Slashdot Mirror


Microsoft wants Automatic Update for Windows

Edward Dao writes "After the embarrassment of last week's blaster worm, Microsoft is weighing the possibility of automatic update. Microsoft not only wants to upload the latest patch on to users' computers but also to install it for them." This will work out really well for everyone I'm sure. Yikes! Can I at least press 'Ok' first?

917 comments

  1. oh yeah? by krisp · · Score: 5, Funny

    Of course, this will be implemented in such a way that implanting a fake RR for windowsupdate.microsoft.com into a local name server allows Windows to download and run any file with a certain file name. This should make it far easier to fool Windows Update into installing Linux.
    This will make Linux rollouts a breeze after buying all those Dells.

    Imagine the possibilities!

    Then again, the Microsoft Tax is cheaper than the SCO tax.

    1. Re:oh yeah? by killthiskid · · Score: 5, Insightful

      Two things from the article:

      ...say that it is time to consider making software updates automatic for home users of the Windows operating system.

      And...

      The company is "looking very seriously" at requiring future versions of Windows to accept automatic software fixes unless the user specifically refuses to receive them...

      So... only for home users and users can shut it off!

      So don't freak out too much... maybe this will actually help... think if this had been in effect for slammer... we keep bitching that the 'patch was available, why didn't people use it!'... well, this would fix that problem.

      One other thing from the article:

      Microsoft also will begin shipping new versions of Windows XP with the built-in firewall activated by default, said Steve Lipner, director of the company's security engineering strategy.

      Now that makes sense!

    2. Re:oh yeah? by redtail1 · · Score: 1

      I know that using the default Windows XP firewall doesn't make me 31337 and I wish it would let me know when someone tries to hack my machine but I'm satisfied. Are there any known problems with it?

    3. Re:oh yeah? by blahlemon · · Score: 4, Insightful
      It does not make sense to have Microsoft's firewall activated by default. The thing is buggy as heck and some DSL accounts don't work properly when it is activated. Consider that their OS is NOT engineered for security (an admission they made themselves) and that they have a track record of "swiss cheese" code.

      Additionally I would hate to think that computers would roll out with auto update automatically enforced on home users' machines. Quite a few home users wouldn't know if they had turned it off or not for one. Can you trust Microsoft to have tested the patch against software you use? What if you've got a "pay for use" internet account? Do you want to pay for the bandwidth Microsoft uses? HINT: Think service pack. What if a patch goes wrong or the home user mistakes it for a virus and forces a shut down in the middle of a service pack?

      I'm not going to suggest that Microsoft would use this to monitor individuals or covertly take over people's machines, that's just more FUD. I do think, however, that the last thing Microsoft needs to do to their software is add another automated feature that can be compromised and easily manipulated because it's already built for interaction with external machines over an inherently insecure environment.

      You don't fix a hole in a dam by adding more holes.

      --
      It takes more faith to believe in evolution than it takes to believe in God
    4. Re:oh yeah? by killthiskid · · Score: 4, Interesting

      Valid points... but we're talking lesser of two evils here. I would much rather see a single user of a computer have problems (due to firewall, updates) than their unpatched machine causing problems for more than one user.

      We can't have it both ways... right now windows is set for ease of use over security... and having auto-updates and a firewall will move them towards the security side of things and away from ease of use... but isn't that what we've been bitching about for years?

    5. Re:oh yeah? by mr_z_beeblebrox · · Score: 1

      I believe in holding people (and companies) responsible for the damage their systems cause. I would propose this:
      Auto updates have an opt out feature, if you opt out you agree to responsibility for any damage caused by your PC for which there was a known fix.
      Microsoft agrees that if you do not opt out they are responsible for any damage caused by poorly coded patches.

      In both those cases liability would probably be limited to something like what MS accepts now. IE these statements:
      USER: sorry my PC ddos'd your hospital network causing countless deaths. If MS would write better patches I would allow auto updates
      or
      MS: Sorry our patch broke your hospital network. Perhaps you should consider more standard equipment


      Okay, sorry I started out constructive then broke cynical.

    6. Re:oh yeah? by mAineAc · · Score: 2, Informative

      'One other thing from the article: Microsoft also will begin shipping new versions of Windows XP with the built-in firewall activated by default, said Steve Lipner, director of the company's security engineering strategy. Now that makes sense!' How does this make sense? Their firewall is crap. It causes problems with dial up connections all the time. I work for an ISP and many times someone calls in with a bad connection and all we have to do is shut off the Microsoft firewall and all of a sudden it works. This is set by default when you create a dialer anyway. You have to remove the check to disable it. All this is going to do is give people a false sense of belief in their software. It is only a one way firewall anyway. If they have spyware or spamware it does nothing to stop this from reaching out to get info or give it. There are firewall companies out there. This is just a way for windows to remove market share from another source. Soon, if we continue this way, all coders will work for Microsoft or they will be out of work.

    7. Re:oh yeah? by blahlemon · · Score: 2, Insightful
      How about developing a release of Windows that doesn't have extra ports open by default that the system doesn't need? How about recognizing some of the more common issues and have these default fixed?

      I think that Microsoft should halt development and roll out of its next OSes until it's fixed the base functions. They should start from the beginning, and review the code line by line with a focus for security. Stop adding more and more features until you've fixed the old ones.

