Tag Archives: Windows 10

Revival of an old Terra 1541 Pro with Opensuse Leap 15.5

Posted on by

My wife and I use the expression “Windust” for the Windows operative system. A “dust” is a somewhat stupid person in Norwegian. I will use this expression below.

My wife has a rather old laptop (Terra 1541 Pro). I has survived Windust 7 up to the latest Windust 10. It was the only one of our laptops with a full Windows installation. We used it for communication with some customers that had Windows, only. Skype, Teams are the keywords.

During the last Windust 10 updates the laptop got slower and slower. In addition, according to MS, the laptop does not qualify for Windows 11. A neighbor of us had the same problem. What do Windust users (as our neighbor) do in such situations? They either try a full Windows (10) installation from scratch – and/or buy themselves a new laptop. It is so typical and so “dust” …

Revival with Linux?

My wife and I are retired persons. We no longer need to care about customers who depend on Windust. For the few remaining ones a small virtual installation under KVM on a workstation is sufficient for all practical purposes. So, we thought: This old laptop is a typical case for a revival cure with Linux.

A good friend of us organized a new rechargeable battery block for us and we ordered a 1 TB SSD in addition. The screen has a 1920×1080 resolution, the RAM is 16GB. Graphics is Intel based. All in all, for non-professional purposes it is a well equipped laptop. We therefore decided to finally say good bye to our last Windows installation which slowed down the laptop.

Opensuse Leap 15.5 installation

Yesterday, I installed Opensuse Leap 15.5 on the laptop. From an ISO-image on DVD. No problems occurred during the installation process.
[At least as long as I did not try to add special SW repositories with YaST2. Opensuse has build a remarkable bug into Yast2’s software(= RPM) management. More about this in another post.]

The good news is: The laptop works with Leap 15.5 and KDE like a charm. And it is now less noisy (ventilation!) than with Windows 10. All special keys for controlling screen brightness and speaker levels work. No problem to attach Kontact (with Kmail) and Thunderbird to our IMAP-server. Multimedia programs like Clementine do their work. Our standard browsers (FF, Chromium, Opera), too. Yesterday we watched the Norwegians handball team play against Slovenia during the EM in Germany via a live stream on Firefox on this laptop and on an HDMI-attached HD TV that extended the laptop screen. Automatically recognized and after answering a question, in which direction we wanted to extend, automatically activated.

After a short configuration network connections can be set up via Ethernet cable, if we want to work in our inner LAN network with Linux systems, only. These systems are configured via firewalls to trust each other partially and with respect to certain services. Internet connection happens via routing through a perimeter firewall. Alternatively my wife can directly connect to a WLAN of our router, when she just wants to access the Internet. Networkmanager, priorities for automatic connections and sensing a plugged-in network cable are used to make an adequate automatic choice of the system: If the Ethernet cable is plugged in a cable based connection is used, only. If the cable is unplugged WLAN is activated automatically. And vice versa.
A small script for avoiding double connections (LAN and WiFi) can be added to the “/etc/NetworkManager/dispatcher.d”. This is discussed in “man nmcli-examples” and at [1]. I recommend all users of Linux laptops with Network manager to study the little script: 

#!/bin/bash
export LC_ALL=C

enable_disable_wifi ()
{
    result=$(nmcli dev | grep "ethernet" | grep -w "connected")
    if [ -n "$result" ]; then
        nmcli radio wifi off
    else
        nmcli radio wifi on
    fi
}

if [ "$2" = "up" ]; then
    enable_disable_wifi
fi

if [ "$2" = "down" ]; then
    enable_disable_wifi
fi

Do not forget to give the script executable rights. Works perfectly.

Do we miss any Windows SW on the old laptop?

Straight answer: No. My wife has used GIMP, Gwenview, showFoto (with ufraw) and Inkscape for image manipulations for years. GIMP and Inkscape also on Windust. We both use Libreoffice Draw for drawings and simple graphics. Libreoffice (with Writer, Calc, Impress) has been a sufficient and convenient replacement for MS Office already for many years. For creating tax reports we use LinHaBU. The little we do with Web development these days can be done with Eclipse. Linux offers a variety of FTP-tools. All in all our needs are covered and our requirements very well fulfilled.

The old laptop will get a hopefully long 2nd life with Linux at our home in Norway.

Some security considerations

One thing that may be important for professional people: You may want to have a fully encrypted system. This can, of course, be achieved with LUKS. And in contrast to an often heard argument it is not true that this requires an unencrypted and therefore insecure “/boot”-partition. I have written articles on setting up a fully encrypted Linux system with the help of LUKS on laptops in this blog.

TPM offers options to detect HW-modifications of your system. See e.g. [5]. This is certainly useful. But, as you have an old laptop with Windust, you probably have lived with many more and SW-related risks regarding your security for a long time. So, no reason to forget or replace your laptop by a new one. Most Windust users that I know do not even have a Bitlocker encryption active on their systems.

While the BitLocker encryption of Windust may require TPM 2.0 to become safe again (unsafe SHA-1 support in TPM 1.2), we can gain a high level of security regarding disk encryption on Linux with LUKS alone. One can even find some arguments why TPM (2.0) may not make fully encrypted Linux laptops more secure. Opensuse and other distributions do support TPM 2.0 and secure boot. So, the question is not whether some Linux distribution actively supports TPM, but whether we really need or want to use it. See e.g. the discussion and warnings here.

In my private opinion, the old game of Windows supporting the HW-industry and vice versa just goes into a new cycle and the noise about HW- and firmware based attacks ignores at least equally big risks regarding SW (OS and applications).

Even under security considerations I see no major reason why one should not use older laptops with a full LUKS encryption. A major difference is that we do not put secrets and keys for an automatic decryption into a TPM-chip which could have backdoors. A LUKS setup is a bit more inconvenient than Bitlocker with TPM, but with all partitions encrypted (no separate /boot-partition!) not really un-safer. The big advantage of LUKS full encryption without TPM is: No knowledge of the key passphrase, no decryption. But this is all stuff for a more detailed investigation. A fully LUKS encrypted Linux setup would in any case probably be significantly safer than an old Windust installation with Bitlocker and TPM 1.x.

If your security requirements are not top level most reasons not to use old laptops are not valid in my opinion. So, give Linux a try on your old machines before throwing them away.

Conclusion and some preliminary security considerations

Old laptops can remain a valuable resource – even if they are not fit for Windows 11 according to MS. Often enough they run very well under Linux. If you have major security requirements consider a full disk encryption with LUKS. This may not be as safe as LUKS with TPM 2.0 and a two-phase-authentication, which you would have to take care of during setup, but it may be much safer as the Windust installation you have used before.

And do not forget: TPM is no protection against attacks which use vectors against SW-vulnerabilities.

Links

[1] https://unix.stackexchange.com/ questions/ 346778/ preventing-double-connection-over-wlan0-and-usb-0-in-network-manager-gnome

[2] TPM and Arch Linux: https://wiki.archlinux.org/ title/ Trusted_Platform_Module
See also the warnings in
https://wiki.archlinux.org/ title/ User:Krin/ Secure_Boot, _full_disk_encryption, _and_TPM2_unlocking_install

[3] Bruce Schneier on TPM attacks: See https://www.schneier.com/tag/tpm/ and
https://www.schneier.com/ blog/ archives/2021/08/ defeating-microsofts-trusted-platform-module.html

[4] TPM 2.0 vulnerabilities: https://www.tomsguide.com/ news/ billions-of-pcs-and-other-devices-vulnerable-to-newly-discovered-tpm-20-flaws

[5] A positive look on TPM from Red Hat: https://next.redhat.com/ 2021/05/13/ what-can-you-do-with-a-tpm/

Samba 4, shares, wsdd and Windows 10 – how to list Linux Samba servers in the Win 10 Explorer

Posted on by

These days I relatively often need to work with Windows 10 at home (home-office, corona virus, …). Normally, I isolate my own Win 10 instance in a VMware virtual machine on my Linux PC – and reduce any network connections of this VM to selected external servers. Under normal conditions all ports on the Linux host are closed for the virtual machine [VM]. But on a few temporary occasions I want to the Win 10 system to access a specific Samba exchange directory on a KVM virtualized Linux instance on the same host.

