Microsoft Misrepresenting WGA's Functionality? 458
Legal Ethics writes "According to an article on Groklaw, Microsoft is misrepresenting what the Windows Genuine Advantage (WGA) tool is to pressure people into installing it. It comes with no uninstall, it fails to disclose many pieces of information it provides to Microsoft, and it misrepresents itself as a 'critical update' when it does not address any security vulnerability, although it remains to be seen if it can create one. ZDNet has a series of screenshots so that you can see exactly how badly it misrepresents itself. Oh, and it also checks for updates, so Microsoft can presumably execute arbitrary code on any machine with it installed, merely by making that code part of a WGA update."
Why punish legit users? (Score:5, Insightful)
Re:Why punish legit users? (Score:5, Insightful)
swich to something better, nobody is forceing you to use microsoft's product http://linux.com/ [linux.com]
Just stay away from Microsoft. (Score:2, Insightful)
For most needs, Linux, Mac OS X, Solaris, and BSD are more than suitable. And far cheaper!
If you depend on software that only runs on Windows, petition the developers to create a Linux/Solaris/BSD/Mac OS X edition, or a port to those platforms. Say straight out that you do not want to use Windows, but you do want to use their software. Give them an alternative they can contemplate.
There is no need to become a victim to Microsoft, especially when they put the security of your data at risk. This WGA nonsense is the sort of thing that businesses just shouldn't have to deal with. And thankfully they don't. Between Solaris, Linux, BSD and Mac OS X, there are many alternative, professional operating systems out there for them to use.
Isn't this a violation of spyware laws? (Score:5, Insightful)
huh (Score:4, Insightful)
It's Spyware by any definition (Score:5, Insightful)
the question is when are the anti-malware community going to step up to the plate and provide protection from this software
the fact its made by Microsoft should be irellavent, just analyse the behaviour of the application and judge it on that
communicates unique information at any time to an American based advertising company (msn anybody?) with you the user having no idea of what data and what the implications are of giving this company that data
can your business really risk an application like this on your systems ? are you prepared for the consequences of letting this program run unchallenged inside your companies infrastructure ?
Re:Sad... (Score:5, Insightful)
Re:ok (Score:5, Insightful)
I don't understand... (Score:4, Insightful)
Re:Un-American (Score:3, Insightful)
If ExxonMobil figured out how to run a combustion engine on water (seperating the Hydrogen and Oxygen obviously) do you really think that they would share it with the world? Of course not! It would ruin their current business model.
What these super-companies can't fully comprehend, however, is that any little startup business with an innovative can change everything. Innovation doesn't come from big business anymore, it comes SOLELY from the little guy. And is slowly becoming less and less American.
Every business is futile to innovation. There is no stopping it, only delaying. It must be embraced.
Sorry,
--
From Northern Virginia? Check out Fairfax Underground.com [fairfaxunderground.com]. Includes free database of arrests by the the Fairfax Police
Re:huh (Score:5, Insightful)
Re:How to Disable the WGA Add-on (Score:2, Insightful)
Now, I have one purely academic question related to this.
Can it work on reverse?
In other words, suppose we have a piece of spyware that installs itself as an IE extension. Can it mark itself to have same sort of "stickiness" as the WGA add-on?
If so, it might be a bit of a headache for spyware-cleaner types...
And a practical corollary to that academic question, and a follow-up to your instructions: Exactly how long before there will be a tool that allows you to nuke an IE extension from the orbit, no matter if it's WGA or not?
Why punish monopolies? (Score:0, Insightful)
If true, does that mean that the DOJ erred in calling Microsoft a "monopoly"?
Re:It's Spyware by any definition (Score:1, Insightful)
In what way is this less malicious than say, bonzi buddy? I guess MS assumes that you trust them, but I bet claria (right?) considers themselves trustworthy too.
And really.. the only people who pirate windows these days either do so because they build their own machines, or they were screwed by someone who sold them a machine with an illegit install. The first group is probably miniscule in comparison the amount of windows sales, and in the second case screwing the user is not really fair anyway.
Re:Isn't this a violation of spyware laws? (Score:5, Insightful)
Microsoft is not a company, go to any state building or federal building in the nation, and find out what they're running. You're talking about a corporation that has settled antitrust lawsuits with licenses and lockin [com.com].
If Sony doesn't get it's ass handed to them for rootkits, why would you think Microsoft would receive any punishment at all?
It can update itself! (Score:5, Insightful)
Oh, and it also checks for updates, so Microsoft can presumably execute arbitrary code on any machine with it installed, merely by making that code part of a WGA update.
