Disabling the WIN 10 Upgrade Nagging

In June 2016, this nagging became much more intrusive. MS began squatting on your machine with the Win 10 install files. They then began installing Win 10 without warning on unsuspecting users.

Given the privacy and security concerns with Win 10, you may not  want to be nagged to update, here’s how to stop the Windows 10 upgrade notifications and run Windows 7 or 8 forever.

There are a few methods which worked in the past but no longer stop the nagging and surreptitious install of Win 10. Never10 is the current tool that most easily disables the upgrade.

Windows 10 as Spyware

Current users of Windows 7 or 8 have been offered free upgrades to Windows 10. This would be tempting except for the liability that this may create. As we all know, there is no such thing as a free lunch.

Many experts deem lots of the new so-called features to be spyware. It is one thing to find an application misbehaving; it is entirely different to use an OS designed to allow Microsoft (MS) to monetize your data and squat on your computer hard drive. Built into the Windows 10 OS are spying and data-mining features that deliver data to MS which MS then uses to generate profits.

The long-winded Microsoft Services Agreement runs to 40,000 words of impenetrable legalese and you must agree to everything in it to get your new OS. Unfortunately, or is it predictably, the agreement appears to grant Microsoft the right to read, save, and share anything stored on or accessed using any computer running MS Windows as well as any computer using MS products or services. By default, all of this snooping is turned on and I have serious concerns that it may be impossible to entirely prevent this snooping.

Portions of Microsoft’s privacy policy, which is part of the services agreement, indicates that the MS may use a keylogger to collect users’ data. This means, if you open a file and type, MS has access to what you type, and the file containing the what you type. This may also apply to voice information from speech processing software. Of course, MS offers a way to shut-off all this logging, but you have to believe that it actually works and stays off.

If you are careful in planning your upgrade to Windows 10, and if you have the technical knowledge, then you can probably upgrade the OS while preserving your professional obligation to protect client confidentiality and privacy, at least initially.

To maintain privacy and confidentiality you should use Microsoft’s Media Creation tool. This gives you a copy of the OS installation files. You’ll need at least a 6 GB USB drive. You can use it on multiple PCs. During an upgrade, the installation will look to see if you already have a product key. To do a clean install you may need to have your Windows 7 or 8 product key. You should tape it on your PC. Keep the USB since there’s no other way to get back to Windows 10 if anything unexpected happens. Doing the installation otherwise may allow MS to scrape data from your computer.

By clicking on “Express Settings” during installation you give away your contacts, calendar details, text and touch input, location data, and a whole lot more. It is clear that MS wants to monetize the confidential information on your computer. This creates a serious liability for Canadian private investigators who maintain personal identifiers and other confidential information on Windows 10 machines. Under Canada’s Personal Information Protection and Electronic Documents Act (PEPIDA), by accepting the terms of the Microsoft Services Agreement you have chosen to share this information and in most cases that may be illegal. Accepting this agreement may also put private investigators in contravention of their licencing statutes.

If you click on the small “Customise settings” button at installation, you must toggle many settings on two pages to ‘off’. Don’t forget to include Wi-Fi Sense. Using the Privacy App to turn-off the data stream to MS for those who have already installed the OS using “Express Settings” will be even more confusing to the average user. After doing all the above, Windows 10 continues to send confidential data to MS unless you dig into the registry and group policy editor. Stopping the snooping will disable many features like the digital assistant Cortana that MS is marketing as a reason to upgrade to Windows 10. However, what I am describing here only describes what we can see. Without conducting packet-level analysis, we you don’t really know what data is being sent back to Microsoft, and by which service.

You will also need to go into Windows Firewall and turn-off the rules that allowed a whole slew of Microsoft applications to transmit information.

Windows 10 Home comes with full-disk BitLocker encryption. To enable it, you must use a Microsoft account and the recovery key needed to decrypt your drive resides on Microsoft’s servers. Doing this violates your professional obligations. However, Windows 10 Pro doesn’t have this restriction: you can use BitLocker with a local account and keep your key out of the cloud. Most investigators would use Windows 10 Home and theoretically, a third party could decrypt their drives remotely.

The data stream from your PC to MS is bad enough, but somebody will learn to intercept this data stream and this will leave you open to a targeted attack. If the hacker releases the stolen data and it is tracked back to you or your computer, then your career is likely over. You can expect some form of action under PEPIDA and/or prosecution under your licencing statute. This data breach will almost certainly result in a civil suit and adverse publicity. Who would hire a PI or researcher like that?

