Microsoft WGA Phones Home Even When Told No

Aviran writes "When you start WGA setup and get to the license agreement page but decided NOT to install the highly controversial WGA component and cancel the installation, the setup program will send information stored in your registry and the fact that you choose not to install WGA back to Microsoft's servers."

This is good

[Devir (671031)]

While many think this is bad and invasion of privacy, think of it as this:

when we normally click "I DONT Agree" the software does nothing. But if it sends the message back home with statistics of how many dont agree, it tells the software company some people dont agree.

We can argue EULA's till our fingers are raw and bloody, but it doesnt matter if the company in question doesnt read the conversations.

In short, by clicking the Dont agree button and having it sent home to MS we're telling them we dont want that crap on our machines. Maybe (deity willing) MS will start to listen. More companies may adopt that approach and we'll get less and less one sided (retarded) EULA's.

anyone Remember Borland's |"like a book" EULA? Great stuff.

Re:This is good

[Lumpy (12016)]

So let's have fun.

anyone got a way to dissect it completely so we can write a little app to send maybe 20-30 fake entries a day? now spread that across 100-300 people and microsoft thinks that there is a mass rejection of WGA starting to brew.

on a related note

[jjeffries (17675)]

This is kinda old, but some years ago my neighbor got a new Win ME (!!!) machine, and I helped him put in a NIC and put it on our little neighborhood network. I was curious if it was going to phone home, so I had a sniffer running on my router...

The damn thing picked/guessed a valid (NATted) IP address, netmask, and gateway without using DHCP (arp tricks?), and sent a load of mystery packets to an address in a Microsoft IP block. Only then did the computer do the "new device detected" routine, but could not find a driver for the NIC and I had to go fetch one on another machine.

W T F ?

Unfortunately I have since lost the pcap dump.

Moderation: -1, no proof

Perfect marriage of technologies?

[Joe Random (777564)]

Sounds like a perfect place to use MS speech recgonition:
Computer: "Where do you want to go today?"
You: "Nowhere."
C: "I heard 'Microsoft Validation Site'. Is this correct?"
Y: "No!"
C: "I'm sorry. I heard 'Dear aunt, let's set so double the killer delete all'. Is this correct?"
Y: "NO!!"
C: "I understand. So 'Microsoft Validation Site' was correct. Redirecting now. Thank you for using My Microsoft Live Enterprise Genuine Advantage Ultimate. Have a nice day."

I detect hypocrisy

[suv4x4 (956391)]

I can understand people not wanting WGA on their PC-s as it can cause issues on legitimate installations as well, in certain situations.

But sending back a little XML that you denied the EULA? Don't you detect hypocrisy here. You send your "identification" in the form of IP, browser user agent string and what not to virtually any site you visit, without "agreeing" to this every time. Why is nobody whining about this?

Having privacy and right to deny something is cool. But I think some of the most vocal opposition is simply using pirated Windows and not being honest about it.

I don't install WGA on existing (legit) computers as it doesn't help me with anything. I don't have any problem with Microsoft getting my "no" back though. In fact, I *want* them to hear my no.

Re:I detect hypocrisy

[mwillems (266506)]

I disagree. When I send my IP to a web site, it is because I have chosen to browse there.

In the WGA example, on the other hand, one chooses NOT to do something, and yet data is sent. That is very different to browsing voluntarily to a web site.

Report this to "StopBadware.org"

[Animats (122034)]

This should be reported to "StopBadware.org". StopBadware.org's definition of badware [stopbadware.org] requires prior consent to send personally identifiable information to a site. This should be enough to put WGA on the Badware list.

Google is now flagging sites that have been identified by StopBadware.

StopBadware is run by law professors from Harvard and Oxford, with assistance from Consumer Reports. StopBadware is effective. They complained about the Jessica Simpson screensaver, which installed spyware in May 2006. The makers of that didn't listen. In October of 2006, a US federal judge shut that outfit down.

Re:So?

[sqlrob (173498)]

Ethics. If you choose not to install something, it shouldn't do anything.

Re:So?

[Rob the Bold (788862)]

Perhaps people need to read the licensing agreements they agree to before agreeing to them, instead of just clicking "yes, I agree" like a madman.

