Slashdot Mirror
Microsoft WGA Phones Home Even When Told No
Aviran writes "When you start WGA setup and get to the license agreement page but decided NOT to install the highly controversial WGA component and cancel the installation, the setup program will send information stored in your registry and the fact that you choose not to install WGA back to Microsoft's servers."
Anyone have any insight what exactly they're sending back?
probably all the apps information. naysayer, meet the Business Software Association, also known down around the docks as "the muscle."
can't RTFA because they're slashdotted already.
if this is supposed to be a new economy, how come they still want my old fashioned money?
notepad %windir%\system32\drivers\etc\hosts
127.0.0.1 genuine.microsoft.com
Who is general failure, and why is he reading my hard drive?
Ethics. If you choose not to install something, it shouldn't do anything.
Yay, I believe RMS's essay on treacherous computing may apply here. Not to start an argument over RMS and his stance with open source and free software. But i believe we should all have the right if you use windows to know what they are sending. I use gnu/linux so i really don't affect me much.
... Now you're going to tell me that all Microsoft is in business for is to make money. You're ruining a perfectly good fantasy. Thanks a lot!
Take your mod and shove it!
You chose to install the Windows Update ActiveX control, didn't you? And you clicked "I agree" when it told you it could send this info to Microsoft, didn't you? So why would you be angry when it does exactly that? Perhaps people need to read the licensing agreements they agree to before agreeing to them, instead of just clicking "yes, I agree" like a madman.
Slow Down, Cowboy! It's been 60 minutes since you last successfully posted a comment.
From the image in TFA, it looks like they're sending back the Windows version code, and the installation-unique CSID, along with some other stuff that I didn't recognize.
There didn't appear to be any identification of the specific user in there.
It seems to me that it would be easy enough to determine what port WGA is using to send this stuff, and lock down said port at one's firewall. That's the method I'd choose to deal with it (if I were even running anything with WGA installed -- which, thankfully, I'm not).
Bruce Lane, KC7GR,
Blue Feather Technologies
Seems you haven't read the past story about MS bypassing HOSTS file for microsoft sites.
I have discovered a truly marvelous proof of killer sig, which this margin is too narrow to contain.
While many think this is bad and invasion of privacy, think of it as this:
when we normally click "I DONT Agree" the software does nothing. But if it sends the message back home with statistics of how many dont agree, it tells the software company some people dont agree.
We can argue EULA's till our fingers are raw and bloody, but it doesnt matter if the company in question doesnt read the conversations.
In short, by clicking the Dont agree button and having it sent home to MS we're telling them we dont want that crap on our machines. Maybe (deity willing) MS will start to listen. More companies may adopt that approach and we'll get less and less one sided (retarded) EULA's.
anyone Remember Borland's |"like a book" EULA? Great stuff.
This is kinda old, but some years ago my neighbor got a new Win ME (!!!) machine, and I helped him put in a NIC and put it on our little neighborhood network. I was curious if it was going to phone home, so I had a sniffer running on my router...
The damn thing picked/guessed a valid (NATted) IP address, netmask, and gateway without using DHCP (arp tricks?), and sent a load of mystery packets to an address in a Microsoft IP block. Only then did the computer do the "new device detected" routine, but could not find a driver for the NIC and I had to go fetch one on another machine.
W T F ?
Unfortunately I have since lost the pcap dump.
Moderation: -1, no proof
Ya, that would fix it. Maybe, just maybe, some of us don't have an army of lawyers at our disposal to determine if what we're clicking on really means what we think it means. It seems to me that it is unethical to have a consumer product license that is unreadable/unparsable to an average consumer. The "madman" here would be anyone who thought that such nonsense was an enforceable contract.
I am not a crackpot.
Do you really think the people who wrote the kernel can't get around all that ZoneAlarm silliness if they want to? They already ignore the hosts file and such for *.microsoft.com.
Sounds like a perfect place to use MS speech recgonition:
Computer: "Where do you want to go today?"
You: "Nowhere."
C: "I heard 'Microsoft Validation Site'. Is this correct?"
Y: "No!"
C: "I'm sorry. I heard 'Dear aunt, let's set so double the killer delete all'. Is this correct?"
Y: "NO!!"
