Microsoft WGA Phones Home Even When Told No
Aviran writes "When you start WGA setup and get to the license agreement page but decide NOT to install the highly controversial WGA component and cancel the installation, the setup program will send information stored in your registry and the fact that you chose not to install WGA back to Microsoft's servers."
probably all the apps information. naysayer, meet the Business Software Association, also known down around the docks as "the muscle."
can't RTFA because they're slashdotted already.
if this is supposed to be a new economy, how come they still want my old fashioned money?
While many think this is bad and an invasion of privacy, think of it as this:
When we normally click "I DON'T Agree" the software does nothing. But if it sends the message back home with statistics of how many don't agree, it tells the software company some people don't agree.
We can argue EULAs till our fingers are raw and bloody, but it doesn't matter if the company in question doesn't read the conversations.
In short, by clicking the Don't agree button and having it sent home to MS we're telling them we don't want that crap on our machines. Maybe (deity willing) MS will start to listen. More companies may adopt that approach and we'll get less and less one-sided (retarded) EULAs.
Anyone remember Borland's "like a book" EULA? Great stuff.
This is kinda old, but some years ago my neighbor got a new Win ME (!!!) machine, and I helped him put in a NIC and put it on our little neighborhood network. I was curious if it was going to phone home, so I had a sniffer running on my router...
The damn thing picked/guessed a valid (NATted) IP address, netmask, and gateway without using DHCP (arp tricks?), and sent a load of mystery packets to an address in a Microsoft IP block. Only then did the computer do the "new device detected" routine, but could not find a driver for the NIC and I had to go fetch one on another machine.
W T F ?
Unfortunately I have since lost the pcap dump.
Moderation: -1, no proof
and find that RealPlayer and Adobe Reader also phone home
All the old Macromedia studio products also phone home too...
That means Adobe Dreamweaver etc...
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
You chose to install the Windows Update ActiveX control, didn't you? And you clicked "I agree" when it told you it could send this info to Microsoft, didn't you?
Why yes, I did. And yes, I did agree.
So now, explain what that has to do with me telling WGA to not install, and not agreeing to allow it to send this information, and it sending it anyway. You are aware that contracts do have limits and only apply to the particular transaction, right? If I buy two cars from a dealership and agree to pay $300/mo for one and $200/mo for the other, the dealership cannot bill me $600/mo while claiming that my agreement to pay $300/mo covers both cars, as you seem to claim that my agreement to allow WU to send information to Microsoft overrides my disagreement for WGA to do the same.
HDSLN is your Hard Disk SeriaL Number, so no, that's not particularly anonymous, given they could do a join into their WGA Validations database.
In fact, that looks almost exactly like the WGA Validation POST.
Question is, why's it doing it before installation, and even if you declined the WGA EULA? That's not right, and it's quite possibly in breach of regulations. It should just quit in that circumstance.
I've noticed that whenever I try to upgrade to SP2/etc on a new install of XP, it will fail if any other PC using the same CD key is online at that moment. But once I unplug the other PCs, the upgrade works fine.
Assuming this isn't a fluke, that really frightens me, the fact that MS knows when any of my PCs are online.
But how do you know the difference? The GPL concept is familiar enough to most of us even without having read it, but think back to the arguments over GPL2 vs. GPL3. If you can't easily read the license and you don't read Slashdot, the differences between the versions could go unnoticed, and (from what I gathered reading the discussions here) the differences are enough to potentially bite someone who doesn't know them in the ass.
Clear language is necessary for clear communication. It could be argued that licensing language is necessarily esoteric and complex because of the way our legal system has developed, but if that is the case then there should be a layman's summary in the license preamble. If hundreds of slashdotters can concoct concise, accurate summaries in response to every GPL question posted, why not put one in the license itself so people will actually read it and understand what they're getting into? And aren't we geeks supposed to abhor inefficiency? =)
The GPL is used as an example and is not a specific target - I am arguing that all licenses should clearly inform licensees of their effects, and that even a good license can contain gotchas.
Your brain is not a computer.
I'm not trying to pick on you, I've seen something like this said in a couple of places. However, it is simply not true. If it were, then no-one would be able to run the software (as the default in the US is "no rights").
However, it is true that the part of the license that applies to running the software is rather short:
"The act of running the Program is not restricted".
Your point about the GPL being more understandable is bang on though. Perhaps sheer size isn't the best indicator, but the GPL (sans preamble and other unrelated fluff) is only about 2k words long, with a total of 12 clauses. The Microsoft XP (Home) EULA (sans identification info, foreign language versions, etc.) is nearly 4k words long, with a total of 30 numbered and subnumbered clauses and 6 more paragraphs.
At the risk of going back on-topic, I notice that 2.3 and 2.4 give the software the right to "phone home" without notice to you.
Isn't WGA validation required to download non-security updates off of the Microsoft website? Meaning if you refuse to run WGA you are not allowed to download non-security updates? Shouldn't your refusal to run WGA send a "user refuses to run WGA" notification to the website so that it does not allow you to download those non-security updates (you have 4 states that need to be tracked: "new" machine [send user to download WGA stuff], user refuses WGA [tell user they can't download xyz because WGA was refused], user passed WGA [let user download stuff], user failed WGA [send user to piracy reporting site])?
Where's the fire here?
All this is conjecture, but this is what I'm guessing the elements in the ID block are.
UGD: Not sure. Looks like a UUID.
HDSLN: Hard disk serial
USID: User security identifier (id of logged in user, Microsoft can tell if you're any of the default SIDs like Administrator)
CSID: Computer security identifier
So Microsoft can tell whether you're an admin or not, they know the unique ID of the computer (CSID), your account if you aren't "Administrator" and - perhaps - the hard disk. If UGD turns out to be something that is unique to each individual copy of Windows, then all the people who've ripped it off could find life inconvenient in the future. I'm not sure what the tracking implications are, it depends how many Microsoft products report the HD serial or USID to them.