M$ Says "NO!" to Using File Sharing to Distribute XP SP2!

[Tuckerfan]

A group of net activists thought they'd use Bit Torrent to distribute XP Service Pack 2.

Quote:

Microsoft hopes to have the Service Pack 2 security update installed on more than 100 million machines in the next two months, but it is limiting daily downloads of the software in order to prevent an overload on its servers.

The file-sharing lobby group, Downhill Battle, has taken matters into its own hands. It has made a copy of SP2 available using BitTorrent file-sharing technology.

Given that numerous net security advocates have been screaming about how pourous XP's security is ever since M$ introduced XP, you'd think that M$ would be inclined to allow this to happen. And you'd be wrong.

Quote:

Sorry, no more downloads here...
Microsoft sent DMCA takedown notices to our two webhosts, one of which was just linking to a torrent file on another server. We've stood up to these kinds of legal threats before (see the Grey Tuesday protests), but we decided not to bother this time, because we started this site primarily as a demonstration and to that end it's already been a huge success. SP2torrent.com showed how filesharing technlogy gives people without budgets or huge servers the power to solve problems themselves, without waiting for the government or some corporation to do it for them. For another demonstration that's still in action, check out p2pcongress.org. If you need Windows XP SP2, you can download it from Microsoft's instructable webpage:

So, you've got the most widely used OS on the planet, you've just released a much needed security update, but you've got to limit the distribution of it in order to not overload your systems, someone comes along and decides to speed up the process, at no cost to you, and your response is to threaten them with legal action if they continue? I don't get it.

[SolGrundy]

Quote:

Originally Posted by Tuckerfan

So, you've got the most widely used OS on the planet, you've just released a much needed security update

Uh, I think you just answered your own question there. It's a security update. As in, something that will help make your OS less vulnerable to hackers and intrusion. And you don't understand why Microsoft (last I checked, there's no dollar-sign in the name) would want people to be getting this directly from them instead of random, anonymous people spread throughout the internet, over which they have no control?

If I want to get a new key made for my car, I go to the dealer and wait in line. I don't head down to the local chop shop and let them make me a copy just because it's faster.

[Cheesesteak]

If you needed new locks for your car because the current locks have been proven to be unsecure, would YOU wait 2 months until the dealer freed up space for you, or would you go to the local mechanic who has a stock of secure, compatible locks to put on your car today?

Unless there is a legitimate risk of someone tinkering with the SP and defeating the security fixes, there is no reason to limit the file sharing. There may very well be a risk there, but it is not mentioned in either article.

[Tuckerfan]

Quote:

Originally Posted by SolGrundy

Uh, I think you just answered your own question there. It's a security update. As in, something that will help make your OS less vulnerable to hackers and intrusion. And you don't understand why Microsoft (last I checked, there's no dollar-sign in the name) would want people to be getting this directly from them instead of random, anonymous people spread throughout the internet, over which they have no control?

Gee, like it'd be really hard for M$ to slap a disclaimer on their site about it, and before you start blabbering about people downloading a corrupt file and getting thei machine hacked by a virus, odds are that most people who know about Bit Torrent and understand how it works are going to be savvy enough to figure out if the file they're about to downlaod is legit or not. Even if they do manage to get fooled, they're likely to be running anti-virus software so the damage, if any, to their system will be minimal.

Quote:

If I want to get a new key made for my car, I go to the dealer and wait in line. I don't head down to the local chop shop and let them make me a copy just because it's faster.

And if I live in a bad neighborhood, loose the keys to my car doors, the dealer tells me that "Yeah, we can make you a replacement key, but it'll be some time in the indefinite future before we have it ready." should I simply leave my doors unlocked and hope that no one steals my car, or should I call a locksmith and have him either cut me a new set or replace the locks for me? And if I do decide to go the locksmith route, should the dealer have the right to sue the locksmith to keep him from helping me protect my property? (I know what the license agreements for software say, but the the PC that software's installed on is mine, not M$, and they shouldn't have the right to block me from taking what steps I think are necessary to protect it. Especially when it's their software flaws which make the system vulnerable.)

[praxim]

BitTorrent checks the file's integrity on download. In this situation, though, that's not really enough: anyone that isn't MS can alter SP2 (or just advertise some malware as being SP2), put an appropriate hash in the torrent (since they're creating the torrent file, they have control over it, not MS), and screw with people to MS's detriment. How likely is it that people will go beyond BT's built-in checks and check the service pack against the hashes on MS's site? Not very, I'd wager. It's unfortunate, because this is a very good use of the technology, but MS is still wise to cover their $4e10 ass.

Perhaps it'll provide incentive for people to download Linux distributions, which are BT'd all the time without complaints from the distributors.

[Anonymous Coward]

I see MS's point.

Can you tell me for a fact that every file called "WindowsXP-KB835935-SP2-ENU.exe" out there on every Peer to Peer network is the real deal? Most people don't have the techy know-how to do a MD5 checksum on the file and then compare it to the original, or even to look at the Digital Security Certificate on the file properties. Most would just blindly download something and then run it without taking these precautions.

[Shagnasty]

I can understand how someone could put malware in the place of PS2.

However, I can't fathom how someone could figure out how to add anything to SP2. The service pack has already been compiled to machine language and the source code is gone. I suppose someone could reverse compile it but all that would do is result in millions of line of unreadable gibberish. In addition, I suppose someone could read the machine language in theory but that would take decades if not longer to understand.

This is an honest question. I am a systems analyst and former programmer so I understand programming and computers. Someone please explain exactly how someone could go about this in practice.

[Tuckerfan]

Quote:

Originally Posted by praxim

BitTorrent checks the file's integrity on download. In this situation, though, that's not really enough: anyone that isn't MS can alter SP2 (or just advertise some malware as being SP2), put an appropriate hash in the torrent (since they're creating the torrent file, they have control over it, not MS), and screw with people to MS's detriment. How likely is it that people will go beyond BT's built-in checks and check the service pack against the hashes on MS's site? Not very, I'd wager. It's unfortunate, because this is a very good use of the technology, but MS is still wise to cover their $4e10 ass.

Again, I'll argue that anyone with the brains to figure out Bit Torrent is going to be smart enough to have anti-virus and anti-spyware stuff installed and running on their box, so even if they do get a fake file, they're not going to be put through a wringer over it. Nor do I see it as M$ covering their ass, since M$ can simply say that they're not responsible for any patches you download via non-M$ sources. If I'm running a bootleg copy of Windows on my company's PC, and because of a design flaw in the software a program crashes and I lose vital data, which causes me to lose profits, do you think that I'm going to have a leg to stand on in court if I try to sue M$ for damages?

[catsix]

So today I went to Microsoft's site, because I don't ever use IE, nor will I allow 'automatic updates' purely because I don't trust everything M$ does.

I find, after a few minutes of searching the downloads page,
Windows XP Service Pack 2 Network Installation Package for IT Professionals and Developers. So I start reading the other stuff on that page before I download and install it, just to see what's going on with this whole controversy.

I find this little notice:

Quote:

Microsoft said:
DO NOT CLICK DOWNLOAD IF YOU ARE UPDATING JUST ONE COMPUTER: A smaller, more appropriate download will be available soon on Windows Update.

Apparently if you are attempting to get XP SP2 for your own, personal, solitary home computer you're just supposed to wait a little while because visiting the page they tell you to go to results in merely being told to...

Quote:

Microsoft said:
Get ready for Windows XP Service Pack 2
Microsoft is preparing to release a free update for Windows XP that provides better protection against hackers, viruses, and worms. The best way to ensure you get Windows XP Service Pack 2 when it is released is by turning on Automatic Updates today. You can use our step-by-step instructions or, if you prefer, let us do it for you.

So, what did I do? Downloaded the package for 'IT Professionals and Developers'. Why should I leave my system with known security holes for 'a while' until M$ decides it's time to allow the other 'smaller' download? It's not as if this 'smaller' download really is smaller; it simply downloads part of the installation and then reconnects to Microsoft's site when it needs the rest of the download.