C: "I understand. So 'Microsoft Validation Site' was correct. Redirecting now. Thank you for using My Microsoft Live Enterprise Genuine Advantage Ultimate. Have a nice day."
You posted a short, one word post with no information content and an inane question in order to get first post. Mods love to bitchslap anyone who does this.
The question "So?" is redundant because it doesn't need to be asked. If you feel this isn't an important issue, explain why you think it isn't important.
Software that sends personal information about you back to its master when you say you don't want to install it is generally considered spyware.
I see your "So?" and raise you a "Because!"
- None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
it is unethical to have a consumer product license that is unreadable/unparsable to an average consumer.
Oh my fucking god.
Have you ever tried to read the GPL?
You chose to install the Windows Update ActiveX control, didn't you? And you clicked "I agree" when it told you it could send this info to Microsoft, didn't you?
Why yes, I did. And yes, I did agree.
So now, explain what that has to do with me telling WGA to not install, and not agreeing to allow it to send this information, and it sending it anyway. You are aware that contracts do have limits and only apply to the particular transaction, right? If I buy two cars from a dealership and agree to pay $300/mo for one and $200/mo for the other, the dealership cannot bill me $600/mo while claiming that my agreement to pay $300/mo covers both cars, as you seem to claim that my agreement to allow WU to send information to microsoft overrides my disagreement for WGA to do the same.
Yeah, and?
The world's burning. Moped Jesus spotted on I50. Details at 11.
You chose to install the Windows Update ActiveX control, didn't you? And you clicked "I agree" when it told you it could send this info to Microsoft, didn't you? So why would you be angry when it does exactly that? Perhaps people need to read the licensing agreements they agree to before agreeing to them, instead of just clicking "yes, I agree" like a madman.
Okay, despite your trollish comments, I'll bite.
1. WGA != Windows Update. RTFA.
2. Has the validity of an EULA ever been tested? AFAIK, an EULA cannot violate your privacy rights, even if you sign those away. Argue as you like, statute always trumps contracts.
3. Microsoft releases an OS that's broken and tells you the only way they'll fix it is if you'll subject yourself to their privacy terms. Not freaking cool. My copy of Windows is paid for, but that doesn't mean I want them invading my privacy.
Ever installed XP without any service packs? Do you know how many minutes it takes before the machine is pwn3d? IMO that's not a functional OS any more.
Ever tried getting that refund from your hardware manufacturer for the part of your purchase that went to Microsoft? It's a freaking pain in the arse, and one where you have to usually drag a vendor to small claims court to get your money.
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
Nice response....
Plus, on this occasion I thought "So?" was a reasonable response too.
It's not sending personal information, so I'm assuming it's tracking pirated keys stats or something, for which you can't really blame Them (ooh no, not Them!).
But it's good to bash MS anyway...
I can understand people not wanting WGA on their PC-s as it can cause issues on legitimate installations as well, in certain situations.
But sending back a little XML that you denied the EULA? Don't you detect hypocrisy here. You send your "identification" in the form of IP, browser user agent string and what not to virtually any site you visit, without "agreeing" to this every time. Why is nobody whining about this?
Having privacy and right to deny something is cool. But I think some of the most vocal opposition is simply using pirated Windows and not being honest about it.
I don't install WGA on existing (legit) computers as it doesn't help me with anything. I don't have any problem with Microsoft getting my "no" back though. In fact, I *want* them to hear my no.
This should be reported to "StopBadware.org". StopBadware.org's definition of badware requires prior consent to send personally identifiable information to a site. This should be enough to put WGA on the Badware list.
Google is now flagging sites that have been identified by StopBadware.
StopBadware is run by law professors from Harvard and Oxford, with assistance from Consumer Reports. StopBadware is effective. They complained about the Jessica Simpson screensaver, which installed spyware in May 2006. The makers of that didn't listen. In October of 2006, a US federal judge shut that outfit down.
That would be true if it was just a message saying "Someone said no". But it doesn't. It includes a variety of information to uniquely identify the machine.
"That's ok, it's not personally identifiable" you say? Well, indeed it does not contain your name, address, phone number, bank account details and gender preferences directly in the message, no. But all it takes is for the user at some point to provide their personal details to Microsoft or any affiliates of Microsoft, or vendors with suitably worded contracts with Microsoft, using some program that also sends the machine's unique ID, and now you can match someone to the computer. Not just in future, but with all anonymous (or so you thought) dealings with Microsoft in the past.
