Microsoft remotely checking registry?
[Comments only please! I'll ask the submitter of the best answer to lock the question]
I've heard that Microsoft can remotely check the registry of Win98 machines connecting to their site to discover info about applications (possibly to detect illegal copies).
I'am interested in the subject because:
1. It is a potential security hole.
2. My company might want to do something something similar.
3. I'm nosy.
Please provide URLs to *technical* information regarding the issue (not anecdotal "MS sues....").
I'd prefer to avoid the legal speculation and focus on whatever facts we can get our hands on.
Does anyone really know what happens when a user upgrades Win98 online?
I've heard that Microsoft can remotely check the registry of Win98 machines connecting to their site to discover info about applications (possibly to detect illegal copies).
I'am interested in the subject because:
1. It is a potential security hole.
2. My company might want to do something something similar.
3. I'm nosy.
Please provide URLs to *technical* information regarding the issue (not anecdotal "MS sues....").
I'd prefer to avoid the legal speculation and focus on whatever facts we can get our hands on.
Does anyone really know what happens when a user upgrades Win98 online?
Well Microsoft it is going to implement in 1999 a new system which uses the registry check remotely. this is to prevent pirates from stealing softwares. this kind of procedurement as soon as it arrive crackers are going to break it. This mean, that they are not going to suceed in this matter 100%. That is the only purpose of it. from preventing pirated software in computers of people who can't afford it or do not want to pay for it.
This registry checker it is going to make sure in a Corporation that many of their software be use accurately. In many places around the country there has been problems with licensing problems that they get out of control and use more lincenses that they should use.Microsoft Office 2000, It is going to be the first suite which will contain this mechanism. Which for the average "joe" it will keep him out from using more copies of it.Others more knowledgable people are going to fight that. and try to prevent it. In some way Microsoft wants to have control of what you use and do in your computer. This for them means millions of dollars. Also, when they discover people, they will sue them and get back alot of money. So, for them it is a business either you buy it or not buy it. they will always find the way to get you. If you buy it you are safe. and if you break it. then, and they get to know; they will sue you until they leave you without a penny.
There has been some articles in www.cnet.com and other places like www.news.com about this kind of problems.
This registry checker it is going to make sure in a Corporation that many of their software be use accurately. In many places around the country there has been problems with licensing problems that they get out of control and use more lincenses that they should use.Microsoft Office 2000, It is going to be the first suite which will contain this mechanism. Which for the average "joe" it will keep him out from using more copies of it.Others more knowledgable people are going to fight that. and try to prevent it. In some way Microsoft wants to have control of what you use and do in your computer. This for them means millions of dollars. Also, when they discover people, they will sue them and get back alot of money. So, for them it is a business either you buy it or not buy it. they will always find the way to get you. If you buy it you are safe. and if you break it. then, and they get to know; they will sue you until they leave you without a penny.
There has been some articles in www.cnet.com and other places like www.news.com about this kind of problems.
I have seen alot of this speculation around the internet, and I would like to clarify things on this subject abit. There is NO built in mechanism to allow the type of thing you are talking about and probably never will be. No existing version of windows includes any backdoor or mechinism by which ANYONE can get registry data from a normal internet connection - (meaning that no network redirectors are loaded). I say probably never will be since if the mechinism was somehow added for Microsoft to view registry data on an unsecured connection then so could a hacker. Now when you connect to some of microsofts sites they may ask if you will send them information on your computer. This IS REGISTRY DATA, but you must expiicitely allow them to do it. If you do not allow the ActiveX control that does this work to be installed on your system then you are completely safe. I hope this helps to clarify things.
As for you creating such a program. This can be done fairly easily with an ActiveX control. You would just create a control that gets whatever info you want out of the registry. Then have it forward the data to your web server or a CGI script. But under normal conditions the guy on the other end will know you are doing it because he must allow the applet to be installed. Hope this helps
I apologize for locking the question - please reject my answer if you would like more discourse on the subject. I hit the wrong button :<
heath...
I have to disagree with you just on the basis of the tools that are freely available to webmasters that enable you to find out much information about people that come to their site. I don't know them all but have been pointed there from members of geocities. Futher, I've been to quite a few site over the years that sent me a e-mail in a responce that outlined my complete system oS and hardware.
I don't use them so you're safe at my site::))
Regards,
Bud
http://www.geocities.com/~budallen/
I have to disagree with you just on the basis of the tools that are freely available to webmasters that enable you to find out much information about people that come to their site. I don't know them all but have been pointed there from members of geocities. Futher, I've been to quite a few site over the years that sent me a e-mail in a responce that outlined my complete system oS and hardware.
I don't use them so you're safe at my site::))
Regards,
Bud
http://www.geocities.com/~budallen/
Smeebud...
I do not disagree that there are MANY pre-written tools available to get registry data from a users machine. What I am saying is that cant simply make a web-page that can leech data from a users machine. That kind of stuff REQUIRES some type of process being run on the client. Now to get the process to run on the client under most modern browsers you generally need the users permission - He/She must actively allow you to install the applet. JavaScript/VBScript cant do this type of stuff. Now there is some info like OS version and Browser version that can be retrieved via Java but I am talking about actually Registry data such as retrieving the entrie HKEY_CURRENT_USER key and sending it to server. This just cant be done without the users knowledge. Now if the user is silly enough to set his browser to accept ActiveX controls without notifying him - this would work - but that is probably less than 1% of the browsing population.
I do not disagree that there are MANY pre-written tools available to get registry data from a users machine. What I am saying is that cant simply make a web-page that can leech data from a users machine. That kind of stuff REQUIRES some type of process being run on the client. Now to get the process to run on the client under most modern browsers you generally need the users permission - He/She must actively allow you to install the applet. JavaScript/VBScript cant do this type of stuff. Now there is some info like OS version and Browser version that can be retrieved via Java but I am talking about actually Registry data such as retrieving the entrie HKEY_CURRENT_USER key and sending it to server. This just cant be done without the users knowledge. Now if the user is silly enough to set his browser to accept ActiveX controls without notifying him - this would work - but that is probably less than 1% of the browsing population.
Alexo, your question is an excellent one! While I agree with Heathprovost in part, I must vehemently disagree with Istal. Further, while Smeebud is correct, some sites can elicit information, it is more of a tactic than anything else. Most of the postings here thus far founded in speculation rather than research and fact. We are MSDN (Microsoft Developer Network) members, and in the case of "all of MS products" we are given the source codes or modules and SDK's for these products as well as some of the checking tools.
For those of you concerned about M$ releasing a product or having a method by which information such as pirated software can be detected, rest assured that it cannot be done unless and until the user does something stupid like trying to fake the install by using a false micro-code such as that commonly referred to as a "CD Key". If you have followed anything going on in the USA and in Europe, you will have learned that to do as Istal suggests would open Microsoft to both a constitutional fight in Federal court by the justice department, somewhere, I am certain, Bill Gates don't want to be again, as well as additional private litigation founded upon existing court decisions. If someone can show me one site that states, factually with proven information, that such a program or code exists written either by M$ or by a third party on their behalf, I will handle the referral to the justice department myself through our corporate council. Think about the ramifications people, OEM's sells hundreds of thousands of computers every day loaded with a M$ OS. Do you think for one minute they are going to sell a computer to someone that would enable others to scan their private information. The implications are enormous. Just think about a government computer running 98 or Win NT that can be examined.
