Examining Microsoft Update
eggsovereasy writes "The Inquirer is reporting that a group in Germany has deciphered the information sent to Microsoft during an update using Windows Update and says that information on all software installed on your computer is sent, even that which is not Microsoft's own software." The original article is, unfortunately, pay-per-view. Update: 02/26 18:19 GMT by T : ionyka points to this "related article from ITWorld that deals with Microsoft's transferring of information through Windows Media Player. When you open up Media Player it sends information back to Microsoft like what movies you play, what songs you listen to and where they come from."
I mean really, did anyone actually think M$ only collected information about patches? It seems like any chance they get to know more about you, or your "computing habits", they're going to take it.
Is this not a complete breach of the TOS that Microsoft offers when you sign up for Windows Update?
If not, it's at least a huge breach of trust, and users should not stand for it.
This may also be an ulterior motive to Microsoft buying Virtual PC from Connectix last week. They want this same data from Mac users. I imagine if it's not there then it will be added to read all partitions Mac/Linux/PC
Knowing what your customers have on their hard drives is sensitive corporate data. Basically, you know the Hot or Not Programs in the industry and then develop programs based on their hard drive residency!
Yell & scream & rant & rave... it's no use... you need a shaaaave ~ Bugs Bunny
According to the EULA for the latest versions of the OS Microsoft has the right to read any data you have stored on a computer which runs the OS.
Theoretically this includes data dumps of hard drive formats which the OS does not even support.
The reason why it sends info about other applications (and third party drivers for that matter) is so that they can attempt to be a single-source vendor of patches if needed.
While the intentions may not be all that honest, it's not a horrible idea. I've noticed numerous times when running Windows Update that it's offered to upgrade my Cisco Wireless LAN software as well as my Epson print drivers. Kind of nifty and not all that bad, if you ask me.
Nice claims, but the free part of the article doesn't show any actual examples of data that's transmitted. At least not data apart from some generic XML tags.
Any easy way to verify this ourselves?
I'm suspecting their claim is true, but I'd like to see the data...
Reinout van Rees
Although I often semi-sorta-half-hearted-defend Microsoft when people make unsupported categorical statements or otherwise speak mindlessly, I am also willing to speak out against them when they are wrong. As in this instance.
I would have to do some research, but I believe this might violate their own privacy policy. Even if it doesn't, they really have no moral right to send any information about your system without letting you know what it is and giving you a chance to abort the whole thing. Yet I am unsurprised, in fact I expect every big company is doing this kind of thing when they can get away with it.
Not that I am saying "Everyone is doing it, so what is the big deal?" My attitude is more "Let's stop this crap now!"
So I have a suggestion -- someone should start an open source project to create a re-writing proxy for updates that strips out all the stuff Microsoft is sending in the updates, except what is absolutely needed. Make it open enough that we can plug in re-writers for other companies as well.
- -
Are you an SF Fan? Are you a Tru-Fan?
Come on, be honest. Who's genuinely surprised by this?
Summation 2
A cow-orker of mine actually argued with me one day that "No Information" really meant nothing, nada, zilch was sent back to MS.
I should have taken him out back and beaten him with a frozen salmon. Hello!? How do they know what patches you need if they can't look at your system and tell their servers what you've already got.
The fact that the program takes the time to rifle through the system is of no surprise to me. While I think the practice stinks, it hasn't stopped me from using the service. Given the choice between MS finding my installation of UT2003 or some script kiddie looting my system, I'll choose the former.
"The words of the prophets are written on the Slashdot walls."
Assuming "nothing is sent" is about as smart as checking that "trust everything from microsoft.com" checkbox for the ActiveX control Windows Update downloads. You'd have to be a quart short of an oil change to do either.
"I should have taken him out back and beaten him with a frozen salmon. Hello!? How do they know what patches you need if they can't look at your system and tell their servers what you've already got."
They could send a complete list of available patches to your system and let the client running on your computer pick which ones are necessary, without Microsoft ever knowing what software you have installed. Granted, they could deductively determine what hardware you use based on what patches you then request, but since you can only download patches for Microsoft software, the best they could do would be to determine what hardware and Microsoft software you currently have installed.
According to a WHOIS, that site is registered to a MarketSmart Technologies in Florida... ...I'd be a bit wary of giving out your info.
Well, most of the Linux package/RPM managers allow you to accomplish the same sort of updates without sending out all of your system information. They also seem to work quite well (although I have only used apt-get/synaptic and Red Carpet). Just tell the client everything available. Hell, then we could even CHOOSE what we wanted to update, or just click "everything" to get all new updates.
"When ideology and theology couple, their offspring are not always bad but they are always blind." -- Bill Moyers
Thanks for posting a link to this information. Based on what is here, I see no reason to panic. First, it doesn't appear that any information is sent which would identify the machine the information came from. All they get is, "There is a machine somewhere with a Lite-On CDR in it."
Windows Update has offered me updated device drivers in the past, so I think the inclusion of hardware info could be defended on that basis.
With all their spiel about trustworthy computing, then getting busted doing something like this....let's ponder that thought for a minute.
Ok, done. No wonder I use Linux and Mac
Has anybody actually read the policy? If you read it it doesn't really sound like they've done anything they said they wouldn't.
Windows Update can be used for non-MS software, hence the need to send some info about non-MS software. And as you pointed out, they could "guess" most of the information that's being sent anyway.
No sig, sorry.
Just thought I'd point out that there is already an open source solution you can use to avoid this invasion of privacy, it's called Linux.
Just had to say that, but on a more serious note, I use Red Hat Network to keep a few Red Hat Linux boxes updated with current patches and it does much the same thing. But there is a big difference.
When you register a box it tells you exactly what information will be sent to RHN about software on your box and allows you to opt out.
The benefit here is twofold in that RHN only sends you updates for the software that is installed on your system and you get updates for any software package that Red Hat supports beyond patches for just the kernel.
What I'm not sure of is if they track all applications you've installed even if they don't support them. Although I still wouldn't be concerned because they tell you up front what information you will be sending to them and you can say NO.
burnin
OK, so they don't collect information that can personally identify you as the "owner" of software(s) X. It's all about the fact that they are getting a survey of what's out there. How many users have software x, legally or not.
I don't mind TiVo using my info to better programming à la the Nielsen ratings. BUT I do have a problem with Microsoft using my data (without asking) to adjust their business plans and/or methods of sales, tracking, schemes, etc.
ie "Software maker X has sold 500K copies, BUT our Windows Update shows that there are 600k copies being used...."
Great, and by infringing on the copyright of another news site who tried to make some money and actually reports on news no one else does you are doing no one a service, jerk.
I think a lot of people don't want anyone to know that they use "borrowed" versions of software that they should have paid for. They see that MS might be able to check what they are running and if it's being run illegally, so instead of thinking "I guess the free ride might be over soon," they immediately go into defensive mode, claiming that MS is the devil and that only a "monopoly like them" would ever consider doing this.
You know what? I don't care if they can check to see what I have running on my computer. If I use an updating service made by Microsoft for products made by Microsoft, I almost automatically assume they are getting just about every piece of info off of my computer that they can get. As long as it's not anything important (like e-mail, names, credit card numbers, etc) I could care less, I have nothing to hide. If MS wants to see how many people use a certain piece of software, all the power to them.
I guess it all comes down to reading the fine print and knowing that most of the time, the company is looking out for the company, not the customer.
I'm not saying MS should get away with everything it wants to do, but I do think it's funny that people are surprised that a service that gets information about your computer actually gets information about your computer.
He could buy any old hardware and simply use microsoftupdate.com
Oh hey, he did!
What download?
A download is a file that you have and can keep so you don't have to download it the next time your system crashes.
There is no way to keep the update, patch, or driver now so how is that a download.
Sure one can go to the corporate site and download updates, however not all patches and updates are made available there.
One used to be able to go to the Temporary Internet File folder and copy and paste the file to another folder however one cannot even do that now.
It's remote installation but it is not a download in any way shape or form as the files are not saved to disk for future use.
For example the hoops one has had to jump through to install the latest secure version of MSJava left a bad taste in my mouth so I downloaded Sun Java and now use it.
Microsoft stated that one should remove them from trusted sites status due to a problem with COM and certificates which to my knowledge still hasn't been properly fixed. Anyone with ActiveX enabled in the Internet Zone is an idiot and Microsoft's Windows Update does not work without these settings. This leads me to believe that it was one more attempt to ruin Sun.
What about IP address? That can be used to identify you. That'll be in the IIS logs for sure.
There are a lot of people in this thread that realize that WU does NOT send a list of all software installed, but they are being drowned out by the highly rated comments about the evils of MS. The "software list" is actually a list of drivers installed, which is fine, because MS will post updated drivers for you to download. It should also be noted that one of the articles posted is from the Inquirer, the same people who predicted hell on earth in y2k, and believe in tinfoil hats.
"No one likes working in a hamster wheel, and your shop smells of cedar shavings from here." - TaleSpinner
This type of push model where information regarding the available updates is pushed down to the server is actually quite viable. I've dealt with two companies who used this approach and both companies claimed patents in this area. I wouldn't be surprised if Microsoft chose to ignore privacy concerns in order to avoid patent licensing fees.
The process would look something like:
1. Client downloads latest Update Management Software + Config File from server
2. Client runs Update Management Software.
3. UMS determines what patches are needed from inbuilt logic and information in configuration file
4. UMS downloads and applies relevant patches
XEmacs does exactly this! It works pretty well from what I've seen.
Healthcare article at Kuro5hin
>This has got to stop.
Why do you say that it has "got to stop?"
Do you think the DOJ consists of a group of people who took power via a coup d'état? Or do you concede that the Department consists of individuals who have been appointed by elected executives and confirmed by an elected Congress?
Whether the current government is a true expression of the will of the American people, or the current government is a result of our apathy (even antipathy) toward the democratic process and the political party structure, it is not reasonable to wait until a crisis at the Federal level to take action.
"Something" can be done. In twelve years or less, the Federal government will be largely composed of individuals who are at this moment seeking State and local office. If you have not developed a relationship with these politicians or their parties NOW, while they are accessible, and if you have not participated in the process of putting them in office by CAMPAIGNING and VOTING, you may find yourself in precisely the same position a decade from now, claiming to be powerless to affect the process, and demanding that "something" be done.
Something *is* done, and the people who make a priority of participation in the political process of this country are the people who shape government. Whether you choose to participate or not, you are still part of the process.
Apathy elects our leaders.
-fb Everything not expressly forbidden is now mandatory.
I use the Update Agent in RedHat almost on a daily basis - the RH Network knows absolutely everything about my setup (programs, modules, etc.) right down to what version of the Kernel I'm running - that way they can inform me of vulnerabilities and problems that I'm probably susceptible to as soon as there's an update available...it's a "good thing".
Why is it that when Microsoft does this kind of thing, suddenly there's a more sinister motive behind it all?
I don't hear anyone complaining about Redhat's privacy policies...
Life's far too short to use IE.
-B
Ash and Hickory, straight-grained and true, make excellent bludgeons, dandy for the cudgeling of vegetarians.
Trying to figure what other companies they should push out of business.
This should not be modded Funny. This is serious.
BillG: Look, everyone has Acrobat Reader, we need to develop XDoc.
Everyone has some SimXXX game, we need to develop Zoo Tychoon.
Business as usual. Take advantage of monopoly position of control. Discover what anyone else might be doing that is popular. Develop a competing product. Give it away, or bundle it into OS.
Those who would give up liberty in exchange for security and DRM should switch to Microsoft Palladium!
A GUI in the Linux kernel tree? That would be like..windows. It's the distros that are the operating systems, Linux is just the kernel. In order to have, say KDE in the kernel tree you would also need to have all libraries and other packages you need to run it in the tree as well, like glibc, X and a big bunch of other things. An entire desktop distro in fact. Bury that idea in your back yard, right next to those irritating ex-neighbors of yours (joke). I give thumbs up for more desktop cooperation between distros, though.
Back in the DOS days, I once installed MS Flight Simulator on a friend's laptop (running Windows 3.1) in order to see how bad the ghosting on the laptop screen would be when running games. I copied the files manually, under DOS, using COPY, so that I wouldn't affect the laptop's configuration, and so that I could completely uninstall the program after I was done. Having done that, I started Win 3.1, and went to create a .pif (program information file) for the launcher icon. Lo and behold, the dialog box was completely filled out, non-standard path and everything, ready to go. It was damn spooky. AFAIK, the only way this could have happened was if Windows looked through the disk for friendly .exe files on startup.
After that experience, my expectation is that MS software keeps very close watch on friendly and, likely, "unfriendly" software on your computer.
Anyone remember the AARD code?
Solution:
First, user sends the version number of the patch list present on the user's hardware to MS. The version number represents what hardware/MS software is present, and what patches have been previously applied.
A match is found.
A list of patches is generated, and sent to the user.
MS transmits ONLY the patches that the user's version number indicates are necessary.
User patches.
After successful patch, the version number of the patch list is updated on the user's hard drive.
Operation complete.
So, a massive transmittal of a list of ALL patches is not necessary: only the version number of the patch list needs to be communicated.
The "so much data needs to be sent" argument for MS's snooping presupposes their method of applying patches to be the only one. A little thinking comes up with an alternative.
They snoop because they want to snoop.
Keep an archive of all service packs for your OS
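Several comments in this thread (the "send the client the whole list and let it pick" proposal, the four-step Update Management Software sketch, and the version-number scheme just above) describe the same idea: keep the inventory on the client and evaluate applicability locally. The Python below is an added illustration of that model, not Microsoft's actual Windows Update protocol and not code from any of the posters. The catalog entries, product names, KB-style IDs and the local inventory are all constructed sample data; the applicability rule (installed version inside an affected range, superseded entries skipped) and the sequence-number delta fetch are assumptions chosen to make the example concrete.

```python
"""Client-side update selection: the inventory never leaves the machine.

Model: the server publishes a catalog of update metadata, each entry
stamped with a monotonically increasing sequence number.  The client
remembers the last sequence number it has seen, asks only for newer
entries, decides locally which ones apply, and at most sends back the
IDs of the patches it wants.  Compare with the inventory-upload model
at the bottom, where the full installed-software list goes on the wire.
"""
from dataclasses import dataclass
from typing import Optional


def parse_version(s: str) -> tuple[int, ...]:
    """'5.1.10' -> (5, 1, 10); tuples compare numerically, not lexically."""
    return tuple(int(p) for p in s.split("."))


@dataclass(frozen=True)
class Update:
    uid: str                      # hypothetical patch identifier
    product: str                  # hypothetical product name
    min_affected: str             # lowest installed version this applies to
    fixed_in: str                 # version the product is at after applying
    supersedes: Optional[str] = None


# Constructed server-side catalog: (sequence number, metadata).
CATALOG = [
    (1, Update("KB-A1", "os-core", "5.1.0", "5.1.2")),
    (2, Update("KB-A2", "os-core", "5.1.0", "5.1.3", supersedes="KB-A1")),
    (3, Update("KB-B1", "media-player", "9.0.0", "9.0.1")),
    (4, Update("KB-C1", "vendor-wlan-driver", "2.0.0", "2.4.0")),
]

# Constructed local inventory, including a third-party product the
# catalog knows nothing about.  This dict is never sent anywhere.
INVENTORY = {
    "os-core": "5.1.1",
    "media-player": "9.0.1",
    "vendor-wlan-driver": "2.3.5",
    "third-party-game": "1.0",
}


def catalog_delta(catalog, client_seq: int):
    """Server side: return only entries newer than the client's stamp.

    The only thing the client reveals here is one integer.
    """
    return [u for seq, u in catalog if seq > client_seq]


def applicable(updates, inventory) -> list[str]:
    """Client side: pick updates whose affected range covers what is installed.

    Entries superseded by a newer entry in the same batch are dropped so
    the client does not request both KB-A1 and KB-A2.
    """
    superseded = {u.supersedes for u in updates if u.supersedes}
    needed = []
    for u in updates:
        if u.uid in superseded:
            continue
        installed = inventory.get(u.product)
        if installed is None:          # product not present: nothing to say
            continue
        v = parse_version(installed)
        if parse_version(u.min_affected) <= v < parse_version(u.fixed_in):
            needed.append(u.uid)
    return needed


def request_payload(needed: list[str]) -> dict:
    """What the privacy-preserving model puts on the wire: patch IDs only."""
    return {"want": sorted(needed)}


def inventory_upload_payload(inventory) -> dict:
    """What the inventory-push model puts on the wire, for contrast:
    every installed product and version, third-party software included."""
    return {"installed": dict(inventory)}


if __name__ == "__main__":
    fresh = catalog_delta(CATALOG, client_seq=0)
    print("needed:", request_payload(applicable(fresh, INVENTORY)))
    print("upload model would send:", inventory_upload_payload(INVENTORY))
```

Running it against the sample data selects KB-A2 (KB-A1 is superseded) and KB-C1, while the media player is already at its fixed version and the third-party game is simply never mentioned to the server. The inventory-upload payload, by contrast, names all four installed products. The bandwidth objection raised in the thread is real only if the whole catalog is refetched every time; the sequence-number delta reduces it to the entries published since the last check.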
"Tell that to the Melissa author, and some number of other people whose GUID was used to identify them. Even if you aren't a criminal, this could be misused in so many ways."
Found on the 'Net: "David L. Smith was not caught on the basis of the GUID, he was caught because the feds were able to trace the point of insertion of the virus into alt.sex from the ISP he used, then from the connection logs down to the phone number used to connect to the service. The GUID had nothing to do with it. There was also no indication that he used pirated software, just that he or someone had used a previously written virus and modified it into Melissa, passing on the unique GUID of the original document/macro author."
Just wanted to set that straight.
A GUI in the Linux kernel tree? That would be like..windows
We could only hope...
Face it - the desktop needs to get rid of all that cruft and get some standards before it can become mainstream. Although it is a nice thing to have, this variety hinders standards, thereby keeping both users and developers away.
Life is the leading cause of death in America.
Have they actually stated this? I would love to see something in print. Quite deceptive - not surprising to us, but people outside of /. tend to like examples.
-Looking for a job as a materials chemist or multivariat
Windows 2000 SP 2 doesn't have those nasty EULAs in them. And that's what my systems run. I also still run MediaPlayer 6 for the same reasons.
I use Win2K because everything I run needs Windows. I don't use XP because I do not like the invasive EULAs and I think it is a bloated pile of useless eye-candy.
Boobies never hurt anyone. - Sherry Glaser.
This is no different than the typical CD player/MP3 ripper which queries the CDDB to find out the title of the CD and the name of the tracks. No big deal.
So, in addition to downloading a list of all possible patches for all possible applications and all possible hardware configurations (pretty big list), it also has to download some sort of ruleset that goes around all of those to actually figure out locally what updates are available and necessary. That's a lot of bandwidth.
Actually, no need to download all patches and updates, just metadata about them. Client OS then can easily determine what updates it needs and present a choice to the user. It is actually less bandwidth this way because you don't have to transmit the information about your complete system, including 3rd party apps to MS. MS will only provide metadata about *updates*, not a metadata of a complete system.
In any case, this metadata transmission is not substantial, much less so if compression is used.