Examining Microsoft Update

eggsovereasy writes "The Inquirer is reporting that a group in Germany has deciphered the information sent to Microsoft during an update using Windows Update and says that information on all software installed on your computer is sent, even that which is not Microsoft's own software." The original article is, unfortunately, pay-per-view. Update: 02/26 18:19 GMT by T : ionyka points to this "related article from ITWorld that deals with Microsoft's transferring of information through Windows Media Player. When you open up Media Player it sends information back to Microsoft like what movies you play, what songs you listen to and where they come from."

Haha

[mao che minh]

Remember the little "No information is being sent to Microsoft at this time...." message during updates? Wait, why am I laughing?

Re:Haha

[duckpoopy]

Their defense: The information is sent right before this message appears.

Re:Haha

[Ian Wolf]

A cow-orker of mine actually argued with me one day that "No Information" really meant nothing, nada, zilch was sent back to MS.

I should have taken him out back and beaten him with a frozen salmon. Hello!? How do they know what patches you need if they can't look at your system and tell their servers what you've already got.

The fact that the program takes the time to rifle through the system is of no surprise to me. While, I think the practice stinks it hasn't stopped me from using the service though. Given the choice between MS finding my installation of UT2003 or some script kiddie looting my system, I'll choose the former.

Re:Haha

[AyeRoxor!]

"I should have taken him out back and beaten him with a frozen salmon. Hello!? How do they know what patches you need if they can't look at your system and tell their servers what you've already got."

They could send a complete list of available patches to your system and let the client running on your computer pick which ones are neccesary, without microsoft ever knowing what software you have installed. Granted, they could deductively determine what hardware you use based on what patches you then request, but since you can only download patches for microsoft software, the best they could do would be to determine what hardware and microsoft software you currently have installed.

Re:Haha

[ArsonSmith]

my debian system does it everyday, sometimes twice a day if I feel like getting something new to play with.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Haha

[Zocalo]

Frankly, I've always wondered why they didn't adopt this approach in the first place. Not only would it have avoided all the issues with privacy that people get all worked up about, but has the potential to be extended to third party apps too. All you would need is a local database of vendor/server(s) to tell the local client which server to go to for your updates which could be ammended by any software during it's install process. There is an issue with re-pointing a vendor's update server to another offering a trojan disguised as a patch, so you'd need a security mechanism, but apart from that...

Hell, since this is Microsoft we're talking about, they could have even *sold* the back-end update server software to the third parties and made a few more dollars for Bill to roll around in.

Re:Haha

[pmz]

The process would look something like:

1. Client downloads latest Update Management Software + Config File from server
2. Client runs Update Management Software.
3. UMS determines what patches are needed from inbuilt logic and information in configuration file
4. UMS downloads and applies relevent patches


XEmacs does exactly this! It works pretty well from what I've seen.

Re:Haha

[Gunzour]

You cow-orker was right. When Microsoft Update said "No information is being sent to Microsoft", no information -- at all -- was being sent to Microsoft. The update server sent your computer a list of available updates, and code ran on your computer which determined which ones were necessary.

Microsoft Update no longer says "No information is being sent...", which is what this article is about.

Hey now.

[waldoj]

You cow-orker was right.

Now, look here, there's no need to be mean.

-Waldo Jaquith

Re:Haha

[mobiGeek]

It would be a [] huge file... it would have to send all patches of all time

I strongly suspect that it would be smaller than that of, say, Red Hat's RHN since MS is only worried about the OS and a few of its software titles. RHN on the other hand offers thousands of packages.

And even if the list was quite massive, why would it have to resend everything all the time? Why not send a list of the changes since the last time the user downloaded (the client could say "everything since 2003/01/21 08:45:00" or something similar).

If RHN and other upgrades can download a list of packages, why can't MS? They not smart enough? No, the answer is that they don't get enough "feedback" when they do it that way.

During the beta of Win95 they tried this trick and the press was all over them. They realized they made a mistake introducing such a shocking "big brother" utility at the same time that they were releasing such a major product. Instead, MS is beginning to learn that when it goes to violate people's privacy (and rights), it should do things in small increments:

1. Tightly couple software into the OS
2. Make s/w upgrades hard for the average user
3. Create an "upgrade" system that is "easy" and doesn't infringe on users rights.
4. Release second version of upgrade system (make it mess up less systems)
5. Release third version of upgrade system (people begin to trust it)
6. Release fourth version of upgrade system (invade privacy)
7. Claim piracy is killing jobs in the U.S. (see previous point)
8. ???
9. Eliminate Free software

Re:Haha

[Catbeller]

Solution:

First, user sends the version number of the patch list present on the user's hardware to MS. The version number represents what hardware/MS software is present, and what patches have been previously applied.

A match is found.

A list of patches is generated, and sent to the user.

MS transmits ONLY the patches that the user's version number indicates is necessary.

User patches.

After successful patch, the version number of the patch list is updated on the user's hard drive.
Operation complete.

So, a massive transmittal of a list of ALL patches is not necessary: only the version number of the patch list needs to be communicated.

The "so much data needs to be sent" argument for MS's snooping presupposes their method of applying patches to be the only one. A little thinking comes up with an alternative.

They snoop because they want to snoop.

Re:Haha

[skinfitz]

Remember the little "No information is being sent to Microsoft at this time...."

The more astute amongst you may have noticed that the "No information" message has not been there since Win2kSP3 came out.

