More about the interlocking GWX patches, KB 3035583 and 2952664

Topic

New Reply

I assume y’all have read Andrew Orlowski’s article at The Reg. Reader JIY did a little more sleuthing, and here’s what he found: After reading your li
[See the full post at: More about the interlocking GWX patches, KB 3035583 and 2952664]

Reply | Quote

Replies

Interesting find about the files and registry entries for patches which are not installed. I am wondering if this is normal WU behaviour for all scanned and not installed updates or some updates and we all know which ones are more special than others.

Reply | Quote

With all the upsets with Win 10 and the apparent dissatisfaction, why don’t more users, including Woody, simply switch over to Apple who appears to have no such issues and no security problems? A little money, a little learning time and all will apparently be well .. and secure!!

Reply | Quote

KB2952664 is still a mystery for me. From my list of M$ malware (notes to myself):

KB2952664—Installed itself on RH computer 12/1/15 even though not selected. Installed itself on RH computer in 3/3/16 update even though not checked.

Reply | Quote

I must say I am getting a bit fed up with all this obsessing about which patches to install on Win 7. I decided yesterday to install ALL outstanding patches including all the non security ones. I ran GWX control panel both before and after the updates and my computers (several of them) are still running perfectly with no Win 10 nagging. Maybe we all worry too much.

Reply | Quote

GWX Control Panel cuts out the Get Windows 10 ad campaign.

People are worrying about other things, including snooping. We’ve had no definitive word on it, but a lot of speculation.

Reply | Quote

John R wrote: “I am getting a bit fed up with all this obsessing about which patches to install on Win 7. I decided yesterday to install ALL outstanding patches including all the non security ones.”

That is what they want people to do. They are wearing folks down.
It takes a really stubborn person (and it takes so much precious time and attention) to keep track of all this silliness and stay on top of it.
They will probably wear most of us down eventually, or ‘break’ the few machines that are still holding out.

I don’t know why — I have no knowledge of it, haven’t tried it yet myself, and have only heard great things about it from all quarters — but I just fear relying on the third-party program GWX Control Panel to be my whole GWX security system. It’s by a third party, it’s free, it’s not guaranteed to be around for the long term, it’s surely a target for MS’ crafty teams who are trying to wrench the world into Windows 10 come he^^ or high water, and maybe somehow the very fact of having it installed could be a signal to them (MS) to come at a computer with all guns blazing, so to speak (I am just speculating wildly, obviously) [that is why I avoid using the VPN that I subscribe to for some things, would rather do some of my internet activity in the normal flow of my ISP’s traffic along with the vast herd — not that I do anything remotely shady, it’s just my internet banking and emails and whatever, but somehow I feel slightly less exposed as an individual when using the more common, less “secure” route].

I just hope I get a couple more years out of Win 7 and my computer.
I have no idea what I’ll do after that, because they will NOT get me to use Windows 10 and I know for a fact that Linux is not a good solution for *me* (I understand that it is a fine solution for many people).

The point in my life when I decided between Apple or MS was 27 or 28 years ago when my large university had the grand total of one Apple computer lab and one MS computer lab (about 20 computers in each lab) for the use of undergrad students of all majors (the Computer Science students had a private lab). Even though I think it was just DOS prompts and the glorious chunky clicky beige IBM keyboard with MS, and Apple had the windows and the mice and the fancy fonts and stuff, I chose MS then and never looked back. I have never even operated an iphone or ipad or anything. (I’m not a techie person, don’t really have much interest). I’m gonna be eligible for AARP by the time I am faced with the second fork in the road — about whether to invest a lot of money and learning-time in the Apple phenomenon just to have a bit of computing privacy, and I’m not looking forward to it.

Reply | Quote

Tom, while I am all in favour of using alternative products like MacOS, Linux, iOS, Chrome and I think Woody says somewhere that he uses alternative products too, this site is about Windows and Windows patching.

Reply | Quote

I think it is more or less of a mystery for a lot of us. I think it shifts between Optional at the release time for the particular version and Important on the Patch Tuesday like other patches chosen by Microsoft to behave in the same way.
I am still on the point of view that too much attention is paid to the potential negative effects of KB2952664 when it is documented and proved by now that the associated act KB3035583 and its settings are those that matter most.
It is interesting that Windows 7 Enterprise does get KB2952664 but not KB3035583 and does not experience the Windows 10 Upgrade push.
Also the Enterprise Management tool WSUS which acts like Windows Update offline does not offer KB3035583 but installs KB2952664 if approved by the WSUS Administrator. Again systems managed by WSUS which do not manually install KB3035583 do not have the Windows 10 Upgrade pushed as an advertisement.
I think it is the same approach in the design of GWX Control Panel plus some extras.
The idea is that it would be nice to have KB2952664 under control for certainty, but being such a big job to monitor it after each release and I think there are over 15 releases by now, it is really not practical to keep uninstalling it every time when it sneaks into our systems.
I accept that there may be other points of view different than mine about how to restrict various updates, I just presented here what I think is reasonable in terms of time spent vs outcome.

