

Windows 8 Tells Microsoft Everything You Install, Not Very Securely. - derrida
http://log.nadim.cc/?p=78

======
lawnchair_larry
This guy has a habit of trying to be a grandstanding security expert but being
wrong a lot. In this example, he is wrong because although IIS will answer an
SSLv2 connection, it will not actually process the request. Anyone who has
done basic scanning for an audit is well aware of this false positive.

See here:
[http://billing.handsonwebhosting.com/knowledgebase.php?actio...](http://billing.handsonwebhosting.com/knowledgebase.php?action=displayarticle&id=221)

As he says:

 _"I haven’t checked whether Windows SmartScreen does in fact use SSLv2, but
the fact that the Microsoft servers support it is concerning."_

Yeah, maybe check next time before you shout that the sky is falling.

If you are concerned about the privacy issue (MS getting requests indicating
what was installed - not the bogus MITM claim), disabling this is offered in
the privacy settings, and it is even put in front of your face during OS
install. Also, all major AV products do the same thing, except they're not as
transparent about it.

Nothing to see here.
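The distinction drawn in the comment above (a server that merely answers an SSLv2-format ClientHello versus one that actually completes an SSLv2 handshake) is exactly what most scanners get wrong. The following is an added example, not code from the linked article or from any commenter: it sends a raw SSLv2 ClientHello and classifies the first bytes that come back as an SSLv2 ServerHello, an SSLv2 error, a TLS/SSLv3 record (the server accepted the v2-compatible hello format but negotiated a newer protocol), or nothing. The record layout follows the SSLv2 draft specification; `probe()` does network I/O and is not run offline, and the certificate bytes used in the test are constructed placeholders, not real DER. It does not go on to send an HTTP request, so it verifies the handshake claim only, not whether a request over it is served.

```python
"""Probe whether a server really completes an SSLv2 handshake.

Added example (not from the article or the comment author). Sends a raw SSLv2
ClientHello and classifies the reply: a genuine SSLv2 ServerHello, an SSLv2
error message, a TLS/SSLv3 record (server negotiated a newer protocol from the
v2-compatible hello), or a closed/unknown reply. Scanners that only check
"did the server answer" report the TLS-record case as SSLv2 support.
"""
import os
import socket
import struct

MSG_ERROR, MSG_CLIENT_HELLO, MSG_SERVER_HELLO = 0x00, 0x01, 0x04
SSLV2_VERSION = b"\x00\x02"

# Standard SSLv2 cipher kinds, 3 bytes each (names from the SSLv2 draft).
SSLV2_CIPHER_KINDS = {
    b"\x01\x00\x80": "RC4_128_WITH_MD5",
    b"\x02\x00\x80": "RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "DES_192_EDE3_CBC_WITH_MD5",
}


def sslv2_record(body: bytes) -> bytes:
    """Wrap a message in the 2-byte SSLv2 record header (high bit set, no padding)."""
    assert len(body) < 0x8000
    return struct.pack(">H", 0x8000 | len(body)) + body


def build_client_hello(challenge: bytes = b"") -> bytes:
    """SSLv2 CLIENT-HELLO offering every standard cipher kind, empty session id."""
    specs = b"".join(SSLV2_CIPHER_KINDS)
    challenge = challenge or os.urandom(16)
    body = (bytes([MSG_CLIENT_HELLO]) + SSLV2_VERSION
            + struct.pack(">HHH", len(specs), 0, len(challenge))
            + specs + challenge)
    return sslv2_record(body)


def build_server_hello(cert: bytes, specs: bytes, conn_id: bytes) -> bytes:
    """Builder used only to construct test vectors (a real server sends this)."""
    body = (bytes([MSG_SERVER_HELLO, 0x00, 0x01]) + SSLV2_VERSION  # no session hit, X.509
            + struct.pack(">HHH", len(cert), len(specs), len(conn_id))
            + cert + specs + conn_id)
    return sslv2_record(body)


def classify_response(data: bytes) -> dict:
    """Parse the first thing the server sent back after our SSLv2 ClientHello."""
    if not data:
        return {"kind": "closed"}
    # 0x15 (alert) / 0x16 (handshake) followed by a 3.x version byte: TLS/SSLv3.
    if data[0] in (0x15, 0x16) and len(data) >= 3 and data[1] == 0x03:
        return {"kind": "tls_record", "version": (data[1], data[2])}
    if len(data) < 3 or not data[0] & 0x80:
        return {"kind": "unknown"}
    length = ((data[0] & 0x7F) << 8) | data[1]
    body = data[2:2 + length]
    if len(body) < length:
        return {"kind": "truncated"}
    if body[0] == MSG_ERROR and len(body) >= 3:
        return {"kind": "sslv2_error", "code": struct.unpack(">H", body[1:3])[0]}
    if body[0] != MSG_SERVER_HELLO or len(body) < 11:
        return {"kind": "unknown"}
    cert_len, specs_len, _conn_len = struct.unpack(">HHH", body[5:11])
    cert = body[11:11 + cert_len]
    specs = body[11 + cert_len:11 + cert_len + specs_len]
    kinds = [SSLV2_CIPHER_KINDS.get(specs[i:i + 3], specs[i:i + 3].hex())
             for i in range(0, len(specs), 3)]
    return {"kind": "sslv2_server_hello", "version": body[3:5],
            "cert_len": len(cert), "cipher_kinds": kinds}


def probe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Network probe (not exercised offline): send a ClientHello, classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello())
        try:
            data = s.recv(4096)
        except socket.timeout:
            data = b""
    return classify_response(data)


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443))
```

Only the `sslv2_server_hello` result means the server speaks SSLv2; a `tls_record` answer is the false positive the comment describes, and even a real v2 ServerHello says nothing about what the SmartScreen client negotiates, which can only be settled by capturing the client's own ClientHello.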

~~~
magikarp
Author here. Let me ask you something: Have you checked if SSLv2 connections
are actually dropped?

The point of my article isn't SSLv2, it's privacy concerns. Also, I did
actually check and disabling SmartScreen doesn't seem to be offered during OS
install, did I miss something?

Thanks for the disgusting ad-hominem! It totally aids your missing the point.

 _Edit_ : Whoa, I think I've figured out why this guy is being so personal;
his submission history includes promoting a security company I left after a
brief stint. Small world!

~~~
cabirum
You can disable smartscreen during install:
[http://www.winsupersite.com/content/content/142370/clean_13....](http://www.winsupersite.com/content/content/142370/clean_13.jpg)

~~~
magikarp
Ah, thanks! Updating article accordingly!

------
eslaught
The article would be a little more convincing if the author had checked that
SmartScreen actually uses SSLv2, rather than simply running on a web server
which happens to support the protocol.

~~~
redact207
Agreed. Personally I wouldn't care if anyone intercepted a message saying what
app I just installed. The author also neglected to mention if the payload
contains anything that identifies the user.

~~~
magikarp
It's SSL, how are you supposed to be able to read the payload? The article
also explicitly mentions that no tests were run to figure out whether SSLv2 is
used by the client.

You wouldn't personally care if messages were intercepted regarding the apps
you're installing, but imagine the kind of leverage it would give someone
trying to profile a network of activists in Syria. The exact version number of
every app on every computer, perfect for studying the exploit surface.

~~~
cyberl0l
L2 MITM SSL.

~~~
magikarp
I've updated the article with information on what SmartScreen sends.

------
mdb31
The SmartScreen connection uses SSLv3 just fine on my machine. Here's an
example payload: <https://gist.github.com/3448961> (I initially posted this on
HN directly, which broke the site layout, so I deleted that post -- sorry
about that!)

The base-64 encoded strings in the request are the HTTP referrer and the
download location, respectively. The "client key" and "MAC" seems to be API
key-like authenticators. Not sure what the GUIDs are about.

Anyway, the use of this data has been explained in quite a bit of detail a
long time ago already: [http://windows.microsoft.com/en-US/windows-
vista/smartscreen...](http://windows.microsoft.com/en-US/windows-
vista/smartscreen-filter-frequently-asked-questions).

As said elsewhere already, the feature is easy enough to turn off. And there
is definitely an opt-in question somewhere, as I had to enable the feature on
my machine in order to test it...

------
brudgers
If one loads an app on Apple's popular smartphone, Apple keeps a record of it.
Along with one's credit card number and potentially a large amount of location
and connectivity data.

If one loads an app on Facebook or searches on Google or even visits a
commercial website one's privacy is likely to be compromised.

None of this makes Windows behavior entirely devoid of causing concern, but in
my opinion, Microsoft is more trustworthy filling that role than the crapware
antivirus providers who have been doing it for years.

------
timmyd
Sure just turn it off

[http://www.howtogeek.com/75356/how-to-turn-off-or-disable-
th...](http://www.howtogeek.com/75356/how-to-turn-off-or-disable-the-
smartscreen-filter-in-windows-8/)

~~~
DASD
The problem is that Smartscreen is on by default. Most users are going to have
trouble enough trying to forget about the missing Start Menu even after
watching the Welcome Intro let alone fumble through looking for some way to
disable this option.

Malware protection requiring surrendered privacy seems a pretty crappy
"feature." Why can't Microsoft do better?

~~~
krautsourced
How? By constantly downloading the entire database of every application to
your local drive? Where it would not only take up space, but could be modified
to allow anything in? The author says nothing about _what_ exactly is being
sent to MS; all he can say for sure is that a request is sent to that URL. And
about it being turned on by default - as long as it can be turned off, this is
_good_. The main problem with security features (like Windows Update for a
long time) that are not turned on by default is that your regular Joe user
will never turn those on, thus ending up with a terribly out of date, insecure
system.

~~~
thinkingisfun
_How? By constantly downloading the entire database of every application to
your local drive? Where it would not only take up space, but could be modified
to allow anything in?_

Yes, and no.

<http://news.ycombinator.com/item?id=4427416>

(besides, if you can just tamper with the filesystem you're kinda in already)

------
aik
On a slightly different note concerning privacy:

How much more of this will we take before enough people demand privacy again?
What event has to happen? On our phones, applications can't even be downloaded
until monitored and approved by the corporation (one step further than this).
Our desktops have been moving in this direction for some time already.

~~~
fl3tch
Linux from Scratch. Build it for the ones you love.

~~~
chacham15
Even that may not be enough:
[http://scienceblogs.com/goodmath/2007/04/15/strange-loops-
de...](http://scienceblogs.com/goodmath/2007/04/15/strange-loops-dennis-
ritchie-a/)

~~~
molmalo
That was a very interesting and funny read! Thanks!

------
holri
I am not going to let anyone know the software that I have installed, nor will
I trust or depend on a white list issued by a big private corporation with
business interests.

~~~
cookiecaper
FYI Google keeps a big list of every app you've ever installed through Android
Market/Play Store; it stays in "My Apps" even if you uninstall it.

~~~
holri
I do not use Google products for this reason.

------
benologist
What's really scary is the entire industry is doing their best to make this
normal and they've enjoyed phenomenal success so far. This is almost Microsoft
playing catch up.

~~~
refulgentis
Begging the question a bit here, so much so that I was tempted to just post
'?'. I assume you mean Apple, but Apple checks locally for code-signing, it
doesn't phone home. Which is what the problem is.

~~~
benologist
I'm not specifically meaning Apple although they're certainly part of it:

\- iTunes and App Store

\- Steam

\- Windows Phone marketplace, MSDN, upcoming software marketplace

\- Amazon App Store and Google's Play Store

\- Chrome Web Store and Firefox's add-on marketplace

\- Ubuntu Software Center, package managers in general

\- Facebook's App Center

\- Github, Google Code and SourceForge

I doubt there's anyone on HN who doesn't have a long history with a lot of
names on that list. Almost every piece of software and game I have on every
device I use has come via this list.

But I'm sure all of these .. centralized installation hubs I guess .. are
reasonably vindicated by their privacy policies - where everyone's idea of
'reasonably' is different and most of them aren't like ours.

~~~
refulgentis
Centralized software distribution channel != phoning home every time any
software is installed on a computer. You are citing examples of the first, the
second is what the article is about.

------
itsbits
I feel it's biased when people say that all the information about apps being
installed on our system will be known to Microsoft. Is it OK for Apple to know
the information about Mac apps???

~~~
dutchbrit
All information that gets sent to Apple goes over SSL v3, not v2 (just
checked). This is the case, however, with Microsoft (v2). V3 is a lot more
secure than v2. However, I still agree, it should be asked if the information
can be sent to Apple in the first place.

~~~
dthunt
Folks are focusing on this point unnecessarily. Large scale real-time
collection and cracking of SSLv2 is still out-of-scope for everybody, I
suspect.

Large scale MITM, though, isn't, through compromised CA's, etc. That threat is
much more severe and affects basically all software that relies on SSL/TLS
(whatever version) for securing a connection or the CA system for validating
the authenticity of downloads. That's a much more serious problem.

If MSFT is indeed not honoring opt-out of CEIP and other programs, the issue
is them not honoring that preference. The particulars of the encryption built
on top of a broken model are not the issue.

------
nivla
Isn't SmartScreen's job to validate the signature of the executable file with
Microsoft? So it might just be sending the executable's signed public key to
check for validity/revocation. Since OP hasn't posted the unencrypted
communication we may not know. Doesn't Google do something similar with
chrome, it sends a part of the hash of every site you visit to its servers for
comparison to a list of malwares and phishing sites?

~~~
magikarp
An IP address sending a public key could still be enough to identify that IP
address x is trying to install software y.

~~~
nivla
Not with 100% accuracy, I must say. If you are a company developing products,
you would have many different products and all of those products end up being
signed using a single private key. So assuming that it only sends a company's
public key for validation, it would still have to take a guess as to which
product was downloaded.

------
yread
Is there any actual demonstration of a successful attack on SSLv2? I've found
only <http://seclists.org/pen-test/2010/Jul/14> which implies it is possible.
It would be a nice exercise to actually try to MITM the MS servers here.

------
quattrofan
I've already decided to steer well clear of Win8, going to buy a new laptop
before its forced upon me and wait for the next release. This just confirms my
decision.

~~~
TazeTSchnitzel
Why? You can turn it off. And Windows already had the sending of error
reports, did you avoid Windows XP too?

------
127
I'm confused. I thought Apple already did this? Also this is a norm in mobile
phones.

~~~
jpxxx
Those work the opposite way: a blacklist is downloaded nightly.

~~~
yuhong
Unfortunately anyone on the web can publish EXEs. Look at how big anti-virus
definitions are, for example.

~~~
slurgfest
Do you really want some central organization dictating who can make software
and who cannot? Who could you trust with that?

~~~
yuhong
I don't think they are preventing apps from being run, just showing a warning
message.

~~~
stinos
Seems likely. One reason I can think of: have you seen the amounts of crap the
average I-think-I-know-how-pcs-work human installs, causing the OS to become
totally unusable? And then they start blaming it on the OS?

------
gitarr
Well, we'll see if this is legal in Europe. Website cookies are regulated
already here, I guess this sort of abuse will have to be stopped as well.
Shame on Microsoft for another outrageous decision.

~~~
TazeTSchnitzel
Outrageous? And "Send Error Report" wasn't? And other security software
vendors sending file hashes isn't?

Please, explain why this in particular is so bad. It's tracking in a sense,
but they are not going to use it to violate privacy.

------
dakimov
Not sure what this guy is trying to say, but basically any kind of
'protection' based on connection to a server compromises your privacy. For
example, an anti-phishing feature that is turned on by default in most
browsers essentially reports EVERY page you visit to the anti-phishing
protection server (obviously, in order to check whether a site is 'good', you
must pass the site URL to the server, hence the server can log the URL, what
would have stopped it from doing this?). Doesn't it concern anybody?

~~~
gcp
Not necessarily. It may be what Internet Explorer does for _their_ malware
protection, but Firefox certainly _does not_ work this way.

The SafeBrowsing protection in Firefox downloads the _entire malware/phishing
database_ from Google in a highly compressed format, through incremental
updates, and this is completely uncorrelated to what you visit.

If a URL you browse to is found as a match in that _local_ database, then and
only then is a lookup to a remote server done to check if the compressed URL
was not a false positive, and if it's still up to date. This lookup isn't even
of the URL you visited, but of the SHA-256 of it. This allows one to verify that
it was a known malware URL, but it is not possible to reverse it and obtain your
URL if the hit was a false positive (due to the compression).

Firefox has some additional privacy protection here in that it will check a
whole bunch of random entries from the local database whenever there is a hit,
so even the party at the other end (Google) can't tell what malware URL, if
any, you _actually_ hit.

Google has added an additional, undocumented SafeBrowsing service to Chrome to
check downloaded files, and that one does send the URL off to Google for
scanning, but Mozilla has refused to implement this feature in Firefox until
the privacy concerns can be addressed.

Note that, aside from being much better for privacy, using a local database is
obviously of much higher performance than contacting a remote server for every
URL.
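The lookup flow described in the comment above (local prefix table, remote full-hash query only on a local hit, and random decoy prefixes in that query), as an added example that is not Mozilla's or Google's code. It models the mechanism rather than the real wire protocol: the prefix length, the absence of URL canonicalisation (the URL string is hashed as-is) and the in-process `FullHashServer` stand-in are assumptions for the example. The server object records every query it receives so the test can show what the remote side actually learns.

```python
"""Prefix-database URL check with a full-hash round trip only on a local hit.

Added example, not the SafeBrowsing implementation itself. Simplifications:
4-byte prefixes (assumed), no URL canonicalisation, and an in-process server.
"""
import hashlib
import random
from typing import Dict, Iterable, List, Optional, Set, Tuple

PREFIX_LEN = 4  # bytes of SHA-256 kept in the local table (assumed for the example)


def full_hash(url: str) -> bytes:
    return hashlib.sha256(url.encode("utf-8")).digest()


class LocalPrefixDB:
    """What the client stores: hash prefixes only, fetched independently of browsing."""

    def __init__(self, prefixes: Iterable[bytes]):
        self.prefixes: Set[bytes] = set(prefixes)

    @classmethod
    def from_urls(cls, urls: Iterable[str]) -> "LocalPrefixDB":
        return cls(full_hash(u)[:PREFIX_LEN] for u in urls)

    def match(self, url: str) -> Optional[bytes]:
        """Return the matching local prefix, or None if the URL cannot be listed."""
        p = full_hash(url)[:PREFIX_LEN]
        return p if p in self.prefixes else None


class FullHashServer:
    """Constructed stand-in for the remote full-hash service. It logs every
    query it receives, which is exactly what the operator would be able to see."""

    def __init__(self, bad_urls: Iterable[str]):
        self.table: Dict[bytes, List[bytes]] = {}
        for u in bad_urls:
            h = full_hash(u)
            self.table.setdefault(h[:PREFIX_LEN], []).append(h)
        self.queries: List[List[bytes]] = []

    def lookup(self, prefixes: List[bytes]) -> Dict[bytes, List[bytes]]:
        self.queries.append(list(prefixes))
        return {p: list(self.table.get(p, [])) for p in prefixes}


def check_url(url: str, db: LocalPrefixDB, server: FullHashServer,
              decoys: int = 3,
              rng: random.Random = random.SystemRandom()) -> Tuple[bool, bool]:
    """Return (is_listed, server_contacted).

    No local prefix match: answer locally, nothing leaves the machine.
    Local match: ask the server for the full hashes behind the matching prefix
    plus up to `decoys` random other prefixes from the local table, shuffled, so
    the server cannot tell which prefix (if any) was really hit. The final
    comparison against the returned full hashes happens on the client.
    """
    hit = db.match(url)
    if hit is None:
        return False, False
    pool = [p for p in db.prefixes if p != hit]
    query = [hit] + rng.sample(pool, min(decoys, len(pool)))
    rng.shuffle(query)
    answer = server.lookup(query)
    return full_hash(url) in answer.get(hit, []), True
```

The third case worth noticing is a prefix that matches locally but has no full hash behind it on the server (a stale or colliding entry): the server is contacted, but it only sees a handful of prefixes, and the client concludes the URL is not listed.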

~~~
Dylan16807
Overall I'm not impressed with chrome's download safety features. Last I
checked it flagged any unknown exes on <http://dl.dropbox.com> but trusted
unknown exes on <https://dl.dropbox.com>.

