dslreports logo
site
 
    All Forums Hot Topics Gallery
spc

spacer




how-to block ads


Search Topic:
uniqs
2977
share rss forum feed


howardfine

join:2002-08-09
Saint Louis, MO

Windows8 tells Microsoft everything you install

Including your IP address: »log.nadim.cc/?p=78

1) The big problem is that Windows 8 is configured to immediately tell Microsoft about every app you download and install.

2) This problem can however get even more serious: It may be possible to intercept SmartScreen’s communications to Microsoft and thus learn about every single application downloaded and installed by a target. The Microsoft server is configured to support SSLv2 which is known to be insecure and susceptible to interception.

3) The user is not informed of this while installing and setting up Windows 8



JohnInSJ
Premium
join:2003-09-22
Aptos, CA

I'm not quite so sure he didn't click through some settings to get where this is enabled. Microsoft publishes its personal data retention policies already, usually its 6 months max retention on anything that can be identifying

(bing knows your IP address and everything you search for!)
--
My place : »www.schettino.us



Cudni
La Merma - Vigilado
Premium,MVM
join:2003-12-20
Someshire
kudos:13
reply to howardfine

Click for full size
It can be disabled in Action center, for those so inclined. Otherwise I think it is a good feature designed to prevent the malware infiltration. Some AV have something similar that checks, and therefore knows what is and if the installed apps are know as good/bad. But writing a slightly alarmist article brings readers

Cudni
--
"what we know we know the same, what we don't know, we don't know it differently."
Help yourself so God can help you.
Microsoft MVP, 2006 - 2012/13


markofmayhem
Why not now?
Premium
join:2004-04-08
Pittsburgh, PA
kudos:5
reply to howardfine

Privacy like this concerns me. Let us fix some of the factual errors and get the real story out so that those concerned can make clear and wise choices.

said by howardfine:

1) The big problem is that Windows 8 is configured to immediately tell Microsoft about every app you download and install.

No, it does not. Download away, no one is tracking. When an application begins installation, from any source, not just downloaded applications, the installer's checksum and your current IP address are hashed and uploaded by SmartScreen.

said by howardfine:

2) This problem can however get even more serious: It may be possible to intercept SmartScreen’s communications to Microsoft and thus learn about every single application downloaded and installed by a target. The Microsoft server is configured to support SSLv2 which is known to be insecure and susceptible to interception.

Man in the middle attacks are possible to intercept ANY data you send, including your bank account. The SmartScreen data is no more or less secure than online banking, it is using HTTPS with CA root. The hashes would still need decrypted and decoded. This is a large concern in non-free countries where state-run internet and freedom hating governments will desperately try to break "the code" to see what applications are being installed. It is of little-to-no concern for the 99.9% of people able to come here and read this and the least of worries for the 0.1% of oppressed internet dwellers who have issues with great firewalls and complete sniffing/knowledge of internet traffic anyway. In other words, no changes happen. Where government was already watching, they already knew...

said by howardfine:

3) The user is not informed of this while installing and setting up Windows 8

The user IS informed during EULA acceptance. They are not, however, hand-held to the exact check-box to disable SmartScreen. SmartScreen can be shut off/down and is enabled by default.
--
Show off that hardware: join Team Discovery and Team Helix


howardfine

join:2002-08-09
Saint Louis, MO

said by markofmayhem:

1) The big problem is that Windows 8 is configured to immediately tell Microsoft about every app you download and install.

quote:
No, it does not. Download away, no one is tracking. When an application begins installation, from any source, not just downloaded applications, the installer's checksum and your current IP address are hashed and uploaded by SmartScreen.
But he shows where it is apparent something is being sent to Microsoft.

said by howardfine:

2) This problem can however get even more serious: It may be possible to intercept SmartScreen’s communications to Microsoft and thus learn about every single application downloaded and installed by a target. The Microsoft server is configured to support SSLv2 which is known to be insecure and susceptible to interception.

quote:
Man in the middle attacks are possible to intercept ANY data you send, including your bank account.
He's stating the form of encryption they are using is insecure, not that data can be intercepted, iirc.

said by howardfine:

3) The user is not informed of this while installing and setting up Windows 8

quote:
The user IS informed during EULA acceptance. They are not, however, hand-held to the exact check-box to disable SmartScreen. SmartScreen can be shut off/down and is enabled by default.

