
Windows 8 to Tell Microsoft About Everything You Install?

Source: Gizmodo | 79 comments

The new SmartScreen feature in Windows 8 supposedly tells Microsoft about the application you're installing along with your IP address.

A recent scare piece by Cryptocat developer Nadim Kobeissi over on Gizmodo alleges that Windows 8 will tell Microsoft everything the user installs on the new OS.

The claim is based on the RTM build of Windows 8, which ships with a new feature called Windows SmartScreen. It is turned on by default and is the reason Microsoft reportedly learns which programs are installed. According to the report, Windows SmartScreen is merely supposed to "screen" every application the user downloads from the Internet and tell the user whether it is safe to proceed or too dangerous to install.

But there's more to it than that. Kobeissi gives the example of installing the Tor Browser Bundle. Once the installer is opened, Windows SmartScreen gathers information about the application and sends it to Microsoft. If the company's response is that the installer doesn't carry a recognized certificate, the user gets a warning like the one in Kobeissi's screenshot.

"There are a few serious problems here," Kobeissi writes. "The big problem is that Windows 8 is configured to immediately tell Microsoft about every app you download and install. This is a very serious privacy problem, specifically because Microsoft is the central point of authority and data collection/retention here and therefore becomes vulnerable to being served judicial subpoenas or National Security Letters intended to monitor targeted users. This situation is exacerbated when Windows 8 is deployed in countries experiencing political turmoil or repressive political situations."

Even worse, according to the report, it may be possible to intercept SmartScreen's communications to Microsoft and learn about every application downloaded and installed by a target. This information could then be sold to third parties, who would send tailored spam to the targeted user. Even Microsoft's server, which receives the SmartScreen data, was reportedly found to support SSL v2, which is known to be insecure and susceptible to interception.

"I haven't checked whether Windows SmartScreen does in fact use SSLv2, but the fact that the Microsoft servers support it is concerning. Furthermore, SmartScreen is not easy to disable, and Windows will periodically warn users to re-enable it should they attempt to disable it," he writes.

Microsoft actually described SmartScreen's behavior back in March 2011: the service sends a hash of the app installer along with its digital signature. But as Kobeissi points out, the hash combined with the sender's IP address is enough to establish that a specific address tried to install a specific application, because every copy of a publicly distributed installer has the same hash. Can this be tied to the user's Windows account? Possibly. Will Microsoft track everything its Windows 8 users install? Probably not.
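To make the hash-plus-IP argument concrete, here is an added example (not code from the article, from Kobeissi's post, or from Microsoft). It computes the two things SmartScreen is described as reporting, a SHA-256 of the file and its Authenticode signer, for two binaries that exist on any Windows install, then joins constructed report records (hash + IP only, no file name) against a lookup table built from the same files. The IP addresses and the report records are made up for illustration (RFC 5737 documentation ranges); nothing here talks to Microsoft.

```powershell
# Added example, not from the article or Microsoft. Reproduces what SmartScreen
# is described as sending (installer hash + signer) and shows why hash + source
# IP identifies the application. Sample binaries: explorer.exe and notepad.exe
# from the local Windows install. IPs and "reports" below are constructed.

function Get-InstallerFingerprint {
    param([Parameter(Mandatory = $true)][string]$Path)

    # SHA-256 of the file bytes: identical bytes give an identical hash, so the
    # hash of a public installer is the same on every machine that downloads it.
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $digest = $sha.ComputeHash([System.IO.File]::ReadAllBytes($Path))
    $hex    = ($digest | ForEach-Object { $_.ToString('x2') }) -join ''

    # Authenticode signer, the second item the article says is reported.
    # Note: on Windows 8 Get-AuthenticodeSignature only reads embedded
    # signatures, so catalog-signed system files may show NotSigned; point
    # $samples at a downloaded installer to see a real publisher name.
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = 'no embedded signature'
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

    New-Object PSObject -Property @{
        File   = [System.IO.Path]::GetFileName($Path)
        Sha256 = $hex
        Status = $sig.Status        # Valid, NotSigned, HashMismatch, ...
        Signer = $signer
    }
}

# Step 1: whoever holds the reports (or intercepts them) hashes the same
# public installers once and keeps a lookup table.
$samples   = @("$env:windir\explorer.exe", "$env:windir\notepad.exe")
$reference = @{}
foreach ($p in $samples) {
    $fp = Get-InstallerFingerprint -Path $p
    $reference[$fp.Sha256] = '{0} ({1})' -f $fp.File, $fp.Signer
}

# Step 2: constructed report records of the kind the article describes:
# a hash and the source IP, nothing else.
$reports = @(
    @{ Ip = '203.0.113.10'; Sha256 = (Get-InstallerFingerprint -Path $samples[0]).Sha256 },
    @{ Ip = '198.51.100.7'; Sha256 = ('0' * 64) }    # hash not in the table
)

# Step 3: join the two. A hash the table knows is no longer anonymous.
foreach ($r in $reports) {
    if ($reference.ContainsKey($r.Sha256)) { $what = $reference[$r.Sha256] }
    else                                   { $what = '<unknown hash>' }
    '{0} ran {1}' -f $r.Ip, $what
}
```

The point is in step 3: the hash carries no name, but anyone who can obtain the same public installer can precompute its hash, so the "anonymous" record resolves to `203.0.113.10 ran explorer.exe (...)` while the unknown hash stays unknown. Whether the client's IP is actually retained server-side is the part the article cannot settle.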

"Armed with file names, Microsoft could — in theory — be building a database matching IP addresses to files downloaded/run, but let’s be real — it’s Microsoft. This is the same company that’s scared to fart in fear of litigation," writes another researcher, who has changed his tune since the Gizmodo piece went live.

Windows 8 RTM users can turn off Windows SmartScreen via Action Center -> Change Windows SmartScreen settings. The recurring Action Center warnings can also be silenced by clicking Turn off messages about Windows SmartScreen in the same window. Bear in mind that turning it off also removes the check against known-bad downloads, so the privacy gain comes at a cost.
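The Action Center dialog writes a single registry value, so the same change can be read or made from an elevated PowerShell prompt, which is what you want when auditing or configuring more than one machine. This is an added example, not code from the article or from Microsoft; the key and value names are the Windows 8 ones as I know them (`SmartScreenEnabled` under the Explorer key, and the `EnableSmartScreen` policy value), which is an assumption you should verify on your own build before deploying.

```powershell
# Added example, not from the article or Microsoft. Reads and changes the
# Windows 8 SmartScreen switch that Action Center flips. Run elevated.
# Key/value names are assumed from Windows 8; verify on your build.

$explorerKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer'
$policyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'

function Get-SmartScreenState {
    # Value written by "Change Windows SmartScreen settings":
    #   RequireAdmin  warn, and require an administrator to run unknown apps (default)
    #   Prompt        warn only
    #   Off           disabled, no check is performed
    $setting = (Get-ItemProperty -Path $explorerKey -Name SmartScreenEnabled `
                -ErrorAction SilentlyContinue).SmartScreenEnabled

    # Group Policy value ("Configure Windows SmartScreen"). When present it
    # overrides the per-machine setting above and greys out the Action Center control.
    $policy  = (Get-ItemProperty -Path $policyKey -Name EnableSmartScreen `
                -ErrorAction SilentlyContinue).EnableSmartScreen

    New-Object PSObject -Property @{
        SmartScreenEnabled      = $setting
        EnableSmartScreenPolicy = $policy      # $null when no policy applies
    }
}

function Set-SmartScreenState {
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('RequireAdmin', 'Prompt', 'Off')]
        [string]$Level
    )
    # If EnableSmartScreenPolicy is set, this value is ignored; change the
    # policy (or the GPO that sets it) instead.
    Set-ItemProperty -Path $explorerKey -Name SmartScreenEnabled -Value $Level -Type String
}

Get-SmartScreenState              # before
Set-SmartScreenState -Level 'Off'
Get-SmartScreenState              # after: SmartScreenEnabled = Off
```

Use `Prompt` rather than `Off` if you want the warning without the admin gate, and check `EnableSmartScreenPolicy` first: on a domain-joined machine a policy value explains why the Action Center control appears greyed out.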

To read the full report, head over to Gizmodo.


Top Comments
  • 38
    idroid, August 24, 2012 10:09 PM
    Over my dead body those fockers will know what i install....its incredible the amount of violations against our privacy that some companies commit
Other Comments
  • -7
    A Bad Day, August 24, 2012 10:05 PM
    I do recall there is open source software that uses other computers to assist in encrypting and transferring messages. The more computers that are connected to the encryption network, the harder it is to trace the origin or the receiver of the message. However, the key feature is that it allows the computers to be anonymous.

    Windows 8 would be a huge threat to that encrypting software.
  • -5
    Anonymous, August 24, 2012 10:14 PM
    Time to put that tin foil hat on, eh, Kobeissi? Windows 8 is evil!
  • -2
    Bloob, August 24, 2012 10:21 PM
    Ok, no retail for me until I know whether or not this is in it.
  • 19
    master_chen, August 24, 2012 10:26 PM
    Oh F*UNK. That's it, Micro$oft. You're done if you'll do that. You're done. Yes. YOU'RE DONE.

    A Bad Day: I do recall there is an open source software that uses other computers to assist in encrypting and transferring messages. The more computers that are connected to the encryption network, the harder it is to trace the origin or the receiver of the message. However, the key feature is that it allows the computers to be anonymous.

    TOR? :\
  • 16
    spartanmk2, August 24, 2012 10:28 PM
    This would make Dr. Evil angry, and when Dr Evil gets angry, Mr. Bigglesworth gets upset. And when Mr. Bigglesworth gets upset... people DIE!
  • 15
    aicom, August 24, 2012 10:29 PM
    All it's doing is taking a hash and signature and sending to MS for a computer to determine if the file has a hash that's known to be bad. Obviously, there's no way for MS to get the executable from that hash. I'm not worried about it. IE9 has been doing this exact thing since it was released and I could turn off SmartScreen if I wanted but it's a pretty good way to detect trojans (since the hash won't match the expected value).
  • 13
    aicom, August 24, 2012 10:32 PM
    Not to mention the AV companies (including MS via the integrated Windows Defender in Win7 and Win8) already get hashes (and the entire file with permission) of executables that they think are strange.
  • 17
    aicom, August 24, 2012 10:35 PM
    master_chen: You forgot one major thing: NO. ONE. USES. IE. NOBODY. NEVER. EVER. Guess why, huh?

    It's not because of SmartScreen. FYI, I myself use Chrome.
  • 15
    upgrade_1977, August 24, 2012 10:36 PM
    Well, that's just another reason to avoid Windows 8. Thanks...:)
  • 5
    freggo, August 24, 2012 10:36 PM
    aicom: All it's doing is taking a hash and signature and sending to MS for a computer to determine if the file has a hash that's known to be bad. Obviously, there's no way for MS to get the executable from that hash. I'm not worried about it. IE9 has been doing this exact thing since it was released and I could turn off SmartScreen if I wanted but it's a pretty good way to detect trojans (since the hash won't match the expected value).

    If I am not mistaken the hash of a program would be the same if it is the same executable. So all M$ has to do is install various applications on their own computers and voila, they get a list of hash values for each executable.

    Or am I missing something here?
  • 12
    Kami3k, August 24, 2012 10:39 PM
    Well looks like Windows 7 will be with me for a long time! Maybe I should buy up some retail copies just in case....
  • 5
    blazorthon, August 24, 2012 11:01 PM
    EDIT: I seemed to have misunderstood what it was doing thanks to the poor article. My bad.
  • 1
    jhansonxi, August 24, 2012 11:06 PM
    aicom: All it's doing is taking a hash and signature and sending to MS for a computer to determine if the file has a hash that's known to be bad. Obviously, there's no way for MS to get the executable from that hash. I'm not worried about it. IE9 has been doing this exact thing since it was released and I could turn off SmartScreen if I wanted but it's a pretty good way to detect trojans (since the hash won't match the expected value).

    Works perfectly as long as malware doesn't modify SmartScreen to send back forged hashes.
  • 9
    gravewax, August 24, 2012 11:11 PM
    SSLv2 is disabled on all client communications (even those initiated from a server). The Server OS supported SSLv2 for backwards compatibility only, but even then all but the most incompetent admins disable it altogether. Basically an article based on someone's poor technical knowledge and a whole lot of FUD about not understanding that hashes don't actually send all your private information.
  • 6
    alextheblue, August 24, 2012 11:19 PM
    Overblown, alarmist. Lots of security software already does stuff like this, it helps protect users from installing all sorts of garbage or spoofed software.

    jhansonxi: Works perfectly as long as malware doesn't modify SmartScreen to send back forged hashes.

    SmartScreen occurs BEFORE you install something. If it can tamper with SmartScreen, that means it is already running - in other words your computer is already compromised. At that point you're already vulnerable, why bother attacking SmartScreen, when you can just open the machine wide and install whatever you want remotely? Silly.