Off topic: You see that I never present directories of my Linux host directly to a Win 10 guest via Samba. Instead I transfer files via an exchange directory on an intermediate VM whose Samba service is configured to disallow access of the Win system on shares presented to the host. A primitive, but effective form of separation. The only inconvenient consequence is that synchronization becomes a two-fold process on the host and the Linux VM. But we have Linux tools for this, so the effort is limited. )

Of course we want to use the SMB protocol in a modern version, i.e. version 3.x (SMB3), over TCP/IP for this purpose (port 445). In addition we need some mechanism to detect and browse SMB servers on the Windows system. In the old days NetBIOS was used for the latter. On the Linux side we had the nmbd-daemon for it – and we could set up a special Samba server as a WINS server.

During the last year Microsoft has – via updates and new builds of Windows 10 – followed a consistent politics of deactivating the use of SMB V1.0 systematically. This, however, led to problems – not only between Windows PCs, but also between Win 10 instances and Samba 4 servers. This article addresses one of these problems: the missing list of available Samba servers in the Windows Explorer.

There are many contributions on the Internet describing this problem and some even say that you only can solve it by restoring SMB V1 capabilities in Win 10 again. In this article I want to recommend two different solutions:

  • Ignore the problem of Samba server detection and use your Samba shares on Win 10 with the SMB3 protocol as network drives.
  • If you absolutely want to see and list your Samba servers in the Windows Explorer of a Win 10 client, use the “Web-Service-Discovery” service via a WSDD-daemon provided by a Python script of Steffen Christgau.

I myself got on the right track of solving the named problem by an article of a guy called “Stilez”. His article is the first one listed under the section “Links” below. I recommend strongly to read it; it is Stilez who deserves all credit in pointing out both the problem and the solution. I just applied his insight to my own situation with virtualized Samba servers based on Opensuse Leap 15.1.

SMB V1.0 should be avoided – but NetBIOS needs it to exchange information about SMB servers

SMB, especially version SMB V1.0, is well known for security problems. Even MS has understood this – especially after the Wannacry disaster. See e.g. the links in the section “Links” => “Warnings of SMBV1” at the end of this article. MS has deactivated SMB V1 in the background via some updates of Win 8 and Win 10.

One of the resulting problem is that we do not see Samba servers in the Windows Explorer of a Win 10 system any longer. In the section “Network” of the Windows Explorer you normally should see a list of servers which are members of a Workgroup and offer shares.

Two years ago we would use NetBIOS’s discovery protocol and a WINS server to get this information. Unfortunately, the NetBIOS service detection ability depends on SMB1 features. The stupid thing is that we for a long while now had and have a relatively secure SMB2/3, but NetBIOS discovery only worked with SMB V1 enabled on the Windows client. Deactivating SMB V1 means deactivating NetBIOS at the
same time – and if you watch your Firewall logs for incoming packets from the Win 10 clients you will notice that exactly such a thing happened on Win 10 clients.

This actually means that you can have a full featured Samba/NetBIOS setup on the Linux side, that you may have opened the right ports on the firewalls for your Samba/WINS server and client systems, but that you will nevertheless not get any list of available Samba servers in Win 10’s Explorer. 🙁

Having understood this leads to the key question for our problem:

By what did MS replace the detection features of NetBIOS in combination with SMB-services?

Settings on the MS Win side – which alone will not help

When you google a bit you may find many hints regarding settings by which you activate network “discovery” functionalities via two Windows services. See

https://www.wintips.org/fix-windows-10-network-computers-not-showing/
https://winaero.com/blog/network-computers-not-visible-windows-10-version-1803/

You can follow these recommendations. If you want to see your own PC and other Windows systems in the Explorer’s list of network resources you must have activated them (see below). However, in my Win 10 client the recommended settings were already activated – with the exception of SMB V1, which I did and do not wish to reactivate again. The “discovery” settings may help you with other older Windows systems, but they do not enable a listing of Samba 4 servers without additional measures on Win 10.

There is another category of hints which in my opinion are contra-productive regarding security. See https://devanswers.co/network-error-problem-windows-cannot-access-hostname-samba/
Why activate an insecure setting? Especially, as such a setting does not really help us with our special problem? 🙁

A last set of hints concerns the settings on the Samba server, itself. I find it especially nice when such recommendations come from Microsoft :-). See: http://woshub.com/cannot-access-smb-network-shares-windows-10-1709/

[global]
server min protocol = SMB2_10
client max protocol = SMB3
client min protocol = SMB2_10
encrypt passwords = true
restrict anonymous = 2

Thanks to MS we now understand that we should not use SMB V1 …. But, actually, these hints are again insufficient regarding the Explorer problem …

What you could do – but should NOT do

Once you have understood that NetBIOS and SMB V1 still have an intimate relation (at least on a Windows systems) you may get the idea that there might exist some option to reactivate SMBV1 again on the Win 10 system. This is indeed possible. See here:
https://community.nethserver.org/t/windows-10-not-showing-servers-shares-in-network-browser/14263/4
https://www.wintips.org/fix-windows-10-network-computers-not-showing/

If you follow the advice of the authors and in addition re-open the standard ports for NetBIOS (UDP) 137, 138, (TCP) 139 on your firewalls between the Win 10 machine and your Samba servers you will – almost at once – get up the list of your accessible Samba servers in the Network section of the Win 10 Explorer. (Maybe you have to restart the smb and nmb services on your Linux machines).

But: You should not do this! SMB V1 should definitely become history!

Fortunately, a re-activation of SMB V1
on a Win 10 system is NOT required to mount Samba shares and it is neither required to get a list of available Samba servers in the Win 10 Explorer.

What you should do: Win 10 service settings

There are two service settings which are required to see other servers (and your own Win10 PC itself) in the list of network hosts presented by the Windows explorer:
Start services.msc ( press the Windows key + R => Enter “services.msc” in the dialog. Or: start services.msc it via the Control Panel => System and Security => Services)

  • Look for “Function Discovery Provider Host” => Set : Startup Type => Automatic
  • Look for “Function Discovery Resource Publication” => Set : Startup Type => Automatic (Delayed Start) !!

I noticed that on my VMware Win 10 guests the second setting appeared to be crucial to get the Win 10 PC itself listed among the network servers.

What you should do: Use the SMBV3 protocol!

As you as a Linux user meanwhile have probably replaced all your virtualized Win 7 guests, you should use the following settings in the [global] section of the configuration file “/etc/samba/smb.conf” of your Samba servers:

[global]

“protocol = SMB3”.

This is what Win 10 supports; you need SMB2_10 with some builds of Win 8 (???), only. Remember also that port 445 must be open on a firewall between the Win 10 client and your Samba server.

For Linux requirements to use SMB3 see
https://wiki.samba.org: SMB3 kernel status
For “SMB Direct” (RDMA) you normally need a kernel version > 4.16. On Opensuse Leap 15.1 most of the required kernel features have been backported. In Win 10 SMB Direct is normally activated; you find it in the “Window-Features” settings (https://www.windowscentral.com/how-manage-optional-features-windows-10)

Not seeing Samba servers in the Explorer does not mean that mounting a Samba share as a network drive does not work

Not seeing the Samba servers in the Win 10 Explorer – because the NetBIOS detection is defunct – does not mean that you cannot work with a Samba share on a Win 10 system. You can just “mount” it on Windows as a “network drive“:

Open a Windows Explorer, choose “This PC” on the left side, then click “Map network drive” in the upper area of the window and follow the instructions:
You choose a free drive letter and provide the Samba server name and its share in the usual MS form as “\\SERVERNAME\SHARE”.
Afterwards, you must activate the option “Connect using different credentials” in the dialog on the Win 10 side, if your Win 10 user for security reasons has a different UID and Password on the Samba server than on Win 10. Needless to say that this is a setting I strongly recommend – and of course we do not allow any direct anonymous or guest access to our Samba server without credentials delivered from a Windows machine (at least not without any central authentication systems).
So, you eventually must provide a valid Samba user name on your Samba server and the password – and there you happily go and use your resources on the Samba share from your Win 10 client.

I assumed of course that you have allowed access from the Win 10 host and the user by respective settings of “hosts allow” and “valid users” for the share in your Samba configuration.
Note: You need not mark the option for reconnecting the share in the Windows dialog for network drives if you only use the Samba exchange shares temporarily.

On an Opensuse system this works perfectly with the protocol settings for SMB3 on the server. So, you can use your shares even without seeing the samba
server in the Explorer: You just have to know what your shares are named and on which Samba servers they are located. No problem for a Linux admin.

In my opinion this approach is the most secure one among all “peer to peer”-approaches which have to work without a central network wide authentication service. It only requires to open port 445 for the time of a Samba session to a specific Samba server. Otherwise you do not provide any information for free to the Win 10 system and its “users”. (Well, an open question is what MS really does with the provided Samba credentials. But that is another story ….)

