Microsoft Denies Windows 8 App Spying Via SmartScreen

An anonymous reader writes "Microsoft has denied Windows 8 SmartScreen is spying after research by Nadim Kobeissi indicated otherwise." Whether it's "spying" or not, Microsoft is collecting certain information with SmartScreen — the key is what's done with it: The article quotes a Microsoft spokesperson: "We don’t use this data to identify, contact or target advertising to our users and we don’t share it with third parties."

Disable it!

[zenlessyank]

There is a check box where you can disable this 'feature' before installation. Nothing to see here....

Re:Disable it!

[menegator]

There is a check box where you can disable this 'feature' before installation. Nothing to see here....

Why is the parent moded -1?

Re:Disable it!

[fnj]

Maybe because he completely misses the point.

Re:Disable it!

[CrazyDuke]

Look in his history: His Karma is negative. The comment hasn't even been modded.

Re:Disable it!

There is a check box where you can disable this 'feature' before installation.
Nothing to see here....

Because at least 1% of Windows users are capable of installing the OS themselves.

Re:Disable it!

[bloodhawk]

FFS, where do these retards come from, read the damn article or better still read a non tin foil hat version from somewhere like Ars Technica. It is purely an anti malware prevention system that checks if the hash is a known malware when you go to install. There is a lot to hate windows 8 about, but this is actually one of the beneficial features that should help everyone, from the dumb users that install malware to the rest of us that get spammed by the botnets created by that malware.

Re:Disable it!

[fustakrakich]

The elevator has a "close door" button inside. Do you believe it actually functions?

Re:Disable it!

Meaning it's checked by default? Usually the things I see set as opt-out are not in my best interest.

Re:Disable it!

[ThatsMyNick]

How hard would it be to do it locally (like every other anti-malware/antivirus tool does)? If so why choose to do it remotely?

Re:Disable it!

[Sir_Sri]

Well that, and you entered into an arrangement with MS when you chose to install their operating system, whatever you may think of that arrangement, microsoft kinda needs to know what you're doing on the computer to know what's causing problems, because lets face it there are a lot of copies of windows in the world an even rare errors can cause huge chaos.

That doesn't mean you can't (or shouldn't) opt out of anything you're not comfortable with, but if you want stuff to work microsoft needs to know what's breaking.

Re:Disable it!

The close door buttons of the elevators in my apartment works. Quite often I chose to use that when I am in a hurry when there are people that really take their time locking their doors etc.

Re:Disable it!

[king+neckbeard]

Most users do not install their own OS, and being on by default is problematic.

Re:Disable it!

[Zero__Kelvin]

... and it is clearly marked "Allow Microsoft to Spy on You (Don't Worry, We're Benevolent)" and defaults to Don't Allow right? Because otherwise your point is pointless, since most users don't have the sophistication to understand what they are accepting by default.

Re:Disable it!

[Zero__Kelvin]

Horrible point, since in many cases it does function.

Re:Disable it!

[ThatsMyNick]

It does work in my workplace. I guess it depends on whether you trust your users to use the button properly. My workplace does, my apartment does not.

Re:Disable it!

[Shining+Celebi]

Just read the Ars Technica article. The Slashdot headline is ridiculously slanted, as was the previous story.

While I disagree with it in principle - I'd rather it be local, like how Firefox uses a local version of the bad-sites list, this is not in any way unusual or awful behavior, and it's mostly a good idea, and Microsoft has been completely open about how and why they're doing this and giving you an easy way to turn it off. It is not some privacy invading nightmare. Microsoft is not keeping track of what programs you download (unless, obviously, you get them through the Microsoft store.)

Slashdot stories are becoming more and more ridiculous. The summaries are never even worth reading anymore.

Re:Disable it!

doesn't windows come preinstalled on consumer pcs ? wi

Re:Disable it!

[Missing.Matter]

Not only do they allow you to turn it off during install, they provide a detailed explanation of what the feature does, what data they collect, how they use the data, and how you can turn the feature off during install and after install. This seems to be just about all the information a user needs to make an informed decision about whether or not to leave smart screen on. if the user opts not to read this information and clicks right through the express settings without caring about the consequences, perhaps that's exactly the kind of user this smart screen filter aims to protect; odds are they have the same lackadaisical attitude when install Ing random software from the internet. Its self selecting really.

Here is a link to my comment from yesterday, which has the exact text relevant to smart screen you encounter on install: http://slashdot.org/comments.pl?sid=3070309&cid=41111521

Re:Disable it!

[Shining+Celebi]

I'd rather it be done locally as well. I suppose the reason it's done remotely is so the blacklist can be updated and maintained on the server side. That's a perfectly good reason - Chrome sends all your URLs to check against a server-side blacklist as well - and it is probably better from the security standpoint.

Long-term, though, I think the remote check opens up a potential for vector for invading privacy in the future, which I'd rather not have.

Re:Disable it!

[Shining+Celebi]

Should Linux repositories, the Apple App Store, the Google Store, and the Microsoft store provide a similar warning, since they actually glean more information from what you download there?

I mean, all Microsoft gets from this is a filename and a hash. Unless Microsoft has a hash of every program in existence, that doesn't do them much good for spying purposes. On the other hand, they know everything about the app you're downloading from their store.

Re:Disable it!

[hairyfeet]

And if you get it pre-installed there is a checkbox in Action center that kills it, which if you are so clueless that you can't even uncheck a checkbox in a GUI? Really having a hard time feeling sorry for you.

Besides frankly the whole subject is moot anyway, you are talking about an OS that gets articles like Windows 8...yes its THAT bad and is the subject of parody before its even released so I kinda doubt its gonna be seeing much use on anything but tablets. Hell the only reason it'll be seeing ANY use on tablets is because it looks like Ballmer is gonna shit another MSFT billion down the toilet by selling their $500 iPad knockoff for $199 thus taking the Sony way to profitability.../snicker/.

Look its simple folks, anything Apple does MSFT does badly or half assed or just plain wrong under Ballmer...who doesn't know this? I mean you should have gotten the memo when Ballmer was squirting his shit brown Zune all over the place trying to ape iPod. Win 8 is so obviously a "Please God buy our tablets!" move it ain't even funny anymore, so why even care? Anyone with half a brain cell functioning is gonna stay with Win 7 anyway or at least make sure they get a "Win 8" system that is just Win 7 with a DVD in the bottom of the box that'll never get used except as a coaster.

Re:Disable it!

So, this desirable activity? :

When SmartScreen is being used (which is most of the time; it is enabled by default), Internet Explorer sends every URL being visited to Microsoft's SmartScreen servers.

- arstechnica

The article plainly admits the possibility of privacy issues. Maybe it is not the security risk it has been made to be, but what are the exact definitions of "third parties" anyway?

Re:Disable it!

[Missing.Matter]

The check box appears on first account setup, so any use buying a new PC will see it too.

Re:Disable it!

[hairyfeet]

Because then the malware will simply target this just like they do other Windows components? The problem with doing it on the local machine is 1.-The malware guys will know exactly where it is, and 2.- The dancing bunnies problem where the malware writer tricks the user into bypassing the check by offering the right cookie, thus compromising the entire system and allowing the malware writer full control.

By hosting it remotely you've just bypassed both problems as the servers running this at MSFT is gonna be better protected than grandma's Dell is, and there isn't any users to trick with dancing bunnies to bypass the system. I work on Windows PCs 6 days a week and I can tell you that frankly since Vista drivebys and buffer overflows have gone WAAAY down, now its nearly all social engineering like Security Tool, "free porn" codecs, or getting the user to run some "free" program and bypass the checks, why? Because like all criminals malware writers are lazy creatures and will take the path of least resistance and that is PEBKAC in most cases.

Re:Disable it!

[Shining+Celebi]

Nope. I'd rather have a local database, even though I assume that's more difficult to keep up-to-date with what I imagine are rapidly changing blacklists. Firefox, for example does this.

But this behavior is (unfortunately) pretty bog standard, and in the case of IE, it's nothing new, so it seems a little bizarre to get all outraged about it now when all Microsoft has added is a check on file download hashes.

Re:Disable it!

[Ol+Olsoc]

The check box appears on first account setup, so any use buying a new PC will see it too.

The choice should be Opt-in, rather than Opt-out. This is just like their old "everything is enabled" features. It's not hard to have a screen pop up asking you if you want this info reported to Microsoft. Then you say "Yes or no. Then if you are okay, click on that yes, if not, nothing happens.

Re:Disable it!

Yes. On every elevator I've used recently, it does.

It might not in a large skyscraper, but around here, they're ususally in buildings with 4 or fewer floors. Not pushing it takes a solid 10 seconds before the door starts to close. Pushing it starts it closing instantly. Yes, my job is boring.

Re:Disable it!

[Zero__Kelvin]

You don't seem to understand, so allow me to elaborate:

"Should Linux repositories ... provide a similar warning, since they actually glean more information from what you download there?"

