Slashdot Mirror
NTBUGTRAQ Bashes Windows Update
BigBadBri writes "Russ Cooper, keeper of the NTBUGTRAQ list, has a few concerns (to put it mildly) with the trustworthiness of Microsoft's Windows Update."
← Back to Stories (view on slashdot.org)
← Back to Stories (view on slashdot.org)
I don't trust Microsoft either. More often than not, their "patches" break more than they fix anyway.
This shouldn't surprise anyone at all. Anyone involved in computer security or stability is going to have doubts about any sort of update technology, especially if it's from Microsoft. All it takes is a 'minor' 'bug', like the one in the article, and we could be facing a much lerger numbers of CodeRed targets, or zombie machines, or who knows what else.
Oh, by the way, youre car is just fine. No, no recalls at all for it. Well, one, but it's only important if you actually drive, so you're fine, I'm sure...
It's been proven time and time again that people don't patch their systems by hand. Windows Update is at least a step in the right direction, even if it does have some flaws. I can only imagine the outcry if M$ DIDN'T have a Windows Update. It would be an evil scheme or something.
--- Don't be a player hater: I meta-mod ALL negative mods as Unfair.
True that... with each newer operating system and update I see more and more 'report blah blah to Microsoft to improve quality'. It happens in Windows Media Player, whenever a process crashes, and probably other places as well.
How soon until they don't tell you that and just start reporting your web browsing favorites and selling that information to others?
--------
Free your mind.
I'll voice an opinion that'll surely prove to be unpopular around these parts: I like Windows Update.
Sure, like any given piece of software, you may run into glitches and bugs at some point. But, overall, Windows Update has provided me with an extremely easy and painless way to keep my systems updated.
Even my Mom can use it, which says a lot. It's better than any alternatives I've seen which require too much geek knowledge to operate. (Admittedly I've never seen how MacOS X handles updates.)
-Teckla
I have had windows update tell me that i'm clean, when i've only just done a fresh install, but i don't take it personally, you'd only complain if it examined every bit of your disk to ensure that it got it right... make your minds up people!!
Actually, it has to be the only source of update because only Microsoft can do something about problems within their source code, therefore, they are the sole providers of patches for Windows.
Please direct all bug reports to
Russ complains a lot, but he never offers any solutions to the problem.
Is it better? Here's a quote from the article:
Let me put it this way. Since the inception of Windows Update millions of computers have been infected with Trojan's that are today allowing individuals to conduct en-masse DDoS attacks. Read that how you want, but its a fact. Here's another. Since the inception of Windows Update Microsoft has gone to producing patches almost every week. Few if any business' have found Microsoft trustworthy enough to permit automatic updates
Many people will also tell you that a false positive is far worse than a false negative. For example, if Windows Update is misconfigured and tells you that you're up to date when you're really not, that's arguably worse than not being up to date and knowing that you're not up to date. (Because in the latter situation at least you can do something about it)
Even if technically windows update is better than nothing, it's utterly pathetic that this is the best one of the richest and most powerful corporations on the planet can do for their customers.
-- Truth goes out the door when rumor comes innuendo. -- Groucho Marx
Well, I'm sure Russ is a MS customer like everyone else, so it's MS' responsibility to fix the problem.
I mean, if my headgasket in my GM blows, I don't go to Goodwrench with the schematics for a new design.
If "windows update" is so bad, then how to expect everyday people to update/patch thier computer(s)?
I think its a win/lose/lose type of situation.
+++ David Watts 5495 0.0 0.5 1888 884
they've yet to prove that their intentions are any other than making quality software.
That's pretty funny.
Napster-to-go says "Fill and refill your compatible MP3 player", which is a lie. It's not MP3. It's WMA with DRM.
Isn't the security aspect, its the fact that MS hasn't gotten patching down yet. Patches from Microsoft CONSTANTLY slow down and screw up peoples computers. Every time you download a patch its like playing russian roulette.
I just experienced this two days ago. My friend had me reinstall XP on his laptop so I started with a disc that had XP SP1 included. Now considering the huge list of known problems SP1 causes both he and myself were happy with how the system preformed after install. It seemed snappy and worked well. But then after I ran windows update and pulled down like 15 security updates, boom instant slowdown. I'd say its about 15-20% slower now. I might as well have pulled out his PIII900 and dropped in a PIII600. (And yes I specifically avoided 811493)
When will MS stop having to reissue patches and stop slowing down and screwing up systems because they can't figure out how to make software with some decent security built in? I mean screw the security track record of other OS's, Microsoft is the one with 40 billion in the bank. They are also the ones who still don't get it and are just now telling their programmers that security needs to be considered when designing software. For about the fact that OSS exists, I still can't believe people can people can have faith in a company like that.
