Microsoft's Calling Home Problem: It's a Matter of Informed Consent

Discussion in 'Computer Security' started by ffreeloader, Jun 13, 2006.

  1. Bluerinse

    Bluerinse Exabyte Poster

    The originating device's MAC address does not propagate outside the local subnet, as I think Harry or d-faKtor confirmed recently on another thread in this forum.

    However, the public IP address (if you are not using an anonymous proxy service), is propagated to the destination and if somebody wanted to take the time and trouble to track you by that, it would be just a case of contacting your ISP and then marrying their logs up with the other unique info that Microsoft are gathering.

    I accept that if you keep moving from one customer's site to another that could confuse the issue but it wouldn't be too hard for them to see that more often than not, you log onto the Internet from a common location and that would most likely be your home or your work place.
     
    Certifications: C&G Electronics - MCSA (W2K) MCSE (W2K)
  2. ffreeloader

    ffreeloader Terabyte Poster

    OK. You may be correct. I know that when I have been sniffing packets I have always seen MAC addresses in the Ethernet packets on both packets sent from my computer and from packets received by my computer, but the other MAC address is the one from my SMC switch/router. However, this may be Ethernet-specific behavior. Whether or not it substitutes its own MAC address for my computer's MAC address after doing its NAT thing I do not know. Thought I did but it's possible I'm mistaken on this.

    I guess I'm going to have to break down and build myself a Linux firewall and router so I can capture the packets entering and leaving my network from my ISP to see for myself how a firewall that does NAT handles this as seeing the actual packets always gives me a much better idea of what is happening.
     
    Certifications: MCSE, MCDBA, CCNA, A+
    WIP: LPIC 1
  3. Sparky

    Sparky Zettabyte Poster Moderator

    I was under the impression that the public I.P address of the router\firewall at the client site I am located at would be recorded. To be honest as discussed I’m not 100% sure though.

    Back to the car example I wasn’t driving erratically. I have been pulled over and been given the whole “Is this your car sir?” speech. Then I have to take all my insurance documents down to the police station to prove it. It hasn’t happened in a long time so I’m hoping that’s the end of it. :biggrin

    Surely some amount of personal information has to be logged to prove the PC is still the same one in comparison to when the PC was first activated? The HD may have been moved to another PC or the original installation may have been imaged and then installed on various PCs without a volume licence key. Maybe there is a *valid* reason why the OS has to ‘call home’ more than once? :blink
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) MS-900 AZ-900 Security+ Network+ A+
    WIP: Microsoft Certs
  4. JonnyMX

    JonnyMX Petabyte Poster

    Why do people get so touchy about their PCs, the content of their hard drive and their internet usage?
    We've only had those things for ten minutes.

    What about the government checking your tax records?
    What are the NHS doing with your confidential medical files?
    What about the ex-school caretaker with no vetting or training who is watching you on CCTV when you leave your house?

    Come on, if we want to have a pop at the information gathering/invasion of privacy thing then give MS a break.

    If you have any services, credit cards, store loyalty cards, a licensed motor vehicle, a club membership - then someone is monitoring your life.

    Why should what happens on your PC be any different?

    In today's world, you can't escape being watched and monitored. I've got no problem with this, some government spy can bore his tits off watching me fill my car up with petrol, or MS can amuse themselves with the pr0n that I have on my PC.

    What really bugs me is that, given all this surveillance, why do we still find it as difficult as ever to collar the REAL crooks?
     
    Certifications: MCT, MCTS, i-Net+, CIW CI, Prince2, MSP, MCSD
  5. ffreeloader

    ffreeloader Terabyte Poster

    I'm not sure, but it seems to me that the real reason behind all the surveillance is civilian control, not stopping crime.... The real criminals have enough power, money, and influence to buy/negotiate their way out of the surveillance and/or the enforcement of the law. The little guys don't.

    Look at the spammers for an example. There should be more than sufficient evidence left behind to catch these guys, but they walk away and scoff at the law. If Blue Frog could find the spammers' real servers and DoS them with nothing more than legitimate opt-outs then the governments could find them and shut them down too, they just don't.

    And btw, I have practically none of the surveillance you mention where I live. My bank and probably the Post Office has some, but not too many other places do. It's one of the advantages of living in a small town.

