Slashdot Mirror
Microsoft Sued Over WGA
Hope Thelps writes "The Seattle PI is reporting on a lawsuit being brought against Microsoft in response to their WGA spyware. Groklaw is also covering the story. Although there are a lot of similarities to Sony's rootkit, the actual harm done is less concrete. It'll be interesting to see how this turns out."
Sued by the same moneymonger who sued Sony.
whoopie, M$ loses and donates another $1,000,000.00 worth of software to some high school system or third world country as retribution (at a cost of about 35 cents to the evil empire).
win or lose this will deter Microsoft from using wga to shut down any unlicensed (or otherwise) computers...for a while at least.
I told Windows to download and not install updates, this one installed itself. On another machine I had notify only, and it downloaded and installed this one as well, even rebooted without my approval. It was not a typical update.
"I just only wish there was an alternative..." typed the man in his slashdot repsonse on his Linux workstation.
FLR
How can an official component of Windows be spyware? It's their operating system, they allready own you if you use it. Pull down your pants and get it over with allready.
"If you don't have eyes you shouldn't have wings" -- Carl Pilkington
A Microsoft spokesman, Jim Desler, agreed with the allegations. "Spyware is deceptive software that is installed on a user's computer without the user's consent and has some malicious purpose," Desler said.
Well, actually he claims to have disputed the allegations, but then he said what's quoted above, and finally (to the press corp's horror and astonishment), proceeded to shove his entire foot, ankle, and leg (up to his knee), firmly down his own throat.
Let's break this down:
[x] Deceptive software...check!
[x] Installed without user's consent...check! (Well, basically with as much consent as any other spyware package, so I think there's a good case to be made for this point.)
[x] Malicious purpose...check! It beams data back to the mothership every day and can be used to remotely break the computer. I think that qualifies as "malicious."
So apparently by Microsoft's own admission, WGA is spyware.
I'd personally argue for a more expansive definition of spyware (or malware, or scumware, etc...), but even given the relatively constrained definition proposed by Microsoft itself, WGA seems to qualify.
A: On a pile of money.
In the case of Windows Updates, I would argue that it is even more out of the user's control. For alot of malware, you have to click "yes install" at some point. For Windows Updates, the recommended state is to "automatically download and install in the background." In theory a user could examine each and every update to figure out what they all do, but in practise the actual purpose of each update is heavily obfuscated. Worse yet, in the case of WGA, once you allow it to install (it seems innocent enough at first), it is used against you to force further installations.
Frankly the tactic Microsoft is using in their updates is not ethical. Everyone is told to do their Windows Updates (for security reasons), and Microsoft is exploiting this to slip in some other software that the user does not necessarily need. Worse yet, this software sends back information to Microsoft HQ without user permission. If this does not count as spyware, I don't know what does.
I hope this lawsuit makes Microsoft wake up to the illegitimacy of their tactics.
Hey, at least the Sony rootkit comes with music!... this thing comes with worse: Windows!
A computer once beat me at chess, but it was no match for me at kick boxing.
I've got my machine set to notify only, and it never installed it. I told it not to install it, and it asked if it wanted me to not be shown the update again. I said yes, and it stopped showing it. It only comes back in the update list if there's a new version of WGA - or at least every time it's reappeared, it happened to coincide with a Slashdot story saying MS changed something about WGA.
Call BS on this one.
I would have seen that behavior on one of hundreds of PCs. I have not.
You're either posting for FUD, or your machine isnt' configured how you think it is.
Or the problem is between the keyboard and the chair.
-Malakai
A Dragon Lives in my Garage
1. WGA communicates with Microsoft HQ. The information transferred may or may not be 'sensitive' but this could be considered an invasion of privacy.
2. Any program that uses up system ressources without performing a task explicitly requested by the user is harmful in the sense that it slows down the computer. This is one of the main complaints with spyware/adware: they slow down your computer for no purpose (or at least no purpose that you, the user, are interested in).
3. WGA appears to effectively give someone else (specifically Microsoft) control over your machine (for instance the recently announced "remote shutoff" function). To the user, a program that limits their control of the computer (and gives someone else more control) is harmful. Note that the argument "but Microsoft would only shut off illegitimate versions of Windows" doesn't make any difference. Even if that's true, there is still a loss of control for the user. This is harmful to the user.
To the same extent that any other piece of so-called "spyware" is harmful (installed in a tricky way; sends info back to some company; wastes CPU cycles and disk space; etc.), WGA should also be considered "harmful."
The problem with WGA is that is not an update, security-patch, or feature upgrade. It does *nothing* for the user, and only installs in order to give Microsoft more control/leverage over your machine. From the user perspective, it is a net negative, hence harmful.
I'm sure that I'm not the only one who hates all of the BS you get when you buy a new laptop/desktop. First thing I've always done with my Dell laptops/desktops is format, reinstall xp + linux. However, I got frustrated with the activation when I didn't always internet or the activation insisted i make a 30 minute call to MSFT to get a rediculously long key. Long story short, I used the ever-so-famous corporate copy + key (generated with keygen) even though I have XP Pro COAs on the systems. Now, a few years down the road WGA is going to force me to reinstall--now that I have many important business apps installed. How many others are in the situation of "invalid keys" with legit COA licenses?