What you should do: Use the WSDD service on your Samba server

If you allow for some information sharing between your virtualized Win 10 and other KVM based virtual Samba machines in your LAN – and are not afraid of Microsoft or Antivirus companies on the Windows system to collect respective information – then there is a working option to get a stable list of the available Samba servers in the Windows Explorer – without the use of SMB V1.0.

Windows 10 implements web service detection via multiple mechanisms; among them: Multicast messages over ports 3702 (UDP), TCP 5357 and 1900 (UDP). For a detection of Samba services you “only” need ports 3702 (UDP) and 5357 (TCP). The general service detection port 1900 can remain closed in the firewalls between your Win 10 instances and your Linux world for our specific purpose. See
https://www.speedguide.net/port.php?port=5357
https://www.speedguide.net/port.php?port=3702
https://techcommunity.microsoft.com/t5/ask-the-performance-team/ws2008-the-wsd-port-monitor/ba-p/372760
https://en.wikipedia.org/wiki/Simple Service Discovery Protocol

The mechanism using ports 3702 and 5351 is called “Web Service Discovery” and was introduced by MS to cover the detection of printers and other devices in networks. In combination with SMB2 and SMB3 it is the preferred service to detect Samba services.

OK, do we have something like a counter-part available on a Linux system? Obviously, such a service is not (yet?) included in Samba 4 – at least not in the 4.9 version on my system with Opensuse Leap 15.1. The fact that WSD is not (yet?) a part of Samba may have some good reasons. See link.
One can understand the reservations and hesitation to include it, as WSD also serves other purposes than just the detection of SMB services.

Fortunately, a guy named Steffen Christgau, has written an (interesting) Python 3 script, which offers you the basic WSD functionality. See https://github.com/christgau/wsdd.

You can use the script in form of a daemon process on a Linux system – hence we speak of WSDD.

Using YaST I quickly found out that a WSDD RPM package is actually included in my “Opensuse Leap 15.1 Update” repository. People with other Linux distros may download the present WSDD version from GitHub.

On Opensuse it comes with an associated systemd service-file which you find in the directory “/usr/lib/systemd/system”. 

[Unit]
Description=Web Services Dynamic Discovery host daemon
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
AmbientCapabilities=CAP_SYS_CHROOT
PermissionsStartOnly=true
Environment= WSDD_ARGS=-p
ExecStartPre=/usr/lib/wsdd/wsdd-init.sh
EnvironmentFile=-/run/sysconfig/wsdd
ExecStart=/usr/sbin/wsdd --shortlog -c /run/wsdd $WSDD_ARGS
ExecStartPost=/usr/bin/rm /run/
sysconfig/wsdd
User=wsdd
Group=wsdd

[Install]
WantedBy=multi-user.target

Reading the documentation you find out that the daemon runs chrooted – which is a reasonable security measure.
Opensuse even provides an elementary configuration file in “/etc/sysconfig/wsdd“.

I used the parameter

WSDD_WORKGROUP=”MYWORKGROUP”

there to announce the right Workgroup for my (virtualized) Samba server.

So, I had everything ready to start WSDD by “rcwsdd start” (or by “systemctl start wsdd.service”) on my Samba server.

On the local firewall of the SMB server I opened

  • port 445 (TCP) for SMB(3) In/Out for the server and from/to the Win-10-Client,
  • port 3702 (UDP) for incoming packets to the server and outgoing packets from the server to the Multicast address 239.255.255.250,
  • port 5357 (TCP) In/Out for the server and from/to the Win 10 client.

And: I closed all NetBIOS ports (UDP 137, 138 / TCP 139) and eventually stopped the “nmbd”-service on the Samba server! (UDP 137, 138 / TCP 139)

Within a second or so, my Samba 4 server appeared in the Windows 10 Explorer!

Further hints:
As the 3702 port is used with the UDP protocol it should be regarded as potentially dangerous. See: https://blogs.akamai.com/sitr/2019/09/new-ddos-vector-observed-in-the-wild-wsd-attacks-hitting-35gbps.html
The port 1900 which appeared in the firewall logs does not seem to be important. I blocked it.

So far, so good. However, when I refreshed the list in the Win 10 Explorer my SAMBA server disappeared again. 🙁

What you should do: Take special care about the network interface to which the WSDD service gets attached to

It took me a while to find out that the origin of the last problem had to do with the fact that my virtualized server and my Win 10 client both had multiple network interfaces on virtualized bridges. There are no loops in the configuration, but it occurred that multiple broadcasts packets arrive via different paths at the Samba server and were answered – and thus multiple return messages appeared at the Win 10 client during a refresh – which Win 10 did not like (see the discussion in the following link.
https://github.com/christgau/wsdd/issues/8

As soon as I restricted the answer of the Samba server to exactly one of the interfaces on my virtual bridge via the the parameter “WSDD_INTERFACES” in the “/etc/sysconfig/wsdd”-configuration file everything went fine. Refreshes now lead to an immediate update including the Samba server.

So, be a little careful, when you have some complicated bridge structures associated with your virtualized VMware or KVM guests. The WSDD service should be limited to exactly one interface of the Samba server.

Note: As we do not need NetBIOS any longer – block ports 137, 138 (UDP) and 139 (TCP) in your firewalls! It will make you feel better instantaneously.

Conclusion

The “end” of SMB V1 on Win 10 is a reasonable step. However, it undermines the visibility of Samba servers in the Windows Explorers. The reason is that NetBIOS requires SMB1.0 features on Windows. NetBIOS is/was therefore consistently deactivated on Win 10, too. The service detection on the network is replaced by the WSD service which was originally introduced for printer detection (and possibly other devices). Activating it on the Win 10 system may help with the detection of other Windows (8 and 10) systems on the network, but not with Samba 4 servers. Samba servers presently only serve NetBIOS requests of Win clients
to allow for server and share detection. Therefore, without additional measures, they are not displayed in the Windows Explorer of a regular Win 10 client.

This does, however, not restrict the usage of Samba shares on the Win 10 client via the SMB3 protocol. They can be used as “network drives” – just as before. Not distributing name and device information on a network has its advantages regarding security.

If you absolutely must see your Samba servers in the Win 10 Explorer install and configure the WSDD package of Steffen Christgau. You can use it as a systemd service. You should restrict the interfaces WSDD gets attached to – especially if your Samba servers are attached to virtual network bridges (Linux bridges or VMware bridges).

So:

  • Disable SMBV1 in Windows 10 if an update has not yet done it for you!
  • Set the protocol in the Samba servers to SMBV3!
  • Try to work with “networks drives” on your Win 10 guests, only!
  • Install, configure and use WSDD, if you really need to see your Samba servers in the Windows Explorer.
  • Open the port 445 (TCP, IN/OUT between the Win 10 client and the server), 3072 (UDP, OUT from the server and the Win 10 client to 239.255.255.250, IN to the server from the Win 10 client / IN to the Win 10 client from the server; rules details depending on the firewall location), port 5357 (TCP; In/OUT between the Samba server and the Win 10 client) on your firewalls between the Samba server and the Win 10 system.
  • Close the NetBIOS ports in your firewalls!
  • You should also take care of stopping multicast messages leaving perimeter firewalls; normally packets to multicast addresses should not be routed, but blocking them explicitly for certain interfaces is no harm, either.

Of course you must repeat the WSDD and firewall setup for all your Samba servers. But as a Linux admin you have your tools for distributing common configuration files or copying virtualization setups.

