Reviews:
 ·AT&T Southwest
| Windows8 tells Microsoft everything you install Including your IP address: »log.nadim.cc/?p=78
1) The big problem is that Windows 8 is configured to immediately tell Microsoft about every app you download and install.
2) This problem can however get even more serious: It may be possible to intercept SmartScreen’s communications to Microsoft and thus learn about every single application downloaded and installed by a target. The Microsoft server is configured to support SSLv2 which is known to be insecure and susceptible to interception.
3) The user is not informed of this while installing and setting up Windows 8 |
|
 JohnInSJPremium
join:2003-09-22
San Jose, CA
 ·PHONE POWER
 ·Comcast
| I'm not quite so sure he didn't click through some settings to get where this is enabled. Microsoft publishes its personal data retention policies already, usually its 6 months max retention on anything that can be identifying
(bing knows your IP address and everything you search for!)
--
My place : »www.schettino.us |
|
 CudniLa Merma - VigiladoPremium,MVM
join:2003-12-20
Someshire
kudos:13 | reply to howardfine
It can be disabled in Action center, for those so inclined. Otherwise I think it is a good feature designed to prevent the malware infiltration. Some AV have something similar that checks, and therefore knows what is and if the installed apps are know as good/bad. But writing a slightly alarmist article brings readers 
Cudni
--
"what we know we know the same, what we don't know, we don't know it differently."
Help yourself so God can help you.
Microsoft MVP, 2006 - 2012/13 |
|
 markofmayhemWhy not now?Premium
join:2004-04-08
Pittsburgh, PA
kudos:5
·Comcast
| reply to howardfine
Privacy like this concerns me. Let us fix some of the factual errors and get the real story out so that those concerned can make clear and wise choices.
said by howardfine:1) The big problem is that Windows 8 is configured to immediately tell Microsoft about every app you download and install. No, it does not. Download away, no one is tracking. When an application begins installation, from any source, not just downloaded applications, the installer's checksum and your current IP address are hashed and uploaded by SmartScreen.
said by howardfine:2) This problem can however get even more serious: It may be possible to intercept SmartScreen’s communications to Microsoft and thus learn about every single application downloaded and installed by a target. The Microsoft server is configured to support SSLv2 which is known to be insecure and susceptible to interception. Man in the middle attacks are possible to intercept ANY data you send, including your bank account. The SmartScreen data is no more or less secure than online banking, it is using HTTPS with CA root. The hashes would still need decrypted and decoded. This is a large concern in non-free countries where state-run internet and freedom hating governments will desperately try to break "the code" to see what applications are being installed. It is of little-to-no concern for the 99.9% of people able to come here and read this and the least of worries for the 0.1% of oppressed internet dwellers who have issues with great firewalls and complete sniffing/knowledge of internet traffic anyway. In other words, no changes happen. Where government was already watching, they already knew...
said by howardfine:3) The user is not informed of this while installing and setting up Windows 8
The user IS informed during EULA acceptance. They are not, however, hand-held to the exact check-box to disable SmartScreen. SmartScreen can be shut off/down and is enabled by default.
--
Show off that hardware: join Team Discovery and Team Helix |
|
Reviews:
·AT&T Southwest
| said by markofmayhem:1) The big problem is that Windows 8 is configured to immediately tell Microsoft about every app you download and install. quote:
No, it does not. Download away, no one is tracking. When an application begins installation, from any source, not just downloaded applications, the installer's checksum and your current IP address are hashed and uploaded by SmartScreen.
But he shows where it is apparent something is being sent to Microsoft.
said by howardfine:2) This problem can however get even more serious: It may be possible to intercept SmartScreen’s communications to Microsoft and thus learn about every single application downloaded and installed by a target. The Microsoft server is configured to support SSLv2 which is known to be insecure and susceptible to interception. quote:
Man in the middle attacks are possible to intercept ANY data you send, including your bank account.
He's stating the form of encryption they are using is insecure, not that data can be intercepted, iirc.
said by howardfine:3) The user is not informed of this while installing and setting up Windows 8
quote:
The user IS informed during EULA acceptance. They are not, however, hand-held to the exact check-box to disable SmartScreen. SmartScreen can be shut off/down and is enabled by default.
And we all read through EULA, don't we? |
|
JohnInSJPremium
join:2003-09-22
San Jose, CA Reviews:
·PHONE POWER
·Comcast
| said by howardfine:And we all read through EULA, don't we?
No, but if we don't it's our fault.
--
My place : »www.schettino.us |
|
markofmayhemWhy not now?Premium
join:2004-04-08
Pittsburgh, PA
kudos:5 Reviews:
·Comcast
1 edit | reply to howardfine
You completely misinterpreted the intention of my post, the factual data you paraphrased as well as the article's intention to hype known HTTPS short-comings should be communicated alongside the privacy concern of data collection and retention without specific authorization.