Another concern is how updates are delivered. Like Bittorrent, Win 10 updates will be distributed from other Win 10 PCs  This presents an extreme risk, as you don’t know where the update is really coming from. You have to know enough to choose how your updates are delivered.

Privacy & the PI

Let’s address this situation realistically from the perspective of the PI or researcher determined to use Windows 10.

Let’s assume that you are a trusting individual. You trust MS government officials, litigants, lawyers, and everybody else to not understand or care that you accepted the Microsoft Service agreement that grants MS access to all your confidential data and the right to save and share it. You must also trust that your own technical expertise is up to the task of properly installing Windows 10 to circumvent all the efforts of MS to access your data.

At the outset, you pay extra for the Pro version to set-up disk encryption with a local account because you are security conscious.

First, you try to install the OS without it being connected to the Internet to ensure it doesn’t scrape data from your PC. This doesn’t work, as it needs connectivity to complete the installation. You discover that you must use the clean install method (using Microsoft’s Media Creation tool) described above to isolate your PC from the Internet to ensure that MS doesn’t scrape data from you computer during the installation. There are reports of Win 10 install files being placed on your computer on Patch Tuesday to use your PC to further distribute the OS installation files. You must learn how to get your patches from only a trusted source and to prevent MS from using your PC to distribute the OS.

Second, upon ensuring that it will not scrape data from your PC during installation, you toggle two pages of settings to ‘off’ and lose many of the new features.

Third, you edit registry and group policies to staunch the continuing flow of data to MS. Doesn’t everybody know how to do this without damaging the usability of the OS?

Fourth, in Windows Firewall, you turn-off the rules that allow MS applications to transmit information to MS.

Fifth, you then choose how your updates are delivered to prevent updates from untrusted sites. You ensure that updates come from trusted computers in your own network.

Sixth, you conduct packet-level analysis and shut-off any service that continues to send data to MS. Doesn’t everybody know how to do this and have the time to do it?

Finally, with every update and patch, you do a packet-level analysis to make sure your privacy and security is intact.

Of course, sending all this private and confidential data to MS is not necessary to have a functioning OS and applications. It is only necessary for MS profits and probably some government snooping.

Next, how to stop the Win 10 install nagging.

Drones and the PI (UK Edition)

Back in November I wrote about the Drones and the PI and the Canadian Air Regulations.

In Britain, the Civil Aviation Authority has approved three companies to provide training for unmanned aerial vehicles (UAVs) operators who fly UAVs weighing less than 45 pounds.

Upon completion of the training, the pilot must provide the Civil Aviation Authority with an explanation of how the drone will be used and  provide proof of liability insurance. Then the pilot may receive flight permission, with a few stipulations. Generally, those stipulations are that they must fly in the line of sight and not within 50 meters of people or buildings. UAVs weighing over 15 pounds must get clearance from air traffic control and those under 15 pounds may operate freely in airspace that isn’t congested, such as near airports.

This seems to rule out their legal use for surveillance and security purposes.

Chrome is Listening

So you want to use Chrome as your browser. Are you aware that it has recently been reported that a Chrome Bug Allows Sites to Listen to Your Private Conversations?

The best way to avoid this threat is as follows:

  • Go to chrome://settings/content
  • Scroll down to Media
  • Select “Do not allow any sites to access my camera and microphone.

This will disable Google’s Conversational Search, etc. but security will be increased.

I never liked the way Chrome ‘phoned home’ to Google with user tracking, bug tracking etc. I have also found extensions that had malware-filled updates. However, it is faster than Firefox, which over the course of a research project may save hours of extra time. I resisted using Chrome due to security & privacy issues.

I now use is Comodo Dragon, which is based on the open-source Chrome browser, however, it is more private and secure if used properly. I disable the camera & mic as SOP, so I haven’t investigated how Dragon responds to this exploit. The setting change that I outlined was in reference to the actual Chrome browser and this particular exploit, there may be more that I don’t know about.

I am very careful about exposing myself to the internet. My outward-facing computers don’t have cameras or mics to entirely circumvent malicious software like this and the likes of Finspy.

Surveillance in a WiFi World

I sat in a hotel lobby recently enjoying a coffee while waiting for someone. I decided to write an entirely different blog article than this one while I waited. This lobby has convenient tables for road warriors and their portable computers–that is why I often arrange short meetings in that lobby.

At another table, I notice something rather familiar connected to someone’s laptop. It was a WiFi Pineapple. This was a bit disturbing.

Do you know what the WiFi Pineapple can do?

