Security updates for Windows 7 ostensibly end tomorrow, but also officially continue until 2023

[mr moose]

Just now, Lady Fitzgerald said:

Have you not been reading this thread? Many good reasons have been presented, such as factory machinery, etc. software not being compatible with an OS higher in number than Win 7 that would cost thousands of dollers to replace.

RorzNZ was referring to majority of ordinary users, not specific business use cases. 

[JZStudios]

Just now, mr moose said:

 

defined telemetry and a backdoor are not the same thing.   

 

 

It's an access portal.

And based on the information in the link you posted, it's still not stuff I want sent to MS.

Quote

• Common Data, like the Operating System’s name, the Version, Device ID, Device Class, Diagnostic level selection and so on.
• Device Connectivity and Configuration such as device properties and capabilities, preferences and settings, peripherals, and device network information.
• Product and Service Performance data that show device health, performance and reliability data, movie consumption functionality on the device and device file queries. It’s important to note that this functionality is not intended to capture user viewing or, listening habits.
• Product and Service Usage data includes details about the usage of the device, operating system, applications and services.
• Software Setup and Inventory such as installed applications and install history, device update information.

I don't care if you or others see it as non-issues, I don't want MS just having access to my stuff. I don't want them knowing what I have installed, how I'm using it, or how long I'm using it. I don't understand why I can't just not have MS collect my data.

[Guest]

Just now, Lady Fitzgerald said:

Have you not been reading this thread? Many good reasons have been presented, such as factory machinery, etc. software not being compatible with an OS higher in number than Win 7 that would cost thousands of dollers to replace.

For a consumer there is no good reason. Even if your business uses it, probably time to upgrade and spend the money. 

[leadeater]

1 hour ago, JZStudios said:

Not if you're a small scale independent contractor like my dad happens to be. He's not going to be buying a $10,000 copy of Windows when he can just use standard Win7 and keep the files on a secure PC.

Doesn't matter, if it's actually classified information that requires you to have higher level security clearance then it's not going to be just on some computer. If it is to be on a portable device like a laptop then it has to be a complaint device that meets the standards and a lot of the time devices are used for remote access in to a secure system and the data never even lands on the device other than remote screen updates over secure connections using secure connection client software.

 

My country alone has 7 different levels of classification:

https://www.digital.govt.nz/standards-and-guidance/governance/managing-online-channels/security-and-privacy-for-websites/foundations/classify-information/

 

Which classification level are we talking because anything above "In-Confidence" has hard and fast rules with some pretty serious punishment if you break those.

 

This is why things like VDI is so popular in the private sector, much tighter control over data as company information stays in the datacenter at all times always.

 

As to $10,000 Windows copy, that isn't a thing. You can't even buy certain editions of Windows, they don't cost more you just aren't allowed them.

[mr moose]

1 minute ago, JZStudios said:

It's an access portal.

And based on the information in the link you posted, it's still not stuff I want sent to MS.

I don't care if you or others see it as non-issues, I don't want MS just having access to my stuff. I don't want them knowing what I have installed, how I'm using it, or how long I'm using it. I don't understand why I can't just not have MS collect my data.

In that case everything has a backdoor so we can stop demanding they don't put them in.

[Lady Fitzgerald]

1 minute ago, RorzNZ said:

For a consumer there is no good reason. Even if your business uses it, probably time to upgrade and spend the money. 

I disagree about there being no good reason for consumers. Again, plenty of perfectly good reasons have already been given.

 

As far as machinery requiring Win 7 goes, as long as the computer used with the machinery does not connect to the internet and the machinery itself is still in good condition, it would not be cost effective (not mention it would be foolish) to replace it just because Win 7 reached EOL. What you don't realize is how expensive some machinery can be. Even if the computer for the machinery had to connect to the internet, it would be far, far less expensive to pay Microsoft's ransom for continued security updates.

 

Back when I worked in warehousing (I'm retired now), my department heads decided to bypass the IT department to purchase some computerized carousels for our three big warehouses. On the surface, they were a good idea and greatly steamlined filling small part orders. But the carousels used software that only worked with the current OS (which is why they were as cheap as they were). A year later, the company upgraded their computer network to NT. We needed the carousels to be able to integrate with the company network to be effective but the company we bought them from refused to write new software for them. I a deaperate attempt to salvage the carousels, my department hired a contract programmer to upgrade the software. I was assigned to liaise with him to make sure the upgraded software would meet our needs. The idiot paid no attention to me (after all, I was just a lowly warehouse flunky  ) and not only was unable to get the carousel computer to integrate with our material system, the moron made all entry to be via a drop down menu with no option to even manually enter a stock code number. Considering we had several thousand stock code items in the carousels at each warehouse, saying that getting to the material was cumbersome was like saying Hitler was just a little stinker. By then, everyone else was so disgusted with the mess, we wound up scapping all tha carousels at a loss of several million dollars (I tried to talk our brass into hiring another programmer that knew what the hell he was doing or let our IT department do the work but I was the only one who could see how beneficial they could be and was overruled).

