RE: Microsot DID DISCLOSE potential Backdoor
From the April 2008 MSRT EULA (which is the latest I have):
"However, Microsoft may collect and publish aggregated data about the use of the software."
For all we know, Microsoft includes a database of signatures of known malware files on the removal tool being handed out to law enforcement, and that's the only information that's been handed over. Or perhaps Microsoft got the consent of specific users to hand information over to 3rd parties? We don't know, because we don't have facts.
At the moment all you have is:
a) one PC World article that claims Microsoft has used information gathered from the MSRT in the tool handed to law enforcement
b) even assuming that (a) is strictly correct, we don't know what information was actually used/included
c) and if the information is aggregate in nature (e.g. names and hashes of known malicious files) then it appears to be within the scope of the EULA that end users agree to anyway.
The stuff about IP addresses, from my reading of the article, is information gathered by law enforcement whilst running this new tool from Microsoft. Not information gathered from end users who are running the MSRT.
So, this is why I'm saying that your story's conclusions aren't supported by facts in evidence. At the moment it's all speculation. It may, or may not, have happened. We just don't know from the information presented to date.
Cheers
Ken
> -----Original Message-----
> From: J. Oquendo [mailto:sil@infiltrated.net]
> Sent: Wednesday, 7 May 2008 4:36 AM
> To: Ken Schaefer
> Cc: bugtraq@securityfocus.com; full-disclosure@lists.grok.org.uk
> Subject: Re: Microsot DID DISCLOSE potential Backdoor
>
> On Tue, 06 May 2008, Ken Schaefer wrote:
>
> > I'm not sure the facts in evidence support the conclusions reached
> here (sorry, not posting inline as I don't want to address each
> conclusion built upon some other shaky conclusion).
> >
> > From http://support.microsoft.com/kb/890830
> >
> > ======
> >
> > Either I am missing the point of J. Oquendo's post, or the
> conclusions I think he reaches are speculation rather than established.
> >
> > Cheers
> > Ken
> >
>
> Unsure if this made it to the list the first time, therefore I will
> retake.
> Outside of technical quoting I will lay it out in understandable terms.
> Microsoft DOES NOT NOTIFY THE END USER THAT INFORMATION TAKEN FROM
> THEIR MACHINE WILL BE FORWARDED TO ANYONE OUTSIDE OF MICROSOFT.
>
> This *IS NOT* speculation but fact. Since you provided the link for us,
> please go back and specify where Microsoft is telling us the
> information they gather from Windows Malicious Software Removal WILL BE
> sent to LAW ENFORCEMENT AGENCIES inside or outside the United States.
>
> Please read the article and the wording:
> http://www.pcworld.com/businesscenter/article/145257/microsoft_botnethu
> nting_tool_helps_bust_hackers.html
>
> /QUOTED
> The software vendor is giving law enforcers access to a special tool
> that keeps tabs on botnets, using data compiled from the 450 million
> computer users who have installed the Malicious Software Removal tool
> that ships with Windows.
> / END QUOTE
>
> Please find me anything in the EULA for WMSR tool that specifies they
> will do as they see fit with data from my machine?
>
> Now what's to stop them from using the same principle in the future:
> We obtained information before, no one cared. RIAA cares to get a
> baseline of how many Windows users have MP3's. Farfetched? I think
> not. What happens a-la AT&T wiretaps where Microsoft decides to say
> obtain whatever information they'd like regardless of telling you
> what they're doing with that information.
>
> So you argue... "Reporting is optional..." It sure is, but what do
> you think the response would be from MS users if MS stated "We will
> send your information to Law Enforcement agents anywhere..."
>
> /QUOTED:
> In February, the Sûreté du Québec used Microsoft's botnet-buster to
> break up a network that had infected nearly 500,000 computers in 110
> countries, according to Captain Frederick Gaudreau, who heads up the
> provincial police force's cybercrime unit.
> / END QUOTE
>
> Missing the part? It's black and white. If MS wasn't using information
> (flawed since it's relying on IP) then how did they correlate IP
> information back to law enforcement... OUTSIDE the United States...
>