All Microsoft Updates Phone Home 233
juct writes "In the wake of heise Security's report on the garrulous WGA Notification, Microsoft has now supplied additional details on the data sent. They have revealed to developers that apparently all updates relay information to the company in Redmond."
What if. . . (Score:4, Insightful)
Since you've never activated WGA, does that mean you're invisible to Microsoft?
Re: (Score:3, Insightful)
Windows Defender for instance, comes as local executable - but obviously, the WGA authentication is remote.
probably a non-issue anyway.
Re:No (Score:5, Informative)
Again, it's been this way for quite a while, and the information does not "perfectly" identify you, but each install has its own signature as far as I can tell so they can deduce who you are pretty quickly.
Why do you care now as opposed to all of the other Microsoft's-evil-OS stories on
Re: (Score:2)
Besides, since I'm on dial-up at home, whatever information is sent must take forever to get to them.
Re:What if. . .piracy were more difficult? (Score:4, Interesting)
My hope is that all of these things make running pirated versions of Windows more difficult, particularly in the developing countries where internet connectivity is spotty, such that OSS can gain in popularity and use. This could end up being a real win for Linux and other OSS.
cue stories of entire countries running off a single pirated copy of Windows and Office.....
-I'm just sayin'
All updates relay Information... (Score:2, Insightful)
Considering that most of these applications are installed via the windows-update site...
I doubt you could even maintain a session without sending information back to the web-server.
I say: nothing to see here, move along.
Nothing to see (Score:4, Insightful)
Re: (Score:2)
Re:Nothing to see (Score:5, Insightful)
Re: (Score:3, Insightful)
Am I the only one who thinks this:
is incompatible with this:
I mean, if a legitimate copy gets authenticated, and later on
Killing suggestions (Score:3)
With respect to "ulterior motives" most American consumers are nearly completely compromised by their consumerism mindset. People, in general, need careful guidance
Re: (Score:3, Interesting)
Kansas City Shuffle (Score:2)
Re: (Score:3, Insightful)
One wonders what happens when M$ does this over international boundaries.
Not to mention the WGA 'agreement' basically constitutes extortion, "agree to our pervasive invasion of your privacy, or we leave your computer exposed to publicly disclosed security threats that we created in the software".
M$ speak yet again, 'they' will not use it t
Re: (Score:2)
Re: (Score:2)
Success/Failure/______/etc./ (Profit?) (Score:5, Insightful)
Kinda sad that we just assume letting vendors capture all this info is part of the game (i.e. necessary to make the update work right). Wrong. When I do "yum upgrade" -- as far as I know -- not a single piece of information about my system goes up the wire. Correct me if I'm wrong.
Re: (Score:2)
Re: (Score:3, Informative)
YIKES! SQLServer, DB2, Oracle, or TeraData? (Score:5, Insightful)
"In the Privacy Statement of Windows Update Microsoft grants itself fairly far-reaching rights. Thus the information collected by the Redmond-based behemoth includes the computer make and model, version information for the operating system, browser, and any other Microsoft software for which updates might be available, Plug&Play ID numbers of hardware devices, region and language setting, Globally Unique Identifier (GUID), Product ID and Product Key, BIOS name, revision number, and revision date"
There are what - like a billion or so computers in the world running an M$FT operating system?
And e.g. Windows 2000 is now up to something like 125 or 150 Critical Updates since SP4?
And they're keeping track of all of that data?
That's a database that would make the NSA green with envy.
Can SQLServer handle a load like that?
Or would you be looking at something specialized, like what National Cash Register built for Wal-Mart?
Re: (Score:2)
Re:Success/Failure/______/etc./ (Profit?) (Score:4, Insightful)
> Kinda sad that we just assume letting vendors capture all this info is part of the game
It's a gradual process. Ever been stopped on the way out the door at Costco? You're basically proving to the door lackey that you're not stealing anything. Since when did proving you didn't steal anything between the check stand and the door become part of the game? Because people let them get away with it.
Companies will keep doing whatever until customers push back. MSFT will keep being the invasive, WGA promoting rat bastards they can be until people extend their middle finger toward Redmond and learn a different operating system.
The door lackey at Wal-Mart tried stopping me the other day and I refused to prove I didn't steal anything, especially considering she had just watched me walk away from the check stand. I told her that if she thought I stole something to call the cops and walked out.
Re: (Score:3, Funny)
you mean...they're not checking to make sure i didn't get overcharged?
Re: (Score:2)
Re: (Score:2)
Re: (Score:3, Insightful)
Re:Next privacy policy change (Score:2)
I just wonder why Windows doesn't just phone home the entire contents of the user's drive... and then realize that the only reason that hasn't happened yet, is because storage of this data would be expensive for Microsoft.
Re: (Score:2)
Ok, I'll bite: Do you have any hard proof to these allegations?
I really think there's a big difference between "tracking down users" for marketing purposes, or to track down cracked software users... That kind of thing will be mostly transparent to a non-knowledgeable user.
Re:Next privacy policy change (Score:4, Insightful)
How many slashdotters look at their website logs to see how many people visit and what they use to do so? I'm willing to bet a huge amount of people do, and they're the same people who bitch about MS updates phoning home. To complete HTTP requests you don't *need* anything more than the actual request and an IP address, yet somehow the logs include things like browser versions, screen resolutions and operating systems. You don't complain about those.
Aggregate data is needed to gauge how a product is being used in order to improve it, be it your website, software, a car, a lawnmower or something else. When MS start actively using personally identifiable information to personally target things then I'll worry, but until that day I have no problems with them knowing that 82% of their user base has installed security patch XYZ.
Re: (Score:2, Flamebait)
Such a volume of information almost automatically prohibits targeting individuals, no strategy to target individuals could work. The most that could be hoped for is statistics from which new strategies to combat piracy could be developed.
I think people take an egocentric view of this and don't like to see that theirs is just an insignificant particle of data in an ocean of information.
Re: (Score:3, Insightful)
Hey! May
Re:All updates relay Information... (Score:5, Interesting)
Yeah totally, because:
Re:All updates relay Information... (Score:5, Insightful)
Computer make and model -- needed for drivers for specific manufacturers and models. Do you really want to apply a HP patch on a Dell system?
Version information for all installed Microsoft software -- Needed to calculate whether or not updates are needed for Windows Media player, etc. Remember, Windows update does more than just Windows--it also updates all included bundled software with Windows.
Note: Sending information about non-bundled software is needed for Microsoft Update, but not Windows Update. Perhaps lazy coding there--wouldn't YOU want to share the hardware/software detection code for both update utilities?
Plug&Play ID numbers of hardware devices -- Well, it does update hardware drivers...
Globally Unique Identifier (GUID) -- This seems completely unnecessary.
BIOS name, revision number, and revision date -- I'm not sure, but I believe they may also provide manufacturer-supplied BIOS updates for some manufacturers.
I'm no huge fan of Microsoft, and I'm not saying Microsoft isn't misusing the information, but in 4 out of 5 cases this seems necessary for the service they are providing. Remember, Windows Update updates drivers, hardware, and bundled software too. Microsoft Update services Microsoft software as well.
Re:All updates relay Information... (Score:4, Insightful)
Re: (Score:3, Insightful)
Re: (Score:3, Insightful)
Re: (Score:2)
I also don't see what the big deal is. Microsoft is getting some information about the hardware and software co
Re: (Score:2)
The questio
Re: (Score:2)
> Anyway, if I'm not too mistaken, there are only two (or at the most three) major versions of windows that are supported.
Sorry, missed a few... Windows 2003 Server... Windows CE... Longhorn... the twenty seven flavours [penny-arcade.com] of Vista... the 64-bit versions of all of the above (x86 as well as the unobtanium)... etc... All of which probably have less binary compatibility than you seem to believe.
Re: (Score:2)
Re: (Score:3, Insightful)
Re: (Score:2)
Re: (Score:2)
Big Difference.
Re:All updates relay Information... (Score:5, Insightful)
I seem to remember Windows Update in Win2000 prominently displayed a message: "Checking your computer for installed updates...this is done without sending any information to Microsoft." And it only downloaded the updates I needed, not every one for every supported product.
Did something fundamental change as to why that system can't work anymore?
Re: (Score:3, Informative)
Re: (Score:3, Interesting)
Re: (Score:2)
Re: (Score:3, Interesting)
Mu.
HP and Dell don't do their own driver patches. They do roll up other people's drivers in their own packages, but they simply use the drivers of others.
There ARE non-driver patches for both, but they're related to special, custom software. For example HP has their own version of the software that goes with the Infineon TPM chip inside this HPQ laptop. But Microsof
Re: (Score:2)
I take 'personally identifiable data' is still able to identify my machine, my ISP, my IP, my location, my programs, my browser, etc. but it doesn't know my name. Not altogether sure my name is actually in the computer for it to get in fact.
So, I guess it doesn't send any data back but each update you download using it will...pretty sleazy definitions
Re: (Score:2)
The only personally identifiable info I can think of inside the Windows installation is if you were prompted to enter during Windows setup or later changed the name and organization fields that appear on the System properties panel (WinKey+Break). I know that some OEMs preset these fields -- IBM sets them to IBM CUSTOMER -- so I don't see why MS would waste time having that data transmitted other than to tick off /.ers, privacy advocates and the EFF. If you've registered your copy of Windows though (and who
Re: (Score:2)
I'll bite:
> Computer make and model -- needed for drivers for specific manufacturers and models. Do you really want to apply a HP patch on a Dell system?
> Plug&Play ID numbers of hardware devices -- Well, it does update hardware drivers...
Why? If your computer's working just dandy, why change the drivers? Last time I did a driver update through the MS Update thing, I ended up with 8-bit color and a 640x480 resolution on an nVidia card (not some relic from the 80s). Update, my ass! That's a downgrade! I don't trust their driver updates. They just break stuff. And hey, if it ain't broke, don't "fix" it!
> BIOS name, revision number, and revision date -- I'm not sure, but I believe they may also provide manufacturer-supplied BIOS updates for some manufacturers.
Not that I've ever seen. If I recall correctly, BIOS updates are generally done from boot floppies.
> Remember, Windows Update updates drivers, hardware, and bundled software too. Microsoft Update services Microsoft software as well.
They update your hardware? I
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Basically like how most Linux distributions handle things.
Reverse double-speak? (Score:3, Insightful)
Re: (Score:3, Informative)
So Microsoft isn't using that info (and certainly not that sp
I've said it before, and I'll say it again... (Score:4, Funny)
P.C. Phone Home
*ahem* I mean.. uhh.. I can understand wanting some information about the machines running one's software, as it helps understand the market and improve upon current design. But SOME of this information seems a bit excessive. Unless one plans to start banning specific pieces of hardware, but that's just evil.
Re: (Score:2, Insightful)
Agreed, but they could tell users they are collecting up front, or even *gasp* ask for it first!
Re: (Score:2, Insightful)
D
No. (Score:2)
Re: (Score:2)
As I posted upthread, Windows Update in Win2000 prominently displayed a message: "Checking your computer for installed updates...this is done without sending any information to Microsoft." And it only downloaded the updates I needed, not every one for eve
Re: (Score:2)
Hmm, seems logical.
Re: (Score:3, Insightful)
True. They want the information. Maybe even for a reasonable purpose. So what's wrong with asking for it? I want 100 Billion Dollars. But if I just take it without asking, it makes people upset. I have a good reason: it would make me happy. It takes more than just a "want" to justify taking something, even for corporations.
Re: (Score:2, Interesting)
I have a few friends that play in the stock market and have said for a long time that they bet Bill uses this information to buy/sell stocks and $$$. Think of the unbelievable wealth of information. Which hardware/software/etc... are folks buying and what are they not buying? etc... etc...
it's the price you pay, alas (Score:3, Informative)
like, for instance, all of the "cool features" use new runtimes and new features, and none of it is backwards compatible.
so is anybody really surprised here? if the user hash code field they recover is all over the warez circuit, no matter what the EULA says, someday the number of hits on you is going to run over some trigger number in update. at that point, you will run into a block.
had to reinstall windows ME legally on a machine last weekend. got all the critical updates pulled off on IE, and from that point on, update kept returning "thank you, you have a Mac, you can't update here." everything worked fine the next day, and I got the rest of the criticals done.
I can only assume they have all sorts of wonderful blocks and trigger numbers over there, and since they own the software and you own only a cancelled check, it's just tough damn luck.
Re: (Score:2)
on an old POS (Score:2)
died from windows rot, so it needed a refresh.
Re: (Score:2)
(heck, I've got webservers with less horsepower than that)
Re: (Score:2)
Don't bother installing a modern Linux on a machine 500MHz, though. I've tried it many times as recently as November (a few weeks after Edgy was released) on a few PIII 450MHz machines with 384mb-512mb ram (Dell Optiplex GX-1). It's barely usable.
Blog Translation (Score:5, Funny)
> By learning at what point in the install process some users decide to abandon, we can put more effort into the right places in the installation wizard. Remember our goal with the wizard is to give more information so customers will be better informed. We heard from customers that they wanted more information about what the software was and how it worked so we created the install wizard to provide that greater context. Knowing this kind of information about the install wizard installations is critical for us to continue to improve the customer experience of WGA. If we are not hitting that mark, we can use this method to improve.
By learning at what point in the install process some users decide to say "Fuck this, I didn't sign up for this!", we can put more effort into the right places in the installation wizard. Remember our goal with the wizard is to obfuscate and misdirect so customers will either not know how we're spying on them, or for those who figure it out, at least they won't be able to sue us over it. We heard from customers that they wanted to know what else we're doing behind their backs so we created the install wizard to provide us with plausible deniability. Knowing this kind of information about the install wizard installations is critical for us to continue to propagate the viral meme of WGA and other notions, like software as a service, and ultimately the notion of an operating system as a subscription-based service, like we're doing with the Windows Vista self-destruct sequence. If we are not hitting that mark, we can use this method to slowly increase the amount of DRM we've crammed up your ass until you look like the Goatse Guy, and if we do it slowly enough, you'll not only pay us, you'll thank us for the privilege!
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Very nice post, by the way.
Re: (Score:2)
EULA (Score:5, Interesting)
So I guess it might be a bit sneaky, but it has all been covered by WGA disclosures.
An example of the XML returned when a user cancels an installation is available here [msdn.com], "just to allay any fears that Microsoft is using any personal information".
So ya, I don't think this is a huge deal, nor particularly unexpected.
Add Nero to the list (Score:2)
Pirates? (Score:3, Interesting)
Seeing that Microsoft has done very poorly in correctly determining which installations of Windows are legitimate, how competently can they track legal software?
Castration (Score:2)
This kind of thing is much less of a concern after removing Windows' network drivers, unplugging the network cable, and configuring the router to lock the MAC address out of the internet completely.
Unfortunately, I've gotten myself into a bit of online gaming lately, so I can't do any of that any more.
NO PROBLEM (Score:3, Funny)
I doubt M$ will want to retain THAT information...
...and they go further than that! (Score:3, Interesting)
all of them do? (Score:2)
It costs us too. (Score:2)
So wonder the Internet is getting slow.
UK/EU - Data Protection Act (Score:5, Interesting)
Re: (Score:2, Informative)
Why would you have to pay at all?
At least in Finland, I can walk to every place that I suspect might have records on me and ask to be given those records, and the company or what ever, even the police have to comply. AFAIK you can also ask the data to be deleted.
Also, AFAIK according to Finnish law Microsoft (which does have a company in Finland too) they should have in the open a document (or upon request) that specifies what information is being collected in to their registers.
Too bad I don't use Windo
Re: (Score:2, Interesting)
Heh, "common sense that companies can't keep what ever records they want - secretly at least."
It may seem common sense to you and me, but that's not how US citizens have it. And yes, we can ask for information to be deleted, but only if it's inaccurate. In the UK, we have to pay a small fee to cover some of the company's admin costs in getting the information and to act as a deterrent against people using this kind of thing for bullying tactics. Of course, since it's so much hassle for the company, y
So? Don't use Windows Update. (Score:2)
You don't get it (Score:2)
Avoiding WGA and WU doesn't stop MS from getting a jingle.
Re: (Score:2)
List of data sent back (Score:5, Informative)
From the WGA Blog [msdn.com]
Re:List of data sent back (Score:4, Funny)
Other than that, Mrs. Lincoln, how did you enjoy the theatre?
Simple solution (Score:3, Informative)
on a *Nix box, say maybe the DNS server
vi
127.0.0.3 genuine.microsoft.com
For windows
edit c:\windows\system32\drivers\etc\hosts
0.0.0.0 genuine.microsoft.com
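A check for the hosts-file approach in the comment above, as an added example that is not part of the original thread: it parses hosts-file text and reports whether each hostname of interest is pinned to a loopback or unspecified address. The sample file contents, the extra hostnames and the function names are constructed for illustration, and "first matching entry wins" is an assumption about resolver behaviour.

```python
import ipaddress

# Constructed sample, modelled on the two entries quoted in the comment above.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1   localhost
127.0.0.3   genuine.microsoft.com   # loopback sinkhole
0.0.0.0     Genuine.Microsoft.com.
10.0.0.5    fileserver.lan
not-an-ip   broken.example
"""


def parse_hosts(text):
    """Yield (address, hostname) pairs, skipping comments, blanks and malformed lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an IP address: ignore the line
        for name in fields[1:]:
            # Hostnames are case-insensitive; a trailing dot is the same name.
            yield addr, name.rstrip(".").lower()


def is_sinkhole(addr):
    """True for 127.0.0.0/8, ::1, 0.0.0.0 and ::, which never leave the machine."""
    return addr.is_loopback or addr.is_unspecified


def audit(text, wanted):
    """Map each wanted hostname to 'blocked', 'mapped' or 'missing'.

    'mapped' means the name is present but points at a routable address,
    so the entry does not block anything.
    """
    result = {name.lower(): "missing" for name in wanted}
    for addr, name in parse_hosts(text):
        # Assumption: the resolver uses the first matching entry.
        if name in result and result[name] == "missing":
            result[name] = "blocked" if is_sinkhole(addr) else "mapped"
    return result


if __name__ == "__main__":
    names = ["genuine.microsoft.com", "fileserver.lan", "update.example"]
    for host, state in audit(SAMPLE_HOSTS, names).items():
        print(f"{host}: {state}")
```

A hosts entry only affects lookups that go through the operating system's resolver; software that connects by IP address or performs its own DNS queries is not covered by this check.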
Re:Simple solution (Score:5, Informative)
http://yro.slashdot.org/article.pl?sid=06/04/16/1351217 [slashdot.org]
As I said before about the WGA piece (Score:2, Troll)
But we don't know that they aren't identifying YOU personally. Maybe they are, depending on what other data mining they are doing internally. The point is, we do not KNOW.
Maybe they don't care to identify you personally UNTIL they want to at some point in the future - maybe to sell your machine info to the RIAA in the event that your DRM use is suspect.
Maybe they don't care to identify you personally but are intent on TAGGING your machine
Re: (Score:2)
Re:This is News Now? (Score:4, Insightful)
Has the certificate covering the signer been revoked?
Are you installing some Nokia application or are you installing a disguised copy of Claria adware? If I get my hands on the private key for the company Nokia is using to build their application, I can sign anything I want as that company. It is up to them to revoke the certificate. Wouldn't you like to know?
I know, if you had the source code you wouldn't need a digital certificate because you could compile it yourself and then you would know. After downloading the libraries it uses. And after checking through all of the source code and comparing MD5 signatures to make sure you have the correct version of all of the libraries, not some spyware-infected trojan.
Sounds sort of like a digital signature to me.
Perhaps.... (Score:4, Funny)
Re:Surprised? (Score:5, Insightful)
If you break the law it is still up to the police and the courts to follow legal procedure to catch you and prove you broke the law and then to punish you commensurate with the proven charges. Even if you steal something and they know you stole it they can't do anything about it till they prove it. Part of that process is to get the legal search warrants and other court orders to permit them to do this.
Microsoft is a civil organization which is usurping the rules of law that were well established. In fact, they are effectively searching everyone's home every time to prove they are not in possession of stolen goods. The government can't do that. Microsoft should not either.
Any information sent to them without our express permission is a violation of our privacy whether they store it or not. It is not permissible for them to blatantly flaunt in our faces the fact that there is no one there to stop them and if you try you won't have the resources to do so.
Again people, remember the computer you have is an extension of your home. It is not a playground for microsoft to do what they want. Would you allow them to come into your home to inventory your belongings and then make you account for all those things you may purchase after the fact? Would you let them check on you any time they choose? Hell no. You would never let anyone into your home to do that. So, why on fucking earth are you letting them search your computer to inventory your system to send private information back to their offices? Is it because it isn't an inconvenience to you to allow them to do this? Because you have no recourse to stop them?
So, you say that it doesn't hurt you to have them to enter your home and search it and report back to their offices? So, then would it hurt you to allow the government to do this if they could do it in such a non-invasive way? How about putting hidden cameras in say 20% of homes and no one knows they are there so you have at least an 80% chance of not being spied on!?! Would that be acceptable to you? Hell, 1 in 5 chance of being someone that is observed by the government. Once you got used to it, wouldn't it be acceptable to have the government then say 40% and up it over the next 10 years to 60% and then all the way? You would have become accustomed to having the government spy on you?
I think you understand what I'm getting at. This is the same thing. You would not let the government do such a thing, and even some people feel cameras in public are a violation of our privacy.
Microsoft is not the government and they have no rights to do what they are doing. They should not be collecting any information unless you explicitly permit it.
As I have said in other posts. This is about them collecting as many pieces in their databases as possible. Having this information gives them a lot of leverage.
Have you heard about how the patent office has claimed that file sharing software is a threat to national security? How about a monopoly power that has control over 90% of the world's computers able to go into your computer and home unchecked by any sort of mechanism that is designed for checks and balances? You think that is less a threat to national security than it is to allow people to share information between 1 or 2 or more party members. Either the comments by the patent office are totally ludicrous or no one is willing to accept that this sort of unchecked behavior by a company in control of 90% of the world's computers is a threat to national security.
Re: (Score:3, Insightful)
The Microsoft vs. Government analogy is not quite right: Using Microsoft products (and agreeing to their EULAs) is like granting cops access to your home of your own free will. Cops don't need warrants if you invite them to come in! Government needs special authorization (search warrant) to enter, because we have no way of escaping their power, so a safeguard is needed to prevent abuse. But Microsoft doesn't need a warrant or something similar, because, basically, you're free NOT to use their software, and
Re: (Score:2)
Blocking a Windows PC from the internet (Score:2)
1. Assign a fixed IP address to the Windows PC, instead of grabbing a dynamic address from the router.
2. In the router, block that IP address from being able to get outside the local network.
3. You can now share files across your local intranet while forbidding outside access.
Actually, I only run Windows in a VMWare virtual machine in Linux, and block the Virtual machine's IP address from getting out. Works fine, and has the added benefit of properly sandboxing Win