Windows 10 - Deeper Impressions

[dencorso]

BTW... is it impossible to get IE11 to use Flash 20.0.0.267 ???

Never had IE11 before, but I'm just now configuring a machine that has it in (it's on Win 8.1 SL (ENU)).

[bpalone]

Bit OT, but carries with theme of a lot of the discussion.

 

It isn't just Microsoft, the Linux community seems to be losing its way as well.  I had reason to NEED Adobe Acrobat Reader 9 and found a version for Linux from the good folks at Adobe.  Talk about an ill behaved program, it totally took over ALL PDF activity and did not respect browser settings. That to me is really BAD MANNERS.  It does appear that it uninstalled in entirety.  But, I still wonder with its behavior.

 

The flat interfaces has also shown up many of the desktops.  The good thing about the penguin is that it is a piece of cake to install a different desktop.  The kids/youth are now making the decisions and a large number of them are not good.  I can't understand why they have failed to learn from history, they are he!! bent on repeating the same mistakes that were made in the past.

 

I'll return you to your normally scheduled programming now.

[NoelC]

 

Noel, you've said a couple of times that IE has the best or one of the best security models. Could you elaborate on that?

 

What I like most is the ability to configure dozens and dozens of settings based on zone (e.g., Internet zone, Trusted Sites zone, etc.) means that you can shut off the basic ability of the browser to run dangerous things in the Internet zone (i.e., any web site you happen to visit that's not in your Trusted Sites list), while still maintaining the automatic ability to run ActiveX (should you need to do so) in the Trusted Sites zone.  So if your bank, for example, were to require an ActiveX be run in order to be able to complete a transaction, you could simply add their server (or domain using *.thebanksdomain.com) to your Trusted Sites list.  You can also limit what scripts can do by zone. 

 

In practice, because only IE runs ActiveX, very few sites actually require it, so the Trusted Sites list can be virtually empty.

 

Like I said, there are dozens and dozens of settings.  The TL;DR of it is that you can set things up to be just capable enough (e.g., allow active scripting, but limited) so that you can do most everything online in the Internet Zone, but still be quite well protected from basic things, like programs running in iFrames.

 

I also choose to run IE with just which add-ons I choose - which is a very small list.  The list is directly manageable, as is the list of search providers, translation services providers, etc.  Quite probably Microsoft finds it difficult to support all this configurable functionality, which is why they're trying to foist Edge on hapless users.

 

What I *DON'T* care to use is Microsoft's "SmartScreen Filter", which isn't really necessary if one has taken other measures to blacklist badware sites.  That's okay, that's de-configurable.  I also don't choose to use UAC, which is much less a problem if ActiveX is simply blocked by settings.

 

I guess what I'm saying is that I've been all through the IE settings, and they fit nicely in my overall strategy.  And it must work - I get a very responsive browsing experience and have never gotten a malware infection.

 

-Noel

[JorgeA]

BTW... is it impossible to get IE11 to use Flash 20.0.0.267 ???

Never had IE11 before, but I'm just now configuring a machine that has it in (it's on Win 8.1 SL (ENU)).

 

IR11 (and 10, IIRC) have incorporated Adobe Flash into the browser, such that they're automatically updated and you're no longer in charge of making sure you're on the latest version.

 

Their updating seems to run on its own mysterious schedule; for example, IE11 on my Win10 test machine is still on Flash version 228, and since then there have been at least two newer versions, 235 and now 267. So much for the vaunted protection of the paternalistic "you stay out of the way, we'll do it for you" model of software updating.

 

As we've noted so many times before, those who give up liberty for security, end up with neither.

 

--JorgeA

[JorgeA]

The flat interfaces has also shown up many of the desktops.  The good thing about the penguin is that it is a piece of cake to install a different desktop.  The kids/youth are now making the decisions and a large number of them are not good.  I can't understand why they have failed to learn from history, they are he!! bent on repeating the same mistakes that were made in the past.

 

As the philosopher's observation goes, "Those who cannot remember the past are condemned to repeat it."

 

Speaking of Linux desktops, when I find one that looks like Vista or Longhorn, that'll pull me faster to the penguin. One thing that's been holding me back is how grainy and unpolished a lot of these Linux desktops still look, compared to what Microsoft was putting out ten years ago.

 

--JorgeA

[JorgeA]

 

 

Noel, you've said a couple of times that IE has the best or one of the best security models. Could you elaborate on that?

 

What I like most is the ability to configure dozens and dozens of settings based on zone (e.g., Internet zone, Trusted Sites zone, etc.) means that you can shut off the basic ability of the browser to run dangerous things in the Internet zone (i.e., any web site you happen to visit that's not in your Trusted Sites list), while still maintaining the automatic ability to run ActiveX (should you need to do so) in the Trusted Sites zone.  So if your bank, for example, were to require an ActiveX be run in order to be able to complete a transaction, you could simply add their server (or domain using *.thebanksdomain.com) to your Trusted Sites list.  You can also limit what scripts can do by zone. 

 

In practice, because only IE runs ActiveX, very few sites actually require it, so the Trusted Sites list can be virtually empty.