Reply | Quote

Just a quick note. The shift from Optional to Recommended is usually documented in the Windows Update master patch list, KB 894199.

The switch is noted by

Metadata has changed.
Binaries have not changed.
This update does not need to be reinstalled.

Reply | Quote

True, the site’s about Windows and Windows patching.

But I like to slip in a recommendation for the opposition from time to time.

Seriously, as you say, I’m a big believer in Android (phones and tablets), iOS (phones and tablets), and ChromeOS (which I recommend for anyone who doesn’t specifically need Windows). I even have, and use, a gorgeous MacBook Pro.

There are lots of good options out there. But this is a sanctuary that’s particularly devoted to exorcising the devils in Windows.

Reply | Quote

Josh Mayfield – who wrote GWX Control Panel – shares your concerns. There’s no telling what MS will do next. BUT

But Microsoft has documented the settings that tell the upgrading program to keep its hands off. The settings are in wide use by large companies – and Microsoft doesn’t want to tick off those companies. So I think we’re safe, at least for now.

(I still use a clunky keyboard, like the old IBM keyboards.)

When the time comes to lay out more money, you’re going to find that (1) powerful computers are cheaper than ever and (2) for most people, most of the time, ChromeOS works great. You lose your privacy, but gain quite a bit.

Reply | Quote

Re snooping – I have also disabled the Diagnostic Tracking Service and the CEIP options in Windows and Office. Anyway I don’t really care if Microsoft knows what I do on the computer, and on sensitive stuff I use a VPN for good measure.

Reply | Quote

“You lose your privacy, but gain quite a bit.”

Eh- did I just read that for sure, or am I still stoned?

Reply | Quote

HA! Yep, if you use the Chrome browser or ChromeOS, or Google Search, or Google Photos, Google keeps track of everything.

I’ve come to peace with that. Similarly, I’ve come to peace with the idea that Windows 10 in general, and Bing/Cortana in particular, have my data stored in Microsoft’s cloud.

In many respects, it’s the price you pay for the benefits you get. How could, say, Google Maps guide you to your destination if it doesn’t know where you are? How could Cortana tell you about your appointments if it doesn’t scan your mail? All of the individual data gathering activities are handled by separate privacy settings, but in general, I feel that the benefits I get outweigh the loss of privacy.

It’s not all that different from using a credit card (where the credit card company gets all of the data and credit reporting agencies get much of it), or an affiliation card at a grocery store. Or for using an ISP, for that matter, where the ISP can gather information about which sites you visit.

I know that’s a terrible admission. But it’s the truth.

Reply | Quote

I think that’s a good compromise. Password-protect sensitive information (I do that with various financial spreadsheets), and if the rest of it’s no big deal, then it’s no big deal.

I, too, use a VPN from time to time.

Reply | Quote

By the way… I should also add…

People who are going to move to Windows 10 – or buy a ChromeOS computer, or use the Chrome browser, buy an iPhone, or whatever – should be aware that the “snooping” times are changing. Information is being collected. Massive amounts. If they object to the snooping – and there are perfectly valid reasons why they may – then they should actively look for products and services that don’t snoop, or snoop less than current products.

I’m by no means an expert on the subject, but at a bear minimum that would mean Windows 7 or OS X, or Linux (each has its own strengths) and Firefox (or another non-snooping browser) and DuckDuckGo (or another non-snooping search engine).

Reply | Quote

Woody,
Your observations on the snooping are all on point and you suggests individuals need to make their own choices about what they will tolerate and accept. All good so far! However, I think what is missing is that transparency is required for individuals to make informed choices. As an example, if a person requires a surgical procedure, a physician/hospital will not proceed without the patient or responsible person executing an “informed consent” and the legal position which is operative is that the consent was sought and received in good faith. If the consent was secured by only “selectively disclosing” the risks and morbidity factors such that the patient did not have a reasonable basis to structure their decision, you have a problem. The informed part requires the information to be complete and accurate. The other thing that bothers me is how MS and others attempt to force people to “opt out” of default settings. This places people at a significant disadvantage and I would note that the FCC has just proposed a new rule requiring ISPs to seek “opt in” consents from customers allowing data collection on their internet traffic. Software companies have been getting away with far too much for too long and as they attempt to push their bits into other product venues such as “autonomous vehicles”, the rules of the road will need to be changed.

