Microsoft Releases Mobile Data Collection Source Code
mikejuk writes "To avoid the problems that Google and Apple have had with collecting WiFi data and privacy issues Microsoft has just released [some of] the source code used in its mobile data collection system. The code shows how the phones that it drives around don't collect any personal data — just WiFi and cell tower identification so that they can be used in geolocation. The source code is a great educational resource but as to proving that Microsoft is doing the right thing it just doesn't work. First off, it isn't complete. Second, who is to say that it is the code used in the phones? That's the point of software — it's easy to change. Now if only we can provoke them to release large chunks of Windows or Windows Phone 7...."
Somehow I get the feeling a full release of the source code still wouldn't be enough to satiate the nerdy masses.
A unique way to learn a language: http://languageloom.com
Nothing ever will be. If we get full source they will whine that it's in the wrong license or it needs visual studio/windows to compile. Or they will call it useless and whine about that.
The problem with most people was never that it was gathering info, but that everyone could access it. If someone stole your phone they'd have a footprint of your life in their hands. They encrypt it now and it's fixed.
Google's data is only accessible if you root the phone... And it'll only send info back and forth if you consent (Basically, if you want to use the geolocation boost you are forced to share your info too).
The issue is not a non-issue. There is nothing wrong, in my opinion, in gathering information (remember, we are using some pretty neat services for "free", like GPS), but you have to do it right.
Without the ability to compile the entire thing for yourself and check the checksums, there is no real way to know that this is the genuine source.
It's never enough for some people. "Check the checksums"??? Come on.
Who's to say that the phone isn't showing you a fake checksum, to lull you into a false sense of security? You'd say: I'd have to be able to compile it myself, of course.
But who's to say that the phone actually runs your compiled version, rather than its own?
Tell us what would satisfy you.
First off, it isn't complete. Second, who is to say that it is the code used in the phones? That's the point of software — it's easy to change.
Blah blah blah. And where's the "REAL" birth certificate??
No amount of proof is enough for some people.
"Ask not what your country can do for you." --John F. Kennedy
I don't know how this one made it through the slashdot filters to be published. Mikejuk's posting sounds like conspiracy drivel. What Microsoft did was clearly a good effort to try and show the worry-warts what they're doing, but to expect them to give away the source code to their operating systems is just crazy.. their whole business model is based on traditional closed source software.
- tensions in our lives that are attacking our minds, unite themselves together to make our consciousness blind - op'ivy
It's very likely Microsoft will never release anything that will satiate people who understand licenses and value freedom. Microsoft likes you to sign crazy NDAs for access to specs and source and ties their own developers' and evangelists' hands. I was at a WP7 presentation a month ago given by MS's WP7 evangelist for my region. He couldn't hook the WP7 phone he had to the projector like he normally does because Microsoft's legal department took away the cable he had been using for presentations...
It's better than nothing but does not prove much. MS could release the compilation script that builds that piece of the code, to be able to verify that the binary version of these functions is present in WP7.
But once again, that code could not be activated at all. Once again, you could offer to recompile that part of the code to insert some profiling. But then, you would know the code is gone through but maybe discarded.
Soon we will have the discussion about trusting trust again (if you don't know what it is, it is the problem of "how to trust your compiler").
Never mind that you would have to use visual studio to compile it and we all know that secretly inserts backdoors in all software made with it.
"In America, first you get the sugar, then you get the power, then you get the women..." -H. Simpson
Somehow I get the feeling a full release of the source code still wouldn't be enough to satiate the nerdy masses.
I disagree. If it can be fully compiled and tested, then there would be no rational place for the "OAMG they have something they're hiding!" argument. OTOH, Microsoft is kind of notorious for only doing their PR stunts half-assed, and this latest one kind of proves it. Even SCO did a better job of convincing Joe Reporter that they truly showed off code/evidence (and let's face it - their attempts were hella laughable at best).
'course, you can still check things WP7-wise as it is now... that is, if you can capture every packet coming out, decrypt the payloads accurately, then assemble and analyze the results.
IMHO, releasing only part of the source code is indeed, like GP said, more dangerous than no release at all. Just that he forgot to mention that it's potentially dangerous in both directions - both to the world at large ("oh look, stuff to test for exploits!"), and to Microsoft ("OAMG they're hiding something! You can't even test what's there without violating a license!").
It'd be better off if they didn't even bother, considering that the bits they did release are worthless in and of themselves.
Quo usque tandem abutere, Nimbus, patientia nostra?
Somehow I get the feeling a full release of the source code still wouldn't be enough to satiate the nerdy masses.
The source code is a great educational resource but as to proving that Microsoft is doing the right thing it just doesn't work. First off, it isn't complete. Second, who is to say that it is the code used in the phones? That's the point of software — it's easy to change.
It explains it right there! You see Microsoft, with their history of deceit, lies and downright badliness are obviously hiding something. And I know what it is.
The real software gets passwords, IP, MAC addresses, of everyone connected and people's names and SSNs - that's how devious they are.
And on authority that I can't name right now, Microsoft has in fact bought the Illuminati and is planning on calling it "Microsoft Illuminati"! Really it's true.
But there's more and here's the really scary part: they bought the NSA. Yep! That's where they got the software from!
I can't go into more because the Microsoft Brain Scanner is running, but they also are behind Al-Qaeda!
Microsoft is spying on everyone and be careful!
The full source code should ring alarm bells, too. It runs on their phones, in their vans. You don't have access to the hardware to verify it's running the source code they provided (and only the source code they provided). You don't have access to their compilers to verify it's not inserting other code.
Do you even lift?
These aren't the 'roids you're looking for.
Likes open source, goes ballistic when MS throws them a bone.
And here I thought it was about letting the user accomplish something they consider useful. I didn't realize the point of software was to allow you to change it. Silly me.
You don't even have to use your "feelings", he says it in the next sentence:
Second, who is to say that it is the code used in the phones? That's the point of software — it's easy to change.
"Please give us all your source code! And proof that it's exactly the source code on my phone! And that you didn't push an OTA update! And that you are verifying the MD5 checksum of the source code to the build on my phone! And a UN panel to supervise the foundry in which the hardware md5 check was being performed! And a background check on all the people supervising the foundry to make sure nobody changes the hardware to mis-report the checksum! And...."
There is no way to please them. At least they were up front about it.
... and while I don't work with this team, I can tell you that it will have been released in good faith, and that the code in the phones will not be any different. I've seen nothing but honesty and integrity in the two years that I've worked for the company.
Somehow I don't think you realize that this is about Microsoft's equivalent of the Google StreetView car and nothing at all to do with the phone. You're not intended to run this code, ever. It's for them to run. What they are doing is showing that they're doing it "right" as compared to Google's way of doing it "wrong."
And the funny thing is that in the Google threads there are tons of people who do all sorts of speculation in order to absolve Google, and in the summary of this story they go to all sorts of speculation to incriminate microsoft. Way to go people.
Good question. Very insightful. But how far do you go?
How would you know that if they released the code that this code is what's really running on your phone? How do you know there isn't a backdoor inserted post compilation?
How do you know that Linux isn't just a shell around an obscenely stenographed copy of Windows? Do you inspect every single line of code that goes into your machine personally? How do you know the code's not kept in a tiny hardware ROM on all modern chipsets and injected into Linux during boot? Do you read them all, personally? Well you should!
The sheeple must know! It's a plot by the Skull and Bones society, the Illuminati and the masons, IE9 has links to stuff they put in our water and Windows mobile uses fillings in your teeth as an antenna so the greys can track you from space. Soylent Windows 7 is people! Oh God in heaven it's PEOPLE! ...
More seriously, yes, it is possible they wouldn't use that actual code in their phones... but Occam suggests they probably do, while Hanlon agrees but clarifies if they aren't it's probably a slightly different version due to that idiot new developer in section 8 that ran the wrong script.
Eventually, at some point, you just have to either accept what someone's saying or accept there's no trust there and move on. Keep in mind it's practically impossible to avoid cell-tower based snooping and tracking, making this whole point useless because the NSA etc don't need your phone to cooperate for them to get what they want.
Check out my sci-fi book "Lacuna" at http://goo.gl/MVxX8
When they are sued by privacy groups or federal regulators, they will be able to show to the court that this is the code being used in their phones.
Yeah, sorry, they are not going to prove it to some random joes on the slashdot.
Not with comments like "Second, who is to say that it is the code used in the phones?" coming from the person who wrote the summary. You could ship that jackball straight to Redmond, sit him down in front of a workstation at Microsoft, let him review the code himself and press the build button himself, and he'd still think it was a clever ruse on Microsoft's part.
I was under the impression that the Wifi sniffing software that Google used was at least based on open source code as well. I'm not sure if that's the case, but I remember hearing something about it when it originally happened.
Without the ability to compile the entire thing for yourself and check the checksums, there is no real way to know that this is the genuine source.
Check the checksums against what?
Isn't this an admission that their current method of security, security by obscurity (closed source), isn't as secure as opening up the source?
No, this isn't even about security. It's about saying 'yes we are collecting data, this is the code we are using to collect that data' so people can see what data they are collecting. Had Google done the same thing people would have seen that their code was collecting more information than they said it was.
Now ... if they give all the source code then ...Oh wait!... those hardware manufacturers are very suspicious too!!.... and I truly believe that "that" compiler is embedding fingerprints and call home code.
Now if we can provoke them to release the hardware specs, software (complete dev chain) and manufacture all the pieces of hardware in front of me... then I'd be sure that ... oh wait ... then I would have to use wifi with that shady router that is probably sniffing my very important personal information!!!
Yeah dude, the world is doomed with your point of view. We'd have to build everything from source after reviewing each file one by one.
Nonsensical article getting to front page by bashing microsoft. At least there are no ads in his page.
I guess this guy's repositories are only source and he has inspected each bit of code by himself ... after all you can trust no one.
who gives a shit if it's open source, they shouldn't be using me and my resources to collect "my" data for them in the first place, shit like this stops me from ever getting a "smart phone" at least my s40 nokia ain't logging every fucking thing i do with it and then selling it to any shitty business that comes along with a pile of cash
keep your open source spyware, until i can rip that shit out entirely or invoice you for my data, i ain't interested.
Wow. They finally open source something and the Slashdot can only post an article that is pure backlash?
Really teach them to open things up. How do you know the pieces of WebKit that Apple releases really are what runs under Safari? Stock, precompiled Android? Probably both filled with backdoors!
This is so stupid. This crap is killing Slashdot.
Are you really sure you want to see more? It might harm you in ways you can't imagine.
It's very likely Microsoft will never release anything that will satiate people who understand licenses and value freedom. Microsoft likes you to sign crazy NDAs for access to specs and source and ties their own developers' and evangelists' hands.
And yet here they are releasing the code without requiring crazy NDAs. That is not to say that they haven't required NDAs in the past (like when they have released the full code for Windows for specialised uses), but that doesn't mean that every time they release some code it gets tied up in paperwork.
He couldn't hook the WP7 phone he had to the projector like he normally does because Microsoft's legal department took away the cable he had been using for presentations...
Why? Was there an actual legal reason behind this, or did someone just pinch his cable? It seems pretty unlikely that the legal department would prevent them from advertising a released product.
IMHO, releasing only part of the source code is indeed, like GP said, more dangerous than no release at all. Just that he forgot to mention that it's potentially dangerous in both directions - both to the world at large ("oh look, stuff to test for exploits!"), and to Microsoft ("OAMG they're hiding something! You can't even test what's there without violating a license!").
That is not correct in this case. The problem is that everyone believed the article when they said that this was the code from Windows Phone 7. This is actually the code from Microsoft's vans that collected geolocation data. (similar to Google's vans that logged everyone's WiFi packets that got them into strife). The fact that they didn't release the entire code is irrelevant because none of us have the binaries with which to compare the source code. Therefore there are also no security problems with them releasing this code either.
Interesting info, but I'm glad you cleared that up a bit. :)
Quo usque tandem abutere, Nimbus, patientia nostra?
Somehow I get the feeling a full release of the source code still wouldn't be enough to satiate the nerdy masses.
Satiate?? Really?? Does anything even suggest that we find the phone relevant enough to care? If one had to pick a group most likely to avoid the phone, wouldn't "the nerdy masses" be a good first pick? The phone seems to be targeted at people that perceive Apple and other offerings as too scary and complicated... That's the opposite of the "nerdy" demographic.
Opening the source would not have prevented Google from inadvertently collecting that information and it won't do anything to help Microsoft not get caught in the same problem.
The difference is that Google used someone else's code whereas Microsoft wrote their own. Neither company actually wants to log everyone's WiFi packets, but it would be far easier for Google to accidentally click a checkbox in a third party app to enable this feature than for Microsoft to accidentally write code to do the same thing.
Both companies had access to their respective source code, and I would argue that in this case it was the closed source code that received more scrutiny. Microsoft would have actually looked closer at their source (because they wrote it themselves), while Google could easily use their package without giving the code a glance.
Most likely, Microsoft would have a custom version of Visual Studio running that would simply inject nefarious bits at the right point.
Amusingly, the CAPTCHA for this is "merges."
Do you not see the difference between a potentially but very unlikely faked birth certificate, and a piece of meaningless code which won't compile, is by their own admission incomplete, and can't be tested on working hardware?
How is this insightful? The article was right on the money. This doesn't prove anything.
He couldn't hook the WP7 phone he had to the projector like he normally does because Microsoft's legal department took away the cable he had been using for presentations...
Why? Was there an actual legal reason behind this, or did someone just pinch his cable? It seems pretty unlikely that the legal department would prevent them from advertising a released product.
I believe Windows Phone uses a protected graphics path, similar to the one in Windows Vista & 7, in order to provide DRM so services like Netflix feel all warm & fuzzy that their video content can't be intercepted. Because of this, all phones which are used in demos require a special build of the OS to display on a projector and, no doubt, a special cable recognised by that OS build.
Having said the above, I'm not sure what reason Microsoft would have to reclaim the cable apart from controlling the number of them that exist outside the company. This control would be part of keeping the integrity of the DRM path.
Dead topic,
Android rules, and Apple owns the elitists....
Microsoft and Research in Motion are on life support in the mobile market.
It is extraordinary that M$ would release such source code!
Apple on the other hand has released Mac OS 10.6.8 which has destroyed and Gimped 100s of millions of Mac Desktop and Laptop (Mac Book Pro) world wide!
Google's latest "update" to Chrome and Gmail Gimps both for Mac OS (any version)!
Given the apparent hatred of Apple and Google toward their customers I MUST re-evaluate my thoughts toward Microsoft!
--
PS I live and breathe UNIX.
I work in an environment where super paranoid measures are imposed to avoid issues. Every piece of software is isolated on a network with a sniffer that will check the nature and content of any data going out or in, while the software is taken through all of its use cases. Some of these tests are time consuming because the tested software is complex and involves running very many use cases. Compared to some of these, a phone is in fact very simplistic. In many cases we test closed-source appliances but I can guarantee we do know everything the device transmits. No need for code or much reverse engineering. In conclusion, if someone wanted to prove they are doing something mischievous one could have done it without any source code. Microsoft just showed good will here.
It's funny how people react to news about Microsoft and their technology. Take UAC for example. Everyone started complaining that they have to click an OK button every time they performed a task that involved the system. The same people thought that writing your password in Linux every time you perform an administrative task was an excellent idea. I sense a contradiction here. (For the record, I think requesting specific permissions on administrative tasks is a must so I will be happy to have that feature in any OS).
here's the WiFi info the code captures:
ObservationGenerator.cs, line 795
- mac address
- signal strength
- infrastructure mode (ad-hoc/infrastructure, etc..)
- 802.11 network type (frequency-hopping/direct-sequencing, etc...)
wifidriverwrapper.cpp, line 339 would seem to imply that they're also only logging visible infrastructure APs.
they could easily have also captured:
- SSID (alphanumeric ID)
- encryption status (WEP/WPA2 enabled/keyed, etc...)
- frequency band/channel #
this is all high-level information from the driver via the Windows ZeroConfig API. there doesn't seem to be any support in the code for capturing raw packets from the radio.
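The black-box check raised in the thread (inspect what a device actually sends rather than trust released source), applied to the four fields this comment lists, as an added example that is not part of the thread or of Microsoft's released code. The JSON record layout, key names, enum labels and the -120..0 dBm range are assumptions, and the sample lines are constructed.

```python
import json
import re

# Per-AP fields the comment lists as captured. Key names are assumed here.
DECLARED = {"mac", "rssi_dbm", "infrastructure_mode", "network_type"}
MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$", re.IGNORECASE)
# Enum labels are assumptions standing in for the driver's values.
MODES = {"infrastructure", "adhoc"}
NETWORK_TYPES = {"fh", "ds", "ofdm5", "ofdm24"}


def audit_record(rec):
    """Return findings for one decoded observation record (a dict)."""
    findings = [f"undeclared field: {k}" for k in sorted(set(rec) - DECLARED)]
    findings += [f"missing field: {k}" for k in sorted(DECLARED - set(rec))]

    # Allowlisting keys alone is not enough: a declared field with a loose
    # type could carry an SSID or payload bytes, so every value is
    # shape-checked as well.
    mac = rec.get("mac")
    if "mac" in rec and not (isinstance(mac, str) and MAC_RE.match(mac)):
        findings.append("mac is not a 48-bit hardware address")
    rssi = rec.get("rssi_dbm")
    if "rssi_dbm" in rec and not (type(rssi) is int and -120 <= rssi <= 0):
        findings.append("rssi_dbm is not an integer in -120..0")
    mode = rec.get("infrastructure_mode")
    if "infrastructure_mode" in rec:
        if not (isinstance(mode, str) and mode in MODES):
            findings.append("infrastructure_mode is not a known enum label")
        elif mode != "infrastructure":
            # The comment reads the code as logging infrastructure APs only.
            findings.append("non-infrastructure network recorded")
    ntype = rec.get("network_type")
    if "network_type" in rec and not (
        isinstance(ntype, str) and ntype in NETWORK_TYPES
    ):
        findings.append("network_type is not a known enum label")
    return findings


def audit_capture(lines):
    """Map 1-based line number -> findings, for lines with any finding."""
    report = {}
    for n, line in enumerate(lines, 1):
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            report[n] = ["not valid JSON"]
            continue
        if not isinstance(rec, dict):
            report[n] = ["record is not a JSON object"]
            continue
        findings = audit_record(rec)
        if findings:
            report[n] = findings
    return report


# Constructed sample capture (not real traffic), one JSON record per line.
SAMPLE = [
    '{"mac":"00:11:22:33:44:55","rssi_dbm":-61,"infrastructure_mode":"infrastructure","network_type":"ds"}',
    '{"mac":"00:11:22:33:44:56","rssi_dbm":-70,"infrastructure_mode":"infrastructure","network_type":"ofdm24","ssid":"HomeNet"}',
    '{"mac":"00:11:22:33:44:57","rssi_dbm":-55,"infrastructure_mode":"infrastructure","network_type":"HomeNet-2"}',
    '{"mac":"00:11:22:33:44:58","rssi_dbm":-80,"infrastructure_mode":"adhoc","network_type":"ds"}',
]

if __name__ == "__main__":
    for n, findings in audit_capture(SAMPLE).items():
        print(n, findings)
```

The third sample line passes a key-only allowlist and is caught only by the value check, which is the case a field-name audit would miss.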
And showing you the compiler wouldn't help; what if they implemented ken's hack?
And that you are verifying the MD5 checksum of the source code to the build on my phone! And a UN panel to supervise the foundry in which the hardware md5 check was being performed!
nah, not enough. md5 is COMPLETELY BROKEN!!!11!
Isn't this an admission that their current method of security, security by obscurity (closed source), isn't as secure as opening up the source?
No, this isn't even about security. It's about saying 'yes we are collecting data, this is the code we are using to collect that data' so people can see what data they are collecting. Had Google done the same thing people would have seen that their code was collecting more information than they said it was.
So, then it's showing the Open Source has better PRIVACY provability than Closed Source, no?
Truth is like the sun. You can shut it out for a time, but it ain't goin' away. - Elvis Presley (source: imdb.com)
Microsoft does something...slashdotters complain. More news at 11.
So MS thinks that open source is useful... Very interesting.
Isn't this an admission that their current method of security, security by obscurity (closed source), isn't as secure as opening up the source?
No, this isn't even about security. It's about saying 'yes we are collecting data, this is the code we are using to collect that data' so people can see what data they are collecting. Had Google done the same thing people would have seen that their code was collecting more information than they said it was.
So, then it's showing the Open Source has better PRIVACY provability than Closed Source, no?
Perhaps, but that's pointless anyway since you still have to trust that the code the company releases is indeed the code it is running.