Slashdot Mirror
Examining Microsoft Update
eggsovereasy writes "The Inquirer is reporting that a group in Germany has deciphered the information sent to Microsoft during an update using Windows Update and says that information on all software installed on your computer is sent, even that which is not Microsoft's own software." The original article is, unfortunately, pay-per-view. Update: 02/26 18:19 GMT by T : ionyka points to this "related article from ITWorld that deals with Microsoft's transferring of information through Windows Media Player. When you open up Media Player it sends information back to Microsoft like what movies you play, what songs you listen to and where they come from."
Remember the little "No information is being sent to Microsoft at this time...." message during updates? Wait, why am I laughing?
Is this not a complete breach of the TOS that Microsoft offers when you sign up for Windows Update?
If not, it's at least a huge breach of trust, and users should not stand for it.
Trying to figure what other companies they should push out of business.
How can we comment, if we can't read the article?
Oh, wait...
This may also be an alterior motive to Microsoft buying Virtual PC from Connectix last week. They want this same data from Mac Users. I imagine if it's not there then it will be added to read all partitions mac/Linux/PC
Knowing what your customers have on their hard drives is sensitive corporate data. Basically, you know the Hot or Not Programs in the industry and then develop programs based on their hard drive residency!
Yell & scream & rant & rave... it's no use... you need a shaaaave ~ Bugs Bunny
According to the EULA for the latest versions of the OS Microsoft has the right to read any data you have stored on a computer which runs the OS.
Theoretically this includes data dumps of hard drive formats which the OS does not even support.
The reason why it sends info about other applications (and third party drivers for that matter) is so that they can attempt to be a single-source vendor of patches if needed.
While the intentions may not be all that honest, it's not a horrible idea. I've noticed numerous times when running Windows Update that it's offered to upgrade my Cisco Wireless LAN software as well as my Epson print drivers. Kind of nifty and not all that bad, if you ask me.
Sig (appended to the end of comments you post, 120 chars)
Here is the rest of the article, in PDF format. I'd suggest grabbing it and mirroring as soon as possible... this one won't hold up too long.
http://home.byu.net/~btc25/WindowsUpdate.pdf
One of the more interesting parts deals with how Microsoft can tell the difference between product keys they generated and those done with a keygen.
I made the same mistake...it is ppv...you can read freely until the heart of the article, then it's 1.99 (euro) for the rest.
Nice claims, but we the free part of the article doesn't show any actual examples of data that's transmitted. At least not data apart from some generic xml tags.
Any easy way to verify this ourself?
I'm suspecting their claim is true, but I'd like to see the data...
Reinout
Reinout van Rees
Although I often semi-sorta-half-hearted-defend Microsoft when people make unsupported categorical statements or otherwise speak mindlessly, I am also willing to speak out against them when they are wrong. As in this instance.
I would have to do some research, but I believe this might violate their own privacy policy. Even if it doesn't, they really have no moral right to send any information about your system without letting you know what it is and giving you a chance to abort the whole thing. Yet I am unsurprised, in fact I expect every big company is doing this kind of thing when they can get away with it.
Not that I am saying "Everyone is doing it, so what is the big deal?" My attitude is more "Let's stop this crap now!"
So I have a suggestion -- someone should start an open source project to create a re-writing proxy for updates that strips out all the stuff Microsoft is sending in the updates, except what is absolutely needed. Make it open enough that we can plug it re-writers for other companies as well.
- -
Are you an SF Fan? Are you a Tru-Fan?
got the new ultra psyware
Great! Where can I get psyware? I've been looking for a way to get rid of my mouse and keyboard. Dos it allow a USB 2.0 connection to my nervous system, or does it use 1394?
GF.
Lots of petrified grits
below from the M$ site... they tell you outright that they are collecting this info. What's the big deal?
