Slashdot Mirror
All Microsoft Updates Phone Home
juct writes "In the wake of heise Security's report on the garrulous WGA Notification, Microsoft has now supplied additional details on the data sent. They have revealed to developers that apparently all updates relay information to the company in Redmond."
you don't go through Microsoft Updates but instead go to their Security Search and manually download each patch?
Since you've never activated WGA, does that mean you're invisible to Microsoft?
We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
That's hardly surprising.
Considering that most of these applications are installed via the windows-update site...
I doubt you could even maintain a session without sending information back to the web-server.
I say: nothing to see here, move along.
Sigs are for the weak.
"When the product IDs and product keys found belong to legal software, Microsoft will delete the data right away; only in cases of suspected software piracy will it store the data, the company has said. In the blog, the company once again explicitly states that it does not use the information gathered to identify or contact users." ...so we are expected to believe (by this wording) that they WILL keep the information relating to illegal installations, but not use it to identify the person using it.
Why does that sound like a lie?
http://wstewart.php0h.com - the sugarbuzz project blog
There really is nothing to see for those who are technically literate to the operation of modern systems. This sort of thing, however, should be included as a sticker on the front of all MS products as the majority of the population probably does not think about the consequences of callbacks. Most consumers, whom I've met, actively avoid products which obviously track their movements unless the product is highly desirable (eg. cellular telephones). Making the reality of callbacks more popularly known would have a definite impact on the decisions which consumers make.
the NPG electrode was replaced with carbon blac
At the bank cashing their checks.
You think you can flee?? You can run, but you can't hide [from M$!]
No sig for now.
*In his best E.T. voice*
P.C. Phone Home
*ahem* I mean.. uhh.. I can understand wanting some information about the machines running one's software, as it helps understand the market and improve upon current design. But SOME of this information seems a bit excessive. Unless one plans to start banning specific pieces of hardware, but that's just evil.
Help me.. somebody please protect me. I'm helpless. Big government.. protect me please
It's been this way for some time. For example, I regularly get outgoing connections when using .msi packaged apps. For an app that has no real reason as it is free for nokia owners this makes no sense to me. They go to a verisign certificate server and then a certificate revocation list.
Older apps used custom ports, nearly all apps I've installed recently do it on port 80. Denying the connection doesn't seem to change anything.
I've got recent screenshots in case anyone is interested. BTW I'm running Kerio personal firewall, which is excellent for this kind of thing.
Got Trader Joe's? friendwich.com RSS feeds work now!
software vendors are firmly locked into the attitude that you, LICENSOR, have no rights other than to buy new stuff when we drop support for the old stuff and design the new stuff to only superficially work with the old stuff.
like, for instance, all of the "cool features" use new runtimes and new features, and none of it is backwards compatible.
so is anybody really surprised here? if the user hash code field they recover is all over the warez circuit, no matter what the EULA says, someday the number of hits on you is going to run over some trigger number in update. at that point, you will run into a block.
had to reinstall windows ME legally on a machine last weekend. got all the critical updates pulled off on IE, and from that point on, update kept returning "thank you, you have a Mac, you can't update here." everything worked fine the next day, and I got the rest of the criticals done.
I can only assume they have all sorts of wonderful blocks and trigger numbers over there, and since they own the software and you own only a cancelled check, it's just tough damn luck.
if this is supposed to be a new economy, how come they still want my old fashioned money?
Oh noes! MS is using teh regis tree infos!
> By learning at what point in the install process some users decide to abandon, we can put more effort into the right places in the installation wizard. Remember our goal with the wizard is to give more information so customers will be better informed. We heard from customers that they wanted more information about what the software was and how it worked so we created the install wizard to provide that greater context. Knowing this kind of information about the install wizard installations is critical for us to continue to improve the customer experience of WGA. If we are not hitting that mark, we can use this method to improve.