      I know, NO OS is 100% secure, no program is unhackable and being the biggest boy around Microsoft is also the biggest target. That doesn't excuse their continued shoddy behaviour.

      lol, I say this, knowing of course, that it will never happen. It's not in Microsoft's interests (nor the interests of their shareholders) to go back to code and rewrite and rebuild. I personally think it would be good corporate behaviour to do it though.

      This is a little off topic but consider your car. What if your car manufacturer refused to fix your older vehicle because they no longer support that model? The public would crucify them. But Microsoft does exactly that by terminating patches and support for older OSes. Those older machines, if they provide the base code for the exploits in the current release, are then potential holes. I don't know about you but I'm still running a copy of 98 at home for games because it works and is stable (sorta).

      Anyways, back on topic, I agree. We've all bitched about Microsoft being insecure and when they try and make right we bitch some more. And it's not giving them a fair shake. Who knows, maybe this will be the tool that saves everything. I for one am getting sick of paying for bandwidth that gets absorbed by viruses and spam. Actually, I think we should hold the ISPs more responsible.

      --
      It takes more faith to believe in evolution than it takes to believe in God
    8. Re:oh yeah? by markalot · · Score: 2, Interesting

      This is a prime example of blind hatred.

      For years slashdotters have been spouting how Microsoft defaults were wrong. How in Linux you have full control but it defaults to a safe mode. Now Microsoft wants to do the same thing and everyone gets all FUD'ed about it.

      Credibility is important, RTFA, think, then post.

    9. Re:oh yeah? by Virtex · · Score: 3, Informative

      So... only for home users and users can shut it off!

      According to the Windows XP EULA, Microsoft has already given themselves the right to install software on users' home machines without their consent or knowledge. And there's no provision for allowing users to "opt out".

      --
      For every post, there is an equal and opposite re-post.
    10. Re:oh yeah? by zentigger · · Score: 2, Interesting
      Isn't that pretty much how Windows(TM) Update(TM) works already? I can enable automatic updates, or I can shut it off. Win2K comes with it turned on by default.

      Perhaps a better solution would be for any "home" version to have an automatic updater that pops up a big red warning box into the middle of the screen telling users they need to patch and a little sliding thermometer scale to show the severity of the patch.

      --

      the above is my personal opinion and does not necessarily reflect that of the little voices in my head

    11. Re:oh yeah? by aldousd666 · · Score: 1
      That's true, ease of use over security, same with lindows. I know for example, that if you disable DCOM in our corporate environment, our software inventory system doesn't work... not to mention a bunch of other things. We need to be able to control our users' workstations from a corporate administrative point of view, otherwise, we have to walk to their machines to fix them, and waste millions of dollars a year in troubleshooting time. I need to have MY settings on our network, not Microsoft's generic 'how do you do' settings 'please click on turn off the computer'.

      but as for home users, that's a different story, if they don't want to opt out of the updates, then they may be better off --

      BUT they still have a LOT of bugs to work out.

      Look at ms03-026, even their Critical Update, had a flaw in it that often incorrectly identified the patch as installed when the systems were still vulnerable (they revised it and re-released it on August 16th to fix this problem, but the first generation of the fixes may have screwed them over if not for the complaining all over NTBUGTRAQ). They need to be sure that the patches are absolutely 100% functional, and absolutely will not under any circumstances hose up a system before they go and require it for warranty compliance. Otherwise, the simple result is: they lose their marketshare.

      --
      Speak for yourself.
    12. Re:oh yeah? by Senjaz · · Score: 1

      You are right, but this is Microsoft we are talking about here. There will probably be an exploit to be found in the auto-updater and hey-presto they will have just added another way for hackers to get malicious code onto a user's machine without the user knowing.

      --
      Don't blame me - this .sig had steal me written all over it.
    13. Re:oh yeah? by q.kontinuum · · Score: 3, Informative
      As far as I know it ignores completely IPv6 traffic.

      http://support.microsoft.com/default.aspx?scid=kb;en-us;306203

      With Microsoft Internet Protocol version 6 (IPv6) installed and Internet Connection Firewall (ICF) or Basic Firewall enabled, the firewall filters Internet Protocol version 4 (IPv4) traffic, but the basic firewall and the ICF does not block or filter IPv6 traffic.

      Note ICF is available on Microsoft Windows XP and Microsoft Windows Server 2003, Standard Edition and Windows Server 2003, Enterprise Edition. Basic Firewall is a component of Routing and Remote Access that you can enable for any public interface on a computer running both Routing and Remote Access and a member of the Windows Server 2003 family.

      --
      Trolling is a art!
    14. Re:oh yeah? by Bake · · Score: 1

      Well, that could be due to the fact that there is a special ICF for IPv6 enabled when you enable IPv6 on your box.
      It's listed in the Services console as "IPv6 Internet Connection Firewall" and its default setting is to block everything incoming, ICMP messages included.

    15. Re:oh yeah? by Darby · · Score: 1

      Credibility is important,

      Right.
      In the area of security, stable patches which won't ruin an installation, and privacy MS has proven in almost every case that they have no credibility whatsoever.

      If anybody else announced this, it would at least be potentially reasonable.
      With MS it is different because they have shown themselves to be less trustworthy than any other vendor.

      No hypocrisy involved.
      Thanks for playing though.

