It doesn't take a genius to see this is simply a [malware] disaster waiting to happen when someone spoofs the 'updates' .. using P2P-type methods for software patching is beyond asinine.
Want a Windows 10 update? Don't go to Microsoft ... please
Microsoft has slipped out an update to Windows 10 to early testers letting you slurp software updates from others across the internet. The Windows 10 Insider Preview Build 14915 that has gone to testers on its Windows Insider "Fast Ring" comes with Delivery Optimisation broadly enabled. Delivery Optimisation was introduced in …
COMMENTS
-
-
-
Thursday 1st September 2016 15:57 GMT Anonymous Coward
Re: @kraggy
IMHO, this is a disaster waiting to happen.
The bad guys have a brand new attack vector to aim at, one with millions of access points.
When this goes wrong (and it will) will MS fess up and admit that this continuious updates is a dead end and they'll return to the old system of updates
If they don't I am sure that it will trigger a challenge to the EULA in the US that prohibits law suits agains MS for any reason. Then the inevitable class action law suits can begin and proceed to tane MS to the cleaners. Personally, I will be getting the popcorn and the beer in ready for the show to begin.
-
Thursday 1st September 2016 15:27 GMT richardcox13
> this is simply a [malware] disaster waiting to happen
Only if someone manages to break the signing and thus create a replacement file that works as an update with the same signature.
When downloading updates direct from MS today they are downloaded over HTTP, not HTTPS. But the signatures are downloaded on HTTPS and checked against the patches downloaded without a secure channel. This avoids the overhead of encrypting the patches for each client while performing the same content validation a secure channel would given (remember TLS both validates the content came from the correct server and hides the content on the network: the latter is irrelevant in this case as anyone can download the patches already).
-
Thursday 1st September 2016 15:36 GMT Anonymous Coward
@kraggy
"when someone spoofs the 'updates' .. using P2P-type methods for software patching is beyond asinine."
Although true there really is no reason for concern. We've already established that Microsoft's own updates also often manage to break parts of the system, so if this would happen then customers would basically get the experience they've already been expecting anyway.
-
-
Thursday 1st September 2016 21:43 GMT Bluto Nash
It strikes me as more of a "hey, this Torrent thing is pretty neat!"
Delivery Optimization works by breaking a download into small pieces and then determines the best route for delivery.
Unless you can force a client to take the WHOLE THING (hurr hurr), you might have a bit of trouble getting your payload fully delivered.
-
Thursday 1st September 2016 23:49 GMT joed
Has anyone seen it working in the wild?
I'm actually fine with peer distributed updates ... within my LAN only. Sadly, I did no see it working even though my LAN is definitely faster than my "broadband". Now, letting MS off the hook, saturating my upload link and burning through my data caps (however unlikely at my "broadband" speed) is of no interest to me. If anything, I'd like to show MS my appreciation for their constant "improvements" of Windows experience and add towards their bandwidth costs (to make up for the amount of telemetry I'd severely cut across my systems). Heck, I'd be willing to run script up/downloading random bits to OneDrive to help that cause.
-
Friday 2nd September 2016 01:51 GMT a_yank_lurker
@kraggy - morons does as morons do, paraphrasing Forest Gump. Someone will figure out a way to piggyback malware through this. This will make protecting your 'bloat 10 kit very dubious. I do not trust any other user's kit to be clean enough for me to take a download from them. I am not a fan of torrents either.
-
-
-
-
Thursday 1st September 2016 17:52 GMT bombastic bob
"The second thing was to set all network connnections to 'metered'."
seeing as there's no official way to do that with an ETHERNET connection (or a connection within a VM), it's still "a hack" to make it work, and not a simple one from what I've read...
and eventually M-shaft could BREAK THAT ONE as well. It would be JUST LIKE THEM to do that.
-
-
Thursday 1st September 2016 17:22 GMT David 132
Peter, if Windows 10 stays true to form, I suspect you'll get a blink-and-you'll miss it popup that says
"We noticed that you disabled peer-to-peer updates. We've turned them back on for you. You can disable them again for a short time but we'll helpfully switch them back on after ten minutes to prevent you hurting yourself. Because you're too stupid to know what's best for you."
If you think I'm exaggerating... tried turning off Defender lately?
-
-
Thursday 1st September 2016 19:38 GMT David 132
You have to turn the service off to disable Defender....
Yep - I know that, you know that, but for how long will that work? As it is, disabling the WU service is the only way to regain (some) control over automatic updates. We shouldn't have to delve into the innards of the OS just to get it to obey our instructions.
-
Friday 2nd September 2016 07:36 GMT David 132
@john 104: You have to turn the service off to disable Defender....
