Microsoft Adds Risky System-Wide Undelete to Vista

douder writes "Windows Vista will have a new 'previous versions' feature when it ships next year. According to Ars Technica, the feature is built off of the volume shadow copy technology from Windows XP and Windows Server 2003. Now turned on by default, the service stores the modified versions of a user's documents, even after they are deleted. They also report that you can browse folders from within Explorer to see snapshots of what they contained over time. It can be disabled, but this seems like a privacy concern." From the article: "Some users will find the feature objectionable because it could give the bossman a new way to check up on employees, or perhaps it could be exploited in some nefarious way by some nefarious person. Previous versions of Windows were still susceptible to undelete utilities, of course, but this new functionality makes browsing quite, quite simple. On the other hand, it should be noted that 'Previous Versions' does not store its data in the files themselves. That is, unlike Microsoft Office's 'track changes,' files protected with 'Previous Versions' will not carry their documentary history with them."

It can be disabled, right?

[ShaunC]

FTA:

With Windows Vista, the operating system will make "shadow" (that is, backup) copies of files and folders for users who have "System Protection" enabled (the default setting).

Sounds to me like those of us who turn "System Protection" off, which would be one of my first few post-install steps, don't have to worry about the new features. Much ado about nothing, it appears...

i dont get it...

[Anonymous Coward]

"could give the bossman a new way to check up on employees"

Um, your work computer is the property of your employer. If you want to do something that would get you in trouble with your boss - put it on your own computer. Plus all this does is back up files that you have made, how is this a privacy concern? Even if this was happening and you never knew it and uploading all your files to a central server, it's still an option of your employer, and not an invasion of privacy, it's crappy, but the option of your boss and his/her company. Just like the fact that they can read your business email. No different, and to me even less intrusive than that since you can't control incoming mail.

This is only a good thing

[HotNeedleOfInquiry]

Amazing that a Good Thing gets turned into a big-brother or privacy issue just because it's Microsoft. Shadow copy has saved my ass twice in the past year and the more it's available, the better. If employees are worried about the boss checking up on them, then maybe they should just do their job.

Keep in mind that the goal and justification of a desktop is productivity, not some vaguely defined "monitoring" issue.

Just more overhead

[gasmonso]

As with System Restore, Windows Firewall, Remote Assistance, etc... just disable, delete and install better applications to provide the same functionality. MS should just focus on security, stability, and releasing the damn thing.

http://religiousfreaks.com/ [religiousfreaks.com]

Looks cool

[Sloppy]

I don't get the privacy concern. If someone gains physical access to your machine, then the contents are vulnerable unless you take active steps to prevent it. People have known forever that stuff may not be lost forever just because it's deleted. This feature doesn't change that.

The issue is that this makes it "easier" but I can't help but see that as a neat feature.

The really silly part is this:

Some users will find the feature objectionable because .. perhaps it could be exploited in some nefarious way by some nefarious person.

If that's what keeps you up at night, then you better give up on all technology, not just this.

Re:This is only a good thing

[iMaple]

I agree.

It wont really affect performace since it uses 15% of the available space for the system restore including the shadow copies. That isnt too heavy (in terms of harddsik space). It shouldnt really take noticeably more time as the system doesnt really copy over the old file to a physically different location.

Anyway if I ever use Vista I'm going to turn this off (I dont like undelete like utilities). But I think this would still be very useful feature for say, my grandma.

Translation:

[Ayanami Rei]

Vista comes with the Previous Version Explorer extension installed by default, and System Restore now watches the whole disk.

Ok. So what? This feature has been around for awhile, and if you have privacy issues, well just disable system restore (or whatever the equivalent option will be in Vista).

Never mind that as you make new versions of a file, the old ones are still hanging around in your drives' free space for a long time (about the same amount of time the previous-versions feature would keep them). So basically you're making the distinction between being able to access the deleted files explictly, vs. having to use a drive recovery tool.