    16. Re:oh yeah? by Anonymous Coward · · Score: 0

      Users wouldn't want to waste the bandwidth downloading the patch and would click no.

    17. Re:oh yeah? by spectrokid · · Score: 1

      XP does have a mechanism built in for silent, interruptible background downloads. Even people paying by the minute for dial-up will only use their excess bandwidth for it. (OK, so it could take a month to download something serious.) This is definitely the lesser evil for my sister's computer.

      --

      10 ?"Hello World" life was simple then

    18. Re:oh yeah? by FooAtWFU · · Score: 1

      "Can you trust Microsoft to have tested the patch against software you use?" "You don't fix a hole in a dam by adding more holes." Mmm. It's not just whether you can trust Microsoft, it's whether the next big security hole will be a hole in the Microsoft updater that lets random people send you stuff masquerading as an update? Just think about all the fun THAT would cause.

      --
      The World Wide Web is dying. Soon, we shall have only the Internet.
    19. Re:oh yeah? by Anonymous Coward · · Score: 0

      I cannot believe that people are actually buying into this Automatic Patch stuff. The question should be asked why this is needed in the first place. I should not have to sacrifice privacy and let MS do whatever it wants on my computer in the name of security just because the OS I use is so vulnerable that it needs to patch itself every day. Would you buy a car that automatically calls a mechanic to fix itself every day because new harmful elements in our world render it unsafe to drive? If Automatic Patch is allowed, then MS really has an out on everything they dump on people's machines.

      "Something really bad happened to your machine and you lost all your important files? I am sorry, but don't worry, it will be patched for everyone by tomorrow." How can that be acceptable to anyone?

    20. Re:oh yeah? by fubar1971 · · Score: 1

      Actually, windows update is installed on win 2k and higher. This already has the features to schedule downloads and installations of hot fixes automagically. Currently it is not enabled by default, but I would imagine that it would not take much effort by Microsoft to make that the default setting. I only hope that they are nice enough to still give the user the option to schedule different times and still be able to disable it if they wish. Besides I don't see what the big deal is. Who here uses RedHat's up2date service? What's the difference. Oh that's right we all trust RedHat....

    21. Re:oh yeah? by Anonymous Coward · · Score: 0

      Only fools and losers would pay SCO tax. And for those that pay them, I have a tax for you to pay...

    22. Re:oh yeah? by SmackCrackandPot · · Score: 1

      Actually, there is a way. We recently purchased a new system with Windows XP installed. After a bit of rooting about in the user accounts menus, we found two password protected accounts with system level access. One account was owned by Microsoft, and the other owned by the system manufacturer. Needless to say, we quickly deleted these two accounts. The only side-effect is that automatic updates don't occur when visiting certain web pages.

    23. Re:oh yeah? by mpe · · Score: 1

      Of course, this will be implemented in such a way that implanting a fake RR for windowsupdate.microsoft.com into a local name server allows Windows to download and run any file with a certain file name. This should make it far easier to fool Windows Update into installing Linux.

      Or alternatively a malware writer will come up with some way to fool this automatic update system into distributing their spyware, virus, worm or what-have-you.

    24. Re:oh yeah? by Anonymous Coward · · Score: 0

      Do you know what SSL is? Do you know what signed certificates are for?

    25. Re:oh yeah? by killthiskid · · Score: 1

      Ok, I'm hoping you check your replies and actually respond to this...

      What are the names of the user accounts of which you speak?

      If they really exist, it would be a 'very bad thing' (tm), if they all have the same password and level of security required to install patches, it would open a HUGE hole into allowing people access.

    26. Re:oh yeah? by SmackCrackandPot · · Score: 1

      When I examined my system (System->Settings->User accounts) or either using "Regedit", I discovered two user names. Both were actually serial numbers of 12-14 digits/letters and were password protected. Presumably, the password for the account must match the registered account/password to access Microsoft's update server.

      There's little explanation why these accounts exist. However, once I deleted them, automatic updates on my system no longer work. I get a "network not available" error. So, if your system gets corrupted, and/or these entries get damaged, you're not going to be able to update your system.

  2. M$ worm. by Anonymous Coward · · Score: 1, Interesting

    Wouldn't this classify as a worm too? I don't want anything installed on my system without my permission too.

    Nice to see that M$ is in the worm business too.

    1. Re:M$ worm. by freaksta · · Score: 0

      No... EULA would have a clause just for this. It would be totally legit if you opted in (by using their OS or otherwise stated in the EULA)

      --


      Hrrm... I usually just sign my name.
    2. Re:M$ worm. by Frymaster · · Score: 5, Interesting
      I don't want anything installed on my system without my permission too.

      well, technically you give permission when

      1. you agree to the eula
      2. you don't activate the opt-out option

      i agree that not knowing what's getting put on your machine is irksome, but this idea has sprung from two problems that everyone here is very aware of:

      1. people don't do their patches! blaster is all over the news yet a casual poll of my non-geek friends (the windows ones at least) showed that only one had done the patch!
      2. joe avg. user doesn't know what half this stuff is anyway? he can get an "agree?" box but he doesn't know what he's agreeing to anyway. the thinking is that the savvy will go for the opt out.

      now, having said that, i hate the idea on principle... but i can understand why redmond thinks it's a good idea. they're taking a beating in the press over security and they've determined that the real problem (rightly or wrongly) is the end user - so now they have a "solution"

    3. Re:M$ worm. by Paleh0rse · · Score: 4, Insightful
      I think, in light of recent events, the default settings for operating systems should be "kid gloved".

