Myce.com Latest Updates

Microsoft spies on all your Windows 8 installs – badly encrypted

Posted at 24 August 2012 15:41 CEST by Jan Willem Aldershoff

Nadim Kobeissi, developer of an encrypted instant messaging application, has discovered that during the installation of every application in Windows 8 the Microsoft servers are contacted. While Microsoft’s idea behind this seems good and is meant to protect you against malware, the way the feature has been implemented possibly causes security and privacy breaches. The feature, called Windows SmartScreen, is turned on by default and sends an encrypted string to a Microsoft server containing information about any software you are trying to install. As with all internet communication, your IP address is also revealed to the Microsoft servers.

According to Kobeissi this is a problem. As he writes on his blog, “The big problem is that Windows 8 is configured to immediately tell Microsoft about every app you download and install. This is a very serious privacy problem, specifically because Microsoft is the central point of authority and data collection/retention here and therefore becomes vulnerable to being served judicial subpoenas or National Security Letters intended to monitor targeted users.” He goes on to write, “This situation is exacerbated when Windows 8 is deployed in countries experiencing political turmoil or repressive political situations.”

This means that in some countries the government could make efforts to intercept traffic from the user to the Microsoft servers and would then be able to track installations of, e.g., the Tor network, which is used by dissidents in countries like Iran to securely transfer information about sensitive subjects. Even worse, the servers collecting the information are running an insecurely configured web server. If you don’t want to be tracked, you can turn Windows SmartScreen off, although you are then also unprotected by it and Windows will continuously nag you to turn it on again.

There are 25 comments

blegs38552
MyCE Member
Posted on: 24 Aug 12 16:01
    Is this only for Windows 8 (f/k/a Metro) apps, or for any app?

    Either way, this should be disabled at once, or at least default to disabled with an option at installation to turn it on.

    Also, is this in the RTM version, or in the Trial and Beta versions only?
    voxsmart
    MyCE Member
    Posted on: 24 Aug 12 16:21
      This is just another reason not to use Windows 8. It seems M$ is deliberately trying not to sell 8?
      NightAngel
      New Member
      Posted on: 24 Aug 12 18:01
        So M$ is getting into the spy game now, even though this is a good way to cut down on the piracy of their products I'm sure M$ is really not concerned on who owns the copyrights to the software you are downloading or installing, if it is illegal you and/or the website will be reported to the authorities..

        I have no plans of buying or using Windows 8, but if I ever did, the system that I install it on would be disconnected from the Internet the moment it is activated. Not that I'm into piracy or any, it's just that I don't like the idea of my personal privacy being breached.
        ivid
        MyCE Resident
        Posted on: 24 Aug 12 18:56
          Are we really surprised ? I'm not considering Google and Apple know about every app we install on our mobiles and tablets, and MS for our XBOXes. MS is jumping on the bandwagon, even though there isn't a "marketplace" store involved to d/l the software from.
          Kerry56
          Administrator
          Posted on: 24 Aug 12 20:17
            One of the links has a practical solution for anyone running Win 8.

            You can turn off Windows SmartScreen via Action Center -> Change Windows SmartScreen settings, and subsequently turn off annoying Action Center warnings by clicking Turn off messages about Windows SmartScreen in the same window.

            ...a tale...full of sound and fury, signifying Nothing.
            voxsmart
            MyCE Member
            Posted on: 24 Aug 12 20:47
              Quote:
              Originally Posted by Kerry56
              One of the links has a practical solution for anyone running Win 8.

              You can turn off Windows SmartScreen via Action Center -> Change Windows SmartScreen settings, and subsequently turn off annoying Action Center warnings by clicking Turn off messages about Windows SmartScreen in the same window.

              ...a tale...full of sound and fury, signifying Nothing.
              This is all very good for us in the know, but what percentage of the total users are we? What about all those who have no idea their privacy is being breached?
              I'm repairing a neighbour's laptop at the moment. Even after all the time and advice I've given her about updating Windows and keeping the antivirus/antimalware up to date, the machine is overrun with all sorts of nasties. What hope do all these people have with M$ spying on them as well?
              I think it's very unfair.
              diane7
              CDFreaks Resident
              Posted on: 24 Aug 12 20:57
                Quote:
                Originally Posted by Kerry56

                ...a tale...full of sound and fury, signifying Nothing.
                I've read a lot of blogs about Windows 8 today, and a lot of people posting news on technical forums are trying to slag off W8.