If you're security concious, you disable the old restore points, fill the drive with a big file full of random data, then delete it. This isn't going to change...

Such a great idea

[xeos]

Yes, other people have thought of it before, but kudos to Microsoft for implementing it. Disks are cheap, whereas the documents I create are not. Anything which helps protect those documents from mistakes is going to be a good thing.

guess what

[Cinquero]

I have a little and simple rsync-backup script that does basically the same: runs every day, uses locate to search for .rsync-backup files and then stores the directories containing these files. Simple. Elegant. Transparent. Efficient. No need to mess around with system-internals.

Re:It can be disabled, right?

[Bios_Hakr]

Every time MS releases a new ServicePack or OS, I find that I'll have to disable more and more shit to make it work like Win2k.

How about MS disables the service by default. If a user right-clicks on a trackable file (I'm assuming that this won't track changes on updated game executables, my PHP/CSS templates, OpenOffice documents, etc), then have an option to start tracking. If the user selects that, then enable the appropriate services.

Same with the Firewall and FastUserSwitching. When you connect to the internet, have a well-worded dialog box that asks me to enable the firewall service. When I select Switch User from the logoff options, popup a dialog asking if I want to enable that too.

Turn off more shit by default. Don't just enable everything. Seriously, who the fuck needs Remote Registry, Portable Media Serial Number, TCP/IP NetBios, and all that other useless shit? Sure, you might need one or two things, but do you need 55 services starting on a default install?

Build in the functionality. Disable it by default. When the user triggers an event that needs the service, ask him if he really wants to do that. From that point on, leave that service enabled.

Same thing with NTFS

[Sycraft-fu]

It doesn't actually delete your data, just flag the space as free. The problem is that undeletion in that matter is unrelaible at best. A fiel is at any time subject to partial or complete overwrite, even if there's ample free space on the drive. When it's flagged as free the OS sees it as free period. There's no prioritisng the free space to not overwrite newley delete files (DOS was the same way).

This gives you more reliability. The files are stored and aren't messed with until the space is needed. So if you delete something and still have 500GB free, it'll keep the file since you can afford the space and it'll be marked as allocated and thus not overwritten. Also, it looks like it does version tracking too. If you overrote a file on a FAT or NTFS volume, it writes it to the same space it occupies before, makes sense to do it that way. However that means if you mess up and make a change you didn't want to, there's no undo. You replaced the bytes, it's too late. This will go and keep a copy prior to the change you can roll back to.

Basically it's similar to how NetApp units work. It provides storage that's reliable even against user faults. Things like RAID are great, but they protect only against hardware falure. You can still fuck your data up. There's a market, and MS seems to think the home desktop includes it, for systems that are resiliant against that. You decided to delete 5 paragraphs of that paper and save it, and then deleted it form the disk but now want it? Ok no problem, not only do we have the deleted version, we have the pre modificaiton version.

We use a NetApp FAS 270 at work for home directories for this reason. We aren't really concerned about disk reliability, though it's excellent for that too, and we go to tape nightly. We want to be able to save people from themselves. When they screw something up, we want to be able to get a non-screwed up copy.

MS wants to bring that to home computers. Will it be worth the performance impact? Guess that's too be seen. However it's certianly a good idea in general. What most users really need and want, even if they don't know it, is protection from their own mistakes.

Re:This is only a good thing

[Vancorps]

talk about a terrible way to do business. Those "working" papers could save your neck as well as hang it depending on the lawsuit in question. Course the company I work for will always make an attempt to make it right before proceeding with any kind of litigation. In situations like these should a suit come to discovery we'll need every piece of information we can get our hands on. With todays patent minefield I don't think this is a bad stance to take at all.

Re:This is only a good thing

[ewl1217]

You seem to be missing an important point here: most users probably wont be aware of this. It really is a great feature, I agree, but it really should be made known to the user during the install. When I delete a file, I want it to be gone, with no undelete possibility. With this undelete feature, what's to stop someone from gaining remote control over your computer via a security flaw, or just hopping on it while you take a break (not logging off), and undeleting your confidential files?

