Examining Microsoft Update
eggsovereasy writes "The Inquirer is reporting that a group in Germany has deciphered the information sent to Microsoft during an update using Windows Update and says that information on all software installed on your computer is sent, even that which is not Microsoft's own software." The original article is, unfortunately, pay-per-view. Update: 02/26 18:19 GMT by T : ionyka points to this "related article from ITWorld that deals with Microsoft's transferring of information through Windows Media Player. When you open up Media Player it sends information back to Microsoft like what movies you play, what songs you listen to and where they come from."
Here is the rest of the article, in PDF format. I'd suggest grabbing it and mirroring as soon as possible... this one won't hold up too long.
http://home.byu.net/~btc25/WindowsUpdate.pdf
One of the more interesting parts deals with how Microsoft can tell the difference between product keys they generated and those done with a keygen.
I made the same mistake...it is ppv...you can read freely until the heart of the article, then it's 1.99 (euro) for the rest.
They've updated the story to give the full info on what gets sent back here: http://www.tecchannel.de/betriebssysteme/1126/14.html
Read the parent comment.
This isn't Windows Update he's talking about, it's the EULA for recent versions (XP, IIRC) of Windows.
Your cow-orker was right. When Microsoft Update said "No information is being sent to Microsoft", no information -- at all -- was being sent to Microsoft. The update server sent your computer a list of available updates, and code ran on your computer which determined which ones were necessary.
Microsoft Update no longer says "No information is being sent...", which is what this article is about.
I have to say that it's not nearly as scary as advertised. There are two complaints:
1. The Windows Update tool sends to Microsoft a complete list of what hardware you have.
2. If the Windows Update server claims to have an update available for product X, the Windows Update tool will check to see if you have product X installed, and report back to Microsoft.
Well, *duh*. The only way to avoid doing this would involve downloading a complete list of all the updates available for every supported piece of hardware or software. Based on the size of the Windows HCL, I'd guess that this would require tens of megabytes of bandwidth -- all so that Windows Update could pick out the half dozen entries which are relevant.
Remember the little "No information is being sent to Microsoft at this time...."
The more astute amongst you may have noticed that the "No information" message has not been there since Win2kSP3 came out.
Now it says this:
Windows Update is committed to protecting your privacy. To provide you with the appropriate list of updates, Windows Update must collect a certain amount of configuration information from your computer. None of this configuration information can be used to identify you.
Which essentially means that so long as they don't take an email address or phone number they can take what they want.
Here in Holland (I don't know the laws in the rest of the world too well) any contract that you sign which contains clauses that are illegal is null and void. Any statement of MS having the right to download anything off MY computer would seem to me totally illegal and would probably void the whole EULA. ;-)
I did read the EULA of the Dutch version of Win2K SP3 completely and never found any clause that would allow them to download anything off my PC without my consent.
Sadly I'm stuck with Windows since I can't (yet) afford a Mac to run Adobe apps on. When oh when will Linux/FreeBSD/X get decent colour management and ports of proper graphics apps like Illustrator, Photoshop and InDesign??? The GIMP is a nice toy, but it's hardly of any use for print production work. And KIllustrator and the like are simply a laugh too for any real work.. The Linux/BSD vs. Windows ratio is now 4:1 in favor of the free, but I'd like to get rid of Windows altogether. Give me my killer graphics apps!! I'll even pay for them!
Saving up for that Mac in the meantime..
http://www.microsoft.com/downloads/search.aspx?displaylang=en
As explained by Russ Cooper of NTBugTraq in a lengthy rant on Tax Day of 2002, Windows Update is a horrible piece of crap. He followed it with another lengthy rant about what he thinks Microsoft should be doing instead of Windows Update.
In the meantime, while downloads are large (~1.5MB), the XML package you get for HFNETCHK searches your system for proper file versions and remains the most reliable way to ensure your system is properly patched. Unfortunately, the best tool for checking your patch state (HFNETCHK) doesn't help you download the patches you need. It does identify the MS security alert addressed and even the KB article, but it's not painless. MBSA gets you one step closer by actually having the URL of the KB article, but it's not as painless as downloading updates via Windows Update (when WU properly identifies your patches).
Anybody who's used the atrociously-bad Automatic Update Service will know that it doesn't cover many important software updates and neither does Windows Update. In fact, if you use all three products, you'll frequently find that each product identifies a different set of patches that are required, and usually, none of them list all the patches identified by the others.
What I've found is that HFNETCHK actually identifies truly critical patches, while Windows Update improperly identifies non-critical updates as being critical. For instance, it tells you that installing Internet Explorer 6.0 SP1 is critical (even when you're running a fully-patched IE 5.5SP2) or even worse, it tells you that a patch meant to improve functionality of using a non-IE default browser is critical.
Sorry, but as much as I hate MS and as much as I prefer Mozilla to IE for my own browsing needs (and even though it works better), I don't make it my default browser anywhere, especially on servers, so this update is hardly critical.
In short, while sysadmins at least have a chance to stay fully-patched these days--unlike the days before Code Red--MS still has incredibly shoddy patch management tools, incredibly inconsistent patch installation mechanisms and still takes liberties with customer data it shouldn't need to take.
If Microsoft ever gets serious about patch management, they'll have a common tool that sysadmins can use to patch any and all of their MS software with a common interface and no unnecessary transmission of system-specific data to MS. Is that too much to ask? Apparently.
When you sign up for RHN, you're given the option of uploading information about which packages you have installed. You can decline [1]. You won't get email about particular packages you have which need updating, but you can still use the update agent.
The update agent will still work because it polls the servers for which packages are current for your release [2] and compares that list to what you have installed, and the comparison is done locally.
[1] https://rhn.redhat.com/help/basic/register-system-profile.html
[2] https://rhn.redhat.com/help/basic/up2date-setup.html#PACKAGES-TO-UPDATE
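The three update-matching models the thread argues over (upload the whole inventory; answer the server's "do you have product X?" probes; or, as with the old Windows Update message and RHN's up2date, fetch the catalog and compare locally) differ in what leaves the machine. This is an added example, not code from any poster, Microsoft or Red Hat; the catalog, update ids and versions are constructed sample data.

```python
import json

# Constructed sample data (not real update identifiers or versions):
# product -> (first fixed version, update id)
CATALOG = {
    "Windows2000": ((5, 0, 2195, 5), "UPDATE-A"),
    "IE": ((5, 50, 4807), "UPDATE-B"),
    "MediaPlayer": ((7, 1, 0), "UPDATE-C"),
    "Office": ((10, 0, 4109), "UPDATE-D"),
}
# A client's installed software; Photoshop is third-party and not in the catalog.
INVENTORY = {"Windows2000": "5.0.2195.3", "IE": "5.50.4522", "Photoshop": "7.0"}

def _ver(s):
    """'5.0.2195.3' -> (5, 0, 2195, 3) so versions compare numerically."""
    return tuple(int(p) for p in s.split("."))

def _match(inventory, catalog):
    """Updates that apply: product installed and below the fixed version."""
    return sorted(uid for prod, (fixed, uid) in catalog.items()
                  if prod in inventory and _ver(inventory[prod]) < fixed)

def server_side_check(inventory, catalog):
    """Model 1: client uploads its whole inventory, server does the match.
    The server learns every product and version, third-party ones included."""
    uploaded = dict(inventory)
    needed = _match(uploaded, catalog)            # computed on the server
    return {"needed": needed, "uploaded": uploaded,
            "downloaded_bytes": len(json.dumps(needed))}

def product_probe_check(inventory, catalog):
    """Model 2 (the thread's complaint 2): server names the products it has
    updates for, client answers installed yes/no, then fetches only those
    catalog entries. Server learns which products are present, not versions."""
    uploaded = {prod: prod in inventory for prod in catalog}
    relevant = {p: catalog[p] for p in catalog if uploaded[p]}
    needed = _match(inventory, relevant)          # versions compared locally
    return {"needed": needed, "uploaded": uploaded,
            "downloaded_bytes": len(json.dumps(relevant))}

def client_side_check(inventory, catalog):
    """Model 3 (old WU message, RHN up2date): fetch the full catalog and
    compare locally. Nothing client-specific is uploaded; cost is catalog size."""
    needed = _match(inventory, catalog)
    return {"needed": needed, "uploaded": {},
            "downloaded_bytes": len(json.dumps(catalog))}

if __name__ == "__main__":
    for check in (server_side_check, product_probe_check, client_side_check):
        print(check.__name__, check(INVENTORY, CATALOG))
```

All three models arrive at the same two applicable updates; they differ only in what the server learns and in how much catalog the client must pull, which is exactly the bandwidth-versus-privacy trade-off the comments describe.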