Now it says this:

Windows Update is committed to protecting your privacy. To provide you with the appropriate list of updates, Windows Update must collect a certain amount of configuration information from your computer. None of this configuration information can be used to identify you.

Which essentially means that so long as they don't take an email address or phone number they can take what they want.

Re:Haha

[sckeener]

None of this configuration information can be used to identify you.

They might not be able to identify you, but they can identify the machine at least for XP. Since XP requires registration, I'd say they know your machine and who paid for XP to go on there.

I wouldn't be surprised if at some later date they claim this is for the catch all 'security reasons.'

Complete Breach of Trust

[SUB7IME]

Is this not a complete breach of the TOS that Microsoft offers when you sign up for Windows Update?

If not, it's at least a huge breach of trust, and users should not stand for it.

Windows Update Privacy Policy

[jamesbulman]

Has anybody actually read the policy [microsoft.com]? If you read it it doesn't really sound like they've done anything they said they wouldn't.

Re:Complete Breach of Trust

[kevlar]

Microsoft merely states that they do not send any PERSONAL information. As I see it, having them receive an inventory of what is installed on the machines helps greatly with statistical analysis for errata. If they send data about whats installed but you're anonymous, what difference does it make? Its not like they're tracking webclicks or personal information.

Re:Complete Breach of Trust

[teeker]

This isn't just some random company that nobody has ever heard of, with a clean slate. It's 2003. When people deal with Microsoft they know what they're getting into, regardless of what Microsoft says.

Sorry, I'm gonna call bullshit on this one. While it's true that people involved in the industry generally know what's up, many people outside of it don't. People who have better things to do than read IT-related media get all of their news about MS from totally mainstream sources in the first place, and lot of people could really give a rat's ass about today's MS article on Yahoo's front page. As far as Joe Sixpack is concerned, it's an IT-related story, and he probably doesn't care what it says. If you are not into the theatre scene, do you read reviews for every play in your area? If you are not interested in business, do you read every story in the business section? Probably not, and my mother doesn't read every store about Microsoft.

Saying that the victim is at fault is not a solution to the problem, and is not an excuse for bad behavior on MS's part.

Re:Complete Breach of Trust

[BWJones]

Give me a break. Your acting like windows users should be living with a constant fear that Microsoft "agents" will suddenly appear at their front door to give them a beating.

Ummm, years ago when I was in high school and working for my mother, we had purchased a software package from a company that wrote medical office management software. I had noticed that all of the manuals were photocopied and we had no original disks for Microsoft software that was included in the package. I called Microsoft about this and they had in our office the *next* day two dudes from Microsoft and an FBI agent asking to examine our computers. We ended up getting screwed because the guy whose software we purchased was smacked hard by M$ as the package we bought went unsupported after that.

Of course this guy was absolutely stealing and should have gotten what he deserved, but my point is simply that, yeah, there are Microsoft agents of a sort and they do show up at your door.

Makes sence

[Anonymous Coward]

Trying to figure what other companies they should push out of business.

Re:Makes sence

[ReelOddeeo]

Trying to figure what other companies they should push out of business.

This should not be modded Funny. This is serious.

BillG: Look, everyone has Acrobat Reader, we need to develop XDoc.
Everyone has some SimXXX game, we need to develop Zoo Tychoon.

Business as usual. Take advantage of monopoly position of control. Discover what anyone else might be doing that is popular. Develop a competing product. Give it away, or bundle it into OS.

pay-per-view

[sys49152]

The original article is, unfortunately, pay-per-view.

How can we comment, if we can't read the article?

Oh, wait...

Re:pay-per-view

[essdodson]

Welcome to slashdot. You're obviously new here or you've just not been paying attention, would you like a tour?

I wonder what Virtual PC sends ...

[adzoox]

I wonder what Virtual PC sends, whether it sends only the info in the Windows Drive image or everything on the Mac.

This may also be an alterior motive to Microsoft buying Virtual PC from Connectix last week. They want this same data from Mac Users. I imagine if it's not there then it will be added to read all partitions mac/Linux/PC

Knowing what your customers have on their hard drives is sensitive corporate data. Basically, you know the Hot or Not Programs in the industry and then develop programs based on their hard drive residency!

How the well would it be able to see the Mac?

[Inoshiro]

This is a Virtualized PC -- all it sees are the hardware components emulated by the host operating system.

This is akin to saying that VMWare can somehow tell my that I have an SB Live! -- it can't. All it knows is that it has SB16 emulation inside, and that it writes the output of that to /dev/dsp.

This is pure paranoia talking. Perhaps you should invest in more aluminium for your head.

EULA says they can take what they want

[RichMan]

According to the EULA for the latest versions of the OS Microsoft has the right to read any data you have stored on a computer which runs the OS.
Theoretically this includes data dumps of hard drive formats which the OS does not even support.

Re:EULA says they can take what they want

[Nursie]

Well yeah, they're going to make sure they cover their arses.
I thought this sort of outrage was already covered by the change in TOS brought in by WinXP SP1? (i.e. we will take whatever info we want from your machine, and if we don't like it we'll lock you out.)

Re:EULA says they can take what they want

[Ezrem]

And where did you find that piece of info?

Direct from About Windows Update :

Windows Update Privacy Statement (Last Updated 10/15/2002)
Windows Update is committed to protecting your privacy. To provide you with the appropriate list of updates, Windows Update must collect a certain amount of configuration information from your computer. None of this configuration information can be used to identify you. This information includes:

* Operating-system version number
* Internet Explorer version number
* Version numbers of other software for which Windows Update provides updates
* Plug and Play ID numbers of hardware devices
* Region and Language setting
The configuration information collected is used only to determine the appropriate updates and to generate aggregate statistics. Windows Update does not collect your name, address, e-mail address, or any other form of personally identifiable information.

