Windows 8 Tells Microsoft Everything You Install, Not Very Securely. (nadim.cc)
193 points by derrida on Aug 24, 2012 | 81 comments

This guy has a habit of trying to be a grandstanding security expert but being wrong a lot. In this example, he is wrong because although IIS will answer an SSLv2 connection, it will not actually process the request. Anyone who has done basic scanning for an audit is well aware of this false positive.

See here: http://billing.handsonwebhosting.com/knowledgebase.php?actio...

As he says:

"I haven’t checked whether Windows SmartScreen does in fact use SSLv2, but the fact that the Microsoft servers support it is concerning."

Yeah, maybe check next time before you shout that the sky is falling.

If you are concerned about the privacy issue (MS getting requests indicating what was installed - not the bogus MITM claim), disabling this is offered in the privacy settings, and it is even put in front of your face during OS install. Also, all major AV products do the same thing, except they're not as transparent about it.

Nothing to see here.
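What a scanner actually tests when it reports "server supports SSLv2" is whether the server answers an SSLv2 ClientHello with an SSLv2 ServerHello listing cipher kinds. The following is an added example (not the article's code, not anything from Microsoft, and not the scanner the commenter had in mind) that builds that ClientHello, parses the reply, and classifies it. Assumptions: the record layout and cipher-kind bytes follow the SSL 2.0 draft specification; the sample ServerHello and TLS-alert bytes used by `demo()` are constructed here, not captured from any real host. It deliberately stops at the hello exchange, which is exactly the point of the disagreement above: a ServerHello proves the server will negotiate SSLv2, not that it will go on to process an HTTP request over it. Confirming that needs a full SSLv2 handshake (for example `openssl s_client -ssl2` on an OpenSSL build old enough to still have it) followed by a real GET.

```python
"""Offline SSLv2 hello builder/parser with an optional live probe (added example)."""
import os
import socket
import struct

# SSLv2 cipher kinds: 3-byte identifiers from the SSL 2.0 draft specification.
SSLV2_CIPHERS = {
    b"\x01\x00\x80": "SSL_CK_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL_CK_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL_CK_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL_CK_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}
MSG_CLIENT_HELLO = 0x01
MSG_SERVER_HELLO = 0x04
SSLV2_VERSION = 0x0002


def build_client_hello(challenge=None):
    """Return an SSLv2 ClientHello record offering every SSLv2 cipher kind."""
    challenge = challenge if challenge is not None else os.urandom(16)
    ciphers = b"".join(SSLV2_CIPHERS)
    # msg type, version, cipher-spec length, session-id length, challenge length
    body = struct.pack(">BHHHH", MSG_CLIENT_HELLO, SSLV2_VERSION,
                       len(ciphers), 0, len(challenge)) + ciphers + challenge
    # Two-byte record header: high bit set, 15-bit body length, no padding.
    return struct.pack(">H", 0x8000 | len(body)) + body


def build_server_hello(cipher_kinds, cert=b"", conn_id=b"\x00" * 16):
    """Construct an SSLv2 ServerHello (used only for the offline demo/test)."""
    ciphers = b"".join(cipher_kinds)
    body = struct.pack(">BBBHHHH", MSG_SERVER_HELLO, 0, 1, SSLV2_VERSION,
                       len(cert), len(ciphers), len(conn_id)) + cert + ciphers + conn_id
    return struct.pack(">H", 0x8000 | len(body)) + body


def parse_server_hello(record):
    """Return the cipher kinds an SSLv2 ServerHello offers, or None.

    None covers everything that is not an SSLv2 ServerHello: a TLS alert
    (first byte 0x15), an HTTP error page, or an empty read after a reset.
    """
    if len(record) < 2 or not record[0] & 0x80:
        return None
    length = struct.unpack(">H", record[:2])[0] & 0x7FFF
    body = record[2:2 + length]
    if len(body) < 11 or body[0] != MSG_SERVER_HELLO:
        return None
    _msg, _hit, _cert_type, version, cert_len, cipher_len, _conn_len = \
        struct.unpack(">BBBHHHH", body[:11])
    if version != SSLV2_VERSION:
        return None
    ciphers = body[11 + cert_len:11 + cert_len + cipher_len]
    return [SSLV2_CIPHERS.get(ciphers[i:i + 3], ciphers[i:i + 3].hex())
            for i in range(0, len(ciphers) - len(ciphers) % 3, 3)]


def classify(reply):
    """Turn a raw reply into the verdict a scanner would print."""
    kinds = parse_server_hello(reply)
    if kinds is None:
        return "no SSLv2 ServerHello"
    if not kinds:
        return "SSLv2 ServerHello with no cipher kinds (handshake cannot complete)"
    return "SSLv2 negotiable: " + ", ".join(kinds)


def probe(host, port=443, timeout=5.0):
    """Live check: send the ClientHello and classify whatever comes back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        try:
            reply = sock.recv(4096)
        except socket.timeout:
            reply = b""
    return classify(reply)


def demo():
    """Offline walk-through on constructed replies (no network access)."""
    v2_reply = build_server_hello([b"\x01\x00\x80", b"\x07\x00\xc0"])
    tls_alert = b"\x15\x03\x01\x00\x02\x02\x28"   # constructed TLS handshake_failure alert
    return classify(v2_reply), classify(tls_alert), classify(b"")


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Run `probe("example.invalid")` against a host you are authorized to test to get the same verdict on live traffic; a "no SSLv2 ServerHello" result is the only one that settles the question in the server's favour, while "SSLv2 negotiable" is the scanner finding whose practical impact the thread is arguing about.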

Author here. Let me ask you something: Have you checked if SSLv2 connections are actually dropped?

The point of my article isn't SSLv2, it's privacy concerns. Also, I did actually check and disabling SmartScreen doesn't seem to be offered during OS install, did I miss something?

Thanks for the disgusting ad-hominem! It totally aids your missing the point.

Edit: Whoa, I think I've figured out why this guy is being so personal; his submission history includes promoting a security company I left after a brief stint. Small world!

You can disable smartscreen during install: http://www.winsupersite.com/content/content/142370/clean_13....

Ah, thanks! Updating article accordingly!

It's not worth getting worked up over a jerk on the internet. The comment you are replying to was indeed rude, but stick to disagreeing on the facts and leave it at that. I find that's the best way to get others to do the same.

You're concerned about privacy but you didn't even check what kind of data was being sent by the server before writing this article...

That's a follow-up that anyone can do and corroborate. You're more than welcome to, I'm sorry my article was lacking in that regard.

Edit: Just updated the article with information on that!

This article would have read better without the SSL related discussion, which I think distracts from the major point.

In general, though, I think we're at the point where we can stick a fork in the trust model we've been using up to this point. 2v3/TLS 1.1/EC+DHE isn't the issue, and the more time we spend talking about those issues, the less time we spend focusing on fixing the fundamentals of internet security 3-5 years from now, which we need to actually get right this time.

re: your privacy concern - if that is the concern why did you mention the SSLv2 stuff at all? Although I really don't like smart-screen filter there are really only two ways this could work - Win8 downloads a big white/black list every night, or it checks each time an .exe is launched. I don't think it is particularly shocking that it does the latter.

Microsoft already gathers lots of information from customer experience improvement data and crash dumps and stuff like that, and goes to tremendous efforts to ensure that it is never traceable back to an individual. I don't know for sure but I'd be surprised if the same policies were not in play here also.

Guess again?

Oh! Sorry, my mistake.

Maybe I'm misunderstanding, but wouldn't the real issue be whether the Windows 8 client will use SSLv2, not whether the server does? I'm imagining a third party doing a MITM attack, posing as Microsoft's SmartScreen server and saying it only does SSLv2.

Typically the client checks to see whether the server has the right certificate. That protects against this.

You're absolutely right. If only the server supports SSLv2 then there's not much an attacker can do.

> disabling this is offered in the privacy settings, and it is even put in front of your face during OS install.

What's the default behavior? I think we've all had experiences (or know of) of not-entirely-reading all things and ending up with eight new IE taskbars installed.

"Lastly, users can choose to disable SmartScreen if they want to. Granted, most users wouldn't even know of SmartScreen, much less the potential privacy concerns. :)"

The article would be a little more convincing if the author had checked that SmartScreen actually uses SSLv2, rather than simply running on a web server which happens to support the protocol.

Also no mention of how this relates to CEIP (Consumer Experience Improvement Program), Microsoft's program to gather usage metrics. Includes much more than just what programs you installed, but is very well anonymized.

Agreed. Personally I wouldn't care if anyone intercepted a message saying what app I just installed. The author also neglected to mention if the payload contains anything that identifies the user.

It's SSL, how are you supposed to be able to read the payload? The article also explicitly mentions that no tests were run to figure out whether SSLv2 is used by the client.

You wouldn't personally care if messages were intercepted regarding the apps you're installing, but imagine the kind of leverage it would give someone trying to profile a network of activists in Syria. The exact version number of every app on every computer, perfect for studying the exploit surface.


I've updated the article with information on what SmartScreen sends.

The article doesn't actually say that Microsoft is using SSLv2, but if they were, then someone could potentially execute a man-in-the-middle attack against a user of the service. Which is to say, they'd know exactly what you're downloading, along with any other information this service sends to Microsoft, and they'd be able to provide you with fake results for the software safety check that this service provides. Odds are they would also have your IP address, so they could also potentially link this to you (e.g. via your other browsing behavior over insecure HTTP). It would be a pretty serious flaw.

First they came for the socialists, and I didn't speak out because I wasn't a socialist.

The SmartScreen connection uses SSLv3 just fine on my machine. Here's an example payload: https://gist.github.com/3448961 (I initially posted this on HN directly, which broke the site layout, so I deleted that post -- sorry about that!)

The base-64 encoded strings in the request are the HTTP referrer and the download location, respectively. The "client key" and "MAC" seem to be API key-like authenticators. Not sure what the GUIDs are about.

Anyway, the use of this data has been explained in quite a bit of detail a long time ago already: http://windows.microsoft.com/en-US/windows-vista/smartscreen....

As said elsewhere already, the feature is easy enough to turn off. And there is definitely an opt-in question somewhere, as I had to enable the feature on my machine in order to test it...

If one loads an app on Apple's popular smartphone, Apple keeps a record of it. Along with one's credit card number and potentially a large amount of location and connectivity data.

If one loads an app on Facebook or searches on Google or even visits a commercial website one's privacy is likely to be compromised.

None of this makes Windows behavior entirely devoid of causing concern, but in my opinion, Microsoft is more trustworthy filling that role than the crapware antivirus providers who have been doing it for years.

The problem is that Smartscreen is on by default. Most users are going to have trouble enough trying to forget about the missing Start Menu even after watching the Welcome Intro let alone fumble through looking for some way to disable this option.

Malware protection requiring surrendered privacy seems a pretty crappy "feature." Why can't Microsoft do better?

How? By constantly downloading the entire database of every application to your local drive? Where it would not only take up space, but could be modified to allow anything in? The author says nothing about _what_ exactly is being sent to MS, all he can say for sure that a request is sent to that URL. And about it being turned on by default - as long as it can be turned off, this is _good_. The main problem with security features (like Windows Update for a long time) that are not turned on by default is that your regular Joe user will never turn those on, thus ending up with a terribly out of date, insecure system.

How? By constantly downloading the entire database of every application to your local drive? Where it would not only take up space, but could be modified to allow anything in?

Yes, and no.


(besides, if you can just tamper with the filesystem you're kinda in already)

Most users are going to have trouble enough trying to forget about the missing Start Menu even after watching the Welcome Intro...

Exactly, most users being the key point. You need to target all this stuff for the lowest common denominator and unfortunately for those of us on HN... but at least we have the knowledge that this exists. I think krautsourced's point stands.

Damned if you do, damned if you don't!

On a slightly different note concerning privacy:

How much more of this will we take before enough people demand privacy again? What event has to happen? On our phones, applications can't even be downloaded until monitored and approved by the corporation (one step further than this). Our desktops have been moving in this direction for some time already.

>How much more of this will we take before enough people demand privacy again?

Probably when actual privacy issues surface, not this "zOMG Microsoft collects a hash and IP!" nonsense. Between crash dumps, the CEIP, and other downloads directly from their site, this is a complete and total non-issue.

Linux from Scratch. Build it for the ones you love.

That was a very interesting and funny read! Thanks!

Why would I need to build LFS to get privacy? If my only purpose is privacy it's a ludicrous amount of work.

It sucks but the why is clear: because it's becoming the only way to get it (for some definition of "from scratch" ofc).

I am not going to let anyone know the software that I have installed, nor will I trust or depend on a white list issued by a big private corporation with business interests.

The only real issue I have with them using this method is whether or not Microsoft will then have a legal obligation to report the downloading of any software which could in the future become illegal, I'm thinking packages like Tor which can be used to directly contravene law enforcement efforts regarding things like child pornography.

I'm not saying I support it, but what I am saying is I would feel very uncomfortable knowing that my computer company would instantly inform the police if I downloaded "suspicious software" regardless of my purpose, but that's just a glimpse of where I see their next move being after the idiocy of ACTA and all the recent changes to privacy laws.

Furthermore, the intent of Tor is the empowerment of dissidents under oppressive regimes.

I imagine there's little likelihood that this capability could have impeded the Arab Spring since Microsoft wouldn't have cooperated, but it seems like this would create a vulnerability for Microsoft doing business in China. If China decided they wanted to more actively monitor software intended to bypass firewalls and circumvent censorship policies, I wonder how effectively Microsoft could resist.

Tor would be useless if it was only for dissidents!

You should think of Tor as a tool for everyone, where we all cooperate to increase our privacy, and have anonymity when we need it.

Tor's a bad example, Tor does not hide the fact you are using it usually. It simply hides what you are doing with it. Although I believe there is some sort of proxying system.

FYI Google keeps a big list of every app you've ever installed through Android Market/Play Store; it stays in "My Apps" even if you uninstall it.

I do not use Google products for this reason.

Which comes in handy when you get a new phone...

Apple do the same for the iPhone/iPad/iPod.

I do not use Apple products for this reason.

Privacy aside, if this feature didn't exist, you'd have people complaining (hey, even i'd probably be one of them) that applications they paid for are obscured from being found again.

The big difference here is that you can sideload other apps if you want. So you have the convenience of a centralized app source without the insane restriction that you need the consent of some corporate third party to install software on your (mobile) computer.

But you can sideload other apps on Windows 8. You can bypass smartscreen if you want to override it, or you can turn it off entirely. What's the difference?

What's really scary is the entire industry is doing their best to make this normal and they've enjoyed phenomenal success so far. This is almost Microsoft playing catch up.

As others have already mentioned, it's a trade off. They remember it for you, wholesale. This works out great when you need to install an app that you bought already onto a new device, etc. The people who really care about/need this type of privacy are surely not "scared". They already know how to avoid these helpful services, right? It's not rocket science. If it matters to you, then you figure out how to do it. The paid app vendors (Apple, etc) really are trying to be helpful here, not nefarious, imo.

Begging the question a bit here, so much so that I was tempted to just post '?'. I assume you mean Apple, but Apple checks locally for code-signing, it doesn't phone home. Which is what the problem is.

I'm not specifically meaning Apple although they're certainly part of it:

- iTunes and App Store

- Steam

- Windows Phone marketplace, MSDN, upcoming software marketplace

- Amazon App Store and Google's Play Store

- Chrome Web Store and Firefox's add-on marketplace

- Ubuntu Software Center, package managers in general

- Facebook's App Center

- Github, Google Code and SourceForge

I doubt there's anyone on HN who doesn't have a long history with a lot of names on that list. Almost every piece of software and game I have on every device I use has come via this list.

But I'm sure all of these .. centralized installation hubs I guess .. are reasonably vindicated by their privacy policies - where everyone's idea of 'reasonably' is different and most of them aren't like ours.

Centralized software distribution channel != phoning home every time any software is installed on a computer. You are citing examples of the first, the second is what the article is about.

I feel it's biased when people say all the information about apps being installed on our system will be known to Microsoft. Is it OK for Apple to know the information about Mac apps???

If you don't jailbreak your iPhone or iPad, then it's pretty much the same, and even worse, because the only way of getting the software is through the AppStore.

All information that gets sent to Apple goes over SSL v3, not v2 (just checked). This is the case however with Microsoft (v2). V3 is a lot more secure than v2. However, I still agree, it should be asked if the information can be sent to Apple in the first place.

Folks are focusing on this point unnecessarily. Large scale real-time collection and cracking of SSLv2 is still out-of-scope for everybody, I suspect.

Large scale MITM, though, isn't, through compromised CAs, etc. That threat is much more severe and affects basically all software that relies on SSL/TLS (whatever version) for securing a connection or the CA system for validating the authenticity of downloads. That's a much more serious problem.

If MSFT is indeed not honoring opt-out of CEIP and other programs, the issue is them not honoring that preference. The particulars of the encryption built on top of a broken model are not the issue.

As far as I know, SSLv3 is more secure than SSLv2 against outside manipulation because of the hash of all old messages..

Isn't SmartScreen's job to validate the signature of the executable file with Microsoft? So it might just be sending the executable's signed public key to check for validity/revocation. Since OP hasn't posted the unencrypted communication we may not know. Doesn't Google do something similar with Chrome, it sends a part of the hash of every site you visit to its servers for comparison to a list of malware and phishing sites?

An IP address sending a public key could still be enough to identify that IP address x is trying to install software y.

Not with a 100% accuracy I must say. If you are a company developing products, you would have many different product and all of those products end up being signed using a single private key. So assuming that it only sends a company's public key for validation, it would still have to take a guess as to which product was downloaded.

Is there any actual demonstration of a successful attack on SSLv2? I've found only http://seclists.org/pen-test/2010/Jul/14 which implies it is possible. It would be a nice exercise to actually try to MITM the MS servers here.

I've already decided to steer well clear of Win8, going to buy a new laptop before it's forced upon me and wait for the next release. This just confirms my decision.

Why? You can turn it off. And Windows already had the sending of error reports, did you avoid Windows XP too?

I'm confused. I thought Apple already did this? Also this is a norm in mobile phones.

Those work the opposite way: a blacklist is downloaded nightly.

Unfortunately anyone on the web can publish EXEs. Look at how big anti-virus definitions are, for example.

Do you really want some central organization dictating who can make software and who cannot? Who could you trust with that?

I don't think they are preventing apps from being run, just showing a warning message.

Seems likely. One reason I can think of: have you seen the amounts of crap the average I-think-I-know-how-PCs-work human installs, causing the OS to become totally unusable? And then they start blaming it on the OS?

If one company does something wrong it does not excuse other companies from doing the same thing wrong.

True, but it seems like nobody cares about Apple having that information.

OS X sends info on apps installed outside of the app store back to Apple?

Well, we'll see if this is legal in Europe. Website cookies are regulated already here, I guess this sort of abuse will have to be stopped as well. Shame on Microsoft for another outrageous decision.

Outrageous? And "Send Error Report" wasn't? And other security software vendors sending file hashes isn't?

Please, explain why this in particular is so bad. It's tracking in a sense, but they are not going to use it to violate privacy.

Not sure what this guy is trying to say, but basically any kind of 'protection' based on connection to a server compromises your privacy. For example, an anti-phishing feature that is turned on by default in most browsers essentially reports EVERY page you visit to the anti-phishing protection server (obviously, in order to check whether a site is 'good', you must pass the site URL to the server, hence the server can log the URL, what would have stopped it from doing this?). Does it not concern anybody?

Not necessarily. It may be what Internet Explorer does for their malware protection, but Firefox certainly does not work this way.

The SafeBrowsing protection in Firefox downloads the entire malware/phishing database from Google in a highly compressed format, through incremental updates, and this is completely uncorrelated to what you visit.

If a URL you browse to is found as a match in that local database, then and only then is a lookup to a remote server done to check if the compressed URL was not a false positive, and if it's still up to date. This lookup isn't even of the URL you visited, but of the SHA-256 of it. This allows verifying if it was a known malware URL, but it is not possible to reverse it and obtain your URL if the hit was a false positive (due to the compression).

Firefox has some additional privacy protection here in that it will check a whole bunch of random entries from the local database whenever there is a hit, so even the party at the other end (Google) can't tell what malware URL, if any, you actually hit.

Google has added an additional, undocumented SafeBrowsing service to Chrome to check downloaded files, and that one does send the URL off to Google for scanning, but Mozilla has refused to implement this feature in Firefox until the privacy concerns can be addressed.

Note that, aside from being much better for privacy, using a local database is obviously of much higher performance than contacting a remote server for every URL.
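The local-database design described in this comment, and the "must you send every URL to the server?" question in the comment it answers, come down to a small amount of code. Below is an added example (not Mozilla's or Google's implementation, and not code from the article) showing the mechanism end to end: the client downloads only hash prefixes, consults them locally, and only on a prefix hit asks the server for full hashes, mixing the real prefix with random decoys so the server cannot tell which one triggered the query; the full-hash comparison then happens on the client. Assumptions: 4-byte prefixes of SHA-256 over a canonicalized URL (the real protocol's canonicalization and host/path suffix expansion are more elaborate; `canonicalize()` here is a simplified stand-in); the list server is an in-process stub; the bad URLs in `SAMPLE_BAD_URLS` are constructed `.test`-domain names for the demo.

```python
"""Prefix-based malware-list lookup with decoy queries (added example)."""
import hashlib
import random
from urllib.parse import urlsplit

PREFIX_LEN = 4   # bytes of SHA-256 kept in the local list
DECOYS = 3       # extra random prefixes sent alongside a real hit

# Constructed sample entries for this example only; .test is a reserved TLD.
SAMPLE_BAD_URLS = [
    "http://malware.example.test/drop.exe",
    "http://phish.example.test/login",
    "http://bad-ads.example.test/",
    "http://trojan.example.test/setup.exe",
    "http://fakeav.example.test/scan",
]


def canonicalize(url):
    """Simplified canonical form: lowercase host, drop scheme, port and fragment."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").rstrip(".")
    path = parts.path or "/"
    return host + path + (f"?{parts.query}" if parts.query else "")


def full_hash(url):
    return hashlib.sha256(canonicalize(url).encode("utf-8")).digest()


def prefix(url):
    return full_hash(url)[:PREFIX_LEN]


class ListServer:
    """Stand-in for the remote service; it knows the full hashes of bad URLs."""

    def __init__(self, bad_urls):
        self.full = {full_hash(u) for u in bad_urls}
        self.queries = []  # everything the server ever gets to see

    def prefixes(self):
        """The (compressible) prefix list the client downloads up front."""
        return sorted({h[:PREFIX_LEN] for h in self.full})

    def lookup(self, prefixes):
        """Full-hash lookup: returns all full hashes matching any sent prefix."""
        self.queries.append(list(prefixes))
        wanted = set(prefixes)
        return [h for h in self.full if h[:PREFIX_LEN] in wanted]


class Client:
    def __init__(self, server, rng=None):
        self.server = server
        self.local = set(server.prefixes())   # downloaded once, updated incrementally
        self.rng = rng or random.Random()

    def is_unsafe(self, url):
        h = full_hash(url)
        p = h[:PREFIX_LEN]
        if p not in self.local:
            return False  # the common case: no network traffic at all
        # Prefix hit (possibly a false positive): ask about it plus random
        # decoys from the local list, shuffled so the server cannot tell
        # which prefix actually matched a page the user visited.
        pool = sorted(self.local - {p})
        query = [p] + self.rng.sample(pool, min(DECOYS, len(pool)))
        self.rng.shuffle(query)
        # The full hash is compared locally; the server never sees the URL.
        return h in set(self.server.lookup(query))


def demo(seed=1):
    """Run one hit and one miss; return the verdicts and what the server saw."""
    server = ListServer(SAMPLE_BAD_URLS)
    client = Client(server, random.Random(seed))
    hit = client.is_unsafe("HTTP://Malware.example.test/drop.exe#fragment")
    miss = client.is_unsafe("https://news.ycombinator.com/")
    return hit, miss, server.queries


if __name__ == "__main__":
    hit, miss, seen = demo()
    print("malware URL flagged:", hit)
    print("benign URL flagged:", miss)
    print("server saw", len(seen), "query of", [len(q) for q in seen], "prefixes")
```

The benign visit generates no query at all, and the single query the server does see contains 1 + DECOYS prefixes and no URL; that is the property this comment is contrasting with a design that ships every visited URL to the server.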

Overall I'm not impressed with chrome's download safety features. Last I checked it flagged any unknown exes on http://dl.dropbox.com but trusted unknown exes on https://dl.dropbox.com.