When I download a binary from another location or build from source Linux distributions don't report that to a corporation. If Microsoft had a repository then that would be different. They don't. You would have to be a moron not to know that, in those other scenarios, they know your IP and what you are installing.

Re:Disable it!

Should Linux repositories, the Apple App Store, the Google Store, and the Microsoft store provide a similar warning, since they actually glean more information from what you download there?

App stores know which apps you download because... you know... that's their job. They don't scan your computer for other apps.

Linux repos don't scan your computer for apps, and since your computer pulls binaries from mirror sites they have no centralised tracking of what you install. And many of us use local caches so they have no idea of what is installed on an individual machine.

So your post is just the same old completely bogus 'but XYZ do it too!' crap.

Re:Disable it!

[Shining+Celebi]

Microsoft doesn't "scan your computers for apps." They compare the filename and hash of executables downloaded with Internet Explorer with a known blacklist.

Re:Disable it!

[Shining+Celebi]

So much users are too dumb to understand the simple description of SmartScreen, but bright enough to think through the implications of downloading apps through the Microsoft Store?

Re:Disable it!

[Zero__Kelvin]

You just don't want to get it. Installing software that reports what you install outside of the company's install channel is the issue. There is no way to install software inside a given install channel without knowing the IP address and software title. They are two completely different scenarios. Stop comparing them and acting like they are similar.

Re:Disable it!

[Shining+Celebi]

What difference does that make from a privacy perspective? How do I legitimately install apps on my (imaginary) iPhone outside of Apple's install channel?

Again, Microsoft is not reporting what you install. It is sending a filename and hash of executables you download via IE to Microsoft to compare against a blacklist.

This is on top of the regular SmartScreen filter, which reports URLs to Microsoft to compare against a blacklist and which has been pretty uncontroversial for years, same as Chrome. (I still disagree with it.)

So you don't like it? Well, there's a big notice explaining what it does giving you the option to disable it. Or you could use Firefox, Chrome, Safari, or whatever and it gets reported to Google instead of Microsoft.

Re:Disable it!

[ThatsMyNick]

Because then the malware will simply target this just like they do other Windows components?

What makes you think service cannot be targeted just because the list of hashes is stored remotely? The service still has create the hash locally and query the remote hash list. This service would be as effective if the hash list is local.

Re:Disable it!

I doubt this would be as effective local, they need the information from users to determine what is 'bad'.
Being that malware is such a huge problem, I want the most effective solution possible.
If I had to pick someone to trust with this information it would be Microsoft.
They are not primary an advertising or search company, and understand business/corporate needs/logic much better most others, they would not jeopardize this, and have been doing it a very long time.

Re:Disable it!

Not only do they allow you to turn it off during install, they provide a detailed explanation of what the feature does, what data they collect, how they say use the data today, and how you can turn the feature off during install and after install.

FTFY - you missed a couple of critical words.

History has shown repeatedly that "features" like this, that are initially identified as for benevolent use only, tend to eventually be used malevolently. Far too many laws suffer from the same failing, but that's for a separate tin foil hat discussion.

Re:Disable it!

That happens here when you legitimately defend Microsoft.

Re:Disable it!

[PNutts]

I prefer all security settings default to enabled and I turn off what I don't need. Especially considering the wider Windows audience.

Re:Disable it!

[swell]

"Look in his history: His Karma is negative. The comment hasn't even been modded."

Don't believe the history of zenlessyank, or anyone else. At least in my case, every comment score is wrong, on the low side. How's yours? The history function should be fixed or removed- it's been broken far too long.

OTOH, zenlessyank is remarkably fond of exclamations--used in most titles. Those exclamations tend to be rants, many with a religious undercurrent. Zenlessyank is not given to subtlety which may have something to do with his low ranking by a thinking population.

Re:Disable it!

[VortexCortex]

The summaries are never even worth reading anymore.

No one reads TFA any more, you're just now coming around to the idea of not reading the summaries, while many of us have been just reading the headlines for quite some time...

Re:Disable it!

[VortexCortex]

How hard would it be to do it locally (like every other anti-malware/antivirus tool does)? If so why choose to do it remotely?

The answers are: Not hard at all. Vendor lock in.

Re:Disable it!

[slick7]

There is a check box where you can disable this 'feature' before installation. Nothing to see here....

Critical Update required, for national security.

Re:Disable it!

[Khith]

Sure! It works just as well as those crosswalk signal buttons.

Re:Disable it!

Oh no worries you paranoid sillies! You can modify your hosts file to route the toxic addresses to 127.0.0.1 ...

Hmm ...

Odd ...

Something is wrong with the hosts files... uh oh...

Re:Disable it!

[Penguinisto]

And if you get it pre-installed there is a checkbox in Action center that kills it, which if you are so clueless that you can't even uncheck a checkbox in a GUI? Really having a hard time feeling sorry for you.

Normally I would agree with you, but having done a whole lot of Windows support over the years? There are way too many people out there (I daresay a majority among the consumers) who doesn't even know what an Action Center is, or what the smartscreen feature really does, let alone know to go there and uncheck the box. To top it off, odds are good (disclosure, I haven't looked) that disabling the feature will come with a pop-up window warning dire consequences if the user goes through with opting-out. (similar to the way HP warns that the printer will probably no longer work if you remove their stupid HP Shopping application.)

That alone will scare off most folks, keeping them compliant.

Re:Disable it!

ITT people are clueless about timed queues and assume if a button doesn't produce an instant response, it does nothing.

Re:Disable it!

[b4dc0d3r]

Mine is pretty accurate, considering I have a +2 Karma bonus, so I don't need many pluses to get a 5, and usually get 15 mod points at a time, with a rare 5 from time to time.

zenlessyank's history is not informative based on the scores, because negative karma grants you anywhere from +2 to -1 automatically. It doesn't matter what a post score is. Just read the comments. I find history invaluable when moderating, because it can help when I can't determine when someone is sarcastic or genuinely idiotic.

A few insightful posts among funny ones, and you get some "benefit of the doubt". Mostly un-moderated posts, or blatant trolls, and I will at least consider keeping you karma-negative until you post something worth reading. Based purely on zenlessyank's history, I would not moderate any posts under that account at all unless they genuinely, on their own, would be obviously meta-moderated the same way.

Based on your history, I assume you have positive, but not excellent, karma, and your history scores look about like mine - except for the troll post. Given that the troll is in the context of ThinkPad (which runs Windows), and you mentioned both OS X and BSD, I'd say that's fair. Even if we grant you the Carbon pun from Apple's API, the BSD mention puts you in the *nix camp on a Windows story.

Automatic troll. Even though most Slashdot readers are probably curious whether it *can* run *nix operating systems, that's not what the story was about, and you are completely incorrect in assuming the main questions for buyers of this hardware.

I hope this post has helped you in some way, as you are the only intended audience. If I feel so inclined I will offer critiques of other peoples' history as well, in the interest of fairness, but I usually just go post-by-post.

Re:Disable it!

[b4dc0d3r]

Yes, it appears as a check-box (or equivalent), labeled "SmartScreen".

Who do you think knows what that means? Especially when you are setting up your computer and can't just search for what it means because the desktop is not yet available?

It sounds safe and secure, so you statistically will leave it allowed. Will you write it down for further research on whether to leave it checked, and if not how to un-check it? Statistically, no.

Users will see it, but not understand it.

Since I have already posted here, consider yourself -1 (idiot) Missing.Matter (1845576) and zenlessyank (748553) -1 (missing the point).

Too bad moderation options don't include these, so I have to reply instead.

Re:Disable it!

[hairyfeet]

Dude, I've been building, repairing, and selling Windows machines since 1993, so I know of which I speak, and those people? Those are MY CUSTOMERS and I happily turn off any cycle sucking bullshit, just as I turn off all the extra "bling bling" animations in Windows. You'd be surprised how many compliments of "Wow, I don't know what you did, but its sure fast and snappy now!" when all I did was kill all the cycle sucking horseshit.

So don't worry friend, because people THAT clueless? Come to me soon enough or guys like me and we kill that shit like Raid kills bugs, dead.

Re:Disable it!

[Aighearach]

The summaries are never even worth reading anymore.

No one reads TFA any more, you're just now coming around to the idea of not reading the summaries, while many of us have been just reading the headlines for quite some time...

I've been doing it that way for at least 10 years. Now be a good boy sonny and fetch my pills for me, I can't seem to find them...

Re:Disable it!

[Missing.Matter]

Yes, it appears as a check-box (or equivalent), labeled "SmartScreen".

No, it does not. The exact text next to the checkbox is: "Use Windows Smartscreen Filter to Check Files and Apps with Microsoft." This is a very brief yet clear description of what the feature is and that you will indeed be checking in with Microsoft with respect to files and apps.