- General authorization is given through acceptance of the EULA
- The collection and retention of the installer's hash can be turned off
- It affects ALL installations, not just downloads
- It affects ONLY installations, no record of downloads is collected
- The HTTPS protocols used is the same as online-banking, by default Windows uses SSLv3 and TLS 1.0
- The server that the information is sent to responded to an SSLv2 request, it is not using SSLv2 for this transmission, but the server is able to use this protocol if you wish
- Man in the middle attacks are possible, what data transmission isn't?
- Not different from Symantec's "reputation" and similar security suite measures to identify installers that lead to malware/virus.
- Tin-foil hat wearing people already know that every 1 and 0 on the internet is recorded to the person sending/receiving in a detailed, instantly available database. This is no threat either.
- Linux distro's have recorded "download and install" statistics for many years from their repo's with no way to "opt out" and many do not use HTTPS.
- Apple does this too.
Privacy concerns:
- The installer file only is used (research still underway)
- The file name of the installer is recorded (new finding)
- Information is hashed and sent over HTTPS to apprep.smartscreen.microsoft.com
- Data is retained
- This is done without specific action authorization, but instead from general authorization of having agreed to install Windows 8.
- Your IP address may be recorded
More in-depth analysis without the fear mongering here:
»www.withinwindows.com/2012/08/24···n-scare/
--
Show off that hardware: join Team Discovery and Team Helix |
|
Reviews:
·AT&T Southwest
| said by markofmayhem:You completely misinterpreted the intention of my post, the factual data you paraphrased as well as the article's intention to hype known HTTPS short-comings should be communicated alongside the privacy concern of data collection and retention without specific authorization. I believe he does just that in the article I link to. What you link to essentially says "No, Microsoft would never do that." As if Microsoft is to be trusted to do nothing with what they are collecting for some reason.
The point is, what you download/install and your IP are sent to Microsoft and collected/stored insecurely. |
|
 MSengPremium,Ex-Mod 2001-08
join:2000-07-13
Ork
kudos:6 | reply to markofmayhem
Great post. It's always nice to see unprofessional FUD shot down in a professional manner.
--
A)bort, R)etry, I)nfluence with large hammer. |
|
markofmayhemWhy not now?Premium
join:2004-04-08
Pittsburgh, PA
kudos:5 Reviews:
·Comcast
| reply to howardfine
said by howardfine:said by markofmayhem:You completely misinterpreted the intention of my post, the factual data you paraphrased as well as the article's intention to hype known HTTPS short-comings should be communicated alongside the privacy concern of data collection and retention without specific authorization. I believe he does just that in the article I link to. What you link to essentially says "No, Microsoft would never do that." As if Microsoft is to be trusted to do nothing with what they are collecting for some reason. The point is, what you download/install and your IP are sent to Microsoft and collected/stored insecurely. There is no evidence that IP's are captured or stored. The only sent information is file name and SHA256 checksum of the installation file itself.
There is no evidence the data is collected/stored insecurely (Socket Layer's don't protect stores, it is similar to saying that carbon fiber is stronger than iron, so do NOT take your kids to the zoo because the lions will eat them).
The privacy concern is that the file name and hash is sent to Microsoft in any program you install on Windows 8. That's it. The rest is FUD and technical naivety over servers, clients, and how the internet communicates between them; greatly misunderstood by Nadim Kobeissi and those paraphrasing him to further exaggerate.
--
Show off that hardware: join Team Discovery and Team Helix |
|
 Woody79_00I run Linux am I still a PC?Premium
join:2004-07-08
united state | »www.withinwindows.com/2012/08/24···n-scare/
just by taking a quick glance at the file above, These fields stand out to me:
ID 0F98AD9C-D498-42B3-B421-E6C97A8E61E7
GB68802CA-B396-4773-8FD9-EEECA4DE65D9
LZW4tVVM=
OS6.2.9200.0.0
IOS4xMC45MjAwLjE2Mzg0
C10.00.9200.16384
Now a few of those fields look like "hardware hashes" to me. (Incase you don't know, Windows takes hashes of your motherboard, hard drive, etc when installing and activating Windows)
So if those are indeed hardware hashes (i figure they are) then that means Microsoft can identify the hardware of the computer that installed the app which means the computer itself can be identified. This means the owner of the PC can be uniquely identified because they have the ID's of the hardware and can match them to the Windows Activation Database.