Windows Update Privacy Statement (Last Updated 10/15/2002)
Windows Update is committed to protecting your privacy. To provide you with the appropriate list of updates, Windows Update must collect a certain amount of configuration information from your computer. None of this configuration information can be used to identify you. This information includes:
Operating-system version number
Internet Explorer version number
Version numbers of other software for which Windows Update provides updates
Plug and Play ID numbers of hardware devices
Region and Language setting
The configuration information collected is used only to determine the appropriate updates and to generate aggregate statistics. Windows Update does not collect your name, address, e-mail address, or any other form of personally identifiable information.
Note: Windows Update does not collect any form of personally identifiable information from your computer. Read our privacy statement.
Windows Update Privacy Statement (Last Updated 10/15/2002) Windows Update is committed to protecting your privacy. To provide you with the appropriate list of updates, Windows Update must collect a certain amount of configuration information from your computer. None of this configuration information can be used to identify you. This information includes:
The configuration information collected is used only to determine the appropriate updates and to generate aggregate statistics. Windows Update does not collect your name, address, e-mail address, or any other form of personally identifiable information.
Windows Update also collects the Product ID and Product Key to confirm that you are running a validly licensed copy of Windows. A validly licensed copy of Windows ensures that you will receive on-going updates from Windows Update. The Product ID and Product Key are not retained beyond the end of the Windows Update session.
To provide you with the best possible service, Windows Update also tracks and records how many unique machines visit its site and whether the download and installation of specific updates succeeded or failed. In order to do this, the Windows operating system generates a Globally Unique Identifier (GUID) that is stored on your computer to uniquely identify it. The GUID does not contain any personally identifiable information and cannot be used to identify you. Windows Update records the GUID of the computer that attempted the download, the ID of the item that you attempted to download and install, and the configuration information listed above.
They've updated the story to give the full info on what gets sent back here: http://www.tecchannel.de/betriebssysteme/1126/14.h tml
> or does it use 1394?
I think it uses 1984.
Client Info Schema and System Info Schema.
They appear to get a copy of your registry, as well as information like processor architecture, manufacturer, printer(s?) etc
http://clients.fbagroup.co.uk/slashdot/WindowsUpd
What I want to know is why fricking Windows Media Player tries to "Phone home" all the time? That thing is harder to get rid of than the clap, and about half as useful. I have my firewall specifically tuned to stomp on it every time it opens its digital mouth.
This is hardly a surprise, and definitely adds a good bit of weight to all those people who call Palladium the death of privacy.
Just my 2.34539 yen worth.
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
You mean they can see my Kenny G. pr0n screensaver?!?!?!?
Got sushi? The Sushi FAQ
The manufacture's website was in Japanese only, and I had no idea how to navigate let alone install a Japanese application.
And, yes, I am lazy. How did you know?
... you'll see that - contrary to the Inquirer story - it doesn't include anything about 'installed software', with the exception of device drivers. No applications, no utilities - nothing that MS is likely to want to compete with, and indeed nothing that MS doesn't overtly mention in its own privacy policy.
So what's the problem?
I have to say that it's not nearly as scary as advertised. There are two complaints:
1. The Windows Update tool sends to Microsoft a complete list of what hardware you have.
2. If the Windows Update server claims to have an update available for product X, the Windows Update tool will check to see if you have product X installed, and report back to Microsoft.
Well, *duh*. The only way to avoid doing this would involve downloading a complete list of all the updates available for every supported piece of hardware or software. Based on the size of the windows HCL, I'd guess that this would require tens of megabytes of bandwidth -- all so that Windows Update could pick out the half dozen entries which are relevant.
Tarsnap: Online backups for the truly paranoid
Microsoft needs to collect this information for driver updates and other *useful* updates.
No they don't. They can just send a list of updates to the client, and the client can display the updates that apply to your computer. This is why Microsoft can claim no information is being sent to their server: because sending information isn't necessary.
This is actually how APT works.
So you have to remember who manufactured all of your hardware, then individually trawl through their sites and hope they keep old drivers on there? Sounds like Linux-style usability to me. I much prefer Microsoft's style of doing it: fast and easy, because I like being lazy.
If I tell windows to look for the drivers for a particular device than by all means probe the device for information about it. How does scanning all installed applications aid in this endeavor?
