sman

A lively band.. I really love country music and used to watch TCN network, but of late it has become premium , so watching the YT channel of it in freeintertv..

"http://www.freeintertv.com/view/id-3334/1-1-0-1"

CVE-2019-14899] Inferring and hijacking VPN-tunneled TCP connections. "https://seclists.org/oss-sec/2019/q4/122" From: "William J. Tolley" <william () breakpointingbad com> Date: Wed, 04 Dec 2019 19:37:07 -0700 Hi all, I am reporting a vulnerability that exists on most Linux distros, and other *nix operating systems which allows a network adjacent attacker to determine if another user is connected to a VPN, the virtual IP address they have been assigned by the VPN server, and whether or not there is an active connection to a given website. Additionally, we are able to determine the exact seq and ack numbers by counting encrypted packets and/or examining their size. This allows us to inject data into the TCP stream and hijack connections. Most of the Linux distributions we tested were vulnerable, especially Linux distributions that use a version of systemd pulled after November 28th of last year which turned reverse path filtering off. However, we recently discovered that the attack also works against IPv6, so turning reverse path filtering on isn't a reasonable solution, but this was how we discovered that the attack worked on Linux. Adding a prerouting rule to drop packets destined for the client's virtual IP address is effective on some systems, but I have only tested this on my machines (Manjaro 5.3.12-1, Ubuntu 19.10 5.3.0-23). This rule was proposed by Jason Donenfeld, and an analagous rule on the output chain was proposed by Ruoyu "Fish" Wang of ASU. We have some concerns that inferences can still be made using slightly different methods, but this suggestion does prevent this particular attack. There are other potential solutions being considered by the kernel maintainers, but I can't speak to their current status. I will provide updates as I receive them. I have attached the original disclosure I provided to distros () vs openwall org and security () kernel org below, with at least one critical correction: I orignally listed CentOS as being vulnerable to the attack, but this was incorrect, at least regarding IPv4. We didn't know the attack worked against IPv6 at the time we tested CentOS, and I haven't been able to test it yet. William J. Tolley Beau Kujath Jedidiah R. Crandall Breakpointing Bad & University of New Mexico ************************************************* **General Disclosure: We have discovered a vulnerability in Linux, FreeBSD, OpenBSD, MacOS, iOS, and Android which allows a malicious access point, or an adjacent user, to determine if a connected user is using a VPN, make positive inferences about the websites they are visiting, and determine the correct sequence and acknowledgement numbers in use, allowing the bad actor to inject data into the TCP stream. This provides everything that is needed for an attacker to hijack active connections inside the VPN tunnel. This vulnerability works against OpenVPN, WireGuard, and IKEv2/IPSec, but has not been thoroughly tested against tor, but we believe it is not vulnerable since it operates in a SOCKS layer and includes authentication and encryption that happens in userspace. It should be noted, however, that the VPN technology used does not seem to matter and we are able to make all of our inferences even though the responses from the victim are encrypted, using the size of the packets and number of packets sent (in the case of challenge ACKs, for example) to determine what kind of packets are being sent through the encrypted VPN tunnel.

Europe’s digital future starts now! We equip Europe with key technologies such as browsers and an independent search engine. "https://cliqz.com/en/" A New Search Engine Cliqz Journey "https://0x65.dev/blog/2019-12-05/a-new-search-engine.html"

Wow @David H. Lipman a myriad of alerts collection.. could not play flash version(.swf) had to convert .swf to .mp4 and watch in player.. I too will miss flash, since I use chrome extn's to capture flash media (YT, other sites embedded media)..