Also worth mentioning - for the time being, you can also disable it via GPO. I say "for the time being" because Microsoft now seem to be actively deprecating/ignoring more useful GPO switches with each successive update, unless you have the Enterprise or Education SKUs. Lawd bless 'em.
-
-
-
Thursday 1st September 2016 15:32 GMT Fan of Mr. Obvious
What are they not saying...
No way network consumption is the only reason for this, especially since pipes are only getting bigger. I think we are going to get saddled with something new (other than new malware -- which I agree will happen) from BillCo. Could it be that when Bill talked about "products" in his pitches about Common Core that he was planning on delivering "education" in a peer-to-peer fashion? Makes me wonder.
-
Thursday 1st September 2016 15:48 GMT Roland6
Re: What are they not saying...
My misinterpretation of the headline was that MS would not be enlarging their Windows Update infrastructure and might as part of a cost-saving exercise be reducing it. Thus making the whole WUP process longer and less predictable - unless like many file download sites these days you sign up for a subscription....
-
Thursday 1st September 2016 15:59 GMT Fan of Mr. Obvious
Re: What are they not saying...
I certainly see how you get there, but I am not buying it. The excess power behind Azure alone is immense - they are not in any resource danger so the Windows clowns could go ask them how to be efficient if need be. At that, Windows installs, particularly client installs, are not rising at a rate that should be of any added concern.
-
-
Thursday 1st September 2016 18:36 GMT VinceH
Re: What are they not saying...
"I think we are going to get saddled with something new (other than new malware -- which I agree will happen) from BillCo. "
Coming soon!
The new expanded Microsoft Azure Cloud - store your files on just about any random Windows 10 user's computers, and use yours to store other users' files. Unused disc space is wasted disc space, so this new feature is designed to reduce wastage, and increase storage availability in the cloud.
-
-
-
Thursday 1st September 2016 18:02 GMT bombastic bob
Re: How is this a new feature
"This was in the first version of windows 10, and I make sure it's turned off as it kills my network connection at home and work."
So, with the same KINDS of thinking that justified *OBAKACARE* in the USA [i.e. making "healthy people" pay for the "infirm" through strong-arming the young and healthy into BUYING INCREASINGLY EXPENSIVE INSURANCE that they may not actually *WANT*, in order that those with pre-existing conditions (a definite MONEY LOSS for insurers) can be "covered"],
(pause for breath)
*NOW* Micro-Shaft wants to FORCE YOU into PROVIDING THEM BANDWIDTH for the frequent (massive) *FORCED* updates that Win-10-nic is so INFAMOUSLY known for! They are STEALING BANDWIDTH from YOU and from your ISP.
But, THIS way they can SHOVE EVEN MORE "new, shiny" FEATURES
UP YOUR A$$ONTO YOUR COMPUTER, without your consent, without you WANTING them, and so on WITHOUT having to upgrade their OWN infrastructure to deal with the BANDWIDTH.Yeah, JUST LIKE Micro-Shaft to THINK LIKE A SOCIALIST in its company policies. Or would that be *FEEL* [the 'F' word] ???
oh yeah, I turned that "feature" (the 'get updates from the intarwebs' and 'let people on the intarwebs update from your computer' settings) *OFF* as well.
-
Thursday 1st September 2016 20:31 GMT Anonymous Coward
Re: How is this a new feature
*NOW* Micro-Shaft wants to FORCE YOU into PROVIDING THEM BANDWIDTH for the frequent (massive) *FORCED* updates that Win-10-nic is so INFAMOUSLY known for! They are STEALING BANDWIDTH from YOU and from your ISP.
But, THIS way they can SHOVE EVEN MORE "new, shiny" FEATURES UP YOUR A$$ ONTO YOUR COMPUTER, without your consent, without you WANTING them, and so on WITHOUT having to upgrade their OWN infrastructure to deal with the BANDWIDTH.
Well, you're right about that part, not sure WE NEED ALL THE SHOUTING though.
So, with the same KINDS of thinking that justified *OBAKACARE* in the USA [i.e. making "healthy people" pay for the "infirm" through strong-arming the young and healthy into BUYING INCREASINGLY EXPENSIVE INSURANCE that they may not actually *WANT*, in order that those with pre-existing conditions (a definite MONEY LOSS for insurers) can be "covered"],
Nothing to do with this conversation, but BTW, the other alternative would be to have tax increases to pay for universal medical coverage for everyone. Don't like that idea? Well, don't expect Medicare when you get old then (other people's tax money, after all). Don't like the idea of your taxes paying for other people's medical bills? Tell your congresscritter to abolish the VA.