By learning at what point in the install process some users decide to say "Fuck this, I didn't sign up for this!", we can put more effort into the right places in the installation wizard. Remember our goal with the wizard is to obfuscate and misdirect so customers will either not know how we're spying on them, or for those who figure it out, at least they won't be able to sue us over it. We heard from customers that they wanted to know what else were doing behind their backs so we created the install wizard to provide us with plausible deniability. Knowing this kind of information about the install wizard installations is critical for us to continue to propagate the viral meme of WGA and other notions, like software as a service, and ultimately the notion of an operating system as a subscription-based service, like we're doing with the Windows Vista self-destruct sequence. If we are not hitting that mark, we can use this method to slowly increase the amount of DRM we've crammed up your ass until you look like the Goatse Guy, and if we do it slowly enough, you'll not only pay us, you'll thank us for the privilege!.
Don't give a shit. Seriously. Do not give a shit. Who has the time anymore to care.
My firewall detects the connections after doing manual installs. I know this because I've got production equipment we can't just let windows auto-update on. Based on my experience, WGA is just one of many apps/updates that phones home.
/.?
Again, it's been this way for quite a while, and the information does not "perfectly" identify you, but each install has it's own signature as far as I can tell so they can deduce who you are pretty quickly.
Why do you care now as opposed to all of the other Microsoft's-evil-OS stories on
Got Trader Joe's? friendwich.com RSS feeds work now!
So I guess it might be a bit sneaky, but it has all been covered by WGA disclosures.
An example of the XML returned when a user cancels an installation is available here, "just to allay any fears that Microsoft is using any personal information".
So ya, I don't think this is a huge deal, nor particularly unexpected.
The next change is Microsoft's privacy policy will allow them to view, copy, alter, or delete any and all data located on a computer running any Microsoft software.
I just wonder why Windows doesn't just phone home the entire contents of the user's drive... and then realize that the only reason that hasn't happened yet, is because storage of this data would be expensive for Microsoft.
I can see MS making WGA a good thing, with some significant changes:
1: Redefine "genuine" to mean a clean copy, with no modifications or tampering. For example, a PGP signature on ISO images.
2: Have WGA do a periodic, fast check for the obvious malware in the process table or RAM.
3: Check for obvious rootkitting while being run. For example, if an unsigned program has hooked the keyboard interrupt. If its a signed program, no biggie. Otherwise, post a dialog, and have an option to ignore the issue in the future.
4: Offer functionality to "vet" install media, so a CD/DVD of a VLK install can be scanned to check if it has not been modified to install malware. This is important, because a lot of install media comes from downloaded images, not physical CD or DVDs.
I don't think anyone would mind a lightweight process that checks for the following (and can be of course be easily turned off.)
It was a combination legitimate question as well as snarky question.
Besides, since I'm on dial-up at home, whatever information is sent must take forever to get to them.
We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
Seeing that Microsoft has done very poorly in correctly determining which installations of Windows are legitimate, how competently can they track legal software?
Funtime Candy Wow! - my plan for eventually conquering Japan.
I wouldn't be surprised at all that M$ has done this. its been in their "security model" for a better part of the last 5 years or so.
what surprises me is that all the folks who haven't realized this are making such a stink (and its been rather public for some time).
anyway, the assumption here is this:
a little paranoia with regards to windows is a good thing. never assume they aren't "watching".
- TMH
Understanding is much like a 3-edged-sword. in this: there are always 2 sides and the truth.
This kind of thing is much less of a concern after removing Windows' network drivers, unplugging the network cable, and configuring the router to lock the MAC address out of the internet completely.
Unfortunately, I've gotten myself into a bit of online gaming lately, so I can't do any of that any more.
TFA: "In the Privacy Statement of Windows Update Microsoft grants itself fairly far-reaching rights. Thus the information collected by the Redmond-based behemoth includes the computer make and model, version information for the operating system, browser, and any other Microsoft software for which updates might be available, Plug&Play ID numbers of hardware devices, region and language setting, Globally Unique Identifier (GUID), Product ID and Product Key, BIOS name, revision number, and revision date"
Kinda sad that we just assume letting vendors capture all this info is part of the game (i.e. necessary to make the update work right). Wrong. When I do "yum upgrade" -- as far as I know -- not a single piece of information about my system goes up the wire. Correct me if I'm wrong.
