Will Microsoft Track Your Data Through SmartScreen?

The Canadian security researcher Nadim Kobeissi, a known activist against Internet surveillance and the author of Cryptocat, has raised concerns over privacy in Windows 8's defensive feature SmartScreen. Whenever you install an application downloaded from the Internet, SmartScreen gathers information about it and sends that data to Microsoft. In the final, Released to Manufacturing version, "Windows 8 is configured to immediately tell Microsoft about every app you download and install," Kobeissi wrote on his blog.

He also claims that Microsoft's servers aren't secure enough, since they are configured to support SSLv2, which in his view is known to be insecure and easy to intercept. SSLv2 uses the MD5 function for authentication, which is insecure. It also facilitates man-in-the-middle (MITM) attacks, in which the attacker impersonates the server the user believes he is connected to. Kobeissi did not check whether SmartScreen itself actually negotiates SSLv2, but he is already concerned that Microsoft's servers accept it. Ultimately, an attacker could learn which applications a user has installed on their computer. Approximately 14 hours after he published his post, another scan of Microsoft's SmartScreen servers showed that Microsoft had reconfigured them to support only SSLv3 connections.

On the other hand, Rafael Rivera, known for analyzing Microsoft code, calls Kobeissi's post merely a scare piece. Rivera sheds more light on the subject by showing the request in question, the data SmartScreen actually sends. For the programmers among you, it should be easy to read.

<Rq V="1.2">
  <RqT>0</RqT>
  <App>
    <FName>U2FtZUdhbWUuZXhl</FName>
    <FHash>d3ff5939726c9f8fa6e514fb65eb470a1f9ec7a65b2706732a03749226c2520</FHash>
    <Sig>0</Sig>
    <Sz>45056</Sz>
    <M>1</M>
    <SR>100</SR>
  </App>
  <ID>0F98AD9C-D498-42B3-B421-E6C97A8E61E7</ID>
  <G>B68802CA-B396-4773-8FD9-EEECA4DE65D9</G>
  <L>ZW4tVVM=</L>
  <OS>6.2.9200.0.0</OS>
  <I>OS4xMC45MjAwLjE2Mzg0</I>
  <C>10.00.9200.16384</C>
  <DJ>2</DJ>
</Rq>

Rivera goes on to point out two elements in particular: FName and FHash. FName is a Base64-encoded representation of the executable's file name, while FHash is a SHA256 hash of the executable's contents, which lets the service identify a file by what it contains rather than what it is called and so eliminates filename-based false positives.
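To make those two fields concrete, here is a small added Python example (not Rivera's or Microsoft's code) that decodes the Base64 fields of the request shown above and computes the App values for an arbitrary download. The sample request is a constructed copy of the one on the page; which fields are Base64 text is inferred from that sample, and the full SmartScreen schema is not documented here.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Constructed copy of the SmartScreen request Rivera published (values as on the page).
SAMPLE_REQUEST = """<Rq V="1.2">
<RqT>0</RqT>
<App>
<FName>U2FtZUdhbWUuZXhl</FName>
<FHash>d3ff5939726c9f8fa6e514fb65eb470a1f9ec7a65b2706732a03749226c2520</FHash>
<Sig>0</Sig>
<Sz>45056</Sz>
<M>1</M>
<SR>100</SR>
</App>
<ID>0F98AD9C-D498-42B3-B421-E6C97A8E61E7</ID>
<G>B68802CA-B396-4773-8FD9-EEECA4DE65D9</G>
<L>ZW4tVVM=</L>
<OS>6.2.9200.0.0</OS>
<I>OS4xMC45MjAwLjE2Mzg0</I>
<C>10.00.9200.16384</C>
<DJ>2</DJ>
</Rq>"""

# Assumption: these are the fields carried as Base64 text (file name, locale, IE version).
BASE64_FIELDS = ("FName", "L", "I")


def decode_request(xml_text):
    """Return the request's leaf fields as a dict, with Base64 values decoded to text."""
    root = ET.fromstring(xml_text)
    fields = {}
    for el in root.iter():
        if el is root or len(el):  # skip the root and container elements such as <App>
            continue
        text = (el.text or "").strip()
        fields[el.tag] = base64.b64decode(text).decode("utf-8") if el.tag in BASE64_FIELDS else text
    return fields


def app_fields(filename, contents):
    """Build the <App> values for a download: Base64 file name, SHA256 of contents, size."""
    return {
        "FName": base64.b64encode(filename.encode("utf-8")).decode("ascii"),
        "FHash": hashlib.sha256(contents).hexdigest(),
        "Sz": str(len(contents)),
    }
```

Decoding the sample yields FName "SameGame.exe", L "en-US" and I "9.10.9200.16384"; renaming a file changes FName but leaves FHash untouched, which is the point Rivera makes about filename-based false positives.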

In essence, Microsoft could track what you download and install. Rafael Rivera maintains that it is very unlikely Microsoft will ever keep such a database matched to IP addresses. Stories like these certainly inspire fear in anyone in the IT world, yet mostly it is just hot air, and Microsoft will likely address any privacy concerns if they really present a credible threat.

Yet you have the choice, and can turn off SmartScreen whenever you like if it makes you sleep more soundly at night. To do so, just go to the Action Center, Change Windows SmartScreen settings, and click Don’t do anything (turn off SmartScreen).

Article Written by

He's a writer and photographer living in Sweden. Technology, philosophy, and films are some of his other interests. In 2008, Maximilian completed a BA in creative writing in London. So, being a writer has been important to him for a long time -- although he prefers to be called a "storyteller."

Comments

  1. tbsteph says:

    If Smartscreen is such a security danger, where is his concern with IOS? Prime example of a FUD hit piece.

    1. That’s pretty much what we’re suggesting, yes.

  2. I still contend that this kind of information remains relatively benign.

  3. Andrew Jamison says:

    Will “Turn off messages about Windows SmartScreen” actually disable SmartScreen or just disable any notifications generated by it? Given the wording, it seems to be the latter.

    1. I apologize, because that’s actually wrong. This information is from Rivera’s website. In reality, you have an option called “Don’t do anything”. Yes, this will turn off SmartScreen completely, not just the notifications.
      I updated the article accordingly.

      1. Andrew Jamison says:

        No Problem I just was trying to get clarification :)

  4. Tory Wright says:

    I’ve read a few privacy statements and it seems that information is collected anonymously for statistical analysis. It’s likely that keeping databases on individuals would increase the complexity to the point of being cost ineffective.

  5. Ryan White says:

    I do see where people are coming from when it comes to privacy, but given that you can turn the feature off, this is a non-issue. Also, if you don’t like what Microsoft is doing… install another OS.

    1. Mike McCall says:

      Oh ya, like what Linux? That’s uber user-friendly! How about Mac? Pay more and get less! There’s a monopoly here, unless you’re a power-user then you are stuck with it.

  6. I bet you anything that at least 90% of people will turn this feature off. A lot of people are very concerned about their privacy, and with a feature like this, who knows what Microsoft could do with your information.

  7. Uthman Baksh says:

    This can be turned off… right?

  8. Anything private like personal information should ALWAYS be turned off. Didn’t mean to scream there, but security is a must when it comes to personal information like that.

  9. scallawagon says:

    thanks for the info. (what is FUD?)

  10. If it’s a single server (IP), can’t we just block the name/IP and stop it sending information?

  11. Mikemc says:

    Will viruses be able to use SmartScreen to forward data to bad guys? Windows has always had so many holes in its software..