Microsoft denies Windows 8 SmartScreen spying

Earlier this week, Nadim Kobeissi posted a report that claimed the SmartScreen feature in Windows 8 allows Microsoft to see every application that is installed by a user and that Microsoft could be collecting that information into one large database. Furthermore, Kobeissi said that SmartScreen uses an "outdated and insecure" security system that could allow a hacker to intercept that data.

Microsoft has now responded to Kobeissi's allegations and, as you might expect, claims that his findings are inaccurate. The Register reports that, according to Microsoft's statement:

We can confirm that we are not building a historical database of program and user IP data. Like all online services, IP addresses are necessary to connect to our service, but we periodically delete them from our logs. As our privacy statements indicate, we take steps to protect our users’ privacy on the backend. We don’t use this data to identify, contact or target advertising to our users and we don’t share it with third parties.

As for the security issue, Kobeissi said that the SmartScreen communications to Microsoft go to a server based on SSLv2.0, which he said is "known to be insecure and susceptible to interception." Microsoft told The Register that it does not in fact use SSLv2.0, and Kobeissi's blog has now been updated to state that Microsoft's servers have been changed to support the SSLv3 protocol.

Even with this change, Kobeissi still seems to be concerned about Windows 8 and its SmartScreen security features. In a post on his Twitter page, he states, "Dear Microsoft: If you don't want someone to seriously, seriously exploit your SmartScreen security, please contact me right now."

Source: The Register


NEOWIN ARTICLE writers,
please stop with all this spam.
all these news stories are just the same as going to "news stations",

please just do proper ones?
please

of course they deny, what else could they do? They have to answer to all the future users and that includes the government.

Kobeissi's blog has now been updated to state that Microsoft's servers have now been changed

This is what is kind of funny, as his blog makes it sound like Microsoft was using SSLv2.0. Even if the older SSLv2.0 was enabled on the servers, if the clients are using SSLv3.0, the whole point is moot, which they obviously were, or it would have broken every copy of Windows out there that reports SmartScreen information about apps and websites.

What kills me is idiots like this complaining about Microsoft using data for security. The SmartScreen technology for 'browsers' has proved to be highly successful, making IE's security best Chrome and Firefox, but that doesn't seem to matter, that it is used to make things more secure and to track down botnets, etc.

It also makes it seem like Microsoft is spying on users, when the whole IDEA of smartscreen is to monitor Web Sites and Downloads that are HARMFUL. If Microsoft does not check potentially risky downloads or web sites; how on earth could they ever find malicious sites and content?

The insane irony to all this is the blogger is a noted Google Chrome and Google fan. Which is a company that MAKES THEIR LIVING BY TRACKING users, and SELLING USER DATA.

Microsoft does not track the data to 'users' nor does Microsoft have it in human readable form, nor does Microsoft use or sell the data.

How can someone complain about security when they are working on supporting Google Chrome in their own projects and recommending Google products?

Not only does Chrome report back to Google, Google is tracking users via ads and other methods, let alone their data mining of GMail and GDrive and G+ and GDocs, and any engineer can do a query and READ any user's content from any of these services at any time, which is impossible with Microsoft's services, as it is not human readable content and is highly encrypted from even their own engineers.

And Google admits their engineers can and DO exercise this ability to read user content.

Google also admits they use it for targeted trend tracking and sell that information along with inside information on financial trends discovered through private emails, and even sell information to countries on their citizens, working as an ad hoc CIA, that has resulted in the tracking and killing of citizens from several African countries.

But ya, Microsoft looking at potentially dangerous downloads to keep users safe is the 'evil' thing....

What a freaking tool.

This guy is nothing more than an attention-whore. He even goes as far as spamming his own little "CRYPTOCAT THREAT MODEL" draft in his Twitter feed.

Nothing more than a little fish wanting to look bigger than he actually is. In arguing against Peter Bright at Ars Technica, he tried taking a swipe at someone with much more experience in the industry and epically failed.

One more and serious reason to avoid Windows 8.

No improvements in gaming, next-level spyware, forced Metro, no Start-Menu, ads on programs on Metro etc.

Win7 will be a few more years on my PC.

PC EliTiST said,
One more and serious reason to avoid Windows 8.
Win7 will be a few more years on my PC.

+1 except when I finish moving to Xubuntu, everything Microsoft will be permanently out of my home. I just find no need for their products anymore.

- No improvements in gaming
Perfection is hard to beat

- next-level spyware
Are you using google or facebook?

- forced Metro
I see metro interface only 2-3 times a day

- no Start-Menu
bothered enough?

- ads on programs on Metro
what's the matter with that?

fenderMarky said,
- No improvements in gaming
Perfection is hard to beat

So Windows 7 is more than enough

fenderMarky said,

- next-level spyware
Are you using google or facebook?

No, but at least i can disable it in windows 7.

fenderMarky said,

- forced Metro
I see metro interface only 2-3 times a day

In windows 7, you saw metro 0 times a day.

fenderMarky said,

- no Start-Menu
bothered enough?