Especially when you are setting up your computer and can't just search for what it means because the desktop is not yet available?

Clearly you don't know what you're talking about. Have you ever actually installed Windows 8? There are two links right there in the overview screen for Express Settings. One goes into detail what each setting is for and what it does. The other details privacy information for each settings including: what it does, what data they collect, how they use the data, and how you can manage the feature (how to turn if on and off once you start using Windows). This is pretty much everything you need to make an informed decision about which settings to use.

I really don't see how you can claim given all the information Microsoft provides right there during setup that they're not being forthcoming about what this feature is and what they're doing with the data they collect.

Here is the exact privacy text relevent to SmartScreen, in very plain english, available when you are choosing default settings. Do yourself a favor and made install Windows 8 and actually use it before commenting any further about it. M'kay?

Re:Disable it!

[hairyfeet]

Because if it can't make the hash or its own files don't check it'll probably have a screaming shitfit and let the user know something is up? Look I'm no Windows 8 fan, in fact I'm quite happy that all my customers, as well as my family, are sticking with Win 7. I'll be picking me up one of those $40 Pro deals just to learn the tricks but I sure as hell ain't dealing with metro day to day, just running the CP for a month at the shop made me want to pull an Elvis on the screen.

That said I don't see any real difference between something like this and VirusTotal or how both MSE and Comodo CIS will ask to send a copy of a file its unsure of to be scanned. Its simple easier to lock something down on a remote server with no PEBKAC users running the show, or are you seriously gonna argue that grandma's Dell has better security than the MSFT security severs in Redmond?

Re:Disable it!

[rtfa-troll]

There are a whole load of "suddenly technically knowlagable" people dissembling here (I'd hate to say shills; but somewhere someone is feeding in disinformation).

• the application sends checksums to Microsoft
• those checksums correspond one to one to applications
• Microsoft will normally know which application is which
• that information will be discoverable by the Police / authorities etc.
• the application is no by default and does not ensure the user knows how it functions.

Now let's have a look at some of the language being used in the Ars Technica article.

This would allow the company to make some estimates of which IP addresses were running which software.

"some estimates" implies that there wold be uncertainty; that Microsoft wouldn't be able to say 100% that you were using a piece of software. Maybe it is Tor; maybe it's actually Tornado the game. The implication is a humal level of uncertainty which just doesn't apply.

"which IP addresses" implies that Microsoft would not know who you are. This shows an even greater level of deception. It's even trying to imply that your information may not be linked, if, for example, you change IP addresses. Microsoft has your software registration. Microsoft knows about your usage of Bing. Microsoft has your passport account. If any company other than Google can link your IP address to a particular person; that company is Microsoft.

Compared to this Ars Technica article, Slashdot is a haven of technical superiority and higher journalistic ethics and integrity. Maybe Anonymous Coward could set up a journalism course for the guys at Ars Technica.

Finally let's look at Microsoft's statement in the article (N.B. we don't get told what question this is an answer to; note that it might potentially be Microsoft answering to a question about their web sites in which case Ars Technica is again doing the deception; let's take it at face value however).

We can confirm that we are not building a historical database of program and user IP data. Like all online services, IP addresses are necessary to connect to our service, but we periodically delete them from our logs.

The entire point of this service is to build up a "historical" database of executables. It works by identifying those downloads which are known and safe by how often they are downloaded and builds up a "reputation". Ars Technica describes this as "anonymised" without going into details. If you think that they don't at least have the IP network address then I have a bridge to sell you. Let me explain a simple exploit for you: before releasing your malware, repeatedly download it on each of your computers Microsoft will sign it as as having a good reputation. Microsoft's only possible defence against this is to ensure that it knows, at least to some level, which IP addresses used which software.

Re:Disable it!

Yes, the system always favors elaborate trolls over obvious trolls.

Re:Disable it!

[ThatsMyNick]

If a hacker can modify its files, he can easily make it to not submit the hash at all (or always submit a different hash for a specific set of hashes). Unless you have hardware support (like trusted computing device), you have no way of verifying your own program has been modified. If the hacker cannot change any of your files, he cannot change your local hash list file either. So I dont see the benefit of having the hashes remotely.
 
My question still is why do they opt to do this. If I submit a completely file for unidentified hashes, I can understand. It would help them investigate it and update the hash list. I still dont see the purpose of having the hash list remotely.

Re:Disable it!

[rtfa-troll]

Horrible point, since in many cases it does function.

No no. It just seems to function because you have something to do (press the button) whilst you wait.

After I heard this story first time I actually had to go to my local lift with a stop watch and time the closing of the door repeatedly, pressing or not pressing the button more or less randomly. There was a real difference (4 seconds rather than 7 seconds from the moment that the doors reached maximum open)

Re:Disable it!

[antdude]

How about after installation? :P

Re:Disable it!

[slashmydots]

People stupid enough to not disable it are the type that also install MyWebSearch and Freeze and Maps Galaxy and I'd name more but I probably already set off your protection program with this post lol. So that actually fits perfectly, as it sounds like it may warn people about rogue co-installers on "free" games and registry utilities and crap.

Re:Disable it!

[golodh]

And you actually believe that checking the "Disable it" box will disable this facility? Or that it will not be re-enabled with just about any update?

This, unfortunately, is where the disadvantage of closed-source strikes: you cannot really verify that a device serves you instead of someone else. As soon as you install a binary, or a patch, you hand over control of your device to whoever wrote the code. We all know that. You basically need to trust the one pushing the patches to you.

Now that's not the end of the world. We've all been using proprietary (paid) software for ages and we're not exactly worse off because of that.

Unfortunately Microsoft (like most other corporate entities, from Facebook to Sony to the tobacco industry to our dear trustworthy banks) have shown that they cannot be trusted any further than they are bound by their own (commercial) interests.

And then only to the extent that their actions can be verified by independent means (such as monitoring the Internet traffic they generate). Even now (in the face of objective evidence) Microsoft trots out the denials and the weasel-wording. Imagine what they'd say if someone hadn't stumbled on to their cute little logging practice.

Unfortunately it's not in Microsoft's interest to forego a data-source like this. Far too much consumer information to be mined from this kind of thing. And besides there's the all-time favourite deal-clincher: "others are doing it too".

So there's a universal trend against this "disable it" checkbox having much significance.

Re:Disable it!

[RocketRabbit]

You'd have to be a drooling moron to go without a tinfoil hat these days. The Ars article reeks of weasel words.

Re:Disable it!

[advocate_one]

should be opt-in, not opt-out... should never be ticked on by default... the decision for the user should be whether to turn it on... not whether to turn it off...

Re:Disable it!

[rtfa-troll]

Yes, the system always favors elaborate trolls over obvious trolls.

Eventually the trolls will all be like me; posting intelligent, insightful, factual and knowedgable articles. There was an XKCD about that.

Re:Disable it!

[Zero__Kelvin]

"There was a real difference (4 seconds rather than 7 seconds from the moment that the doors reached maximum open)"

Again, on many systems it does function, as you readily agree. (though you contradict yourself in your post as well)

Re:Disable it!

[fa2k]

If Comment 13 here is right, Fedora Linux reports back every time you mistype a command... https://bugzilla.redhat.com/show_bug.cgi?id=643778#c13

Re:Disable it!

[Shining+Celebi]

What? Can you cite a source that says it works via reputation and not by a simple black list?

Re:Disable it!

[Shining+Celebi]

OK. Care to show me what about that statement is untrue?

Re:Disable it!

On the elevator I use at work, it does function. When I heard the story on slashdot that it was merely some kind of psychological placebo, I paid attention next time I used it. The "close door" button cuts more than half the time it would automatically take to close the door, depending upon when you press it (e.g., if you press it in the last second before it would automatically close anyway, obviously there isn't much difference, but if you press it immediately, it responds within a second or so). That the "close door" button does nothing might be a feature of some elevators, but not this one.

It was a ThyssenKrupp model if anyone is keeping count.

Re:Disable it!

[Zero__Kelvin]

Searching the repo is not "reporting back", and it's a bug not something designed in to the system intentionally. Furthermore, we already addressed the fact that you cannot install or download from a source without them knowing the name of the file to download and where to send it. Finally, there are many, many mirrors so unless you use Redhat's mirrors they actually don't know you installed anything.

When the system sends a notification to Redhat that you have installed something that you did not grab from the Redhat repo on Redhat's machines let me know. Until then you either don't understand how things work or are just being absurd.

Re:Disable it!

[Zero__Kelvin]

What the hell do you think a hash is? Learn about them and then you will see why your statement is absurd. Maybe. How do you think the blacklist works if the hash doesn't uniquely identify the file? Just give it up. You don't have a clue what you are talking about. That in and of itself is not bad, but acting as though you do is absurd.

Re:Disable it!