      Idiot proof everything, like the way the standard RedHat install sets up all basic command line functions to be verbose by default. And then as you learn more about what you're doing you can set these preferences to something else.

      Don't forget, people, in general, hate to A) Read and B) Learn

      Then, as the user becomes more proficient, s/he can set things up the way they like.

      Think about it, if you don't know enough about something to know how to turn it on or off, do you really think you should be able to choose if it's on or off?

      --
      "Whadda'ya watchin'?"
      "Angry Monkey."
      "That HORRIBLE monkey."
    4. Re:M$ worm. by EpsCylonB · · Score: 4, Insightful

      but i can understand why redmond thinks it's a good idea. they're taking a beating in the press over security and they've determined that the real problem (rightly or wrongly) is the end user - so now they have a "solution"

      I don't want to stick up for MS or anything but the problem is the user. If there is a patch available and the user doesn't install it then it is the user's fault (even if the user is ignorant).

      The way I see it there are two obvious solutions...

      1. Force the update on people.

      2. People should have to have a licence to own a computer and take a test so that they understand security issues. Now I realise that sounds a little extreme but if you take into account the cost in business that worms cause then it might be a good idea. It would certainly get rid of the ignorance defense.

    5. Re:M$ worm. by DraconPern · · Score: 1
      People should have to have a licence to own a computer and take a test so that they understand security issues. Now I realise that sounds a little extreme but if you take into account the cost in business that worms cause then it might be a good idea. It would certainly get rid of the ignorance defense.

      Thank goodness I am not the only one thinking that. We have gone through too many people at work who didn't know how to use a computer (even though they claimed they are good) and thus weren't able to do their job. Sadly, the only 'license' out there (for enduser) is the Microsoft Office User Specialist(MOUS), but at least it's a start!
    6. Re:M$ worm. by Anonymous Coward · · Score: 0

      In the days I used dial-up, I would get pissed at people sending me email attachments. Imagine doing a service pack over dial-up.

      You will be patched in 14 hours... please wait.

      Pros and cons.

    7. Re:M$ worm. by jazman_777 · · Score: 3, Insightful
      People should have to have a licence to own a computer and take a test so that they understand security issues. Now I realise that sounds a little extreme but if you take into account the cost in business that worms cause then it might be a good idea. It would certainly get rid of the ignorance defense.

      Clearly the technology's simplicity is oversold. "Anyone can use it!" Hey, how about some intelligence/knowledge requirements for voting? Right now, just anyone can vote.

      --
      Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.
    8. Re:M$ worm. by mr_z_beeblebrox · · Score: 1

      people don't do their patches! blaster is all over the news yet a casual poll of my non-geek friends (the windows ones at least) showed that only one had done the patch!

      To know one non-geek who patched his system I would guess you must have a thousand friends

    9. Re:M$ worm. by Anonymous Coward · · Score: 0

      "...but if you take into account the cost in business that worms cause then it might be a good idea..."

      What costs?

      See Nimda, the Ms SQL Worm or the latest RPC/DCOM one. There're only a limited set of effects and sources for them at the enterprise:
      1/ Their own infected boxes. Hey! it's an enterprise! It can't be fault of unknowledgeable people at their home. It is their system administrators mistake. And it is their mistake because the enterprise goes paying rubbish for the system administrator role and, surely, they receive rubbish back again.
      2/ Piracy. If Microsoft really tried to stop piracy, most of these wouldn't be a problem. Let's take the SQL worm for instance. Point one is, of course, stupid sysadmins (and stupid bosses that really think they can pay at the Joe Dumb rates and still contract Mr. Smart). It is not only that there were a patch time before the exploit, it is that the whole thing was very badly designed (what the heck is doing an SQL daemon wide open to the Internet, patched or unpatched?). On the other hand how is it possible its fast and wide spread? Surely because a ton of directly connected to the Internet home boxes had installed Ms SQL Server. Now: Can you imagine any real use for Ms SQL Server at home? And even more: Can you imagine any home user, even if he really needs Ms SQL Server (and that I deny) paying the cost of the license? No Ms SQL Servers wide open to the Internet, no worms. It's that simple.
      3/ Finally DOS-like costs. Those are related to some kind of "slashdot-like" effect, they are not dependent on the receiving end's operating system and, at the enterprise level they're manageable to some extent (the movements Microsoft has done to avoid this Monday flood shows an example of it).

      "People should have to have a licence to own a computer and take a test so that they understand security issues"

      No that's not necessary: you probably wanted to say that "people should have to have a license to *connect* a computer to the Internet".

      But even this is not necessary. It is more on the line: if enterprises value their IT assets they should take care of them and be prepared to affront due costs for this to happen. Basically that means: Contract solid professionals, pay them accordingly and forget entirely about technical issues (==get off the way): they'll do it for you.

      I have had Microsoft and Linux OSs on the Internet for years. I've done my work: no Nimda, no Code Red, no SQL worm, no nothing. Still, I know what's exactly the part due to my knowledgeability and what's the part due to luck, and I always tried to make it very clear to my employer when I've been forced to do technical things their way instead of mine.