Faulty Driver Coding Exposes Microsoft Windows to Malware Risks "https://www.technewsworld.com/story/86187.html" Numerous driver design flaws by 20 different hardware vendors expose Microsoft Windows users to widespread security compromises that can cause persistent malware attacks. A report titled "Screwed Drivers," which Eclypsium security researchers presented at DEF CON last weekend, urges Microsoft to support solutions to better protect against this class of vulnerabilities. Microsoft should blacklist known bad drivers, it recommends. The insecure drivers problem is widespread, Eclypsium researchers found, with more than 40 drivers from at least 20 different vendors threatening the long-term security of the Windows operating system. The design flaws exist in drivers from every major BIOS vendor, including hardware vendors Asus, Toshiba, Nvidia and Huawei, according to the report. The research team discovered the coding issues and their broader impacts while pursuing an ongoing hardware and firmware security study involving how attackers can abuse insecure software drivers in devices. "Since our area of main focus is hardware and firmware security, we naturally gravitated into looking at Windows firmware update tools," said Mickey Shkatov, principal researcher at Eclypsium. "Once we started the process of exploring the drivers these tools used we kept finding more and more of these issues," he told the E-Commerce Times. The driver design flaws allow attackers to escalate user privilege so they can access the OS kernel mode. That escalation allows the attacker to use the driver as a proxy to gain highly privileged access to the hardware resources, according to the report. It opens read and write access to processor and chipset I/O space, model specific registers (MSR), control registers (CR), debug registers (DR), physical memory and kernel virtual memory. "Microsoft has a strong commitment to security and a demonstrated track record of investigating and proactively updating impacted devices as soon as possible. For the best protection, we recommend using Windows 10 and the Microsoft Edge browser," a Microsoft spokesperson said in comments provided to the E-Commerce Times by company rep Rachel Tougher.

China Introduces Mandatory Face Scans For New Mobile Phone Users "https://www.bbc.com/news/world-asia-china-50587098" People in China are now required to have their faces scanned when registering new mobile phone services, as the authorities seek to verify the identities of the country's hundreds of millions of internet users. The regulation, announced in September, was due to come into effect on Sunday. The government says it wants to "protect the legitimate rights and interest of citizens in cyberspace". China already uses facial recognition technology to survey its population. It is a world leader in such technologies, but their intensifying use across the country in recent years has sparked debate. What are the new rules? When signing up for new mobile or mobile data contracts, people are already required to show their national identification card (as required in many countries) and have their photos taken. But now, they will also have their faces scanned in order to verify that they are a genuine match for the ID provided. China has for years been trying to enforce rules to ensure that everyone using the internet does so under their "real-name" identities. In 2017, for example, new rules required internet platforms to verify a user's true identity before letting them post online content. The new regulation for telecom operators was framed by the Ministry of Industry and Information Technology as a way to "strengthen" this system and ensure that the government can identify all mobile phone users. Most Chinese internet users access the web via their phones. Xinjiang police 'monitor citizens by app' 'Deepfake' app causes fraud and privacy fears in China China teen killing sparks internet boot camp debate Jeffrey Ding, a researcher on Chinese artificial intelligence at Oxford University, said that one of China's motivations for getting rid of anonymous phone numbers and internet accounts was to boost cyber-security and reduce internet fraud. But another likely motivation, he said, was to better track the population: "It's connected to a very centralised push to try to keep tabs on everyone, or that's at least the ambition." Are people worried? When the regulations were announced in September, the Chinese media did not make a big deal of it. But online, hundreds of social media users voiced concerns about the increasing amount of data being held on them. "People are being more and more strictly monitored," one user of the Sina Weibo microblogging website said. "What are they [the government] afraid of?" In September, the Chinese government said it planned to "curb and regulate" the use of facial recognition technology in schools after reports a university was trialling using it to monitor the attendance and behaviour of students. Mr Ding said it was clear that there is increasing backlash against China's widespread adoption of facial recognition technology. Such criticism used to focus on fears of data theft, hacking and abuses by commercial companies, he said. However, increasingly, citizens seem willing to criticise how the Chinese government might exploit such data to track the population.