Well, in windows 7, Start menu is present.

fenderMarky said,

- ads on programs on Metro
what's the matter with that?

No metro programs in windows 7.

imho: windows 8 is just a bridge between windows 7 and windows 9.

PC EliTiST said,
One more and serious reason to avoid Windows 8.

No improvements in gaming, next-level spyware, forced Metro, no Start-Menu, ads on programs on Metro etc.

Win7 will be a few more years on my PC.

stick with your windows 7 then.
MS doesn't care what some crummy 14-year-olds that think they know it all think or care about.
grow up please

1. The security they're using is overkill for the actual confidentiality of this information.
2. Microsoft thoroughly sanitizes personal data.
3. The user is clearly presented with options to disable this feature.
4. The feature is doing exactly what it's meant to do. This is like blaming Google for processing your search queries on their server.

Problem?

billyea said,
1. The security they're using is overkill for the actual confidentiality of this information.
2. Microsoft thoroughly sanitizes personal data.
3. The user is clearly presented with options to disable this feature.
4. The feature is doing exactly what it's meant to do. This is like blaming Google for processing your search queries on their server.

Problem?

i like the analogy, well said

fenderMarky said,

Yes... it's Microsoft. And many people think it's cool to blame Microsoft for every reason.


but like who cares even if they were...

what does it matter?

I personally would trust a company that actually sells software and doesn't track use over one that gives it away for free and makes money by selling me advertisements or selling information about me. If MS did sell customer information regarding what Apps are installed by their user base, there would be a rebellion in not just the consumer market, but in the corporate market which is their bread and butter and would doom them. That being said, I think MS knows what is at stake and would not abuse the situation.

Edited by Drewidian, Aug 26 2012, 10:30pm :

So a "researcher" found out that the Windows security feature that "checks files and apps with Microsoft" actually sends info about files and apps to Microsoft...

And, on top of that, they're sending that info using SSLv2 instead of SSLv3...

Have President Obama and the Joint Chiefs of Staff been notified? Heads should roll for this.

thomastmc said,
So a "researcher" found out that the Windows security feature that "checks files and apps with Microsoft" actually sends info about files and apps to Microsoft...

And, on top of that, they're sending that info using SSLv2 instead of SSLv3...

Have President Obama and the Joint Chiefs of Staff been notified? Heads should roll for this.

Actually the researcher made a mistake, as it actually uses SSL3

These people throwing these kinds of allegations around need to be controlled. I'm all for free speech but not when your information is outdated/inaccurate.

drazgoosh said,
These people throwing these kinds of allegations around need to be controlled. I'm all for free speech but not when your information is outdated/inaccurate.

well there's much more than this crap you know.

look all around the internet and on the news, much much bull crap.

A few months ago there was someone here on Neowin (he was an anti-Microsoft person) who was complaining that Microsoft did not do this. That Microsoft should be taking a list of all the programs installed on your computer, sending that list to Microsoft so that they could automatically update your software. And if they didn't do it, then they would need to send a megabyte or two of data to you to notify the system which software needed to be updated, and that would be bad because it would ruin his data cap.

Now we have that very thing being done, and we are seeing people complain that it is a privacy issue.

Damned if you do...

This is a total non issue, why are we still even discussing it? By definition a service like Smartscreen has to send details of what you're installing to some internet based service so it can then provide a safe or not response. Besides, is there a more secure protocol than SSL3 they could be using? (genuine question, I don't know the answer).

TCLN Ryster said,
This is a total non issue, why are we still even discussing it? By definition a service like Smartscreen has to send details of what you're installing to some internet based service so it can then provide a safe or not response. Besides, is there a more secure protocol than SSL3 they could be using? (genuine question, I don't know the answer).

TLS 1.1+

primexx said,

TLS 1.1+

What encryption do banks use when you logon? Isn't that just your browser's SSL capability? Isn't that information more valuable to a hacker than the knowledge that I've just installed Steam onto my PC?

TCLN Ryster said,

What encryption do banks use when you logon? Isn't that just your browser's SSL capability? Isn't that information more valuable to a hacker than the knowledge that I've just installed Steam onto my PC?

well depends what the hacker is looking for, if he (or she) is working for google, they are looking just for that, so they can use steam ads to make your life more "easy" (yes I actually mean annoying) if its Steam they're working for... well etc. etc.

They could also work for the government (ACTA ring a bell?) say you have MP3s stored in an app you've downloaded illegally etc. etc.

^ it can be good for seeing which users have what installed and drawing up a demographic profile on known and best malware targets. this is a big issue.

insanelyapple said,

They both are the same thing.


well maybe, but no. Not at all.

Microsoft makes their money from you. You are their customer.

Google makes their money from companies buying demographic data. You are their product.

insanelyapple said,

They both are the same thing.


Except that Microsoft THOROUGHLY anonymizes your data. If they didn't, and their servers were compromised, leaking gigabytes of confidential business/personal/financial data, every corporation on the planet would go ballistic.
So they have better privacy controls than Google. Because they have to.

insanelyapple said,

They both are the same thing.

there's a difference between being a consumer and being a product.
one buys products and the other gets sold.