If this doesn't convince you, then think about all the time and money being spent to close holes that already exist in 95, 98 and NT. Would M$ do this and leave open a method by which others could accomplish this. M$, in theory, attempted this in 1995 and ran tests with MS Word. They found out quickly that they had an enormous exposure to legal action. Today, you can't even get a crack to unravel a word document password in Word 98, let alone MS Office 2000.
Yes, some hacker sites and even M$ can read your system setup and can even read what updates you have made to Windows 98. But first, as heathprovost suggests, "you must permit it". There are two reasons for this, one is due to the legal issues involved (M$ cannot merely ask you to okay an on-line disclaimer to bypass this, it must be in writing) and two what these sites are reading has nothing to do with your registry. They are reading the baseline that is created by Windows and other MS programs. When you log onto the Windows 98 update site, M$ asks if you want your system checked. The software reads this baseline and reports that information. That software also looks at the name and address (if entered) info that is in the registration information (not the registry mind you!). If you prepare a "clean" system, one with little or no correct information, no one can detect it.
This could go on endlessly, but I think this is enough.
For those of you concerned about M$ releasing a product or having a method by which information such as pirated software can be detected, rest assured that it cannot be done unless and until the user does something stupid like trying to fake the install by using a false micro-code such as that commonly referred to as a "CD Key". If you have followed anything going on in the USA and in Europe, you will have learned that to do as Istal suggests would open Microsoft to both a constitutional fight in Federal court by the justice department, somewhere, I am certain, Bill Gates don't want to be again, as well as additional private litigation founded upon existing court decisions. If someone can show me one site that states, factually with proven information, that such a program or code exists written either by M$ or by a third party on their behalf, I will handle the referral to the justice department myself through our corporate council. Think about the ramifications people, OEM's sells hundreds of thousands of computers every day loaded with a M$ OS. Do you think for one minute they are going to sell a computer to someone that would enable others to scan their private information. The implications are enormous. Just think about a government computer running 98 or Win NT that can be examined.
If this doesn't convince you, then think about all the time and money being spent to close holes that already exist in 95, 98 and NT. Would M$ do this and leave open a method by which others could accomplish this. M$, in theory, attempted this in 1995 and ran tests with MS Word. They found out quickly that they had an enormous exposure to legal action. Today, you can't even get a crack to unravel a word document password in Word 98, let alone MS Office 2000.
Yes, some hacker sites and even M$ can read your system setup and can even read what updates you have made to Windows 98. But first, as heathprovost suggests, "you must permit it". There are two reasons for this, one is due to the legal issues involved (M$ cannot merely ask you to okay an on-line disclaimer to bypass this, it must be in writing) and two what these sites are reading has nothing to do with your registry. They are reading the baseline that is created by Windows and other MS programs. When you log onto the Windows 98 update site, M$ asks if you want your system checked. The software reads this baseline and reports that information. That software also looks at the name and address (if entered) info that is in the registration information (not the registry mind you!). If you prepare a "clean" system, one with little or no correct information, no one can detect it.
This could go on endlessly, but I think this is enough.
I agree 100% with everything stated by dew_associates. Thank you for clarifying things. But I would like to point out that reading the registry of a remote machine IS possible. I have seen code that does just that. But the catch is the client (assuming his security settings are adaquate) will have to ALLOW this to happen by allowing the code to be installed on his machine. This is not a backdoor or loophole - it is not microsoft's intention to allow these things to happen. They have gone to tremendous efforts to keep code like this off of users machines without them being aware. Many people dislike the fact that code like this can even be written at all. It is the primary reason why JavaScript is so crippled when it comes to having access to the local machine. But I think that the approach microsoft has made is a good one. ActiveX controls can pretty much do ANYTHING, and some people, for very legitimate reasons, may need to read the registry of a remote machine. By making sure the client must be aware of it, microsoft has allowed developers free reign in designing software while at the same time allowing users the police their own machines. I agree again with dew_associates though, I think this could go on endlessly.....
http://www.news.com/News/Item/0,4,29744,00.html
read about the Mechanism CNET refers. It talks about preventing for those of you who do not believe it.
With the release of Microsoft Office 2000, Microsoft is expanding its anti-software
piracy program to several countries to help reduce theft and simplify registration of
the popular desktop productivity suite.
Microsoft will include the Registration Wizard in Office 2000, a new technology to
discourage piracy.
The Registration Wizard makes registration a part of installing the product and helps
prevent illegal installations. Customers can use the product 50 times before registration is required.
Microsoft has recently been stepping up efforts against software piracy. This year, the
company has sued many computer resellers across the country for allegedly selling pirated versions of the Windows 95 operating system and Office 97 Professional software, among other products.
Last month, Microsoft launched the second beta of Office 2000, making it available to an unprecedented 700,000 testers.
In addition to automating registration, Office 2000 will include a hologram on the CD to help customers identify the authenticity of the Office product. Microsoft will also introduce a new type of in-box packaging to prevent thieves from easily removing the CD from the box in retail stores.
The Office Registration Wizard will be included in versions of the product offered in
Australia, Brazil, and New Zealand, as well as in academic packages distributed in the
United States and Canada. This technology is designed for full-package products in these markets and will not be included in products obtained by customers with volume license agreements, due to their unique deployment processes.
PS: Yes it will not be implemented in Big licensing. but how many licenses would be big for them.
read about the Mechanism CNET refers. It talks about preventing for those of you who do not believe it.
With the release of Microsoft Office 2000, Microsoft is expanding its anti-software
piracy program to several countries to help reduce theft and simplify registration of
the popular desktop productivity suite.
Microsoft will include the Registration Wizard in Office 2000, a new technology to
discourage piracy.
The Registration Wizard makes registration a part of installing the product and helps
prevent illegal installations. Customers can use the product 50 times before registration is required.
Microsoft has recently been stepping up efforts against software piracy. This year, the
company has sued many computer resellers across the country for allegedly selling pirated versions of the Windows 95 operating system and Office 97 Professional software, among other products.
Last month, Microsoft launched the second beta of Office 2000, making it available to an unprecedented 700,000 testers.
In addition to automating registration, Office 2000 will include a hologram on the CD to help customers identify the authenticity of the Office product. Microsoft will also introduce a new type of in-box packaging to prevent thieves from easily removing the CD from the box in retail stores.
The Office Registration Wizard will be included in versions of the product offered in
Australia, Brazil, and New Zealand, as well as in academic packages distributed in the
United States and Canada. This technology is designed for full-package products in these markets and will not be included in products obtained by customers with volume license agreements, due to their unique deployment processes.
PS: Yes it will not be implemented in Big licensing. but how many licenses would be big for them.
http://www.news.com/News/Item/0,4,21425,00.html
Here is another article where another company has done it before. go to the URL and read. maybe some of you are not familiar with it.
Here is another article where another company has done it before. go to the URL and read. maybe some of you are not familiar with it.
ASKER
istal, thank you for the URL. It proves that MS can and does this, although the scope is not clear (it only talks about office2000).
heathprovost, making such a mechanism in an OS is trivial. A simple thread that waits on a TCP/IP port or something similar. Also, if it only allows access (via a predefined protocol) to a specific registry subkey that only holds the windows registration ID (and possibly those of other MS software packages) there will be no issue of privacy. Heck, the software licence may explicitly state that the software must be registered and will be checked when the machine goes online (after all, who reads those small letters anyway?)
Dennis, see above, and:
The information that can be freely leeched from the computer is limited to machine name, IP address, OS and browser version and maybe some more items I forgot. However, an OS can have an undocumented backdoor. I have access to MSDN level 3 (I think) which my company subscribes to. It does not include the source of the OS or IE so proving (or disproving) the issue is not easy.
