Saturday, 25 April 2009

Windows 7 Torrent Risks

As we all know, ISOs of Windows 7 in its various incarnations are available via Torrent or other peer-to-peer services.

For us, there is a substantial risk to our business and to our client’s business if we went ahead and downloaded and used any of those Windows 7 ISOs.

What are the risks?

How do we know that the code has not been altered in some way, shape, or form?

For many, the “what ifs” do not carry much weight.

For some, they may have an ability to dump the contents of the system’s memory once the OS was fully loaded  and analyze it to see if anything surreptitious is there. For those that can do it, this may be a required step before using the OS and all of its features as a daily driver.

While we could isolate the installed OS in a VM and monitor its behaviour, at what point does the time and energy put into this discovery process make sense for our clients and for us?

Every decision we make when it comes to investigating new products, new patches coming down the pipe, new pre-release software, permitted production software updates, or any product that looks like it can become a part of our I.T. Solutions package need to be carefully vetted for risks and benefits.

To us, the risks are too high to trust an illegitimately downloaded ISO of Windows 7 or any other software product for that matter versus the “benefit” of working with a newer version of the product.

So, we will wait patiently for April 30th (previous blog post) and the ability to download the RC version of Windows 7 via our TechNet subscription.

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists
Co-Author: SBS 2008 Blueprint Book

*All Mac on SBS posts will not be written on a Mac until we replace our now missing iMac! (previous blog post)

Windows Live Writer

6 comments:

Sean said...

P Dog,

I'm a regular reader of your blog and this post is pure FUD.

MD5 hashes and a myriad of other common sense tools (like seeing a torrent was posted quickly, before the iso could have been injected) mean that I have no worries about what I download. Your post is some of the oldest anti-piracy FUD out there. I've come to expect more from you than that.

How about you don't download it from TPB, et. al. and use it in a production environment for the sound age old reason of never using beta, even release candidates in production environments?

How about it is in violation of the EULA and even though it is "free" you are still pirating it. If you aren't willing to pirate MS software that is gold, why would you be willing to pirate RC software?

You talk about risk / reward. This oh so scary Win7 iso installed on a stand along laptop or a laptop on vlan poses pretty little risk. The reward is that you get to start really learning Windows 7 this weekend, and not next. Depending on your schedule and plans, a head start of one week may be huge.

I have a client that will be going to Windows 7 the instant he can. He is in the beta program and will get Win7 RC1 when it goes to the general public. However, his laptop came in Friday. Why make him wait a week or whatever for the reformat and install of Win7 RC1 when he can have it now? He knows the "risks" and he wants to jump in so I'm not going to stop him.

On top of all of that, Microsoft should be saying "Thank you for saving us the bandwidth costs!"

Anonymous said...

Good point Phillip. Didnt OSX get a trojan in this fashion?

http://blog.trendmicro.com/mac-trojan-hidden-beneath-pirated-iwork-09/

Philip Elder SBS MVP said...

Sean,

Again, the whole process is a balance between the risks and benefits.

FUD? I don't think so as the point rests on a principle.

It is from that principle that we provide products and services for our clients as well as operate our business.

If we are willing to "bend the rules", not pay for the software we use, or perhaps download software from wherever, then where does that leave us? What does that say about us?

Anonymous has provided us with a point of reference for a problematic download.

If there is one, there are others. And, again it comes back to the risk versus the "benefit".

In our case, it is our preference to not compromise our business principles, nor take any risks in this fashion.

Thanks for challenging my opinion! :)

Philip

Anonymous said...

Well I hope Sean's client didn't download it from PB, as the torrented versions of the RC already have a trojan on them...

Anonymous said...

http://www.msfn.org/comments.php?shownews=23281

Philip Elder SBS MVP said...

A,

Thank you for the follow up! :)

Philip