Microsoft Releases Mobile Data Collection Source Code
mikejuk writes "To avoid the problems that Google and Apple have had with collecting WiFi data and privacy issues Microsoft has just released [some of] the source code used in its mobile data collection system. The code shows how the phones that it drives around don't collect any personal data — just WiFi and cell tower identification so that they can be used in geolocation. The source code is a great educational resource but as to proving that Microsoft is doing the right thing it just doesn't work. First off, it isn't complete. Second, who is to say that it is the code used in the phones? That's the point of software — it's easy to change. Now if only we can provoke them to release large chunks of Windows or Windows Phone 7...."
Re: (Score:2)
The problem with most people was never that it was gathering info, but that everyone could access it. If someone stole your phone they'd have a footprint of your life in their hands. They encrypt it now and it's fixed.
Google's data is only accessible if you root the phone... And it'll only send info back and forth if you consent (Basically, if you want to use the geolocation boost you are forced to share your info too).
The issue is not a non issue. There is nothing wrong, in my opinion, in gathering informa
Re:Partial release rings alarm bells (Score:5, Insightful)
Re: (Score:2, Insightful)
Nothing ever will be. If we get full source they will whine that it's in the wrong license or it needs visual studio/windows to compile. Or they will call it useless and whine about that.
Re: (Score:3, Interesting)
Re: (Score:2)
It's very likely Microsoft will never release anything that will satiate people who understand licenses and value freedom. Microsoft likes you to sign crazy NDAs for access to specs and source and ties their own developers' and evangelists' hands.
And yet here they are releasing the code without requiring crazy NDAs [microsoft.com]. That is not to say that they haven't required NDAs in the past (like when they have released the full code for Windows for specialised uses), but that doesn't mean that every time they release some code that it gets tied up in paperwork.
He couldn't hook the WP7 phone he had to the projector like he normally does because Microsoft's legal department took away the cable he had been using for presentations...
Why? Was there an actual legal reason behind this, or did someone just pinch his cable? It seems pretty unlikely that the legal department would prevent them from advertising a released product.
Re: (Score:2)
He couldn't hook the WP7 phone he had to the projector like he normally does because Microsoft's legal department took away the cable he had been using for presentations...
Why? Was there an actual legal reason behind this, or did someone just pinch his cable? It seems pretty unlikely that the legal department would prevent them from advertising a released product.
I believe Windows Phone uses a protected graphics path, similar to the one in Windows Vista & 7, in order to provide DRM so services like Netflix feel all warm & fuzzy that their video content can't be intercepted. Because of this, all phones which are used in demos require a special build of the OS to display on a projector and, no doubt, a special cable recognised by that OS build.
Having said the above, I'm not sure what reason Microsoft would have to reclaim the cable apart from controlling the n
Re: (Score:1)
Somehow I get the feeling a full release of the source code still wouldn't be enough to satiate the nerdy masses.
I disagree. If it can be fully compiled and tested, then there would be no rational place for the "OAMG they have something they're hiding!" argument. OTOH, Microsoft is kind of notorious for only doing their PR stunts half-assed, and this latest one kind of proves it. Even SCO did a better job of convincing Joe Reporter that they truly showed off code/evidence (and let's face it - their attempts were hella laughable at best).
'course, you can still check things WP7-wise as it is now... that is, if you can c
Re: (Score:3)
IMHO, releasing only part of the source code is indeed, like GP said, more dangerous than no release at all. Just that he forgot to mention that it's potentially dangerous in both directions - both to the world at large ("oh look, stuff to test for exploits!"), and to Microsoft ("OAMG they're hiding something! You can't even test what's there without violating a license!").
That is not correct in this case. The problem is that everyone believed the article when they said that this was the code from Windows Phone 7. This is actually the code from Microsoft's vans that collected geolocation data. [engadget.com] (similar to Google's vans that logged everyone's WiFi packets that got them into strife). The fact that they didn't release the entire code is irrelevant because none of us have the binaries with which to compare the source code. Therefore there are also no security problems with them r
Re: (Score:2)
Interesting info, but I'm glad you cleared that up a bit. :)
Re: (Score:3)
You don't even have to use your "feelings", he says it in the next sentence:
Second, who is to say that it is the code used in the phones? That's the point of software — it's easy to change.
"Please give us all your source code! And proof that it's exactly the source code on my phone! And that you didn't push an OTA update! And that you are verifying the MD5 checksum of the source code to the build on my phone! And a UN panel to supervise the foundry in which the hardware md5 check was being performed! And a background check on all the people supervising the foundry to make sure nobody changes the hardware to mis-r
Re: (Score:2)
And that you are verifying the MD5 checksum of the source code to the build on my phone! And a UN panel to supervise the foundry in which the hardware md5 check was being performed!
nah, not enough. md5 is COMPLETELY BROKEN [cert.org]!!!11!
Re: (Score:2, Informative)
Not with comments like "Second, who is to say that it is the code used in the phones?" coming from the person who wrote the summary. You could ship that jackball straight to Redmond, sit him down in front of a workstation at Microsoft, let him review the code himself and press the build button himself, and he'd still think it was a clever ruse on Microsoft's part.
