
Microsoft Misrepresenting WGA's Functionality?

Posted by Zonk
from the first-time-for-everything dept.
Legal Ethics writes "According to an article on Groklaw, Microsoft is misrepresenting what the Windows Genuine Advantage (WGA) tool is to pressure people into installing it. It comes with no uninstall, it fails to disclose many pieces of information it provides to Microsoft, and it misrepresents itself as a 'critical update' when it does not address any security vulnerability, although it remains to be seen if it can create one. ZDNet has a series of screenshots so that you can see exactly how badly it misrepresents itself. Oh, and it also checks for updates, so Microsoft can presumably execute arbitrary code on any machine with it installed, merely by making that code part of a WGA update."
  • That's interesting (Score:4, Interesting)

    by Poromenos1 (830658) on Sunday June 11, 2006 @06:42PM (#15514062) Homepage
    I had never thought of that. I just assumed that it's within a company's power to give people updates to ensure they've paid for the software, but come to think of it, the ones who have paid for it shouldn't have to put up with anything they don't want to, and the ones that haven't, well, they're probably not going to.
  • by Vegeta99 (219501) <rjlynnNO@SPAMgmail.com> on Sunday June 11, 2006 @06:49PM (#15514081)
    That stupid icon has been bitching at me to install the new WGA Tool for days now. Considering I ALREADY installed it and verified my installation, I figured the reboot wasn't worth it and have not installed it yet. Guess that was a good thing.

    Why would I need to re-verify my installation anyway?
  • by Anonymous Coward on Sunday June 11, 2006 @06:52PM (#15514089)

    Since Windows is sending information home, and the user has no control over that messaging with regard to timing or content, it seems to me HIPAA-compliant systems (and other systems requiring security) cannot be built on Windows.

    What an opportunity for the open source world!

  • Re:Sad... (Score:1, Interesting)

    by Anonymous Coward on Sunday June 11, 2006 @06:58PM (#15514106)
    You say "their own operating system" as if my computer is their property. Does driving a GM mean that GM would be within their rights to disable my car via OnStar if I failed to prove to them every day that I had not stolen it?
  • by Anonymous Coward on Sunday June 11, 2006 @07:00PM (#15514116)
    I remember installing this on one of my Windows computers. I wanted to see what it would do because it was a pirated version. It actually went off without a hitch and I could install the software I wanted that required WGA approval.

    Does it actually check to make sure the versions are legit now?
  • by ehaggis (879721) on Sunday June 11, 2006 @07:01PM (#15514119) Homepage Journal
    Non-admins may get the euphemistic warning of possessing pilfered software,
    http://forums.microsoft.com/Genuine/ShowPost.aspx?PostID=370244&SiteID=25/ [microsoft.com]
    Notice the MS solution, delete this, open up all permissions on that (good idea?), read, write, execute, delete for everyone! Or pay-up to get your copy of MS Winders to shut up.

    Nothing like family (non-admins) and employees (non-admins) thinking they have purloined software. Isn't an unfounded accusation called, "Libel" http://dictionary.reference.com/search?q=Libel/ [reference.com]?

    (My SuSE never accuses me with false accusations.)

  • WGA virus? (Score:2, Interesting)

    by Sathias (884801) on Sunday June 11, 2006 @07:05PM (#15514136)
    Oh, and it also checks for updates, so Microsoft can presumably execute arbitrary code on any machine with it installed, merely by making that code part of a WGA update.

    If this is true then it is only a matter of time before someone hacks it and uses it to write some malware which only damages people who own a genuine copy of Windows. Surely Microsoft can't be *that* stupid?
  • index.dat, anyone? (Score:2, Interesting)

    by Crazyscottie (947072) on Sunday June 11, 2006 @07:18PM (#15514169)
    Does anyone remember those annoying little "undeletable" index.dat files that Windows keeps for no apparent reason? Ya know, the ones that log each and every website you've ever visited [acesoft.net] ? Call me a conspiracy theorist, but with the NSA's recent actions, I think Microsoft would see this as the perfect opportunity to start sending those directly to Big Brother on a daily basis.
  • Re:Somewhat obvious. (Score:4, Interesting)

    by WhyCause (179039) on Sunday June 11, 2006 @07:47PM (#15514263)
    It's not entirely true that you have to install it.