And we all read through EULA, don't we?


JohnInSJ
Premium
join:2003-09-22
Aptos, CA

said by howardfine:

And we all read through EULA, don't we?

No, but if we don't it's our fault.
--
My place : »www.schettino.us


markofmayhem
Why not now?
Premium
join:2004-04-08
Pittsburgh, PA
kudos:5

1 edit

2 recommendations

reply to howardfine

said by howardfine:

blah blah blah...

You completely misinterpreted the intention of my post, the factual data you paraphrased as well as the article's intention to hype known HTTPS short-comings should be communicated alongside the privacy concern of data collection and retention without specific authorization.

- General authorization is given through acceptance of the EULA
- The collection and retention of the installer's hash can be turned off
- It affects ALL installations, not just downloads
- It affects ONLY installations, no record of downloads is collected
- The HTTPS protocols used is the same as online-banking, by default Windows uses SSLv3 and TLS 1.0
- The server that the information is sent to responded to an SSLv2 request, it is not using SSLv2 for this transmission, but the server is able to use this protocol if you wish
- Man in the middle attacks are possible, what data transmission isn't?
- Not different from Symantec's "reputation" and similar security suite measures to identify installers that lead to malware/virus.
- Tin-foil hat wearing people already know that every 1 and 0 on the internet is recorded to the person sending/receiving in a detailed, instantly available database. This is no threat either.
- Linux distro's have recorded "download and install" statistics for many years from their repo's with no way to "opt out" and many do not use HTTPS.
- Apple does this too.

Privacy concerns:
- The installer file only is used (research still underway)
- The file name of the installer is recorded (new finding)
- Information is hashed and sent over HTTPS to apprep.smartscreen.microsoft.com
- Data is retained
- This is done without specific action authorization, but instead from general authorization of having agreed to install Windows 8.
- Your IP address may be recorded

More in-depth analysis without the fear mongering here:

»www.withinwindows.com/2012/08/24···n-scare/
--
Show off that hardware: join Team Discovery and Team Helix


howardfine

join:2002-08-09
Saint Louis, MO

said by markofmayhem:

said by howardfine:

blah blah blah...

You completely misinterpreted the intention of my post, the factual data you paraphrased as well as the article's intention to hype known HTTPS short-comings should be communicated alongside the privacy concern of data collection and retention without specific authorization.

I believe he does just that in the article I link to. What you link to essentially says "No, Microsoft would never do that." As if Microsoft is to be trusted to do nothing with what they are collecting for some reason.

The point is, what you download/install and your IP are sent to Microsoft and collected/stored insecurely.


MSeng
Premium,Ex-Mod 2001-08
join:2000-07-13
Ork
kudos:6
reply to markofmayhem

Great post. It's always nice to see unprofessional FUD shot down in a professional manner.
--
A)bort, R)etry, I)nfluence with large hammer.



markofmayhem
Why not now?
Premium
join:2004-04-08
Pittsburgh, PA
kudos:5
reply to howardfine

said by howardfine:

said by markofmayhem:

said by howardfine:

blah blah blah...

You completely misinterpreted the intention of my post, the factual data you paraphrased as well as the article's intention to hype known HTTPS short-comings should be communicated alongside the privacy concern of data collection and retention without specific authorization.

I believe he does just that in the article I link to. What you link to essentially says "No, Microsoft would never do that." As if Microsoft is to be trusted to do nothing with what they are collecting for some reason.

The point is, what you download/install and your IP are sent to Microsoft and collected/stored insecurely.

There is no evidence that IP's are captured or stored. The only sent information is file name and SHA256 checksum of the installation file itself.

There is no evidence the data is collected/stored insecurely (Socket Layer's don't protect stores, it is similar to saying that carbon fiber is stronger than iron, so do NOT take your kids to the zoo because the lions will eat them).