ScreenWings can block malicious programs from taking screenshots ScreenWings is a free anti-screenshoting software that prevents (malicious) software from capturing your screens. If you want to test the security of ScreenWings, try Snipping Tool, pressing "Print" or any capturing software! By starting ScreenWings with the "-Ghost" parameter, you can hide all UI elements and automate its protection. "https://schiffer.tech/screenwings.html" "https://schiffer.tech/" "https://www.ghacks.net/2019/11/22/screenwings-can-block-malicious-programs-from-taking-screenshots/" Let's take a look at a freeware anti-screenshot tool, ScreenWings. First of all, we need to answer a question: why do we need such an application. Short answer, privacy. There are many kinds of malware out there on the internet, some of which are intended to steal user information. While most target user credentials, i.e., your username and password, low-level malware like screen loggers may capture a screenshot of the content on your monitor and secretly send it to the malware creator. There is also the case where someone else who has physical access to the system may capture screenshots, or may install software that does so automatically. ScreenWings can block malicious programs from taking screenshots So, let's say a screen logger infects your computer, and even if your password is obscured by the password field box, your username which is normally an email address becomes compromised. Well, technically such a malware can take screenshots of other information too, like your email inbox, bank statement, social network, private information and anything you do online. This is the problem that ScreenWings tries to address. How to use ScreenWings It is a portable application which means you can carry it with you on a USB Flash drive and use it to secure your data even on a publicly accessible computer. The program does not require administrator privileges to run so any user can use it. Extract the archive that you downloaded, run the EXE and you should see a small pop-up window appear. This minuscule interface has a monitor icon which has a colorful Windows logo inside it. Click on it: the logo should disappear and the monitor icon should appear black. This means ScreenWings is in anti-screen shot mode. Click on the monitor icon in ScreenWings to disable the protection, and you can resume capturing screenshots as normal. That's it, how simple was that? There are no settings or menus that you need to tinker with. Testing the protection To test whether it blocks screenshots, use the Print Screen key, or Snipping tool or any other tool and it should block the screen capture. When you try to paste the clipboard content after using trying to capture the screenshot, you will see just see a blank screenshot which is black (no text or picture appears). That's the proof you need. This works with all applications, system-wide. Now for a bit of good news and bad news. The Good news is that ScreenWings has a Ghost mode, which can be used from the Command line. It makes the program run silently in the background without the pop-up and automatically enables the protection. Bad news? It's not available in the free version, which is meant for non-commercial usage. The program is compatible with Windows 7 and above and runs on basically any hardware. The developer claims that ScreenWings can protect up to six screens, so multi-monitor setups are supported as well. The application is about 3.28MB in size, and uses about 60MB of RAM, which is quite acceptable for the level of protection that it offers. Closing Words ScreenWings is a specialized problem to protect against a special kind of threat. While that means that only some users will find it useful, those who do may use it on any system that runs Windows, even on public computer systems as it does not require elevated rights to run.

@Gt-truth @exile360 Is Your Antivirus Tracking You? You’d Be Surprised At What It Sends "https://www.makeuseof.com/tag/antivirus-tracking-youd-surprised-sends/" This is a 2014 article but would say very valid.. Only Antlab & Emsisoft are exceptions with least tracking, no sensitive info is paseed on by these products. Your antivirus software is watching you. A recent study shows that popular antivirus applications like Avast assign your computer a unique identifier and send a list of all web addresses you visit to the manufacturer. If the antivirus finds a suspicious document, it will send the document to the antivirus company. Yes, your antivirus company might have a list of web pages you’ve visited along with your sensitive personal documents! AV-Comparatives’ Data Transmission Report We’re getting this information from AV-Comparative’s Data transmission in Internet security products report, released on May 8, 2014. AV-Comparatives is an antivirus testing and comparison organization. The study was performed by analyzing antivirus products running in a virtual machine to see what they sent to the antivirus company, reading each antivirus product’s end user license agreement (EULA), and sending a detailed questionnaire to each antivirus company so they could explain what their products do. Your Antivirus Knows All About You "https://www.pcmag.com/article/338379/your-antivirus-knows-all-about-you" Your antivirus knows a heck of a lot about you. It knows what programs you run, because it has to make sure they're legit. It knows the websites you visit, and steers you away from frauds and dangers. In addition, the antivirus company may learn a lot about you as you interact with sales, support, and so on. But that's fine, right? Well, a recent attempt by free antivirus giant AVG to clarify its privacy policy caused quite a fuss. Wired reported on the new policy using the headline "AVG can sell your browsing and search history to advertisers." As it turns out, that inflammatory headline wasn't accurate. A little digging convinced me that AVG's policy isn't much different from that of its competitors—it's just spelled out more clearly. I checked the policy for several other free antivirus tools, and also for Wired's website. Free Isn't Free No security company in the world could survive solely by giving away free antivirus protection. There has to be some income, or the company will dry up and blow away. Yes, some vendors use the free version as a teaser and profit from upgrades, but those aren't the giants. AVG needs to monetize the anonymous data and telemetry received from the more than 200 million users; the same is true of Avast, Avira, and other major publishers of free security products. It would be suicide for a security company to actually misuse private data. I can't see it happening. But if you're at all worried, dig in and read your own antivirus's privacy policy. Just make sure you have a college graduate handy to interpret the complex language.