My turnips listen for the soft cry of your love
Usually you will be forced to download WGA before you can get to other updates -and your new install of Windows XP or Vista will stop booting after about 45-60 days if it has not been validated online. Obviously there are OEM and corporate versions cracked versions which will install without online validation, but the requirement for WGA for software updates is probably still on.
My hope is that is all of these things make running pirated versions of Windows more difficult -particularly in the developing countries where internet connectivity is spotty such that OSS can gain in popularity and use. This could end up being a real win for Linux and other OSS.
cue stories of entire countries running off a single pirated copies of Windows and Office.....
-I'm just sayin'
We're talking about a few thousand bytes of info tops, so you wouldn't really recognize the slowdown.
Got Trader Joe's? friendwich.com RSS feeds work now!
I doubt M$ will want to retain THAT information...
Eternity: will that be smoking, or non-smoking? I Corinthians 6:9-10
Apparently tom brady got his girlfriend knocked up... No, the NEW one. Oh, and OJ Simpson is the father of Anna Nicole Smith's baby... Must be a slow news day.
Yes, my girlfriend is a BitchX
And the next logical step is to control what you can install. But before that, Microsoft will most likely force a developer to buy a microsoft approved cert to "protect their users" and raise income. This of course will be a huge chilling effect for developing new things on a Microsoft OS. Given their monopoly status, it only makes Windows PC's and the apps running on them more expensive to consumers.
It's not spyware. Kerio personal firwall would alert me. It has in the past anyway....
Got Trader Joe's? friendwich.com RSS feeds work now!
MS is really running a P2P network through all its zombies (er, I mean, installs).
Engineering is the art of compromise.
For example, if you are using the Visual Studio 2005 IDE and use the integrated access to the online MSDN documentation, you can copy the URL from the address bar in VS2005 and paste it into firefox. What you'll find, in many cases, is Firefox asking you if you would like to download "HiddenCheck.exe". Though I have not seen this for some time now, I have recently found that there are a few pages in the online MSDN docs that load fine with IE, yet say the "Resource is not available" in Firefox. Of course, while I'm sort-of whining a little, I may as well go on to complain about how several of the MSDN pages only render properly in IE. :-( I can't trust them enough to use their own browser without feeling like I'm being watched, and I can't use an alternative browser in an attempt to try to protect my privacy. Granted, I'm not doing anything wrong, but that feeling of always being watched is enough to make anybody feel uneasy.
The bandwidth costs must be huge.
Libertarian Leaning Political Discussion Forum.
So, I live in the EU. We have rather stronger laws regarding companies holding information on people than you Americans do. I object to this information being collected on me. Whilst I can't stop them collecting it, I CAN force Microsoft to reveal all information they hold about me, after I pay an admin fee of around £10 and it'll cost them far more than that to provide it. One person is nothing, but if a whole bunch of irate people were to start asking for this information - MS would be very unhappy. Now if only EFF Europe or some other organisation would organise a pro-forma, and encourage a mass "ask MS to reveal what they hold on you" - as many people as possible in as small a window as possible. Geurilla consumerism is great fun!
todo - The developer's equivalent of confession: "Forgive me Father, for I have sinned..."
I'm not suggesting that it will keep people from buying MS products (though that would be nice, in the long run). What is more important is to encourage a frame of mind in the American consumers that such things can and do happen, on a regular basis, and the people who are making use of those systems may have some very severe ulterior motives.
With respect to "ulterior motives" most American consumers are nearly completely compromised by their consumerism mindset. People, in general, need careful guidance to stay focused on things which are important but which may be hidden from plain sight.
the NPG electrode was replaced with carbon blac
I'm currently trying to figure out how to COMPLETELY block my new PC with XP from going out of the local network. Until I'm sure I have it right, I don't even have an ethernet cable connected to it.