Windows Update also collects the Product ID and Product Key to confirm that you are running a validly licensed copy of Windows. A validly licensed copy of Windows ensures that you will receive on-going updates from Windows Update. The Product ID and Product Key are not retained beyond the end of the Windows Update session.

To provide you with the best possible service, Windows Update also tracks and records how many unique machines visit its site and whether the download and installation of specific updates succeeded or failed. In order to do this, the Windows operating system generates a Globally Unique Identifier (GUID) that is stored on your computer to uniquely identify it. The GUID does not contain any personally identifiable information and cannot be used to identify you. Windows Update records the GUID of the computer that attempted the download, the ID of the item that you attempted to download and install, and the configuration information listed above.

Hardly "We can scan your computer for any information we want, and there's not a damned thing you can do about it!" as you've implied.

Re:EULA says they can take what they want

[leviramsey]

Read the parent comment.

This isn't Windows Update he's talking about, it's the EULA for recent versions (XP, IIRC) of Windows.

Re:EULA says they can take what they want

[malfunct]

I'm not defending microsoft here but nothing in the blurb that you posted says that MS won't collect the list of software on the machine. To play devils advocate its pretty easy to say that the installed software is part of the configuration information on the machine. Further it makes some sense how this is useful in picking which patches are presented to you. If there is a patch in windows update that fixes a bug that affects 1 software package in the world that 1% of users use then wouldn't it be useful to scan to see if that is installed and only present the patch to the 1% of users that need it. Especially given that many bug fixes cause bugs in other software that relies on the broken behavior or some kludgy work around.

Re:EULA says they can take what they want

[mrpuffypants]

notice, however, that it says it includes that information...that can very well just be a part of what they are collecting, and the only part they are telling you about.

What, did you miss this?

[sammy baby]

And I quote:

Warby -- who is the chief information officer at Seattle Metropolitan Credit Union -- believes that the terms for the end user license agreement (EULA) for Microsoft's Windows 2000 Service Pack 3 (SP3) and XP Service Pack 1, might well put the credit union in violation of new federal privacy laws... To use the "auto update" feature, according to the Microsoft Windows 2000 SP3 license, "it is necessary to use certain computer system, hardware, and software information..." By using these features, users authorize Microsoft or its designated agent to access and utilize the necessary information for updating purposes."

Full article can be found here [internet.com].

Re:EULA says they can take what they want

[aug24]

Clearly YANAL (You are not a lawyer)!

Windows Update is committed to protecting your privacy. To provide you with the appropriate list of updates, Windows Update must collect a certain amount of configuration information from your computer. None of this configuration information can be used to identify you. This information includes:

If a lawyer writes "this information includes...", then that's exactly what they mean. They don't mean that it is a complete list; there may be other stuff that they're not explicitly telling you about.

Justin.

Re:EULA says they can take what they want

[gmuslera]

The EULA also says that they can delete what they want (at least what they say that violates DRM, and their sofware is not know to be very intelligent), and have others that says something like they own all what you transmit thru they servers...

In fact using their software (and then accepting the EULA) is like simply close your eyes and pray that the big depredator which is in front of you isn't hungry right now, and will not be all the long time you be there.

/Tin Foil Hat Off

[GLX]

The reason why it sends info about other applications (and third party drivers for that matter) is so that they can attempt to be a single-source vendor of patches if needed.

While the intentions may not be all that honest, it's not a horrible idea. I've noticed numerous times when running Windows Update that it's offered to upgrade my Cisco Wireless LAN software as well as my Epson print drivers. Kind of nifty and not all that bad, if you ask me.

Re:/Tin Foil Hat Off

[Atzanteol]

But why must this be done on the server, and collected at Microsoft? Can't the client download a list of what MS has for updates, and decide what the local system has?

Re:/Tin Foil Hat Off

[Zathrus]

The list of patches that Microsoft must have is HUGE

Yes, as it is for any OS vendor. But so what? How much data to you actually have to send? Not a whole lot - just enough to identify what piece of software it's for and what version it is. If you can't store all of that in, oh say, 20 bytes, then you're screwed in oh-so-many ways. Hint - encode the software identifier in a 32-bit or 64-bit number, and the version string in the remaining bytes.

So, let's say you have 1000 patches available for the OS in question -- and, yes, patches are OS specific and MS has that much info from you already. That's a 20,000 byte download. Even at 14.4k it's only 20 seconds. Big deal.

The system then has to process the list and figure out what it may need, then request additional data for each potential patch... but you're going to have to download that information anyway, and there is minimal additional overhead.

It might take slightly longer, particularly over slow links, but it's a hell of a lot more user and security friendly.

Re:/Tin Foil Hat Off

[Com2Kid]

• While the intentions may not be all that honest, it's not a horrible idea. I've noticed numerous times when running Windows Update that it's offered to upgrade my Cisco Wireless LAN software as well as my Epson print drivers. Kind of nifty and not all that bad, if you ask me.

Driver updates? No problem.

SOFTWARE updates? Uh. Problem.

Windows Update is responsible for updating my SYSTEM, thus the term Windows update, not "universal software updator" or some other such silly name.