                My gist: you cannot say you hate it if you haven't tried it.

                a few months
                StormJumper
                Retired Moderator
                Posted on: 24 Aug 12 21:12
                  Quote:
                  Originally Posted by Kerry56
                  One of the links has a practical solution for anyone running Win 8.

                  You can turn off Windows SmartScreen via Action Center -> Change Windows SmartScreen settings, and subsequently turn off annoying Action Center warnings by clicking Turn off messages about Windows SmartScreen in the same window.

                  ...a tale...full of sound and fury, signifying Nothing.
                  Turning off the annoying Action Center warning messages may turn off the messages the user receives BUT does it stop the sending of the data and other personal info to Microsoft ?
                  Kerry56
                  Administrator
                  Posted on: 24 Aug 12 21:38
                    Quote:
                    Originally Posted by StormJumper
                    Turning off the annoying Action Center warning messages may turn off the messages the user receives BUT does it stop the sending of the data and other personal info to Microsoft ?
                    Turning off Windows SmartScreen stops the transmission of data. Turning off the Action Center warning messages stops the operating system from nagging you about turning off SmartScreen.

                    This was one of the first things I did when I installed Win 8.

                    The data sent to MS is anonymous and used for statistical analysis of installed programs, not to compile an individual profile of each user. But even gathering this type of data may lead to privacy concerns, and puts Microsoft under the crosshairs for possible infractions of laws that have been and continue to be developed to protect online privacy.

                    I've no doubt the information could be useful to them in aggregate, but they are poking the wasps' nest with this type of behavior.

                    But it is not intended for profiling on the individual level. There are many, many services online that do the same type of thing. Amazon, Steam, Yahoo....the list can go on for companies that do customer data collection. Putting it inside the operating system is what may drive the tin-foil hat brigade over the edge however.
                    StormJumper
                    Retired Moderator
                    Posted on: 24 Aug 12 23:03
                      OK thanks Kerry not that it matters to me because I will not be using Windows 8, however I did want it to be explained a little more in-depth for better understanding for those who will be.

                      And like always you did a good job of it.

                      SJ
                      ChristineBCW
                      MyCE Die Hard
                      Posted on: 24 Aug 12 23:33
                        Thanks for the heads-up. I'm glad disc-space is so cheap so they can keep compiling this. I wonder if we'll get a cut if they can sell it? That'd be nice... a few mil, sure.

                        Of course, on Planet Conspirato, checking the box only means, "Here's a user to pay particular attention to..." and kicks off some other service phoning home.

                        What's that Twilight Zone episode where the two-headed alien brothers invisibly visit a bar, and grant one earthling great strength?

                        Or am I thinking of Don Ameche and Ralph Bellamy comeback films in the '80s?
                        tmc8080
                        MyCE Resident
                        Posted on: 25 Aug 12 02:30
                          Wow, just as creepy as Smart phones logging and recording keystrokes.. and allowing techs to read that data for "DIAGNOSTIC PURPOSES"... this was possible on BOTH IOS and ANDROID early versions...

                          Windows 8 is off by default for me.. that is... NOT installed!
                          xorsists
                          MyCE Senior Member
                          Posted on: 25 Aug 12 07:25
                            A quick guide to shut off Smartscreen can be found here:

                            http://www.howtogeek.com/75356/how-t...-in-windows-8/
                            ChristineBCW
                            MyCE Die Hard
                            Posted on: 25 Aug 12 08:57
                              I wonder how many services shouldn't be disabled because of promised/threatened phone-home-links into MS? What was that whole DCOM thing about a few years ago?

                              I wonder if MS will say SecEss (or WinDefender) can't run without it?

                              (Side note... I thought Win Defender was old-tech and that MS wasn't recommending it, but was pushing their Security Essentials INSTEAD. But there it is, two years after SecEss is anointed - Win Defender, running, alive and well. Good grief... Dear MS, does the concept of consistency EVER mean anything? This cooked-spaghetti-against-wall approach is so tiresome...)
                              cholla
                              MyCE Resident
                              Posted on: 25 Aug 12 15:13
                                MS now stands for MicroSpy .
                                I turned Defender off a long time ago . There are much better alternatives.
                                Kerry56
                                Administrator
                                Posted on: 25 Aug 12 15:20
                                  ^Windows 8 Defender incorporates Microsoft Security Essentials, so it is both anti-malware and anti-virus in one. It is different from Windows Defender found in earlier versions of Windows.
                                  ChristineBCW
                                  MyCE Die Hard
                                  Posted on: 25 Aug 12 16:44
                                    Kerry, yes, now "Defender" is "all you need for Win8" according to Microsoft.

                                    Today, that is. On this latest press release.