The privacy concern is that the file name and hash is sent to Microsoft in any program you install on Windows 8. That's it. The rest is FUD and technical naivety over servers, clients, and how the internet communicates between them; greatly misunderstood by Nadim Kobeissi and those paraphrasing him to further exaggerate.
--
Show off that hardware: join Team Discovery and Team Helix


Woody79_00
I run Linux am I still a PC?
Premium
join:2004-07-08
united state

»www.withinwindows.com/2012/08/24···n-scare/

just by taking a quick glance at the file above, These fields stand out to me:

ID 0F98AD9C-D498-42B3-B421-E6C97A8E61E7
GB68802CA-B396-4773-8FD9-EEECA4DE65D9
LZW4tVVM=
OS6.2.9200.0.0
IOS4xMC45MjAwLjE2Mzg0
C10.00.9200.16384


Now a few of those fields look like "hardware hashes" to me. (Incase you don't know, Windows takes hashes of your motherboard, hard drive, etc when installing and activating Windows)

So if those are indeed hardware hashes (i figure they are) then that means Microsoft can identify the hardware of the computer that installed the app which means the computer itself can be identified. This means the owner of the PC can be uniquely identified because they have the ID's of the hardware and can match them to the Windows Activation Database.

Yup i doubt i'll be getting Windows 8 at home, and i will be purchasing a bunch of Windows 7 licenses before Windows 8 releases because i'll just take a pass on this one. If folks want to buy/use this please by all means go for it. I just choose not too. I will wait for Win 9



digitalfutur
Sees More Than Shown
Premium
join:2000-07-15
BurlingtonON
kudos:2

Even if the owner is "unique", it's no more personal now than it was before; but I know that won't stop you from believing it is, as a reason not to get Windows 8.



markofmayhem
Why not now?
Premium
join:2004-04-08
Pittsburgh, PA
kudos:5
reply to Woody79_00

said by Woody79_00:

»www.withinwindows.com/2012/08/24···n-scare/

just by taking a quick glance at the file above, These fields stand out to me:

ID 0F98AD9C-D498-42B3-B421-E6C97A8E61E7
GB68802CA-B396-4773-8FD9-EEECA4DE65D9
LZW4tVVM=
OS6.2.9200.0.0
IOS4xMC45MjAwLjE2Mzg0
C10.00.9200.16384


Now a few of those fields look like "hardware hashes" to me. (Incase you don't know, Windows takes hashes of your motherboard, hard drive, etc when installing and activating Windows)

So if those are indeed hardware hashes (i figure they are) then that means Microsoft can identify the hardware of the computer that installed the app which means the computer itself can be identified. This means the owner of the PC can be uniquely identified because they have the ID's of the hardware and can match them to the Windows Activation Database.

Yup i doubt i'll be getting Windows 8 at home, and i will be purchasing a bunch of Windows 7 licenses before Windows 8 releases because i'll just take a pass on this one. If folks want to buy/use this please by all means go for it. I just choose not too. I will wait for Win 9

Using Base64 decoder and common sense:

ID and G are public CA keys, way too small for "hardware hashes"
L is locale (this decodes to "en-US" for Base64)
OS is the OS version
I and C are versions of installer and C, D, etc. are secondary versions (I in Base64 decodes to "9.10.9200.16384"

»gist.github.com/3448961

Here's a request and response. The more information the installer has attached to it, the more is sent in the request. You will notice that "ID" is missing here. The request is to get the response. Notice the "Rep", Y and "Rep level", 100, in the response. Nefarious things may be done with the data sent, but the goal is to get the reputation and malware "index" of the installer, not collect information. Though, we know information will be collected, which brings us back to the privacy concerns.
--
Show off that hardware: join Team Discovery and Team Helix

OZO
Premium
join:2003-01-17
kudos:2
reply to markofmayhem

said by markofmayhem:

said by howardfine:

2) This problem can however get even more serious: It may be possible to intercept SmartScreen’s communications to Microsoft and thus learn about every single application downloaded and installed by a target. The Microsoft server is configured to support SSLv2 which is known to be insecure and susceptible to interception.

Man in the middle attacks are possible to intercept ANY data you send, including your bank account. The SmartScreen data is no more or less secure than online banking, it is using HTTPS with CA root. The hashes would still need decrypted and decoded. This is a large concern in non-free countries where state-run internet and freedom hating governments will desperately try to break "the code" to see what applications are being installed. It is of little-to-no concern for the 99.9% of people able to come here and read this and the least of worries for the 0.1% of oppressed internet dwellers who have issues with great firewalls and complete sniffing/knowledge of internet traffic anyway. In other words, no changes happen. Where government was already watching, they already knew...