This really should be off by default (doubtful), prompted for at installation, or at the very least a simple notice during the install telling you what it is and how to remove it.

As for privacy at work, your employer should have every right to make sure that you're actually working, and not goofing off. Why on earth would you expect to be able to do non-work-related stuff at work? After all, you're getting paid to do work, so your employer should be able to check up on you, even if it means viewing your deleted and edited files.

Re:Translation:

[grcumb]

"Ok. So what? This feature has been around for awhile, and if you have privacy issues, well just disable system restore (or whatever the equivalent option will be in Vista)."

I think that's a fair enough response. But nonetheless, I think it's also fair to question the design philosophy which MS is following here, and to challenge it on its merits. Personally, I think enabling extra features on the principle that they might be useful to a subset of users is a questionable practice. I'm especially leery of enabling features that make it possible for ignorant (i.e. not savvy) or careless users to do really bad things. And I'm most leery of features that actually encourage carelessness.

A lot of computerised data is important and needs to be treated carefully. This includes planning when and how to manage change. The prospect of a PHB telling staff to simply use a built-in and poorly understood versioning feature fills me with concern. For corporate data at least, I think an explicit, formalised process for change management should be required. I've consulted with very large corporations and advised such action in the past, to varying effect.

I'll be the first to agree that the sane thing to do is not to demand the feature be pulled (which, in fairness has not yet been suggested in this discussion) but to get a fuller understanding of its positive and negative attributes. I hesitate to come to a quick conclusion, but on the face of it, this feature seem to create more problems than it solves in a corporate environment:

• It works across the entire file system, which creates questions about its efficiency;
• Its 'all or nothing' implementation does create significant liability in places like law offices, as other have already noted;
• It encourages laxness in data management; yet
• It doesn't seem to be rich enough to support proper change management processes.

So without throwing the baby out with the bathwater, I think it's fair and reasonable to suggest that this feature should be disabled by default, with an easy interface to enable it for those who decide they want it. I wouldn't equate this design decision with fiascos like ActiveX in IE (which IMO borders on criminal negligence), but I would suggest that its source is the same lack of focus coupled with the desire to make things easy without considering the costs of having done so.

Ahh.

[Ayanami Rei]

I see your point.
However I will submit the following counterpoints:

        * It works across the entire file system, which creates questions about its efficiency:
A disk-wide snapshotting system will be less resource intensive that a system that has to make multiple, discrete metadata updates per write transaction. Since system restore is enabled by default on XP and I haven't heard much complaint about it performance-wise, I think this is a non-issue. (An exception might be systems that have very slow disks and limited RAM, like a palmtop).
        * Its 'all or nothing' implementation does create significant liability in places like law offices, as other have already noted;

Enabling this system doesn't make you or your data more or less at risk. The reality is that old copies of files will stick around on disk for about as long as the Restore feature will keep old versioned copies. The difference between enabling and disabling the feature is whether you want to be able to _definitively_ access an old file or attempt a recovery with a tool booted from CD-ROM, which has to operate with less definitive metadata, and may only be able to give you a corrupted or incomplete copy.
Keep in mind that if you are concerned about hackers accessing your deleted files and you don't feel the need to use this service for recovery, the hacker will probably be able to resurrect enough of the files anyway for it to be moot.
That is, if you get penetrated by a hacker, the issue is moot. You are already in trouble. The real issue is whether you would like a safety net for legitimate recovery. Since the additional resources consumed are neglible, I would posit it would be foolish not to take advantage of it.

Furthermore, when deleting files, if you don't want anyone to get at them ever, then whether you use this system or not is irrelevant. Once you delete a file, you need to use a secure undelete facility to make sure all non-allocated space on your system is overwritten. Even with this undelete feature operational, such a tool will invalidate and overwrite ALL the restore points as well as free space. (That is because the facility gives up restore points when disk space gets tight, and the tool operates by attempting to fill up the entire disk with random data, thus it will demand-release all undeleted files, which will then be overwritten).
I would recommend you DISABLE the versioning feature before wiping a machine, to ensure all undeleted files are irrecoverable.