If you wanna get rich, you know that payback is a bitch
That's it -- just dismiss all faults as MS bashing. See how much easier it is?
You mean that flaw that has little practical relevance and only occurs in isolated scenario's? Don't get me wrong, MS should fix all flaws, but how does this lose your trust? My XP Sp1 runs on around 150mb, but that's considering that I'm running an Enterprise DB (SqlServer 2000), IIS, at least one ASP.NET worker process, and a couple instances of IE.
There is no longer anything that can be done with computers that is nontrivial and clearly legal. -- Paul Phillips
They cannot be trusted.. but somehow the Soviet Russia jokes had it right.
Trust is not about users trusting the corporation.
The trust they want to implement is the other way around.
Trusted computing involves the hardware running only "trusted" code, the screen showing only "trusted" documents. And knowing is half the battle.
Nouvelles de jeux et technologies en français. TC
Let us replace the "s" in Microsoft with a dollar sign, so that we remember that they are business who put profit first. Oh, how they do not fit in our idealized view of the world. They almost annoy as I sip on my Coke and adjust my Gap pants while I sit in my Herman-Miller chair.
Thats funny, and probably true (and definately shouldn't have been modded to -1), but thats missing the point a bit.
Its not a bad thing to be about profit, but it is a bad thing to put profit ahead of other concerns, especially when you are an industry leader. I think that the outcry would be the same way if Ford knew that a part was faulty, and they supressed the knowlege or downplayed it in the press. How about Boeing? Should either of these companies put their corporate reputation and profit ahead of safety? Of course not.
Now, you might say, whatever - nobody ever died because of a Microsoft trojan horse. And I would agree - but they have caused hundreds of millions of dollars of damage and hundreds of thousands of wasted man hours - all beacuse they are unwilling to reveal themselves for what they are - human.
First, they need to admit that they make the occasional mistake. Secondly, they need to make an easy and trustworthy way of recovering from those mistakes. And thirdly, they need to make it seem like they care more about about the security of their existing customers than trying to gain new ones. Its that easy.
Do you have Linux and a DotPal? Click here now!
Providing the solution is not his job. In a more general sense, the people who are best suited to notice and complain about problems are by definition not the people who are best suited to fix them. This is why programmers don't do all of their own QA. "This is broken" is a completely legitimate thing to say, even if you're not going to be the one to fix it.
Heh, same goes for you. Please explain how do you think he could give a solution to that. I mean, this isn't Open Source. He can't just download the tar.gz and make a patch for it. All he could do is perhaps call MS, *paying for the call*, and hope that somebody there fixes the problem.
In Open Source, complaining like this might be frowned upon sometimes. After all, we understand that not every OSS developer works for IBM, and has time and resources to fix every bug.
However, this is commercial software, and closed source to boot. Why should anybody solve Microsoft's problems? Isn't that why people pay for work being done for them in the first place? I think he's doing pretty much the best thing he can do, complaining in public. That's the one thing that seems to work pretty well to get the attention of large companies.
So, if I notice you have a flat tire, but don't know how to fix it, I should keep my mouth shut?
I don't think he specified Windows 2000. Works on XP just fine. (I use it all the time)
No reason to lie.
You must be referring to that memory management scenario that doesn't affect everybody and therefore isn't listed as a Critical Update, requiring you to actually ask Microsoft for the patch because it is so uncommon.
But to you, it suddenly becomes "XP SP1 hogged memory."
Next.
"Sufferin' succotash."
I never trust anyone who says "Trust me".
Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
"I don't trust Microsoft in general, but in this case they've yet to prove that their intentions are any other than making quality software."
What an odd thing to say. You don't trust them in general buy you trust them in this particular case? Why? That's like saying "I don't trust that convicted child molester living across from me but I'll let him babysit my kids because nobody has proven he will abuse MY kids".
War is necrophilia.
given, of course there's nothing in their license agreement that prohibits it.
I haven't checked lately, but it's very possible that there is something that prohibits it.
Microsoft's patch files are, after all, their own copyrighted property. Redistribution would be illegal unless they've given you specific permission. (Many software companies explicitly deny this permission, even for products which are free to download. Sun's JDK for example)
There are other legal pitfalls- reverse engineering, for example, might be required to check if a patch is needed. (You'd be writing code to check if there are security problems, which edges towards violating the DMCA or at least a EULA)
And anyhow, while some Linux developers are happy to do free work for IBM, you're less likely to find open source coders willing to put in time to fix Microsoft's oversights- especially for a field as unglamorous and time-consuming as patch distribution.