[swell]

"Comment: Re:Disable it! (Score 1)
by b4dc0d3r on 12-08-25 21:14 (#41127109) Attached to: Microsoft Denies Windows 8 App Spying Via SmartScreen

Mine is pretty accurate..."

Actually, it's not... Your History (excerpt above) says that comment is a Score 1, while the comment in the context of TFA says you earned a Score 2.

Likewise, my comment in History: "Re:Recourse (Score 4, Interesting)" actually earned a Score 5. As I mentioned, almost all my History is wrong, in a negative way.

I've checked my history several times this year and found that typical. I'll look more often to compare others' history, but I think the error is endemic to the system.

Thanks for the thoughtful reply, b4dc0d3r.

Re:Disable it!

[bloodhawk]

IF someone is not smart enough to work out how to turn it off, then chances are these are the EXACT people that should have this feature on.

Re:Disable it!

[rtfa-troll]

Maybe if I read the Microsoft blog linked from the original Sladot article about this or if I searched for the word "reputation" in the Ars Technica article, however that would involve reading the fine article and nobody on Slashdot does that; so I can't. Sorry. It would be immoral.

Re:Disable it!

[kheldan]

Why is the parent moded -1?

Likely because the jackass population on /. is too high and they enjoy modding people down for no damned good reason.

Personally I don't care if this feature is used to spy or not. I won't buy or use Windows 8 if I can possibly avoid it. I'd dump everything and finally switch to some flavor of Linux first.

Re:Disable it!

[rtfa-troll]

(though you contradict yourself in your post as well)

Damnit; Poe's law wins again.

Re:Disable it!

[Paradise+Pete]

Yes, it's really stupid to think that no response means nothing's going to happen. Sure. That's some fine interface work there, Lou.

I suppose you think a good way to solve it would be like those web "designers" who don't know what else to do but put up a message saying "do not click Submit more than once!"

Re:Disable it!

Its a little hard to to really speculate that anyone would want this function switched on as it will automatically reduce their privacy. Seems like the kind of thing MS would in fact use if it were seen as beneficial in, say, identifying people spreading file with a known signature, like Cofee for example. This sets up a bunch of flags on your account that MS later uses to determine your computer is a network risk or hands over this information to law enforcement.

Re:Disable it!

[Hatta]

Around here the crosswalk buttons are at least hooked up and responsive. I will get a walk signal if and only if I press the button, otherwise the traffic lights change but the don't walk signal stays lit. I do still doubt that they affect the timing of the lights, but they are connected to something.

Re:Disable it!

[fast+turtle]

Yet no one cares that Firefox and Google do exactly the same thing, plus that they do it with a unique key for every Firefox install. That key allows Google to identify a firefox session, even when it's "In Private"

If you block the connection to Google's Safe Browsing service at either the firewall or proxy server, then the firefox installs silently fail. You Must disable the check in about:config (safe) to do so and there are six entries and every one has to be reset to off otherwise safe browsing is not disabled. At least MS offers a straight forward method the first time IE starts up to not use the Smart Screen/Safe Browsing filter unlike Firefox/Google where they don't even tell you that they use it. Because of this, I'm more willing to trust MS instead of the Firefox/Google folks.

Re:Disable it!

[Zero__Kelvin]

Ah, yes. I see now that you were simply pointing out that some people claim that it doesn't do anything. Because I have heard this claim before, I thought you were one of those folks. I stated it works in many cases, rather than all, because it is certainly true that there has to be at least one elevator where the damn button is broken even if there is no such thing as an elevator that ignores it by design.

Re:Disable it!

[Shining+Celebi]

A hash doesn't identify an executable unless you have a list of the hashes of every executable rather than just a blacklist of malware hashes.

And again, this applies only to files downloaded with IE.

And again, the logs are wiped on a regular basis.

Even ignoring all this, you've yet to explain why it is the common man understands perfectly the ramifications of downloaded from an app store, but not that of SmartScreen. Especially when SmartScreen's potential problems are explained.

Re:Disable it!

[Shining+Celebi]

Thanks. I had not seen that. I have actually seen that notification in IE9 before, actually.

Re:Disable it!

should be opt-in, not opt-out... should never be ticked on by default... the decision for the user should be whether to turn it on... not whether to turn it off...

Based on what GP said in his old post, it is opt-in. To quote from that post (emphasis mine):

If you choose express settings while setting up Windows, you can turn on Windows SmartScreen. If you choose to customize settings, you can control Windows SmartScreen by selecting Use Windows Smartscreen Filter to Check Files and Apps with Microsoft under Help protect your privacy and your PC. After setting up windows, you can change this setting in Action Center in the Control Panel.

Additionally, they state that they will not use it to identify people. Unlike Google, Microsoft would burn if they broke their word.

I strongly oppose privacy invasive measures, but this seems like one of the better approaches possible.

Re:Disable it!

[Zero__Kelvin]

"A hash doesn't identify an executable unless you have a list of the hashes of every executable"

I guess you've never heard of Bing.

"Even ignoring all this, you've yet to explain why it is the common man understands perfectly the ramifications of downloaded from an app store, but not that of SmartScreen."

I explained it in excruciating detail. You just don't posses the mental acuity required to understand said explanation. Just accept that you aren't very bright and move along, as I ave wasted enough time trying to help you get a clue.

Re:Disable it!

Your History (excerpt above) says that comment is a Score 1, while the comment in the context of TFA says you earned a Score 2

The History has never included the karma bonus

Re:Disable it!

[drkstr1]

If you look at your "comments" list, the karma should be the same as the comment in the story. I don't think the score on your home page counts any bonus karma points ( like when you post at +2, or get an insightful bonus, for example).

Re:Disable it!

[Missing.Matter]

Why are opt-out features being bad treated as some sort of truism here? There are *reasons* why opt-out features can be bad, and I don't think they apply in this particular case. Opt-in vs. opt-out is the difference between 10% participation and 90% participation. Here we're talking about a security feature, which is especially important for mass participation for the health of the internet and singular computer systems. Further, it's a security feature which relies on reputation building, so mass participation is even more important.

Opt-out features are only bad when those features deceive or mislead the user. In this case, the user is given everything he needs to know to make an informed decision as to whether or not to keep the feature on, in very plain non-technical language. The user is told data about apps and files will be collected and sent to Microsoft, and that it will be associated with an ID that will track data over time; none of the data is personally identifiable or traceable back to him, and that it will not be used for anything other than checking files against a database and improving the service. Any user who cares about their privacy has all the information he needs to make an informed decision. There is no deception or hiding of intentions here. Even the short one sentence description says you'll be checking app and file data with Microsoft. It's all about personal choice and informed decisions. You have the choice whether to use the feature or not. You have the ability to make an informed decision. If you don't care enough to read a couple paragraphs and then turn around and complain your privacy is being violated by an opt-out feature, I have no sympathy for you.

Re:Disable it!

[cayenne8]

If you block the connection to Google's Safe Browsing service at either the firewall or proxy server, then the firefox installs silently fail. You Must disable the check in about:config (safe) to do so and there are six entries and every one has to be reset to off otherwise safe browsing is not disabled.

Interesting....do you by chance have any links to instructions on how to disable all of this in FF?

Re:Disable it!

[hairyfeet]

Because you can have the basic send files locked down as read only and unable to be modified by the user, this makes it a hell of a lot harder to crack, you'll have to find a buffer overflow or some other system crashing crack to get around it which thanks to DEP and ASLR is a lot harder than it ever was.

Whereas if you have the files themselves locally then by extension they HAVE to have read/write access or else they will quickly become as useless as that 6 year old 30 day trial of Norton that grandpa thinks is "protecting his machine" which just FYI I get a couple of those a month, people thinking that as long as they have ANY kind of security on a machine its fine, no matter if it hasn't been updated since Bush's first term.

Its simply easier to make something that only reads and lock it down than it is to make something read/write and lock it down, that's security 101. By having the read only files hashed with a salt short of taking control of the entire system and replacing all the files required to alter it at boot (no small task) it should be extremely hard to crack a system that is read only, but I come across infected machines with supposedly functional AVs all the time. How do they do it? By changing a couple of settings that are user writeable at boot, that's how.

Re:Disable it!

I'm going to go ahead and say it, but those people you describe are the EXACT people who need this forced upon them. Yes forced.

Infected and malware ridden spam hosts do nothing but cause problems and damage to others on the Internet.
These are the people running every exe they can find from the Internet and then some, spewing out spam and DDoS attacks that people such as admins have to deal with.

It was obvious these type of people can not keep their own computers clean, and they absolutely need a 3rd party to do it for them.

If they can't comprehend the consequences of turning off anti-virus functions, then I for one am very happy they will not know how to turn off this anti-virus function!

While Microsoft could have made the blacklist one that is downloaded, like most other anrivirus packages do, the fact remains that they didn't, and this small cost of privacy (only a cost to those who have shown they only use that privacy to get infected) perhaps do not particularly deserve it.