Yup i doubt i'll be getting Windows 8 at home, and i will be purchasing a bunch of Windows 7 licenses before Windows 8 releases because i'll just take a pass on this one. If folks want to buy/use this please by all means go for it. I just choose not too. I will wait for Win 9 |
|
|
|
 digitalfuturSees More Than ShownPremium
join:2000-07-15
BurlingtonON
kudos:2 | Even if the owner is "unique", it's no more personal now than it was before; but I know that won't stop you from believing it is, as a reason not to get Windows 8. |
|
markofmayhemWhy not now?Premium
join:2004-04-08
Pittsburgh, PA
kudos:5 Reviews:
·Comcast
| reply to Woody79_00
said by Woody79_00:http://www.withinwindows.com/2012/08/24/thoughts-on-the-windows-smartscreen-scare/
just by taking a quick glance at the file above, These fields stand out to me:
ID 0F98AD9C-D498-42B3-B421-E6C97A8E61E7
GB68802CA-B396-4773-8FD9-EEECA4DE65D9
LZW4tVVM=
OS6.2.9200.0.0
IOS4xMC45MjAwLjE2Mzg0
C10.00.9200.16384
Now a few of those fields look like "hardware hashes" to me. (Incase you don't know, Windows takes hashes of your motherboard, hard drive, etc when installing and activating Windows)
So if those are indeed hardware hashes (i figure they are) then that means Microsoft can identify the hardware of the computer that installed the app which means the computer itself can be identified. This means the owner of the PC can be uniquely identified because they have the ID's of the hardware and can match them to the Windows Activation Database.
Yup i doubt i'll be getting Windows 8 at home, and i will be purchasing a bunch of Windows 7 licenses before Windows 8 releases because i'll just take a pass on this one. If folks want to buy/use this please by all means go for it. I just choose not too. I will wait for Win 9
Using Base64 decoder and common sense: ID and G are public CA keys, way too small for "hardware hashes" L is locale (this decodes to "en-US" for Base64) OS is the OS version I and C are versions of installer and C, D, etc. are secondary versions (I in Base64 decodes to "9.10.9200.16384" » gist.github.com/3448961Here's a request and response. The more information the installer has attached to it, the more is sent in the request. You will notice that "ID" is missing here. The request is to get the response. Notice the "Rep", Y and "Rep level", 100, in the response. Nefarious things may be done with the data sent, but the goal is to get the reputation and malware "index" of the installer, not collect information. Though, we know information will be collected, which brings us back to the privacy concerns. --
Show off that hardware: join Team Discovery and Team Helix |
|
OZOPremium
join:2003-01-17
kudos:2 | reply to markofmayhem
said by markofmayhem:said by howardfine:2) This problem can however get even more serious: It may be possible to intercept SmartScreen’s communications to Microsoft and thus learn about every single application downloaded and installed by a target. The Microsoft server is configured to support SSLv2 which is known to be insecure and susceptible to interception. Man in the middle attacks are possible to intercept ANY data you send, including your bank account. The SmartScreen data is no more or less secure than online banking, it is using HTTPS with CA root. The hashes would still need decrypted and decoded. This is a large concern in non-free countries where state-run internet and freedom hating governments will desperately try to break "the code" to see what applications are being installed. It is of little-to-no concern for the 99.9% of people able to come here and read this and the least of worries for the 0.1% of oppressed internet dwellers who have issues with great firewalls and complete sniffing/knowledge of internet traffic anyway. In other words, no changes happen. Where government was already watching, they already knew... Don't be ridiculous. If they were concern about "freedom hating governments", they would not send all that information, tracking computer usage, in a first place...
I think they better be more concern about their own bottom line, since they start pushing that Windows 8 new design, which seems like a big failure now. Couple of days ago we have discussed how Windows 8 Defender (enabled by default too) silently removes ad.doubleclick.net from hosts file. And now this...  Who is going to buy Windows 8 with all of that???
--
Keep it simple, it'll become complex by itself... |
|
markofmayhemWhy not now?Premium
join:2004-04-08
Pittsburgh, PA
kudos:5 Reviews:
·Comcast
| said by OZO:said by markofmayhem:said by howardfine:2) This problem can however get even more serious: It may be possible to intercept SmartScreen’s communications to Microsoft and thus learn about every single application downloaded and installed by a target. The Microsoft server is configured to support SSLv2 which is known to be insecure and susceptible to interception. Man in the middle attacks are possible to intercept ANY data you send, including your bank account. The SmartScreen data is no more or less secure than online banking, it is using HTTPS with CA root. The hashes would still need decrypted and decoded. This is a large concern in non-free countries where state-run internet and freedom hating governments will desperately try to break "the code" to see what applications are being installed. It is of little-to-no concern for the 99.9% of people able to come here and read this and the least of worries for the 0.1% of oppressed internet dwellers who have issues with great firewalls and complete sniffing/knowledge of internet traffic anyway. In other words, no changes happen. Where government was already watching, they already knew... Don't be ridiculous. If they were concern about "freedom hating governments", they would not send all that information, tracking computer usage, in a first place... Who is not concerned? Microsoft or the people claiming that the server allowing SSLv2 connections is the largest security threat of Windows 8? I am not a Microsoft apologist, I am only calling bullshit on Nadim Kobeissi's lack of knowledge and those propagating exaggerated security threats of an unused, yet supported, socket layer.
