locked
Update Mesh Folder - Security Issues RRS feed

  • Question

  • Hi,

    When I am logged out, I can still update the Mesh...

    e.g

    1) Logged out of my Desktop Live Mesh
    2) Placed a file in the Mesh folder
    3) Pressed the 'Update Live Mesh' button
    4) The cloud gets updated with the new files without asking me to sign in

    Is this a known issue ?

    Thanks

    Gary
    http://sqlservertipsandtricks.blogspot.com/
    Thursday, June 26, 2008 3:46 PM

Answers

  •     Mesh synchronizes your files even when you are not signed in (this is what implemented today). This is assuming that you added your computer to your device ring. Your device/computer is acting on your behalf and does sync even if you are not signed in. Although, it is limited in what it can do without your presence - it cannot create new live folders, delete existing folders, etc. It can only synchronize existing live mesh folders. This approach helps in cases when you synchronize massive amount of files and there is a remote computer which you use rarely - it will get all your files (that are in your Mesh) even if you are not signed in on it and so when you start using this device you will have all your files ready (otherwise,  there would be a huge synchronization at the time of your sign in).

    There are 2 ways to prevent this background sync: 1) switch to offline mode; 2) remove your device from the device ring in Live Mesh Desktop.

    As people noted there are 2 potential security threats that can arise from the present implementation: 1) someone steals your device and 2) viruses/trojans can spread easier

    as for #1, one way to disable synchronization with a stolen computer is to remove it from your device ring in your Live Mesh Desktop. In this case, even if your were signed in on this stolen device, Live Mesh will sign you out and will stop any synchronization with this device.

    as for #2, we should consider adding an antivirus to Live Mesh, so that files would be checked before synchronization to prevent spreading malicious files. You are right that at the moment it is a threat.

    Thanks
    Nikolai
    Friday, June 27, 2008 10:10 PM

All replies

  • Hi Gary,

    Which "Update Live Mesh" button are you referring to?  If you right-click the Live Mesh notifier and select "Update Live Mesh", that updates the Live Mesh software (if an update is available).  It does not force files to sync, though.  You do not have to be logged in to the Live Mesh software for your files to sync.

    Perhaps I've misunderstood your scenario?

    Ben.
    Thursday, June 26, 2008 5:11 PM
  • I can duplicate this (XP Pro SP3):

    1. Sign out of Live Mesh via right-click in System Tray to bring up context menu. Live Mesh icon in system tray turns "darker" and gets the little red X.

    2. I went to a folder (called mp3) on my machine that's shared on my Mesh.

    3. Created a text file called ATestDoc.txt

    4. Opened a browser and went to mesh.com

    5. Signed in to mesh.com (note: icon in my system tray on local machine still has red X)

    6. Bring up my Desktop, and navigate to the mp3 folder on the Desktop.

    It has the ATestDoc.txt file in it. So Gray's right - the updates occur even when you're logged out.

    So the question is whether this is a bug, or the expected behavior...
    Thursday, June 26, 2008 5:46 PM
  • Based on Ben's reply, I believe that this is expected behavior. "You do not have to be logged in to the Live Mesh software for your files to sync."
    -steve
    Microsoft MVP Windows Live / Windows Live OneCare Forum Moderator
    Thursday, June 26, 2008 6:51 PM
    Moderator
  • So is there anything that can stop the sync behavior, if desired for some reason?
    Thursday, June 26, 2008 7:13 PM
  • Yes, thats the scenario I am talking about.

    Is this a good thing or a bad thing ???

    Good thing - You dont have to be logged in to sync files which can save time and effort
    Bad thing - Anybody who has access to your device can sync files with potential to remove everything from the Mesh folder. That in turn would delete everything from the cloud and then remove everything from the other devices.

    Or worse, somebody gets hold of your device and places a virus in a Mesh folder, somehow they have some code to activate the sync process and in turn have the potential to infect the rest of your devices.

    I could see somebody writing a virus/worm that would do something like that.






    http://sqlservertipsandtricks.blogspot.com/
    Thursday, June 26, 2008 8:09 PM
  • Looks like the "Work Offline" entry in the context menu on the tray icon does what I want - stops the sync until you take that off. I just tried that with the same setup as I outlined above and didn't get the new file in the cloud until I took the "work offline" checkmark away.

    Still, it's not really the behavior I'd expect (mostly - when I think about it, other stuff does work in the background when I'm not logged in - like Windows Update).
    Thursday, June 26, 2008 8:39 PM
  • Thats true.

    BTW I thought it was me  pressing the 'Update Live Mesh' button that would sync the file (that does something else), but as I have now seen, you just need to place the file in the folder and it will automatically sync with the cloud if you are not logged in. (You login in first, then sign-out)

    By default, not being logged in should also set the status to 'Work Offline' so no files can come on to your desktop.





    http://sqlservertipsandtricks.blogspot.com/
    Friday, June 27, 2008 12:45 PM
  • Interesting discussion. You make a good point regarding someone gaining access to a device and potentially wreaking havoc with *all* of your devices and the cloud. This could certainly be an even greater issue when we can add other devices like phones to the Mesh.
    I'm thinking this might be a good thing to toss onto the suggestions thread and/or filed to Connect.
    -steve
    Microsoft MVP Windows Live / Windows Live OneCare Forum Moderator
    Friday, June 27, 2008 12:56 PM
    Moderator
  • I've been thinking about this, and I'm not sure I see that there is a "security issue" here, but maybe more of a misunderstanding in how things work regarding the "signed in" status.