Besides, last time I let Windows Update update my drivers it replaced my Matrox G400 driver with a French G400 driver that refused to be uninstalled. . . .

but

[mrpuffypants]

i'll bet it totally gets confused if WinXP iteslf is pirated in the first place =]

along with Office and just about everything on the computer..oh well...I guess the police outside are for me

Re:but

[Mitchell Mebane]

I proudly use this version of Windows XP [themexp.org], and I've never had any problems with Windows Update. I even use SP1. Maybe your friend was using the infamous Devil's Own key?

Check out the rest

[joshmathis]

Here is the rest of the article, in PDF format. I'd suggest grabbing it and mirroring as soon as possible... this one won't hold up too long.

http://home.byu.net/~btc25/WindowsUpdate.pdf [byu.net]

One of the more interesting parts deals with how Microsoft can tell the difference between product keys they generated and those done with a keygen.

Re:Check out the rest

[Com2Kid]

The correct link is:

http://home.byu.net/~btc25/windowsupdate.pdf [byu.net]

Aren't caps great? Heh.

Another PDF mirror

[wilstephens]

http://clients.fbagroup.co.uk/slashdot/WindowsUpda te.pdf [fbagroup.co.uk]

No verification possible...

[Reinout]

Nice claims, but we the free part of the article doesn't show any actual examples of data that's transmitted. At least not data apart from some generic xml tags.

Any easy way to verify this ourself?

I'm suspecting their claim is true, but I'd like to see the data...

Reinout

YES IT DOES! Full example of sent data here:

[illtud]

They've updated the story to give the full info on what gets sent back here: http://www.tecchannel.de/betriebssysteme/1126/14.h tml [tecchannel.de]

And I should be surprised why? Also, a suggestion.

[Jack William Bell]

Although I often semi-sorta-half-hearted-defend Microsoft when people make unsupported categorical statements or otherwise speak mindlessly, I am also willing to speak out against them when they are wrong. As in this instance.

I would have to do some research, but I believe this might violate their own privacy policy. Even if it doesn't, they really have no moral right to send any information about your system without letting you know what it is and giving you a chance to abort the whole thing. Yet I am unsurprised, in fact I expect every big company is doing this kind of thing when they can get away with it.

Not that I am saying "Everyone is doing it, so what is the big deal?" My attitude is more "Let's stop this crap now!"

So I have a suggestion -- someone should start an open source project to create a re-writing proxy for updates that strips out all the stuff Microsoft is sending in the updates, except what is absolutely needed. Make it open enough that we can plug it re-writers for other companies as well.

big deal - they've confirmed the M$ privacy stmt.

[erik1474]

below from the M$ site... they tell you outright that they are collecting this info. What's the big deal?

Windows Update Privacy Statement (Last Updated 10/15/2002)

Windows Update is committed to protecting your privacy. To provide you with the appropriate list of updates, Windows Update must collect a certain amount of configuration information from your computer. None of this configuration information can be used to identify you. This information includes:

Operating-system version number
Internet Explorer version number
Version numbers of other software for which Windows Update provides updates
Plug and Play ID numbers of hardware devices
Region and Language setting

The configuration information collected is used only to determine the appropriate updates and to generate aggregate statistics. Windows Update does not collect your name, address, e-mail address, or any other form of personally identifiable information.

From the Windows Update Privacy Policy

[neile]

Note: Windows Update does not collect any form of personally identifiable information from your computer. Read our privacy statement.

Windows Update Privacy Statement (Last Updated 10/15/2002) Windows Update is committed to protecting your privacy. To provide you with the appropriate list of updates, Windows Update must collect a certain amount of configuration information from your computer. None of this configuration information can be used to identify you. This information includes:

• Operating-system version number
• Internet Explorer version number
• Version numbers of other software for which
• Windows Update provides updates
• Plug and Play ID numbers of hardware devices
• Region and Language setting

The configuration information collected is used only to determine the appropriate updates and to generate aggregate statistics. Windows Update does not collect your name, address, e-mail address, or any other form of personally identifiable information.

Windows Update also collects the Product ID and Product Key to confirm that you are running a validly licensed copy of Windows. A validly licensed copy of Windows ensures that you will receive on-going updates from Windows Update. The Product ID and Product Key are not retained beyond the end of the Windows Update session.

To provide you with the best possible service, Windows Update also tracks and records how many unique machines visit its site and whether the download and installation of specific updates succeeded or failed. In order to do this, the Windows operating system generates a Globally Unique Identifier (GUID) that is stored on your computer to uniquely identify it. The GUID does not contain any personally identifiable information and cannot be used to identify you. Windows Update records the GUID of the computer that attempted the download, the ID of the item that you attempted to download and install, and the configuration information listed above.

XML Schemas available here

[cobyrne]

Client Info Schema [windowsupdate.com] and System Info Schema [windowsupdate.com].

They appear to get a copy of your registry, as well as information like processor architecture, manufacturer, printer(s?) etc

No software collected

[IamTheRealMike]

No, sorry, Microsoft doesn't collect lists of softare, not even the article says that. What it does say is that if they wanted to, they could locate what software you have by looking for registry keys or files specific to that app.

In fact the article says the biggest privacy concern is the hardware list, which doesn't seem that big a deal to me.

Who cares about windows update?

[SatanicPuppy]

What I want to know is why fricking Windows Media Player tries to "Phone home" all the time? That thing is harder to get rid of than the clap, and about half as useful. I have my firewall specifically tuned to stomp on it every time it opens its digital mouth.