Those who know what they are doing (in running random exe's) will know what they are doing (to disable this feature).
For those who don't know, the benefit to themselves and others far far out weighs the cost.

Re:Disable it!

[ThatsMyNick]

I am not sure where you getting at. There is no such thing as a read only file. Someone (or some account) has to have a write privilege. I say give the same account write privileges to the hash file.
 
I am sorry I dont think you understand user account management or security 101.

Re:Disable it!

[ThatsMyNick]

Sorry about the name calling, I was a bit pissed.
 
To make that point a bit clear, I am proposing to give write privileges to both binaries and hash files only to a user account called "windefender". Every body else has read and execute privileges. When the binary runs, it also gets to update the list of hash files.

This is how most antivirus/antimalware programs work. Now, do you see a problem with this approach?

Re:Disable it!

[CAIMLAS]

Yes, I'm sure that's precisely the option most people who purchase a new Dell/Lenovo/HP/whatever will receive when they power on their computer for the first time.

"Would you like to prevent Microsoft from spying on you?"
"Would you like to disable SmartScreen, a revolutionary new display technology from Microsoft?"

No, there will be no such option presented to common OEM customers. It will just be left on, in much the same way that SAV and various other crapware still ships with OEM computers.

Re:Disable it!

[Waccoon]

I can also disable "Install useless 3rd-party product?" when I download a driver or runtime platform. It's still going to annoy me when I have to very carefully scrutinize every step of an install or a EULA to make sure I don't screw myself.

I've already made my decision about Windows 8 at this point. Anything else revealed about the OS will just be icing.

Re:Disable it!

[Waccoon]

They also must understand what "SmartScreen" does before being able to make an educated decision. It's kind of hard to Google it when you're computer isn't even set up yet.

Re:Disable it!

And if you get it pre-installed there is a checkbox in Action center that kills it, ...

Until the next autoupdate unchecks it for you, & the next & the next ad nauseum.

Re:Disable it!

A third advantage is that an online list is going to be more up to date, especially given that Windows typically updates once per month. Of course since it's going to access the internet anyway, SmartScreen could update the local list and then check locally.

Re:Disable it!

Well, the button is required to work for the elevator to remain operational, but it only needs to work when normal operation is overridden. The newer the elevator, the more likely that the door close button doesn't work during normal operation. That's actually to prevent people from trying to force a door closed on somebody to cause injury and later claim it was caused by the elevator so they can sue.

When the elevator is taken out of normal service, holding down the door close button will cause the doors to close, but they will open again if the button is released before the doors are fully closed. Just repeatedly pressing the door close button, or even just pressing it once and releasing it, won't do anything except cause the doors to stutter.

Re:Disable it!

[swell]

thanks drkstr1

After all these years, I should have explored my account page more carefully. Haven't figured out the reason for the difference between 'history' and 'comments' list yet, but given a few more years it may yet come to me.

Re:Disable it!

I want XP and no ribbon clutter!

Re:Disable it!

Mod bloodhawk up!

Re:Disable it!

[Ol+Olsoc]

I prefer all security settings default to enabled and I turn off what I don't need. Especially considering the wider Windows audience.

Don't know if you remember the Windows mail programs coming with all the features enabled. There were a lot of people hit by macro viruses, because yup, it was enabled in mail programs, and in office. So considering the wider Windows audience, I come to a different conclusion.

Re:Disable it!

[bjb]

Actually, the button does work but in most cases is probably disabled.

In an apartment building, most likely the button does function.

In an office building, most likely the button is disabled. Specifically, the button is disabled by the operator switches (usually those fire marshall keys below the buttons) since they do need to control the doors in some situations. On some of the more advanced elevator systems, I think they might work after a period of specified delay (just an observation).

I forget where I read about this, but it was in the same article explaining how most of the cross walk buttons in NYC aren't even hooked up though at one time they were; when the systems were computerized and synchronized with the rest of the grid, the cost of removing the buttons outweighed the small perceived benefit of having people think they're making a difference.

Re:Disable it!

Interesting....do you by chance have any links to instructions on how to disable all of this in FF?

I was confused when my browser started spontaneously opening connections to unknown IP addresses in Google's netspace. (At the time, I was restricted to - horrors! - dialup, and I really got pissed at the way the modem would keep dialing away even after I was disconnected.)

It turned out to be Firefox getting updates to the safebrowsing list.

I don't remember all the about:config settings I changed, but one of the last ones that did it was:

browser.safebrowsing.dataProvider = -1
browser.safebrowsing.enabled = false
browser.safebrowsing.malware.enabled = false

(That is, "I have/want no data provider for safebrowsing service, therefore please don't try to call any of them to get updates.")

I think I also had to do

extensions.blocklist.enabled false

...to stop it from phoning home every (extensions.blocklist.interval, by default 86400 seconds) to get a renewed blocklist of extensions.

I also had to kill off "live bookmarks" (a feature I've never used) with:

browser.microsummary.enabled false
browser.microsummary.updateGenerators false

in order to stop other unsolicited outbound network connections.

tl;dr: if you think it's hard to get a Firefox installation to stop being so chatty, wait'll you try and make a Windows machine not chatty.

Re:Disable it!

Yes, it appears as a check-box (or equivalent), labeled "SmartScreen".

Who do you think knows what that means? Especially when you are setting up your computer and can't just search for what it means because the desktop is not yet available?

It sounds safe and secure, so you statistically will leave it allowed. Will you write it down for further research on whether to leave it checked, and if not how to un-check it? Statistically, no.

Funny. Every time I see an OS feature that claims to be "smart", the first thing I want to do is deactivate it, because "smart", to me, now implies "will invade privacy or expose more security holes than it purports to close." (UPnP in XP pre-SP1, Bonjour/Zero-configuration networking in Apple-land, etc...)

Sounds lke the same thing as Google

[Meshach]

Using all user's "anonymous" information to offer a better experience. Lets of people accept it from Google. Will they accept it from Microsoft?

Re:Sounds lke the same thing as Google

[toolo]

Yep.. when you get a new 'droid, iPhone or iPad, all of your apps automatically reinstall...wonder how that happens. Just because it's Microsoft this is an issue. Actually SmartScreen on Windows 8 is a good way to see what my kid is doing on the Internet without some 3rd party crapware that is definitely using your shit in ways you don't know about. And as other posters have said you can just turn it off.

Re:Sounds lke the same thing as Google

[kwark]

"Yep.. when you get a new 'droid....automatically reinstall...wonder how that happens."

Not much to wonder about, on Android you have to opt-in to this service.
Settings -> Privacy:
Back up my data [ ]

Re:Sounds lke the same thing as Google

"Just because it's Microsoft this is an issue. "

Perhaps you'd prefer "Just because this is a company with a history of saying one thing and doing another this is an issue".

Re:Sounds lke the same thing as Google

[Shining+Celebi]

Do you opt-in to Chrome sending your URLs to Google?

Because that would be the equivalent analogy. SmartScreen sends URLs and file hashes to Microsoft, the exact same way Google's anti-malware sends URLs to Google to compare against a blacklist.

And besides, that, Google "collects" information about what you download through their store, in the same sense - you can't download the app without them knowing your IP, which is the same information Microsoft is getting. If you really cared about this kind of privacy, the app-store model is a much bigger threat than some file hashes being sent to Microsoft.

Re:Sounds lke the same thing as Google

[kwark]

-you opt to install/use chrome, it doesn't come standard. I presume people read the EULA if they install software! Same goes for Firefox BTW.
-Google collects info on what you download from the Google store. Flip the checkbox to install from other sources, Google doesn't get that info. So not exactly the same as all downloads are send to OS manufacturer.

Re:Sounds lke the same thing as Google

[Shining+Celebi]

Flip the checkbox to turn SmartScreen off then.

It's equally as simple. Probably simpler - never used an Android phone. Both are opt-out from your description, and the SmartScreen functionality seems to be outright presented as an option on installation.

I am also pretty sure that Chrome does, in fact, come standard on Chrome OS and I assume that the default web browser on Androids is Chrome or some variant thereof that sends your URLs to Google same as Chrome does.

Re:Sounds lke the same thing as Google

[wvmarle]

I think it's more like the Play Store knows what you have/had installed and will automatically re-install this. After all they do keep track of what you have installed. Backing up data is, afaik, just data: your own data. Not the apps themselves.

No direct experience with that reinstall part myself, still on my first Android.

Re:Sounds lke the same thing as Google

[shutdown+-p+now]

It actually asks you about that when you activate the new device and specify your Google ID during initial setup. And if I remember correctly, the default was "yes".

Win8 similarly asks when you run it for the first time, while setting up the user account (and the default is also "yes").

