Even when told not to, Windows 10 just can’t stop talking to Microsoft

· jenxi

Ars Technica reported on Windows 10 talking to Microsoft even when told not to.

For example, even with Cortana and searching the Web from the Start menu disabled, opening Start and typing will send a request to www.bing.com to request a file called threshold.appcache which appears to contain some Cortana information, even though Cortana is disabled. The request for this file appears to contain a random machine ID that persists across reboots.

[…]

Some of the traffic looks harmless but feels like it shouldn’t be happening. For example, even with no Live tiles pinned to Start (and hence no obvious need to poll for new tile data), Windows 10 seems to download new tile info from MSN’s network from time to time, using unencrypted HTTP to do so. While again the requests contain no identifying information, it’s not clear why they’re occurring at all, given that they have no corresponding tile.

Other traffic looks a little more troublesome. Windows 10 will periodically send data to a Microsoft server named ssw.live.com. This server seems to be used for OneDrive and some other Microsoft services. Windows 10 seems to transmit information to the server even when OneDrive is disabled and logins are using a local account that isn’t connected to a Microsoft Account. The exact nature of the information being sent isn’t clear—it appears to be referencing telemetry settings—and again, it’s not clear why any data is being sent at all. We disabled telemetry on our test machine using group policies.

When disabling services doesn’t really disable them.

Hackers can remotely steal fingerprints from Android phones

· jenxi

ZDNet reported on how hackers can remotely steal fingerprints from Android phones.

The attack, which was confirmed on the HTC One Max and Samsung’s Galaxy S5, allows a hacker to stealthily acquire a fingerprint image from an affected device because device makers don’t fully lock down the sensor.

Making matters worse, the sensor on some devices is only guarded by the “system” privilege instead of root, making it easier to target. (In other words: rooting or jailbreaking your phone can leave you at a greater risk.) Once the attack is in place, the fingerprint sensor can continue to quietly collect fingerprint data on anyone who uses the sensor.

“In this attack, victims’ fingerprint data directly fall into attacker’s hand. For the rest of the victim’s life, the attacker can keep using the fingerprint data to do other malicious things,” Zhang said. And that’s a big problem. Fingerprints might be commonplace in mobile payments and unlocking devices, but they have been used more in the past five years also for identity, immigration, and for criminal records.

Fault lies firmly with the device makers. Food for thought for people who like to root their Android devices.

Bubble Cloud Widget + Wear brings a stylish launcher to Android Wear

· jenxi

Android Central reported on Bubble Cloud Widget + Wear.

Convenience is the name of the game when it comes to Smartwatches, but at times getting to the app you need quickly can be a hassle in Android Wear. Bubble Cloud Widgets + Wear is a launcher that brings you gorgeous icons for all of your apps within swiping range. You’ve also got tons of options, and choices to personalize how everything looks and behaves.

If you haven’t seen it yet, check it out below.

I see it every time I raise my wrist.

Apple Pay competitor CurrentC may not launch until next year

· jenxi

Re/code reported on Apple Pay competitor CurrentC possibly not launching until next year.

CurrentC, the payments app being created by a consortium of big retailers known as MCX, may not launch widely this year as originally planned, MCX CEO Brian Mooney told Re/code in an interview on Tuesday. The company will begin a public pilot of its app in Columbus, Ohio, in a few weeks and will not rush a wider rollout if the product is not ready, he said.

[…]

MCX attracted a bunch of attention last year when two of its member merchants, CVS and Rite Aid, shut down support for Apple Pay after briefly accepting it as a payment option. On Tuesday, though, Rite Aid said it would start accepting Apple Pay later this month, and other MCX merchants such as Best Buy have announced plans to accept Apple Pay later this year. MCX members had signed exclusivity agreements which prevented them from accepting competitive wallets, but those expire this month — so it’s quite possible we will hear about other MCX retailers choosing to accept mobile wallets other than CurrentC.

One more reason not to use CurrentC.

HTC trading below cash leaves smartphone brand with no value

· jenxi

Bloomberg reported on HTC trading below cash, leaving the smartphone brand with no value.

A 60 percent plunge in HTC Corp.’s stock this year pushed its market value to below its cash on hand. That means investors were effectively saying the smartphone maker’s brand, factories and buildings were worthless.

HTC’s market price fell Monday to NT$47 billion ($1.5 billion), below the NT$47.2 billion cash it had at the end of June. A drop of as much as 9.8 percent in its stock before a late rally signaled investors put no value on the rest of the company.

“HTC’s cash is the only asset of value to shareholders,” said Calvin Huang, who has a NT$46.50 price target on the stock at Sinopac Financial Holdings Co. in Taipei. “Most of the other assets shouldn’t be considered in their valuation because there’s more write-offs to come and the brand has no value.”

Another victim in the race to the bottom.

The security flaw Google built into Android

· jenxi

MIT Technology Review reported on the security flaw Google built into Android.

When security problems are discovered in Microsoft’s Windows operating system, or Apple’s mobile or desktop equivalents, those companies can push out an update to affected computers. You get a message telling you to install the update, direct from the company who made the software. In the case of Microsoft’s Windows 10, being released Wednesday, such updates are automatic and mandatory for home users. (This model doesn’t always work perfectly—Apple, for example, has been accused of being too slow to roll out important security patches.)

Google can’t push you an update for Android. It hands out the operating system to device manufacturers for free. They get to tinker with it to add features or apps of their own and are the only ones—along with cellular carriers in some cases—that can push updates to the devices they sell. Google does bind companies that use Android with some restrictions (for example to do with using its app store) but doesn’t require them to push out security updates quickly.

What’s a possible solution?

Google’s desktop operating system, Chrome OS, has a much smarter design when it comes to security updates. They download in the background and install themselves. Many security engineers at Google surely wish they could do the same with Android. But the way Google has established Android’s business model makes that unlikely. Device makers and carriers appear to prioritize their own businesses and independence from Google above keeping their customers’ devices secure. Expect more news of worrying Android security holes that won’t be fixed.

Either you live with it, keep up with the newest Android phones that come with the latest OS software, or walk away.