They also point out:

Quote:

The Microsoft Download Center site is your only authorized web source for downloading a licensed copy of Windows XP Service Pack 2. To report a website offering unlicensed copies of Windows XP SP2 for download, please send e-mail to: piracy@microsoft.com or visit http://www.microsoft.com/piracy/ReportingUs.mspx.

A warning I will very likely ignore as I have numerous friends and family members using Windows XP at this point in time who are not savvy enough to hit the Microsoft Downloads page, search for the right item, realize that the 'IT Professional/Developer' copy will work on their installation of XP Pro, and sit around like good little sheeple exposing their security holes much longer than necessary.

Good on ya, Microsoft. No wonder you guys are so widely loved.

FTR, I'm a BitTorrent savvy person myself, and most of those I know who also use BitTorrent would be smart enough to check the file before attempting to install it.

[praxim]

Quote:

Originally Posted by Tuckerfan

Again, I'll argue that anyone with the brains to figure out Bit Torrent is going to be smart enough to have anti-virus and anti-spyware stuff installed and running on their box, so even if they do get a fake file, they're not going to be put through a wringer over it. Nor do I see it as M$ covering their ass, since M$ can simply say that they're not responsible for any patches you download via non-M$ sources. If I'm running a bootleg copy of Windows on my company's PC, and because of a design flaw in the software a program crashes and I lose vital data, which causes me to lose profits, do you think that I'm going to have a leg to stand on in court if I try to sue M$ for damages?

I guess it was misleading to state a monetary figure, because, of course, I don't really think anyone is crazy enough to sue over a file they downloaded from an unauthoritative source.

MS isn't worried about corporations with cash to burn on lawyers. They already know where they stand when it comes to not downloading things from MS directly, and their IT people should know enough to at least check the hashes. The people they're worried about are those downloading "WINDOWSXPSP2FORREAL.torrent" only to find that all their credit card numbers are now being sent to some 31337 h4x0r in Russia. MS wants there to be one definitive source of the software so that there's absolutely no confusion about whether what you're downloading is the real service pack or not.

I don't think it's guaranteed in the least that someone who can use BitTorrent automatically knows what an MD5 hash is and what it's good for or is running some kind of program that makes their computer impervious to attacks by rogue programs. Last I checked, all I have to do to download from a torrent is click on a link and say where I want it saved.

Quote:

Originally Posted by Shagnasty

However, I can't fathom how someone could figure out how to add anything to SP2. The service pack has already been compiled to machine language and the source code is gone. I suppose someone could reverse compile it but all that would do is result in millions of line of unreadable gibberish. In addition, I suppose someone could read the machine language in theory but that would take decades if not longer to understand.

This is probably a fairly unlikely scenario, because I'm sure MS has gone and digitally signed SP2 and done all sorts of things to make it extremely difficult to tamper with. That said, the whole SP2 isn't likely to be executable. If it's like tons of other self-extracting executables, it's probably just a small executable (the installer) with a giant archive tacked onto the end of it (that to be installed). So you would edit the archive, not the executable. That's not to say you can necessarily leap the other technical hurdles requried to do it, but it works in your favor that it's data, and not code, that you want to change.

[Tuckerfan]

Quote:

Originally Posted by praxim

I guess it was misleading to state a monetary figure, because, of course, I don't really think anyone is crazy enough to sue over a file they downloaded from an unauthoritative source.

MS isn't worried about corporations with cash to burn on lawyers. They already know where they stand when it comes to not downloading things from MS directly, and their IT people should know enough to at least check the hashes. The people they're worried about are those downloading "WINDOWSXPSP2FORREAL.torrent" only to find that all their credit card numbers are now being sent to some 31337 h4x0r in Russia.

Again, I fail to see how this is M$'s problem.

Quote:

MS wants there to be one definitive source of the software so that there's absolutely no confusion about whether what you're downloading is the real service pack or not.

And in the meantime, I'm supposed to what? Simply leave my PC vulnerable while I wait for M$ to release the patch, even though those same hackers who could create a phony SP2 for me to download via BitTorrent can hack in through a known vulnerability?

Quote:

I don't think it's guaranteed in the least that someone who can use BitTorrent automatically knows what an MD5 hash is and what it's good for or is running some kind of program that makes their computer impervious to attacks by rogue programs. Last I checked, all I have to do to download from a torrent is click on a link and say where I want it saved.

I don't check the hash files either, but I do take a good look at the program before I launch it, making sure that my antivirus, firewall, and spyware blaster programs are fully updated before I double click on the downloaded file. Knock on wood, I haven't had a system destroying virus, or other piece of malware crash my system yet.

[SolGrundy]

Quote:

Originally Posted by Tuckerfan

Gee, like it'd be really hard for M$ to slap a disclaimer on their site about it, and before you start blabbering about people downloading a corrupt file and getting thei machine hacked by a virus, odds are that most people who know about Bit Torrent and understand how it works are going to be savvy enough to figure out if the file they're about to downlaod is legit or not. Even if they do manage to get fooled, they're likely to be running anti-virus software so the damage, if any, to their system will be minimal.

I'm not "blabbering," dumb-ass. And stop being such a fucking penguin-hugging Big Corporations Are Evil Down With Micro$oft!!! weasel that you can't listen to a reasonable argument without condescending to imply that people just don't understand file sharing and checksums and virus scanners.

Because it's really simple. You don't put out an official, major release, that includes security improvements over a peer-to-peer network. You think Microsoft can respond to every consumer complaint by saying, "Stop your blabbering, you should've run a virus scanner." You think that the legal department for a company as large as Microsoft can just slap a warning message on their website and fix everything? You think that the worst thing a hacker can do to a system release is to just add a virus that will be easily caught by a virus scanner?

No, you keep the security release as an official release that you have control over. So that people don't have to worry about viruses in the first place. Sheesh.

[Cerowyn]

Tuckerfan, if you want to get an OS update from an anonymous source, go ahead. I'd fire your ass in a heartbeat if you worked for me.

:wally

[catsix]

Well, my department at work will be getting their update from an 'anonymous source'. Namely me.

It'll be sitting on the internal web server where they can all go get it and run it themselves so that I don't have to go machine to machine.

[Tuckerfan]

Quote:

Originally Posted by SolGrundy

I'm not "blabbering," dumb-ass. And stop being such a fucking penguin-hugging Big Corporations Are Evil Down With Micro$oft!!! weasel that you can't listen to a reasonable argument without condescending to imply that people just don't understand file sharing and checksums and virus scanners.

Hey jack ass, when did I say I was running Linux on my box? When did I say all big corporations are evil? I didn't. I am running Windows XP Pro, because I've grown up using M$ products and simply don't have the spare time to learn how to use Linux.

Quote:

Because it's really simple. You don't put out an official, major release, that includes security improvements over a peer-to-peer network.

And M$ didn't, but they did bitch slap someone who did and in a manner which wouldn't have affected M$ systems at all. If the patch so is damned important, you'd think that M$ would be busting their ass to make sure the thing was out there as fast as possible, not saying, "No, we only want it to trickle out."

Quote:

You think Microsoft can respond to every consumer complaint by saying, "Stop your blabbering, you should've run a virus scanner." You think that the legal department for a company as large as Microsoft can just slap a warning message on their website and fix everything? You think that the worst thing a hacker can do to a system release is to just add a virus that will be easily caught by a virus scanner?

You really think that someone who used BitTorrent is going to bitch to M$ because they got a virus instead of SP2? Or some other piece of malware? Given that tech support calls to M$ cost you money, I'd think that M$ could quite easily get away with slapping a disclaimer on their site.

Quote:

No, you keep the security release as an official release that you have control over. So that people don't have to worry about viruses in the first place. Sheesh.

And in the meantime they have to worry about things worse than viruses.

Oh, Cerowyn, it ain't my job to update the PCs at work, I'll let the IT guy worry about those, after all, that's what he's paid to do. So I don't know what you think gives you the right to fire me for how I choose to update my own personal computer at home.

[praxim]

Quote:

Originally Posted by Tuckerfan

Again, I fail to see how this is M$'s problem.