Surveillance & the WiFi Pineapple

The WiFi Pineapple allows an attacker to launch a “Man in the Middle” or MiTM attack by inspecting the data flow between the target and any resources he accesses on the web via a WiFi connection. This little Linux box equips the investigator or spy with a versatile surveillance and information-gathering tool.

From a surveillance perspective, it will reveal the names of all the WiFi networks the victim connected to on the highway, in hotels, and far-flung airports. The subject’s computer will cycle through all of the network identities (names) it has previously used. All of this is sent in the clear and can be captured by the WiFi Pineapple. The same applies to smartphones.

All of the network names to which it previously connected are disclosed over a few minutes. Coupled with an online resource such as WiGLE, this information can be used to establish a profile of the device owner–where he lives, works, eats, drinks coffee, his gym, his favorite no-tell motel, and more. Combine the Pineapple with Wireshark and you have an excellent surveillance toolkit or one that could facilitate some real mischief.

Protect yourself

The simplest protection is the best. Shut-off the WiFi on your portable device. Use WiFi in secure environments only.

Bluetooth & Surveillance

I previously wrote about Bluetooth and Surveillance Detection and how Bluetooth could be used to determine if you were being followed.

Prior to a recent surveillance assignment, I scanned for nearby devices and was able to identify each of the other investigators’ mobile phones. This was not a good start. I required all the team members to demonstrate that they had shut off both Bluetooth and WiFi or at least set the Bluetooth signal to be hidden except to authorized devices and shut-off the WiFi.

Getting Out of Google

Google and other search engines are wonderful things for gathering information, we all know that, but what if people with evil intent are gathering information about you?

Getting out of Street View

Google Street View provides a great deal of data that can be used to plan an attack on a facility, a person, or to conduct a kidnapping. Google offers an easy, free, and effective way to restrict access to this data.

At a client’s home, I found that his car licence plate was legible. This usually occurs when the car is parked inside a garage or car port. At the client’s workplace, several security measures were clearly visible as were other features of the facility that raised concerns.

Google’s solution is to place an opaque digital wall around your house or facility. To get out of Google Street View, first search for the street address. Once the property is visible, you will find a small box at the bottom right of the image that says “Report a problem”. Click on this to select a reason for blurring the image of the property. I usually select Other: This image presents security concerns. Add some discriptive data to help Google identify the property and complete the CAPTCHA (an acronym for “Completely Automated Public Turing test to tell Computers and Humans Apart”) thing that takes me several tries to get right. In 2 or 3 days a blurred wall should appear around the property.

Brains Versus Brawn

Far too often, security relies on brawn alone — uniformed guards, guns, alarms, locks, armoured vehicles, blast and ballistic resisent engineering. Unfortunately, force can be defeated by guile and superior force.

An example of brawn’s failure is that of Alfred Herrhausen, the Deutsche Bank Chief who was murdered by the Red Army Faction in 1989.

He knew that he was a target. He had a thirty-man security detail and armored vehicles. His murderers had work clothes, a city works vehicle, and explosives. Posing as city workers, his murderers engaged in their own construction project to mine the road that their victim frequently used.

Brawn thrice failed. The first failure was to notice the initial surveillance that led to the terrorists identifing the attack site. Second, brawn failed to recognize and regularly inspect an obivous attack location. Finally, the terrorists were engaged in their construction project for about one month and the security detail didn’t call the city to confirm that the construction activity was legitimate.

The brain would have had a surveillance detection detail. The brain would conduct a route survey to identify likely attack locations. The brain would assign the surveillance detection detail to observe possible attack locations to look for unusual activity. The brain would have called the city about the construction activity.

The brain’s greatest enemy is the budget wala. Brawn is tangible, surveillance detection isn’t. Surveillance detection is like insurance — an expense for something you probably won’t use. Budget walas want proof that surveillance detection is worth the cost because when they spend money on brawn they get something tangible.

Threat Spirals

Security professionals undertake planning in relation to threat spirals. As a threat escalates, it inspires new defensive countermeasures. The security professional endeavors to get inside an opponent’s threat spiral. This means anticipating the next escalation and instituting countermeasures that insulate his principal from the future threat. Getting inside an opponent’s threat spiral requires tools, technology, and manpower.

Some form of surveillance usually precedes attacks against people and facilities. This hostile effort will include research using open sources, social engineering, and both technical and physical surveillance.

Surveillance Detection

One powerful tool to get inside the threat spiral is surveillance detection. Hostile surveillance is a precursor to attack – recognising the surveillance activity gets you inside the opponent’s threat spiral.

Are you a Suspicious Person?

