Go Back   Hardware Canucks > NEWS & REVIEWS > Press Releases & Tech News

    
Reply
 
LinkBack Thread Tools Display Modes
  #1 (permalink)  
Old August 25, 2012, 09:19 AM
Shadowmeph's Avatar
Hall Of Fame
F@H
 
Join Date: Oct 2007
Posts: 3,307

My System Specs

Default New windows 8 tell MS everything you install

I had my suspicions about this after I installed and was checking out Windows 8 but I wasn't sure until I read this.
I doubt that I will use windows 8
Quote:
Update: According to Microsoft, SmartScreen sends a hash of the app installer and its digital signature, if any. A combination of the hash and the user’s IP address is still enough to identify that IP address x attempted to install software y.
Update 2: Another researcher has discovered that a filename of the app you’re trying to install is indeed sent to Microsoft. This severely strengthens privacy concerns.
Update 3: Approximately 14 hours after this article was published, another scan of Microsoft’s SmartScreen servers reveals that they have been reconfigured to no longer support SSLv2. The servers now only support SSLv3 connections.
I’ve recently been using the final, Released to Manufacturing version of Windows 8 on one of my computers, to much delight. I’ve been very impressed by how fast, well-designed, functional and capable this latest iteration of Windows is. However, my tinkering around from a security/privacy perspective has left me concerned.
Windows 8 has a new featured called Windows SmartScreen, which is turned on by default. Windows SmartScreen’s purpose is to “screen” every single application you try to install from the Internet in order to inform you whether it’s safe to proceed with installing it or not. Here’s how SmartScreen works:
  • You download any application from the Internet. Say, the Tor Browser Bundle.
  • You open the installer. Windows SmartScreen gathers some identifying information about your application, and sends the data to Microsoft.
  • If Microsoft replies saying that the application is not signed with a proper certificate, the user gets an error that looks something like this.
There are a few serious problems here. The big problem is that Windows 8 is configured to immediately tell Microsoft about every app you download and install. This is a very serious privacy problem, specifically because Microsoft is the central point of authority and data collection/retention here and therefore becomes vulnerable to being served judicial subpoenas or National Security Letters intended to monitor targeted users. This situation is exacerbated when Windows 8 is deployed in countries experiencing political turmoil or repressive political situations.
This problem can however get even more serious: It may be possible to intercept SmartScreen’s communications to Microsoft and thus learn about every single application downloaded and installed by a target. Here is my analysis:
A quick packet capture showed the following activity happening immediately when I tried to install the Tor Browser Bundle:
Click for full size and notes.

SmartScreen appeared to connect over HTTPS to a server in Redmond (apprep.smartscreen.microsoft.com, 65.55.184.60, run by Microsoft) in order to communicate information about the application I was trying to install.
After running some tests on this Microsoft server, I discovered that it ran Microsoft IIS 7.5 to handle its HTTPS connections. The Microsoft server is configured to support SSLv2 which is known to be insecure and susceptible to interception. The SSL Certificate Authority chain goes down from “GTE CyberTrust Global Root” to “Microsoft Secure Server Authority.” The Certificate Authority model is itself susceptible to some serious problems.
I haven’t checked whether Windows SmartScreen does in fact use SSLv2, but the fact that the Microsoft servers support it is concerning. Furthermore, SmartScreen is not easy to disable, and Windows will periodically warn users to re-enable it should they attempt to disable it.
To recap, here are the concerns posed by SmartScreen in Windows 8:
  • Windows 8 will, by default, inform Microsoft of every app downloaded and installed by every user. This puts Microsoft in a compromising, omniscient situation where they are capable of retaining information on the application usage of all Windows 8 users, thus posing a serious privacy concern. The user is not informed of this while installing and setting up Windows 8, even though they are given the option to disable SmartScreen (which is enabled by default.)
  • Windows 8 appears to send this information to Microsoft to a server that relies on Certificate Authorities for authentication and supports an outdated and insecure method of encrypted communication. It is possible that these insecurities could allow a malicious third party to target a Windows 8 user and learn which applications they are using. This allows them to profile the user and decide how to best exploit their personal selection of applications and their computing habits.
I find Microsoft’s decision to design SmartScreen in such a privacy-free fashion to be a very bad choice, and I really hope that these concerns regarding SmartScreen will be addressed in near-future updates.
Windows 8 Tells Microsoft About Everything You Install, Not Very Securely | Nadim Kobeissi
Reply With Quote
  #2 (permalink)  
Old August 25, 2012, 09:51 AM
enaberif's Avatar
Hall Of Fame
 
Join Date: Dec 2006
Location: Calgahree, AB
Posts: 10,582
Default

So first they change messenger to protect links and now this? Oi vey.
Reply With Quote
  #3 (permalink)  
Old August 25, 2012, 09:54 AM
AkG's Avatar
AkG AkG is offline
Hardware Canucks Reviewer
 