Re: (Score:2)
Somehow I get the feeling a full release of the source code still wouldn't be enough to satiate the nerdy masses.
Satiate?? Really?? Does anything even suggest that we find the phone relevant enough to care? If one had to pick a group most likely to avoid the phone, wouldn't "the nerdy masses" be a good first pick? The phone seems to be targeted at people that perceive Apple and other offerings as too scary and complicated... That's the opposite of the "nerdy" demographic.
Re: (Score:2)
Never mind that you would have to use visual studio to compile it and we all know that secretly inserts backdoors in all software made with it.
Re: (Score:2)
It's better than nothing but does not prove much. MS could release the compilation script that builds that piece of the code to be able to verify that the binary version of these functions is present in WP7
But once again, that code could not be activated at all. Once again, you could offer to recompile that part of the code to insert some profiling. But then, you would know the code is gone through but maybe discarded.
Soon we will have the discussion about trusting trust again (if you don't know, what it is,
Re: (Score:1)
Re: (Score:2)
Somehow I don't think you realize that this is about Microsoft's equivalent of the Google StreetView car and nothing at all to do with the phone. You're not intended to run this code, ever. It's for them to run. What they are doing is, is showing that they're doing it "right" as compared to Google's way of doing it "wrong."
And the funny thing is that in the Google threads there are tons of people who do all sorts of speculation in order to absolve Google, and in the summary of this story they go to all sort
Re: (Score:2)
Without the ability to compile the entire thing for yourself and check the checksums, there is no real way to know that this is the genuine source.
Check the checksums against what?
How much proof do you need? (Score:5, Insightful)
First off, it isn't complete. Second, who is to say that it is the code used in the phones? That's the point of software — it's easy to change.
Blah blah blah. And where's the "REAL" birth certificate??
No amount of proof is enough for some people.
Re: (Score:2)
Re: (Score:1)
Those are quite different. Heck, just giving out source and let users compile it and place it on their own phones would solve this complaint. Sure you have to trust the compiler and the hardware, but that is pretty normal.
Re: (Score:3)
For any non-trivial function it's basically impossible to prove exactly what a computer will do, and once the data leaves the phone to someone's server you can't prove anything. All you have is the company's good word.
Re:How much proof do you need? (Score:4, Insightful)
For any non-trivial function it's basically impossible to prove exactly what a computer will do
Bullshit.
If this were remotely true then closed-source applications couldn't be hacked. How exactly do you think you crack an application which requires a software key or has a DRM requirement? How do you think they jailbreak game consoles with saved games? The magic of coincidence? Of course not. They look at the binary code, see what it's doing, disassemble/decompile what they can, and trap all network I/O and file I/O. If you really want to know what WP7 is doing, you can reverse engineer it. If DRM -- which is specifically designed to be difficult to reverse engineer or circumvent -- if DRM can be understood with just binary access, the behavior of an OS on a phone which lacks this design focus should not be that difficult.
Other than being a goodwill gesture (and arguably opening MS up to fraud lawsuits if they are found to be lying), this release doesn't do much at all. However, given what would happen to MS if the code they release here is found to be anything other than what is actually running, I don't believe that they would risk being so stupid as to release anything but the actual source code. MS is in no position in the mobile marketplace to suffer such a gaffe.
Re: (Score:1)
Not really...no. (Score:2)
Re: (Score:2)
You, sir or madam, are missing the point. Source code alone is meaningless if you can't actually *use* it.
Re: (Score:3)
You, sir or madam, are missing the point. Source code alone is meaningless if you can't actually *use* it.
You made Donald Knuth cry, you big bully.
Re: (Score:2, Offtopic)
I don't have time to compile fricking source codes! I have better things to do, like actually use the software. Besides, Microsoft already compiled it for me.
Re: (Score:2)
Source code alone is meaningless if you can't actually *use* it.
Assuming the code provided is exactly what's used, you can use the source code to do your own code audit. You can see where there might be security problems, see if there's any shady stuff going on, etc.
Of course, this usefulness relies on those first 8 words of my comment.
Re:Big difference. (Score:1)
Do you not see the difference between a potentially but very unlikely faked birth certificate, and a piece of meaningless code which won't compile, is by their own admission incomplete, and can't be tested on working hardware?
How is this insightful? The article was right on the money. This doesn't prove anything.
What a biased piece of garbage article. (Score:5, Insightful)
I don't know how this one made it through the slashdot filters to be published. Mikejuk's posting sounds like conspiracy drivel. What Microsoft did was clearly a good effort to try and show the worry-warts what they're doing, but to expect them to give away the source code to their operating systems is just crazy.. their whole business model is based on traditional closed source software.
Re:What a biased piece of garbage article. (Score:4, Funny)
I don't know how this one made it through the slashdot filters to be published.
You must be new here.
Re: (Score:2)
their whole business model is based on traditional closed source software.
