Visual Studio 2015 C++ Compiler Secretly Inserts Telemetry Code Into Binaries

Reader edxwelch writes: Reddit user sammiesdog discovered recently that Visual Studio 2015 C++ compiler was inserting calls to a Microsoft telemetry function into binaries. "I compiled a simple program with only main(). When looking at the compiled binary in IDA, I see a call for telemetry_main_invoke_trigger and telemetry_main_return_trigger. I cannot find documentation for these calls, either on the web or in the options page," he wrote. Only after the discovery did Steve Carroll, the dev manager for Visual C++ admit to the "feature" and posted a workaround to remove it.A Microsoft spokesperson confirmed the existence of this behavior to InfoQ, adding that the company wil be removing it in a future preview build. For those who wish to get rid of it, the blog writes: Users who have a copy of VS2015 Update 2 and wish to turn off the telemetry functionality currently being compiled into their code should add notelemetry.obj to their linker command line.

MS Spyware

[allo]

No escape.

Ken Thompson Attack

[goombah99]

Boy this is at the scale of the Ken Thompson attack. Compilers that insert backdoors

http://c2.com/cgi/wiki?TheKenT... [c2.com]

Classified or secure operations invalidated

[goombah99]

So one can imagine a case where a program crashes and sends telemetry to microsoft from inside a secure computing enviornment or otherwise exports secret bussiness data. This could invalidate MS from all government computing.

Re:

[HiThere]

s/could/should/

I note the claim that this only stores stuff locally, so it MAY not be that serious. Depending. But this has no business being there at all, and it adds hooks that could be activated later.

Re:

[eth1]

So one can imagine a case where a program crashes and sends telemetry to microsoft from inside a secure computing enviornment or otherwise exports secret bussiness data. This could invalidate MS from all government computing.

It wouldn't just affect MS software, but anything from anyone with any component built with MS development tools, anything built by tools built by MS dev tools, etc.

Re:Ken Thompson Attack

[Geoffrey.landis]

Reading through the long Reddit thread, it looks as if the "telemetry" call saves the telemetry data locally; it does not seem to export it. So it's hard to call it "inserting backdoors".
From https://www.reddit.com/r/cpp/c... [reddit.com]

[–]flashmozzg 68 points 1 month ago
Apparently it's only VS15 feature. It logs at least when your app is executed. You can access logs via logman and tracerpt. Some investigation was done here recently: (lang: Russian) https://habrahabr.ru/post/2813... [habrahabr.ru]

[–]sammiesdog[S] 30 points 1 month ago
Are the logs a local feature (i.e. stays on the user's computer)?
And can it be disabled?

[–]flashmozzg 29 points 1 month ago
Seems to be that way. At least right now they only keep main invoked/returned, exit/abort called and such. Nothing serious.
The suggested way to disable it is adding this to your project:

extern "C"
{
        void _cdecl __vcrt_initialize_telemetry_provider() {}
        void _cdecl __telemetry_main_invoke_trigger() {}
        void _cdecl __telemetry_main_return_trigger() {}
        void _cdecl __vcrt_uninitialize_telemetry_provider() {}
};

Re:

[Insanity Defense]

So what happens to it then? Does a Windows component detect it and send it on?

Re:Ken Thompson Attack

[ljw1004]

Boy this is at the scale of the Ken Thompson attack. Compilers that insert backdoors

http://c2.com/cgi/wiki?TheKenT... [c2.com]

No it's not. Ken Thompson's work was beautiful and subtle - a compiler disguised all evidence of its backdoor even when you write code to search for these backdoors or when you compile the compiler itself.

If Ken Thompson had gone on stage to say "hay guys I made a compiler which inserts a call at the entrypoint of your program" -- well, that's trivial.

David A. Wheeler Defense to Ken Thompson Attack

[tepples]

Ken Thompson's work was beautiful and subtle - a compiler disguised all evidence of its backdoor even when you write code to search for these backdoors or when you compile the compiler itself.

True. But that works only when there's one compiler available for a particular language. If you bootstrap a compiler with three independent compilers, the backdoor is highly unlikely to persist into all three according to "Diverse Double-Compiling" by David A. Wheeler [dwheeler.com]. Compile the compiler A with multiple compilers B, C, and D, and then compile A with (A compiled with B), (A compiled with C), and (A compiled with D), and you end up with (A compiled with A), (A compiled with A), and (A compiled with A). If they're identical, then B, C, and D have either no backdoor or an identical backdoor. Which is more likely?