        * It encourages laxness in data management; yet
        * It doesn't seem to be rich enough to support proper change management processes.

That's not what this tool is for. You still need to have change management processes in place. The tool is for recovering files you didn't know were important! (Otherwise, why would a user delete it? If it were important he or she would have checked it into the Subversion repository, right? :-D ) It's to cover corner cases and disastrous events outside the data management model. It's less invasive than a recovery from backup too.

But it would be foolish to rely on this facility alone. Just as it is foolish to rely on RAID alone for data security on the server side.

Re:This is only a good thing

[fermion]

VMS lived in a different world. A world in which an elite controlled the computer in every respect, a world in which one often had to beg for an old tape to be put in so that one could access data. A world in which every bit data was not scrutinized by a forensic team with almost unlimited resources. A world in which data was not transmitted willy nilly to unknown parties. A world in which mysterious metadata hardly existed.

All the flavors of DOS in the 80's were way cool because it allowed us to control our own computer. In the 90's all went to hell as we became connected and the computer started doing more and more things no one really understood. A huge concern MS has not addressed is how to protect confidential information, and more importantly help companies not expose disruptive metadata. For instance, I do not believe they have a setting in outlook to scrub MS Office files as are mailed to external addresses. Nor have the implemented the DRM that would allow firms to track users violate border policy. MS adds features that makes systems less secure, without thought of how to compensate for the breech.

This is clearly an awesome feature. So was the command line shortcuts. But features do not exist in a vacuum. There is only so much that can be done to help careless users. If MS is to provide business class systems, and not just toys that can be used as business systems, they have to get serious about making systems that businesses need. I think that if MS would develop a core competency in business, and leave the consumer side to others, MS would be in much better shape. Imagine how wonderful Vista would be if it did not have to worry about they toys that home user need.

This story is unbelievable

[Anonymous Coward]

Microsoft will include a feature in Vista that has already available in XP since 2003. On your own PC, you can turn it on or off. Your system administrator at work can turn it on or off. Your system administrator at work may also have any number of other activity-logging programs running on your computer.

*scrolls up to check who story was posted by, even though I already know* yup, Zonk.

Zonk, get a job.

Both sides have a point

[bblboy54]

Being a sysadmin, I deal with end-users. About 6 months ago I got an email that said "Bob, I forgot to save an unedited copy of this form and overwrote the file with my data. Is there a way to retrieve the old file?" ... It happens and this previous version feature could be a great tool for us sysadmins if it's deployed correctly. OTOH, I can definately understand the privacy issues -- especially if the user doesnt realize this is going on. A home user types their credit card data into a word document to save it temporarily and then deletes it when they are done with it and they think its gone, but its not. What I dont understand is why Windows doesnt ask some of these questions on install (or on windows setup when you buy a name-brand computer and plug it in for the first time). It would seem that asking whether the user wants windows to do this for them would be a great compromise.

More MS Headlines Gone Bad

[DavidD_CA]

For the benefit of future article submissions, I've predicted a few headlines from the coming future and offer the required Slashdot twist:

Windows 2010 Ships with IPv6 as Default
    - becomes -
Windows 2010 Foresakes Legacy IPs

Microsoft Office 2009 Ships with Photoshop Competitor
    - becomes -
Microsoft Cheats Adobe Out of Millions, Again

Microsoft Ergonomic Mouse Helps Corrects Carpal Syndrome
    - becomes -
Microsoft Mouse Locks Out Porn

Asheron's Call VII Goes Alpha
    - becomes -
700 Bugs Detected in Asheron's Call VII

Please add your own.

