Microsoft WGA Phones Home Even When Told No 403
Aviran writes "When you start WGA setup and get to the license agreement page but decided NOT to install the highly controversial WGA component and cancel the installation, the setup program will send information stored in your registry and the fact that you choose not to install WGA back to Microsoft's servers."
Re:time to modify the hosts file (Score:5, Informative)
Re:time to modify the hosts file (Score:1, Informative)
0.0.0.0 genuine.microsoft.com
is better, because 127.0.0.1 redirects the request to a local webserver.
Easy enough to deal with (Score:3, Informative)
There didn't appear to be any identification of the specific user in there.
It seems to me that it would be easy enough to determine what port WGA is using to send this stuff, and lock down said port at one's firewall. That's the method I'd choose to deal with it (if I were even running anything with WGA installed -- which, thankfully, I'm not).
Doesn't work (Score:5, Informative)
Re:the route your kids take to school, of course (Score:5, Informative)
It's very light on details, however. There is a screenshot from wordpad of the data sent; it's an XML-type document which appears to have pulled a couple of id/hash numbers out of the system registry, e.g. OS version, but no personal info. They can't really get any personal info anyway, since data protection laws here in the UK and other countries would land them in shite, and also I suspect that they have more important things to do than snoop random people's names.
Personally, I think that they're just trying to get an idea of the number of people who won't install it. These people either have pirate copies and know they'll fail validation, or simply are opposed to the idea of their OS phoning home. From a cynical viewpoint, it's important for MS to gauge the reaction to this early so they know how far they can push these sorts of thing without there being a massive backlash.
Re:Gibberish (Score:5, Informative)
an image from the now slashdotted page is here, it shows what gets sent to MS
http://img266.imageshack.us/my.php?image=wgahp5.p
Re:Like the GPL? (Score:5, Informative)
The GPL is not a consumer product license. In order to use the software you don't even have to agree to the GPL. Only if you distribute are you bound by its terms, and software distribution is a complicated topic.
Even so, when you compare it to proprietary EULAs, the GPL is entirely readable in its main parts. Furthermore, the GPL is not written in caps as most EULAs are (IMHO this obvious attempt at obfuscation alone should make EULAs unenforceable).
Re:Gibberish (Score:3, Informative)
There's an english language article about the same packet dump
Some of the data is encrypted, some of it are just acronyms you don't know
Re:Like the GPL? (Score:5, Informative)
Re:time to modify the hosts file (Score:3, Informative)
Back when Optical Mice first hit the scene, I picked up a MS optical mouse for a machine I was building on my coffee table. I loaded the driver and the install stalled and nagged me because it could not find my network connection. Please configure up your networking or start your dialer...without a mouse driver installed! I wonder to this day if the software would have informed me that it was attempting to phone home if it did find a connection. That mouse got put back in the package and passed along to some other sucker. I would rather throw the brand new mouse away than permit that driver on my system. The lack of a configured network connection is probably the only way I would have discovered that the mouse driver phones home. I've stuck with Logitech mice since then for that very reason.
With several Linux distro's being easy to install and use, when WGA came out, I stopped MS upgrades and started moving to Linux. Love my Ubuntu box.
Anybody tried a WGA refusal with the network disconnected? Does it nag for a connection?
Re:Doesn't work (Score:2, Informative)
Anyway as I was saying, once a virus takes over the HOSTS file, it could fool the common user into downloading malicious "updates". If someone put a little effort into it, they could use McAfee/Symantec's auto-update feature to replace the scanner with a 100% evil application that merely simulates the scanner's interface. The user points it to his/her/its sensitive files and lets the dumb app chug away for hours.. rather than scanning for viruses, it could be compressing and shipping off confidential data over the net.
While it may seem like just another entry vector to vulnerable machines, it's actually far more dangerous than most security holes because it has the potential to impersonate trusted hosts and exploit that trust to full effect.
Re:What it really does... (Score:2, Informative)
Re:time to modify the hosts file (Score:2, Informative)
Re:time to modify the hosts file (Score:2, Informative)
Report this to "StopBadware.org" (Score:5, Informative)
This should be reported to "StopBadware.org". StopBadware.org's definition of badware [stopbadware.org] requires prior consent to send personally identifiable information to a site. This should be enough to put WGA on the Badware list.
Google is now flagging sites that have been identified by StopBadware.
StopBadware is run by law professors from Harvard and Oxford, with assistance from Consumer Reports. StopBadware is effective. They complained about the Jessica Simpson screensaver, which installed spyware in May 2006. The makers of that didn't listen. In October of 2006, a US federal judge shut that outfit down.
Re:Like the GPL? (Score:4, Informative)
The GPL is NOT limiting anyones rights beyond copyright law, you might say its more limiting than the LGPL or modified BSD, but you can't say its more restrictive than no license at all.
