M$ Says "NO!" to Using File Sharing to Distribute XP SP2!

A group of net activists thought they’d use Bit Torrent to distribute XP Service Pack 2.

Given that numerous net security advocates have been screaming about how porous XP’s security is ever since M$ introduced XP, you’d think that M$ would be inclined to allow this to happen. And you’d be wrong.

So, you’ve got the most widely used OS on the planet, you’ve just released a much needed security update, but you’ve got to limit the distribution of it in order to not overload your systems, someone comes along and decides to speed up the process, at no cost to you, and your response is to threaten them with legal action if they continue? I don’t get it.

Uh, I think you just answered your own question there. It’s a security update. As in, something that will help make your OS less vulnerable to hackers and intrusion. And you don’t understand why Microsoft (last I checked, there’s no dollar-sign in the name) would want people to be getting this directly from them instead of random, anonymous people spread throughout the internet, over which they have no control?

If I want to get a new key made for my car, I go to the dealer and wait in line. I don’t head down to the local chop shop and let them make me a copy just because it’s faster.

If you needed new locks for your car because the current locks have been proven to be unsecure, would YOU wait 2 months until the dealer freed up space for you, or would you go to the local mechanic who has a stock of secure, compatible locks to put on your car today?

Unless there is a legitimate risk of someone tinkering with the SP and defeating the security fixes, there is no reason to limit the file sharing. There may very well be a risk there, but it is not mentioned in either article.

Gee, like it’d be really hard for M$ to slap a disclaimer on their site about it, and before you start blabbering about people downloading a corrupt file and getting their machine hacked by a virus, odds are that most people who know about Bit Torrent and understand how it works are going to be savvy enough to figure out if the file they’re about to download is legit or not. Even if they do manage to get fooled, they’re likely to be running anti-virus software so the damage, if any, to their system will be minimal.

And if I live in a bad neighborhood, lose the keys to my car doors, and the dealer tells me that “Yeah, we can make you a replacement key, but it’ll be some time in the indefinite future before we have it ready,” should I simply leave my doors unlocked and hope that no one steals my car, or should I call a locksmith and have him either cut me a new set or replace the locks for me? And if I do decide to go the locksmith route, should the dealer have the right to sue the locksmith to keep him from helping me protect my property? (I know what the license agreements for software say, but the PC that software’s installed on is mine, not M$’s, and they shouldn’t have the right to block me from taking what steps I think are necessary to protect it. Especially when it’s their software flaws which make the system vulnerable.)

BitTorrent checks the file’s integrity on download. In this situation, though, that’s not really enough: anyone that isn’t MS can alter SP2 (or just advertise some malware as being SP2), put an appropriate hash in the torrent (since they’re creating the torrent file, they have control over it, not MS), and screw with people to MS’s detriment. How likely is it that people will go beyond BT’s built-in checks and check the service pack against the hashes on MS’s site? Not very, I’d wager. It’s unfortunate, because this is a very good use of the technology, but MS is still wise to cover their $4e10 ass.

Perhaps it’ll provide incentive for people to download Linux distributions, which are BT’d all the time without complaints from the distributors. :slight_smile:

I see MS’s point.

Can you tell me for a fact that every file called “WindowsXP-KB835935-SP2-ENU.exe” out there on every Peer to Peer network is the real deal? Most people don’t have the techy know-how to do a MD5 checksum on the file and then compare it to the original, or even to look at the Digital Security Certificate on the file properties. Most would just blindly download something and then run it without taking these precautions.
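The two preceding posts make a point worth seeing concretely: BitTorrent’s built-in piece hashes only prove that you received what the torrent’s creator intended, and if the creator is not the vendor, that proves nothing about authenticity. Only comparing the finished file against a digest (or signature) published by the vendor itself closes that gap. The following Python script is an added illustration written for this page, not code from the thread or from any BitTorrent client; the “genuine” and “tampered” byte strings and the piece length are constructed sample values, and the “published” digest stands in for a hash the vendor would post on its own site.

```python
import hashlib
import hmac

# Toy piece length so the sample fits in a few lines; real torrents use
# hundreds of KiB per piece, but the logic is identical.
PIECE_LEN = 16

# Constructed sample data: what the vendor actually shipped, and a copy
# in which an attacker has overwritten eight bytes of the payload.
GENUINE = b"SP2-INSTALLER-GENUINE-BYTES\x00" + b"\x90" * 40
TAMPERED = GENUINE[:10] + b"MALWARE!" + GENUINE[18:]

# In real life this hex string comes from the vendor's own web page.
# Here it is computed from GENUINE purely so the example runs offline.
PUBLISHED_SHA256 = hashlib.sha256(GENUINE).hexdigest()


def make_torrent_pieces(data: bytes, piece_len: int = PIECE_LEN) -> list:
    """Mimic what a torrent creator embeds in the .torrent file:
    a SHA-1 digest of every fixed-size piece of the payload."""
    return [hashlib.sha1(data[i:i + piece_len]).digest()
            for i in range(0, len(data), piece_len)]


def bittorrent_integrity_ok(data: bytes, pieces: list,
                            piece_len: int = PIECE_LEN) -> bool:
    """The check a BitTorrent client performs: does the downloaded data
    match the piece hashes in the torrent? This says nothing about WHO
    made the torrent."""
    return make_torrent_pieces(data, piece_len) == pieces


def verify_against_publisher(data: bytes, published_hex: str,
                             algo: str = "sha256") -> bool:
    """The check the thread says most people skip: compare the whole file
    against a digest obtained out-of-band from the vendor's own site.
    algo may be 'md5' (as mentioned in the thread) or any hashlib name."""
    actual = hashlib.new(algo, data).hexdigest()
    return hmac.compare_digest(actual, published_hex.lower())


def assess(data: bytes, torrent_pieces: list, published_hex: str) -> tuple:
    """Return (torrent_check_passed, publisher_check_passed)."""
    return (bittorrent_integrity_ok(data, torrent_pieces),
            verify_against_publisher(data, published_hex))


if __name__ == "__main__":
    # Scenario: someone other than the vendor builds a torrent over the
    # tampered file. The client is perfectly happy; the vendor hash is not.
    rogue_torrent = make_torrent_pieces(TAMPERED)
    print("tampered file, rogue torrent :", assess(TAMPERED, rogue_torrent, PUBLISHED_SHA256))

    # Scenario: the genuine file, torrent built over the genuine file.
    honest_torrent = make_torrent_pieces(GENUINE)
    print("genuine file, honest torrent :", assess(GENUINE, honest_torrent, PUBLISHED_SHA256))
```

Running the script shows the first scenario passing the torrent check and failing the vendor check, which is exactly the gap the posts describe: the torrent’s hashes are chosen by whoever made the torrent, so they can only be trusted as far as that person is. The vendor-published digest is the one that matters, and a signature check on the installer serves the same purpose with a stronger binding to the publisher.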

I can understand how someone could put malware in the place of SP2.

However, I can’t fathom how someone could figure out how to add anything to SP2. The service pack has already been compiled to machine language and the source code is gone. I suppose someone could reverse compile it but all that would do is result in millions of lines of unreadable gibberish. In addition, I suppose someone could read the machine language in theory but that would take decades if not longer to understand.

This is an honest question. I am a systems analyst and former programmer so I understand programming and computers. Someone please explain exactly how someone could go about this in practice.

Again, I’ll argue that anyone with the brains to figure out Bit Torrent is going to be smart enough to have anti-virus and anti-spyware stuff installed and running on their box, so even if they do get a fake file, they’re not going to be put through a wringer over it. Nor do I see it as M$ covering their ass, since M$ can simply say that they’re not responsible for any patches you download via non-M$ sources. If I’m running a bootleg copy of Windows on my company’s PC, and because of a design flaw in the software a program crashes and I lose vital data, which causes me to lose profits, do you think that I’m going to have a leg to stand on in court if I try to sue M$ for damages?

So today I went to Microsoft’s site, because I don’t ever use IE, nor will I allow ‘automatic updates’ purely because I don’t trust everything M$ does.

I find, after a few minutes of searching the downloads page,
Windows XP Service Pack 2 Network Installation Package for IT Professionals and Developers. So I start reading the other stuff on that page before I download and install it, just to see what’s going on with this whole controversy.

I find this little notice:

Apparently if you are attempting to get XP SP2 for your own, personal, solitary home computer you’re just supposed to wait a little while because visiting the page they tell you to go to results in merely being told to…

So, what did I do? Downloaded the package for ‘IT Professionals and Developers’. Why should I leave my system with known security holes for ‘a while’ until M$ decides it’s time to allow the other ‘smaller’ download? It’s not as if this ‘smaller’ download really is smaller; it simply downloads part of the installation and then reconnects to Microsoft’s site when it needs the rest of the download.

They also point out:

A warning I will very likely ignore as I have numerous friends and family members using Windows XP at this point in time who are not savvy enough to hit the Microsoft Downloads page, search for the right item, realize that the ‘IT Professional/Developer’ copy will work on their installation of XP Pro, and sit around like good little sheeple exposing their security holes much longer than necessary.

Good on ya, Microsoft. No wonder you guys are so widely loved.

FTR, I’m a BitTorrent savvy person myself, and most of those I know who also use BitTorrent would be smart enough to check the file before attempting to install it.

I guess it was misleading to state a monetary figure, because, of course, I don’t really think anyone is crazy enough to sue over a file they downloaded from an unauthoritative source.

MS isn’t worried about corporations with cash to burn on lawyers. They already know where they stand when it comes to not downloading things from MS directly, and their IT people should know enough to at least check the hashes. The people they’re worried about are those downloading “WINDOWSXPSP2FORREAL.torrent” only to find that all their credit card numbers are now being sent to some 31337 h4x0r in Russia. MS wants there to be one definitive source of the software so that there’s absolutely no confusion about whether what you’re downloading is the real service pack or not.

I don’t think it’s guaranteed in the least that someone who can use BitTorrent automatically knows what an MD5 hash is and what it’s good for or is running some kind of program that makes their computer impervious to attacks by rogue programs. Last I checked, all I have to do to download from a torrent is click on a link and say where I want it saved.

This is probably a fairly unlikely scenario, because I’m sure MS has gone and digitally signed SP2 and done all sorts of things to make it extremely difficult to tamper with. That said, the whole SP2 isn’t likely to be executable. If it’s like tons of other self-extracting executables, it’s probably just a small executable (the installer) with a giant archive tacked onto the end of it (that to be installed). So you would edit the archive, not the executable. That’s not to say you can necessarily leap the other technical hurdles required to do it, but it works in your favor that it’s data, and not code, that you want to change.

Again, I fail to see how this is M$'s problem.

And in the meantime, I’m supposed to what? Simply leave my PC vulnerable while I wait for M$ to release the patch, even though those same hackers who could create a phony SP2 for me to download via BitTorrent can hack in through a known vulnerability?

I don’t check the hash files either, but I do take a good look at the program before I launch it, making sure that my antivirus, firewall, and spyware blaster programs are fully updated before I double click on the downloaded file. Knock on wood, I haven’t had a system destroying virus, or other piece of malware crash my system yet.

I’m not “blabbering,” dumb-ass. And stop being such a fucking penguin-hugging Big Corporations Are Evil Down With Micro$oft!!! weasel that you can’t listen to a reasonable argument without condescending to imply that people just don’t understand file sharing and checksums and virus scanners.

Because it’s really simple. You don’t put out an official, major release, that includes security improvements over a peer-to-peer network. You think Microsoft can respond to every consumer complaint by saying, “Stop your blabbering, you should’ve run a virus scanner.” You think that the legal department for a company as large as Microsoft can just slap a warning message on their website and fix everything? You think that the worst thing a hacker can do to a system release is to just add a virus that will be easily caught by a virus scanner?

No, you keep the security release as an official release that you have control over. So that people don’t have to worry about viruses in the first place. Sheesh.

Tuckerfan, if you want to get an OS update from an anonymous source, go ahead. I’d fire your ass in a heartbeat if you worked for me.


Well, my department at work will be getting their update from an ‘anonymous source’. Namely me.

It’ll be sitting on the internal web server where they can all go get it and run it themselves so that I don’t have to go machine to machine.


Hey jack ass, when did I say I was running Linux on my box? When did I say all big corporations are evil? I didn’t. I am running Windows XP Pro, because I’ve grown up using M$ products and simply don’t have the spare time to learn how to use Linux.

And M$ didn’t, but they did bitch slap someone who did and in a manner which wouldn’t have affected M$ systems at all. If the patch is so damned important, you’d think that M$ would be busting their ass to make sure the thing was out there as fast as possible, not saying, “No, we only want it to trickle out.”

You really think that someone who used BitTorrent is going to bitch to M$ because they got a virus instead of SP2? Or some other piece of malware? Given that tech support calls to M$ cost you money, I’d think that M$ could quite easily get away with slapping a disclaimer on their site.

And in the meantime they have to worry about things worse than viruses.

Oh, Cerowyn, it ain’t my job to update the PCs at work, I’ll let the IT guy worry about those, after all, that’s what he’s paid to do. So I don’t know what you think gives you the right to fire me for how I choose to update my own personal computer at home.

As a company, they’re obliged to protect their properties. They can’t allow people to go around offering Windows XP SP2, even if it’s legitimate, because it only takes a few people downloading “PassCrack 9k” or “KiddiePorn Fetcher” instead of SP2 to make users distrustful. If there’s a single, authoritative, trusted source with a big name behind it, users are far more likely to actually download the patch, which is what everyone wants.

Also bear in mind that all these pages offering the fake SP2 are not going to carry MS’s warning about a lack of support, so no amount of lawyerese on their own web page is going to help the situation.

No, MS is wrong here. It doesn’t mean, however, that they should give up their right to distribute an authoritative version of their security patch.

Take a good look how? Read it byte-for-byte? Ask it politely if it’s going to ruin your computer? Anti-spyware and antivirus tools are largely reactionary and rely on malicious programs being identified before they can be caught. You don’t want to be the one to identify them. And since you’re going to run that SP2 install with elevated permissions, the antivirus app is unlikely to get in your way. If it does, you’ll tell it that whatever the program is doing is ok, because it’s an operating system update, right?

The firewall will do you little good. “Application ‘Internet Explorer (wink, nudge)’ would like to access the Internet. [Allow] [Deny]”

The patch is important, yes, which is exactly why they want to be the single source for it instead of letting people potentially get away with calling anything they want SP2.

They probably won’t call MS, but do you think they’ll give SP2 a shining recommendation to their friends? Trust me, not everybody knows that there’s a difference between downloading SP2 from MS and downloading SP2 from a site your somewhat geeky friend sent you to. For a critical security patch, it’s vital for MS to maintain their users’ trust.

Because security is their problem. It’s their problem because everyone has justly been on their case making it their problem. Part of security is ensuring that your software is released through secure sites as official patches. Bit Torrent may be a safe bet, but where do you draw the line about everywhere else? Where do you tell your customers to draw the line? Microsoft have decided to draw the line where it’s securest; at their domain.

Yes. Not ideal, but you’ve waited this long already. The big difference is you’ve not been fooled into a sense of security by a fake patch.

:rolleyes: And I’m sure every other non-pc-literate downloader does the same. If it was known Microsoft policy to let anyone host their patch many people would pick it up without a second thought from the first dodgy popup that appeared on their browser. And they wouldn’t have a clue what it should look like, how big it is, or anything.

Dunno about your anti-virus program, but AVG is certainly capable of telling me whether a virus is contained in a file before I execute it and get infected.

Anybody who really wants to distribute a virus or a trojan with the same file name and approximate size of XP SP 2 will probably care fuck-all about some DMCA warning from Microsoft.

Who in their right mind trusts Microsoft?

Two words that definitely do not seem to go together are ‘Microsoft’ and ‘Security’. Their domain, right? Their webservers? Are they running MS operating systems? Definitely no way for someone to hack the site and stick a malicious file on there. :smiley:

Oh yeah, because everybody trusts M$ products. :rolleyes:

So because I’m not a M$ certified software expert M$ has the right to slap me with a cease and desist order if a friend asks me to come over and help fix their PC? Because, you know, I might screw up their PC and then they’d have to call M$ for tech support help.

And I fail to see how the folks were preventing M$ from doing that.

Well, for starters in all my years of utilizing “unauthorized distribution channels” only once have I gotten a piece of malware. Yeah, sure lots of times did I get something that wasn’t what I was after, but I can tell you my virus scanner screams more at shit that comes in my inbox than it does at anything I’ve ever downloaded from a questionable source. I know how big the SP2 pack is, I know what the file should look like (it shouldn’t be a .zip, .tar, .rar), I’m not even going to bother with a file the wrong size or the wrong format, if I do get the wrong one, it’s pretty easy to tell during the install process, and even if I somehow manage to have a total brain fart and allow a piece of malware to install itself and wreak havoc on my machine, it’s no biggie, you see, I’ve got a disk image of the system before I installed anything I’m unfamiliar with, and since that’s stored on a removable drive, I can be back in business in less time than it takes me to do a reformat and reinstall with my original Windows CDs.

Out of all my friends and family I’m about the only one who has a high speed internet connection, everybody else is on dial-up. Given that SP2’s 266 MBs, it makes more sense for me to download the patch, burn it to a CD and give copies of it to those folks on dial up (at no cost to them) rather than have them spend the weeks it’ll take for them to download it via a 24/7 dial-up connection which they don’t have. But by your logic, M$ should sue my ass into the stone age because I’m operating as an uncontrolled distribution channel and could possibly be infecting their PCs with some kind of malware.

Hey pal, have you seen the reviews for SP2?
IBM says don’t install it!
Firewire takes a massive performance hit under SP2.
Norton has problems running under SP2.

IOW, even if you do get it from M$, you could have plenty to bitch about.

Which is exactly why Microsoft want to be in the position to warn “If it’s not our site then it’s not official and it’s not secure”, rather than “It’s ok if you download from these 100 other sites (below) as well, oh and some others that may be mirroring them, and any other file-sharing outfit that may be hosting it. Hell, you’ll find it everywhere, just watch out for the evil sites that have fake copies, but that’s your problem.”