    10. Re:M$ worm. by Anonymous Coward · · Score: 0

      make sure you brand them after to show proof that they comply....

    11. Re:M$ worm. by nightsweat · · Score: 1
      That's ignorant. Have you noticed MS often slips license changes in with the patches?

      Read the EULAs from the original software and from the service packs sometime.

      --

      the major advances in civilization are processes which all but wreck the societies in which they occur - A.N. White
    12. Re:M$ worm. by EvilTwinSkippy · · Score: 1
      Think about it, parents don't want kids on the internet anyway. We could add Internet Access to the rites of passage into adulthood.

      We could design a class of computing appliance that is utterly stripped down and does not require a license. Read-only OS, hardwired into the system. USB-Flash drive data storage. A ROM device for adding additional programs.

      I also think that Network Engineers should be licensed like civil engineers. There are things that a clueless Linux admin can do that will utterly frell a larger network.

      Where will we get our next incoming crop of Hackers? Give them a sandbox to play in. Bring back BASIC, or some sufficiently "minute to learn, lifetime to master" scripting language. I'm partial to TCL/TK myself. Let them play in that environment, swap programs back and forth with other proto-hackers, and let them study the real languages in a more structured setting.

      I'm picturing a hacker apprenticeship type program. Someone expressing an interest in learning the business teams up with someone in industry to learn the trade, taking a series of qualifying exams along the way. Yes, this would imply a hacker's union or a guild of some sort.

      But when you think about it, for all of our openness, there is still a few entry requirements to be taken seriously on the net. One is a stated interest in learning the Net. The other is a demonstration of how a person is willing to learn independently.

      --
      "Learning is not compulsory... neither is survival."
      --Dr.W.Edwards Deming
    13. Re:M$ worm. by BurKaZoiD · · Score: 1

      People should have to have a licence to own a computer and take a test so that they understand security issues.

      You, sir, are a f*cking moron. There are millions of people in this country alone licensed to drive, but does that stop accidents from occurring? Anyone can memorize a load of bullshit (they don't care about) long enough when it's a prerequisite to get something they want. As soon as they get the license (car or computer) the information they memorized can take a flying leap.

      I can't believe someone even suggested some dumbass bullshit like this. What are you, a politician?

    14. Re:M$ worm. by falsified · · Score: 2, Insightful
      As a user of dial-up, I should let everyone know that a service pack is probably worth it. I have two hours to kill when it comes to security. Anyone who thinks that patches are a waste of time probably deserves to have their computer knocked out of service.

      --
      HI, MY NAME IS ISAAC.
    15. Re:M$ worm. by SmallFurryCreature · · Score: 5, Interesting
      People undertake training and a test to verify that they can drive a car. How many people die on the road each year due to people being incapable of handling their car? So much for testing people.

      What I find really odd is that we treat computers so differently from the real world. If a real product is found to have a defect then a recall notice is published in all major newspapers (in europe don't know about rest of world) and you can return the faulty product for either a replacement or your money back.

      Granted if software companies had to do it this way they would all have gone bust. Or maybe they would invest in real testing. Real testing is not to see if something works but to see if you can break it. When I hear excuses like people using the product wrong as an explanation for bugs I get pissed off. You are not supposed to bite the nose of a teddy bear and then swallow it. Nonetheless this is exactly what is tested against. A product should be safe to use or clearly labelled to indicate who it shouldn't be used by.

      I think it says it all that unlike almost everything we buy in the netherlands, software is not tested by a government/independent organisation. Everything else is. Clothes, cars, books, movies, toys, furniture, food etc etc. But software and hardware are not.

      Think this is a strange notion to test software by a central organisation? This what all the consoles do for their software. Oh and please don't mention MS certification, these are just logos you can buy.

      --

      MMO Quests are like orgasms:

      You may solo them, I prefer them in a group.

    16. Re:M$ worm. by Anonymous Coward · · Score: 0

      Except for the fact that when I tried to patch a win2k system that was working great as a server with no problems for months, I was told I needed a new service pack to do the patch. When the service pack was installed it caused the computer not to boot at all. I was happier with the worm, at least I could block the port with a firewall or something. Microsoft's patches cost me hours of time getting the server back up.

    17. Re:M$ worm. by Anonymous Coward · · Score: 1, Insightful

      Hardly insightful.

      Yes, you can stand back and say "it's the users fault". But when did the user click an agreement to spend inordinate amounts of time patching his OS? Did I miss the pop-up box during installation that said 'We're sorry if you're on dialup, but you will and should update this operating system at least once a week, or even more often.'

      There is a large difference between routine maintenance and an obscene level of commitment. For many (and I'm sure that most of the users on Slashdot forget this) the computer is a tool that they may turn on only once or twice a WEEK. Unusual? Hardly. The majority of the US still doesn't even have broadband.

      When you're going at the rate of a couple patches a month, and this for a product that is only used a couple times a week by MOST USERS, that equates to changing the oil in your car roughly once every 2-3 days. And who the hell is going to do that?

      Not everyone is a computer addict like the folks at slashdot.

    18. Re:M$ worm. by Anonymous Coward · · Score: 1, Insightful

      Microsoft not only wants...

      That's the difference between open source and proprietary: It's about what *you* want, not what the *vendor* wants. You never give up control.

