Windows 8 will automatically report every program you download to Microsoft

Article

 

See this post in particular for a good explanation
http://www.dslreports.com/forum/r27457974-

full thread otherwise
http://www.dslreports.com/forum/r27456924-Windows8-tells-Microsoft-everything-you-install

 

Thanks for those links.

 

This isn't really a privacy problem (SSLv2 use excluded) any more than installing anti-virus is a privacy problem, at least you can turn this off unlike some AVs where collecting data on executables is forced/invisible.

Popular software does it as well such as the Steam client. Looking forward to steam coming to Linux? Well, it will be profiling your software and hardware.

App stores also keep a log of everything installed.

But really, this is cloud functionality. With everything cloud comes a personal privacy decision. I don't think this could be implemented using a locally downloaded database, it would have to be gigantic and unreasonable for those on slow connections.

I personally think this will be a great feature for reducing the amount of botnets we have assaulting websites with DDoS and assaulting us with spam. Wilders members may not use it, but it will definitely be a good extra barrier for those that struggle with computers.

 

For the love of $diety do NOT connect a Windows 8 computer to a network, or if wireless even allow it to be within earshot of an open access point, prior to studying its configuration extensively and disabling everything you want disabled. Then use it for target practice

 

unless you have examples to show us, or reports from a reputable source then this is just FUD.

 

It only uses SSLv2 if the host doesn't support newer.

 

Fear, Uncertainty, Doubt? Yes, in moderation those would be perfectly healthy emotions to experience if about to use Windows 8 (or any other software that has such features built in). The privacy issues are well established; the recent article mentioning SmartScreen issues is in some but not all respects late to the game. I would suggest you Bing it. What I was actually doing is pointing out a way to cope with such a situation and strongly encouraging people to do it. Namely, to mitigate the risk of purposeful and/or accidental privacy events by preventing the possiblity of an Internet connection until after you are certain you have the machine tightly configured and options the way you want them. Not only for privacy reasons BTW but also for security reasons. Not only when bringing up a new computer and OS BTW, but also when installing new application software you aren't familiar with. An alternative to dealing with the wireless scenario during new computer setup would be to disable the wireless adapter via BIOS or manufacturer keyboard shortcut (IF that is possible). When installing unfamiliar application software one has those as well as OS provided options.

That's no joke. The bit about a Windows 8 box being better fit for target practice than computing, well, that was sort of a joke. Not entirely.

BTW..."As for concerns over the leakage of material via SSLv2.0, Microsoft said that it will not use this protocol with Windows 8 and that SmartScreen does not support that version. Kobeissi notes that 14 hours after he posted about the issue a new scan of the servers showed no SSlv2 support, although he stands by his original findings." via The Register.

 

Good to hear they removed SSLv2 support. So the real issue has been solved within a day, and the OS hasn't even released, good stuff.

 

LOL. Even I must give you points for that try

 

Microsoft denies Windows 8 app spying via SmartScreen

http://www.theregister.co.uk/2012/08/25/windows8_smartscreen_spying/

 

Sorry, I don't argue with paranoid FUD spreaders so feel free to spout out nonsense until your hating heart is content, but I'll give you no points for that try.

Also like I stated earlier, the only other way to do this is with a local database:

Unfortunately the researcher conveniently ignores (as I pointed out) that this would be extremely impractical. If it was practical, there would be no need for cloud AV/reputation systems as they would all be locally stored.

 

just because we are paranoid doesn't mean there really isn't someone out there who is trying to get us. Trust no one is my motto. I already know microsoft is trying to spy on us, little story's like this just reinforce my gut feeling. The more they try to tell us that there simple "reporting" software is there to help us, the more I feel suspicious.
I'm not trusting like some of you, If someone points out something suspicious, too me that's all the proof I need. I won't be an early adopter of windows 8 until it proves itself to be safe.

 

My post isn't directed at people like you, it's directed at those that make it their mission to spread FUD. Be as untrusting as you want, I'm quite untrusting of Google myself, however, I don't go around spreading FUD about them that's based on nothing other than gut feeling. There is no evidence here to suggest malicious intent any more than there is evidence to suggest that security software vendors have malicious intent.

 

There has to be some basic fundamental level of trust or you wouldn't be using Windows at all... you'd be on Linux or a Mac or some other alternative..

 

I take that like you do trust the OS and OS developer that you are using right now to 100%, what OS that may be.....

