Re: windows update reporting info back to MS? (and .NET fw SP1)
From: Mike Coppins (mike@legolas.com)
Date: 08/06/02
- Previous message: Roger Seielstad: "Re: Synchronising NT User Accounts with a database."
- In reply to: Elan Hasson: "Re: windows update reporting info back to MS? (and .NET fw SP1)"
- Next in thread: Phydeaux: "Re: windows update reporting info back to MS? (and .NET fw SP1)"
- Next in thread: Bill Wernet: "Re: windows update reporting info back to MS? (and .NET fw SP1)"
- Reply: Phydeaux: "Re: windows update reporting info back to MS? (and .NET fw SP1)"
- Reply: De Velopment: "Re: windows update reporting info back to MS? (and .NET fw SP1)"
Date: Tue, 06 Aug 2002 17:16:10 +0100
To: focus-ms@securityfocus.com
From: Mike Coppins <mike@legolas.com>
At 02/08/2002 23:02, Elan Hasson wrote:
>Think about it, Windows update doesn't set a cookie, it just verifies a list
>of predefined files (version #s of system files etc.) and sends back to MS.
>MS checks to see if they are up to date and spits out what updates you need.
>It's as simple as that. Who cares if MS knows you run WMP 6.0 instead of 7.0?
>I don't see a problem here. Get over it.
So when does it become an issue? What do you regard as 'private
information', such as what non-MS software you run, or [if you do fill out
the MS Wallet info, for example] personal information you store on your
machine?
Why was it the case before that update analysis was performed at the client
end, now on the server end? Why the significant amounts of undeclared SSL
traffic?
If the server-side got compromised, what kind of information would be
available for the attacker on Microsoft's fairly vast customer base?
Personally, I'd prefer it from a privacy/security point of view if Windows
Update worked like this:
1 - the client plugins are installed on request (currently the case);
2 - Core OS patch information is retrieved by registry hits;
3 - Client is requested to check what other MS products they would like
to check for updates for (such as Office, SQL Server, IIS, IE, etc). This
information should only be stored remotely after user has confirmed OK
after a warning about identifying information;
4 - plugin scans registry for patch info on those products;
5 - the client requests the patches not detected to be downloaded and
installed (currently the case).
If MS want to be doing undeclared SSL transactions, then they should
release a tool that allows people to view what data is being sent before it
gets encrypted, to show that their intentions aren't to be gathering
"private information" without consent of the user.
-- Mike Coppins mike@legolas.com http://www.legolas.com/
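
A sketch of the client-side flow proposed in the message above, added here as an example; it is not part of the original post and is not how Windows Update itself is implemented. The catalogue, product names, patch IDs and function names are all constructed for illustration, and a dictionary stands in for the registry scan.

```python
# Added illustration: every name and value below is constructed, not a real
# Windows Update structure.

CATALOGUE = {  # public patch list the client downloads; identical for every user
    "core-os": ["P-001", "P-002", "P-003"],
    "office": ["P-101", "P-102"],
    "iis": ["P-201"],
    "sql-server": ["P-301", "P-302"],
}

LOCAL_INVENTORY = {  # stands in for the registry scan (steps 2 and 4); never sent
    "core-os": {"P-001"},
    "office": {"P-101", "P-102"},
    "iis": set(),
    "third-party-app": {"X-900"},  # non-MS software: never examined
}


def products_to_scan(consented):
    """Step 2 always covers the core OS; step 3 adds only user-approved products."""
    extra = sorted(p for p in consented if p in CATALOGUE and p != "core-os")
    return ["core-os"] + extra


def missing_patches(inventory, consented):
    """Steps 2 and 4: compare catalogue with local state, entirely on the client."""
    missing = []
    for product in products_to_scan(consented):
        installed = inventory.get(product, set())
        missing += [p for p in CATALOGUE[product] if p not in installed]
    return missing


def build_request(inventory, consented):
    """Step 5: the only data leaving the machine is the list of patch IDs to fetch."""
    return {"download": missing_patches(inventory, consented)}


if __name__ == "__main__":
    print(build_request(LOCAL_INVENTORY, consented={"office"}))
    print(build_request(LOCAL_INVENTORY, consented={"office", "iis"}))
```

The requested patch IDs still reveal which products were scanned and what they lack, which is why the proposal places the consent prompt in step 3, before any optional product is examined.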