Saturday, 17 October 2015

Windows 10 Upgrades Are Being Forced On Some Users

URL: http://rss.slashdot.org/~r/Slashdot/slashdot/~3/JpOsLJfTByA/windows-10-upgrades-are-being-forced-on-some-users

grimmjeeper writes: According to Ars Technica the Windows 10 upgrade option is being selected by default for some users. A dialogue box is appearing that only permits them to reschedule the upgrade process, not cancel it. "For the first year of its availability, Windows 10 is available for free to most Windows 7 and 8 users, and Microsoft has been trying to coax those users to make the switch by delivering the operating system through Windows Update. Until now, the OS has been delivered as an optional update; while Windows Update gives it prominent positioning, it shouldn't be installed automatically. This system has already generated some complaints, as Windows Update will download the sizeable operating system installer even if you don't intend to upgrade any time soon, but, over the last couple of days, the situation seems to have become a little more aggressive. We've received a number of reports that people's systems are not merely downloading the installer but actually starting it up." Update: 10/16 11:35 GMT by S: Microsoft said, "In the recent Windows update, this option was checked as default; this was a mistake and we are removing the check."

Monday, 5 October 2015

Microsoft sites expose visitors’ profile info in plain text

URL: http://arstechnica.com/security/2015/10/microsoft-sites-expose-visitors-profile-info-in-plain-text/

The CID, a unique identifier for Microsoft accounts, is used as part of the hostname for the location of user data for Outlook.com, Microsoft accounts, and other Live services. (credit: Sean Gallagher)

If you think using secure HTTP would be enough to protect your privacy when checking webmail, think again. When users connect to their Microsoft user account page, Outlook.com, or OneDrive.com even when using HTTPS, the connection leaks a unique identifier that can be used to retrieve their name and profile photo in plaintext.

A unique identifier called a CID is exposed because it's sent as part of a Domain Name Service lookup for the address of the storage server containing profile data and as part of the initiation of an encrypted connection. As a result, it could be used to track users when they connect to services from both computers and mobile devices, possibly even identifying users as their requests leave the Tor anonymizing network.

In a lab test, Ars confirmed the leak, first publicized this weekend by a blogger based in Beijing. Packet captures of connections to Outlook.com, the Windows account page, and OneDrive.com revealed DNS lookup requests for a host with the format cid-[user's CID here].users.storage.live.com. The CID is also embedded in the Server Name Indication (SNI) extension data exchanged during the Transport Layer Security "handshake" that secures the session to the services, as Ars confirmed in an inspection of the packets.
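The two places the article says the identifier is visible, the DNS question name and the TLS Server Name Indication, are both sent before any encryption is negotiated. The following Python script is an added example (not Ars Technica's test harness or any Microsoft code) that shows why a packet capture reveals the CID: it builds a constructed DNS query and a constructed TLS 1.2 ClientHello for a hostname of the form cid-[CID].users.storage.live.com, parses both as an analyst reviewing a capture would, and flags the identifier. The CID value and its hex encoding are assumptions for illustration; the article does not specify the identifier's format.

```python
import re
import struct
from typing import Optional

# Hostname pattern from the article: cid-<CID>.users.storage.live.com
# Hex CID is an assumption; the article does not describe the identifier's encoding.
CID_HOST_RE = re.compile(r"^cid-([0-9a-f]+)\.users\.storage\.live\.com$", re.IGNORECASE)


def build_dns_query(hostname: str) -> bytes:
    """Constructed DNS A query in wire format (12-byte header + question)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode() for label in hostname.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN


def parse_dns_qname(packet: bytes) -> str:
    """Read the first question name from a DNS query; it travels in plaintext."""
    pos = 12  # skip the fixed header
    labels = []
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        labels.append(packet[pos:pos + length].decode())
        pos += length
    return ".".join(labels)


def build_client_hello(sni: str) -> bytes:
    """Constructed TLS 1.2 ClientHello carrying a server_name (SNI) extension."""
    name = sni.encode()
    entry = b"\x00" + struct.pack("!H", len(name)) + name          # host_name type + name
    name_list = struct.pack("!H", len(entry)) + entry
    sni_ext = struct.pack("!HH", 0x0000, len(name_list)) + name_list
    body = (
        b"\x03\x03"                                # client_version
        + b"\x00" * 32                             # random (zeroed for the example)
        + b"\x00"                                  # session_id length 0
        + struct.pack("!H", 2) + b"\xc0\x2f"       # one cipher suite
        + b"\x01\x00"                              # one compression method: null
        + struct.pack("!H", len(sni_ext)) + sni_ext
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body     # handshake type ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_sni(record: bytes) -> Optional[str]:
    """Extract server_name from a ClientHello record, or None if it carries no SNI."""
    if record[0] != 0x16 or record[5] != 0x01:
        return None
    pos = 5 + 4 + 2 + 32                 # record hdr, handshake hdr, version, random
    pos += 1 + record[pos]               # session_id
    pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + record[pos]               # compression_methods
    ext_total = struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_total
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", record[pos:pos + 4])
        pos += 4
        if ext_type == 0x0000:
            # server_name_list: list length(2), name type(1), name length(2), name
            name_len = struct.unpack("!H", record[pos + 3:pos + 5])[0]
            return record[pos + 5:pos + 5 + name_len].decode()
        pos += ext_len
    return None


def exposed_cid(hostname: str) -> Optional[str]:
    """Return the CID when the hostname matches the leaking pattern, else None."""
    m = CID_HOST_RE.match(hostname)
    return m.group(1) if m else None


if __name__ == "__main__":
    host = "cid-0123456789abcdef.users.storage.live.com"   # constructed sample
    for source, observed in (("DNS", parse_dns_qname(build_dns_query(host))),
                             ("SNI", parse_sni(build_client_hello(host)))):
        print(f"{source}: {observed} -> CID {exposed_cid(observed)}")
```

Running the script against the constructed sample prints the same hostname recovered from both the DNS question and the SNI field, which is the point the capture makes: the identifier is readable by anyone on the path regardless of HTTPS. The same `exposed_cid` check can be applied to hostnames pulled from DNS resolver logs or from a capture tool's SNI output to confirm whether a given client is leaking the identifier.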