So believe it or not, I'm simply transferring files via usb drive.
I use a Mac most of the time, and given all the hoopla about evil Micro$oft, I wonder if evil Apple is doing a bit of the same thing and maybe they are just not getting the press ?
Absolute statements are never true
You would not have to download every patch. Patches could have separate metadata saying "Only install if a device with such and such device is installed" (and similarly for other stuff). The client software could then decide whether to download the full patch based on metadata. Yes, one would have to download all the metadata, but at, say, ~1k bytes per update that would not be prohibitive at all.
HAND.
Use Windiz Update!
Screw the rules, I have green hair!
The next change is Microsoft's privacy policy will allow them to view, copy, alter, or delete any and all data located on a computer running any Microsoft software.
...but if Windows update starts deleting mp3 collections, 3rd party apps or utilities, etc. from users computers, people are bound to notice!
Ok, I'll bite: Do you have any hard proof to these allegations?
I really think there's a big difference between "tracking down users" for marketing purposes, or to track down cracked software users... That kind of thing will be mostly transparent to a non-knowledgeable user.
And this can easily turn into a major backlash.
No sig for the moment.
"In the Privacy Statement of Windows Update Microsoft grants itself fairly far-reaching rights. Thus the information collected by the Redmond-based behemoth includes the computer make and model, version information for the operating system, browser, and any other Microsoft software for which updates might be available, Plug&Play ID numbers of hardware devices, region and language setting, Globally Unique Identifier (GUID), Product ID and Product Key, BIOS name, revision number, and revision date"
There are what - like a billion or so computers in the world running an M$FT operating system?
And e.g. Windows 2000 is now up to something like 125 or 150 Critical Updates since SP4?
And they're keeping track of all of that data?
That's a database that would make the NSA green with envy.
Can SQLServer handle a load like that?
Or would you be looking at something specialized, like what National Cash Register built for Wal-Mart?
From the WGA Blog
- Source ID (which product is requesting an update) - necessary to get the right patches
- Event Code - Not sure what sort of events this is tracking, curious, but not necessarily evil
- Version - I assume this means version of the updater, but could mean version of the base software, either way see #1
- Hash of the event - good security check
- Custom Data - completely unexplained, this is what worries me the most in the list
- Return Code - ok from a usability standpoint (most websites track when users leave, so I put this in the same class as that)
- Part of a domain? - no reason for this to be sent, as far as I can see
- Partial binary product key - piracy reasons? Can't think of any other good reason for this
- WPA hash - also unexplained, but probably related to the above
- OS version - see #1
- User locale ID (langauge) - reasonable if they are presenting nationalized dialogs, removes a prompt from the user
- System locale ID (computer default language) - don't see much of a reason for this except as a backup for the first, odd
- Diagnostic code - reasonable for debugging
- Client Id - i.e. GUID - why do they get this if they aren't using it for user tracking
- HD volume serial - no reason for this, except user identification
- Computer security hash - see above
Other than those last identifiers, most of the information I see requested make sense.Clones are people two.
Oh yeah, where's that, cell block F? F, for "full of yourself"? or perhaps F, for "F yourself"?
I am, therefore you think.
Everytime I fire it up, my cablemodem gets busy.
Obama's legacy: (N)othing (S)ecure (A)nywhere and (T)error (S)imulation (A)dministration
I've never heard that one before... running interference, the pointing game, distract the farmer while stealing his chickens... the Kansas City Shuffle. Heh. :)
the NPG electrode was replaced with carbon blac
Bandwidth usage is paid at both ends.
So wonder the Internet is getting slow.