No, their business model is based on vendor lock-in and pricey support contracts. They could publish the source code and it would not harm their business model because the moment someone created a compatible product, they'd be sued for copying the "look and feel". Our patent and copyright system pretty much ensure there will never be competition against Microsoft (or any large business) from this country, European countries, Australia, or most anywhere else they've managed to sucker the government into enac
Re: (Score:3)
Re: (Score:2)
If there is any way any article can be slanted against Microsoft, it will be heralded on Slashdot.
some time ago it was proposed to move slashdot.org to microsoftsuck.com. So far this goal is only partly met [microsoftsucks.de]...
The Point (Score:2)
And here I thought it was about letting the user accomplish something they consider useful. I didn't realize the point of software was to allow you to change it. Silly me.
I work for Microsoft... (Score:5, Informative)
Re: (Score:2)
Yeah, but you're probably a designer or an engineer. Generally, I trust what those people say. It's the executives, lawyers, and (to a somewhat lesser degree) sales and marketing reps I expect to lie through their teeth. That said, I expect the same of any corporate entity. Caveat emptor, indeed.
How DO you know? (Score:5, Insightful)
Good question. Very insightful. But how far do you go?
How would you know that if they released the code that this code is what's really running on your phone? How do you know there isn't a backdoor inserted post compilation?
How do you know that Linux isn't just a shell around an obscenely stenographed copy of Windows? Do you inspect every single line of code that goes into your machine personally? How do you know the code's not kept in a tiny hardware ROM on all modern chipsets and injected into Linux during boot? Do you read them all, personally? Well you should!
The sheeple must know! It's a plot by the Skull and Bones society, the Illuminati and the masons, IE9 has links to stuff they put in our water and Windows mobile uses fillings in your teeth as an antenna so the greys can track you from space. Soylent Windows 7 is people! Oh God in heaven it's PEOPLE! ...
More seriously, yes, it is possible they wouldn't use that actual code in their phones... but Occam suggests they probably do, while Hanlon agrees but clarifies if they aren't it's probably a slightly different version due to that idiot new developer in section 8 that ran the wrong script.
Eventually, at some point, you just have to either accept what someone's saying or accept there's no trust there and move on. Keep in mind it's practically impossible to avoid cell-tower based snooping and tracking, making this whole point useless because the NSA etc don't need your phone to cooperate for them to get what they want.
Re: (Score:2)
How would you know that if they released the code that this code is what's really running on your phone?
RTFA, it's code running on phones they are using for data collection.
who is to say that it is the code used in the phon (Score:2)
When they are sued by privacy groups or federal regulators, they will be able to show to the court that this is the code being used in their phones.
Yeah, sorry, they are not going to prove it to some random joes on the slashdot.
Re: (Score:2)
isn't this an admission that their current method of security, security by obscurity(closed source), isn't as secure as opening up the source?
No, this isn't even about security. It's about saying 'yes we are collecting data, this is the code we are using to collect that data' so people can see what data they are collecting. Had Google done the same thing people would have seen that their code was collecting more information than they said it was.
Re: (Score:2)
isn't this an admission that their current method of security, security by obscurity(closed source), isn't as secure as opening up the source?
No, this isn't even about security. It's about saying 'yes we are collecting data, this is the code we are using to collect that data' so people can see what data they are collecting. Had Google done the same thing people would have seen that their code was collecting more information than they said it was.
So, then it's showing the Open Source has better PRIVACY provability than Closed Source, no?
Re: (Score:2)
isn't this an admission that their current method of security, security by obscurity(closed source), isn't as secure as opening up the source?
No, this isn't even about security. It's about saying 'yes we are collecting data, this is the code we are using to collect that data' so people can see what data they are collecting. Had Google done the same thing people would have seen that their code was collecting more information than they said it was.
So, then it's showing the Open Source has better PRIVACY provability than Closed Source, no?
Perhaps, but that's pointless anyway since you still have to trust that the code the company releases is indeed the code it is running.
Re: (Score:2)
Opening the source would not have prevented Google from inadvertently collecting that information and it won't do anything to help Microsoft not get caught in the same problem.
The difference is that Google used someone else's code whereas Microsoft wrote their own. Neither company actually wants to log everyone's WiFi packets, but it would be far easier for Google to accidentally click a checkbox in a third party app to enable this feature than for Microsoft to accidentally write code to do the same thing.
Both companies had access to their respective source code, and I would argue that in this case it was the closed source code that received more scrutiny. Microsoft would have ac
Re: (Score:2)
here's the WiFi info the code captures:
ObservationGenerator.cs, line 795
- mac address
- signal strength
- infrastructure mode (ad-hoc/infrastructure, etc..)
- 802.11 network type (frequency-hopping/direct-sequencing, etc...)
wifidriverwrapper.cpp, line 339 would seem to imply that they're also only logging visible infrastructure APs.
they could easily have also captured:
- SSID (alphanumeric ID)
- encryption status (WEP/WPA2 enabled/keyed, etc...)
- frequency band/channel #
this is all high-level information from th
Google Wifi (Score:2)
The voyeurs dilemma... (Score:2)
Are you really sure you want to see more? It might harm you in ways you can't imagine.
This just in... (Score:1)