    If you choose the 'Expert' installation option, you have the option of not installing the WGA update; Windows Update then asks if you'd like to turn off notification of that particular update.

    That is, of course, what I did.

    Of course, for all I know, WU goes ahead and installs it anyway.
  • MS's defines spyware (Score:4, Interesting)

    by OmegaBlac (752432) on Sunday June 11, 2006 @08:09PM (#15514333)
    Seen in the groklaw comments thread: Microsoft's definition of spyware:
    "spyware: Software that can display advertisements (such as pop-up ads), collect information about you, or change settings on your computer, generally without appropriately obtaining your consent."
    Pop-up ads? That pop-up bubble is annoying and is just as bad. Check.
    Collects info about user? Collecting info about my hardware and my installation without my consent is close enough. Check.
    Change settings on my computer? You cannot remove it without some hack. Check.
    Doing all this without "appropriately obtaining your consent"? Hell yes check.
    WGA is spyware by Microsoft's own definition.
  • by Spiked_Three (626260) on Sunday June 11, 2006 @08:11PM (#15514340)
    One thing I will credit Microsoft for is that I do not know ANYONE, legitimate or not, where Windows stopped running because of verification failure.

    In 2 personal cases, other products I paid a lot of good money for stopped. First, Norton anti-virus, after a hard drive failure, would not validate and refused to run on the new hard drive.

    And second, the most evil spyware in the universe - Steam - tells me I have a banned CD key - I'm sitting here looking at a CD, a box, a manual, and a receipt for $50 and I have never given a copy of anything to anybody - and they call me a crook and ban me - I swear if I ever get the opportunity I will do physical harm to someone who is responsible for Steam. Then their joke of tech support says they can't offer any help since I have a banned key. Don't cross my path in a dark alley, I'll ban your head from your shoulders, thieves.
  • by Aladrin (926209) on Sunday June 11, 2006 @08:15PM (#15514359)
    Yeah, it does. One known-pirated computer that I know of (I used to work at a computer store) used to have WGA report as valid. A few months later, it reported as pirated (which was true.) So yeah, it does a better job of checking now. How good? I dunno.
  • by Jackie_Chan_Fan (730745) on Sunday June 11, 2006 @08:56PM (#15514471)
    I reinstalled XP recently and my key decided to "run out of activations" so I had to call up MS. I was furious...

    I contemplated installing the various corporate versions and hacked Pro versions that I have on backup just out of spite.

    But instead I called up MS and went through their automated crap, which is a nightmare in stupidity. After it finished it told me "I can not activate my key and to hold on for an operator"

    YAY.

    So I get to the operator... I give her the code, she gives me a new key... all is solved...

    Not so fast...

    I go to install updates... and WGA must be installed first...

    OK let's do it...

    ERROR.. UNKNOWN ERROR.

    What?! What the fuck?

    I call MS tech support...

    The guy is completely useless and puts me through to a smarter tech...

    As I'm waiting for brainiac to pick up, I discover that by default Windows XP installs IE with "Custom" security settings which does not allow WGA to install.

    So let's recap. WGA won't install automatically on a default XP install because IE is set to custom security rather than "Medium".

    Oh the stupid headache...

    So I figure it out while waiting and then the guy picks up; 'cause I'm a nice guy I waited to tell him what the problem was...

    I tell him and I hang up.

    WGA is not only a pain in the ass for legal users... the activation itself in Windows is downright stupid. I have to call MS every time I want to reinstall now.

    Which is what? Every month?

    I made an image of the boot drive install instead. No thanks MS.

    It's just too much. I don't care about MS's bottom line, I care about the dollars I spent and it's a headache. Too much is too much and that too much was WGA itself.

    I have the corporate and hacked WGA versions, I know how to reg hack the WGA dll out and kill access to it and bypass the Windows update...

    BUT I also OWN my Windows... I tried to do the right thing and in the end, yeah it works but it was a big fucking headache that I'm not willing to deal with any more. Things are only going to get worse as DRM and every other attempt made at taking control of your computer is made by these companies.

    I'd like for it to be known that it's just as easy to run the hacked versions with less of a headache... I was on the verge of doing it out of spite...

    I only wanted to know why my key wasn't working and why WGA was not allowing me to update 'cause I was angry... That's the only reason I am running my legit copy of XP now.

