Windows 10 - Deeper Impressions


xper


16 hours ago, dencorso said:

And there is a sister NAG for plain vanilla 7 (viz. non-SP1) and 8.0, which was released as KB3163589, too!  :puke:

That has to be the most appropriate use of the "barf" smiley I've seen in a long time.

And Microsoft's actions, where they have co-opted their Windows Update foot-in-the-door for nefarious purposes, are a Very Good definition of "starting down the slippery slope".

17 hours ago, JorgeA said:

Woody Leonhard has emerged as the tech press's most comprehensive and reliable reporter on these tricks and shenanigans:

Woody Leonhard is a good guy with a decent audience who's still willing to tell it like it is in today's world.  Bravo!  Seeing that there are people like him still out there tells me there is some hope for the high tech world.

-Noel

Edited by NoelC


20 hours ago, dencorso said:

And there is a sister NAG for plain vanilla 7 (viz. non-SP1) and 8.0, which was released as KB3163589, too!  :puke:

Wow, they sure are desperate... I mean, Windows 8.0 and vanilla 7 are EOL. They shouldn't even receive more updates! M$ are really trying to get every last ounce of the market. Windows 8.0 only accounts for 1% of the market FFS!

I'm actually surprised Vista users haven't been nagged yet. Or better yet, XP users.


45 minutes ago, dencorso said:

BTW, does anyone here have any experience with Pi-Hole? Wouldn't it be interesting to block those meddlesome MS addresses? Your thoughts?

I've no experience with pi-hole, but blocking just "meddlesome MS addresses" is not likely to be as simple as you might hope.

A "deny outgoing connections by default" firewall is a good way to go.  In my case I'm using a 3rd party package (Sphinx) along with the disablement of the stock Windows Firewall.

Just for example, from my own wildcard DNS server list:

#
#  Special Microsoft addresses to block
#
*vortex.data.microsoft.com=0.0.0.0
*vortex-win.data.microsoft.com=0.0.0.0
*settings-win.data.microsoft.com=0.0.0.0
*vo.msecnd.net=0.0.0.0
*telemetry*microsoft*=0.0.0.0
a-*.a-msedge.net=0.0.0.0
*.bing.com
*.bing.net

There are others that you might want to block as well under some conditions, e.g.,

go.microsoft.com
www.microsoft.com
statsfe2.update.microsoft.com

I've found these must be allowed in order for a Windows Update to succeed:

ctldl.windowsupdate.com
sls.update.microsoft.com
sls.update.microsoft.com.akadns.net
fe2.update.microsoft.com
fe2.update.microsoft.com.akadns.net
ds.download.windowsupdate.com
au.ds.download.windowsupdate.com
fg.ds.download.windowsupdate.com
v4.download.windowsupdate.com
au.v4.download.windowsupdate.com
fg.v4.download.windowsupdate.com
fe2.ws.microsoft.com
download.windowsupdate.com

And there's a whole gaggle of security certificate management sites that the system in general needs to be able to contact, otherwise things tend to get sluggish...


I CAN tell you, because I've done it, that a balance can ultimately be struck that will allow you to initiate Windows Updates with only a small amount of system reconfiguration, yet keep the system unable to be altered by Microsoft when you're not looking. 

But then, after all that R&D, I've decided to just stop taking Windows Updates on older systems entirely.

-Noel
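The matching and precedence behind a wildcard list like the one in the post above, as an added example (not from the original post and not the behaviour of any particular DNS product). It assumes fnmatch-style wildcards, the sink address for entries written without `=address`, and block-before-allow ordering with deny by default; the sample lists are a constructed subset of the post's entries.

```python
from fnmatch import fnmatchcase

SINK = "0.0.0.0"

# Constructed sample in the post's "pattern=address" format.
BLOCK_LIST = """\
#
#  Special Microsoft addresses to block
#
*vortex.data.microsoft.com=0.0.0.0
*telemetry*microsoft*=0.0.0.0
a-*.a-msedge.net=0.0.0.0
*.bing.com
"""

# Constructed sample of names that must stay reachable.
ALLOW_LIST = """\
ctldl.windowsupdate.com
fe2.update.microsoft.com
crl[0-9].digicert.com
"""

def parse_rules(text):
    """Return [(pattern, address)], skipping comments and blank lines."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, sep, address = line.partition("=")
        # Assumption: an entry with no "=address" part uses the sink address.
        rules.append((pattern.strip().lower(), address.strip() if sep else SINK))
    return rules

def normalize(host):
    """DNS names are case-insensitive and may carry a trailing root dot."""
    return host.strip().rstrip(".").lower()

def decide(host, block_rules, allow_rules):
    """Block rules win, then allow rules; anything else is denied by default."""
    name = normalize(host)
    for pattern, address in block_rules:
        if fnmatchcase(name, pattern):
            return ("block", pattern, address)
    for pattern, _ in allow_rules:
        if fnmatchcase(name, pattern):
            return ("allow", pattern, None)
    return ("default-deny", None, None)

BLOCK = parse_rules(BLOCK_LIST)
ALLOW = parse_rules(ALLOW_LIST)
```

Note that `*.bing.com` does not cover the bare `bing.com`, and a broad pattern such as `*telemetry*microsoft*` matches any name containing both words, so a list like this needs testing against the names a system actually requests.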


IMHO, a Raspberry-Pi is a quite good place to locate an external firewall (and maybe a DNS, too), because it would be sitting between the provider and the router and run a non-MS OS, while protecting every device in a LAN, at the same time.


Well, I'm sure thinking of a collectively-maintained, but moderated, blacklist, accessible from the net as needed. But not exactly cloud-integrated. The clouds are the place for Little Wing, solely. And rain, maybe. But not for reliable data, of course! :D


Hm, could be very popular as a turnkey "plug it inline" product with a UI no more complex than, say, O&O ShutUp10 or similar and with at least the capability to be set up to automatically update from a central, managed source.  Market it as both a security-enhancing and performance increasing product - and that would be no lie because it would actually accomplish both.  Most folks don't realize how much extra crap is tacked onto their web communications.

Some possible names...

  • Chaff Blocker
  • Surf Cleaner
  • Web Sanitizer
  • Inline Online Ad Killer
  • Browser Filter

Probably the word "Secure" should be in there somewhere too.

-Noel


Decent.  Maybe "Supersonic Web Sanitizer".

Wow, I was just doing a little browsing.  Those little Raspberry Pi 2 devices are seriously powerful!

Name-based firewall management is the future, since so many things are today delivered by CDNs or banks of servers.

My Windows 10 test system has just completed at least a month without having tried to contact anyone online that I didn't know about and pre-approve.  The only thing it does on its own is update its virus database (and presumably engine).  Even without Windows Update running it'll do that.  I've set up to allow C:\program files\windows defender\mpcmdrun.exe to access its data sources.

I haven't had an AV or MBAM catch any potential infections for years.  A box like the one we're discussing here could really put a steel lid on the "unprecedented security" of Windows 10.

-Noel