If the reasoning was to better detect and avoid application conflicts I would possibly agree with this method, but the software clearly doesn't do that.
"The words of the prophets are written on the Slashdot walls."
Dear Steven,
Good point. Your previous Slashdot postings are also good, except for that one about Linux.
Sincerely, Bill G.
Never confuse "Lazy_ass_user computing" with "computing for people who have better things to do with their time than fuck around searching for drivers on some poorly designed manufacturer website".
The more data that gets sent to microsoft, the harder it becomes to manage. Someone should figure out a way to send them Junk data with wrong version numbers. Windows 3.11 running IE 6.0... that'll leave them scratching there heads.
Has anybody actually read the policy? If you read it it doesn't really sound like they've done anything they said they wouldn't.
Here in Holland (I don't know the laws in the rest of the world too well) any contract that you sign which contains clauses that are illegal, is null and void. Any statement of MS having the right to download anything off MY computer would seem to me totally illegal and would probably void the whole EULA. ;-)
I did read the EULA of the Dutch version of Win2K SP3 completely and never found any clause that would allow them to download anything off my PC without my consent.
Sadly I'm stuck with Windows since I cant (yet) afford a mac to run Adobe apps on. When oh when will Linux/FreeBSD/X get decent colour management and ports of proper graphics apps like Illustrator, Photoshop and InDesign??? The GIMP is a nice toy, but it's hardly of any use for print production work. And KIllustrator and the like are simply a laugh too for any real work.. The Linux/BSD vs. Windows ratio is now 4:1 in the favor of the free, but I'd like to get rid of Windows altogether. Give me my killer graphics apps!! I'll even pay for them!
Saving up for that Mac in the mean time..
Learn from the mistakes of others. There isn't enough time to make them all yourself.
so this person with a so precious time should think twice before buying products from a company with such a "poorly designed website" or that don't ship a version of the drive with the product
-- SouNerd.com
According to the (full) article, Windows Update sends a list of hardware installed on your system, but not a list of software. Version numbers for Windows stuff, like IE, are sent, but not any info about other software on your compouter.
To provide you with the best possible service, Windows Update also tracks and records how many unique machines visit its site and whether the download and installation of specific updates succeeded or failed. In order to do this, the Windows operating system generates a Globally Unique Identifier (GUID) that is stored on your computer to uniquely identify it. The GUID does not contain any personally identifiable information and cannot be used to identify you. Windows Update records the GUID of the computer that attempted the download, the ID of the item that you attempted to download and install, and the configuration information listed above.
Yes, we don't not track you.
Tell that to the Melissa author, and some number of other people who's GUID was used to identify them. Even if you aren't a criminal, this could be misused in so many ways.
Despite loving many Microsoft products and the line of NT OS'es, I wouldn't trust Microsoft as far as I could throw them.
You cow-orker was right.
Now, look here, there's no need to be mean.
-Waldo Jaquith
Why doesn't some enterprising individual simply monitor Microsoft's various OS's for updates and then link to the downloadables? Of course, it would be possible for MS to remove downloadables but then this really causes frustration for those who are maintaining systems that cannot access windowsupdate.com. I'm not sure that they could do it - they'd have to install spyware in the actual patches. But then we could configure the firewall to block everything MS.
Or we could all just get Mac's. I'm almost there, unless someone can put together a KDE or Gnome with some usable functionality (like device management and system configuration in ONE GODDAMMED FUCKING LOCATION).
Apple!!!! Bring OSX to X86 and we will make it worth your while!
Life is the leading cause of death in America.
Even if the poorly designed manufacturer's website is the only one with the working driver?
I had a bad experience along those lines with the Windows Update site, where a particular sound driver (I forget which, at the moment) from them would not work with my hardware, where the one from the manufacturer's website did.
All I want is a kind word, a warm bed and unlimited power.
I am running Win 3.11 with IE 6.0 and what you're suggesting will interfere with my support!
And I quote:
Full article can be found here.