[Master Disaster]

8 hours ago, jagdtigger said:

Except the user had to expose smb to a untrusted network........

Now you're just clutching at straws. SMB V1 was enabled as a default service on all machines and the internet would count as an untrusted network. Here in the UK WannaCry brought the NHS to its knees simply because a lot of their computers were running Windows XP so unless you're suggesting doctors & nurses are exposing their computers to "untrusted networks" you obviously have no idea what you're talking about. Fun fact, Microsoft didn't fix the exploit used by WannaCry, the security patch they issued simply disabled SMB V1 globally. To this day MS recommend that users keep SMB V1 disabled on any machine that supports it.

 

EternalBlue is another example of malware that can spread without the user needing to do anything. The Sasser worm can also spread between machines automatically (though to be fair that one needs a direct network connection).

 

While we're here lets also talk about your other analogy. Driving an older vehicle might not mean you're going to have an accident however it does mean the chances of you having an accident are increased. Older vehicles are not as mechanically sound as new ones and don't contain the same amount of safety tech either. Running an outdated OS doesn't necessarily mean you will get a virus (though as we discussed it can mean that) but it does increase the chances you will quite significantly.

 

Coming to a tech forum as large as this one and telling users its OK to run an outdated OS as long as you're careful is frankly absurd. When these users get infected will you take the time to help them fix their issues?

[Yongtjunkit]

6 hours ago, CalintzJerevinan said:

I did some updates I didn't get that screen....

This pop up only appear if your date is set to 15/01/2020, I've timeshift the VM to get this to pop up

[Bitter]

8 hours ago, mr moose said:

does your scan tool need to be connected to access vehicle data bases? if so do snap on offer a download feature so the machine can run offline?

 

EDIT: asking purely out of interest, I haven't seen scan tools that require internet access before.

It needs to be connected online to get updates from time to time and to access 'the fast fix' information which is just a bunch of 'i had this code and i replaced these parts', and connected to the network to print.

[startrekdude]

5 hours ago, Master Disaster said:

Now you're just clutching at straws. SMB V1 was enabled as a default service on all machines and the internet would count as an untrusted network. Here in the UK WannaCry brought the NHS to its knees simply because a lot of their computers were running Windows XP so unless you're suggesting doctors & nurses are exposing their computers to "untrusted networks" you obviously have no idea what you're talking about. Fun fact, Microsoft didn't fix the exploit used by WannaCry, the security patch they issued simply disabled SMB V1 globally. To this day MS recommend that users keep SMB V1 disabled on any machine that supports it.

 

EternalBlue is another example of malware that can spread without the user needing to do anything. The Sasser worm can also spread between machines automatically (though to be fair that one needs a direct network connection).

 

While we're here lets also talk about your other analogy. Driving an older vehicle might not mean you're going to have an accident however it does mean the chances of you having an accident are increased. Older vehicles are not as mechanically sound as new ones and don't contain the same amount of safety tech either. Running an outdated OS doesn't necessarily mean you will get a virus (though as we discussed it can mean that) but it does increase the chances you will quite significantly.

 

Coming to a tech forum as large as this one and telling users its OK to run an outdated OS as long as you're careful is frankly absurd. When these users get infected will you take the time to help them fix their issues?

That is a much better way of saying what I was originally trying to say, and why I would never want a normal user on an unsupported OS. I would never take the risk ether, but if some one feels they know what they are doing all the more power to them. But I agree with @Master Disaster pushing every one to use an outdated OS is a bad Idea.

[Touch My Hamm]

Well it has been a good run old friend. Time for you to go the way of XP. Where alot of poeple will still use the OS for years to come and watch as it slowly dies out over the next 1-10 year...

[Sauron]

On 1/14/2020 at 1:54 AM, jsweet said:

Upgrading a large company to new computers can cost a company hundreds of thousands of dollars fairly easily. As well, many companies use integrated software that has yet to be fully updated, has incompatibilities with windows 10 at it's core, or simply can not be ran on current hardware.

 

On 1/14/2020 at 11:34 AM, LeSheen said:

I work as an IT-consultant, because of this I have been working in varying industries. There are several reasons why some companies still have some windows 7 or older os running. For example a chemical plant has a very expensive machine that can only be controlled with a windows 7 or older. Some of the manufacturers of those machines might be out of business, so no software support.

