All Microsoft Updates Phone Home

www.heise-security.co.uk/news/86429

What do you think? Should we be developing strategies to block this kind of unauthorised use of our internet connections?

Suppose from a security point of view this could be classed as a back channel that is leaking information out of the corporation/company.

On the other hand, if ya have nothing to hide it shouldn't be an issue. Suppose it does depend on what M$ is actually doing with the data that its collecting ? Is it just collecting it as stat's to know how much pirated stuff is out their or is it more sinister ?

As soon as the Genuine advantage started, we all knew this was going to be going on by the EULA. I'm sure most of us suspected it was going on before anyway.

The article does state:

When the product IDs and product keys found belong to legal software, Microsoft will delete the data right away; only in cases of suspected software piracy will it store the data, the company has said. In the blog, the company once again explicitly states that it does not use the information gathered to identify or contact users.

Without this data stream going back, would the update mechanism work? That is the question. If the EULA says it will be doing this and we then block this information stream, theoretically they could halt the update process as technically we are not fulfilling our part of the bargain we accept when we sign up for genuine advantage.

The update process does save a lot of time wheras before we had to go trawling for updates and installing them manually which was a constant pain. However, it would be nice to see what is being sent back in a readable form. The only thing I have difficulty with is the non MS details being returned. Sure enough make and model of both hardware and software for diagnosis purposes, but certainly not licence keys, etc.

Like the various updates we can select to be downloaded, there should be tick boxes to select which uploads to give them. The MS ones could be greyed out as mandatory uploads but everything else should be optional to us whether we want them to have it or not.

It's as you say, and I think a lot of this stems from the fact that when you buy software you enter into a transaction that's almost without parallel in any other purchasing scenario. For example, suppose you bought a power drill to do a job at home, then discovered as you began to use it that a man was in your garden peeking in at you through your window. "What are you doing there?!" you'd rightly demand, but the reply would be "I'm from the product manufacturer and I'm legally entitled to use your resources to spy on you to make sure you're using our product in accordance with all the terms and conditions imposed on you by paragraph 4 subsection 6 of the agreement you entered into by purchasing it blah blah blah..."
Plus, don't forget that almost all the updates that phone home are fixes, so the inadequacy of the product is being used as a pretext to gather data which, in almost every other purchasing/ownership scenario, would be seen as a gross invasion of privacy.
Or am I just a belligerent, paranoid old luddite?

Or am I just a belligerent, paranoid old luddite?

Who's that behind ya ? LOL

I suppose in a corp environment you still have the use of WSUS to automate the updates. Would a WSUS environment still have this stuff going back to M$ ? I cannot see how that would work if it does ?

I use WSUS in my network and I think there's probably more scope for abuse, as all the PCs report back to the local WSUS Server which stores the info in a database. I haven't actually checked to see what my WSUS server sends back to Microsoft ...