Windows Secrets

Windows Secrets Newsletter • Issue 241 • 2010-04-22 • Circulation: over 400,000


Table of contents 
  • Top Story: Hotmail’s social networking busts your privacy
  • Lounge Life: Partitioning’s ongoing role in Windows security
  • Wacky Web Week: Here’s one way to get up the mountain
  • LangaList Plus: Two ways to make ‘self-healing’ Windows setups
  • Perimeter Scan: Custom boot CDs help fix Windows disasters
  • Patch Watch: Oracle releases Java patch earlier than expected

 
Top Story

Hotmail’s social networking busts your privacy

By Woody Leonhard

In its rush to take on Facebook and Google Buzz, Microsoft is now collecting and displaying personal information on your Hotmail page — information you may never have wanted to broadcast.

Exactly how it’s mining this information is something of a mystery, but if you use Hotmail or Windows Live, it’s time to review your privacy settings — lest something you said or did comes back to haunt you.

One user signed in to her Hotmail account recently and was greeted with Microsoft’s new, improved social networking splash page, shown in Figure 1.

Figure 1. When you sign in to Hotmail, you now see the “Today” page with its new social networking format.

What’s wrong with this picture? All three What’s new with your network entries contain potentially embarrassing information that the authors never dreamed would appear on someone else’s Hotmail sign-in page. I speak with authority — I’m one of the contacts.

This looks like a heavy-handed attempt by Microsoft to expand its Windows Live Spaces social networking out to the zillions of people who use Hotmail. A controversial move in a confusing marketplace, it’s reminiscent of the Buzz privacy debacle that got Google into hot water with several governments (as reported in a Deutsche Welle story). In essence, Microsoft is signing you up for a Windows Live Spaces account without your consent.

The new format brings up some disturbing questions: How, for example, does Microsoft come up with a list of your network contacts, when you’ve never created one in the first place? How does Microsoft find the What’s new items — little tidbits of information about those in your network, the network that you didn’t know you had until just now?

Unfortunately, these questions remain unanswered.

Where the ‘what’s new’ list gets its faces

In an e-mail, I asked Microsoft two questions: Where do they get the list of your network contacts that appears on the Hotmail login page? And how do they harvest the content that appears next to each contact?

A Microsoft spokeswoman replied with an e-mail that simply stated:
  • “Hi Woody,

    Please see the Windows Live ‘What’s New’ feed permissions work to answer your questions.

    http://help.live.com/help.aspx?project=wl_spaces&market=en-us&querytype=topic&query=spaces_proc_setprofilepermissions.htm”
(Microsoft doesn’t allow its spokespersons to be identified by name.)

The link goes to instructions on how to set your Spaces profile permissions. Using a tedious procedure described at the end of this story, you can keep Microsoft from divulging some kinds of information. But what you see and what the world sees on your new Hotmail start-up page is the way it’s meant to be.

Even though I don’t know for sure where Microsoft gets its Hotmail content, I can make a few educated guesses.

If you subscribe to Microsoft’s Windows Live Spaces, you have a list of What’s new with your network contacts. Microsoft uses that list to come up with the names that appear on your Hotmail startup screen. If, however, you never signed up for Live Spaces, it looks like MS draws the What’s new information primarily from the people you’ve IM’d using Microsoft Live Messenger. (You can check this by instant-messaging someone new and seeing whether that person then shows up on your Hotmail page.)

It also looks like Microsoft draws the names in the Hotmail What’s new list from your Hotmail contacts. Microsoft has many different contact lists (Hotmail, Messenger, Live Mail, Outlook, Spaces, etc.), and it appears Microsoft’s scheme is to expand its social networking system by combining all these lists. Fortunately, it can’t do that unless you give your consent (and your contacts may have to give their consent as well).

Microsoft also lets you draw names from other social networks such as Facebook, MySpace, LinkedIn, AOL, and others.

How Microsoft finds other ‘what’s new’ content

The What’s new with your network list adds content from blog updates, favorites updates, photos, games, and more — but for the life of me, I have no idea from what specific sources Microsoft mines this material.

This is not a case of paranoia or that I’m anti-social — I have no problem with Facebook, for example. If you stick something on a Facebook wall, you expect the missive to be visible to anybody who wants to look at the wall. That’s part of the social-network deal. But the new Hotmail user home screen goes to another level.

For instance, if you have a Windows Live ID and you add John Smith to your What’s new network, you expect that others in your network will find information on Mr. Smith. That’s cool. But you’d probably be surprised when you discover that someone you casually IM’d six months ago now sees that you and John are buddies.

I’ll give two examples where the source of the new Hotmail content mystifies me. I made a comment on December 11, as shown in Figure 1, but I have no idea where Microsoft found that text. (You won’t find it searching on Google or Bing.) What’s new also says that I commented on Kim’s file — but I have no idea who Kim is. Clicking through on the linked PDF e-book turns up a dead link. By clicking on Kim, I discovered that she is or was a marketing manager at Microsoft Press. But I still have no idea how she ended up as a What’s new link with my name on it.

I’ll readily confess that I don’t recall every I agree button I’ve ever pushed. But I’m reasonably certain I’ve never given Microsoft permission to mash together information about a woman I’ve never heard of and stick it under my name on other people’s Hotmail pages.

Use the Permissions pages to protect yourself

As far as I can tell, a Windows Live ID is necessary for MS to spread potentially embarrassing information about you across the Hotmail sign-in pages of people you barely know. Windows Live IDs have gone by many different names over the years, including @hotmail.com or @live.com e-mail addresses, Windows Live Messenger, MSN Messenger or Windows Messenger ID, Xbox Online ID, Windows Passport or .NET Passport ID, and Microsoft Wallet or Passport or Passport Network ID.

If you have a Windows Live ID and you’re concerned about privacy — as you should be — you can use the permissions pages (and there are many of them) to control exactly what other Hotmail users will see about you. Here’s how:
  • Step 1. Go to the Windows Live sign-in page and sign in with the Windows Live ID that you want to protect.

  • Step 2. At the top of the page, above the masses of advertising, click the Profile link.

  • Step 3. On the Profile page, click the Permissions link. You’ll see a lengthy list of permission options, as shown in Figure 2. I counted 22 different main permissions options, and several of the options have multiple choices.

    Figure 2. A tiny subset of all of the permissions you’re allowed to tweak.

    One of the options — What’s New — includes 16 sub options (see Figure 3). These settings control the What’s new with your network items on the Hotmail login page, but they’re poorly defined — many of the links shown in Figure 3 didn’t lead anywhere.

    Figure 3. The many permissions options for the “What’s New” section of Hotmail have a daunting number of choices.

  • Step 4. Work through the permissions that concern you the most — for example, whether your last name should be displayed. It could take an hour to slog through it all. As far as I can tell, there’s no easy way to simply say, Keep Out.

  • Step 5. When you’re done, click the link in the upper-right corner of the window and sign out.
That’s what you have to go through to keep Microsoft from broadcasting your personal details to people you barely know.

Unless somebody in Redmond shows a little common sense and restraint, this foray into public — and potentially embarrassing — data mining could bring with it legal liabilities.

Given the murkiness of this new social networking scheme, I’d just as soon opt out — if I could only figure out how.

Have more info on this subject? Post your tip in the WS Columns forum.

Woody Leonhard‘s latest books — Windows 7 All-In-One For Dummies and Green Home Computing For Dummies — deliver the straight story in a way that won’t put you to sleep.

 
Lounge Life

Partitioning’s ongoing role in Windows security

By Tracey Capen

The strategies and opinions about dividing a hard drive into multiple partitions are almost as old as the PC itself.

PC technology has changed radically in the past few years, but there are still good reasons to divide up drives into separate compartments — as the following post makes clear.

  • Reprising the question of partitioning Win7

    Lounge member peterg has an old and still-complex question: What’s the current thinking on disk partitioning in this age of Win7, cloud computing, virtual drives? Peterg wanted lots of opinions, and he got his wish.

  • Installing two versions of PowerPoint

    Leon Foot had an unusual request: He’s teaching beginning PowerPoint and wants to have versions 2003 and 2007 installed on his notebook at the same time. Helpful answers from other Loungers include creating a virtual PC and tweaking the Windows registry.

  • Wireless router causing crashes

    Melanie Herron thinks her new Belkin wireless router is causing her computer to crash and asks for help with a STOP error. Josh B has provided the steps Melanie needs to do a Windows memory dump, which Josh might be able to use for advanced troubleshooting.
Interesting questions raised on the Lounge

Lounger Jim Moelk is having difficulty with Microsoft patch KB979683. Paid subscribers to Windows Secrets can find the answer to this and other patch problems in the twice-monthly Patch Watch column.
  • Problem with security update for Windows XP

  • Outlook 2007 Advanced Find printing problem

  • VBA newbie asks a broad question
If you’re not already a Lounge member, use the quick registration form to sign up for free. The ability to post comments and take advantage of other Lounge features is available only to registered members.

If you’re already registered, you can jump right in to today’s discussions in the Lounge.

The Lounge Life column is a digest of the best of the WS Lounge discussion board. Tracey Capen is technical editor of WindowsSecrets.com.

 
Wacky Web Week

Here’s one way to get up the mountain

By Stephanie Small

Snow sports are almost always a fun way to celebrate winter. Skiing or snowboarding — sometimes the hardest part is just getting up the hill.

That’s especially true when a novice takes on the deceptively simple rope tow for the first time. Watch this hilarious video of a newbie skier and his rope-tow technique. It will make you cringe while laughing!


 
LangaList Plus

Two ways to make ‘self-healing’ Windows setups

By Fred Langa

If you want or need free ways to make Windows reset itself to pristine condition after each use, here are two approaches.

With Microsoft’s SteadyState application or a virtual PC snapshot, Windows can start each session completely fresh, perfectly set up, and with no record of any previous activity or changes.


Make a clean ‘copy’ of Windows in seconds

Reader Nancy Todd wants to set up several PCs to revert to a known-good state after each use.
  • “I have a couple of unused machines with XP on them. I would like to be able to use them for one-time use and then during shutdown erase anything that was entered during use, like the PCs I see at the library or in secured networked workstations. Is there a way for a home user to do this on a single machine?”
Absolutely! Microsoft’s free SteadyState (for XP and Vista) does exactly what you want. SteadyState is designed for places such as libraries — to make their highly used and highly abused public PCs self-healing. After each use, SteadyState returns the PC’s software to a known-good condition.

You can grab a copy of SteadyState from Microsoft’s Shared Access download page. Read more about SteadyState in Windows Secrets’ April 8 Top Story.

But there’s a much more environmentally friendly way to do this, if your aim is to build a self-healing setup just for yourself or other private use. Instead of running SteadyState on a separate, standalone and dedicated PC, just fire up a virtual PC inside the machine you use every day.

A virtual PC is a hardware system that’s fully emulated by software and run as an application inside Windows. Inside the virtual PC, you can install and run the OS of your choice, along with other software; you can go online and do just about everything you can do on a real PC.

I use Oracle’s free VirtualBox all the time. To write this column, I’m constantly testing techniques and apps — and sometimes things go badly. So rather than risk my daily-use production system (or wastefully running a bank of separate, standalone test machines), I’ve set up a number of virtual PCs (VPCs) in my machine for testing.

Creating a VPC can take time. It requires a full setup, same as with a real system. But VirtualBox has a handy feature called snapshots — fully functional clones of the virtual system. Setting up one or more snapshots takes only seconds. You can then use the snapshot like a fully functional PC — except that when you’re done, you can simply delete the snapshot along with whatever happened inside it. The original VPC and my production system remain unaffected, ready for another test.

For more information on VirtualBox, check out its online documentation.
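
The snapshot workflow described above can be scripted so that every session starts from the same clean state. This is an added example, not part of the original column or of Oracle's documentation; it uses VBoxManage's snapshot restore to discard a session's changes, and the VM name "xp-kiosk" and snapshot name "clean-baseline" are hypothetical.

```shell
#!/bin/sh
# Added example: start every session of a VirtualBox guest from a known-good
# snapshot. "xp-kiosk" and "clean-baseline" in the usage line are hypothetical.

# VBoxManage binary; overridable so the logic can be exercised without VirtualBox.
VBOX="${VBOX:-VBoxManage}"

# Succeed only if the VM has a snapshot with exactly this name.
# --machinereadable prints lines such as SnapshotName="clean-baseline".
snapshot_exists() {
    "$VBOX" snapshot "$1" list --machinereadable 2>/dev/null |
        awk -F'"' -v want="$2" '/^SnapshotName/ && $2 == want { found = 1 }
                                 END { exit !found }'
}

# Print the VM's current state (running, paused, poweroff, saved, ...).
vm_state() {
    "$VBOX" showvminfo "$1" --machinereadable | awk -F'"' '/^VMState=/ { print $2 }'
}

# Discard whatever happened in the last session and boot from the baseline.
# Returns 2 without touching the VM if the baseline snapshot is missing, so a
# typo in the snapshot name never boots a session that cannot be rolled back.
reset_to_baseline() {
    vm="$1"
    snap="$2"

    if ! snapshot_exists "$vm" "$snap"; then
        echo "refusing to start $vm: snapshot '$snap' not found" >&2
        return 2
    fi

    # A hard power-off is acceptable here: the session state is thrown away.
    case "$(vm_state "$vm")" in
        running|paused)
            "$VBOX" controlvm "$vm" poweroff || return 1
            ;;
    esac

    "$VBOX" snapshot "$vm" restore "$snap" || return 1
    "$VBOX" startvm "$vm" --type gui
}

# Usage: sh reset-vm.sh xp-kiosk clean-baseline
if [ "$#" -eq 2 ]; then
    reset_to_baseline "$1" "$2"
fi
```

Take the baseline once, with the guest shut down in the state you want to return to, using `VBoxManage snapshot xp-kiosk take clean-baseline`.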

Running defragmentation alongside other apps

Andy Conde is cautious about his defrags — and rightly so.

  • “I have an Intel Quad core CPU I720 in my laptop, with 6GB of RAM, running Win7 64-bit.

    This article is part of our paid content. Upgrade your account to see the rest of this article!


 
Perimeter Scan

Custom boot CDs help fix Windows disasters

By Ryan Russell

What do you do when your PC won’t load Windows — or it loads, but you’re locked out?

Panic is the first thing that comes to mind. But a better alternative is to create custom boot CDs to access your files and recover lost passwords.

Different boot CDs for different needs

The boot CD most familiar to Windows users is the installation disc that came with their system. There are, however, many more specialized, third-party boot CDs that help with difficult recovery and maintenance tasks.

For example, the anti-malware rescue CDs produced by AV vendors scan hard drives for malicious code and attempt to remove it. These boot CDs are invaluable when malware renders a Windows machine unusable or unbootable — PCs so hosed that it’s no longer possible to install and use normal anti-malware tools.

That’s just one kind of boot CD. There are many others, and I’ll give you some examples. In particularly difficult cases, you should try multiple types of boot discs to see which works best for you. As I’ve mentioned many times before in this column — multiple tools, multiple scans.

In most cases, you won’t be buying a specialized boot CD but rather making it yourself. You’ll download an image file and burn a disc on a functioning computer. Not too tall an order for most knowledgeable PC users nowadays — especially if you’re a part-time, friends-and-family computer tech.

Recovering lost passwords using boot CDs

For every PC user, there comes a time when you need a password and don’t have it. Someone hands you a computer to use, but no one remembers the password. Someone leaves the company, and you cannot get those critical files off the PC left behind. You’re running the Windows installation CD to perform a repair, and surprise! It asks you for an administrator password you never knew you’d created. I’ve run into all of these problems and more.

In fact, I had a lost-password problem come up recently. I looked at a number of boot CDs used to recover passwords. I started out by checking with my friends on Twitter (@ryanlrussell), asking them to list their favorite password-cracking CDs.

Because I did not fully evaluate each program, I’ll not mention the ones I didn’t care for. But my favorite was backtrack-linux.org’s Linux-based security tools package, BackTrack 4, available free on its download page. In my informal testing, BackTrack 4 was the most-compatible password-cracking app and was also the easiest to use.

Yes, this is a Linux boot CD. In fact, most of the boot CDs available are Linux (or another free Unix) under the hood. This OS has good compatibility with most PC hardware, there is a large set of Linux-based diagnostics and security tools, and it’s free. You could craft a similar boot CD out of Microsoft’s Windows XP Embedded environment, but the company wouldn’t be happy if you gave it away free to all your friends.

To use BackTrack fully, you need to know a bit about Linux. If you’re not familiar with this operating system, a couple of helpful YouTube videos show, step-by-step, how to perform the password-cracking operations. (I’ll assume you know how to download, burn, and boot a BackTrack CD.) The first shows you how to reset a password, if that’s all you need. The second details how to acquire the lost password.

An alternative technique, which I prefer, is to crack passwords in a full Windows environment, using the free Ophcrack application (download page) hosted by SourceForge. This tool is not part of BackTrack but can work with it.

Once you have BackTrack running and the Windows drive mounted, copy the SAM and SECURITY files (found originally in the c:\windows\system32\config directory) to a functioning Windows system and run Ophcrack on the files.

Boot CDs for emergency backups and maintenance

BackTrack 4 has many other tools in addition to password-cracking — far more than I can cover here. You can find a number of tutorials on the BackTrack Web site for these other operations. It makes a good playground if you’d like to learn more about PC security.

With a little experimentation, for example, you can learn how to access almost any file on the failed PC. This offers a way to recover and back up data files before you erase the hard drive and completely reinstall Windows.

A more specialized boot CD I’ve used and recommend is the GParted Live app (info page). GParted’s specialty is drive partition management — use it to copy, expand, and edit partitions.

A word of warning: Since you’re working on live drives, a mistake could potentially erase lots of data. So exercise extreme caution when using apps like GParted. Back up if you can. That said, more than once I’ve had to break out these tools when the data was in such poor shape that I could not back it up cleanly with traditional methods.

Finally, I will also mention that some folks carry Linux around on discs or USB flash drives to boot unknown machines. It lets them run public PCs in a configuration to their liking and with more trust than they’d get with a random, walk-up Windows box.

Have more info on this subject? Post your tip in the WS Columns forum.

The Perimeter Scan column gives you the facts you need to test your systems to prevent weaknesses. Ryan Russell is the Director of Information Security at BigFix Inc., a configuration management company. He moderated the vuln-dev mailing list for three years under the alias “Blue Boar.” He was the lead author of Hack-Proofing Your Network, 2nd Ed., and the technical editor of the Stealing the Network book series.

 
Patch Watch

Oracle releases Java patch earlier than expected

By Susan Bradley

If you thought your Java was fully brewed with last week’s patch, guess again.

After two security researchers revealed a new vulnerability in Oracle’s Java app, the company quickly sent out a surprise update.


Hackers quickly attack Java security flaw

Even though I just told you to install a Java update, now I’m telling you to do it again!

In an unexpected move, Oracle released an update to fix last week’s zero-day vulnerability discussed in Robert Vamosi’s April 15 “In The Wild” article and in an Oracle Sun Developer Network Update Release Notes page.

As noted in Vamosi’s story, Google security researcher Tavis Ormandy publicly released information on a new Java exploit, putting pressure on Oracle to quickly come up with a patch. Hackers have already launched attacks using this vulnerability.

Originally, Sun indicated that it would not release a patch until the next quarterly update. But as reported in an April 15 Metasploit blog, security researcher Ruben Santamarta revealed his version of the Java flaw, putting even more pressure on Oracle to make an earlier release.

This article is part of our paid content. Upgrade your account to see the rest of this article!


YOUR SUBSCRIPTION

The Windows Secrets Newsletter is published weekly on the 1st through 4th Thursdays of each month, plus occasional news updates. We skip an issue on the 5th Thursday of any month, the week of Thanksgiving, and the last two weeks of August and December. Windows Secrets is a continuation of four merged publications: Brian's Buzz on Windows and Woody's Windows Watch in 2004, the LangaList in 2006, and the Support Alert Newsletter in 2008.

Publisher: WindowsSecrets.com, 1218 Third Ave., Suite 1515, Seattle, WA 98101 USA. Vendors, please send no unsolicited packages to this address (readers' letters are fine).

Editor in chief: Tracey Capen. Senior editors: Fred Langa, Woody Leonhard. Copyeditor: Roberta Scholz. Program director: Tony Johnston. Contributing editors: Yardena Arar, Susan Bradley, Scott Dunn, Michael Lasky, Scott Mace, Ryan Russell, Lincoln Spector, Robert Vamosi, Becky Waring. Product manager: Andy Boyd. Advertising director: Eric Gilley.

Trademarks: Microsoft and Windows are registered trademarks of Microsoft Corporation. The Windows Secrets series of books is published by Wiley Publishing Inc. The Windows Secrets Newsletter, WindowsSecrets.com, Support Alert, LangaList, LangaList Plus, WinFind, Security Baseline, Patch Watch, Perimeter Scan, Wacky Web Week, the Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of WindowsSecrets.com. All other marks are the trademarks or service marks of their respective owners.

Copyright © 2012 by WindowsSecrets.com. All rights reserved.