Re:Sounds lke the same thing as Google

Ahem. My Android device does NOT automatically reinstall all apps until I point it to MY personal server where backups exist on the local network. I will not let it restore otherwise (and it physically can not until it has local ssh access to my backup server). Google accounts of course have to sync with Google, but everything else is handled locally for my family's devices.

use of information doesn't matter

[sylvandb]

Collecting the information IS spying.

How the information is used after being collected does not matter for determining spying, only the motivation for spying.

Re:use of information doesn't matter

Spying is done when it's surreptitious. When it's done pretty openly (assuming you pay attention), it's surveillance.

Which can be just as creepy, but let's not pretend spying is an accurate word.

Re:use of information doesn't matter

It is surveillance when the FBI is observing a known murderer (though this is surely NOT surreptitious). That's because it is legitimate.

It is spying when one company digs through another's garbage. Or through your garbage. Or through your install logs. That's not legitimate. It's spying.

Re:use of information doesn't matter

[poity]

I thought SmartScreen just sends the name and hash of the download file. You didn't list that as spying, and while you did list "digging through your install logs" that's not the same thing.

Re:use of information doesn't matter

So should we avoid Debian as well?
After all, you're asked if you want to participate in Debian's popularity-contest, which collects information about which programs you use and sends that to Debian, when you install Debian.

Could use it in the future

[Chirs]

Note that they only say they don't do these things *now*. They don't say they won't in the future.

Re:Could use it in the future

[Ultracrepidarian]

and if they collect it, our government will demand access to it.

Re:Could use it in the future

:s/government/BSA

Sensationalism

[Altanar]

I see /. is in for another round of anti-Windows 8 sensationalism. Please read the Ars Technica article talking about this before commentating.

Re:Sensationalism

I see /. is in for another round of anti-Windows 8 sensationalism. Please read the Ars Technica article talking about this before commentating.

Ars Technica nowadays is only good for its science coverage.
For computer related stuff no way, it is plenty of apple shills and microsoft shills.

Re:Sensationalism

As opposed to slashdot's Linux and Apple shills..

Re:Sensationalism

[LateArthurDent]

I see /. is in for another round of anti-Windows 8 sensationalism. Please read the Ars Technica article talking about this before commentating.

Ah, sweet irony. Your Ars Technica article links to a wired article that argues cryptocat is no more secure than using no crypto at all, because it relies on host security, and then proceeds to defend Smart Screen using a host-security argument.

If you don't care Microsoft gets access to which programs you run / trust that they will keep the data anonymized and periodically delete the logs as you claim, by all means, don't turn off Smart Screen. That said, they have all the data they need to keep a record if every program you run, and I'd rather not take them at their word that they won't do anything bad with it.

Re:Sensationalism

As opposed to slashdot's Linux and Apple shills..

/. trumps Ars Technica.
Feel free to disagree.

Re:Sensationalism

[Eirenarch]

In other news Apple collects information for every app users install on their iPhones. So will MS on WinRT tablets and Win 8 Metro environment. In a world like this only an idiot can point a finger in a security service that uses hashes and can be turned off.

Re:Sensationalism

"Billy, don't hit people!"
"But moooom, Dennis hit people too!"
Hmmm...nope. Didn't work then, won't work now.

Re:Sensationalism

[Eirenarch]

More like "Billy, don't hit people with a stick. I don't mind if you hit them with baseball bat"

Re:Sensationalism

[cbhacking]

I was wondering how long it would take before somebody brought up Cryptocat, and whether the person doing so would have a clue or not. Looks like the answers are "not long" and "no".

The goal of SmartScreen is to warn the user against running malicious software. The goal of Cryptocat is to make a user's chat session completely untappable. Not only are these two goals quite different, but most of the weaknesses of Cryptocat are based on an environment that SmartScreen simply doesn't have. Also, it's not "no more secure than using no crypto at all"; it's "no more secure than using a web-based chat client over https without any additional crypto".

Note that of course I'm talking about the web-app version here, not the local client (browser plugin, etc).

Cryptocat has two major weaknesses against its current implementation, and a few potential weaknesses. Let's compare them against SmartScreen
1. Cryptocat is served over https, but by default most browsers will try http first. Cryptocat will redirect you to https, but if somebody is running SSLStrip (or any of the other proxying tools built using it) on your network, you'll never see the redirect. Instead, the site and all of its javascript will be sent to the proxy over https, and to your browser (potentially after modification, such as injection of a script that just steals the chat data) over http.
1.1 Smartscreen will only ever attempt to connect over SSL. SSLStrip is no threat to it

2. Cryptocat relies on the server being trusted, because it gets its code from the server. If you want to make sure somebody (some government?) doesn't intercept your chat session... don't use Cryptocat, or you're screwed. This is a promise that the web-based Cryptocat can't make, even though it really wants to.
2.1 Smartscreen relies on the server being trusted, because that's where the authoritative version of the blacklist is. This is true whether the blacklist is local or remote, so from the perspective of SmartScreen's functionality, it makes no difference. As for privacy, if somebody (government, etc.) wants to spy on you... don't use Windows. Microsoft doesn't need SmartScreen to be able to tell a lot more info about your PC than "anonymous user #1403947 executed the following downloaded programs". If you don't trust them, why the fuck are you running their OS in the first place?

3. Cryptocat, being browser-based, is vulnerable to a family of attacks against the browser and its session. For example, things like clickjacking, XSS, CSRF, and so on. Security is only as strong as the weakest link, and Cryptocat has a lot of weak links. However, even if your browsing session is compromised, your secret chat conversation isn't leaked until you hold it overa browser-based chat system.
3.1 SmartScreen runs before before the downloaded program could have a chance to take over your computer. However, if your computer is already compromised, the attacker has no need of SmartScreen, and if your computer isn't compromised, SmartScreen doesn't offer any new way for a (non-MS) attacker to compromise your privacy.

Re:Sensationalism

Stoopid peeple like get fuck by MS cock.

Re:Sensationalism

[VortexCortex]

I see /. is in for another round of anti-Windows 8 sensationalism.

Yep, reminds me of all the Visa BS. Win will they learn, eh? Just because MS sometimes makes a shit OS every once in a while, doesn't mean any of the others are any more acceptable.

Re:Sensationalism

[LateArthurDent]

Cryptocat has two major weaknesses against its current implementation

I wasn't arguing for the security of cryptocat. I hadn't even heard of it before I saw the article. I was merely commenting on the irony that the same (in my opinion, very valid arguments) against cryptocat in the wired article linked in the Ars Technica article would also apply to Smart Screen.

Also, it's not "no more secure than using no crypto at all"

Right, I doubt that would be the case too, but from the article I'm talking about, "More generally, your security in a host-based encryption system is no better than having no crypto at all."

Basically, that article really slams cryptocat for the host security issue, or as you've worded it yourself:

Cryptocat relies on the server being trusted, because it gets its code from the server.

I think this is a good point, but you try to argue against it when talking about Smart Screen by following it through with a logical fallacy:

Smartscreen relies on the server being trusted, because that's where the authoritative version of the blacklist is. This is true whether the blacklist is local or remote, so from the perspective of SmartScreen's functionality, it makes no difference. As for privacy, if somebody (government, etc.) wants to spy on you... don't use Windows. Microsoft doesn't need SmartScreen to be able to tell a lot more info about your PC than "anonymous user #1403947 executed the following downloaded programs". If you don't trust them, why the fuck are you running their OS in the first place? [emphasis mine]

There are levels of trust. I trust that the guy changing my oil isn't going to cut my brakes just because he'd like to see me burn. I don't trust him enough to leave $500 in cash lying around in the car when I hand it over to him. Similarly, I trust Microsoft enough to feel comfortable using their OS, and I may even trust them that they don't plan on doing anything with the Smart Screen data NOW. I don't trust that in the future some company exec isn't going to go, "you know, we have all this data coming in...let's monetize it!" in a way I wouldn't approve of, and by then it's too late.

hahahahahaha

Trust us, we promise, cross our heart and pinky swear, that just because we have built this feature into Windows 8 doesn't mean we will actually use it. It's there because of out incredible commitment to customer service and making the windows experience as user friendly as possible because we... uhhh excuse me, are you downloading firefox? Uh huh.. stop it. We said STOP IT!! Aright, you leave us no choice but for your safety and browsing ease your copy of Windows 8 has just been declared non genuine and will be locked.

So what is it?

[jimmydevice]

"We donâ(TM)t use this data to identify, contact or target advertising to our users and we donâ(TM)t share it with third parties."
Used internally for non-advertising purposes?

trust us

[frovingslosh]

Might as well say "We put a lot of work into collecting that information, and exposed ourselves to the risk that people concerned with privacy (or even someone in the government that we don't own) might accuse us of something, but we are not going to use the information for anything". They have no credibility no matter what lie they come up with.

Um.. They didn't exactly deny it.

[Ransak]

TFA just says they aren't doing anything with the information... for now. That doesn't mean the FBI or whatever 3 letter agency can't put a shunt between the Internet and their SmartScreen servers. It's a sniffing vector.