Pro tip: add hosts to the excludes list in Defender and your changes will stick.
--
Show off that hardware: join Team Discovery and Team Helix |
|
Reviews:
·AT&T Southwest
| reply to markofmayhem
said by markofmayhem:There is no evidence that IP's are captured or stored. Yet the IP can be known and associated with what you install. One of the points of the article. It CAN be done.
quote:
There is no evidence the data is collected/stored insecurely
So Microsoft is being sent the data for what reason? Only to discard it?
quote:
The privacy concern is that the file name and hash is sent to Microsoft in any program you install on Windows 8. That's it.
And that's the whole point. Why are you fighting it? |
|
JohnInSJPremium
join:2003-09-22
San Jose, CA Reviews:
·PHONE POWER
·Comcast
| said by howardfine: quote:
There is no evidence the data is collected/stored insecurely
So Microsoft is being sent the data for what reason? Only to discard it? The data is being sent to check against a list of known bad software, which is then used to send back a "uh, did you mean to install this spyware" prompt, ONLY if the option is enabled.
If you don't like it, turn off the feature. Problem solved.
Hey, did you know Google knows EVERY APP you install on your android phone? And Apple knows EVERY APP you install on your iOS phone, and EVERY APP you install on you Mac through the App store?
Sheesh.
--
My place : »www.schettino.us |
|
markofmayhemWhy not now?Premium
join:2004-04-08
Pittsburgh, PA
kudos:5 Reviews:
·Comcast
| reply to howardfine
said by howardfine:said by markofmayhem:There is no evidence that IP's are captured or stored. Yet the IP can be known and associated with what you install. One of the points of the article. It CAN be done. quote:
There is no evidence the data is collected/stored insecurely
So Microsoft is being sent the data for what reason? Only to discard it? quote:
The privacy concern is that the file name and hash is sent to Microsoft in any program you install on Windows 8. That's it.
And that's the whole point. Why are you fighting it? I'm not fighting the privacy concern, just the cow feces surrounding it with misinformation, naivity, lies, and exaggerations. The IP can be recorded on every external call, if this is of concern, the internet should not be something you use. What is the intent? The response!» gist.github.com/3448961Sent: <RepLookup v="4">
<G>7A7E08C8-3FF5-45F2-873D-A84D669DC82F</G>
<O>DC54AF8F-4219-4BDD-9EFA-DE9C6E10A34C</O>
<D>10.0.8110.6</D>
<C>10.00.9200.16384</C>
<OS>6.2.9200.0.0</OS>
<I>9.10.9200.16384</I>
<L>en-US</L> <RU>aHR0cDovL3d3dy5kcml2ZXNuYXBzaG90LmRlL2VuL2lkb3duLmh0bQ==</RU>
<RI>0.0.0.0</RI>
<R>
<Rq>
<URL>aHR0cDovL3d3dy5kcml2ZXNuYXBzaG90LmRlL2Rvd25sb2FkL3NuYXBzaG90LmV4ZQ==</URL>
<O>PRE</O>
<T>DOWNLOAD</T>
<HIP>0.0.0.0</HIP>
</Rq>
</R>
<WA/>
</RepLookup>
Response: RepLookupResponse>
<RepLookupResult>
<Rs>
<M>www.drivesnapshot.de/download/snapshot.exe</M>
<C>UNKN:100:1:1</C>
<R>1:1</R>
<L>10080</L>
<S>0</S>
</Rs>
</RepLookupResult>
<Y>100</Y>
<T>DC54AF8F-4219-4BDD-9EFA-DE9C6E10A34C</T>
<E>0</E>
</RepLookupResponse>
Knowledge helps determine level of concern. The response is a reputation level to help fight installation of malware/virus. Many would not mind sending the hash and name of the installation file for this response, others would. Without knowing the what, whom, and how of SmartScreen's collection, it is absolutely useless information to make an informed decision to use it or not, as the option exists. --
Show off that hardware: join Team Discovery and Team Helix |
|
JohnInSJPremium
join:2003-09-22
San Jose, CA Reviews:
·PHONE POWER
·Comcast
| reply to howardfine
And the sane followup post:
»www.geek.com/articles/chips/wind···0120824/
And of course this is based on the IE SmartScreen, which has a FAQ and everything
»windows.microsoft.com/en-US/wind···uestions
It's probably safe to remove the tinfoil hat.
--
My place : »www.schettino.us |
|
 The PigI know you want to be mePremium
join:2009-09-11 | reply to howardfine
I'm sure MS only cares if you do illegal downloads and installing of their software!
Google has your info as well! |
|