Just thought that you guys might wanna know that Microsoft has came up with an article on removing WGA.
w00t
I have Windows update set to download and then prompt before installing. WGA did not auto-install itself. However, the KB900485 update did install itself without prompting. I just found out about it from the shutdown message. One friend said that it also installed without prompting on his computer. I did a search and found that it installed for some other people too.
You forgot the part right after where it sends the key number where it sends a list of applications loaded on your system and your hardware configuration.
What peeves people so much about WGA is that MS pushed it out as a Critical Update, meaning that all machines with Auto Update install it without prompting. It is undeniably not a critical security update and to make matters worse it phones home. After taking some heat, MS then conceded that the installation of WGA will be optional (if by optional you mean selectively blocking some non-critical updates). It's still being pushed, but you don't have to install it. For those of you with your less than legit copies worried about not receiving updates, you can always download third-party update packs if you don't mind a bit of a delay. Not necessarily a bad thing considering that MS has been known for having to patch their patches. I'm not an MS fan, but not a huge hater. Just a strategically stupid time to ramp up WGA after the whole rootkit fiasco. I'm not an MS fan, but not a huge hater. Just a strategicly stupid time to ramp up WGA after the whole rootkit fiasco.
Look everybody wga is NOT SPYWARE. I ran Microsoft Windows AntiSpyware Beta on WGA and it came up CLEAN. So drop it okay?
http://www.firewallleaktester.com/removewga.htm
I CANNOT vouch for the legitimacy of that utility (so scan it first, try it on a staging machine, etc., YMMV, Batteries not included, and all that jazz). I just did a quick search for utilities for removing WGA, but being a Linux user I don't have much use for it myself. There are reviews of it on legitimate sites (for example, PC World) but then they've also unknowingly recommended scumware in the past as well.
The Christian Right is Neither (Christian nor right). See: Matthew 23, Matthew 25, Ezekiel 16:48-50
In other news, Jack Kevorkian sued the developers of the POSIX-compliant 'NUX commandline program "killall", citing that the application didn't really kill "all" the programs on the computer but instead should be renamed to "killnothingbut". This intellectual Advantage(TM) of Kevorkian stemmed from his introduction of the oft'quoted uber-leet commandline tool "kevork" which injects null pointers into the code and data segments of all programs that are non-responsive to the "TERM" and "KILL" flags. Kevorkian was unable for comment on whether this is a closed or open-source application, though it was rumoured by his assistant that it is a simple library replacement with a namely-fassioned symlink to killall that the library determines based at runtime with argv.
Sincerily,
John "kill'em'all" Dahmer
In other words, false positives. Also, doesn't it phone home every day or something? You'd think you'd only need to check once.
Want a high quality FOSS RTS game? Try Warzone 2100!
The thing is my hijacked copy of Windows XP won't even download updates because it has an 'invalid key', so how are they going to deliver the WGA?
It has been eons since I read the EULA, but it basically says that MS owns the systems. That means that they can do whatever they want. OTH, sony or any 3rd party who does not have explicit permission from MS can then be sued. Oddly enough, if MS and Sony had not been fighting over playstation/xbox, MS probably would have given permission.
I prefer the "u" in honour as it seems to be missing these days.
There will be many arguments presented in court to validate both sides to this, but there is an aspect of this that the Microsoft loving trolls here will never admit. This WGA is doing just what a ton of malware/spyware/crapware is doing, which is exactly why Windows can never be secure.
I would be curious to know how many Windows XP users are no longer able to validate their OS. I bought Windows XP Pro OEM when it first came out. 3 motherboards, 3 video cards, 4 harddrives, I forget how many CD/DVD-RW's, and 3 slipstreams, my Windows has been apparently installed on too many computers(?). I am told that this cannot happen, but oh well. I now use Mac and Slackware Linux.
Let's see... I just ran Microsoft Update, then I clicked "Custom". It tells me:
No mention of WGA. So I click "Details" and lo and behold, it's the WGA Validation Tool that I must install. My only option is "Download and Install Now". There is no skip, ignore, anything. So as far as I can tell, in order to continue receiving updates, I must install this spyware. I don't feel that that qualifies as an "optional" install.
............You own Windows
BUT... step back for a second. Forget the fact that they're a mega-conglomerate. Forget the fact that it's some giant company who you think might be out for world domination, one PC at a time.
Instead, I think of it like this:
You create a piece of software (Those of you who say what about "Sourceforge" or "freshmeat", back off for a few minutes... we're not talking OSS right now, we're talking commercial). You want some level of appreciation. You want to make sure that when people pay the $XXX for the software you made (And let's face it, we're talking a BUSINESS here, not a charity - you'll charge however much is possible, to keep it selling and get as much profit as possible).