Wow. gr8 that MBAM stands tall among others.. On Av's tracking, is there anything in T&C's that gives them this liberty? Busted: Kaspersky AV Tracks Your Every Click "https://securityboulevard.com/2019/08/busted-kaspersky-av-tracked-your-every-click/" Kaspersky Lab’s endpoint security products track your web activity. All of it—the Russian company even monitors visits to https-secured websites. The AV software inserts a JavaScript bug in every webpage you load. Incredibly, Kaspersky included a unique identifier that allows any other website to track you, too. The company has patched that latter behavior, but the Russian tracking remains in place. Yevgeny Valentinovich “Eugene” Kaspersky (pictured) is probably right to look red-faced. In today’s SB Blogwatch, we click Uninstall. Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: humorless 74’ driver. KAV is Spyware What’s the craic? Ronald Eikenberg puns it up—“Kasper-Spy: Kaspersky Anti-Virus puts users at risk”:  A data leak allowed third parties to spy on users while they were surfing the web. For years. … An external JavaScript script named main.js was being loaded from a Kaspersky domain. … When I checked the HTML source of other websites … I found the strange code on each and every page. Without exception, even on the website of my bank, a script from Kaspersky was introduced. … The simple conclusion was that Kaspersky’s virus protection was manipulating my traffic. Without my permission, it was injecting that code. [And] the address from which the Kaspersky script was loaded contained a … permanently assigned ID … (UUID). … That’s a remarkably bad idea. Other scripts … can read the Kaspersky ID [so] any website can read the user’s Kaspersky ID and use it for tracking. … Kaspersky has created a dangerous tracking mechanism that makes tracking cookies look old [and] can even overcome the browser’s incognito mode. … At this point, it was clear that this was a serious security issue. Um, no ****, Sherlock. A well-read Shaun Nichols asks, “Quis custodiet ipsos custodes?”:

yes. quiteman no longer recommends Avg & Avast Av's..

Avast Online Security and Avast Secure Browser are spying on you "https://palant.de/2019/10/28/avast-online-security-and-avast-secure-browser-are-spying-on-you/" Are you one of the allegedly 400 million users of Avast antivirus products? Then I have bad news for you: you are likely being spied upon. The culprit is the Avast Online Security extension that these products urge you to install in your browser for maximum protection. But even if you didn’t install Avast Online Security yourself, it doesn’t mean that you aren’t affected. This isn’t obvious but Avast Secure Browser has Avast Online Security installed by default. It is hidden from the extension listing and cannot be uninstalled by regular means, its functionality apparently considered an integral part of the browser. Avast products promote this browser heavily, and it will also be used automatically in “Banking Mode.” Given that Avast bought AVG a few years ago, there is also a mostly identical AVG Secure Browser with the built-in AVG Online Security extension. When Avast Online Security extension is active, it will request information about your visited websites from an Avast server. In the process, it will transmit data that allows reconstructing your entire web browsing history and much of your browsing behavior. The amount of data being sent goes far beyond what’s necessary for the extension to function, especially if you compare to competing solutions such as Google Safe Browsing. Avast Privacy Policy covers this functionality and claims that it is necessary to provide the service. Storing the data is considered unproblematic due to anonymization (I disagree), and Avast doesn’t make any statements explaining just how long it holds on to it.

I would suggest 'Slimjet' for Windows.. https://en.wikipedia.org/wiki/SlimBrowser

Passive-Aggressive Email Phrases: Here's What They Really Mea "https://www.inc.com/minda-zetlin/18-passive-aggressive-email-phrases-heres-what-they-really-mean.html" 1. "Thanks in advance." Translation: I'm already thanking you for doing me this favor, even though you haven't yet agreed to it. Therefore, you must do it. 2. " ... I'd be most grateful." As in, "If you could respond to this inquiry any time within the next 24 hours, I'd be so grateful." Another form of thanking someone in advance, with the same expected result. 3. "Can I send you some information?" This is a classic sales technique that, as someone who gets lots of pitches, can drive me straight up the wall. If you're going to mail me a book, it makes sense to ask my permission first. For anything else, the investment on your end is exactly the same whether you send me an email asking to send information or just go ahead and email the information. The only purpose of asking first is to create some sort of commitment that I'll pay attention to that information. And to waste everyone's time with two emails instead of one.

