RE: Microsot DID DISCLOSE potential Backdoor

To: "J. Oquendo" <sil@xxxxxxxxxxxxxxx>, "bugtraq@xxxxxxxxxxxxxxxxx" <bugtraq@xxxxxxxxxxxxxxxxx>
Subject: RE: Microsot DID DISCLOSE potential Backdoor
From: Ken Schaefer <Ken@xxxxxxxxxxxxxxxx>
Date: Wed, 7 May 2008 10:12:11 +1000
Accept-language: en-US, en-AU
Acceptlanguage: en-US, en-AU
In-reply-to: <20080506183533.GA26718@xxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <20080504034540.GA35227@xxxxxxxxxxxxxxx> <A0EAC86EA0438A4B906B99BA341589383D4E51D6C8@xxxxxxxxxxxxxxxxxxxxxx> <20080506183533.GA26718@xxxxxxxxxxxxxxx>
Thread-index: AcivqO14xtIuejBjT92HKTg9SiY2EAALSQGw
Thread-topic: Microsot DID DISCLOSE potential Backdoor

>From the April 2008 MSRT EULA (which is the latest I have):

" However, Microsoft may collect and publish aggregated data about the use of 
the software."

For all we know, Microsoft includes a database of signatures of known malware 
files on the removal tool being handed out to law enforcement, and that's the 
only information that's been handed over. Or perhaps Microsoft got the consent 
of specific users to hand information over the 3rd parties? We don't know, 
because we don't have facts.

At the moment all you have is:
a) one PC World article that claims Microsoft has used information gathered 
from the MSRT in the tool handed to law enforcement
b) even assuming that (a) is strictly correct, we don't know what information 
was actually used/included
c) and if the information is aggregate in nature (e.g. names and hashes of 
known malicious files) then it appears to be within the scope of the EULA than 
end users agree to anyway.

The stuff about IP addresses, from my reading of the article, is information 
gathered by law enforcement whilst running this new tool from Microsoft. Not 
information gathered from end users who are running the MSRT.

So, this is why I'm saying that your story's conclusions aren't supported by 
facts in evidence. At the moment it's all speculation. It may, or may not, have 
happened. We just don't know from the information presented to date.

Cheers
Ken


> -----Original Message-----
> From: J. Oquendo [mailto:sil@xxxxxxxxxxxxxxx]
> Sent: Wednesday, 7 May 2008 4:36 AM
> To: Ken Schaefer
> Cc: bugtraq@xxxxxxxxxxxxxxxxx; full-disclosure@xxxxxxxxxxxxxxxxx
> Subject: Re: Microsot DID DISCLOSE potential Backdoor
>
> On Tue, 06 May 2008, Ken Schaefer wrote:
>
> > I'm not sure the facts in evidence support the conclusions reached
> here (sorry, not posting inline as I don't want to address each
> conclusion built upon some other shaky conclusion.
> >
> > From http://support.microsoft.com/kb/890830
> >
> > ======
> >
> > Either I am missing the point of J. Oquendo's post, or the
> conclusions I think he reaches are speculation rather that established.
> >
> > Cheers
> > Ken
> >
>
> Unsure if this made it to the list the first time, therefore I will re-
> take.
> Outside of technical quoting I will lay it out in understandable terms.
> Microsoft DOES NOT NOTIFY THE END USER THAT INFORMATION TAKEN FROM
> THEIR
> MACHINE WILL BE FORWARDED TO ANYONE OUTSIDE OF MICROSOFT.
>
> This *IS NOT* speculation but fact. Since you provided the link for us,
> please go back and specify where Microsoft is telling us the
> information
> they gather from Windows Malicious Software Removal WILL BE sent to
> LAW ENFORCEMENT AGENCIES inside or outside the United States.
>
> Please read the article and the wording:
> http://www.pcworld.com/businesscenter/article/145257/microsoft_botnethu
> nting_tool_helps_bust_hackers.html
>
> /QUOTED
> The software vendor is giving law enforcers access to a special tool
> that keeps tabs on botnets, using data compiled from the 450 million
> computer users who have installed the Malicious Software Removal tool
> that ships with Windows.
> / END QUOTE
>
> Please find me anything in the EULA for WMSR tool that specifies they
> will do as they see fit with data from my machine?
>
> Now what's to stop them from using the same principle in the future:
> We obtained information before, no one cared. RIAA cares to get a
> baseline of how many Windows users have MP3's. Farfetched? I think
> not. What happens a-la AT&T wiretaps where Microsoft decides to say
> obtain whatever information they'd like regardless of telling you
> what they're doing with that information.
>
> So you argue... "Reporting is optional..." It sure is, but what do
> you think the response would be from MS users if MS stated "We will
> send your information to Law Enforcement agents anywhere..."
>
> /QUOTED:
> In February, the Sûreté du Québec used Microsoft's botnet-buster to
> break up a network that had infected nearly 500,000 computers in 110
> countries, according to Captain Frederick Gaudreau, who heads up the
> provincial police force's cybercrime unit.
> / END QUOTE
>
> Missing the part? Its black and white. If MS wasn't using information
> (flawed
> since it's relying on IP) then how did they correlate IP information
> back to law enforcement... OUTSIDE the United States...
>

References:
- Microsot DID DISCLOSE potential Backdoor
  - From: J. Oquendo
- RE: Microsot DID DISCLOSE potential Backdoor
  - From: Ken Schaefer
- Re: Microsot DID DISCLOSE potential Backdoor
  - From: J. Oquendo

Prev by Date: Re: QTOFileManager V 1.0<== Remote File Upload Vulnerability
Next by Date: Re: Microsot DID DISCLOSE potential Backdoor
Previous by thread: Re: Microsot DID DISCLOSE potential Backdoor
Next by thread: Re: Microsot DID DISCLOSE potential Backdoor
Index(es):
- Date
- Thread