Reply | Quote

I agree. In fact, I expect the battle for both full warning upfront, and for the ability to edit after the fact, will be a major political push in the next decade.

Credit reporting agencies currently have to do that. (And they do it, poorly, but that’s another story.) The giant electronic storage repositories should have similar requirements.

Reply | Quote

Woody,

Thank you for your response.

I was nodding along until your last sentence, then I screamed silently!

To me, privacy is important. I think it’s important for everyone, for our “civilization”.

I try to stay away from googly things as much as possible.
On my computer, I block them every which way from Sunday as best as I can (with my limited knowledge) – firewall rules, a complex Peerblock setup of blocklists, etc.
To search, I use Ixquick and Startpage (which are soon to be just one search engine), which are only fair-to-middling at search (even though they use results from Yahoo and Google), and who knows if their claims at lilywhiteness are true, but they feel more private.
Because it was the least-worst (for my purposes) phone system I could find, I have an Android phone, but I have all but a handful of its apps and communications disabled to within an inch of its life (however, I’m not knowledgable enough to do the rooting thing, so I have to keep it somewhat beholden to google), which has been helped by its recent update to the latest iteration of their operation system, which lets one do a lot more configuration and pruning.
It sits around so much on airplane mode, no data, no wifi, no phone calls or texts, no calendar entries (ever), no cloud backup, no location service, that it complains that it’s an over-educated $280 calculator (though I don’t really use the calculator part either).
Yes, I choose to hobble the few technology devices that I have, losing out on some of the pizazz and convenience and amazing things they can do, but, in my view, that appears to be part of the price I have to pay to keep a modicum of my privacy, even if it’s probably a losing battle – I admit; and it breaks my heart for our society -, so I’m okay with the cost.

In other words, I probably wouldn’t wish to move from Windows to ChromeOS, but in a couple of years, as we all say, who knows how the technology/manufacturing landscape will have changed.

—
Ooh, I love the clicky keyboard that I’ve used for a couple of years — it’s a tenkeyless mechanical keyboard that’s so satisfying to type on.
When I decided that the typical keyboard these days is just a milquetoast, low-profile, squishy, badly-spaced mess (for me), I researched mechanical keyboards a couple of years ago, and because I was on something of a budget, I chose one that goes for about 90 dollars which is really comfortable, durable, spaced-well, and so forth. It is actually a “Razr” tenkeyless model, and I know that that brand is aimed at budget gamers, but the keyboard I got is really good. (I turn off all the snake-y logo and key backlights and things like that, mine’s just solid black.)
I wanted a tenkeyless because I wanted a smaller keyboard, with less of a distance for my right hand to go to my mouse, and to allow for more open space on my pull-out keyboard drawer. My typing speed and accuracy are better with it, too.

Reply | Quote

Razr’s a good brand! I bought a daskeyboard. Liked it so much, I bought a second one for my test machine.

I’m OK with folks who fight tooth ‘n’ nail for their privacy. I’m OK with the ones who aren’t particularly concerned. The main thing, IMHO, is that people know what they’re getting in to before they make the leap.

Reply | Quote

I looked into DuckDuckGo a couple of years ago, and in some mainstream online information, I read some disconcerting accounts of the founder’s past behavior regarding the privacy reassurances he had given and apparently had broken regarding his prior internet venture (which was one of the early social-networking sites). I wasn’t comfortable with that aspect, plus it’s headquartered in the US within easier reach of authorized snooping, and I actually didn’t like it very much when trying it out as a search engine.

So I tried Ixquick and Startpage — and I’ve been fine with those. Headquarted in the EU, promise not to track etc.

Ixquick has results from Yahoo, Startpage has results from Google (and this, they claim, is done with the big search engines’ blessing – not stealing anything).

Each is better at some kinds of searches and worse at others. Overall, it’s workable for me.

I think in a few weeks they are merging the two search engines at one address; I don’t know if they are going to show both the Yahoo and Google search results mixed together, or how they will handle that.

Reply | Quote

It seems that is worrying about fastening the barn door shut after the horse has already bolted.

