
===========================================================================
           WINDOWS95: IT'S NOT PARANOIA, THEY ARE OUT TO GET YOU
                     Taken from the Risks-Forum Digest
===========================================================================

RISKS-LIST: Risks-Forum Digest  Thursday 18 May 1995  Volume 17 : Issue 13

Date: Wed, 17 May 95 13:44:40 EDT
From: cnorloff@tecnet1.jcte.jcs.mil
Subject: Microsoft plans corporate espionage

Microsoft officials confirm that beta versions of Windows 95 include a
small viral routine called Registration Wizard.  It interrogates every
system on a network gathering intelligence on what software is being run on
which machine.  It then creates a complete listing of both Microsoft's and
competitors' products by machine, which it reports to Microsoft when
customers sign up for Microsoft's Network Services, due for launch later
this year.

"In Short" column, page 88, _Information Week_ magazine, May 22, 1995

The implications of this action, and the attitude of Microsoft to plan such
action, beggar the imagination.

Chris Norloff  cnorloff@tecnet1.jcte.jcs.mil

[Also reported by jyoull@cs.bgsu.edu (Jim) and herzog@uask4it.eng.sun.com
(Brian Herzog - Sun Microsystems, Inc.).  The following analysis was also
sent to RISKS by a contributor who requested anonymity.  PGN]

------------------------------

Date: Wed, 17 May 95 12:22 xxT
From: [identity withheld at submitter's request]
Subject: RISKS in Microsoft's Windows95

Sometime in the latter part of the summer, Microsoft is planning to release
their Windows95 follow-on for Windows 3.1 to the masses.  Whether the
effort required to keep things working after installing the release vs. 
the perceived benefits of Win95 makes the installation a sensible decision
is quite an open question.  Reports from beta testers are indicating that
even for Windows experts, getting their system running again after the
upgrade can be a bad experience, given the wide variety of complex
hardware, drivers, and other components that have been integrated into
Windows 3.1 environments over the years.

For Windows users who are less than experts, the problems risk being even
more serious, with various applications (or even entire systems)
effectively useless without various "tweaks", fixes, new drivers, new
software, etc.  In other words, the backwards compatibility of Win95 in the
real world of people's existing Windows 3.1 installations should be an
issue of grave concern, especially among users concerned about prolonged
downtime.

We may be reaching a stage where the sheer complexity of PC application
software and hardware is making the entire concept of major operating
system upgrades being installed successfully by average users extremely
problematical.  It seems very likely that large numbers of Windows 3.1
users will (or at least should) be extremely cautious about being an early
adopter of Win95.

By the way, here's a new feature announced for Win95 that carries new RISKS
of its own.  Called "AutoPlay", it is apparently a feature of the Win95
CD-ROM driver that allows CD-ROM authors to create a special init file on
the disc that will automatically start running programs from the disc as
soon as a disc is inserted into the CD-ROM drive.  From the descriptions
available so far, there doesn't seem to be a system-wide way to disable
such a feature; you have to remember to hold down the shift key on your
keyboard while inserting the disc to disable it for that particular
insertion (apparently folks with remote keyboards might just be out of
luck!).

What sorts of harm could come from autoloading of CD-ROMs?  Outside of the
obvious malicious applications (don't laugh, CD-ROMs are getting so cheap
to produce that all manner of nasties could be planted on purpose or by
accident), there's the obvious problem that most PC CD-ROM applications
need considerable software and disk support, often involving significant
use of disk space, changes to system-wide configuration and other driver
data, etc.  It is not unusual for these changes to conflict in some manner
with other programs and installations, needing manual intervention.  At
least when you do the installation manually you can stop, look for README
files, etc.  before starting the guts of the install, but if the CD-ROM
fires off on its own there's no telling what might happen.

True, a reasonable CD-ROM author would query the user about this process
rather than running off and starting the install without user input, but
it's probable that many authors who want things to look "slick" won't
bother with this.  In fact, Microsoft seems to be encouraging the "slick"
attitude in their description of this feature.

Another point.  You're about to start seeing music CDs that carry CD-ROM
programs and data on the initial part of the disc before music track 1.  If
such discs tried to make use of the Win95 AutoPlay feature, an unsuspecting
user who stuck the music disc into his or her CD-ROM player planning to
hear only music (lots of PC users play music CDs on their CD-ROM drives
these days) could end up getting a lot more than bargained for.