The legal position is not clear. The second link istal posted proves it.
I'd prefer to avoid the legal speculation and focus on whatever facts we can get our hands on.
Does anyone really know what happens when a user upgrades Win98 online?
heathprovost, making such a mechanism in an OS is trivial. A simple thread that waits on a TCP/IP port or something similar. Also, if it only allows access (via a predefined protocol) to a specific registry subkey that only holds the windows registration ID (and possibly those of other MS software packages) there will be no issue of privacy. Heck, the software licence may explicitly state that the software must be registered and will be checked when the machine goes online (after all, who reads those small letters anyway?)
Dennis, see above, and:
The information that can be freely leeched from the computer is limited to machine name, IP address, OS and browser version and maybe some more items I forgot. However, an OS can have an undocumented backdoor. I have access to MSDN level 3 (I think) which my company subscribes to. It does not include the source of the OS or IE so proving (or disproving) the issue is not easy.
The legal position is not clear. The second link istal posted proves it.
I'd prefer to avoid the legal speculation and focus on whatever facts we can get our hands on.
Does anyone really know what happens when a user upgrades Win98 online?
ASKER
Edited text of question
Istal - I read your URL and I am sorry but I do not see how it is relevent to whether microsoft can read data from the registry of a remote computer. I does not state anywhere that they will start doing that. It only says they will start requiring registration of Office 2000 after 50 uses. This is nothing new and is done with plenty of other software on the market today. And none of these software packages require you to connect to their site to read your registry to verify anything.
As for the second URL you have given, this proves my point exactly! Creating a program (the Battle.Net client) that sends registry data to a server is not hard to do at all. And since this client is an actually executable installed by the user from a CD, Browser security does nothing to protect against this. This is irrelevent. This is not a mechanism of the OS or of the Internet in general but a proprietary server gathering info from a proprietary client. Battle.Net also, since you brought it up, completely eliminates piracy of Blizzard software by requiring unique CD Keys for every user logged on to Battle.Net at the same time. This CD Key info is stored on your HD, and they have been able to read this data since they created Battle.Net. Once again I dont see how this is relevent.
Alexo, I agree that a mechanism in the OS would be trivial. And I also agree that if this mechanism only returned such information as the registration ID or such then the backlash from the user community would be minimal. But my point is if Microsoft created a means to read ANY (i.e. anything they wanted) information from the registry, whether they documented this or not, they would be cutting their own throat. Anyone with a port sniffer and the inclanation to do it could discover what was happening, and eventually would figure out how. Then everyone would be doing this with their software and users would rebel. This would by no means benefit Microsoft.
Since no user has come forth with any real proof that there is some backdoor undocumented means that microsoft is using to get registry data yet, I can only assume that either there is not one, or that microsoft has chosen not to exploit it yet. Either way, we are back to the same conclustion. Microsoft CANNOT read registry data without a users permission.
As for the second URL you have given, this proves my point exactly! Creating a program (the Battle.Net client) that sends registry data to a server is not hard to do at all. And since this client is an actually executable installed by the user from a CD, Browser security does nothing to protect against this. This is irrelevent. This is not a mechanism of the OS or of the Internet in general but a proprietary server gathering info from a proprietary client. Battle.Net also, since you brought it up, completely eliminates piracy of Blizzard software by requiring unique CD Keys for every user logged on to Battle.Net at the same time. This CD Key info is stored on your HD, and they have been able to read this data since they created Battle.Net. Once again I dont see how this is relevent.
Alexo, I agree that a mechanism in the OS would be trivial. And I also agree that if this mechanism only returned such information as the registration ID or such then the backlash from the user community would be minimal. But my point is if Microsoft created a means to read ANY (i.e. anything they wanted) information from the registry, whether they documented this or not, they would be cutting their own throat. Anyone with a port sniffer and the inclanation to do it could discover what was happening, and eventually would figure out how. Then everyone would be doing this with their software and users would rebel. This would by no means benefit Microsoft.
Since no user has come forth with any real proof that there is some backdoor undocumented means that microsoft is using to get registry data yet, I can only assume that either there is not one, or that microsoft has chosen not to exploit it yet. Either way, we are back to the same conclustion. Microsoft CANNOT read registry data without a users permission.
I have myself registered Windows 98 online. The process is simple. You anser a bunch of questions (most of which are not mandatory). You are then asked if you would like for Microsoft to collect information about your system so that they can server you better :)giggles. If you say yes, an ActiveX control is installed that does this, if not it doesnt. That is it. As for what information they are collecting, I really dont know. But I am certain that it could be ANYTHING that they wanted. More than likely though - it is just what dew_associates said, some baselines of the install and your CD Key and such.
Alexo, I appreciate your comments and they are no doubt founded in legitimate concern, however Istal's articles are nearly a year old and you know as well as I do that technology changes daily, not monthly or daily. Indeed, you may be a level 3 MSDN user, however as an OEM to governmental agencies and a solutions partner we do have access to acutal code, much the same way as does MIT and Princeton University. I say to you and the other interested parties here, please "PLEASE" read what is being said, ignore the hype and rumor and get to the root of the issue. Internet news is just like the newspapers, they print a headline to get your attention.
In the one instance with Blizzard Entertainment, here is the key comment for the unknowing, "when it collected the names and email addresses of some of its users without their knowledge or consent". This info is in the base line data file for Windows 95, 98 and NT and is also in your email profile. How do you think they got the email addresses if it were not for their browser or email program's profile.
Here's a related article that speaks to the issue and what has already been implemented by most major server providers:
W3C focus on privacy, not security
By Reuters
Special to CNET News.com
April 15, 1998, 8:25 a.m. PT
BRISBANE, Australia--Concerns about the security of messages transmitted on the Internet are no longer valid, the founder of the World Wide Web Tim Berners-Lee said today.
However, Berners-Lee told the Seventh International World Wide Web Conference that privacy of information about users was still a top priority for the international World Wide Web Consortium (W3C), an organization that oversees the use of the Internet.
"I am very concerned about privacy aspects of the use of the Web at the moment," he said.
The W3C is working on a Platform for Privacy Preference (P3P), which will allow Web users to dictate how much information is collected by Internet providers about what sites they visit, what purchases they make, and other Web habits, Berners-Lee added.
Berners-Lee, who is a W3C director, told the conference in Brisbane that security on the Internet is now more of a problem for governments because individuals can communicate in secret.
Cryptography is very, very strong so there are many ways of sending information across the Internet, according to Berners-Lee, as reported on Australian Broadcasting's Web site.
"So really it's impossible for somebody else to find out what you're saying," he said. "In fact, the biggest problem with applying security isn't that the technology isn't strong enough, it's that governments are so frightened of it."
"They're very frightened of consumers or terrorists being able to communicate equally well in a secret way," Berners-Lee noted.
The Web inventor said he is against organizations or governments who seek to regulate or censor the Internet, saying Web technology tries not to force a particular policy or view on its users.
"I believe if somebody is going to decide what a child should see, then it's a good idea for that person to be a parent," he said, pointing to technology that allows children to be locked out of certain sites.
-----------------------
If you have been keeping up with what has been happening here in the USA, with the new EURO currency and the P3P platform, you will realize that P3P has already been implemented. Next, if you care to read the US Supreme Court commentary to the House of Representatives, any intrusion into the private computer portal "must be viewed as a violation of the Constitutional Right of Privacy".
Here's another:
A small Florida-based company must stop making software that allows users to "unlock" safeguards against piracy and make illicit copies.