Having hoodwinked the generations (maybe people born before 1980 or so) that would have cared the most about the massive loss of their privacy and the very-long-term recording by strangers, corporations, and governments of much of their lives (including some very personal information), announcing to the generation that were whiling away hours on their own tablets while still infants that their private information has always been and might always continue to be collected is not going to have such an impact.

Reply | Quote

Your description of the informed consent with a surgery in the US isn’t quite my experience in the last 2 years — I’ve had 3 surgeries here, and each time, they waited until about 5 minutes before rolling me into the operating theatre, shoved me a clipboard with the several-pages-long form I had to sign which I’d had no prior opportunity to read through, and stood there holding out a pen and tapping their foot until I signed it.

Before only one of the three surgeries was I told by the doctor that there was a small chance of death (which there had been, of course, in all three surgeries).

I won’t go further into my personal experiences, but overall there seems to be quite a lot of fudging and active non-mentioning in the medical system.

We have to take the time to research and be very informed patients/consumers — knowledge is power, being politely assertive is critical, asking for second opinions and objective-testing confirmations is worth the time and expense: these things can even save our lives.

Reply | Quote

Nothing wrong with clunky old keyboards. I stumbled on an old Microsoft PS2 ergonomic keyboard in a thrift store a couple of weeks ago for $5. The box was still in the plastic. I have a form of muscular dystrophy that affects my hands and feet and is very painful at times, so this big, clunky, ergonomically correct keyboard was a godsend. Call me a Luddite, but for some people, the old is much better than the new.

Reply | Quote

I’ve done it several times before, and most recently I looked into switching from IE to Firefox just last month.
I did use it for a while a couple of years ago when I was trying out Linux Ubuntu (during that experience, I didn’t think Firefox was anything amazing, but it was fine).
Last month I read that apparently there is some kind of recently-exposed leak or problem with Firefox that they don’t have a fix for — I know that sounds unlikely and I don’t remember any details about it because after I had skimmed several apparently-legitimate articles about it, I crossed Firefox off my list as a possible replacement for my IE and I went back to battling my recently-very-grumpy IE 11.

I guess I’m saying that it’s not a browser without its own problems, which isn’t surprising and is hardly their ‘fault’, as it’s a very complicated type of product.

But if you are concerned about privacy etc., do spend a bit of time looking into recent reviews (in the last year, I’d say) of Firefox to see if you come across the info that swayed me last month against moving over to it (for now) as my primary browser.

Reply | Quote

Bookmarked KB894199, thanks.

Reply | Quote

Woody, I respect your opinion on the wholesale capturing of our data, conversations, geographical movements, behaviors, and thoughts, but I don’t share that opinion.

For someone who is so informed, careful, and caring-about-truth-and-integrity, you seem to be quite sanguine about this loss of privacy — but I realize that certainly it’s a fact of life in the modern world and it isn’t practical to battle against. And there are many benefits that are associated with the products that take the personal information.

I have a lot of concerns about it, which I won’t go into, but I will say that anything that happened in the last century anywhere in the world can easily happen again in a blink of an eye, even in our part of the world, but even worse, and this slippery slope is steep and greasy. I grew up in a short span of our country’s history when it was conventionally thought and taught that everything was getting fairer, more equal, more just, more free, just brighter overall, and junior high and high school English-class books like The Jungle, 1984, Dickens, Anne Frank, so on and so forth were of a long-lost-time or way-out imaginative fiction. But no. And it’s scary. It’s easy to lose precious things that we have taken for granted, especially when they are given away slowly – and presumably in exchange for benefits that appear to almost be worth it, or of course when they are taken by stealth.

Reply | Quote

HA! Yep, if you use the Chrome browser or ChromeOS, or Google Search, or Google Photos, Google keeps track of everything.

… and Microsoft is catching up quickly…

Reply | Quote

I think it’s great that you’re willing to take up the battle!

You’ve identified the core cause – times are changing, for better or worse.

Reply | Quote

What surprises me is how the old is turning new again. Mechanical keyboards are coming back in fashion, driven by gamers.

Reply | Quote

I think if you so overly concerned about privacy issues and I know that they are legitimate concerns, give a try to Tor which is built on top of Firefox.
Tor is very good tool which can be used like any other tool for legitimate and less legitimate purposes.

Reply | Quote

My first Gateway computer in 1992 came with an AnyKey Keyboard, which is technically not a clicky keyboard but comes close, with a nice robust click when pressed. Its main distinction, in additional to programmability, is a number keypad on the RH side, making the overall width 20 inches.