    Without being signed in (say just after a reboot where the PC is sitting at the login screen), the Live Mesh Desktop connection is ready to answer to incoming requests, and indeed, it broadcasts a status that it is ready to connect. No issue there, really.

    I'm assuming, though haven't tested or proven this, that the sync is NOT active at this point. Hmmm ... maybe another interesting test to try...

    When you login locally to the PC, the "rest" of Live Mesh starts, and we know now that syncing will take place, even if you have not signed in to Live Mesh. I did discover that the Live Mesh Folders in Windows Explorer don't respond to you when you're not signed in.

    So if someone got onto your system at this point, then changes they made to folders that are synced to the Mesh would propagate to the Mesh and other devices. But if someone's on your machine anyway, are changes to files on the Mesh the biggest worry?

    If you're in "Work Offline" state, then you're signed in but not actively syncing. Changes don't propagate, until you go back online. It might be useful at that point to have the News show something like "The following changes were made while this machine was offline" and then list the items affected.

    And I suspect a lot of people are going to have Live Mesh configured to automatically log in, so that there isn't even the sign in prompt to deter an unauthorized user of your machine.

    So - I'm not sure there's really a security concern, but there is a need for understanding of how the various devices on your Mesh will send files around, even if you're not signed in. It ain't email or FTP.
    Friday, June 27, 2008 5:50 PM
  • Yeah, the transfer of files is a misunderstanding perhaps ?

    Just think of this scenrio

    a) Somebody sends you a virus file via Mesh
    b) you open the virus file by mistake and it puts a virus file in all your shared mesh folders and infects your pc.
    c) If you have a shared folders with your friend, he/she opens the virus file and puts a virus file
        in all their mesh folders and also infects their machine
    d) Then the process is repeated again.

    This is way into the future, but maybe somehow when a file gets sync'ed to your desktop folders, you have an option to virus check it (automatically or manual)

    In the end, the user would have to have some responsibility on files in their mesh, but giving them the option on how much risk they want to take. i.e

    Option
    A) Automatic Sync (with or without virus checking)
    B) Sync on request (with or without virus checking)

    Then the user could select the option they want. If the user selected a weaker security model, they cant turn round and say its Microsofts fault etc....

    I think a good understanding on what the difference is between "Sign Out" and "Work Offline" is.
    Like i said before, maybe it should be combined.

    With the virus thingy... i dont know how you would solve something like that as most of it comes down to user error.

    Maybe the cloud has a built in virus checking facility that virus checks all files that comes in and out of the mesh (you have the option to turn this on/off). Or Anti-virus vendors create software that can be configured to scan Mesh folders on demand.... Thinking about it, they probably do this aready and if a file did appear in your desktop folder, any decent anti-virus tool (if configured correctly to scan modified/new files) would see this virus file and quanantine/delete it.

    So in conclusion, this thing should not happen (in theory) if everybody who uses mesh had their anti-virus checkers to scan for new/modified files.



    http://sqlservertipsandtricks.blogspot.com/
    Friday, June 27, 2008 8:20 PM
  • Actually, your scenario made me realize that I hadn't thought about using Mesh to share files with _others_. I have it syncing files between a bunch of my own machines, but not sharing files with any other individuals. When I think about that, then I get the greater "risk" aspect to this whole automatic behavior.
    Friday, June 27, 2008 8:28 PM
  •     Mesh synchronizes your files even when you are not signed in (this is what implemented today). This is assuming that you added your computer to your device ring. Your device/computer is acting on your behalf and does sync even if you are not signed in. Although, it is limited in what it can do without your presence - it cannot create new live folders, delete existing folders, etc. It can only synchronize existing live mesh folders. This approach helps in cases when you synchronize massive amount of files and there is a remote computer which you use rarely - it will get all your files (that are in your Mesh) even if you are not signed in on it and so when you start using this device you will have all your files ready (otherwise,  there would be a huge synchronization at the time of your sign in).

    There are 2 ways to prevent this background sync: 1) switch to offline mode; 2) remove your device from the device ring in Live Mesh Desktop.

    As people noted there are 2 potential security threats that can arise from the present implementation: 1) someone steals your device and 2) viruses/trojans can spread easier

    as for #1, one way to disable synchronization with a stolen computer is to remove it from your device ring in your Live Mesh Desktop. In this case, even if your were signed in on this stolen device, Live Mesh will sign you out and will stop any synchronization with this device.

    as for #2, we should consider adding an antivirus to Live Mesh, so that files would be checked before synchronization to prevent spreading malicious files. You are right that at the moment it is a threat.

    Thanks
    Nikolai
    Friday, June 27, 2008 10:10 PM
  • Hi,

    What I will do is put the 'Anti Virus' idea on the Suggestions Wish List Thread.

    Got one or two more ideas that I will put on there as well.


    Thanks for the reply

    Gary
    http://sqlservertipsandtricks.blogspot.com/
    Saturday, June 28, 2008 9:10 AM
  • Your Windows Live login and therefore security keys will be associated with your Windows Login (XP and Vista). So unless you leave your PC logged in and accessible your Live ID should be protected. It will be interesting to see how this will work with Mac and mobile devices though and Linux (if there is ever a native client for Linux).

    I wonder if Microsoft Open Access will extend to the SDK for clients?

    Regards
    Dave
    Saturday, June 28, 2008 10:27 PM