News Microsoft working on P2P

http://www.bit-tech.net/news/2005/06/21/Microsoft_Avalanche/

 

I'm guessing it'll automatically disable allowing anything with microsoft in the name to be transferred...

and of course you know that as soon as they implement any new ideas that are decent, they'll make it into the next version of most bittorrent clients.

 

This will be a WGA episode all over again.

 

*never underestimate the power of idiots in large corporate groups...*

Microsoft is going to have to step VERY carefully here.

This may be why they were forcing DRM so hard with Intel...they *could* make P2P a legitimate distribution method, assuming licensing changed around a little bit. If you're using other people's computers to help send the files, you can reduce the overall cost of the product and at the same time enhance delivery. This, coupled with on-chip DRM, could make a difficult service to hack and at the same time provide numerous benefits to end-users.

The problems here are:
1) We all expect to pay a certain price for software right now, and companies DO take advantage of that. I didn't notice a discount from Valve for buying HL2 over Steam, despite the fact that they didn't box anything and had no need to print a single page. So we could just be increasing their profit margins while they use and abuse our bandwidth for their newest purchases.

2) If there is not an inherent consumer benefit and price reduction as above, we will end up with angry people who are much more dedicated to breaking the technology than there were before, which will lead to yet another failed attempt at content protection and an even b!tchier RIAA, etc., and now with Microsoft throwing their weight and resources behind it since it's their system that would end up exploited.

Overall, it *could* be a winner, but odds are it will just be yet another problem rife with lawsuits. In this field, Murphy was an optimist.

 

£36 for 14(15 once DoD:Source is released) games imo is a huge discount.

Death

 

In the US the box and source versions cost the same amount. The boxed version gives all the same free downloads as someone buying it over source, as well. No discount between the two, despite the fact that those buying over source did not require a manual, CDs, etc.

 

Oh right, over here it was £30 iirc for the DVD (HL2&Source) but it cost me about £36 for the whole catalouge (sp*) over steam.

Death

 

i wonder, just what will actually be shared? will microsoft decide to use the system as a vast distributed storage array? surely they could make considerable savings by caching files on each users computer, and sharing the data from there, rather than having to pay for all that bandwidth at widnowsupdate etc

i think its a good step for filesharing. bittorrent has been the easiest and fastest way to get linux iso's for a long time, seems like microsoft want a peice of this.

i just cant help thinking that sooner or later someone is gonna use this to create something even worse than blaster/slammer. as soon as someone finds an exploitable weakness in it, they are going to have the infection vector, transfer mechanism, replication system, all in one big handy package. oh, and a stack of vulnerable hosts to infect too. i'd like to beleive people will leave it alone because its a legitimate example of filesharing technologies, but i cant hold out much hope for it lasting more than a few weeks before someone finds a way to exploit it into a vast array of exploited machines.

 

RPC = Remote Procedure Call

its a important concept on many platforms that allow people to execute code remotely. Its not a distrabution framework like Avalanche. Avalanche whilst it might have bugs, should be running as a service with priveldges to do what it wants. So a flaw found shouldn't be as important. There is nothing however to prevent "user initiated" virus spreads, i'd hope a signing might be used.

The one that i'm woundering is the not searching a users hard drive. They goign to be maintaining a local registry? using the system volume information mabye?

 

TheAnimus, i was using blaster and slammer as an example of a rapidly spreading large scale infection, not as an example of the technology used. whilst RPC is an important concept, it is not needed to spread viruses, as the buffer overflow exploit in the graphics rendering code shows (and im not even going to mention IIS).. the avalanche system should be running as a non-priviledged service, with the absolute minimum priveledges it needs to preform its function, but it wont, and even if it were limited, it has been proven time and time again that priviledge escalation is trivial on a windows based system. as many many previous times have shown, code that should be marked as benign will be poked and prodded until it shows a weakness that can be exploited (again, the buffer overflow in the graphics rendering is a good example).

to be frank, the avalanche system is being born with a big fat target on its back. even if code signing were built in from the ground up, it isnt secure enough. to say a flaw "isnt important" is nonsense, any flaw, no matter how minor, in a windows system will be massively exploited repeatedly and with malicious intent. this is not doomsaying, its a proven fact that continues on a daily basis. (the netmessage system flaw that allows anonymous spam from the internet is a relatively minor flaw, but its still exploited, to name but one of the hundreds, if not thousands, of examples).

the fact that MS is embracing p2p is certainly a positive step for p2p, but i fear it will ultimately have negative effects. due to microsofts dominance in the OS market, it is the number 1 target for malicious code. having p2p as a part of windows itself (as it inevitebly will be) will simply add another doorway into the system for a malicious coder to explore. if they find a single means of running their code on our machiens, they will exploit it, and if the p2p system is half as successfull as a similar system like bittorrent, then the effects will be devastating.






if avalanche were a deer, which one would it be?