Water-based Air Conditioner cools without harmful Chemicals "https://www.rtoz.org/2018/01/20/water-based-air-conditioner-cools-without-harmful-chemicals/" A team of researchers from the National University of Singapore (NUS) has pioneered a new water-based air-conditioning system that cools air to as low as 18 degrees Celsius without the use of energy-intensive compressors and environmentally harmful chemical refrigerants. This game-changing technology could potentially replace the century-old air-cooling principle that is still being used in our modern-day air-conditioners. https://youtu.be/PkqWVIa0ANQ A team of researchers from the National University of Singapore (NUS) has pioneered a new water-based air-conditioning system that cools air to as low as 18 degrees Celsius without the use of energy-intensive compressors and environmentally harmful chemical refrigerants. This game-changing technology could potentially replace the century-old air-cooling principle that is still being used in our modern-day air-conditioners. Suitable for both indoor and outdoor use, the novel system is portable and it can also be customised for all types of weather conditions. The research team’s novel air-conditioning system is cost-effective to produce, and it is also more eco-friendly and sustainable. The system consumes about 40 per cent less electricity than current compressor-based air-conditioners used in homes and commercial buildings. This translates into more than 40 per cent reduction in carbon emissions. In addition, it adopts a water-based cooling technology instead of using chemical refrigerants such as chlorofluorocarbon and hydrochlorofluorocarbon for cooling, thus making it safer and more environmentally-friendly. To add another feather to its eco-friendliness cap, the novel system generates potable drinking water while it cools ambient air. Protection for pacemakers ETH scientists have developed a special protective membrane made of cellulose that significantly reduces the build-up of fibrotic tissue around cardiac pacemaker implants, as reported in the current issue of the journal Biomaterials. Their development could greatly simplify surgical procedures for patients with cardiac pacemakers. "Every pacemaker has to be replaced at some point. When this time comes, typically after about five years when the device's battery expires, the patient has to undergo surgery," explains Aldo Ferrari, Senior Scientist in ETH Professor Dimos Poulikakos's group and at Empa. "If too much fibrotic tissue has formed around the pacemaker, it complicates the procedure," he explains. In such cases, the surgeon has to cut into and remove this excess tissue. Not only does that prolong the operation, it also increases the risk of complications such as infection. Microstructure reduces fibrotic tissue formation Edit - added articles

After four years, Rust-based Redox OS is nearly self-hosting "https://www.theregister.co.uk/2019/11/29/after_four_years_rusty_os_nearly_selfhosting/" A better operating system thanks to Rust's combination of safety and performance? The Redox OS, written in Rust and currently under development, is only "a few months of work away" from self-hosting, meaning that the Rustc compiler would run on Redox itself, according to its creator Jeremy Soller. Soller, who is also a principal engineer at the Linux hardware company System76, based in Denver, USA, says that he is now running Redox OS permanently on one of his company's laptops, with "full support for the keyboard, touchpad, storage and Ethernet". Redox will be a desktop operating system first, but both embedded and server uses are envisaged eventually. Redox has a POSIX-compliant C library written in Rust, called relibc. It is Linux-compatible both at the syscall API level and at the syscall ABI (Application binary interface) level, subject to the same architecture. You can also run Redox applications on Linux. There is a shell called ion. There is a desktop environment called Orbital, and applications already include a calculator, file browser, image viewer, terminal emulator, 3D renderer, and a vi-like editor called Sodium. It is best described as experimental and not in line to replace any existing OS for the time being. Still, if Rust continues to grow in popularity, its characteristics of safety and unimpeded performance seem ideal for creating a new operating system, so perhaps Redox will become more prominent. ®

Microsoft: We're creating a new Rust-based programming language for secure coding "https://www.zdnet.com/article/microsoft-were-creating-a-new-rust-based-programming-language-for-secure-coding/" Microsoft's Project Verona involves creating a new language for "safe infrastructure programming" to be open-sourced soon. Microsoft can't throw away old Windows code, but the company's research under Project Verona is aiming to make Windows 10 more secure with its recent work on integrating Mozilla-developed Rust for low-level Windows components. The company recently revealed that its trials with Rust over C and C++ to remove insecure code from Windows had hit its targets. But why did Microsoft do this? The company has partially explained its security-related motives for experimenting with Rust, but hasn't gone into much detail about the reasons for its move.

There is always a catch, when anything is offered 'free'.. One cannot have the cake and eat t too.. if one wants to stick with Windows, have to live with any data harvesting to go with it.. So, this will be great news for Windows users on older versions..