Re:Um.. They didn't exactly deny it.

[Penurious+Penguin]

A fair point, no doubt; but the word "deny" in Microsoft-context carries pretty strong connotations of incredulity. I think the title simply serves as a sort of aperitif, which worked well enough for me. In other words, Microsoft can deny whatever it wants and (knock on wood) people will still proceed to think.

Re:Um.. They didn't exactly deny it.

[cbhacking]

So what? If the feds want to know what you're downloading and such, it's a hell of a lot easier to go through your ISP. Smartscreen as a sniffing vector is technically true but completely irrelevant to the difficulty of the attack you propose.

Re:Um.. They didn't exactly deny it.

[Penurious+Penguin]

That confuses me slightly. I have vague recollections of using my computer while away from home. And if laptops are actually becoming more popular than desktops, I fear I may become more confused. Naive as I am though, I'd probably even say that laptops are already more popular than desktops, and 'mobility' seems to be one their most marketable features. Now if I changed my MAC address before connecting to another random ISP, how would they identify me? Maybe you are like me in assuming ISPs like Verizon have been logging MACs? Unlikely, I know. So please explain.
PS: My sarcasm is immediately null upon any sincere reply. It's just that your comment seemed to warrant a teaspoon or so of it. I have indeed been threatened with 'multiple assholes' here on slashdot, and one is enough for me, and presumably for anyone else too. You may consider me benign.

Re:Um.. They didn't exactly deny it.

Oh no! The FBI would know the MD5 hash and the name of my executable files I downloaded! Of course, when I say "I", what I really mean is a really long GUID that the FBI and/or Microsoft might or might not know is "me"... But let's face it. If the FBI is that interested in you, they know every site you've visited, every file you've downloaded, every page you've read, and probably installed a keylogger on your machine since you were stupid enough to not be using linux for your web-browsing.

Re:Um.. They didn't exactly deny it.

[Ransak]

I'd hardly call it irrelevant, think about it for a moment. Let's say the authorities (pick your country) decided that anyone installing a specific application (for example, the Bitcoin wallet app, or even a specific political party app if you're more inclined to believe in conspiracies) is a 'person of interest'. It doesn't take a huge leap of imagination to picture what a little data mining could do from there.

A more reasonable story

[MSTCrow5429]

http://arstechnica.com/information-technology/2012/08/windows-8-privacy-complaint-misses-the-forest-for-the-trees/

Re:A more reasonable story

[Ol+Olsoc]

It's a matter of credibility.

That screen is telling you that Microsoft is protecting your privacy. Perhaps sending the IP of every site you visit and every file you download is protecting your privacy? Doubleplusgood!

Oh, wait. You send the "Do not Track" button. With all due respect, I suspect that once you hit the do not track button, your IP addresses, history and downloads will be considered much more interesting to people who might find them interesting because you asked them not to track you.

Re:A more reasonable story

[PNutts]

I'm more worried about Comcast / AT&T than Microsoft.

However

Apple knows not only what applications you have, when you use them, how many times you use them, but where you are down to a resolution of 10m anywhere on the planet you are, at anytime.
doesnt matter if you are a politician, gangster or regular joe

and you are worried about Microsoft ? lol

bottom line is:
do you trust an "American" multi national company with your personal data ?

Re:However

I doubt that people concerned with privacy intrusion by MS are iPhone users

Re:However

10m? Are you basing that on GPS? Or are you (more realistically) basing it on a combination of GPS, distances to cell towers, distances to wifi hotspots, accelerometers and the distance to other devices (which also supply the same positioning information)? Or you can use variations in the signal strength on both GSM and wifi correlated with accelerometers to detect movements around you, and if two nearby devices detect a similar movement nearby they get additional information about their relative position to each other. Heck, using the microphones you could detect differences in ambient sounds to compare the relative distance between two devices and a noisy common source.

10 meters is highly optimistic/pessimistic. I'd be surprised if they can't uniquely identify poeple solely based on their position.

we don’t share it with third parties

[fustakrakich]

Unless they have a warrant, right? Sorry MS, we don't want you to collect anything that can be used against us. But since there's no way of knowing, we just have to assume that you are going to anyway, despite whatever statement you make to the contrary.

Is it possible to downmod an entire submission?

[93+Escort+Wagon]

Because this particular story needs to be marked "-1, Flamebait".

Re:Is it possible to downmod an entire submission?

[fustakrakich]

More like 'Redundant'. How times must we be told what we already know? Microsoft, and Apple, and the whole internet are spying. Nobody cares. They still suck it up, and buy their shit as fast as they can.

Its My IP Microsoft, I'll send ya a bill!

I charge $10,000 USD for a 1 year subscription to my metrics. Where shall I send the bill?

Developers...

http://www.youtube.com/watch?v=KMU0tzLwhbE

Re:sucks to be u

double hipster

Question?

[cyberzephyr]

Is there a way to turn it off after installation? I will also mention the fact that a bunch of bundled software can be gotten rid of after you turn on your brand new laptop/PC.

Re:Question?

[cbhacking]

Yes. It can be turned off at install, at first boot (for pre-loaded images), or at any time while logged in. There are even instructions from Microsoft for doing so!

Re:Question?

[cyberzephyr]

Well then why is there an argument about a question? (i know it's not you).

"we don’t share it with third parties"

Oh, no, of course not. They just share it with the first party; the National Fascist Party.

Microsoft - same as it ever was (repeat)

It remains a proprietary OS. XP & 7 continue to have remote exploits patched, some, like with XP, were open for years without patches.

I would consider my privacy and security to be null and void in such an environment, whether or not there is an 'opt-out' of this particular feature.

Users should really opt-out by choosing a more open platform and storage space for their precious data.

Computers are designed to collect information

[aNonnyMouseCowered]

I wouldn't go that far. Or do we call news reporters "spies" as well?

More to the point, whenever we connect to another computer or information storage device, information is collected. Our own smart phones do that when it connects to a WIFI hotspot and retains that information for at least the duration of the connection. Web servers continuously collect information from clients. That's one of the ways you prevent a DDOS attack by dropping clients known to make too many requests within a short period.

As far back as when the first punch cards were manufactured, computers have been designed to collect and possibly retain information. Hell, even a flesh-and-blood human standing in a corner collects information. That's how we form memories of that hot chick or hunk standing across the street. Now, it would be a different matter if I started following the object of my casual observation. In real life, that would be stalking, and would definitely fall in the category "spying".

Re:Computers are designed to collect information

[10101001+10101001]

I wouldn't go that far. Or do we call news reporters "spies" as well?

News reporters have neither the inclination nor the means to look over our shoulder every minute of the day while using any particular device or do any particular activity, as a point--with the exception of specific people of interest. If they did, yes, we'd call them spies.

More to the point, whenever we connect to another computer or information storage device, information is collected. Our own smart phones do that when it connects to a WIFI hotspot and retains that information for at least the duration of the connection. Web servers continuously collect information from clients. That's one of the ways you prevent a DDOS attack by dropping clients known to make too many requests within a short period.

Well, what do you know, the point that web sites do collect such information is an actual point of contention for precisely the reason that the gathered information can be used to form a picture of a person's browsing habits. This is one reason why there's been such broad discussion about Google and Facebook and the privacy concerns of their users. In fact, it goes to the point that journalists do speak of Google and Facebook "spying" on its users precisely because of the degree of data collection. But, then, I'd presume you recognize that the "collection" being spoke of is more than the transient and necessary stateful information needed for common transaction which is quickly forgotten as a matter of course.

As far back as when the first punch cards were manufactured, computers have been designed to collect and possibly retain information. Hell, even a flesh-and-blood human standing in a corner collects information. That's how we form memories of that hot chick or hunk standing across the street. Now, it would be a different matter if I started following the object of my casual observation. In real life, that would be stalking, and would definitely fall in the category "spying".

And with computers (or license plate cameras), that "flesh-and-blood human standing in a corner collect[ing] information" becomes an impersonal, vast data bank of information. Couple that with fantastic computing power and data mining algorithms, and you have the recipe for the potential for inherent stalking on a massive scale. So, every time it's possible that information is being warehoused, people want to know *before* it gets to the point that the warehouse is full and the data mining begins. But, you know, that's just crazy conspiracy theory stuff. I mean, it's not like some mostly faceless corporation has ever been caught doing such things before... And golly, it's not like the government would buy or coerce a company for that information at a later date to effectively blackmail whoever of the population they need/want to.

Tin Horns & Tin Opinions

[Penurious+Penguin]

Only because the term "tin foil hat" when used to express contempt for those who contort reality is actually and properly an "aluminum foil hat" (or aluminium if you insist), I call you a hypocrite. There is enough even in the sacred arstechnica version of this story to warrant liberal paranoia. Why not save the tin-card for a better occasion, like one where someone is denying a tangible and verified reality and not just making a simple mistake?