Links

The real story
!!!! https://www.ixsystems.com/community/resources/how-to-kill-off-smb1-netbios-wins-and-still-have-windows-network-neighbourhood-better-than-ever.106/ !!!

https://forums.linuxmint.com/viewtopic.php?p=1799875

https://devanswers.co/discover-ubuntu-machines-samba-shares-windows-10-network/

https://bugs.launchpad.net/ubuntu/ source/ samba/ +bug/ 1831441

https://forums.opensuse.org/ showthread.php/ 540083-Samba-Network-Device-Type-for-Windows-10

https://kofler.info/zugriff-auf-netzwerkverzeichnisse-mit-nautilus/

WSDD and its problems
https://github.com/christgau/wsdd
https://github.com/christgau/wsdd/issues/8
https://forums.opensuse.org/ showthread.php/ 540083-Samba-Network-Device-Type-for-Windows-10

Warnings of SMB V1
https://docs.microsoft.com/de-de/windows-server/storage/file-server/troubleshoot/detect-enable-and-disable-smbv1-v2-v3
https://blog.malwarebytes.com/101/2018/12/how-threat-actors-are-using-smb-vulnerabilities/
https://securityboulevard.com/2018/12/whats-the-problem-with-smb-1-and-should-you-worry-about-smb-2-and-3/
https://techcommunity.microsoft.com/t5/storage-at-microsoft/stop-using-smb1/ba-p/425858
https://www.cubespotter.de/cubespotter/wannacry-nsa-exploits-und-das-maerchen-von-smbv1/

Problems with Win 10 and shares
https://social.technet.microsoft.com/ Forums/ en-US: cannot-connect-to-cifs-smb-samba-network-shares-amp-shared-folders-in-windows-10-after-update?forum=win10itpronetworking

RDMA and SMB Direct
https://searchstorage.techtarget.com/ definition/ Remote-Direct-Memory-Access

Other settings in the SMB/Samba environment of minor relevance
http://woshub.com/cannot-access-smb-network-shares-windows-10-1709/
https://superuser.com/questions/1466968/unable-to-connect-to-a-linux-samba-server-via-hostname-on-windows-10
https://superuser.com/questions/1522896/windows-10-cannot-connect-to-linux-samba-shares-except-from-smb1-cifs
https://www.reddit.com/ r/ techsupport/ comments/ 3yevip/ windows 10 cant see samba shares/
https://devanswers.co/network-error-problem-windows-cannot-access-hostname-samba/

 

Upgrading Win 7 to Win 10 guests on Opensuse/Linux based VMware hosts – I – some experiences

Posted on by

As my readers know I am not a fan of MS or any “Windows N” operating system – whatever the version number N. But some of you may be facing the same situation as me:

A customer or an employer enforces the use of MS products – as e.g. MS Office, clients for MS Exchange, Skype for Business, Sharepoint, components for effort booking and so on. For the fulfillment of most of your customer’s demands you can use browser based interfaces or Linux clients.

However, something that regularly leads to problems is the heavy use of MS Office programs or graphics tools in their latest versions. Despite other claims: A friction-less back and forth between Libreoffice and MS Office is still a dream. Crossover Office is nice – but the latest MS Office versions are often not yet covered when you need them. Another very reasonable field of using MS Windows guests on Linux is, by the way, training for pen-testing and security measures.

So, even Linux enthusiasts are sometimes forced to work with or within a native Windows environment. We would use a virtualized Windows guest machine then – on a Linux host with the help of VMware, KVM or Virtualbox. Regarding graphical performance, support of basic 3D features, Direct X and of the latest USB-versions in the emulated system environment I have a tendency to use VMware Workstation, despite its high price. Get me right: I practically never use VMware to virtualize Linux systems – for this purpose I use LXC containers or KVM. But for “Win 7” or “Win 10” VMware seemed to be a good choice – so far.

Upgrade to Win 10

During the last days of orchestrated panic regarding the transition from Windows 7 to Windows 10 I eventually gave in and upgraded some of my VMware-virtualized Windows 7 systems to Windows 10. More because of having some free time to get into this process than because assuming a sudden drop in security. (As if we ever trusted in the security of Windows system … I come back to security and privacy aspects in a second article.) However, on a perspective of some weeks or months the transition from Win 7 to Win 10 is probably unavoidable – if you cannot isolate your Windows machine completely from the Internet and/or from other external servers which bring a potential attack risk with them. The latter may even hold for servers of your clients.

I was a bit skeptical about the outcome of the upgrade procedure and the effort it would require on my side. A good friend of mine, who sells and administers Windows system professionally, had told me that he had experienced a whole variety of different problems – depending on the Win 7 setup, the amount and character of application SW installed, hardware drivers and the validity of licenses.

Well, my Windows 7 Pro clients were equipped with rather elementary SW: MS Office in different versions, MS Project, Lexware, Adobe Creative suite in an old version, some mind mapping SW, Adobe Reader, Anti malware SW. The “hardware” of the virtual machines is standard, partially emulated by VMware with appropriate drivers. So, no need to be especially nervous.

To be on the safe side I also ordered a VMware WS Pro upgrade to version 15.X. (I own WS 12.5.9 and WS 14 licenses.) Reason: I had read that only the WS 15.5 Pro supports the latest Win 10 versions fully. Well reading without thinking may lead to a waste of resources – see below.

Another rumor you often hear is that Windows 10 requires rather new hardware and is quite resource-demanding. MS itself recommends to buy a new PC or laptop on its web-sites – of course often followed by advertisement for MS notebook models on the very same web page. Yeah, money makes the world turn around. Well, regarding resources for my Windows guest systems I was/am rather restrictive:

Virtual machines for MS Win never get a lot of RAM from me – a maximum of 4 GB at most. This is enough for office purposes. (All really resource craving
things I do on Linux 🙂 ). Neither do my virtualized Win systems get a lot of disk space – typically < 60 GB. I mostly use vmdk-files to provide virtual hard disks – without full space allocation at startup, but dynamically added 4GB extents. vdmk files allow for an easy movement of virtual machines and simple backup procedures. And I usually give my virtual Win machines a maximum of 2 processor cores. So, these limitations contributed a bit to my skepticism. In addition I have 3D support on for my Win 7 guests in the virtual machine setup.

Meanwhile, I have successfully performed multiple upgrades on a rather old Linux host with an i7 950 CPU and newer hosts with I7 6700 K and modern i9 9900 processors. The operative system on all hosts run Opensuse Leap 15.1; I did not find the time to test my Debian hosts, yet.

I had some nice and some annoying experiences. I also found some aspects which you should take care of ahead of the Win 7 to Win 10 upgrade.

Make a backup!

As always with critical operations: Make a backup first! This is quite easy with a VMware virtual machine based on “vmdk”-files: Just copy the machines directory with all its files to some Linux formatted backup medium and keep up all the access rights during copying (=> cp -dpRv). In case of partition based virtual machines – make a copy of the partition with “dd”.

If you should need to restore the virtual machine in its old state again and to copy your backup files to their old places: VMware will notice this and will ask you whether you moved or copied the guest. Then answer “moved” (!) – which appears a bit paradox. But otherwise there is a very high probability that trouble with your Windows license will follow. VMware interprets a “copy”-operation as a duplication of a virtual machine and puts a related information somewhere (?) which Windows evaluates. Windows will almost certainly ask for a reactivation of your installation in case that your Win license was/is an individual one – as e.g. an OEM license.

Good news and potentially bad news regarding the upgrade to Win 10

The good news is:

  • Provided that you have valid licences for your Win 7 and for all SW components installed and provided that there is enough real and virtual disk space available, the Win 7 to Win 10 upgrade works smoothly. However, it takes a considerable amount of time.
  • I did not experience any performance problems after the upgrades – not even regarding transparency effects and other gimmicks in comparison to Windows 7. VMware’s 3D support for Win works – in WS 15 even for DirectX 10.

The requirement for time depends partially on the bandwidth of your Internet connection and partially on the performance of your disk access as well as your CPU and the available RAM. In my case I had to invest around 1 hr – in those cases when everything went straight through.

The potentially bad news comprises the following points:

  • The upgrade requires a considerable amount of free space on your virtual machine’s hard disk, which will be used temporarily. So, you should carefully check the available disk space – inside the virtual machine and – a bit surprising – also on the Linux filesystem keeping the vmdk-files. I ran into problems with limited space for multiple upgrades on both sides; see below. Whether you will experience something similar depends on your safety margin policies with respect to disk space in the guest and on the host.
  • A really annoying
    aspect of the upgrade had to do with VMware’s development and market strategy. From advertisement you may conclude that it would be best to use VMware WS 14 or 15 to handle Windows 10. However, on older Intel based systems you should absolutely check whether the CPU is compatible with VMware WS 14 and 15. Check it, before you think upgrading a Vmware WS 12 license to anything higher. On my Intel i7 950 neither WS 14 nor WS 15 did work at all. Even if you get these WS versions working by a trick (see below) they perform badly.
  • Then there is a certain privacy aspect. As said, the upgrade takes a lot of time during which you are connected to the Internet and to Microsoft servers. This is only partially due to the fact that Win 10 SW has to be downloaded during the upgrade process; there are more phases of information exchange. It is also quite understandable that MS has to analyze and check your system on a full scale. But do we know what Big Brother [BB] MS is doing during this time and what information/data they transfer to their own systems? No, we do not. So, if you have any sensitive data files on your system – how to protect them? You cannot isolate your Windows 10 during the upgrade. And even worse: Later on you will be more or less forced to perform updates within certain periods. So, how to keep sensitive data inaccessible for BB during the upgrade and beyond?

