Thoughts on the Windows SmartScreen scare

Important update: My original post failed to address the data in FName and as a result, was slanted towards Microsoft. I have since then, however, re-evaluated the issue and edited the article as such. The original content has been left intact/scratched out for full transparency. This is the first time I've ever hit publish on data I haven't fully checked and I'm extremely disappointed with myself. Sorry I let you down.

So a tinkerer by the name of Nadim Kobeissi wrote a scare piece today, proclaiming Windows SmartScreen was reporting back information about every application you download and install on your machine. Kobeissi, oddly, failed to actually show what this data looked like. So here's what the fuss is about:

<Rq V="1.2">
  <RqT>0</RqT>
  <App>
    <FName>U2FtZUdhbWUuZXhl</FName>
    <FHash>d3ff5939726c9f8fa6e514fb65eb470a1f9ec7a65b2706732a03749226c2520</FHash>
    <Sig>0</Sig>
    <Sz>45056</Sz>
    <M>1</M>
    <SR>100</SR>
  </App>
  <ID>0F98AD9C-D498-42B3-B421-E6C97A8E61E7</ID>
  <G>B68802CA-B396-4773-8FD9-EEECA4DE65D9</G>
  <L>ZW4tVVM=</L>
  <OS>6.2.9200.0.0</OS>
  <I>OS4xMC45MjAwLjE2Mzg0</I>
  <C>10.00.9200.16384</C>
  <DJ>2</DJ>
</Rq>

The only interesting part here is the data contained in the FHash element. This data represents a SHA-256 hash of the executable content (not filename) you ran on your PC. (In this case, I just downloaded and ran a random XNA-based game from Codeplex.)

The interesting nuggets of data here are contained in the FName and FHash elements.

FName contains a base64 encoded representation of the executable file name you downloaded and ran on your PC. In this case, I downloaded and ran a random XNA-based game from Codeplex with a name of SameGame.exe. If you run that through a base-64 encoder, you end up with U2FtZUdhbWUuZXhl.

FHash represents a SHA-256 hash of the executable contents, to eliminate file name-based false positives (think of a game named virus.exe).
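To make the FName/FHash distinction concrete, here is an added example (my own code, not anything from the post or from Microsoft) that decodes a report of the shape shown above and rebuilds one from a file name and its bytes. The element layout follows the captured request; the ID/G/OS/I/C/DJ values in the rebuilt report are placeholders, the sample payload is constructed, and the post does not say what the I element holds, so it is only base64-decoded, not interpreted.

```python
"""Decode / rebuild a SmartScreen-style report to show how FName and FHash
are derived.  Added example; not code from the post or from Microsoft."""
import base64
import hashlib
import xml.etree.ElementTree as ET

# Copied from the report shown in the post (FHash joined onto one line).
PAGE_REPORT = (
    '<Rq V="1.2"><RqT>0</RqT><App><FName>U2FtZUdhbWUuZXhl</FName>'
    "<FHash>d3ff5939726c9f8fa6e514fb65eb470a1f9ec7a65b2706732a03749226c2520</FHash>"
    "<Sig>0</Sig><Sz>45056</Sz><M>1</M><SR>100</SR></App>"
    "<ID>0F98AD9C-D498-42B3-B421-E6C97A8E61E7</ID>"
    "<G>B68802CA-B396-4773-8FD9-EEECA4DE65D9</G><L>ZW4tVVM=</L>"
    "<OS>6.2.9200.0.0</OS><I>OS4xMC45MjAwLjE2Mzg0</I>"
    "<C>10.00.9200.16384</C><DJ>2</DJ></Rq>"
)


def b64_encode(text: str) -> str:
    """Base64 of a UTF-8 string, the encoding used for FName, L and I."""
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def b64_decode(text: str) -> str:
    return base64.b64decode(text).decode("utf-8")


def build_report(file_name: str, content: bytes, locale: str = "en-US") -> str:
    """Build a report with the element layout captured in the post.

    Only FName, FHash, Sz and L are derived from the inputs; every other
    value is a constructed placeholder, not a real SmartScreen value.
    """
    return (
        '<Rq V="1.2"><RqT>0</RqT><App>'
        f"<FName>{b64_encode(file_name)}</FName>"
        f"<FHash>{hashlib.sha256(content).hexdigest()}</FHash>"
        f"<Sig>0</Sig><Sz>{len(content)}</Sz><M>1</M><SR>100</SR></App>"
        "<ID>00000000-0000-0000-0000-000000000000</ID>"
        "<G>00000000-0000-0000-0000-000000000000</G>"
        f"<L>{b64_encode(locale)}</L><OS>0.0.0.0.0</OS>"
        f"<I>{b64_encode('0.0.0.0')}</I><C>0.0.0.0</C><DJ>0</DJ></Rq>"
    )


def decode_report(xml_text: str) -> dict:
    """Return the human-readable view of the fields a report carries."""
    root = ET.fromstring(xml_text)
    app = root.find("App")
    return {
        "file_name": b64_decode(app.findtext("FName")),
        "sha256": app.findtext("FHash"),
        "size": int(app.findtext("Sz")),
        "locale": b64_decode(root.findtext("L")),
        # The post does not say what I holds; it is just base64 text.
        "i_decoded": b64_decode(root.findtext("I")),
        "os_version": root.findtext("OS"),
    }


if __name__ == "__main__":
    print(decode_report(PAGE_REPORT))
    # Constructed stand-in for an executable's bytes; not a real binary.
    payload = b"MZ" + b"\x00" * 62 + b"constructed sample program"
    same = decode_report(build_report("SameGame.exe", payload))
    virus = decode_report(build_report("virus.exe", payload))
    # Same bytes under a different name give the same FHash, which is why
    # the hash, not the name, is what a reputation lookup can key on.
    print(same["sha256"] == virus["sha256"])
```

Running it prints the decoded page report (file name SameGame.exe, locale en-US, and the I element decoding to a version-looking string) and then True, because renaming a file changes FName but leaves FHash untouched.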

So could Microsoft track everything you download and use? No. Yes. But will they? Unlikely.

Microsoft doesn't have hashes of every piece of software out there to match against, nor do Windows SmartScreen users send in enough data (like filenames) to build such a database dynamically. Assuming they retained IP data -- which I seriously doubt they do -- they could possibly determine what types of malware you almost ran. But who cares? It just saved your ass at that point.

Armed with file names, Microsoft could -- in theory -- be building a database matching IP addresses to files downloaded/run, but let's be real -- it's Microsoft. This is the same company that's scared to fart in fear of litigation. (They won't even defend their Metro design language naming for crying out loud.) I expect Microsoft to respond with a statement about how this data is anonymized internally. And if that doesn't relieve the pressure, I expect an update to remove the file name reporting aspect of the service, given malware often mutates and changes file names.

But look, you have the power of choice. You can turn off Windows SmartScreen via Action Center -> Change Windows SmartScreen settings, and subsequently turn off annoying Action Center warnings by clicking Turn off messages about Windows SmartScreen in the same window.