Of course, all this requires that source code for A be available to the public or at least to a person trusted by the public to release compiler binaries. This is true of TCC, GCC, and Clang, not so much for Microsoft C++.

Re:Ken Thompson Attack

[AntronArgaiv]

Boy this is at the scale of the Ken Thompson attack. Compilers that insert backdoors

http://c2.com/cgi/wiki?TheKenT... [c2.com]

No, I think that requires one more level of indirection -- reinserting the backdoor in the compiler when it is recompiled without the backdoor.

Re:

[Anonymous Coward]

Microsoft Telemetry - dedicated to fast-tracking the confirmation of Richard Stallman as public visionary.

Re:

[kheldan]

Oh, I think there's an 'escape' available: Stop using Microsoft products entirely. Also, Microsoft needs to be brought up on charges for violating anti-hacking laws. Their compiler is, by default, inserting unwanted and malicious code into other people's code. I think that qualifies as 'hacking' under the anti-hacking laws, doesn't it? Where's the indictments against Microsoft for this and all the other malicious things they've been doing?

Re:MS Spyware

[Assmasher]

Found in release builds.

Re: MS Spyware

[rochrist]

Personally, I figure you're all the same person, Coward.

Re:

[JustBoo]

Debug performance telemetry? Yep. Clearly spyware.

Like the other comment said, (but I can't help myself here): One does not put debug information in release builds. Period.

I'm sorry, you are either an Uneducated Idiot or a Shill. Which is it?

Let see another way.

Do you think that "debug performance telemetry" should be in a mission critical embedded application build in release mode? Do you?

I await your answer.

Re:MS Spyware

[bondsbw]

Do you think that "debug performance telemetry" should be in a mission critical embedded application build in release mode? Do you?

I don't believe any mission critical application (or any production application) should be built in unreleased software.

That said, I'm pretty pissed about this, Microsoft is screwing themselves over by withholding things like this until they get found out, and by not making it a simple obvious setting that remains the way you left it. I'm ok with the idea of telemetry, but that should be my decision, not theirs. I'm not ok with how they push it on everyone. Doing this to developers is burning some of the only good bridges they have left.

Re:

[Anonymous Coward]

I'm ok with the idea of telemetry

I would be interested in hearing your reasoning here.
To locally measure performance of an application I get, but the "tele" part of this is something that I'm not OK with.
What I develop and who my customers are is something I don't wish to share with Microsoft.
I have no contract with Microsoft that says that they can't take my customers from me. They can afford developing some applications at a loss. I can't.

Re:

[bhcompy]

Except for the part that it's only storing data locally for your own purposes and not sending anything to Microsoft.

Re:

[Gr8Apes]

Nothing MS does today is solely local. Haven't you been paying attention? Win10 is a cloud service OS, and if you think telemetry data stays local, there's some beach front property in Kansas I'd like to sell you.

Re:

[bhcompy]

The proof is in the pudding, and someone in this thread already linked the pudding.

Re:MS Spyware

[bondsbw]

You seem to have stopped before reading to the end of the sentence. I went on to say:

but that should be my decision, not theirs.

It's the same reason you give feedback for beta software, you want to help make the final product better. Either way, regardless of whether it's automated, it should still be your choice.

Re:

[sqlrob]

Visual Studio 2015 Update 2 is released software.

What's your next excuse?

Re:

[bondsbw]

Oops, I read the article too quickly, as it also mentions VS "15":

while this behavior does currently exist in "15", it will be removed in a future preview release.

I didn't realize the article also was talking about VS 2015.

Re:MS Spyware

[Anonymous Coward]

Quote from wiki
"Visual Studio "15" Preview 2 was released 10 May 2016."

In other words, this isn't a final MS product. Think of it as more of a beta. Aka the other poster titling it "unreleased". He meant more than it's not a retail build. It also has telemetry. However it's still inexcusable that MS did this without notification. So MS is at fault here. And I don't believe for a minute they would have removed it before final build. See win 10.

On the other hand, it's also a STUPID move for developers to program production applications in a preview product.
Production meaning, you are deploying it, you are giving it to customers, you are selling it, etc.
No one with a clue should have released any software built in this non final build version.
Doing anything in a preview/beta product you run huge risks of a screwup biting you on the butt.
EXACTLY LIKE THIS .