Sign up for MS Passport? Register for an IE beta? Your personal details could easily have been sent along with your machine's unique ID, and now any other information stored by MS for that unique ID can be matched up with your personal information.
Delist them from the market.
If you really want to punish them, revoke their corporate status.
Is it just my observation, or are there way too many stupid people in the world?
The difference is that you can directly install a new, fully patched version of Apache. You can't directly install a fully patched version of Windows. Instead, you have to install what you have on CD, which will at best be the most recent service pack not including patches released since then but is more typically an older service pack or the original version of the OS, and then patch it while it is running. When I install, for instance, Debian's 'stable' distribution, I have the option of doing so using packages from the internet, which means that there is never a point at which my system is running an old or known-insecure version of any piece of software.
It seems to me that it is unethical to have a consumer product license that is unreadable/unparsable to an average consumer. The "madman" here would be anyone who thought that such nonsense was an enforceable contract.
;)
The problem here is that courts have ruled on this in the past... At least in Canada, if you have the ability to read you can read the terms of the contract yourself or pay a lawyer to explain it to you.
Not being able to understand a contract is not grounds to get a contract thrown out...
Although like someone else has pointed out, the EULA in Canada is untested yet. I'd tell microsoft to lick my balls if they ever waved an EULA in my face. Hell they can lick my balls anyway
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
At least they send out the cpu ID. So they know how many copies you owned and how many you've installed. For example, I am sure lots of us already experienced when XP trys to reinstall on other machines, hardware configuration changes will lead to re-enter the 20 digits serial. If it fails (WGA), you just have to call in Microsoft to get a new code. I did that several times already. It seens like WGA did keep track on serial and your CPU ID that hardcoded into your cpu. That way they know how many copies of windows you have. which machine you've installed, and which you've tried to reinstalled.
i've noticed that whenever i try to upgrade to SP2/etc on a new install of XP, it will fail if any other PC using the same CD key is online at that moment. but once i unplug the other PCs, the upgrade works fine.
assuming this isnt a fluke, that really frightmens me, the fact that MS knows when any of my PCs are online.
You could look at it that way, but I think that's kinda a warped view of the GPL.
BSD license is all well and good, but if it wasn't for the GPL there wouldn't be so many people involved in development of GPL software. Your view does have some merit, but not because of selfishness. Novell doesn't want Microsoft to take their code, put it in Windows, and blast Novell away again. Red Hat doesn't want IBM to secretly switch AIX to all Linux code, and sell it for a mint, and never give anything back. So, that's understood, and everyone can feel free to develop the code base without worrying about it. Your payment for being able to use everyone else's work (and saving a lot of money by doing so) is to also release your improvements to everyone else. So your PROFIT is the improvements you get back on the code you wrote.
It should be noted that the big companies pushing Linux actually do turn a bit of a profit, in terms of cash.
The GPL *is* about supporting the community. If a piece of software is community developed, that same community (as well as anyone that uses it) really wants the software to improve. If ACME Corporation wants to use the software in their product, because it would be a LOT cheaper then developing in-house, they'll take it, improve it, and package it with their product. In the meantime, they'll also make their improvements available to everyone else. That's their payment for saving millions in licensing or development. How is this selfish?
If you don't want to release your code under the GPL, then simply don't. If you don't LIKE the GPL, then don't use GPL code, it's as simple as that. Or, are you pissed that you can't just do whatever you want with someone else's work?
The GPL, in fact, does allow a lot more freedom for the code you write then general copyright laws allow for. It's obviously a lot more open then closed-source. Why must you compare it to the BSD license? (Extra Points: If the BSD License worked so well, why did it take the GPL to bring open source software to the forefront? Explain and cite references.)
- It's not the Macs I hate. It's Digg users. -
Isn't WGA validation required to download non-security updates off of the Microsoft website? Meaning if you refuse to run WGA you are not allowed to download non-security updates? Shouldn't your refusal to run WGA send a "user refuses to run WGA" notification to the website so that it does not allow you to download those non-security updates (you have 4 states that need to be tracked: "new" machine [send user to download WGA stuff], user refuses WGA [tell user they can't download xyz because WGA was refused], user passed WGA [let user download stuff], user failed WGA [send user to priracy reporting site])?