-
-
Thursday 1st September 2016 15:52 GMT Anonymous Coward
Neither good nor bad in principle, I may wait a while.
This is based on a few papers they wrote in the wake of BitTorrent years ago(and covered her on the Reg). It's architecture, like BT, looks sound enough. I may drag my heels a bit and let the research community kick the 1.0 version around. The idea is that you don't trust the chunks you swarm download, and check them as they are being re-assembled, then check the whole file. Since you can't be sure that your not being hit w a Man in the Middle attack anyway, this isn't really that different.
However, a bug in the decoder or validation code (like the several ASN.1 vulns over the years) and your toast. As Microsoft has been a little light on the QC since they dissolved Trustworthy Computing, I will wait until people have beaten that up with a fuzzer for a few months. That will also shake out other unintended consequences. Like when even machines set to ignore the win 10 installer still downloaded 3GB to share it with the other computers that also weren't going to install it, even if they would be left critically low on disk space on their boot volume afterward....
Once we get past the first few forehead slappers, it should be alright though. Those still put off the idea of trusting outsiders can run WSUS and still get some benefit of this on their local network. Or the community can get sick enough of WSUS to make a less retarded FOSS version of it.
-
Thursday 1st September 2016 21:43 GMT Zakhar
Re: Neither good nor bad in principle, I may wait a while.
No, no, it is definitely bad!
And yes, it has already been used by other companies.
Notoriously, the WoW updater (Blizzard - World of Warcraft) is using a BitTorrent client to spread the updates, some of which can weight several gigabytes.
Linux distro (like Ubuntu) also encourages you to use BitTorrent to download an iso, especially when it has just been released and it's a popular milestone such as a LTS version. The big difference here is you are "encouraged" not "forced", to use BT.
The reason behind that is simple : bandwidth and servers are not free.
It is especially true for this kind of updates that provoke "spikes". Everyone wants the update when it's out, the fastest possible. For that you will need a lot a servers and pay a lot of bandwidth, and all that will be used for a very short period of time, and then almost dormant.
But for the user, being forced to update like that is bad.
There is the risk of corruption, but that is well mitigated by the BT protocol itself, and by signing updates. But the downsides are :
- you get your bandwidth eaten, especially at home when you have ADSL, remember that a "good" line has only 1mpbs (this is 128K bytes a second... or 2h30 for 1 GB).
- and most dramatically to be efficient you must open some ports (see the "High ID" issue well known amongst BT/eMule users). And that is IMHO a much bigger risk you are taking. You need just consider some recent CVE such as the one on the TCP stack, to want to avoid having open ports to the world on your machine.
- if you don't open ports, the protocol will still make your machine communicate with other (your machine will use outgoing communication). A blackhat need just pretend he needs some parts of the download to get communications incoming from machine hidden behind NATs, and can operate from then with the same possible flaws.
The problem also comes with the "poprietary" nature of W$.
For open source it is auto-solved. You might have noticed that there are probably several repository of any major Linux distro available in your country. So when you apt-get install, or yum install, you probably hit a repo near you. That is because open source makes it possible, and it is in the interest of ISPs to have their own repo so that they don't need to pay outgoing bandwith when you upgrade your machine.
So yes, as many saw it, M$ is getting rid of the "issue" on its users that will pay for CPU (eg electricity) and bandwidth, and more importantly put the users at risk with more opened TCP communications.
But of course, if you want to go for it, please be my guest!
-
Friday 2nd September 2016 02:02 GMT a_yank_lurker
Re: Neither good nor bad in principle, I may wait a while.
@Zakhar - The key with torrents is user control. Giving one the option of a direct download vs a torrent is reasonable. Personally I have found torrents slower than a direct download for what I have used it for. Plus I am not very thrilled with basic concept behind torrents so I almost always use the direct download. Slurp is not considering that users have different comfort levels with torrenting and some will much prefer a direct download especially for OS updates.
-
-
-
Thursday 1st September 2016 16:24 GMT Pascal Monett
So let's see
Since Windows 1 0, Microsoft has added to the malware attack vector list with QR codes in BSODs, stuffed up their own update system, stuffed thousands upon thousands of users' PCs with flaky updates, and now this.
Congratulations, SatNad, you're really pulling all the stops out to keep the hackers happy !
Win 1 0 : nowhere on my PCs ever.
-
Thursday 1st September 2016 16:39 GMT anoco
This is genius from Microsoft!
Now we won't be able to easily defend against their updates by firewalling a few IPs. It increases their attacking vector a million fold.
Now every IP could be the enemy. Even the Reg could be bombarding us with updates while we read about MS's weekly cock ups. It's genius!