So if anyone had used this to release production software, they would be at fault for doing it with preview/beta crap from MS.

Re:

[bondsbw]

Actually I was wrong, the article mentions both VS "15" and VS 2015.

Re:MS Spyware

[cfalcon]

> Debug performance telemetry? Yep. Clearly spyware.

While Microsoft offers a profiler, this is NOT that. I'm puzzled how someone could could confuse the two. Profilers / debuggers / all manner of code analysis tools are all hooks that allow the developer (not Microsoft) to analyze how something works in development. They are usually stripped out of release builds, but, more importantly, are only ever present at the convenience of the developer.

The mysterious telemetry calls are not even claimed by MICROSOFT to be debugging or profile hooks. "The event data can only be interpreted if a customer gives us symbol information (i.e. PDBs) so this data is only applicable to customers that are actively seeking help from us and are willing to share these PDBs as part of their investigation. ". This means that the hooks make data available to a telemetry subsystem, on production code, which Microsoft can usefully access in some fashion- while to make use of this in any way would require a developer to know about it (it is not publicized), contact the "right" part of Microsoft (which no one knows), and ask to use the data Microsoft has been collecting about their shipped code, using an undocumented system to gather unknown data.

If this was in any way benign:
1- It would have been documented: you'd know what it gathers
2- Microsoft would offer this data to the developer in some fashion, including what it is
3- It would have been opt-in: you'd have to link in the telemetry, instead of linking it OUT.
4- It wouldn't be present in secret on ALL code Microsoft compiles. This affects run times in some fashion, even if you ignore the massively spooky privacy issues.
5- The data wouldn't be available for Microsoft's use, but not the developer: what right do they have to gather data on your code as you build it, much less on your code as it runs for your customer?

This whole thing gets crazier. That Microsoft is putting hooks into as much code as they can may actually be illegal, or it may be buried in some document- all I know is, this is just what has been FOUND so far. Every couple weeks, someone finds more stuff. All of it is found by acting on some highly technical layer Microsoft hasn't been able to obscure yet. How much more is there? We really have no way to know.

Re:MS Spyware

[pagebt]

It is documented. When this whole windows 10 is spyware thing started, I started searching. The telemetry is exactly that. how many times an application is run. For how long? did it exit clean or with errors? etc... Microsoft has been giving speeches @ Dev conferences for a while now shopping this new feature set. Not a secret. it it a service called "Application Insights" https://www.visualstudio.com/e... [visualstudio.com] Nothing secret, an apparently an advertised service. Another way to make money for Microsoft, not spyware for nefarious purposes.

Re:MS Spyware

[Darinbob]

Debugging my program is my job. No information needs to go to Microsoft unless I am talking to them directly and I offer to send it. Maybe they ask me to send them a core file or whatever post-mortem info I have. There is no legitimate reason for telemetry here, "telemetry" means that data is being sent to Microsoft rather than just being an event stored locally. For Microsoft to know how often my program ran and how often it crashed without my telling them, then that is indeed spyware. They're not offering to help debug everyone's code, no way do they have that amount of manpower, so this is in no way a service to help out customers.

Re:

[Killall -9 Bash]

If you're gonna same the same shit again and again day after day, can you at least make it funny? Luddite programmers use C++, while enlightened programmers know that only rust apps app appy apps....?

Re:

[HiThere]

Is Visual Studio even a compiler? To me it sounds like an IDE. Didn't the complier used to be called "Microsoft C++"?

Of course, it's possible that the compiler is the one inserting the code, but it could also be the IDE applying a binary patch.

This is just nitpickery, as I don't use either, but the story seems to need more precision.

Re: What about Rust? Is it any better?

[Aighearach]

No, you're just lying about what the FOSS position ever was.

Nobody ever said, "having a lot of users means their eyeballs are looking for unknown bugs."

The position was always that when you have a known bug, more eyeballs makes the bug shallower. It is easier to solve known problems when the information is available, and lots of people (who are presumably affected by the problem) can look at it. Some of them will have more insight into the causes than others, because of different backgrounds and use cases.

When you have to lie about what people say just to argue against it, that pretty much refutes not just your claims, but your claim to have even considered the issue. I reject that your analysis was even well-considered. You are just trolling, in addition to be wrong on the merits.