As a company, they're obliged to protect their properties. They can't allow people to go around offering Windows XP SP2, even if it's legitimate, because it only takes a few people downloading "PassCrack 9k" or "KiddiePorn Fetcher" instead of SP2 to make users distrustful. If there's a single, authoritative, trusted source with a big name behind it, users are far more likely to actually download the patch, which is what everyone wants.

Also bear in mind that all these pages offering the fake SP2 are not going to carry MS's warning about a lack of support, so no amount of lawyerese on their own web page is going to help the situation.

Quote:

And in the meantime, I'm supposed to what? Simply leave my PC vulnerable while I wait for M$ to release the patch, even though those same hackers who could create a phony SP2 for me to download via BitTorrent can hack in through a known vulnerability?

No, MS is wrong here. It doesn't mean, however, that they should give up their right to distribute an authoritative version of their security patch.

Quote:

I don't check the hash files either, but I do take a good look at the program before I launch it, making sure that my antivirus, firewall, and spyware blaster programs are fully updated before I double click on the downloaded file. Knock on wood, I haven't had a system destroying virus, or other piece of malware crash my system yet.

Take a good look how? Read it byte-for-byte? Ask it politely if it's going to ruin your computer? Anti-spyware and antivirus tools are largely reactionary and rely on malicious programs being identified before they can be caught. You don't want to be the one to identify them. And since you're going to run that SP2 install with elevated permissions, the antivirus app is unlikely to get in your way. If it does, you'll tell it that whatever the program is doing is ok, because it's an operating system update, right?

The firewall will do you little good. "Application 'Internet Explorer (wink, nudge)' would like to access the Internet. [Allow] [Deny]"

Quote:

And M$ didn't, but they did bitch slap someone who did and in a manner which wouldn't have affected M$ systems at all. If the patch so is damned important, you'd think that M$ would be busting their ass to make sure the thing was out there as fast as possible, not saying, "No, we only want it to trickle out."

The patch is important, yes, which is exactly why they want to be the single source for it instead of letting people potentially get away with calling anything they want SP2.

Quote:

You really think that someone who used BitTorrent is going to bitch to M$ because they got a virus instead of SP2? Or some other piece of malware? Given that tech support calls to M$ cost you money, I'd think that M$ could quite easily get away with slapping a disclaimer on their site.

They probably won't call MS, but do you think they'll give SP2 a shining recommendation to their friends? Trust me, not everybody knows that there's a difference between downloading SP2 from MS and downloading SP2 from a site your somewhat geeky friend sent you to. For a critical security patch, it's vital for MS to maintain their users' trust.

[Futile Gesture]

Quote:

Originally Posted by Tuckerfan

Again, I fail to see how this is M$'s problem.

Because security is their problem. It's their problem because everyone has justly been on their case making it their problem. Part of security is ensuring that your software is released through secure sites as official patches. Bit Torrent may be a safe bet, but where do you draw line about everywhere else? Where do you tell your customers to draw the line? Microsoft have decided to draw the line where it's securest; at their domain.

Quote:

And in the meantime, I'm supposed to what? Simply leave my PC vulnerable while I wait for M$ to release the patch, even though those same hackers who could create a phony SP2 for me to download via BitTorrent can hack in through a known vulnerability?

Yes. Not ideal, but you've waited this long already. The big difference is you've not been fooled into a sense of security by a fake patch.

Quote:

I don't check the hash files either, but I do take a good look at the program before I launch it, making sure that my antivirus, firewall, and spyware blaster programs are fully updated before I double click on the downloaded file. Knock on wood, I haven't had a system destroying virus, or other piece of malware crash my system yet.

And I'm sure every other non-pc-literate downloader does the same. If it was known Microsoft policy to let anyone host their patch many people would pick it up without a second thought from the first dodgy popup that appeared on their browser. And they wouldn't have a clue what it should look like, how big it is, or anything.

[catsix]

Quote:

praxim said:
And since you're going to run that SP2 install with elevated permissions, the antivirus app is unlikely to get in your way. If it does, you'll tell it that whatever the program is doing is ok, because it's an operating system update, right?

Dunno about your anti-virus program, but AVG is certainly capable of telling me whether a virus is contained in a file before I execute it and get infected.

Quote:

The patch is important, yes, which is exactly why they want to be the single source for it instead of letting people potentially get away with calling anything they want SP2.

Anybody who really wants to distribute a virus or a trojan with the same file name and approximate size of XP SP 2 will probably care fuck-all about some DMCA warning from Microsoft.

Quote:

For a critical security patch, it's vital for MS to maintain their users' trust.

Who in their right mind trusts Microsoft?

Quote:

Futile Gesture said:
Microsoft have decided to draw the line where it's securest; at their domain.

Two words that definitely do not seem to go together are 'Microsoft' and 'Security'. Their domain, right? Their webservers? Are they running MS operating systems? Defintely no way for someone to hack the site and stick a malicious file on there.

[Tuckerfan]

Quote:

Originally Posted by praxim

As a company, they're obliged to protect their properties. They can't allow people to go around offering Windows XP SP2, even if it's legitimate, because it only takes a few people downloading "PassCrack 9k" or "KiddiePorn Fetcher" instead of SP2 to make users distrustful. If there's a single, authoritative, trusted source with a big name behind it, users are far more likely to actually download the patch, which is what everyone wants.

Oh yeah, because everybody trusts M$ products.

Quote:

Also bear in mind that all these pages offering the fake SP2 are not going to carry MS's warning about a lack of support, so no amount of lawyerese on their own web page is going to help the situation.

So because I'm not a M$ certified software expert M$ has the right to slap me with a cease and desist order if a friend asks me to come over and help fix their PC? Because, you know, I might screw up their PC and then they'd have to call M$ for tech support help.

Quote:

No, MS is wrong here. It doesn't mean, however, that they should give up their right to distribute an authoritative version of their security patch.

And I fail to see how the folks were preventing M$ from doing that.

Quote:

Take a good look how? Read it byte-for-byte? Ask it politely if it's going to ruin your computer? Anti-spyware and antivirus tools are largely reactionary and rely on malicious programs being identified before they can be caught. You don't want to be the one to identify them. And since you're going to run that SP2 install with elevated permissions, the antivirus app is unlikely to get in your way. If it does, you'll tell it that whatever the program is doing is ok, because it's an operating system update, right?

The firewall will do you little good. "Application 'Internet Explorer (wink, nudge)' would like to access the Internet. [Allow] [Deny]"

Well, for starters in all my years of utilizing "unauthorized distribution channels" only once have I gotten a piece of malware. Yeah, sure lots of times did I get something that wasn't what I was after, but I can tell you my virus scanner screams more at shit that comes in my inbox than it does at anything I've ever downloaded from a questionable source. I know how big the SP2 pack is, I know what the file should look like (it shouldn't be a .zip, .tar, .rar), I'm not even going to bother with a file the wrong size or the wrong format, if I do get the wrong one, it's pretty easy to tell during the install process, and even if I somehow manage to have a total brain fart and allow a piece of malware to install itself and wreak havoc on my machine, it's no biggie, you see, I've got a disk image of the system before I installed anything I'm unfamiliar with, and since that's stored on a removeable drive, I can be back in business in less time than it takes me to do a reformat and reinstall with my original Windows CDs.

Quote:

The patch is important, yes, which is exactly why they want to be the single source for it instead of letting people potentially get away with calling anything they want SP2.

Out of all my friends and family I'm about the only one who has a high speed internet connection, everybody else is on dial-up. Given that SP2's 266 MBs, it makes more sense for me to download the patch, burn it to a CD and give copies of it to those folks on dial up (at no cost to them) rather than have them spend the weeks necessary it'll take for them to download it via a 24/7 dial-up connection which they don't have. But by your logic, M$ should sue my ass into the stone age because I'm operating as an uncontrolled distribution channel and could possibly be infecting their PCs with some kind of malware.

Quote:

They probably won't call MS, but do you think they'll give SP2 a shining recommendation to their friends? Trust me, not everybody knows that there's a difference between downloading SP2 from MS and downloading SP2 from a site your somewhat geeky friend sent you to. For a critical security patch, it's vital for MS to maintain their users' trust.