This is hardly a surprise, and definitely adds a good bit of weight to all those people who call Palladium the death of privacy.

Just my 2.34539 yen worth.

uh-oh.

[war3rd]

You mean they can see my Kenny G. pr0n screensaver?!?!?!?

If you actually *look* at the information sent...

[Anonymous Coward]

... you'll see that - contrary to the Inquirer story - it doesn't include anything about 'installed software', with the exception of device drivers. No applications, no utilities - nothing that MS is likely to want to compete with, and indeed nothing that MS doesn't overtly mention in its own privacy policy.

So what's the problem?

Having read the article...

[cperciva]

I have to say that it's not nearly as scary as advertised. There are two complaints:
1. The Windows Update tool sends to Microsoft a complete list of what hardware you have.
2. If the Windows Update server claims to have an update available for product X, the Windows Update tool will check to see if you have product X installed, and report back to Microsoft.

Well, *duh*. The only way to avoid doing this would involve downloading a complete list of all the updates available for every supported piece of hardware or software. Based on the size of the windows HCL, I'd guess that this would require tens of megabytes of bandwidth -- all so that Windows Update could pick out the half dozen entries which are relevant.

EULA could still be illegal in spite of agreement

[Beetjebrak]

Here in Holland (I don't know the laws in the rest of the world too well) any contract that you sign which contains clauses that are illegal, is null and void. Any statement of MS having the right to download anything off MY computer would seem to me totally illegal and would probably void the whole EULA.
I did read the EULA of the Dutch version of Win2K SP3 completely and never found any clause that would allow them to download anything off my PC without my consent.
Sadly I'm stuck with Windows since I cant (yet) afford a mac to run Adobe apps on. When oh when will Linux/FreeBSD/X get decent colour management and ports of proper graphics apps like Illustrator, Photoshop and InDesign??? The GIMP is a nice toy, but it's hardly of any use for print production work. And KIllustrator and the like are simply a laugh too for any real work.. The Linux/BSD vs. Windows ratio is now 4:1 in the favor of the free, but I'd like to get rid of Windows altogether. Give me my killer graphics apps!! I'll even pay for them! ;-)
Saving up for that Mac in the mean time..

Story is incorrect

[doug363]

According to the (full) article, Windows Update sends a list of hardware installed on your system, but not a list of software. Version numbers for Windows stuff, like IE, are sent, but not any info about other software on your compouter.

From the Windows Update website privacy statement

[greygent]

To provide you with the best possible service, Windows Update also tracks and records how many unique machines visit its site and whether the download and installation of specific updates succeeded or failed. In order to do this, the Windows operating system generates a Globally Unique Identifier (GUID) that is stored on your computer to uniquely identify it. The GUID does not contain any personally identifiable information and cannot be used to identify you. Windows Update records the GUID of the computer that attempted the download, the ID of the item that you attempted to download and install, and the configuration information listed above.

Yes, we don't not track you.

Tell that to the Melissa author, and some number of other people who's GUID was used to identify them. Even if you aren't a criminal, this could be misused in so many ways.

Despite loving many Microsoft products and the line of NT OS'es, I wouldn't trust Microsoft as far as I could throw them.

The Devil Came to Redmond...

[ites]

The Devil came to Redmond, looking for some souls to steal,
and there he met with Billy G, who was just about to make a deal.
Said the Devil, "Hey Billy, you look bored, would you care to make a bet?"
And Billy he smiled slyly, and said "Dude, there ain't a deal that I've missed yet."
So the Devil took his keyboard and showed Billy his new game,
Saying "I wrote this quick, in VB6, now see if you can do the same."
Billy G, he just smiled his smile, and took the keyboard away,
and said, "Devil, you're behind the times, and you clicked on the EULA,
"Now you've run Windows Update, and your soul belongs to me."
And the Devil knew he'd met his match, so he turned and tried to flee,
But Billy G was much to fast, and he caught the Devil's long black cape,
Saying, "Devil, stay and play a while, we have a whole wide world to rape."

Don't panic, here's a summary

[unfortunateson]

First of all, the example data [tecchannel.de] sent is available free, as one poster above already listed. There's no software described there other than Windows itself.

Second, the System Info Schema [windowsupdate.com], as posted by another above, is pretty explicit about what registry keys are available to be sent, and it's pretty tame.

Frankly, I have no problem letting them know exactly what hardware I've got running. How can they harm me there? Perhaps a malicious hacker could grab this data and find ways to abuse my network card? Pretty slim.

Call me too open, if you will, but I'd be happy if it would let me know about other MS updates, such as Office, without having to also visit MS' office site. Update those automatically? Never. But it's much less convenient than the Windows Update site.

I greatly doubted that it would be sending large quantities of personal data, because it just doesn't take that long. The ones to worry about are the virus scanners, that take the time to examine every freakin' file.

In summary:

• They're not sending your entire hard drive
• They're not sending your entire registry
• They're not sending a full software inventory
• They're probably gathering a little more than they need
• They're probably not doing anything with it (yet)

WU doesn't send software list

[phasm42]

There are a lot of people in this thread that realize that WU does NOT send a list of all software installed, but they are being drowned out by the highly rated comments about the evils of MS. The "software list" is actually a list of drivers installed, which is fine, because MS will post updated drivers for you to download. It should also be noted that one of the articles posted is from the Inquirer, the same people who predicted hell on earth in y2k, and believe in tinfoil hats.

