Lauren (Weinstein) posted the following to the PFIR list. It is also
available on his blog at http://lauren.vortex.com/archive/000184.html

Date: Tue, 27 Jun 2006 09:56:39 -0700 (PDT)
From: pfir@pfir.org

Greetings. Microsoft officials contacted me yesterday to discuss
changes in their Windows Genuine Advantage (WGA) program taking effect
today, and to chat about a variety of other issues related to WGA now
and in the future. There is a particularly significant change related
to the "phone home" Internet activities of WGA that have been so
controversial since my initial report on this topic.
http://lauren.vortex.com/archive/000178.html and multiple linked
entries dated forward from that posting.

In particular, in response to the original controversy, MS has been
widely quoted as saying that they'd reduce the frequency of
WGA-initiated Internet connections from daily, to once every two
weeks, then eventually to zero.

Officials now tell me that this schedule has been accelerated. A new
update of WGA should be appearing in the Windows Update cycle starting
this morning (if it's not there now it should be within a few hours).
It reportedly will be tagged as an optional "high priority" (not
security) update, with a new End User License Agreement (EULA) -- more
on this below.

Here are some details on WGA behavior beginning with this new update,
as explained to me by MS:

If a system has been previously validated (via a visit to the MS
Windows Update or Download Center sites, for example), the new version
(and future versions as now planned) of WGA will attempt some network
activity to report to MS that the new WGA installation was successful
(as per the new EULA). If this connection activity fails, MS says
that for most users there will be no further connection attempts by
WGA.

If a system has not been previously validated, the new version of WGA
will retry as necessary in an attempt to validate, each time the user
logs in (for most people, this means each time that they boot their
system). Once validation has succeeded, these connection attempts
would cease for most users.

There are some Windows license classes that do not have permanent
validations, and that need to be revalidated at intervals. For those
license classes, WGA would begin initiating connection attempts again
when the current license validation period expires. Ordinary consumer
licenses of the sort that most people get with their computers have
permanent validations and do not fall into this category.

While recurring WGA-initiated connections will no longer be taking
place for most users, WGA validation will still occur when users
attempt to update at the Windows Update and Download Center sites.
Non-validated systems, or systems that have had their validations
revoked, may be subject to restrictions previously noted including
inability to download and/or install/execute various non-critical
updates -- or some major packages (e.g. Internet Explorer 7, etc.)
Officials told me that the most restrictions would be on the use of
automatic updates and downloads, with fewer restrictions on actual
update installation procedures, and the fewest restrictions of all
related to program executions (as noted, execution restrictions would
mainly be related to major program releases).

Microsoft considers WGA versions starting from today to no longer be
"prerelease" -- but for now they are still optional. A new EULA is
provided with a more explicit preamble where the user can decide to
accept/reject or read more (a change of this sort was one of my
original recommendations regarding the WGA EULA acceptance procedure).
MS says that users can choose to reject installation of WGA even if it
arrived through Windows Automatic Update.

For persons who wish to remove the prerelease WGA (the one with the
boot/daily Internet connection activity for all users) without
installing the new WGA, I'm told that a link and Knowledge Base
article will be available giving the recommended step-by-step
instructions for this process, and that users can call MS support for
help with this procedure if necessary (without incurring a support
charge).

That's the current situation as I understand it. Since it appears
likely that I'll be having additional contacts with MS related to WGA
issues, I'll continue to report on this topic as appropriate.

In other essays I'll discuss my specific opinions regarding the
implications and other issues relating to these kinds of
authentication environments.

--Lauren--
Lauren Weinstein
lauren@vortex.com or lauren@pfir.org
Tel: +1 (818) 225-2800
http://www.pfir.org/lauren
Co-Founder, PFIR
- People For Internet Responsibility - http://www.pfir.org
Co-Founder, IOIC
- International Open Internet Coalition - http://www.ioic.net
Moderator, PRIVACY Forum - http://www.vortex.com
Member, ACM Committee on Computers and Public Policy
Lauren's Blog: http://lauren.vortex.com
DayThink: http://daythink.vortex.com