Re:

[Killall -9 Bash]

No one listen to this man! He's just a hologram!!!

Apparently...

[ChodaBoyUSA]

Microsoft has shed all pretense of shame and is adamant to infect everything with their spyware/malware behavior. This is very unfortunate. They keep removing any remaining reason to stick with Windows over OSX or Linux. Sad.

Re:Apparently...

[Aighearach]

I've been saying for awhile, post-anti-trust MS has finally realized that they can't leverage a monopoly and so don't gain from having lots of users/followers/fans who won't subscribe. They're in an intensive process right now to drive away the people who don't want to be part of their subscription-based future. Those people are just a dead weight to them, an expense, a liability. They're not the only option, they can't leverage being the default, and there is not significant financial value in being the default anymore. They can't use it to coerce additional payments or higher rates from wholesalers, so there isn't value in it.

This is probably intentionally designed to drive away people who like to use their compiler, but consider subscription-style information flows to microsoft to be "spyware." Those people will never ever pay for the type of services that MS is building their future around. They are just past lovers who are guaranteed to become disgruntled and angry at some point, because MS has grown in a different direction than them, chosen a new and different lifestyle. It is time for these people to move on, find a new compiler, find a new OS, etc.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Apparently...

[johnnys]

What he said.

A few years ago, I handed a netbook to my 80-year old father-in-law. He was used to a Windows PC, but he was visiting and he wanted to check the BBC website. After about 10 minutes I asked him if he knew that it was running Linux (Xubuntu) and he was surprised, as he had no problems at all doing just what he wanted to do.

So Linux on the desktop Just Works. It is a genuine and viable alternative to anyone who wants to use a system that isn't continually monetizing *you* as the product to everyone's benefit except you.

Re:

[Mitreya]

The vast majority of software will run under Linux in one way or another.

Linux did not gain more ground precisely because of this. I believe the devil is in the one way or another part. You probably can get almost any software to work, but it is not a "double-click this" level of effort.

I usually forget what software I started to install (on CentOS, typically) by the time the 5th library had to be added.

The only major exceptions are games, and even many of those will work.

Do you mean natively or through Wine (or such)? With all of the fun of determining the required configuration settings online?

The user interface in Ubuntu is "good enough for grandma".

It is really time for someone to do a proper study

Re:

[i.r.id10t]

There are cross platform programs that many/most of us use, or programs that have cross platform support for the file formats they use. Long ago I got my Mom on OpenOffice, Firefox, Chrome, Thunderbird and GIMP. She recently switched to Linux with no problem, because the apps she was already using were Just There (along with her data after I moved it over)

Re:

[jacekm]

Right. AutoCAD, Photoshop, Microsoft Office just to name a few do not run on Linux. Those are key programs for many professionals.

Re:

[TapeCutter]

Yep. Microsoft's money comes from corporate licenses/partnerships, the programs you listed, plus exchange, msdn accounts. Since my mega-corp employer pays for a full msdn account for devs I can have all that stuff on my home pc too. Most large corporates do this and call it SOE (Standard Operating Environment). There are plenty of *nix variants and open source in the backroom, eg: KVM is popular right now. However a basic fact of business is that if you're a subcontractor/supplier to a mega-corp, you will n

Re:

[Immerman]

Inertia can only carry you so far. Especially when 90% of your software probably runs just fine on Linux using Wine.

If I were feeling cynical I'd almost think Microsoft' shift to Win10 "apps" was at least partially due to Wine support for traditional programs getting dangerously good. Time to add a new layer of incompatibility.

Re:

[maharvey]

databases of beard hairs on your neck

Nifty. Download link?

Re:

[LynnwoodRooster]

I the real world Linux is vastly superior for the deployments is do for work.

But apparently using Linux really screws with your ability to write understandable English sentences.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[mattventura]

I actually wish someone would hurry up and complete a Debian fork without systemd

What's wrong with apt-get install sysvinit-core?

Re:

[HiThere]

The only thing that's wrong with all attempts to avoid systemd ... programs and libraries that depend on it. That KDE is planning to depend on systemd is a clear sign that this is not a minor worry.

Next time it will be hidden better

[flyingfsck]

I suppose MS will learn from this and hide it better in the future.

Bingo

[Anonymous Coward]

A Microsoft spokesperson confirmed the existence of this behavior to InfoQ, adding that the company wil bel removing it in a future preview build

...because it was finally discovered. If it hadn't been discovered, does anyone honestly think they would be removing it? Of course not.