Great, I've added THIS to my registry then

[MadCow42]

HKEY_LOCAL_MACHINE\Software\IllegalMicrosoftStuff\ BillGatesVISAnumber\8605412399653153

HKEY_LOCAL_MACHINE\Software\MSKillerVirus\Launch Da te\2003.06.21

HKEY_LOCAL_MACHINE\Software\Linux\"format c:\; install Linux" .... hey, why not have some fun with it? q:]

MadCow.

*ahem*

[vmfedor]

Windows Update Privacy Statement
(Last Updated 10/15/2002)
Windows Update is committed to protecting your privacy. To provide you with the appropriate list of updates, Windows Update must collect a certain amount of configuration information from your computer. None of this configuration information can be used to identify you. This information includes:

Operating-system version number
Internet Explorer version number
Version numbers of other software for which Windows Update provides updates
Plug and Play ID numbers of hardware devices
Region and Language setting

The configuration information collected is used only to determine the appropriate updates and to generate aggregate statistics. Windows Update does not collect your name, address, e-mail address, or any other form of personally identifiable information.

Windows Update also collects the Product ID and Product Key to confirm that you are running a validly licensed copy of Windows. A validly licensed copy of Windows ensures that you will receive on-going updates from Windows Update. The Product ID and Product Key are not retained beyond the end of the Windows Update session.

Maybe you should verify the information before automatically declaring "Microsoft is evil" to any and all anti-Microsoft posts.

How does this differ from RH Update?

[Canabinol]

I use the Update Agent in RedHat almost on a daily basis - the RH Network knows absolutely everything about my setup (programs, modules, etc.) right down to what version of the Kernel I'm running - that way they can inform me of vulnerabilities and problems that I'm probably susceptible to as soon as there's an update available...it's a "good thing".

Why is it that when Microsoft does this kind of thing, suddenly there's a more sinister motive behind it all?

I don't hear anyone complaining about Redhat's privacy policies...

Re:How does this differ from RH Update?

[Anonymous Coward]

When you sign up for RHN, you're given the option of uploading information about which packages you have installed. You can decline [1]. You won't get email about particular packages you have which need updating, but you can still use the update agent.

The update agent will still work because it polls the servers for which packages are current for your release [2] and compares that list to what you have installed, and the comparison is done locally.

[1] https://rhn.redhat.com/help/basic/register-system- profile.html [redhat.com]
[2] https://rhn.redhat.com/help/basic/up2date-setup.ht ml#PACKAGES-TO-UPDATE [redhat.com]

People will believe anything

[EggMan2000]

First of all, nowhere in either article does it say that Windows Update is sent info on what software you have installed. The payper view article mentions that it does send hardware info, though. But we knew that via both the EULA, and the fact that this is the intended purpose, to update drivers for hardware and OS patches.

Don't believe the alarmist titles to articles. Do you all fall into this trap with the evening news as well? "Tune in for the Radon discover that just might save your familyu's life."

I know that you guys are smarter than this. Use your brains.

Re:Pay per view?

[Call Me Black Cloud]

I made the same mistake...it is ppv...you can read freely until the heart of the article, then it's 1.99 (euro) for the rest.

Thank You

[mikey504]

Thanks for posting a link to this information. Based on what is here, I see no reason to panic. First, it doesn't appear that any information is sent which would identify the machine the information came from. All they get is, "There is a macine somewhere with a Lite-On CDR in it."

Windows Update has offered me updated device drivers in the past, so I think the inclusion of hardware info could be defended on that basis.

Re:I FAILED IT

[guacamolefoo]

got the new ultra psyware

Great! Where can I get psyware? I've been looking for a way to get rid of my mouse and keyboard. Dos it allow a USB 2.0 connection to my nervous system, or does it use 1394?

GF.

Re:I FAILED IT

[jetmarc]

> or does it use 1394?

I think it uses 1984.

Dear Steven, From Bill Gates

[joelparker]

any chance they get to know more about you.... they're going to take it.

Dear Steven,

Good point. Your previous Slashdot postings are also good, except for that one about Linux.

Sincerely, Bill G.

Re:Surprise, surprise...

[Anonymous Coward]

The more data that gets sent to microsoft, the harder it becomes to manage. Someone should figure out a way to send them Junk data with wrong version numbers. Windows 3.11 running IE 6.0... that'll leave them scratching there heads.

YOU INSENSITIVE BASTARD!

[Anonymous Coward]

I am running Win 3.11 with IE 6.0 and what you're suggesting will interfere with my support!

Easy Solution

[swordboy]

Why doesn't some enterprising individual simply monitor Microsoft's various OS's for updates and then link to the downloadables? Of course, it would be possible for MS to remove downloadables but then this really causes frustration for those who are maintaining systems that cannot access windowsupdate.com. I'm not sure that they could do it - they'd have to install spyware in the actual patches. But then we could configure the firewall to block everything MS.

Or we could all just get Mac's. I'm almost there, unless someone can put together a KDE or Gnome with some usable functionality (like device management and system configuration in ONE GODDAMMED FUCKING LOCATION).

Apple!!!! Bring OSX to X86 and we will make it worth your while!

Comment removed

[account_deleted]

Comment removed based on user account deletion

Linkee no workee

[Wee]

Try going to that link with Opera. Even Opera in Windows. You get a nice message needing to install IE "in order to use Windows Update". Can't view their web page or get a list of updates with any other browser apparently. So much for HTML being the lingua franca of the Internet.

Life's far too short to use IE.