Whenever I sat down at somebody’s stock keyboard at work, it felt wrong due both the smaller size and the mushy touch. So I kept using the AnyKey keyboard there and at home. A few years ago I bought several backups from an Ebay refurbisher. Their build dates range from 1992 to 1995.

With the last couple of computer purchases I have had to take the new boxes into the local shop to have PS2 ports installed; USB to PS2 is tricky–I went through three adapters before I found one that worked on one of my machines, and it still acts up occasionally. The oldest of the refurb units came with an AT plug and PS2 to AT adapter.

Reply | Quote

The conversation has taken a turn into the privacy realm, so I’ll add my two cents. I find it amazing that the same people who decry Big Government, i.e. the NSA, willingly roll over for Big Corporations, e.g. Google, Facebook, Microsoft, etc. Not to mention that Apple is shedding crocodile tears over the FBI’s efforts to push it into creating a version of iPhone software to investigate the San Bernardino murders when it already gave the Chinese government its source code. http://qz.com/332059/apple-is-reportedly-giving-the-chinese-government-access-to-its-devices-for-a-security-assessment/

Some people mentioned Ixquick as an alternative to Duckduckgo. I have already changed my bookmark to http://www.ixquick.eu to avoid the new Google results as suggested by Ixquick’s webpage. And one must never do any searches when logged into any Google, Facebook, or Microsoft product.

Reply | Quote

I’m nowhere near savvy enough to understand Registry entries – what they do, whether they can safely be deleted, whether the associated “data” can safely be changed and if so to what, etc.

However, this post on KBs 3035583 and 2952664 piqued my curiosity enough to search (Ctrl-F) my Registry to see what, if any, references to those two KB numbers might pop up.

I found several – two for 3035583 and at least eight for 2952664 (at which point I quit searching because the scroll bar indicated I was only about 10% through the Registry).

At that point I ran GWX Control Panel and it reported I have no evidence whatsoever of any Win-10 garbage.

My lack of Registry-related knowledge and skills leaves me wondering just what the heck those Registry entries are doing and where they came from since GWX Control Panel doesn’t see them as anything hazardous related to Win-10.

Just for grins, here’s one of the entries I found for 3035583 (the forward slash denotes a sub-entry of the immediately preceding entry):

HKEY_LOCAL_MACHINE/SOFTWARE/ Microsoft/Windows/Current Version/Component Based Servicing/Applicability Evaluation Cache/Package_for_KB303558~31bf3856ad364e35~amd64~~6.1.2.17

My computer does NOT have an AMD CPU (it’s an Intel quad-core), so the “amd64” reference also confuses and puzzles me.

Anyone have any thoughts on what’s happening here?

Reply | Quote

amd64 stands for 64-bit binaries for the simple reason that the current 64-bit CPU implementation was developed by AMD and it was later licensed by Intel from AMD. The binaries are common for both AMD and Intel.
Otherwise, please do not modify any registry keys if you are not totally comfortable with it or try to become a Windows expert and accept a certain amount of OS damage while testing. Modifying registry directly is not part of the normal use of Windows.

Reply | Quote

@ch100,

Actually, I’ve read a number of articles from legitimate-seeming security observers who mention that Tor usage is often watched, and actually it often flags a person up as someone who might be getting into shady stuff and deserving of more attention.

I’ve also read that it can be quite slow.

It’s also apparently a bit complicated to set up. …Delving into technical stuff is not one of my interests, unless necessary.

I have looked into Tor a bit in the past, and I don’t think that it would offer me any benefit over my current little personal “system”.

I am NOT someone who does torrenting or drug buying or pron or anything like that. I am relatively rule-following, straight-laced, careful with my health and my doing-unto-others, etc.
It is merely the idea of our having no privacy anymore that is very concerning to me, and its future ramifications – and the immense loss of heavily-sacrificed-for liberty that it represents.

Reply | Quote

I don’t know if I’d say I’ve taken up the battle… I have not done so in a wide sense.

I am privately battling in my own life to keep ahold of privacy in the small everyday ways, being stubborn without becoming too obsessive. (Well, some others who are more blase than I am about this stuff might think I do too much, like using Peerblock constantly for non-torrenting reasons, and disabling/hobbling the vast majority of things my smartphone can do!) I sometimes mention privacy in intelligent, civil discussion forums like this one here, if the context is relevant,
or if an acquaintance asks me something about it for her/his own information.

But to take up the battle in a public way, or for many more people than just oneself and one’s close family, is not to be undertaken lightly and can be risky.
(Even those with law degrees and/or military training can find it tough going….)