I address the first two aspects below. The last point of privacy is an interesting but complicated one. I shall discuss it in a separate article.

Which VMware workstation version should I use?

Do not get misguided by reports or advertisement on the Internet that certain MS Win 10 require the latest version of VMware Workstation! WS 12 Pro was the first version which supported Win 10 in late 2015. Now VMware 15.X has arrived. And yes, there are articles that claim incompatibility of VMware WS 12, WS 14 and early subversions of WS 15 with some of the latest Win 10 builds and updates. See the following links and discussions therein:
https://communities.vmware.com/thread/608589
https://www.borncity.com/blog/2019/10/03/windows-10-update-kb4522015-breaks-vmware-workstation/
https://www.askwoody.com/forums/topic/vmware-12-and-newer-incompatible-with-windows-10-1903/

But read carefully: The statements on incompatibility refer mostly (if not only) to using a MS Win 10 system as a host for VMware! But we guys are using Linux systems as hosts.

Therefore the good message is:

Windows 10 as a VMware guest is already supported by VM WS 12.5.9 Pro, which runs also on older CPUs. For all practical purposes and 2D graphics a Win 10 guest installation works quite well on a Linux host with VMware 12.5.9.

At least, I have not yet noticed anything wrong on my hosts with Opensuse Leap 15.1 and VMware WS 12.5.9 PRO for a Win 10 guests. (Neither did I see problems with WS 14 or WS 15 on those hosts where I could use these versions).

The compatibility of WS 12.5 with Win 10 guest on Linux is more important than you may think if your host has an older CPU. If you really want to spend money and use WS 14 or WS 15 please note:

WS 14 Pro and WS 15 Pro require that your CPU provides Intel VT-x virtualization technology and EPT abilities.

So, the potentially bad message for you as the still proud owner of an older but capable CPU is:

The present VMware WS versions 14 and 15 which support Win 10 fully (as guest and host system) may not be compatible with your CPU!

Check
compatibility twice BEFORE you intend to upgrade VMware Workstation ahead of a “Win7 to Win 10”-upgrade. It would be a major waste of money if your CPU is not supported. And as stated: Win 12.5 does a good job with Win 10 guests.

VMware has deserved a lot of criticism with their decision to ignore older processors with WS Pro versions > 14. See
https://communities.vmware.com/thread/572931
https://vinfrastructure.it/2018/07/vmware-workstation-pro-14-issues-with-old-cpu/
https://www.heise.de/newsticker/meldung/VMware-Workstation-14-braucht-juengere-Prozessoren-3847372.html
For me this is a good reason to try a bit harder with KVM for the virtualization of Windows – and drop VMware wherever possible.

There is a small trick, though, to get WS 14 Pro running on an i7 950 and other older processors: In the file “/etc/vmware/config” you can add the setting

monitor.allowLegacyCPU = “true”

See https://communities.vmware.com/thread/572804.

But: I have tested this and found that a Win 7 start takes around 3 minutes! You really have to be very patient… This is crazy – and for me unacceptable. After you once are logged in, performance of Win 7 seems to be OK – maybe a bit sluggish. Still I cannot bear the waiting at boot time. So, I went back to WS 12 Pro on the machine with an i7 950.

Another problem for you may be that the installation of WS 12.5.9 on both Opensuse Leap 15.0 and 15.1 requires some special settings and tricks which I have written about in this blog. See:
Upgrade auf Opensuse Leap 15.0 – Probleme mit Nvidia-Treiber aus dem Repository und mit VMware WS 12.5.9
Upgrade Laptop to Opensuse 42.3, Probleme mit Bumblebee und VMware WS 12.5, Workarounds
The first article is relevant also for Opensuse 15.1.

Use the Windows Upgrade site and the Media Creation Tool page to save money

If you have a valid Win 7 license for all of your virtualized Win 7 installations it is not required to spend money on a new Win 10 license. Microsoft’s offer for a cost free upgrade to Win 10 still works. See e.g.:
https://www.cnet.com/how-to/windows-10-dont-wait-on-free-upgrade-because-windows-7-officially-done/
https://www.techbook.de/apps/kostenloses-update-windows-10
Follow the steps there – as I have done successfully myself.

Problems with disk space within the VMware Windows 7 guest during upgrade

My first Win7 to Win10 upgrade trial ran into trouble twice. The first problem occurred during the upgrade process and within the virtual machine:
I got a warning from the upgrade program at its start that I should free at least some 8.5 GByte.

Not so funny – as said, I am a bit picky about resources. The virtual guest machine had only a 60 GB C-disk. Fortunately, there were a lot of temporary files which could be deleted. Actually Gigabytes and partially years old – makes you wonder why Win 7 kept those files piled up. I also could move a bunch of data files to a D-disk. And I deinstalled some programs. All in all – it just worked out. The upgrade itself afterwards went friction-free and without

So one
message is:

Ensure that you have around 15 GB free on your virtual C-disk.

It is better to solve the problems with freeing C-disk space inside Win 7 without pressure – meaning: ahead of the upgrade to Win 10. If you run into the described problem it may be better to abort the Win 10 upgrade. I have tested this – and the Win 7 system was restored – apparently in good health. I got a strange message during reboot that the system was prepared for first use – but after everything was as before.

On another system I got a warning during the upgrade, when the “search for updates” began, that I should clear some 10 GByte of temporarily required disk space or attach an external drive (USB) to be used for temporary operations. The latter went OK in this case. But be careful the USB disk must be kept attached to the virtual machine over some reboots. Do not touch it until the upgrade has finalized.

So, a second message is:

Be prepared to have some external device with some free 20 GB ready if you have a complex installation with a lot of application SW and/or a complex virtual HW configuration.

I advise you to check your external USB drive, USB stick or whatever you use for filesystem errors before attaching it. And have your VMware window active whilst attaching the device! VMware will then warn you that the Linux host may claim access to the device and you just have to click the buttons in the dialog boxes to give the VMware guest full control instead of the host OS.

If you now should think about a general enlargement of the virtual disk(s) of your existing Win 7 installation please take into account the following:

On the one hand side an enlargement is of course possible and relatively easy to handle if you use vdmk files for disk virtualization and have free space on the Linux partition which hosts the vmdks. VMware supports the resizing process in the disk section of the virtual machine “settings”. On Win 7 you afterward can use the Win admin tools to extend the NTFS filesystem to the full extent of the newly configured disk.

But, on the other side, please, consider that Windows may react allergic to a change of the main C-disk and request a new activation due to major hardware changes. 🙁

This is one of the points why we do not like Windows ….
So, how you solve a potential free disk problem depends a bit on what you think is the bigger problem – reactivation or freeing disk space by deletions, movement of files or deinstallations.

Addendum: Also check old restore points Win 7 may have created over time! After a successful upgrade to Win 10 I stumbled across an option to release all restore information for old installations (in this case for Win 7 and its kept restore points). This will give you again many Gigabytes if you had not deleted “restore point” data for a long time in your Win 7. In my case I gained remarkable 17 GB! => Should have deleted some old restore points data already before the upgrade.

Problems with disk space on the Linux host

The second problem with disk space occurred after or during some upgrades to Win 10: I ran out of space in the Linux filesystem containing the vmdk files of my virtual machine. In one case the upgrade simply stopped. In another case the problem occurred a while after the upgrade – without me actually doing much on the new Win 10 installation. VMware suddenly issued a warning regarding the Linux file system and paused the virtual machine. I was first a bit surprised as I had not experienced this lack of space during normal usage of the previous Win 7 installation.

The explanation was simple: As said, I had set up the virtual disk such that the required space was not allocated at once, but as required. Due to the upgrade the VMware had created all 4GB-extends
to provide the full disk space the guest needed. In addition I had activated “Autoprotect Snapshots” on VMware (3 per day) – the first automatically created snapshot after the upgrade required a lot of additional space on the Linux file system – due to heavy changes on the hard disk.

My virtualized machines most often reside on specific (encrypted) LVM-based Linux partitions. And there it just got tight – when VMware stopped the virtual machine only 3.5 GB were left free. Not funny: You cannot kill snapshots on a paused virtual guest – the guest must be running or be shut down. And if you want to enlarge a Linux partition – which is possible if there is (neighboring) space free on your hard disk – then the filesystem should best be unmounted. Well, you can enlarge a GPT-partition with the ext4-filesystem in operation (e.g. with YaST) – but it gives you an uncomfortable feeling.