 

When 8 asked me for the first time, if I want to have SmartScreen on, I read about it and I turned it off. All is pretty much explained here: SmartScreen Filter FAQ.

 

Exactly, turn smartscreen off, done.
Mrk

 

FWIW for anyone is trying to look at this, I tried to find published samples/info sufficient for study. One from http://news.ycombinator.com/item?id=4427008 posted to https://gist.github.com/3448961 with some decoding:

Code:

POST /urs.asmx?MSURS-Client-Key=NVMU7wXXXvr+sBw/6wmCzw==&MSURS-MAC=esVXvXXX0NE= HTTP/1.1
Accept: text/*
Content-Type: text/xml; charset=utf-8
User-Agent: VCSoapClient
Host: urs.microsoft.com
Content-Length: 435
DNT: 1
Cache-Control: no-cache

<RepLookup v="4">
 <G>7A7E08C8-3FF5-45F2-873D-A84D669DCXXX</G>
 <O>DC54AF8F-4219-4BDD-9EFA-DE9C6E10AXXX</O>
 <D>10.0.8110.6</D>
 <C>10.00.9200.16384</C>
 <OS>6.2.9200.0.0</OS>
 <I>9.10.9200.16384</I>
 <L>en-US</L>
 <RU>http://www.drivesnapshot.de/en/idown.htm</RU>
 <RI>0.0.0.0</RI>
 <R>
   <Rq>
    <URL>http://www.drivesnapshot.de/download/snapshot.exe</URL>
    <O>PRE</O>
    <T>DOWNLOAD</T>
    <HIP>0.0.0.0</HIP>
   </Rq>
 </R>
 <WA/>
</RepLookup>

HTTP/1.1 200 OK
Cache-Control: private, max-age=0
Content-Length: 242
Content-Type: text/xml; charset=utf-8
Server: Microsoft-IIS/7.5
Date: Fri, 24 Aug 2012 10:12:26 GMT
Connection: close

<RepLookupResponse>
 <RepLookupResult>
  <Rs>
   <M>www.drivesnapshot.de/download/snapshot.exe</M>
    <C>UNKN:100:1:1</C>
    <R>1:1</R>
    <L>10080</L>
    <S>0</S>
  </Rs>
 </RepLookupResult>
 <Y>100</Y>
 <T>DC54AF8F-4219-4BDD-9EFA-DE9C6E10AXXX</T>
 <E>0</E>
</RepLookupResponse>

Which appears to be the type triggered by downloading a file.

A partial from http://www.withinwindows.com/2012/08/24/thoughts-on-the-windows-smartscreen-scare/ with some decoding:

Code:

<Rq V="1.2">
  <RqT>0</RqT>
  <App>
    <FName>SameGame.exe</FName>
    <FHash>d3ff5939726c9f8fa6e514fb65eb470a1f9ec7a65b2706732a03749226c2520</FHash>
    <Sig>0</Sig>
    <Sz>45056</Sz>
    <M>1</M>
    <SR>100</SR>
  </App>
  <ID>0F98AD9C-D498-42B3-B421-E6C97A8E6XXX</ID>
  <G>B68802CA-B396-4773-8FD9-EEECA4DE6XXX</G>
  <L>en-US</L>
  <OS>6.2.9200.0.0</OS>
  <I>9.10.9200.16384</I>
  <C>10.00.9200.16384</C>
  <DJ>2</DJ>
</Rq>

Appears to be the type triggered when running the program from http://samegamexna.codeplex.com/. Based on other info I think that extract may have been from a request to w.apprep.smartscreen.microsoft.com.

Note: Where you see XXX that's me being conservative with the info they posted in full.

I was hoping to find a full request/response for the later type and also a known request/response for non-download related URL checking. Having full samples of each variant **from the same machine/account** would be useful. If anyone does capture or come across such please let us know.

Someone posted verbage they could access when doing an express install ( http://slashdot.org/comments.pl?sid=3070309&cid=41111521) which comments on something privacy oriented people would be looking for: "Windows SmartScreen randomly generates a number called a GUID that is sent to Microsoft with your SmartScreen usage data. The GUID lets us determine which data is sent from a particular PC over time.".

 

Windows 8 privacy complaint misses the forest for the trees - Malware-detecting SmartScreen unfairly tarred as violation of user privacy.

...

http://arstechnica.com/information-...cy-complaint-misses-the-forest-for-the-trees/