    19. Re:M$ worm. by Anonymous Coward · · Score: 0

      Your point is excellent.

    20. Re:M$ worm. by mfrank · · Score: 1

      You forgot 3) Microsoft not selling bug-ridden crap.

    21. Re:M$ worm. by walt-sjc · · Score: 1

      People should have to have a licence to own a computer and take a test so that they understand security issues.

      Maybe if they were liable for the damages caused by running an insecure system, they wouldn't NEED a license. "Your computer was found to be spreading a worm because it was not kept up to date and secured. You are fined $500. You better fix it, because the next time the fine will be $1000. Then $2000. And so on." I suppose you could START with a warning THEN fine.

      Maybe if commercial OS vendors were liable for writing crappy software, we would see less problems. MS has NO incentive at all to create secure software. If MS were fined $500K for each remotely exploitable security hole that someone else found, they would be a little better about fixing the crap and making sure it works correctly the first time.

    22. Re:M$ worm. by i_really_dont_care · · Score: 2, Interesting

      I don't want to stick up for MS or anything but the problem is the user. If there is a patch available and the user doesn't install it then it is the user's fault (even if the user is ignorant).

      Wrong. There is absolutely no excuse for

      a) opening this port AS DEFAULT for Internet connections (remember, this port is NEVER used for ANY legitimate service)
      b) this buffer-overflow (do they have a QM department or what??)

      The problem with Microsoft is that everything is very insecure _and_ activated by default. RPC port, SMB protocol, HTML mail, ActiveX, you name it.

      If you pick up a CD of Windows 2000 from a local retailer, it is expected from you that you install the latest service pack (which will produce more problems -- remember the XP service pack which slowed the whole system down?), about 20 hotfixes (which may or may not really fix the problem -- remember the story about Windows Update saying a fix was installed when it really isn't?), a virus scanner, a firewall and whatever. And, it is additionally expected that you repeat this procedure at least every month or so. And all this just to surf the net, read mails and write letters!

      If I buy a TV and I had to check all the wires every month or so to make sure it doesn't implode or start burning, I'd sure return it to the manufacturer.

      I'm a programmer myself. I'm coding software for industrial machines. When the machine behaves wrongly and people are injured, I'm responsible. Personally. By my private property. And that's fair. Period.

    23. Re:M$ worm. by Luxviaest · · Score: 1

      In all actuality, the true problem is not the home user, (although most are pretty helpless in a situation like this) it is Microsoft's long history of putting out insecure operating systems. People can only exploit holes if they are there, and within the world of Microsoft there are more holes to be found than within a Swiss cheese factory.

    24. Re:M$ worm. by Lord+Kholdan · · Score: 4, Insightful

      If 90% of the consumers can't drive the new CarX is the fault in the consumers or in the car?

      If 90% of the users don't know how to make a call in their new cell phone is the fault in the users or in the cellphone?

      If 99.99% of the users can't read a book written in Latin should we:
      a) Translate the book
      b) Teach everyone Latin

      Only people who would even consider option b are computer engineers.

      If you don't like the fact that most people are ignorant about inner life of computers? Go back to BBSes. Oh wait, they don't have the content, the people, the cheap connectivity? Has it occurred to you that those exist because internet is full of people! You can't have it both ways.

      If companies think being on the internet is dangerous who forces them to put critical services there? Maybe they are there because the gains outweigh the benefits?

      And before you throw in the facts about traffic laws... Majority of drivers are in favor of some sort of laws existing, I'd even bet that they support the majority of the current laws. What you'd want is a law supported by the few, benefitting the few, paid by the majority (in work hours wasted studying computer security).

    25. Re:M$ worm. by Pepebuho · · Score: 2, Interesting

      Sorry, but I do not agree.

      A better suggestion is the Gator way. Make the updater/installer Nagware that in case of a critical update will not simply let you go until you apply the patch.

      If you tell it NO, it should print a DIRE WARNING of DOOM that makes you pay notice.

      People are not fools, and proper disclosure of the dangers they face should be enough. If I am reckless/fool enough to disregard due notice, then I am to blame, not Microsoft. Taking away my right/ability to control what goes into my computer is not the solution.

    26. Re:M$ worm. by EvilAlien · · Score: 1

      Did I just read an argument for taking computers and Internet connections away from the general public?

      --
      perl -e 'print $i=pack(c5, (41*2), sqrt(7056), (unpack(c,H)-2), oct(115), 10)'
    27. Re:M$ worm. by E-Rock · · Score: 5, Insightful

      I guess it depends on what you're calling a defect. If someone comes along and pours sugar into your gas tank your car won't keep running right. Is that a recallable defect?
      If someone sends a particularly malformed request to a process on your machine it won't run right. Is that a recallable defect?
      I'd say no in both cases.

    28. Re:M$ worm. by BrokenHalo · · Score: 1
      The way I see it there are two obvious solutions...

      As always, there is always the "extra" solution:

      Do nothing at all

      Shock therapy has helped in several cases I've known where windows users have been caught with their pants down. In some (ok, only 25%, but that's better than nothing) of these cases, the miscreants in question actually were receptive enough to let me install Linux on their spare disk space with /boot mounted read-only, and having tried it for a while (with all the eye-candy turned on) are now quite happy to do without Windows, and particularly without the continual threat of malicious code being executed without their knowledge.

