Message-ID: <D025DB869354C9B58441980C@utd65257.utdallas.edu>
Date: Thu, 08 May 2008 10:06:23 -0500
From: Paul Schmehl <pauls@...allas.edu>
To: Darth Jedi <darth.jedi@...ckformoney.com>,
"'J. Oquendo'" <sil@...iltrated.net>, 'Ken Schaefer' <Ken@...penStatic.com>
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: Re: Microsot DID DISCLOSE potential Backdoor
--On Wednesday, May 07, 2008 17:27:18 -0400 Darth Jedi
<darth.jedi@...ckformoney.com> wrote:
> Undisclosed breach of personal privacy, or great tool to thwart criminals?
>
> I'm a bit torn - I think it's great that this tool can be used to help
> identify and stop botnets (who really likes 'em anyway); but at the same
> time, I am not very impressed that Microsoft hid(?) this disclosure from the
> users - packaging the product as a tool to help users with malicious
> software - does it even remove the malicious software or just monitor it? I
> always was a bit confused when I couldn't find an interface for configuring
> my Microsoft supplied Spyware protection! =P
>
Note: "this tool" != MSRT. "This tool" == botnet hunter.
You're comparing apples with oranges. This is precisely the muddying of the
waters that J. Oquendo is seeking to stir up emotions.
> Did anyone really have an idea that the Malicious Software Removal Tool was
> scanning and sending information about their computers & their network usage
> to Microsoft [and honestly - so what if the EULA said something to the likes
> that "we might use some information gathered" - that's so vague, who really
> reads that and thinks "Ok, they are going to be watching all the traffic
> across my network if I install this tool"] - perhaps the fault is to be laid
> at the users' feet - who inherently trust Microsoft - I mean, is that really
> a good idea in the first place?
>
It clearly says that on the download page. It's not Microsoft's fault if you
don't bother to read it.
> I also wonder, these EULAs usually say something to the effect of "this
> information won't be used to personally identify you" - does the EULA of
> MSRT state this, and if so, do botnet owners not count, and if not, we're
> all pretty foolish to be installing it then aren't we?
>
Yes, their web page (I don't see any EULA) states that they don't collect
personally identifiable information. Furthermore, the botnet tool is a
separate tool. The page also states that after the tool is run, it deletes
itself. So, when you are infected with something, the tool will detect and
clean it *and* send some information about the infection back to M$.
I'm willing to bet they still won't know your pants size or where you bank.
--
Paul Schmehl (pauls@...allas.edu)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/