[Full-disclosure] Microsot DID DISCLOSE potential Backdoor
darth.jedi at ihackformoney.com
Wed May 7 22:27:18 BST 2008
Undisclosed breach of personal privacy, or great tool to thwart criminals?
I'm a bit torn - I think it's great that this tool can be used to help
identify and stop botnets (who really likes 'em anyway); but at the same
time, I am not very impressed that Microsoft hid(?) this disclosure from the
users - packaging the product as a tool to help users with malicious
software - does it even remove the malicious software or just monitor it? I
always was a bit confused when I couldn't find an interface for configuring
my Microsoft supplied Spyware protection! =P
Did anyone really have an idea that the Malicious Software Removal Tool was
scanning and sending information about their computers & their network usage
to Microsoft [and honestly - so what if the EULA said something to the likes
that "we might use some information gathered" - that's so vague, who really
reads that and thinks "Ok, they are going to be watching all the traffic
across my network if I install this tool"] - perhaps the fault is to be laid
at the users' feet - who inherently trust Microsoft - I mean, is that really
a good idea in the first place?
I also wonder, these EULAs usually say something to the effect of "this
information won't be used to personally identify you" - does the EULA of
MSRT state this, and if so, do botnet owners not count, and if not, we're
all pretty foolish to be installing it then aren't we?
And finally, who really reads the EULA anyway? :-).
Additionally, I wonder, how far can & will Microsoft go in using this tool?
Could they also not use it to hamper & impede competitors and to give them
an unfair advantage in the market place of desktop & networking software?
Who is governing what they collect and how it's being used, and whether it's
a breach of privacy, etc.
Next thing we know, Microsoft will have bought doubleclick - and they'll be
selling our personal web-habits to marketing firms (or monitoring us in
other ways that could be fully supported through use of such laws as the
Patriot Act)... (or do they already do that?).
Seems to me, at a minimum, the practice is a bit iffy from a privacy
perspective - perhaps a class action lawsuit might be on the horizon?
From: J. Oquendo [mailto:sil at infiltrated.net]
Sent: Tuesday, May 06, 2008 2:36 PM
To: Ken Schaefer
Cc: bugtraq at securityfocus.com; full-disclosure at lists.grok.org.uk
Subject: Re: Microsot DID DISCLOSE potential Backdoor
On Tue, 06 May 2008, Ken Schaefer wrote:
> I'm not sure the facts in evidence support the conclusions reached here
> (sorry, not posting inline as I don't want to address each conclusion built
> upon some other shaky conclusion).
> From http://support.microsoft.com/kb/890830
> Either I am missing the point of J. Oquendo's post, or the conclusions I
> think he reaches are speculation rather than established.
Unsure if this made it to the list the first time, therefore I will re-take.
Outside of technical quoting I will lay it out in understandable terms.
Microsoft DOES NOT NOTIFY THE END USER THAT INFORMATION TAKEN FROM THEIR
MACHINE WILL BE FORWARDED TO ANYONE OUTSIDE OF MICROSOFT.
This *IS NOT* speculation but fact. Since you provided the link for us,
please go back and specify where Microsoft is telling us the information
they gather from Windows Malicious Software Removal WILL BE sent to
LAW ENFORCEMENT AGENCIES inside or outside the United States.
Please read the article and the wording:
The software vendor is giving law enforcers access to a special tool that
keeps tabs on botnets, using data compiled from the 450 million computer
users who have installed the Malicious Software Removal tool that ships with
/ END QUOTE
Please find me anything in the EULA for WMSR tool that specifies they
will do as they see fit with data from my machine?
Now what's to stop them from using the same principle in the future:
We obtained information before, no one cared. RIAA cares to get a
baseline of how many Windows users have MP3s. Farfetched? I think
not. What happens a-la AT&T wiretaps where Microsoft decides to say
obtain whatever information they'd like regardless of telling you
what they're doing with that information.
So you argue... "Reporting is optional..." It sure is, but what do
you think the response would be from MS users if MS stated "We will
send your information to Law Enforcement agents anywhere..."
In February, the Sûreté du Québec used Microsoft's botnet-buster to break up
a network that had infected nearly 500,000 computers in 110 countries,
according to Captain Frederick Gaudreau, who heads up the provincial police
force's cybercrime unit.
/ END QUOTE
Missing the part? It's black and white. If MS wasn't using information
since it's relying on IP) then how did they correlate IP information
back to law enforcement... OUTSIDE the United States...
Full-Disclosure is hosted and sponsored by Secunia.