Hey pal, have you seen the reviews for SP2?
IBM says don't install it!
Firewire takes a massive performance hit under SP2.
Norton has problems running under SP2.

IOW, even if you do get it from M$, you could have plenty bitch about.

[Futile Gesture]

Quote:

Originally Posted by catsix

Anybody who really wants to distribute a virus or a trojan with the same file name and approximate size of XP SP 2 will probably care fuck-all about some DMCA warning from Microsoft.

Which is exactly why Microsoft want to be in the position to warn "If it's not our site then it's not official and it's not secure", rather than "It's ok if you download from these 100 other sites (below) as well, oh and some others that may be mirroring them, and any other file-sharing outfit that may be hosting it. Hell, you'll find it everywhere, just watch out for the evil sites that have fake copies, but that's your problem."

[The_Llama]

I don't get the debate and conjecture. Neither of the 2 links shows an actual reason for the lawsuit. However, one of the ways that MS tried to limit the bootleg copies of XP Pro was to not give you SP1 if you didn't have a valid key. Therefor it would be reasonable to guess that they want to use SP2 in the same way.

I got SP2 yesterday, so nya nya!

[Mockingbird]

What would be smart of Microsloth is to USE bittorrent to distribute it from their own trackers which you can set up to require authentication via password to gain access.

It would allow them to control distribution to those they want to have it, and it would remove bottlenecks in the amount of people who could be downloading it at once.

[Tuckerfan]

Quote:

Originally Posted by Mockingbird

What would be smart of Microsloth is to USE bittorrent to distribute it from their own trackers which you can set up to require authentication via password to gain access.

It would allow them to control distribution to those they want to have it, and it would remove bottlenecks in the amount of people who could be downloading it at once.

A brilliant solution, but one which M$ would never go for. Remember the howls of laughter which greeted M$ when people found out that some of M$'s subcontractors were using Linux servers to distribute M$'s products via the web? Same thing here.

[Mockingbird]

Quote:

Originally Posted by Tuckerfan

A brilliant solution, but one which M$ would never go for. Remember the howls of laughter which greeted M$ when people found out that some of M$'s subcontractors were using Linux servers to distribute M$'s products via the web? Same thing here.

Yeah, I know... it was an 'in a perfect world' solution.

I did download the SP via bt and got it in under 30 minutes.

[legion]

I understand the concerns that the service pack thingy should only be downloaded for Microsofts site, but why can't they allow these kind of updates to be distibuted on the software disks that you get cellotaped to computer magazines?

[legion]

Distributed, dammit!

P.S. There maybe other typos that I didn't notice.

[legion]

P.P.S. Anyone know of a spellchecker for Mozilla?

[SolGrundy]

Quote:

Originally Posted by Tuckerfan

Hey jack ass, when did I say I was running Linux on my box? When did I say all big corporations are evil? I didn't. I am running Windows XP Pro, because I've grown up using M$ products and simply don't have the spare time to learn how to use Linux.

Because you keep typing it "M$", which was already dumb and tiresome like 10 years ago. Makes you sound like any one of the thousands of insipid militant Linux-using Microsoft-bashers I've met over the past 10 years.

The rest of your point: sure, fine. It would be more convenient, maybe. But companies as large as Microsoft have to have control over the release of their software. Not because they're money-grubbing or evil or trying to screw everyone, but because they have millions and millions of customers. If you've got a virus-scanner, use it, and your computer isn't going to explode between now and the time that SP2 is offered over standard Windows update.

[Tuckerfan]

Quote:

Originally Posted by legion

I understand the concerns that the service pack thingy should only be downloaded for Microsofts site, but why can't they allow these kind of updates to be distibuted on the software disks that you get cellotaped to computer magazines?

Because that would make sense.

Seriously, though, the reason for not doing it is because of the expense involved, since M$ would either have to pick up the tab for the whole CD or at least part of it, whereas with the web based distro, their costs are lower.

[Tuckerfan]

Quote:

Originally Posted by SolGrundy

Because you keep typing it "M$", which was already dumb and tiresome like 10 years ago. Makes you sound like any one of the thousands of insipid militant Linux-using Microsoft-bashers I've met over the past 10 years.

So do you assume that someone who refers to Fords as "Fucked Up Rebuilt Old Dodges" doesn't currently drive one? (Which was no doubt dumb and tiresome 75 years ago.)

Quote:

The rest of your point: sure, fine. It would be more convenient, maybe. But companies as large as Microsoft have to have control over the release of their software. Not because they're money-grubbing or evil or trying to screw everyone, but because they have millions and millions of customers. If you've got a virus-scanner, use it, and your computer isn't going to explode between now and the time that SP2 is offered over standard Windows update.

I'm not worrying about my PC exploding, I'm chapped because of the heavy handed way that M$ responded to this. Mockingbird posted the ideal solution above, yet M$ wouldn't do that.

Again, by your logic of M$ having total control over the distribution, then they should legally be able to prevent me from helping to repair a friends computer (because I'm not M$ certified) and bar me for burning CDs of SP2 to give to my friends with dial up connections. All because I might incur costs for the company.

You say that because M$ has millions and millions of customers it is their right to tightly control the distribution of their software. I say that because M$ has millions of millions of customers, they are obligated to make sure that the security patches they write to correct the flaws in their software are distributed to the public as fast as possible. If M$ doesn't want to spend the money to upgrade their servers so that they can handle the increase in demand for the patch, then they need to get out of the fucking software business altogether.

[Mojo]

Quote:

Originally Posted by praxim

...but MS is still wise to cover their $4e10 ass.

What the hell is "$4e10"?
_{if it isn't l33t then I've just wasted 10 minutes trying to translate gibberish}

[catsix]

It's exponential notation.

It means $40 billion.

4 x 10^10 = 40,000,000,000.

[praxim]

Quote:

Originally Posted by legion

I understand the concerns that the service pack thingy should only be downloaded for Microsofts site, but why can't they allow these kind of updates to be distibuted on the software disks that you get cellotaped to computer magazines?

IIRC, they've done this before, and will likely continue to do so.

Quote:

Originally Posted by Mockingbird

What would be smart of Microsloth is to USE bittorrent to distribute it from their own trackers which you can set up to require authentication via password to gain access.

Exactly what I was going to say.

Quote:

Originally Posted by catsix

Dunno about your anti-virus program, but AVG is certainly capable of telling me whether a virus is contained in a file before I execute it and get infected.

I was making two points here: 1) the virus has to be identified before your AVS will do something about it or 2) if it identifies virus-like behavior, chances are the user will dismiss it because it is, after all, an OS update. I haven't used any AV programs in a while. but I remember seeing things like "This program is attempting blah. If this is an operating system upgrade, it's ok. Allow?" I was not arguing that you can't identify a virus before you run it.

Quote:

Originally Posted by catsix

Anybody who really wants to distribute a virus or a trojan with the same file name and approximate size of XP SP 2 will probably care fuck-all about some DMCA warning from Microsoft.

Absolutely, but this doesn't mean they shouldn't control what illicit distribution they can. Anybody with enough will can break into my apartment and won't care a bit about my deadbolt, but I still lock my doors at night.

Quote:

Originally Posted by Tuckerfan

So because I'm not a M$ certified software expert M$ has the right to slap me with a cease and desist order if a friend asks me to come over and help fix their PC? Because, you know, I might screw up their PC and then they'd have to call M$ for tech support help.

Out of all my friends and family I'm about the only one who has a high speed internet connection, everybody else is on dial-up. Given that SP2's 266 MBs, it makes more sense for me to download the patch, burn it to a CD and give copies of it to those folks on dial up (at no cost to them) rather than have them spend the weeks necessary it'll take for them to download it via a 24/7 dial-up connection which they don't have. But by your logic, M$ should sue my ass into the stone age because I'm operating as an uncontrolled distribution channel and could possibly be infecting their PCs with some kind of malware.

