Digital Choke Daynotes

 Tuesday, July 26, 2005       mail    link   the story

Yeah, still hot here. But not humid. (Currently 99 degrees, 24% humidity; at 4:30pm PDT). It does cool off at night into the mid-60's. But hot during the day.

Which is why you're getting this (you could probably substitute any US city name this week):

YOU KNOW YOU ARE IN SACRAMENTO, CALIFORNIA IN JULY WHEN.....

• The birds have to use potholders to pull worms out of the ground.
• The trees are whistling for the dogs.
• The best parking place is determined by shade instead of distance.
• Hot water now comes out of both taps.
• You can make sun tea instantly.
• You learn that a seat belt buckle makes a pretty good branding iron!
• The temperature drops below 95 and you feel a little chilly.
• You discover that in July it only takes 2 fingers to steer your car.
• You discover that you can get sunburned through your car window.
• You actually burn your hand opening the car door.
• You break into a sweat the instant you step outside at 7:30 a.m.
• Your biggest bicycle wreck fear is, "What if I get knocked out and end up lying on the pavement and cook to death?"
• You realize that asphalt has a liquid state.
• The potatoes cook underground, so all you have to do is pull one out and add butter, salt and pepper.
• Farmers are feeding their chickens crushed ice to keep them from laying boiled eggs.
• The cows are giving evaporated milk.
• Ah, what a place to call home.

Now, excuse me while I grab another cold Cherry Kool-Aid.

 Wednesday, July 27, 2005       mail    link   the story

Yesterday, Microsoft started doing checks for a valid copy of Windows (non-pirated) prior to a manual check via Windows Update. The check loads an Activx control that checks your computer for a valid Windows OS serial number. If it's OK, then you get the non-security-related updates. If not, you are given an opportunity to report your illegal copy of Windows.

Which brought about this exchange of information. Dr. Jerry Pournelle recieved a note from one of his Chaos Manor readers (start here on Dr. Pournelle's site; the subject is also covered in his "View" pages for Tuesday and Wednesday) about a story that claimed the information transferred back to Microsoft during this check included:

"The company will scan machines for a variety of information, including product keys or software authorization codes, operating-system version and details on the flow of data between the operating system and other hardware, such as printers."

Not true, as I reported back to Dr. Pournelle in two emails:

All the info that I have found indicates that the "Windows Genuine Advantage" (WGA) program is not as intrusive as indicated by the report from the Globe and Mail link in today's mail. As an example, this quote from The Register:

"To register for the WGA, users just need to visit the Microsoft Download Centre, Windows Update or Microsoft Update. There they will be prompted to download an ActiveX control that checks the authenticity of their Windows software and, if Windows is validated, stores a download key on the PC for future verification."

Although I haven't captured packets during an authentication, the above statement is similar to what I have read at other sites (Infoworld, etc).

Microsoft's WGA site says (in their faq):

" The genuine validation process will collect information about your system, such as Windows product key, PC manufacturer, and operating system version, to determine if Windows is genuine. This process does not collect or send any information that can be used to identify you or contact you. The complete list of information collected in the validation process is shown below:

OEM product key PC Manufacturer OS version PID/SID BIOS info (make, version, date) BIOS MD5 Checksum User Locale (language setting for displaying Windows) System Local (language version of the operating system)"

(link to site is http://www.microsoft.com/genuine )

All my research (so far) indicates that this process is pretty benign, with no personalized information gathered.

For some reason, that email was delayed by his spam filter, so wasn't reported on his site until today.

In the meantime, I did a bit more checking, including actually going through the authentication routine. I didn't check actual packets sent back to Microsoft, but found this information, which I sent in a second letter to Dr. Pournelle:

I tested the new Microsoft "Genuine Windows" by using Windows Update on my computer. The process is quite painless.

For those worried about the information sent, note this link to the Microsoft Privacy Information as part of that valid license check: http://www.microsoft.com/genuine/downloads/PrivacyInfo.aspx?displaylang=en

" Microsoft has commissioned TÜViT, an independent German security auditor to test how well Windows Genuine Advantage Version 1.0 protects customers’ data. TÜV conducted a legal audit of Microsoft’s statements, policies and specifications to set the requirements for a technical audit that determined that the program’s databases, source-code and implementation respect privacy concerns.

"TÜV has confirmed that Microsoft does not collect any personal information or process any data that would allow Microsoft to identify or contact a user. It has also confirmed that Windows Genuine Advantage can for privacy reasons be used safely on a system that processes privacy data and that it does not interfere with any client software other than the operating system, and, therefore, it does not conflict with the relevant European and German data protection laws."

So, I am not worried about any intrusion into my private information with this process. The press report in yesterday's view/mail is not accurate, in my opinion.

Microsoft may do some things incorrectly, but this one looks OK.

I suspect that there was a bit of misunderstanding. The WGA does the checks as detailed above. Microsoft also released the beta of Vista (nee Longhorn, the next new OS). The beta includes, as part of the beta testing process, the ability to send back more detailed error information for analysis by Microsoft. This is similar to the "Dr. Watson"-like info that is sent back to MS when a program causes an error. This information may be a bit more detailed, including info on the software programs and drivers installed on your computer. No personal data is sent.

