All Microsoft Updates Phone Home

juct writes "In the wake of heise Security's report on the garrulous WGA Notification, Microsoft has now supplied additional details on the data sent. They have revealed to developers that apparently all updates relay information to the company in Redmond."

it's the price you pay, alas

[swschrad]

software vendors are firmly locked into the attitude that you, LICENSOR, have no rights other than to buy new stuff when we drop support for the old stuff and design the new stuff to only superficially work with the old stuff.

like, for instance, all of the "cool features" use new runtimes and new features, and none of it is backwards compatible.

so is anybody really surprised here? if the user hash code field they recover is all over the warez circuit, no matter what the EULA says, someday the number of hits on you is going to run over some trigger number in update. at that point, you will run into a block.

had to reinstall windows ME legally on a machine last weekend. got all the critical updates pulled off on IE, and from that point on, update kept returning "thank you, you have a Mac, you can't update here." everything worked fine the next day, and I got the rest of the criticals done.

I can only assume they have all sorts of wonderful blocks and trigger numbers over there, and since they own the software and you own only a cancelled check, it's just tough damn luck.

Re:No

[asphaltjesus]

My firewall detects the connections after doing manual installs. I know this because I've got production equipment we can't just let windows auto-update on. Based on my experience, WGA is just one of many apps/updates that phones home.

Again, it's been this way for quite a while, and the information does not "perfectly" identify you, but each install has it's own signature as far as I can tell so they can deduce who you are pretty quickly.

Why do you care now as opposed to all of the other Microsoft's-evil-OS stories on /.?

List of data sent back

[trianglman]

From the WGA Blog [msdn.com]

• Source ID (which product is requesting an update) - necessary to get the right patches
• Event Code - Not sure what sort of events this is tracking, curious, but not necessarily evil
• Version - I assume this means version of the updater, but could mean version of the base software, either way see #1
• Hash of the event - good security check
• Custom Data - completely unexplained, this is what worries me the most in the list
• Return Code - ok from a usability standpoint (most websites track when users leave, so I put this in the same class as that)
• Part of a domain? - no reason for this to be sent, as far as I can see
• Partial binary product key - piracy reasons? Can't think of any other good reason for this
• WPA hash - also unexplained, but probably related to the above
• OS version - see #1
• User locale ID (langauge) - reasonable if they are presenting nationalized dialogs, removes a prompt from the user
• System locale ID (computer default language) - don't see much of a reason for this except as a backup for the first, odd
• Diagnostic code - reasonable for debugging
• Client Id - i.e. GUID - why do they get this if they aren't using it for user tracking
• HD volume serial - no reason for this, except user identification
• Computer security hash - see above

Other than those last identifiers, most of the information I see requested make sense.

Re:All updates relay Information...

[W2k]

Apparently. That message is not there anymore. Instead, Microsoft Update displays this:

Concerned about privacy? When you check for updates, basic information about your computer, not you, is used to determine which updates your programs need. To learn more, see our privacy statement [microsoft.com].

Surprisingly, the linked statement is not written in lawyerspeak.

Re:Reverse double-speak?

[AJWM]

Well, see, they don't use the illegal IDs and product keys "to identify or contact users". But they do also grab the IP number that those came from. Now, they may not use that IP info either, but if a list of IP numbers and illegal product tags were to be passed along to, oh, say, the BSA (Business Software Alliance, not the Boy Scouts of America, aka the enforcers), and the BSA were to ask ISPs for a name and address corresponding to that IP...

So Microsoft isn't using that info (and certainly not that specific item of info) to contact users, but they might be passing it on to someone who is.

Typical Microsoft statement; parsed carefully and in the right context, it might well be literally true, and it sounds good, but it could well be misleading.

Re:Success/Failure/______/etc./ (Profit?)

[PitaBred]

The difference is that yum can only infer that from data you voluntarily send to them every time you query for updates. Yum says "Send me the package list for FC6 on the x86 architecture", and that's it. The server gets your IP address as a side effect, and your system version. That's a far cry from that list of crap that Microsoft gets, and never says they're sending. I'm really not comfortable with sending all that info, especially since they don't explicitly state that it's happening. What other info can be asked for through their API? What about limits on info in the EULA? What other info might they send for "research" purposes?

Simple solution

[G00F]

Here is the fix,

on a *Nix box, say maybe the DNS server
vi /etc/hosts
127.0.0.3 genuine.microsoft.com

For windows
edit c:\windows\system32\drivers\etc\hosts
0.0.0.0 genuine.microsoft.com

Re:Simple solution

[schwit1]

Doesn't Windows ignore the HOSTS files when it suits them?

http://yro.slashdot.org/article.pl?sid=06/04/16/13 51217 [slashdot.org]

Re:UK/EU - Data Protection Act

[rzei]

Why would you have to pay at all?

At least in Finland, I can walk to every place that I suspect might have records on me and ask to be given those records, and the company or what ever, even the police have to comply. AFAIK you can also ask the data to be deleted.

Also, AFAIK according to Finnish law Microsoft (which does have a company in Finland too) they should have in the open a document (or upon request) that specifies what information is being collected in to their registers.

Too bad I don't use Windows :) but anyways.. I'm not a lawyer. It's just common sense that companies can't keep what ever records they want — secretly at least.

Not really - here's what it is

[Anonymous Coward]

My brother works on the Windows update team in Redmond. Just to clear things up, here's what I know:

1) Since there are so many update events, the client software only sends a random sample ~10% of all events to the server. This was added in one of the more recent changes to the Windows Update s/w.

2) Yeah, they have a *huge* data warehouse that they store all that info in. It's SQL Server 2005 and one of the larger SQL Server installs in the world. From what he tells me, they get millions of new rows each day, so they can only keep 1 year of data available online in the database (everything else gets moved off to tape or to another database). BTW, it's in the terybytes.

3) They use this data to help better serve their customers. They have a reporting/analytics solution built on top of that Data Warehouse. They can analyze history by region, by service pack, by language, etc. So they can make better strategic decisions with that info and in a more timely manner (it's updated daily).

Look, here's one example where that data is useful for them - if a few customers call up and say there update is failing, a tech support person can look at some data for that customer's region, or service pack, or update and see if there are any trends there to help move the case along (i.e. maybe a trend shows that a bunch of users with that OS are having problems with that update).

No comment on the privacy issues - all they know about is your computer's GUI and your IP address (i.e. city/state/zip or region/country). Some are ok with that, many aren't.