GROKLAW
Microsoft's Calling Home Problem: It's a Matter of Informed Consent
Sunday, June 11 2006 @ 11:18 AM EDT

No doubt many of you saw on Slashdot the article "Microsoft Talks Daily With Your Computer" or Steven J. Vaughan-Nichols' article for eWeek titled "Big Microsoft Brother," about allegations that Microsoft's Windows Genuine Advantage validation tool phones home daily to report information to Microsoft about you on each boot. Lauren Weinstein broke the story on his blog. Microsoft has now put out a statement, asserting that the Windows Genuine Advantage tool is not spyware, that they're going to change it some, and that one thing that distinguishes it from spyware is that they get consent before installing it. I question the accuracy of the statement.

David Berlind did a fabulous job of discovering that in fact the tool has two parts, one of which is new, the Notification part, as you can see in his helpful series of screenshots. First, he explains how the applications actually work. His research indicated to him that Microsoft asks permission for only one of the two, but the wrong one. I think it's muddier even than that, after reading the EULA. Thanks to Berlind's work, I believe I see a legal problem with consent, which I noticed by reading the EULA. I think I also see a problem with the statement Microsoft has issued with regard to what information it collects. And something in the EULA needs to be explained, because it doesn't match Microsoft's statement. Let me explain.

Vaughan-Nichols lists the information Microsoft says it is collecting, which matches the Microsoft statement's list:

Now, when you use Windows Genuine Advantage for the first time, it gathers up, Microsoft tell us, and it will grab your PC's XP product key, PC manufacturer, operating system version, PC BIOS information and user locale setting and language.

Nothing at all, Microsoft assures us, that could identify us or what programs we use, or anything like that. No siree. No chance of that.

Microsoft actually collects more information than that. I have some additional details I found on Microsoft's own website that I thought you'd want to know.

Let's look at what Microsoft currently tells customers about the validation tool and what information it collects:

Information collected during validation

Q: What information is collected from my computer?

A: The genuine validation process will collect information about your system to determine if your Microsoft software is genuine. This process does not collect or send any information that can be used to identify you or contact you. The only information collected in the validation process is:

* Windows product key
* PC manufacturer
* Operating System version
* PID/SID
* BIOS information (make, version, date)
* BIOS MD5 Checksum
* User locale (language setting for displaying Windows)
* System locale (language version of the operating system)
* Office product key (if validating Office)
* Hard drive serial number

Q: How does Microsoft use this information?

A: The information serves three purposes:

* It provides Web page flow, tailoring the pages you see based on your responses.

* It conveys demographics, which help Microsoft to understand regional differences in Windows or Office usage.

* It confirms user input. User input is often compared against data collected from the PC in order to determine whether to grant a user’s request for additional access.

I think we can discount those three items as being the purpose behind taking in our hard drive serial numbers. Microsoft is not checking our hard drive serial numbers to provide web page flow, convey usage demographics, or confirm user input, unless they are also perusing the contents of our hard drives, which they claim they are not. Of course, once they are inside your computer, there's really nothing much stopping them, if they felt like it. So why does Microsoft collect information like that and what are they doing with it? The above statement surely isn't all. They don't need such information about you as your hard drive's serial number, the company that built your computer, what language you use, PID/SID, BIOS information with an MD5 checksum, and where you are located to do any of the three things they say they are doing it for. Obviously, they are checking to know if you are a pirate, and they should say so straightforwardly. But does Microsoft need your hard drive serial number to know if you are a pirate? If you change it, is it any of Microsoft's business? Did they sell you that hard drive? But my point is, it's not mentioned in the EULA at all, so I don't see consent having been given. But it gets worse.

Here's part of what Lauren Weinstein wrote about his discovery in his blog entry on June 5th:

It appears that even on such systems, the MS tool will now attempt to contact Microsoft over the Internet *every time you boot*.... The connections occur even if you do not have Windows "automatic update" enabled.

I do not know what data is being sent to MS or is being received during these connections. I cannot locate any information in the MS descriptions to indicate that the tool would notify MS each time I booted a valid system. I fail to see where Microsoft has a "need to know" for this data after a system's validity has already been established, and there may clearly be organizations with security concerns regarding the communication of boot-time information.

I'll leave it to the spyware experts to make a formal determination as to whether this behavior actually qualifies the tool as spyware.

Shortly thereafter, he was contacted by Microsoft and so he had a chance to ask his questions, and he tells what happened next in his blog entry for June 6:

Why is the new version of the validity tool trying to communicate with MS at every boot? The MS officials tell me that at this time the connections are to provide an emergency "escape" mechanism to allow MS to disable the validation tool if it were to malfunction....

I was told that no information is sent from the PC to MS during these connections in their current modality, though MS does receive IP address and date/timestamp data relating to systems' booting and continued operations, which MS would not necessarily otherwise be receiving.

Apparently these transactions will also occur once a day if systems are kept booted, though MS intends to ramp that frequency back (initially I believe to once every two weeks) with an update in the near future. Further down the line, the connections would be used differently, to provide checks against the current validation revocation list at intervals (e.g., every 90 days) via MS, even if the user never accessed the Windows Update site directly.

Oh, excellent. So they get your IP address too, and date/timestamp data "relating to systems' booting and continued operations". No way to contact customers, eh? No information sent? In what way is this not spyware? I am reminded of what the gentleman from Homeland Security said after the Sony rootkit was revealed: yes, it's your intellectual property; it's not your computer. (video.) Again, there is nothing in the EULA that gets your consent for that information to be collected that I can find.

Microsoft, of course, says it is not spyware, and this is one of their statements explaining their point of view, from Berlind's article:

"Broadly speaking, spyware is deceptive software that is installed on a user’s computer without the user’s consent and has some malicious purpose. WGA is installed with the consent of the user and seeks only to notify the user if a proper license is not in place. WGA is not spyware."

Now, as we've already seen, they didn't clearly notify customers that they were installing something that calls home daily, by their own acknowledgment. Here's what their website says about the ease of the validation process:

Q: Is genuine Windows validation a one-time process?

A: We’ve designed validation to be as easy as possible. Validation itself just takes a moment. The lengthiest part of the process is downloading the ActiveX control that performs validation. The ActiveX control is downloaded on the first validation and when a new version is available from Microsoft. So, while it’s not a one-time process, it is still quick and easy.

Aside from breaking out in hives at the thought of having ActiveX running constantly on my computer, is this a clear description of how often it checks? Does it even indicate? How often does Microsoft release a new version? Daily? Weekly?

Microsoft's statement distinguishes between the two tools:

Q: What information is collected in this check? Is Microsoft collecting Personally Identifiable Information?

A: Other than standard server log information, no information is collected. Unlike validation, which sends system information to Microsoft, this operation is limited to the download of the new settings file. No additional information is sent to Microsoft.

Q: Why were customers not told that their PCs would periodically check in with Microsoft?

A: Microsoft strives to maintain the highest standards in our business conduct and meet our customers' expectations. We concentrated our disclosure on the critical validation step that would occur when validating through WGA. Not specifically including information on the periodic check was an oversight. We believe that being transparent and upfront with our customers is very important and have updated our FAQ accordingly. We have gone to great lengths to document any time a Microsoft product connects with Microsoft servers and will continue to do so. For example, we published a white paper that covers the topic of connecting with Microsoft Servers in Windows XP SP2. It is located at http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/intmgmt/download.mspx

I understand that to be saying that the validation tool collects information about the computer, but the new notification tool does not, that it only checks to see if you should be sent a notice that you are not running validly licensed software. But if you think about it, that is the same as saying that it is checking every day on your validation, so the statement on their website about checking only once and then again when a new system is released isn't matching this information. And remember what they told Weinstein: "MS does receive IP address and date/timestamp data relating to systems' booting and continued operations, which MS would not necessarily otherwise be receiving."

Berlind was the one who noticed that there are actually two tools, and the Validation tool never asks consent before installation. The Notification tool does, but without telling you that what you are downloading will be calling home daily. The notion of informed consent is that you have to know what you are saying yes to, and the party asking for your consent has an obligation to tell you the things you need to know to make an informed decision. A hospital, for example, can't get your consent to try a new, untested drug without telling you that it is new, untested, that you are a guinea pig, and exactly what the risks are and what your choices are. And if you refuse treatment, it can't force you to take the drug. And your doctor can't remove your gall bladder while doing surgery on your appendix, just because he notices a tumor in the gall bladder. Why not? Because that is battery, if he didn't get your prior consent to remove your gall bladder. You might wish to treat the tumor a different way, after all. Motive doesn't matter. There is no, "I was only trying to help" excuse. It's your right to say yes or no, because it's your body and medicine isn't a field where one has sufficient certainty to determine in advance if a certain treatment is or isn't going to work.

What about Microsoft's statement that it isn't spyware because it has no malicious purpose? First, I don't think spyware has to have a malicious purpose to be spyware. That's Microsoft's definition, but spyware companies no doubt would object. And that's also taking Microsoft's word for their good purposes. We don't actually know what they do with the information. There's no way to check. Do they store it? I'm sure they must. And let's face it, "malicious purpose" depends on where you are standing, doesn't it? Did Sony's rootkit have a malicious purpose? Or was its purpose very much like Microsoft's here? The "content industry" has gotten so used to waxing indignant about the harm being done to them by piracy, and getting laws to suit, that they now, evidently, believe that anything they do to reduce or prevent piracy is acceptable. It's not. My computer is mine, not Microsoft's.

But what purpose does Microsoft have? They tell us that their purpose is to notify the user if a proper license is not in place. Why would the user care if they are running a validly licensed copy of the software? Does this have anything at all to do with an "improved" experience for them? I suppose they care because Microsoft holds back updates unless they agree.

But if you look at the screenshots Berlind took, you'll see something else that doesn't seem so straightforward. The notice you get to prompt you to download and install the tools describes it as "updates," not new installations, which would lead a customer to believe that he already has the tool on his computer and just needs to tweak it. The Notification part is labeled "high priority updates", which would lead me to think that I really needed it to be safe. Microsoft says this is what it's for:

The Windows Genuine Advantage Notification tool notifies you if your copy of Windows is not genuine. If your system is found to be non-genuine, the tool will help you obtain a licensed copy of Windows.

Here's the screenshot Berlind took of what you see if you try to update without already having the Windows Genuine Advantage tool in place, although they don't mention it by name at the starting gate, which is devious enough for me right there. [Update: A reader tells me that Berlind missed a tiny Details link, which he says would have provided more information. I have asked him to send me a screenshot.] [Update 2: He has sent me the screenshot,1 and if Berlind had clicked on it, he would have seen the following: "Windows Genuine Advantage Validation Tool (KB892130) 734 KB, less than a minute. The Windows Genuine Advantage Validation Tool enables you to verify that your copy of Microsoft Windows is genuine. The tool validates your Windows installation by checking Windows Product Identification and Product Activation status." So, if he had clicked on that link, he would have known what was about to download, but this also confirms that there is no EULA until after the download. The description of what the tool does is clearly inadequate, in my view, because it doesn't link to the page on the website that tells you they will be harvesting your hard drive number, your machine number, etc., or even duplicate the information here in the details box. Nor does it tell you about any phoning home or how often you will be checked. Instead it says "you" will be enabled to verify that your copy is genuine. It doesn't say Microsoft will be enabled to verify if your copy is genuine, nor is there any information on what will be done with that information.]

If you agree, and who wouldn't, given the description, the next thing you see is your first mention of the Validation tool, but it is already downloading. That isn't consent, let alone informed consent.

It is actually a little more complex, as you can see beginning in the explanation of this screenshot. After you "successfully update" your computer with the Validator tool, if you click Continue, you get your notice of another vital update, the Notification tool. Notice you can't uninstall it, under the terms of the EULA, nor can you "test the software in a live operating environment unless Microsoft permits you to do so under another agreement." You do get a notice, very vague, about consent but only after the Validator tool is already installed, which raises the question of what happens if you say no? Berlind clicked yes all the way through, so I don't know because there is no way in the world I would put my computer through this. Here's part of the language of the "consent":

Consent for Internet-Based Services. The software feature described below connects to Microsoft or service provider computer systems over the Internet. In some cases, you will not receive a separate notice when they connect. You may switch off this feature or not use it.

Now, I have read a lot of contracts in my time, as part of my job, and I have no idea what this is saying. Are they saying I can switch off the daily notification? Or that I don't have to install it in the first place? Or is it talking about the "in some cases" feature whereby I don't get notice? Clearly folks have not been getting notices of the daily contact with Microsoft's servers, so what "services" is Microsoft talking about?

Does the user need to know its license is valid every single day? What is Microsoft expecting to happen in 24 hours, after it first checks that a license is in place and valid? And why does Microsoft need to check every day? Obviously, they don't, because they've said they intend to cut back to every 14 days, and then, oddly, they say that once the beta test is over -- and that's another issue, Microsoft installing beta software for you to test for them without making it clear until it is already downloading that it is "Beta PreRelease" software (see the last Berlind screenshot) -- they will end the daily phoning home, according to InformationWeek:

The company plans to change the settings of the application in its next release, so that it dials in to Microsoft every two weeks, the spokeswoman said. The call-in feature would be disabled permanently when the program is generally available worldwide later this year.

That actually worries me even more. Why do they need it now but they won't once the software is available worldwide? Have they got something even more effective coming next? Perhaps they will say it's because once it isn't beta, then they won't need to maybe turn it off. All right. But surely they don't intend to stop validating, and that's the tool that sends Microsoft all the personal information about you, so I find their statement misleading, in that it talks about the notification component, which doesn't, they claim, send any info about you to them, rather than the validation part, which certainly does. People aren't just disturbed about the tool calling home; they are concerned about what the conversation includes.

That brings me to the problem I see in the EULA. Before I explain, some of you might like to know how to get rid of it. Here is what Rob Pegoraro in the Washington Post says:

Notifications also looks for new instructions from Microsoft every day. The company says these daily checks (which it plans to slow to once every 14 days) let it adjust the program's behavior if problems arise. That raises an alarming point: Notifications is pre-release software, tested without users' consent.

Worse yet, Notifications -- unlike other Microsoft updates -- cannot be uninstalled. (You can, however, erase it by restoring your PC back to its condition before Notifications' install: From the Start Menu, select All Programs, then Accessories, then System Tools, then System Restore.)

Microsoft is out of line here. The Notifications program is not the kind of critical update that should be installed automatically, much less excluded from uninstallation. And if people respond to this intrusive behavior by turning off automatic updates -- thus severing their PCs from the Microsoft patches they do need -- the already-bad state of Windows security can only get worse.

Actually it already is worse, because even if you turn off automatic updates, the notification tool continues to run. So, what about the EULA? Let's take a look at it. First, as Berlind so ably demonstrates, you are asked to consent to the notification tool, but not to the validation tool, which is the part that, according to Microsoft's statement, is the tool that sends them information about you and your computer. That's a hole in the consent process right there, according to Berlind's research. That's the same as saying that you never gave consent for your information to be sent, or only after the fact. You are presented with this EULA only when you are considering whether to install the Notification tool. But it's more complicated, because the EULA you are presented with -- and remember that the notification tool only recently was offered, as of April 24, according to Microsoft's statement -- describes the validation tool's actions, at least according to what Microsoft is telling us. My question is, what was the EULA like before? When did you first see it? And my next question is, if you say no to the EULA, and you don't install the Notification tool, have you ever said yes to the Validation tool? On what terms? Here's Microsoft's description of the two, from the statement:

The WGA program consists of two major components, WGA Validation and WGA Notifications. Validation determines whether the copy of Windows XP installed on a PC is genuine and licensed. WGA Notifications reminds users who fail validation that they are not running genuine Windows and directs them to resources to learn more about the benefits of using genuine Windows software.

They ask for your consent regarding the notification installation only, but it seems as if the EULA is intended to cover both tools, in which case they only ask for consent after the Validation tool is already installed. Here's what Microsoft says the Notification tool does:

Recent public discussions about WGA Notifications have raised questions about its operation. Shortly after logon, WGA Notifications checks whether a newer settings file is available and downloads the file if one is found. The settings file provides Microsoft with the ability to update how often reminders are displayed and to disable the program if necessary during the test period. This functionality enables Microsoft to respond quickly to feedback to improve the customer's experience. Unlike validation, which sends system information to Microsoft, this operation is limited to the download of the new settings file. No additional information is sent to Microsoft. There have been some questions on this issue, and Microsoft is working to more effectively communicate details of this feature to the public.

Just telling the truth would work. I think it's obvious no customer wants this software, Microsoft knows that, and so they tried to finesse it so as to get customers to agree to install it. And now they've been caught, just like Sony. Do you remember the time lag after that story broke, before Microsoft would say anything condemnatory? Now we probably know why.

Berlind notices issues remaining after Microsoft's statement. I would only add the following about the EULA: it isn't just a matter of timing, of when you get asked for consent. It's a matter of what you are asked to consent to. From the EULA:

This software is a pre-release version of the software intended to update the technological measures in Windows XP which are designed to prevent unlicensed use of Windows XP.

By using the software, you accept these terms. If you do not accept them, do not use the software. As described below, using some features also operates as your consent to the transmission of certain standard computer information for Internet-based services.

So far, so good. They are letting you know that there will be some transmission of information about your computer sent to Microsoft. They don't however tell you precisely what they mean by "certain standard computer information." They describe the process as being done in connection with services, which implies you are getting something out of it, but you actually are getting nag screens, which by no stretch of my imagination is a service I would ask for. Additionally, this EULA first appears when you are being asked to download the Notification tool. You already have the Validation tool on your computer without any EULA or request for consent, and according to Microsoft, the Notification tool doesn't send any information about you to them. So this part of the EULA must be about the Validation component, unless they haven't been truthful about what the Notification tool does.

Let's continue:

When you install the software on your premises, it will check to make sure you have a genuine and validly licensed copy of Microsoft Windows XP (“Windows XP”) installed. If you have a genuine copy of Windows XP, you receive special benefits, which are listed on the following link: http://go.microsoft.com/fwlink/?linkid=39157.

· If the software detects you are not running a genuine copy of Windows XP, the operation of your computer will not be affected in any way. However, you will receive a notification and periodic reminders to install a genuine licensed copy of Windows XP. Automatic Updates will be limited to receiving only critical security updates.

· You will not be able to uninstall the software but you can suppress the reminders through the software icon in the system tray.

The first part of this seems to be talking about the Validation tool, because it talks about checking to make sure you have a valid copy of the software, unless the Notification component does that too. But the end part, about not being able to uninstall it, which part is that talking about? Can you not uninstall either? Or was the Validation tool you already downloaded also impossible to uninstall? If so, then you have installed software that you can't uninstall that does God knows what without being given an opportunity to say yes or no.

Next comes the Privacy clause2:

PRIVACY NOTICE: The validation process of the software does not identify you and is used only for the purpose of reporting to you whether or not you have a genuine copy of Windows XP. The software does not collect or send any personal information to Microsoft about you. The sole purpose of the software is to inform you whether or not you have installed a genuine copy of Windows XP. However, Microsoft may collect and publish aggregated data about the use of the software.

Now, this is the part I find misleading. Here they say that the validation process doesn't collect anything about you or send it to Microsoft. But in fact, they have already told us in their statements and on their website that in fact the Validation tool does both. Remember the hard drive and the IP address? So this part of the EULA appears to be talking about the Notification tool, but it calls it "the validation process" which means either that the Notification tool has in fact a validation aspect also, or it means that Microsoft never asked you for your consent to send that information to them, because this says they don't do so in the validation process and the software is only for the purpose of notifying you. If this EULA purports to be for both tools, it is inadequate and inaccurate. The validation process does collect information about you and it sends it to Microsoft, and they need to tell us that and get our consent.

So. Where's the information about the Validation tool, which does collect information about us and does send it to Microsoft? I think it's this part:

3. INTERNET-BASED SERVICES. Microsoft provides Internet-based services with the software. It may change or cancel them at any time.

a. Consent for Internet-Based Services. The software feature described below connects to Microsoft or service provider computer systems over the Internet. In some cases, you will not receive a separate notice when they connect. You may switch off this feature or not use it. For more information about this feature, see http://go.microsoft.com/fwlink/?LinkId=56310. By using this feature, you consent to the transmission of this information. Microsoft does not use the information to identify or contact you.

i. Computer Information. The software uses Internet protocols, which sends to Microsoft computer information, such as your Windows XP product key, PC manufacturer, operating system version, Windows XP product ID, PC BIOS information, user locale setting, and language version of Windows XP.

ii. Use of Information. We may use the computer information to improve our software and services. We may also share it with others, such as hardware and software vendors. They may use the information to improve how their products run with Microsoft software.

In reality, the information we have indicates that you can't turn off this feature. What feature is it you can turn off? Paragraph a is talking about connecting to Microsoft's servers. You can't turn that off, can you? This is so unclear that I consider it no notice at all. What is it that you are agreeing to? It doesn't tell you how often you will be connecting or all of the information that it turns out is sent. Microsoft, for example, in the EULA never mentions your hard drive's serial number or your IP address, unless that is what they mean by standard computer information, in which case they need to explain how very personal and identifying it actually is. If that isn't personal, what is?

And in what way is the customer "using" the software or getting a service? Don't forget that by this point, you already have the Validation tool on your computer and there is a question as to whether you can uninstall it. The EULA purports to cover both tools, as far as I can make out, without ever fully telling you precisely what it is actually doing. There is no notice of daily calling home on each boot, for example. Next, Microsoft's EULA lets you know it is beta, but which tool are they talking about? Let's assume both:

4. PRE-RELEASE SOFTWARE. This software is a pre-release version. It may not work the way a final version of the software will. We may change it for the final, commercial version. We also may not release a commercial version.

Now, it's on your computer, halfway already, and apparently you can't uninstall it, so if Microsoft changes it for a final commercial version, what happens to you? Do you then have to pay for it? Do you get any choice? Speaking of which, let's look at clause 6:

6. Scope of License. The software is licensed, not sold. This agreement only gives you some rights to use the software. Microsoft reserves all other rights. Unless applicable law gives you more rights despite this limitation, you may use the software only as expressly permitted in this agreement. In doing so, you must comply with any technical limitations in the software that only allow you to use it in certain ways. You may not

· disclose the results of any benchmark tests of the software to any third party without Microsoft’s prior written approval;

· work around any technical limitations in the software;

· reverse engineer, decompile or disassemble the software, except and only to the extent that applicable law expressly permits, despite this limitation;

· make more copies of the software than specified in this agreement or allowed by applicable law, despite this limitation;

· publish the software for others to copy;

· rent, lease or lend the software;

· transfer the software or this agreement to any third party; or

· use the software for commercial software hosting services.

You have been given a vision of the future, where software will be a service, and all you get is a license to use it the way they allow you to use it. How do you like Microsoft's Brave New World?

Surely they will find a way to check that you are complying with all the above, so I think it's clear that if you stay with Microsoft products, you have to agree to share your computer with them, that your privacy will be in their hands, and that they can control your computer without your say so. And they won't necessarily tell you clearly what they are doing, judging by this incident, or perhaps there will be no notice at all, as mentioned in the EULA. It's not about you buying a product and using it any way you wish. They let you use their software only within strict limitations they set which by the way do not conform to your rights under Copyright Law. This is a license, a kind of contract, whereby you waive rights you would otherwise have in order to use their software. And you are presented with a EULA at least one paralegal can't even understand, too late to say no in a meaningful way.

Is that your only choice? This unintentionally funny article "Windows anti-piracy program causes shock for doing its job," says Microsoft has been "pretty upfront about the WGA program," and if we don't like it, we should switch to Linux. That's a very good idea. You could use GPL software instead. It doesn't care how you use it. Share it, lend it, rent it, install it on as many computers as you wish, write about it, test it, transfer it to a third party, work around any technical limitations of the software, improve it, personalize it to make it do what you want it to do, and use it for commercial services. Do all of the above and you still haven't violated the software license, and by the way, the software is yours. You own it. No one has a need or even a right to check to see if you are using it properly or if you have the right license or if you swapped in a new hard drive or where you live or what your IP address is. Think about it. And then ask yourself, which do I prefer?

The world is at a crossroads, where for the first time there really is a choice. You don't have to accept Microsoft's demeaning and insulting EULA terms. If you are a business, do you want Microsoft having free access to your computer? If you are a government? I'm just an individual, and I don't.

If you wish to remove the Windows Genuine Advantage tools, and I expect most of you do, why not go the whole hog and remove the entire software package, replace it with GNU/Linux, and find out what it feels like to be treated with respect and to breathe free?

Update: There was a class action lawsuit over this, Johnson et al v. Microsoft, but in my view they sued over the wrong thing, breach of the EULA. The EULA was carefully enough crafted that it was ambiguous, as both parties agreed, so they lost. Here's the order [PDF]. Later, they were given the right to amend the complaint [PDF], but not in a way that would have really helped them, because the judge wouldn't let them sue for fraudulent misrepresentation, negligent misrepresentation, and fraudulent concealment, which is what I think they should have sued for in the beginning. Had they done so, who knows what the outcome would have been? But as it was, they didn't and then they couldn't, and so Microsoft prevailed, and in a way that enabled them to do all of the above without fear of consequences. And then the parties settled by stipulation [PDF], on terms unknown, wiping out the appeal as well as the cause of action on any amended complaint.


1 This is the screenshot of what Berlind would have seen if he had clicked on the Details link:

2 The same individual has now sent me another screenshot, but I'll just provide the text, so our servers don't get overloaded. It's the information Windows provides in the ironically named privacy statement regarding Windows Updates, and I believe if you are a techie, you will be hyperventilating at the implications to your privacy:

Windows Update privacy statement
Last updated May 16, 2005
Microsoft is committed to protecting your privacy.

What data is collected – and why?
Windows Update collects general system information from your computer with each visit, so that you receive the updates that work best with your computer. The information is also used to generate aggregate statistics about how the Windows Update web site is used and which systems need support, so that we can improve our service. This information includes:

Computer make and model
Version information for the operating system, browser, and any other Microsoft software for which updates might be available
Plug and Play ID numbers of hardware devices
Region and language setting
Globally Unique Identifier (GUID)
Product ID and Product Key
BIOS name, revision number, and revision date

Your Internet Protocol (IP) address is logged when you connect to the Windows Update site, but this address will only be used to generate aggregate statistics.

How is this data used?
Windows Update collects the Product ID and Product Key to confirm that you are running a validly licensed copy of Windows. The Product ID and Product Key collected are not retained after you are finished using Windows Update, unless the Product ID is not valid.

To generate accurate statistics, Windows Update evaluates a Globally Unique Identifier (GUID) that is stored on your computer to uniquely identify it. The GUID does not contain any information that can be used to identify you. A GUID is assigned and tracked in the following cases:

To provide customers with the best possible service, Windows Update tracks and records the number of individual computers that visit the site and whether the download and installation of specific updates succeeded or failed. Windows Update records the GUID of the computer that attempted the download, the ID of the item that was requested, whether updates were required, and the configuration information listed above.

Windows Update logs an additional GUID if you provide responses about whether help and troubleshooting articles were useful in resolving your problem. This allows Windows Update to provide you with increasingly helpful and relevant information.

Microsoft collects information about the pages our customers visit within microsoft.com, including Windows Update. This information might include: your IP address, browser type, operating system, domain name, the time at which you accessed the site, and referring web site addresses. This site visitation data is identified only by a unique ID number used solely for this purpose.

About surveys
Occasionally you might be invited to participate in a survey about the way you use the Windows Update web site. Each survey includes a privacy statement that details the terms and use of any information submitted with that survey.

View sample data
If you have additional concerns about the data being evaluated to determine which updates apply to your machine, you can view a sample of the information Microsoft will collect from your computer. Note the data provided is sample data only—individual results may vary based on your specific machine configuration.


  


Microsoft's Calling Home Problem: It's a Matter of Informed Consent | 496 comments
Corrections here
Authored by: MathFox on Sunday, June 11 2006 @ 11:33 AM EDT
All typos in one place for Pamela.

---
If an axiomatic system can be proven to be consistent and complete from within
itself, then it is inconsistent.

[ Reply to This | # ]

Off Topic Posts Here...
Authored by: the_flatlander on Sunday, June 11 2006 @ 11:49 AM EDT
If you please. And make your links clickable, if you got 'em.

The Flatlander

[ Reply to This | # ]

Just run Linux.
Authored by: Anonymous on Sunday, June 11 2006 @ 11:51 AM EDT
Mandriva is good.

[ Reply to This | # ]

Microsoft's Calling Home Problem: It's a Matter of Informed Consent
Authored by: dkpatrick on Sunday, June 11 2006 @ 11:58 AM EDT
Perhaps stating the obvious, Microsoft is unwilling to adapt to the current
world. They view pirated software as lost revenue and will make it as painful as
they can for the general population to do the "right thing".

Microsoft refuses to see pirated software as a reaction to their horrendous
pricing scheme. Remember the good old days of $99 video tape releases? Now, with
prices way down, the right decision is to buy the high quality original tape
rather than get an illegal, fuzzy, copy.

Look at iTunes to see how cheap music affects the bottom line. It's very very
profitable for everyone.

Ultimately it's clear that Microsoft, in their arrogance, view their operating
system on your computer as "their system" and they claim the right to
load spyware into your system with the spurious statement that it is "for
your benefit".

I remember the time I bought a pair of shoes and the clerk wanted to see my
drivers license to verify the credit card. Why? "It's for your
protection".

As an aside, yesterday we sold what remains of our Microsoft stock (got it way
long ago). Besides performing poorly with a dubious future, they've locked up
their extra cash in 'development' instead of increasing the dividend. Finally,
my wife and I agree that Microsoft is an unethical company, willing to continue
monopolistic practices because litigation is cheaper than "doing the right
thing".

---
"Keep your friends close but your enemies closer!" -- Sun Tzu

[ Reply to This | # ]

License, a kind of contract
Authored by: nyk on Sunday, June 11 2006 @ 12:00 PM EDT

Before any crazy people start saying that the GPL is a licence, and therefore a
kind of contract, I hasten to add that it is not a contract.

Licenses can be created by contract, but they don't have to be. Licenses can be
"bare" licences, meaning a non-contractual permission to use
something.

The key point in a licence is that you don't have a proprietary interest in the
thing you are licensing. This is true of both the GPL and M$oft. In each case,
the authors own the copyright, and licence the software to you. The difference
is that M$oft has to use a contractual licence to obtain your agreement to
restrict your rights, or you are not allowed to obtain a copy of their software.
But in the case of the GPL, no contract is necessary because the GPL is a
permissive licence, and it actually grants you more rights than you would have
under Copyright law.

[ Reply to This | # ]

Fix your router
Authored by: Anonymous on Sunday, June 11 2006 @ 12:00 PM EDT
Why not just disable internet access when you are running windows? I dual boot
for some of the games. My gaming certainly does not need to ever hit the
internet. I disable all internet traffic, both ways, when I boot windows. That
should solve the problem.

-- Alma

[ Reply to This | # ]

It's malicious and it's spyware, by Microsoft's definition
Authored by: Anonymous on Sunday, June 11 2006 @ 12:09 PM EDT

According to Microsoft "Broadly speaking, spyware is deceptive software that is installed on a user’s computer without the user’s consent and has some malicious purpose."

PJ has dealt with "informed consent".

Now, this software steals resources from my computer to accomplish some Microsoft purpose. Stealing resources sounds malicious to me. I paid for every operation that my computer performs, so Microsoft is a thief for using them without my consent. What is the difference between somebody taking my car to joyride, and Microsoft using my computer without my consent? There's a difference of degree, sure, but they're no different in kind.

[ Reply to This | # ]

Microsoft's Calling Home Problem: It's a Matter of Informed Consent
Authored by: Anonymous on Sunday, June 11 2006 @ 12:16 PM EDT
I for one didn't agree that it phones home, I was coerced to install it because
I wouldn't get security fixes otherwise. Still I didn't know it would phone
home...
I guess the only way to fix this is to start with the cable unplugged.

[ Reply to This | # ]

Definition of "update"
Authored by: sk43 on Sunday, June 11 2006 @ 12:19 PM EDT
Microsoft has an entire web page devoted to Microsoft's Security Glossary. There are many types of updates: critical, security, software, etc. The definition of a "high priority update" is given as:
high priority update
A classification used on the Windows Update Web site and by the Windows Update Service to recommend Microsoft software updates and drivers that help protect against the latest publicly known security threats and reliability issues. All software updates and drivers that can be installed by turning on Automatic Updates on your computer are classified as high priority. These can also be installed by visiting the Windows Update Web site.
A "software update" is defined as:
Software Update
Any update, update rollup, service pack, feature pack, critical update, security update, or hotfix that is used to improve or to fix a software product that is released by Microsoft Corporation.
The only relevant category of "software updates" that might apply to WGA is a "feature pack", which is defined on this web page:
Feature Pack

Definition: A feature pack is new product functionality that is first distributed outside the context of a product release and that is typically included in the next full product release.

So, according to Microsoft, WGA provides new product functionality that helps protect against the latest publicly known security threats and reliability issues.

[ Reply to This | # ]

Microsoft "forcing" us to run beta software
Authored by: Anonymous on Sunday, June 11 2006 @ 12:24 PM EDT
If you want patches, you must install this tool. If you don't install the
patches, your PC is vulnerable to all the exploits (the reason you want the
patches).
So it seems that Microsoft is giving you a choice between unsecure computing, or
unreliable computing. The third choice is to not use their OS.
I think they're making it really easy for lots of people to decide to switch to
something else.

[ Reply to This | # ]

Microsoft's Calling Home Problem: It's a Matter of Informed Consent
Authored by: Anonymous on Sunday, June 11 2006 @ 12:27 PM EDT
I run XP because my major software package only runs on it. The next release (I
hope within the next year) will support OS X and Linux - then I'll be M$ free
and happy. In the meantime, I keep getting a notice informing me that an
Automatic Update is available (Windoze "found 1 update. This update requires
that you first accept an End User License Agreement." "Express Install
(Recommended)" is checked). I keep declining their invitation - I don't want to
have any dealings with M$, period. Two questions: 1) Is this the update
described in this article? 2) How do I check to see if the GWA (WGA - whatever
it is) is already installed? I will gladly reset if necessary - but don't know
if it is necessary. Thank you, in advance, for any information on these
questions.

[ Reply to This | # ]

Fundamental Problem: EULAs as "Informed Consent"
Authored by: Anonymous on Sunday, June 11 2006 @ 12:43 PM EDT
I think the fundamental problem is really the fact that EULAs should not be
considered valid contracts in the first place. They were not recognized for a
long time, until a few damaging court cases (like ProCD) set bad precedent,
opening the door for so-called "consent" by EULA. So even if
Microsoft's EULA had accurately and completely described the operation of the
WGA "tool", I believe the entire process is still morally wrong.

There is no true "negotiation" process with a EULA. There might be an
implied one, that is, "take it or leave it", but "contracts"
created by this sort of situation are invariably one-sided and not truly in
spirit with "freedom to contract". For other situations in life where
one party has significantly greater power than the weaker, laws have been made
to protect the rights and interests of the weaker party. (For example,
employment contracts and rental contracts.) But there is nothing in the
software industry, leaving users to the whim of one-sided contracts.

Is the EULA a legal and moral escape clause that allows software to violate any
rights a user might have, in the name of alleged "informed consent"?

I believe that significant changes are warranted before we, as a society, even
consider the validity of EULAs.

[ Reply to This | # ]

People aren't just disturbed about the tool calling home; they are concerned about what the conv
Authored by: Anonymous on Sunday, June 11 2006 @ 12:48 PM EDT
Re: People aren't just disturbed about the tool calling home; they are concerned
about what the conversation includes.

What about those backdoors that were found that were intentionally there (that
GRC, was all upset about) in Windows that were there by design regarding some
image related handling issues?

What about if Microsoft is hacked or has an employee go bad... don't they all
get Administrator privileges at Microsoft for all employees... well, what if
this access to the data and the tool gets into the wrong hands... and/or someone
develops a way to use the same tool on a user's Microsoft computer to then have
the user's Microsoft computer call HOME TO SOMEONE ELSE BESIDES MICROSOFT and
because this will bypass all security settings to get out to Microsoft will also
bypass all security as well to get to whoever hijacks this Microsoft auditing
tool with the call home feature set.

I call it breaking in. This is a huge security problem.

[ Reply to This | # ]

Microsoft's Calling Home Problem: IBM and Novell attorneys take notice
Authored by: Anonymous on Sunday, June 11 2006 @ 12:51 PM EDT
Given that, with the exception of some early luck, Bill Gates has not, and
probably cannot, competed fairly; I hope that the IBM and Novell attorneys are
not running Windoze products. I know that PJ tells us most attorneys use
WordPerfect, the underlying OS probably is Windoze. I don't consider myself a
conspiracy theorist or part of the tin-hat crowd, however; given the stakes, it
is not beyond my belief that this whole 'update' thing is a way to gain access
to IBM and Novell information relating to SCO's sloooowly dying law suit and a
way to breathe some new life into the putrefying case.

[ Reply to This | # ]

Inconsistent Terminology?
Authored by: glimes on Sunday, June 11 2006 @ 12:57 PM EDT
By way of prolog -- hidden amongst the Linux boxes, I have
a couple of Windows partitions. One of these is Sacrificial
in that it does everything the Microsoft way, with automatic
updates and everything.

This morning, I was presented with what seemed to be a very
pushy update from Microsoft, presented as a Critical Update
that I REALLY MUST INSTALL. Very Important!

The package also characterized itself as "pre-release".

Now, where I come from, "pre-release" is a copy of a package
that is not yet really released, and is provided as a
service to folks willing to take a chance on stuff that has
not yet been tested.

At no time is "pre-release" software generally pushed out
as a "must install" -- shoot, if they really want everyone
to install THIS VERSION of the software, it's not PRE,
it's the real push.

This may be the time that I wipe my Windows partitions and
rebuild them from recovery disks, then let them be simple
frozen-in-time XP SP1 (or maybe SP2) images. Microsoft is
going too far even for my cloistered machines.


---
Greg "Celebrating (nearly) 50 years of FORTRAN" Limes

[ Reply to This | # ]

On upgrading your system...
Authored by: dnl on Sunday, June 11 2006 @ 12:59 PM EDT
The only information collected in the validation process is:
   * Windows product key
   * PC manufacturer
   * Operating System version
   * PID/SID
   * BIOS information (make, version, date)
   * BIOS MD5 Checksum
   * User locale (language setting for displaying Windows)
   * System locale (language version of the operating system)
   * Office product key (if validating Office)
   * Hard drive serial number

So, replacing your CPU or disk, or upgrading your BIOS will trigger some manner of the system has changed event. MS would have to go out of their way to distinguish platform upgrades from platform replacements. How hard are they going to work on getting this right?

[ Reply to This | # ]

Microsoft's Calling Home Problem: It's a Matter of Informed Consent
Authored by: Tufty on Sunday, June 11 2006 @ 01:03 PM EDT
I have recently had the wonderful experience of dealing with WGA (come on, we
need a backronym for this). I wanted to try one of the CVS tools (I can't
remember which) but found I had to update the Microsoft installer. The update is
redistributable but I had to use WGA to get it. No way IE and plugins were not a
favorite either. The alternative was to run an .exe to generate a code. I had
some concerns, not because I had anything but a genuine copy, but rather that
Microsoft might buck at my using a UK version in Mexico and in English not
Spanish (see how paranoid this makes you). All went well and I managed the
update and installed the program.

Note to FOSS builders - please don't do installs this way on Windows and avoid
stuffing the registry.

I ran into the beast again the other day, installing a new video card. I needed
to install W2k SP4 plus its update plus .NET framework. The SP was no trouble
and the updates seem to fix the broken programs that I had the last time I tried
SP4 that caused me to completely re-install my machine. The .NET needed WGA!

The feeling I had was of standing in front of a raised desk trying to prove I
was legitimate to a 300lb 6 foot 6 gorilla sitting behind it especially after
having 'proved myself' just a couple of weeks before. Is this really how
Microsoft wants to be seen by its customers? I really don't want to have to go
through this again, it felt so unclean. Yes, I know the answer is a switch to
Linux and I am working towards that, can't get beep out of my new mobo for the
Linux machine - yet!

Oh, I disabled updates on the XP machines I herd and now I am convinced to
never, ever let it raise its ugly head.


---
There has to be a rabbit down this rabbit hole somewhere!
Now I want its hide.

[ Reply to This | # ]

Hard drive serial number - virtual drives
Authored by: Anonymous on Sunday, June 11 2006 @ 01:19 PM EDT
I need to run WIN/XP for some software that,
unfortunately, is not available with Linux. Rather than
dual booting, I installed XP under VMware Player
(available at no cost). XP runs in a virtual hardware
machine as a window under Linux. The XP file system is a
"virtual drive" that occupies a portion of my Linux file
system. Apparently, the hard drive serial number is
reported as a standard VMware drive ID
(3030303030303030303), and does not change, even if the XP
file system is copied to a different hard drive on my
computer - thus rendering the information almost
useless/harmless.

The existence of MS spyware is still a problem. However,
in addition to complaining, you might also render the
reporting software useless to Microsoft.

[ Reply to This | # ]

Spying machines - XP vs Vista
Authored by: SpaceLifeForm on Sunday, June 11 2006 @ 01:19 PM EDT
It should be clear to most at this point as to what the hidden agenda of Microsoft is, and how it will be unavoidable later.

Since Vista is again late, it appears that Microsoft will be backporting these 'features' from Vista to XP. This is a good thing, as XP is an un-trusted spying machine (from the MS point of view), and it allows additional investigation into these shady practices.

Once MS has the bugs worked out, this spying functionality will be sealed in tightly to Vista, and the end-user will have no idea what data the machine is sending to Microsoft.

Furthermore, since Vista is a trusted spying machine (from MS point of view), and importantly, because of encryption, it will be very difficult to determine what is being sent to Microsoft.

And because of the encryption, and DMCA, even if you could prove that Microsoft is spying on you (by breaking the encryption on captured ip packets), you would have a difficult time in court because you had to violate DMCA to get your proof.

So, avoid the spying, avoid the hassle, avoid Microsoft.

And, especially, never, ever use Vista.

---

You are being MICROattacked, from various angles, in a SOFT manner.

[ Reply to This | # ]

Gates and the law school
Authored by: freeio on Sunday, June 11 2006 @ 01:21 PM EDT
This is entirely consistent with the trends in corporate behavior with respect
to software and the law. The law has been bent to make it possible for a
so-called EULA to be forced upon computer users, and that the original agreement
(if any) ends up being replaced by the latest verbiage crafted to create a
one-sided contract which entirely favors the software vendor, at the total
expense of the users. What is wrong here is that any computer, as an appliance,
requires a EULA at all. The user buys a computer, and upon first use is
required, as a condition that the computer be operational whatsoever, to agree
to an infinite series of progressively more draconian "agreements"
with a software vendor who is a third party to the original purchase of the
computer. This is wrong. It is, however, perfectly normal in today's
environment.

Two years ago, our daughter received her Ph.D. from the University of
Washington. We of course visited her to see the big event, and she gave us the
full tour of the campus. What I thought more interesting than anything else
about the campus was that Microsoft/Bill Gates had donated a very modern
facility for one of the campus schools, and that it was not at all related to
computer science, engineering, or anything related. It is William H. Gates
Hall, the home of the law school. This tells me more about what is important to
Mr. Gates than anything else I have ever read about the man. It would appear
that he has realized that he needs to be in a position to influence the practice
of law in order to achieve his ends, and that such an interest is more important
than any technology involved in what he sells/leases/provides/pushes.

There is an excellent picture of William H. Gates Hall in this wikipedia
article:

http://en.wikipedia.org/wiki/University_of_Washington

My response is to forsake all Microsoft products, and to shift entirely to free
software. Software which constrains my freedom with ever-changing EULAs is
worse than useless: it is evil. I see no reason to participate in such an
enterprise. So this workstation is running SuSE 9.3 linux, the router/firewall
is running IPCop 1.4.10 Linux, and the servers are running OpenBSD 3.9. None of
it requires a EULA, none of it phones home, and all of it is completely stable -
I have not had a BSOD since I left Microsoft. I can do without Microsoft, and
have chosen to do so.

---
Tux et bona et fortuna est.

[ Reply to This | # ]

The DHS press conference
Authored by: fotoguzzi on Sunday, June 11 2006 @ 01:24 PM EDT
Did DHS assistant secretary for policy Baker mean to say, "It's your
computer, but it's not your intellectual property?" Saying it that way
might give a rationale for effective "IPR protection," though how a
computer full of hidden files can still be considered _your_ computer and how,
further, this is related to a hypothetical Avian flu outbreak is another matter

[ Reply to This | # ]

Microsoft's Calling Home Problem: It's a Matter of Informed Consent
Authored by: Aim Here on Sunday, June 11 2006 @ 01:26 PM EDT
What with the phone home schemes and the WGA program and the DRM for media
player files and Vista's DRM for High-def video and the serial code check and
the post-install license key verification and the post-hardware upgrade license
key verification, Microsoft has built an incredible amount of infrastructure
into its Windows products into making sure that they just don't work except in
very particular circumstances dictated by someone you've never met, somewhere in
Washington State.

The developers of free software spend their time making their software work, not
trying to make it break.

Who do you think will produce the better software, in the end?

[ Reply to This | # ]

COMING SOON TO A COMPUTER NEAR YOU...
Authored by: Anonymous on Sunday, June 11 2006 @ 01:32 PM EDT
Exploit that allows a hacker access to your machine via "Genuine
Advantage" ping mechanism.

[ Reply to This | # ]

Software Firewall and this Licensing
Authored by: rharvey46 on Sunday, June 11 2006 @ 01:50 PM EDT
I already have the WGA software installed on my (hardly ever used) Windows XP
instance - normally, I run Linux.
After reading the eweek article, I decided to disallow the WGATray.exe from
being able to connect to the local and internet zone within ZoneAlarm. I realize
that Microsoft already got its information (since the software had connected
previously).
I am curious about a few items.
Based on the EULA/Licensing, was I permitted to disable the software from
connecting to Microsoft? - I suspect not, but spyware has no place on my machine
(and by my definition, this is spyware), since it connects and provides
information without my consent or (especially) user action!
If the software is disabled, over time, will I still be able to get Software
Updates?
Technically (my machine came with Linux originally), the computer may not be
licensed to run Windows. What happens when the manufacturer discovers that?

More importantly, I do not trust (or believe) Microsoft's
authentication/verification methods. After having installed XP on the same
hardware multiple times, it finally stopped working (would reboot every time)
because it had been "over-activated" (activated too many times on the
same hardware). I very much suspect that Microsoft (or their software) will
decide that (even though the license is fully legitimate), the software is now
not permissible any longer - which may require a reinstall of a new key.

Fortunately, my fallback (at least at home), is already to use Linux. I do wish
I had the same choice at work.

[ Reply to This | # ]

Can't uninstall = malware.
Authored by: Anonymous on Sunday, June 11 2006 @ 02:00 PM EDT
There's no bigger red flag to me for malware than it being hard to uninstall.

To me any software that can't be uninstalled is malware, regardless of any quibbles
the manufacturer has with it being called "spyware".

[ Reply to This | # ]

VMware virtual machine clones
Authored by: leguirerj on Sunday, June 11 2006 @ 02:01 PM EDT
David Berlind has written a few articles expounding of the virtues of having
multiple virtual machines of Windows XP configured for specific purposes.
Perhaps Microsoft would like to get a handle on how many cloned copies of the
same virtual machine is used at one time. Having multiple systems reporting back
to the mothership with the same hard drive, but different IP addresses would
indicate thievery going on.

[ Reply to This | # ]

The biggest genuine advantage...
Authored by: Nick_UK on Sunday, June 11 2006 @ 02:01 PM EDT
...is to kosher buyers/users of genuine MS stuff.

I am damn sure hooky/pirated stuff will not have this
anyway, so MS are targeting their very own customers with
annoyances.

How does that ring a *bell* of what we have seen here?

Nick

[ Reply to This | # ]

Block it at the firewall
Authored by: Carla Schroder on Sunday, June 11 2006 @ 02:18 PM EDT
Thanks PJ, this is the kind of reporting that is woefully
lacking in the "real" press. I'm surprised that ZDNet even
lets David Berlind do any of this.

This isn't a solution, but a band-aid: if you have a nice
stout Linux iptables firewall, run a packet sniffer like
tcpdump or Ethereal (now called Wireshark) to figure out
what ports microshaft is using to phone home, then block
them. It may be that they are using ever-changing
high-numbered ports, so you'll have to block everything
and allow only permitted traffic. Or they may be
piggybacking over HTTP (port 80), which means don't let
your windoze PCs connect to the Internet at all.

Which means no updates & patches. Oopsie. But hey, they
said they're doing it to improve customers' experiences.

[ Reply to This | # ]
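
An added example, not part of the comment above: once a capture has been taken with `tcpdump -nn -tttt`, this Python sketch groups one host's outbound connection attempts by destination and flags the destinations contacted on every capture day. It also reports when a flagged destination shares its port with ordinary traffic, which is the case where a per-port block cannot separate the two. The capture text, addresses and function names are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample in `tcpdump -nn -tttt` text form. All addresses are
# private or documentation ranges and stand in for real hosts.
CAPTURE = """\
2006-06-09 08:01:12.104533 IP 192.168.1.20.1045 > 192.0.2.10.80: Flags [S], seq 100, win 65535, length 0
2006-06-09 08:01:12.150112 IP 192.0.2.10.80 > 192.168.1.20.1045: Flags [S.], seq 900, ack 101, win 5840, length 0
2006-06-09 09:30:40.000871 IP 192.168.1.20.1102 > 198.51.100.7.80: Flags [S], seq 200, win 65535, length 0
2006-06-10 07:55:03.771200 IP 192.168.1.20.1039 > 192.0.2.10.80: Flags [S], seq 300, win 65535, length 0
2006-06-10 12:10:09.120004 IP 192.168.1.31.2210 > 203.0.113.5.443: Flags [S], seq 400, win 65535, length 0
2006-06-11 08:03:47.660915 IP 192.168.1.20.1051 > 192.0.2.10.80: Flags [S], seq 500, win 65535, length 0
2006-06-11 08:20:00.000000 IP 192.168.1.20.1060 > 203.0.113.5.443: Flags [S], seq 600, win 65535, length 0
"""

# Match only the opening SYN of a TCP connection ("Flags [S]"), so replies
# such as "[S.]" and established traffic are not counted as new connections.
SYN = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) \S+ IP "
    r"(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[S\]"
)


def outbound_syns(capture, host):
    """Map (dst_ip, dst_port) -> sorted list of dates on which `host` opened
    a connection to that destination."""
    days = defaultdict(set)
    for line in capture.splitlines():
        m = SYN.match(line)
        if m and m.group(2) == host:
            days[(m.group(4), int(m.group(5)))].add(m.group(1))
    return {dst: sorted(seen) for dst, seen in days.items()}


def recurring(flows, min_days):
    """Destinations contacted on at least `min_days` distinct days."""
    return sorted(dst for dst, seen in flows.items() if len(seen) >= min_days)


def ports_shared_with_other_traffic(flows, flagged):
    """Ports used by a flagged destination and also by an unflagged one.
    Blocking such a port would also cut off the unflagged traffic."""
    flagged_set = set(flagged)
    flagged_ports = {port for _, port in flagged_set}
    return sorted({port for (ip, port) in flows
                   if port in flagged_ports and (ip, port) not in flagged_set})


if __name__ == "__main__":
    flows = outbound_syns(CAPTURE, "192.168.1.20")
    daily = recurring(flows, min_days=3)
    for dst, port in daily:
        print(f"contacted on every capture day: {dst}:{port}")
    for port in ports_shared_with_other_traffic(flows, daily):
        print(f"port {port} also carries other traffic; filter by destination")
```
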

Some info regarding the WGA install
Authored by: Anonymous on Sunday, June 11 2006 @ 02:32 PM EDT
After reading this, I decided to see if this was installed on my windows
computer (it is not, thankfully). I decided to search for "wgatray"
on my hard drive, and found that it was downloaded, but it was not yet installed
(yes, I am lazy in that regard). Looking in the update.inf file contained in
the download, I found the following lines relating to the registry keys that are
created on install. I hope that this info helps others, and that it allows more
discoveries.

And without much ado, the part of the file I found:

[Product.Add.Reg]
;Register LegitCheckControl.dll
HKCR,AppID\{2DE6426A-0708-415C-8C19-623CC4855F80},,0,"LegitCheckControl"
HKCR,AppID\LegitCheckControl.DLL,"AppID",0,"{2DE6426A-0708-415C-8C19-623CC4855F80}"
HKCR,LegitCheckControl.LegitCheck.1,,0,"Windows Genuine Advantage Validation Tool"
HKCR,LegitCheckControl.LegitCheck.1\CLSID,,0,"{17492023-C23A-453E-A040-C7C580BBF700}"
HKCR,LegitCheckControl.LegitCheck,,0,"Windows Genuine Advantage Validation Tool"
HKCR,LegitCheckControl.LegitCheck\CLSID,,0,"{17492023-C23A-453E-A040-C7C580BBF700}"
HKCR,LegitCheckControl.LegitCheck\CurVer,,0,"LegitCheckControl.LegitCheck.1"
HKCR,CLSID\{17492023-C23A-453E-A040-C7C580BBF700},,0,"Windows Genuine Advantage Validation Tool"
HKCR,CLSID\{17492023-C23A-453E-A040-C7C580BBF700}\ProgID,,0,"LegitCheckControl.LegitCheck.1"
HKCR,CLSID\{17492023-C23A-453E-A040-C7C580BBF700}\VersionIndependentProgID,,0,"LegitCheckControl.LegitCheck"
HKCR,CLSID\{17492023-C23A-453E-A040-C7C580BBF700}\InprocServer32,,0,"%11%\legitcheckcontrol.dll"
HKCR,CLSID\{17492023-C23A-453E-A040-C7C580BBF700}\InprocServer32,"ThreadingModel",0,"Apartment"
HKCR,CLSID\{17492023-C23A-453E-A040-C7C580BBF700},"AppID",0,"{2DE6426A-0708-415C-8C19-623CC4855F80}"
HKCR,CLSID\{17492023-C23A-453E-A040-C7C580BBF700}\TypeLib,,0,"{5E649A63-7EE9-43F4-9926-0DEAA462A8FB}"
HKCR,TypeLib\{5E649A63-7EE9-43F4-9926-0DEAA462A8FB}\1.0,,0,"Windows Genuine Advantage Validation Tool"
HKCR,TypeLib\{5E649A63-7EE9-43F4-9926-0DEAA462A8FB}\1.0\FLAGS,,0,"0"
HKCR,TypeLib\{5E649A63-7EE9-43F4-9926-0DEAA462A8FB}\1.0win32,,0,"%11%\LegitCheckControl.dll"
HKCR,TypeLib\{5E649A63-7EE9-43F4-9926-0DEAA462A8FB}\1.0\HELPDIR,,0,"%11%"
HKCR,Interface\{36CFF953-FB06-45AD-896F-94A0259AB3DD},,0,"ILegitCheck"
HKCR,Interface\{36CFF953-FB06-45AD-896F-94A0259AB3DD}\ProxyStubClsid,,0,"{00020424-0000-0000-C000-000000000046}"
HKCR,Interface\{36CFF953-FB06-45AD-896F-94A0259AB3DD}\ProxyStubClsid32,,0,"{00020424-0000-0000-C000-000000000046}"
HKCR,Interface\{36CFF953-FB06-45AD-896F-94A0259AB3DD}\TypeLib,,0,"{5E649A63-7EE9-43F4-9926-0DEAA462A8FB}"
HKCR,Interface\{36CFF953-FB06-45AD-896F-94A0259AB3DD}\TypeLib,"Version",0,"1.0"
;Hook up WgaLogon.dll
HKLM,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon,"Logon",0,"WLEventLogon"
HKLM,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon,"Logoff",0,"WLEventLogoff"
HKLM,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon,"Startup",0,"WLEventStartup"
HKLM,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon,"Shutdown",0,"WLEventShutdown"
HKLM,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon,"StartScreenSaver",0,"WLEventStartScreenSaver"
HKLM,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon,"StopScreenSaver",0,"WLEventStopScreenSaver"
HKLM,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon,"Lock",0,"WLEventLock"
HKLM,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon,"Unlock",0,"WLEventUnlock"
HKLM,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon,"StartShell",0,"WLEventStartShell"
HKLM,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon,"PostShell",0,"WLEventPostShell"
HKLM,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon,"Disconnect",0,"WLEventDisconnect"
HKLM,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon,"Reconnect",0,"WLEventReconnect"
HKLM,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon,"Impersonate",0x10001,1
HKLM,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon,"Asynchronous",0x10001,0
HKLM,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon,"SafeMode",0x10001,0
HKLM,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon,"MaxWait",0x10001,0xFFFFFFFF
HKLM,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon,"DllName",0x20000,"WgaLogon.dll"
;Add ARP entry
HKLM,%ARP_Link%%SP_SHORT_TITLE%,"InstallLocation",20000,"%SYSTEMROOT%\system32"
HKLM,%ARP_Link%%SP_SHORT_TITLE%,"HelpLink",,%HelpLink%
HKLM,%ARP_Link%%SP_SHORT_TITLE%,"URLInfoAbout",,%URLInfoAbout%
HKLM,%ARP_Link%%SP_SHORT_TITLE%,"Publisher",,%Publisher%
HKLM,%ARP_Link%%SP_SHORT_TITLE%,"DisplayName",,%SP_TITLE%
HKLM,%ARP_Link%%SP_SHORT_TITLE%,"DisplayVersion",,%PRODUCT_VERSION%
HKLM,%ARP_Link%%SP_SHORT_TITLE%,"VersionMajor",,2
HKLM,%ARP_Link%%SP_SHORT_TITLE%,"VersionMinor",,0
HKLM,%ARP_Link%%SP_SHORT_TITLE%,"ParentKeyName",0,"OperatingSystem"
HKLM,%ARP_Link%%SP_SHORT_TITLE%,"NoRemove",0x10001,1
HKLM,%ARP_Link%%SP_SHORT_TITLE%,"NoModify",0x10001,1
HKLM,%ARP_Link%%SP_SHORT_TITLE%,"NoRepair",0x10001,1
HKLM,%ARP_Link%%SP_SHORT_TITLE%,"UninstallString",,""

[ Reply to This | # ]
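
An added example, not part of the comment above and not code from the package it quotes: a short Python audit of the kind of [Product.Add.Reg] lines shown there. It reports a Winlogon notification package (a DLL registered under Winlogon\Notify to be called on logon events) and the Add/Remove Programs ("ARP") values that suppress removal. The sample lines are retyped from that excerpt with the usual registry path separators written out, which is an assumption about the original file; the function names are this example's own.

```python
import csv

# Constructed sample: a few lines retyped from the excerpt in the comment,
# with "\" separators written out (assumed; not verified against the file).
SAMPLE_INF = r'''
[Product.Add.Reg]
;Hook up WgaLogon.dll
HKLM,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon,"Logon",0,"WLEventLogon"
HKLM,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon,"Impersonate",0x10001,1
HKLM,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon,"SafeMode",0x10001,0
HKLM,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon,"DllName",0x20000,"WgaLogon.dll"
;Add ARP entry
HKLM,%ARP_Link%%SP_SHORT_TITLE%,"NoRemove",0x10001,1
HKLM,%ARP_Link%%SP_SHORT_TITLE%,"NoModify",0x10001,1
HKLM,%ARP_Link%%SP_SHORT_TITLE%,"UninstallString",,""
'''

FLG_ADDREG_TYPE_DWORD = 0x10001   # INF AddReg flag: value is a REG_DWORD
NOTIFY_MARKER = "\\winlogon\\notify\\"
# Value names under a Notify package key that configure the package rather
# than name an event handler (the set that appears in the quoted excerpt).
SETTINGS = {"dllname", "impersonate", "asynchronous", "safemode", "maxwait"}


def parse_addreg(inf_text, section):
    """Return the AddReg entries of one INF section as dicts.
    Each line is: root, subkey, value-name, flags, value."""
    entries, current = [], None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):        # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            continue
        if current != section:
            continue
        fields = next(csv.reader([line], skipinitialspace=True))
        fields += [""] * (5 - len(fields))           # pad omitted fields
        root, subkey, name, flags, value = fields[:5]
        flags = int(flags, 0) if flags else 0
        if flags & FLG_ADDREG_TYPE_DWORD == FLG_ADDREG_TYPE_DWORD:
            value = int(value, 0)
        entries.append({"root": root, "subkey": subkey, "name": name,
                        "flags": flags, "value": value})
    return entries


def audit(entries):
    """Summarise logon-time hooks and uninstall restrictions."""
    report = {"notify_packages": {}, "uninstall_blockers": []}
    for e in entries:
        name = e["name"]
        if NOTIFY_MARKER in e["subkey"].lower():
            package = e["subkey"].rsplit("\\", 1)[-1]
            info = report["notify_packages"].setdefault(
                package, {"dll": None, "events": [], "settings": {}})
            if name.lower() == "dllname":
                info["dll"] = e["value"]
            elif name.lower() in SETTINGS:
                info["settings"][name] = e["value"]
            else:
                info["events"].append(name)          # event -> handler export
        elif name in ("NoRemove", "NoModify", "NoRepair") and e["value"] == 1:
            report["uninstall_blockers"].append(name)
        elif name == "UninstallString" and e["value"] == "":
            report["uninstall_blockers"].append("UninstallString is empty")
    return report


if __name__ == "__main__":
    result = audit(parse_addreg(SAMPLE_INF, "Product.Add.Reg"))
    for package, info in result["notify_packages"].items():
        print(f"Winlogon notify package {package}: dll={info['dll']}, "
              f"events={info['events']}, settings={info['settings']}")
    print("uninstall restrictions:", result["uninstall_blockers"])
```
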

Definitions of Spyware
Authored by: PeteS on Sunday, June 11 2006 @ 02:39 PM EDT
There are a lot of definitions, so I'll first give the link I used for the search

They all seem to agree that any process / program that sends information about a system or user habits without direct notification qualifies, without the qualifier of malicious intent (although I consider trying to track my system usage as malicious, de facto).

Now the reason for doing this at boot time is that a number of sysadmins deliberately disable the Microsoft domains in the HOSTS file because they maintain local copies of updates and roll them out as needed. Of course, Microsoft didn't like that (see this post) and decided their own domains (including MSN.com) could not be filtered.

There are other methods (such as local firewalls) to prevent outbound traffic, but by doing this at boot, they get around that, as the blocking products have (probably) not yet been started.

Seems to me M$ is doing its absolute best to be considered a lawless company determined to do what it wants and ignore all conventions and indeed, even common courtesy.

PeteS

---
Artificial Intelligence is no match for Natural Stupidity

[ Reply to This | # ]

My firewall stopped WGA
Authored by: Anonymous on Sunday, June 11 2006 @ 02:39 PM EDT
The firewall I use stopped WGA the first time the program was run. The
firewall notified me and I locked it out. I renamed and moved the executable
and my PC boots fine. I use a firewall to deny most programs access to the
internet, allowing access only to those programs that are needed to boot and
gain access to the internet.
I have to use MS because my employer is a Microsoft shop.

[ Reply to This | # ]

IP address and time stamp is a big deal?
Authored by: Anonymous on Sunday, June 11 2006 @ 02:41 PM EDT
Oh, excellent. So they get your ip address too, and date/timestamp data "relating to systems' booting and continued operations". No way to contact customers, eh? No information sent? In what way is this not spyware?

Pray, tell me how an app on your computer could contact, via TCP/IP, a server -- anyone's server -- without leaving behind a trace of your IP address and a timestamp. They could send "12345" as the data and still get your IP address and the time it was sent. (Sure, they could route it through a proxy that adds a random delay, but then the proxy would have the info.)

If that constitutes spyware, then every website on the planet is spyware. This statement undermines the rest of the argument, because it's equivalent to those "Your system is broadcasting an IP address!" scaremongering ads.

[ Reply to This | # ]

"Microsoft strives to maintain the highest standards in our business conduct "
Authored by: tiger99 on Sunday, June 11 2006 @ 02:44 PM EDT
I think that quote has much to say about the honesty and integrity of the person who made it!

"Highest Standards" == "Criminal Monopoly"

I have not allowed my one remaining XP machine to go online for many months, and it never, ever will now.

Gates is shooting himself in both feet by his continued obsession with maintaining a totalitarian monopoly regardless of laws, or privacy, or now customer satisfaction. This sort of thing drives potential customers to leave their cheque books in their pockets and download Kubuntu, OpenSuse or Fedora Core 5 (to name but 3 contenders, there are many more which are equally useful).

But it is arguably not much worse than what a previous version of his vile, bug-ridden products (was it 95 or 98, or maybe Office, I can't remember?) did by sending to M$ a list of competitors' products it found on the machine.

As I have said before, Gates and his henchmen regard themselves as above the law, and it will never stop until a few stiff jail sentences are applied.

[ Reply to This | # ]

BIOS info and checksum -> what about BIOS password
Authored by: Anonymous on Sunday, June 11 2006 @ 03:17 PM EDT

From a technical and legal standpoint, both of which I am not
an expert on, could this ever constitute password theft?

Comments anyone?

bj

[ Reply to This | # ]

Microsoft's Calling Home Problem: It's a Matter of Informed Consent
Authored by: Anonymous on Sunday, June 11 2006 @ 04:14 PM EDT
A few issues with this matter have occurred to me.

First getting a *German* legal firm to say that you are complying with *German*
privacy law is one thing. MS was paying the bills there. It may be that the
legal advice they received will turn out to be incorrect.

Second it was *only* a *German* law firm. I remind readers that there are 26
other countries in the EU all governed by the same privacy directive but all of
which have implemented it into their own laws differently.

Thirdly the EU is not the only jurisdiction MS sells to. Japan and S Korea both
spring to mind here. There are others of course. I'm not sure how up to date this
German law firm is on Japanese law.

The position in the US is a bit different. The US at least until it became
public knowledge that credit card theft was rife had no real privacy laws. The
few that exist now are nowhere near as severe as the EU ones.

1 will get you 10 that this is illegal under laws in several states - thinking
of Texas and California and Sony here.

The EU Court has ruled EU govs cannot share airline data with the US gov. MS is
a mere company. This is almost certainly illegal in most of the EU.

Class action anyone?

The issue of the BIOS and hard disc numbers. There is NO way this has anything
to do with MS per se. This is being used to keep a hold on manufacturers. WE
know how many XP systems you sold and where you sold them. This sort of
information will be of interest to anti trust authorities world wide.

If this doesn't spawn a bunch of law suits all over the place MS will have bought
off the judiciary.

--

MadScientist

[ Reply to This | # ]

Reinstall issues...
Authored by: Anonymous on Sunday, June 11 2006 @ 04:44 PM EDT
I recently had to reinstall Windows from scratch, and the update process refused
to let me have any security updates because an unknown error occurred during
validation.

The kicker is that it's a legitimate copy.

I eventually had to manually download the "network install" version of
SP2 for XP, at which point Windows Update validated my installation.

I forget the exact error code, but I found hundreds of hits when I searched for
it on Google, about half seemed to be from people with questionable copies, and
the rest were people like me, who knew beyond any doubt that their copy was
legit.

[ Reply to This | # ]

It doesn't work anyway...
Authored by: Anonymous on Sunday, June 11 2006 @ 04:49 PM EDT
I was forced to download WGA the other day in order to install Windows Messenger
onto my pirated W2K. It didn't complain...

Go Figure.

Deliberately anon...

[ Reply to This | # ]

It's all in one of the EULAs
Authored by: Anonymous on Sunday, June 11 2006 @ 05:31 PM EDT
I don't think Microsoft is in any kind of legal danger, they probably have something
covering this and a lot of other nastiness in several of their EULAs that a lot
of people just click through.

I remember reading one of Microsoft's EULAs when I connected to Windows Update
one of the first times, and this was before they started with "Windows
Genuine Advantage", and that agreement gave Microsoft carte blanche to use
any means possible to gather whatever information they wanted from my
computer.
I thought it was a bit of an over-reaching EULA as the only "restriction"
was that if they relayed the information to third parties they would do it in a
way that couldn't identify me or my computer. There was no restriction put on
what Microsoft themselves could do with or based on the information.

I guess as long as they didn't break any insider trading laws they could use any
information on my computer to aid them in whatever decisions or
business-practices they would see fit. I'm not a lawyer, nor familiar with what
laws might apply here.

My initial reaction was that any company mad enough to sign that agreement
better hope they never try to compete with Microsoft.

- Mikael

[ Reply to This | # ]

Testing the Waters for New Services
Authored by: Anonymous on Sunday, June 11 2006 @ 05:36 PM EDT
WGA is possibly a prototype or test platform for future software services. As
well as on-line validation of MS-Windows and MS-Office, they could sell this
service to third party software publishers who want their licenses verified.
This would likely be in the form of charging the publisher an annual fee per
account validated.

Have a look at "Windows Marketplace". This is a Microsoft site which
is full of links to third party software which you can purchase on line. The
MS-Windows Vista Beta has a link to it directly from the "start" menu.
Most of what is on there now is just useless demo-ware, but there are some
genuine third party products for sale.

MS could also sell "metered" access to software. If you paid according
to the amount by which you used the software, the publisher would need frequent
on-line updates for billing purposes. Again, Microsoft could charge for a
percentage of the billing.

The third party software providers could do this themselves (and some already
do), but it is probably cheaper to outsource license compliance to Microsoft.
They could also license the Microsoft DRM system to provide more reliable copy
protection.

This would require the computer be given internet access, but that is something
most people and virtually all businesses have anyway.

WGA may not make much sense in its current form, but it is a good way for them
to acquire real world experience which they can develop into new products
later.

[ Reply to This | # ]

Informed Consent
Authored by: tyche on Sunday, June 11 2006 @ 05:47 PM EDT
PJ, You commented on informed consent as regards the Health Industry (by this is
implied doctors and hospitals). The following was a number of years ago
(1978-79) but I would venture to say is still in existence today.

When my oldest son was tentatively diagnosed as having cancer he was transferred
from our local hospital to Children's Hospital in Buffalo, New York. On
checking him in, we had to sign a contract with the hospital (insuring payment,
etc). On reading the contract, I discovered that the "etc." in the
preceding sentence included absolving the hospital and doctors of all
responsibility for the future well-being of my son. Prior to signing the
contract, I went back through it and changed all appropriate areas so that they
read that NO procedures would be applied without the consent of myself or my
wife.

BACKGROUND: My wife was, at that time, an Accredited Records Technician (for
medical records), and was (and/or had been) a Utilization Review Coordinator in
the medical records field. We had discussed this problem at some length,
particularly its moral and ethical value, and had long since decided how we
would handle the possibility.

CONTINUATION: The hospital intake person took one look at what I had done, and
said, "you can't do this!" I told her to check with her lawyers. She
did. The lawyer and the hospital administrator both came down to the office and
said that I COULD, in fact, do it. That I was taking personal responsibility
for the care of my son. A responsibility that I, in fact, held on the basis of
being the child's parent.

END GAME: A doctor in that hospital waited until I was out of my son's room to
have him removed to another area. There, the doctor performed a procedure
without my knowledge and consent (a bone marrow biopsy - a very painful
procedure which, to a 12 year old boy, was terrifying). My son was transferred
out of that hospital within the next 4 hours to a state run facility in the same
city. The Children's hospital administrator got an earful, and should feel
fortunate that we didn't have him, the doctor, and the hospital up on civil and
criminal charges. The state run facility had no problem with the same changes
being made to their contract, and honored it throughout his treatment.

Craig
Tyche

---
"It is a tale, told by an idiot, full of sound and fury....
signifying nothing."
Shakespeare, Macbeth (The Scottish Play)

[ Reply to This | # ]

Is WGA really required for updates?
Authored by: cmc on Sunday, June 11 2006 @ 06:10 PM EDT
I've heard in the past, and again in this article, that installing the Windows
Genuine Advantage (WGA) tool is required in order to obtain updates. Is this
still the case? I have not installed the tool, and I refuse to. However, I
continue to get updates. Similarly, any new system I build downloads updates
without me having to install the WGA tool. Of course, I don't use the
"Windows Updates" website, either. I know that you can't get updates
from there without it. But it seems (or is it just me?) that you can set
Windows' automatic updates to automatically install (or automatically download
and let you manually install, which is what I do), and it will install the
updates without you having to install the WGA tool.

cmc

[ Reply to This | # ]

What to do?
Authored by: rsmith on Sunday, June 11 2006 @ 06:56 PM EDT
Well, if you're capable of doing so, switch to free software.

If that is not feasible, at least use a good open-source stateful firewall
between your windows boxen and the internet (OpenBSD's pf comes to mind), to
intercept and block this "service".

One wonders if Windows' own firewall (firefence?) is able to stop this?

---
Intellectual Property is an oxymoron.

[ Reply to This | # ]

Unplugged, once and for all...
Authored by: w00t on Sunday, June 11 2006 @ 07:03 PM EDT
I read this article, reached over, and removed my MS boxes' network connection.
It will not be reattached.

Good riddance.

-w00t

[ Reply to This | # ]

This is trespass
Authored by: Anonymous on Sunday, June 11 2006 @ 07:17 PM EDT

I look forward to the development of the concept of trespass as it applies to
computers.

[ Reply to This | # ]

Microsoft's Calling Home Problem: It's a Matter of Informed Consent
Authored by: LaurenceTux on Sunday, June 11 2006 @ 07:21 PM EDT
mark this down somewhere
dateline USA 2009/06/12
Random Inc files bankruptcy due to loss of data.
Today Random Inc files for chapter 11 bankruptcy due to a failure of their
computers. Frank Fubar (CTO) stated "We had a fully patched Microsoft Vista
System (r) but one day the DRM server farm for some unknown reason stopped
working. This then caused all of our systems to terminate their licences. As we
are now considered a "Pirate" the current cost of new licenses is 150%
of our total assets." ...

I would bet this will happen to some company and the EULA allows this!!!

[ Reply to This | # ]

Personal Identifiable information
Authored by: Anonymous on Sunday, June 11 2006 @ 07:22 PM EDT
Q: What information is collected from my computer?
A: The genuine validation process will collect information about your system to determine if your Microsoft software is genuine. This process does not collect or send any information that can be used to identify you or contact you. The only information collected in the validation process is:
* Windows product key ...
Okay, so the Windows XP Activation process may be anonymous, but what if you purchased your license on-line?
Did MS store your email address and product key together?
If you registered the product, I'd guess your product key is part of the information along with some personal details.
So, for some, it would be possible to identify contact information. Of course, the use of that information is protected by a privacy policy and was given as part of a voluntary process.

[ Reply to This | # ]

MS definition of Spyware.
Authored by: Anonymous on Sunday, June 11 2006 @ 08:16 PM EDT
"Broadly speaking, spyware is deceptive software that is installed on a
user’s computer without the user’s consent and has some malicious purpose. WGA
is installed with the consent of the user and seeks only to notify the user if a
proper license is not in place. WGA is not spyware."


Pay attention world! According to Microsoft, anyone can install software to spy
on you and it's not spyware unless it has a "malicious purpose" and
you didn't know it was installed. If you knew it was installed, but didn't know
it was spying on you, or if it didn't have a "malicious purpose" MS
doesn't consider this spyware.

Remember this when you think about trusting MS anti-spyware software.

[ Reply to This | # ]

How do they do this?
Authored by: Anonymous on Sunday, June 11 2006 @ 08:24 PM EDT
A few years ago, there was a massive virus outbreak on Windows, I forget the
precise name of it, "Love" something, or something like that I vaguely
recall. I think it was an Office/Word virus.

Anyway, with Microsoft's help, the originator of the virus was tracked down in
the Philippines and was a teenage boy.

I seem to recall there was some kind of signature in the virus, from which they
were able to track back to his location or computer.

My question is: how did they do that?

It seems to me that it would not be possible to track back from a signature to a
particular computer, unless they had some sort of database of every computer's
signature.


Sorry the above is a bit vague. Hopefully I've given enough details for somebody
to find the link to the news stories from the time?

And once again: How do they do it? And what does it imply for what information
they are collecting?

Quatermass
IANAL IMHO etc

[ Reply to This | # ]

Hard Drive Serial Number
Authored by: PM on Sunday, June 11 2006 @ 08:29 PM EDT
I remember there was a big hue and cry over electronically readable serial
numbers with respect to Intel P3 processors, so much so that motherboard
manufacturers added a feature to hide the serial number from view. Microsoft
seems to have 'end run' this by using the Hard Drive serial number instead, it
is also possible to use ethernet card 'serial number' (I cannot remember its
proper name, but it is important for network operation - have two cards with the
same serial, the network runs into trouble) for identification purposes.

Presumably an organisation who has ghost installed one instance of Windows or
Office onto a significant number of equal machines can be expecting a knock on
the door from BSA armed with an Anton Piller once the calls to 'mothership' are
collated.

[ Reply to This | # ]

Who actually reads (and discusses) licenses? Not Windows users ...
Authored by: RichardR on Sunday, June 11 2006 @ 08:41 PM EDT
About a week ago, I was also confronted with the WGA license - the Dutch version
that is, while hooking up my sister-in-law's machine after her moving house -
and I didn't like what I saw right away.
Regrettably, I neglected to copy and save the actual Dutch text, so I started
searching for it. The first annoyance was that I couldn't locate the license
anywhere on the machine any more - so how is one supposed to check out what
conditions were agreed to after the fact?
And alas, the Dutch version so far isn't to be found on the Internet anywhere
either, but that isn't the real issue here. What I did find, was - to me, at
least - a lot more disturbing: when searching with Google, I couldn't find *any*
discussion *at all* about Microsoft's license terms in *any* Dutch Windows
newsgroups. Nothing. Nada. Zilch. From 1998 onwards.
Not a single one of tens of thousands of visitors of Dutch Windows newsgroups
ever questioned any of Microsoft's ubiquitous license agreements, or even any
single license term. The vast majority of hits I found were from people
requesting "hacks'n'cracks", in order to circumvent license
restrictions; most other hits were about when one should get extra licenses and
the like.

I then expanded my search to the English language territory. Obviously, I got
many more hits, so I just counted hits for more or less identical queries, both
for "Windows" and "Linux". These are the results for Google
Groups:

windows license terms group:*.windows.* 12,600
windows license terms legal group:*.windows.* 1,250
windows license conditions group:*.windows.* 797
windows eula terms group:*.windows.* 318
windows eula conditions group:*.windows.* 176

linux license terms group:*.linux.* 42,800
linux license terms legal group:*.linux.* 9,790
linux license conditions group:*.linux.* 9,780
linux eula terms group:*.linux.* 807
linux eula conditions group:*.linux.* 366
linux GPL terms group:*.linux.* 22,700
linux GPL conditions group:*.linux.* 7,090

The results speak for themselves, even without filtering out all the Windows
requests for "hacks'n'cracks": Windows users don't care squat about
the licenses for the software they're using. And I'm very much afraid that this
is because they don't even read, much less correctly interpret, these licenses.
Are these people completely ignorant of the legal implications of what they
agree with? Do they actually realize that they're giving up normal consumer
rights wholesale, to the great benefit of a company which is not exactly
renowned for fair and square dealing?
In other words: are Windows users on average really dumb sheep, not caring about
who leads them, and where, and under which rules and pretences? Looking at what
I found (or rather: didn't find), I'm afraid they are ...

I find this deeply disturbing.

[ Reply to This | # ]

No updates for 98/ME/XP-SP1 anyway
Authored by: Anonymous on Sunday, June 11 2006 @ 09:22 PM EDT
For XP-SP1, that happens in October; for the rest, within a month. So say MS
themselves.

I have several Linux installs notably older than Win98 running perfectly updated
and patched, so why can't mr sixty-billion-in-cash and his bunch of clowns
achieve the same thing with smaller, simpler Win98?

[ Reply to This | # ]

Microsoft's Calling Home Problem: It's a Matter of Informed Consent
Authored by: Slimbo on Sunday, June 11 2006 @ 09:29 PM EDT
I received a Microsoft Update last weekend for WGA. I had my system set to
download, but not install. When it came up and asked me if I wanted to install
it, I said no. Not trusting MS to do the right thing I turned off the Automatic
Update service. Reading this article I did a search for "WGA" and
found a copy of its install log, C:\windows\WGA.log.

Ok, why is there an install log if I said no? Now I'll see what breaks while
trying to clean this garbage out. Good thing I spent this weekend fixing an
issue I had with Mandriva and the drivers for my Nvidia video card. Below is
the WGA log file.

Later,
Randy

[WGA.log]
0.047:
================================================================================

0.047: 2006/03/14 19:04:42.656 (local)
0.047:
C:WINDOWSSoftwareDistributionDownload8b8c30d92a5a722c5d42566e03bea22dupdate
update.exe (version 6.2.29.0)
0.047: Failed To Enable SE_SHUTDOWN_PRIVILEGE
0.047: Hotfix started with following command line: -q /Z -ER
/ParentInfo:3ecb85614ce1c045a8df420ff6b1f79f
1.344: InstallInfCatalogFile: Installing
c:windowssoftwaredistributiondownload8b8c30d92a5a722c5d42566e03bea22dupdate
WGA.cat as _000000_.cat...
1.344: VerifyTargetFileSize: Unable to verify size as Source = NULL for file
c:windows_000000_.cat
1.484: InstallInfCatalogFile: Installation succeeded.
1.500: ---- Old Information In The Registry ------
1.500: Source:C:WINDOWSsystem32_000110_.tmp.dll (3.0.3790.2180)
1.500: Destination:
1.500: Source:C:WINDOWSsystem32_000114_.tmp.dll (3.0.3790.2180)
1.500: Destination:
1.500: ---- New Information In The Registry ------
1.500: Source:C:WINDOWSsystem32_000110_.tmp.dll (3.0.3790.2180)
1.500: Destination:
1.500: Source:C:WINDOWSsystem32_000114_.tmp.dll (3.0.3790.2180)
1.500: Destination:
1.515: SetProductTypes: InfProductBuildType=BuildType.Sel
1.515: SetAltOsLoaderPath: No section uses DirId 65701; done.
1.750: DoInstallation: FetchSourceURL for
c:windowssoftwaredistributiondownload8b8c30d92a5a722c5d42566e03bea22dupdate
update.inf failed
1.750: CreateUninstall = 0,Directory = C:WINDOWS$NtUninstallWGA$
1.750: LoadFileQueues: UpdSpGetSourceFileLocation for halaacpi.dll failed:
0xe0000102
1.750: BuildCabinetManifest: update.url absent
1.750: Starting AnalyzeComponents
1.750: AnalyzePhaseZero used 0 ticks
1.750: No c:windowsINFupdtblk.inf file.
1.750: SetupFindFirstLine in LoadExclusionList Failed with error: 0xe0000102
1.750: SetupFindFirstLine in LoadExclusionList Failed with error: 0xe0000102
3.469:
C:WINDOWSsystem32CatRoot{F750E6C3-38EE-11D1-85E5-00C04FC295EE}oem1.CAT
trusts inf c:windowsinfoem1.inf of device
PCIVEN_10DE&DEV_0264&SUBSYS_34021565&REV_A23&2411E6FE&0&am
p;51
3.953:
C:WINDOWSsystem32CatRoot{F750E6C3-38EE-11D1-85E5-00C04FC295EE}oem0.CAT
trusts inf c:windowsinfoem0.inf of device
PCIVEN_10DE&DEV_0270&SUBSYS_34021565&REV_A23&2411E6FE&0&am
p;48
4.078:
C:WINDOWSsystem32CatRoot{F750E6C3-38EE-11D1-85E5-00C04FC295EE}oem0.CAT
trusts inf c:windowsinfoem0.inf of device
PCIVEN_10DE&DEV_0272&SUBSYS_34021565&REV_A23&2411E6FE&0&am
p;52
4.203:
C:WINDOWSsystem32CatRoot{F750E6C3-38EE-11D1-85E5-00C04FC295EE}oem0.CAT
trusts inf c:windowsinfoem0.inf of device
PCIVEN_10DE&DEV_027E&SUBSYS_34021565&REV_A23&2411E6FE&0&am
p;07
4.328:
C:WINDOWSsystem32CatRoot{F750E6C3-38EE-11D1-85E5-00C04FC295EE}oem0.CAT
trusts inf c:windowsinfoem0.inf of device
PCIVEN_10DE&DEV_027F&SUBSYS_34021565&REV_A23&2411E6FE&0&am
p;06
4.515:
C:WINDOWSsystem32CatRoot{F750E6C3-38EE-11D1-85E5-00C04FC295EE}oem0.CAT
trusts inf c:windowsinfoem0.inf of device
PCIVEN_10DE&DEV_02F8&SUBSYS_34021565&REV_A23&2411E6FE&0&am
p;03
4.640:
C:WINDOWSsystem32CatRoot{F750E6C3-38EE-11D1-85E5-00C04FC295EE}oem0.CAT
trusts inf c:windowsinfoem0.inf of device
PCIVEN_10DE&DEV_02F9&SUBSYS_34021565&REV_A23&2411E6FE&0&am
p;04
4.765:
C:WINDOWSsystem32CatRoot{F750E6C3-38EE-11D1-85E5-00C04FC295EE}oem0.CAT
trusts inf c:windowsinfoem0.inf of device
PCIVEN_10DE&DEV_02FA&SUBSYS_34021565&REV_A23&2411E6FE&0&01
5.000:
C:WINDOWSsystem32CatRoot{F750E6C3-38EE-11D1-85E5-00C04FC295EE}oem0.CAT
trusts inf c:windowsinfoem0.inf of device
PCIVEN_10DE&DEV_02FE&SUBSYS_34021565&REV_A23&2411E6FE&0&02
6.125:
C:WINDOWSsystem32CatRoot{F750E6C3-38EE-11D1-85E5-00C04FC295EE}oem0.CAT
trusts inf c:windowsinfoem0.inf of device
PCIVEN_10DE&DEV_02FF&SUBSYS_34021565&REV_A23&2411E6FE&0&05
7.359: OEM file scan used 5609 ticks
7.359: AnalyzePhaseOne: used 5609 ticks
7.359: AnalyzeComponents: Hotpatch analysis disabled; skipping.
7.359: AnalyzeComponents: Hotpatching is disabled.
7.359: AnalyzePhaseTwo used 0 ticks
7.359: AnalyzePhaseThree used 0 ticks
7.359: AnalyzePhaseFive used 0 ticks
7.359: AnalyzePhaseSix used 0 ticks
7.359: AnalyzeComponents used 5609 ticks
7.359: Downloading 0 files
7.359: bPatchMode = FALSE
7.359: Inventory complete: ReturnStatus=0, 5609 ticks
7.359: Num Ticks for invent : 5609
7.359: Allocation size of drive C: is 4096 bytes, free space = 21149085696
bytes
7.359: Drive C: free 20169MB req: 7MB w/uninstall 0MB
7.359: CabinetBuild complete
7.359: Num Ticks for Cabinet build : 0
7.359: DynamicStrings section not defined or empty.
7.359: FileInUse:: Detection disabled.
8.359: Registering Uninstall Program for -> WGA, WGA , 0x0
8.359: LoadFileQueues: UpdSpGetSourceFileLocation for halaacpi.dll failed:
0xe0000102
8.359: System Restore Point set.
8.390: Copied file: C:WINDOWSsystem32spmsg.dll
8.922: PFE2: Not avoiding Per File Exceptions.
8.937: GetCatVersion: Failed to retrieve version information from
C:WINDOWSsystem32CatRoot{F750E6C3-38EE-11D1-85E5-00C04FC295EE}WGA.cat with
error 0x57
8.969: GetCatVersion: Failed to retrieve version information from
C:WINDOWSWGA.cat with error 0x80092004
9.187: Copied file: C:WINDOWSsystem32LegitCheckControl.dll
9.297: DoInstallation: Installing assemblies with source root path:
c:windowssoftwaredistributiondownload8b8c30d92a5a722c5d42566e03bea22d
9.297: Num Ticks for Copying files : 1938
9.437: Num Ticks for Reg update and deleting 0 size files : 140
9.437: Starting process: C:WINDOWSsystem32spupdsvc.exe /install
"Enables Installer to complete its scheduled post-reboot tasks"
10.625: Return Code = 0
10.625: ---- Old Information In The Registry ------
10.625: Source:C:WINDOWSsystem32_000110_.tmp.dll (3.0.3790.2180)
10.625: Destination:
10.625: Source:C:WINDOWSsystem32_000114_.tmp.dll (3.0.3790.2180)
10.625: Destination:
10.625: ---- New Information In The Registry ------
10.625: Source:C:WINDOWSsystem32_000110_.tmp.dll (3.0.3790.2180)
10.625: Destination:
10.625: Source:C:WINDOWSsystem32_000114_.tmp.dll (3.0.3790.2180)
10.625: Destination:
10.625: UpdateSpUpdSvcInf: Source [ProcessesToRunAfterReboot] section is empty;
nothing to do.
10.625: Starting process: C:WINDOWSsystem32spupdsvc.exe /delete
10.640: Return Code = 0
11.531: CleanupTrustedInfFile: GetFileAttributes for
C:WINDOWSsystem32CatRoot{F750E6C3-38EE-11D1-85E5-00C04FC295EE}oem8.cat
failed: 0x2
11.531: RebootNecessary = 0,WizardInput = 1 , DontReboot = 1, ForceRestart = 0

[ Reply to This | # ]

"this feature will be disabled when WGA Notifications launches worldwide later this year"
Authored by: Anonymous on Sunday, June 11 2006 @ 09:45 PM EDT

So ... why do we need that daily Notification ping?

Good question. I guess we really don't need it that much because Microsoft has also clarified that, "As a result of customer concerns around performance, we are changing this feature to only check for a new settings file every 14 days. This change will be made in the next release of WGA. Also, this feature will be disabled when WGA Notifications launches worldwide later this year." from Steven J. Vaughan-Nichols.

Changing the check from 1 to 14 days was an easy change to make.

Easy changing of the data collected and where to send it is probably already built in.

M$ could check these other functions by changing the servers involved and changing details of the collection (in response to these complaints?).

The spying potential of this software is obvious and as I note someone above has pointed out its commercial potential.

It's this statement which has intrigued me:

feature will be disabled when WGA Notifications launches worldwide later this year

By implication it can be enabled in various incarnations. As Mad Scientist noted above - some things are probably illegal in some jurisdictions.

The most obvious are problems in Europe, but variations will probably exist OR BE REQUIRED everywhere.

I haven't checked the geographic areas where the tests are being carried out. Do they conform in any way to areas of the world where MS have "legal problems" to overcome?

Is a successful test required for Vista to pass privacy law in Europe?

Encryption is already creating problems and is an "option".

Government wants your view on encryption keys

...The Home Office also claimed that the law was needed due to the inclusion of encryption technologies in standard operating systems, such as Microsoft's Vista which will include an encryption tool called Bitlocker.

"This, and the rapidly growing availability of encryption products including the advent of encryption products as integrated security features in standard operating systems, has led the Government to judge that it is now timely to implement the provisions of Part III," said the Home Office on its Web site.

Businesses and individuals can raise concerns about the draft code of practice at: http://www.homeoffice.gov.uk/documents/cons-2006-ripa-part3/ ZDnet UK


At least the UK government is looking at the various problems created by encryption NOW, complete with a Web Site where they want comments.

Could WGA be tailored to compose "National Distributions"?

I can think of some countries where the powers that be would like encryption locked with their own key and a full report to government daily to ensure censorship has been enforced.

Brian S.

[ Reply to This | # ]

List of Data collected
Authored by: Anonymous on Sunday, June 11 2006 @ 09:57 PM EDT
not including the already known key checks

clientTime
cookie
PingResponse
PingResult
pingLevel
Cookie
EncryptedData
Expiration
MonitoredServicesResponse

CustomInfo:
DatabaseInfo:
ConfigFileExpirationModuloInMinutes
sConfigFileNextExpirationTime
ConfigFileVersion
ConfigFileLastModifiedTime
ConfigFileEnvironmentName
ConfigFileProjectName
ConfigFilePath
RequestContentType
IsHttps
sServicesMachine
eServicesName
ServicesTime
SuccessFlag
ReportingEvent

PrivateData:
UserAccountName
eComputerDnsName

ExtendedData:
DeviceID
OSLocaleID
OSVersion
BiosRevision
ComputerModel
ComputerBrand

MiscData:
ReplacementStrings
DetailedVersion
ServicePackMinor
ServicePackMajor
Revision
Build
Minor
Major
BasicData
AppName
SourceID
EventID


Notice this collects your User Logon Name (private data) and your machine's DNS
name along with cookie information, if the machine is directly connected to the
internet this will report your IP hostname which means MS have a way to
correlate your logon name with your IP which will create all sorts of
interesting advertising opportunities for MSN


[ Reply to This | # ]

Microsoft's Calling Home Problem: It's a Matter of Informed Consent
Authored by: Anonymous on Sunday, June 11 2006 @ 10:24 PM EDT
It seems pretty clear to me why MS is gathering both the IP and the HD Serial.
It identifies systems sitting behind a proxy. IP for locating them
geographically, HD serial to identify them internally.

So much for not gathering personally identifiable information...

[ Reply to This | # ]

Microsoft's Calling Home Problem: Sounds like a setup for BSA raids
Authored by: Juggler9 on Sunday, June 11 2006 @ 11:19 PM EDT
They may not care about XP anymore since Vista is "just around the
corner" but it appears that they could be using XP as a test bed for
collecting information for BSA raids.

Anyone wanna take bets on this?

[ Reply to This | # ]

"DailyTech Receives its Microsoft WGA Kit"
Authored by: Anonymous on Sunday, June 11 2006 @ 11:29 PM EDT

...DailyTech labs just received its Windows Genuine Advantage Kit. We ordered the kit on May 15, 2006, but had the online WGA update installed via the online software update....

We received a standard letter from Microsoft along with our WGA Kit that reads the following:

"The counterfeit report you submitted with your order will be treated by Microsoft as confidential. Microsoft's anti-piracy team investigates each and every lead we receive. Since investigations are ongoing and extremely confidential, we are unable to provide you with the status of a particular lead you have submitted. The length of time to bring about enforcements varies depending on the nature of a particular investigation.".... DailyTech


How many journalists will this catch?

:)

Brian S.

[ Reply to This | # ]

MS phones home
Authored by: Slimbo on Sunday, June 11 2006 @ 11:35 PM EDT
Reposted from a couple of posts I made earlier, but are buried deep under
multiple replies.

Doing a string search in wgalogon.dll produced these beauties:

BuyNowDelayUnactivated
BuyNowDelayNonGenuine
LegitCode ReducedReminders

Kinda says what they want. Legit code reduces reminders not gets rid of them. I
think it's to force people to buy Vista because they won't be selling XP
anymore. Found these URLs too along with a couple of Verisign URLs.

http://crl.microsoft.com/pki/crl/products/CodeSignPCA2.cr
http://www.microsoft.com/pki/certs/CodeSignPCA2

Here are a few more strings from "legitcheckcontrol.dll"

http://www.microsoft.com/SoftwareDistribution/Server/IMonitorable
http://www.microsoft.com/SoftwareDistribution
http://localhost/ReportingWebService/WebService.asmx
http://stats.update.microsoft.com/reportingwebservice/reportingwebservice.asmx
http://go.microsoft.com/fwlink/?LinkId=33171&LegitCheckError=%s
http://crl.verisign.com/tss-ca.crl

SOAPAction:
"http://www.microsoft.com/SoftwareDistribution/ReportEventBatch

These are probably from their editor.
soap="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/

[ Reply to This | # ]
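
The string search described in the comment above, and the field names in the earlier "List of Data collected" comment, can be reproduced with a short script. This is an added example, not part of either post: the byte blob is a constructed stand-in for a DLL, built from strings quoted in those comments, and the function names are hypothetical.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Field names taken from the "List of Data collected" comment.
FIELD_NAMES = {"UserAccountName", "DeviceID", "BiosRevision", "ComputerModel"}

# Constructed sample: NOT a real DLL. Binary padding separates the strings,
# and one URL is stored as UTF-16LE, as Windows binaries often do.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    b"BuyNowDelayUnactivated\x00BuyNowDelayNonGenuine\x00\x01\x02"
    b"UserAccountName\x00DeviceID\x00BiosRevision\x00\xff\xfe\x10"
    b"http://stats.update.microsoft.com/reportingwebservice/"
    b"reportingwebservice.asmx\x00"
    b"SOAPAction: \"http://www.microsoft.com/SoftwareDistribution/"
    b"ReportEventBatch\"\x00\x07\x08"
    + "http://crl.verisign.com/tss-ca.crl".encode("utf-16-le")
    + b"\x00\x00\x13\x37"
)

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def extract_strings(data, min_len=6):
    """Return sorted (offset, encoding, text) for printable runs.

    An ASCII-only scan misses UTF-16LE strings, so both encodings are searched.
    """
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = []
    for m in ascii_re.finditer(data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in wide_re.finditer(data):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    return sorted(found)


def classify(strings, field_names):
    """Sort extracted strings into the questions an auditor asks:
    where can it connect, which remote method is named, what data is named."""
    report = {"urls": [], "soap_actions": [], "data_fields": [], "other": []}
    for _offset, _encoding, text in strings:
        urls = URL_RE.findall(text)
        if text.lower().startswith("soapaction"):
            report["soap_actions"].extend(urls)
        elif urls:
            report["urls"].extend(urls)
        elif text in field_names:
            report["data_fields"].append(text)
        else:
            report["other"].append(text)
    return report


def hosts(urls):
    """Group URL paths by hostname, giving a list to check in traffic logs."""
    by_host = defaultdict(list)
    for url in urls:
        parts = urlsplit(url)
        by_host[parts.hostname].append(parts.path)
    return dict(by_host)


if __name__ == "__main__":
    report = classify(extract_strings(SAMPLE), FIELD_NAMES)
    for host, paths in hosts(report["urls"]).items():
        print("endpoint:", host, paths)
    print("SOAP actions:", report["soap_actions"])
    print("named data fields:", report["data_fields"])
    print("other strings:", report["other"])
```

A string found in a binary is a lead, not proof that the value is transmitted; the host list is what to look for in a firewall or packet-capture log to confirm it.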

Microsoft crippled inside?
Authored by: golding on Monday, June 12 2006 @ 12:20 AM EDT
I call MS's behaviour "crippled inside" from the song of John Lennon.

Essentially, this means they are inclined to believe others will behave the same
as they do, thus, it is fact Bill and Co 'stole' computer time and read every
little bit of code from bins to make up BASIC for the early IBM 8088/6's.

They stole, so they think everybody else is the same, like men who stray are
convinced their partners are also ready to stray, I hope you get the idea.

I have been told I am too honest for my own good, as I would rather get 'burned'
every now and then, than start to treat people with mistrust on the outset.

---
Regards, Robert

..... Some people can tell what time it is by looking at the sun, but I have
never been able to make out the numbers.

[ Reply to This | # ]

There are some ways to wrest back some control.
Authored by: Anonymous on Monday, June 12 2006 @ 12:49 AM EDT

All of this is getting us (and our systems) ready for the day that we will have to pay daily/weekly/monthly/yearly fees to continue using the operating system, applications, or other features. Pay the tribute, or we shut you down (on purpose, not with root kits, bugs, viruses, or "normal" software from MS).

Today, those of us that are forced to run Windows XP in some form or another can get some control of the phone-home process by using the Xp-AntiSpy tool, located at xp-antispy. The list of phone-home features this tool disables (including WGA, media player, auto update, ...) is truly amazing. Who knew, for example, that the Windows help facility is at least partially hosted at Microsoft and phones home?

Like all things you add to your computer, be careful. Virus scan the file, make sure you get it from the correct URL, keep backups, etc. With that said, I have used the tool for a number of years without issues. YMMV. Be aware that there is adware masquerading as this tool.

I am working on being completely Windows free, but haven't made it yet. This tool is a little added help to remain somewhat in control. In control, that is, until the MS minions prevent its use in some way.

Enough is more than enough.


[ Reply to This | # ]

Microsoft's Calling Home Problem: It's a Matter of Informed Consent
Authored by: Anonymous on Monday, June 12 2006 @ 01:07 AM EDT
And Micro$oft probably doesn't think it's exploitable either...

Steps to create a botnet...
1: run a packet sniffer to determine where WGA is phoning home to
2: create a settings file which tells any victim's computer to phone to a
different address
3: place this settings file where victim computers can get it
4: hack the DNS system to point potential victims to your site so they will get
the new settings file
5: CONTROL THE WORLD!!!

Windows WGA: Just like Sony's Rootkit...

[ Reply to This | # ]

Microsoft's Calling Home Problem: It's a Matter of Informed Consent
Authored by: gbl on Monday, June 12 2006 @ 01:49 AM EDT
Perhaps it is all preparation for a Vista "push" install/upgrade.

There seems little reason to immediately pay to upgrade to Vista and that could be a problem for MS.

I have this theory that MS will make the lowest version of Vista free and a downloadable upgrade. It will omit most of the shiny parts but will rebrand XP as Vista and allow MS to claim that Vista is a great success.

---
If you love some code, set it free.

[ Reply to This | # ]

Microsoft's Calling Home Problem: It's a Matter of Informed Consent
Authored by: Anonymous on Monday, June 12 2006 @ 03:01 AM EDT
Regarding the post which contained:

"WGA is possibly a proto-type or test platform for future software services. As well as on-line validation of MS-Windows and MS-Office, they could sell this service to third party software publishers who want their licenses verified. This would likely be in the form of charging the publisher an annual fee per account validated. Have a look at "Windows Marketplace". This is a Microsoft site which is full of links to third party software which you can purchase on line. The MS-Windows Vista Beta has a link to it directly from the "start" menu. Most of what is on there now is just useless demo-ware, but there are some genuine third party products for sale. MS could also sell "metered" access to software. If you paid according to the amount by which you used the software, the publisher would need frequent on-line updates for billing purposes. Again, Microsoft could charge for a percentage of the billing. The third party software providers could do this themselves (and some already do), but it is probably cheaper to outsource license compliance to Microsoft. They could also license the Microsoft DRM system to provide more reliable copy protection."

"Way back" when XP first was being distributed as Beta-grade software, I and many others noted that it appeared that XP was being tailored to allow Gates and Micro$oft to evolve toward charging for software by the use. At that time it became widely known, and most commercial clients (as well as many private individuals and small configuration companies) balked at purchasing something that could be triggered to require pay-by-the-use software. Interest in XP was so depressed as a result that Micro$oft backed down and commented out the parts of the code that would allow implementation of this practice. It was the only way they could get business owners to buy into 'upgrading' from Win2K and earlier versions.

As a result (if you go back and check, you can verify this in the financial news of the time) the first year of sales for XP were very disappointing for M$, and they had to restate (revise downward) their income and profitability several times. This looks like they are trying an end-run around the issue of refusal on the part of the marketplace to engage in a major shift in how software is marketed.

BTW, Bill has stated publicly, in a number of different fora, that he intends to see M$ drive the marketplace into sole distribution of pay-by-the-use software, rather than any distribution of single-charge software or freeware. It is a stated marketing goal that would enable M$ to increase their income by what several market analysts have very conservatively estimated as x 1000, three orders of magnitude. Of course, doing so also increases the cost to the subscriber by the same or more, a factor which would bankrupt many small businesses in the US.

This was a major reason that I, as a small business owner, refused to 'upgrade' to XP. I still run Win2K, thank you very much. Yes, it has problems, but at least I know what they are. So far, at least, M$ has not seen fit to go back and 'retrofit' my OS with their 'helpful' validation or monitoring tools. I will continue to stick with my 'archaic' OS until I can not get any of my software to run on it any more. Then I will go to a *NIX OS and do my stuff under either freeware or shareware tools that will create clones of M$ files. I'm nearly there now. My only question is, why doesn't someone write a freeware OS that is like *NIX, but that can directly run M$ Windows-compatible utilities? I am sure there must be a way to do this.

[ Reply to This | # ]

Genuine definition
Authored by: Anonymous on Monday, June 12 2006 @ 03:31 AM EDT
Genuine is 'not fake', but it surely does imply 'sincere' too. That part is
missing in the discussion.

[ Reply to This | # ]

Personal information - out of curiosity
Authored by: nichughes on Monday, June 12 2006 @ 05:19 AM EDT
Well this makes me curious as to exactly what information MS are processing and
storing so I have contacted them asking them exactly this under the UK data
protection act. It might be interesting to see exactly what sort of data trail
they have put together.

---
Nic

[ Reply to This | # ]

Sorry, PJ, you're wrong about one thing
Authored by: Anonymous on Monday, June 12 2006 @ 06:59 AM EDT
"And your doctor can't remove your gall bladder while
doing surgery on your appendix, just because he notices a
tumor in the gall bladder. Why not? Because that is
battery, if he didn't get your prior consent to remove
your gall bladder."

As a practicing surgeon, I can tell you that the above is
absolutely untrue. When there are unexpected findings at
the time of surgery, we are required to deal with them in
a medically reasonable way, which often means doing
additional surgery that was not specifically discussed
with the patient. Informed consent generally includes
mention of the possibility of unexpected findings that may
require modification of the planned surgery.

The reason for the above is that it may be easier on the
patient to take care of additional problems at the same
setting rather than subject the patient to another
operation. Depending on the magnitude and risks of the
additional procedure, it may be best to either:
1. Take care of the problem and tell the patient
afterward, if it is something clear-cut and low risk.
2. Try to contact family members during the surgery before
doing the "extra procedure".
3. Not do anything extra at the time of surgery, close the
incision, and discuss it with the patient afterwards.

Number 3 sounds like the safe and reasonable option, and
indeed it is if the second procedure is something major
and risky, but it is not always best, because the initial
operation may be the best medical opportunity to treat the
condition.

As a surgeon, I run a risk of being sued no matter what I
do:

"What, you took my gallbladder out without asking my
permission??? I am going to sue you!"

"What, you left my gallbladder in when you knew it was
diseased, and now you are telling me I have to be cut open
again??? I am going to sue you!"

[ Reply to This | # ]

If you can read the above...
Authored by: DaveJakeman on Monday, June 12 2006 @ 07:19 AM EDT
"By using the software, you accept these terms."

If you can read the above, you are already using this software and have accepted
its terms. Now, here's what you've just agreed to...

"If you are a business, do you want Microsoft having free access to your
computer?"

It's more the "others" that I'm concerned about: the
"others" that MS openly state they will pass your very, very personal
information on to.

The EULA is just so many paper-thin lies, lies, lies, that it stinks. It's
worse than a SCO court filing.

There's only one way to use XP safely: never ever, ever, ever let it connect to
the internet. Ever. But if you're into online gaming, that's kind of tough.

One thing I'm still puzzled about: how does MS obtain the "PC
manufacturer"? I build my own PC's and at no point do I define a
"built by" entry anywhere, nor feel the need to.

I've recently wiped a Windows XP system using my "Ubuntu disk cleanup
tool" and it now does all my internet access from home. I'm very impressed
with it. I'll still be using XP for a long time to come, but not on the
internet. No thank you, Microsoft.

---
Shampoo for my real friends, real poo for my sham friends - not Francis Bacon
---
Should one hear an accusation, try it out on the accuser.

[ Reply to This | # ]

Corporate Use, Home Use - Two classes of users
Authored by: Thomas Downing on Monday, June 12 2006 @ 08:50 AM EDT

I deal with security requirements of some of the world's largest financial institutions. There is no way that some, at least, of these organizations will allow this 'phone home' behaviour in return for anything!

Beyond their own security concerns, they often hit us with S-O as the reason for some of the security requirements. Now what S-O really requires, I don't know, so I just mention it for what it is worth.

My point is, that this implies that MS will provide all services and updates to corporate accounts (medium to large, at least), but will insist on this sort of garbage for the home user.

I think it all fits - Microsoft has sold its soul to the entertainment industry. The entertainment industry isn't really concerned about media usage on corporate machines. This is only partly about the Windows OS, it is also part of a larger framework being sold to the entertainment industry.

Microsoft has made no secret that they believe all media should use their proposed 'anti-piracy' (read pay-per-view) technology rather than any of the several competing techs being pushed by other players. A phone-home-and-download-new-settings (i.e., restrictions, disablers, ad-ware, etc.) is central to all such schemes.

---
Thomas Downing
Principal Member Technical Staff
IPC Information Systems, Inc.

[ Reply to This | # ]

"Presently" opt-in?
Authored by: Anonymous on Monday, June 12 2006 @ 09:42 AM EDT
I'm surprised this quote hasn't yet been mentioned here (from this page):
While the program is presently opt-in, as it expands later in the year, it may become a requirement for the AU service.
That doesn't bode well, methinks...

[ Reply to This | # ]

Microsoft's Calling Home Problem: It's a Matter of Informed Consent
Authored by: Jeffrey on Monday, June 12 2006 @ 10:24 AM EDT
We often use my son's computer to troubleshoot other computers (viruses, spyware, etc.). As such, it is in a constant state of flux, primarily because hard drives are temporarily added and removed. Of course this just wreaks havoc with MS Genuine Advantage not to mention just WinXP's normal validity checks.

He will finish his Junior year in high school this coming Thursday. Darik's Nuke-N-Boot and Suse 10.1 are standing by. I have two other actively used Windows machines. If we can get satisfactory replacement results for all of the software I've purchased over the years, I'm next; then my daughter in College.

Is Linux the only real logical upgrade to Windows XP? Perhaps this is a better answer for those that bring their infected systems to me asking for help.

[ Reply to This | # ]

Run with the Fox, Hunt with the Hounds
Authored by: Anonymous on Monday, June 12 2006 @ 11:25 AM EDT
This illustrates why it's unwise to rely on MS for security-related products,
particularly anti-virus or anti-malware products. MS has its own self-serving
definition of what constitutes malicious software.

[ Reply to This | # ]

So-called 'security' updates are in the same boat
Authored by: Superbowl H5N1 on Monday, June 12 2006 @ 11:41 AM EDT
MS' treatment of so-called "security" updates appears to have a similar problem with veracity. The bundling of non-security changes to functionality under the guise of essential security changes is exploitative at the least. A strong argument can be made that it crosses the line into fraudulent since these "patches" are not the security patches which they are made out to be, but actually changes in functionality, licensing or worse.

The efficacy is also questionable.

[ Reply to This | # ]

Microsoft's Calling Home Problem: It's a Matter of Informed Consent
Authored by: Anonymous on Monday, June 12 2006 @ 11:41 AM EDT
QUOTE:
Does the user need to know its license is valid every single day? What is
Microsoft expecting to happen in 24 hours, after it first checks that a license
is in place and valid? And why does Microsoft need to check every day?

SCENARIO:
EULA is giving you license to use the software. AFAIK the License is subject to
withdrawal by M$ unilaterally (e.g. Win98 - which caused so much uproar) So in
future the call home feature would inform you of the fact that the License you
paid for has now been revoked go and pay some more to M$

Comments??

[ Reply to This | # ]

Microsoft's Calling Home Problem: It's a Matter of Informed Consent
Authored by: Anonymous on Monday, June 12 2006 @ 11:52 AM EDT
It's not spyware because they have a "business model".

[ Reply to This | # ]

Could we have fun with this?
Authored by: Anonymous on Monday, June 12 2006 @ 11:55 AM EDT
A bogus-WGA program could be written to send plausible, but fictional
information to Microsoft's servers at semi-random intervals. Once enough bogus
information is in their database, the database will become unusable.

I realize that they probably use some kind of encryption or hashing of the OS's
software key to prevent bogus entries. But if it were possible and I had
copious free time, it'd sure be a lot of fun.

I switched to Linux in 1995, so I'm not worried personally, but I have friends
and family who insist on running MS OSs. YECCCH!!!

[ Reply to This | # ]

Don't make too much of this...
Authored by: Anonymous on Monday, June 12 2006 @ 11:59 AM EDT
"Oh, excellent. So they get your ip address too, and date/timestamp data
"relating to systems' booting and continued operations".

To be totally fair the very act of connecting gives up your IP address and that
information is logged. I would be willing to bet that Groklaw's servers log
connections and gives each entry a date/time stamp. This is a non-issue.

I use Suse Linux and there is a program that runs each time I boot called Suse
Watcher that checks in with Suse looking for updates. I'm sure that Suse's
servers log my IP address and datetime that I connect. This is a non-issue.

I think the difference here is that I trust Novell but I don't trust Microsoft.
So although the fact that when I connect to Microsoft I give up my IP address
and they know when I connect is a non-issue, what they may be doing beyond that
isn't.

[ Reply to This | # ]

Microsoft's Calling Home Problem: It's a Matter of Informed Consent
Authored by: Anonymous on Monday, June 12 2006 @ 03:12 PM EDT
I use ZoneAlarm as my personal firewall and I noticed that
"wga_tray.exe" attempts to access the internet every time I boot. It
just started appearing recently and I hadn't had the opportunity to
investigate. In the interim, I denied it access until I could determine its
purpose. NOW I KNOW. It gets a big fat rubber-stamped "DENIED
ACCESS" for all time. I wonder what Microsoft will do......

I've been considering a move to Linux for some time now. I think these tactics
will accelerate my adoption.

th80
[having trouble resetting my groklaw account]

[ Reply to This | # ]

Microsoft's Calling Home Problem: It's a Problem!
Authored by: Jamis on Monday, June 12 2006 @ 03:13 PM EDT
According to Robert Cringely's column on Infoworld today, this process doesn't
even run correctly.
"Genuinely disadvantaged: Heard from two Cringesters who say Microsoft
tagged them as scurvy pirates after their Windows Genuine Advantage
applet mistook legit copies of Windows for fakes. Judging by Microsoft's
user forums, they've got a lot of shipmates. A Microsoft spokesperson
insists "validation failure is almost always caused by the use of a
nongenuine Windows license," despite scores of complaints from users who
bought machines with the OS preinstalled. Fixes range from running an
Active X control to reinstalling Windows from scratch. With
"advantages"
like that, I'll happily remain disadvantaged."

http://www.infoworld.com/article/06/06/09/79014_24OPcringely_1.html?source=NLC-NOTES2006-06-12


[ Reply to This | # ]

To a thief, everyone's a thief
Authored by: Anonymous on Monday, June 12 2006 @ 04:55 PM EDT
This in a nutshell is micro$oft's problem. The axiomatic statement is also true,
to a trustworthy individual, everyone is trustworthy.

[ Reply to This | # ]

Microsoft's Calling Home - Time To Take Them To Court
Authored by: Anonymous on Monday, June 12 2006 @ 08:35 PM EDT
Wow, this is incredible. Microsoft has become Big Brother!

I read the license agreement before installing WGA on my systems here at home -
four systems. Nowhere did the EULA notify me that it would be calling home on a
daily basis, or every time that the computer was powered up. This is a
violation of my rights. I paid for all four copies of MS-XP that are used
within my home. I don't like, but agreed to have them validated when the
systems were bought, or when XP was installed. I do not believe in piracy and
felt that MS should get a fair shake at protecting their intellectual property.
However, I am not ok with my PC calling in every day to report my IP address and
other information. What business is it of theirs? I paid for the software, it
checked home when I bought it, it is a valid copy. They have no right to
continually monitor my computer - period!

Has anyone heard of any lawsuits being filed over this action?

Looking forward to your comments ...
David

[ Reply to This | # ]

Microsoft's Calling Home Problem: It's a Matter of Informed Consent
Authored by: Anonymous on Monday, June 12 2006 @ 10:44 PM EDT
The firewall with winxp can only filter out in-coming packets not out-going
packets. This is done by design to deprive most non-technical people from easily
thwarting the wga.

Who owns your computer today?

[ Reply to This | # ]

Microsoft Passport
Authored by: Anonymous on Tuesday, June 13 2006 @ 06:11 AM EDT
They even get some more information if one has a MS
passport/messenger account. They then have an email
address to the IP address, if they combine the data.

[ Reply to This | # ]

And so, with the advent of ...
Authored by: Anonymous on Tuesday, June 13 2006 @ 12:51 PM EDT

"Windows Genuine Advantage" (and other DRM measures), the relentless march by Windows into the New Social Order continues, where the old and obsolete concept of trial by jury is replaced by the concept of trial by machine software, where guilt is assumed until proven innocent, where the software adjudicating guilt is provided and controlled by one of the parties in the dispute, and where there is no neutral appeals process.

For those who don't "get" that it is time to leave Windows from the foregoing, may God have mercy on your soul.

[ Reply to This | # ]

WGA almost got me, whew!
Authored by: tz on Sunday, June 18 2006 @ 02:29 PM EDT
I obviously turned any automation off (in my top ten is disabling things like
automatic updates, or CD autorun), but given that XP is about as secure as a
sieve, I wanted to turn on the security checks - much as I do for Apple or
Ubuntu Linux updates.

I rarely boot into XP, but there is one utility that gets updates from the
internet and writes them to a PCMCIA card and this only runs under XP, and this
update I should do about every month.

When I booted I noted a half-dozen critical security updates and started the
install just as I realized the scroll bar may have hidden a few. I stopped the
install well in time and noticed the last one was some kind of malware removal
tool, and the penultimate one was WGA. I had already read the horror stories
and was hoping it wasn't installed (and noted the impossibility of uninstalling -
does XP rollback fix it?). It should now be disabled from the update path, but
I'm going to be really worried each time I have to apply the updates - I'll need
to look long and hard for Microsoft Malware.

Wait until some factory with 1000 computers and a $10,000 per minute line
shutdown cost (they also normally clone installs) gets hit with this so their
computers don't start up and everyone will need to manually be reloaded. It
used to be only caused by some viruses by insufficiently careful administrators.

Not that you could ever trust Microsoft, but I think more people will want to
switch to Linux.


The re-checking should be geographically enabled/disabled
Authored by: Anonymous on Wednesday, June 21 2006 @ 04:10 PM EDT
You do realize that when you go to any web site that you expose your Operating
System, Web Browser, IP address, and the page you came there from if you clicked
on a link? They can easily see if you accept cookies, have JavaScript on or
off, and what media plugins you have installed too. Oh the things we can
determine from your IP address though: continent, country, state/province, city,
zip/postal code, DMA, area code, ISP, and Internet connection type/speed, and
even latitude/longitude (zip/area and lat/lon are usually only accurate on a
25-50 mile radius though).

That is way more information than probably almost any of you realized. Yet, I
doubt you ever would have because none of that information can be used to reach
back at you. Sure, sure, big bad Microsoft could get your ISP to identify you
by your IP address if you are pirating, but Jesus, do you honestly think they
are going to go through that hassle on an individual basis? Heck no. Can you
say not profitable? They are doing this to thwart mass pirating. Can't say I
blame them for trying. My advice to Microsoft though, only enable the
re-checking on every boot in countries where pirating is rampant by looking up
their IP in a geographic mapping database.


Groklaw © Copyright 2003-2013 Pamela Jones.
All trademarks and copyrights on this page are owned by their respective owners.
Comments are owned by the individual posters.

PJ's articles are licensed under a Creative Commons License.