 

In multiple companies windows 7 will live on, but I hope not connected to the internet or any other network.

That's proprietary software for you.

On 1/14/2020 at 10:13 AM, CookieSmasherGus said:

My brother still uses win 7 because he can't be bothered to get legitimate win10. Though I was also surprised when he mentioned that he's considering moving to Linux because it's free. I've considered that idea myself, but I'd like to try it out first somehow.

You can try Linux using a live image or in a virtual machine, it's quite simple!

[jagdtigger]

7 hours ago, Master Disaster said:

Now you're just clutching at straws.

Did the user had to mark the network as "Home Network" to expose SMB or not? It seems to me the "w7 is dangerous now" crowd is the one who clutching at straws now......

[Master Disaster]

3 minutes ago, jagdtigger said:

Did the user had to mark the network as "Home Network" to expose SMB or not? It seems to me the "w7 is dangerous now" crowd is the one who clutching at straws now......

On XP? No such option existed so they had no choice.

[jagdtigger]

5 minutes ago, Master Disaster said:

On XP? No such option existed so they had no choice.

Now you are moving the goalpost, whic OS the topic is about? Or you know what? Dont even answer, im finished with this topic.

 

Eh, sorry. Night shift totally screws up my head.

[jagdtigger]

Hm, okay, there wasnt an option for home/public network. But interestingly File and printer sharing is blocked by default by the firewall....  (Only had a Pro around so keep that in mind.)

[Curious Pineapple]

19 hours ago, Master Disaster said:

Not the point though, Jagd said that not updating isn't dangerous as long as you're smart. WannaCry needed no user intervention at all and it's not alone either.

It's exactly the point. That issue affected the other 2 Major OS's in the market and it was nothing to do with them, one infected Windows machine could easily pass an infection on to an entire network of mixed systems.

[jagdtigger]

10 hours ago, mr moose said:

Or maybe the data MS is collecting isn't as nefarious as everyone makes out.

Then why did they sneak it in? Even on older operating systems without sayin anything about it?   If there is nothing nefarious there is no reason to do it in secret.....

[YellowJersey]

16 hours ago, Lady Fitzgerald said:

 

I made my switch to Linux Mint Cinnamon 19.1 (I'm now on 19.3) and my only regret is I didn't do it sooner. I'm so through with MS!

 

For the record, switching to any flavor of Linux (Mint and POP OS with the Cinnamon desktop are the two recommended most for refugees from Windows) will not be a plug and play kind of thing. You can get it up and running fairly quickly but Linux operted under the hood completely differently from Windows (or MAC) so you have to unlearn pretty much everything you learned about Windows and start from scratch with Linux.

 

Navigating the learning curve went faster for me than I expected, though (and I have various learning disabilities). I've been on Linux only a month and I already use it as my daily driver. So far, it has done everything I wanted to do with it (although it took a while for the first time for many things until I learned how to do it) and I fire up my Win 7 machine only to copy some data onto a USB Stick to transfer to the Linux machine (which will take a while because I have a lot of data and I'm weeding out the Windows only stuff).

I personally use the MATE desktop, but I know I'm in the minority there.

 

 I never thought an OS could be exciting, but switching to Mint changed that.

[Master Disaster]

4 hours ago, jagdtigger said:

Then why did they sneak it in? Even on older operating systems without sayin anything about it?   If there is nothing nefarious there is no reason to do it in secret.....

The tinfoil hat is huge with you. They didn't do anything in secret, just because they didn't shout about it on every website does not mean they we're trying to sneak it in unnoticed.

 

If they REALLY wanted to sneak the update in they could have released an update rollup and added it but they didn't. They released it as a KB update which means it got a breakdown on MS's KB and it also got a listing and description in Windows Update.

 

Seems a bit odd that they'd do a full breakdown in the usual place for an update you're so sure they wanted to sneak in. Listing exactly what the update does on a website is not exactly covert now, it is. The process they used was identical to the process used by every other update they delivered.

 

People want Windows to be this perfect system and get really mad when it falls down while at the same time the same people also get mad at MS for trying to improve the OS by collecting usage statistics. You cannot have it both ways (btw not you personally).

 

[Master Disaster]

5 hours ago, jagdtigger said:

Now you are moving the goalpost, whic OS the topic is about? Or you know what? Dont even answer, im finished with this topic.

 

Eh, sorry. Night shift totally screws up my head.

I know that feeling well

[mr moose]

4 hours ago, jagdtigger said:

Then why did they sneak it in? Even on older operating systems without sayin anything about it?   If there is nothing nefarious there is no reason to do it in secret.....

