Windows 8 Tells Microsoft About Everything You Install


posted on Aug, 28 2012 @ 10:36 AM
I've recently been using the final, Released to Manufacturing version of Windows 8 on one of my computers, to much delight. I've been very impressed by how fast, well-designed, functional and capable this latest iteration of Windows is. However, my tinkering around from a security/privacy perspective has left me concerned.
Nadim Kobeissi may be young, but already the hacker and programmer has done more to fight for privacy and internet rights than most of us ever will. Now, he sheds light on the fact that Microsoft knows everything we install on our Windows 8 devices.

Windows 8 has a new feature called Windows SmartScreen, which is turned on by default. Windows SmartScreen's purpose is to "screen" every single application you try to install from the Internet in order to inform you whether it's safe to proceed with installing it or not. Here's how SmartScreen works:

1. You download any application from the Internet. Say, the Tor Browser Bundle.

2. You open the installer. Windows SmartScreen gathers some identifying information about your application, and sends the data to Microsoft.

3. If Microsoft replies saying that the application is not signed with a proper certificate, the user gets an error that looks something like this.



There are a few serious problems here. The big problem is that Windows 8 is configured to immediately tell Microsoft about every app you download and install. This is a very serious privacy problem, specifically because Microsoft is the central point of authority and data collection/retention here and therefore becomes vulnerable to being served judicial subpoenas or National Security Letters intended to monitor targeted users. This situation is exacerbated when Windows 8 is deployed in countries experiencing political turmoil or repressive political situations.

This problem can however get even more serious: It may be possible to intercept SmartScreen's communications to Microsoft and thus learn about every single application downloaded and installed by a target. Here is my analysis:

A quick packet capture showed the following activity happening immediately when I tried to install the Tor Browser Bundle:



SmartScreen appeared to connect over HTTPS to a server in Redmond (apprep.smartscreen.microsoft.com, 65.55.184.60, run by Microsoft) in order to communicate information about the application I was trying to install.

After running some tests on this Microsoft server, I discovered that it ran Microsoft IIS 7.5 to handle its HTTPS connections. The Microsoft server is configured to support SSLv2 which is known to be insecure and susceptible to interception. The SSL Certificate Authority chain goes down from "GTE CyberTrust Global Root" to "Microsoft Secure Server Authority." The Certificate Authority model is itself susceptible to some serious problems.

I haven't checked whether Windows SmartScreen does in fact use SSLv2, but the fact that the Microsoft servers support it is concerning. Furthermore, SmartScreen is not easy to disable, and Windows will periodically warn users to re-enable it should they attempt to disable it.

To recap, here are the concerns posed by SmartScreen in Windows 8:

1. Windows 8 will, by default, inform Microsoft of every app downloaded and installed by every user. This puts Microsoft in a compromising, omniscient situation where they are capable of retaining information on the application usage of all Windows 8 users, thus posing a serious privacy concern. The user is not informed of this while installing and setting up Windows 8, even though they are given the option to disable SmartScreen (which is enabled by default).

2. Windows 8 appears to send this information to Microsoft to a server that relies on Certificate Authorities for authentication and supports an outdated and insecure method of encrypted communication. It is possible that these insecurities could allow a malicious third party to target a Windows 8 user and learn which applications they are using. This allows them to profile the user and decide how to best exploit their personal selection of applications and their computing habits.

I find Microsoft's decision to design SmartScreen in such a privacy-free fashion to be a very bad choice, and I really hope that these concerns regarding SmartScreen will be addressed in near-future updates.

Update: According to Microsoft, SmartScreen sends a hash of the app installer and its digital signature, if any. A combination of the hash and the user's IP address is still enough to identify that IP address x attempted to install software y.

Update 2: Another researcher has discovered that a filename of the app you're trying to install is indeed sent to Microsoft. This severely strengthens privacy concerns.

Update 3: Approximately 14 hours after this article was published, another scan of Microsoft's SmartScreen servers reveals that they have been reconfigured to no longer support SSLv2. The servers now only support SSLv3 connections.

What are your thoughts on this?
edit on 28/8/12 by Phatdamage because: updated with correct spelling!
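A small model of the lookup the quoted article describes (client sends installer hash, signer and filename; server answers allow/warn and keeps the record). This is an added example, not code from the article or from Microsoft; the field names, signer list, sample installers and IP address are all constructed for illustration. It shows the point made in the updates: renaming the installer does not help, because the hash alone identifies the software once matched against known installers.

```python
"""Constructed model of a SmartScreen-style reputation lookup (added example)."""
import hashlib
from collections import defaultdict

# Constructed sample installers: filename -> (installer bytes, signer or None).
KNOWN_INSTALLERS = {
    "torbrowser-install-2.2.exe": (b"constructed tor browser bundle bytes", None),
    "vlc-2.0.3-win32.exe": (b"constructed vlc installer bytes", "VideoLAN"),
}
# Constructed list of signers the server treats as "a proper certificate".
TRUSTED_SIGNERS = {"VideoLAN"}


def client_report(ip, filename, data, signer):
    """What the client submits: a hash of the installer, its signer (if any)
    and, per Update 2 in the article, the filename. Field names are assumed."""
    return {
        "ip": ip,
        "sha256": hashlib.sha256(data).hexdigest(),
        "signer": signer,
        "filename": filename,
    }


class ReputationServer:
    def __init__(self):
        self.log = []  # every report is retained, which is the privacy concern

    def check(self, report):
        """Return the verdict shown to the user and retain the report."""
        self.log.append(report)
        if report["signer"] in TRUSTED_SIGNERS:
            return "allow"
        return "warn"  # unsigned or untrusted signer -> SmartScreen warning

    def installs_by_ip(self):
        """What the retained log reveals: ignoring the filename entirely, the
        hash is matched against known installers to name the software per IP."""
        hash_to_name = {hashlib.sha256(d).hexdigest(): n
                        for n, (d, _) in KNOWN_INSTALLERS.items()}
        seen = defaultdict(set)
        for r in self.log:
            seen[r["ip"]].add(hash_to_name.get(r["sha256"], "<unknown>"))
        return {ip: sorted(names) for ip, names in seen.items()}
```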




posted on Aug, 28 2012 @ 10:42 AM
Did you give consent for this in whatever agreement you agreed to?



posted on Aug, 28 2012 @ 10:46 AM
I know that in Windows 7, if your system or programs crashed, the accompanying error report sent is a log of your open files, programs and websites. Designed to "Help Microsoft Better Their Software". It's too much IMO. Many people don't realize it. Just like with Google complying with law enforcement requests to release your search history etc. Microsoft is on the bandwagon with them. I believe that all the major search sites, software companies, phone companies are all in league with the GOVT to keep an eye on the Americans..... Heck, all the people of earth.

Looking over my shoulder as I write this.

BTW I don't use Windoze
edit on 28-8-2012 by shaneslaughta because: (no reason given)



posted on Aug, 28 2012 @ 10:51 AM

Originally posted by SpearMint
Did you give consent for this in whatever agreement you agreed to?


The only thing they say is that "info can be sent to Microsoft to update and improve future projects"

Seems like Windows 8 will be the end of all hacked software!



posted on Aug, 28 2012 @ 10:54 AM
It's possible for anyone to capture information about your system and everything you do on it passively.
It's a huge concern of mine; that's why I don't use Microsoft. There are a lot more devious people that use Windows because it's been a standard platform for years. There are a lot more system exploits and loopholes in Microsoft products than any other.



posted on Aug, 28 2012 @ 10:56 AM
reply to post by Phatdamage


The same thing is posted in Win 7.
It's stated that it's for the betterment of the software.



posted on Aug, 28 2012 @ 10:58 AM

Originally posted by Phatdamage

Originally posted by SpearMint
Did you give consent for this in whatever agreement you agreed to?


The only thing they say is that "info can be sent to Microsoft to update and improve future projects"

Seems like Windows 8 will be the end of all hacked software!


I wouldn't be surprised if they have some kind of partnership with companies like Adobe.
edit on 28-8-2012 by SpearMint because: (no reason given)



posted on Aug, 28 2012 @ 11:05 AM
Software and hardware companies are in league with each other.
Make the OS more bloated, hardware companies love it. Then they get to make
bigger RAM sticks, faster multi-core processors. All "aimed" at usability.
The thing is it's a curtain designed to blind you from the truth. It's a distraction.
They are working in ways to spy on the people all over the place. Through false
marketing and the distractions. Most will just accept that this is normal and acceptable.
They will and have been falling into this void for so long that it actually allows the GOVT
to overstep its bounds. Occupy the people's minds with useless junk while they slowly
take over the world. Or destroy it in the process. Who knows
edit on 28-8-2012 by shaneslaughta because: (no reason given)



posted on Aug, 28 2012 @ 03:44 PM

Originally posted by shaneslaughta
Software and hardware companies are in league with each other.
Make the OS more bloated, hardware companies love it. Then they get to make
bigger RAM sticks, faster multi-core processors. All "aimed" at usability.
The thing is it's a curtain designed to blind you from the truth. It's a distraction.
They are working in ways to spy on the people all over the place. Through false
marketing and the distractions. Most will just accept that this is normal and acceptable.
They will and have been falling into this void for so long that it actually allows the GOVT
to overstep its bounds. Occupy the people's minds with useless junk while they slowly
take over the world. Or destroy it in the process. Who knows
edit on 28-8-2012 by shaneslaughta because: (no reason given)


There IS a simple way around this. Disable Microsoft support/error reporting before you go online. After you install the programs you want, then set your Windows to MANUAL updates, or in system processes just turn off SmartScreen or make it a manual process.



posted on Aug, 28 2012 @ 03:58 PM
I'm running the RTM, I'm fairly impressed with it, I thought the lack of a start menu was a bit of a ballache at first.

SmartScreen was turned off from the beginning; in fact just about everything that sends out info is blocked.

But yeah, overall, a nice fast system. (still prefer SUSE)



posted on Aug, 31 2012 @ 04:49 PM

Originally posted by SpearMint
Did you give consent for this in whatever agreement you agreed to?

Of course he did.

Which means absolutely nothing to the 99% of the population that has neither the time nor the expertise to decipher it.