Of course not. Burn it to a CD - those things have much better bandwidth than any torrent anyway. MS is not at all concerned with your little tech support sessions. They know they could never go after people who burn the SP to CD and wouldn't care to if they could.

I don't really understand how you can say that my logic disallows that. I'm against someone setting up a mass distribution of a critical security patch that isn't authorized by the vendor. That follows, I believe, the spirit of that clause in their license, if not the letter.

Quote:

Originally Posted by Tuckerfan

Quote:

And I fail to see how the folks were preventing M$ from doing that.

I should have phrased that differently. It's not sufficient for MS to be the authoritative source, but they must also be the only source. If MS allows unchecked mirroring, chances are that most people will never bother to check with the authoritative source.

Quote:

Originally Posted by Tuckerfan

Well, for starters in all my years of utilizing "unauthorized distribution channels" only once have I gotten a piece of malware. Yeah, sure lots of times did I get something that wasn't what I was after, but I can tell you my virus scanner screams more at shit that comes in my inbox than it does at anything I've ever downloaded from a questionable source. I know how big the SP2 pack is, I know what the file should look like (it shouldn't be a .zip, .tar, .rar), I'm not even going to bother with a file the wrong size or the wrong format, if I do get the wrong one, it's pretty easy to tell during the install process, and even if I somehow manage to have a total brain fart and allow a piece of malware to install itself and wreak havoc on my machine, it's no biggie, you see, I've got a disk image of the system before I installed anything I'm unfamiliar with, and since that's stored on a removeable drive, I can be back in business in less time than it takes me to do a reformat and reinstall with my original Windows CDs.

Good luck in the past is no excuse for poor practices in the present.

If all you know is that SP2 is a 266 MB executable file that looks pretty official, I could make my own SP2 for you in an hour. If you want a reasonable assurance that the file is what you really want, you should check with a cryptographic hash. We've already established that most users are unlikely to do this.

Quote:

Originally Posted by Tuckerfan

Oh yeah, because everybody trusts M$ products.

You may not trust MS's products, but you should be able to trust that the service pack you get is what MS intended and not what someone cooked up in their parents' basement.

Quote:

Originally Posted by legion

P.P.S. Anyone know of a spellchecker for Mozilla?

If you're using Firefox, this one works: http://www.exchangecode.com/spellbound/

[China Guy]

FYI, automatic update already pushed SP2 to my machine and I just installed it this morning. Took about 10 minutes.

Security is every users problem.

SP2 comes with everything locked down by default. Microsoft products used to be shipped in a kindler, gentler past before the big hacker attacks because it made things easier to use.

A lot of people in this thread are screaming about security being Microsoft's problem. In an effort to control security, Microsoft is controlling the downloads. Only way they can control is to have one official download site.

Just think how much people would be screaming if they download some awful virus from a P2P site? They would be screaming that Microsoft security sucked. They do that now by not turning on the firewall, having a virus checker, etc etc.

[Tuckerfan]

Quote:

Originally Posted by praxim

I was making two points here: 1) the virus has to be identified before your AVS will do something about it or 2) if it identifies virus-like behavior, chances are the user will dismiss it because it is, after all, an OS update. I haven't used any AV programs in a while. but I remember seeing things like "This program is attempting blah. If this is an operating system upgrade, it's ok. Allow?" I was not arguing that you can't identify a virus before you run it.

The newer ones don't bother saying things like "this looks like a virus," they're generally pretty good at IDing viruses these days. AVG is better than ones I've paid for.

Quote:

Absolutely, but this doesn't mean they shouldn't control what illicit distribution they can. Anybody with enough will can break into my apartment and won't care a bit about my deadbolt, but I still lock my doors at night.

And if M$ was going to be losing money from people distributing the patch via BitTorrent, you might have a case.

Quote:

Of course not. Burn it to a CD - those things have much better bandwidth than any torrent anyway. MS is not at all concerned with your little tech support sessions. They know they could never go after people who burn the SP to CD and wouldn't care to if they could.

Guess you haven't seen the specs for what Longhorn's supposed to be able to do then? Even legitimate file sharing is going to be difficult, if not well-niegh impossible under Longhorn. On the plus side, it's supposed put an end to virus worries. Of course, SP1 was supposed to fix all the security holes in XP and we know how well that turned out.

Quote:

I don't really understand how you can say that my logic disallows that. I'm against someone setting up a mass distribution of a critical security patch that isn't authorized by the vendor. That follows, I believe, the spirit of that clause in their license, if not the letter.

Great, so it follows the spirit and the letter of the clause of the license, but is any real harm being done to M$? No. Certainly there's the potential to harm M$, but you can't go after someone because there's the chance of potential harm to someone. After all, every time you get behind the wheel of a car, there's the potential that you could get into an accident and kill someone. Should you be prevented from driving because of that? If you're going to stop someone from freely distributing a security patch, that the original vendor is also freely distributing because there's the potential that this could cause the vendor to incur additional costs, then what's to stop you from going after folks who screw up someone else's computer when they're trying to fix it? After all, their botched efforts have the potential of costing the company money.

Quote:

I should have phrased that differently. It's not sufficient for MS to be the authoritative source, but they must also be the only source. If MS allows unchecked mirroring, chances are that most people will never bother to check with the authoritative source.

Caveat emptor, wouldn't you say?

Quote:

Good luck in the past is no excuse for poor practices in the present.

And past performance is no guarantee of future returns, as it says on the bottom of all the brokerage house ads. Still doesn't keep people from investing in the stockmarket.

Quote:

If all you know is that SP2 is a 266 MB executable file that looks pretty official, I could make my own SP2 for you in an hour. If you want a reasonable assurance that the file is what you really want, you should check with a cryptographic hash. We've already established that most users are unlikely to do this.

And I serously doubt that the vast majority of XP users are going to bother downloading the SP2 patch from a BitTorrent source. I'd wager that most of them don't even know what one is. But I'd be willing to bet that the majority of folks who do know what a BitTorrent source is, know how to handle things if their computer gets totally fubared.

Quote:

You may not trust MS's products, but you should be able to trust that the service pack you get is what MS intended and not what someone cooked up in their parents' basement.

I should also be able to trust that if M$ is going to leave me with gaping security holes that they're going to bust ass to get the necessary patches to me ASAP.

[Tuckerfan]

Quote:

Originally Posted by China Guy

FYI, automatic update already pushed SP2 to my machine and I just installed it this morning. Took about 10 minutes.

Security is every users problem.

Agreed.

Quote:

SP2 comes with everything locked down by default. Microsoft products used to be shipped in a kindler, gentler past before the big hacker attacks because it made things easier to use.

What kinder, gentler past do you speak of? Back when the internet was DARPAnet? Because there's been computer viruses floating around for well over a decade now.

Quote:

A lot of people in this thread are screaming about security being Microsoft's problem. In an effort to control security, Microsoft is controlling the downloads. Only way they can control is to have one official download site.

Then why not use Mockingbird's suggestion? It's secure, and gets the patch out faster.

Quote:

Just think how much people would be screaming if they download some awful virus from a P2P site? They would be screaming that Microsoft security sucked. They do that now by not turning on the firewall, having a virus checker, etc etc.

Where you been? I can recall reading articles over ten years ago bitching about how DOS was written in a "virus friendly matter." I can accept the various incarnations of Windows having glitches and problems, because every new product is going to have some kinks that need to be worked out of it, but anti-virus protection and many of the security issues are problems that have been known about for years now, and it's only with SP2 that M$ seems to have gotten serious about fixing the problem.

[praxim]

Quote:

Originally Posted by Tuckerfan

The newer ones don't bother saying things like "this looks like a virus," they're generally pretty good at IDing viruses these days. AVG is better than ones I've paid for.

Read this http://en.wikipedia.org/wiki/Antivirus. Please tell me where I'm wrong. If the virus is not identified, AVG won't pick it up. Or it will warn you of virus-like behavior, much of which is totally aceptable in OS upgrades.

Quote:

And if M$ was going to be losing money from people distributing the patch via BitTorrent, you might have a case.

This is not about money.

