Examining Microsoft Update 805
eggsovereasy writes "The Inquirer is reporting that a group in Germany has deciphered the information sent to Microsoft during an update using Windows Update and says that information on all software installed on your computer is sent, even that which is not Microsoft's own software." The original article is, unfortunately, pay-per-view. Update: 02/26 18:19 GMT by T : ionyka points to this "related article from ITWorld that deals with Microsoft's transferring of information through Windows Media Player. When you open up Media Player it sends information back to Microsoft like what movies you play, what songs you listen to and where they come from."
Pay per view? (Score:-1, Informative)
Check out the rest (Score:5, Informative)
http://home.byu.net/~btc25/WindowsUpdate.pdf [byu.net]
One of the more interesting parts deals with how Microsoft can tell the difference between product keys they generated and those done with a keygen.
Re:Pay per view? (Score:5, Informative)
Re:Pay per view? (Score:2, Informative)
Yes, it is pay-per-view beyond a certain point, but the meat of the story is in the stuff sent back to Microsoft, which they've updated to be free at this link here: http://www.tecchannel.de/betriebssysteme/1126/14.html [tecchannel.de]. It seems to be information on hardware in the machine. I'd like to see Microsoft's response to this.
Re:EULA says they can take what they want (Score:4, Informative)
Direct from About Windows Update
Windows Update Privacy Statement (Last Updated 10/15/2002)
Windows Update is committed to protecting your privacy. To provide you with the appropriate list of updates, Windows Update must collect a certain amount of configuration information from your computer. None of this configuration information can be used to identify you. This information includes:
* Operating-system version number
* Internet Explorer version number
* Version numbers of other software for which Windows Update provides updates
* Plug and Play ID numbers of hardware devices
* Region and Language setting
The configuration information collected is used only to determine the appropriate updates and to generate aggregate statistics. Windows Update does not collect your name, address, e-mail address, or any other form of personally identifiable information.
Windows Update also collects the Product ID and Product Key to confirm that you are running a validly licensed copy of Windows. A validly licensed copy of Windows ensures that you will receive on-going updates from Windows Update. The Product ID and Product Key are not retained beyond the end of the Windows Update session.
To provide you with the best possible service, Windows Update also tracks and records how many unique machines visit its site and whether the download and installation of specific updates succeeded or failed. In order to do this, the Windows operating system generates a Globally Unique Identifier (GUID) that is stored on your computer to uniquely identify it. The GUID does not contain any personally identifiable information and cannot be used to identify you. Windows Update records the GUID of the computer that attempted the download, the ID of the item that you attempted to download and install, and the configuration information listed above.
Hardly "We can scan your computer for any information we want, and there's not a damned thing you can do about it!" as you've implied.
big deal - they've confirmed the M$ privacy stmt. (Score:4, Informative)
Windows Update Privacy Statement (Last Updated 10/15/2002)
Windows Update is committed to protecting your privacy. To provide you with the appropriate list of updates, Windows Update must collect a certain amount of configuration information from your computer. None of this configuration information can be used to identify you. This information includes:
Operating-system version number
Internet Explorer version number
Version numbers of other software for which Windows Update provides updates
Plug and Play ID numbers of hardware devices
Region and Language setting
The configuration information collected is used only to determine the appropriate updates and to generate aggregate statistics. Windows Update does not collect your name, address, e-mail address, or any other form of personally identifiable information.
YES IT DOES! Full example of sent data here: (Score:5, Informative)
Re:Check out the rest (Score:5, Informative)
http://home.byu.net/~btc25/windowsupdate.pdf [byu.net]
Aren't caps great? Heh.
XML Schemas available here (Score:5, Informative)
Client Info Schema [windowsupdate.com] and System Info Schema [windowsupdate.com].
They appear to get a copy of your registry, as well as information like processor architecture, manufacturer, printer(s?) etc
Re:EULA says they can take what they want (Score:5, Informative)
Read the parent comment.
This isn't Windows Update he's talking about, it's the EULA for recent versions (XP, IIRC) of Windows.
Yes (Score:1, Informative)
- a list of hardware devices
- it can detect what software you're running by listing it as a "product category" - i.e. the server sends down a list of available products and the client says "give me the updates for Windows XP, Windows XP Home, IE6". Potentially this could be used to see what you've got installed by setting up a "product category" for any product they want (i.e. "Mozilla").
Of course, the easy explanation is that sending down a list of *all* available Microsoft updates (especially if they expand Windows Update to include all server products, office products, developer products, etc etc etc) to anyone who runs Windows Update (or Automatic Update) would get a bit prohibitive. Or it's an insidious plot to find out what software people are running.
Another PDF mirror (Score:3, Informative)
http://clients.fbagroup.co.uk/slashdot/WindowsUpd
An interesting NTBugtraq post (Score:1, Informative)
Re:Haha (Score:5, Informative)
Microsoft Update no longer says "No information is being sent...", which is what this article is about.
Having read the article... (Score:5, Informative)
1. The Windows Update tool sends to Microsoft a complete list of what hardware you have.
2. If the Windows Update server claims to have an update available for product X, the Windows Update tool will check to see if you have product X installed, and report back to Microsoft.
Well, *duh*. The only way to avoid doing this would involve downloading a complete list of all the updates available for every supported piece of hardware or software. Based on the size of the Windows HCL, I'd guess that this would require tens of megabytes of bandwidth -- all so that Windows Update could pick out the half dozen entries which are relevant.
Re:Surprise, surprise... (Score:3, Informative)
Re:Haha (Score:5, Informative)
The more astute amongst you may have noticed that the "No information" message has not been there since Win2kSP3 came out.
Now it says this:
Windows Update is committed to protecting your privacy. To provide you with the appropriate list of updates, Windows Update must collect a certain amount of configuration information from your computer. None of this configuration information can be used to identify you.
Which essentially means that so long as they don't take an email address or phone number they can take what they want.
EULA could still be illegal in spite of agreement (Score:5, Informative)
I did read the EULA of the Dutch version of Win2K SP3 completely and never found any clause that would allow them to download anything off my PC without my consent.
Sadly I'm stuck with Windows since I can't (yet) afford a Mac to run Adobe apps on. When oh when will Linux/FreeBSD/X get decent colour management and ports of proper graphics apps like Illustrator, Photoshop and InDesign??? The GIMP is a nice toy, but it's hardly of any use for print production work. And KIllustrator and the like are simply a laugh too for any real work.. The Linux/BSD vs. Windows ratio is now 4:1 in favor of the free, but I'd like to get rid of Windows altogether. Give me my killer graphics apps!! I'll even pay for them!
Saving up for that Mac in the meantime..
NOT PAY PER VIEW (Score:1, Informative)
Story is incorrect (Score:5, Informative)
From the Windows Update website privacy statement (Score:5, Informative)
Yes, we don't not track you.
Tell that to the Melissa author, and some number of other people whose GUID was used to identify them. Even if you aren't a criminal, this could be misused in so many ways.
Despite loving many Microsoft products and the line of NT OSes, I wouldn't trust Microsoft as far as I could throw them.
Re:Tell MS What you think, apparently... (Score:2, Informative)
Yeah ... Can you say "spammer troll"?
Bleh. Just contact Microsoft directly at:
http://support.microsoft.com/default.aspx?scid=fh;EN-US;FEEDBACK [microsoft.com]
-/-
Mikey-San
The article says MS tells you this beforehand (Score:2, Informative)
Sounds like they already told you what they were going to do.
Basically, I completely back this. Much in the way that Redhat scans my computer to tell me what packages I have installed and then tells me what I need to download for updates, this scans the HW and SW I have installed and tells me about updates.
Re:Complete Breach of Trust (Score:2, Informative)
What, did you miss this? (Score:4, Informative)
And I quote:
Full article can be found here [internet.com].
Re:Inquirer? (Score:3, Informative)
Re:The article says MS tells you this beforehand (Score:3, Informative)
Sure, updates downloaded from MS sites could be tracked easily anyway, each download request could be associated with IP and such. But if non-MS programs are being probed, then they are wrongly exploiting the updater.
Comment removed (Score:5, Informative)
Re:YES IT DOES! Full example of sent data here: (Score:1, Informative)
Don't panic, here's a summary (Score:5, Informative)
First of all, the example data [tecchannel.de] sent is available free, as one poster above already listed. There's no software described there other than Windows itself.
Second, the System Info Schema [windowsupdate.com], as posted by another above, is pretty explicit about what registry keys are available to be sent, and it's pretty tame.
Frankly, I have no problem letting them know exactly what hardware I've got running. How can they harm me there? Perhaps a malicious hacker could grab this data and find ways to abuse my network card? Pretty slim.
Call me too open, if you will, but I'd be happy if it would let me know about other MS updates, such as Office, without having to also visit MS' office site. Update those automatically? Never. But it's much less convenient than the Windows Update site.
I greatly doubted that it would be sending large quantities of personal data, because it just doesn't take that long. The ones to worry about are the virus scanners, that take the time to examine every freakin' file.
In summary:
Re:Easy Solution (Score:3, Informative)
The point you are forgetting is that Apple makes and sells hardware, and only makes software so that they can sell that hardware. They'll give you the OS for free, as long as you pony up for the box. They have no interest, financially, to port or sell OS 10 to X86.
Re:Haha (Score:1, Informative)
Microsoft's hfnetchk tool does this, and it's currently a 1465KB XML file. (~185KB compressed)
That covers NT4, all W2000 SP levels, WinXP, all IE releases, and SQL Server 7/2000 and some other things not covered by Windows Update.
If the client sent the OS, the service pack level, and the IE version, the file wouldn't be that large.
Re:pay-per-view (Score:2, Informative)
Re:Easy Solution (Score:3, Informative)
Then why do they charge $120 for existing users (owners) to upgrade to each new point release for OSX?
Re:Easy Solution (Score:3, Informative)
Personally, I find the whole patch thing ridiculous. I tried to stay abreast of the current security patches by subscribing to the security mailing list and making my own decision about whether a patch applies. It's impossible. Every time you think you've gotten it right, there's another patch to figure into the situation. I use Windows Update to find out what updates I need, but since the home connection is ridiculously slow, I just make a list and download the
Who cares ? I run WinUpdate right after I install (Score:2, Informative)
After that, subscribe to one or two good security mailing lists and never use Windows Update again (you will probably find out faster about new vulnerabilities anyway), and download the appropriate patches directly from Microsoft's web site, by following the security advisories.
Agreed, it's a little extra work, but as far as I care, it's worth it.
This is the link (Score:5, Informative)
http://www.microsoft.com/downloads/search.aspx?displaylang=en [microsoft.com]
-B
How the well would it be able to see the Mac? (Score:3, Informative)
This is akin to saying that VMWare can somehow tell me that I have an SB Live! -- it can't. All it knows is that it has SB16 emulation inside, and that it writes the output of that to
This is pure paranoia talking. Perhaps you should invest in more aluminium for your head.
Windows Update is crap (Score:5, Informative)
As explained by Russ Cooper of NTBugTraq in a lengthy rant [ntbugtraq.com] on Tax Day of 2002, Windows Update is a horrible piece of crap. He followed it with another lengthy rant about what he thinks Microsoft should be doing [ntbugtraq.com] instead of Windows Update.
In the meantime, while downloads are large (~1.5MB), the XML package you get for HFNETCHK searches your system for proper file versions and remains the most reliable way to ensure your system is properly patched. Unfortunately, the best tool for checking your patch state (HFNETCHK) doesn't help you download the patches you need. It does identify the MS security alert addressed and even the KB article, but it's not painless. MBSA gets you one step closer by actually having the URL of the KB article, but it's not as painless as downloading updates via Windows Update (when WU properly identifies your patches).
Anybody who's used the atrociously-bad Automatic Update Service will know that it doesn't cover many important software updates and neither does Windows Update. In fact, if you use all three products, you'll frequently find that each product identifies a different set of patches that are required, and usually, none of them list all the patches identified by the others.
What I've found is that HFNETCHK actually identifies truly critical patches, while Windows Update improperly identifies non-critical updates as being critical. For instance, it tells you that installing Internet Explorer 6.0 SP1 is critical (even when you're running a fully-patched IE 5.5SP2) or even worse, it tells you that a patch meant to improve functionality of using a non-IE default browser is critical.
Sorry, but as much as I hate MS and as much as I prefer Mozilla to IE for my own browsing needs (and even though it works better), I don't make it my default browser anywhere, especially on servers, so this update is hardly critical.
In short, while sysadmins at least have a chance to stay fully-patched these days--unlike the days before Code Red--MS still has incredibly shoddy patch management tools, incredibly inconsistent patch installation mechanisms and still takes liberties with customer data it shouldn't need to take.
If Microsoft ever gets serious about patch management, they'll have a common tool that sysadmins can use to patch any and all of their MS software with a common interface and no unnecessary transmission of system-specific data to MS. Is that too much to ask? Apparently.
Re:How the well would it be able to see the Mac? (Score:2, Informative)
How would it do this? The "partition" that the Windows OS runs in is a virtual partition, and is really just a disk image. The virtual OS only has knowledge of this partition and up to two other virtual partitions that you set in the preferences of that virtual machine. When you copy something between the Mac side and the Windows side on VPC, a temporary share is created for the duration of the copy.
It is possible to set up VPC to see your entire Mac partition by setting up folder sharing from the Mac's root directory. You'd have to go out of your way to do this, there'd be little to no point, and it would be in no way something MS could count on to happen.
Re:How does this differ from RH Update? (Score:5, Informative)
The update agent will still work because it polls the servers for which packages are current for your release [2] and compares that list to what you have installed, and the comparison is done locally.
[1] https://rhn.redhat.com/help/basic/register-system
[2] https://rhn.redhat.com/help/basic/up2date-setup.h
Re:Haha (Score:4, Informative)
A list is a lot of bandwidth? (Score:3, Informative)
First, the client would be a one-time install. No biggie there. Next, text is pretty small. I mean, you have to review the patches yourself anyway (please tell me you don't allow MS to decide what gets "updated"...). I can read pretty fast, but not as fast as my modem can d/l text. So I don't think the bandwidth is a problem.
And I would still rather have this client-side. They can deduce all they want, but they won't have things like reg codes, CD keys, etc, which I bet they collect. And I bet they also collect PCI serials. So, if they ever decided to bust you, they'll have all your hardware IDs and software codes. Yay!
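Several posts in this thread ("Having read the article...", the up2date comparison in "Re:How does this differ from RH Update?", and "A list is a lot of bandwidth?") argue over the same design question: whether the client has to report its inventory to the server, or whether the server can publish a catalog and let the client do the matching locally. The sketch below is an added example written for this page, not code from Microsoft, Red Hat or any poster. It assumes a made-up catalog format (an `Update` record with a product name, a coarse OS family, and an affected/fixed version range) and constructed sample data; the only datum that leaves the client is the OS family, which bounds the size of the catalog slice the server returns, while installed products such as the "Mozilla" entry in the inventory are never transmitted.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Update:
    """One catalog entry (hypothetical format, constructed for this example)."""
    update_id: str
    product: str        # product the fix belongs to
    os_family: str      # coarse family the server is allowed to filter on
    affected_from: str  # first affected version (inclusive)
    fixed_in: str       # first fixed version (exclusive upper bound)


def parse_version(text):
    """'6.0.2800.1106' -> (6, 0, 2800, 1106) so tuples compare numerically."""
    return tuple(int(part) for part in text.split("."))


# Constructed sample catalog as a server might publish it; update ids are invented.
CATALOG = [
    Update("UPD-001", "IE", "WinXP", "6.0", "6.0.2800.1106"),
    Update("UPD-002", "IE", "Win2000", "5.5", "5.5.4807.2300"),
    Update("UPD-003", "Windows", "WinXP", "5.1.2600", "5.1.2600.1106"),
    Update("UPD-004", "Office", "WinXP", "10.0", "10.0.4219"),
    Update("UPD-005", "SQLServer", "Win2000", "8.0", "8.0.760"),
]

# Constructed local inventory. The "installed" dict never leaves the machine,
# so the presence of a non-Microsoft product (Mozilla) is not observable remotely.
INVENTORY = {
    "os_family": "WinXP",
    "installed": {
        "Windows": "5.1.2600.1105",
        "IE": "6.0.2800.1106",
        "Mozilla": "1.2.1",
    },
}


def server_slice(catalog, os_family):
    """Server side: filter the catalog on the one coarse value the client sent."""
    return [u for u in catalog if u.os_family == os_family]


def applicable_updates(catalog_slice, installed):
    """Client side: match the catalog slice against installed software locally.

    A product that is not installed is skipped silently; nothing is reported
    back about it either way, which is the privacy property the thread debates.
    """
    hits = []
    for u in catalog_slice:
        version = installed.get(u.product)
        if version is None:
            continue
        v = parse_version(version)
        if parse_version(u.affected_from) <= v < parse_version(u.fixed_in):
            hits.append(u.update_id)
    return hits


def check(inventory=INVENTORY, catalog=CATALOG):
    """Run one update check; returns (outbound request, applicable update ids)."""
    request = {"os_family": inventory["os_family"]}  # the whole outbound payload
    catalog_slice = server_slice(catalog, request["os_family"])
    return request, applicable_updates(catalog_slice, inventory["installed"])


if __name__ == "__main__":
    sent, needed = check()
    print("sent to server:", sent)          # {'os_family': 'WinXP'}
    print("updates to fetch:", needed)      # ['UPD-003']
```

With the sample data, the client sends only `{"os_family": "WinXP"}`, receives three catalog entries, and decides locally that just UPD-003 applies (the IE build is already at the fixed version and Office is not installed). The trade-off the thread identifies is visible in `server_slice`: the less the client reveals, the larger the slice it has to download and filter itself.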
The original article that started it all (Score:2, Informative)
He posted it to ntbugtraq on Monday Feb 24th
Here [ntbugtraq.com] is the original post, where it describes the issue in a clear fashion, and does point out that Microsoft do tell you exactly what information they gather, however most people are unaware of this as they don't read the EULA - like me
kai
Windows Update Privacy Statement (Score:2, Informative)
Re:Linkee no workee (Score:2, Informative)
Re:pay-per-view (Score:1, Informative)
Oh, this post is redundant too, but since I don't expect the other reply to be modded up, I thought I'd post anyway (yeah, throw an Offtopic in there as well...)