      Let's face it, the line that "Linux isn't ready for the desktop" just doesn't apply any more to folks who just want to browse the Internet and do word processing.

      OK, I'm letting myself in for posts saying "BSD can do it too!" :-). It can, of course, but it takes more effort...

    29. Re:M$ worm. by buysse · · Score: 1

      There are days, my friend. There are days where that doesn't sound like a bad idea. It's a good idea as long as I decide who gets to vote. It's not a good idea if you do, or $DEITY forbid, if Jeb does.

      --
      -30-
    30. Re:M$ worm. by MikeMo · · Score: 1

      What's wrong with the notion of releasing an OS that is secure in the first place? Creating a system that forces updates on users is a patch on the real problem -- that the OS is just so darn hackable. Typical MS response, though.

    31. Re:M$ worm. by buysse · · Score: 2, Informative
      And, arsehole, what do you think the effect of this policy on free software would be? I'll fucking tell you, there wouldn't be any. If I could be fined for software I released for free, without warranty (because MS also gives no warranty), I'll tell you right now that I wouldn't release it -- and I doubt that many other people would.

      Who do you fine if a hole in Linux caused similar damage? Every person who's contributed to the kernel? Redhat? Registered Debian devs? All of the above?

      The law demands equal protection. You can't just apply a law to one corporation or individual without applying it to all.

      </flame>

      --
      -30-
    32. Re:M$ worm. by Anonymous Coward · · Score: 0
      OS Joke Cliche Alert:

      WARNING: The preceding post has violated the OS Joke Cliche rule. This "joke" has taken the form of a cheap shot towards a familiar OS without any supporting detail substantiating the claim (possibly ruining the "joke"). In fact, the lack of supporting data causes the "joke" to be increasingly unfunny.

      This particular "joke" relied on the following unsubstantiated data:

      (___) Linux/Windows/OSX users are better than other users
      (___) Linux/Windows/OSX is better than other operating systems
      (_X_) Windows crashes all the time
      (___) Microsoft spelled "Micro$oft" or "M$"
      (___) Microsoft is out to get you
      (___) Linux users are a bunch of smelly hippies

    33. Re:M$ worm. by Phantasmo · · Score: 1
      I run Windows Update regularly, but I always wonder if installing the patches and service packs is worthwhile.

      Windows 2000 Service Pack X:
      • fixes vulnerability a
      • fixes vulnerability b
      • EXCITING NEW DRM TECHNOLOGY!
      • fixes vulnerability c...


      It's either take the bad with the good, or slog through a huge list of fixes and hope that I can put together the equivalent of the latest service pack.
      --

      The US Army: promoting democracy through unquestioned obedience
    34. Re:M$ worm. by Gob+Gob · · Score: 1

      Yes the patch was out for a while before the worm.

      Full marks kiddo!

      I as an admin don't troll MS's site for help and found out about it through my ISP. For all the $$ my business pays MS it would have been nice to hear them WARN "there is a hole in your boat" before *nice* people like you pointed out that "Island Redmond has a new cork".

      Perhaps when we both are lucky enough to have neural feed to the MS Intranet then we would be as happy as all the clear minded, joyful folk who have that luxury via their desktops these days.

      One condition - you first.

    35. Re:M$ worm. by buysse · · Score: 1
      You forgot: c) don't read the book. I don't consider this a viable option, BTW. I'm just saving a PFY the effort, and I've got karma to burn. Of course, you have a +1 Insightful flame... flame on.

      If 90% of the people can't drive the new car, I don't know that I would blame either one. Can you drive a stick? My wife can't, and won't, and most of the USian people can't. Should we recall all cars with a stick? If those 90% of the users don't bother to open a manual and learn about the cellphone, perhaps they should buy a different mobile, or a different car.

      People who misconfigure their software, either by stupidity, error, or negligence, should be liable for the results. If I have a car with brake problems and drive it anyway, and I plow through a crowd of people on a sidewalk, would you consider me liable? I knew that brake repairs were available (patches), and I chose not to apply them. Perhaps I didn't have time (to download them), perhaps I just didn't feel like it. Am I criminally negligent? In my mind, yes. With Windows 2000 or XP, you are notified of new patch availability by the cute little popup at the bottom of the screen. You know that you have a brake problem.

      People need to take some responsibility for their own fucking actions. I don't advocate throwing these users in jail, or even fining them, but I don't think that Microsoft deserves all the blame for this problem. The users are at fault as well.

      --
      -30-
    36. Re:M$ worm. by jazman_777 · · Score: 1
      It's a good idea as long as I decide who gets to vote.

      Certainly almost _any_ intellectual criteria would be better than "18 Years Old". How about, "who are your representatives in Congress and your state gov't?" That would filter out all the riff-raff. Or, how about if you receive Government Money, conflict of interest, can't vote. Oh, wait, that would be just about everybody these days.

      --
      Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.
    37. Re:M$ worm. by Paleh0rse · · Score: 2, Interesting
      Not at all, and I apologize if I gave that impression. All I am saying is applications/operating systems/etc... should be designed and set up so that "Joe-Average-user" should need to learn about the applications they are trying to configure before they can sabotage themselves.

      Think of it this way: Bob, a "Sys-admin" (at least on paper), buys a computer at retailer-X for his company which he turns into a webserver with some "a-little-too-easy-to-configure-and-set-up" MS software.

