

UTorrent.com compromised, malware added to installer - emilw
http://blog.bittorrent.com/2011/09/13/security-incident/

======
morsch
As far as I remember, uTorrent has an internal auto-update functionality that
interrogates the server for a new version. I wonder how well that is secured
and if owning utorrent.com is enough to distribute a malicious update to all
users unfortunate enough to start the application while owned.

I'm very wary about auto-updates that pull executables (as opposed to merely
data) in this way. It's one thing for Chrome to do it, I assume Google does it
in a way that's safe. But freeware/shareware projects? Not so much. Hell,
who's to say the authors don't lose interest in two years and let the domain
expire. I had one freeware or open-source app that didn't even have the
courtesy of _asking_, it just pulled fresh binaries and restarted -- ouch.
(At least you could disable this feature in the preferences.)

~~~
pdaddyo
Just since you mentioned Chrome's updating mechanism, it is a fascinating
approach that they took: [http://www.chromium.org/developers/design-documents/software...](http://www.chromium.org/developers/design-documents/software-updates-courgette)

~~~
wslh
Yes, but it's very difficult to set up outside Google.

~~~
vogonj
courgette is just a binary diff algorithm -- there's nothing fancy to it (they
use some really neat tricks, though), and apparently (I haven't verified) the
source is in the chromium tree.

validating your updates via asymmetric crypto can be mildly expensive
([http://www.verisign.com/code-signing/content-signing-certifi...](http://www.verisign.com/code-signing/content-signing-certificates/winqual-developers/index.html) lists Windows Authenticode certificates at $400/yr) but is within the realm of a small company.

setting up a Google-scale CDN and writing a reliable push update framework?
that's the hard part.

~~~
RexRollman
If I recall correctly, Google is facing a patent lawsuit over the Courgette
technology. I don't remember if the complainant was a patent troll or not.

~~~
itsnotvalid
Whatever the outcome would be, that is enough to stop people from using this
piece of open source software to provide safer updates.

~~~
morsch
As stated above, courgette doesn't provide safer updates, just smaller ones.
It's just a really smart executable binary diff. Signing the update is an
orthogonal issue.

------
eyko
I stopped using it since it wasn't open source. Worse when it became infested
with "optional" ~~adware~~ search bar.

~~~
DrJ
Still using the last open-source version with the auto-updater disabled!

~~~
kenny_r
May I suggest Deluge (<http://deluge-torrent.org/>)?

It's open-source, cross-platform and very similar to µTorrent in both
functionality and looks.

~~~
wladimir
Transmission (<http://www.transmissionbt.com/>) is an open source torrent
client with a nice web interface (as well as a native interface), just like
Deluge.

I think it is somewhat lighter resource-wise (I'm running it on my NAS), but
apart from that I don't know the exact differences between Deluge and
Transmission; I thought I'd mention it for completeness' sake.

~~~
chrisballinger
I love Transmission on OS X and wish they had a real Windows port!

~~~
mdaniel
Their website demonstrates a Qt GUI, as well as a web interface. What would,
in your opinion, constitute a "real" Windows port?

~~~
shinratdr
Something better than those options? What about a web interface or a Qt GUI
screams "great Windows UI" to you?

~~~
mdaniel
I suppose I did not place the same emphasis on "great" as you did.
Alternatively, I couldn't name a "great" Windows UI offhand, anyway.

However, my experience is that _some_ Qt apps on Windows behave normally, and
depending on the application (but in this case, especially just the need to
manage torrents) a web UI works just fine and avoids the waste of developer
hours fighting against the local platform's quirks.

For my enlightenment, what do you consider as an example of a great Windows
UI?

------
latitude
For those on Windows, here is a bit of code that can be used to validate the
Authenticode signature of the update package.

[https://github.com/apankrat/assorted/blob/master/validate_pa...](https://github.com/apankrat/assorted/blob/master/validate_package.cpp)

Basically the idea is to get an Authenticode certificate and sign the update
.exe with it. Then, when a program checks for an update and pulls it down, it
would validate the package signature and will not proceed if the details - the
application and the certificate subject names - are wrong. It is as simple as
it gets.
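Authenticode is a Windows API, so the linked validate_package.cpp only runs there. As an added example (not from this thread and not from that repository), here is the same check written in Go with the standard library's X.509 support, so it runs anywhere: the updater verifies that the package's signature covers the downloaded bytes, that the signing certificate chains to a trust anchor and is valid for code signing, and that the application name and the certificate subject are the ones the client expects. Everything here is assumed for the demo: the package format (`UpdatePackage`), a private root CA compiled into the client in place of the public CA chain Authenticode walks, and the names `Example Software Ltd` and `ExampleApp`. Timestamping and revocation, which Authenticode also handles, are left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// UpdatePackage is a constructed stand-in for a downloaded update (not the Authenticode format).
type UpdatePackage struct {
	AppName   string // which product this update claims to be for
	Binary    []byte // the new executable
	CertDER   []byte // the signer's leaf certificate, DER encoded
	Signature []byte // ECDSA signature over signedBytes(AppName, Binary)
}

// signedBytes binds the application name to the binary, so a genuine signature on another product's update cannot be replayed as an update for this one.
func signedBytes(appName string, binary []byte) []byte {
	return append(append([]byte(appName), 0), binary...)
}

// newCert generates a P-256 key and issues tmpl for it, signed by parent (self-signed when
// parent is nil). Demo setup, so it panics instead of returning errors.
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*ecdsa.PrivateKey, *x509.Certificate) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // der was produced just above, so this cannot fail
	return key, cert
}

// MakeSigner builds a private root CA (the trust anchor compiled into the client) and a
// code-signing leaf under it; in production the leaf would come from a public code-signing CA.
func MakeSigner(rootCN, leafCN string) (leafKey *ecdsa.PrivateKey, leaf, root *x509.Certificate) {
	nb, na := time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	rootKey, root := newCert(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: rootCN}, NotBefore: nb, NotAfter: na,
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
	leafKey, leaf = newCert(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: leafCN}, NotBefore: nb, NotAfter: na,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}, root, rootKey)
	return leafKey, leaf, root
}

// SignPackage is the build-machine side: sign the release with the leaf key.
func SignPackage(key *ecdsa.PrivateKey, leaf *x509.Certificate, appName string, binary []byte) (UpdatePackage, error) {
	sum := sha256.Sum256(signedBytes(appName, binary))
	sig, err := ecdsa.SignASN1(rand.Reader, key, sum[:])
	return UpdatePackage{AppName: appName, Binary: binary, CertDER: leaf.Raw, Signature: sig}, err
}

// ValidatePackage is the check the updater runs before executing anything it downloaded: the
// certificate must chain to the pinned root and be valid for code signing, the signature must
// cover the package, and the application name and signer subject must be the expected ones.
func ValidatePackage(pkg UpdatePackage, root *x509.Certificate, wantApp, wantSubjectCN string) error {
	cert, err := x509.ParseCertificate(pkg.CertDER)
	if err != nil {
		return fmt.Errorf("bad certificate: %w", err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(root)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}); err != nil {
		return fmt.Errorf("untrusted signer: %w", err)
	}
	if err := cert.CheckSignature(x509.ECDSAWithSHA256, signedBytes(pkg.AppName, pkg.Binary), pkg.Signature); err != nil {
		return fmt.Errorf("signature does not match package contents: %w", err)
	}
	if pkg.AppName != wantApp {
		return fmt.Errorf("package is for %q, not %q", pkg.AppName, wantApp)
	}
	if cert.Subject.CommonName != wantSubjectCN {
		return fmt.Errorf("signed by %q, expected %q", cert.Subject.CommonName, wantSubjectCN)
	}
	return nil
}

func main() {
	key, leaf, root := MakeSigner("Example Updates Root", "Example Software Ltd")
	pkg, _ := SignPackage(key, leaf, "ExampleApp", []byte("constructed build bytes"))
	fmt.Println("genuine:", ValidatePackage(pkg, root, "ExampleApp", "Example Software Ltd"))
	pkg.Binary = append(pkg.Binary, '!') // altered after signing: the signature no longer covers it
	fmt.Println("altered:", ValidatePackage(pkg, root, "ExampleApp", "Example Software Ltd"))
}
```

The order of checks matters less than the fact that all four run before anything is executed: a package whose bytes were swapped on a compromised download server fails the signature check, a package signed by someone else's perfectly valid certificate fails the subject check, and a genuine signature lifted from a different product fails because the application name is part of what was signed. Pinning the expected subject (or, better, the root) is what turns "has a valid signature" into "comes from us".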

------
streptomycin
And this is one of many reasons I love that almost all my software is
installed through a secure package manager.

~~~
agravier
pacman _cough_ _cough_ sorry I just lost it for a second...

~~~
agravier
Some explanation to counter those terrible downvotes: Pacman, the package
manager of Arch Linux, does not implement verification of package signatures.
It's a recurrent issue in the Arch community.

~~~
ga2arch
It seems things are changing: [http://allanmcrae.com/2011/08/pacman-package-signing-3-pacma...](http://allanmcrae.com/2011/08/pacman-package-signing-3-pacman/)