 

Like I said, there are dozens and dozens of settings.  The TL;DR of it is that you can set things up to be just capable enough (e.g., allow active scripting, but limited) so that you can do most everything online in the Internet Zone, but still be quite well protected from basic things, like programs running in iFrames.

 

I also choose to run IE with just which add-ons I choose - which is a very small list.  The list is directly manageable, as is the list of search providers, translation services providers, etc.  Quite probably Microsoft finds it difficult to support all this configurable functionality, which is why they're trying to foist Edge on hapless users.

 

What I *DON'T* care to use is Microsoft's "SmartScreen Filter", which isn't really necessary if one has taken other measures to blacklist badware sites.  That's okay, that's de-configurable.  I also don't choose to use UAC, which is much less a problem if ActiveX is simply blocked by settings.

 

I guess what I'm saying is that I've been all through the IE settings, and they fit nicely in my overall strategy.  And it must work - I get a very responsive browsing experience and have never gotten a malware infection.

 

-Noel

 

 

Thanks for the rundown, this jibes with my own view of it (at a much lower level of sophistication ). It does seem to be possible to tune your settings more finely in IE than in (say) FF.

 

One feature that I particularly like is the ability to put websites on a Restricted Sites list. In my research I visit a lot of news sites, and some of them have the extremely annoying habit of refreshing themselves every few minutes, which is a PITA if you're trying to make your way down the text or the headlines and then all of a sudden you're sent back to the top and things are slightly different, so that you have to find your way back and by the time you get there, the page refreshes yet again. Aaaaarrrrggghhhhh!!!!!!!!

 

Chrome and Firefox don't seem to have this capability. I doubt that Edge does.

 

--JorgeA

[JorgeA]

One more anti-spying Windows 10 tool:

 

W10Privacy is a smarter Windows 10 telemetry blocker

 

However, based on NoelC's research, I'm skeptical of the effectiveness of this tool's use of the Windows firewall and hosts file to do much of its work:

 

W10Privacy gives you quite fine control over some areas. There’s not just a vague "block telemetry" option: instead you can choose to "block IP addresses of known Microsoft telemetry servers" through either a firewall rule or your HOSTS file, in both full-strength and lightweight versions.

 

--JorgeA

[TELVM]

Recently Bought a Windows Computer? Microsoft Probably Has Your Encryption Key

[NoelC]

W10Privacy seems like a good tool, as is O&O ShutUp10, but they aren't end-all solutions.  They get you a lot of the way there, and you may find it's better to use them (both) than not to use them at all.

 

I have used them both to achieve a much quieter system, but there are tweaks still needed after, especially if you prefer to run a non-standard configuration without any trace of the store or Cortana.  I have found there are still some communications that Win 10 attempts, occasionally.  Just in the last 5 minutes (right after bootup) I see that it tried http connections with 23.14.84.17 and 23.14.84.27.

 

I didn't use W10Privacy before the 10586 "upgrade" (because I didn't know about it), and observed that O&O ShutUp10 had many of its settings reverted when the installation dust had settled (I posted screenshots around here somewhere).  THEN, after that, I found more settings to change to be "more private" with W10Privacy.  I haven't done a rigorous study to see where and how much they overlap, but again, it seems like W10Privacy is a good tool to have around.  If nothing else, looking at the settings it provides makes you think.  W10Privacy also goes a bit beyond privacy issues and gets into "tweaks" - e.g., what icons to show on the desktop, removing shortcut arrows, scheduled task maintenance, uninstallation of Apps, etc.  I don't know how effective the uninstallation of the System-Apps is, as I already had them all out before trying the tool.

 

As I use a 3rd party firewall, I have left alone all the Windows Firewall settings W10Privacy provides (i.e. the Telemetry and Firewall sections).

 

In the W10Privacy version I tested (1.8.0.2), I didn't find evidence of malware or spyware.

 

There doesn't seem any harm in trying it to see what settings it offers, and FYI, if you try it, know that it can take quite a long time (tens of seconds) to start.  It's not stuck; be patient.  I watched Process Hacker while it was doing so and behind the scenes it apparently runs a lot of system commands (e.g., DISM) to gather information.  I don't advocate checking every box.  Read each one and understand what it does first.

 

-Noel

Edited December 29, 2015 by NoelC

[Tripredacus]

Recently Bought a Windows Computer? Microsoft Probably Has Your Encryption Key

And also there is no way to know if the keys are deleted from your account, rather it doesn't show up when you log in. Think of it this way, when we delete a post on the forum, it doesn't go away. You can't see it, it doesn't show up in your history (except the increased post count) but it isn't deleted. Its still in there. I would be surprised if said key was actually deleted out of a database (not counting backups) rather just de-linked from your account, or hidden from your view.

Here's an example of an account without any keys.

You don't have any BitLocker recovery keys in your Microsoft account.

Note: If someone else helped you set up your PC, the BitLocker keys you're looking for might be in their account.

I used my testing account which has been used to set up Windows 10 systems. I'm not entirely certain that Bitlocker is as automatic as they say.

