XP, Phone Home

Randomeyes writes: "The Register reports that Windows XP has functionality built-in to the Search Companion module that allows Microsoft to log users internet searches. Information collected includes user IP address, search term and related information. A cookie is also set. 'TrustUnWorthy Computing' anyone?" Tanveer1979 writes: though, that "the bright side is that it doesn't send anything to internet, it only downloads files, and compares the files on your computer with the files on server. And I guess a little effort is needed for the malicious to program it to send your data to web."

Microsoft Baseline Security Analyzer ���

I just saw it on my Microsoft Baseline Security Analyzer ©®(TM):

View Security Report

Sort Order: Score (worst first)

Computer name: MYADSDOMAIN \WindozePeeCee
IP address: 225.-1.65535.1
Security Report Name: MYADSDOMAIN - WindozePeeCee (04-12-2002)
Scan date: 12/04/2002 12:00AM
Hotfix database version: v2.0.10^23+[1/(planks constant)]
Security assessment: Sever Risk (As usual)

Windows Scan Results

Vulnerabilities

Windows Hotfixes
1. Local Account Passwords are simple or Weak. Please change them to something overtly convoluted and difficult to remember. It wont matter anyway because the Active Directory Server©®(TM) you authenticate against is probably not patched.

2. IIS©®(TM) Installed. Please update to Apache 1.3.24 or 2.0.35

3. JRE 1.4 is installed. Wow. That's even more bloated than the first revision of .NET ©®(TM).

4. Auto-login is enabled. This is inherently dangerous because this OS has no inkling as to what multi-user means, for whatever reason, everyone is a su-doer.

5. Passwords are too short. This is weak because the domain controller isn't patched. If you are running Samba 2.2, please disregard this. We can't tell the difference.

6. File systems. They all appear to be running NTFS. Good (you should have two UPS for this. If its get corrupted, snicker.........)

7. Your Cell Phone, Palm Device, monitor, printer, hub, DSL router, joystick, speakers, KVM, other PCs, scanner and filing cabinet do not have Client Access Licenses.

8. Sent all info to Microsoft.

© 1999 - 2009 (We paid of the US DOJ until then, they only take kick in decade increments), All your rights are belong to us.

xenon baxter meowmix purina

In places where Internet is still expensive

[fruey]

But when we run an application for some local business like a file search, we don't expect it to connect silently to the Net, even for a good reason. When we discover something like this, it feels like someone else is in control of our computer, and that is definitely not a good feeling.

In the USA, Internet access is usually a monthly subscription and that's it. No phone charges, no charge per minute, just a certain amount of bandwidth per dollar spent.

In Europe, some people have now got access to 2 types of "free" Internet (neither is free).

• Free, in the sense that there is no subscription, but you pay local call charges. This is possible because the phone company pays a percentage to the ISP for call traffic generated
• Free calls, in the sense that local calls are to a no-charge phone number, so you can stay online as long as you like without a per-minute charge, but you have to pay a monthly fee of at least $20 US or more.

Which brings me to my point. If Internet connections are configured in such a way (as often they are) that the connection happens transparently because the username and password are stored, then people are going to pay call charges to search their local disk. If they don't realise this (especially in the case of ISDN connections) then they may run up quite a bill when they do an extensive search every time they lose a file.

I don't like this Internet-integration with the desktop in the OS. Sure, if I want it to happen, I can download some software helper. No doubt by hacking the registry or something equally scary for any novice user, you may be able to switch this off. But it reeks of abuse of my phone line.

It's interesting, no, that Microsoft do not necessarily take account of the European market when it comes to actual Internet access. Sure, they do multi language support but what about this particular Internet case?

I have clients who have been caught with huge bills due to shit like this before. Like transparent connections happening when they are not surfing when connected to an ISDN router which connects when any packet that is non-local causes a router to connect. I know that this can (and is) fixed on the router with better access lists, but the packets themselves come from crappy Microsoft things like MSN Messenger trying to auto-connect at boot and various SMB packets.

It's time that the Internet was a separate part of the desktop. Plenty of people embrace the Internet, but many others will not, especially in countries where it is still expensive just to stay online an hour costs me $2. That's right, a crappy 33.6K connection costs me $2 due solely to phone connection charges.

Surprised? No. Opportunity? Yes.

[pryan]

Obviously this isn't surprising. You have information Microsoft could possibly sell, and it is certainly information they can use. Of course they're gonna try to get it, and try to keep it quiet. This is happening more and more often, and it's everyone, not just Microsoft.