 

Depends on how you define "in secret",  failing to properly notify people on install about certain data collection could be construed as "doing it in secret", however their PP has always outlined everything they collect.    That is why the DPA etc has never been able to find them guilty of collecting data beyond the scope of their PP.

 

It's more accurate to say that at worst they obfuscated the data collection policy upfront (in some cases) because the data they want is so important to maintaining the system when everyone is online doing things and shit goes wrong frequently.  Trying to work out what problems your OS has when you don't know who did what.  installed what software, had which updates let alone what hardware they are using or trying to use would make maintaining the OS almost impossible.  

[Lady Fitzgerald]

5 hours ago, jagdtigger said:

Now you are moving the goalpost, whic OS the topic is about? Or you know what? Dont even answer, im finished with this topic.

 

Eh, sorry. Night shift totally screws up my head.

 

17 minutes ago, Master Disaster said:

I know that feeling well

So do I. I worked third shift for 5 1/2 years before retiring for keeps. That was almost ten years ago and I still have bouts of what I "affectionately" call "shift lag" because it is similar to jet lag (Mama told me not to use the more accurate terms for it). In fact, I had a bout of it last night and didn't get to sleep until after 3AM.

[LAwLz]

On 1/14/2020 at 9:12 PM, Curious Pineapple said:

I believe it also affected Linux and Mac as it was a in Samba itself not just the implimentation.

I am pretty sure that was not the case.

It might have been able to spread through GNU/Linux and Mac machines, but the payload itself was Windows-only.

 

 

On 1/14/2020 at 9:16 PM, Commodus said:

Antivirus software only protects against known exploits that it can defend against.

This is not true and hasn't been true for ages. Modern anti-virus software uses heuristic and are able to detect and block previously unknown threats too. Of course it's not something you can and should rely on 100%, but I think it's dangerous to give out false information like that.

 

On 1/14/2020 at 10:30 PM, Master Disaster said:

Not the point though, Jagd said that not updating isn't dangerous as long as you're smart. WannaCry needed no user intervention at all and it's not alone either.

WannaCry wasn't really something home users needed to be worried about either. It was mostly businesses that got affected (which is why it got so much news coverage in the first place).

Home users were entirely protected because they most likely sit behind a NAT device, and have a limited amount of machines on their network.

But WannaCry is a good example of how an exploit might cause damage to a computer without the user needing to do something stupid.

 

 

19 hours ago, JZStudios said:

And if you want an airtight system, you don't run an OS that auto applies updates and sends telemetry back to the manufacturer, especially when it can just, at it's own volition, re-enable a bunch of highly insecure options like Cortana that will just record conversations and potentially send that shit back to MS. And they have their own gaping back door into your system, like that's something that won't be exploited.

Gonna have to agree with that. If security is your top priority, you shouldn't run Windows, period.

Want security? Install OpenBSD.

 

 

18 hours ago, leadeater said:

If you were doing classified work you'd be doing it on the government edition of the OS. If not it's only sensitive data not classified or you're breaking protocol. There's other measures too but either case I'm pretty skeptical of "classified work" claims because those real situations have real measures to deal with that nature of data.

I do work for a very sensitive Swedish state agency and I do it on my Windows 10 computer. No special "government edition OS".

And yes, it is classified data, and no, I am not breaking any protocols. There are other security measurements in place though.

 

 

16 hours ago, mr moose said:

does your scan tool need to be connected to access vehicle data bases? if so do snap on offer a download feature so the machine can run offline?

 

EDIT: asking purely out of interest, I haven't seen scan tools that require internet access before.

Might be some DRM thing.

 

15 hours ago, mr moose said:

Or maybe the data MS is collecting isn't as nefarious as everyone makes out.  You know all those companies spend up big on security,  not too mention the thousands of security cowboys all after their 15 seconds of fame after finding anything serious in MS intentions or windows releases that is intentional. lets not forget every government agency and consumer group who is also pulling windows apart piece by piece looking for that smoking gun.

That depends on what you define as "nefarious". I mean, Google hasn't been caught any more than Microsoft has but they are still a privacy nightmare (just like Microsoft). It's just that what they are doing hasn't been too illegal so they can't really be punished. The reason why I say "too illegal" is because both Google and Microsoft have been caught violating several privacy laws in the last couple of years, but have received little more than slaps on their wrists.

