Visual Studio compiler inserts telemetry into compiled code without users knowledge
-
Unbelievably, the latest version of Visual Studio inserts "telemtry" into compiled code: Reviewing Microsoft's Automatic Insertion of Telemetry into C++ Binaries[^] :mad:
-
Unbelievably, the latest version of Visual Studio inserts "telemtry" into compiled code: Reviewing Microsoft's Automatic Insertion of Telemetry into C++ Binaries[^] :mad:
How many times are they going to shoot themselves in the foot before an amputation is required?
New version: WinHeist Version 2.2.2 Beta
I told my psychiatrist that I was hearing voices in my head. He said you don't have a psychiatrist! -
Unbelievably, the latest version of Visual Studio inserts "telemtry" into compiled code: Reviewing Microsoft's Automatic Insertion of Telemetry into C++ Binaries[^] :mad:
-
Unbelievably, the latest version of Visual Studio inserts "telemtry" into compiled code: Reviewing Microsoft's Automatic Insertion of Telemetry into C++ Binaries[^] :mad:
It's not unbelievable. Governments want data about their "subjects", and MS is obliging. Come into the parlour of the all-new world-wide web.
I wanna be a eunuchs developer! Pass me a bread knife!
-
Unbelievably, the latest version of Visual Studio inserts "telemtry" into compiled code: Reviewing Microsoft's Automatic Insertion of Telemetry into C++ Binaries[^] :mad:
-
Unbelievably, the latest version of Visual Studio inserts "telemtry" into compiled code: Reviewing Microsoft's Automatic Insertion of Telemetry into C++ Binaries[^] :mad:
Thinking on it, this is probably their way of trying to get around the fact that so many people have disabled win 10's telemetry -- and therefore yet another "We don't care what you want! What We want is more important!"
I wanna be a eunuchs developer! Pass me a bread knife!
-
How many times are they going to shoot themselves in the foot before an amputation is required?
New version: WinHeist Version 2.2.2 Beta
I told my psychiatrist that I was hearing voices in my head. He said you don't have a psychiatrist!Microsoft likely has 2 options: Do stuff like this as mandated, and let it hurt their business Shut down completely without violating gag order (TrueCrypt, Lavabit, etc)
-
Thinking on it, this is probably their way of trying to get around the fact that so many people have disabled win 10's telemetry -- and therefore yet another "We don't care what you want! What We want is more important!"
I wanna be a eunuchs developer! Pass me a bread knife!
It's remarkably inconsistent though. I would have expected a call to the GWX loader, no less! ;P
GOTOs are a bit like wire coat hangers: they tend to breed in the darkness, such that where there once were few, eventually there are many, and the program's architecture collapses beneath them. (Fran Poretto)
-
Unbelievably, the latest version of Visual Studio inserts "telemtry" into compiled code: Reviewing Microsoft's Automatic Insertion of Telemetry into C++ Binaries[^] :mad:
spongo2 comments on Visual Studio adding telemetry function calls to binary?[^] hi everyone. This is Steve Carroll, the dev manager for the Visual C++ team. Tl;dr: thanks folks for the feedback. Our team will be removing this from our static libs in Update 3. Our intent was benign – our desire was to build a framework that will help investigate performance problems and improve the quality of our optimizer should we get any reports of slowdowns or endemic perf problems in the field. We apologize for raising the suspicion levels even further by not including the CRT source, this was just an oversight on our part. Despite that, some of you already investigated how this mechanism works in nice detail. As you have already called out, what the code does is trigger an ETW event which, when it’s turned on, will emit timestamps and module loads events. The event data can only be interpreted if a customer gives us symbol information (i.e. PDBs) so this data is only applicable to customers that are actively seeking help from us and are willing to share these PDBs as part of their investigation. We haven’t actually gone through this full exercise with any customers to date though, and we are so far relying on our established approaches to investigate and address potential problems instead. We plan to remove these events in Update 3. In the meantime, to remove this dependency in Update 2, you should add notelemetry.obj to your linker command line. If you’re generally concerned about phone-home scenarios, more information about how to configuring Windows 10 appropriately to your needs can be found here: https://technet.microsoft.com/en-us/itpro/windows/manage/configure-windows-10-devices-to-stop-data-flow-to-microsoft#bkmk-priv-feedback Thanks.
-
spongo2 comments on Visual Studio adding telemetry function calls to binary?[^] hi everyone. This is Steve Carroll, the dev manager for the Visual C++ team. Tl;dr: thanks folks for the feedback. Our team will be removing this from our static libs in Update 3. Our intent was benign – our desire was to build a framework that will help investigate performance problems and improve the quality of our optimizer should we get any reports of slowdowns or endemic perf problems in the field. We apologize for raising the suspicion levels even further by not including the CRT source, this was just an oversight on our part. Despite that, some of you already investigated how this mechanism works in nice detail. As you have already called out, what the code does is trigger an ETW event which, when it’s turned on, will emit timestamps and module loads events. The event data can only be interpreted if a customer gives us symbol information (i.e. PDBs) so this data is only applicable to customers that are actively seeking help from us and are willing to share these PDBs as part of their investigation. We haven’t actually gone through this full exercise with any customers to date though, and we are so far relying on our established approaches to investigate and address potential problems instead. We plan to remove these events in Update 3. In the meantime, to remove this dependency in Update 2, you should add notelemetry.obj to your linker command line. If you’re generally concerned about phone-home scenarios, more information about how to configuring Windows 10 appropriately to your needs can be found here: https://technet.microsoft.com/en-us/itpro/windows/manage/configure-windows-10-devices-to-stop-data-flow-to-microsoft#bkmk-priv-feedback Thanks.