-B

This is the link

[Wee]

Here's the page which doesn't care about your browser:

http://www.microsoft.com/downloads/search.aspx?dis playlang=en [microsoft.com]

-B

Re:Easy Solution

[wizarddc]

Apple!!!! Bring OSX to X86 and we will make it worth your while!


The point you are forgetting is that Apple makes and sells hardware, and only makes software so that they can sell that hardware. They'll give you the OS for free, as long as you pony up for the box. They have no interest, financially, to port or sell OS 10 to X86.

Re:Easy Solution

[Zendar]

They'll give you the OS for free, as long as you pony up for the box.

Then why do they charge $120 for existing users (owners) to upgrade to each new point release for OSX?

Re:Easy Solution

[chefren]

A GUI in the Linux kernel tree? That would be like..windows. It's the distros that are the operating systems, Linux is just the kernel. In order to have, say KDE in the kernel tree you would also need to have all libraries and other packages you need to run it in the tree as well, like glibc, X and a big bunch of other things. An entire desktop distro in fact. Bury that idea in your back yard, right next to those irritating ex-neighbors of yours (joke). I give thumbs up for more desktop cooperation between distros, though.

Re:Easy Solution

[nachoboy]

Because the value of Windows Update doesn't lie in the fact that it gives you the patches. Its value to consumers is that it will automagically detect what kind of system you have and provide a list of the necessary patches. Yes, it also conveniently lets you install all of them with just one more click, but Microsoft already offers all their patches in downloadable .exe form. The problem is that every time a patch comes out, a user must read the accompanying documentation, determine whether their system is vulnerable, and apply the patch. And this is no easy task. There are patches for Windows (no brainer), Office (mostly a no-brainer) [these are usually obtained at Windows Update's little sister site, Office Update], Internet Explorer (easy enough), IIS (do you know whether it's installed?), the Java Virtual Machine (getting a little tricky now), the HTML Help subsystem (woah), the MDAC components that probably got installed when you installed Windows (what luser knows what MDAC is?), and the FrontPage Server Extensions (sounds like Office, no? don't worry, it's conveniently included in Windows). Oh and if that wasn't hard enough, there are patches that supercede patches, late, missing, or broken patches, patches you think you have to apply twice, the list just doesn't end. Windows Update in its current incarnation can get rid of the user hassle for most of that by moving all of the guesswork out of the luser's hands and into Microsoft's engineers' hands.

Personally, I find the whole patch thing ridiculous. I tried to stay abreast of the current security patches by subscribing to the security mailing list and making my own decision about whether a patch applies. It's impossible. Every time you think you've gotten it right, there's another patch to figure into the situation. I use Windows Update to find out what updates I need, but since the home connection is ridiculously slow, I just make a list and download the .exe's from http://download.microsoft.com. (Search by the KB article #). As long as you save them, the syntax for installing them quietly is mostly uniform, and you can apply them with little hassle next time you install.

Re:Surprise, surprise...

[Anonymous Coward]

Microsoft needs to collect this information for driver updates and other *useful* updates.

No they don't. They can just send a list of updates to the client, and the client can display the updates that apply to your computer. This is why Microsoft can claim no information is being sent to their server: because sending information isn't necessary.

This is actually how APT works.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Surprise, surprise...

[japhmi]

But why send a complete list of all of the programs on the computer? Why not send "Windows 98 SE, IE 6.0," and a few things that windows update can actually help with, and not that I am using the WordPerfect suite and not MSOffice (quick, apply the "SlowWordPerfect() operation! and the MakeMozillaCrawl() one two!)

I know it's a bit of paranoia, but I'd rather them not know what I've got running at all, but I'll let them know what MS software I have because that's what I'm getting fixes for.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:Surprise, surprise...

[Hal Roberts]

There are still solutions that allow no meaningful information to be sent. For example, why not have the client just ask for new updates since a given date and cache the rest? That took me all of about 15 seconds to think up and would result in far less bandwidth use than sending the user every upgrade applicable to her system every time she connects.

Either 1) privacy is just not a factor for the folks at all or 2) they want the data for other uses. Most likely it's the former, but the fact that the makers of the 95% market share OS don't care enough about privacy to make it even a small concern when designing systems like this is Really Scary, maybe scarier than them purposefully collecting my data, because at least then there's the possibility that they'll be careful with my data once they've got it.

Windows Update is crap

[McSpew]

As explained by Russ Cooper of NTBugTraq in a lengthy rant [ntbugtraq.com] on Tax Day of 2002, Windows Update is a horrible piece of crap. He followed it with another lengthy rant about what he thinks Microsoft should be doing [ntbugtraq.com] instead of Windows Update.

In the meantime, while downloads are large (~1.5MB), the XML package you get for HFNETCHK searches your system for proper file versions and remains the most reliable way to ensure your system is properly patched. Unfortunately, the best tool for checking your patch state (HFNETCHK) doesn't help you download the patches you need. It does identify the MS security alert addressed and even the KB article, but it's not painless. MBSA gets you one step closer by actually having the URL of the KB article, but it's not as painless as downloading updates via Windows Update (when WU properly identifies your patches).

Anybody who's used the atrociously-bad Automatic Update Service will know that it doesn't cover many important software updates and neither does Windows Update. In fact, if you use all three products, you'll frequently find that each product identifies a different set of patches that are required, and usually, none of them list all the patches identified by the others.