MS has a bad security record. They're releasing a very critical set of patches which address security concerns. It is imperative for them to insure that the distribution channel is as secure as possible. As you acknowledge here:

Quote:

Great, so it follows the spirit and the letter of the clause of the license, but is any real harm being done to M$? No. Certainly there's the potential to harm M$, but you can't go after someone because there's the chance of potential harm to someone. After all, every time you get behind the wheel of a car, there's the potential that you could get into an accident and kill someone. Should you be prevented from driving because of that? If you're going to stop someone from freely distributing a security patch, that the original vendor is also freely distributing because there's the potential that this could cause the vendor to incur additional costs, then what's to stop you from going after folks who screw up someone else's computer when they're trying to fix it? After all, their botched efforts have the potential of costing the company money.

It's actually totally irrelevant whether there's any potential harm to be done to MS. They get to control the distribution of their IP, that's the nature of copyright. If they believe that allowing others to distribute the patch, even if they themselves give it away for free, will harm them, they have every legal right to restrict its distribution.

The rest of this argument is a total straw man. This has nothing to do with driving (where, actually, you can restrict someone's rights if they present a legitimate danger to others) or the possibility of breaking someone's computer while fixing it (which is also actually covered in the case of, say, those warranty stickers on towers that cannot be broken, for exactly that reason).

Quote:

Guess you haven't seen the specs for what Longhorn's supposed to be able to do then? Even legitimate file sharing is going to be difficult, if not well-niegh impossible under Longhorn. On the plus side, it's supposed put an end to virus worries. Of course, SP1 was supposed to fix all the security holes in XP and we know how well that turned out.

Please stop bringing up things that have nothing to do with the argument. If you don't like MS's products, stop buying them. Quit whining that you grew up on them and can't be arsed to learn anything else. It's like you keep saying: if the customer has a problem, it's their job to fix it.

Quote:

Caveat emptor, wouldn't you say?

Sure. I should be able to sell arsenic and orange juice side by side, but call them both orange juice. Caveat emptor, after all.

Quote:

And past performance is no guarantee of future returns, as it says on the bottom of all the brokerage house ads. Still doesn't keep people from investing in the stockmarket.

I've never been in a serious car accident. Should I stop wearing my seat belt and disable the air bags?

Quote:

And I serously doubt that the vast majority of XP users are going to bother downloading the SP2 patch from a BitTorrent source. I'd wager that most of them don't even know what one is. But I'd be willing to bet that the majority of folks who do know what a BitTorrent source is, know how to handle things if their computer gets totally fubared.

I'd say we've proven, by example, that this is not the case.

Quote:

I should also be able to trust that if M$ is going to leave me with gaping security holes that they're going to bust ass to get the necessary patches to me ASAP.

Absolutely.

[catsix]

Quote:

Tuckerfan said:
The newer ones don't bother saying things like "this looks like a virus," they're generally pretty good at IDing viruses these days. AVG is better than ones I've paid for.

Yeah, AVG is pretty damn good. It'll tell you exactly what file is infected and what it is infected with, as in the actual name of the virus. They also publish very frequent updates to catch new viruses. It doesn't ever say 'this looks like a virus'.

Quote:

But I'd be willing to bet that the majority of folks who do know what a BitTorrent source is, know how to handle things if their computer gets totally fubared.

If I were going to attempt to get the SP from BitTorrent, I'd be damn sure to check the hash, and I'd do a backup before installation in case it was FUBAR. And the average computer user, you're right, doesn't know BitTorrent from his or her ass.

Quote:

praxim said:
Read this http://en.wikipedia.org/wiki/Antivirus. Please tell me where I'm wrong. If the virus is not identified, AVG won't pick it up. Or it will warn you of virus-like behavior, much of which is totally aceptable in OS upgrades.

Never, ever have I seen AVG warn of 'virus-like' behavior. I have seen it warn immediately that a downloaded file contained a virus.

Nor is it likely that a new virus would be written expressly for SP2 since 10 Aug.

[Dead Badger]

I think the likelihood that the file linked from Downhill Battle is malicious is very low, given the site's apparent motivations. I have no guarantee of this, however, and have no prior knowledge of the group so have no reputation by which to judge them. The checksum posted on their front page is completely pointless, since it proves only that they have generated a checksum of the file they're distributing. Bittorrent is still development software, and hardly immune to security flaws itself. There are no guarantees if you download this file, and that's all that should matter.

If a security professional even considered downloading the service pack from this source, they'd be nuts. Sure, they'd probably get away with it, but what on earth is the point of security if you arbitrarily decide to trust people you don't know from Adam? And for that matter, MS haven't restricted access to the full download from their own site, merely pointed out that it's not intended for use on single computers. As for those suggesting that virus checkers are perfectly adequate to protect the world from malicious software, one can only wonder why they're downloading a security update at all; after all, they're perfectly safe, right?

Quote:

Originally Posted by catsix

Nor is it likely that a new virus would be written expressly for SP2 since 10 Aug.

It's entirely possible that one could be written beforehand, and added as a payload once SP2 was released. If you're that confident that the world's virus crews would never consider attacking the biggest security update in Windows history, I have to question your claims to computer savviness. What do you think these guys live for? Virus signatures only work on previously identified viruses, and heuristic detection algorithms are far from perfect. Is "not likely" really something you want to hang your hat on?

At the root of it, if a flawed version of SP2 gets out, Microsoft will take the blame. It's entirely reasonable for them to prevent unauthorised redistribution of their own software, on which their reputation rests. Once they let one P2P site distribute it, they would presumably be on legally shaky ground in preventing other more dubious sites doing the same. Someone has already linked to a place where you can download the service pack direct from MS, so what's the problem?

[The_Llama]

SP2 beta has been out for quite some time. I had it for at least a month, and the friend who gave me the link to get it had it at least a few weeks before that. Just so everyone knows it's been available (in beta) for a while. I've seen the beta on usenet, as well, posted by a few of the major cracking groups. So Aug. 10 isn't the first time everyone in the world got to see it.

[badmana]

I got it via BitTorrent. No problems to report. Slashdot reported it several days before MS found out so I believe the file made it to several hundred thousand machines by then.

Although I can see why MS wouldn't be happy about having the patch spread itself via BitTorrent, I don't know why they had to issue a legal warning to stop others from doing so.

I sent it to my GF (after Downhill Battle stopped hosting it) and all is good.

[catsix]

Quote:

Dead Badger said:
If you're that confident that the world's virus crews would never consider attacking the biggest security update in Windows history, I have to question your claims to computer savviness.

Question it all you want. I've never had a virus infection, not at home, nor at work, on my watch. I think they'll try to attack it, but I also think that attempting to sneak in a virus that's totally unidentified and would remain so for any reasonable amount of time would be a piss-poor way to attack Windows.

There are plenty of security holes in existing installations to attack, and a lot more is known about them.

Sure, they could write a virus ahead of time and then infect SP2 with it, I just don't think that it would do much good at all. Viruses are typically identified within a couple of days, and disinfection measures and updates to antiviral programs are put out in extremely timely manners.

Would they consider it? Yes. Would they actually be capable of doing anything significant? I doubt it.

Quote:

Is "not likely" really something you want to hang your hat on?

It's done every day. Risk assessment.

Quote:

Someone has already linked to a place where you can download the service pack direct from MS, so what's the problem?

I linked to it. I also know that when MS's servers are too busy, it's a royal pain in the ass to attempt to get anything from them.

For that reason, I typically do put copies of those patches I get on my website, and I'll point people I know to that site.

Quote:

The_Llama said:
SP2 beta has been out for quite some time. I had it for at least a month, and the friend who gave me the link to get it had it at least a few weeks before that.

While I will use and try betas at home, I can't just grab the first beta of a service pack and stick it on every machine on the LAN at work. At most I can do so on my test machines, but not on all the machines. Betas have that name for a reason. They have not satisfactorily been real-world bug tested.

[Dead Badger]

Quote:

Originally Posted by catsix

Would they consider it? Yes. Would they actually be capable of doing anything significant? I doubt it.

