I've read the full article and I can understand about the privacy issue that was brought up, why should it be Microsoft's concern what software you choose to install and run?

On the other hand though I think the whole idea of "Smartscreen" is a good idea in that it should (in theory) reduce the number of malicious software from being installed on a Windows 8 computer and thereby reducing the threat of viruses from transferring from one computer to another.

But then again if it doesn't stop someone from installing software with no digital signature from Microsoft then it won't prevent that user's computer from getting infected. Now if only Microsoft could create "Smartuser" instead of "Smartscreen" it would be more effective at reducing the spread of malicious software.

Wouldnt it be easier to maintain a local list of known malicious software that is updated when the system is updated?

Well, MS does have the Malicious Software Removal Tool that is updated every so often, done via Windows Update.

Personally, IMHO, this is something that Homeland Security wanted them to do, and of course they were glad to do it so that they could see what people were using so they could just purchase it like most of the other stuff that they deliver.

woodsmoke

I'm pretty sure MS has a "Smart-User Removal Tool" that runs all the time - of course. If you find it and click on it, it takes you to Distro Watch...

oshunluvr, i literally laughed out loud at your comment.

i give it about a month before 2 things happen.

1. Windows 8 is pirated and can easily be downloaded from a torrent site with smart screen disabled(as well as a convient backdoor for joschmo cracker)

2. Malicous programmers figure out a way to forge the smart screen certificate to allow its program to pass through and set itself and all its friends up to seem legitimate.

oh and im writing this on a vista machine at my friends house. its running slower than the last time i used it so i should probably change my password when i get home.

This is not me bashing windows(i do use it for photoshop), its just the truth.

"Wolf, wolf!"

This feature is not new. It's a further extension of SmartScreen, a reputation service. SmartScreen first checked for known fishing attacks, then included URL checks, and then included checks for downloaded files. BTW, this last bit -- the one that's got Kobeissi's panties in a bunch -- has been around since IE9, so it isn't exactly new. Furthermore, the data is anonymized and not shared. Believe me, the Trustworthy Computing Group, to which I belonged during most of my time at Microsoft, would be all over the IE team if they had not incorporated privacy elements.

Various aspects about the article should give a reader pause. First, he mis-reports how SSL is handled, claiming that SSLv2 will be used. Although the SmartScreen server was mistakenly configured to allow SSLv2 connections, in practice this would never happen. (In fairness, he updated his article after Microsoft fixed the server.) He omits an analysis of the information that's actually collected; once again, he did publish an update. But, and most infuriating, he has to sew just a bit more doubt by raising the quesion about certificate chains. This is a systemic problem with the way heirarchy of trust works, and not at all specific to SmartScreen. This bit, alone, makes me question Kobeissi's motives.

SmartScreen covers only URLs and downloaded programs. Programs installed via other means aren't included in the reputation check. Google and Firefox also perform reputation checking, using an offline database. The tradeoff here is that the database must continually be updated.

Also, Microsoft is now responding to questions regarding the original article. Example at Softpedia.

I knew you would respond and I am glad you did. I'm four years removed from using Windows in any significant way, and since I did not even install VB on this new Acer I, for the first time in 10 years, do not have a copy of Windows handy to check. I figured I'd post the OP to let people know what Kobeissi claims, but I am not aware of his credentials. As I've said before, my grip is with Microsoft's ethics and business practices.


Thanks, Steve, that info is good to know. You're THE voice with Windows experience that I trust.

I was curious about Kobeissi and looked him up: http://en.wikipedia.org/wiki/Nadim_Kobeissi

When I read your original post and the article you referenced, I figured it would be wise to wait a bit for additional material to come to light, as well as find time to do my own research (alas, I've been distracted by a new Roland Fantom G8 I found for, er, a song at Best Buy, haha).

As is mine.

I'm honored.

Welcome back Steve, your absence was noted!

Thanks!

You know, when I'm at home, I'm often on KFN, which has come to feel like another home. But when I'm away -- as I was this week, in SF for a few days -- I feel like I miss both homes: Seattle/family and KFN. I try to keep abreast of goings on here via Tapatalk on my phone, but it isn't the same.

That said, I'm off again tomorrow, back once more to SF, this time for VMworld. Looks like it'll be very interesting. I'm planning to attend as many of the sessions on network virtualization as I can. SDN, FTW!

There is no patch for stupidity.