Sure, sure.

Yeah right and the government didnt create aids as a way to kill homos.

and now that third parties know its there....

you know they gonna want it you know it and lawsuits and laws and all that gonna cause it to happen by bribed us politicians

buuuulllshiiittt

if you're going to do nothing with it, don't fucking collect it.. and don't give me bs about "to improve our operating system and services"

OBVIOUS...

IT'S A TRAP

Micosoft deny everything

They all stupid cunt. They try fuck us. Stupid sheeple bend over let ballmer shove dick in ass. You don't be stopid. You try apple. Apple dick not so big. Some day you learn computer don't let any dick.

It sound ok but most people still let fuck by bill gates gigacock in ass and mouth.

Re:MS needs effective leadership

They fuck two many asshole. They have rotten brain. User should learn that MS give sifalis and ades.

I'm confused.

It is purely an anti malware prevention system

Is that so that it's not so that it isn't not an anti malware prevention system or is it so that it isn't not so much a so-so anti malware prevention system.

And if so, when?

Re:I'm confused.

[Pikoro]

Is this your entry to the English grammar obfuscation contest? Wow, my head hurts.

Re:I'm confused.

Is this your entry to the English grammar obfuscation contest?

My response was my way of being funny and saying "bullshit!" to both the post and to the dead brains that modded it up (the horrible modding at Slashdot has always pissed me off).

The pp got modded "5, Informative", yet it conations the grammatically-abhorrent statement (and bad logic): "It is purely an anti malware prevention system"

That is totally wrong. It is a "malware prevention system" not "an anti malware prevention system" (I won't even lower myself to debate the errant use of the word "system" - a word so fucked up by modern-age marketing as to lose all meaning).

I just pray that the person who wrote the pp never writes a piece of code on which lives depend.

The pp was dead wrong. End of story.

We will not

>"We don’t use this data to identify, contact or target advertising to our users and we don’t share it with third parties

Yeah but your marketing department will

No spying????

[stanlyb]

So, if i f%^$^%$% you, without your consent, that does not mean that i rape you, nooooo,i am just f^^%$^%$^% you.

Old Technology

How long has SmartScreen been in IE? And nobody complained then. Moving along...

Re:sucks to be u

[phantomfive]

I was hip before it was hip to be hip and put some hip in your hip so I could hip while I hipped. Now everyone's doing it.

Of course Microsoft is spying.

[Animats]

Of course Microsoft is spying. They have admitted that they are receiving the data they were accused of receiving. At best they're saying that they won't use the data for advertising purposes.

If they wanted to do this without spying, they could load the signatures of the top 10,000 known-good executables into a file sent out with Windows Update. Those wouldn't need to be checked. Only when some unknown executable showed up would a remote check be necessary.

When a remote check is necessary, Microsoft only needs to see the hash. They don't have a need to know the URL from which the executable came. Only when the user is presented with a dialog indicating that a never-before-seen executable has been found is there any need to send a URL to Microsoft. At that point the user should have the option to delete the executable and not send the URL to Microsoft.

Instead, Microsoft has designed this system to tell Microsoft more than it needs to know to do this job. Thus, it is spying.

Doesn't really matter

Windows 8 (all its associated 'ecosystem') will be a colossal flop, and whether it spies/collects data/phones home to Redmond should be the least of Microsoft's worries.

If you're not spying, then why collect information at all?

I thought Microsoft was an enlightened champion of privacy, when 'Do Not Track' is turned on by default in IE10.

They said "don't", but not "won't"

[AliasMarlowe]

From TFS and TFA:

The article quotes a Microsoft spokesperson as saying: "We don’t use this data to identify, contact or target advertising to our users and we don’t share it with third parties."

Now, if they had said "don't and won't", then that would mean something. Just saying "don't" means they don't do it today with no guarantee about what they might do with all that data at some future date. Color me unimpressed.

A quibbler might also note that the spokesperson only mentioned the data itself, not results extracted from it. Color me unimpressed yet again.

This is fishy.

[voltorb]

They're not telling what kind of information they're sending over is or for what purposes they're going to use it. Instead, they just rule out a few things. This makes it even more suspicious. And since I don't use Microsoft programs, I don't know, but is it enabled by default?

Re:This is fishy.

[Missing.Matter]

No, in fact if you ever installed Windows 8 you would have been given the opportunity to read the following privacy information with respect to SmartScreen:

Information collected, processed, or transmitted

If you choose to use this feature, information about some of the apps you use and some of hte files you download from the Internet will be sent to Microsoft. This information may include a file name, file ID ("hash"), and digital certificate information along with standard PC information and the Windows SmartScreen filter version number. To help protect your privacy, the information sent to Microsoft is encrypted.

Windows SmartScreen randomly generates a number called a GUID that is sent to Microsoft with your SmartScreen usage data. The GUID lets us determine which data is sent from a particular PC over time. The GUID does not contain any personal information.

Use of Information

Microsoft uses the information described above to provide warnings to you about potentially unsafe files and apps. We also use the information to analyze performance of the feature to improve the quality of our products and services. We use the GUID to determine how widespread the feedback we receive is and how to prioritize it. For example, the GUID allows Microsoft to distinguish between one computer experiencing a problem one hundred times and one hundred customers experiencing the same problem once. Microsoft doesn't use the information to identify, contact, or target advertising to you.

None of this information is new, or surprising. Microsoft has been completely transparent about it, and this information has been in the install of Windows 8 forever. This is just proof that most Slashdot users (including you) have never really actually used or installed Windows 8, since they are suddenly blowing up about a feature they would have known about and been using if they actually used Windows 8.

Re:This is fishy.

[voltorb]

Thank you, Microsoft. However, if you read it carefully, you will see that it says "We will use it for A and B. We won't use it for X and Y" and it doesn't say "We will use it for and only for A and B". This is why they need to mention that "we won't use it for X and Y". Of course I haven't actually used or installed Windows 8! Microsoft is known to lie and subvert their users, and I wouldn't trust anything with them. I haven't forgotten about their smear campaigns and FUDs on Open/Free software, Halloween documents or their beloved manipulation tactics "embrace, extend and extinguish".

Software developers

[fa2k]

I wonder if they'll send a new hash every time I compile my program and run it..? It's not really a problem, but they'll get 20 - 1000 entries from every software developer every day.

It technically isn't "spying"

Actually, I looked up the word "spying" in the dictionary, and I technically think that it is correct in that they aren't doing it.

If you go by the definition, it would only be spying if what they were doing is secret; it isn't since they aren't hiding the fact. Or if they were specifically targeting the secret behavior of someone or collecting this information on behalf of a government etc.

So, while what they are doing is just like "spying", it technically isn't, since they aren't keeping it a secret or doing it for the US government. Perhaps they should have used the phrase "tracking by default" or similar ;)

I don't recognize this company...

Just wondering if /. should follow suit and change the logo of the topic ? :)

Translation from BusinessSpeak

[hyades1]

"We don't use this data to identify, contact or target advertising to our users and we don't share it with third parties."

There are certain grammatical rules in BusinessSpeak which should be kept in mind. For example, in proper BusinessSpeak, the phrase "At this time" which goes before "we" in the preceding quotation is silent.

Spying

[Hatta]

Let's use Microsoft's language to see if we can justify other instances of spying:

"We donâ(TM)t use this hole in the girl's lockerroom wall to identify, contact or target advertising to our users and we donâ(TM)t share it with third parties."

Does that work? No? Then why should it work here?

There you have it folks! apk

"There is a check box where you can disable this 'feature' before installation. Nothing to see here...." - by zenlessyank (748553) on Saturday August 25, @06:51PM (#41125477)

Another /. attempt by /. "penguin trolls" @ making MS look "bad", only to get egg on their faces, lol, & foiled by zenlessyank (good job)...

APK

P.S.=> /. penguin trolls - you KNOW you can't help but FAIL... apk

You and I know you will not be able to

Enable Java script forever were near the end.
I hit a web site the other day and it got me my update flash popped up looked legit I hit OK bam got a very nasty virus. Lost everything had to reinstall.
Getting use to win 8 still don't like it.

This is the end...

The end of Slashdot

The Key

[Digital+Vomit]

Whether it's "spying" or not, Microsoft is collecting certain information with SmartScreen â" the key is what's done with it

No, the key is that it's being done at all, regardless of what they plan on using the information for. Once they have it, it can be stolen, or MS could be lying or change their minds, etc.

All that hard drive space but HISTORY limited?

Maybe we do not need Win 8, but Win XP 10000. Meager 20 days default, and cannot go back to the few pages (some 900 sites) visited in two years. It speaks of miserability. If it comes to accumulating data, HISTORY would be worth it, but MS prefers to accumulate... installations? Why not just ask for a copy of the FAT? Maybe because Search is no longer working swell...