What I've found is that HFNETCHK actually identifies truly critical patches, while Windows Update improperly identifies non-critical updates as being critical. For instance, it tells you that installing Internet Explorer 6.0 SP1 is critical (even when you're running a fully-patched IE 5.5SP2) or even worse, it tells you that a patch meant to improve functionality of using a non-IE default browser is critical.

Sorry, but as much as I hate MS and as much as I prefer Mozilla to IE for my own browsing needs (and even though it works better), I don't make it my default browser anywhere, especially on servers, so this update is hardly critical.

In short, while sysadmins at least have a chance to stay fully-patched these days--unlike the days before Code Red--MS still has incredibly shoddy patch management tools, incredibly inconsistent patch installation mechanisms and still takes liberties with customer data it shouldn't need to take.

If Microsoft ever gets serious about patch management, they'll have a common tool that sysadmins can use to patch any and all of their MS software with a common interface and no unnecessary transmission of system-specific data to MS. Is that too much to ask? Apparently.

Re:Surprise, surprise...

[Ian Wolf]

If I tell windows to look for the drivers for a particular device than by all means probe the device for information about it. How does scanning all installed applications aid in this endeavor?

If the reasoning was to better detect and avoid application conflicts I would possibly agree with this method, but the software clearly doesn't do that.

Re:Surprise, surprise...

[1010011010]

Microsoft doesn't offer updates for SQL Server or Office, or Photoshop for that matter, via WindowsUpdate. So why do they need that information to NOT supply updates for those programs?

Re:Surprise, surprise...

[wilstephens]

The manufacture's website was in Japanese only, and I had no idea how to navigate let alone install a Japanese application.

And, yes, I am lazy. How did you know?

Re:Surprise, surprise...

[Anonymous Coward]

So you have to remember who manufactured all of your hardware, then individually trawl through their sites and hope they keep old drivers on there? Sounds like Linux-style usability to me. I much prefer Microsoft's style of doing it: fast and easy, because I like being lazy.

Re:Surprise, surprise...

[Ballsy]

Never confuse "Lazy_ass_user computing" with "computing for people who have better things to do with their time than fuck around searching for drivers on some poorly designed manufacturer website".

Re:Surprise, surprise...

[Tellarin]

so this person with a so precious time should think twice before buying products from a company with such a "poorly designed website" or that don't ship a version of the drive with the product

Re:Surprise, surprise...

[Xformer]

Even if the poorly designed manufacturer's website is the only one with the working driver?

I had a bad experience along those lines with the Windows Update site, where a particular sound driver (I forget which, at the moment) from them would not work with my hardware, where the one from the manufacturer's website did.

Re:Surprise, surprise...

[forgetful_ca]

Never confuse "Fast, Easy Computing" with "Lazy_ass_user computing".

Not only that, but using ms update restricts you to using ms signed drivers. I for one don't wish to give ms that particular club to wield over anyone. They've proven to me they aren't responsible enough to be far to anyone, so I don't think they are entitled to be the judge of anything that makes it to my machine.
Secondly, there's no way I can believe that ms would acquire your data and subsequently throw it away. None. They are gathering stats and keeping them.

Re:Surprise, surprise...

[Zeinfeld]

Very profound statement with out any proof or attempt to back it up.

Well heck, the article being pay per view almost nobody in the thread is likely to have read it. Why bother to read the article?

There are a bunch of Win98 programs which are known not to work properly under XP. Every so often Microsoft issues a set of patches that allow these to work properly.

Re:Not news.. but a nice update.

[cperciva]

Personally, I like the way cvsup works. You ask for what you need and a file list. Or so it seems.

cvsup is far more invasive than Windows Update. When you run cvsup, it sends a list of all your files (in the relevant directory, of course) to the server. The server then looks at the list you're sending it and decides what you need to have updated.

Re:Always wondered About That...

[Queuetue]

They could do it all client-side, keeping the data store and package list avaliable locally.

Portage (I assume) doesn't tell gentoo home base what packages I have installed, but it knows which ones I need all the same.

Re:Inquirer?

[Queuetue]

It's not not THAT [nationalenquirer.com] enquirer.

Re:The article says MS tells you this beforehand

[Junta]

No, most other platforms do everything client side. The updater says 'give me a list of all available updates', and then the updater does the filtering client side. Only the release number overall of the OS is known.

Sure, updates downloaded from MS sites could be tracked easily anyway, each download request could be associated with IP and such. But if non-MS programs are being probed, then they are wrongly exploiting the updater.

Re:Am I the only one who is not surprised by this?

[fishbowl]

>This has got to stop.

Why do you say that it has "got to stop?"

Do you thing the DOJ consists of a group of people who took power via a coup d'ètat? Or do you concede that the Department consists of individuals who have been appointed by elected executives and confirmed by an elected Congress?

Whether the current government is a true expression of the will of the American people, or the current government is a result of our apathy (even antipathy) toward the democratic process and the political party structure, it is not reasonable to wait until a crisis at the Federal level to take action.

"Something" can be done. In twelve years or less, the Federal government will be largely composed of individuals who are at this moment seeking State and local office. If you have not developed a relationship with these politicians or their parties NOW, while they are accessible, and if you have not participated in the process of putting them in office by CAMPAIGNING and VOTING, you may find yourself in precisely the same position a decade from now, claiming to be powerless to affect the process, and demanding that "something" be done.

Something *is* done, and the people who make a priority of participation in the political process of this country are the people who shape government. Whether you choose to participate or not, you are still part of the process.

Apathy elects our leaders.