Obama's legacy: (N)othing (S)ecure (A)nywhere and (T)error (S)imulation (A)dministration
it's in interim use... 800 MHz athlon whitebox machine, 768k, 30 Gb HDA. you don't put anything up to date on a boatanchor like that, especially since anything up to date will eat the whole machine up before you try and start a single app.
died from windows rot, so it needed a refresh.
if this is supposed to be a new economy, how come they still want my old fashioned money?
The acticle states that the Patches themselves ar calling home!
Avoiding WGA and WU doesn't stop MS from getting a jingle.
Obama's legacy: (N)othing (S)ecure (A)nywhere and (T)error (S)imulation (A)dministration
Does it do that when you update via the Baseline Security Analyzer also? http://www.microsoft.com/technet/security/tools/mb sahome.mspx
Here is the fix,
/etc/hosts
on a *Nix box, say maybe the DNS server
vi
127.0.0.3 genuine.microsoft.com
For windows
edit c:\windows\system32\drivers\etc\hosts
0.0.0.0 genuine.microsoft.com
The spirit of resistance to government is so valuable on certain occasions that I wish it to be always kept alive
Oh certainly! Along with the other 50% of windows users that never paid for it. I'm sure it's crowded in there.
Anyway, they are evil. Oh well, whatcha gonna do? Vote for a [second] party? Go ahead! Throw your vote away!
Why would i care if Windows tells MS what hardware i'm using. I admit i'm a little embarrassed that i only have a 4x agp port. It's not like it's that personal.
Lots of people gladly store real personal information on google's servers in the form of gmail and google apps, etc.
They're not even tracking down individual users for marketing purposes.
How many slashdotters look at their website logs to see how many people visit and what they use to do so? I'm willing to bet a huge amount of people do, and they're the same people who bitch about MS updates phoning home. To complete HTTP requests you don't *need* anything more than the actual request and an IP address, yet somehow the logs include things like browser versions, screen resolutions and operating systems. You don't complain about those.
Aggregate data is needed to gauge how a product is being used in order to improve it, be it your website, software, a car, a lawnmower or something else. When MS start actively using personally identifiable information to personally target things then I'll worry, but until that day I have no problems with them knowing that 82% of their user base has installed security patch XYZ.
How many people can read hex if only you and dead people can read hex?
3: Check for obvious rootkitting while being run. For example, if an unsigned program has hooked the keyboard interrupt. If its a signed program, no biggie. Otherwise, post a dialog, and have an option to ignore the issue in the future.
Windows x64 already does this. It's one of the things that anti-virus companies are complaining about, they can't patch the kernel interrupt table at all.
4: Offer functionality to "vet" install media, so a CD/DVD of a VLK install can be scanned to check if it has not been modified to install malware. This is important, because a lot of install media comes from downloaded images, not physical CD or DVDs.
Not to mention slipstreaming service packs and hotfixes.
God save our Queen, and Heaven bless The Maple Leaf Forever!
Microsoft.... Lightweight? haaaaahaaaaa! now thats funny.
...is a great reason to use Windows for Workgroups 3.11. Think about it: MS makes all the evil for 32/64-bit OS. 16-bit area is clean. Not to mention that Windows Update recognizes WfW + IE5 as Mac and says "go and get some sleep", erm I mean "visit Microsoft site blablabla". But it's a minor flaw; still, you don't have to install WGA.
Erm, I must have been thinking about Microsoft's WLAN penetration or something ;P
don't blame me, I voted for Kotos!
you won't recognize the slowdown of a good rootkit either, does that mean you don't care about those either?
Microsoft is directly identifying your MACHINE, if not YOU personally.
But we don't know that they aren't identifying YOU personally. Maybe they are, depending on what other data mining they are doing internally. The point is, we do not KNOW.
Maybe they don't care to identify you personally UNTIL they want to at some point in the future - maybe to sell your machine info to the RIAA in the event that your DRM use is suspect.
Maybe they don't care to identify you personally but are intent on TAGGING your machine as a potential pirate based on your WGA refusal.
The bottom line is that Microsoft does NOT need this mass of information about each and every one of 900 million machines in order to do their business of selling functional software.