Re:This is only a good thing

[ivan256]

Nah. He'd get modded down as off topic, because the story would be about how Apple didn't give somebody a refund when he couldn't undelete the files that were 'deleted' from his hard drive when he threw his laptop down a flight of stairs, and about how he was filing a class action lawsuit against Apple for having a buggy product. The only comments that *wouldn't* be modded as off topic in that thread would be the ones saying how dumb single button mice are, and the ones saying how much cheaper a Dell would have been.

Because they have to care about mroe than you

[Sycraft-fu]

MS's job isn't to make you, the geek happy. MS's job is to make as many people as they can as happy as possible. So let's say they develop a new awesome feature that they think nromal users will really like. However, they know normal users aren't smart enough to turn it on by themselves (this is easy to prove). They have two choices:

1) Disable it by default. This makes a few geeks who know about it and want it happy, more geeks who know aobut it but don'want it indifferent, and doesn't help normal users at all. It's almost worth just leaving out.

2) Enable it by default. This makes some geeks who don't want it a bit annoyed, but makes everyone else happy.

Gee, hard choice. Look, if you want an OS that does nothing by default, get a different OS. Run OpenBSD or something. You won't spend any less time configuring it than you will configuring Windows, you'll just spend that time turning things on rather than off.

Really I fail to see the problem. If you only do it occasionally, it's just a few more minutes of system configuration. I do a hell of a lot of customization to personal systems, it doens't bother me the time I spend turning the things I don't want off. If you do it a lot, develop a system to automate it. There's plenty of ways including customized Windows installs. Don't whine because you haven't done the research to automate tasks for you.

Because MS is an everyman based OS, they need to have the useful stuff turned on by default because normal users won't do it. It's like automatic updates. I don't like them to install on my personal system automatically because I many have something going. So I set it to wait till I give the ok. However it needs to be on by default for normal users. Why? Well otherwise they won't update it. Just today I had to update an XP system that was pre SP2 still. Why? No auto updates. Users didn't know they needed anything, just thought it should take care of itself.

Same shit here. If you don't need file version tracking because you make your own backups, you are smart enough to know how ot turn it off. If you don't know how to turn it off, it's probably a feature you should leave on.

Mostly just the story poster

[SuperKendall]

This was an awesome feature in VMS,
and a privacy concern in Vista.

Those of us who have used versioning in filesystems or elsewhere think this is a pretty nice feature, even if we prefer other OS'es. So I would say not nearly so many people are against Microsoft on this one (or at least agree with the summary).

Now if you really wanted to see a storm of negativity from Slashdot imagine what would happy if Sony announced this feature on the PS3!

Re:i dont get it...

[mwilliamson]

Regardless of the fact it is a work-owned machine, it will indeed give micro-managers more crap to hang their otherwise good employees with. I've seen some micro-managing types over the years set up cameras, install remote desktop monitoring software and even record employee's phone calls. If you treat your employees like s*** insist on finding stuff to hang your employees with, you're going to find it. Reward a job well done give your employees enough trust and autonomy to do their jobs. If feel you can't give your employees this trust and autonomy, learn to hire better. Micromanaging your employees will _NOT_ improve quality, production, nor morale, but it will almost certainly make them resent you for it.

"I think not"

[Chris whatever]

"Some users will find the feature objectionable because it could give the bossman a new way to check up on employees, or perhaps it could be exploited in some nefarious way by some nefarious person"

Hum! i think a company that OWNS the computer and PAYS their employee to WORK has a god damn right to make sure people aren't wasting their time having their entire photo album on their computer or music or other personal material whatsoever and that goes for network shares too.

If a company can filter e-mails of their employees i think they can also filter the content of what they are copying unto their machines.

Keep your stuff at home if you dont want prying eyes invading your computer at work.

This is retarded.

[Wakko Warner]

"System-wide undelete", also known as filesystem snapshotting, has been available for years in various incarnations, both native to Linux (and other operating systems) and as part of NAS storage devices.

Why the hell is it suddenly bad when Microsoft does it? (Hint: it isn't.) What the hell are you doing on your PC at work that could get you fired if your boss found out?

FUD indeed.