Where did WGA come from? Auto Updates. What does Auto Updates do? Downloads executable code and makes it a part of your Windows OS.
"Shocking facts" like those really put Slashdot editors low in my eyes.
Windows 2000 looks better all the time (Score:3, Insightful)
Letting the vendor have a backdoor into your machine is really risky. If you're in a financial institution, is the vendor bonded? If you're a healthcare provider, is the vendor HIPPA compliant? If you're in a law firm, are any of your clients competitors of Microsoft? You have no contractual guarantee that somebody at Microsoft, or elsewhere, isn't using that backdoor in some interesting way.
Even more fun when it breaks (Score:5, Insightful)
I poked around trying to figure out what was wrong.. Didn't see anything. I clicked the "get legal" or whatever it says button at login but nothing ever happened. I eventually remembered that this particular computer had locked up on reboot the week before on a Tuesday and thought perhaps it had something to do with the latest updates from MS. I uninstalled the last few updates I could find. Rebooted, reinstalled them and eventually everything came back to normal and no more complaints about an illegal copy.
I hope this never happens to aunt Tilly. I wonder when XP will really be ready for the desktop.
Re:Better... (Score:5, Insightful)
Re:Un-American (Score:4, Insightful)
Re:It can update itself! (Score:5, Insightful)
However, if I install this, I have no choice (leaving hacking it aside) but to give Microsoft that capability. It is not removable (through ordinary means), and allows Microsoft access to your machine in an even less transparent way than fully automatic updates.
This is definitely a large step beyond automatic updates, and is far more sinister.
Re:Why punish legit users? (Score:5, Insightful)
Because Microsoft has never been punished for doing so.
Re:Windows 2000 looks better all the time (Score:1, Insightful)
At the end of the day, if those sort of concerns are important to you, you should probably only be connecting to the Internet through an extremely strict firewall, if at all.
Re:Even more fun when it breaks (Score:4, Insightful)
And if it happens to aunt Tilly, you'll be the one spending part of your free time to fix it. Is this taken into account for in the Total Cost of Ownership studies of Microsoft? XP is not ready for the desktop. From windows 98 it "advanced/regressed" to something that has less direct stability issues is more complicated to maintain as a whole. Furthermore it has lots of amazingly distracting features, just these pop-up balloons that mention if a network cable is plugged/unplugged, an upgrade should be installed or whatever. Most non-tech people I know really start panicking when these things occur. Actually a friend told me once that out of nothing she got a pop-up saying that an update had been installed, and the computer needed to be rebooted. I tried to find out afterwards what it could have been, it might have been a malicious website, program, or something legitimate. Normal "desktop users" have lots of troubles handling all this crap, and even the techies have.
I don't own OS X, but from what I've seen of it it's probably the closest to "OS ready for the desktop" as you can get. The most elegant thing of it all is how you can combine easy and consistent GUI interfaces with command lines for solutions that need more coding. Genious!
Re:Un-American (Score:2, Insightful)
Innovation doesn't come from big business anymore, it comes SOLELY from the little guy
You saying ALL innovation is coming from the little guy? Dam that little guy must be good.
Big business spend an incredible amount of wealth on R&D campuses around the world. If they weren't delivering, you can be rest assured they would be downsived in an instant.
Re:Bypass & Disable Genuine Windows Validation (Score:5, Insightful)
It's only part fo the issue (Score:2, Insightful)
Re:Why punish legit users? (Score:2, Insightful)
Wow.
After spending the last hour rooting around reading info and checking out distribution sites I am stunned at the amount of work it would take to make the move.
I'm not saying it should or even could be easy to get a new system running in a different OS, and I acknowledge that Windows is not different. But I guess my point is it was easy to overlook that I've already invested all that time and effort once, and now I'm really doubtful I want to or even have the time for a do over.
I guess at this point I'm feeling like when you're 10 years into a so-so marriage. Sure you might like to leave and try something better, but when you step back and look at all the effort that will go into getting divorced and setting yourself up in a new marriage and then wonder if at the end of the day you'll just be trading one set of problems for a new, different set of problems with someone else.
Re:Better... (Score:5, Insightful)
Re:Trade-offs (Score:3, Insightful)
I suggest you get in touch with Adobe and see if they have released or actioned on any of the results of that survey. There might even still be the opportunity to participate in it.
I think Adobe's (and most other dev houses) biggest issue right now is that they don't think there are enough people to justify porting their applications. If enough existing users started discussing it seriously with Adobe, I'm sure they'd be very willing to listen. They actively asked for info in the past.