The U.S. Federal Court for the District of Connecticut has slapped a temporary injunction on Imagine That, preventing the company from shipping copies of its RivalLock and IceLock software, while a trademark infringement suit brought by CNC Software proceeds. RivalLock and IceLock allow users to make multiple copies of software licenses that are not supposed to be duplicated.
As for anti-piracy efforts by M$, including those involving Office 2000 and Windows 2000, maybe a little intensive research is in order to get your facts straight without unnecessarily alarming everyone. Here's a recent report, read it very carefully:
http://www.news.com/News/Item/0,4,28280,00.html?st.ne.bp..bphed
If you know anything about Windows 95, especially OEM versions, yopu will realize that the CD Keys were interchangeable. In Windows 98 and subsequent new releases, they are not. The unique key module is burned into each CD and will only accept a correct CD key. Therefore, the issue of anti-piracy is moot. On the other hand, as with beta's issued by M$, they are time limited by both dates and by number of starts. This is to foil the user who is willing to circumvent the Bios date just to run software.
Alexo, contrary to your comment (and Istal's as well), the links supplied by Instal are nothing more that the writers opinions regarding a specific issue at that moment in 1998, and prove nothing! They should not be taken as factually based and applying as a whole to the actions of M$ or anyone else. As you can see by looking further, US Courts are ready, willing and able to enjoin companies that either invade privacy or circumvent anti-piracy efforts.
If you have read my post above, Microsoft reads a baseline created when you loaded Win 98. In that base line is confirmation of a valid OS, the hardware found by the install process and the current versions of all files installed. When you log on, M$ asks you if you want to have your system checked. You can say no, and you will be shown ALL available updates. All of this information is readily available in the M$ knowledge base as well as some of the better on-line support sites.
Lastly, as to the issue of a back door, these were more commonly referred to in Windows 95 as socket layers. And yes, in 95 they were there, but M$ didn't realize it until their OS started to fail all over the world because of Internet instrusions, some of which we referred to as "nukes". But again, you need to know allot of information to accomplish this, including "all" of the assigned portal addresses between the two computers. Why do you thing Netmeeting was such a hassle. Originally it was thought to be an avenue where techs could solve problems by control a clients system remotely. It failed miserably after the socket layers were closed with the OOB fix.
We deal with these and other issues daily, and there is no way that any governmental agency would permit an OS to be loaded without a certification from the issuer as to this subject. You can obtain this same information via the Freedom of Information Act directly from the US Superintendant of Documents. It is referred to as "US Computer Implementation Standard".
Dennis
In the one instance with Blizzard Entertainment, here is the key comment for the unknowing, "when it collected the names and email addresses of some of its users without their knowledge or consent". This info is in the base line data file for Windows 95, 98 and NT and is also in your email profile. How do you think they got the email addresses if it were not for their browser or email program's profile.
Here's a related article that speaks to the issue and what has already been implemented by most major server providers:
W3C focus on privacy, not security
By Reuters
Special to CNET News.com
April 15, 1998, 8:25 a.m. PT
BRISBANE, Australia--Concerns about the security of messages transmitted on the Internet are no longer valid, the founder of the World Wide Web Tim Berners-Lee said today.
However, Berners-Lee told the Seventh International World Wide Web Conference that privacy of information about users was still a top priority for the international World Wide Web Consortium (W3C), an organization that oversees the use of the Internet.
"I am very concerned about privacy aspects of the use of the Web at the moment," he said.
The W3C is working on a Platform for Privacy Preference (P3P), which will allow Web users to dictate how much information is collected by Internet providers about what sites they visit, what purchases they make, and other Web habits, Berners-Lee added.
Berners-Lee, who is a W3C director, told the conference in Brisbane that security on the Internet is now more of a problem for governments because individuals can communicate in secret.
Cryptography is very, very strong so there are many ways of sending information across the Internet, according to Berners-Lee, as reported on Australian Broadcasting's Web site.
"So really it's impossible for somebody else to find out what you're saying," he said. "In fact, the biggest problem with applying security isn't that the technology isn't strong enough, it's that governments are so frightened of it."
"They're very frightened of consumers or terrorists being able to communicate equally well in a secret way," Berners-Lee noted.
The Web inventor said he is against organizations or governments who seek to regulate or censor the Internet, saying Web technology tries not to force a particular policy or view on its users.
"I believe if somebody is going to decide what a child should see, then it's a good idea for that person to be a parent," he said, pointing to technology that allows children to be locked out of certain sites.
-----------------------
If you have been keeping up with what has been happening here in the USA, with the new EURO currency and the P3P platform, you will realize that P3P has already been implemented. Next, if you care to read the US Supreme Court commentary to the House of Representatives, any intrusion into the private computer portal "must be viewed as a violation of the Constitutional Right of Privacy".
Here's another:
A small Florida-based company must stop making software that allows users to "unlock" safeguards against piracy and make illicit copies.
The U.S. Federal Court for the District of Connecticut has slapped a temporary injunction on Imagine That, preventing the company from shipping copies of its RivalLock and IceLock software, while a trademark infringement suit brought by CNC Software proceeds. RivalLock and IceLock allow users to make multiple copies of software licenses that are not supposed to be duplicated.
As for anti-piracy efforts by M$, including those involving Office 2000 and Windows 2000, maybe a little intensive research is in order to get your facts straight without unnecessarily alarming everyone. Here's a recent report, read it very carefully:
http://www.news.com/News/Item/0,4,28280,00.html?st.ne.bp..bphed
If you know anything about Windows 95, especially OEM versions, yopu will realize that the CD Keys were interchangeable. In Windows 98 and subsequent new releases, they are not. The unique key module is burned into each CD and will only accept a correct CD key. Therefore, the issue of anti-piracy is moot. On the other hand, as with beta's issued by M$, they are time limited by both dates and by number of starts. This is to foil the user who is willing to circumvent the Bios date just to run software.
Alexo, contrary to your comment (and Istal's as well), the links supplied by Instal are nothing more that the writers opinions regarding a specific issue at that moment in 1998, and prove nothing! They should not be taken as factually based and applying as a whole to the actions of M$ or anyone else. As you can see by looking further, US Courts are ready, willing and able to enjoin companies that either invade privacy or circumvent anti-piracy efforts.
If you have read my post above, Microsoft reads a baseline created when you loaded Win 98. In that base line is confirmation of a valid OS, the hardware found by the install process and the current versions of all files installed. When you log on, M$ asks you if you want to have your system checked. You can say no, and you will be shown ALL available updates. All of this information is readily available in the M$ knowledge base as well as some of the better on-line support sites.
Lastly, as to the issue of a back door, these were more commonly referred to in Windows 95 as socket layers. And yes, in 95 they were there, but M$ didn't realize it until their OS started to fail all over the world because of Internet instrusions, some of which we referred to as "nukes". But again, you need to know allot of information to accomplish this, including "all" of the assigned portal addresses between the two computers. Why do you thing Netmeeting was such a hassle. Originally it was thought to be an avenue where techs could solve problems by control a clients system remotely. It failed miserably after the socket layers were closed with the OOB fix.
We deal with these and other issues daily, and there is no way that any governmental agency would permit an OS to be loaded without a certification from the issuer as to this subject. You can obtain this same information via the Freedom of Information Act directly from the US Superintendant of Documents. It is referred to as "US Computer Implementation Standard".
Dennis
You mentioned you may want to do this type of thing yourself (access registry of remote machine). See this URL
http://www.softseek.com/Programming/ActiveX/System/Review_17891_index.html
http://www.softseek.com/Programming/ActiveX/System/Review_17891_index.html
Heathprovost, point to a specific file please?