You can only go by what the VPN provider says so, but there are instances of VPN's breach of trust. On this check - Does a VPN Really Protect My Privacy? "https://www.pcwrt.com/2018/08/does-a-vpn-really-protect-my-privacy/" In conclusion, while a VPN may help you to hide your activities from the ISP, bypass any IP address based restrictions, and possibly enhance security when you are connected to public WiFi, in general it does not necessarily provide a more secure connection. Nor does it make you completely anonymous. Can VPNs Really Be Trusted? "https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/can-vpns-really-be-trusted/"

Why the free upgrade to Windows 10 still works … "https://borncity.com/win/2019/11/30/why-the-free-upgrade-to-windows-10-still-works/" [German]Some users are aware that the free upgrade from Windows 7 SP1 and Windows 8.1 for private users (in the home and professional versions) to Windows 10 still works. Now there is an unofficial explanation. The facts If you are still working on an older Windows 7 SP1 or Windows 8.1, you can download a new Windows 10 installation file via Media Creation Tool and then upgrade from the current Windows 7/8.1. Afterwards you simply reinstall Windows 10 and use the product key of Windows 7 or Windows 8.1. Windows 10 should be able to be activated with it. This is even described in the Microsoft Answers forum. This tip has been passed around in various forums and websites since the end of the free upgrade offer in July 2016 (see my German blog post Windows 10: Gratis-Upgrade läuft am 31.12.2017 aus). Many observers speculated about what this was all about and when it would end. Microsoft had already let the free upgrade for people with disabilities continue (see Doch noch gratis Windows 10-Upgrade nach dem 29.7.2016?). But still free Windows 10 upgrade after 29.7.2016?). In addition, corporate customers with volume license programs are out of this question anyway – they are allowed to upgrade and downgrade anyway, with corresponding contracts. Unofficial truth released by a Microsoft Employee It probably starts with ‘The cat is out of the bag’, and then a user who claims to be working at Microsoft on Reddit describes why the free upgrade still works. I work at Microsoft and have been since before the Windows 10 launch. That whole “free” upgrade for a year was fully marketing fluff. After the cut off happened, the direction given was that it requires a paid license HOWEVER, this was brought up by the brick and mortar stores that they were doing simple clock changes on customer devices during the upgrade challenge to get around it and then ultimately it was clear two years later that anything Windows 7 and up would go to 10 fully activated and still to this day. In short: After the expiry of the official free upgrade offer, the motto was officially issued that you now need a chargeable product key. But the whole thing was a marketing trick, which came up due to the pressure of the trade. They feared for sales of Windows 10 packages and devices and urged that the ‘free upgrade’ expire after one year. Internally, the then head of the Windows Developer Group (WDG), Terry Meyerson, had other ideas. He was particularly concerned about the 1 billion Windows 10 installations he had announced for 2018. The Microsoft employee writes on reddit: WDG didn’t care pretty much at all because Terry Meyerson at the time cared more about his upgrade stats than license revenue as Windows isn’t Microsoft’s cash cow anymore. It’s the same stance back in the day where Microsoft would allow Windows Updates on pirated copies of Windows 7 as the bigger picture was to thwart security threats based from those copies. You still can do this no problem, however careful, do an upgrade keeping everything as if you choose to yeet everything and start fresh, you lose your free upgrade. That old 7 license converts to a 10 digital license and from there you can clean install no problem. As for audits, this mainly is for volume licensing than anything. An SMB with 10-200 Windows 7 machines that were OEM licensed don’t really matter. If you try this with 1,000 computers, iffy. At the end of the day, Microsoft had four years to close that loophole and never did so if worse came to worse, you could technically go through legal avenues as the EULA for 10 literally doesn’t have a clause for this at all. You can’t ***** on someone taking advantage of an activation workaround when you as the manufacturer never closed it. In the last paragraph, he also discusses the topic of business customers and auditing – which have OEM licenses. Ok, this is not an official position of Microsoft and they would rather seed doubts, that you will never get a valid license for Windows. But it’s the best explanation for the free upgrade even after 4 years – Microsoft didn’t do anything to close this hole. There is a 2nd explanation, why Microsoft ended the official ‘free upgrade period’: Microsoft does not permanently give away a paid product because the lost turnover and lost profit must be communicated to the investors. The operational loss due to the free upgrade between 7.2015 and 7.2016 was 2 billion US dollars, Microsoft lost 1.4 billion profit. (via)