Concerned About Bandwidth? Read The Windows Update Delivery Optimization FAQ

HardOCP News

If you are limited on bandwidth, or you just don't want to host updates for others, make sure you read the Windows Update Delivery Optimization FAQ.

Windows Update Delivery Optimization lets you get Windows updates and Windows Store apps from sources in addition to Microsoft. This can help you get updates and apps more quickly if you have a limited or unreliable Internet connection. And if you own more than one PC, it can reduce the amount of Internet bandwidth needed to keep all of your PCs up-to-date. Delivery Optimization also sends updates and apps from your PC to other PCs on your local network or PCs on the Internet.
 
I am concerned about this feature at work, being that using torrents was banned years ago.
 
It can also distribute updates over your local network. Again, this is a great feature that defaults to the worst possible setting. I keep meaning to count all of the various features and functions I had to turn off that were on by default, I'd bet it was 20 options.
 
Wonder what kind of file integrity checks will be implemented in the package distribution. Could be a new way to distribute malware and viruses. Just pop it in with the updates, now anyone pulling it from you installs it, and if they have sharing on, it just keeps passing on?
 
Wonder what kind of file integrity checks will be implemented in the package distribution. Could be a new way to distribute malware and viruses. Just pop it in with the updates, now anyone pulling it from you installs it, and if they have sharing on, it just keeps passing on?

I'd hope they'd at least have the computer pull file hashes from MS directly so that when it pulls a file from another computer it checks the hash to make sure it matches before it tries to install the update.

Key words: I'd hope.
 
Wonder what kind of file integrity checks will be implemented in the package distribution. Could be a new way to distribute malware and viruses. Just pop it in with the updates, now anyone pulling it from you installs it, and if they have sharing on, it just keeps passing on?

The linked page answers that question:
What security measures are used in Delivery Optimization?
Delivery Optimization uses the same security measures as Windows Update and the Windows Store.

Windows Update uses information obtained securely from Microsoft to validate the authenticity of files downloaded to your PC. Delivery Optimization also checks the authenticity of each part of an update or app that it downloads from other PCs before installing it.
 
So in this scenario... I put together an update package full of malware. Enumerate it correctly, then mirror Microsoft's update distribution site, do a DNS update to MY site where I am simply validating the information. And then seed out the malware to be distributed around the world by Microsoft's built-in user-based infrastructure?

Just checking.

We all know bittorrent is a snake waiting to bite us. I know game companies like Blizzard and others have already been leveraging this very technology to cut down on their bandwidth costs and infrastructure impact. But come on guys and gals. This is approaching silly.

So now if I want to distribute files through a network (internet) I just need a windows 10 LOOKING bittorrent client and businesses will presume all is well?

I wonder if the enterprise edition has a function to disable this. What if you need to pull a patch? Now you have to make sure your enterprise users ALL get that update to stop distributing that patch, and who can distribute is out of your control?

Yea... no. I can see the calls now.

"Hey IT it's me executive guy. My super light ultra fast laptop has great battery life when I am on the road. But I've noticed as soon as I VPN into the office via my dedicated super speed network connection or heaven forbid come into the office and connect to the network, that my battery life becomes shit. What's going on with that?"

"Well sir that's because you are sharing updates with everyone else on the corporate network."

"Well turn that off right now. We've paid over a hundred thousand dollars for a series of DR Susue servers and you're telling me we are not even using them!"

"Well sir it's windows 10."

"Windows 10 is supposed to be optimized!"

"Yes sir it is... FOR MICROSOFT."
 
I wouldn't be surprised if someone figures out an attack vector using this.

Put a computer with all the latest updates on a network injected with malicious code.

There are ways to fool checksums...
 
I am concerned about this feature at work, being that using torrents was banned years ago.

It does not use torrents, it uses peer-to-peer but it is Microsoft's own protocol. Basically, computers on the same network can share updates with each other so that if one computer has downloaded the update from the internet, the other 99 don't also have to.
 
Zarathustra[H];1041771872 said:
I wouldn't be surprised if someone figures out an attack vector using this.

Put a computer with all the latest updates on a network injected with malicious code.

There are ways to fool checksums...

It is not a checksum, it is a cryptographic signature that requires a private key to sign.
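The distinction made here, and the FAQ statement quoted earlier that each downloaded part is checked for authenticity before install, can be shown with a small model. The following is an added example written for this thread, not Microsoft's protocol or code: it assumes a hypothetical publisher-signed manifest of per-chunk SHA-256 hashes (Ed25519 signature), with chunk bytes arriving from untrusted peers. A peer that swaps a chunk fails the hash check; a "mirror" that re-hashes its own payload fails the signature check because it does not hold the publisher's private key. The manifest format and key handling are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Manifest is a hypothetical publisher-issued description of an update:
// an ordered list of per-chunk SHA-256 hashes. It is signed by the publisher;
// the chunk bytes themselves may come from any peer.
type Manifest struct {
	Name   string
	Hashes [][32]byte
}

// Bytes serializes the manifest deterministically so the signature covers
// exactly what the verifier later checks.
func (m Manifest) Bytes() []byte {
	var b strings.Builder
	b.WriteString(m.Name)
	b.WriteByte('\n')
	for _, h := range m.Hashes {
		b.WriteString(hex.EncodeToString(h[:]))
		b.WriteByte('\n')
	}
	return []byte(b.String())
}

// SignManifest is the publisher-side step; only the private key holder can do it.
func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.Bytes())
}

var (
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrBadChunk     = errors.New("chunk hash mismatch")
	ErrChunkCount   = errors.New("chunk count mismatch")
)

// VerifyUpdate is the client-side check: first verify the manifest against the
// publisher's public key, then compare every peer-supplied chunk with the hash
// in the signed manifest. Returns the reassembled payload or an error.
func VerifyUpdate(pub ed25519.PublicKey, m Manifest, sig []byte, chunks [][]byte) ([]byte, error) {
	if !ed25519.Verify(pub, m.Bytes(), sig) {
		return nil, ErrBadSignature
	}
	if len(chunks) != len(m.Hashes) {
		return nil, ErrChunkCount
	}
	var out bytes.Buffer
	for i, c := range chunks {
		if sha256.Sum256(c) != m.Hashes[i] {
			return nil, fmt.Errorf("%w at chunk %d", ErrBadChunk, i)
		}
		out.Write(c)
	}
	return out.Bytes(), nil
}

// BuildManifest splits a payload into fixed-size chunks and hashes each one.
func BuildManifest(name string, payload []byte, chunkSize int) (Manifest, [][]byte) {
	m := Manifest{Name: name}
	var chunks [][]byte
	for off := 0; off < len(payload); off += chunkSize {
		end := off + chunkSize
		if end > len(payload) {
			end = len(payload)
		}
		c := payload[off:end]
		chunks = append(chunks, c)
		m.Hashes = append(m.Hashes, sha256.Sum256(c))
	}
	return m, chunks
}

// Scenario reports which of three deliveries the client accepts: the genuine
// chunks, one tampered chunk under the genuine signed manifest, and a
// re-hashed manifest signed by a party without the publisher's private key.
func Scenario() (genuineOK, tamperedOK, forgedOK bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	// Constructed sample payload; not a real update package.
	payload := []byte("constructed sample update payload, not a real Windows package")
	m, chunks := BuildManifest("KB-EXAMPLE", payload, 16)
	sig := SignManifest(priv, m)

	_, err := VerifyUpdate(pub, m, sig, chunks)
	genuineOK = err == nil

	// A peer replaces one chunk: the signed manifest's hash no longer matches.
	tampered := make([][]byte, len(chunks))
	copy(tampered, chunks)
	tampered[1] = []byte("replaced chunk!!")
	_, err = VerifyUpdate(pub, m, sig, tampered)
	tamperedOK = err == nil

	// A look-alike "mirror" re-hashes its own payload and signs with its own key:
	// the hashes are internally consistent, but the signature does not verify.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	fm, fchunks := BuildManifest("KB-EXAMPLE", []byte("payload from a party without the publisher key"), 16)
	fsig := SignManifest(otherPriv, fm)
	_, err = VerifyUpdate(pub, fm, fsig, fchunks)
	forgedOK = err == nil
	return
}

func main() {
	g, t, f := Scenario()
	fmt.Printf("genuine accepted: %v\ntampered chunk accepted: %v\nforged manifest accepted: %v\n", g, t, f)
}
```

The point the model makes is that the trust anchor is the public key baked into the client, not the host the manifest or the chunks came from; a checksum that arrives alongside the data from the same untrusted peer would add nothing, because that peer could recompute it.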
 
It does not use torrents, it uses peer-to-peer but it is Microsoft's own protocol. Basically, computers on the same network can share updates with each other so that if one computer has downloaded the update from the internet, the other 99 don't also have to.

On our network enabling peer to peer that has outgoing connections to the internet (opening a hole in the firewall) can get you fired.
 
On our network enabling peer to peer that has outgoing connections to the internet (opening a hole in the firewall) can get you fired.

It is unclear if it even tries to do this.

The feature is supposedly for intranet sharing of updates only.

It's supposed to save your bandwidth across your router, so you download the patch to your network once, instead of once per machine.

You could probably accomplish the same results through some sort of router or proxy based caching, like using Squid, but this is easier.

I am cautiously optimistic, but I wonder if there is a way to disable it for some machines so they are not loaded by sending updates to other machines during - say - a gaming session.
 
Zarathustra[H];1041772158 said:
It is unclear if it even tries to do this.

The feature is supposedly for intranet sharing of updates only.

It's supposed to save your bandwidth across your router, so you download the patch to your network once, instead of once per machine.

You could probably accomplish the same results through some sort of router or proxy based caching, like using Squid, but this is easier.

I am cautiously optimistic, but I wonder if there is a way to disable it for some machines so they are not loaded by sending updates to other machines during - say - a gaming session.


I, like you, want to like this. My parents have some bad health issues and moved in with me a while back. I have my main rig/server/HTPC rig in my living room, and the 'rents have a desktop upstairs, and my mom uses a notebook and a tablet.

I would like this if I could set it up to pull updates to my main rig first, and it be the ONLY client that can then pass on these updates *IF* I allow it...

I have a 1TB per month cap on my internet, and despite the fact I have provided DD-WRT router logs to my ISP numerous times showing I am using less than 350~450GB per month, they still insist I am using over 900GB on AVERAGE.
 
I'd hope they'd at least have the computer pull file hashes from MS directly so that when it pulls a file from another computer it checks the hash to make sure it matches before it tries to install the update.

Key words: I'd hope.

Right like hashes or certificates will stop any hackers :)
 
It does not use torrents, it uses peer-to-peer but it is Microsoft's own protocol. Basically, computers on the same network can share updates with each other so that if one computer has downloaded the update from the internet, the other 99 don't also have to.

Except it doesn't default to only that behavior. It's defaulted to upload to other PCs on the Internet.

Windows then sends parts of those files to other PCs on your local network or PCs on the Internet that are downloading the same files.

And you can disable that for "metered connections", but here's the fun part: only WiFi connections can be manually set to a "metered connection".

Totally absurd.
 
Wonder what kind of file integrity checks will be implemented in the package distribution. Could be a new way to distribute malware and viruses. Just pop it in with the updates, now anyone pulling it from you installs it, and if they have sharing on, it just keeps passing on?

This here. Not a fan of peer-provided updates... seems very risky. I see an exploit that goes undetected and allows remote code execution. /Tinfoil hat
 
Wonder what kind of file integrity checks will be implemented in the package distribution. Could be a new way to distribute malware and viruses. Just pop it in with the updates, now anyone pulling it from you installs it, and if they have sharing on, it just keeps passing on?

shhhh...Microsoft claims Win10 is more secure than 8.1.
 