I do use XP, mostly as a gaming platform, but I use Mozilla, and when I'm not playing games often I am running Linux on the same box. This doesn't have me worried one bit. Some people are gonna get all in a twist about this, but this is just a small step towards the ultimate goal: human batteries. :)

This does make me wonder, however, since Microsoft is causing bandwidth to be used on my network for activities I have not expressly envoked, can I charge them for use of my connection?

I say, charge them for use of my bandwidth. They won't get it free out of me. I just wonder where do I send my bill..

Re:Please explain

[Zico]

Yes, but Bash, Netscape etc. doesn't trasmit that dat back to an 800lb gorrila, my friend.

Preach on, brother! Erm, oh wait...

Newsbytes: Netscape Navigator Browser Snoops On Web Searches

"According to a network traffic analysis performed by Newsbytes, Netscape is capturing Navigator 6 users' search terms, along with their Internet protocol (IP) address, the date Navigator was installed and a unique identification number."

Hmmm, a unique identification number, eh? So forget logging your IP address with your search (which Microsoft and the other search engines claim not to do), forget gathering demographic data (which the XP Search Assistant also doesn't do), but Netscape is actually using a unique ID numbers to tie searches to specific individual users.

Wanna try again? ;)

Isolation and Culture

[Observer]

The writer makes the point at the end that it's not so much what is being done that is the problem, but the fact that it's done without telling you and without giving you a choice about whether you want it to happen.

To which I'd add, it also shows a problem with the culture in the organisation that makes the stuff. It's not so much arrogance, but something more akin to carelessness: an inability to appreciate that other people - including some of your customers - may have different criteria and preferences than yours. I personally doubt whether the people who developed this even thought to ask themselves whether this behaviour would be considered reasonable, nor that it was ever considered in any formal reviews that may have taken place. And it's far from the first time that I've got that impression about MS: their use of that reserved field in the Kerboros protocol feels similar: not so much malicious as just a failure to know and appreciate the etiquette that had grown up in an area that they were entering for the first time.

RTFA

[evilviper]

Would you all kindly read the damn article before you start your ranting.

It all boils down to the fact that when you use the file search tool, it connects you to the internet and downloads a privacy policy type of file.

That's it, the end. Period.

When you are on the internet and perform a web search through XP, they log what you searched for... Even google does this for purposes of finding the most popular sites, and creating a table of the most popular searches and all that. This subject is not only trivial, but misleading in the context of the article... They quickly switch from talking about an offline file search which downloads a single text file when you first use it, to a completely different subject of a search tool recording what you searched for.

Of course, the ironic thing being that this web search tracking is no worse than the Netscape 6 tracking discussed a short while ago.

And if you haven't heard it enough so far, local file searches download a single damn file when you first use it. May seem a stupid thing to do, but it's not phoning home, it's not tracking your habbits, etc.

Re:What a non story! A waste of space!

[Hektor_Troy]

Sadly the two posters above me haven't read the article properly.

True, when searching local files and intranet, nothing about that search is sent to Microsoft.

Now, I haven't used XP, so I don't know how the Search Assistant works, but apparently you can tell it NOT to use MSN for searches, but something like Google. I don't mind Google collecting info about my searches, but I do mind when Microsoft collects info about my searches on Google - that's simply none of their business.

As a poster above me mentioned, many people in Europe have to pay for the call-time they use when surfing. Why should they have to pay a minimum of 5 cents to their ISP, just to search their own harddrive? I can't think of a single good reason for that.

Read this post: http://slashdot.org/comments.pl?sid=30967&cid=3328 359 for a good comment on that subject.

The privacy statement for Search Assistant has the following provisions, which is what I base some of my arguments on:

http://sa.windows.com/privacy/

"No information is ever collected by Search Companion when you search your local system, LAN, or intranet for any reason."

"When you search the Internet using the Search Companion, the following information is collected regarding your use of the service: your IP address, the text of your Internet search query, grammatical information about the query, the list of tasks which the Search Companion Web service recommends, and any tasks you select from the recommendation list."

"Search Companion does not record your choice of Internet search engine, and does not collect or request any personal or demographic information. Information collected by the Search Companion cannot be used to identify you individually, and is never used in conjunction with other data sources that may contain personal data."

Now, like I said, I don't use XP, I don't know how Search Assistant works, and I probably wouldn't even use it, but it's still a bad thing to do for two reasons:

1) Making people pay their ISP/phone company to search their local harddrives.
2) IF I can make Search Assistant use another search engine (like Google), it's none of Microsofts business what I search for. If I can't use another search engine, then obviously Microsoft has to know what I'm searching for.