Microsoft Uses Customer Bandwidth To Deliver Windows 10 Updates

For those of you who use BitTorrent to download pirated movies, this post is for you. Microsoft has turned every Windows 10 Home and Windows 10 Pro user into a BitTorrent node of sorts, delivering Microsoft updates to their millions of customers.

Like other Windows 10 features (WiFi Sense, for example), I am sure that Microsoft thought this was a good idea.  A new Windows 10 service called Windows Update Delivery Optimization, turned on by default, has existing Windows 10 users serving up Windows patches for other computers on the Internet.

I can see a benefit in using WUDO to share updates with other computers on the same home or small office network. That would actually reduce the load on your Internet connection. For example, when Microsoft released their first big, post-release Windows 10 patch this week (sorry, they are calling them service releases now; it sounds better than bug fix), the patch weighed in at over 300 megabytes. Since Microsoft has removed your ability to control when patches install, it could download in the middle of the day.

Say you have 5 computers in your office.  At some point those computers will collectively download almost 2 gigabytes of Microsoft madness.  WUDO would reduce that to 350 megabytes (the size of one download) and have you share that patch with your fellow computers.

But what they are doing is using you to serve patches to other, unrelated users on the Internet, using your upload bandwidth.

For users on DSL, your upload bandwidth is already pretty small, and for other businesses, you likely sized your Internet connection to meet your business needs, not Microsoft’s. After all, they are not paying you to use your bandwidth.

This is not a surprise;  Microsoft said this was going to happen for a while and it was active in the beta versions.

If you are concerned about your bandwidth (not to mention your liability for serving up Microsoft’s patches), you can turn this off, but it is not obvious.  The link below has more details, but from Settings, go to Update & security and then advanced options.  You can select to turn it off completely or leave it on for computers in your home or office only.

As we move to the brave new world of Windows 10, we have to learn a whole new set of configuration checks in order to turn on or off things that we want to be different than the default.  The good news is that Microsoft says this is the last version of Windows.

Information for this post came from Computer World.

The Challenge Facing Police Tackling Cybercrime

According to reports, police in 20 countries arrested 70 people in mid-July, saying they were part of a group that traded in all sorts of nifty stuff (if you are a hacker) like hacking tools, zero day exploits, stolen credit cards, and spamming and botnet services.  Assuming that there are 800 groups like this and no new ones are formed, at this rate we will clean things up in around 1,600 years.

And, that is the problem.  Unlike old fashioned bank robberies where you have to go to the bank, these groups can operate from anywhere in the world.

Many of them are in unfriendly countries and use service providers (the so-called bullet-proof hosters) that flip the bird to the FBI.

Now, less than two weeks later, this group that the FBI and other law enforcement agencies created so much press over is operational again. Just like the Mafia, unless you arrest every single member – and no new members come in to fill the void – it is very hard to stop. The hackers are improving security. Using Tor. On Tor, each user will be given his or her own IP address. Authentication will be through Blockchain. And, I am sure, a host of other improvements. Unfortunately, like the mythical Hydra, you cut off one head and another one grows back.

I am not belittling what the FBI and other law enforcement agencies are doing, but unfortunately, it is like going elephant hunting with a fly swatter. They are outgunned. The crooks are operating worldwide in countries not friendly to us and using service providers that do not care about U.S. warrants.

While law enforcement activities like this keep the heat on these groups and certainly will take out the careless and unsophisticated, we cannot, and should not, expect the police to be able to win this battle by themselves. Businesses that write software and use software (that pretty much covers everyone, right?) need to step up their game.

Software developers need to improve the security of the software that they write.  This means INTERNAL CORPORATE software developers too because that is actually the vast majority of the software out there.  That takes time, training, tools and money.

Software users (that would be you and me) need to step up our game on security consciousness.  That includes simple stuff like not using passwords like 123456 and more complicated things like not using some service that exposes information just because it makes our job a little bit easier.

Unfortunately, there is no easy answer, but unless we make it a little more difficult for the bad guys, we may be their next victim.

The FBI press release on the operation can be found here.

An article from Wired on the takedown from mid July can be found here.

An article from Krebs on bullet-proof hosting can be found here.

Finally, an article on the rebirth of Darkode can be found here.

Another Car Hack – This Time GM

This is the week for car hacks – because it is the week before the hacker conference Defcon. In this case, for about $100, a researcher has created a black box that, while nowhere near as dramatic as the Jeep hack, is still unnerving.

The black box is a WiFi hotspot. It intercepts the communications from the GM OnStar smartphone app and masquerades as the user. That is certainly a limitation compared to the Jeep hack. This hack cannot disable your brakes or your accelerator.

What it can do is locate your car, unlock it and even start it – but not drive it away. If you can unlock it, you can steal anything inside – or plant something inside if you are inclined to do that.

GM has been working with the researcher and claims to have fixed the app (it is not a car problem, it is an app problem).  Not everyone agrees that it is fixed, though.

The problem is, and we have heard this way too many times before, that although the app uses encryption, it does not make sure that the encryption certificate is owned by GM and not a hacker.
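The missing check described above, as an added example that is not from the original post or from GM's app: using Python's standard `ssl` module, it contrasts a client context that encrypts without checking who it is talking to with one that validates the certificate, and adds a fingerprint pin on top. The function names, the sample "certificate" bytes and the pin are constructed for illustration.

```python
import hashlib
import hmac
import socket
import ssl


def unverified_context():
    """The flaw class: traffic is encrypted, but any certificate is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # has to be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE  # no chain validation at all
    return ctx


def verified_context():
    """Library defaults: chain validated against system CAs, hostname checked."""
    return ssl.create_default_context()


def audit_context(ctx):
    """Return the identity checks a client TLS context is missing."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain not verified")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    return findings


def pin_matches(peer_cert_der, pinned_sha256_hex):
    """Compare the SHA-256 of the DER certificate with a pin shipped in the app."""
    actual = hashlib.sha256(peer_cert_der).hexdigest()
    return hmac.compare_digest(actual, pinned_sha256_hex.lower())


def connect_pinned(host, port, pinned_sha256_hex):
    """Verified handshake plus pin check; host, port and pin are caller-supplied."""
    with socket.create_connection((host, port), timeout=10) as sock:
        with verified_context().wrap_socket(sock, server_hostname=host) as tls:
            if not pin_matches(tls.getpeercert(binary_form=True), pinned_sha256_hex):
                raise ssl.SSLError("certificate does not match the pinned fingerprint")
            return tls.version()


# Constructed sample bytes standing in for DER certificates (not real certificates).
GENUINE_CERT = b"constructed-sample-genuine-certificate"
IMPOSTOR_CERT = b"constructed-sample-impostor-certificate"
PIN = hashlib.sha256(GENUINE_CERT).hexdigest()
```

`audit_context` can be run in a test suite against whatever context an application actually builds, so a disabled check is caught before release.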

While this attack may be fixed, the researcher will reveal a different exploit using the car’s digital key system.

It turns out that the researcher started working on a completely different exploit but the car maker fixed it – without his help – before he went public. So a few weeks ago he switched to GM and found these two bugs. Think about it – he found these bugs with a couple of weeks of work.

Now remember, these are the good guys; they are working with the car makers and they are finding bug after bug.

Do you imagine that the bad guys are not trying to exploit cars also?  Do you think they are not finding anything?  Only difference is that they are not telling the car makers.

Smart cars are not that smart and unless the car makers step up their game, things are likely going to get more ugly before they get better.

Just sayin…

Information for this post came from Wired.