So all of these virus epidemics we've had in the past few years; what were they? Imaginary? No, they're proof positive that without assurance, viruses do get in to the wild and do do lots of damage, and they do it to people who aren't stupid, just overconfident. For all the browser holes and security patches, the most enduring and popular attack vector for viruses is to trick a user into executing something themselves. Fundamentally, you simply didn't know what that executable contained until you ran it. Saying that you didn't catch a virus doesn't prove that it was a sensible thing to do; it just means you got lucky.

Quote:

It's done every day. Risk assessment.

Right; which is why I find it hard to believe that anyone would advocate downloading and installing a major system update from somewhere completely random. Security is the art of eliminating uncertainties, not of taking educated risks. Look at it this way; if you're so confident in your abilities to protect yourself, why not wait until MS do make the patch generally available. You're not in any danger in the meanwhile, right? And if you're not so confident, wait and download it from a trusted site. In neither instance should running an unverified program on your machine be considered the best option.

In any case, this is somewhat beside the point, which is MS's actions in requesting that the P2P copy be taken down. You're free to do whatever you want to your computer, and if you think the file you've got is legit, then knock yourself out. None of this affects the fact that MS are perfectly within their rights to stop untrusted sites from redistributing their copyrighted software, and are well advised to do so given the vast negative publicity that would result from any malicious files being spread under their name. And that publicity wouldn't just be bad for their image, but would put vast numbers of people off installing the patch, decreasing general security. Like it or not, MS have taken the only sensible action here.

[catsix]

Quote:

Dead Badger said:
So all of these virus epidemics we've had in the past few years; what were they? Imaginary?

You asked about one specific case. I don't think that in this case there is a signifcant risk of anyone managing to hide a virus in a supposed SP2 executable that wouldn't be detected and fixed less than a day or two after it hit the wild. It's a high profile target with limited chance of success.

Quote:

Fundamentally, you simply didn't know what that executable contained until you ran it. Saying that you didn't catch a virus doesn't prove that it was a sensible thing to do; it just means you got lucky.

Considering the anti-virus software and the ability to check the hashes, I can be pretty damn sure of what an executable contains before I run it.

Quote:

I find it hard to believe that anyone would advocate downloading and installing a major system update from somewhere completely random. Security is the art of eliminating uncertainties, not of taking educated risks.

Where did I say 'somewhere completely random'? There are sites other than MS which are neither 'completely random' nor untrustworthy. Or are you suggesting that I am the kind of person who would Google 'SP2' and then download and run an untested, unverified .exe from some site in Tuvalu or Niue?

Quote:

Look at it this way; if you're so confident in your abilities to protect yourself, why not wait until MS do make the patch generally available.

Scroll up bucko. I downloaded it from MS. I just didn't follow their admonition that this particular download is 'not for use at home.'

Quote:

And if you're not so confident, wait and download it from a trusted site. In neither instance should running an unverified program on your machine be considered the best option.

Non-Microsoft is not the synonym for 'untrusted'. And where did I say something about running unverified files? I specifically stated that I check hashes. It's something that I am accustomed to due to my usage of Unix, and do apply to my usage of Windows.

Not using MS directly to obtain all my software in no way indicates that I use sites that are 'untrusted' or that I can't check a hash.

Quote:

You're free to do whatever you want to your computer, and if you think the file you've got is legit, then knock yourself out.

It is legit. Downloaded directly from the page I quoted earlier on, yeah, MS's site. It's also now available on the internal web server I run for my company.

Quote:

None of this affects the fact that MS are perfectly within their rights to stop untrusted sites from redistributing their copyrighted software, and are well advised to do so given the vast negative publicity that would result from any malicious files being spread under their name.

The problem here is that you seem to believe any site that isn't Microsoft itself is automatically untrusted and will ruin their reputation. I can see that it's really damaged the hell out of Sun Microsystems to have its software mirrored at other sites, and Apache, they've definitely suffered those publicity hits because their httpd is available at sunfreeware. Of course, they do also post recommendations that the hashes be checked, and consider their users intelligent enough to actually do so.

Quote:

Like it or not, MS have taken the only sensible action here.

Sensible wouldn't include mirrors at download.com or cnet.com or tucows.com or CDs stuck into computer magazines would it?

Why on earth do you think that only the microsoft.com domain should be considered 'trusted'?

[The_Llama]

Quote:

While I will use and try betas at home, I can't just grab the first beta of a service pack and stick it on every machine on the LAN at work. At most I can do so on my test machines, but not on all the machines. Betas have that name for a reason. They have not satisfactorily been real-world bug tested.

My point had zero to do with you, or your using it. It had to do with this statement

Quote:

Nor is it likely that a new virus would be written expressly for SP2 since 10 Aug.

That gives people the false idea that SP2 is only available to the public, and thusly people who would hack or malign it, on the day of its official release.

[Dead Badger]

Quote:

Originally Posted by catsix

I don't think that in this case there is a signifcant risk of anyone managing to hide a virus in a supposed SP2 executable that wouldn't be detected and fixed less than a day or two after it hit the wild. It's a high profile target with limited chance of success.

Right, you "don't think". And like I said, you're probably right. But "probably" is not security, and I don't see any reason whatsoever why this case is different from any others. High visibility target, high chance of being attacked. Not exactly rocket science; why do you think the 9/11 hijackers went after some of the tallest buildings in the world?

Quote:

Considering the anti-virus software and the ability to check the hashes, I can be pretty damn sure of what an executable contains before I run it.

I'm curious as to why you believe that checking the hash is any protection at all. The hash for the bittorrent distribution was published by the same people distributing the download, not by Microsoft. If you check the hash against a hash obtained from a known good version of the service pack, then yes, you know you have a valid version, but I don't see how one can do this, since Microsoft haven't published the hash (as far as I can see) and the only other way to obtain it would be to generate a hash from a known valid download. As for the virus checker, I can only assume you're completely ignoring the repeatedly-made points about new or unknown viruses.

Quote:

Where did I say 'somewhere completely random'? There are sites other than MS which are neither 'completely random' nor untrustworthy. Or are you suggesting that I am the kind of person who would Google 'SP2' and then download and run an untested, unverified .exe from some site in Tuvalu or Niue?

No, I said completely random. I have never heard of Downhill Battle before, and in the context of downloading security updates they are completely random. I have no reason to trust them whatsoever. As I said, their apparent motives suggest that they are bona fide, but that in itself does not generate sufficient trust for me.

Quote:

Scroll up bucko. I downloaded it from MS. I just didn't follow their admonition that this particular download is 'not for use at home.

Okaaaaay. In which case I'm slightly confused at your insistence that downloading from an unknown site is so safe, but there you go.

Quote:

Non-Microsoft is not the synonym for 'untrusted'. And where did I say something about running unverified files? I specifically stated that I check hashes. It's something that I am accustomed to due to my usage of Unix, and do apply to my usage of Windows.

I said absolutely nothing about non-Microsoft. I'm talking very specifically about some site that hardly anyone had heard of before this story broke, and which the vast majority of users do not know anything about. Download.com, SunSite; all fine with me; I know and trust these places. I'm talking about simple common sense here. Don't download software from places you don't know. Sheesh.

Quote:

The problem here is that you seem to believe any site that isn't Microsoft itself is automatically untrusted and will ruin their reputation. I can see that it's really damaged the hell out of Sun Microsystems to have its software mirrored at other sites, and Apache, they've definitely suffered those publicity hits because their httpd is available at sunfreeware. Of course, they do also post recommendations that the hashes be checked, and consider their users intelligent enough to actually do so.

Meh, again with this daft notion that I'm insisting on a single download source. I'm objecting to the ridiculous idea that Microsoft should allow the digital equivalent of Buttfuck, Illinois to distribute their own code without first asking Microsoft, and with no guarantees that the code is genuine or safe. I think distributing the patch on download.com or other trustworthy sites is a great idea but that's not what we're talking about; we're talking about MS stopping the file from being distributed on P2P systems.

Quote:

Why on earth do you think that only the microsoft.com domain should be considered 'trusted'?

Again, I haven't said anything so stupid. I just don't trust sites I've never heard of, and don't see why Microsoft should, either.