Join Date: Oct 2007
Posts: 4,339
Default

While I truly think Win 8 is a train wreck...this is scare mongering just for pg hits

Simple solution....turn the bloody thing off...just like we all do for that annoying UAC

How to Turn Off or Disable the SmartScreen Filter In Windows 8 - How-To Geek
__________________
"If you ever start taking things too seriously, just remember that we are talking monkeys on an organic spaceship flying through the universe." -JR

“if your opponent has a conscience, then follow Gandhi. But if you enemy has no conscience, like Hitler, then follow Bonhoeffer.” - Dr. MLK jr
Reply With Quote
  #4 (permalink)  
Old August 25, 2012, 09:57 AM
enaberif's Avatar
Hall Of Fame
 
Join Date: Dec 2006
Location: Calgahree, AB
Posts: 10,582
Default

Well obviously but by default its something that only us techies will know about and poor grandma will be getting phone calls.
Reply With Quote
  #5 (permalink)  
Old August 25, 2012, 10:07 AM
sswilson's Avatar
Moderator
F@H
 
Join Date: Dec 2006
Location: Moncton NB
Posts: 14,417

My System Specs

Default

Quote:
Originally Posted by AkG View Post
While I truly think Win 8 is a train wreck...this is scare mongering just for pg hits

Simple solution....turn the bloody thing off...just like we all do for that annoying UAC

How to Turn Off or Disable the SmartScreen Filter In Windows 8 - How-To Geek
Quote:
Originally Posted by enaberif View Post
Well obviously but by default its something that only us techies will know about and poor grandma will be getting phone calls.
This is the issue, and yes I've got my tin foil hat on ATM.... ;)

It might be a great service, but it should be off by default or at the very least not be activated on install until the user gives informed consent.

This is right up there with the recent MS Email WRT cloud computing where they tried to calm concerns about the location of the physical cloud servers for legal reasons... their answer was to point out that the orignator would be bound by their physical location WRT legal requirements which is fine and dandy but missed the point completely and doesn't address the real issue in that I don't mind following the laws of Canada, but absolutely refuse to allow the US government to get access to my personal/private information just by the fact that MS's servers are physically located in the US.

The current mindset of the US government (across all parties) does not place a high value on personal privacy, and any information we send to MS will be made available to US authorities if they request it.

That's the issue.
__________________
MSI Z87I Gaming AC / i5 4670K / 2X 4G Gskill 1866 DDR3 / XFX XTR 750 / EVGA GTX 680 SC+ 2GB / Intel DC S3700 200G / random 160G Sata HDD
Inwin 904 / Swiftech MCP655-b / Alphacool NexXxos XT45 120 Rad / 2X Scythe GT AP-15 / EK Supreme HF / Dell UltraSharp U2412M

Asrock AM1H-ITX / AM1 Athlon 5350 / 2X4G Gskill PC3-14900 / Intel 6235 Wi-Fi / 90W Targus Power Brick / 320G Seagate Momentus / Mini-Box M350 / 1X 22" Dell IPS / 1X 22" HP
Reply With Quote
  #6 (permalink)  
Old August 25, 2012, 10:19 AM
dandelioneater's Avatar
Hall Of Fame
F@H
 
Join Date: Dec 2010
Location: Kelowna, BC
Posts: 1,114

My System Specs

Default

I'll hold my judgement until release day, but right now ubuntu 12.04 LTS looks very appealing.
__________________
Reply With Quote
  #7 (permalink)  
Old August 25, 2012, 10:50 AM
Soullessone21's Avatar
Hall Of Fame
F@H
 
Join Date: Oct 2011
Location: Calgary AB
Posts: 1,322

My System Specs

Default

How is this any different from OSX:S when we run MRI even remotely we can see all your programs you have installed or download as well as head office always knows whats on every mac that enters our IP so I'm pretty sure this is just the standards of the IT business now. Anyways who cares, does any of us actually have anything worth hiding?
__________________
Follow us on facebook at https://www.facebook.com/realhardwarereviews?ref=hl
Site and Forum online
http://forums.realhardwarereviews.com/index.php
Contests will be done on there from now on :)
http://realhardwarereviews.com/
Always up for a Beer in Calgary or Area

“Two possibilities exist: either we are alone in the Universe or we are not. Both are equally terrifying.”
Reply With Quote
  #8 (permalink)  
Old August 25, 2012, 10:57 AM
AkG's Avatar
AkG AkG is offline
Hardware Canucks Reviewer
 
Join Date: Oct 2007
Posts: 4,339
Default

More importantly....why would grandma be installing warez? If the kids are smart enough to 'give' ol granny some extra software....they will be smart enough to turn it off. Hell I fully expect most groups to start releasing 'fixes' that before they fix a program....they scan and turn off this abortion.