    I'd gladly explore other options next time if it means saving my time and my sanity.
  • by grotgrot (451123) on Sunday June 11, 2006 @08:59PM (#15514485)
    After installing Office 2007 beta, I couldn't get it to activate. I did some tracing with Ethereal and found that an https connection was made to Microsoft servers and a blob of data sent. Microsoft servers don't respond and 60 seconds later the connection is closed. After installing WGA, the Office 2007 activation worked fine.

    In case anyone is curious, these are the benefits Microsoft claims if you use WGA: http://go.microsoft.com/fwlink/?linkid=39157 [microsoft.com]

    What is really funny is that if you click Validate Now on that page and you are using Firefox, it wants to install a plugin for Firefox. Yes, Microsoft has written a plugin for Firefox!
  • WGA (Score:3, Interesting)

    by mikeboone (163222) on Sunday June 11, 2006 @09:00PM (#15514488) Homepage Journal
    Ed Foster blogged about the EULA [gripe2ed.com] a while back. Strange that the software needs a unique EULA at all.

    What I can't figure out is why MS needs to monitor the legitimacy of your copy of Windows XP in real time. Is a valid copy suddenly going to become illegitimate for some obscure reason?
  • by BCW2 (168187) on Sunday June 11, 2006 @09:40PM (#15514632) Journal
    You are thinking the same way Sony did about the rootkit. In the words from a deputy director of Homeland Security about Sony, "it may be your IP, but it's NOT your computer"! The same applies here, Gates didn't pay for the computer or the electricity to run it, so what's on it is none of his business.
    A M$ piece of spyware reporting home in realtime is just setting the stage for remote control over your software choices. Think about the RIAA/MPAA asking M$ to disable Limewire on all computers for a big enough bribe. Or M$ deciding that they don't want Open Office to run on their OS. It will happen!
    There has never been a reason to trust M$ and I don't see that changing.
  • Re:WGA (Score:3, Interesting)

    by karmatic (776420) on Sunday June 11, 2006 @10:19PM (#15514760)
    Actually, yes.

    Got this little gem from my company's Microsoft rep. There are a variety of "leasing" options available, where a) your volume license expires after so long, or b) you get MS product à la carte (i.e. SQL server for $X/mo, and can scale up as needed - targeted at hosting providers).

    This will allow them to deactivate these machines remotely, even if the user plays games with the clock. The rep also made it sound like there were plans to eventually add support for other Microsoft apps (Office, SQL Server, etc.) as well.
  • by Deagol (323173) on Sunday June 11, 2006 @10:23PM (#15514772) Homepage
    First, try a live-CD distro (like Knoppix). Mess around with it a few times, just to see how it goes. See if your hardware is compatible. If you're missing a few linux-friendly things, treat yourself to an upgrade with linux in mind. :) Worst case, assuming you ditch the penguin forever, is you have a nicer rig to use.

    Next, once you're comfortable with configuring a live-CD, back up your data and do a dual-boot install. Use linux as much as you can stand it, then switch back to Winderz for the few must-have apps. If you hate it, dump linux and you'll have a fresh Windows install that may run well for a few months. ;-)

    Once you convert to OSS versions of most of your apps, and are comfortable with linux being your primary environment, back up your data then install a 100% linux install. Then, for those few clingy win32 apps, try using Wine (a mostly bitter pill, but it does some stuff well) to run the apps. Failing that, try Qemu. If *that* fails, try VMWare or Win4Lin.

    Eventually, a few months down the road (or a couple of years, even), you may decide that the stability and reliability of Linux outweighs the win32 baggage and you either find linux equivalents you really like or you "settle" for something not 100% what you'd prefer.

    I began the above transition about 7 years ago (except live-CDs weren't around). Took about 2 years. Games kept me dual-booting for about a year... until a wife and kids took more of my time and I decided that silly free games (nethack and xmame) were enough for the occasional video game fix. Then Quicken and Turbo Tax kept me using VMWare for about a year. I replaced Quicken with GnuCash for a year or so, then I ditched it for a simple spreadsheet checkbook balance sheet. By that time, I was beyond the simple tax returns, and I decided that $200 yearly H&R Block trip was less painful than the $50 TurboTax and several hours of punching in stuff. (Also, the whole anti-piracy FUBAR for Turbo Tax in the late 90s turned me off Intuit.)