Also an EULA is an agreement the end user is supposed to agree to to be able to use the software, the GPL is a copyright license that a distributor must agree to to be legally able to distribute any program that includes/links against GPL code.
Re:Like the GPL? (Score:3, Informative)
Re:Like the GPL? (Score:3, Informative)
Stop the obvious trolling. For the record:
Re:So? (Score:3, Informative)
Well (Score:2, Informative)
Re:Like the GPL? (Score:3, Informative)
Comparing that with software that's sold usurping the "right" to call home by means of an obfuscated EULA is the height of disingenuousness.
You're just a little bit TOO cynical (Score:5, Informative)
BSD license is all well and good, but if it wasn't for the GPL there wouldn't be so many people involved in development of GPL software. Your view does have some merit, but not because of selfishness. Novell doesn't want Microsoft to take their code, put it in Windows, and blast Novell away again. Red Hat doesn't want IBM to secretly switch AIX to all Linux code, and sell it for a mint, and never give anything back. So, that's understood, and everyone can feel free to develop the code base without worrying about it. Your payment for being able to use everyone else's work (and saving a lot of money by doing so) is to also release your improvements to everyone else. So your PROFIT is the improvements you get back on the code you wrote.
It should be noted that the big companies pushing Linux actually do turn a bit of a profit, in terms of cash.
The GPL *is* about supporting the community. If a piece of software is community developed, that same community (as well as anyone that uses it) really wants the software to improve. If ACME Corporation wants to use the software in their product, because it would be a LOT cheaper then developing in-house, they'll take it, improve it, and package it with their product. In the meantime, they'll also make their improvements available to everyone else. That's their payment for saving millions in licensing or development. How is this selfish?
If you don't want to release your code under the GPL, then simply don't. If you don't LIKE the GPL, then don't use GPL code, it's as simple as that. Or, are you pissed that you can't just do whatever you want with someone else's work?
The GPL, in fact, does allow a lot more freedom for the code you write then general copyright laws allow for. It's obviously a lot more open then closed-source. Why must you compare it to the BSD license? (Extra Points: If the BSD License worked so well, why did it take the GPL to bring open source software to the forefront? Explain and cite references.)
Original article (Score:2, Informative)
Re:Like the GPL? (Score:3, Informative)
Re:time to modify the hosts file (Score:3, Informative)
Re:time to modify the hosts file (Score:2, Informative)
Re:on a related note (Score:5, Informative)
Yeah, it's called NE2000. Almost all cards support it. If you don't have the drivers for a card, you can usually force Windows to use generic NE2000 drivers and the card will work. But if it can't identify the card, or identifies it and doesn't have drivers, then it will tell you that it can't install it, even when it knows it can use it just fine with the generic drivers. So yes, I do think it quite plausable that Windows can use a NIC it does not have drivers for. But I wouldn't call NE2000 a secret.
Re:Gibberish (Score:5, Informative)
1 -- (1) A person is guilty of an offence if--
(a)he causes a computer to perform any function with intent to secure access to any program or data held in any computer;
(b)the access he intends to secure is unauthorised; and
(c)he knows at the time he causes the computer to perform the function that that is the case.
The data sent home is noted by (a). As the user has expressly not agreed to the WGA EULA, unauthorised access is noted by (b) and (c) - in particular (c) as there was no agreemnt to the EULA; assuming of course that the data sent home is that that would be sent home IFF the EULA had been agreed and WGA installed.
As an aside, the Sony rootkit that installed something even when the EULA or whatever was decined was probably in breach of Section 3 of the same Act - doing "...any act which causes an unauthorised modification of the contents of any computer..." - those discs weren't sold in the UK?
The question is who is the responsible entity for a company: they have programmers that have written the code that does the unauthorised access (are they responsible), or is it their managers (who defined the specs) or the company as a whole (the directors)?
Re:on a related note (Score:3, Informative)
No, it was a valid, unused rfc1918 address in the correct subnet. MAC address was the one on the card in the computer in question.
My home shorewall box correctly drops 169.254.x.x made-up addresses, and my ISP does not forward traffic from IPs not assigned to it. I know, I configure the routers.
But really there's no point trying to find technical explanations when the obvious one is at hand - you can't read a sniffer trace for shit.
Having the ability to install Ethereal does not magically confer on you the ability to interpret the results correctly.
tcpdump, actually. I know what I saw, and I get to practice my sniffing skills on several hundred DSL & T1 subscribers daily.
And I agree with the ne2000 thing, I think it was a card that worked with the ne2k-pci driver on linux (an old linksys maybe?)
anyway, creepy and very real.
Re:Gibberish (Score:2, Informative)
This is why on a fresh install I never plug my network cable in until all that crap is disabled.