There have been psychology research studies on children, and how bendable they are to suggestion or pressure, how easily they will pretend/believe/say that something happening in reality is not true even if they can perceive directly that it IS true, in the situation when a person in authority (or a group of their peers) tells them it is not true or makes it seem like it is a cost of being liked or being included in the group for them to go along with it and say it isn’t true; or if they won’t take an attractive object (a food treat or a toy, etc.) when they are alone, after having been told ahead of time not to take it, even if there seems to be no way they would be found out as the one who did it; and apparently just 1 in 20 kids is pretty self-directed, self-denying, honest even in the presence of influential others who want them not to be and who might ostracize them if they don’t “go along to get along”. To me, this small % in the population explains a lot, and it’s often no fun and lonely to be an individualist goody-two-shoes, but if you are, you are, and you know it . You just have to watch it in the dog-eat-dog world where there are hidden currents, double agents, purposeful obfuscations, thuggery, whatever.

Reply | Quote

@PC Cobbler,

I am glad you pointed out that there is an “ixquick.eu” address, which I was not aware would still offer a way to see Ixquick’s from-Yahoo search results on their own, without having StartPage’s from-Google search results mixed in with them.

I, too, will bookmark the .EU address, because I actually prefer Yahoo’s results over Google’s anyway (I know, I’m an oddball!)

Were you indicating that you are a bit suspicious of the Google-derived results from Startpage.com which the Ixquick.COM address will begin to show on March 26?
I think that their Google-derived search results will still be “private” and not recorded in any way by Google — their site says:
“Starting March 26, you’ll receive private StartPage search results on Ixquick.com.
We’re merging our two search engines so we can focus on fighting Big Brother, rather than maintaining two different brands.
Ixquick has been serving terrific search results since 1999, but when we introduced StartPage in 2009, it quickly grew to become our most popular search engine. In light of changing market conditions, it made sense to combine the two products into a more potent force for good.
**StartPage gives you actual Google search results with the full privacy guarantees of Ixquick. Google never sees you – and, of course, neither do we.**
We think you’re going to love StartPage, but if you prefer current Ixquick search results, don’t worry. They will still be available at http://www.ixquick.eu.”

Reply | Quote

@Roger,
Had you ever installed those 2 updates via Window Updates?

Reply | Quote

“amd64” is the old notation for anything 64-bit related. I think it was because the AMD processors were first out the gate, early on, anything that had to do with 64-bit apps or OS’s was given the amd64 label to easily separate it from x86 (for 32-bit). It caused no end of confusion, and more recently we’ve started seeing x64, but because of legacy, amd64 will still be embedded in older components for a long time to come. (It’s like a 2-digit date in a post 2K world: it’s just confusing, but still works.)

Reply | Quote

One “news report” from a government-run newspaper doth not the full truth maketh. Apple recently denied this when it was brought up in this case.
http://www.macobserver.com/tmo/article/reuters-gets-it-wrong-on-apple-encryption-and-china

Reply | Quote

You don’t have to be doing anything nefarious in order to use Tor. Remember it was developed by the US Navy (and the CIA?) to ensure privacy.

Reply | Quote

Not that I know of. I’ve always had Windows Update set to “notify but let me decide which to install”, and I’ve been running GWX Control Panel since shortly after Woody suggested it. GWX comes back clean – always has – and I’ve never had any indication of Win-10 stuff having somehow gotten into my machine. That’s why I’m confused about why I’ve got references to those two KB numbers.

Reply | Quote

Thanks – I wasn’t aware of that. I’ve got 64-bit Win-7 so that’s why there are 64-bit references.

Reply | Quote

Woody please use your discretion as to whether you consider this pertinent… but
just thought to mention for those interested in using a browser akin to Google Chrome….but without the privacy/security issues that I’m trialling a browser called Iron, https://www.srware.net/en/software_srware_iron.php
SRWare Iron: The browser of the future – based on the free Sourcecode “Chromium” – without any problems at privacy and security

and I also came across a link
http://www.techsupportalert.com/content/how-harden-your-browser-against-malware-and-privacy-concerns.htm
that has some v. good tips in strengthening one’s privacy and security when surfing online.

So far so good……. I like it and it seems easy to familiarise one’s way around it. LT

Reply | Quote

Just got the update notification (1pm Pacific) for the next iteration of KB3035583.

Optional, unchecked, italicized. [Win 7 x64 Ult]

Reply | Quote

Interesting. The update master list says it’s “Recommended”

The combination you see — optional, unchecked italicized – corresponds to you NOT checking “Give me recommended updates the same as….”