Dennis, MS OFFICE 2000 articles was published DEC 9 1998, and the one that talk about starcraft is only 8 months. Not even a year. Maybe you should see the dates in the MS OFFICE 2000 article. which is what we are trying to prove about Microsoft. the Blizzard company was just an example about others company has done it before. it just an explanation that such a thing has been used before.
Heath, about the 50 uses. we already know this has happened before even with MS. so why they would care to publish it.??? the mechanism they are refering is about somebody will not be able to use it in other machine because there will be an authentication method through the Internet.so that means that when the Website check once the license It will not give you permission to check it again if it is using the same key. in other words, you need an extra license, so if somebody try to do that they will know exactly who is doing.
I do not think MS is doing such a thing just for nothing.
Heath, about the 50 uses. we already know this has happened before even with MS. so why they would care to publish it.??? the mechanism they are refering is about somebody will not be able to use it in other machine because there will be an authentication method through the Internet.so that means that when the Website check once the license It will not give you permission to check it again if it is using the same key. in other words, you need an extra license, so if somebody try to do that they will know exactly who is doing.
I do not think MS is doing such a thing just for nothing.
Istal, I think we are getting side-tracked. If Microsoft creates a mechinism by which you must register Office 2000 online and they record your Name, Address, CD-Key, and such so that no other user can register with that key, I personally think it is a great idea! It is a documented, resonable approach to eliminating software piracy. Opinions may vary, that is the way of things. But I dont see what this has to do with reading the registry settings of a remote machine on the internet. The question was whether Microsoft, reads information from the registry of a remote user without them knowing about it. If microsoft comes out and says they are going to start getting information from their users registries or from anywhere else then this whole discussion is pointless. The point is that RIGHT NOW they do not. And I have no reason to believe that they are gathering information from my computer without my knowledge, and in fact have every reason to believe that they are not! The legal implications if someone found out (and someone would) would be horrible. Think about it.
BTW Istal - the Office 200 article may have been published Dec 9, 1998, but the information in it is MUCH older than that. There may not have been details earlier, but Microsofts intention to implement piracy control into Office 2000 has been routinely written about in PC Mags and such for well over 2 years.
Great topic to bring up- I enjoyed reading this- Sorry can't add anything other then rumor or specalation so I won't add anything.
Heath, the fact is that they are going to start to use a mechanism in the new version. what we do not know yet how this is going to be implemented and what consequences this will bring. and IMHO this will be implemented from the register. as it has been already done with CD key for Microsoft and names etc. It would be encripted in the register. It will not be as easy as saving it in a file. I do not believe so. about your PC MAG articles talking about it. They were mostly speculation that were not solid at those moments. just thoughts they had internally in doing which they did not bring. MS will be bringing a new method for many thing. until we see this happen we will know what it is about. now it will be speculations only. but MS will create something different for that. there is a software called HOTDOG 5.0 PRO. HTML program which uses something similar. I do not mean they get into your privacy. but they make sure you are the right owner.
Heathprovost, thanks for the URL. It was pretty much what was expected as we use 6.0 in some items for remote activity.
Istal, as for your comment regarding M$ and Office 2000 and even Windows 2000 for that matter, CD Key verification is a long way from Alexo's question.
His concern, and I quote,
"I've heard that Microsoft can remotely check the registry of Win98 machines connecting to their site to discover info about applications (possibly to detect illegal copies).
I'am interested in the subject because:
1. It is a potential security hole.
2. My company might want to do something something similar.
3. I'm nosy.
Please provide URLs to *technical* information regarding the issue (not anecdotal "MS sues....").
I'd prefer to avoid the legal speculation and focus on whatever facts we can get our hands on.
Does anyone really know what happens when a user upgrades Win98 online?"
1. The issue "is not a security hole"
2. Your company might want to hire an excellent State and Federal law firm to: A. Investigate the issue, B. Issue their legal opinion as to doing so, and C. Glad to hear your nosy, especially regarding these types of issus.
There are no URL's to technical issues as has already been noted here. Frankly the Federal and State issues and the possible ramifications far and away outweigh and possible gain M$ good develop, piracy or not. By their own figures, M$ has already spent in excess of $70 million on the DOJ litigation, do you really believe they would want to risk 10 times that for invasion of privacy issues, constitutional issues as well as a probable further indictment by DOJ, I think not.
If your looking for an opinion (and yes I know what opinions are like), weigh the ramifications against the gains. If M$ had a smooth way of doing this without getting caught, they wouldn't have spent $241 million dollars in the last 2 years to inhibit piracy the way they are.
Lastly, Istal, your no doubt a nice fellow, but your also a dreamer!
Istal, as for your comment regarding M$ and Office 2000 and even Windows 2000 for that matter, CD Key verification is a long way from Alexo's question.
His concern, and I quote,
"I've heard that Microsoft can remotely check the registry of Win98 machines connecting to their site to discover info about applications (possibly to detect illegal copies).
I'am interested in the subject because:
1. It is a potential security hole.
2. My company might want to do something something similar.
3. I'm nosy.
Please provide URLs to *technical* information regarding the issue (not anecdotal "MS sues....").
I'd prefer to avoid the legal speculation and focus on whatever facts we can get our hands on.
Does anyone really know what happens when a user upgrades Win98 online?"
1. The issue "is not a security hole"
2. Your company might want to hire an excellent State and Federal law firm to: A. Investigate the issue, B. Issue their legal opinion as to doing so, and C. Glad to hear your nosy, especially regarding these types of issus.
There are no URL's to technical issues as has already been noted here. Frankly the Federal and State issues and the possible ramifications far and away outweigh and possible gain M$ good develop, piracy or not. By their own figures, M$ has already spent in excess of $70 million on the DOJ litigation, do you really believe they would want to risk 10 times that for invasion of privacy issues, constitutional issues as well as a probable further indictment by DOJ, I think not.
If your looking for an opinion (and yes I know what opinions are like), weigh the ramifications against the gains. If M$ had a smooth way of doing this without getting caught, they wouldn't have spent $241 million dollars in the last 2 years to inhibit piracy the way they are.
Lastly, Istal, your no doubt a nice fellow, but your also a dreamer!
Alexo, I think you have enough Information about this matter and it would be good to have some comments about what you think.
Dew_associates, you sure have a big EGO, and think you know it all that happens around. there is always somebody that knows more about what's going on than you do.
and for sure, you are the last one to know.
Dew_associates, you sure have a big EGO, and think you know it all that happens around. there is always somebody that knows more about what's going on than you do.
and for sure, you are the last one to know.
Well Mr. Istal Youngmann, it's easy sir, just show me your verifiable credentials. I paid a high price for mine in money, time, blood, sweat and tears and I'm damned proud of it. If pride is ego, than I guess your right!
Dennis
Dennis
ASKER
Sorry for the delayed response. My online time is limited (as you can tell from my profile) so I cannot comment immediately.
Dennis, thank you for the valuable information. However, I'd like you to clarify some points please.
>> we do have access to acutal code [...]
Do you have access to the complete source of Win9x, NT and IE? If not, what parts do you have access to?
>> please "PLEASE" read what is being said [...]
The problem is that almost nothing (apart from hype, opinions and headlines) is being said. That's why I asked this question in the first place.
>> When you log on, M$ asks you if you want to have your system checked.
What -is- checked if you agree?
>> You can say no, and you will be shown ALL available updates.
What heppens if you decline? Are there any options that you are consequently blocked from?
>> All of this information is readily available in the M$ knowledge base as well as some of the better on-line support sites.