Re:Next time it will be hidden better

[null etc.]

I suppose MS will learn from this and hide it better in the future.

Or, they'll just update their operating system to dynamically inject telemetry into every executable that runs.

Ooops, I hope I didn't just give Microsoft a new idea. Wait, they're probably already thought of it, and more.

Re:

[LichtSpektren]

Because you can turn it off easily and clearly. It's not stealthily inserted into binaries you compiled.

Re:Where's the outrage over Firefox's telemetry?

[Aruta]

Difference, and it's a whopping one, is that the Firefox telemetry is fully documented on, shock-horror, the mozila site. You get it clear and simple, and if you don't like it, you don't use it.

The MS stuff was undocumented, and now they are making up BS excuses as to how it's for the developer's benefit.

HOLY FREAKIN' FRIP-FROP!

[Thud457]

Ken Thompson [cmu.edu] must be spinning in his grave!

1984 wasn't intended as an instruction manual.

Re:HOLY FREAKIN' FRIP-FROP!

[vadim_t]

He's not dead yet.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:

[RavenLrD20k]

He's not dead yet.

Well he will be soon, he's very ill; despite his claims to be getting better. He really isn't, he'll be stone dead at any moment. Now here's your nine pence.

Re:

[epine]

Ken Thompson must be spinning in his grave!

I don't think they've shuffled Ken or his progeny into the Google graveyard just yet. There was a close call a long time ago, but it crawled onto the shore and sprouted lungs (since renamed "types") just in time.

During 1971 and 1972 B evolved into "New B" (NB) and then C.

Personally, I don't think he wrote his classic paper about the behaviour of the malicious; he wrote it about the behaviour of the naive, which at the time was an exceptionally wide net encompassin

MS still the shitheel of the tech world

[bazmail]

Embedding malware via their compiler? Wow a new low

No matter how Nadella tries to spin things and give them a new image, MS still sucks worse than ever.

Re:MS still the shitheel of the tech world

[Anonymous Coward]

Embedding malware via their compiler? Wow a new low

No matter how Nadella tries to spin things and give them a new image, MS still sucks worse than ever.

The moment I'll believe that Microsoft has created a product that doesn't suck is when they start selling vacuum cleaners.

Re:

[Killall -9 Bash]

Xbox360 controllers make excellent PC game controllers. I can't think of a 2nd one.

Re:

[DoofusOfDeath]

No matter how Nadella tries to spin things and give them a new image, MS still sucks worse than ever.

I think you're exaggerating, but only slightly. This is probably on par with some of their other, sleaziest moves from years past.

g++ adds same feature!

[Anonymous Coward]

Little known fact: g++ has had the same ability to insert spyware for a long time. It's described about line 39885 of the manpage. All you have to do is invoke is via:

g++ --mrelocate --use-upper-reg-halfs --insert-telemetry-libs --mnetwork-lib --include-nsa-stubs --include-fbi-stubs --omit-eff-stubs --no-powerpc --no-fpu --disable-optimization --use-network-capture-prologs --fuck-snowden --section215-includes --fort-meade-includes --fiveeyes-libs --use-eschelon-libs --omit-greenwald-reporting --prism --enable-gchq-sharing myfile.cpp -o myfile

That does the same thing as Visual Studio. Easy peasy. Dunno why Microsoft always acts like they invented everything.

Re:

[flyingfsck]

You forgot the Amazon and Google modules. Linux always makes everything so complicated.

Re:

[maharvey]

>It's described about line 39885 of the manpage.

So close, and yet so far... 3985 [wikipedia.org]

Backdoored compiler

[sinij]

When you consider that MS backdoored OS, compromised compiler is, comparatively, much lesser sin.

Re:

[LichtSpektren]

When you consider that MS backdoored OS, compromised compiler is, comparatively, much lesser sin.

Not at all. I can avoid their OS. I have almost no way of knowing what binaries were compiled by VS.

Re:

[mrchaotica]

Realistically, is anybody likely to use the Microsoft toolchain to compile software for any platform other than Windows? I doubt it. Therefore, considering the fact that Windows 10 (and patched versions of 8.1 and 7) are spyware at the OS level anyway, this compiler-trojaned-application issue is only of real concern among users of carefully-unpatched older Windows versions.