[jaclaz]

Well, this:

https://www.cvedetails.com/vulnerability-list/vendor_id-53/product_id-6761/Adobe-Flash-Player.html

Total number of vulnerabilities : 673

 

 

does seem a bulletin of war , Flash is actually something I wouldn't have (updated or not) automatically running on my system when browsing ...

It is entirely possible that the "integrated" versions are somehow "safer", still I personally would not like them to be around.

 

jaclaz

[dencorso]

BTW... is it impossible to get IE11 to use Flash 20.0.0.267 ???

Never had IE11 before, but I'm just now configuring a machine that has it in (it's on Win 8.1 SL (ENU)).

 

IR11 (and 10, IIRC) have incorporated Adobe Flash into the browser, such that they're automatically updated and you're no longer in charge of making sure you're on the latest version.

 

Their updating seems to run on its own mysterious schedule; for example, IE11 on my Win10 test machine is still on Flash version 228, and since then there have been at least two newer versions, 235 and now 267. So much for the vaunted protection of the paternalistic "you stay out of the way, we'll do it for you" model of software updating.

 

As we've noted so many times before, those who give up liberty for security, end up with neither.

 

Sure.

Then again, there's some light at the end of the tunnel (which might just be another train, comming towards one, of course)!

 

KB3132372 was released today. It is Flash 20.0.0.267 for IE11. They actually even do it for you... just not fast enough!!!

[JorgeA]

As bad as we have it with Microsoft, things could be a lot worse:

 

North Korea's Red Star OS leaves the government in control of computers

 

North Korea’s Linux-based Red Star OS is as oppressive as you’d expect

 

Germany researchers from the security company ERNW have probed Red Star OS, examined the code and determined that it is a home grown operating system that leaves the government in control of many aspects of its use, including encryption. It has been suggested that North Korea is paranoid that the west will try to infiltrate through software, but it is North Korean citizens that should be more worried.

 

...So panicked is Pyongyang about Western influence and spying, that rather than embracing the internet as most of us know it, it instead relies on its own basic intranet to provide access to officially sanctioned websites.

 

The Red Star operating system makes it very hard for anyone to tamper with it. If a user makes any changes to core functions -- like trying to disable its antivirus checker or firewall -- the computer will display an error message, or reboot itself.

 

One of the more invasive and concerning feature of the operating system is the way in which it watermarks every file found on a computer and the drives connected to it. This makes it possible to trace files back to individual users -- something which the government uses to crack down on legal file sharing.

 

...It’s geared toward enabling and maintaining a total surveillance state, all while giving the illusion of technological progress to its citizens.

 

[...]

 

The researchers found that among Red Star 3.0’s capabilities, if you’d call them that, are watermarking different file types in order to track the distribution of documents and media files via USB stick, in a presumed effort to crack down on Western media creeping into the country.

 

--JorgeA

 

 

[JorgeA]

W10Privacy seems like a good tool, as is O&O ShutUp10, but they aren't end-all solutions.  They get you a lot of the way there, and you may find it's better to use them (both) than not to use them at all.

 

I have used them both to achieve a much quieter system, but there are tweaks still needed after, especially if you prefer to run a non-standard configuration without any trace of the store or Cortana.  I have found there are still some communications that Win 10 attempts, occasionally.  Just in the last 5 minutes (right after bootup) I see that it tried http connections with 23.14.84.17 and 23.14.84.27.

 

I didn't use W10Privacy before the 10586 "upgrade" (because I didn't know about it), and observed that O&O ShutUp10 had many of its settings reverted when the installation dust had settled (I posted screenshots around here somewhere).  THEN, after that, I found more settings to change to be "more private" with W10Privacy.  I haven't done a rigorous study to see where and how much they overlap, but again, it seems like W10Privacy is a good tool to have around.  If nothing else, looking at the settings it provides makes you think.  W10Privacy also goes a bit beyond privacy issues and gets into "tweaks" - e.g., what icons to show on the desktop, removing shortcut arrows, scheduled task maintenance, uninstallation of Apps, etc.  I don't know how effective the uninstallation of the System-Apps is, as I already had them all out before trying the tool.

 

As I use a 3rd party firewall, I have left alone all the Windows Firewall settings W10Privacy provides (i.e. the Telemetry and Firewall sections).

 

In the W10Privacy version I tested (1.8.0.2), I didn't find evidence of malware or spyware.

 

There doesn't seem any harm in trying it to see what settings it offers, and FYI, if you try it, know that it can take quite a long time (tens of seconds) to start.  It's not stuck; be patient.  I watched Process Hacker while it was doing so and behind the scenes it apparently runs a lot of system commands (e.g., DISM) to gather information.  I don't advocate checking every box.  Read each one and understand what it does first.

 

-Noel

 

Thanks for the tips, Noel.

 

I had wondered if it would be possible to run more than one of these Win10 privacy tools at the same time. Sounds like the answer is yes.

 

--JorgeA

[NoelC]

They don't really install or run continuously, so they won't really interfere with one another.  They're more like integrators of the many, many settings available under the covers.  No doubt there's some redundancy, but they're not particularly difficult to run.

 

-Noel