That's BULLSHIT.
Microsoft is doing this for OTHER reasons which are irrelevant to the performance of the primary function and VERY relevant to sucking every last dime out of people's pockets for the benefit of Bill Gates.
Like I said yesterday - put this paranoid, greed-sucking ASSHOLE out of business! NOW!
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
FreeBSD for the Win!!! (waits for the onslaught of flamers)
This is pretty simple if you have a router.
1. Assign a fixed IP address to the Windows PC, instead of grabbing a dynamic address from the router.
2. In the router, block that IP address from being able to get outside the local network.
3. You can now share files across your local intranet while forbidding outside access.
Actually, I only run Windows in a VMWare virtual machine in Linux, and block the Virtual machine's IP address from getting out. Works fine, and has the added benefit of properly sandboxing Windows from damaging my system with malware, etc. Since I don't use my PC for games, this works well for me.
"My country, right or wrong; if right, to be kept right; and if wrong, to be set right." --Senator Carl Schurz (1872)
Usually you will be forced to download WGA before you can get to other updates -and your new install of Windows XP or Vista will stop booting after about 45-60 days if it has not been validated online.
30 Days, and it can be online or a phone call. (Toll free, I believe)
Microsoft being a behemoth company and its poorly written software we shouldn't pick on them on this subject. Many software companies are doing this to control the copies of it has out there, legal liability of illegally used software, and obviously revenue. The main thing is to read you End User Agreement to make sure they won't use that data for any purpose other than gather data and make sure that your firewall prevents any private data from getting out. I remember awhile back when this first started that CIA, Pentagon, NSA, and any other secure group need to stop this from happening since this is not a good idea for and secure network to call anyone from a secure location. They first blocked the ports that Microsoft was sending out the data on and then Microsoft agreed that the copies sold to the CIA, Pentagon, NSA, etc. had no phone home in them.
I'm a legit Windows XP Home user, have been for a few years now. I'm also on dial-up. It would be nice if WGA would remember that this goddamned machine is legit somehow and leave me alone. I'm tired of sitting around and waiting while the "Quality" of my machine is ensured each time I need a damned patch.
It is a violation of privacy and Microsoft is sending information back to their location for storage or not against the wishes of an individual.
If you break the law it is still up to the police and the courts to follow legal procedure to catch you and prove you broke the law and then to punish you commensurate with the proven charges. Even if you steal something and they know you stole it they can't do anything about it till they prove it. Part of that process is to get the legal search warrants and other court orders to permit them to do this.
Microsoft is a civil organization which is usurping the rules of law that were well established. In fact, they are effectively searching everyone's home every time to prove they are not in possession of stolen goods. The government can't do that. Microsoft should not either.
Any information sent to them without our express permission is a violation of our privacy whether they store it or not. It is not permissible for them to blatantly flaunt in our faces the fact that there is no one there to stop them and if you try you won't have the resources to do so.
Again people, remember the computer you have is an extension of your home. It is not a playground for microsoft to do what they want. Would you allow them to come into your home to inventory your belongings and then make you account for all those things you may purchase after the fact? Would you let them check on you any time they choose? Hell no. You would never let anyone into your home to do that. So, why on fucking hearth are you letting them search your computer to inventory your system to send private information back to their offices? Is it because it isn't an inconvenience to you to allow them to do this? Because you have no recourse to stop them?
So, you say that it doesn't hurt you to have them to enter your home and search it and report back to their offices? So, then would it hurt you to allow the government to do this if they could do it in such a non-invasive way? How about putting hidden camera's in say 20% of homes and no one knows they are there so you have at least an 80% chance of not being spied on!?! Would that be acceptable to you? Hell, 1 if 5 chance of being someone that is observed by the government. Once you got used to it, wouldn't it be acceptable to have the government then say 40% and up it over the next 10 years to 60% and then all the way? You would have become accustomed to having the government spy on you?