Where's the fire here?
You might want to read the original article WGA notification just doesn't stop by heise Security instead of the gibberish google translation of the german version ;-).
MS owns the software, you do not. It is what you agreed to. MS has always done this and will continue to do more. If they stop in one place it will pop up again. The simple fact is, there is truth in saying that you are owned. Whether it is is by MS or by a cracker (from any number of avenues on the windows platform), you are till owned.
I prefer the "u" in honour as it seems to be missing these days.
Their active x control installation has nothing to do with the WGN installation and the cancellation of it. The "activex" control is just the tool that allows them to invoke the WGA process. Even if you agreed to install it, you didn't agree to let Microsoft (via the cancellation of the installation of a different program) send information about your computer back to their location. When you choose to cancel you choose to NOT allow them to collect and redirect that info to their location. That's the purpose of cancellation.
The use of WGA/WGN is a violation of your privacy and it is similar to a police action. Your computer is an extension of your home and to allow Microsoft to put WGN on your computer is akin to allowing them to put a camera into your home to monitor you. Just because they don't get any physical pictures doesn't mean the process isn't the same.
This is a non-governmental private entity taking a police action against you, even tho you are a legal owner of the product, by monitoring your computer (hence your home). The purpose of the WGA/WGN is to collect information in order for Microsoft to update their database. Everyone knows this deep down. The more of these records they have the easier it is for them to identify pirates. It is unethical to collect that when tell them that you do not want them to make you a participant.
If they collect information without you giving them permission in advance then they are in violation of several state's laws. Microsoft has been sued in both WA and CA over this being spyware. When they collect information even if you so no, it is doing the same thing as a spyware program is doing--sending information about you without your knowledge.
You people need to get it through your heads that your computer is an extension of your HOME. Period. No ifs, ands, or buts. That's what your computer is. Microsoft is not entitled to do anything that is not explicitly permissible under law just because they are the OS. Keep in mind that Microsoft is the type of organization that will continue to do this sort of thing until they are told to stop. You tell them to stop by asking your Congressman and Senators to put and end to this sort of behavior. Write letters to them and let them know you are unhappy. They'll get the message.
Microsoft is the kind of company that knows they have all kinds of cash to throw at lawsuits, etc., and they even have money for fines. But when there are laws enacted that send these people to jail then it will stop.
They are invading your home. Do you really want to allow them to do this? Even the police can't enter your home and monitor your activities without a warrant from a court of law signed by a judge.
You can lead a man with reason but you can't make him think.
All this is conjecture, but this is what I'm guessing the elements in the ID block are.
UGD: Not sure. Looks like a UUID.
HDSLN: Hard disk serial
USID: User security identifier (id of logged in user, Microsoft can tell if you're any of the default SIDs like Administrator)
CSID: Computer security identifier
So Microsoft can tell whether you're an admin or not, they know the unique ID of the computer (CSID), your account if you aren't "Administrator" and - perhaps - the hard disk. If UGD turns out to be something that is unique to each individual copy of Windows, then all the people who've ripped it off could find life inconvenient in the future. I'm not sure what the tracking implications are, it depends how many Microsoft products report the HD serial or USID to them.
I AM a mod, you insensitive clod!
Screw the rules, I have green hair!
Why do you people bother talking about how evil the WGA is? It's been known for a while now that Microsoft is reaching far beyond its moral limits to prevent piracy, so why even bother to whine. Switch to some other systems (pick your own poison) and forget that MS even exists. Don't like their attitude, don't like their spyware, then don't take it. Sitting around and complaining how much they suck does no good because it encourages them. You talk about WGA and they know people are paying attention, they know that their product is impacting you, and since you've already been branded a thief in their eyes, they now see you as whining about a product that locks you our of your PC. Sure, for most geeks, this is a blatant lie but remember that Windows was not made solely for the technically-savvy. Pick up the pieces and move on, choose your own path, your own operating system. Don't just let MS win!
"When did I realize I was God? Well, I was praying and I suddenly realized I was talking to myself." ~ Jack Gurney