 

but surely thats true of any deamon? (or service)

i don't think it will be any more of a target than RPC, RPC would be a much much much bigger target for obvious reasons.

Now you can complain about security risks, but i think it would be a lot better to crituqe this service on a wider level. For instance the HD not searching thing mentioned is quite a good idea.

 

yes, it is true of any deamon, on any software platform. if a machine is connected to the internet, it is vulnerable. but i think avalanche would be much more of a target because its designed to rapidly and efficiently spread files, exactly what a virus is designed to do (leaving aside the running of the code, thats kinda assumed for it to be able to spread the files), and each machine running avalanche is gaurunteed to be running a specific operating system, whereas i get rpc packets, even though im on a nix network here, avalanche allows a much more targeted approach, if a vulnerability is known, and no update has been released or workaround found, you know everyone on avalaunch is vulnerable, instead of just randomly guessing ip's. effectively all a coder has to do is figure out how to have avalanche run his code, and how to sneak his code into the avalanche network, all the reast is in the avalanch framework. to use an analogy, if i want a linux iso, its *much* easier for me to just grab the torrent than it is for me to sit down and code my own file transfer routines, then randomly scan the internet in the hope of finding a compatible host, then transfer the data myself from a single machine.

and yes, to be honest there are lots of issues about this, as you say, the not searching my hdd thing (if MS sign a deal with the riaa to show them your music and video is properly licenced, we are all up the swanny, lol), i think we might also consider if this is just a huge distributed storage network for MS (like, a 90mb windows update.... with the volume of windows pc's, if each one stores a meg, and is uploading using idle bandwidth, thats effectively just made microsofts windowsupdate fileservers redundant, and thus saved them a zillion quid in bandwidth, cause they are using ours).


i simply highlighted what i thought was the most obvious point, a bazillion script kiddies are gonna be wetting themselves over this.

i think, on the whole, there are going to be three big issues with this. the security (as i mentioned), the privacy (as you mentioned) and the bandwidth consumption (as someone on dialup will mention ).

 

Oh gee, M$ stealing another idea.

 

is that a pc in your sig.... i wonder who thought of that first.... is that a $ after the M there? i wonder who thought of that first.... ad infinitum.

microsoft arnt stealing an idea, they are using a networking methodology to improve data thoughput. if Bit-Tech released their own BT-net for filesharing, and ripped off the BitTorrent code, would you call them $it-tech who stole all the best ideas! you remember when sp2 came out? you remember it downloading at 2k/sec cause everyone in the world was downloading it? you remember everyone saying "gee, i wish MS would just release it on a decent filesharing network like bittorrent, cause swrming kicks ass"..... click your heels dorothy, your wish is granted.

with the size of microsofts userbase, and the size of their updates growing daily, p2p distribution is a natural step. who wants do d./l at 10k/sec from windowsupdate when i can swarm from avalanche and max out my 2meg line? whilst the system might need to be looked at closely, this isnt "M$ stealing another idea", any more than winmx stole napsters idea or bittorrent stole winmx's idea. its not stealing a product, its moving onto a new networking and filesharing model to distribute data.



<rant>

it should be noted, im a linux zealot. personally, i hope Microsoft suddenly get eaten by killer penguins and die, but, above all, i wish people would stop saying M$... im serious. if bill gates turned up on your doorstep and said "hey, would you like to trade places, i'll give you all my money and my big house on the mountain, and i'll live here" is there any one of us who would say no? MS made money, and lots of it, but every one of us would do exactly the same, i know i sure as hell would (but i'd make it open source and still be rolling in a bazillion dollars).

</rant>

<slightly-less-ranty>
i havent slept in 72 hours, im easily riled.
</slightly-less-ranty>

 

<my own little rant>
Agreed. This whole "They stole blah blah blah." Yeah, ya know what? They stole DOS! And if you've ever programmed using VB, you stole their DLL file structure! Eegads!

There are only so many different wheels to be invented here, people, and some of them could use some refinement. Let's get over the fact that they are building something similar to a pre-existing program and instead start looking at what they are going to add or subtract from the current status-quo. Stealing would be taking the exact bit-torrent code, slapping a Microsoft label on it, and releasing it to the public for profit.

Did anyone get riled up (aside from MS) about OpenOffice?! If so, I seem to have missed that. Or is only Microsoft ever guilty of borrowing an idea?
</my own rant>