Honestly, this aint about "OMFG they will know my kinks" its just another ham-fisted MS attempt to stop malware in its tracks. It will fail at that too. MS doesnt give a rats ass what you install (as long as its NOT there kit you are 'installing'). The man hours to sift through all that shite...yeah this just scare tactics by an author who wants page hits and to get on the 'me too" bandwagon.
__________________
"If you ever start taking things too seriously, just remember that we are talking monkeys on an organic spaceship flying through the universe." -JR

“if your opponent has a conscience, then follow Gandhi. But if you enemy has no conscience, like Hitler, then follow Bonhoeffer.” - Dr. MLK jr
Reply With Quote
  #9 (permalink)  
Old August 25, 2012, 11:45 AM
NyteOwl's Avatar
Allstar
 
Join Date: Aug 2008
Location: Nova Scotia
Posts: 905
Default

Quote:
Originally Posted by Soullessone21 View Post
How is this any different from OSX:S when we run MRI even remotely we can see all your programs you have installed or download as well as head office always knows whats on every mac that enters our IP so I'm pretty sure this is just the standards of the IT business now. Anyways who cares, does any of us actually have anything worth hiding?
This isn't really the point.

A company has a right (indeed a responsibility) to know what is installed on its own machines. To a certain extent also machines which connect to their network.

Now if a machine is undergoing troubleshooting or management remotely, it is presumably with the consent of the owner.

The point is, that for the average user this is a gross intrusion to have enabled by default. It should disabled by default and be one of the things the installer ASKS (and discloses what it does) the user if they want enabled.

I personally, and our firm, already had no intentions of going with Windows 8 except perhaps one machine for testing purposes. This just reinforces them.

The move to SSL3 with use of TLS1.1 or 1.2 is a definite move in the right direction as it doesn't suffer from the vulnerabilities that TLS1.0 has had for many years.

(The argument "if you have nothing to hide.." is so old and full of holes it isn't worth mentioning and I'm actually surprised anyone here trotted it out.)
__________________
Obsolescence is just a lack of imagination.

Last edited by NyteOwl; August 25, 2012 at 11:50 AM. Reason: fixed typos
Reply With Quote
  #10 (permalink)  
Old August 25, 2012, 12:20 PM
sswilson's Avatar
Moderator
F@H
 
Join Date: Dec 2006
Location: Moncton NB
Posts: 14,417

My System Specs

Default

Quote:
Originally Posted by NyteOwl View Post
This isn't really the point.

A company has a right (indeed a responsibility) to know what is installed on its own machines. To a certain extent also machines which connect to their network.

Now if a machine is undergoing troubleshooting or management remotely, it is presumably with the consent of the owner.

The point is, that for the average user this is a gross intrusion to have enabled by default. It should disabled by default and be one of the things the installer ASKS (and discloses what it does) the user if they want enabled.

I personally, and our firm, already had no intentions of going with Windows 8 except perhaps one machine for testing purposes. This just reinforces them.

The move to SSL3 with use of TLS1.1 or 1.2 is a definite move in the right direction as it doesn't suffer from the vulnerabilities that TLS1.0 has had for many years.

(The argument "if you have nothing to hide.." is so old and full of holes it isn't worth mentioning and I'm actually surprised anyone here trotted it out.)
Exactly, I have nothing to hide either, but if anybody wants to invade my privacy there had better be a good reason and judicial oversight unless there is the perception of an immediate threat to somebody's life.

This is especially important when it comes to information that physically resides in the US. Given the current US policy of demand information now ask permission later, what's to stop them from demanding application specific information in order to further a DCMA investigation?
__________________
MSI Z87I Gaming AC / i5 4670K / 2X 4G Gskill 1866 DDR3 / XFX XTR 750 / EVGA GTX 680 SC+ 2GB / Intel DC S3700 200G / random 160G Sata HDD
Inwin 904 / Swiftech MCP655-b / Alphacool NexXxos XT45 120 Rad / 2X Scythe GT AP-15 / EK Supreme HF / Dell UltraSharp U2412M

Asrock AM1H-ITX / AM1 Athlon 5350 / 2X4G Gskill PC3-14900 / Intel 6235 Wi-Fi / 90W Targus Power Brick / 320G Seagate Momentus / Mini-Box M350 / 1X 22" Dell IPS / 1X 22" HP
Reply With Quote
Reply


Tags
microsoft , snooping , windows

Thread Tools
Display Modes

Similar Threads
Thread Thread Starter Forum Replies Last Post
Windows 7 install problem gambel626 Troubleshooting 10 July 5, 2010 06:54 PM
Windows 7 install problem. shammancer O/S's, Drivers & General Software 8 November 13, 2009 05:30 PM
Failed Windows 7 Install lanken123 O/S's, Drivers & General Software 4 October 17, 2009 08:50 PM
Can't get windows to install AmuseMe Troubleshooting 29 September 12, 2009 01:20 PM
Formatting. Install Windows XP or Windows 7 geokilla O/S's, Drivers & General Software 29 July 7, 2009 02:32 PM