His answer is full of holes. Simply logging start and stop times of binaries would be of no use for performance profiling. Secondly, why is it not documentented? Thirdly, why is it inserted into the C runtime? That would seem to be an inappropate place to insert telemetry monitoring software. Forthly, we only found out about this feature by accident. If it hadn't been discovered would have been removed at all?
-
Unbelievably, the latest version of Visual Studio inserts "telemtry" into compiled code: Reviewing Microsoft's Automatic Insertion of Telemetry into C++ Binaries[^] :mad:
-
I'm trying to care, but I just can't. What's the big deal?
There are only 10 types of people in the world, those who understand binary and those who don't.
What's the big deal? From lesser to greater ... 1. Executables bloated with unnecessary code that does not help with the software's purpose. In addition to size (which most won't care about), this potentially reduces reliability, as you are not testing these undocumented "features". 2. Potential for adware and anything else to get inserted into or called from executables. If one unnecessary thing is slipped in, what is next? 3. Microsoft (or whoever) can record all types of things about each executable and its usage. 4. You become a vendor for spyware, not knowing what is being recorded about users of your software. Especially for commercial software vendors, this a death knell for your business when word gets out. And word WILL get out -- this thread proves that. Could this issue be a totally benign thing? Sure, it certainly could. But given Microsoft's current policies and the crap it baked into Win10, I'm going with "distrust and verify". This has got to be the dumbest thing that Microsoft has done under Nadella's watch. Microsoft is fighting for survival in a new world that it doesn't control, and this issue is going to push people away from their products.
-
What's the big deal? From lesser to greater ... 1. Executables bloated with unnecessary code that does not help with the software's purpose. In addition to size (which most won't care about), this potentially reduces reliability, as you are not testing these undocumented "features". 2. Potential for adware and anything else to get inserted into or called from executables. If one unnecessary thing is slipped in, what is next? 3. Microsoft (or whoever) can record all types of things about each executable and its usage. 4. You become a vendor for spyware, not knowing what is being recorded about users of your software. Especially for commercial software vendors, this a death knell for your business when word gets out. And word WILL get out -- this thread proves that. Could this issue be a totally benign thing? Sure, it certainly could. But given Microsoft's current policies and the crap it baked into Win10, I'm going with "distrust and verify". This has got to be the dumbest thing that Microsoft has done under Nadella's watch. Microsoft is fighting for survival in a new world that it doesn't control, and this issue is going to push people away from their products.
BryanFazekas wrote:
Executables bloated with unnecessary code that does not help with the software's purpose
Bloated seems like an overstatement. But OK.
BryanFazekas wrote:
Potential for adware and anything else to get inserted into or called from executables. If one unnecessary thing is slipped in, what is next?
That just sounds like paranoia. I can brake into your house and murder you anytime I want to, but the reality is, it won't ever happen. No reason to worry about all possible bad things in life. You'll go nuts.
BryanFazekas wrote:
Microsoft (or whoever) can record all types of things about each executable and its usage.
Again, who cares?
BryanFazekas wrote:
You become a vendor for spyware, not knowing what is being recorded about users of your software
You already are. Read Microsoft's software agreements sometime.
BryanFazekas wrote:
this issue is going to push people away from their products.
And who would people go to instead of Microsoft?
There are only 10 types of people in the world, those who understand binary and those who don't.
-
BryanFazekas wrote:
Executables bloated with unnecessary code that does not help with the software's purpose
Bloated seems like an overstatement. But OK.
BryanFazekas wrote:
Potential for adware and anything else to get inserted into or called from executables. If one unnecessary thing is slipped in, what is next?
That just sounds like paranoia. I can brake into your house and murder you anytime I want to, but the reality is, it won't ever happen. No reason to worry about all possible bad things in life. You'll go nuts.
BryanFazekas wrote:
Microsoft (or whoever) can record all types of things about each executable and its usage.
Again, who cares?
BryanFazekas wrote:
You become a vendor for spyware, not knowing what is being recorded about users of your software
You already are. Read Microsoft's software agreements sometime.
BryanFazekas wrote:
this issue is going to push people away from their products.
And who would people go to instead of Microsoft?
There are only 10 types of people in the world, those who understand binary and those who don't.
RyanDev wrote:
That just sounds like paranoia. I can brake into your house and murder you anytime I want to, but the reality is, it won't ever happen. No reason to worry about all possible bad things in life. You'll go nuts.