The surveillance conscious subject is more common today than forty years ago when I started in the business. Lawyers coach claimants on how to deal with surveillance. Criminals teach each other on how to recognise surveillance. Unfortunately, PI’s do not receive much training on how to avoid detection of their surveillance efforts.

Clumsy choice or use of the initial vantage point may doom the entire surveillance effort. If the subject sees someone repeatedly over Time, in different Environments and over some Distance, and if the surveillant displays poor Demeanor, then he will know that he is under surveillance. This means that initial vantage point, and the PI’s presence there, must not be remarkable in any way.

Don’t chose the initial vantage point without first evaluating the location. Understand the appearance and behaviour of the people likely to be at the vantage point. Don’t be like the inept guy in the old detective movie — you know the one — the guy leaning against a lamp pole reading a newspaper in the middle of the night.

Observe the vantage point from a position that the subject cannot see — you have questions that need answering. What type of person is at or near the vantage point? How long can you remain at the vantage point without arousing suspicion? What appearance, behaviour or persona will allow you to remain in place without arousing suspicion? Can you follow the subject in your adopted persona or must another team member do that?

What’s in an Employee Number

I was reviewing a stalled investigation into an apparent corporate fraud when I noticed something interesting. A surveillance photograph was in the paper file — you don’t see many real surveilance photographs any more, just muddy images taken from video.

This particular photo was so clear and detailed that I had to talk to the investigator who took it. It was taken with a long lens mounted on a camera with a 22 mp full-frame CMOS sensor. The investigator directed me to the server and directory that contained over one hundred images along with video taken using the same camera. All of this data was summarised in two paragraphs in the investigation report. This proved unfortunate, as this fine work happened early in the investigation. The investigator wrote a detailed report that someone summarised without including a proper citation. The person who did this failed to recognise that the problem had been solved. Over one year later I was hired to solve this difficult and persistent problem.

The surveillance picture clearly showed an employee pass card. The pass card clearly showed the name of the security system vendor, employee name, employee picture, and worst of all, the employee number. The employee number was the defacto authentication required for gaining information the crooks needed. During social engineering the crooks were challenged and asked for their employee number. When they provided the number the information flood gates opened.

Further investigation revealed that a fake employee pass card was made and used to gain access to the facility. The card didn’t have any electronic component, but the crook was wearing a authentic-looking employee card just like everybody else, and that was enough for him to repeatedly gain the access he needed. He just walked throughout he front door at the right time of day and followed the real employees to the department where he committed his crime, over and over again.

Once captured, this crook freely admitted that he got everything he needed from the passcards that employees wore prominently around their necks. He copied it from pictures he took, just like the first investigator did.

Surveillance Detection

A colleague with offices in South Korea and Singapore was casting about trying to think of an article to write for his blog, The Erudite Risk Blog, which covers issues related to risk management in Asia.

I was pleased to help out, especially since his blog usually contains longer, more detailed articles than I usually have here. My article, Surveillance Detection, deals with creating a holistic approach to Surveillance Detection (SD). I explain how to evaluate the risk associated with hostile surveillance and the methods employed by the surveillance operative. The basics of a SD operation and organisation are explained along with risks and difficulty of conducting Counter Surveillance.

In conjunction with my SD article, I recommend reading Rodney Johnson’s Social Engineering and Information Theft and Ice to an Eskimo.  Social Engineering (SE) is surveillance’s evil cousin. Physical surveillance, technical surveillance, and SE are all part of the same risk — the loss of critical information.

Surveillance Detection & Bluetooth

I don’t do much surveillance work anymore, but recently I was pressed into service to assist a friend who was injured on the job. I took a file from his caseload at random and this led to a couple of interesting days.

This subject was very ‘surveillance-aware’. He must have been coached or read a book or two. He did all the right things, but in a very obvious and clumsy manner. This was obviously his first rodeo.

On several occasions, I observed him look at his phone then at the surrounding people. I realised that he was doing this with a purpose; I just couldn’t put it into context. It was like his practice of looking at the people in the area when he left a building and then watching the people exiting the door he used to leave the building.  Then I realised my problem was that I am a mobile telephone Luddite and I needed to talk to the younger folks — you know the type, the ones always fiddling with their gadget phone thingy.

My conclusion was that the subject was using his mobile phone to scan the area for Bluetooth devices. To do this, he selected relatively confined areas, or choke-points, where he could see people in the area that he might have seen before. If he saw the same Bluetooth device at more than one of these choke-points, he knew he was being followed, and that he stood a good chance of identifying the person following him.

This was a clever use of Bluetooth technology, but it was wasted on me. I don’t carry a Bluetooth-enabled mobile.