 

 

13 hours ago, Master Disaster said:

Now you're just clutching at straws. SMB V1 was enabled as a default service on all machines and the internet would count as an untrusted network. Here in the UK WannaCry brought the NHS to its knees simply because a lot of their computers were running Windows XP so unless you're suggesting doctors & nurses are exposing their computers to "untrusted networks" you obviously have no idea what you're talking about. Fun fact, Microsoft didn't fix the exploit used by WannaCry, the security patch they issued simply disabled SMB V1 globally. To this day MS recommend that users keep SMB V1 disabled on any machine that supports it.

This is wrong. There were patches out for Windows XP that fixed the SMB security issue. The patches were released in April 2017 and the first WannaCry outbreak happened in May 2017.

 

The reason why NHS got infected was not because they were running XP machines. It's because they weren't patched and because WannaCry managed to get into the network somehow (probably some stupid user downloading and running a shady program from an email).

 

Any half-assed network, even home networks, doesn't allow SMB connections from the Internet straight into computers on the inside network.

And yes, the patch actually fixes the exploit. It didn't just turn off SMBv1. I have no idea where you got that idea from but it's completely wrong.The reason why SMBv1 was and still is recommended to be kept disabled is because:

1) At the time the WannaCry fix was released, Microsoft were not sure if a slight modification to WannaCry could circumvent the patch.

2) Often with these large scale attacks, several mitigation strategies are offered in case some computers are unable to use one or the other.

3) SMBv1 is in general a poor protocol and probably has a ton of vulnerabilities in it. You really shouldn't have it enabled at all so disabling it would only improve the situation.

 

I don't know where you get your info from, but you're severely misinformed about this entire situation.

Here is the detailed advisory for the EternalBlue exploit published by Microsoft.

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0146

 

Quote

A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.

 

To exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.

 

The security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.

 

If you don't believe me you can get a Windows 7 VM with the patch and SMBv1 enabled, and then run Metasplot with the EternalBlue module and you will see that it fails.

 

 

13 hours ago, Master Disaster said:

Coming to a tech forum as large as this one and telling users its OK to run an outdated OS as long as you're careful is frankly absurd. When these users get infected will you take the time to help them fix their issues?

Security is always a question of weighing benefits vs drawbacks. If everyone here were dead serious about security then nobody would even recommend running Windows at all. But people make compromises. Maybe some extra security isn't worth the hassle, or causes other issues. Where people draw the line differs from person to person. I mean, you're posting on the Internet right now. Don't you know that having your computer connected to the Internet is one of the biggest security risks? "How can a tech forum recommend people connect to the Internet!? It's such a massive security risk!".

[LAwLz]

30 minutes ago, mr moose said:

 

Depends on how you define "in secret",  failing to properly notify people on install about certain data collection could be construed as "doing it in secret", however their PP has always outlined everything they collect.    That is why the DPA etc has never been able to find them guilty of collecting data beyond the scope of their PP.

 

It's more accurate to say that at worst they obfuscated the data collection policy upfront (in some cases) because the data they want is so important to maintaining the system when everyone is online doing things and shit goes wrong frequently.  Trying to work out what problems your OS has when you don't know who did what.  installed what software, had which updates let alone what hardware they are using or trying to use would make maintaining the OS almost impossible.  

I disagree with some points there.

1) Microsoft were caught not disclosing what they were collecting on several occasions.

2) Making blanket statements like "we might collect a ton of info about you, hope you're okay with that" is not exactly "outlining everything they collect". If you ask me, even now they just barely "outline everything they collect" because they allow you to actually see what they collect. In the beginning users really had no way of knowing what they were collecting, or not collecting. We could make some guesses based on the privacy policy (which was not only found to be extremely difficult to read, but also not sufficiently detailed to hold up to the privacy laws in certain countries and had to be altered) but that was it.

3) Microsoft has admitted to having collected way too much data. They reduced the number of data points they collected by more than 50% slightly before GDPR came into effect (if I recall correctly). That was also before we were able to see what they were collecting. I mean, if even Microsoft admits to collecting way too much data I don't really see how you can defend them going "oh they have handled this well". If you ask me, the situation now is quite decent. I still would like an actual off button, but it's still WAAAAY better than it used to be. I don't think people who defended Microsoft in the beginning truly understood how horrible their data harvesting practices were. Luckily for us it has changed a lot over the years Windows 10 has been out. I suspect that they are collecting maybe 1/3 as much data now as they were when Windows 10 was released. And because of legal treats from several countries for breaking privacy laws, it is pretty decent now.

4) I don't think you have to collect a bunch of telemetry to develop an OS. I especially don't believe it is required to force your users to send telemetry. Microsoft is the only OS developer doing this and other OSes seems to do just fine without it. I find the claim that "Microsoft have to collect telemetry" completely unfounded and ludicrous.