    So I've been 100% Winderz free for 5 years, and I'll never go back. I don't put up with DRM or anti-piracy shit any more. If it doesn't run on Linux (now, FreeBSD/amd64), I find something else to use.

    Freedom... indeed!

  • by stinerman (812158) <nathan,stine&gmail,com> on Sunday June 11, 2006 @11:11PM (#15514911) Homepage
    World of Warcraft runs on Cedega.

    Better yet, it runs on straight Wine [winehq.org] with a few patches.
  • by modecx (130548) on Monday June 12, 2006 @12:42AM (#15515201)
    Personally, I highly suggest that it's not a good idea for your average linux newbie to go about trying to dual boot with Windows. You can go to a used computer store in any metro area and pick up a secondhand machine that will most likely be 100% compatible with Linux for less than $150, and it will still be more than powerful enough for anybody interested in Linux to screw around with, and actually do useful stuff with it, too... Heck, if said linux newbie is experienced with building computers for his gaming habit, then he's likely got nearly everything he needs to build a whole 'nother box to mess with. Furthermore it's not like Linux or X11 or the shells that run on top of those bits can tolerate older and slower computers with less memory and less storage than Windows, now is it? For example, I have everything I need to build a decent machine that would do well with linux just laying around including an 800Mhz Duron with motherboard and 512MB RAM, a Geforce2 GTX and a 40 GB drive, 17" monitor, and an old CD drive. The only thing I'm missing is a case with a cheap power supply, and I can get that at MicroCenter or CompUSA for $40.

    The bonus is:

    1) He still has his Windows machine to fall back on in case he needs to go and read documentation when he biffs his linux installation, play games, or do other windows specific stuff without having to shut down and start up and shut down and etc.
    2) There is no need to fret about screwing up everything on his Windows machine because there's no need to format or partition or anything.
    3) He can experiment with using a network to make his two computers get along and do stuff that he just couldn't do before, and learn tons about both operating systems in the process.

    With the crap most geeks keep around another computer could be had or built for little to nothing... It's stupid to dual boot unless you're trapped on Antarctica where you can't get a few measly parts in the time available (?), or you're so desperately poor that $50 means the difference between having a roof over your head or not.
  • Re:Trade-offs (Score:5, Interesting)

    by Eivind (15695) <eivindorama@gmail.com> on Monday June 12, 2006 @02:07AM (#15515372) Homepage
    Sure there are programs only for Windows for which there's no exact linux replica.

    The same is true the other way though. I'm currently for practical reasons running Windows on my laptop (because current employer runs that, and it just ends up being easier overall getting the job done.)

    Privately, it drives me nuts, I regret not having made the thing dualboot.

    There's no Kphotoalbum; Picasa is available from Google, and tries to solve sorta the same problem, but frankly it doesn't measure up. It has lots more eyecandy but much less functionality. I'm not aware of any other sub-$1000 program even playing in the same ballpark.

    Mail clients are a hassle. Thunderbird is barely acceptable, yet fails to manage a lot of stuff I've been taking for granted for years. Simple stuff that mutt, pine and kmail all manage. Yes, it's possible it can be convinced to do something similar, but at least it's not equally trivial.

    Development tools all have to be installed manually. And they tend to be more opaque than I'm used to. When they fail, they do so with much less information that might help. Frequently the best advice amounts to "reinstall".

    One can install CygWin, but the tools under cygwin are a lot less polished than under a real *nix.

  • by ClassMyAss (976281) on Monday June 12, 2006 @02:16AM (#15515386) Homepage
    Now, if, for example, someone were to write a simple program that called wgatray.exe in an infinite loop and had a few hundred thousand people running it, then Microsoft would wind up on the end of a DoS attack.
    The particularly amusing part about this would be the following: as I understand things, Microsoft has failed to report to the end user that this piece of software phones home. This means that if a user ran the program a million times in a row, they could plausibly claim that they had no way of knowing they were even participating in a DOS attack should the Feds come a-knocking! They were simply running a program on their home PC that claimed to be network-silent (although I'm not entirely sure whether or not the EULA admits to making any connection at all...if it does, you'd be screwed). Hence Microsoft's own shenanigans would bite it in the ass.