Don't be ridiculous. If they were concern about "freedom hating governments", they would not send all that information, tracking computer usage, in a first place...

I think they better be more concern about their own bottom line, since they start pushing that Windows 8 new design, which seems like a big failure now. Couple of days ago we have discussed how Windows 8 Defender (enabled by default too) silently removes ad.doubleclick.net from hosts file. And now this... Who is going to buy Windows 8 with all of that???
--
Keep it simple, it'll become complex by itself...


markofmayhem
Why not now?
Premium
join:2004-04-08
Pittsburgh, PA
kudos:5

said by OZO:

said by markofmayhem:

said by howardfine:

2) This problem can however get even more serious: It may be possible to intercept SmartScreen’s communications to Microsoft and thus learn about every single application downloaded and installed by a target. The Microsoft server is configured to support SSLv2 which is known to be insecure and susceptible to interception.

Man in the middle attacks are possible to intercept ANY data you send, including your bank account. The SmartScreen data is no more or less secure than online banking, it is using HTTPS with CA root. The hashes would still need decrypted and decoded. This is a large concern in non-free countries where state-run internet and freedom hating governments will desperately try to break "the code" to see what applications are being installed. It is of little-to-no concern for the 99.9% of people able to come here and read this and the least of worries for the 0.1% of oppressed internet dwellers who have issues with great firewalls and complete sniffing/knowledge of internet traffic anyway. In other words, no changes happen. Where government was already watching, they already knew...

Don't be ridiculous. If they were concern about "freedom hating governments", they would not send all that information, tracking computer usage, in a first place...

Who is not concerned? Microsoft or the people claiming that the server allowing SSLv2 connections is the largest security threat of Windows 8? I am not a Microsoft apologist, I am only calling bullshit on Nadim Kobeissi's lack of knowledge and those propagating exaggerated security threats of an unused, yet supported, socket layer.

Pro tip: add hosts to the excludes list in Defender and your changes will stick.
--
Show off that hardware: join Team Discovery and Team Helix


howardfine

join:2002-08-09
Saint Louis, MO
reply to markofmayhem

said by markofmayhem:

There is no evidence that IP's are captured or stored.

Yet the IP can be known and associated with what you install. One of the points of the article. It CAN be done.
quote:
There is no evidence the data is collected/stored insecurely
So Microsoft is being sent the data for what reason? Only to discard it?
quote:
The privacy concern is that the file name and hash is sent to Microsoft in any program you install on Windows 8. That's it.

And that's the whole point. Why are you fighting it?


JohnInSJ
Premium
join:2003-09-22
Aptos, CA

said by howardfine:

quote:
There is no evidence the data is collected/stored insecurely
So Microsoft is being sent the data for what reason? Only to discard it?

The data is being sent to check against a list of known bad software, which is then used to send back a "uh, did you mean to install this spyware" prompt, ONLY if the option is enabled.

If you don't like it, turn off the feature. Problem solved.

Hey, did you know Google knows EVERY APP you install on your android phone? And Apple knows EVERY APP you install on your iOS phone, and EVERY APP you install on you Mac through the App store?

Sheesh.
--
My place : »www.schettino.us


markofmayhem
Why not now?
Premium
join:2004-04-08
Pittsburgh, PA
kudos:5
reply to howardfine

said by howardfine:

said by markofmayhem:

There is no evidence that IP's are captured or stored.

Yet the IP can be known and associated with what you install. One of the points of the article. It CAN be done.
quote:
There is no evidence the data is collected/stored insecurely
So Microsoft is being sent the data for what reason? Only to discard it?
quote:
The privacy concern is that the file name and hash is sent to Microsoft in any program you install on Windows 8. That's it.

And that's the whole point. Why are you fighting it?

I'm not fighting the privacy concern, just the cow feces surrounding it with misinformation, naivity, lies, and exaggerations. The IP can be recorded on every external call, if this is of concern, the internet should not be something you use.

What is the intent? The response!