Could you please give me the relevant KB articles and the URLs of the sites that are considered "better"?
>> Lastly, as to the issue of a back door, these were more commonly referred to in Windows 95 as socket layers.
No Dennis, I'm not talking about socket layers.
>> And yes, in 95 they were there, but M$ didn't realize it until their OS started to fail all over the world because of Internet instrusions, some of which we referred to as "nukes".
The "nukes" were (are?) exploiting holes and weaknesses in the implementation of the TCP/IP protocol suite. I'm referring to a mechanism that is deliberately built into the OS. Something akin to handling a "ping" command but returning actual registry subkey information instead of the acknowledgement.
>> You can obtain this same information via the Freedom of Information Act directly from the US Superintendant of Documents.
Not being a US citizen (or even a resident) makes it a bit hard. A URL will be most helpful.
heathprovost, thanx for the URLs there are some questions though:
First, I'm familiar with the possibilities of an ActiveX control. Using those does limit the user to the choice of just one browser.
What does MS do? Refuse access to the upgrade cite to users of others browsers?
Back to Dennis,
>> 1. The issue "is not a security hole"
Almost everything is a possible security hole. If you tell me that you have checked the source of both Win9x and IE and there is no provision for such mechanism (apart from external plug-ins that the user can decline to install) I will accept it.
>> 2. Your company might want to hire an excellent State and Federal law firm [...]
I see no legal problem in checking licenses online. Lots of products do that (E.g., Oil change). Also, "State and Federal" will not help as we're not in the US and our laws may differ.
Another thing, unless I explicitly state so, I represent only myself and not the company I work for. You can see that it's name is *deliberately* missing from my "expert info" and I only mentioned it once on EE.
Now, a technical question:
Did anybody check what information is read from the registry when an online upgrade is done (using regmon or a similar tool)?
Finally, I would really like to keep this discussion on topic and leave personal attacks out. Thank you.
>> I paid a high price for mine in money, time, blood, sweat and tears [...]
Blood? Is that the new MS policy? What would they ask for next? A kidney?
Dennis, thank you for the valuable information. However, I'd like you to clarify some points please.
>> we do have access to acutal code [...]
Do you have access to the complete source of Win9x, NT and IE? If not, what parts do you have access to?
>> please "PLEASE" read what is being said [...]
The problem is that almost nothing (apart from hype, opinions and headlines) is being said. That's why I asked this question in the first place.
>> When you log on, M$ asks you if you want to have your system checked.
What -is- checked if you agree?
>> You can say no, and you will be shown ALL available updates.
What heppens if you decline? Are there any options that you are consequently blocked from?
>> All of this information is readily available in the M$ knowledge base as well as some of the better on-line support sites.
Could you please give me the relevant KB articles and the URLs of the sites that are considered "better"?
>> Lastly, as to the issue of a back door, these were more commonly referred to in Windows 95 as socket layers.
No Dennis, I'm not talking about socket layers.
>> And yes, in 95 they were there, but M$ didn't realize it until their OS started to fail all over the world because of Internet instrusions, some of which we referred to as "nukes".
The "nukes" were (are?) exploiting holes and weaknesses in the implementation of the TCP/IP protocol suite. I'm referring to a mechanism that is deliberately built into the OS. Something akin to handling a "ping" command but returning actual registry subkey information instead of the acknowledgement.
>> You can obtain this same information via the Freedom of Information Act directly from the US Superintendant of Documents.
Not being a US citizen (or even a resident) makes it a bit hard. A URL will be most helpful.
heathprovost, thanx for the URLs there are some questions though:
First, I'm familiar with the possibilities of an ActiveX control. Using those does limit the user to the choice of just one browser.
What does MS do? Refuse access to the upgrade cite to users of others browsers?
Back to Dennis,
>> 1. The issue "is not a security hole"
Almost everything is a possible security hole. If you tell me that you have checked the source of both Win9x and IE and there is no provision for such mechanism (apart from external plug-ins that the user can decline to install) I will accept it.
>> 2. Your company might want to hire an excellent State and Federal law firm [...]
I see no legal problem in checking licenses online. Lots of products do that (E.g., Oil change). Also, "State and Federal" will not help as we're not in the US and our laws may differ.
Another thing, unless I explicitly state so, I represent only myself and not the company I work for. You can see that it's name is *deliberately* missing from my "expert info" and I only mentioned it once on EE.
Now, a technical question:
Did anybody check what information is read from the registry when an online upgrade is done (using regmon or a similar tool)?
Finally, I would really like to keep this discussion on topic and leave personal attacks out. Thank you.
>> I paid a high price for mine in money, time, blood, sweat and tears [...]
Blood? Is that the new MS policy? What would they ask for next? A kidney?
Alexo, as I pointed out earlier, I have personally went through the online registration process. There is no resistriction put on the user because he/she elected not to allow microsoft to inventory his machine. To my knowledge there are no, I repeat NO, restrictions applied because you elected not to have your system information sent to microsoft. There are restrictions concerning whether you actually registered or not, but once again the system check is COMPLETELY and TOTALLY optional.
Also, about your comment about ActiveX controls. I have not personally seen any, but I do not know of any reason why a similar registry plugin could not be created for netscape. Netscape's plugin arcitecture is just as powerful as ActiveX when it comes to doing API calls.
And I agree there is no legal problem with checking licenses online, but I dont think that is the point. Microsoft openly acknowledges the fact that they collect some information, if the user agrees, from users registering on their Windows98 upgrade site. And as far as what information they are collecting, it IS ONLY a simple list of hardware on the users machine and their CD-key. It is displayed back to you before being sent (I have seen it). The legal problem which would arise would be if Microsoft is somehow collecting regisry information WITHOUT the users knowledge or consent. This is what I thought we were talking about. If Microsoft somehow read the entire HK_USERS_SOFTWARE key from a users registry without his consent, I almost GUARENTEE that a lawsuit would develop from it if it were discovered. Think about it. Although the registry may be a data structure created by Microsoft for their operating system, it is frequently used to store all kinds of unrelated data. This includes private user infromation that Microsoft does not have rights to.
Although I think it is well within their capabilities, I do not think Microsoft would be willing to open themselves up to that kind of legal battle. Maybe I should state my earlier point differently. Microsoft WOULD NOT EVEN IF THEY COULD read data from a users registry without their permission.
Also, about your comment about ActiveX controls. I have not personally seen any, but I do not know of any reason why a similar registry plugin could not be created for netscape. Netscape's plugin arcitecture is just as powerful as ActiveX when it comes to doing API calls.
And I agree there is no legal problem with checking licenses online, but I dont think that is the point. Microsoft openly acknowledges the fact that they collect some information, if the user agrees, from users registering on their Windows98 upgrade site. And as far as what information they are collecting, it IS ONLY a simple list of hardware on the users machine and their CD-key. It is displayed back to you before being sent (I have seen it). The legal problem which would arise would be if Microsoft is somehow collecting regisry information WITHOUT the users knowledge or consent. This is what I thought we were talking about. If Microsoft somehow read the entire HK_USERS_SOFTWARE key from a users registry without his consent, I almost GUARENTEE that a lawsuit would develop from it if it were discovered. Think about it. Although the registry may be a data structure created by Microsoft for their operating system, it is frequently used to store all kinds of unrelated data. This includes private user infromation that Microsoft does not have rights to.
Although I think it is well within their capabilities, I do not think Microsoft would be willing to open themselves up to that kind of legal battle. Maybe I should state my earlier point differently. Microsoft WOULD NOT EVEN IF THEY COULD read data from a users registry without their permission.
