Security concern of EpicGamesLauncher.exe?

You’re not alone on your Win10 concerns. We should start a thread on how to block the ‘telemetry’ while allowing updates. I could contribute to that.

FWIW here’s the kind of thing you get on a closed (un-auditable) device where for-profit corporations think they can get away with things:

This kind of thing really bothers me in the context of where Microsoft is taking their newly ‘freed’ Windows 10. Personally I’d rather pay for my OS and have an expectation of some level of security vs. Microsoft’s new ‘google/facebook’ playbook. Do people really think they don’t intend to profit on Win10 in ‘other’ ways? And the new DRM layers they’re getting ready to roll out will make auditing their stuff basically impossible. I’m mulling over either ditching Windows altogether or pinning to Win7 like some sort of luddite until the UnrealOS is ready for prime-time :wink:

Is it possible that lsass is checking code signing certificates, on behalf of Windows (or some component like the Windows Anti-Malware Tool)?

Also, what’s the big deal about telemetry? Capturing actual user actions is the best way for developers to learn what users are ACTUALLY doing with the applications, which means it’s the best way for developers to ACTUALLY deliver what users really want. Now, there are some assumptions here, like the assumption that telemetry is at least lightly anonymized/sessionized, but even if it weren’t – how big a deal is that, really? It’s not like you’ll be coding with your bank credentials in Unreal Engine…

You’re made of atoms. Atoms project everything you do into space as radiation anyway. Trying to hide is about as fruitful as yelling at clouds for blocking the sun. Our best bet is to figure out how to make society livable, assuming that everyone can know everything. (And making sure that we know everything about the watchmen, too.)

I agree that our current society is NOT what it should be with regards to transparency and accountability for all citizens (especially those entrusted to enforce the rules.)

But … Unreal Engine is not a tool used by regime dissidents. So, it may be that your zeal would have more actual impact on the world if you aimed it towards places that have higher leverage.

You’re exactly right, this is what is happening. The technical problem is that by creating cross-process traffic, attribution becomes difficult impossible. I should be able to say “I trust Epic but I don’t trust Microsoft”, but when multiple executables share a process’s communication, that becomes problematic.

Anyway, I can’t prove this 100% but in my experience no other software triggers LSASS WAN traffic. I used to limit LSA to my LAN and that worked great. Now I need to create firewall pokes for it, but I can’t even limit the WAN address it accesses due to its reaching out to arbitrary ‘cloud’ services. The whole thing becomes unnecessarily problematic.

The general privacy problem for me is that I’ve done a lot of work in the industry. Everything from implementing double-click (now google) cookies (& flash cookies) to data warehousing, analysis, etc including working for a major credit bureau. I don’t do that stuff anymore for ethical reasons. Having seen the industry from the inside I understand how the sausage is made. I’ve implemented a lot of enhancement requests with themes like “users are blocking our cookies out of privacy concerns. Use flash cookies so that users think their privacy is protected but we are still watching their every move”, and “move illegal data aggregation operations off-shore, then import results back onshore so we can resell them”.

Look, if you want to share your information, you are welcome to. But you should be able to maintain a reasonable level of privacy if you want as well. I think most people would agree with that statement, even if you don’t.

My basic problem is that commercial & government surveillance is now to the level of becoming ambient. 99% of users are completely unaware of the situation (which is how the corporates like it) and 90% of the remaining aren’t technically adept (or care) enough to even begin addressing the problem. I fully expect the coming Windows 10 ‘refresh’ to enable the OS to operate behind a DRM VM envelope that is not auditable and will enable Microsoft to create really ‘good’ (from a technical standpoint) back-doors to new levels of surveillance. So now even folks like me who do care and do understand the technical issues won’t be able to ring the alarm bell.

Why do you think Microsoft is ‘giving away’ Windows 10? Do you think it’s altruistic? I used to pay hundreds of dollars for my copies of Windows. Obviously Microsoft expects to make more off of me by invading my privacy and reselling my information. That and locking down the OS so they can profit thru their store. There’s no other explanation - they’re a profit-seeking public company - they’ll be sued by their shareholders if they don’t.

I think Epic is better than that. I trust Epic because Tim Sweeney is running the place and he chose to open-source the crown jewels. It is my hope that Epic creates a completely open source (thus auditable) UnrealOS that becomes dominant by leveraging the coming paradigm shift to VR. Linux never gained critical mass because it never offered a ‘killer app’ that Windows couldn’t also offer, but I think an open source VR OS may be able to. It’s my sincere hope that it does.

Sorry if that was a political / ideological rant, your post kinda triggered it.

+1. You get it.

Sorry, gotta rant again:

I constantly tell my kids “be careful what you post on Facebook: Love may be eternal but data is forever.” But this forces them to self-censor themselves to be politically correct. An anonymous internet has its problems, but the real danger is in the big-brother internet where you can’t escape concrete attribution.

Example: It’s standard practice nowadays for companies to buy extensive online background checks on prospective employees. Has anyone seen what a ‘good’ background check looks like? It’s pretty scary. You’re judged not only on what you say, but what people you might have friended at one time say. It’s all there, tagged, annotated and red-flagged. Were you at a wild party where your picture was taken? Gee, Facebook, Google, Apple & Microsoft /all/ aggregated your GPS location, identified who you were with thru GPS combined with facial recognition, and recorded, speech-to-texted, indexed, meta-tagged & attributed the whole thing to you. Even if you were across the room from someone doing something frowned on, it could very easily get attributed to you. And you get passed up on the job in lieu of the milquetoast guy who is either a true straight-arrow or someone who knows how to play (evade) the online surveillance game, which is kinda a scary thought.

But I’m kind of an internet libertarian I guess.

I’m hoping that Epic can contribute to the solution and not the problem. Because I agree that “Don’t be Evil” kinda means actually doing the right thing, even when doing the wrong thing may result in truckloads of cash.

UE is not only the foundation for hundreds of current and future games, it’s rapidly becoming the operating system of the future. It’s creating a new foundation and setting a new precedent. This stuff is more important than you may think.

I guess your definition of “freedom” is different from mine.
I like being able to create games without having to pay up-front costs.
Also, I would like to live in a society where I’m free to live a normal life, uncensored, the way I am, safe in the knowledge that everyone else is also living a normal, uncensored life, and the tyranny of the edited/censored public life is just gone.

Amazon is a rentable hardware platform. Their terms of service are pretty clear; while they can (and do) gather usage data for optimizing and running their services, they do not gather or use the specific data that people who rent server capacity from Amazon provide.
If you’re worried about metadata, I’d be more worried about the phone company, than Amazon.
Also, the electric utility: They provide metadata to the police for finding weed growing farms in states where doing so is not legal.

I could say the same. I don’t actually see anything that seems at all sinister or unexpected from these tools.

My guess is telemetry for usage statistics. Sending a little bit at a time is generally better than saving everything to a big batch. Also, libraries you can integrate to do this (rather than rolling everything yourself) are typically structured that way.
But, does it really matter? Why?

It doesn’t for me. It takes about 2%. It seems to me that it uses the unreal engine basic game loop, so it might try to run at 60 Hz. If you have slow graphics or a CPU that idles down in speed (or thermal) or have turned off vsync, then perhaps that would cause more CPU usage. You could easily experiment to see if that’s the case.

LSASS is obviously not directly Unreal Engine. It may be part of Windows trying to verify a security certificate, for example.
Or it may be part of Windows resolving a user name/profile; perhaps the launcher looks at the current user profile to put files in the direct directory or provide a good default name or whatever.
In general, the question of “what causes a windows process to do X” is better asked on msdn.com or sysinternals.com.

My bet is that the behaviour 12many sees is actually caused by some local software on his/her machine, not Unreal Engine directly. I don’t see that kind of request on my machine.
Then again, the question is over a year old, so implementations might have changed since then.

First, why should we have to guess what a piece of software is doing? I trust Epic software more than most, but new patterns of ‘back door’ (unintended I expect in this case) data squirts from external processes to unverifiable entities on the internet do make paranoid folks like me suspicious.

Second, you’re probably right LSASS is verifying certificates, but this doesn’t explain why no other software on my machine triggers LSA to chat with AWS. And the situation forces me into having to open my firewall more than should be necessary.

Third, I don’t think it’s just my machine. I’m not experiencing the 100% utilization issue, but the LSA traffic issue is obviously happening on others’ machines. And truth be told I work on sensitive IP - I’m bound by legal agreements and work entirely in protected virtual machines on my dev box - UE won’t run in a VM due to its DX requirements so it’s one of the few pieces of software I have installed on the host. And it’s behaving badly. (Minor rant here: If you take a look at what Visual Studio 2015 Community Edition accesses and then (I assume since it’s encrypted) transmits back to the MS mothership via ‘telemetry’, you might be surprised. Yet another reason to absolutely not trust Microsoft.)

Finally, the network expert at Epic has stated that this is unexpected behavior and is going to look into it. I’m satisfied with this honest and not-evasive response. My guess is that the problem is going to be harder than they expect to fix, and whether they make it a priority in the face of all the other high priority work they have in the pipeline is going to be interesting. I’m looking forward to seeing whether Epic does the ‘as designed (sucks)’ Microsofty answer or puts in the effort to fix this the right way.

Epic management - if you’re reading this, I hope you guys establish some level of public policy around transparency (specifically disclosure of telemetry and a way to audit it) that sets a new standard for industry like GPL and the other licenses did for open source.

First, I have no great theory for why you see LSASS do this, and I don’t. Maybe the Epic engineer will figure it out, or maybe it ends up being specific to some particular configuration.
That being said – part of verifying certificates is talking to the certificate issuing authority. Whatever authority that might be could quite likely run infrastructure on Amazon (or, if the authority is godaddy, on godaddy …)

Regarding VMs that can run DX11, perhaps you have already tried all the options.
If not, I believe that if you go all the way into the Microsoft ecosystem, you can run HyperV, which lets you virtualize DX11 into a HyperV guest that’s not the “controlling” or “main” instance.
Or use something like Xen PCI pass-through, and dedicate a GPU to the guest …
Or you can run the editor under Linux as a host. You can do whatever you want with networking under Linux :slight_smile:

Yes, I’m not an Epic engineer, and I hear you that you feel you want an answer from Epic. I’m not providing that.

However, I am getting something out of this: I’m learning more about your viewpoint, by contrasting it with mine, and trying to figure out if there’s something I’m missing that should make me change my viewpoint.
And (perhaps subtly) I’m suggesting that there may be viewpoints that think this is less of a priority, and thus might not be surprised if this issue never bubbles to the top.

Meanwhile, I, too, live in a world where working 3D virtualization would be great.
Even the least bad of the bunch when it comes to desktop systems (VMWare Workstation) is pretty terrible along this axis. Going Linux-only and using containers for virtualization (where devices can be bound cross-container) may be the least bad option.
So, if anyone tries out something new, and it works well, I’d love to hear about it!

Still happens running the launcher without the option -http=wininet

Surprisingly, blocking didn’t prevent the launcher from signing in (so blocked it was)… however without permanently blocking the address/process etc. (i.e. Deny for a while), with the Epic launcher running in the background it will still trigger the process again later at some point. I.e. last time it was local port 2584 (different every time) but IP & remote port 80 the same.

Yes, this is how TCP works. You get a different source (ephemeral) port for each connection. The OS chooses a random source port when establishing a new connection, each time.

Yes, I saw that research, and while I do believe in the basics of democracy, I am quite concerned that most people go to the church their mother said to go to, and care about the issues that the media tells them to care about (mainly, to improve viewership, to make more money from ads.)

Aaanyway – without a clear description from Microsoft on all the APIs that will cause lsass.exe to attempt to connect out to the internet, we’re not going to get a really good answer here. MSDN and Sysinternals are surprisingly devoid of useful information on this.
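One way to test the certificate-verification guess discussed in this thread, as an added example that is not part of any post and not Epic's or Microsoft's code: list the CRL/OCSP/AIA hosts named in the launcher's signing chain and check whether the remote addresses lsass.exe is talking to belong to them. The executable path is a placeholder, and the script assumes Windows 8 or later with an elevated PowerShell session.

```powershell
param(
    # Placeholder path (assumption): point it at the launcher binary on your machine.
    [string]$ExePath = 'C:\path\to\EpicGamesLauncher.exe'
)

$sig = Get-AuthenticodeSignature -FilePath $ExePath
if (-not $sig.SignerCertificate) { throw "No Authenticode signature on $ExePath" }

# Build the chain with NoCheck so building it performs no revocation lookups.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
[void]$chain.Build($sig.SignerCertificate)

# 2.5.29.31 = CRL Distribution Points, 1.3.6.1.5.5.7.1.1 = Authority Information Access
$oids = '2.5.29.31', '1.3.6.1.5.5.7.1.1'
$urls = foreach ($el in $chain.ChainElements) {
    foreach ($ext in $el.Certificate.Extensions) {
        if ($oids -contains $ext.Oid.Value) {
            # Format() renders the extension as text with "URL=http://..." entries.
            [regex]::Matches($ext.Format($true), 'https?://[^\s,)]+') |
                ForEach-Object { $_.Value }
        }
    }
}

# Map every address those hosts currently resolve to back to its host name.
$known = @{}
foreach ($u in ($urls | Sort-Object -Unique)) {
    $h = ([uri]$u).Host
    Resolve-DnsName -Name $h -ErrorAction SilentlyContinue |
        Where-Object { $_.IPAddress } |
        ForEach-Object { $known[$_.IPAddress] = $h }
}

# Remote endpoints currently held by lsass.exe, annotated with any matching host.
$lsassPid = (Get-Process -Name lsass).Id
Get-NetTCPConnection -OwningProcess $lsassPid -ErrorAction SilentlyContinue |
    Where-Object { $_.RemoteAddress -notin '0.0.0.0', '::', '127.0.0.1', '::1' } |
    ForEach-Object {
        [pscustomobject]@{
            RemoteAddress = $_.RemoteAddress
            RemotePort    = $_.RemotePort
            LocalPort     = $_.LocalPort   # ephemeral, differs per connection
            MatchesHost   = $known[$_.RemoteAddress]  # empty if not a CRL/OCSP/AIA host
        }
    }
```

The connections are short-lived, so run it while the firewall prompt is on screen. Revocation hosts are often served from CDNs whose addresses rotate, so an empty `MatchesHost` does not by itself rule out a certificate check.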

Brain wave, tech … and you guys are still afraid you’re gonna lose your idea or some new cool feature. With learning AI up and running on each device you use collecting data, we already accept to share, so keep working.

Another link for us tinfoil hat types: http://www.extremetech.com/internet/229946-british-startup-wants-to-help-landlords-employers-spy-on-you-via-social-media

Epic, can someone from the mothership please update us on this?

doesn’t seem like they are doing anything about it

this launcher is garbage

what part of signing in, inputting password, logging in… then having to wait 2mins because of rate limiting the number of users connecting… and then having to input password again!! … all the while hassled by stupid lsass.exe connections from firewall, because epic can’t be bothered to fix the issue. No I’m not allowing lsass permanent internet access just because you can’t make a decent launcher… it’s out of the norm for every other application that handles its connections through its own executables not through system executables… that’s about as dodgy as win10 is now… well not as dodgy, that OS is on a whole nuther level.

fyi sort out the servers if you can’t handle that many logins… or like stop tying games like unreal tournament to this launcher and just add it on steam so I don’t have to go through this nonsense.

ooh … next time the launcher needs to download an update how about showing progress on the download…not just “Please wait” so lame… not everyone has 1gbit internet to not notice this bad design.

And how about you show us how a good launcher is done.

how about you take a look at every other **** launcher instead