RE: windows update reporting info back to MS? (and .NET fw SP1)

From: Javier Sanchez (Information Systems) (javier@msmc.com)
Date: 08/07/02


Date: Wed, 7 Aug 2002 12:10:55 -0400
From: "Javier Sanchez (Information Systems)" <javier@msmc.com>
To: <focus-ms@securityfocus.com>

Here's what I did to make myself feel better.
1. Downloaded the full SP3.exe.
2. Disabled my network adapter.
3. Ran the SP3 update.
4. Rebooted.
5. Disabled Automatic Updates.
6. Re-enabled the network adapter.

However, this won't accomplish much if you use the WindowsUpdate site,
as both the website and the Auto-update client will transmit the
same information.

As some consolation, the following text is also provided by Microsoft:
"Because Windows Update does not collect personally identifiable
information, the configuration information and GUID cannot be used to
identify you."

<SOAPBOX>
I must agree with Darren Reed's comments - SP2 was the last "free"
Service Pack. Microsoft has crossed a point of no return, and it would
be naive to believe that they are alone. Other vendors will follow.
Bruce Schneier crystallized the point one or two Blackhats ago when he
stated that people believe that, because it's computer related, somehow
it's magically different than the real world. This not only applies to
security, but it also applies to our privacy. We tolerate these
violations of our privacy when we install software, surf the web, etc.,
most of the time without giving it a great deal of thought or concern.
Because it's "cyberspace"? There's still a person at the other end of that
cable. I don't have any answers but I ask that we all stay vigilant.
</SOAPBOX>

  
Javier I. Sanchez

-----Original Message-----
From: Mike Coppins [mailto:mike@legolas.com]
Sent: Tuesday, August 06, 2002 12:16 PM
To: focus-ms@securityfocus.com
Subject: Re: windows update reporting info back to MS? (and .NET fw SP1)

At 02/08/2002 23:02, Elan Hasson wrote:
>Think about it, Windows update doesn't set a cookie, it just verifies a list
>of predefined files (version #s of system files etc.) and sends back to MS.
>MS checks to see if they are up to date and spits out what updates you need.
>It's as simple as that. Who cares if MS knows you run WMP 6.0 instead of 7.0?
>I don't see a problem here. Get over it.

So when does it become an issue? What do you regard as 'private
information', such as what non-MS software you run, or [if you do fill out
the MS Wallet info, for example] personal information you store on your
machine?

Why was it the case before that update analysis was performed at the client
end, now on the server end? Why the significant amounts of undeclared SSL
traffic?

If the server-side got compromised, what kind of information would be
available for the attacker on Microsoft's fairly vast customer base?

Personally, I'd prefer it from a privacy/security point of view if Windows
Update worked like this:

  1 - the client plugins are installed on request (currently the case);
  2 - Core OS patch information is retrieved by registry hits;
  3 - Client is requested to check what other MS products they would like
      to check for updates for (such as Office, SQL Server, IIS, IE, etc).
      This information should only be stored remotely after user has
      confirmed OK after a warning about identifying information;
  4 - plugin scans registry for patch info on those products;
  5 - the client requests the patches not detected to be downloaded and
      installed (currently the case)

If MS want to be doing undeclared SSL transactions, then they should
release a tool that allows people to view what data is being sent before it
gets encrypted, to show that their intentions aren't to be gathering
"private information" without consent of the user.

-- 
Mike Coppins
mike@legolas.com
http://www.legolas.com/
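
[Added example, not part of the original thread or of Windows Update itself: a sketch of the client-side flow proposed in steps 1-5 above, showing that only the ids of wanted patches need to leave the machine. The catalog format, product names, patch ids and the `plan_request` helper are all hypothetical.]

```python
# Constructed sample data: patch ids, file names and versions are illustrative only.
CATALOG = [  # fetched by the client; the same file is served to every user
    {"id": "PATCH-A", "product": "Core OS", "file": "kernel.dll", "fixed_in": "5.1.2600.100"},
    {"id": "PATCH-B", "product": "Core OS", "file": "shell.dll", "fixed_in": "6.0.2800.5"},
    {"id": "PATCH-C", "product": "Office", "file": "word.exe", "fixed_in": "10.0.4219"},
    {"id": "PATCH-D", "product": "IIS", "file": "inetinfo.exe", "fixed_in": "5.1.2600.50"},
]
INSTALLED = {  # stands in for the local registry scan (steps 2 and 4)
    "kernel.dll": "5.1.2600.0",
    "shell.dll": "6.0.2800.5",
    "word.exe": "10.0.2627",
    "inetinfo.exe": "5.1.2600.0",
}


def parse_version(text):
    """Turn '5.1.2600.100' into (5, 1, 2600, 100) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def plan_request(catalog, installed, consented_products):
    """Decide locally which patches are missing; return the only outbound payload."""
    # Core OS is always checked (step 2); other products only after consent (step 3).
    allowed = {"Core OS"} | set(consented_products)
    wanted = []
    for entry in catalog:
        if entry["product"] not in allowed:
            continue  # never inspect products the user did not opt into
        have = installed.get(entry["file"])
        if have is None:
            continue  # component is not installed, nothing to patch
        if parse_version(have) < parse_version(entry["fixed_in"]):
            wanted.append(entry["id"])
    # Step 5: the request carries patch ids only, no file list, versions or GUID.
    return {"download": sorted(wanted)}


if __name__ == "__main__":
    print(plan_request(CATALOG, INSTALLED, []))
    print(plan_request(CATALOG, INSTALLED, ["Office"]))
```

Even in this design the requested patch ids reveal which fixes the machine lacks, so the request is reduced rather than free of configuration information.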