I think you understand what I'm getting at. This is the same thing. You would not let the government do such a thing, and even some people feel cameras in public are a violation of our privacy.
Microsoft is not the government and they have no rights to do what they are doing. They should not be collecting any information unless you explicitly permit it.
As I have said in other posts. This is about them collecting as many pieces in their databases as possible. Having this information gives them a lot of leverage.
Have you heard about how the patent office has claimed that file sharing software is a threat to national security? How about a monopoly power that has control over 90% of the worlds computers able to go into your computer and home unchecked by any sort of mechanism that is designed for checks and balances? You think that is less a threat to national security than it is to allow people to share information between 1 or 2 or more party members. Either the comments by the patent office are totally ludicrous or no one is willing to accept that this sort of unchecked behavior by a company in control of 90% of the worlds computers is a threat to national security.
You can lead a man with reason but you can't make him think.
My brother works on the Windows update team in Redmond. Just to clear things up, here's what I know:
1) Since there are so many update events, the client software only sends a random sample ~10% of all events to the server. This was added in one of the more recent changes to the Windows Update s/w.
2) Yeah, they have a *huge* data warehouse that they store all that info in. It's SQL Server 2005 and one of the larger SQL Server installs in the world. From what he tells me, they get millions of new rows each day, so they can only keep 1 year of data available online in the database (everything else gets moved off to tape or to another database). BTW, it's in the terybytes.
3) They use this data to help better serve their customers. They have a reporting/analytics solution built on top of that Data Warehouse. They can analyze history by region, by service pack, by language, etc. So they can make better strategic decisions with that info and in a more timely manner (it's updated daily).
Look, here's one example where that data is useful for them - if a few customers call up and say there update is failing, a tech support person can look at some data for that customer's region, or service pack, or update and see if there are any trends there to help move the case along (i.e. maybe a trend shows that a bunch of users with that OS are having problems with that update).
No comment on the privacy issues - all they know about is your computer's GUI and your IP address (i.e. city/state/zip or region/country). Some are ok with that, many aren't.
for a class action lawsuit.
Most makers of spyware are supposed to give their users an opt-out option in order to be legal. Where is the opt-out option in updating Windows without phoning home?
Can you set a firewall to block the phoning home, and if so would the updates still work?
Remember, Slashdot does not have a -1 disagree moderation, and no, troll, flamebait, and overrated are not substitutes.
Yeah, well _I_ voted for Kotex, and it weren't no typo, neither!
I'm paranoid, but based on their previous software, I doubt they could do anything with the mass of data they recieve. They probably have a server, in some dark corner of a room, which ominously gets DoS'd to deatch every ten minutes by WGA.
Speaking of which... When programs crash, what do they do with those error reports, if you click the Send button? Is there a bottomless pit in Redmond?
...sending out the pipes? Or is this all bull shit?
if it's true then how come nobody in the medical IT business knows this? Nobody in the financial sector knows this? There are just two examples of where computers sending out unauthorized information put customers and businesses at risk.
Does this mean that every hospital needs to pull the plug on their network access to the outside world?
LoB
"Anyone who stands out in the middle of a road looks like roadkill to me." --Linus
I don't think many pirated software users care much for updates.
What if virii were released that invalidated every single copy of windows (by invalidating part of the WGA information) secretly over the course of a month worldwide? What would happen then?
I'm kinda confused. Why hasn't someone released a fix that removes all of this nonsense a while ago? If I was a Windows user I'd be trying to find out if i can pay someone besides Microsoft to manage my updates at this point, and shield me from the extreme conflict of interests that Microsoft is inflicting on its customers.
Why isn't there a product to fix this?
Hell, hasn't the warez world fixed this, or do all the illegal windows users just let their systems phone home too?
-josh
None of these comments are any use. What we want is:
/.er coders when you need 'em?
an indication of the URL or range of URLs the WGA messages are sent to
example firewall rules to divert these packets to a separate machine
a simple translate program which alters the packets and resends them to M$ with different data.
