
An immensely powerful and useful tool. Can't live without it. Hopefully the situation resolves soon.

What is it with MS these past few months? It's like they're trying to throw away the little community goodwill they managed to build up over the years.



Quite a lot of community goodwill, unfairly granted. I've lost count of how many times I've read on this very forum, "calling it Micro$oft is childish, they're a changed company, Nadella is better than Ballmer, etc".

They are as hostile to free software as they ever were. Why wouldn't they be? It's antithetical to their business model. The only thing that's changed is how sneaky they are about their time-honored tactic - embrace, extend, extinguish.


Microsoft took the same approach as Bill Gates. Gates's ruthlessness made the public hate him (remember the milkshaking?). He took public relations seriously and put on the nice-guy public-facing image while still being as devious and wretched as he was back then. The Microsoft leaders saw how well this worked for him and used the same tactic.


EEE isn't obsolete, very far from obsolete in fact, they are just playing it (very) long.


I lived through the dark days, they are definitely not as hostile as they used to be. However, that could change at any point with a change in leadership or a bad quarter.


> What is it with MS these past few months?

I was thinking the same. It's not been a good few weeks for them. They're quickly losing trust which was hard to acquire in the first place given their history. Maybe a timely reminder to mention Halloween [1] ?

[1] https://en.wikipedia.org/wiki/Halloween_documents


Are they losing trust though? Many young developers don't remember the height of the EEE days in the 90s and 00s when MS was trying very hard to extinguish free software. These are just stories to them.

Now, MS runs the world's largest source code sharing service and many of these young developers launch proprietary MS code editing tools daily.

We old timers always knew what the end game was, but young people lack the context and so many are already hooked on MS now. It's not obvious to me that they will ever care enough to switch no matter how hostile MS behaves.


> young people lack the context and so many are already hooked on MS now. It's not obvious to me that they will ever care enough to switch no matter how hostile MS behaves.

Not all of us. I had just barely started being willing to trust Microsoft again, and they've repeatedly shown themselves to be hostile since the initial "Github is cool! And WSL! And VSCode!", enough is enough.

I've read the Halloween documents, I know where this goes.


Young free software advocates exist - I'm one. I know about EEE and agree we're in a sorry state.

I have a feeling MS will continue to dominate due to network effects and vscode/wsl being a nice enough experience. It'll take them resting on their laurels or some great act of user hostility to change this status quo.


I remember. It’s also hard to turn down WSL and VSC. They are wonderful products and I’m fairly certain I’m sadly contributing to all this nonsense, but I also need to get my day job done and pay the bills. One day, I hope, large corporations will allow Linux. But at least at mine it’s Windows or macOS, and Apple is far behind the WSL/VSC curve right now and apparently doesn’t have any motivation to catch up. They rely on “you have to use Xcode” right now, which is unfortunate.


They've always been acting as a strong monopolistic corporation with a "fuck you" attitude. Here's a summary of Microsoft's attitude these past 5 years:

- rebrand as open-source friendly, only open-source whatever narrow side-projects they barely care about but could be run on other systems (VSCode, Powershell); distribute official packages with spyware

- monopolize the education system by offering bribes including gratis hardware devices to whoever in State education will work with them to pretend Microsoft loves kids and kids need computers (with Microsoft software, obviously) to learn anything in the 21st century

- force manufacturers to deploy "TPM v2.0" on their new machines so they can run Windows 11, continuing the push so that people have 0 understanding and control over the machines they own (instead are controlled by the machines), and don't have a choice of system because "SecureBoot" [0]

- love Linux! let them integrate all your POSIX/Linux APIs in a VM on their system, so that you never have to use anything else than Windows ever again (embrace...) ; it's just like reverse-Wine (execute Windows program on free systems) except they have an army of developers with $$$$ and don't have to waste time reverse-engineering anything because they have the source code to both systems... how convenient!

- viruses are such a huge problem, if only we had some sort of digital signatures for software, and trustworthy places to get it from?! sure let's have a Microsoft market where you can buy adware/spyware signed by Microsoft, with two key advantages: 1) it's super fast because signed software is not inspected in real time by Windows Defender 2) no one else can make their own "appstore" repository with their own signature keys (like we do with Flatpak/APT/nix/guix) ; very soon they can start to hide how to run programs unapproved by Microsoft like Android or MacOS [1] have been doing... and it's all for security, right? because app-store monopoly has definitely stopped malware (oooh that's a nice flashlight app you got there Google Play) without harming FLOSS/hobbyist devs (yeah sure)

It's just *washing (openwashing here) straight out of marketing textbooks. If you know/learn anything about capitalism and public relations, you won't be tricked next time!

[0] Briefly touched upon in this bigger article about how Microsoft is still evil, why Secure Boot has nothing to do with security, and why hardware manufacturers happily play along: https://www.haiku-os.org/blog/mmu_man/2021-10-04_ok_lenovo_w...

[1] There was even this worrying story at some point that MacOS would refuse to open applications (whether signed or not) because their centralized server could not be reached: https://news.ycombinator.com/item?id=25074959 <-- Soon coming to your Windows setup


Ah, I don't really care about telemetry, but their amazing outlook.com SMTP service rejects mail from small senders, and there's no way to successfully appeal.

Yeey, brave new megacorp world!


Ah, yes:

    Hello,

    My name is [Kumar/Numan/Punith/Suresh/Sachin] and I work with the
    Outlook.com Sender Support Team.

    I do not see anything offhand for the IP (xx.xx.xx.xx) that would
    be preventing your mail from reaching our customers.

    Good bye and fuck off.

In response to complaining that their servers say -

    550 5.7.1 Unfortunately, messages from [xx.xx.xx.xx] weren't sent.
    Please contact your Internet service provider since part of their
    network is on our block list (S3150).

Completely and utterly ridiculous.


At least you got a response! Most people don't. According to some previous blogposts and threads on this topic, apparently if you just contact them often enough, they will after a few months escalate the problem to the competent team and get you unblocked.


Yes, I've done this successfully several times. It usually takes several tries though.


What’s the difference between a small sender and a spam host?


The difference is decided by decent spam filters:

- is the exact same message being sent to many users?

- does it look like previous spam?

- are messages from this host being reported as spam by users?

We have plenty of techniques to filter out spam (those above and technical ones like DKIM to enable host reputation systems) and they mostly work great. What Google/Microsoft are doing is just monopolistic attitude and has nothing to do with spam filtering. Spam from big email servers is still common, but legit emails from smaller servers will not reach intended recipients, and will not produce any indication of that on either side of the communication. It's just silently going in the trash.

If there was at least a decent way to get allowlisted on their side, we could give them the benefit of the doubt and accept that email ecosystem has turned to an opt-in federation model. But the way they do it and prevent recourse is a clear abuse of dominant position to crush the competition.
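An added illustration (not code from this thread) of the three heuristics the comment above lists, plus a DKIM check, as a toy per-host reputation scorer: it shows a sender being judged on behaviour (fan-out, resemblance to reported spam, user reports, replies) rather than on volume, so a low-volume personal sender scores clean while a bulk host does not. All hosts, addresses and message bodies are constructed.

```python
# Added illustration, not code from the thread: a toy per-host reputation
# scorer applying the three heuristics the comment lists (one body fanned
# out to many recipients, similarity to previously seen spam, user spam
# reports) plus a DKIM check, so a sender is judged on behaviour rather
# than on volume. All hosts, addresses and message bodies are constructed.
import hashlib
from collections import defaultdict
from difflib import SequenceMatcher

# Constructed corpus of bodies recipients previously reported as spam.
KNOWN_SPAM = [
    "You have won a prize! Click here to claim your reward now",
    "Urgent: your account will be suspended, verify your password here",
]


def msg(host, rcpt, body, reported=False, replied=False, dkim_valid=True):
    """One message plus what the receiving side learned about it afterwards."""
    return {"host": host, "rcpt": rcpt, "body": body, "reported": reported,
            "replied": replied, "dkim_valid": dkim_valid}


BULK = "You have won a prize!! Click here to claim your reward"
# Constructed traffic: a bulk host blasting one body at several recipients,
# and a low-volume personal sender whose recipients actually reply.
MESSAGES = [
    msg("203.0.113.7", "a@dst.example", BULK, reported=True),
    msg("203.0.113.7", "b@dst.example", BULK, reported=True),
    msg("203.0.113.7", "c@dst.example", BULK, reported=True),
    msg("203.0.113.7", "d@dst.example", BULK.upper()),
    msg("198.51.100.5", "bob@dst.example",
        "Hi Bob, are we still on for lunch Thursday?", replied=True),
    msg("198.51.100.5", "carol@dst.example",
        "Carol, here are the notes from yesterday's meeting, see attached."),
]


def body_fingerprint(body):
    """Hash a case- and whitespace-normalised body so trivial variants collide."""
    return hashlib.sha256(" ".join(body.lower().split()).encode()).hexdigest()


def looks_like_known_spam(body, threshold=0.8):
    """Fuzzy match against the reported-spam corpus (heuristic 2)."""
    return any(SequenceMatcher(None, body.lower(), s.lower()).ratio() >= threshold
               for s in KNOWN_SPAM)


def score_hosts(messages):
    """Return {host: {"score": float, "verdict": str, "messages": int}}."""
    by_host = defaultdict(list)
    for m in messages:
        by_host[m["host"]].append(m)
    results = {}
    for host, msgs in by_host.items():
        rcpts_per_body = defaultdict(set)
        for m in msgs:
            rcpts_per_body[body_fingerprint(m["body"])].add(m["rcpt"])
        # Heuristic 1: the same body fanned out to several distinct recipients.
        bulk = 1.0 if max(len(r) for r in rcpts_per_body.values()) >= 3 else 0.0
        # Heuristic 2: fraction of bodies resembling previously reported spam.
        similar = sum(looks_like_known_spam(m["body"]) for m in msgs) / len(msgs)
        # Heuristic 3: fraction of messages recipients reported as spam.
        reported = sum(m["reported"] for m in msgs) / len(msgs)
        # Replies are strong evidence the mail was wanted; they offset the rest.
        replied = sum(m["replied"] for m in msgs) / len(msgs)
        # Unsigned traffic cannot build domain reputation, so it gets a small penalty.
        dkim_penalty = 0.0 if all(m["dkim_valid"] for m in msgs) else 0.1
        score = 0.35 * bulk + 0.25 * similar + 0.3 * reported - 0.3 * replied + dkim_penalty
        results[host] = {"score": round(score, 2), "messages": len(msgs),
                         "verdict": "spam_host" if score >= 0.5 else "ok"}
    return results
```

The weights and the 0.5 cut-off are illustrative choices; a real filter would learn them and keep the verdict per signing domain once DKIM validates, not per bare IP.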


What's similar between them? A spam host will likely be high volume of similar-looking email sent to users who will never reply and most probably trash/spam-categorize the email. A small, single-user sender will likely be *very* low volume of fairly different-looking email sent to users who will likely answer and otherwise interact with the mail. They have literally nothing in common.

Before I moved to fastmail, my email was consistently getting nullrouted by Microsoft. Everything was set up correctly (SPF, DKIM, DMARC, ARC, etc...), and every other mail host I tried would receive my mail correctly. I send out a very low amount of email (3-4 per month?).


My old university mailbox got migrated to Microsoft, and now people who don't use a professional mail provider (gmail, yahoo, etc..) basically can't send to that address.

We (small devshop + some hosting + self-hosted email) hosted a few things for a foundation for years, and about two years ago they migrated the mail stuff to MS. (We continue to host a few sites, domains, DNS.) Now when they need something and send us an email we can't reply, because our IP is "listed".

Okay, I know spam can be bad, and fine-tuning spam filters is a PITA, so let's go through the delisting process, surely with enough perseverance eventually MS will tolerate us into their graces.

Well, it has been more than a year now, and still no luck.

---

We have completed reviewing the IP(s) you submitted. The following table contains the results of our investigation.

Not qualified for mitigation x.x.x.x Our investigation has determined that the above IP(s) do not qualify for mitigation.

...

¯\_(ツ)_/¯


do you mean you never received spam from @gmail.com? Lucky you!


With a proper rspamd setup, gmail is the only source of delivered spam for me.


Re: app store. That's not quite fully correct. It's obscure and not well known but actually, Microsoft isn't doing what you claim.

1. Any signed app with good reputation will be ignored by Windows Defender and other AV tools. That's how Windows security works: the anti-virus programs focus their attention on activity by code that they don't recognize. Signatures are how to handle "good" polymorphic code like app updates whilst stopping "bad" polymorphic code like viruses that constantly rewrite themselves. This isn't connected to the app store.

2. You can in fact make your own app store. Windows 10 comes with something called App Installer. You put an MSIX file and a .appinstaller file on your web server, and open the XML file with a special protocol handler. The app is downloaded, installed, lightly sandboxed (but not aggressively so: win32 apps will work fine), and Windows keeps it up to date for you. This is basically the same experience as the App Store itself, but decentralized.


Note that Secure Boot does have a minor advantage for encryption at rest, making much weaker passwords acceptable. I am happy my work laptop has Secure Boot. And I get why they lock down their device for me to use.

For devices I own, I gotta control the secure boot, or I simply don't own it.


In theory, yes. In practice, what control do you have over the hardware? Can't basically anyone with a few million dollars to throw at the problem compromise any form of Secure Boot? If you're NSA, no need to go so far... they've probably got access to the Microsoft root signing key.

If the schematics and code to the TPM were free and there were "tamper evidence" mechanisms in place, we could argue secure boot had some benefits for security. But in its current forms, it's just preventing users from owning their devices with little evidence for security for determined attackers.

Machines should be simpler and auditable: that's how reliable security works. Adding piles of shit on top of the other piles of shit is just producing more overall shit.


> Can't basically anyone with a few million dollars to throw at the problem compromise any form of Secure Boot?

Probably. But if my laptop gets stolen I would rather have the thief needing to spend a few million dollars in order to defeat Secure Boot.

Now if I were to worry about state level espionage I would combine the secure boot with a strong password for device theft, and not bring the device anywhere a long-term evil maid attack might occur. But in that case I am still happy if my stolen laptop requires a few million dollars, and that an evil maid also needs to somehow defeat secure boot before being able to do anything to some of my device.

Secure boot isn't perfect. But no practical security measure is. Secure boot is effective at making attacks more difficult, and that means it has value.

It just so happens that such value is most relevant for company-based security. And sadly it seems to be pushed on private devices for other reasons. But the move towards abuse of secure boot does not mean we should ignore the security benefits it gives to company-issued laptops.


LOL @ "narrow side-projects" such as VSCode and Powershell ?


Yup, we're still far from having open source Windows, Active Directory, SQL Server, Teams, Github, Office... or any "central" product essential to their business offers.


I can live without Teams, Github, Office, Sql Server, Active Directory - all have alternatives and in most cases better. Teams, really ?


Where did they actually do nice things?

VSCode is still not entirely open source and the official builds have spyware included.


It's honestly weird to see "Telemetry" labeled as "Spyware" by technical people that, quite frankly, should know better.

Spyware is NOT the same as gathering Telemetry data.

You can also just turn off Telemetry in VSCode in the settings.

I think a vast majority of people on HN gather data on customer usage of the products that they build. Because it ultimately makes us able to tailor the products better for our customers. It's just ignorant to put this in the same category as applications that slurp up as much data as they can for e.g. ad-profiles or to sell that data off to the highest bidder.


> It's honestly weird to see "Telemetry" labeled as "Spyware" by a technical people that, quite frankly, should know better.

It's precisely because it's technical people who know better that you see "telemetry" labeled as "spyware", which it is, and it's how we called it back in the 1990s/2000s.

The only reason people these days call spyware "telemetry", is because it got normalized by large companies, and is now defended by devs who figure it's better to ship spyware to people than to give a damn and talk with users.


> Spyware is NOT the same as gathering Telemetry data.

Telemetry and spyware differ only in the way collected data is used.


I would say the intent very much dictates the what and how of Telemetry as well. There's a huge difference between gathering data on feature usage of VSC vs e.g. slurping up the code from its users.

A lot of software lets you opt-out from Telemetry gathering when you install it. I would not think Spyware would do this.

And I feel like saying it's "only in the way collected data is used" really makes a small thing out of something that is very important. There's a very big difference in doing something maliciously and doing it to genuinely try to make your software better!


Actually there are of course different levels of bad, like in any other area of human endeavor. Many criminals who would happily break your car window to steal your laptop wouldn't kill you to sell your kidneys.

Lots of spyware that wants to remain on one side of a less dramatic divide simply provides "options" for example in the installer that are opt in and vaguely defined that no sane individual fully understanding his options would opt for.

Such software isn't usually cryptolocking your family pictures; instead it's frequently grossly violating your privacy and selling your time and attention to third parties, who in turn may opt to use this bought-and-paid-for back door into your computer to waste your time or cryptolock your family pictures.

Here's a clue. If you have to make a feature opt out because nobody on earth would opt in given time and expertise sufficient to understand your offer then you are victimizing your user. I cannot think of a case where any data collection being anything other than opt in would be acceptable.


> Telemetry and spyware differ only in the way collected data is used.

No, they first and foremost differ in the kind of data that is collected. Spying is not spying if you only anonymously collect information about how frequently a feature/future/option is used.


What if you repeatedly fail to anonymize the information and also collect user-entered data like command line arguments?

https://github.com/dotnet/sdk/issues/6145


Well, you make my point. What you linked to is definitely not telemetry.


So is your point that what Microsoft is doing is in fact spyware and not technically "telemetry", since what I linked to is what they are actually doing? In that case, to avoid confusion, we should stop referring to it as telemetry.


Yes, agreed. In that example, that was spyware, but calling "telemetry" spyware by default is wrong.


> What you linked to is definitely not telemetry.

So, the OP was correct in calling it just spyware?

Why do people jump into defending corporations that repeatedly abuse their customers when they do unknowable hidden actions?


We're not defending any company here, don't twist my words. I am saying "telemetry" is not spyware, if it actually serves its purpose. Companies abusing "telemetry" to extract more information than they should is a different story.


I disagree - they are correct because once collected, the data is fed into a black box, and a user has no way of knowing if the data collected is - by your definition - spyware or telemetry. The best way to treat this Schrödinger's telemetry is to assume it's spyware.


Would it be OK if the NSA required it? No? Well, it's not OK for your OS vendor to require it, either.

And the illusion that it will always be possible to disable telemetry is just that, an illusion.


What did you expect? Microsoft labeling their data collection actions as "spyware" themselves? "Spyware" is a term used by people who oppose data collection they didn't ask for. "Telemetry" is a euphemism used by the ones that build this data collection into their apps.


I expect professionals to be able to distinguish between the two instead of being suckered into some sort of hive-mind thinking of "all data gathering bad hurr durr".

I'm absolutely all for privacy and limiting unnecessary gathering of data. But there's nuances to this discussion and labeling everything that has any amount of telemetry as "Spyware" does not do anyone any good.


> some sort of hive-mind thinking of "all data gathering bad hurr durr"

Maybe it's not "hurr durr" and people have a legitimate reason to hold that opinion. To those people, any distinction between spyware and "good" telemetry is merely academic and effectively irrelevant.


https://github.com/dotnet/sdk/issues/6145

My favorite part is when someone figures out "telemetry" includes the MAC address, and the dev team just goes completely silent.


The MAC address is very important for developers. It tells them which GUI elements are accessed, what error messages are common and what features of the program are accessed.


For some reason developers think they're magically exempt from judgement of their data harvesting. I don't want you monitoring my activity on my goddamn devices, however much you yammer on about having good intentions. The act itself is hostile, and that's why developers are so goddamn sneaky about it. You're invading privacy and creating metadata records that are trivially deanonymized.

There's an honest, non-sneaky way of gathering usage information: pay for rigorous testing and price the cost into the product. Telemetry is lazy, invasive, and user-hostile by default. Every bit of information acquired from users should be given with informed consent or not collected at all.


From what I've seen the invasive data harvesting often does not come from developers themselves, but is rather requested by product and BI wanting to get more insights into the customers.

It's hard to really stand up to that kind of situation.


True, and how else should any developer know what food the user had yesterday?


You forgot a pretty relevant part:

Hashed MAC address: a cryptographically (SHA256) anonymous and unique ID for a machine.

Although I disagree that they should have this to begin with, it being anonymized is still a pretty important detail.


The important part of them having the MAC address is that it IS a unique ID. If it wasn't a unique ID, then it wouldn't matter if they had it, because their purpose in taking it is to identify you. So whether it's hashed or not is completely irrelevant.

The fact that they are taking uniquely identifiable information from you, and the fact that their company is as deep in the Ad game as Google, is more than damning enough.


Collecting data to "improve" programs and then not doing any improvement really looks like spyware.


It isn't professional to find fitting euphemisms. Either the user has control over the data collection or he doesn't.

"hurr durr" strawmen on the other hand...


From my POV (user), how do I know if my data is being aggregated correctly and not being sold?

As a developer, how do you know the data you're collecting now won't be used maliciously in the future by your org?


My issue with telemetry is it increases the chances of data leakage. I don't care if Microsoft gets data on what commands I'm selecting from the menus. What I do care about is that they record any free-form entries. Let's say they want to know everything I type in the command palette so they can figure out if they should add aliases for certain actions. That doesn't sound too bad until you consider the case where you tried to paste in what you were looking for, but forgot that you had something very personal in the clipboard. Once that happens, you just have to hope that the first person to see it is a good enough person to wipe all traces of that info out.


If it is unwanted, it is spyware in any case. Have an option to disable it and you would have a case. Otherwise you do spy on the behavior of people.

We don't collect customer data, we ask for feedback directly.


> You can also just turn off Telemetry in VSCode in the settings.

Such a feature should be disabled by default.


By the same standard, Apple telemetry should also be labelled as "spyware" yet nobody would bat an eyelid at Apple mentioning data of their telemetry reports.


Thank you for saying this. For those who don't know about the open-source release of VSCode, check out https://vscodium.com/


I use VSCodium every day, and recommend it over VSCode to everyone; however, due to Microsoft's locked-down plugins, particularly the ones related to remote development and debugging, there are certain things which can be done with VSCode and not VSCodium.

It's worth bearing in mind for those considering switching.


SSH FS, a third-party extension seems to work well with VSCodium: https://github.com/SchoofsKelvin/vscode-sshfs


They mean Microsoft's plugins -- they just work with VSCode on purpose.


This one is an alternative to the remote development tooling which doesn't work on VSCodium. It is certainly not a full replacement, but you get to poke around the files on the remote system and run commands over SSH.


Yes, but unfortunately if you want to use something like Okteto[0] it requires the microsoft plugin. There are other third party plugins and tools tightly bound to the Microsoft ones making them unfortunately unusable.

[0]https://okteto.com/


Sadly, MS has locked-out the extremely useful and popular PlatformIO from being available in vscodium.


Trusting a company with the history of Microsoft (and its size) is at least naive. Not one of the mistakes I made in my life.


The motivation seems pretty obvious to me: they want to obscure as much as possible what's going on inside the OS.


Shareholders are getting anxious.



Some nth derivative growth metric is slowing down, so the company is actually doomed unless it does some shady shit.


What goodwill?