Do you lock your car when you park it? Do you lock your doors at night or when you're not at home? Most people are (more or less) honest ... but we take precautions to protect us from the ones who are not. If that's paranoia ... stop locking your car and your doors. :laugh:
-
RyanDev wrote:
That just sounds like paranoia. I can brake into your house and murder you anytime I want to, but the reality is, it won't ever happen. No reason to worry about all possible bad things in life. You'll go nuts.
Do you lock your car when you park it? Do you lock your doors at night or when you're not at home? Most people are (more or less) honest ... but we take precautions to protect us from the ones who are not. If that's paranoia ... stop locking your car and your doors. :laugh:
BryanFazekas wrote:
Do you lock your car when you park it? Do you lock your doors at night or when you're not at home?
Of course. But I don't care if anyone is taking pictures of my car or if there is a security camera in the parking lot recording video for others to see. And many of us have written code that sends us information about the performance of our software or sends us error reports, etc. So what?
There are only 10 types of people in the world, those who understand binary and those who don't.
-
BryanFazekas wrote:
Executables bloated with unnecessary code that does not help with the software's purpose
Bloated seems like an overstatement. But OK.
BryanFazekas wrote:
Potential for adware and anything else to get inserted into or called from executables. If one unnecessary thing is slipped in, what is next?
That just sounds like paranoia. I can brake into your house and murder you anytime I want to, but the reality is, it won't ever happen. No reason to worry about all possible bad things in life. You'll go nuts.
BryanFazekas wrote:
Microsoft (or whoever) can record all types of things about each executable and its usage.
Again, who cares?
BryanFazekas wrote:
You become a vendor for spyware, not knowing what is being recorded about users of your software
You already are. Read Microsoft's software agreements sometime.
BryanFazekas wrote:
this issue is going to push people away from their products.
And who would people go to instead of Microsoft?
There are only 10 types of people in the world, those who understand binary and those who don't.
-
RyanDev wrote:
And who would people go to instead of Microsoft?
:doh: You do realize there are other compilers on the market?
-
BryanFazekas wrote:
Do you lock your car when you park it? Do you lock your doors at night or when you're not at home?
Of course. But I don't care if anyone is taking pictures of my car or if there is a security camera in the parking lot recording video for others to see. And many of us have written code that sends us information about the performance of our software or sends us error reports, etc. So what?
There are only 10 types of people in the world, those who understand binary and those who don't.
RyanDev wrote:
But I don't care if anyone is taking pictures of my car or if there is a security camera in the parking lot recording video for others to see.
That sounds reasonable, but in this case taking pictures of your care or a security camera would be something the OS or anti-virus/anti-malware would be doing. This is more like Ford or GM deciding to make your car honk and flash the lights every time you change the radio station.
-
RyanDev wrote:
But I don't care if anyone is taking pictures of my car or if there is a security camera in the parking lot recording video for others to see.
That sounds reasonable, but in this case taking pictures of your care or a security camera would be something the OS or anti-virus/anti-malware would be doing. This is more like Ford or GM deciding to make your car honk and flash the lights every time you change the radio station.
Member 2652715 wrote:
This is more like Ford or GM deciding to make your car honk and flash the lights every time you change the radio station.
Actually, it isn't like that at all. My application will not behave any differently because of their code.
There are only 10 types of people in the world, those who understand binary and those who don't.
-
BryanFazekas wrote:
Executables bloated with unnecessary code that does not help with the software's purpose
Bloated seems like an overstatement. But OK.
BryanFazekas wrote:
Potential for adware and anything else to get inserted into or called from executables. If one unnecessary thing is slipped in, what is next?
That just sounds like paranoia. I can brake into your house and murder you anytime I want to, but the reality is, it won't ever happen. No reason to worry about all possible bad things in life. You'll go nuts.
BryanFazekas wrote:
Microsoft (or whoever) can record all types of things about each executable and its usage.
Again, who cares?
BryanFazekas wrote:
You become a vendor for spyware, not knowing what is being recorded about users of your software
You already are. Read Microsoft's software agreements sometime.
BryanFazekas wrote:
this issue is going to push people away from their products.
And who would people go to instead of Microsoft?
There are only 10 types of people in the world, those who understand binary and those who don't.
RyanDev wrote:
BryanFazekas wrote:
Executables bloated with unnecessary code that does not help with the software's purpose
Bloated seems like an overstatement. But OK.
The unstated thing is that, while MS claims they added this instrumentation to keep an eye on the performance of your applications, what is the performance and behavior of this telemetry logging functionality (and how will it change as they update their OS)? Can it cause app slowdowns? crashes? Fill your customer's disk? How does it change the attack surface of your app? If you don't know it's there, how will you be able to address any of this? Worse, MS will feel free to change that code at any time, so you may wake up one day to find out that installed versions of your application are suddenly doing very bad things to your customers computers, and you didn't make any change at all to your code that could have caused it. You can deny all you want, but your customers are still going to blame you and your code. And remember, Microsoft had no plans to tell you about this addition, they've been forced to remove it because their attempt to slip unwanted code into everybody's applications was discovered by a user and the community pushed back.
We can program with only 1's, but if all you've got are zeros, you've got nothing.