[Dead Badger]

Quote:

Originally Posted by Dead Badger

Right, you "don't think".

Just to be clear, this wasn't supposed to be some juvenile jibe, it just came out like that. I just meant to emphasise that you couldn't be sure... (in the context of the Downhill Battle download)

[catsix]

Quote:

Dead Badger said:
Right, you "don't think". And like I said, you're probably right. But "probably" is not security, and I don't see any reason whatsoever why this case is different from any others.

So far as the computers at my place of employment are concerned, my opinion of security is our security.

Quote:

If you check the hash against a hash obtained from a known good version of the service pack, then yes, you know you have a valid version, but I don't see how one can do this, since Microsoft haven't published the hash (as far as I can see) and the only other way to obtain it would be to generate a hash from a known valid download.

And you think that's not possible why?

Quote:

Okaaaaay. In which case I'm slightly confused at your insistence that downloading from an unknown site is so safe, but there you go.

My insistance is that downloading from a known safe site does not necessarily mean only Microsoft itself.

Quote:

Download.com, SunSite; all fine with me; I know and trust these places. I'm talking about simple common sense here. Don't download software from places you don't know. Sheesh.

Then surely you can comprehend that a site you would consider 'unknown' might be one that I know well?

Quote:

I think distributing the patch on download.com or other trustworthy sites is a great idea but that's not what we're talking about; we're talking about MS stopping the file from being distributed on P2P systems.

Which is not, in and of itself, a danger. BitTorrent, among others, indicates the exact source of the file. If it's a site I know to be trustworthy, where's the problem for me?

Quote:

Just to be clear, this wasn't supposed to be some juvenile jibe, it just came out like that. I just meant to emphasise that you couldn't be sure... (in the context of the Downhill Battle download)

I can, however, limit my downloads from sites that aren't Microsoft to ones I do know and trust the content of. Again, unknown to you does not mean 'unknown to everyone.'

[Tuckerfan]

Quote:

Originally Posted by praxim

Read this http://en.wikipedia.org/wiki/Antivirus. Please tell me where I'm wrong. If the virus is not identified, AVG won't pick it up. Or it will warn you of virus-like behavior, much of which is totally aceptable in OS upgrades.

Again, someone who doesn't understand how to correct their PC when it get's totally fubared isn't going to know what BitTorrent is or how to use it.

Quote:

This is not about money.

MS has a bad security record. They're releasing a very critical set of patches which address security concerns. It is imperative for them to insure that the distribution channel is as secure as possible. As you acknowledge here:

And one would think that with M$'s bad security record that they'd be busting ass to ensure that they got the patches out as fast as possible, and using every means under the sun to get them out. Yet they're not.

Quote:

It's actually totally irrelevant whether there's any potential harm to be done to MS. They get to control the distribution of their IP, that's the nature of copyright. If they believe that allowing others to distribute the patch, even if they themselves give it away for free, will harm them, they have every legal right to restrict its distribution.

Again, if it's my dangly bits that are being unprotected, I have every right to do what I can to protect them. It's even legal for me to kill another human being if I can prove that they were a threat to my safety. Why should my privacy (which can be compromised due to the security flaws in M$'s software) be subject to the whims of a corporation?

Quote:

The rest of this argument is a total straw man. This has nothing to do with driving (where, actually, you can restrict someone's rights if they present a legitimate danger to others) or the possibility of breaking someone's computer while fixing it (which is also actually covered in the case of, say, those warranty stickers on towers that cannot be broken, for exactly that reason).

Yes, but you have to be able to prove that the individual whose driving your restricting is posing a threat to others by getting behind the wheel. The only way you can do that is by pointing to their past behaviour. Since this is, apparently, the first time someone has tried to distribute M$'s software this way, there's no evidence that it would cause major problems.

Quote:

Please stop bringing up things that have nothing to do with the argument. If you don't like MS's products, stop buying them. Quit whining that you grew up on them and can't be arsed to learn anything else. It's like you keep saying: if the customer has a problem, it's their job to fix it.

You know, I'd like to quit using M$'s products, but unfortunately, I can't. You see, in my industry, 99.999% of the software used will only run on Windows based machines. Yes, there's Linux equivalents of some of the programs, but they're not widely used, so if I'm going to land a decent paying job in my field, I must stay current with the Windows versions. I haven't had the time or the money to play with any of the Linux based Windows emulators out there to see if the programs I need to use will run under them. Even if they can, I'd need a much more powerful PC than I have at present, and I can't afford to get a new one, so I'm stuck with Windows.

Quote:

Sure. I should be able to sell arsenic and orange juice side by side, but call them both orange juice. Caveat emptor, after all.

And you bitch about me throwing out strawmen.

Quote:

I've never been in a serious car accident. Should I stop wearing my seat belt and disable the air bags?

And this has what to do with anything?

Quote:

I'd say we've proven, by example, that this is not the case.

Where? You've proven nothing.

Quote:

Absolutely.

At least we agree on one thing.

[praxim]

Quote:

Originally Posted by Tuckerfan

And one would think that with M$'s bad security record that they'd be busting ass to ensure that they got the patches out as fast as possible, and using every means under the sun to get them out. Yet they're not.

Every means they have, yes. But distribution is their call, not anyone else's. If they want torrents up, they can do it themselves. It's not hard.

Quote:

Again, if it's my dangly bits that are being unprotected, I have every right to do what I can to protect them. It's even legal for me to kill another human being if I can prove that they were a threat to my safety. Why should my privacy (which can be compromised due to the security flaws in M$'s software) be subject to the whims of a corporation?

I never argued that there was anything you couldn't do, just what a third party should be allowed to do.

Quote:

Yes, but you have to be able to prove that the individual whose driving your restricting is posing a threat to others by getting behind the wheel. The only way you can do that is by pointing to their past behaviour. Since this is, apparently, the first time someone has tried to distribute M$'s software this way, there's no evidence that it would cause major problems.

People can be denied driving rights for a variety of reasons, like various medical conditions, that have nothing to do with past behavior.

There's no precedent, so it's impossible to be certain that massive damage would result. But if MS assesses the risk inherent in allowing others to distribute their software and decides it's too great, that's their call. We make these kinds of decisions constantly; we don't have to try everything to find out whether its a bad idea or not.

Quote:

You know, I'd like to quit using M$'s products, but unfortunately, I can't. You see, in my industry, 99.999% of the software used will only run on Windows based machines. Yes, there's Linux equivalents of some of the programs, but they're not widely used, so if I'm going to land a decent paying job in my field, I must stay current with the Windows versions. I haven't had the time or the money to play with any of the Linux based Windows emulators out there to see if the programs I need to use will run under them. Even if they can, I'd need a much more powerful PC than I have at present, and I can't afford to get a new one, so I'm stuck with Windows.

I thought your primary issue was with your computer(s) at home. I'd imagine this is a non-issue at the job, where this is handled by someone else, someone who is very likely going to play it safe and download the SP from MS.

Besides, you didn't say you had to use Windows for work, you just said you couldn't bother to learn anything else.

Quote:

And you bitch about me throwing out strawmen.

I was providing an example of how allowing others to dilute your branding can be dangerous. Maybe it really is a strawman, maybe it's a useful analogy. I've been known to come up with some bad ones. The point remains: there has to be some guarantee that a product is what it claims to be. The customer can't look into proprietary software to confirm its contents, and even if they could, it would be far too time-consuming to do so.

I agree absolutely that people should be personally responsible for what they download and where they acquire it. Unfortunately, far too many people still run whatever random official-looking file pops up in their inbox. MS has to be realistic and acknowledge this fact.

Quote:

And this has what to do with anything?

You argued that you download from arbitrary sources, never check the hashes, and have never been burned, so why stop now? I'm saying that a run of good fortune is no excuse to toss out safe practices.

Quote:

Where? You've proven nothing.

You insist that anyone using BT is also going to be prepared to check the file for tampering, but you also mention that, while you use unofficial distribution channels, you don't actually check the files you download to ensure their integrity. Therefore, not every person out there using BT is taking precautions to ensure that what they downloaded is what they wanted.