Ya, that would fix it. Maybe, just maybe, some of us don't have an army of lawyers at our disposal to determine if what we're clicking on really means what we think it means. It seems to me that it is unethical to have a consumer product license that is unreadable/unparsable to an average consumer. The "madman" here would be anyone who thought that such nonsense was an enforceable contract.

Like the GPL?

[by Anonymous Coward]

it is unethical to have a consumer product license that is unreadable/unparsable to an average consumer.

Oh my fucking god.

Have you ever tried to read the GPL?

Re:Like the GPL?

[Knuckles (8964)]

AC said: "Have you ever tried to read the GPL?"

The GPL is not a consumer product license. In order to use the software you don't even have to agree to the GPL. Only if you distribute are you bound by its terms, and software distribution is a complicated topic.
Even so, when you compare it to proprietary EULAs, the GPL is entirely readable in its main parts. Furthermore, the GPL is not written in caps as most EULAs are (IMHO this obvious attempt at obfuscation alone should make EULAs unenforceable).

Re:Like the GPL?

[mrchaotica (681592)]

1. The GPL is much more understandable than any Microsoft EULA
2. The GPL is a distribution license. If you're doing anything that causes it to apply to you, you're no longer an "average consumer!"

Re:Like the GPL?

[BarryJacobsen (526926)]

The GPL isn't about freedom. It's about being selfish in the guise of supporting the community. If you aren't going to profit off the code, you don't want anybody else to be able to either.

Yup, I tend to think of the GPL like that bratty kid on the playground with the ball. Every group of kids had one, the kid who would say "If you don't play by my rules I'm taking my ball and going home".

God I hated that kid.

Odd, as all the other kids are saying "you can play with my ball if you pay me a bunch of money, but it's still my ball, and at any time I can change what you're allowed to do with my ball" and this kid is just saying "if you don't play by my rules of sharing the ball with everyone, I'm taking my ball and going home". I may not like that I have to play by that kids rules, but it's better than playing by his rules and paying him to do so...or going out and making my own ball.

Re:So?

[rainman_bc (735332)]

You chose to install the Windows Update ActiveX control, didn't you? And you clicked "I agree" when it told you it could send this info to Microsoft, didn't you? So why would you be angry when it does exactly that? Perhaps people need to read the licensing agreements they agree to before agreeing to them, instead of just clicking "yes, I agree" like a madman.

Okay, despite your trollish comments, I'll bite.

1. WGA != Windows Update. RTFA.
2. Has the validity of an EULA ever been tested? AFAIK, an EULA cannot violate your privacy rights, even if you sign those away. Argue as you like, statute always trumps contracts.
3. Microsoft releases an OS that's broken and tells you the only way they'll fix it is if you'll subject yourself to their privacy terms. Not freaking cool. My copy of Windows is paid for, but that doesn't mean I want them invading my privacy.

Ever installed XP without any service packs? Do you know how many minutes it takes before the machine is pwn3d? IMO that's not a functional OS any more.

Ever tried getting that refund from your hardware manufacturer for the part of your purchase that went to Microsoft? It's a freaking pain in the arse, and one where you have to usually drag a vendor to small claims court to get your money.

Re:time to modify the hosts file

[$RANDOMLUSER (804576)]

Or use a firewall that checks egress, too. I use one, and find that RealPlayer and Adobe Reader also phone home even when you tell them not to.

Doesn't work

[alexhs (877055)]

Seems you haven't read the past story about MS bypassing HOSTS file [slashdot.org] for microsoft sites.

Re:Doesn't work

[peragrin (659227)]

In MSFT's defense it is a smart move. That way a virus can't modify update.microsoft.com .

The last time i had to set apt-get's update I used the IP address as well.

Re:the route your kids take to school, of course

[DarthChris (960471)]

Interesting you say it's slashdotted because I can read it fine.

It's very light on details, however. There is a screenshot from wordpad of the data sent; it's an XML-type document which appears to have pulled a couple of id/hash numbers out of the system registry, e.g. OS version, but no personal info. They can't really get any personal info anyway, since data protection laws here in the UK and other countries would land them in shite, and also I suspect that they have more important things to do than snoop random people's names.