                                    My next question will be, "When the application called Windows Defender sees a threat, is the Alert Dialog Box using the exact same spelling in the Alert Dialog Box's Title Bar?"

                                    Because they haven't done that in the past, which always opened the door to the question, "How can I tell a Real Warning Dialog as opposed to a Hijacking Dialog since Microsoft refused to issue alerts with the spelling 'Microsoft Security Essentials'?"

                                    Grrr... I mean, some Microsoft typist had to spell SOMETHING in the Title Bar... why not use The Correct & Precise Spelling each and every time?

                                    Time will tell.. every time I visit BleepingComputer and see all the names that ransomware typists have used in their attacking dialog box Title Bars, it's so depressing.
                                    Kerry56
                                    Administrator
                                    Posted on: 25 Aug 12 22:54
                                      Peter Bright over at Ars Technica raises a good point. This particular bit of "snooping" by Microsoft is overblown, and pales in comparison to the information that they will gain through their App Store within Windows 8. http://arstechnica.com/information-t...for-the-trees/
                                      xorsists
                                      MyCE Senior Member
                                      Posted on: 26 Aug 12 01:07
                                        I really hate this info about smart screen. It is great for MS to see what apps are the most popular etc., but sending info to MS server about any program that you may install is just plain none of their business, not to mention, and I don't care what MS will say, that your private info will not be shared is pure BS. They can do whatever they wish and have done so in the past.

                                        Using the default windows defender another bad idea although it is an antivirus program too.

                                        I can assure you I never used MSE for this reason. It also reports back to MS servers whatever security threat that it detects, so MS has been doing this right along. Any way you look at it, big Brother MS has always in one way or another tracked info about you & your computer habits, much like search engines do.

                                        My smart screen is off and will stay that way, and I install my own antivirus suite so I can see what MS is doing and block the transmissions with my antivirus's firewall program. It makes it a little better and gives me peace of mind.

                                        JMO.
                                        StormJumper
                                        Retired Moderator
                                        Posted on: 26 Aug 12 01:20
                                          Quote:
                                          Originally Posted by cholla
                                          MS now stands for MicroSpy .
                                          I turned Defender off a long time ago . There are much better alternatives.
                                          Yeah I stopped using Defender a very long time ago myself, as for 'MicroSpy' is that a real surprise to anyone, as stated elsewhere-> "Microsoft is the central point of authority and data collection/retention here and therefore becomes vulnerable to being served judicial subpoenas or National Security Letters intended to monitor targeted users".
                                          cholla
                                          MyCE Resident
                                          Posted on: 26 Aug 12 03:06
                                            Quote:
                                            Originally Posted by StormJumper
                                            as for 'MicroSpy' is that a real surprise to anyone
                                            That was posted with my tongue in my cheek .
                                            Not with my mouth open in surprise.
                                            headquarter84
                                            CD Freak
                                            Posted on: 27 Aug 12 07:43
                                              Quote:
                                              Originally Posted by voxsmart
                                              This is just another reason not to use Windows 8. It seems M$ is deliberately trying not to sell 8?
                                              Oh well, I was still thinking about if I should upgrade to Win8 or not, but now they won! I'm totally NOT buying it now... How many screw-ups can you have in one single OS release! M$ is definitely working hard to annoy EVERYONE and turn away possible new customers!

                                              Quote:
                                              Originally Posted by ivid
                                              even though there isn't a "marketplace" store involved to d/l the software from.
                                              Actually there IS an app store in the making, it's currently called "Windows Store Preview" and it should be officially online as "http://apps.microsoft.com" after the official release of Win8. You can check one of the current products in the shape of the new MS Fresh Paint to get a hint of the style and direction they're taking.
                                              theppfftt
                                              MyCE Rookie
                                              Posted on: 27 Aug 12 14:22
                                                I won't waste my time on Windows 8. I see no benefit and I'm sick of all of Microsoft's little games.
                                                whatever_gong82
                                                MyCE Member
                                                Posted on: 27 Aug 12 20:10
                                                  I'd just do what people above like Kerry56 have suggested, turn off the stuff Microsoft uses that could be used to spy on you, and you're set.
                                                  xorsists
                                                  MyCE Senior Member
                                                  Posted on: 27 Aug 12 22:06
                                                    Quote:
                                                    Originally Posted by whatever_gong82
                                                    I'd just do what people above like Kerry56 have suggested, turn off the stuff Microsoft uses that could be used to spy on you, and you're set.
                                                    Same here whatever_gong82, and I leave it at that and am very happy with Windows 8 on my desktop PC.