Comment removed based on user account deletion
Comment removed based on user account deletion
The Devil came to Redmond, looking for some souls to steal,
and there he met with Billy G, who was just about to make a deal.
Said the Devil, "Hey Billy, you look bored, would you care to make a bet?"
And Billy he smiled slyly, and said "Dude, there ain't a deal that I've missed yet."
So the Devil took his keyboard and showed Billy his new game,
Saying "I wrote this quick, in VB6, now see if you can do the same."
Billy G, he just smiled his smile, and took the keyboard away,
and said, "Devil, you're behind the times, and you clicked on the EULA,
"Now you've run Windows Update, and your soul belongs to me."
And the Devil knew he'd met his match, so he turned and tried to flee,
But Billy G was much to fast, and he caught the Devil's long black cape,
Saying, "Devil, stay and play a while, we have a whole wide world to rape."
Sig for sale or rent. One previous user. Inquire within.
First of all, the example data sent is available free, as one poster above already listed. There's no software described there other than Windows itself.
Second, the System Info Schema, as posted by another above, is pretty explicit about what registry keys are available to be sent, and it's pretty tame.
Frankly, I have no problem letting them know exactly what hardware I've got running. How can they harm me there? Perhaps a malicious hacker could grab this data and find ways to abuse my network card? Pretty slim.
Call me too open, if you will, but I'd be happy if it would let me know about other MS updates, such as Office, without having to also visit MS' office site. Update those automatically? Never. But it's much less convenient than the Windows Update site.
I greatly doubted that it would be sending large quantities of personal data, because it just doesn't take that long. The ones to worry about are the virus scanners, that take the time to examine every freakin' file.
In summary:
Design for Use, not Construction!
But why send a complete list of all of the programs on the computer? Why not send "Windows 98 SE, IE 6.0," and a few things that windows update can actually help with, and not that I am using the WordPerfect suite and not MSOffice (quick, apply the "SlowWordPerfect() operation! and the MakeMozillaCrawl() one two!)
I know it's a bit of paranoia, but I'd rather them not know what I've got running at all, but I'll let them know what MS software I have because that's what I'm getting fixes for.
"Giving money and power to government is like giving whiskey and car keys to teenage boys" P. J. O'Rourke
There are a lot of people in this thread that realize that WU does NOT send a list of all software installed, but they are being drowned out by the highly rated comments about the evils of MS. The "software list" is actually a list of drivers installed, which is fine, because MS will post updated drivers for you to download. It should also be noted that one of the articles posted is from the Inquirer, the same people who predicted hell on earth in y2k, and believe in tinfoil hats.
"No one likes working in a hamster wheel, and your shop smells of cedar shavings from here." - TaleSpinner
HKEY_LOCAL_MACHINE\Software\IllegalMicrosoftStuff\ BillGatesVISAnumber\8605412399653153
h Da te\2003.06.21
.... hey, why not have some fun with it? q:]
HKEY_LOCAL_MACHINE\Software\MSKillerVirus\Launc
HKEY_LOCAL_MACHINE\Software\Linux\"format c:\; install Linux"
MadCow.
I used to have a sig, but I set it free and it never came back.
(Last Updated 10/15/2002)
Windows Update is committed to protecting your privacy. To provide you with the appropriate list of updates, Windows Update must collect a certain amount of configuration information from your computer. None of this configuration information can be used to identify you. This information includes:
Operating-system version number
Internet Explorer version number
Version numbers of other software for which Windows Update provides updates
Plug and Play ID numbers of hardware devices
Region and Language setting
The configuration information collected is used only to determine the appropriate updates and to generate aggregate statistics. Windows Update does not collect your name, address, e-mail address, or any other form of personally identifiable information.
Windows Update also collects the Product ID and Product Key to confirm that you are running a validly licensed copy of Windows. A validly licensed copy of Windows ensures that you will receive on-going updates from Windows Update. The Product ID and Product Key are not retained beyond the end of the Windows Update session.
Maybe you should verify the information before automatically declaring "Microsoft is evil" to any and all anti-Microsoft posts.