In my case I decided to brutally power down the virtual machines. In one case where this problem occurred I could at least eliminate one snapshot. I could start the virtual machine then again and let Windows check the NTFS filesystems for errors. Then I shut down the virtual machine again, deleted another snapshot and used the tools of VMware to defragment and compact the virtual disks. This gave me a considerable amount of free GBs. Good!
Afterwards I additionally reduced the number of protection snapshots – if this still seemed to be necessary.

On another system with a more important Win 7/10 installation I really extended the Linux partition and its ext4 filesystem by 20 GB – I had some spare space, fortunately – and then followed the steps just described.

So, there is a whole spectrum of options to regain disk space after the upgrade. See also:
thebackroomtech.com : reduce-size-virtual-machine-disk-vmware-workstation/

My third message is:

Ensure a reasonable amount of free space in the Linux filesystem – for required extents and snapshots!
After the backup of your old Win 7 installation, eliminate all VMware snapshots which you do not absolutely need – in the snapshot manager from the left to the right. Also use the VMware tools to defragment and compact your virtual disks ahead of the upgrade.

By the way: I hope that it is clear that snapshots do NOT replace backups. You should make a backup of your successfully upgraded Win 10 installation after you have tested the functionality of your applications and before you start working seriously with your new Win 10. You do not want to go through the upgrade procedure again ..

Addendum: Circumvent the enforcement of Windows 10 updates after your upgrade

Updates on Windows 7 have often lead to trouble in the past – and as an administrator you were happy to have some control over the download and installation points for updates in time. After reading a bit, I got the impression that the situation has not changed much: There have occurred some major problems related to updates of Win 10 since 2016. Yet, Windows 10 enforces updates more rigidly than Win 7.

I, therefore, generally recommend the following:

Delay or stop automatic updates on Win 10. Then use VMware’s snapshot mechanism before manual updates to be able to turn back to a running Win 10 guest version. In this order.

The first point is not so easy as it may seem – there are no basic and directly accessible options to only get informed about available updates as on Win 7. Win 10 enforces updates if you have enabled “Windows Update”; there is no “inform only” or “download only”. You have to either disable updates totally or to delay them. The latter only works for a maximum period of 35 days. How to deactivate updates completely is described here:

https://www.easeus.com/todo-backup-resource/how-to-stop-windows-10-from-automatically-update.html
https://www.t-online.de/digital/software/id_77429674/windows-10-automatische-updates-deaktivieren-so-geht-s.html

There is also a description on “Upgrade” values for a related registry entry:
www.deskmodder.de/wiki/index.php/Automatische-Updates-deaktivieren-oder-auf-manuell-setzen-Windows-10#Windows_10_1607.2C-1703-Pro-Updates-auf-manuell-setzen-oder-deaktivieren

I am not sure whether this works on Win 10 Pro build 1909 – we shall see.

Conclusion

Win 7 and Win 10 can be run on VMware WS Pro versions 12.5 up to 15.5 on Linux hosts. Before you upgrade VMware WS check for compatibility with your CPU! An upgrade of a Win 7 Pro installation on a VMware virtual machine to Win 10 Pro basically works smoothly – but you should take care of providing enough disk space within the virtual machine and also on the host’s filesystem containing the vdmk-files for the virtual disks.

It is not necessary to change the quality of the virtualized hardware configuration. Win 10 appears to be running with at least the same performance as the old Win 7 on a given virtual machine.

In the next article I will discuss some privacy aspects during the upgrade and after. The main question there will be: What can we do to prevent the transfer of sensitive data files from a Win 10 installation?

 

Windows 10 und die Süddeutsche Zeitung

Posted on by

Man würde meinen, dass die Technik-Sparte einer seriösen Zeitung wie der SZ von Journalisten gestaltet wird, die die Kunst der kritischen Distanzwahrung und der sachlichen Informationsweitergabe zu kontroversen Themen gelernt haben. Oder im Zweifel zumindest Fachleute (!) mit unterschiedlichen, aber begründeten Ansichten zu einem kontroversen Thema zu Wort kommen lassen.

Hrn. Hurtz von der SZ hat es heute mit seinem Artikel
“Heute noch geschenkt, bald richtig teuer”
(http://www.sueddeutsche.de/wirtschaft/windows-betriebssystem-heute-noch-geschenkt-bald-richtig-teuer-1.3095229)
zur kommenden Kostenpflichtigkeit von Windows 10 geschafft, technischen Journalismus in ungeahnte Tiefen zu führen. Und er hat den erreichten Tiefpunkt dann nochmal durch einen nachgeschobenen Online-Artikel
http://www.sueddeutsche.de/digital/microsoft-warum-sie-keine-angst-vor-windows-haben-muessen-1.2835023
tiefer gelegt.

Ich habe die genannten Artikel gleich dreimal lesen müssen, weil man es ja kaum für möglich hält, wie distanzlos sich die SZ – hoffentlich ungewollt – vor den Karren der Interessen Microsofts spannen lässt. Ich persönlich halte bekanntermaßen wenig von MS-PC-Produkten – das ist eine, nämlich meine Sache. Aber Artikel, in der die Presse in fast humorigem Ton die Werbe-Arbeit von MS verrichtet, ist eine andere. Ich erlaube mir, in diesem Fall ein großes Fragezeichen hinter die Seriosität der genannten Artikel und hinter die interne Qualitätssicherung bei der SZ zu setzen. Ehrlich, die Lektüre ist mir aufs Gemüt geschlagen – ich hätte es nicht für möglich gehalten, dass die SZ so was publiziert. Der Frust macht ein wenig Polemik zur erneuten Gewinnung des inneren Gleichgewichts fast unerlässlich. Wohlgemerkt, mir geht es dabei gar nicht um Microsoft. Das vertritt wie jedes Unternehmen legitimerweise seine Interessen – und Windows 10 interessiert mich nun wirklich nur peripher. Mir geht es darum, wie abgrundtief schlecht die obigen Artikel sind.

Welche neutrale Sachinformationen liefert uns der erste der genannten Artikel, der sich in der heutigen Druckausgabe der SZ über 5 Spalten erstreckt und vom nicht bebilderten Teil der Seite etwa die Hälfte einnimmt? Genau zwei: Windows 10 wird ab August etwas kosten. Und MS hat das eigene Ziel von 1 Milliarde Upgrades bislang weit verfehlt. Das war’s. Dafür würde man wohl kaum 5 Spalten brauchen. Nun könnte sich an die Sachinformationen ja z.B. eine Gegenüberstellung begründeter (!) Argumente für und gegen ein Upgrade von Windows 10 anschließen. Aber was lesen wir?

Da ist zunächst wortgewaltig von “religiösem Eifer” und “Glaubenskriegen” der Gegner von Windows 10 die Rede. Wir erfahren unter Zuhilfenahme eines Zitats von Umberto Ecco von 1994 (!), dass die IT-Welt schon immer in 2, seit kurzem aber sogar 3 religiöse Lager geteilt sei: Apple-Anhänger, Windows 10- und Windows 7-Anhänger. Dass die schärfste Kritik an Windows 10 möglicherweise gar nicht von Apple- oder Windows 7 Anhängern kommt, muss man sich als Leser erst viel später aus der beiläufigen Erwähnung von Klagen deutscher Verbraucherschutz-Verbände erschließen.

Der Rest des verfügbaren Platzes wird durch die Wiedergabe von Einschätzungen des Leiters des Geschäftsbereichs für Windows von MS Deutschland zur Kritik an Win 10 in Anspruch genommen. Von diesem Herrn erfahren wir dann lang und breit, welche wenig stichhaltige Argumente die Windows 10 Gegner (angeblich) ins Feld führen – etwa “never touch a running system” (gemeint ist Windows 7). Das sitzt … ich reibe mir die Augen und bin echt betroffen. So hatte ich das Thema Windows 10 zwar noch nie gesehen; aber wenn ein Geschäftsführer von MS das sagt ….. Richtig beeindruckend, diese
saubere, gründliche Journalistenarbeit von der SZ ….