Re:

[ceoyoyo]

Easy enough. Just avoid their OS, it gets you two for one. Or do VS binaries run on other OSes now?

Hello, world!

[__aaclcg7560]

You would think that the IDE would be smart enough not to insert extraneous calls for trivial programs.

Re:

[Dwedit]

You're going to get junk for every trivial program no matter what. It includes the CRT or runtime library into all statically linked programs, no matter how much of the CRT or runtime library it actually needs.
The only way to not get junk is to turn on "ignore all default libraries", which is tough to do, but possible. You lose a lot of features of the compiler, such as the built-in standard library, converting floats to ints, etc.

Here's a minimal Hello World program that includes no junk whatsoever:
#incl

Re:

[__aaclcg7560]

it's the compiler, idiot, nothing to do with the IDE

IDE stands for Integrated Development Environment. That includes the compiler.

it still happens if you run the compiler from the command line

I wasn't aware that VS2015 C++ was available for Linux.

Re:

[__aaclcg7560]

Linux is an operating system kernel, not a command line program such as cmd.exe or bash (or command.com).

I commonly use the command line on Linux via SSH or serial console. If the Linux box has a GUI available, I'll have several terminal windows open and nothing else.

There very much is a command line version of the Visual Studio compiler, which is what the IDE invokes.

When I went to community college to learn computer programming after the dot com bust, we had to learn all flavors of Java because the CIS department couldn't afford to renew the Microsoft site license. Apparently, no could learn how to program C++ without Visual Studio. Local employers demanded that students be well versed in Visual Studio. The d

Re:

[__aaclcg7560]

A few years back, I was in a car wreck. Therefore, my house tried to kill me.

That's what you get for driving forward when you meant to drive out of the garage in reverse. Being drunk and beating your spouse doesn't help either. :P

Now we know

[Alumoi]

What compiler MS used for Windows 10.
'We did not add any telemetry in Windows 10. It was the compiler, I tell you.'

Re:

[LichtSpektren]

Reminds me of those scammers that call people and say "Hi we're from Microsoft and we found a virus on your computer. Do you want us to clean it?" Then they pass the phone to somebody in the sales department to piddle some 'antivirus suite' (really malware). The scammer technically didn't sell you anything so he's not liable for it; he just told you something (outrageous it may be) and forwarded your call to somebody to sell you something.

So far so bad

[Impy the Impiuos Imp]

I see a call for telemetry_main_invoke_trigger and telemetry_main_return_trigger

Did he ever find out what feed_all_keystrokes_and_web_sites_to_nsa does?

There is no return version of this, because history shows a nation never returns from it.

A new take on a classic...

[fuzzyfuzzyfungus]

It's so heartwarming to see the long-theorized 'backdoor the compiler' attack finally gaining commercial acceptance and enterprise support!

Source is not enough

[Holi]

And this shows you why access to the source code is not enough to audit software.

Telemetry!

[MrVictor]

"Telemetry! Telemetry! Telemetry!" seems to have been the decree screamed from the ivory tower of MS leadership to the devs crafting Win10.

Seems like desperate flailing to maximize profits from the terminally declining Windows hegemony.

Should be actionable

[mlwmohawk]

There needs to be a law, if one can not be found that already can already cover this, but "faithful" generation of object code from source code is, by definition, what a compiler does. There MUST be *some* product law that covers intentionally inserting functionality without the user's knowledge.

Re:

[swb]

Doesn't the law generally exclude software from "fitness for a particular purpose" and "free from defects"?

It used to seem that these were exclusions that let them just sell buggy software with no consequences, I'd imagine they figure it allows them to insert spyware, too.

I weep for the idea we'll never get a comprehensive privacy law that makes this and all the other forms of commercial electronic surveillance without extremely explicit permission illegal. The major technology players are too invested in

Poison pill puts publishers in legal jeopardy

[mileshigh]

Most of now have privacy policies where we disclose what data we collect and what we do with it. If that disclosure is defective, you're in legal jeopardy for failure to disclose. Thanks for the poison pill, MS!

And, haven't they considered that the whole Apple/FBI thing might have implications for them and their developers, just maybe? If not legal issues, then PR at the very least? Stunning!

Is this in Microsoft's shipping products?

[DoofusOfDeath]

I assume that Microsoft compiles its shipping products with some form of Visual C++.

