Windows 8 to Tell Microsoft About Everything You Install?
The new SmartScreen feature in Windows 8 supposedly tells Microsoft about the application you're installing along with your IP address.
A recent scare piece by Cryptocat developer Nadim Kobeissi over on Gizmodo alleges that Windows 8 will tell Microsoft everything the user installs into the new OS.
The reveal is based on the RTM version of Windows 8 which offers a new feature called Windows SmartScreen. This feature is turned on by default, and is the culprit behind what Microsoft reportedly knows about the installed programs. According to the report, Windows SmartScreen is merely supposed to "screen" every application the user installs from the Internet, and inform the user if it's safe to proceed, or too evil to install.
But there's more to it than that. Kobeissi provides an example of installing the Tor Browser Bundle. Once the installer is opened, Windows SmartScreen gathers information about the application and sends it to Microsoft. If the company responds saying that it doesn't have the proper certificate, then the user gets an error like the one seen here (jpg).
"There are a few serious problems here," Kobeissi writes. "The big problem is that Windows 8 is configured to immediately tell Microsoft about every app you download and install. This is a very serious privacy problem, specifically because Microsoft is the central point of authority and data collection/retention here and therefore becomes vulnerable to being served judicial subpoenas or National Security Letters intended to monitor targeted users. This situation is exacerbated when Windows 8 is deployed in countries experiencing political turmoil or repressive political situations."
Even worse, it may be possible to intercept SmartScreen's communications to Microsoft and learn about every application downloaded and installed by a target. Adding to that, this information could be sold to third parties who would then send tailored spam to the targeted user. Even Microsoft's server, which receives the SmartScreen data, was reportedly found to support SSL v2, which is known to be insecure and susceptible to interception.
"I haven't checked whether Windows SmartScreen does in fact use SSLv2, but the fact that the Microsoft servers support it is concerning. Furthermore, SmartScreen is not easy to disable, and Windows will periodically warn users to re-enable it should they attempt to disable it," he writes.
Microsoft actually revealed SmartScreen back in March 2011. The company claimed the service sends a hash of the app installer and its digital signature. But as Kobeissi points out, the hash and the user's IP address combined are enough to identify that a specific address tried to install a specific application. Can this be connected to the user's Windows account? It's possible. Will Microsoft track everything its Windows 8 users install? Probably not.
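The point Kobeissi makes above, as an added example (not code from the article or from Microsoft): a hash cannot be reversed into the executable, but for a publicly distributed installer it works as a lookup key once it arrives alongside the sender's IP address. The SHA-256 choice, the report format, the file names and the IP addresses are all assumptions constructed for illustration.

```python
import hashlib
from collections import defaultdict

def file_hash(data: bytes) -> str:
    # SHA-256 is an assumption; the article only says "a hash".
    return hashlib.sha256(data).hexdigest()

# Constructed stand-ins for publicly downloadable installers.
PUBLIC_INSTALLERS = {
    "tor-browser-setup.exe": b"constructed bytes standing in for installer A",
    "chat-client-setup.exe": b"constructed bytes standing in for installer B",
}

def build_catalogue(installers):
    """What any party can precompute from public downloads: hash -> name."""
    return {file_hash(blob): name for name, blob in installers.items()}

def client_report(data: bytes) -> dict:
    """Hypothetical reputation query: only the hash leaves the machine."""
    return {"hash": file_hash(data)}

def link_reports(catalogue, received):
    """Receiver's view: every report arrives with the sender's IP attached
    by the network layer. Joining on the hash names the application."""
    seen = defaultdict(list)
    for source_ip, report in received:
        seen[source_ip].append(catalogue.get(report["hash"], "unknown file"))
    return dict(seen)

def demo():
    catalogue = build_catalogue(PUBLIC_INSTALLERS)
    private_file = b"constructed bytes of a file nobody else has"
    received = [  # constructed (IP, report) pairs
        ("203.0.113.7", client_report(PUBLIC_INSTALLERS["tor-browser-setup.exe"])),
        ("203.0.113.7", client_report(private_file)),
        ("198.51.100.22", client_report(PUBLIC_INSTALLERS["chat-client-setup.exe"])),
    ]
    return link_reports(catalogue, received)

if __name__ == "__main__":
    for ip, apps in demo().items():
        print(ip, apps)
```

Only the file that exists nowhere else stays anonymous to the receiver; anything distributed publicly is identified by its hash alone.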
"Armed with file names, Microsoft could — in theory — be building a database matching IP addresses to files downloaded/run, but let’s be real — it’s Microsoft. This is the same company that’s scared to fart in fear of litigation," writes another researcher who has thus changed his tune since the Gizmodo piece went live.
Windows 8 RTM users can turn off Windows SmartScreen via Action Center -> Change Windows SmartScreen settings. Users can also turn off annoying Action Center warnings by clicking Turn off messages about Windows SmartScreen in the same window.
To read the full report, head here.
-
A Bad Day I do recall there is an open source software that uses other computers to assist in encrypting and transferring messages. The more computers that are connected to the encryption network, the harder it is to trace the origin or the receiver of the message. However, the key feature is that it allows the computers to be anonymous.
Windows 8 would be a huge threat to that encrypting software. -
idroid Over my dead body those fockers will know what I install.... It's incredible the amount of violations against our privacy that some companies commit -
master_chen Oh F*UNK. That's it, Micro$oft. You're done if you'll do that. You're done. Yes. YOU'RE DONE.
A Bad Day: "I do recall there is an open source software that uses other computers to assist in encrypting and transferring messages. The more computers that are connected to the encryption network, the harder it is to trace the origin or the receiver of the message. However, the key feature is that it allows the computers to be anonymous."
TOR? :\ -
spartanmk2 This would make Dr. Evil angry, and when Dr Evil gets angry, Mr. Bigglesworth gets upset. And when Mr. Bigglesworth gets upset... people DIE! -
aicom All it's doing is taking a hash and signature and sending to MS for a computer to determine if the file has a hash that's known to be bad. Obviously, there's no way for MS to get the executable from that hash. I'm not worried about it. IE9 has been doing this exact thing since it was released and I could turn off SmartScreen if I wanted but it's a pretty good way to detect trojans (since the hash won't match the expected value). -
aicom Not to mention the AV companies (including MS via the integrated Windows Defender in Win7 and Win8) already get hashes (and the entire file with permission) of executables that they think are strange. -
master_chen aicom: "IE9 has been doing this exact thing since it was released."
You forgot one major thing:
NO. ONE. USES. IE.
NOBODY.
NEVER.
EVER.
Guess why, huh?
-
aicom master_chen: "You forgot one major thing: NO. ONE. USES. IE. NOBODY. NEVER. EVER. Guess why, huh?"
It's not because of SmartScreen. FYI, I myself use Chrome.