Examining Microsoft Update
eggsovereasy writes "The Inquirer is reporting that a group in Germany has deciphered the information sent to Microsoft during an update using Windows Update and says that information on all software installed on your computer is sent, even that which is not Microsoft's own software." The original article is, unfortunately, pay-per-view. Update: 02/26 18:19 GMT by T : ionyka points to this "related article from ITWorld that deals with Microsoft's transferring of information through Windows Media Player. When you open up Media Player it sends information back to Microsoft like what movies you play, what songs you listen to and where they come from."
Surprise, surprise... (Score:2, Insightful)
Complete Breach of Trust (Score:3, Insightful)
If not, it's at least a huge breach of trust, and users should not stand for it.
I wonder what Virtual PC sends ... (Score:4, Insightful)
This may also be an ulterior motive to Microsoft buying Virtual PC from Connectix last week. They want this same data from Mac Users. I imagine if it's not there then it will be added to read all partitions mac/Linux/PC
Knowing what your customers have on their hard drives is sensitive corporate data. Basically, you know the Hot or Not Programs in the industry and then develop programs based on their hard drive residency!
EULA says they can take what they want (Score:3, Insightful)
Theoretically this includes data dumps of hard drive formats which the OS does not even support.
/Tin Foil Hat Off (Score:5, Insightful)
While the intentions may not be all that honest, it's not a horrible idea. I've noticed numerous times when running Windows Update that it's offered to upgrade my Cisco Wireless LAN software as well as my Epson print drivers. Kind of nifty and not all that bad, if you ask me.
No verification possible... (Score:5, Insightful)
Any easy way to verify this ourselves?
I'm suspecting their claim is true, but I'd like to see the data...
Reinout
And I should be surprised why? Also, a suggestion. (Score:5, Insightful)
I would have to do some research, but I believe this might violate their own privacy policy. Even if it doesn't, they really have no moral right to send any information about your system without letting you know what it is and giving you a chance to abort the whole thing. Yet I am unsurprised, in fact I expect every big company is doing this kind of thing when they can get away with it.
Not that I am saying "Everyone is doing it, so what is the big deal?" My attitude is more "Let's stop this crap now!"
So I have a suggestion -- someone should start an open source project to create a re-writing proxy for updates that strips out all the stuff Microsoft is sending in the updates, except what is absolutely needed. Make it open enough that we can plug in re-writers for other companies as well.
Predictable (Score:2, Insightful)
Re:EULA says they can take what they want (Score:3, Insightful)
I thought this sort of outrage was already covered by the change in TOS brought in by WinXP SP1? (i.e. we will take whatever info we want from your machine, and if we don't like it we'll lock you out.)
Re:Haha (Score:5, Insightful)
I should have taken him out back and beaten him with a frozen salmon. Hello!? How do they know what patches you need if they can't look at your system and tell their servers what you've already got?
The fact that the program takes the time to rifle through the system is of no surprise to me. While I think the practice stinks, it hasn't stopped me from using the service though. Given the choice between MS finding my installation of UT2003 or some script kiddie looting my system, I'll choose the former.
Duh (Score:2, Insightful)
Re:/Tin Foil Hat Off (Score:5, Insightful)
Re:Haha (Score:5, Insightful)
They could send a complete list of available patches to your system and let the client running on your computer pick which ones are necessary, without Microsoft ever knowing what software you have installed. Granted, they could deductively determine what hardware you use based on what patches you then request, but since you can only download patches for Microsoft software, the best they could do would be to determine what hardware and Microsoft software you currently have installed.
Re:/Tin Foil Hat Off (Score:3, Insightful)
Driver updates? No problem.
SOFTWARE updates? Uh. Problem.
Windows Update is responsible for updating my SYSTEM, thus the term Windows update, not "universal software updator" or some other such silly name.
Besides, last time I let Windows Update update my drivers it replaced my Matrox G400 driver with a French G400 driver that refused to be uninstalled. . . .
Re:EULA says they can take what they want (Score:5, Insightful)
Re:Surprise, surprise... (Score:3, Insightful)
And, yes, I am lazy. How did you know?
Re:Surprise, surprise... (Score:5, Insightful)
No they don't. They can just send a list of updates to the client, and the client can display the updates that apply to your computer. This is why Microsoft can claim no information is being sent to their server: because sending information isn't necessary.
This is actually how APT works.
Re:EULA says they can take what they want (Score:4, Insightful)
Re:Surprise, surprise... (Score:5, Insightful)
If the reasoning was to better detect and avoid application conflicts I would possibly agree with this method, but the software clearly doesn't do that.
Re:Complete Breach of Trust (Score:2, Insightful)
This isn't just some random company that nobody has ever heard of, with a clean slate. It's 2003. When people deal with Microsoft they know what they're getting into, regardless of what Microsoft says.
When it comes to Windows users, I really do blame the victim. There's a point where a reputation becomes so soiled, so repeated, and so publicly, that it really is either dishonest or stupefyingly negligent for someone to say they didn't know. There just aren't any rocks in the world that are big enough for someone to live under and not hear about Microsoft.
Re:Surprise, surprise... (Score:5, Insightful)
Re:Tell MS What you think, apparently... (Score:2, Insightful)
Re:Haha (Score:2, Insightful)
Thank You (Score:3, Insightful)
Windows Update has offered me updated device drivers in the past, so I think the inclusion of hardware info could be defended on that basis.
Privacy and Trustworthy computing (Score:1, Insightful)
Ok, done. No wonder I use Linux and Mac
Windows Update Privacy Policy (Score:3, Insightful)
Re:Haha (Score:2, Insightful)
Windows Update can be used for non-MS software, hence the need to send some info about non-MS software. And as you pointed out, they could "guess" most of the information that's being sent anyway.
Open Source solution already in place. (Score:2, Insightful)
Just had to say that, but on a more serious note, I use Red Hat Network to keep a few Red Hat Linux boxes updated with current patches and it does much the same thing. But there is a big difference.
When you register a box it tells you exactly what information will be sent to RHN about software on your box and allows you to opt out.
The benefit here is twofold in that RHN only sends you updates for the software that is installed on your system and you get updates for any software package that Red Hat supports beyond patches for just the kernel.
What I'm not sure of is if they track all applications you've installed even if they don't support them. Although I still wouldn't be concerned because they tell you up front what information you will be sending to them and you can say NO.
burnin
It's not the personal identification.... (Score:2, Insightful)
I don't mind TiVo using my info to better programming à la the Nielsen ratings. BUT I do have a problem with Microsoft using my data (without asking) to adjust their business plans and/or methods of sales, tracking, schemes, etc.
i.e. "Software maker X has sold 500K copies, BUT our windowsupdate shows that there are 600k copies being used...."
Re:Surprise, surprise... (Score:5, Insightful)
So this person with such precious time should think twice before buying products from a company with such a "poorly designed website" or that doesn't ship a version of the drive with the product.
Re:Check out the rest (Score:1, Insightful)
Why "I" think a lot of people are pissed at this.. (Score:2, Insightful)
You know what? I don't care if they can check to see what I have running on my computer. If I use an updating service made by Microsoft for products made by Microsoft, I almost automatically assume they are getting just about every piece of info off of my computer that they can get. As long as it's not anything important (like e-mail, names, credit card numbers, etc) I could care less, I have nothing to hide. If MS wants to see how many people use a certain piece of software, all the power to them.
I guess it all comes down to reading the fine print and knowing that most of the time, the company is looking out for the company, not the customer.
I'm not saying MS should get away with everything it wants to do, but I do think it's funny that people are surprised that a service that gets information about your computer actually gets information about your computer.
Or (Score:1, Insightful)
Oh hey, he did!
Re:Haha (Score:2, Insightful)
A download is a file that you have and can keep so you don't have to download it the next time your system crashes.
There is no way to keep the update, patch, or driver now, so how is that a download?
Sure one can go to the corporate site and download updates; however, not all patches and updates are made available there.
One used to be able to go to the Temporary Internet File folder and copy and paste the file to another folder however one cannot even do that now.
It's remote installation but it is not a download in any way shape or form as the files are not saved to disk for future use.
For example the hoops one has had to jump through to install the latest secure version of MSJava left a bad taste in my mouth so I downloaded Sun Java and now use it.
Microsoft stated that one should remove them from trusted sites status due to a problem with COM and certificates which to my knowledge still hasn't been properly fixed. Anyone with Active X enabled in Internet Zone is an Idiot and Microsoft's Windows Update does not work without these settings. This leads me to believe that it was one more attempt to ruin Sun.
Re:Complete Breach of Trust (Score:5, Insightful)
Sorry, I'm gonna call bullshit on this one. While it's true that people involved in the industry generally know what's up, many people outside of it don't. People who have better things to do than read IT-related media get all of their news about MS from totally mainstream sources in the first place, and a lot of people could really give a rat's ass about today's MS article on Yahoo's front page. As far as Joe Sixpack is concerned, it's an IT-related story, and he probably doesn't care what it says. If you are not into the theatre scene, do you read reviews for every play in your area? If you are not interested in business, do you read every story in the business section? Probably not, and my mother doesn't read every story about Microsoft.
Saying that the victim is at fault is not a solution to the problem, and is not an excuse for bad behavior on MS's part.
Re:Haha (Score:2, Insightful)
Re:Surprise, surprise... (Score:3, Insightful)
I know it's a bit of paranoia, but I'd rather them not know what I've got running at all, but I'll let them know what MS software I have because that's what I'm getting fixes for.
Re:EULA says they can take what they want (Score:4, Insightful)
Windows Update is committed to protecting your privacy. To provide you with the appropriate list of updates, Windows Update must collect a certain amount of configuration information from your computer. None of this configuration information can be used to identify you. This information includes:
If a lawyer writes "this information includes...", then that's exactly what they mean. They don't mean that it is a complete list; there may be other stuff that they're not explicitly telling you about.
Justin.
Re:Complete Breach of Trust (Score:3, Insightful)
WU doesn't send software list (Score:3, Insightful)
Re:Mac OS X? (Score:1, Insightful)
Re:Haha (Score:3, Insightful)
1. Client downloads latest Update Management Software + Config File from server
2. Client runs Update Management Software.
3. UMS determines what patches are needed from inbuilt logic and information in configuration file
4. UMS downloads and applies relevant patches
XEmacs does exactly this! It works pretty well from what I've seen.
Re:Complete Breach of Trust (Score:2, Insightful)
Or in simpler terms, do software companies have the right to order you to provide on request an inventory and proof of purchase for their products at any time, without just reason to suspect otherwise, and on their own recognizance?
Re:Am I the only one who is not surprised by this? (Score:3, Insightful)
Why do you say that it has "got to stop?"
Do you think the DOJ consists of a group of people who took power via a coup d'état? Or do you concede that the Department consists of individuals who have been appointed by elected executives and confirmed by an elected Congress?
Whether the current government is a true expression of the will of the American people, or the current government is a result of our apathy (even antipathy) toward the democratic process and the political party structure, it is not reasonable to wait until a crisis at the Federal level to take action.
"Something" can be done. In twelve years or less, the Federal government will be largely composed of individuals who are at this moment seeking State and local office. If you have not developed a relationship with these politicians or their parties NOW, while they are accessible, and if you have not participated in the process of putting them in office by CAMPAIGNING and VOTING, you may find yourself in precisely the same position a decade from now, claiming to be powerless to affect the process, and demanding that "something" be done.
Something *is* done, and the people who make a priority of participation in the political process of this country are the people who shape government. Whether you choose to participate or not, you are still part of the process.
Apathy elects our leaders.
How does this differ from RH Update? (Score:5, Insightful)
Why is it that when Microsoft does this kind of thing, suddenly there's a more sinister motive behind it all?
I don't hear anyone complaining about Redhat's privacy policies...
Re:Surprise, surprise... (Score:1, Insightful)
Though I never believed it, I couldn't prove it. Now, it looks like a class action lawsuit is the next step! WOO! I am glad to be a 'doze user now!
Re:Surprise, surprise... (Score:4, Insightful)
Either 1) privacy is just not a factor for the folks at all or 2) they want the data for other uses. Most likely it's the former, but the fact that the makers of the 95% market share OS don't care enough about privacy to make it even a small concern when designing systems like this is Really Scary, maybe scarier than them purposefully collecting my data, because at least then there's the possibility that they'll be careful with my data once they've got it.
Linkee no workee (Score:5, Insightful)
Life's far too short to use IE.
-B
Re:Makes sense (Score:3, Insightful)
This should not be modded Funny. This is serious.
BillG: Look, everyone has Acrobat Reader, we need to develop XDoc.
Everyone has some SimXXX game, we need to develop Zoo Tycoon.
Business as usual. Take advantage of monopoly position of control. Discover what anyone else might be doing that is popular. Develop a competing product. Give it away, or bundle it into OS.
Re:Easy Solution (Score:3, Insightful)
This isn't new. (Score:1, Insightful)
After that experience, my expectation is that MS software keeps very close watch on friendly and, likely, "unfriendly" software on your computer.
Anyone remember the AARD code?
Re:Surprise, surprise... (Score:3, Insightful)
Well heck, the article being pay per view almost nobody in the thread is likely to have read it. Why bother to read the article?
There are a bunch of Win98 programs which are known not to work properly under XP. Every so often Microsoft issues a set of patches that allow these to work properly.
Re:Haha (Score:3, Insightful)
First, user sends the version number of the patch list present on the user's hardware to MS. The version number represents what hardware/MS software is present, and what patches have been previously applied.
A match is found.
A list of patches is generated, and sent to the user.
MS transmits ONLY the patches that the user's version number indicates are necessary.
User patches.
After successful patch, the version number of the patch list is updated on the user's hard drive.
Operation complete.
So, a massive transmittal of a list of ALL patches is not necessary: only the version number of the patch list needs to be communicated.
The "so much data needs to be sent" argument for MS's snooping presupposes their method of applying patches to be the only one. A little thinking comes up with an alternative.
They snoop because they want to snoop.
Keep an archive (Score:2, Insightful)
Re:From the Windows Update website privacy stateme (Score:3, Insightful)
Found on the 'Net: "David L. Smith was not caught on the basis of the GUID, he was caught because the feds were able to trace the point of insertion of the virus into alt.sex from the ISP he used, then from the connection logs down to the phone number used to connect to the service. The GUID had nothing to do with it. There was also no indication that he used pirated software, just that he or someone had used a previously written virus and modified it into Melissa, passing on the unique GUID of the original document/macro author."
Just wanted to set that straight.
Re:How does this differ from RH Update? (Score:2, Insightful)
On the flip side though, imagine if Redhat's DB was compromised. You'd have an accurate listing of every RedHat box out there, their IP, and what versions of software they were running. That's a goldmine for a script kiddie.
Re:Surprise, surprise... (Score:1, Insightful)
Re:How does this differ from RH Update? (Score:3, Insightful)
This is such a ridiculous non-issue that completely misses the point. If what this article says turns out to be true, it means that MS is spying on you and offering you NO CHOICE to avoid that spying. On TOP of charging an arm and a leg for PROPRIETARY, SECURITY-FUCKED software.
Another difference is that if you downloaded Red Hat Linux, you got all the software on there from Red Hat. If you add third-party software, it will only register with Red Hat if Red Hat releases a version of it. This is not the case, if this article is correct, with Microsoft. It will record your software whether it can be updated by MS or not. And that is pointless, unless there is a sinister motive.
B
Re:How does this differ from RH Update? (Score:3, Insightful)
Microsoft's entire corporate psyche is built around cultivating that abuse. Bill Gates has, on numerous occasions, stated that Microsoft's main competitor is its own customer base. Unless you've been living under a large rock for the last ten years, you're well aware of how Microsoft treats its competitors (and not coincidentally, its "partners").
Microsoft's known street-thug behavioral history should be enough to send shivers down your spine whenever anyone there has network access to your computer in any form whatsoever.
Re:Easy Solution (Score:3, Insightful)
We could only hope... [onestat.com]
Face it - the desktop needs to get rid of all that cruft and get some standards before it can become mainstream. Although it is a nice thing to have, this variety hinders standards, thereby keeping both users and developers away.
True? (Score:3, Insightful)
Re:Or (Score:3, Insightful)
That's why I don't use XP. (Score:3, Insightful)
I use Win2K because everything I run needs Windows. I don't use XP because I do not like the invasive EULAs and I think it is a bloated pile of useless eye-candy.
Re:Along those lines... (Score:3, Insightful)
This is no different than the typical CD player/MP3 ripper which queries the CDDB to find out the title of the CD and the name of the tracks. No big deal.
Re:Haha (Score:3, Insightful)
Actually, no need to download all patches and updates, just metadata about them. Client OS then can easily determine what updates it needs and present a choice to the user. It is actually less bandwidth this way because you don't have to transmit the information about your complete system, including 3rd party apps to MS. MS will only provide metadata about *updates*, not a metadata of a complete system.
In any case, this metadata transmission is not substantial, much less so if compression is used.
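
The client-side selection scheme several comments above describe (the server publishes the same update metadata to everyone, and the client decides locally what applies), sketched as an added example that is not part of the original thread and not any vendor's actual protocol. The catalog format, product names, versions and patch IDs are all constructed for illustration. It also shows the residual disclosure one commenter points out: the download requests themselves reveal which catalogued products are out of date.

```python
import json

# Constructed catalog: the server publishes this identical document to every client.
CATALOG_JSON = json.dumps({
    "catalog_version": 42,
    "updates": [
        {"id": "PATCH-001", "product": "os-core", "fixed_in": [5, 1, 3]},
        {"id": "PATCH-002", "product": "media-player", "fixed_in": [9, 0, 1]},
        {"id": "PATCH-003", "product": "web-server", "fixed_in": [5, 0, 2]},
        {"id": "DRV-010", "product": "gfx-driver", "fixed_in": [2, 4, 0]},
    ],
})

# Constructed local inventory: in this scheme it never leaves the machine.
LOCAL_INVENTORY = {
    "os-core": (5, 1, 2),
    "media-player": (9, 0, 1),
    "gfx-driver": (2, 3, 7),
    "third-party-game": (1, 0, 0),   # not in the catalog at all
}


def select_updates(catalog_json, inventory):
    """Evaluate applicability locally; return the update IDs to request."""
    wanted = []
    for upd in json.loads(catalog_json)["updates"]:
        installed = inventory.get(upd["product"])
        if installed is None:
            continue                      # product not installed here
        if tuple(installed) < tuple(upd["fixed_in"]):
            wanted.append(upd["id"])      # installed version predates the fix
    return wanted


def server_view(catalog_json, requested_ids):
    """What the server can deduce from the download requests alone."""
    by_id = {u["id"]: u for u in json.loads(catalog_json)["updates"]}
    return {
        by_id[i]["product"]: "older than " + ".".join(map(str, by_id[i]["fixed_in"]))
        for i in requested_ids
    }


def hidden_from_server(catalog_json, inventory):
    """Installed products the server never learns about under this scheme,
    compared with uploading the full inventory."""
    requested = select_updates(catalog_json, inventory)
    disclosed = set(server_view(catalog_json, requested))
    return sorted(set(inventory) - disclosed)


if __name__ == "__main__":
    ids = select_updates(CATALOG_JSON, LOCAL_INVENTORY)
    print("requested:", ids)
    print("server can infer:", server_view(CATALOG_JSON, ids))
    print("stays private:", hidden_from_server(CATALOG_JSON, LOCAL_INVENTORY))
```
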