I am shocked.

It has long been known among programmers that one of the most dangerous theoretical attack vectors against legitimate software is to hack the compiler. When we do code reviews and evaluations to verify that a program is OK, we look at the source code.

Today I read that Microsoft has exploited the compiler attack vector. In Visual Studio 2015, they add telemetry code in the programs that are compiled. If I for example create an application for whistle-blowers where they can contact the press in secret, Microsoft will be able to identify the PCs used by the whistle-blowers. Windows 10 will probably already phone home and tell Microsoft what apps /all/ Windows PCs are running. This however adds the same information sharing from Windows applications running in non-Microsoft environments, like emulated Windows under Linux. The "feature" was undocumented, and the source code for the telemetry library withheld "by accident" (it's part of the CRT run-time).

What this means is that no technology whatsoever that involves anything from Microsoft should or can be trusted with any confidential data. If you are a whistle-blower, you cannot use Windows or executable files compiled by the Microsoft compiler. If you want any shred of privacy - the same.

Microsoft has broken trust and shocked decent people countless times in the past. They have acted like the Mafia. They have done unspeakable things to competitors (and "partners"). However, injecting telemetry code in /my/ programs, without informing me or asking for my consent, is outrageous. It's not just being Evil, - it's turning my legitimate software - and millions of other developers' software - into spyware. If I compile the War FTP Daemon with this compiler - my 20 year old free software project will turn into a virus overnight.

Just to emphasize: It is not (just) the Visual Studio 2015 C++ compiler that phones home. All C++ applications compiled with it will also phone home (to Micro$oft). In secret, without the developers even knowing about it. I don't yet know if the programs call Micro$oft directly, or if they go through some of the "telemetry" "features" in Windows. So maybe this only affects people running actual versions of Windows.

Fuck you Micro$oft! Fuck you so much!
Ref: Thread on reddit about this scandal.

In order to disable this feature for now (the only safe way for developers to deal with this is to use a different C++ compiler and cross-compile to Windows from another operating system): add this to your code:

// Provide no-op definitions of the CRT telemetry hooks in your own
// translation unit, so the linker resolves these symbols to the empty
// functions below instead of the versions in the static CRT library.
// MSVC-specific: _cdecl is the MSVC spelling of the cdecl calling convention.
extern "C"
{
    void _cdecl __vcrt_initialize_telemetry_provider() {}
    void _cdecl __telemetry_main_invoke_trigger() {}
    void _cdecl __telemetry_main_return_trigger() {}
    void _cdecl __vcrt_uninitialize_telemetry_provider() {}
}
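To check whether a build artifact actually references these hooks before or after applying the override, here is a small scanner I'm adding as an example (it is not from the post above or from Microsoft). It does a byte-level search for the four symbol names the post lists; the substring match also catches the x86 decorated form with a leading underscore. It assumes you run it against .obj files or the CRT .lib the linker pulls in, where symbol names are kept; a stripped release executable may not carry the names at all, and a hit only proves the compiler emitted a reference, not what the referenced code does. The sample object-file fragments are constructed inline.

```python
"""Scan compiled artifacts for references to the VS2015 CRT telemetry hooks.

Added example, not code from the post. The sample data below is constructed,
not taken from a real object file.
"""
from __future__ import annotations

import sys

# The four hook names quoted in the post. A plain substring match also
# catches the x86 decorated form (one extra leading underscore).
TELEMETRY_SYMBOLS = (
    b"__vcrt_initialize_telemetry_provider",
    b"__telemetry_main_invoke_trigger",
    b"__telemetry_main_return_trigger",
    b"__vcrt_uninitialize_telemetry_provider",
)


def find_telemetry_symbols(data: bytes) -> list[str]:
    """Return the hook names present in `data`, in TELEMETRY_SYMBOLS order."""
    return [sym.decode() for sym in TELEMETRY_SYMBOLS if sym in data]


def scan_file(path: str) -> list[str]:
    """Read a file as raw bytes and report which hook names it references."""
    with open(path, "rb") as fh:
        return find_telemetry_symbols(fh.read())


# Constructed sample: a fake x86 object-file fragment that references two
# of the hooks (decorated with the extra leading underscore) plus some
# unrelated symbol names.
SAMPLE_OBJ = (
    b"\x4c\x01\x03\x00" + b"\x00" * 16
    + b"___telemetry_main_invoke_trigger\x00"
    + b"_main\x00_printf\x00"
    + b"___telemetry_main_return_trigger\x00"
)

# Constructed sample: a fragment with no telemetry references.
CLEAN_OBJ = b"\x4c\x01\x03\x00" + b"_main\x00_printf\x00"


if __name__ == "__main__":
    paths = sys.argv[1:]
    if not paths:
        print("sample object:", find_telemetry_symbols(SAMPLE_OBJ))
        print("clean object:", find_telemetry_symbols(CLEAN_OBJ))
    for path in paths:
        hits = scan_file(path)
        print(f"{path}: {hits if hits else 'no telemetry hook names found'}")
```

Run it as `python scan.py main.obj libvcruntime.lib` (or with no arguments to see the constructed samples). An empty result on a .obj compiled from a file that contains `main` is the signal you want; a hit means the object still carries a reference to the hooks, and only the linker's choice of definition decides whether that reference ends up at a no-op.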