»gist.github.com/3448961

Sent:
<RepLookup v="4">
  <G>7A7E08C8-3FF5-45F2-873D-A84D669DC82F</G>
  <O>DC54AF8F-4219-4BDD-9EFA-DE9C6E10A34C</O>
  <D>10.0.8110.6</D>
  <C>10.00.9200.16384</C>
  <OS>6.2.9200.0.0</OS>
  <I>9.10.9200.16384</I>
  <L>en-US</L>  <RU>aHR0cDovL3d3dy5kcml2ZXNuYXBzaG90LmRlL2VuL2lkb3duLmh0bQ==</RU>
  <RI>0.0.0.0</RI>
  <R>
    <Rq>
      <URL>aHR0cDovL3d3dy5kcml2ZXNuYXBzaG90LmRlL2Rvd25sb2FkL3NuYXBzaG90LmV4ZQ==</URL>
      <O>PRE</O>
      <T>DOWNLOAD</T>
      <HIP>0.0.0.0</HIP>
    </Rq>
  </R>
  <WA/>
</RepLookup>
 

Response:
RepLookupResponse>
  <RepLookupResult>
    <Rs>
      <M>www.drivesnapshot.de/download/snapshot.exe</M>
      <C>UNKN:100:1:1</C>
      <R>1:1</R>
      <L>10080</L>
      <S>0</S>
    </Rs>
  </RepLookupResult>
  <Y>100</Y>
  <T>DC54AF8F-4219-4BDD-9EFA-DE9C6E10A34C</T>
  <E>0</E>
</RepLookupResponse>
 

Knowledge helps determine level of concern. The response is a reputation level to help fight installation of malware/virus. Many would not mind sending the hash and name of the installation file for this response, others would. Without knowing the what, whom, and how of SmartScreen's collection, it is absolutely useless information to make an informed decision to use it or not, as the option exists.
--
Show off that hardware: join Team Discovery and Team Helix


JohnInSJ
Premium
join:2003-09-22
Aptos, CA
reply to howardfine

And the sane followup post:

»www.geek.com/articles/chips/wind···0120824/

And of course this is based on the IE SmartScreen, which has a FAQ and everything

»windows.microsoft.com/en-US/wind···uestions

It's probably safe to remove the tinfoil hat.
--
My place : »www.schettino.us



The Pig
I know you want to be me
Premium
join:2009-09-11
reply to howardfine

I'm sure MS only cares if you do illegal downloads and installing of their software!
Google has your info as well!

Expand your moderator at work


DrModem
Trust Your Doctor
Premium
join:2006-10-19
USA
kudos:1
reply to The Pig

Re: Windows8 tells Microsoft everything you install

If you don't like it, turn it off.

It's for people who are too computer illiterate to determine if what they are installing is safe or not.

_NSAKEY, anyone?



sivran
Opera ex-pat
Premium
join:2003-09-15
Irving, TX
kudos:1

1 recommendation

reply to howardfine

I don't care what SmartScreen sends to Microsoft when it is turned on. But does it do this even if SmartScreen is turned off?
--
Think Outside the Fox.


OZO
Premium
join:2003-01-17
kudos:2

said by sivran:

I don't care what SmartScreen sends to Microsoft when it is turned on. But does it do this even if SmartScreen is turned off?

That's a good question. I remember times (probably a decade ago) when folks have discovered, that they (and therefore anyone) can see their browsing history in IE6 and start asking m$ how to make sure, that computer does not collect it. Response was simple - you don't want to see history - we will not show it to you. And they made collected stuff just hidden from the users ... until some have discovered that and asked - WTF??? Finally m$ did it right and started actually removing history data, when users explicitly asked for it (and not just hiding from their view)... The history tends to repeat itself. Remember that?
--
Keep it simple, it'll become complex by itself...

BitWeasel

join:2012-05-22
reply to howardfine

This feature has "don't make a choice for the user, ASK them whether they want it enabled or disabled during setup" written all over it. I sure hope it works that way or is quickly changed.

Given the push towards app store and cloud computing, it seems likely that the computer would be associated with one or more accounts for which personal information has been provided. The potential to tie name, purchased apps, other installed apps, checked URLs, etc together is certainly there. I hope there will continue to be many security experts and privacy experts examining the SSL traffic and other aspects.



Jerrie

@sbcglobal.net
reply to howardfine

Not true says Microsoft:
»www.theregister.co.uk/2012/08/25···_spying/