only obstacle then I'll mitigate that for our clients benefit.
Agreed. Their forced Windows 10 upgrade "mistake" and my experience last year trying to plug all the holes in enterprise just to watch them re-install Candy Crush Saga with the next update vaporized any confidence or trust I had.
I've always been an MS person but am running Ubuntu on all of my devices now. I feel it hurts my productivity as lots of things I did in Windows just don't work in Ubuntu, but it's better than the alternative. I have a Windows 10 VM that I use every once in a while for those things that are completely impossible on Ubuntu.
I switched about 10 years ago. Before that I was windows 100% on desktop. I had similar issues at first but gradually became pretty comfortable with Ubuntu and Linux in general. Some things are more of a pain and may always be in Linux but overall the experience for me has been that things have been getting easier with time. I think that for better or worse as more applications move to the web the change will be easier and easier. What are some examples of things that are hurting your productivity?
Canonical did some stuff that upset a lot of people with sending search results through Amazon but that could be opted out of much easier than all this windows 10 stuff. I have also read that they don't contribute to the kernel as much as some think they ought to. And they have a tendency to fiddle with their UIs endlessly (I use xubuntu which is based on XFCE and avoids a lot that bikeshed renovation). Are there other reasons not to trust canonical?
I don't mean to pry with either question just generally curious.
I don't mind the questions at all. I hope you didn't want the TL;DR version.
Some of my pain points. Many probably have solutions, but I'm stuck between spending time dealing with it the way it is, and spending time finding a solution. These are not in any particular order:
1. Serial communication(terminal, for interfacing with console ports). I tried a few programs that didn't really work right away, and settled on Putty as that's what I used in windows. Except Putty under Ubuntu has no menu bar -- just an X to close it, and I can't copy or paste anything in or out of it. I also have to run it as root to access /dev/ttyUSB0 (I know I think there is a setting for this, just hasn't been important enough to spend the time looking). The copy/paste is the most annoying part.
2. Office(Outlook in particular) -- I tried a few options, even found a plugin for Thunderbird that would let me connect to an exchange server, but it just never quite worked right. I've adapted and am using OWA now, but I feel like it slows me down. I haven't yet been able to get Office >2007 running under Wine (not saying that I can't, just time vs benefit)
3. Google Earth Pro - I used this almost daily. I finally got it running under wine, but it's an older version, and many features don't work, such as searching by address. And any time it's running it leaves a shadow on the bottom of my screen, on top of all other applications.
4. Right-click shell interaction with 7-zip. Ubuntu's archive manager just doesn't seem to work right sometimes. I really miss right click > Extract to ... or Extract all to *\
5. PUTTING AN ISO ON A USB DRIVE. This is one of the more shocking ones and is something I can't even use the Windows 10 VM for because I'm not able to get USB passthrough working. Something as simple as firing up Unetbootin or Rufus and plopping an ISO on to a USB drive is nearly impossible on Ubuntu. I have Unetbootin, but have yet to get it to work. Haven't found Rufus yet for Linux/Ubuntu.
6. Network manager. It's always crashing and it never does what I want. Sometimes I just want to set a f*cking IP address on an interface and don't want to jump through 15 hoops. I might need to set addresses in 20 different networks in a single day. If I do it with ifconfig, the network manager "fixes" it for me. I have seriously resorted to using "sudo watch -n .2 ifconfig eno1 192.168.1.5 netmask 255.255.255.0" to set and keep an address on an interface.
Sometimes when it crashes and refuses to scan wifi networks(or 4g networks) I can just sudo service network manager restart, other times it takes a complete reboot.
7. I get random errors that pop up all the time "A system error has been detected, would you like to send a report to Ubuntu? With the default set to yes" -- never bothered to look for the error and it doesn't seem to coincide with any behavior I've seen.
8. RDP -- Remmina is pretty close to good enough, but sometimes I find copy/paste doesn't work, and the VNC function seems to have some compatibility issues.
9. CD/DVD Writing -- a problem solved long ago in Windows still gives me headaches in Ubuntu. System stutter will toast a disc, if I can even get it to burn at all.
10. Lock screen issues(not really productivity related...) Sometimes I will lock the desktop and close the screen(I don't often use standby) -- and open it back up and can use the desktop for 10-20 secs without entering a password. Then, as if it forgot, it will toss the locked screen up there and make me unlock it.
11. Task switcher grouping. I wish there was a way to turn this off without using the static application switcher. I alt-tab A LOT and don't like the delay I have to take in order to switch windows in a single application. To be fair, I hate the newer Windows behavior also that regroups windows in alphabetical order after the top few.
12. There's always some vendor rabbit hole that I get sucked into that would be easier to deal with on Windows. Maybe Dell packaged a bios update in a .exe file that can't be extracted without a Windows box(yes probably with Wine, but how much time am I going to spend getting that .exe to run?). Or some SAN management application, and don't even get me started on Java and Cisco's SDM, or some special VPN program I have to use to access a client's network that doesn't have a functional linux version, etc...
Those are the ones at the top of my head. I realize most can probably be solved with some time spent, but I'm still not yet nimble enough in linux to effectively compile/recompile things without following a step-by-step somewhere, and then when I do that, I'm left to my own devices to keep it updated, something I'd rather not spend cycles doing.
I'm running 16.04 LTS on a Latitude E7250 laptop. Chrome (not Chromium) is my main browser. There are tons of things that Ubuntu handles very well, and I paid nothing for it, so I can't complain much. One of the big complaints I've heard about Linux vs Windows on laptops is battery life -- but I'm happy with what I get. Depending on what I'm doing, it will last anywhere from 2 to 12 hours. Standby and resume work well, though sometimes it seems that it shuts down instead of standby (though I haven't ruled out fat-finger in these cases), and all in all I think they've come a long way to making a usable OS for someone like me that's been using Windows since 3.0 (though I'm quite comfortable on a command line).
As for the trust, it's mostly because I know TINSTAFL, and as it's free, I wonder where Canonical's interests are. The constant pestering to send error reports to Canonical are reminiscent of Windows trying to upload my crashdumps to MS. Whether or not these are memory dumps, I don't know, but to me Error report is often =Crashdump=memory dump= whatever info was in memory at that time is fired off to who knows where into an environment with unknown security.
Network manager pissed me off so much that I stopped using it. I recommend just shutting it off. All it seems to do is run the bash commands for you. Might as well just run them yourself.
Same with burning ISOs, it's easier to just use command line tools. The most dead reliable USB ISO burner I've used is the dd command. I've used it to burn all sorts of crazy stuff that Windows refused to write.
I haven't found the command-line-fu yet(and haven't spent much time looking) to scan, save, and auto-connect to various wifi networks, and to handle my Verizon LTE 4g card. I did hunt down the scan command once but I didn't use it enough to remember what it was. something to do with ilwifi iirc.
Haven't tried DD as an ISO to CD burner...will give it a shot.
You can only DD a bootable ISO to USB if it's been created as a hybrid ISO image. The syslinux package includes an isohybrid[1] command to convert existing non-compliant ISOs to hybrid ISOs that can boot via USB.
1) sounds definitely like a permission problem. Is your user member of the dialout group? If not, add it there, re-login and try again. You should not be forced to use the root user.
2) Exchange is a problem. There are several solutions, none of them is all that great: a) use Evolution, b) use Thunderbird with the proprietary plugin, c) use a proxy like davmail (davmail.sf.net).
3) There is Earth Pro for Linux too, it just isn't advertised. After installing the regular Earth, it will install also a repo for updates. Check what else is there in the repo - in the .rpm repo, there is the pro version. It has some bugs though - every time I try to use GPS tracing, it crashes.
5) Most distributions have a utility to make a boot drive. There are also other ways. If you intend to boot via UEFI, there's no need for special utilities to make the USB key. Just copy the ISO content to the USB stick, on a FAT{16,32}-formatted partition. If the UEFI bootloader can find the EFI directory in the root and its content, it will boot fine.
This will not work for some Windows editions, though. For example, Windows 2012R2 has an install.wim larger than 4 GB, so it won't fit on a FAT filesystem.
6) Do not fight the NetworkManager with ifconfig. If you want to use NetworkManager (and you want, if you use wifi, wwan, etc), change the IPs with nmcli. It's command line interface to the NM, so it will take note of this change and it won't cause difference between what the config files say and what is the reality on the interfaces.
> 1) sounds definitely like a permission problem. Is your user member of the dialout group?
Probably not. Will check -- I haven't changed any group memberships, so if it isn't by default, then it isn't.
> 2) Exchange is a problem...b) use Thunderbird with the proprietary plugin
Thunderbird with Exquilla is what I tried, but it just didn't quite do it for me -- the friction to use was greater than adapting to OWA.
> 3) There is Earth Pro for Linux too, it just isn't advertised.
Really?! I have to figure this out then! 3D buildings and drawing 3D paths to check LOS is my primary usage, so a GPS trace bug won't bother me too much.
> 5) Most distribution have a utility to make a boot drive.
I found the Ubuntu utility to make an Ubuntu bootable disk, but it wouldn't work on anything but an Ubuntu ISO.
> 6) Do not fight the NetworkManager with ifconfig. If you want to use NetworkManager (and you want, if you use wifi, wwan, etc), change the IPs with nmcli.
Thanks for the tip -- I'll learn nmcli and give it a shot, sounds like exactly what I need.
I don't understand how people aren't screaming about point 10 - I haven't had a linux distro which didn't do that, Ubuntu, Mint, Fedora, Arch - they all had this exact issue.
I close my laptop, it goes into sleep mode, I open the screen and my desktop is just there, I can happily use the browser, open apps, run commands, whatever, and then 10-20 seconds later the lock screen kicks in. It's insane that the architecture of the system even allows it to happen.
IIRC it's because the Ubuntu screen locking is tied to screensavers. I can't remember how I solved it for myself, but it involved invoking a much baser system to lock the screen.
Yeah, I'm pretty sure it's because the "lock screen" is just another process running on top of the desktop capturing all input and for whatever reason sometimes it takes longer than normal to start. But if that's the case, then the design is fundamentally wrong - it should be written in such a way that the desktop cannot display at all unless the state changes to "unlocked" somewhere deeper in the system.
Long Time Ubuntu user feels your pain - I've solved most of the pain by using KDE (kubuntu backports ppa on 16.04) or switching to Arch with KDE.
Subjective List - only a few good solutions:
1. screen can be used for serial stuff - also allows logging everything to file and copy&paste - you add yourself to a group that uses that device if you don't want to be root.
2. Yup. It's a pain point. There is stuff like Play on Linux that eases some WINE pain points.
6. Yes. NetworkManager is a pain point. Plasma NM (KDE) works fine for me. There is nmcli that you can use via command line. It's not totally straight forward but should be good enough for automation.
8. Yes. Remmina crashes for me a lot of times, I'm not using VNC that often but it's kind of a pain in the ass. You could try using plain rdesktop and reading up on details - I've switched to NX where it is possible but it's also not perfect.
9. Only ever burned with k3b and never got problems.
10. Lightdm lockscreen sucks :( - sddm (again KDE) works far more reliable for me.
12. kwin/KDE gives you all the options. There might be some hidden GNOME or Ubuntu Tweak tool settings but I stopped bothering.
Battery life: powertop + tlp and it's now better than Windows for me (on an Ivy Bridge i5 HP notebook, should work similarly well on a Dell with Intel)
I think PuTTY for Linux will show a menu where you can access settings if you press Alt-Space (and that key isn't bound by your WM). You can change the copy/paste behavior in the PuTTY settings before you open the initial connection and save it as the default configuration (also scrollback settings).
Use K3B to burn CDs and turn on Burnfree/whatever it's called.
All I get is the window-menu with alt space -- the one where you get "Minimize/Maximize/Move/Resize/Always-on-top/Close" -- not the one in the Windows putty where you have the duplicate session, restart session, etc... option.
I didn't see any copy/paste options in the settings -- am I missing something?
I've tried that -- it's what I would think would work, but the few times I did, it didn't work. I don't recall what I was testing with, but it was likely either a Windows OS ISO, or a VMWare ESXi ISO. I haven't tried since then, I just go boot up the Windows 7 desktop I keep just for this purpose and use Rufus.
I think it only works that way with ISOs made in a way to support it?
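The conditions discussed in this sub-thread (dd only works on a hybrid ISO, an isohybrid-less image needs converting, the plain copy-to-FAT32 method needs an EFI loader and breaks on a >4 GB install.wim), collected into an added pre-flight script that is not from the thread. The byte offsets are the standard ISO 9660 and MBR layouts; the loader path and the file names in the demo are assumptions, and the dd line it prints uses the GNU `status=progress` option.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight checks before writing an
# installer image to a USB stick with dd, or copying its contents onto a
# FAT32 partition for UEFI boot. Offsets are the ISO 9660 / MBR layouts;
# the demo file names are constructed.

# FAT32 cannot hold a single file larger than 4 GiB - 1 byte (the install.wim case).
FAT32_MAX_FILE=4294967295

# ISO 9660: the primary volume descriptor starts at byte 32768 and carries
# the identifier "CD001" one byte in.
is_iso9660() {
  [ "$(dd if="$1" bs=1 skip=32769 count=5 2>/dev/null)" = "CD001" ]
}

# isohybrid (and most current distro images) put an MBR in the first sector,
# whose boot signature is 55 AA at byte offset 510. Without it, dd to a stick
# yields something firmware will not boot from; run isohybrid first.
is_hybrid_iso() {
  [ "$(od -An -tx1 -j 510 -N 2 "$1" | tr -d ' \n')" = "55aa" ]
}

# UEFI removable-media boot looks for EFI/BOOT/BOOT*.EFI (BOOTX64.EFI on
# x86_64). -ipath is a GNU/BSD find extension, used because FAT names are
# case-insensitive.
has_efi_loader() {
  [ -n "$(find "$1" -ipath '*/EFI/BOOT/BOOT*.EFI' -print | head -n 1)" ]
}

# Print every file under $1 that would not fit on FAT32; $2 overrides the
# limit so the check can be exercised on small test trees.
oversized_for_fat32() {
  limit=${2:-$FAT32_MAX_FILE}
  find "$1" -type f | while IFS= read -r f; do
    if [ "$(wc -c < "$f" | tr -d ' ')" -gt "$limit" ]; then printf '%s\n' "$f"; fi
  done
}

# Verdict for one ISO file or one unpacked directory; returns 1 on a blocker.
check_image() {
  if [ -d "$1" ]; then
    has_efi_loader "$1" || { echo "no EFI/BOOT/BOOT*.EFI under $1; UEFI will not boot it" >&2; return 1; }
    big=$(oversized_for_fat32 "$1")
    [ -z "$big" ] || { printf 'too large for FAT32:\n%s\n' "$big" >&2; return 1; }
    echo "ok: copy the contents of $1 onto a FAT32 partition for UEFI boot"
  else
    is_iso9660 "$1" || { echo "$1 is not an ISO 9660 image" >&2; return 1; }
    is_hybrid_iso "$1" || { echo "$1 has no MBR boot signature; run isohybrid on it first" >&2; return 1; }
    echo "ok: dd if=$1 of=/dev/sdX bs=4M status=progress && sync"
  fi
}

# Usage: sh usb_preflight.sh image.iso   or   sh usb_preflight.sh unpacked_dir/
[ $# -eq 0 ] || check_image "$1"
```

The script never writes to a device; it only tells you which of the two methods the image is actually suitable for, and replacing `/dev/sdX` with the right disk is still on you.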
The simplest way of getting a serial terminal under Linux is to run screen under your preferred graphical terminal program. First parameter is the port, second is the baud rate, Ctrl-A shift-K exits. To access the serial device without root you need to add your user to the appropriate group, probably dialout.
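The permission check and the screen invocation from the serial-port replies above, as an added shell example that is not from the thread. It distinguishes the two cases that get conflated when "just run it as root" is the workaround: the device exists but its group (dialout on Debian-derived systems) does not include you, versus you are in the group but the session predates the change. /dev/ttyUSB0 and 115200 baud are assumed defaults.

```shell
#!/bin/sh
# Added example (not from the thread): confirm the current user can open a
# serial console device without sudo, then print the screen command to use.
# /dev/ttyUSB0 and 115200 are assumed defaults for a USB serial adapter.

# Group owner of a path, read from ls -l because stat's flags differ
# between GNU and BSD.
group_of() {
  ls -ld "$1" | awk '{ print $4 }'
}

# 0 if the current login session is a member of group $1. id -nG reflects the
# session, so a fresh "usermod -aG" only shows up after logging out and in.
in_group() {
  id -nG | tr ' ' '\n' | grep -qx -- "$1"
}

# Prints the command to run on success, the fix on failure; returns 1 on failure.
serial_console() {
  dev=${1:-/dev/ttyUSB0} baud=${2:-115200}
  if [ ! -e "$dev" ]; then
    echo "$dev does not exist; check dmesg after plugging the adapter in" >&2
    return 1
  fi
  if [ -w "$dev" ]; then
    # -L logs the session to screenlog.0 in the current directory;
    # Ctrl-A then Shift-K ends it.
    echo "screen -L $dev $baud"
    return 0
  fi
  grp=$(group_of "$dev")
  if in_group "$grp"; then
    echo "you are in group $grp but $dev is still not writable; check its mode with ls -l $dev" >&2
  else
    echo "$dev is owned by group $grp; run: sudo usermod -aG $grp $(id -un), then log out and back in" >&2
  fi
  return 1
}

# Usage: sh serial_console.sh [/dev/ttyUSB0] [115200]
[ $# -eq 0 ] || serial_console "$@"
```

The screen session takes the port and the baud rate as the first two arguments, matching the comment above; parity and flow control keep screen's defaults (8N1, no flow control) unless you add them after the baud rate.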
It sounds like the problem is that you didn't set your client's system up properly for PCI compliance. Don't blame Microsoft for your technical incompetence!
Since the first release of W10 several registry keys and policies have changed in very confusing ways. I can't remember what exactly but I had to change my personal scripts several times based on the changelog of other tools. Privacy and settings like default apps were also reverted (reset to default) when you updated. They installed some apps like Candy Crush Saga on Enterprise. I don't see that much of a problem here, it's understandable since they are letting go of legacy stuff, bugs happens (even more after you cut your QA department). Now it's time to stop with all the excuses. Get your shit together.
> Security. Information that’s required to help keep Windows, Windows Server, and System Center secure, including data about the Connected User Experience and Telemetry component settings, the Malicious Software Removal Tool, and Windows Defender.
I have all the possible settings configured, from registry to policies and I still see random connections everywhere. But it's ok because it's not telemetry, right?
> What is NOT telemetry?
> Telemetry can sometimes be confused with functional data.
Is anyone taking legal actions against Microsoft about all of this? Does anyone care? Not everybody can switch all their machines to Linux/VMs, this whole situation makes me angry.
I can't agree with this more.
A client straight up failed a PCI compliance audit, replete with daily fines, for using 10 Enterprise. They decided to pursue legal measures against MS for false claims.
I really hope this gets elevated because reverting to win 7 is a solution with a short life span. The other solution is to rebuild infrastructure on top of a different platform but that's prohibitively expensive.
> The other solution is to rebuild infrastructure on top of a different platform but that's prohibitively expensive.
The more Microsoft degrades their viability for enterprise computing, the more market pressure will build (I think) for a different platform infrastructure.
If / when the market reaches that tipping point, the schadenfreude will be overwhelming.
To preface to avoid what might otherwise seem like a bias toward defending use of Windows: I'm a free software activist, a GNU maintainer, and do extensive volunteer work for GNU and the FSF.
It's not fair blame. Many companies simply go for what works and throw money at the problem. Windows historically has excellent support from a large number of third parties.
The other problem is third-party software. I work for an insurance company. The system that they use for managing everything---policies, accounting, brokers, etc---is tied to Windows. This is a specialized program---there are only a few of them that exist, and none as sophisticated as the one this company uses. This system has been responsible for not only tying the office to Windows, but holding us back from upgrading---for the longest time we couldn't even get off of IE6 because it didn't support anything higher.
I'm able to do 99% of my work within a GNU/Linux VM. But on rare occasion, I need to use that system, and it requires Windows. Everyone else in the office---the majority of the company---requires Windows. This is a system that the company has invested many millions of dollars into.
So while we can do our best to inform others, perhaps before they make these critical business decisions, it ultimately comes down to practicality for most businesses. Yes, they may pay for it. Yes, they're taken advantage of, have issues with vendor lockin, etc, but unless you travel upstream and liberate those systems or provide suitable replacements _that the business is confident will have support for years to come_, there's not much to do.
I'm not defending the situation; it's terrible. But sympathy _should_ be had, because there's much to lament, and much room to help.
> Many companies simply go for what works and throw money at the problem
So they went with the easiest option and now they are locked in due to lack of forward planning. Their own short term planning is to blame.
With the third party software you mentioned, how long have they relied on it and have they done absolutely anything to mitigate this reliance? My guess is that they've done nothing or worse, written a bunch of integration points on top of the software that makes it even harder to replace.
One day the company providing that software will jack up the price and you'll be forced to pay it. Again I'll have no sympathy because the company has done nothing to unlock themselves.
Heaps of server side tools are truly cross platform, but I was talking about avoiding proprietary platforms in the first place, which means no windows, or at least no windows tech that doesn't conform to open standards.
Typically businesses will build their own software on top of MS (or Oracle, or <insert cloud platform>) tech as well, locking them in further to several years of "investment".
Yes, Mozilla and FSF in particular. They don't try to gouge me with new versions or price discrimination either, unlike "oh you need the pro version for that" windows.
Wait, why was your client running a desktop OS in-scope?
Every PCI zone I've seen is just servers (Windows Server and Linux). Does the client store card data on desktop machines?
Generally, you'll have a locked-down portion of your infrastructure be PCI-compliant, and that's the only place card data is stored or entered. That reduces your scope and costs.
The switch to Linux or other free operating systems is long overdue. If your excuse is hardware support, then (1) your hardware is probably supported these days and (2) you should not buy hardware that is incompatible with the operating system you plan to use. If your excuse is editing MS Office files, LibreOffice supports the formats and works great, and MS Office on Wine is an option. If your excuse is games, then know that with Steam and Wine combined your potential gaming library is HUGE. If your excuse is laziness or resistance to change, then I thank you for being honest, and urge you to overcome it.
Proprietary operating systems work against your interests. Stop using them.
You're making the same exact argument that people trying to push Linux on the desktop were making 10 years ago, and 15 years (and probably before that, it's just that's when I started dabbling in that stuff).
It boils down to "it works for me, and if it doesn't work for you because of X, Y and Z, then you should just stop doing that".
You can judge for yourself just how persuasive this argument really is by looking at desktop Linux market share over the past 20 years.
The argument is the same, but Linux desktops did get a lot better, and with better support, since then. There's now multiple distros with great UX to choose from (as opposed to "learn xfree86 and stop whining") and indeed Wine works great with lots of programs.
I say this as an avid Windows 10 user. IMHO there's still a usability gap (which is why I'm on Windows), but it's narrowing. GP's argument has a lot more merit now than it did 15 years ago.
Desktop Linux suffers from the same chicken-and-egg problem that doomed Windows Phone.
Developers don't develop for it since the user base isn't large enough, and people don't switch to it because app support is severely lacking. How good the raw OS is doesn't matter that much when the apps aren't up to par.
Your Wine comment illustrates my point - while Wine is an awesome project - even apps running perfectly through it feel like they're running on Windows 2000. That's fine if you just care about the functionality of the app, but not if you care about the user experience.
Back in 2005, there were numerous distros with great UX. SUSE was great, Mandrake was pretty good etc. Ubuntu was the new kid on the block, but was already showing great promise. Wine worked for a lot of stuff, and there was Cedega for games.
I agree that things have improved since then... but with hardware, for example, it's very much a moving target. Your chances of running Linux on a random new PC bought off the shelf, or assembled from off the shelf components, and having all the hardware fully supported without mucking around with firmware, kernels, configs etc, are still low enough that hardware shopping needs to be done specifically with Linux hardware compatibility in mind, checking lists for what works on what distros etc. And I'm not talking about exotic stuff here, but basic things like WiFi.
Driver support is only part of the problem (but still a problem). The absence of self-discoverability / the RTFM approach of Linux will always create a ceiling in terms of adoption outside of professional developers. Except when you stick a consumer GUI and specialised hardware on top (Android/ChromeOS). But these are not general desktops on which people can work.
Steam works great, and LibreOffice has been good enough to get the job done. I run Google Earth Pro and Sketchup in Wine, even World of Warcraft runs quite well in Wine.
I had a ton of issues with Wine until I found PlayOnLinux. Things still don't quite 'just work' -- but I've been able to use way more than I could before I found it.
KSP and WoW are my two big games, and they both work fine.
Np. I messed around for a bit till I found it also. I'm surprised it didn't pop up on my radar previously. It's really helped me a ton with getting things working under Ubuntu.
I haven't played Rimworld yet. Might have to go check it out.
I've found TerraTech recently but I've had about as much fun as I can have with it until they fix some more things.
Stop using the operating system where everything works: apps, games, hardware, good office package, etc.; rather use an operating system on which debugging to a layman translates to a plane of hell itself, where your hardware may or may not work, and half your game library certainly won't.
I would happily switch to Linux permanently the day the flagship office package UI doesn't resemble Office 97 (the ribbon UI is absolutely fantastic in MS Office), I can get all of my games to work, and I don't need to recompile a kernel to get something as basic as a graphics driver running.
Many games don't port to Linux until all users have switched. It's a chicken-egg problem :(
> I don't need to recompile a kernel to get something as basic as a graphics driver running.
You already don't need to do that. Intel and AMD's open-source drivers are included in the kernel and nVidia's driver can be installed without recompiling the kernel.
The games are getting better. Just over half of my steam library works at the moment. Not sure when it happened but over the last 2 years I noticed more and more things being available. It's no longer just low quality indie stuff.
If any Blizzard game would be ported, that would truly be a milestone (StarCraft 2 with WINE is a lot slower on my machine).
Also many games require nVidia drivers or AMD's open source driver (e.g. Life is Strange). I'm using a 144 Hz monitor and therefore need to use AMDGPU Pro (AMDGPU has a bug with >120 Hz: https://bugs.freedesktop.org/show_bug.cgi?id=93826 ).
But you're right: It's getting better :) For example Rocket League and Dota 2 work great.
Your refutations are both weaker and discussion-worsening when you call names and are personally thorny. The guidelines are here so we can have more civil and insightful discussions.
My refutations aren't weaker, they're just in poorer taste. I'm sick of the typical Windows apologist making baseless claims about Linux and I don't see it necessary to treat such people with respect. They haven't earned it.
I know. It's still frustrating that you'll moderate comments like mine but comments spreading harmful misinformation never hear it. It's also difficult to take your rules seriously when even you don't.
Even if your excuse is needing MSO, I've heard that WPS Office (http://wps-community.org/download.html) works really really well for people migrating, even in cases where LO was insufficient.
A lot of people who use a computer for work purposes have a number of software applications that they must be able to run reliably in order to do their job.
The problem is steadily getting better in some areas, but there are still thousands of specialist applications in service today that only run on Windows. If you are lucky, there may also be Mac versions.
The reality is that it's often not feasible to only run FOSS, and nothing but FOSS.
Wine has been up to real-world commercial use for at least a decade, in my experience. It's more surprising these days when stuff doesn't work in Wine than when it does. (.NET support is still annoyingly imperfect.)
Sponsoring getting a vertical market app working 100% in Wine is unlikely to be cheaper than cleaning up after WannaCry's competently-written successors.
LibreOffice is fine for basic features. But in a corporate environment you often have lots of addins to interoperate with lots of systems which won't play well with LibreOffice
True. Support has gotten significantly better. It's not perfect, and the failure cases are much worse than Windows (and somewhat worse than OS X), but it's gotten better.
> you should not buy hardware that is incompatible with the operating system you plan to use
This is where you start going off the rails.
People did buy hardware that was compatible with the operating system they do use. It is super presumptuous and weird to try this sleight-of-hand in your argument.
> LibreOffice supports the formats and works great
You are now off the rails and airborne.
Nontrivial Excel spreadsheets break in LibreOffice Calc on the regular and it's significantly slower (!) than Excel besides; anything using VBA, which is still a pretty big chunk of serious Office users especially in enterprises, is a nonstarter for obvious reasons. The UI is also, IMO, a huge step backwards from Office and now that the Ribbon "but but it's different" is far enough in the past that pretty much everybody has switched, another UI switch is probably not worth it.
> with Steam and Wine combined your potential gaming library is HUGE
Sailing through the air with the mountain approaching.
Your potential gaming library is huge--and either indie (which is fine, but limited) or largely broken. Suggesting WINE to somebody who doesn't already know what they're in for is dirty; even gold-flagged games in WINE that aren't a decade old are often broken in ways your average mortal can't fix. If you enjoy being elbow-deep in a computer, this may be fine for you. Most people aren't. Your preaching ignores this. It shouldn't.
> Proprietary operating systems work against your interests. Stop using them.
You've hit the cliffside. There are no survivors.
People will stop using them when open-source ones are good at the things they want. Right now, they're still not, and exhorting people to use an inferior good (for the things they care about) is kinda just doing people dirty.
Don't get me wrong: I would like Linux and other open-source operating systems to be better desktop OSes for normal people (and some of my own projects are intended to help facilitate that) but still, in 2017, it is a raw effing deal for the majority of people to switch to it. This should change. I know you work on stuff to make that happen, and that's awesome. But it's still not something I think can be recommended in good conscience to most folks, even around here.
It barely works for me, and I've been using it on the desktop for fifteen years and have grown accustomed to the need to cultivate tragically low expectations around the whole stack.
>This is where you start going off the rails. People did buy hardware that was compatible with the operating system they do use. It is super presumptuous and weird to try this sleight-of-hand in your argument.
Make new purchases more intelligently.
>You are now off the rails and airborne. Excel is still largely unsupported and breaks nontrivial spreadsheets. The UI is also, IMO, a huge step backwards from Office and now that the Ribbon "but but it's different" is far enough in the past that pretty much everybody has switched, another UI switch is probably not worth it.
Which is why I mentioned MS Office in Wine.
>Still sailing through the air with the mountain approaching. Your potential gaming library is huge--and either indie or largely broken. Suggesting WINE to somebody who doesn't already know what they're in for is dirty; even gold-flagged games in WINE don't work particularly well a whole lot.
I suggested it to the HN crowd, who I expect to have a higher bar of troubleshooting capability.
>People will stop using them when open-source ones are good at the things they want. Right now, they're still not, and exhorting people to use an inferior good (for the things they care about) is kinda just doing people dirty.
You and people like you are the reason that it's not as good as it could be. I use Linux as my daily driver and it works extremely well. But if you continue to let it languish with a small market share because you can't be bothered to troubleshoot it for 10 minutes or maybe live without that piece of software you need so much, then it won't even go anywhere. Yours is a self defeating attitude.
I've been using Linux as a daily driver for fifteen years. I have shot my share of trouble and the next two guys' too. It's not a good experience. It's bad. Even when things aren't breaking left, right, and sideways (which, to be clear, definitely happens less often today than five years ago, with the corollary that that breakage is usually something a mere mortal can't do too much about), it feels kinda...well, shitty. I've done my time with a bunch of different DEs and each and every one is a fit-and-finish mess. (KDE comes closest. It is still leagues shy of the Mac that's also on my desk.) If you--the general community, not you specifically--can't make something that feels good to use, your foot is already deep in that bucket. Then you add on hardware and software incompatibilities and your answer is "halfway patches or just do without", and you are so deep in Zealotville that me shouting sure isn't going to reach you (but might dissuade a few people from burning themselves along the way).
If you don't have a positive argument for using your thing instead of framing its competition negatively, few people will ever use it. The Linux desktop as a whole doesn't have that positive argument. Because, for most people and including most developers, it is a strictly inferior good. Not to Windows--but to the Mac. You're stomping your feet about people not being bothered to troubleshoot--it ain't their fault that that's still a tire fire! I use a Linux desktop because I know what I'm getting into and I know enough, from the aforementioned fifteen years of dealing with its crap, to make it mostly tolerable for work (not at all for fun, which is why I still use Windows, too!). I sure wouldn't start today, not on either the handwavy "but but telemetry!" grounds nor the usefulness of it.
It's not really my thing, but Plasma seems like a really solid desktop. What are your complaints with it?
And I'll raise this point again:
>You and people like you are the reason that it's not as good as it could be. I use Linux as my daily driver and it works extremely well. But if you continue to let it languish with a small market share because you can't be bothered to troubleshoot it for 10 minutes or maybe live without that piece of software you need so much, then it won't even go anywhere. Yours is a self defeating attitude.
Using proprietary operating systems because Linux isn't there yet is a great way to keep Linux from getting there. It's a chicken and egg problem. What would you prefer: getting your privacy thoroughly invaded by a proprietary operating system, or being there to help Linux gain market share and tip the scales? Even if it's not perfect, it's more than enough, and supporting it is the best choice.
> Using proprietary operating systems because Linux isn't there yet is a great way to keep Linux from getting there. It's a chicken and egg problem. What would you prefer: getting your privacy thoroughly invaded by a proprietary operating system, or being there to help Linux gain market share and tip the scales? Even if it's not perfect, it's more than enough, and supporting it is the best choice.
The vast majority of people out there see computers (and other devices) as things that get stuff done, right now. They couldn't care less about proprietary vs open source, and the philosophy and the politics of the latter.
So there will never be a critical mass that will tip the scales, ever. You'll get the geeks going there because they care, trying to live with the inconveniences for a while, and then mostly going back to OS X (or even Windows), because they find other things to care about, and stop feeling like struggling with xorg.conf or NetworkManager or whatever is meaningfully "fighting against the system".
I used to study with a guy that openly said "Linux is only free if your time has no value". I've tried Linux so many times, and my longest streak was when I had VMware Workstation to run Windows in it. Eventually, I just got fed up.
First and foremost, I need my systems to just WORK. When I sit down to code, the last thing I want to do is debug why it is not properly displaying on all of my monitors.
That's not specific to Linux. I don't even want to calculate the time I've spent on this...in recent Windows. Saying "Windows is only worth it if your time has no value" works the same way, and is just as meaningless.
In other words, I know no current OS which doesn't suck :((( Win7 held some promise, as did OS X, and current Linuxes hold some still; but alas, we're still not in plug-and-play land after many decades of effort.
I have had 0 issues with multiple monitors, even with different resolutions and switching from one to the other when moving about with a laptop. This is during the last 10 years with various different machines. It just works.
But even if you have issues with Windows, I have zero doubt you would spend more time battling with Linux. It just doesn't have polish or UX as a primary target. It is wonderful for servers, but as a desktop it is a broken experience unless you value tinkering with it.
Interesting, but for your doubt I have the opposite experience. "Windows update came and took away the working drivers again" is a recurring theme, as are Windows networking issues (on many, many different networks). If I want a system that just works, I have one bootable and installable on a USB drive; for endless tinkering (and fighting against "where do we drag you today?"), there's Windows.
Where did that "monitors" issue come in, no idea - typing this on Kubuntu with 3 different displays, also no issues (except for my prankster colleagues unscrewing the video cable).
As someone above noted, I don't care about the OS. I care about the work I do on it - and I have the same Jetbrains tools, the same Firefox, the same Chrome, etc etc etc. Whether the title bar is polished, transparent and the exactly right shade of unmagenta, I don't care.
Are you running special hardware? Ever since Vista I have at most had to install a graphics driver, and that is it. Windows networking failures seems to be driver issues when I debug them, just as they are on Linux, but I haven't had any myself on either system.
To me, and without exception, every single person I talk with about this has fewer issues with Windows or OSX than with Linux. This is primarily CS majors that are required to run it to get their degree.
The tools only exist for Linux, but there are plenty of machines available to remote into. Many just choose to install it on their own machine because they want to.
At work, I am a sysadmin/helpdesk monkey taking care of a network of ~80 users and a dozen servers, all on Windows, and let me tell you: Windows has its fair share of weird problems, inexplicable failures, stuff that "worked yesterday"...
Windows may "just work" often enough, but unlike Linux, it also "just stops working" so often, it's just not funny any more. On Linux, once one has it working, at least it keeps working.
I'm not talking to the vast majority of people. I'm talking to Hacker News readers. The sort of people who would care, and who would be technically capable of running the system (though to be quite honest, if it weren't for the mental leap of installing something new, the "vast majority" would have no problem running a modern Linux distro). The Hacker News crowd is also full of developers and, well, hackers. The sorts of people who, if they used free operating systems as their daily driver, would be capable of investing in it and improving it until it reaches the potential to have an impact on the market. I struggle to refer to the readers of HN as "hackers", though, considering many of them are the sort of people who would write comments like yours in defense of Windows and excusing away their proprietary behavior.
You're telling all these people that they should persevere, because by doing so they will "tip the scales".
My point is that they're simply not sufficient to tip the scales. Even if every single HN reader did what you demand they do, it would not tip the scales.
Once you realize that, this whole notion of "fighting the man" by struggling with config files and broken hardware support rather loses its edge.
Hits too close to home. It's fun to have an i3wm as a dual boot because it makes me feel "1337". But all my CAD, FEA, CFD, modelling software, they all run better on Windows, if they even run on Linux at all.
From my perspective as a normal user the trade-off isn't worth it. The pain of using Linux is very real, and the benefits you describe are nebulous and uncertain, considering the amount of time people spend on their computers.
I tried really hard to make it work. If it only took 10 minutes of troubleshooting, then it would have been fine, but it was instead hours of crawling through forums.
Ultimately, this is a theory of mind issue, since proficient users and developers can't quite seem to grasp how regular joes use the software. Or if they do grasp it, they react with contempt instead of trying to fix the issue. Without making it REALLY convenient there is simply no way it will gain more than a small market share. Whether the contempt is justified is irrelevant if the goal is to have the Year of the Linux Desktop.
So X decided to reverse my displays today, despite precisely zero patches or changes being applied to the system, and the GUI tool for rearranging them, because life is tremendously too short to go screw with config files to make my GUI work, won't actually save a config file that fixes the problem on reboot.
This is fine. This is great. Everyone should waste their time with this.
I used to have these problems, but since about 2013 I've just had the same Arch install with Plasma on my desktop and notebook and they have just worked. Update once a week, watch the mailing list for breakage notifications (about once a quarter) and have a boring desktop experience while I get work done. Along the way, my GPU (290) got much faster on the Mesa driver, the kernel has developed new features, btrfs has been stable as hell for me for years, and if I ever need anything I just yaourt it and it's there.
Since you used KDE as an example, maybe you switched too soon. A lot of people did. The recent Plasma 5 release was exactly like the KDE 4 release - it took a good 5 - 6 major releases before stability and feature parity with the predecessor were reached. But if you switched from KDE 3 to 4.5, or from 4 to 5.6, the new desktop worked fine. We're on Plasma 5.9 now and it's boring. In a good way. It is stable, it works, the features are great, the looks are excellent, it gets out of my way and I can get work done on it very well.
Linux is boring. And that's a good thing. I can easily buy a system76 / Dell computer that runs Ubuntu, install whatever I want on it, and have a crisp experience without issue now, unless I go looking for trouble on the bleeding edge of hardware or software.
> If you don't have a positive argument for using your thing instead of framing its competition negatively, few people will ever use it. The Linux desktop as a whole doesn't have that positive argument.
How about being much easier to keep up to date for the average user? A single tool updates everything and doesn't leave a million bundled copies of various low level libraries in every app that uses them. It's much easier for a normal person (or advanced user) to keep a Linux system patched. Keeping your OS and applications patched takes a lot of effort on Windows.
Another is that it comes with a lot more great tools out of the box than windows, users don't have to navigate the web trying to find software or rely on OEM crapware.
UI wise it provides a much more consistent experience and it stays out of your way a lot better (no focus stealing shit everywhere).
> Even when things aren't breaking left, right, and sideways, it feels kinda...well, shitty.
Funny, because this is exactly how I would describe windows 10.
Anyway!
> If you don't have a positive argument for using your thing instead of framing its competition negatively, few people will ever use it.
There are plenty of positive arguments. They have been repeated over and over so I won't do it again.
> It's not a good experience. It's bad.
> Because, for most people and including most developers, it is a strictly inferior good.
Citations needed. Because this seems purely your subjective opinion. I'm sure many people will share it with you, but that definitely isn't my experience and many will share my opinion too.
I have been using Linux and Mac for the last 10 years. It's not as bad as you note. Actually I had more issues with Mac these days due to updates slowing down the machine and their half-transparent UI. As a developer I would far rather use Linux than Mac.
I'm not sure if MS isn't still sabotaging support, but Europe did force them to implement exporting to the open document formats. You should be able to convert all your docx / pptx / xlsx files to odt / ods / odp before switching, or just using Wine as a conversion tool.
Well, my definition of "works" is that you can read it. Authoring new documents should use ODF. And again, MS Office works on Wine, so you can use that in the worst case.
I have used Linux (Mint) for all my work in college for ~6 months. In my experience, using Word Online on Chromium was better than using LibreOffice locally. Both feature- and UI-wise. Both for reading existing stuff and for making new docs. I have nothing against LibreOffice, but suggesting it can be used as a replacement for MS Office in any capacity is disingenuous.
Regarding wine, no need for that now that Office online and Google docs exists.
> Regarding wine, no need for that now that Office online and Google docs exists.
This is evidence you've never used Google Docs for real work and have never encountered its absolutely dismal docx rendering. I get stuff in Gmail regularly I then have to open in LibreOffice to bloody read.
That's disingenuous. Word has supported odt and odf for both read and write, for nearly a decade already. (2008 version supported it from preliminary checking)
Follow up with "open the file with Word". If they panic over that, you have an awfully stupid lawyer/investor/accountant. It'll even have the word icon on it! I doubt they even have file extensions enabled, they probably wouldn't even notice.
Filing you into the "change resistant and lying to themselves" category of Windows user, too.
Because it's the best spreadsheet software out there. It really is first-class, and LO Calc has a lot of catching up to do (and they are quite aware of this).
My theory is that Excel's userbase includes the guys who actually sign the cheques, so MS has to get it right.
Yeah... LO may have 80% of the features, but if 25% of users use a few of those other 20% of features, you're going to face a lot of resistance from any company with even a dozen users. I've seen some amazing/scary things done in Excel (and Access even).
I also like Access for what it is. I haven't used Base enough to really comment... Would be kind of cool to see Base spun off, so that it could be a stand-alone access competitor, if that isn't already an option.
There are also many computers, where nothing but Windows, Office and company ERP client are installed. This has been for decades.
Due to lack of other tools, people learned to do absolutely crazy things with the Office - from saving screenshots in the Word files to drawing in PowerPoint.
I now consider this an utterly, utterly bogus argument - Google Docs has absolutely dismal docx and xlsx support, and I've never seen anybody but me note it.
Most of his configuration is invalid, due to his misconfiguration of group policy. For example, he disabled the Teredo policy. But here's the help text for that policy: "If you disable or do not configure this policy setting, the local host settings are used."
He made this error countless times, rendering the entire experiment a failure.
Actually I made this error twice, which is far from "countless times". The one Allow Telemetry setting would not have made a difference because I had also configured it manually and the Teredo setting doesn't actually disable Teredo anyway. This does not make the entire experiment a failure.
Enable the Group Policy: Computer Configuration > Administrative Templates > Network > TCPIP Settings > IPv6 Transition Technologies > Set Teredo State and set it to Disabled State.
Reading that, it seems as though you should disable the policy but in fact you should first Enable the policy, then go into the policy settings and Disable the setting there. And even with that mistake, I had it manually disabled in both HKCU and HKLM so if disabled means it uses the local host settings then it should use that.
Nevertheless, there are some serious concerns here:
1. Why is it even connecting to facebook, msn ad services, google analytics, etc. when nothing is running?
2. Why is it doing this by default on an Enterprise operating system?
3. Why is this the default setting that requires dozens of group policy settings (and knowledge of group policy) to disable?
4. And why is there no option to opt out completely?
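The thread above turns on two checks a practitioner would want to run rather than argue about: whether the Teredo and telemetry policies actually landed in the Policies hive (as opposed to the editor showing "Disabled", which for the Teredo policy just means local host settings win), and which process owns the outbound connections that were observed "with nothing running". The following is an added PowerShell example, not code from the thread or from Microsoft. The registry paths are the ones the TCPIP.admx and DataCollection.admx templates write as I recall them and are an assumption to verify against the PolicyDefinitions on your own domain; the hypothetical function names are mine.

```powershell
# Added example, not from the thread. Run elevated on a Windows 10 machine with
# the NetTCPIP and NetworkTransition modules (Get-NetTCPConnection,
# Get-NetTeredoConfiguration) available.
# Assumption: policy values live at
#   HKLM\SOFTWARE\Policies\Microsoft\Windows\TCPIP\v6Transition\Teredo_State  (REG_SZ)
#   HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection\AllowTelemetry    (REG_DWORD)
# Check these against your PolicyDefinitions\TCPIP.admx and DataCollection.admx.
#Requires -Version 5.1

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # A missing key or value means "Not Configured" (or, for enum policies such
    # as Teredo_State, "Disabled" in the editor, which deletes the value). Either
    # way the OS falls back to local host settings, so report $null for both.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Test-TeredoAndTelemetryPolicy {
    $findings = New-Object System.Collections.Generic.List[string]

    $teredoPolicy = Get-PolicyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\TCPIP\v6Transition' 'Teredo_State'
    # Effective Teredo type as the stack sees it, independent of what the GPO editor shows.
    $teredoEffective = (Get-NetTeredoConfiguration).Type

    if ($null -eq $teredoPolicy) {
        $findings.Add('Teredo policy value absent: Not Configured or "Disabled" in the editor; local host settings apply.')
    } elseif ($teredoPolicy -ne 'Disabled') {
        $findings.Add("Teredo policy present but set to '$teredoPolicy', not 'Disabled'.")
    }
    if ($teredoEffective -ne 'Disabled') {
        $findings.Add("Effective Teredo type is '$teredoEffective'; Teredo tunnelling is still possible.")
    }

    $telemetryPolicy = Get-PolicyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection' 'AllowTelemetry'
    if ($null -eq $telemetryPolicy) {
        $findings.Add('AllowTelemetry policy is Not Configured.')
    } elseif ($telemetryPolicy -ne 0) {
        $findings.Add("AllowTelemetry is $telemetryPolicy; 0 (Security) is honoured only on Enterprise, Education and IoT SKUs.")
    }

    [pscustomobject]@{
        TeredoPolicy    = $teredoPolicy
        TeredoEffective = $teredoEffective
        AllowTelemetry  = $telemetryPolicy
        Findings        = $findings.ToArray()
    }
}

function Get-OutboundConnectionOwner {
    # Established TCP connections with the owning process name, the quickest way
    # to attribute an unexpected remote peer to a service host or application.
    # svchost.exe will only show as "svchost"; use `tasklist /svc` on the PID to
    # see which services it hosts.
    $procs = @{}
    Get-Process | ForEach-Object { $procs[$_.Id] = $_.ProcessName }
    Get-NetTCPConnection -State Established |
        Where-Object { $_.RemoteAddress -notmatch '^(127\.|::1$)' } |
        Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess,
            @{ n = 'Process'; e = { $procs[[int]$_.OwningProcess] } } |
        Sort-Object RemoteAddress
}

Test-TeredoAndTelemetryPolicy | Format-List
Get-OutboundConnectionOwner   | Format-Table -AutoSize
```

Run it once, then `gpupdate /force` and run it again: a policy refresh or a feature update can rewrite these values silently, which is the "changes that get undone by updates" complaint further down the thread, and a diff of the two runs is the evidence to bring to that argument.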
Most of his configuration is invalid, due to his misconfiguration of group policy.
Yeah, it's his fault that he didn't properly navigate the Kafkaesque nightmare that Microsoft has created in order to thwart people from disabling all this spyware.
Some of the GPO settings make me feel like I'm reading a contract written by a lawyer out to get me.
I don't have any concrete examples, but I swear I've stumbled across settings like this <not a real setting, just an example, probably exaggerated>:
Setting - Disable Windows Error Reports.
Description: Disable the submission of error reports
Options:
Unconfigured - Use client settings.
Disable - Send only minimal information in error reports.
No - Do not send any error reports.
Yes - automatically send full error reports.
So when you Enable the "disable windows security reports" option, it Enables sending of the security reports, and when you "Disable" the option, it still sends reports.
Many of them are extremely confusingly worded like this. It takes several reads to figure out which option actually disables it.
> pretty shoddy security researcher that doesn't read the documentation
What an unnecessary insult. If you can read the incredibly confusing Microsoft documentation better than him (or any of us), then please post the definitive step-by-step instructions for turning off all telemetry and privacy-invasive connections in Windows 10.
So, I search for "teredo group policy" and here's the second link I find, a TechNet article with detailed screenshots about how to disable IPv6 via Group Policy, which is one of the things he talks about:
That's 1 item[ * ]. I'd still like to see your definitive step-by-step instructions for turning off all telemetry and privacy-invasive connections in Windows 10 -- which is what the OP was attempting to do.
[ * ] How do you know that it even works? Plenty of times I've followed instructions from Microsoft's TechNet that didn't solve the problem it purported to solve.
And by the way, that's a helluva lot of steps to disable IPv6. Multiply that by a hundred other things you need to do, and probably a hundred you don't know about, and changes that get undone by updates, and you have a nightmare trying to create a privacy-respecting Windows 10.
IPv6 isn't even part of telemetry per se, it's an IETF standard that can be used to connect with any server that supports it. Yes, some OS-level services require IPv6. Shutting off IPv6 as a way of disabling those services is like... using leeches for bloodletting but for IT practices. If you want to disable telemetry and you're on a supported Windows SKU for Group Policy, here's Microsoft's directions on what you can configure:
It all started with a pretty casual tweet, can we stop crucifying the guy?
No matter your opinion about the subject at least we are talking about it now and from what I can tell he's going to make a more reproducible test with a script so we can all tear it to pieces.
If not, I hope someone else does it. Even better if it's somebody with the proper credentials some of you all are requiring (from a freaking tweet).
There's a difference between "testing things on a reasonable reproduction of real-world systems" and "claiming Windows doesn't work correctly because you don't read the documentation."
It's a huge bummer that the (wildly implausible) results he got didn't discourage him from spreading them widely. He later said they were 'unexpected' and he was working on verifying them from scratch reproducibly, but that comes only after misinformation about telemetry is spreading around the web. :(
I actually didn't spread them widely, I tweeted them. If you follow me you would know I tweet things like that all the time. I observed these connections and showed the settings I have set that should have prevented them.
I haven't published results anywhere and many people, including in the comments here, have corroborated what I saw.
The results are the results. I am re-verifying before I publish anything on this and to provide a script so that others can reproduce the results. That certainly does not make it wildly implausible.
That's surprising. I would expect the Enterprise edition to perform as advertised. It's a major revenue source and this violates all kinds of security policies.
I find the author's point about people using third-party programs to stop Windows spying, and potentially impairing their security, very telling. He's absolutely correct.
I use programs called Shutup10 and WinAero Tweaker to stop the telemetry myself, and both of these programs have settings that would potentially impair your security, primarily by stopping Windows Updates entirely.
So the real question is this-- is this debacle the consumer's fault or Microsoft's? I know which side I'm on.
Frankly, “settings” in an OS don’t fill me with any more confidence than “settings” on Facebook: software has bugs, and other reasons for not working as advertised. A toggle switch coded with the best of intentions may still not be consulted everywhere that it should, and even software that is correct today can be wrong in 3 months when somebody important quits or a feature is added and nobody thought to check the setting for that new feature.
If this is important to you, demand more open and peer-reviewed source code, and demand that things run behind carefully-controlled walls like sandboxes and limited host files. Don’t just run your organization by trusting one software vendor.
Every few weeks Microsoft validates my decision to move my (declining) use of Windows entirely into VMs.
If gaming is the problem, you can run Windows in a VM at 97% native speed with GFX passthrough. I've been doing this for almost 2 years now without any problems.
It doesn't help that Nvidia's drivers intentionally stop working when they detect a consumer card functioning through VT-D in a virtualized environment.
Scary indeed. I've noticed that a Windows 10 'Pro' VM I have at times seems to reset or change privacy / security settings. At first I blamed myself for doing something silly without realising it affected these settings, or for installing some software that changed them (which is a little scary in itself), but then I realised it was after Windows Update had run: every few months privacy or security behaviour would change.
This is a little chilling. As a home user on Win7, I've avoided Win10, but thought I'd eventually upgrade, just to enjoy newer hardware. I'd thought I could just invest in Enterprise, about $100 these days, and be able to control the more intrusive aspects.
Guess not.
On a semi-related note, I'm using uMatrix, and it never ceases to amaze me how promiscuous every single web site is these days. It's not just in Soviet Russia. You don't use the internet. The internet uses you.
I always use Linux as my preferred OS and a "Just Works" OS like macOS or Windows.
I run Linux as a dual-boot and I run it in a VM from Windows/mac.
It's frustrating because Apple has fallen far behind on hardware I want. I need 3840x2160, a touchscreen, a card reader, both USB 3.0 and 3.1, 16GB of RAM, and full-size HDMI. They've jumped too far ahead into their 'revolutionary' view of the future. I can find better hardware for much cheaper. Dell XPS 13, HP Envy 2-in-1, Toshiba Radius 12... the build quality on the Toshiba is pretty bad, but it out-performs a would-be Macbook. I'm not spending 2 -fucking- thousand dollars for sub-standard hardware simply because I like the OS better than Windows. Apple spies on its users, but at least when you turn it off it's actually off.
I can't continue using Windows because it's clearly hostile to users, and I can't go with Apple because the hardware sucks.
Linux requires so much involvement to keep it running "well".
We just need a billionaire benevolent dictator to fund a distribution of Linux and relevant programs that turns it into something stable and user friendly.
Not intended, but I do think Ubuntu was a missed opportunity by trying to innovate instead of focusing on stability, familiarity, and user-friendliness.
The "Year of the Linux Desktop" has been a running joke for a long time, but perhaps it's no longer a joke. Not wanting to lose control as far as updates and privacy is concerned, I switched to Linux when Windows 10 came out.
Running Debian Testing with Gnome has been a joy. In my opinion the user experience is easier and better than that of Windows 7 or 8. Office staff could quite easily be trained to click on the Start key or the drop-down Activities menu or move the mouse to the top-left corner to start a program. Office software is quite good. Program-switching keyboard combinations are excellent. The Evolution mail client is very good. Browser software is the same as on Windows or a Mac. Problems with bad fonts, poorly designed UI, lacking drivers etc. are things of the past (with the notable exception of very new hardware).
This may not be possible due to the necessity of using specific proprietary programs that run only on Windows, for example. On the other hand, the level of tech support required is perhaps not significantly greater than what is necessary for installing and maintaining Windows on a bunch of machines.
On the plus side, everything is very fast, tasks like backing up files or systems are simple with GUI or terminal interface, and if you want to learn iptables and set up that router/firewall you can do that too. Everything you learn is an investment instead of an annoyance. Nobody is going through your company or personal files to serve you ads.
There's no reason any more, besides defaults and inertia, why Linux should have 2% desktop market share instead of 10% of somewhat technical people or even 20 or 30% of the general population.
The connections in the first screenshot[0] aren't necessarily from Microsoft. This screenshot shows a DNS lookup for google-analytics.com followed by an attempt to use Teredo. If Chrome is installed then this could be from the Google Update service. It seems unlikely that Microsoft would send usage information to a Google site.
I saw that tweet but I still doubt that any Windows 10 service would connect to analytics.google.com. It seems more likely that he has a Google application installed.
Doesn't have to be a user-installed Google app. Google Analytics use is ubiquitous for mobile and web apps; it could easily be something Microsoft bundled into their OS, like for example Candy Crush (not implying that's the culprit), or something that carries over that pervasive track-every-click-and-mousemove type mentality.
Wouldn't it be better to log that traffic from outside of the client? There's nothing that prevents Windows/Process Monitor from hiding this traffic from an application.
Has anyone done an analysis of MacOS and Chrome OS using similar methodologies? I would be curious as to the extent of the information being sent back to each of the "Mother Ships" in a side by side comparison, if that's even possible.
Little Snitch is a popular bit of software on the Mac, and pretty much everyone who uses that goes through the first week of googling "so what's this weird background process do?"
This might actually be a pretty huge opportunity for a company which can hand hold the transitioning from Windows to Linux in an enterprise. After all, if the new Windows OS is provably non-compliant, shouldn't the enterprise customers be very willing to investigate this option? Are there already companies which do this?
I read that Windows 10 uses peer-to-peer file sharing with any other Windows hosts it locates on the same network.
This way each Windows computer does not have to connect to Microsoft to download, e.g., the Windows 10 "upgrade". It seems like this could also be used to evade attempts by users to block such downloads by blocking Microsoft IP addresses.
Windows 10 could propagate itself through a network of Windows computers, like a ...
Seriously, how does this work in practice?
Windows 10 does peer-to-peer file sharing automatically without requiring any user interaction?
Yes, this is called "delivery optimization" and it's on by default. By default, Windows Enterprise/Education only pull updates from Microsoft and the local domain, while Windows Home/Pro will also pull updates from other peers on the internet.
You can turn it off, or disable pulling from internet peers, but given the OP, who knows if MS actually respects that setting? I guess we have to roll the dice now.
Yes, but you needed to configure that. This comes enabled by default. And on Windows Home/Pro, it downloads updates from third-parties on the internet too.
Any reason why you believe it would respect those rules? Note the one example where a rule was dynamically added to the firewall in the tweets listed here.
I was deeply tempted to setup a Windows 10 Enterprise machine at work, then have my OpenBSD firewall add any IP the W10 machines tries to get to a block list.
Comes in several formats: hosts, firewall, openwrt, dnscrypt. You can choose telemetry, update and extra. Has IP rules as well as DNS rules.
I am actually thinking of writing a modular openwrt luci plugin to make it easy to add to your router, as it is only effective on the router level, as others have mentioned here.
It's updated regularly, tested and one of the best lists out there; a clean copy and paste into firewall rules works and there is nothing to install.
Happy user. MS probably really dislikes this because they are adding new domains serving the same function almost every update.
I run Windows in a Parallels VM on my Mac. This VM needs to, on occasion, connect to the Internet. Is there any way I can, from the outside and without needing to trust Windows, enforce a whitelist of what the VM is and isn't allowed to connect to?
I can't speak for Parallels, but for VMware Fusion in NAT mode all connections are made via the vmware-natd process which can be filtered by tools such as Little Snitch.
Under KVM the guest has a bridge adapter that you can set rules for on the host OS. So you can mark, log and all that other fun stuff, like routing all DNS queries from the guest to a logging cache DNS running on the host, blocking ports, and having full control of egress.
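The two replies above describe enforcing the whitelist on the host rather than inside the guest, and an earlier comment made the related point that the traffic should be logged from outside the client. The following is an added example of that pattern, not code from this thread: it parses a small allowlist, renders an nftables ruleset that default-denies everything the VM sends through the host, forces DNS to the host's logging resolver, and logs every dropped attempt so you can see what the guest tried to reach. The bridge name `br-vm0`, the resolver address `192.0.2.1`, the allowlist format and the sample entries are all assumptions I made for the example; it assumes a Linux host that routes (or NATs) the guest's packets, as a libvirt-style network does, so that the `forward` hook sees them.

```python
"""Host-side egress allowlist for a VM: render an nftables ruleset and
evaluate candidate flows against the same policy.

Added example, not code from the thread. Bridge name, resolver address and
the 'CIDR proto port' allowlist format are assumptions for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Constructed sample allowlist (documentation address ranges, not real hosts).
ALLOWLIST = """
# CIDR            proto  port
203.0.113.0/24    tcp    443    # update mirror the guest may reach
198.51.100.10/32  tcp    3128   # internal proxy
"""

BRIDGE = "br-vm0"        # hypothetical guest-facing interface on the host
RESOLVER = "192.0.2.1"   # hypothetical logging resolver on the host


@dataclass(frozen=True)
class Allow:
    net: ipaddress.IPv4Network
    proto: str   # "tcp" or "udp"
    port: int


def parse_allowlist(text):
    """Parse 'CIDR proto port' lines; '#' starts a comment. Bad lines raise."""
    rules = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"line {n}: expected 'CIDR proto port'")
        net, proto, port = parts
        proto = proto.lower()
        if proto not in ("tcp", "udp"):
            raise ValueError(f"line {n}: protocol must be tcp or udp")
        port = int(port)
        if not 1 <= port <= 65535:
            raise ValueError(f"line {n}: port {port} out of range")
        rules.append(Allow(ipaddress.IPv4Network(net, strict=False), proto, port))
    return rules


def nft_ruleset(rules, bridge=BRIDGE, resolver=RESOLVER):
    """Render the policy as an nftables ruleset.

    Order matters: established traffic first, then DNS only to the host
    resolver (any other DNS is logged and dropped, so the guest cannot use
    an outside resolver to sidestep the host's logging), then the allowlist,
    then a logged default drop so blocked attempts show up in the host log.
    """
    lines = [
        "table inet vmegress {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy accept;",
        f'    iifname "{bridge}" jump vm_egress',
        "  }",
        "  chain vm_egress {",
        "    ct state established,related accept",
        f"    ip daddr {resolver} udp dport 53 accept",
        f"    ip daddr {resolver} tcp dport 53 accept",
        '    udp dport 53 log prefix "vm-dns-bypass: " drop',
        '    tcp dport 53 log prefix "vm-dns-bypass: " drop',
    ]
    for r in rules:
        lines.append(f"    ip daddr {r.net} {r.proto} dport {r.port} accept")
    lines += [
        '    log prefix "vm-egress-drop: " drop',
        "  }",
        "}",
    ]
    return "\n".join(lines) + "\n"


def is_allowed(rules, dst, proto, port, resolver=RESOLVER):
    """Decide one outbound flow the way the ruleset above would."""
    addr = ipaddress.IPv4Address(dst)
    if port == 53:                       # DNS is only ever allowed to the host
        return str(addr) == resolver
    return any(addr in r.net and r.proto == proto and r.port == port
               for r in rules)


if __name__ == "__main__":
    # Print the ruleset; load with `nft -f` on the host after review.
    print(nft_ruleset(parse_allowlist(ALLOWLIST)))
```

Everything the guest is not allowed to reach produces a `vm-egress-drop:` line in the host's kernel log, which is exactly the outside-the-client record that Process Monitor inside the VM cannot be trusted to give you. Widening the allowlist is then a deliberate, reviewed change on the host rather than a setting the guest can flip.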
Outside, /etc/hosts; inside, redirect to 0.0.0.0 in c:\Windows\System32\Drivers\etc\hosts, assuming it is being respected. But how to find the list? It is very difficult, I think, as it can be changed by the Redmond C&C server at no notice.
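The blocklist comment above says the same list ships in hosts, firewall, openwrt and dnscrypt formats, and this comment asks about maintaining the redirect list on both sides of the VM boundary. As an added example (not code from this thread or from any published blocklist), here is a converter that takes a hosts-format list, validates and de-duplicates it, and emits it for a Windows hosts file, for dnsmasq and for unbound, plus a coverage check that shows why the DNS-resolver formats are stronger than the hosts file: the hosts file only matches exact names, while `address=/domain/0.0.0.0` in dnsmasq also covers every subdomain, so a newly added host under an already-blocked domain is still caught. The domains in the sample are constructed placeholders under example.net, not real telemetry hosts.

```python
"""Convert a hosts-format blocklist into other enforcement formats and check
which names each format would actually cover.

Added example, not code from the thread. SAMPLE_HOSTS is constructed; the
example.net names stand in for whatever domains a real list contains.
"""
import re

# One hostname, lowercase, at least two labels, each label 1..63 chars.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$"
)
SINK_ADDRS = {"0.0.0.0", "::"}   # addresses a hosts-format list uses to sink a name

SAMPLE_HOSTS = """\
# constructed sample list, hosts format
0.0.0.0 telemetry.example.net
0.0.0.0 vortex.example.net        # trailing comment is fine
127.0.0.1 localhost               # not a sink entry: ignored
0.0.0.0 update.example.net
0.0.0.0 telemetry.example.net     # duplicate: collapsed
0.0.0.0 not a host name!          # malformed: ignored
"""


def parse_hosts_blocklist(text):
    """Return (sorted unique blocked domains, [(line_no, reason), ...] ignored)."""
    blocked, ignored = set(), []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2:
            ignored.append((n, "expected '<sink-address> <hostname>'"))
            continue
        addr, name = parts[0], parts[1].lower().rstrip(".")
        if addr not in SINK_ADDRS:
            ignored.append((n, f"{addr} is not a sink address"))
            continue
        if not HOSTNAME_RE.match(name):
            ignored.append((n, f"invalid hostname {name!r}"))
            continue
        blocked.add(name)
    return sorted(blocked), ignored


def to_windows_hosts(domains):
    """Windows hosts file entries (CRLF). Exact-name matches only."""
    return "".join(f"0.0.0.0 {d}\r\n" for d in domains)


def to_dnsmasq(domains):
    """dnsmasq: address=/d/0.0.0.0 answers d and every name below it."""
    return "".join(f"address=/{d}/0.0.0.0\n" for d in domains)


def to_unbound(domains):
    """unbound: always_nxdomain for the zone, which also covers subdomains."""
    return "".join(f'local-zone: "{d}" always_nxdomain\n' for d in domains)


def is_blocked(domains, name, subdomains=True):
    """Would `name` be sunk? subdomains=True models the resolver formats,
    subdomains=False models the exact-match hosts file."""
    blocked = set(domains)
    name = name.lower().rstrip(".")
    if name in blocked:
        return True
    if not subdomains:
        return False
    labels = name.split(".")
    return any(".".join(labels[i:]) in blocked for i in range(1, len(labels)))


if __name__ == "__main__":
    doms, skipped = parse_hosts_blocklist(SAMPLE_HOSTS)
    for n, why in skipped:
        print(f"ignored line {n}: {why}")
    print(to_dnsmasq(doms))
```

Feeding the resolver-format output to a DNS cache on the router or VM host (the logging-cache setup mentioned a few comments up) also gives you a query log, so you learn about new names the moment the guest asks for them instead of waiting for the list maintainer. It does nothing for clients that contact hard-coded IP addresses without a lookup; those need the firewall formats.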
Frankly, I am fed up trying to block the "phone-home" connections between our PCs and Microsoft and we're still only using Windows 7. There is absolutely no way we would ever use Windows 10 unless we could guarantee that we could totally sever all such connections permanently and not have to worry about them again.
Moreover, for some years now we have considered our Windows operating systems as 'hostile' privacy-busting code on our PCs and if there was some easy way we could get rid of them then we would do so in an instant (please don't come at me with the Linux bumph/argument because in many instances it's not a possible option).
This really is tiresome, why can't we just buy Windows/Microsoft busting routers that have a big red button on them that says: "Stop all Phone-home to Microsoft" or alternatively ones that have easily updatable blocking lists/text files that we can easily administer/download to them?
This ought to be an easy no-brainer but it isn't! Why is it that router manufacturers, etc. aren't falling all over themselves to provide such devices? I'm amazed that they're not; one would think there'd be dozens of them available by now. Are manufacturers that timid and afraid of Microsoft that they're not game to make them?
Furthermore, it is not only a Microsoft Windows O/S problem, as these days just about all software talks home without seeking the user's permission to do so beforehand, and none of them tell you exactly what information is being transmitted home. It seems to me that we users will never solve this "talk home" problem until we have easy-to-use gateways that are external to our PCs, phones etc. that automatically block all "phone-home" addresses.
BTW, anyone thinking of developing such a device needs to keep in mind that for years Microsoft has hard-coded within Windows certain IP addresses that bypass the hosts file irrespective of how it is set, so that it is impossible to block Windows completely from talking home. Thus, there is no other option than to block these addresses by means that are external to the PC/device!
A final point: Microsoft could claim that as it has provided the upgrade to Windows 10 free and that entitles it to sap the private life info out of its users. I would counter that by saying that if alternatively I actually buy/pay for the operating system then I'm entitled to have complete control over it—and that means no talkback to Microsoft by the OS.
Of course, none of this would be a problem now if the Microsoft monopoly had been busted years ago (i.e. if our fearful democracies had been game enough to use already existing law to thwart the monopoly early on).
That is quite a stupid argument which you seem to just rephrase without having thought about it, as you could as well say that healthy eating takes some more time and consideration than running to the next fast food burger, thus you can only eat healthy if your time is worthless. Or how about developing new energy sources if we can just burn all the oil much easier? Sometimes some efforts have to be made to have nice things. See how dumb this 'Only if your time is worthless' sounds now?
Linux has evolved a lot. Some years ago it was very likely for you to have to recompile the kernel to get your box running... I haven't been in that scenario lately (using Ubuntu).
Then, some distros/desktop environments are even friendlier than Windows itself. elementary OS for instance, is very minimalistic and simple.
Ignoring people who need to control what leaves their systems for legal reasons I always find it odd how much the hardcore Windows users freak out over stuff like this.
I mean you trust your entire digital life to this OS yet the idea of analytics being sent back to the people who made the OS terrifies you? They also seem to freak out and declare certain versions near unusable when I've recently started using Win 10 after not using Windows since Win 2K and honestly it's 90% the same thing to me.
Also interested as to how many people freaking out over telemetry use Google software.
I actually like this. Fuck the enterprises who degrade the experience for their users. Disable this disable that. Install shit like McAfee. They just need an excuse for their existence. And the users are the ones to suffer, and the company loses precious productivity without knowing it.
I know companies that will pre-install McAfee on the brand-new MacBooks they give out to employees! It's insane. Microsoft should just say, if you want to use our OS, stop fucking with it.