Und dann wird es wirklich interessant – es geht um “Die beiden zentralen Kritikpunkte an Windows 10 – Datenschutzbedenken und Zwangsupgrade”. Na, was erfahren wir wohl dazu? Ja, die halte der Leiter des Windows-Geschäftsbereichs Deutschland für “überschätzt”. Ach wirklich? Echt ???… das hätte ich nun überhaupt nicht erwartet…. Der journalistische Tiefgang des Artikels, der das alles kommentarlos weitergibt, beeindruckt mich immer mehr …

Und weiter: Wer wolle, könne ja die “meisten Überwachungsfunktionen abschalten”. usw., usw.. “Und was viele Nutzer als penetrante Aufforderung zum Upgrade empfunden haben” hält der Geschäftsführer von MS für ein vernünftiges Vorgehen. “Niemand sei … zwangsbeglückt worden”. Diese Botschaft freut sicher jeden, der mal versucht hat, die “Beglückung” durch Werkeln in der Wndows-Registry abzuschalten.

Die journalistische Meisterleistung von Hrn. Hurtz wird abschließend von der Wiederholung seiner Erkenntnis gekrönt, dass sich die Tech-Szene in Kürze in drei “Religionen” (Apple, Win 10, Win 7) teilen werde. Halt – da entdeckt der SZ-Journalist doch noch eine weitere Gruppe – nämlich die “Atheisten” – ja, liebe Leute, das sind wir, die mit Linux.

Wem der Salat an MS-Meinungswiedergabe als Haupt-“Information” des Artikels noch nicht gereicht hat, der konnte ergänzend einen 2-spaltigen Kasten mit Kleingedrucktem lesen, in dem die schöne neue Welt von Windows angepriesen wird: Nur noch laufende Updates eines ewigen Windows 10 und verbesserte Funktionen “eines bereits stimmigen Betriebssystems”. Ja, wer’s mag – wie offenbar besagter Redakteur der SZ – für den ist das halt das Höchste ..

In dieser begrenzten Logik bleibt die (IT-) Erde auch weiterhin eine Scheibe … sie wird in Zukunft nur viel runder und noch stimmiger. Never touch a running ideology … die religiösen Eiferer aus dem Apple und Win 7-Lager und wir, die “Atheisten” aus dem Linux-Lager, haben da nur noch nicht genau genug hingesehen. Der Abgrund am Rand der Scheibe ist jetzt dank ausführlicher Nutzungsklauseln sogar markiert und mit dem verbesserten Angebot kann man noch tiefer in ihn hineinsehen – kein Grund mehr ihn zu überschätzen … Danke, liebe SZ, für diese humorig verfasste “Information” – endlich habe ich es begriffen! Bleibt nur die Frage, warum Hr. Hurtz nicht einfach, kurz und prägnant geschrieben hat:

Liebe MS-Gläubigen, die ihr bisher der täglichen frohen Upgrade-Botschaft aus völlig unverständlichen bis ketzerischen Gründen nicht gefolgt seid: Beeilt euch mal – denn sonst muss MS den Klingelbeutel in der Gemeinde rumgehen lassen. Und wie wir aus gewöhnlich bestens informierten Kreisen der MS-Geschäftsführung erfahren haben, sind alle eure Motive, Windows 10 nicht einzusetzen, in der Nähe religiösen Eifertums angesiedelt, aber objektiv nicht nachvollziehbar. Die MS-Geschäftsführung weiß das – und natürlich auch, was wirklich gut für euch ist !! Ihr müsst es einfach nur glauben. Und Datenschutz in Europa und Deutschland ist ja eh’ schon immer überschätzt worden. Nun aber bitte gleich upgraden – damit MS seine Geschäftsziele erreicht. Sonst Strafgebühr ….

Das wäre wenigstens klar, ehrlich und platzsparend gewesen – und man müsste sich als Leser nach der Lektüre nicht verzweifelt die Frage stellen, ob Hr. Hurtz in seinem aufklärerischen Eifer schlicht nicht gemerkt hat, dass dieser Artikel auch aus der Werbeabteilung Microsofts stammen könnte. Bis 15:00 Uhr habe ich noch an Unbedarftheit geglaubt; aber dann wird von der SZ online noch ein weiterer Artikel nachgeschoben mit dem Titel: “Warum Sie keine Angst vor Windows 10 haben müssen”.

Einige Argumente werden auch in diesem Artikel wieder aus dem reichen Erkenntnisschatz von MS geliefert: Das Datenabgreifen erfolge ja im besten Interesse des Nutzers und würde nur in anonyme Statistiken einfließen. Wer die Nutzungsbedingungen ganz lese (was aber wegen der
Länge kaum einer tue) könne das begreifen. Und MS würde nie persönliche Mails durchsuchen, um Werbung zu schalten. Sagt MS – und dann wird es ja wohl stimmen und muss von der SZ unreflektiert verbreitet werden. Offen bleibt in diesem einseitigen Diskurs die Frage der Ketzer: Aber warum werden z.B. die Mails der Windows 10 User dann überhaupt auf MS-Server übertragen?

Ich selbst habe alle Nutzungsbedingungen von MS Win 10 sehr genau gelesen – auch das flankierende Service Agreement: Da bleiben eigentlich keine Fragen offen. Du akzeptierst als Nutzer, dass MS bei Standardeinstellungen und im Zweifel zu Wartungszwecken alle deine Daten auf eigene Server transferiert. Wozu? Tja, da muss der MS-Adept halt einfach glauben, dass das zu seinem Wohle ist. Zu platt? Stimmt, denn selbst Hrn. Hurtz kommt dann auf Seite 2 des Artikels der schlimme Verdacht, das selbst die bislang Gläubigen nicht so einfach von neuen Götzen zu überzeugen sein werden. Und die Predigt nimmt dann eine neue Richtung:

“Komfort gibt es nur im Tausch gegen Privatsphäre …jeder Zugewinn an Komfort geht mit einem kleinen Verlust an Privatsphäre einher. Das ist bei Google und Apple aber nicht anders.” Denn: Das mit dem Komfort funktioniert nur – Zitat – “wenn man bereit ist, einen Teil seiner Privatsphäre zu opfern. Es gibt gute Gründe, diese Entwicklung zu bedauern. Aber es gibt keinen guten Grund, allein Microsoft an den Pranger zu stellen, weil sie mit der Zeit gehen. Wer diesen Weg nicht mitgehen will, hat längst eine gute Alternative zu Windows und iOS. Sie heißt Linux.

Aha, Überraschung: Privatsphäre geht bei Einsatz von Windows 10 womöglich doch verloren – aber ich soll MS halt glauben, dass das zu meinem Besten ist. Und dass andere Anbieter von PC- und Smartphone -Betriebs-Systemen auch nicht besser sind, ist dabei ein wirklich tröstlicher und tiefer Gedanke von Hrn. Hurtz. Habt keine Angst, liebe Gläubigen …in den Paradiesen der zukünftigen IT werden wir alle gleich unfrei sein.

Der Artikel erteilt dann abschließend noch die Absolution für die Ketzer; moderne Botschafter von Betriebssystem-Religionen sind schließlich liberal. Denn wer die beschriebene Opferung der informationellen Selbstbestimmung auf dem Altar des Dogmas “Komfort hat den Preis der Privatsphäre” partout nicht einsehen wolle, könne sich ja (ganz im Sinne des ersten Artikels) als Atheist aus den genannten drei Kirchen abmelden – durch die Benutzung von Linux. Letzteres muss gemäß der Hurtz’schen Argumentation und Logik aber leider höllisch unkomfortabel sein.

Na dann, liebe Linuxer – auf ins Fegefeuer … da muss man wenigstens keinen miserablen Journalismus mehr ertragen …

Win 10 – Statistiken – Cortana – und ein wenig Polemik ….

Posted on by

Vor einiger Zeit habe ich mich in diesem Blog kritisch zu den Standardeinstellungen von MS Win 10 Home und den damit verbundenen Transfers privater Daten auf (amerikanische) Server von Microsoft geäußert.

Mir wurde daraufhin auch im eigenen Bekannten-Kreis immer wieder sehr deutlich klar gemacht, dass das “wohl völlig egal sei und die Vorteile von Win 10 die Nachteile bei weitem überwiegen würden”. Das Datensammeln sei schließlich auch bei Google so – aber man habe ja nichts zu verbergen. Nun will gar nicht erst damit anfangen, MS gegen Google aufzurechnen. Und regelmäßig den Sinn von Privatsphäre als grundlegenden Pfeiler einer demokratischen Informationsgesellschaft freier Bürger auch für hochgebildete Leute begründen zu müssen, bin ich ein wenig müde geworden. In diesem Sinne ist folgender Text nur ein Ausdruck ständiger Verwunderung über die widerspruchslose bis begeisterte Hinnahme bestimmter Entwicklungen ….