    Not that I'd ever do such a thing myself or suggest it to others, of course, seeing as I've just gone on the record admitting knowledge to the spyware activity of the program.
  • windos like games (Score:3, Interesting)

    by Tom (822) on Monday June 12, 2006 @04:14AM (#15515582) Homepage Journal
    For many years now, it has been more convenient and hassle-free to run cracked versions of games, even if you did buy the original (I know I downloaded quite a few no-CD cracks for games I had bought in the store).

    Looks like windos will be next in line for that attitude.

    Oh yeah - last I checked, the whole multi-million dollar copy protection software did exactly zilch for the level of illegal copying in the games world...
  • To Whose Advantage (Score:2, Interesting)

    by macaroo (847109) on Monday June 12, 2006 @05:48AM (#15515768)
    The M$ WGA program reminds me of the electronic wars that took place on the US highways in the 80s between the "Guardians of the Law" and the average Joe Six-Pack driver. First there was the Police Radar to detect speeders. Then, the Radar Detector. Next the Police detector to notify the police that a car had a Radar Detector on board. Finally the Radar Jammer. M$'s paranoia is unlimited. They are a company that just does not get it. They do not just produce a product to be used, but want to own the individual and his equipment that use it. I disable and hide the "Nag" updates on all my customers' computers and warn them about installing it. If they do, I tell them they are on their own. I also monitor and use all the latest disabling patches that the hackers develop to counteract this travesty of individual freedom. I am a dyed-in-the-wool Apple Mac user, however I work on Windows machines for a living. If it was not for Windows, I would be out of business!
  • by Anonymous Coward on Monday June 12, 2006 @05:48AM (#15515770)
    Yeah that's pretty much the decision I've made. That is instead of just jumping in whole hog today as I had planned, I'm going to start familiarizing myself with the nitty gritty of Linux and set it up on an old box or something to get my feet wet, then when I'm done with this machine running XP in the next year or so I'll make the move. As bad as XP is, Vista sounds 10 times worse.

    I consider myself fairly technically proficient so I guess I was just being overconfident/naive in thinking I could switch at the drop of a hat is all. My point wasn't so much that the move isn't worth it, rather that I'd overlooked the time and effort that would be involved.
  • Virtualization? (Score:4, Interesting)

    by Balthisar (649688) on Monday June 12, 2006 @06:56AM (#15515885) Homepage
    I have several legal licenses to XP. Yet, I *always* use a borrowed, corporate serial number. Why? No activation. Why do I care? Aside from the principles involved, my XPs always run in virtual environments -- VirtualPC, VMWare Workstation, and of late Parallels Workstation. I've not tried Bochs, etc.

    I'm not trying to debate the licensing (I know I'm supposed to use my own numbers; I don't care, though) or the multiple machine issues (I've got all the licenses I need legally; convenience is the issue). Instead I bring questions:

    How does activation work in a virtual environment on multiple, physical machines? Sure, the virtual machine "footprint" is going to change between using VMWare, VPC, and Parallels. But what bearing does the host machine have on it? If I take my legally activated product (the non-corporate version) disk image from physical machine to physical machine, is there a tie to the real, physical hardware? As far as I know, processor ID, MAC address, and so on are all virtualized, but is there something else in the activation checksum that these commercial VM solutions tie to the physical hardware?

    I don't know enough about the license (who really does?); to me the "machine" is the disk image, so I have no moral qualms about moving it from physical machine to physical machine as long as they're not used at the same time (etc. etc.).

    Oh, so why don't I try it? I just don't want to "burn up" any of my serial numbers. Meaning, invalidate them because now I look like I've pirated the number because I'm installing onto too many machines. VMWare for Windows and Linux, VPC for Mac and Windows, Parallels for Mac/Linux/Windows... I'm a big time pirate trying to install a single serial on *seven* computers, ya know?
  • by gelfling (6534) on Monday June 12, 2006 @07:40AM (#15515999) Homepage Journal
    Curiously this is not an unknown problem. MS is aware of it at any rate - machines that for whatever reason CANNOT successfully install WGA and therefore are screwed out of all subsequent updates. Did I mention these are fresh installs? These are machines that were scratch rebuilt mere weeks ago and are completely clean of spyware, virii and have relatively few applications installed? Did I mention that MS has ZERO response to this? No answer at all whatsoever. I have asked if there is a way to download and install WGA on its own.

    I suspect they are silent on that point because there's a flaw in WGA which would verify any machine you managed to install it on.