Personally, I think that they're just trying to get an idea of the number of people who won't install it. These people either have pirate copies and know they'll fail validation, or simply are opposed to the idea of their OS phoning home. From a cynical viewpoint, it's important for MS to gauge the reaction to this early so they know how far they can push these sorts of thing without there being a massive backlash.

Re:the route your kids take to school, of course

[lazlo (15906)]

So, how hard might it be to generate random but valid data to fill out this XML? And then have a little daemon that does nothing but post it over and over 24/7? "Wow. Looks like a NAT/proxy server with millions of users behind it who really don't like WGA."

Petty, I know, but fun.

Re:the route your kids take to school, of course

[rben (542324)]

I refused to install WGA for a long time for several reasons, not the least was the fact that it was marked in the EULA as BETA software. Why should I be forced to install software that MS admits hasn't been fully tested yet? I have enough problems with MS bugs. Also, I resent the implication that I have to constantly prove that my software was purchased legally. I've always paid for the software I use, even when I was a poor college student.

Most copies of Windows in the U.S. are paid for, because Windows comes installed, by default, on almost every retail machine sold. That alone makes piracy a non-issue in the U.S. However, WGA does give Microsoft a way to shut down every Windows computer connected to the Internet. What a scam. Once they've got everyone using WGA, they can start dictating terms to governments instead of dealing with irritating lawsuits.

Lets say that the kind souls at MS never even think of using WGA as leverage on say, Europe. I still think it's possible for a clever hacker to use WGA to do some real damage. The hacker would have to do some DNS spoofing and probably crack some encryption, but then, that's what these guys do. Whose to say someone might not use WGA to pull off the biggest Denial of Service extortion in history? Perhaps I'm a bit paranoid, but my caution has kept me from ever having one of my computers compromised.

Piracy is a problem, but not nearly as big a problem as MS would have us believe. If people are stealing you blind, you don't make billions of dollars in profits, you lose money. If MS is feeling a pinch lately, it's due to their own foolish policies and assumptions that they would be able to dictate terms to the world forever. Google Apps and Open Source software will, hopefully, eliminate the need to put our computers at risk simply because a company is greedy.

Microsoft seems to believe that if there were no piracy, everyone in the third world who is now stealing their software would pay for it instead. Yeah right. One of the reasons they steal it is because there is no way they could possibly pay for it. If MS ever finds a way to shut down piracy, it will merely hasten the move to Linux in 3rd world countries. Ironically, that will speed the demise of Windows.

Re:Great...

[Catbeller (118204)]

That Free Markets religion again. Businesses cannot do anything they like; they are corporations, fictional entities created by license of the people of the country through their government. They are granted super-powers as non-existent individuals, exempting real operators from liablity for their own actions. In return, they hew the line we set for them. They have more responsibilty to the nation that created them other than pleasing shareholders, no matter what propoganda they pump to the contrary. They are not gods. And Microsoft is a monopoly, ruled so by the courts, and is under even more stringent strictures, because they have constantly abused their power in the past to invade and hold new markets.

So, no, making money is not all they have to worry about. Deceit and chicanery should have consequences other than making them more money. And if they need to cheat to win, it might be time to think about a new concept: revoking the corporate license, and reinstituting personal responsibility for their underhanded actions, with civil and criminal penalties.

Re:Easy enough to deal with

[drinkypoo (153816)]

From the image in TFA, it looks like they're sending back the Windows version code, and the installation-unique CSID, along with some other stuff that I didn't recognize. There didn't appear to be any identification of the specific user in there.

so let me get this straight. the ID that identifies your installation is there, and you don't recognize all of the other information, so you concluded that there doesn't be any identification of the user?

Truly, your intellect is astonishing.

Re:Gibberish

[Rogerborg (306625)]

We're not sending anything. Trust us.

Oh, you checked, did you?

Then what we meant to say was... it's nothing to worry about.

Trust us.

Re:Gibberish

[gigne (990887)]

I have no idea, but it looks like some sort of unique id.

an image from the now slashdotted page is here, it shows what gets sent to MS

http://img266.imageshack.us/my.php?image=wgahp5.pn g [imageshack.us]

Re:Holy cow, this is Bad

[MightyMartian (840721)]

I am no lawyer, but this seems very similar if not the same as wiretapping.

You're right. You're no lawyer.