BTW, if you want to see the information that is collected and you have acually registered with Microsoft, look in your Windows directory for a files called REGINFO.TXT. This is what is sent to microsoft when you register. Here is the print out of mine (names and information may have been changed to protect the innocent :-)
=== Microsoft Registration Wizard ===
Default First Name = Heath
Default Last Name = Provost
Default Company =
Mailing Address = PO Box 71276
Additional Address =
City = Lafayette
State = LA
ZIP Code = 70519
Country = 0
Daytime Phone = 318-555-3334
Non-MS Products = 0
Product Identification = XXXXX-XXX-XXXXXX-XXXXX
Processor =
Math co-processor =
Total RAM =
Total Disk Space =
Removable Media =
Display Resolution =
Display Color Depth =
Pointing Device =
Network =
Modem =
Sound Card =
CD-ROM =
Operating System =
Include System = 0
Include Products = 0
Application Name = Microsoft Windows 98
OEM Manufacturer =
Version = 3.0.0000
Company Name = Microsoft
ResultPath = SOFTWARE\Microsoft\Windows
Date = 06/13/1998
Language = 1033
E-mail Address = h.provost@notavailable.com
Reseller Name = msdn subscriber
Reseller City = Lafayette
Reseller State = LA
HWID = XXXXXXXXXXXXXXXXXXXXXXXXXX
MSID =
Extension =
Product Inventory 1 =
Product Inventory 2 =
Product Inventory 3 =
Product Inventory 4 =
Product Inventory 5 =
Product Inventory 6 =
Product Inventory 7 =
Product Inventory 8 =
Product Inventory 9 =
Product Inventory 10 =
Product Inventory 11 =
Product Inventory 12 =
Notice Product inventory is all blank, this is because I elected not to give them information on my machines hardware. They will however collect the other info, but keep in mind much of this comes from the online questions, not your system (in particular the e-mail address).
=== Microsoft Registration Wizard ===
Default First Name = Heath
Default Last Name = Provost
Default Company =
Mailing Address = PO Box 71276
Additional Address =
City = Lafayette
State = LA
ZIP Code = 70519
Country = 0
Daytime Phone = 318-555-3334
Non-MS Products = 0
Product Identification = XXXXX-XXX-XXXXXX-XXXXX
Processor =
Math co-processor =
Total RAM =
Total Disk Space =
Removable Media =
Display Resolution =
Display Color Depth =
Pointing Device =
Network =
Modem =
Sound Card =
CD-ROM =
Operating System =
Include System = 0
Include Products = 0
Application Name = Microsoft Windows 98
OEM Manufacturer =
Version = 3.0.0000
Company Name = Microsoft
ResultPath = SOFTWARE\Microsoft\Windows
Date = 06/13/1998
Language = 1033
E-mail Address = h.provost@notavailable.com
Reseller Name = msdn subscriber
Reseller City = Lafayette
Reseller State = LA
HWID = XXXXXXXXXXXXXXXXXXXXXXXXXX
MSID =
Extension =
Product Inventory 1 =
Product Inventory 2 =
Product Inventory 3 =
Product Inventory 4 =
Product Inventory 5 =
Product Inventory 6 =
Product Inventory 7 =
Product Inventory 8 =
Product Inventory 9 =
Product Inventory 10 =
Product Inventory 11 =
Product Inventory 12 =
Notice Product inventory is all blank, this is because I elected not to give them information on my machines hardware. They will however collect the other info, but keep in mind much of this comes from the online questions, not your system (in particular the e-mail address).
Another way to look at it:
You purchased a license to use programs that belong to the software developer. Why shouldn't they be allowed to collect information about who uses it and on what type of equipment?
If that info is in the registry, (created by them) then perhaps the registry is not the safest place for your treasured private details. If you are unwilling to grant access to this information, then you should safegaurd it. Surely you don't leave money lying around to be picked up by others who might happen along. If you have information that you'd like to remain private, why not treat it as you would treat other valuables that you own?
Don't know how? Then consider: "CAVEAT EMPTOR"
Why do consumers always think it is somebody else's responsibility to protect them?
You purchased a license to use programs that belong to the software developer. Why shouldn't they be allowed to collect information about who uses it and on what type of equipment?
If that info is in the registry, (created by them) then perhaps the registry is not the safest place for your treasured private details. If you are unwilling to grant access to this information, then you should safegaurd it. Surely you don't leave money lying around to be picked up by others who might happen along. If you have information that you'd like to remain private, why not treat it as you would treat other valuables that you own?
Don't know how? Then consider: "CAVEAT EMPTOR"
Why do consumers always think it is somebody else's responsibility to protect them?
Alexo, thank you for you response. Don't be concerned about the delay, we all have commitments. I\we concur completely with heathprovosts comments.
As to your questions, I've responded in the order given unless an appropriate response already exists on this page.
<<Do you have access to the complete source of Win9x, NT and IE?>>
Certain of the Win98 core modules are omitted, however for the most part we have about most. Since we supply hardware and software to DOD, we are required to provide certain information for security purposes. The same applies for Windows NT 3.51, 4.0 and 5.0. We have the complete source for all IE 3 and 4 components except for one specific module. If you have access to it, you can read DOD Circular 5980c 3/96 (Software Security Issues) it will detail which components must be made available and which have been excluded for proprietary reasons.
That's why I asked this question in the first place.
Indeed Alexo. Most of what is out there is hype. With varies governments peering into every aspect of OS's, especially those that could pose a security risk, M$ will not risk that problem without complete up front acknowledgement.
<<What -is- checked if you agree?>> See heathprovosts comment.
<<Are there any options that you are consequently blocked from? >>
You won't receive the emergent update notifications, you will have to go looking for them.
<<Could you please give me the relevant KB articles and the URLs of the sites that are considered "better"?>>
Better is a matter of opinion I guess. There are some that you won't be able to reach unless your a developer or OEM, but try these.
http://www.zdnet.com/
http://www.metaplus.com/
http://nt.scbbs.com/cgi-bin/om_isapi.dll?clientID=13009
http://oem.microsoft.com/namerica/default.asp
http://www.microsoft.com/security/default.asp
http://home.att.net/~gunn1/stan.html
http://www.pcworld.com/pcwtoday/
http://www.microsoft.com/TechNet/
<<No Dennis, I'm not talking about socket layers.>>
The last backdoor option in any of the Win source codes were the open socket layers. Aside from the hackers that were nuking people, under agreement with the Dept of Justice and DOD (see circular appendix for above) M$ has certified that no backdoor exists in any of their operating systems.
<<The "nukes" were (are?) exploiting holes and weaknesses in the implementation of the TCP/IP protocol suite. I'm referring to a mechanism that is deliberately built into the OS. Something akin to handling a "ping" command but returning actual registry subkey information instead of the acknowledgement.>>
Were is correct. That has been closed in 95 for some time and effectively eliminated in 98. Of course as long as there are those looking to invade, weaknesses will develop. You cannot simply ping someone and return sensitive data, especially if there is a network and firewalls are implemented.
<<A URL will be most helpful. >>
Sorry guy, can't help you with that. You would have to request, in writing, a specific document.
<<does limit the user to the choice of just one browser.>>
As a follow-up to this question, we run both IE and Netscape together on our machines so we can see what Internet and Intranet pages will look like in both.
<<Refuse access to the upgrade cite to users of others browsers?>>
Hmmm, good question, never thought about it.
