It doesn't take a genius to see this is simply a [malware] disaster waiting to happen when someone spoofs the 'updates' .. using P2P-type methods for software patching is beyond asinine.
Want a Windows 10 update? Don't go to Microsoft ... please
Microsoft has slipped out an update to Windows 10 to early testers letting you slurp software updates from others across the internet. The Windows 10 Insider Preview Build 14915 that has gone to testers on its Windows Insider "Fast Ring" comes with Delivery Optimisation broadly enabled. Delivery Optimisation was introduced in …
COMMENTS
-
Thursday 1st September 2016 15:57 GMT Anonymous Coward
Re: @kraggy
IMHO, this is a disaster waiting to happen.
The bad guys have a brand new attack vector to aim at, one with millions of access points.
When this goes wrong (and it will) will MS fess up and admit that this continuous updates is a dead end and they'll return to the old system of updates?
If they don't I am sure that it will trigger a challenge to the EULA in the US that prohibits lawsuits against MS for any reason. Then the inevitable class action lawsuits can begin and proceed to take MS to the cleaners. Personally, I will be getting the popcorn and the beer in ready for the show to begin.
-
Thursday 1st September 2016 15:27 GMT richardcox13
> this is simply a [malware] disaster waiting to happen
Only if someone manages to break the signing and thus create a replacement file that works as an update with the same signature.
When downloading updates direct from MS today they are downloaded over HTTP, not HTTPS. But the signatures are downloaded on HTTPS and checked against the patches downloaded without a secure channel. This avoids the overhead of encrypting the patches for each client while performing the same content validation a secure channel would give (remember TLS both validates the content came from the correct server and hides the content on the network: the latter is irrelevant in this case as anyone can download the patches already).
-
Thursday 1st September 2016 15:36 GMT Anonymous Coward
@kraggy
"when someone spoofs the 'updates' .. using P2P-type methods for software patching is beyond asinine."
Although true there really is no reason for concern. We've already established that Microsoft's own updates also often manage to break parts of the system, so if this would happen then customers would basically get the experience they've already been expecting anyway.
-
Thursday 1st September 2016 21:43 GMT Bluto Nash
It strikes me as more of a "hey, this Torrent thing is pretty neat!"
Delivery Optimization works by breaking a download into small pieces and then determines the best route for delivery.
Unless you can force a client to take the WHOLE THING (hurr hurr), you might have a bit of trouble getting your payload fully delivered.
-
Thursday 1st September 2016 23:49 GMT joed
Has anyone seen it working in the wild?
I'm actually fine with peer distributed updates ... within my LAN only. Sadly, I did not see it working even though my LAN is definitely faster than my "broadband". Now, letting MS off the hook, saturating my upload link and burning through my data caps (however unlikely at my "broadband" speed) is of no interest to me. If anything, I'd like to show MS my appreciation for their constant "improvements" of Windows experience and add towards their bandwidth costs (to make up for the amount of telemetry I'd severely cut across my systems). Heck, I'd be willing to run script up/downloading random bits to OneDrive to help that cause.
-
Friday 2nd September 2016 01:51 GMT a_yank_lurker
@kraggy - morons does as morons do, paraphrasing Forrest Gump. Someone will figure out a way to piggyback malware through this. This will make protecting your 'bloat 10 kit very dubious. I do not trust any other user's kit to be clean enough for me to take a download from them. I am not a fan of torrents either.
-
Thursday 1st September 2016 17:52 GMT bombastic bob
"The second thing was to set all network connections to 'metered'."
seeing as there's no official way to do that with an ETHERNET connection (or a connection within a VM), it's still "a hack" to make it work, and not a simple one from what I've read...
and eventually M-shaft could BREAK THAT ONE as well. It would be JUST LIKE THEM to do that.
-
Thursday 1st September 2016 17:22 GMT David 132
Peter, if Windows 10 stays true to form, I suspect you'll get a blink-and-you'll-miss-it popup that says
"We noticed that you disabled peer-to-peer updates. We've turned them back on for you. You can disable them again for a short time but we'll helpfully switch them back on after ten minutes to prevent you hurting yourself. Because you're too stupid to know what's best for you."
If you think I'm exaggerating... tried turning off Defender lately?
-
Thursday 1st September 2016 19:38 GMT David 132
You have to turn the service off to disable Defender....
Yep - I know that, you know that, but for how long will that work? As it is, disabling the WU service is the only way to regain (some) control over automatic updates. We shouldn't have to delve into the innards of the OS just to get it to obey our instructions.
-
Friday 2nd September 2016 07:36 GMT David 132
@john 104: You have to turn the service off to disable Defender....
Also worth mentioning - for the time being, you can also disable it via GPO. I say "for the time being" because Microsoft now seem to be actively deprecating/ignoring more useful GPO switches with each successive update, unless you have the Enterprise or Education SKUs. Lawd bless 'em.
-
Thursday 1st September 2016 15:32 GMT Fan of Mr. Obvious
What are they not saying...
No way network consumption is the only reason for this, especially since pipes are only getting bigger. I think we are going to get saddled with something new (other than new malware -- which I agree will happen) from BillCo. Could it be that when Bill talked about "products" in his pitches about Common Core that he was planning on delivering "education" in a peer-to-peer fashion? Makes me wonder.
-
Thursday 1st September 2016 15:48 GMT Roland6
Re: What are they not saying...
My misinterpretation of the headline was that MS would not be enlarging their Windows Update infrastructure and might as part of a cost-saving exercise be reducing it. Thus making the whole WUP process longer and less predictable - unless like many file download sites these days you sign up for a subscription....
-
Thursday 1st September 2016 15:59 GMT Fan of Mr. Obvious
Re: What are they not saying...
I certainly see how you get there, but I am not buying it. The excess power behind Azure alone is immense - they are not in any resource danger so the Windows clowns could go ask them how to be efficient if need be. At that, Windows installs, particularly client installs, are not rising at a rate that should be of any added concern.
-
Thursday 1st September 2016 18:36 GMT VinceH
Re: What are they not saying...
"I think we are going to get saddled with something new (other than new malware -- which I agree will happen) from BillCo. "
Coming soon!
The new expanded Microsoft Azure Cloud - store your files on just about any random Windows 10 user's computers, and use yours to store other users' files. Unused disc space is wasted disc space, so this new feature is designed to reduce wastage, and increase storage availability in the cloud.
-
Thursday 1st September 2016 18:02 GMT bombastic bob
Re: How is this a new feature
"This was in the first version of windows 10, and I make sure it's turned off as it kills my network connection at home and work."
So, with the same KINDS of thinking that justified *OBAKACARE* in the USA [i.e. making "healthy people" pay for the "infirm" through strong-arming the young and healthy into BUYING INCREASINGLY EXPENSIVE INSURANCE that they may not actually *WANT*, in order that those with pre-existing conditions (a definite MONEY LOSS for insurers) can be "covered"],
(pause for breath)
*NOW* Micro-Shaft wants to FORCE YOU into PROVIDING THEM BANDWIDTH for the frequent (massive) *FORCED* updates that Win-10-nic is so INFAMOUSLY known for! They are STEALING BANDWIDTH from YOU and from your ISP.
But, THIS way they can SHOVE EVEN MORE "new, shiny" FEATURES UP YOUR A$$ ONTO YOUR COMPUTER, without your consent, without you WANTING them, and so on WITHOUT having to upgrade their OWN infrastructure to deal with the BANDWIDTH.
Yeah, JUST LIKE Micro-Shaft to THINK LIKE A SOCIALIST in its company policies. Or would that be *FEEL* [the 'F' word] ???
oh yeah, I turned that "feature" (the 'get updates from the intarwebs' and 'let people on the intarwebs update from your computer' settings) *OFF* as well.
-
Thursday 1st September 2016 20:31 GMT Anonymous Coward
Re: How is this a new feature
> *NOW* Micro-Shaft wants to FORCE YOU into PROVIDING THEM BANDWIDTH for the frequent (massive) *FORCED* updates that Win-10-nic is so INFAMOUSLY known for! They are STEALING BANDWIDTH from YOU and from your ISP.
> But, THIS way they can SHOVE EVEN MORE "new, shiny" FEATURES UP YOUR A$$ ONTO YOUR COMPUTER, without your consent, without you WANTING them, and so on WITHOUT having to upgrade their OWN infrastructure to deal with the BANDWIDTH.
Well, you're right about that part, not sure WE NEED ALL THE SHOUTING though.
> So, with the same KINDS of thinking that justified *OBAKACARE* in the USA [i.e. making "healthy people" pay for the "infirm" through strong-arming the young and healthy into BUYING INCREASINGLY EXPENSIVE INSURANCE that they may not actually *WANT*, in order that those with pre-existing conditions (a definite MONEY LOSS for insurers) can be "covered"],
Nothing to do with this conversation, but BTW, the other alternative would be to have tax increases to pay for universal medical coverage for everyone. Don't like that idea? Well, don't expect Medicare when you get old then (other people's tax money, after all). Don't like the idea of your taxes paying for other people's medical bills? Tell your congresscritter to abolish the VA.
-
Thursday 1st September 2016 15:52 GMT Anonymous Coward
Neither good nor bad in principle, I may wait a while.
This is based on a few papers they wrote in the wake of BitTorrent years ago (and covered here on the Reg). Its architecture, like BT, looks sound enough. I may drag my heels a bit and let the research community kick the 1.0 version around. The idea is that you don't trust the chunks you swarm download, and check them as they are being re-assembled, then check the whole file. Since you can't be sure that you're not being hit with a Man in the Middle attack anyway, this isn't really that different.
However, a bug in the decoder or validation code (like the several ASN.1 vulns over the years) and you're toast. As Microsoft has been a little light on the QC since they dissolved Trustworthy Computing, I will wait until people have beaten that up with a fuzzer for a few months. That will also shake out other unintended consequences. Like when even machines set to ignore the win 10 installer still downloaded 3GB to share it with the other computers that also weren't going to install it, even if they would be left critically low on disk space on their boot volume afterward....
Once we get past the first few forehead slappers, it should be alright though. Those still put off the idea of trusting outsiders can run WSUS and still get some benefit of this on their local network. Or the community can get sick enough of WSUS to make a less retarded FOSS version of it.
-
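The check described in richardcox13's comment and in the "Neither good nor bad in principle" comment above, as an added Python example that is not part of any comment in this thread and is not Microsoft's Delivery Optimisation code: pieces from untrusted peers are accepted only if they match digests from a manifest that arrived over an authenticated channel, and the reassembled file is checked once more. The manifest layout, the peer callables and every name here are assumptions made for the illustration; the payload is constructed.

```python
import hashlib
import hmac

PIECE_SIZE = 8  # constructed; real piece sizes are far larger
UPDATE = b"constructed update payload bytes!"  # 33 bytes: 5 pieces, last one short


def build_manifest(data, piece_size):
    """Publisher side. Assumption: the client gets this over an authenticated
    channel (or signed), so the digests in it are trusted; the pieces are not."""
    pieces = [data[i:i + piece_size] for i in range(0, len(data), piece_size)]
    return {
        "piece_size": piece_size,
        "length": len(data),
        "piece_sha256": [hashlib.sha256(p).hexdigest() for p in pieces],
        "file_sha256": hashlib.sha256(data).hexdigest(),
    }


def piece_ok(manifest, index, piece):
    """Accept a piece only if its length and SHA-256 match the manifest."""
    size = manifest["piece_size"]
    expected_len = min(size, manifest["length"] - index * size)
    if len(piece) != expected_len:
        return False
    digest = hashlib.sha256(piece).hexdigest()
    return hmac.compare_digest(digest, manifest["piece_sha256"][index])


def fetch_update(manifest, peers):
    """Ask peers in turn for each piece; discard anything that fails the check.
    Returns (file_bytes, rejected) where rejected lists (peer, piece_index)."""
    assembled = bytearray()
    rejected = []
    for index in range(len(manifest["piece_sha256"])):
        for name, serve in peers.items():
            piece = serve(index)
            if piece_ok(manifest, index, piece):
                assembled += piece
                break
            rejected.append((name, index))
        else:
            raise ValueError(f"no peer supplied a valid piece {index}")
    # Second check over the whole reassembled file, as the comment describes.
    whole = hashlib.sha256(assembled).hexdigest()
    if not hmac.compare_digest(whole, manifest["file_sha256"]):
        raise ValueError("whole-file digest mismatch")
    return bytes(assembled), rejected


def make_peer(data, piece_size, tamper=(), truncate=()):
    """Constructed peer: serves pieces, optionally corrupting or shortening some."""
    def serve(index):
        piece = bytearray(data[index * piece_size:(index + 1) * piece_size])
        if index in tamper:
            piece[0] ^= 0xFF
        if index in truncate:
            piece = piece[:-1]
        return bytes(piece)
    return serve


def demo():
    manifest = build_manifest(UPDATE, PIECE_SIZE)
    peers = {
        "peer_a": make_peer(UPDATE, PIECE_SIZE, tamper={1}, truncate={4}),
        "peer_b": make_peer(UPDATE, PIECE_SIZE),
    }
    return fetch_update(manifest, peers)


if __name__ == "__main__":
    data, rejected = demo()
    print(data == UPDATE, rejected)
```

The guarantee rests entirely on the manifest being authentic and on the checking code being correct, which is the caveat the comment above raises about bugs in decoders and validation code.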
Thursday 1st September 2016 21:43 GMT Zakhar
Re: Neither good nor bad in principle, I may wait a while.
No, no, it is definitely bad!
And yes, it has already been used by other companies.
Notoriously, the WoW updater (Blizzard - World of Warcraft) is using a BitTorrent client to spread the updates, some of which can weigh several gigabytes.
Linux distro (like Ubuntu) also encourages you to use BitTorrent to download an iso, especially when it has just been released and it's a popular milestone such as a LTS version. The big difference here is you are "encouraged" not "forced", to use BT.
The reason behind that is simple : bandwidth and servers are not free.
It is especially true for this kind of updates that provoke "spikes". Everyone wants the update when it's out, the fastest possible. For that you will need a lot of servers and pay a lot of bandwidth, and all that will be used for a very short period of time, and then almost dormant.
But for the user, being forced to update like that is bad.
There is the risk of corruption, but that is well mitigated by the BT protocol itself, and by signing updates. But the downsides are :
- you get your bandwidth eaten, especially at home when you have ADSL, remember that a "good" line has only 1 Mbps (this is 128K bytes a second... or 2h30 for 1 GB).
- and most dramatically to be efficient you must open some ports (see the "High ID" issue well known amongst BT/eMule users). And that is IMHO a much bigger risk you are taking. You need just consider some recent CVE such as the one on the TCP stack, to want to avoid having open ports to the world on your machine.
- if you don't open ports, the protocol will still make your machine communicate with other (your machine will use outgoing communication). A blackhat need just pretend he needs some parts of the download to get communications incoming from machine hidden behind NATs, and can operate from then with the same possible flaws.
The problem also comes with the "proprietary" nature of W$.
For open source it is auto-solved. You might have noticed that there are probably several repositories of any major Linux distro available in your country. So when you apt-get install, or yum install, you probably hit a repo near you. That is because open source makes it possible, and it is in the interest of ISPs to have their own repo so that they don't need to pay outgoing bandwidth when you upgrade your machine.
So yes, as many saw it, M$ is getting rid of the "issue" on its users that will pay for CPU (eg electricity) and bandwidth, and more importantly put the users at risk with more opened TCP communications.
But of course, if you want to go for it, please be my guest!
-
Friday 2nd September 2016 02:02 GMT a_yank_lurker
Re: Neither good nor bad in principle, I may wait a while.
@Zakhar - The key with torrents is user control. Giving one the option of a direct download vs a torrent is reasonable. Personally I have found torrents slower than a direct download for what I have used it for. Plus I am not very thrilled with basic concept behind torrents so I almost always use the direct download. Slurp is not considering that users have different comfort levels with torrenting and some will much prefer a direct download especially for OS updates.
-
Thursday 1st September 2016 16:24 GMT Pascal Monett
So let's see
Since Windows 1 0, Microsoft has added to the malware attack vector list with QR codes in BSODs, stuffed up their own update system, stuffed thousands upon thousands of users' PCs with flaky updates, and now this.
Congratulations, SatNad, you're really pulling all the stops out to keep the hackers happy !
Win 1 0 : nowhere on my PCs ever.
-
Thursday 1st September 2016 16:39 GMT anoco
This is genius from Microsoft!
Now we won't be able to easily defend against their updates by firewalling a few IPs. It increases their attacking vector a million fold.
Now every IP could be the enemy. Even the Reg could be bombarding us with updates while we read about MS's weekly cock ups. It's genius!
-
Thursday 1st September 2016 16:51 GMT Jim-234
Possibly helpful on a local network but why on earth with the broader internet?
Typical Microsoft, take the start of a possibly useful idea, force it down your throat with a nightmare of added baggage attached.
I could see on a local network it could be useful, once one PC has the update no need to download it all over again and again for every device in your home or office network. Saves lots of bandwidth
But WHY do they insist on taking it to the insane level of making it a built in Bit Torrent client under somebody else's control resting on your PC, giving up all the bandwidth gains as it connects back and forth to who knows who all over the internet, probably blabbing happily all kinds of details in the process to everyone, not just your Redmond overlords.
So now Skynet has its instant distribution network.
-
Friday 2nd September 2016 00:48 GMT Gordon 11
Re: Possibly helpful on a local network but why on earth with the broader internet?
But what is a "local network"?
I presume that it is any system with the same broadcast address.
Now, when I'm at home I trust these.
But when I'm attached to a free Wifi spot in a coffee shop - I don't.
[However, MS doesn't let me distinguish these (not sure how it could).]
Much the same as it not letting me set an Ethernet connexion (which I only get when I'm running via my 'phone's data allowance) as a chargeable connexion. It works for the MS developers in the MS developers' environment, so it must apply globally.
-
Thursday 1st September 2016 17:50 GMT bombastic bob
Re: What about the ISP's who throttle BitTorrents?
well, I bet Micro-shaft will scream "NET NEUTRALITY" the first time some net admin wants to put a stop to excessive traffic by throttling the M-shaft P2P. case in point, a college campus.
Let's say the college campus has a fat pipe, but it's all being USED UP because of M-shaft P2P traffic. It's not so much the several hundred students who were given new laptops (with Win-10-nic on them) after graduating high school, who are just trying to do their homework, but the ZILLIONS of people around the world whose computers "discover" that the several hundred students on this campus have ALREADY completed THEIR downloads, and NOW it's "serving up content" around the world!
Uplink bandwidth usage can easily impact downloads, because ACK packets won't necessarily get through, and HTTP requests or photo uploads will become SLUGGISH. So a smart admin would THROTTLE the amount of P2P traffic that goes out through the big pipe onto the intarwebs...
And THEN, along comes Micro-Shaft, wielding their "bandwidth theft" NET NEUTRALITY hammer, whining to the various gummint regulators, yotta yotta yotta.
A likely scenario, yes.
(regardless of how you look at it, Micro-shaft is STEALING BANDWIDTH to do this)
-
Thursday 1st September 2016 22:10 GMT Zakhar
Re: What about the ISP's who throttle BitTorrents?
Stealing bandwidth yes, and you forgot electricity: when the CPU runs the BT program to serve chunks to others, you pay the electricity, the SSD being worn out, etc...
But on a global scale, BT is much more efficient for this sort of task than direct download.
The task we are contemplating is distributing a chunk of several gigabytes of data to 350M computers around the world.
If you place servers only in Redmond, not only you need a lot of servers and bandwidth to be reasonably quick, but you also use up a lot of "international" bandwidth (peering). Indeed, you can do better and use things like CDN that will duplicate the content around the globe and provide a shorter route.
BT naturally optimizes all that. It will obviously exchange more data with a PC that is on the same LAN, simply because it is much faster, than with a PC at the end of the world.
We had this discussion at length in France when Sarkozy government put in place stupid Hadopi that banned P2P.... and now everyone uses direct download to the great dismay of ISP that saw their peering bill explode.
But again, you are very right, the protocol being much more efficient on a global scale should not be an excuse for M$ to make their users pay for it!
Everyday that passes by, I'm more and more happy to have completely left this hell 8 years ago. ;-)
-
Thursday 1st September 2016 17:11 GMT Johnny Canuck
I run a wifi network in a largish rooming house (90 rooms). We have had problems in the past where a single user would strangle our bandwidth using torrent software. To fix this I installed a "torrent killer". If it detects torrent traffic, it disconnects the offending computer from our wifi network, forcing the user to come to the office and ask to be reconnected. It has proven to be quite a successful deterrent. When Windows 10 started the "optimised" update distribution, it would activate the "torrent killer" and cut people off. I had to issue instructions on how to turn off Delivery Optimisation.
-
Thursday 1st September 2016 18:03 GMT Herby
DOS attack??
Just advertise that you have "updates" and let everyone download them. Of course they will be useless.
Maybe an even better idea is to have the downloads for Linux available. Update your W1(.)0 with Linux, free of charge. Would anyone notice?
So, we have wonderful Microsoft installing software on users machine that benefits ONLY Microsoft, and takes advantage of users bandwidth, paid for by the user. Sounds like malware to me.
Me? No windows (on computers) at my house. That's for sure!!
-
Friday 2nd September 2016 11:38 GMT Patrician
Re: DOS attack??
........."Of course users would notice if you put Linux on their computer! No BSODs, no ads, no data slurping, no forced updates, no automatic torrents nuking their bandwidth (important if you have a narrow pipe)."......
And, no more gaming, no more Photoshop, more difficult software installation and frequent drops to command line to carry out tasks that are a simple mouse click in Windows ....
Linux is *not* a viable alternative to Windows under all circumstances; unfortunate but true.
-
Saturday 3rd September 2016 19:23 GMT Anonymous Coward
Re: You don't say?
You don't know what you are talking about. Please, come into the 21st century and don't spread shit. Installing a program in Linux is a breeze and is much easier than it is in Windows. Have you ever tried Linux???
https://www.youtube.com/watch?v=5jAJH3aGtGM
And that is hard for you???
Photoshop??? Does everybody need to use Photoshop? Is Photoshop a must for every user? Many professionals here, eh? Or does everybody resize their pictures with 2 GB software? Come on.
-
Thursday 1st September 2016 18:30 GMT Dwarf
Limited bandwidth
So, when I'm on limited monthly internet quota or when I'm paying over the odds for it (ie mobile broadband, roaming in Europe or similar), then MS will take an unspecified amount of money from me each month.
This is just another form of misuse. The risk of running windows just got a lot larger.
Why does anyone put up with this ?? Come on sheeple wake up !
I think they need to update the strapline.
Microsoft Windows, How much will it cost you this month ?
-
Thursday 1st September 2016 18:39 GMT VinceH
"Microsoft claims to have experienced a reduction in network consumption of between 30 and 50 per cent on networks where PCs have ~~been keeping up to date with preview builds and apps from its own online Store~~ either had Linux installed in place of Windows, or had updates disabled over the last year because people wanted to avoid having Windows 10 'accidentally' installed on their computers."
Fixed that for them.
-
Thursday 1st September 2016 19:54 GMT Anonymous Coward
"The idea of Delivery Optimisation is that software downloads and updates converge on a destination PC from around a network, helping reduce network bottlenecks and delays."
No, no, no no ...
The idea is W10 updates, coming on a daily basis, without any user consent, are coming from a network (read: DSL) paid for by the customer, not MS. Indeed with no delays.
This way, W10 and its "features" (malware, ransomware) will propagate at no MS cost.
Life is great for MS, and fuck you, W10 user !
-
Thursday 1st September 2016 20:54 GMT Ian Ringrose
The ideal is that you may have a large network in say a university that is very fast but is split up into IP subnets. You can now up the windows updates from a PC on the fast local network without having to change anything.
I expect that if it is slower getting an update from your PC than Microsoft’s server, your PC will not be giving out much at all…..
-
Friday 2nd September 2016 13:13 GMT david 64
What's the difference - really?
You think when your machine downloads an update, it comes from Microsoft's own servers?
One word - Akamai.
They must pay an awful lot of money to CDNs like Akamai to globally\geographically distribute the vast number of TBs of data all their products consist of.
You didn't think that every installation of Windows across the whole world downloaded updates from a single server\cluster in Redmond somewhere, right?
To me, they are just swapping out a long-standing CDN infrastructure for a new one. You still download your update bits from "someone else's computer" as you have done for years.
So what - in reality - is the difference?
Objectively it makes sense to me tbh and I can see how it might save them a lot of money, with - realistically - negligible impact on customers. A bit crafty\cheeky though I suppose!
Yes there are some large updates. No your pc might not cache all the pieces of a full update necessarily. Yes you can control it. Yes you can turn it off.
eg. https://4sysops.com/archives/windows-update-delivery-optimization-wudo-in-windows-10/
re: Network\Bandwidth, WU has been using BITS for years without issue\uproar over bandwidth??
In corporate where you have little pockets of computers distributed nationally\internationally, and unlikely to have WSUS in each site, this will clearly be a beneficial option to the administrator.
GPOs provide control over the type of remote computer your machine pulls updates from - eg. local subnet, AD-site based, Internet etc.
Interestingly it apparently might be relevant to the borked WSUS CU issues with 1607. "This is a bug in the Windows client that will be fixed in an upcoming cumulative update." Hmm.
Agree it could be nice for the tin-foil hat brigade if there was a clear gui-based method to disable this 'new' functionality (ie. CDNv2) and revert back to the old way (CDNv1). But then that would require MS to keep paying Akamai, thus negating any financial gains (which is what it is all about) of moving to this new approach.
IMHO - much ado about nothing.
-
Friday 2nd September 2016 17:29 GMT John Brown (no body)
Windows Insider "Fast Ring"
At first I thought a "Windows Insider" was some sort of specially invited users to beta test new stuff. Then it opened out to many, many 1000's. Now it's just everyone with a Win10 install so they had to create a new group called "Windows Insider Fast Ring" for "special" testers because everyone is a tester now. Got to keep those fanbois feeling extra special. I wonder if the "whitest ever wash"? (until the next one washes even more whiter.)
-
Thursday 3rd November 2016 05:19 GMT Anonymous Coward
I can see this being a problem for virgin media users - low cable upload bandwidth and hitting bandwidth throttling during peak hours.
You'd think with all that tax these multinationals are dodging they could pay for their own bandwidth. If they'd written less buggy code they'd have less updates...