Topics: Microsoft, Security, IT, Your Rights Online

All Microsoft Updates Phone Home (233 comments)

Posted by samzenpus
from the always-watching-you dept.
juct writes "In the wake of heise Security's report on the garrulous WGA Notification, Microsoft has now supplied additional details on the data sent. They have revealed to developers that apparently all updates relay information to the company in Redmond."


  • What if. . . (Score:4, Insightful)

    by smooth wombat (796938) on Thursday March 08, 2007 @04:12PM (#18280192) Homepage Journal
    you don't go through Microsoft Updates but instead go to their Security Search and manually download each patch?

    Since you've never activated WGA, does that mean you're invisible to Microsoft?
  • by HateBreeder (656491) on Thursday March 08, 2007 @04:15PM (#18280218)
    That's hardly surprising.
    Considering that most of these applications are installed via the windows-update site...
    I doubt you could even maintain a session without sending information back to the web-server.

    I say: nothing to see here, move along.

  • Re:What if. . . (Score:3, Insightful)

    by HateBreeder (656491) on Thursday March 08, 2007 @04:17PM (#18280248)
    Some apps require "validating" your copy of Windows before installation.

    Windows Defender, for instance, comes as a local executable - but obviously, the WGA authentication is remote.

    probably a non-issue anyway.
  • by blakmac (987934) <blakmac@gmail.com> on Thursday March 08, 2007 @04:18PM (#18280252) Homepage
    "When the product IDs and product keys found belong to legal software, Microsoft will delete the data right away; only in cases of suspected software piracy will it store the data, the company has said. In the blog, the company once again explicitly states that it does not use the information gathered to identify or contact users." ...so we are expected to believe (by this wording) that they WILL keep the information relating to illegal installations, but not use it to identify the person using it. Why does that sound like a lie?
  • Nothing to see (Score:4, Insightful)

    by HomelessInLaJolla (1026842) * <lajollahomeless@hotmail.com> on Thursday March 08, 2007 @04:18PM (#18280256) Homepage Journal
    There really is nothing to see for those who are technically literate to the operation of modern systems. This sort of thing, however, should be included as a sticker on the front of all MS products as the majority of the population probably does not think about the consequences of callbacks. Most consumers, whom I've met, actively avoid products which obviously track their movements unless the product is highly desirable (eg. cellular telephones). Making the reality of callbacks more popularly known would have a definite impact on the decisions which consumers make.
  • by punxking (721508) on Thursday March 08, 2007 @04:33PM (#18280440)
    I can understand wanting some information about the machines running one's software, as it helps understand the market and improve upon current design.

    Agreed, but they could tell users they are collecting up front, or even *gasp* ask for it first!
  • by dannannan (470647) on Thursday March 08, 2007 @04:38PM (#18280502)
    Without telling Windows Update which software and hardware you have, and which patches you have installed in the past, your only option would be to download every patch for every application and device ever released. This would quickly become unworkable.

    D
  • by cdrguru (88047) on Thursday March 08, 2007 @04:39PM (#18280512) Homepage
    Is the executable digitally signed?

    Has the certificate covering the signer been revoked?

    Are you installing some Nokia application or are you installing a disguised copy of Claria adware? If I get my hands on the private key for the company Nokia is using to build their application, I can sign anything I want as that company. It is up to them to revoke the certificate. Wouldn't you like to know?

    I know, if you had the source code you wouldn't need a digital certificate because you could compile it yourself and then you would know. After downloading the libraries it uses. And after checking through all of the source code and comparing MD5 signatures to make sure you have the correct version of all of the libraries, not some spyware-infected trojan.

    Sounds sort of like a digital signature to me.
  • by Rob the Bold (788862) on Thursday March 08, 2007 @04:48PM (#18280644)

    I can understand wanting some information about the machines running one's software, as it helps understand the market and improve upon current design.

    True. They want the information. Maybe even for a reasonable purpose. So what's wrong with asking for it? I want 100 Billion Dollars. But if I just take it without asking, it makes people upset. I have a good reason: it would make me happy. It takes more than just a "want" to justify taking something, even for corporations.

    But SOME of this information seems a bit excessive. Unless one plans to start banning specific pieces of hardware, but that's just evil.
    I hadn't even thought of that angle. That is evil.
  • by Mateo_LeFou (859634) on Thursday March 08, 2007 @04:51PM (#18280674) Homepage
    TFA: "In the Privacy Statement of Windows Update Microsoft grants itself fairly far-reaching rights. Thus the information collected by the Redmond-based behemoth includes the computer make and model, version information for the operating system, browser, and any other Microsoft software for which updates might be available, Plug&Play ID numbers of hardware devices, region and language setting, Globally Unique Identifier (GUID), Product ID and Product Key, BIOS name, revision number, and revision date"

    Kinda sad that we just assume letting vendors capture all this info is part of the game (i.e. necessary to make the update work right). Wrong. When I do "yum upgrade" -- as far as I know -- not a single piece of information about my system goes up the wire. Correct me if I'm wrong.
  • by Lothsahn (221388) <Lothsahn@@@SPAM_ ... u_bastardsyahocm> on Thursday March 08, 2007 @04:57PM (#18280742)
    I'll bite:
    Computer make and model -- needed for drivers for specific manufacturers and models. Do you really want to apply an HP patch on a Dell system?

    Version information for all installed Microsoft software -- Needed to calculate whether or not updates are needed for Windows Media player, etc. Remember, Windows update does more than just Windows--it also updates all included bundled software with Windows.

    Note: Sending information about non-bundled software is needed for Microsoft Update, but not Windows Update. Perhaps lazy coding there--wouldn't YOU want to share the hardware/software detection code for both update utilities?

    Plug&Play ID numbers of hardware devices -- Well, it does update hardware drivers...

    Globally Unique Identifier (GUID) -- This seems completely unnecessary.

    BIOS name, revision number, and revision date -- I'm not sure, but I believe they may also provide manufacturer-supplied BIOS updates for some manufacturers.

    I'm no huge fan of Microsoft, and I'm not saying Microsoft isn't misusing the information, but in 4 out of 5 cases this seems necessary for the service they are providing. Remember, Windows Update updates drivers, hardware, and bundled software too. Microsoft Update services Microsoft software as well.
  • by ValentineMSmith (670074) on Thursday March 08, 2007 @05:10PM (#18280944)
    Um, no. None of this needs to be sent back to Microsoft to determine which updates need to be downloaded. The local Windows Update control should download a list of all available patches, make the comparisons locally, and then download only the needed patches. They have no need to know what my computer make, model, shoe (and/or bra) size is. Which is one of the reasons that this is being written on a brand spanking new MacBook Pro.
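    The "compare locally" design this post describes, written out as an added illustration (this is not code from the article, the thread, or Microsoft; the catalog format, the update IDs and the inventory are all constructed for the example). The client fetches one catalog that carries each update's applicability rule and supersedence list, evaluates it against its own inventory on the machine, and the only thing that goes back up the wire is the list of update IDs it actually wants. The inventory-upload request is shown beside it so the difference in what leaves the machine is visible, and `catalog_size_bytes` measures the full catalog as compact JSON, the download the next replies argue about.

```python
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Update:
    """One catalog entry. Version ranges are tuples: min inclusive, max exclusive."""
    uid: str
    product: str
    min_version: tuple
    max_version: tuple
    supersedes: frozenset = frozenset()


# Constructed catalog: hypothetical IDs and products, not real KB numbers.
CATALOG = [
    Update("KB-100", "windows", (5, 1, 0), (5, 2, 0)),
    Update("KB-200", "windows", (5, 1, 0), (5, 2, 0), frozenset({"KB-100"})),
    Update("KB-300", "windows", (5, 0, 0), (5, 1, 0)),
    Update("KB-400", "wmp", (10, 0, 0), (11, 0, 0)),
    Update("KB-500", "wmp", (9, 0, 0), (10, 0, 0)),
    Update("KB-600", "windows", (5, 1, 0), (5, 2, 0), frozenset({"KB-700"})),
    Update("KB-700", "windows", (5, 1, 0), (5, 2, 0)),
]

# Constructed local inventory: installed product versions and already-applied updates.
INVENTORY = {
    "products": {"windows": (5, 1, 2600), "wmp": (10, 0, 0)},
    "installed": {"KB-600"},
}


def applicable(update, products):
    """True when the product is present and its version falls in the update's range."""
    version = products.get(update.product)
    return version is not None and update.min_version <= version < update.max_version


def needed_updates(catalog, inventory):
    """Evaluate the catalog on the client; nothing here touches the network."""
    products = inventory["products"]
    installed = set(inventory["installed"])
    candidates = {u.uid for u in catalog
                  if applicable(u, products) and u.uid not in installed}
    # An update superseded by something installed, or by another candidate, is not needed.
    superseded = set()
    for u in catalog:
        if u.uid in candidates or u.uid in installed:
            superseded |= u.supersedes
    return sorted(candidates - superseded)


def inventory_upload_request(inventory):
    """Server-side evaluation: the whole inventory leaves the machine."""
    return {"products": {k: list(v) for k, v in inventory["products"].items()},
            "installed": sorted(inventory["installed"])}


def local_evaluation_request(catalog, inventory):
    """Client-side evaluation: only the IDs being fetched leave the machine."""
    return {"download": needed_updates(catalog, inventory)}


def catalog_size_bytes(catalog):
    """Size of the complete catalog as compact JSON, i.e. the one-time download per check."""
    rows = [[u.uid, u.product, list(u.min_version), list(u.max_version), sorted(u.supersedes)]
            for u in catalog]
    return len(json.dumps(rows, separators=(",", ":")).encode())


if __name__ == "__main__":
    print("needed:", needed_updates(CATALOG, INVENTORY))
    print("inventory-upload request:", inventory_upload_request(INVENTORY))
    print("local-evaluation request:", local_evaluation_request(CATALOG, INVENTORY))
    print("catalog bytes:", catalog_size_bytes(CATALOG))
```

    With the constructed inventory the client asks for KB-200 and KB-400 only: KB-100 is dropped because the candidate KB-200 supersedes it, KB-700 because the already-installed KB-600 supersedes it, and KB-300/KB-500 because they target versions the machine does not run. Real catalogs carry far richer applicability rules than a version range, but the privacy property is the same whatever the rule language: the evaluation happens where the inventory already is.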
  • by W2k (540424) <wilhelm.svenselius@gma i l .com> on Thursday March 08, 2007 @05:17PM (#18281042) Homepage Journal
    You realize that the complete list of patches and optional downloads, for all supported versions of all supported products, is likely to be freaking huge? You wouldn't want it downloading that every time you run Windows Update - especially not dial-up users.
  • by ValentineMSmith (670074) on Thursday March 08, 2007 @05:22PM (#18281132)
    Define "freakin' huge". Depending on how they wished to encode it, I'd put a guess in at a document around 150-200k or so. I'll go so far as to say 500k tops. That may be an extra 10 seconds on my DSL line. Compared to how long it took that stinkin' ActiveX control to initialize in IE, even an extra minute or two would get lost in the underflow.
  • Re:Nothing to see (Score:5, Insightful)

    by Mr2cents (323101) on Thursday March 08, 2007 @05:23PM (#18281156)
    First they say:

    With some updates such as the WGA Notification, the installer transmits data that Microsoft says it merely requires for quality control purposes and to improve the installer itself.
    and in the next paragraph:

    When the product IDs and product keys found belong to legal software, Microsoft will delete the data right away; only in cases of suspected software piracy will it store the data,
    So when you are a legit user, they don't care about the quality of your software. They're only interested in the quality of pirated software.
  • by mosel-saar-ruwer (732341) on Thursday March 08, 2007 @05:33PM (#18281322)

    "In the Privacy Statement of Windows Update Microsoft grants itself fairly far-reaching rights. Thus the information collected by the Redmond-based behemoth includes the computer make and model, version information for the operating system, browser, and any other Microsoft software for which updates might be available, Plug&Play ID numbers of hardware devices, region and language setting, Globally Unique Identifier (GUID), Product ID and Product Key, BIOS name, revision number, and revision date"

    There are what - like a billion or so computers in the world running an M$FT operating system?

    And e.g. Windows 2000 is now up to something like 125 or 150 Critical Updates since SP4?

    And they're keeping track of all of that data?

    That's a database that would make the NSA green with envy.

    Can SQL Server handle a load like that?

    Or would you be looking at something specialized, like what National Cash Register built for Wal-Mart?

  • by QRDeNameland (873957) on Thursday March 08, 2007 @05:39PM (#18281338)

    You realize that the complete list of patches and optional downloads, for all supported versions of all supported products, is likely to be freaking huge? You wouldn't want it downloading that every time you run Windows Update - especially not dial-up users.

    I seem to remember Windows Update in Win2000 prominently displayed a message: "Checking your computer for installed updates...this is done without sending any information to Microsoft." And it only downloaded the updates I needed, not every one for every supported product.

    Did something fundamental change as to why that system can't work anymore?

  • by HangingChad (677530) on Thursday March 08, 2007 @05:55PM (#18281602) Homepage

    Kinda sad that we just assume letting vendors capture all this info is part of the game

    It's a gradual process. Ever been stopped on the way out the door at Costco? You're basically proving to the door lackey that you're not stealing anything. Since when did proving you didn't steal anything between the check stand and the door become part of the game? Because people let them get away with it.

    Companies will keep doing whatever until customers push back. MSFT will keep being the invasive, WGA promoting rat bastards they can be until people extend their middle finger toward Redmond and learn a different operating system.

    The door lackey at Wal-Mart tried stopping me the other day and I refused to prove I didn't steal anything, especially considering she had just watched me walk away from the check stand. I told her that if she thought I stole something to call the cops and walked out.

  • So send them "I'm running WindowsXP, SP2 (or later)" and get the list of drivers, etc. for just that sub-version, and then all applications. I mean, I do an update for my Ubuntu system, and that has MANY more packages that Microsoft even ships. And it still goes pretty quickly. There's no need to send them all kinds of info about your system unless something fails, and you click "Yes, of my own free will, I'll help this giant corporation that treats me like a criminal fix their buggy software for no recompense"
  • by zmollusc (763634) on Thursday March 08, 2007 @06:48PM (#18282450)
    Well, there is probably only a few k of data per machine, so you could easily maintain a database of all the copies of windows phoning home. It would just take a few computers, some bespoke software and a fair bit of cash. You could work out what to do with the data later, maybe a targeted "you have been using this pirated os for yonks, give us fifty bucks or we will sue your ass, here are some of the data we will be showing the judge.." mailshot? It would cost pennies to send out, but rake in $$$.
    Hey! Maybe that is where all the real programming effort at redmond is going?
  • by jacksonj04 (800021) <nick@nickjackson.me> on Thursday March 08, 2007 @06:51PM (#18282502) Homepage
    They're not even tracking down individual users for marketing purposes.

    How many slashdotters look at their website logs to see how many people visit and what they use to do so? I'm willing to bet a huge amount of people do, and they're the same people who bitch about MS updates phoning home. To complete HTTP requests you don't *need* anything more than the actual request and an IP address, yet somehow the logs include things like browser versions, screen resolutions and operating systems. You don't complain about those.

    Aggregate data is needed to gauge how a product is being used in order to improve it, be it your website, software, a car, a lawnmower or something else. When MS start actively using personally identifiable information to personally target things then I'll worry, but until that day I have no problems with them knowing that 82% of their user base has installed security patch XYZ.
  • Re:Nothing to see (Score:3, Insightful)

    by cp.tar (871488) <cp.tar.bz2@gmail.com> on Thursday March 08, 2007 @07:17PM (#18282892) Journal

    Am I the only one who thinks this:

    your Product ID and Keys are legitimate. Here is the authorization to download the software you requested; while you're doing that, I'll just take the Product ID & Key and toss it in the garbage, since I don't need it.

    is incompatible with this:

    the Product ID and Keys you just sent me for authorization to receive downloads appears to be on a list of previously used and hence suspicious Product IDs and Keys;

    I mean, if a legitimate copy gets authenticated, and later on an illegitimate copy using the same key cannot authenticate, somebody or something somewhere remembered the product ID and the install keys and whatnot.

    Therefore, they store everyone's data.

  • by Anonymous Coward on Thursday March 08, 2007 @08:53PM (#18283912)
    I'm a legit Windows XP Home user, have been for a few years now. I'm also on dial-up. It would be nice if WGA would remember that this goddamned machine is legit somehow and leave me alone. I'm tired of sitting around and waiting while the "Quality" of my machine is ensured each time I need a damned patch.
  • by rtb61 (674572) on Thursday March 08, 2007 @09:31PM (#18284236) Homepage
    I have stopped identifying myself on windows machines some time ago, well at least on the windows partition, I have a different attitude towards the Linux partition.

    One wonders what happens when M$ does this over international boundaries.

    Not to mention the WGA 'agreement' basically constitutes extortion, "agree to our pervasive invasion of your privacy, or we leave your computer exposed to publicly disclosed security threats that we created in the software".

    M$ speak yet again, 'they' will not use it to personally identify you but they didn't say anything about passing on the information to the BSA, RIAA or the MPAA where 'they' will personally identify you and now with Vista tracking and monitoring everything that even partially resembles a media file, doesn't it make you feel all warm and cosy that M$ is keeping you safe from those nasty little pirates in your own family.

  • Re:Surprised? (Score:5, Insightful)

    by HermMunster (972336) on Thursday March 08, 2007 @09:49PM (#18284428)
    It is a violation of privacy and Microsoft is sending information back to their location for storage or not against the wishes of an individual.

    If you break the law it is still up to the police and the courts to follow legal procedure to catch you and prove you broke the law and then to punish you commensurate with the proven charges. Even if you steal something and they know you stole it they can't do anything about it till they prove it. Part of that process is to get the legal search warrants and other court orders to permit them to do this.

    Microsoft is a civil organization which is usurping the rules of law that were well established. In fact, they are effectively searching everyone's home every time to prove they are not in possession of stolen goods. The government can't do that. Microsoft should not either.

    Any information sent to them without our express permission is a violation of our privacy whether they store it or not. It is not permissible for them to blatantly flaunt in our faces the fact that there is no one there to stop them and if you try you won't have the resources to do so.

    Again people, remember the computer you have is an extension of your home. It is not a playground for microsoft to do what they want. Would you allow them to come into your home to inventory your belongings and then make you account for all those things you may purchase after the fact? Would you let them check on you any time they choose? Hell no. You would never let anyone into your home to do that. So, why on fucking earth are you letting them search your computer to inventory your system to send private information back to their offices? Is it because it isn't an inconvenience to you to allow them to do this? Because you have no recourse to stop them?

    So, you say that it doesn't hurt you to have them enter your home and search it and report back to their offices? So, then would it hurt you to allow the government to do this if they could do it in such a non-invasive way? How about putting hidden cameras in say 20% of homes and no one knows they are there so you have at least an 80% chance of not being spied on!?! Would that be acceptable to you? Hell, 1 in 5 chance of being someone that is observed by the government. Once you got used to it, wouldn't it be acceptable to have the government then say 40% and up it over the next 10 years to 60% and then all the way? You would have become accustomed to having the government spy on you?

    I think you understand what I'm getting at. This is the same thing. You would not let the government do such a thing, and even some people feel cameras in public are a violation of our privacy.

    Microsoft is not the government and they have no rights to do what they are doing. They should not be collecting any information unless you explicitly permit it.

    As I have said in other posts. This is about them collecting as many pieces in their databases as possible. Having this information gives them a lot of leverage.

    Have you heard about how the patent office has claimed that file sharing software is a threat to national security? How about a monopoly power that has control over 90% of the world's computers able to go into your computer and home unchecked by any sort of mechanism that is designed for checks and balances? You think that is less a threat to national security than it is to allow people to share information between 1 or 2 or more party members. Either the comments by the patent office are totally ludicrous or no one is willing to accept that this sort of unchecked behavior by a company in control of 90% of the world's computers is a threat to national security.
  • by HermMunster (972336) on Thursday March 08, 2007 @10:02PM (#18284566)
    Microsoft is not the police and no they have no right to check, at least not without your explicit permission. The police are enforcement agents put in place by publicly elected officials and they are checked for balance by the court system and the laws of the nation we live in. These individuals are not permitted to enter your home (as your computer is an extension of your home) and search you for stolen goods. Even the police can't do that even if they KNOW themselves that you are in possession of stolen goods. It is about proving it. Another check and balance is by the court system to bring to trial those they believe they can win a case against. They are only allowed to charge you with crimes they can actually prove. They are not allowed to say that they think you are and that they can collect any information they want during that time.

    This process is akin to the government tapping your telephone against your wishes and collecting information. It is akin to the phone company tapping your phone and listening to see if you commit crimes and then dropping your service. It doesn't happen. The phone company doesn't observe your private conversations even if they think you might be committing a crime because established law and procedures leave that sort of police action in the hands of the police selected by those agents put in place by the elected officials.

    This is a police action, period. It is a violation of your privacy and to allow them to monitor you is an attack on your home.

    You gave them information when you activated Windows, you gave them information when you validated your copy for updates, but when you told them no to the WGA program and others you told them it was not acceptable to send any information back about your computer.

    When are you guys going to get it through your heads? You are relinquishing your privacy and that of your children's future privacy because you want to win some obviously flawed debate about whether it hurts you.

    This is, in fact, Orwellian and it is extremely bad practice. When you say no, it means no. It doesn't mean do it anyway because no one can prove it and no one can stop it.
  • Re:Surprised? (Score:3, Insightful)

    by cpghost (719344) on Friday March 09, 2007 @07:24AM (#18287274) Homepage

    The Microsoft vs. Government analogy is not quite right: Using Microsoft products (and agreeing to their EULAs) is like granting cops access to your home on your own free will. Cops don't need warrants if you invite them to come in! Government needs special authorization (search warrant) to enter, because we have no way of escaping their power, so a safeguard is needed to prevent abuse. But Microsoft doesn't need a warrant or something similar, because, basically, you're free NOT to use their software, and can therefore legally get out of their snooping reach.
