Microsoft WGA Phones Home Even When Told No
Aviran writes "When you start WGA setup and get to the license agreement page but decide NOT to install the highly controversial WGA component and cancel the installation, the setup program will send information stored in your registry and the fact that you chose not to install WGA back to Microsoft's servers."
So?
Anyone have any insight what exactly they're sending back?
probably all the apps information. naysayer, meet the Business Software Association, also known down around the docks as "the muscle."
can't RTFA because they're slashdotted already.
if this is supposed to be a new economy, how come they still want my old fashioned money?
notepad %windir%\system32\drivers\etc\hosts
127.0.0.1 genuine.microsoft.com
Who is general failure, and why is he reading my hard drive?
Doesn't that make it spyware? I'm sure there's something about it in the license agreement to make it legal. Boy that does suck.
It actually uploads an entire bit-for-bit copy of your hard drive so that MS investigators can perform a forensic analysis on it and determine exactly what MS software you have installed illegally since not installing WGA is an implicit admission of guilt. You can expect to be arrested by the MS Police within a few days of declining to install WGA if you have any pirated MS software on your machine.
The English version of the Heise article is at: http://64.233.179.104/translate_c?hl=en&langpair=de%7Cen&u=http://www.heise-security.co.uk/news/86294
Yay, I believe RMS's essay on treacherous computing may apply here. Not to start an argument over RMS and his stance with open source and free software. But I believe we should all have the right, if you use Windows, to know what they are sending. I use GNU/Linux so it really doesn't affect me much.
... Now you're going to tell me that all Microsoft is in business for is to make money. You're ruining a perfectly good fantasy. Thanks a lot!
Take your mod and shove it!
Use Zone Alarm or other free firewall, problem solved.
Libertarian Leaning Political Discussion Forum.
From the image in TFA, it looks like they're sending back the Windows version code, and the installation-unique CSID, along with some other stuff that I didn't recognize.
There didn't appear to be any identification of the specific user in there.
It seems to me that it would be easy enough to determine what port WGA is using to send this stuff, and lock down said port at one's firewall. That's the method I'd choose to deal with it (if I were even running anything with WGA installed -- which, thankfully, I'm not).
Bruce Lane, KC7GR,
Blue Feather Technologies
It matters because it could give them justification to pursue an investigation along the lines of "Well, if they are innocent, why not prove it? So, they must be hiding something. knock knock knock - Microsoft Police."
Seems you haven't read the past story about MS bypassing HOSTS file for microsoft sites.
I have discovered a truly marvelous proof of killer sig, which this margin is too narrow to contain.
While many think this is bad and invasion of privacy, think of it as this:
When we normally click "I DON'T Agree" the software does nothing. But if it sends the message back home with statistics of how many don't agree, it tells the software company some people don't agree.
We can argue EULAs till our fingers are raw and bloody, but it doesn't matter if the company in question doesn't read the conversations.
In short, by clicking the Don't agree button and having it sent home to MS we're telling them we don't want that crap on our machines. Maybe (deity willing) MS will start to listen. More companies may adopt that approach and we'll get less and less one sided (retarded) EULAs.
Anyone remember Borland's "like a book" EULA? Great stuff.
This is kinda old, but some years ago my neighbor got a new Win ME (!!!) machine, and I helped him put in a NIC and put it on our little neighborhood network. I was curious if it was going to phone home, so I had a sniffer running on my router...
The damn thing picked/guessed a valid (NATted) IP address, netmask, and gateway without using DHCP (arp tricks?), and sent a load of mystery packets to an address in a Microsoft IP block. Only then did the computer do the "new device detected" routine, but could not find a driver for the NIC and I had to go fetch one on another machine.
W T F ?
Unfortunately I have since lost the pcap dump.
Moderation: -1, no proof
.... is it as simple as going to add and remove programs to uninstall the two components for WGA or does it "break" something when you try to uninstall it? Or worse, does it leave anything behind?
This is my opinion. To make sure you don't steal it, it's covered by the DMCA.
"Those who want to protect themselves from unsolicited data transfers can do so, for instance, by using an application-based firewall that detects and blocks the attempted contact."
Really? You really want to keep using the OS that is doing things against your wishes? This kind of advice is ridiculous. Get a different OS, quickly.
Obviously if you refuse a "Genuine Advantage" you must be up to no good.
Sounds like a perfect place to use MS speech recognition:
Computer: "Where do you want to go today?"
You: "Nowhere."
C: "I heard 'Microsoft Validation Site'. Is this correct?"
Y: "No!"
C: "I'm sorry. I heard 'Dear aunt, let's set so double the killer delete all'. Is this correct?"
Y: "NO!!"
C: "I understand. So 'Microsoft Validation Site' was correct. Redirecting now. Thank you for using My Microsoft Live Enterprise Genuine Advantage Ultimate. Have a nice day."
It won't from my network.
I am no lawyer, but this seems very similar if not the same as wiretapping. The user, quite explicitly, doesn't want to even have the software installed on his/her computer, let alone have his information (the information stored in the registry is private) sent to a company or individual.
Maybe I am just not used to spyware (never had a piece of spyware installed on any of my computers) so I am still quite allergic to this stuff. But no matter how I look at this issue, I am outraged.
"The agriculture ministry is not in charge of Gundam" - Japanese ministry official.
it is unethical to have a consumer product license that is unreadable/unparsable to an average consumer.
Oh my fucking god.
Have you ever tried to read the GPL?
Are you getting the picture yet? Powerful organisations (and politicians) really CAN and DO get away with anything they want. Microsoft is a prime example. I'll be very surprised if they ever get in any serious trouble for this (and no, for MS, a multi-million-dollar fine is not "serious trouble", it's a slap on the wrist. A $10,000,000 fine wouldn't hurt them. A $10,000,000,000 fine... maybe, yes).
With spending like this, exactly what are "conservatives" conserving?
Or use a firewall that checks egress, too.
How does a firewall check female herons?
That is what an egress is, right?
- None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
The masses are not concerned with treachery, privacy, liberty and other high-browed virtues. Give them a full belly and a reality TV show and they are happy. Take away XP and substitute Vista and they will buy Vista.
Engineering is the art of compromise.
I have an older version of Kerio's firewall and most recent "phone home" applications do so on port 80. Older apps use custom ports. Kerio's product is very good in this way.
I'm not sure why this is an issue _now_. It's been this way for years starting with Microsoft's MSI installers that phone home to certificate servers and certificate revocation list servers. I have screenshots to prove it should there be any doubt. It should be obvious by now they are slowly paving the way to a PC with their OS that is mostly like an Xbox.
Given the Microsoft fan boys/astroturfers typically don't post on stories where there is no opportunity to spin the story in a manner that enhances their image, I'm probably preaching to the choir when I state this is another reason users should choose another OS. Today.
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
I can understand people not wanting WGA on their PCs as it can cause issues on legitimate installations as well, in certain situations.
But sending back a little XML that you denied the EULA? Don't you detect hypocrisy here? You send your "identification" in the form of IP, browser user agent string and what not to virtually any site you visit, without "agreeing" to this every time. Why is nobody whining about this?
Having privacy and right to deny something is cool. But I think some of the most vocal opposition is simply using pirated Windows and not being honest about it.
I don't install WGA on existing (legit) computers as it doesn't help me with anything. I don't have any problem with Microsoft getting my "no" back though. In fact, I *want* them to hear my no.
CGI overload message. this means server fart under load.
if this is supposed to be a new economy, how come they still want my old fashioned money?
When I get a FUCKING UPDATE on a piece of software, I have to agree to a *new* EULA. What a choice! Keeps bugs and security holes, or click "agree".
Anyway, here in Canada, an EULA is non-binding (in theory, nobody has the money to test this in court) because you have to pay before being able to read the contract.
This should be reported to "StopBadware.org". StopBadware.org's definition of badware requires prior consent to send personally identifiable information to a site. This should be enough to put WGA on the Badware list.
Google is now flagging sites that have been identified by StopBadware.
StopBadware is run by law professors from Harvard and Oxford, with assistance from Consumer Reports. StopBadware is effective. They complained about the Jessica Simpson screensaver, which installed spyware in May 2006. The makers of that didn't listen. In October of 2006, a US federal judge shut that outfit down.
Surprised? No. Scared? Not really. Laughing? A lot.
brian botkiller "Condensing fact from the vapor of nuance" - Neal Stephenson, Snow Crash
"It is trivial for any malware to finagle with the HOSTS file on a Windows system, which is hidden in such a dumb obscure place (C:\winnt\system32\drivers\etc), a far cry from the self-explanatory /etc/hosts of every other goddamned OS on the planet."
/etc/hosts self-explanatory? It only makes sense to people who already know *nix. Everybody else would have to look it up, just like they'd have to look up the windows one.
Exactly why is this something that bothers you? If you're savvy enough to know what the HOSTS file is, then you'll know how to go about finding it. Like, say, a search on google or wikipedia. Or bringing up the XP help and support centre and typing "hosts file" in the search box. Name resolution comes up as the second of two topics, right after "glossary".
Why is
With the wonderful array of problems that Microsoft presents you have many opportunities to nitpick about valid issues. This complaint is silly.
do you not understand (to be an oxymoron)?
dave
I'm no software guru but if you just firewall www.microsoft.com, won't it be a cure for all your problems?
Tough times don't last... Tough People last forever....
What more can I say?
If you don't consider things such as your
HDSLN = Hard Drive SeriaL Number
"personal info"
That would be true if it was just a message saying "Someone said no". But it doesn't. It includes a variety of information to uniquely identify the machine.
"That's ok, it's not personally identifiable" you say? Well, indeed it does not contain your name, address, phone number, bank account details and gender preferences directly in the message, no. But all it takes is for the user at some point to provide their personal details to Microsoft or any affiliates of Microsoft, or vendors with suitably worded contracts with Microsoft, using some program that also sends the machine's unique ID, and now you can match someone to the computer. Not just in future, but with all anonymous (or so you thought) dealings with Microsoft in the past.
Sign up for MS Passport? Register for an IE beta? Your personal details could easily have been sent along with your machine's unique ID, and now any other information stored by MS for that unique ID can be matched up with your personal information.
Delist them from the market.
If you really want to punish them, revoke their corporate status.
Is it just my observation, or are there way too many stupid people in the world?
Well, they obviously get the sending IP address, so how about a reverse hostname lookup on the IP address to determine that it's a "Global 2000" company? Perhaps this information could be used as "evidence" to incite an invasion^H^H^H^H^H^H^H^H audit?
https://jamiesonbecker.com
http://www.google.com/translate?u=http%3A%2F%2Fwww.heise.de%2Fnewsticker%2Fmeldung%2F85884&langpair=de%7Cen&hl=en&ie=UTF8
You are no lawyer, and are speculating wildly.
Does anybody know if the Microsoft Baseline Security Analyzer (Windows Update without WGA) sends the same kind of information to Microsoft?
At least they send out the CPU ID. So they know how many copies you own and how many you've installed. For example, I am sure lots of us have already experienced this: when XP tries to reinstall on other machines, hardware configuration changes will lead to re-entering the 20 digit serial. If it fails (WGA), you just have to call in to Microsoft to get a new code. I did that several times already. It seems like WGA did keep track of the serial and your CPU ID that is hardcoded into your CPU. That way they know how many copies of Windows you have, which machines you've installed on, and which you've tried to reinstall on.
surprised me!
this is an applet that photo guys care about. it lets you set up color profiling (color managed workflow) on 2 diff monitors on a single video card (assuming dual LUT engines). this is the only way to get 2 color profiles installed, one per display.
damned thing tried to connect to M$ when I booted and had komodo firewall installed.
I added 'never allow' to the list - but still - this is going WAY too far.
(similarly, I'm building a home theater pc and there is a lot of software that seems to 'want' a net connection even if it makes no real sense in that application. sigh.)
--
"It is now safe to switch off your computer."
But in all honesty, RealPlayer is just your fault for letting that shit on your system. My Windows-loving, open-source-mocking friends actually discovered VLC before I did, and one of the reasons they tell me is "RealPlayer behaves like a virus."
Don't thank God, thank a doctor!
I've noticed that whenever I try to upgrade to SP2/etc. on a new install of XP, it will fail if any other PC using the same CD key is online at that moment. But once I unplug the other PCs, the upgrade works fine.
Assuming this isn't a fluke, that really frightens me, the fact that MS knows when any of my PCs are online.
This deserves a "duh" I reckon.
I always pull the ethernet plug and disable wi-fi if I know there's activation built in. Can't trust these buggers.
I haven't watched "The Corporation", but nevertheless I too think that "they're out to make money" should _not_ be a wildcard excuse for everything. Making money is good and fine, but ultimately it's just the incentive we give some people to make them work better for the benefit of society as a whole. Briefly it's a means, not an end.
Turning that on its head and making the means sacrosanct, even at the expense of acting against the very purpose it was supposed to serve... well, is as stupid as forgetting which is means and which is end in the army's using weapons. We let them use weapons to defend us all, not as a means in and by itself. If any army started shooting random people on the street just because they think the whole purpose is to use their guns, you'd probably have no problem understanding why that's contrary to the whole purpose of that army. But when a corporation does the same swapping of means and ends, half the population seems to just assume that, sure, if it's for the purpose of making money _of_ _course_ it's normal to cheat, lie and worse.
A polar bear is a cartesian bear after a coordinate transform.
P.C. Phone Home
This is really the kicker.
Why the hell would Microsoft want the Hard Drive Serial Number just to indicate that someone didn't want to install WGA?
What possible use could that information have in connection with why someone refused WGA - except to be able to IDENTIFY that machine in the future for some OTHER nefarious reason? Obviously Microsoft expects ANYONE who refuses WGA to be intending to use a fake Windows key in the future, if not now.
In other words, Microsoft is TAGGING EVERYONE who refuses WGA as a potential pirate well in advance of their being so - or their being so at all.
I mean, how much more obvious does it get?
They may not be identifying YOU personally - but they are definitely identifying your MACHINE individually.
Which is pretty much the same thing depending on what ELSE they have done or may do in the future.
People need to realize what utter ASSHOLES the management who runs Microsoft ARE. These guys make the jerks at Enron look like Orphan Annie.
And STUPID to boot! I mean, no matter WHAT they've done over the years, they STILL have millions of pirate copies running around. So they spend all this effort dreaming up new activation and detection methods - for what? It's all been an utter waste of everybody's time! Windows Vista has had its activation cracked within a few months despite all their efforts.
Way to go, Bill, you paranoid, greed-sucking moron!
Why not try concentrating on producing an OS that doesn't FUCKING SUCK rather than worrying about nailing down every goddamn dime from everybody's pockets?
If the goddamn OS didn't cost $500 - and wasn't an illegal monopoly to boot - there wouldn't BE that many pirates out there. Not that it matters. Bill doesn't care about "pirates" - he just wants control of everybody's money regardless. He's not trying to prevent "pirates" - he's trying to nail down control of each and every individual customer so as to make sure that customer pays him every single dime HE thinks he's OWED by the world.
"You hobbyists steal your software."
That's Bill's defining mantra.
Get this asshole out of business. Now, please.
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
You could look at it that way, but I think that's kinda a warped view of the GPL.
BSD license is all well and good, but if it wasn't for the GPL there wouldn't be so many people involved in development of GPL software. Your view does have some merit, but not because of selfishness. Novell doesn't want Microsoft to take their code, put it in Windows, and blast Novell away again. Red Hat doesn't want IBM to secretly switch AIX to all Linux code, and sell it for a mint, and never give anything back. So, that's understood, and everyone can feel free to develop the code base without worrying about it. Your payment for being able to use everyone else's work (and saving a lot of money by doing so) is to also release your improvements to everyone else. So your PROFIT is the improvements you get back on the code you wrote.
It should be noted that the big companies pushing Linux actually do turn a bit of a profit, in terms of cash.
The GPL *is* about supporting the community. If a piece of software is community developed, that same community (as well as anyone that uses it) really wants the software to improve. If ACME Corporation wants to use the software in their product, because it would be a LOT cheaper than developing in-house, they'll take it, improve it, and package it with their product. In the meantime, they'll also make their improvements available to everyone else. That's their payment for saving millions in licensing or development. How is this selfish?
If you don't want to release your code under the GPL, then simply don't. If you don't LIKE the GPL, then don't use GPL code, it's as simple as that. Or, are you pissed that you can't just do whatever you want with someone else's work?
The GPL, in fact, does allow a lot more freedom for the code you write than general copyright laws allow for. It's obviously a lot more open than closed-source. Why must you compare it to the BSD license? (Extra Points: If the BSD License worked so well, why did it take the GPL to bring open source software to the forefront? Explain and cite references.)
- It's not the Macs I hate. It's Digg users. -
It's not like someone tied you up and said "run windows you stupid fucker" and held you at knife point and made you bleed yourself to death if you didn't authorize WGA to run.
Isn't WGA validation required to download non-security updates off of the Microsoft website? Meaning if you refuse to run WGA you are not allowed to download non-security updates? Shouldn't your refusal to run WGA send a "user refuses to run WGA" notification to the website so that it does not allow you to download those non-security updates (you have 4 states that need to be tracked: "new" machine [send user to download WGA stuff], user refuses WGA [tell user they can't download xyz because WGA was refused], user passed WGA [let user download stuff], user failed WGA [send user to piracy reporting site])?
Where's the fire here?
You might want to read the original article "WGA notification just doesn't stop" by heise Security instead of the gibberish Google translation of the German version ;-).
(if I were even running anything with WGA installed -- which, thankfully, I'm not).
The Linux Genuine Advantage (and possibly Apple as well) is that there is no WGA!
MS owns the software, you do not. It is what you agreed to. MS has always done this and will continue to do more. If they stop in one place it will pop up again. The simple fact is, there is truth in saying that you are owned. Whether it is by MS or by a cracker (from any number of avenues on the Windows platform), you are still owned.
I prefer the "u" in honour as it seems to be missing these days.
If you don't agree with M$ WGA, why choose to install the WGA update(s)?
I understand some may have auto updates configured to install automatically and are choosing 'no' to the EULA as a way to abort the install.
However, updates can be configured so that an end user can choose which updates are installed during the update process.
"...1. WGA != Windows Update. RTFA...." WGA = Windows Genuine Advantage...RTFA! RTFA = Read The Fucking Acronyms
All this is conjecture, but this is what I'm guessing the elements in the ID block are.
UGD: Not sure. Looks like a UUID.
HDSLN: Hard disk serial
USID: User security identifier (id of logged in user, Microsoft can tell if you're any of the default SIDs like Administrator)
CSID: Computer security identifier
So Microsoft can tell whether you're an admin or not, they know the unique ID of the computer (CSID), your account if you aren't "Administrator" and - perhaps - the hard disk. If UGD turns out to be something that is unique to each individual copy of Windows, then all the people who've ripped it off could find life inconvenient in the future. I'm not sure what the tracking implications are, it depends how many Microsoft products report the HD serial or USID to them.
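Added example, not part of the thread and not Microsoft's code: a sketch of what the fields guessed at above would let a recipient infer, and of the linkage argument made earlier in the thread (one named report makes every other report from the same machine attributable). Only the tag names UGD, HDSLN, USID and CSID come from the thread; the XML layout, the `event` and `name` attributes and every value are constructed.

```python
import xml.etree.ElementTree as ET

ID_FIELDS = ("UGD", "HDSLN", "USID", "CSID")
MACHINE_KEYS = ("HDSLN", "CSID")  # values tied to the disk / the Windows install
# Relative IDs (last SID component) of the built-in local accounts.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest"}

# Constructed SIDs: two machines and one domain (made-up numbers).
_MACHINE_A = "S-1-5-21-1000000001-2000000002-3000000003"
_MACHINE_B = "S-1-5-21-4000000004-500000005-600000006"
_DOMAIN = "S-1-5-21-700000007-800000008-900000009"


def _report(event, ugd, hdsln, usid, csid, name=None):
    """Build one constructed report; the layout is an assumption of this example."""
    name_attr = f' name="{name}"' if name else ""
    return (f'<report event="{event}"{name_attr}><id>'
            f"<UGD>{ugd}</UGD><HDSLN>{hdsln}</HDSLN>"
            f"<USID>{usid}</USID><CSID>{csid}</CSID></id></report>")


SAMPLE_REPORTS = [
    # "Anonymous" decline, sent while logged in as the built-in Administrator.
    _report("eula-declined", "11111111-2222-3333-4444-555555555555",
            "WD-EXAMPLE0001", _MACHINE_A + "-500", _MACHINE_A),
    # Later registration from the same machine, this time carrying a name.
    _report("product-registration", "11111111-2222-3333-4444-555555555555",
            "WD-EXAMPLE0001", _MACHINE_A + "-1003", _MACHINE_A,
            name="A. User (constructed)"),
    # Decline from an unrelated machine, logged in with a domain account.
    _report("eula-declined", "99999999-8888-7777-6666-555555555555",
            "ST-EXAMPLE0002", _DOMAIN + "-1105", _MACHINE_B),
]


def parse_report(xml_text):
    """Extract the event, the optional name and the four ID fields."""
    root = ET.fromstring(xml_text)
    record = {"event": root.get("event"), "name": root.get("name")}
    for field in ID_FIELDS:
        node = root.find(f"./id/{field}")
        record[field] = node.text.strip() if node is not None and node.text else None
    return record


def describe_account(usid, csid):
    """What the user SID reveals once the computer SID is known as well."""
    if not usid:
        return {"rid": None, "local_to_machine": False, "well_known": None}
    prefix, _, last = usid.rpartition("-")
    rid = int(last) if last.isdigit() else None
    return {
        "rid": rid,
        # A local account's SID is the machine SID plus a relative ID.
        "local_to_machine": bool(csid) and prefix == csid,
        "well_known": WELL_KNOWN_RIDS.get(rid),
    }


def linked_names(target, reports):
    """Names from other reports that share a machine identifier with target."""
    names = set()
    for other in reports:
        if other is target or not other["name"]:
            continue
        if any(target[k] and target[k] == other[k] for k in MACHINE_KEYS):
            names.add(other["name"])
    return sorted(names)


def analyse(xml_reports=SAMPLE_REPORTS):
    reports = [parse_report(x) for x in xml_reports]
    return [{"event": r["event"],
             "account": describe_account(r["USID"], r["CSID"]),
             "linked_names": linked_names(r, reports)} for r in reports]


if __name__ == "__main__":
    for row in analyse():
        print(row)
```

The first row is the nameless decline report, yet it resolves to the constructed name through the shared HDSLN and CSID; the third machine shares neither and stays unlinked.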
I believe that doesn't actually work. The addresses for Microsoft's update servers are hard coded elsewhere in the system. See this story for a brief overview.
Don't tailgate - the end is near!
No. There is an ActiveX control that checks for a file or registry control VIA WGA. If it can't FIND WGA, it says "Would you like WGA? You need it to install this, you know!"; if it finds it, whatever WGA discovered is reported and then it's more or less "Your copy may be stolen! Oh No!" or "Have a nice day."
Why do you people bother talking about how evil the WGA is? It's been known for a while now that Microsoft is reaching far beyond its moral limits to prevent piracy, so why even bother to whine. Switch to some other systems (pick your own poison) and forget that MS even exists. Don't like their attitude, don't like their spyware, then don't take it. Sitting around and complaining how much they suck does no good because it encourages them. You talk about WGA and they know people are paying attention, they know that their product is impacting you, and since you've already been branded a thief in their eyes, they now see you as whining about a product that locks you out of your PC. Sure, for most geeks, this is a blatant lie but remember that Windows was not made solely for the technically-savvy. Pick up the pieces and move on, choose your own path, your own operating system. Don't just let MS win!
"When did I realize I was God? Well, I was praying and I suddenly realized I was talking to myself." ~ Jack Gurney
Online Genuine Advantage checks do not appear to be related to the WGAnotify app (yet) that is being pushed as an automatic critical app. I know my organisation's PCs are valid, as they're running the VLK assigned to my organisation, and they pass genuine advantage checks on the MS website despite refusing the latest WGANotify update. I see no need to install an application whose sole purpose is to pop up nag screens on those computers that are determined to be invalid by Microsoft's super-secret formulae. I've had several perfectly valid installs fail the old wganotify check (OEM installs only ever used on their original PC), including one on the same VLK, so frankly I'm not letting it near anything I control if I can help it.
They better make damn sure people are copyright infringers before accusing them of it, because WGA so far has done a pretty piss poor job of it with false-negatives all over the shop.
Remember kids, it's all fun and games until someone commits wholesale galactic genocide.
..SHOCKED that Microsoft would fuck their customers up the ass in a brazen act of utter contempt. Who would have thought it?
I bought a used laptop at a computer show and was promised that even though the restore disc was a copy the S/N was good. So first thing I did was update to SP2 and no dice due to WGA. Called the store, which is in Queens NY, and was told to deal with it, no refund, the Windows is fine and I'll get all updates via automatic updates. WGA even told me the serial used was a corporate serial that is no longer valid. You can't get IE7 or Media 10 without passing WGA either.
Instead of the MS police knocking down the door it gave me a form to fill out and send to them with a copy of the receipt - gave the guy one more chance to make good before sending it in and after a colorful exchange mailed it.
Sure enough I got a new serial to activate. Funny but if I wanted an actual disc I have to pay, the copy will work fine I hope.
Funny thing is I just really wanted a discount for not having Windows since I'll probably run Fedora or pref. FreeBSD but haven't heard how it works on a laptop hardware-wise yet? This weekend I'll be playing.
I wonder if this would fall into the realm of NOT protecting privacy, similar to the prono guy who tried to wipe out his browser cache. You've said NO you don't want it GA installed, and it STILL sends stuff home.
The other aspect is that having a machine CPUID and even a disk drive ID, and perhaps a NIC card, your account name, etc it would be a PERFECT cache of data for law enforcement to want for the purpose of determine whether or not you WERE on the net grabbing RIAA sensitive data or pron.
Can you imagine surfing on someone's wireless connection, and it's calling home with info all the time? It would seem to me to be a sure fire way to determine whether someone is really downloading copyrighted stuff or can use the "someone else used my wireless connection" defense.
But if it wasn't under the GPL then they wouldn't have the right to use it anyway. It doesn't take away any rights! It adds certain conditional rights, yes, but it doesn't remove any rights that you otherwise would have had. And also it isn't if you "in any way use" something written under GPL, otherwise for example the NVIDIA binary blobs would be breaking the GPL (go ahead and tell me that it isn't using GPL'd 'products' when I install the NVIDIA driver on my debian-based system!).
And honestly, what developer worth his or her salt doesn't understand the GPL enough to make an informed decision on this?
I remember sigs. Oh, a simpler time!
I have always felt, that since MS includes the terms "Microsoft reserves the right to change the terms at any time without prior warning" it also gave me implicit grounds to change the EULA at any time according to my wishes.
/sarcasm off
"***** hereby informs MS that pursuant to changes made to the license that upon termination of said license, all such rights and ownership shall revert to the user ******, any further communication by the former MS products shall be considered an invasive intrusion, and considered to be a criminal computer misuse"
On Fedora Core 5&6, for reasons I cannot determine, bonobo phones google.
You mean like Synaptic on Ubuntu, right?