<<If you tell me that you have checked the source of both Win9x and IE and there is no provision for such mechanism (apart from external plug-ins that the user can decline to install) I will accept it.>>
As noted above, in order for M$ to be governmentally qualified, they have to certify this.
<<Also, "State and Federal" will not help as we're not in the US and our laws may differ.>>
Not true! If you write software that permits you to invade the security of any system in the US or it's possessions and/or territories, the US will handle the action vis-a-vis governmental inquiry to your courts. This is via international security agreement 1954.
<<Did anybody check what information is read from the registry when an online upgrade is done (using regmon or a similar tool)?>>
See heathprovosts comments.
<<Is that the new MS policy? What would they ask for next? A kidney? >>
The certification process for SE's is extremely difficult, it is not a freebie under any circumstances. It is basically like college used to be. Here, read it, learn it and show us you can apply it. The written tests are easy, it's the application of the technology that is pass or fail. There are no "D" grades.
As to your questions, I've responded in the order given unless an appropriate response already exists on this page.
<<Do you have access to the complete source of Win9x, NT and IE?>>
Certain of the Win98 core modules are omitted, however for the most part we have about most. Since we supply hardware and software to DOD, we are required to provide certain information for security purposes. The same applies for Windows NT 3.51, 4.0 and 5.0. We have the complete source for all IE 3 and 4 components except for one specific module. If you have access to it, you can read DOD Circular 5980c 3/96 (Software Security Issues) it will detail which components must be made available and which have been excluded for proprietary reasons.
That's why I asked this question in the first place.
Indeed Alexo. Most of what is out there is hype. With varies governments peering into every aspect of OS's, especially those that could pose a security risk, M$ will not risk that problem without complete up front acknowledgement.
<<What -is- checked if you agree?>> See heathprovosts comment.
<<Are there any options that you are consequently blocked from? >>
You won't receive the emergent update notifications, you will have to go looking for them.
<<Could you please give me the relevant KB articles and the URLs of the sites that are considered "better"?>>
Better is a matter of opinion I guess. There are some that you won't be able to reach unless your a developer or OEM, but try these.
http://www.zdnet.com/
http://www.metaplus.com/
http://nt.scbbs.com/cgi-bin/om_isapi.dll?clientID=13009
http://oem.microsoft.com/namerica/default.asp
http://www.microsoft.com/security/default.asp
http://home.att.net/~gunn1/stan.html
http://www.pcworld.com/pcwtoday/
http://www.microsoft.com/TechNet/
<<No Dennis, I'm not talking about socket layers.>>
The last backdoor option in any of the Win source codes were the open socket layers. Aside from the hackers that were nuking people, under agreement with the Dept of Justice and DOD (see circular appendix for above) M$ has certified that no backdoor exists in any of their operating systems.
<<The "nukes" were (are?) exploiting holes and weaknesses in the implementation of the TCP/IP protocol suite. I'm referring to a mechanism that is deliberately built into the OS. Something akin to handling a "ping" command but returning actual registry subkey information instead of the acknowledgement.>>
Were is correct. That has been closed in 95 for some time and effectively eliminated in 98. Of course as long as there are those looking to invade, weaknesses will develop. You cannot simply ping someone and return sensitive data, especially if there is a network and firewalls are implemented.
<<A URL will be most helpful. >>
Sorry guy, can't help you with that. You would have to request, in writing, a specific document.
<<does limit the user to the choice of just one browser.>>
As a follow-up to this question, we run both IE and Netscape together on our machines so we can see what Internet and Intranet pages will look like in both.
<<Refuse access to the upgrade cite to users of others browsers?>>
Hmmm, good question, never thought about it.
<<If you tell me that you have checked the source of both Win9x and IE and there is no provision for such mechanism (apart from external plug-ins that the user can decline to install) I will accept it.>>
As noted above, in order for M$ to be governmentally qualified, they have to certify this.
<<Also, "State and Federal" will not help as we're not in the US and our laws may differ.>>
Not true! If you write software that permits you to invade the security of any system in the US or it's possessions and/or territories, the US will handle the action vis-a-vis governmental inquiry to your courts. This is via international security agreement 1954.
<<Did anybody check what information is read from the registry when an online upgrade is done (using regmon or a similar tool)?>>
See heathprovosts comments.
<<Is that the new MS policy? What would they ask for next? A kidney? >>
The certification process for SE's is extremely difficult, it is not a freebie under any circumstances. It is basically like college used to be. Here, read it, learn it and show us you can apply it. The written tests are easy, it's the application of the technology that is pass or fail. There are no "D" grades.
Alexo, I failed to mention the fact that, unless your in the US or Canada, your version of 95, 98 or NT may be different than ours. Further, there will be some updates that will not be the same, especially regarding security issues. Microsoft does check this vis-a-vis the physical address for the IP address you logon through.
ASKER
I've decided to give the points to Dennis but since I have points to spare, I'm posting a dummy question for Heath. Thank you both.
Dennis, thank you for the reply. You may lock the question.
>> Alexo, I failed to mention the fact that, unless your in the US or Canada, your version of 95, 98 or NT may be different than ours.
Indeed. In Israel we had two localized versions of Win95, Hebrew (a particularly buggy piece of junk) and "Hebrew enabled". The situation is a bit better with Win98 and NT4, both have just one localized version.
>> Further, there will be some updates that will not be the same
Could you imagine that *none* of the upgrades is guaranteed to work with the localized version? In fact, most will screw up a system beyond all recognition if applied (without as much as checking the version or anything). To make matters worse, *no* upgrades, patches, service packs or whatever are available for the localized versions.
However, I've heard that NT5 final (aka Win2000) will support all languages without requiring a localized version. Can you confirm?
Dennis, thank you for the reply. You may lock the question.
>> Alexo, I failed to mention the fact that, unless your in the US or Canada, your version of 95, 98 or NT may be different than ours.
Indeed. In Israel we had two localized versions of Win95, Hebrew (a particularly buggy piece of junk) and "Hebrew enabled". The situation is a bit better with Win98 and NT4, both have just one localized version.
>> Further, there will be some updates that will not be the same
Could you imagine that *none* of the upgrades is guaranteed to work with the localized version? In fact, most will screw up a system beyond all recognition if applied (without as much as checking the version or anything). To make matters worse, *no* upgrades, patches, service packs or whatever are available for the localized versions.
However, I've heard that NT5 final (aka Win2000) will support all languages without requiring a localized version. Can you confirm?
ASKER
BTW, Dennis, I'm surprised you mention ZD as one of the "better" sites. As a regular reader of PCMag (we get it at work) I'm not overly impressed...
ASKER
test
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
>> Alexo, unfortunately this is a function of the US State Dept as it applies to security issues.
Dennis, I'm not talking about 40bit vs 128bit security issues, this is a whole new level of incompatibilities.
Dennis, I'm not talking about 40bit vs 128bit security issues, this is a whole new level of incompatibilities.
Hi Alexo.. I'm not talking about 32bit v. 64bit v.128bit either. The often overlooked issue is the tight intergration of modules like IE along with the integrations of different language components. We have seen problems where certain algorithims are omitted or "hardened" for non-US and Canadian systems only to learn that the effect is far reaching, into elements not previously thought to have been effected. M$ will attempt to fix an issue only to learn later that the fix relies on a hardened module. Then they issue a fix (but it's not a fix) it's an additional module to work around the problem. It can be chaotic at times. I understand where your coming from, sometimes it's utter frustration.
BTW: if you want to do it yourself, just create a activex dll or java app which does a user interface trick on a form (a small tree or something else) and include some code using "regconnectregistry" post this info back to.