Vor kurzem sind Statistiken zum Einsatz von Win 10 und auch der unter Win 10 benutzten Programme bekannt geworden. Siehe:

http://www.ghacks.net/2016/01/05/microsoft-may-be-collecting-more-data-than-initially-thought/

Nehmen wir mal an, die dort genannten Zahlen stimmen, und greifen wir uns ein Beispiel heraus:

“Users asked Cortana more than 2.5 billion questions since launch.”

Ja, das gute Cortana (s. https://de.wikipedia.org/wiki/Cortana_%28Software%29) – endlich eine MS-Antwort auf Technologie, die von Apple und Google schon lange benutzt wurde und wird. Und wie bei der Konkurrenz geht Cortana über die Stimmerkennung weit hinaus und erforscht ein Personenprofil auch über andere Daten (Notizbuch, E-Mails, Bing-Anfragen, ….). Siehe

http://www.windowsphone.com/de-DE/how-to/wp8/cortana/cortanas-settings
http://windows.microsoft.com/de-de/windows-10/getstarted-what-is-cortana-mobile
und die dortigen Links.

Was mich im Zusammenhang mit Cortana interessiert, ist der kleine, unscheinbare Satz im oben genannten Wikipedia-Artikel:

“Microsoft bestätigt „personalisierte Sprachmodelle“ anzulegen.”

Leider mit Verweis auf einen Zeitungsartkel der TAZ, der sich als echter Beleg nicht eignet.

Die entscheidende Frage ist: Wo werden die personalisierten Sprachprofile gesammelt? Dass das auf MS-Servern passiert, ist schwer zu beweisen, erscheint aber allein schon aus technischen Gründen plausibel. Es ist viel leichter, zuverlässige Sprach- und Stimm-Erkennung auf geeigneten Servern als z.B. Win 8 oder Win 10 Smartphones zu betreiben. Lässt sich diese Plausibilität untermauern? So zeigen folgende Artikel von MS, dass Cortana auf die Stimme des Benutzers trainiert werden kann.

http://windows.microsoft.com/de-de/windows-10/getstarted-what-is-cortana
http://windows.microsoft.com/de-de/windows-10/getstarted-make-cortana-yours

Nix Neues unter der Sonne und ans ich auch nichts Problematisches – wenn denn die zugehörigen Stimmprofil-Daten nur lokal auf meinem Endgerät vorgehalten würden.

Auf der Suche nach mehr Information gucke ich dann mal auf die durchaus lesenswerte Seite
http://www.windowsphone.com/de-de/how-to/wp8/cortana/cortana-and-my-privacy-faq
und da steht:

“Ihre per
Spracherkennung eingegebenen Bing-Suchanfragen werden wie textbasierte Suchanfragen behandelt und können zur Verbesserung der Bing-Suchergebnisse und zum Bereitstellen passender Werbung für Sie genutzt werden.”

Ok, Ok – das ich mit der Preisgabe meiner Persönlichkeit und Vorlieben für die Nutzung eines Betriebssystems bezahlen muss, ist ja laut meiner Bekannten angeblich “egal”. Unklar ist mir aber immer noch, ob die Sprachaufzeichnung – also mein Stimmmuster – selbst auf MS-Server wandert.

Also wage ich doch noch mal (mit Schaudern) einen Blick in das wirklich informative und seitenlange “Privacy Statement” von Windows 10:
https://www.microsoft.com/en-us/privacystatement/default.aspx
Freundlicherweise gibt es da einen Link namens Cortana. Ich zitiere aus dem entsprechenden Text:

“Speech and Input Personalization. To help Cortana better understand the way you speak and your voice commands, speech data is sent to Microsoft to build personalized speech models and improve speech recognition and user intent understanding. On Windows devices, Cortana can only work if Input Personalization is on, so if you turn it off, Cortana will be disabled. See the Windows Input Personalization section for more information.”

(Hervorhebung von mir.)
Aha,: “speech data is sent to Microsoft to build personalized speech models”. Nun, da liegt die Vermutung doch sehr, sehr nahe, dass es sich hierbei wohl um Audio-Stimmaufzeichnungen handelt. Nehmen wir das mal an.

Dann würde die oben erwähnte Statistik im negativen Fall bedeuten, dass nun auch MS personalisierbare Stimmmuster zu Millionen von Menschen sein Eigen nennt. Ohne Kontrolle darüber, was mit diesen biometrischen Informationen geschieht, wie lange sie aufbewahrt werden und vor allem, wofür und von wem die Inhalte der Fragen, die über Cortana gestellt wurden, genutzt werden.

Deshalb ein wenig Real-“Polemik” – wie die MS Anhänger unter meinen Bekannten das nennen würden:

In einigen Jahren bin ich im Urlaub – irgendwo in Brasilien – und das Hotel stellt seinen Hotelgästen Windows 12 Systeme zur freien Benutzung zur Verfügung. Und weil dort keine anderer Browser verfügbar ist, öffne ich Edge und eine freundliche (vermutlich weibliche) Stimme bittet mich auf Englisch, eine Frage zu stellen. Und weil ich meiner Frau einen Konzertbesuch versprochen habe, frage ich in meiner Not nach “concerts in the city”. Und die freundliche Stimme von MS antwortet mir auf Deutsch:

“Hallo Ralph, schön dass du doch mal wieder ein MS-System benutzt. Du redest leider so selten mit uns! Offenbar bist du im Urlaub. Brasilien ist ein tolles Land. Schön übrigens, das es dir wieder besser geht – nach deinem letztjährigen Infarkt, über den deine Frau bei Facebook schrieb. MS wünscht dir gute Erholung! Aber welche Art von Konzert soll ich dir vorschlagen? Du bestellst doch sonst immer Jazz-MP3s bei Amazon. Also ein Jazz-Konzert? Mit Kjetil Björnstadt – den magst du doch so gerne … Und weil wir schon dabei sind: Unsere neue App zur Stadtführung läuft auch auf deinem Samsung S12 Android-Handy. Wir beantworten dir gerne alle deine Fragen auf deinem nächsten Stadtrundgang … und wenn du eine etwas ausgefallene Kneipe suchst – wie in deinem letzten Urlaub – dann habe ich eine wirklich gute Empfehlung für dich … “.

Personenerkennung über Sprachmuster, Geo-Tracking über Sprachmuster, Ankopplung an Daten zu meinem Verbraucherverhalten, die die großen Konzerne im gegenseitigen Nutzen inzwischen gegenseitig austauschen. Einschätzung meiner aktuellen finanziellen Lage (Urlaub in Brasilien!). Konsumverhalten im Urlaub, etc., etc..

Cortana-Anhänger finden eine solche Entwicklung sicher gut und richtig. Egal auch, ob und zu welchen Zwecken diese Daten ggf. noch von anderen interessierten Organisationen benutzt werden. Wen interessiert es denn in Zukunft noch, wohin personenbezogene Daten
wandern ….

MS kann ich im Moment nur beglückwünschen – der bislang noch geringe Anteil am fast schon verteilt geglaubten Kuchen der kommerzialisierten Nutzung von elektronischen Personenprofilen wird mit dem kostenfreien Windows 10 Home und den oben genannten Zahlen sicher massiv wachsen. Statt “Win-dows” nun also “Win-knows” …. Man sollte wieder MS Aktien kaufen … Dabei hatten sie diese Entwicklung doch fast verschlafen …

Meine früher schon gut gemeinte Bitte an die Nutzer von MS Windows 10 Home, im eigenen Interesse sowohl das sog. “Privacy Statement” als auch das “Service Agreement”, zu dem ihr eure Zustimmung gebt oder schon gegeben habt, bitte wenigsten ein einziges Mal genau durchzulesen, halte ich aufrecht …. Es sind ja nur ca. 45 Seiten. Wenn ihr entsprechende Links sucht: Sie befinden sich am Ende folgenden lesenswerten Artikels:
http://thenextweb.com/microsoft/2015/07/29/wind-nos/

Übrigens: Einige User, die einfach upgegradet haben, sind über Win10 offenbar schon so verärgert, dass Klagen angestrebt werden. Siehe:
http://www.zdnet.de/88253055/nutzer-streben-wegen-windows-10-problemen-sammelklage-gegen-microsoft-an/
Mein Bekanntenkreis gehört wohl nicht dazu …