I understand your issue. The applications you need don't exist on Linux yet. Thats not a fault of the various Linux platforms however. More a case of companies needing to be made aware that there are people who would buy their software if a Linux version existed.
Library hell can be avoided by static linking at compile time. Is kind of like including MFC DLLs with your applications, but a lot cleaner.
Re:Why punish legit users? (Score:3, Insightful)
This is already outdated information and partially incorrect. ActiveX is severly disabled and limited even in WindowsXP at this point. To install an ActiveX control after SP2 takes the user to approve it, and that is if ActiveX is even enabled.
Secondly, the UAP in Vista is 'still' changing, even the Beta2 of Vista does not fully represent the level of protection.
UAP throughout the beta cycle of Vista has been a 'big' work in progress due to the strict enforcement of the NT security model that applications were never forced to adhere to on XP, as they probably should have been even if would have made a lot of applications fail to run properly.
Your information about the 'amount of clicks' to delete an icon is also outdated and wrong. You can find videos at www.microsoft.com that demonstrate the changes in the UAP even since Beta2, and no longer are 'several' prompts required to do anything, in fact UAP is less annoying than 'admin' or 'root' prompts in *nix or OSX at this point. Also since there is no user equivalent to a 'root' account AT ALL on Vista, it offers even a higher level of security past the older *nix model.
As in XP and past version of NT, Administrators were semi-equivalent to root in the *nix model; however this has changed, and even the highest level Administator account still does not have uncontrolled 'root' access. (This is why in earlier versions like Beta2, there were several prompts to confirm operations that required root level access.)
Also everyone here that is not familar with the ActiveX locks and protections introduced with SP2, should look this information up if they are dealing with customers or working with XP at all. As WindowsXP stands now it is harder to get an ActiveX control to install and run than it is to fake a MIME type to get something to run on OSX and several *nixes.
ActiveX is truly not a problem since it was locked down with SP2. Calling for it to be abandon is also not an intelligent way to address the issue, as there are still viable uses for it in corporate environments and where users need more than browser level functionality. In this regard it is NO different than Plug-in technology that everyone here uses in their browsers on other platforms, and not that it has to be user approved and installed like a plug-in is not any more dangerous.
(In the past, I agree that ActiveX was dangerous as it could self install or applications could elevate ActiveX permissions, but this ended with SP2, putting it on the same level of any other downloaded application or plugin type of technology.)
It is easy to pick on MS for not enforcing the NT security model for application compatibility with Win2K and WinXP; however, to pick on MS about Vista because it is 'too' secure is stupid.
In your post alone you argue that MS is not being secure enough and then in the next paragraph you are arguing that they are too secure. Pick a reason to hate them and stick with it.
Re:Why punish legit users? (Score:3, Insightful)
Switching OSes takes hours of work and it will be weeks before you have everything working properly and the way you like it. Add on top of that possible hardware issues (I never switched to Linux because every time I mess around with it, I am reminded how terrible ATI Linux drivers are and that there aren't drivers for my Broadcom chip wireless card).
Re:Why punish legit users? (Score:3, Insightful)
Statements like this indicate that you don't undersand how viruses work. A virus can do plenty of damage running as a normal user. Your home directory is probably far harder to replace than the rest of your OS, but no special privileges are required to wipe it out. You don't need root to become a spam zombie, to install extensions or plugins in Firefox, or to steal all of the confidential information that is invariably lurking in your cookies, bookmarks, web cache, and personal documents.
At no point does an email virus require root access. And if it did, it could just ask for the root password - you can bet that at least 50% of users would give it up without a second thought.
Believing that permissions solve the virus problem indicates that you don't understand the amount of damage that can be done even with a limited user account.
Re:Trade-offs (Score:3, Insightful)
Seriously: there's no reason why there ever has to be a "one true OS." In fact, I think that sort of thinking is harmful, because it could prevent a newcomer from gaining a foothold. Even Linux makes some basic assumptions about how a computer operates that could be challenged down the road.
This is why I'm a fan of openness in data storage formats even more than I am in source code or operating systems: as long as people have the ability to move from one platform/OS/software-package to another, we're in good shape. It's the vendor lock-in that's the problem, and honestly I think once the dominance of Windows is broken (don't ask me how long that will take, but it will happen eventually) I doubt that such a situation as we have today will ever repeat itself.
If you have openness in data storage, people can change OSes every decade or so without penalty aside from repurchase and retraining. While significant, they're not enough to outweigh a significant benefit in design or technology. However, access to years of stored data would be.