You also are not a bumbling idiot, you've used emule, bittorrent, google, and astalavista. You are, or know, that "Guy who has everything" for software. You've needed some minor piece of software, and could find / engineer a crack / keygen for it. You get it for free. If you DO have scruples, you know too many who don't.
So you want to protect your software from the evils of "Oh, I can get it for free". Without protection, a couple days and it's spread around the net. You protect it, congratulations, you've bought yourself a week before a serial / crack is released. SO you lock it down good and tight. And hey, if there's something people without scruples love, it's the idea that "They say we can't, so we'll prove them wrong!". Besides, according to crackers / OSS fanatics / the immoral, ALL software should be free, you should be doing this in your spare time, and hoping that you'll get enough donations to live off of if we don't pay for it! (Wait.... they stole the software, but expect the owner to live off of donations, while they're not paying for it anyways?!).
Solution: You use pre-packaged solutions to lock down your software, good and tight. It runs various checks against files for alteration. It might even dial home when run to make sure it's legit, disabling if not. Hell, I'd do it if I wrote still. Does that make you evil? NO! It means you want to protect your investment (Time, effort, energy, money, employees). But somewhere, somebody out there will find a way to defeat it. You've not bought "infinite protection", instead you've bought another month to come up with a better way of protecting your money (Goal here is to delay it as long as possible. Outright prevention is impossible, but delaying is entirely doable).
So you use software to dial home and verify authenticity, check itself and other files to make sure that they're running and not tampered with, restore each other if necessary, and quite possibly re-confirm that they're authentic from the dial home. Does that make you an evil beast who deserves to die? Hell no.
But wait, it's Microsoft. Oh, SCREW THIS! They're too big, make too much money, they're evil! Need to die. Who the hell do they think they are, trying to protect their stuff? They don't need the extra money, I feel good sticking it to them! Imagine, trying to make people pay for their stuff or make people feel bad for having stolen it.
THE NERVE.
the actual harm done is less concrete
Oh yes it is. I don't understand this thinking. Why, "harm" has to mean something really tangible, like breaking a leg or something ? I think not. The harm here does not cause some physically concievable defect - yet. But thing is, they did not tell the people what this WGA does (i.e. calling home every so often), they just told it when some people have found it out. Ok, I know how EULAs work, and how they probably could prove in court that they have every right to change their software as they see fit, still, when it is about using our computers to send _any_ information to _anyplace_ without asking us first, or if not asking then at least telling us about it, is just outrageous. I don't care what they send, I don't care how much or how small amount of information is in it, I don't care who they send it to, it just should not happen without asking us and letting us approve of disapprove the action.
I am putting myself to the fullest possible use, which is all I can think that any conscious entity can ever hope to do.
Hmmm.... I have no pitty for people who use MS software. You've chosen to use that software. You've insisted on it. There are pleanty of open source altrenatives at your fingertips now. So I don't think microsoft should be sued over this. Its their choice as to what they put in their software. If you don't like the updates that microsoft decides to put in their software you have choices. Those choices are turn off windows updates, switch to linux, or buy a Mac. I'm sick of people whining about what microsoft does. Really if you don't like the software don't use it. You'll probably save yourself allot of agrivation and money by doing so. Linux has come a long way. Its not the hard to use OS it once was. In fact its easier to use then ever. It just takes getting use to. But in the end it will do everything windows will do.
True story:
I sometimes use my university's wireless network (whenever I bring my laptop). Since the university's IT lab has no way of knowing who is using what laptop[1], they redirect all initial traffic to a portal where you must log in (using the username + password you use on all other university computer systems). Point being, you get a network connection, but must log in to actually get where you want.
Since I installed WGA[2] (at the point I was rather indifferent to it), every time I use the university's network I get 50 entries in the Application Log (error source: crypt32; description: "Failed auto update retrieval of third-party root list sequence number from: with error: [timeout/server cannot perform operation/error code]"). This happens before I have a chance to log in on the university network, which of course means that my laptop can't yet access said site. More annoying, though, is that svchost -k netsvcs starts eating memory like crazy; peaking at over 90 MBs and then falling down to 70-80 (used to stay at 20-30). This only happens when I use the laptop at the university; at home (where obviously no login is required) the process stays at 20-30 MB.
I personally think that some "advantage" component that, when unable to access some site, causes a process to eat up 3-4 times the memory it usually does, taking up an extra 10% of the computer's physical memory in the process, is rather a DISADVANTAGE. I don't know how much memory spyware typically consumes, so I can't reflect on the comparison between WGA and spyware. 50 MB seems a rather hefty price for failing to communicate with some server, though.
Maybe they should rename it WGD?
[1] I guess a) setting up individual users' connections, including keys, is too much work, b1) collecting MAC addresses is too much work, b2) Joe Average won't be able to figure out his computer's wireless' MAC anyway, and c) there are potential security leaks if wireless cards, or laptops, are stolen/sold to non-university users (both a and b1).
[2] Troubles started at that point. Could be something else, I SUPPOSE, but I think it is unlikely.