Date: Thu, 08 May 2008 10:06:23 -0500
From: Paul Schmehl <pauls@...allas.edu>
To: Darth Jedi <darth.jedi@...ckformoney.com>, "'J. Oquendo'" <sil@...iltrated.net>, 'Ken Schaefer' <Ken@...penStatic.com>
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: Re: Microsot DID DISCLOSE potential Backdoor

--On Wednesday, May 07, 2008 17:27:18 -0400 Darth Jedi <darth.jedi@...ckformoney.com> wrote:

> Undisclosed breach of personal privacy, or great tool to thwart criminals?
>
> I'm a bit torn - I think it's great that this tool can be used to help
> identify and stop botnets (who really likes 'em anyway); but at the same
> time, I am not very impressed that Microsoft hid(?) this disclosure from the
> users - packaging the product as a tool to help users with malicious
> software - does it even remove the malicious software or just monitor it? I
> always was a bit confused when I couldn't find an interface for configuring
> my Microsoft supplied Spyware protection! =P
>

Note: "this tool" != MSRT. "This tool" == botnet hunter. You're comparing apples with oranges. This is precisely the muddying of the waters that J. Oquendo is seeking to stir up emotions.

> Did anyone really have an idea that the Malicious Software Removal Tool was
> scanning and sending information about their computers & their network usage
> to Microsoft [and honestly - so what if the EULA said something to the likes
> that "we might use some information gathered" - that's so vague, who really
> reads that and thinks "Ok, they are going to be watching all the traffic
> across my network if I install this tool"] - perhaps the fault is to be laid
> at the users' feet - who inherently trust Microsoft - I mean, is that really
> a good idea in the first place?
>

It clearly says that on the download page. It's not Microsoft's fault if you don't bother to read it.

> I also wonder, these EULAs usually say something to the effect of "this
> information won't be used to personally identify you" - does the EULA of
> MSRT state this, and if so, do botnet owners not count, and if not, we're
> all pretty foolish to be installing it then aren't we?
>

Yes, their web page (I don't see any EULA) states that they don't collect personally identifiable information. Furthermore, the botnet tool is a separate tool. The page also states that after the tool is run, it deletes itself.

So, when you are infected with something, the tool will detect and clean it *and* send some information about the infection back to M$. I'm willing to bet they still won't know your pants size or where you bank.

--
Paul Schmehl (pauls@...allas.edu)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/