Reply | Quote

You bet. Any observations most welcome. Hey, we’re all in this leaky ol’ boat together.

Reply | Quote

Correct … that checkbox has been cleared for some time.

Reply | Quote

Correction: Several companies were early out the gate for 64 bit CPUs. Biggest name was DEC (now HP) Alpha, which had to run a special 32 bit version of Windows until Microsoft finally made a 64 bit edition of Windows 2000 Beta (but then HP defunded the project and Windows 2000 ended up as the first 32-bit-x86-only edition of NT). Intel came up with their unique and potentially powerful Intel Architecture 64 (Itanium), which flopped. AMD, who had previously only been a maker of alternative x86 clones, designed the x86_64 architecture themselves and decreed that when comparing it to Intel Architecture 64, it should be named amd64, but when comparing it to generic x86 it was OK to call it x86_64. Intel then made a clone of amd64 called EMT64, Microsoft released a 64 bit windows XP 2003 version that ran on both x86_64 variants, while discontinuing updates for the XP version that ran on IA64. Windows Server 2003, 2008 and 2008 R2 (not sure about 2012 R2) are still available for IA64, but the desktop editions are not.

In the Apple/IBM world, there is/was a 64 bit PowerPC variant that could run OS/X. In the phone/tablet world there is now a 64 bit ARM variant.

So “AMD64” is not like a 2-digit date in a post Y2K world. It is more like remembering to spell the country USA and not just US, to avoid confusion with also-rans such as USSR, and to refer to the first leader of the USA as George Washington, to avoid confusion with his arch enemy King George or his much later successors George Walker Bush and George W Bush.

Reply | Quote

Woody wrote, “You don’t have to be doing anything nefarious in order to use Tor.”

I know — I wasn’t suggesting that a person would have to be doing something nefarious in order to use Tor!

I was just explaining that since there isn’t anything that I personally do that I think is worth MY going to extremes to hide, Tor does not seem, to me, to be a good solution _for me_.

In other words, in my _individual_ decision that I made a couple of years ago about whether or not to think about using Tor — for my situation and no one else’s — I have looked at what I am trying to aim for when it comes to my internet security, how complicated it might be for someone of my limited technical knowledge to set up and use Tor, how slow it might be to use, how secure it might be, whether it actually makes it more likely that a user would come under suspicion/surveillance, etc. In my personal reckoning, there isn’t much to recommend Tor for my situation. I don’t want the hassle and slowness, and I don’t see any reason that I need it. I am not trying to entirely hide my internet actions. However, I am against the idea of having my internet actions probed and wrested from me without my consent by the likes of Google, Facebook, and the rest. I will do what I can which is not too cumbersome or technical in order to put roadblocks in their way. Maybe I do not understand Tor, but to my mind, it would be overkill for my modest requirements.

And, it does not seem to be as secure as people make it out to be. I am only going on newspaper articles I read the last time I looked into it, which was 2013. (I also think I read several posts about it then on Bruce Schneier’s blog.) Here are some of the 2013 newspaper articles that I saw:

“Today, the Guardian is reporting on how the NSA targets Tor users, along with details of how it uses centrally placed servers on the internet to attack individual computers.”
http://www.theguardian.com/commentisfree/2013/oct/04/nsa-attacks-internet-bruce-schneier

“NSA and GCHQ target Tor network that protects anonymity of web users”
http://www.theguardian.com/world/2013/oct/04/nsa-gchq-attack-tor-network-encryption

“Attacking Tor: how the NSA targets users’ online anonymity.
Secret servers and a privileged position on the internet’s backbone used to identify users and attack target computers”
http://www.theguardian.com/world/2013/oct/04/tor-attacks-nsa-users-online-anonymity

All of that appears, to me, to be much deeper and more serious than I am ever going to need to get with my internet usage. Therefore, my conclusion in 2013 was that Tor didn’t sound very appealing to me for my very modest needs, and I am of the same opinion today.

That is what I was trying to explain in my prior post, in response to the suggestion that if I’m so interested in privacy, I should just use Tor.

Another serious reason that I would not want to use Tor is that I am under the impression it is a finite resource, and the more users of it there are, the slower it is, and the harder it is for those who really need to hide their online activities to be able to use it. I would not want to be taking up “space” on Tor from my position of relative freedom and comfort in the US when there are some people in China, Burma, Syria, etc. facing terrible hardships and who really need to be on it.

