Slashdot Mirror


Microsoft WGA Phones Home Even When Told No

Aviran writes "When you start WGA setup and get to the license agreement page but decided NOT to install the highly controversial WGA component and cancel the installation, the setup program will send information stored in your registry and the fact that you chose not to install WGA back to Microsoft's servers."

30 of 403 comments

  1. Re:time to modify the hosts file by $RANDOMLUSER · · Score: 4, Informative

    Or use a firewall that checks egress, too. I use one, and find that RealPlayer and Adobe Reader also phone home even when you tell them not to.

    --
    No folly is more costly than the folly of intolerant idealism. - Winston Churchill
  2. Re:time to modify the hosts file by ColinPL · · Score: 1, Informative

    0.0.0.0 genuine.microsoft.com
    is better, because 127.0.0.1 redirects the request to a local webserver.

  3. Easy enough to deal with by KC7GR · · Score: 3, Informative

    From the image in TFA, it looks like they're sending back the Windows version code, and the installation-unique CSID, along with some other stuff that I didn't recognize.

    There didn't appear to be any identification of the specific user in there.

    It seems to me that it would be easy enough to determine what port WGA is using to send this stuff, and lock down said port at one's firewall. That's the method I'd choose to deal with it (if I were even running anything with WGA installed -- which, thankfully, I'm not).

    --

    Bruce Lane, KC7GR,

    Blue Feather Technologies

  4. Doesn't work by alexhs · · Score: 5, Informative

    Seems you haven't read the past story about MS bypassing HOSTS file for microsoft sites.

    --
    I have discovered a truly marvelous proof of killer sig, which this margin is too narrow to contain.
    1. Re:Doesn't work by billcopc · · Score: 2, Informative

      I have to agree with you, the first thing most decently smart people do when their computer acts wonky is update their malware scanner(s) and OS. It is trivial for any malware to finagle with the HOSTS file on a Windows system, which is hidden in such a dumb obscure place (C:\winnt\system32\drivers\etc), a far cry from the self-explanatory /etc/hosts of every other goddamned OS on the planet.

      Anyway as I was saying, once a virus takes over the HOSTS file, it could fool the common user into downloading malicious "updates". If someone put a little effort into it, they could use McAfee/Symantec's auto-update feature to replace the scanner with a 100% evil application that merely simulates the scanner's interface. The user points it to his/her/its sensitive files and lets the dumb app chug away for hours.. rather than scanning for viruses, it could be compressing and shipping off confidential data over the net.

      While it may seem like just another entry vector to vulnerable machines, it's actually far more dangerous than most security holes because it has the potential to impersonate trusted hosts and exploit that trust to full effect.

      --
      -Billco, Fnarg.com
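A defender's check for the hosts-file approach debated in comments 2 and 4 above, added here as an example and not part of any post: it parses hosts entries and compares each sinkholed name against what the resolver actually returns, so a block that the stack silently ignores shows up as "bypassed". The hosts text is constructed; `system_resolver` uses the real `socket.getaddrinfo`, and any other callable with the same shape can be substituted.

```python
import socket
from typing import Callable, Dict, List

# Constructed sample hosts file in the style discussed in the thread.
# 0.0.0.0 is used rather than 127.0.0.1 so a blocked name does not land
# on a local web server (the point made in comment 2).
SAMPLE_HOSTS = """\
# blocked phone-home endpoints (constructed example)
0.0.0.0   genuine.microsoft.com
0.0.0.0   example-phonehome.invalid   # trailing comment
127.0.0.1 localhost
"""

# Loopback names that are not blocks and should not be reported on.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost"}


def parse_hosts(text: str) -> Dict[str, str]:
    """Map each hostname in a hosts file to its address.
    Handles comments, blank lines and several names on one line."""
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        addr, names = parts[0], parts[1:]
        for name in names:
            table[name.lower()] = addr
    return table


def system_resolver(name: str) -> List[str]:
    """Resolve through the OS; a normal stack consults the hosts file first."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def check_blocks(hosts: Dict[str, str], resolve: Callable[[str], List[str]],
                 sinkholes=("0.0.0.0", "127.0.0.1")) -> Dict[str, str]:
    """For every sinkholed name, report whether the resolver honours the block.
    Returns name -> 'blocked' | 'bypassed' | 'unresolved'."""
    report: Dict[str, str] = {}
    for name, addr in hosts.items():
        if addr not in sinkholes or name in LOOPBACK_NAMES:
            continue
        answers = resolve(name)
        if not answers:
            report[name] = "unresolved"
        elif answers == [addr]:
            report[name] = "blocked"
        else:
            # A real address came back: the hosts entry was ignored, which is
            # the bypass behaviour comment 4 warns about.
            report[name] = "bypassed"
    return report


if __name__ == "__main__":
    for name, status in check_blocks(parse_hosts(SAMPLE_HOSTS), system_resolver).items():
        print(f"{name:30} {status}")
```

Run it against the machine's real hosts file (read the file instead of `SAMPLE_HOSTS`) to confirm each sinkhole entry is actually in effect before relying on it as a control.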
  5. Re:the route your kids take to school, of course by DarthChris · · Score: 5, Informative

    Interesting you say it's slashdotted because I can read it fine.

    It's very light on details, however. There is a screenshot from wordpad of the data sent; it's an XML-type document which appears to have pulled a couple of id/hash numbers out of the system registry, e.g. OS version, but no personal info. They can't really get any personal info anyway, since data protection laws here in the UK and other countries would land them in shite, and also I suspect that they have more important things to do than snoop random people's names.

    Personally, I think that they're just trying to get an idea of the number of people who won't install it. These people either have pirate copies and know they'll fail validation, or simply are opposed to the idea of their OS phoning home. From a cynical viewpoint, it's important for MS to gauge the reaction to this early so they know how far they can push these sorts of thing without there being a massive backlash.

    --
    Don't you just hate it when people reply to your signature?
  6. Re:Gibberish by gigne · · Score: 4, Informative

    I have no idea, but it looks like some sort of unique id.

    An image from the now-slashdotted page is here; it shows what gets sent to MS:

    http://img266.imageshack.us/my.php?image=wgahp5.png

    --
    Signature v3.0, now with 42% less memory usage.
  7. Re:Like the GPL? by Knuckles · · Score: 5, Informative

    AC said: "Have you ever tried to read the GPL?"

    The GPL is not a consumer product license. In order to use the software you don't even have to agree to the GPL. Only if you distribute are you bound by its terms, and software distribution is a complicated topic.
    Even so, when you compare it to proprietary EULAs, the GPL is entirely readable in its main parts. Furthermore, the GPL is not written in caps as most EULAs are (IMHO this obvious attempt at obfuscation alone should make EULAs unenforceable).

    --
    "When I first heard Daydream Nation it quite frankly scared the living shit out of me." -- Matthew Stearns
  8. Re:Gibberish by TubeSteak · · Score: 2, Informative

    http://www.heise-security.co.uk/news/86294

    There's an English-language article about the same packet dump.
    Some of the data is encrypted; some of it is just acronyms you don't know.

    --
    [Fuck Beta]
    o0t!
  9. Re:Like the GPL? by mrchaotica · · Score: 4, Informative
    1. The GPL is much more understandable than any Microsoft EULA
    2. The GPL is a distribution license. If you're doing anything that causes it to apply to you, you're no longer an "average consumer!"
    --

    "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

  10. Re:time to modify the hosts file by Technician · · Score: 2, Informative

    Anybody do installs without a network connected? I wouldn't install any MS OS with a broadband connection live. Is the program silent then? Does it complain that it can't find your connection? MS assumes everyone is online.

    Back when Optical Mice first hit the scene, I picked up a MS optical mouse for a machine I was building on my coffee table. I loaded the driver and the install stalled and nagged me because it could not find my network connection. Please configure up your networking or start your dialer...without a mouse driver installed! I wonder to this day if the software would have informed me that it was attempting to phone home if it did find a connection. That mouse got put back in the package and passed along to some other sucker. I would rather throw the brand new mouse away than permit that driver on my system. The lack of a configured network connection is probably the only way I would have discovered that the mouse driver phones home. I've stuck with Logitech mice since then for that very reason.

    With several Linux distros being easy to install and use, when WGA came out, I stopped MS upgrades and started moving to Linux. Love my Ubuntu box.

    Anybody tried a WGA refusal with the network disconnected? Does it nag for a connection?

    --
    The truth shall set you free!
  11. Re:What it really does... by Iphtashu+Fitz · · Score: 1, Informative

    Probably got modded as a troll by somebody who works at/for Microsoft.

  12. Re:time to modify the hosts file by holdenholden · · Score: 2, Informative

    Add an entry in your (hardware) firewall or router. Most modern routers allow "Block by URL" and "Block by IP" for outgoing connections.

  13. Re:time to modify the hosts file by Isotopian · · Score: 2, Informative

    Try DD-WRT. I use it and love it.

    --

    It's poetry with a beat behind it! And guns! They're like beatniks with automatic weapons.

  14. Report this to "StopBadware.org" by Animats · · Score: 5, Informative

    This should be reported to "StopBadware.org". StopBadware.org's definition of badware requires prior consent to send personally identifiable information to a site. This should be enough to put WGA on the Badware list.

    Google is now flagging sites that have been identified by StopBadware.

    StopBadware is run by law professors from Harvard and Oxford, with assistance from Consumer Reports. StopBadware is effective. They complained about the Jessica Simpson screensaver, which installed spyware in May 2006. The makers of that didn't listen. In October of 2006, a US federal judge shut that outfit down.

  15. Re:Like the GPL? by SirTalon42 · · Score: 4, Informative

    Um... No. The GPL doesn't take away your rights to distribute a closed source program. You can distribute them all the time. But if you link against a GPL program/lib THEN distribute your program/lib, you would have to follow the GPL. If you don't accept the GPL you have to follow normal copyright law, which means you can't distribute it REGARDLESS of your license if you link against it.

    The GPL is NOT limiting anyone's rights beyond copyright law; you might say it's more limiting than the LGPL or modified BSD, but you can't say it's more restrictive than no license at all.

    Also an EULA is an agreement the end user is supposed to agree to to be able to use the software, the GPL is a copyright license that a distributor must agree to to be legally able to distribute any program that includes/links against GPL code.

  16. Re:Like the GPL? by Zonk+(troll) · · Score: 3, Informative

    The GPL gives you a right you would otherwise not have. That is, redistributing and modifying the software. All it asks in return is that you give others the same freedoms you received yourself. This is in contrast to the BSD license which would allow you to profit off of the work of others without giving back and denying everyone else the freedom you received. The GPL gives everyone more freedom.

    --
    "The Federal Reserve is a fraudulent system."--Lew Rockwell
    End The FED. -
  17. Re:Like the GPL? by Knuckles · · Score: 2, Informative
    But from a developer's perspective, the GPL takes away the right to distribute closed-source programs if you, in any way, use an GPL'd product.

    Stop the obvious trolling. For the record:
    • If you use a GPL'd product, it does not influence your rights to distribute your closed-source program in any way. Or do you think IBM cannot distribute AIX because some web guy they employ edited a photo in the Gimp?
    • Even if you include GPL'ed code in your proprietary software and distribute the result, no court will take away your distribution rights immediately, unless the vast majority of your code is actually infringing. The usual course of action is to remove the infringing parts, or to negotiate a license with the owner of the GPL'ed code.
    Just read up on the cases where companies were found infringing.
    --
    "When I first heard Daydream Nation it quite frankly scared the living shit out of me." -- Matthew Stearns
  18. Re:So? by ari_j · · Score: 2, Informative

    The difference is that you can directly install a new, fully patched version of Apache. You can't directly install a fully patched version of Windows. Instead, you have to install what you have on CD, which will at best be the most recent service pack not including patches released since then but is more typically an older service pack or the original version of the OS, and then patch it while it is running. When I install, for instance, Debian's 'stable' distribution, I have the option of doing so using packages from the internet, which means that there is never a point at which my system is running an old or known-insecure version of any piece of software.

  19. Well by Anonymous Coward · · Score: 2, Informative

    At least they send out the CPU ID. So they know how many copies you owned and how many you've installed. For example, I am sure lots of us already experienced when XP tries to reinstall on other machines, hardware configuration changes will lead to re-entering the 20 digit serial. If it fails (WGA), you just have to call in Microsoft to get a new code. I did that several times already. It seems like WGA did keep track on serial and your CPU ID that is hardcoded into your CPU. That way they know how many copies of Windows you have, which machine you've installed, and which you've tried to reinstall.

  20. Re:Like the GPL? by Ph33r+th3+g(O)at · · Score: 3, Informative
    It does no such thing. It declines to grant (not takes away, because you never had it) the right to incorporate GPL'd software into your proprietary, closed-source software. The GPL, in so many words, says "If you want to run this program, that's great. If you want to modify it, close it, and sell it, tough shit - WRITE YOUR OWN CODE."

    Comparing that with software that's sold usurping the "right" to call home by means of an obfuscated EULA is the height of disingenuousness.

    --
    I too have felt the cold finger of injustice.
  21. You're just a little bit TOO cynical by cbreaker · · Score: 4, Informative

    You could look at it that way, but I think that's kinda a warped view of the GPL.

    BSD license is all well and good, but if it wasn't for the GPL there wouldn't be so many people involved in development of GPL software. Your view does have some merit, but not because of selfishness. Novell doesn't want Microsoft to take their code, put it in Windows, and blast Novell away again. Red Hat doesn't want IBM to secretly switch AIX to all Linux code, and sell it for a mint, and never give anything back. So, that's understood, and everyone can feel free to develop the code base without worrying about it. Your payment for being able to use everyone else's work (and saving a lot of money by doing so) is to also release your improvements to everyone else. So your PROFIT is the improvements you get back on the code you wrote.

    It should be noted that the big companies pushing Linux actually do turn a bit of a profit, in terms of cash.

    The GPL *is* about supporting the community. If a piece of software is community developed, that same community (as well as anyone that uses it) really wants the software to improve. If ACME Corporation wants to use the software in their product, because it would be a LOT cheaper than developing in-house, they'll take it, improve it, and package it with their product. In the meantime, they'll also make their improvements available to everyone else. That's their payment for saving millions in licensing or development. How is this selfish?

    If you don't want to release your code under the GPL, then simply don't. If you don't LIKE the GPL, then don't use GPL code, it's as simple as that. Or, are you pissed that you can't just do whatever you want with someone else's work?

    The GPL, in fact, does allow a lot more freedom for the code you write than general copyright laws allow for. It's obviously a lot more open than closed-source. Why must you compare it to the BSD license? (Extra Points: If the BSD License worked so well, why did it take the GPL to bring open source software to the forefront? Explain and cite references.)

    --
    - It's not the Macs I hate. It's Digg users. -
  22. Original article by juct · · Score: 2, Informative

    You might want to read the original article "WGA notification just doesn't stop" by heise Security instead of the gibberish Google translation of the German version ;-).

  23. Re:Like the GPL? by Knuckles · · Score: 2, Informative
    You should quote the whole sentence:

    Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted ...
    --
    "When I first heard Daydream Nation it quite frankly scared the living shit out of me." -- Matthew Stearns
  24. Re:time to modify the hosts file by jackbird · · Score: 2, Informative

    And both are left in a cloud of dust by Foxit.

  25. Re:time to modify the hosts file by LazyBoyWrangler · · Score: 2, Informative

    Microsoft ignores the hosts file for Microsoft addresses - they are hard coded in the TCP/IP stack. If you read Slashdot you'd know this.

  26. Re:on a related note by AK+Marc · · Score: 4, Informative

    So, you're saying Microsoft has some secret way for its OS to phone home without a driver for the ethernet card?

    Yeah, it's called NE2000. Almost all cards support it. If you don't have the drivers for a card, you can usually force Windows to use generic NE2000 drivers and the card will work. But if it can't identify the card, or identifies it and doesn't have drivers, then it will tell you that it can't install it, even when it knows it can use it just fine with the generic drivers. So yes, I do think it quite plausible that Windows can use a NIC it does not have drivers for. But I wouldn't call NE2000 a secret.

  27. Re:Gibberish by Ciggy · · Score: 5, Informative

    In the UK, at least, it would appear to be in breach of Section 1 of the Computer Misuse Act 1990:

    1 -- (1) A person is guilty of an offence if --
    (a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer;
    (b) the access he intends to secure is unauthorised; and
    (c) he knows at the time he causes the computer to perform the function that that is the case.

    The data sent home is noted by (a). As the user has expressly not agreed to the WGA EULA, unauthorised access is noted by (b) and (c) - in particular (c) as there was no agreement to the EULA; assuming of course that the data sent home is that which would be sent home IFF the EULA had been agreed and WGA installed.

    As an aside, the Sony rootkit that installed something even when the EULA or whatever was declined was probably in breach of Section 3 of the same Act - doing "...any act which causes an unauthorised modification of the contents of any computer..." - those discs weren't sold in the UK?

    The question is who is the responsible entity for a company: they have programmers that have written the code that does the unauthorised access (are they responsible), or is it their managers (who defined the specs) or the company as a whole (the directors)?

    --

    A rose by any other name would smell as sweet;
    A chrysanthemum by any other name would be easier to spell
  28. Re:on a related note by jjeffries · · Score: 2, Informative

    Did that IP resemble 169.254.x.x by any chance?

    No, it was a valid, unused rfc1918 address in the correct subnet. MAC address was the one on the card in the computer in question.

    My home shorewall box correctly drops 169.254.x.x made-up addresses, and my ISP does not forward traffic from IPs not assigned to it. I know, I configure the routers.

    But really there's no point trying to find technical explanations when the obvious one is at hand - you can't read a sniffer trace for shit.

    Having the ability to install Ethereal does not magically confer on you the ability to interpret the results correctly.

    tcpdump, actually. I know what I saw, and I get to practice my sniffing skills on several hundred DSL & T1 subscribers daily. :)

    And I agree with the ne2000 thing, I think it was a card that worked with the ne2k-pci driver on linux (an old linksys maybe?)

    anyway, creepy and very real.

  29. Re:Gibberish by Samah · · Score: 2, Informative

    I'm assuming it sends this info when you click "No"?
    This is why on a fresh install I never plug my network cable in until all that crap is disabled.

    --
    Homonyms are fun!
    You're driving your car, but they're riding their bikes there.