Re: Leaving Techwhirlers

Subject: Re: Leaving Techwhirlers
From: Andrew Plato <gilliankitty -at- yahoo -dot- com>
To: "TECHWR-L" <techwr-l -at- lists -dot- raycomm -dot- com>
Date: Tue, 23 Sep 2003 22:00:41 -0700 (PDT)


"David Neeley" ...

> According to present Microsoft licensing, they think they have a right to know what
> is on your computer "to be sure you're not running unlicensed software products"
> to paraphrase. In addition, according to some people who have claimed to have
> analyzed the byte stream when they have the "auto update" "feature" enabled,
> Microsoft may already be taking advantage of that "right." (This was
> introduced in the Windows 2000 Service Pack 3 and exists in all XP licenses as well).

Could you point out EXACTLY where it says this in the MS EULA.

As for analysis of the byte stream, could you direct me to a web site or some
proof of this analysis. The only proof I found was this article:
http://www.theregister.co.uk/content/4/29519.html

Note the last line of the article.

I did however turn up this statement from Microsoft on their Windows Update
Privacy statement:

------------------------------------------------------------------------

Windows Update Privacy Statement

Windows Update is committed to protecting your privacy. To provide
you with the appropriate list of updates, Windows Update must collect
a certain amount of information from your computer. This information
includes:

  - Operating-system version number
  - Internet Explorer version number
  - Version numbers of other software
  - Plug and Play ID numbers of hardware devices

Windows Update does not collect your name, address, e-mail address,
or any other form of personally identifiable information. The
information collected is used only for the period of time that you
are visiting the site, and is not saved.

To provide you with the best possible service, Windows Update also
tracks and records whether the download and installation of specific
updates succeeded or failed. Windows Update records the ID of the
item that you attempted to download and install, and information
about your operating system version and Internet Explorer version.
The information that is stored cannot be associated with anything
that is unique or personally identifiable about you or your computer.
------------------------------------------------------------------------

I see nothing sinister in that. If they don't know who you are, then how could
ANY information about your machine lead them to you and what you have
installed?

> For corporations or other organizations with a tight information security need,
> this is *not* a minor matter. For example, there have been some rather serious
> questions raised about this by IT directors in the healthcare industry, since
> HIPAA regulations say that sharing information covered under that law is
> subject to both civil and criminal penalties. While Microsoft may be relatively
> benign, there is simply no guarantee or limit to the information they may
> extract in this manner.

The HIPAA regulations state that sharing CONFIDENTIAL information with third
parties must be secured and encryption used in transmission. HIPAA mandates
that organizations dealing with sensitive and confidential information, namely
patient data, must use certain measures to secure that data. Updating a PC
with patches does not transmit ANY patient or confidential data, therefore
there isn't any security risk.

> FYI, this is a real concern not only in the healthcare field but for defense
> contractors and others whose computers contain highly sensitive information.
> Besides, experience teaches that if such a facility exists in Windows, it can
> likely be exploited by people more sinister than Microsoft (can anybody say
> "Swen"??).

Yes. This is true. This is why Microsoft created a Software Update Services
that can be run internally and secured.

Read up on it:
http://www.microsoft.com/windows2000/windowsupdate/sus/default.asp

SUS allows a company to centralize and secure the deployment of security
patches. A central, internal machine downloads a catalog of all the patches for
Windows products. Then, workstations and servers within the domain download
their updates - automatically - from the secured, internal machine. No
workstation level information is shared with MS EVER.

I've deployed about a dozen of these systems. They work very well. If you're
concerned about it, encourage your IT department to look into deploying an SUS
infrastructure. And make sure they do it right and secure access SPECIFICALLY
to the right domains.

> Please, therefore, try to be understanding that it may not be that an IT organization is
> "anal" at all, but merely competent.

Disallowing Windows Update makes some sense - IF the organization has a
controlled patching process. If they don't, then disabling update does not make
a lot of sense. But, then again - not having control over the infrastructure
doesn't either.

Furthermore, the virus you mention (Swen) has nothing to do with MS. It's a
virus that is masquerading as an update. The "patch" that would stop Swen was
originally released in May of 2001. See:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-020.asp

The way to have stopped Swen would have been to have good antivirus and keep
those signatures updated (incidentally, most AV companies also collect
information about OS and other software installed.)

Andrew Plato
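
Added example, not part of the original message and not Microsoft's code: one way to check that a workstation is actually pointed at the internal update server described above, by auditing the text of a `reg export` of its Windows Update policy key. The host name sus01.corp.example and the .corp.example suffix are constructed for illustration; WUServer, WUStatusServer and UseWUServer are the policy values the Automatic Updates client reads.

```python
import re
from urllib.parse import urlparse

POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"

# Constructed sample: text of a `reg export` of the policy key from one workstation.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"WUServer"="http://sus01.corp.example"
"WUStatusServer"="http://sus01.corp.example"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"UseWUServer"=dword:00000001
'''

def parse_reg(text):
    """Return {key_path_lower: {value_name: value}} from .reg export text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = keys.setdefault(m.group(1).lower(), {})
            continue
        m = re.fullmatch(r'"([^"]+)"=(.*)', line)
        if m and current is not None:
            name, raw = m.groups()
            if raw.startswith("dword:"):
                current[name] = int(raw[6:], 16)
            else:
                current[name] = raw.strip('"')
    return keys

def audit(text, internal_suffix=".corp.example"):
    """List reasons this client would not use the internal update server."""
    keys = parse_reg(text)
    wu = keys.get(POLICY_KEY.lower(), {})
    au = keys.get((POLICY_KEY + r"\AU").lower(), {})
    findings = []
    if au.get("UseWUServer") != 1:
        findings.append("UseWUServer is not 1: client uses public Windows Update")
    for name in ("WUServer", "WUStatusServer"):
        host = urlparse(wu.get(name, "")).hostname or ""
        if not host.endswith(internal_suffix):
            findings.append(f"{name} is missing or not internal: {host or 'unset'}")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_EXPORT) or "client is pinned to the internal update server")
```

An empty result means all three values point the client at the internal server; real exports are usually UTF-16, so decode the file accordingly before passing its text in.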