I like my women how I like my sugar.. granulated.
Secondly, there's no way I can believe that ms would acquire your data and subsequently throw it away. None. They are gathering stats and keeping them.
I use the Update Agent in RedHat almost on a daily basis - the RH Network knows absolutely everything about my setup (programs, modules, etc.) right down to what version of the Kernel I'm running - that way they can inform me of vulnerabilities and problems that I'm probably susceptible to as soon as there's an update available...it's a "good thing".
Why is it that when Microsoft does this kind of thing, suddenly there's a more sinister motive behind it all?
I don't hear anyone complaining about Redhat's privacy policies...
There are still solutions that allow no meaningful information to be sent. For example, why not have the client just ask for new updates since a given date and cache the rest? That took me all of about 15 seconds to think up and would result in far less bandwidth use than sending the user every upgrade applicable to her system every time she connects.
Either 1) privacy is just not a factor for the folks at all or 2) they want the data for other uses. Most likely it's the former, but the fact that the makers of the 95% market share OS don't care enough about privacy to make it even a small concern when designing systems like this is Really Scary, maybe scarier than them purposefully collecting my data, because at least then there's the possibility that they'll be careful with my data once they've got it.
Life's far too short to use IE.
-B
Ash and Hickory, straight-grained and true, make excellent bludgeons, dandy for the cudgeling of vegetarians.
http://www.microsoft.com/downloads/search.aspx?dis playlang=en
-B
Ash and Hickory, straight-grained and true, make excellent bludgeons, dandy for the cudgeling of vegetarians.
First of all, nowhere in either article does it say that Windows Update is sent info on what software you have installed. The payper view article mentions that it does send hardware info, though. But we knew that via both the EULA, and the fact that this is the intended purpose, to update drivers for hardware and OS patches.
Don't believe the alarmist titles to articles. Do you all fall into this trap with the evening news as well? "Tune in for the Radon discover that just might save your familyu's life."
I know that you guys are smarter than this. Use your brains.
what? what I thought we were in the trust tree in the nest, were we not?
As explained by Russ Cooper of NTBugTraq in a lengthy rant on Tax Day of 2002, Windows Update is a horrible piece of crap. He followed it with another lengthy rant about what he thinks Microsoft should be doing instead of Windows Update.
In the meantime, while downloads are large (~1.5MB), the XML package you get for HFNETCHK searches your system for proper file versions and remains the most reliable way to ensure your system is properly patched. Unfortunately, the best tool for checking your patch state (HFNETCHK) doesn't help you download the patches you need. It does identify the MS security alert addressed and even the KB article, but it's not painless. MBSA gets you one step closer by actually having the URL of the KB article, but it's not as painless as downloading updates via Windows Update (when WU properly identifies your patches).
Anybody who's used the atrociously-bad Automatic Update Service will know that it doesn't cover many important software updates and neither does Windows Update. In fact, if you use all three products, you'll frequently find that each product identifies a different set of patches that are required, and usually, none of them list all the patches identified by the others.
What I've found is that HFNETCHK actually identifies truly critical patches, while Windows Update improperly identifies non-critical updates as being critical. For instance, it tells you that installing Internet Explorer 6.0 SP1 is critical (even when you're running a fully-patched IE 5.5SP2) or even worse, it tells you that a patch meant to improve functionality of using a non-IE default browser is critical.
Sorry, but as much as I hate MS and as much as I prefer Mozilla to IE for my own browsing needs (and even though it works better), I don't make it my default browser anywhere, especially on servers, so this update is hardly critical.
In short, while sysadmins at least have a chance to stay fully-patched these days--unlike the days before Code Red--MS still has incredibly shoddy patch management tools, incredibly inconsistent patch installation mechanisms and still takes liberties with customer data it shouldn't need to take.
If Microsoft ever gets serious about patch management, they'll have a common tool that sysadmins can use to patch any and all of their MS software with a common interface and no unnecessary transmission of system-specific data to MS. Is that too much to ask? Apparently.