    Besides, what MS is wanting to do is actually come inside the home and snoop where none of the other types of surveillance you mention exist. They want to be able to actually destroy personal property inside what has always been considered, even by law enforcement, pretty much sacrosanct. It's a huge step between surveilling someone outside their home, and surveilling someone inside their home. That's why the police must have reasonable suspicion and get a search warrant to search inside your home or tap your phone line.

    What MS is doing is bypassing all these personal privacies that have existed for centuries. They are demanding that you give up one of the more sacred rights that human beings have ever fought and died to obtain and keep: The right to privacy in your own home.

    You really need to study your own British history to see how people have valued this right over the centuries. It's been as important a struggle as the right to worship according to the dictates of a person's conscience. You give it up, and you're nothing more than a serf back in medieval times where the lord of the manor could come into your home at will.
     
    Certifications: MCSE, MCDBA, CCNA, A+
    WIP: LPIC 1
  6. fortch

    fortch Kilobyte Poster

    Again, the scapegoat painted on M$ is overkill. They are *not* monitoring anything outside of their product, and nothing has been proven on the inside -- this is all speculation! Have anyone's home network passwords been compromised yet? Your broadband provider is monitoring much more than MS ever did or will. Why no angst there? MS is simply trying to create the best OS they can, tailored to users. If you know anything about business, you know the greatest way to succeed is to know your customer base. The second way? Keeping their trust -- not to repeat myself, but have any bank account passwords, medical records, etc. been compromised by WGA? Not that I know. If you own a credit card, and shop at a local store, you should mistrust the seedy-looking clerk holding your card -- they have much less to lose than a successful company like Microsoft.

    Back to the car analogy (that was butchered). I don't know about you, but my car was built by Chevrolet, NOT by the police. When I roll into the dealer, my vehicle is validated each and every time -- the VIN is compared to the database, and if it matches, my level of warranty is revealed. In that, depending on what I require, the Service Writer will advise me if anything is covered. If I roll in there with a leaking radiator, and I'm not covered under warranty, should they replace it? Sure, but only if I pay. Now, if a recall comes out, it's imperative they know how to get notice to the owner of the vehicle -- so they have a fair amount of information as well. What? No way! They can't have my information -- it's personal! However, after I get rear-ended by a semi, because the recall notice (about inoperative brake lights) never made it to me, I'm all ready to sue for damages -- but don't have a leg to stand on. Why? Because I'm maintaining my anonymous status in the world.

    Sure, my examples are a bit wild -- but no more so than the blanket accusations being levied against M$. I know, the difference is that MS is inside our home, but only because we agreed to this during installation. YES, we bought a Microsoft product, brought it into our homes, and then criticize it for something that we aren't even sure of. How can we dictate how Windows does its job, based solely on the assumptions of what (in my previous career) we call SWAG (Scientific Wild Ass Guess)? If you don't believe in MS, then why are you purchasing and using their products? Part of investing in a product is trust -- ultimately, it's your CHOICE, right? Aside from that, to which most of us have done.... has anything been compromised? Why do people assume that this limited information being reported is anything but honorable? What, because MS has been competitive in big business? I'm sorry, but I'm more skeptical of my cable company, power company, credit card company, cell provider, dentist, doctor, and all staff that has access to all this information (don't forget every shady e-tailer that you've given your cc to). In fact, I'd wager that the vast majority of ID thefts come from insecure data at these businesses than at Redmond (although, it may be insecure OS or apps that may have been compromised :blink ).

    If we're so adamant that we are innocent until proven guilty, and that is a basis for our liberties, then why don't we afford the same rights to Microsoft?
     
    Certifications: A+,Net+,Sec+,MCSA:Sec,MCSE:Sec,mASE
  7. ffreeloader

    ffreeloader Terabyte Poster

    Ummm.... Does your local Chevy dealership take a look at your VIN and enter it into a database to see if they can possibly file criminal charges against you? (Remember the OK law MS helped write?) Do they take a look to see if you've changed the chip and then if you have take that issue beyond anything other than revoking your warranty? Are they going to revoke your license to drive your car because you changed the chip, i.e., the programming that runs the computer that runs your car? Are they going to look into your cd case and see if you have any mp3's you shouldn't have and then delete them and turn you over to the RIAA and police because you had them in your possession? Does your Chevy dealer require you to agree to such things before you can use your car?