Reply | Quote

I thought that I’d return to my above comment and try to look online to find out what was the exact issue that last month I had learned of, regarding Firefox (and maybe Chrome), which had convinced me, after about 30 minutes of looking into it, that it was such a technical subject that I was likely not to be able to understand it all or prevent the issue from happening to me, and I decided I had better stick with I.E. 11 for now.

It seems to be this, from the Wikipedia entry on Firefox:
“In January 2015, TorrentFreak reported that using Firefox when connected to the internet using a VPN can be a serious security issue due to the browser’s support for WebRTC.”
https://en.wikipedia.org/wiki/Firefox

That leads to the WebRTC Wikipedia entry:
“In January 2015, TorrentFreak reported that browsers supporting WebRTC suffer from a serious security flaw that compromises the security of VPN-tunnels, by allowing the true IP address of the user to be read. The IP address read requests are not visible in the browser’s developer console, and they are not blocked by common ad blocking/privacy plugins (enabling online tracking by advertisers and other entities despite precautions).”
https://en.wikipedia.org/wiki/WebRTC#Concerns

Articles like the following suggested that there were ways to block the webRTC in Firefox (but maybe not in Chrome, or so it appeared):
http://iconnectdots.com/2015/06/chrome-firefox-users-are-leaking-their-ip-address-even-while-using-a-vpn.html
“How to Disable WebRTC
In Firefox:
To disable WebRTC, go to about:config and click-to-toggle media.peerconnection.enabled to false.
Or install this Firefox add-on:
https://addons.mozilla.org/en-US/firefox/addon/happy-bonobo-disable-webrtc/”

A Lifehacker article that had some edits to it towards the end, and also had later developments that were described only in the comments area and not in the article (which annoys me about some articles on Lifehacker): http://lifehacker.com/how-to-see-if-your-vpn-is-leaking-your-ip-address-and-1685180082

I have searched a little bit for more recent information, but most of the articles are from about a year ago…. I don’t know if this is completely fixed now in both Chrome and Firefox, or what.

There were articles like the following from the middle of last year that suggested that Chrome was fixed, but then the second reader comment there says that the fix stopped working, and I think I read that elsewhere too, but I don’t know what that link was:
http://news.softpedia.com/news/google-fixes-chrome-issue-that-leaked-the-user-s-real-ip-from-behind-a-vpn-488143.shtml

And there are warnings like this: “Just so you know, disabling WebRTC may disrupt some Web apps and services, such as chat or other services involving your computer’s microphone or camera.” http://whatismyipaddress.com/vpn-leaking

All this is too technical for me to handle. Since I don’t know my way around Firefox, the webRTC fixes for it sound (to me as a novice) complicated — I’d have a steep learning curve in getting a new browser set up from scratch in all the ways that I’d want, and this kind of thing I do not enjoy learning about as an end in itself; I only do it if I absolutely must in order to carry on with the rest of my life.

My reasoning was that if IE 11 doesn’t even have WebRTC, if I stay with IE 11 for now, then I don’t have to worry about this issue of VPN IP leakage.

I realize that one day, I’ll probably have to deal with this, since all other browsers (including Microsoft Edge) do have WebRTC, but maybe by the point that they are prying my clenched fingers off of my Win 7, they will have fixed those browsers’ VPN IP-leaking problems and it won’t be something I’d have to fiddle with on my own.

—-
Does anyone know if Firefox and Chrome are now safe from this VPN IP leakage?

—-
…Additionally, I barely recall that there may have been a different/second issue that I discovered last month about Firefox, and it seemed that it would be complicated for me to come up to speed on the whole issue.
It was something about problems in the latest version, and some users were avoiding them by rolling back to an earlier version of Firefox and stopping the program from updating.
I really can’t handle any more of that, it’s bad enough that I must spend hours upon hours of my free time micromanaging every single Microsoft update in order to protect my computer.

—-
Sorry for such a long post, but I don’t like to make vague claims and not back them up with references.

Reply | Quote

D. The suggestion of using Tor is not to have anyone protected against the likes of NSA which I think is close to impossible given their resources. Protecting against abuse committed by individuals working for certain organizations and who have enough access to relevant data is a different matter and while it is very important, I don’t think this is the forum to discuss it.
Tor is just another level of encryption/protection against casual hackers known also as script kiddies sometimes or even commercial entities like Google. Those casual hackers, even if they could compromise protected systems, would normally go after easy targets or high profile entities where there is either a material gain or a gain of any other nature, like publicity in their community.
If one is on the Internet, there will always be a risk that someone else would be a step ahead when it comes to IT security matters.

Reply | Quote