So the WGA 'flap' that you'll see on Dr. Pournelle's site (which he has agreed is probably a bit of misconception) is no big deal, although some people think that it is intrusive and wrong for MS to determine if you have a legal copy of Windows before it is updated.

My fellow Daynoter Dan Seto mentioned this in his post today.

In my opinion, Microsoft is driving its customers to Linux and Apple by treating them (it's customers) like thieves. As for me, I already dual boot into Linux on a daily basis. As applications for Linux slowly mature, it's just a matter of time until I won't need Windows at all.

And because I stayed home from work today (I had a bit too much spare time...), I sent him this note:

Let's see. Every time I put a key into the car's ignition, the key is checked to see if it is valid. If the key is not valid, then the car won't start. (Car: "hmmm...key inserted...is it a valid key, or are you a thief?" ) And I am denied the use of the car because I have a 'non-authorized' key.

I have no problem with Microsoft checking for a valid copy of Windows. If I want to use Windows, then I should have a properly licensed (purchased) copy of the program. Otherwise, I am a thief, and should be denied the use of the program.

Just like being denied the use of a similar model of car just because my key doesn't work.

As for the information that is transmitted during the validation sequence, this is on the privacy pages of Microsoft' site. (See http://www.microsoft.com/genuine/downloads/PrivacyInfo.aspx?displaylang=en )

"Microsoft has commissioned TÜViT, an independent German security auditor to test how well Windows Genuine Advantage Version 1.0 protects customers’ data. TÜV conducted a legal audit of Microsoft’s statements, policies and specifications to set the requirements for a technical audit that determined that the program’s databases, source-code and implementation respect privacy concerns.

"TÜV has confirmed that Microsoft does not collect any personal information or process any data that would allow Microsoft to identify or contact a user. It has also confirmed that Windows Genuine Advantage can for privacy reasons be used safely on a system that processes privacy data and that it does not interfere with any client software other than the operating system, and, therefore, it does not conflict with the relevant European and German data protection laws."

I got no problem with any of this.

If a user doesn't want to pay for Windows, then there are alternatives.

And Dan replied (hey Dan, hope it's OK to post this...)

When I buy a car, the key comes with it and if I want to remove the lock or rekey the lock I am free to do so without GM's permission. The point being, the car is mine, not GM's and I am free to do with it as I please.

But the larger point, as mentioned in the article, is that this validation process is just part of a larger effort that will control the use of the PC. The example given was not being able to forward email without permission. The article is silent as to who's permission.

But it's as if I would need to get GM's prior permission every time I wanted to start the car!

I realize that in places like China or Russia piracy may be prevalent, but this system isn't targeted only at them.

In the end, I don't think I want to use an operating system that controls me instead of me controlling it. The OS and the applications that run on it are supposed to be tools for me to complete what I want done. When those tools start to get in the way, it becomes my job to find new tools.

So I wrote back (I told you that I had too much spare time today):

The "key" statement (sorry) is in your email: "When I buy a car".

If you are the legal owner of the car, then you (or someone that you give the key to) are authorized to use it.

And if your car ever needs a safety upgrade, as the owner of the car, you are entitled to get the upgrade (safety upgrade). I can't take a "copy" of your car (assuming car-cloning) and also get the safety upgrade. I am not the legal owner of that copied car, and should not expect to get any safety issues fixed on my cloned car.

If GM or Ford decides to offer a tire upgrade (not a safety-recall tire upgrade, i.e. Firestone) to your car for free, they should not have to offer it to un-registered owners. Perhaps safety recalls (security patches) will be offered to all by GM/Ford to anyone that stops by, without ownership checking (which is what Microsoft is offering...security patches for all, product upgrades that are not security-related to registered owners).

The article mentions "technical analysis to gauge the system's invasiveness". This analysis has already been done; see today's entries on Jerry Pournelle's site from me about the information transferred during a legal copy check.

If I want to buy a 'car shell' (computer box) and put my own engine (operating system) in it, then I can do that. Just as you can decide to buy a computer box and put Linux and other non-MS apps.

But I don't think that anyone that has an unregistered copy of Windows or MS-Office should be able to get a free pass on upgrades.

To which Dan said:

I guess I'm not being clear on my "key" point ;)

I don't have problems with MS checking on Windows ownership. I've already done that (when I've downloaded optional utilities). And I don't have problems with them trying to keep piracy down because I paid for my copies and, in any case, as you and I have stated, I can choose another operating system.

The problem I have is with the larger effort to control my PC. I paid for it. It is not leased from MS or Intel. Hence, I don't want anyone telling me whether I can, for example, forward an email or not.

Although the article is silent on any other examples of what MS is allegedly planning regarding DRM, I've heard that hardware locking of media files will debut in the not too distant future. So, for example, if I want to make an MP3 copy of a song from a CD I bought, I couldn't do that. Or if I wanted to record a TV show for viewing later, I couldn't do that either.

Obviously, this whole DRM thing is a big subject to tackle (even if I was at home, which I'm not!). But again, my main point is that registration appears to be just the tip of a much larger iceberg.

Which brings up an interesting subject: the whole DRM thing. That is a bit different (as Dan said). But, again, I (and apparently Dan) don't have a problem with how Microsoft is checking for valid copies of Windows.

As I said ... too much extra time today. But it was fun to discuss this with Dan (his Daynotes site is one of my regular daily stops).