[pixel_popping]

I doubt workers stealing data (which is more frequent than you might think) will just openly post about it...

Do you really believe it's normal that banks are on Windows? Do you want governments, military and such to be on Windows, really? It's not a popularity contest, we know that most corpos do terrible choice about IT stuff (at least back then and now they are doomed).

It breach basic every security principles, we should be relying on cryptography and not human trust? Would you let your ISP inject a CA in your OS and just rely on the trust of their employees to not look at your traffic? you're building your security model on the assumption that a private corporation's employees won't abuse access they structurally have, you rely on faith which imo is plain wrong. But even, the privacy factor has not been addressed, you are alright with MS correlating your entire life, many wouldn't accept that.

[gambiting]

>>I doubt workers stealing data (which is more frequent than you might think) will just openly post about it.

Can you explain what mechanism is there for Microsoft workers to steal data off my Windows PC that doesn't upload anything to OneDrive? Like I'm genuienly curious - how do they do it?

[pixel_popping]

It depends what you consider data, to me for example, all the devices I use in my home, who comes in my home and such are considered private (as it should, but we might disagree on this), but realize that the moment someone steps-in your home, then the typical correlation of SSIDs, BT devices (to simplify it) is sent as telemtry to MS servers (this is official, I'm not just speculating).

And about pure "data" as in filenames file content and such, then obviously typical Windows Defender, Smartscreen and such that would send file hashes, sometimes content, filenames, mod time and such, making Microsoft directly aware of your filesystem content.

[gambiting]

Right, so there is no way for Microsoft employees to actually steal any data on my PC unless something gets flagged by Microsoft defender and sent to MS for analysis and even then it's not actual full content of the file[0]. Thanks for confirming.

[0] https://learn.microsoft.com/en-us/defender-endpoint/cloud-pr...

[pixel_popping]

Why do you say no way when I just literally pointed you out that they do get data and store them (we don't know the modalities, it's obscure). You took a big shortcut here, you don't consider all your life patterns being data? When your mom visit you at home and MS is aware via your own computer, for you this isn't data? Literally all devices AROUND you are sent and those are directly correlated with real-life identities.

Also, I said "and such" because MS have many mechanisms, for example, they are directly aware of what you download because of SmartScreen, this is data, isn't it?

One more thing, when you type something to search in the Start menu, this is also sent to Microsoft, so for example if you have the habit of searching `XXXFilename`, then this Filename is stored on their servers, this is data. You can disable that by registry sure, but let's be real, users don't disable it.

But keep in mind here we are talking about what's referenced in documentation, while there is so many things that are obscure about it.

You might want to read this article (even tho it's basic): https://www.eff.org/deeplinks/2016/08/windows-10-microsoft-b...

Windows 10 collects unprecedented data, including:

    Location data
    Text, voice, and touch input
    Web pages visited
    App usage (which programs, how long) (beware of CLI flags, they are leaked to MS:))
    Unique device IDs *(that can't be changed, which mean when you go to your friend, plug YOUR mouse to his Windows computer, then MS knows you 2 are besties)*

Also, VSCode by default give away all filepaths you open and more (you can check that yourself), which gives direct data about all projects you work on.

Another example, when you dev, you know that you might have a tendency to install tools, or even install your own output binaries right (let say you build an Electron app), then MS is aware of this, all programs installed are sent, this is data. So, does the MS employees filtering those data can see if you are actively using a Monero wallet? Yes they can. Are you a Tor user? They know immediately (regardless of VPN usage) and so on. This is real data.

Most people enable much more features from MS which then gives away so much more data, the list I gave is only if you disable most of it.

And lastly, about Visual Studio particularly: What's Collected:

- Extension list Every extension you have installed

- Project types What kind of projects you create (web, mobile, desktop, etc.)

- Feature usage Which VS features you use and how often

- Build data Build times, success/failure rates, errors

- Debugger usage Breakpoints hit, debug sessions, time spent debugging

- Search queries What you search for in VS (help, docs, IntelliSense)

- Crash/hang data When VS freezes or crashes, what you were doing

- Performance data Memory usage, responsiveness, load times

- Environment info OS version, hardware specs, screen resolution

- File paths Project folder paths (not file contents)

- Session duration How long you use VS

- Click/interaction events Which menus, buttons, toolbars you interact with

===

Then obviously there is MS Edge but that's a whole beast on its own with next level telemetry (whole history, including admin panels you connect to).

=== What's the definition of data?

[gambiting]

So like I said earlier, thank you for confirming that MS employees have no way of stealing data off my computer outside of information sent either as part of diagnostic info or hashed samples sent to anti virus services. There is no one at Microsoft who can just say "copy gambiting's entire documents folder and send it to us" (afaik). So no, MS employees can't just steal the data off my computer. If you want to be technically anal about this yes, what I type into my start menu is "data" too, sure, you are 100% correct. I don't consider that to be Microsoft employees stealing data off my PC. And that's not even me trying to excuse it - I'm just saying it's not what you initially presented it as.

Going back to your original comment about not using Windows for "serious" work - none of the above stands in the way of serious work, especially given that every above behaviour is disabled by enterprise policy. I will agree with you that personal installations are different, but then we need to agree on the definition of serious work again.

[pixel_popping]

Thanks for debating in good faith, I give you that sure, file content might not be by default (except in multiple scenarios) sent to MS.

For serious work, my philosophy is really regarding the attack surface, I'm mostly working in cybersec/privacy for the last decade and any data that leaves the machine is always a concern, a theoretical one and a practical one, especially if it's obfuscated. Anything that requires human trust to me is a concern (see for example lately the vulnerabilities steaming from npm dependencies, all about human). Privacy is important to me, I don't want anyone to know what I do with my devices (that includes my phones, which has no SIM inside to reduce correlation factor), this is by principle. I have 2 "realms" of work, one where I do accept (example with prompts to commercial LLM providers such as OpenAI...) that privacy and security is compromised, and the other realm where it's non-negotiable.

But I get your point and without being too extreme about it, I can agree that some of my takes are far fetch although they are valid, can I ask why you actually prefer to develop on Windows vs Linux (or MacOS), is it because of habits?

[joe_mamba]

>I doubt workers stealing data (which is more frequent than you might think)

Can you post a source for this? I'm sure every newspaper on the planet would love to publish headlines reading "MS workers are stealing your data", but that would require some actual proof, not made up FUD.

>Do you really believe it's normal that banks are on Windows?

It doesn't matter what I believe, what matters are the facts and reality on the street which is what I'm arguing. You are free to believe whatever you want, that doesn't make you right.

[pixel_popping]

I'm not dying on a hill. From a security standpoint, every "trust" step is a security assumption that you cannot verify (especially on a Samsung phone), I'm just not willing to bet my threat model on the "goodwill" of a corporation whose business model is built on data aggregation, there is no proofs needed (MS has had a ton of breaches the last decade btw), but you do you.

Let me ask you something and make an hypothetical and you must reply in good faith, this is because we don't agree on fundamental points on security:

If you were a wanted criminal that still needs to work online somehow to make money, would you feel safe using Windows?

I think we can agree that privacy and security are heavily intertwined. If your honest answer is no,then that alone tells you something about the OS trust model. And if your answer is "yes", then i'd genuinely like to hear why, because I can't think of a single compelling reason.

[joe_mamba]

You first have to answer my challenges to your original statements, on how banks can use Windows without losing money to hackers, and how MS employees access your data, as per your claims.

I first want to see sources hat back up your claims. Otherwise how can we know you're arguing in good faith and not stringing us along with more FUD and tinfoil conspiracies.