Does anyone know if these telemetry calls are made inside those products? For example, inside Microsoft's shipped versions of SQL Server?

And if so, does this mean using those products for handling HIPPA or PCI workloads is illegal?

Could be worse...

[Mysticalfruit]

The function could have been "windows_10_forced_install"

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:

[account_deleted]

Comment removed based on user account deletion

Re:FUD - no, TREASON

[Viol8]

Debugging symbols and hooks should be an OPT IN you idiot. Even if they're harmless they slow down the program and make the binary larger.

Re:FUD

[MightyMartian]

If it's telemetry it's bad. Period.

Imagine writing highly secure software only to find out the fucking compiler is placing a telemetry backend into the binary. Regardless of the purpose or intent out destination, it's bad.

Re:

[Khyber]

"It's for catching application crashes."

And if an application crashes - that's what DRWATSON is fucking for. NOT telemetry code insertion.

Re:

[MightyMartian]

Oblivious to an undocumented telemetry function? Or oblivious to the fact that using Microsoft development tools means your sending out vulnerable binaries that send potentially unknown data to an external server on the Internet?

Re:

[LynnwoodRooster]

And that is exactly what it does. Of course, your code probably also calls - and links in - a lot of THEIR code and THEIR code adds the extra bits. Which means you really didn't do YOUR job and think about the implications of what external code you added to yours before you released it to your customers.

Re:

[fnj]

And that is exactly what it does. Of course, your code probably also calls - and links in - a lot of THEIR code and THEIR code adds the extra bits. Which means you really didn't do YOUR job and think about the implications of what external code you added to yours before you released it to your customers.

Oh, for christ almighty sake. Could you possibly be any more of a sellout?

Re:

[vtcodger]

What is this obsession with spying on users? Seems to me that the potential benefits to MS, Google, et. al. are pretty limited and the risks of eventually getting hit with one or more serious class action suit(s) are substantial -- especially when (not if, when) their data bases are breached and vast amounts of personal information on users are exposed to the world. Am I missing something, or are the folks guiding these companies steering them toward potential big trouble?

Re:

[johnnys]

Either one of two things happens:

1. Nothing bad happens - Company makes lots of money - C*O makes big bonus/stock options/whatever - Profit!!!

2. Bad things happen - Company is sued/destroyed/bankrupt - C*O gets fired - Golden parachute kicks in with lots of money - Profit!!!

Re:

[courteaudotbiz]

To answer your questions:
- no
- yes
period.

Welcome to surveillance land, where all you do is tracked. Every executable you run, every website you visit, every IP you are connected with, all this linked to your real ID with the help of mobile carriers and ISPs.

Re:

[HiThere]

I'm still willing to consider the possibility that "NSA_KEY" may have been something innocent. Possibly. Nobody ever demonstrated what the key did.

What this appears to do is add a couple of hooks to something that is, as the moment, approximately harmless. I.e., it appears that currently what it saves, it only saves to a local file, and the items saved seem probably harmless...depending on what the program does. So this doesn't appear to provide remote access to the information. Of course, which this d

Re:

[__aaclcg7560]

The naughty bit still needs twiddling.

Re:

[ledow]

To be honest, if they'd named them "_main_support" or "_internal", nobody would have been any the wiser.

Lucky that they left the function name, with obvious telemetry marker, in the data areas of the executable, or you'd not know or suspect what was happening without actually disassembling the thing.

Hell, surely an optimised/stripped executable wouldn't show them anyway, so you have really no way of knowing whether someone's put these into major parts of Windows, drivers or applications.

As always, without t

Re:

[fnj]

/facepalm

too much coffee

No, no, it's OK. We figured that.

Re:

[HiThere]

Actually, there *is* a solution to the problem as stated, though it's too much work to bother with when the better answer is to just use a different compiler. But you could build something to go through your binaries and dummy out all links to those libraries.

OTOH, when they control the OS, a better solution is to go elsewhere. If you MUST use MSWind, run an old version in a virtual environment with either no net access, or very tightly filtered. And to move rapidly away from any applications that depend

Re:

[MightyMartian]

And how many binaries are out in the wild now that are happily dumping debug data in production environments? Just because from now on the compiler doesn't perform what really is a very bad fucking idea doesn't mean that binaries compiled while it was doing this moronic and stupid thing aren't creating potential security and usability issues.