    Ah, so repeated obfuscation, outright lies, and a long verifiable history of very unethical behavior are the ways to keep their customers' trust? Checking a legit user's computer every time he starts, or logs onto, it to see if he stole the OS is a way to generate trust between customer and corporation? Trust only works one way? MS customers are supposed to trust MS, but MS doesn't need to show the same respect toward their users? I always thought trust was a two way street. Do you see it otherwise?

    I guess I don't get your point, Fortch, at least not the point you thought you were making.

    See the above. Do you trust people who have shown the propensity to time and time again not be honest with you? If you think trusting your inalienable rights as a US citizen to a corporation who has shown they are unethical is a good idea, then by all means trust them, Fortch. I don't. I don't trust anyone who has proven to me they are unethical. I didn't think you would trust anyone who has proven themselves unethical either, but I guess I was wrong about that.
     
    Certifications: MCSE, MCDBA, CCNA, A+
    WIP: LPIC 1
  8. fortch

    fortch Kilobyte Poster

    Two things that I believe you may have overlooked:

    1. The source for any information of alleged ethical infringement, which is generated either by a) a competing entity, b) anyone that wants to 'take down' the big guy, or c) anyone in news that, rather than check their sources, reports it right away to beat the others of that ilk.

    2. MOST IMPORTANT, the concept of devil's advocate -- just because I argue a point, doesn't always mean that I agree 100%. Regardless, I believe these debates are very much needed -- not only do I learn more about the issue, but I hope the opposing party at least comprehends the other side, and gives credence to some points. I know I have learned, and my awareness has been raised -- but sadly, from your personal assessments of me and lack of acknowledgement, I don't believe I've done a fair job of defending. Or, you are just too immersed in this to see any but your own point.

    Anyways, I believe we've worn this topic out, so I'll step away -- and thank you for the informative links and posts, they are definitely food for thought. Touche!
     
    Certifications: A+,Net+,Sec+,MCSA:Sec,MCSE:Sec,mASE
  9. JonnyMX

    JonnyMX Petabyte Poster

    Thought you two were mates...

    :twisted:
     
    Certifications: MCT, MCTS, i-Net+, CIW CI, Prince2, MSP, MCSD
  10. Sparky

    Sparky Zettabyte Poster Moderator

    Would be an interesting convo in the pub! 8)
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) MS-900 AZ-900 Security+ Network+ A+
    WIP: Microsoft Certs
  11. fortch

    fortch Kilobyte Poster

    We are, but we are mature enough and smart enough to know that we won't agree on everything :D
     
    Certifications: A+,Net+,Sec+,MCSA:Sec,MCSE:Sec,mASE
  12. ffreeloader

    ffreeloader Terabyte Poster

    I know your side of the debate wants to minimize those who do the research and find the problems. However, take this current issue--wga/gan--as an example. It wasn't until people began reporting what they were finding that MS finally started to be forthcoming. MS is pushing these tools as security updates. Honest way to do this? Not even slightly. Second, as more and more information has come out about what is being sent back MS had to finally admit that they were collecting more than what they initially said. Honest way to do things? Not even slightly. With me this makes me far more suspicious than if they had just come out with press announcements and come clean from the very first as to what it was they were doing. Remember your comment on keeping trust with clients? That's how it's done, not by being secretive and dishonest.

    Hey, I felt the same way some times as you did the same thing I have done, focus on what you perceived as the main point or problem with the opposing point of view, and not answer other points. No biggie though, I've known you a long time.

    That's fine. I was thinking of saying the same as I felt your feelings were getting hurt and I didn't want that.

    When I debate an issue, it's no holds barred on the issues, and I really try to keep the personal stuff out of it. I asked some of the personal questions I did because I was so surprised at some of your answers. I thought they just dodged the issues I had raised, and knowing what you have said in the past about ethical issues I was very surprised that these things are not a major sticking point with you. My stand on this is fully transparent, so you know my answers are exactly what I think. If I were arguing the devil's advocate position, which I have a very hard time doing simply because I can't sell anyone of something I don't believe in myself, you would have tried to do the same with me. It's the weakness of the devil's advocate position.

    I wanted to hear your real stand on some things, not just the position you took for debate purposes. This medium isn't very good at signalling that and I didn't make that abundantly clear so that is my fault.
     
    Certifications: MCSE, MCDBA, CCNA, A+
    WIP: LPIC 1