Where are the
I've got legit installs as well and could care less about the privacy issue (although I realize the two ideas are not necessarily combined). I strongly feel WGA is punishment for the real users as it has caused real problems on my machines at times (including two reinstalls) and the real pirates will be able to side step this most of the time, probably in a way that causes them less grief than us...
Good call, AC
This comment does not necessarily represent the views and opinions of the author.
1> It's worth money. Why should MS get it for free just cuz you're a customer? They should pay you for the data. It must be worth money, cuz it must cost millions just to catch and cache all that data from 100,000,000s of MS boxen.
2> They'll eventually start using it RIAA style to attack "pirates" and "hackers". Given how often their WGA software ID's innocent people like you as having illegal copies, this is nothing but trouble for the customer.
3> Given how buggy MS S/W is anyway, how long before a phone home bug kills your box? While doing something that is completely useless to you?
4> How long until MS hands over (sells) this data to the Dept Homeland Perversity (KGB)? You wanna be the first one arrested using a sidewalk-sale-second-hand video card that some "terrorist" (MySpace.com user) got rid of?
5> Oooh, how about real cybercrime? What a plum target. Once a security hole is found in some BIOS or other tidbit, real cyber criminals could really use a database like this for finding victims.
6> While we're on the subject of "free money", is MS paying you for using your bandwidth to make money for them?
Pavlov wouldn't be so famous if he'd used a can opener instead of a bell.
The Microsoft vs. Government analogy is not quite right: Using Microsoft products (and agreeing to their EULAs) is like granting cops access to your home on your own free will. Cops don't need warrants if you invite them to come in! Government needs special authorization (search warrant) to enter, because we have no way of escaping their power, so a safeguard is needed to prevent abuse. But Microsoft doesn't need a warrant or something similar, because, basically, you're free NOT to use their software, and can therefore legally get out of their snooping reach.
cpghost at Cordula's Web.
..is http://www.windizupdate.com/ - works on Firefox, too. Allows online updating and patching without WGA. Of course, you've got to trust Windizupdate I guess...
First you don't close the italic tag, then you can't see what strategic advantage a live snapshot of your users anonymized data could be?
Are all bugs of type X only coming in from Windows XP with SP2 and the latest Forceware driver? Does it only affect Office users? How many people are using, say, Office with a Welsh language pack - is it worth further development? Are certain unqualified drivers a source of instability? I could go on...
They are running local audits on your machine without direct permission, which is a concern. They have no business, especially as a monopoly position in the software industry, to know the entire scope of the market for software. Unlike the rest of the competition, they know which markets are saturated with FREE and OPEN SOURCE software solutions, therefore they avoid unnecessary development investment of products that would obviously be money losers. Tsk, tsk. So much for free markets.
It means I don't care about it because of the slowdown, however there are plenty of other reasons to care!
Good point.
How many other companies get to do free industry-wide data mining at their customer's expense and without their customers permission? Not many.
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
I didn't know Harrison Ford has an Indie comedie. I learn somthing new every day...
People in medical IT do know about this. Last I heard, a number of hospitals were not installing Win2K SP4 or WinXP, because the license changes (yep, they were added to SP4..) violate hospital data protection laws.. (the contract language is pretty vague, and Microsoft can legally hoover almost any data off your machine with this license.) The idea of data being stored on a Win2K system period, let alone one missing some patches (SP3 + manually added patches.>), makes my skin crawl, but typically the info is actually stored in an AS400, and the Win2K boxes are essentially overpriced 3270 terminals.
So if it can be parsed it can be spoofed, and it can be proxied, maybe with a squid handler. I agree many of those fields are needed but some of them could be spoofed by an anonymizing proxy. IIRC, there are algorithms to compute GUID's that pass checks. I'm not sure how you get around the collision problem, and WGA problems with those collisions - maybe it's just better to run a Linux or MacOS box.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)