      Bob has more or less no idea about the underlying technologies and back-end systems that go into making his "server" work and he puts it directly on his 1.5/1.5 SDSL circuit with no protection. (He doesn't know any better, he got his MCSE from the back of a box of Captain Crunch [WAIT!, they did give away that whistle a while back, maybe that is a good place for budding techies to start])

      Anyway, OS flame wars aside, to Bob, service packs, bug fixes, and security bulletins mean nothing (patches?! we don't need no stinkin' patches!)

      Anyway, so Bob thinks he's the schitt because he set up his "server" all by himself and it works. For now, at least...

      Three months later Bob's server contracts a Worm something big time and starts becoming a liability on the Internet and his company's LAN/WAN/etc.

      So, if Bob had been forced to RTFM in order to set things up insecurely that might have alerted him to the fact that he was making himself vulnerable! Call me a romantic, but I don't think users make themselves vulnerable on purpose. At the very least, Bob would have ended up setting up his Web server with standard configuration, which I am suggesting should be a highly protected and locked down config by default.

      Want to unlock things and make your systems unsecure? Learn the hows and whys of the systems first! It doesn't really affect the REAL techies out there because we know how to, and even enjoy, doing things like READING DOCUMENTATION and learning how to secure our systems. OK, I'm rambling now because I have to go out on a call on Wall Street but, I hope I got my point across.

      I don't want to take away anything from the user, I only want to hand them a box off the shelf that isn't a ticking time-bomb of unsecured services and daemons.

      Cheers!
      Erich

      --
      "Whadda'ya watchin'?"
      "Angry Monkey."
      "That HORRIBLE monkey."
    38. Re:M$ worm. by obdulio · · Score: 1

      What about the unpatched servers (remember that Slammer hit SQL Server, an app that most home users are unlikely to use)? Are these servers administered by idiots or by people who paid to get an MCSE?

      Why isn't there a culture of patching among Windows admins? Is the importance of patching not stressed enough in the MCSE courses?

      --
      PENAROL: You will be eternal like time and you will bloom every spring.
    39. Re:M$ worm. by darksaber · · Score: 1

      So, for everyone complaining about changes happening without you knowing, would you rather it be Microsoft or some virus writer making these changes?

    40. Re:M$ worm. by Lord+Kholdan · · Score: 1

      Problem is that people don't think that the costs associated with security (having to update computer, possible criminal prosecution for failure to do so) aren't worth the gains (maybe a bit fewer reinstalls, bit more bandwidth).

      And who are you to tell them otherwise? If they want easy software over stable, unpatched systems over unreasonable responsibility let them have it.
      Internet does not exist for sysadmins. Internet does not exist for programmers. The beauty of internet is how it is all encompassing. You could have a network where every page is checked for standards compliancy, every program is automatically checked for latest patches. Yes you could have it.

      But it would not be internet that we all have learned to love. Some would even say that it's not internet that we've learned to love but freedom to act as we wish. You might not like it but the internet belongs to the general population more than it belongs to the technological elite in the same way as electricity.

      I see the costs vs benefits of making updates mandated by law. I do not think it would be worth it. Majority agrees with me. Any ISP or country that does not will see their clients fleeing towards competition.

      Now the question that remains is:
      Do you think people should be forced by law to update their computers against their wishes and perhaps even their best interests?

    41. Re:M$ worm. by Anonymous Coward · · Score: 0

      Don't forget, people, in general, hate to A) Read and B) Learn

      I'd have to argue this in that people, in general, are so overloaded with information that they simply just shut down mentally and just don't want to hear or know more. In this way, by flooding people with information it is also possible to censor information by allowing otherwise important information (like the one telling you to update your computer software or some other instructions or information) to become lost in the overall clutter.

      One hundred years ago there was not so much information available to people and frankly there may not have been so much need. Faster information transmission may have been a bigger influence hundreds of years ago though...

    42. Re:M$ worm. by slipstick · · Score: 1

      There is a huge difference between Microsoft and Debian. MS is specifically in the business of trying to make money from their software product. You should have the right to sue them for damages caused by a defective product. Debian is a not-for-profit company giving away their software for FREE. Since there is no exchange of "equal value" between you and the Debian group you cannot expect the same protection under the law. In contract law it's called "equal consideration" or something like that, effectively both parties must be "getting something" from the deal.

      With Debian you can then choose to pay somebody to keep your system up to date, patch it, add stuff to it or whatever. Generally this would be under a more mutually beneficial contract.

      Now as for Redhat, regardless of the fact that I think highly of them due to their support of Open Source, they too would be under the same restrictions as Microsoft as long as you purchased their product and didn't just download it from the internet or whatever. I've only ever paid for one copy of Redhat but I've never complained about any bugs or default installs or things that I "don't like" because I simply don't have the right. I didn't pay for it so why should I have any consideration from them.

      In the end I don't believe this change in practice would affect the "openness" of software in any way. It might change the nature of how people get their software. For instance Microsoft may choose to "give away" Windows to avoid multi Billion dollar lawsuits or you can pay a "super extra exorbitant" price for it in order to have the right and expectation that the software would behave as designed and the right to sue for damages if it doesn't.

      The market for software would likely change drastically but it might actually be for the better. I don't know that it would be for the better but it might.

      One possible scenario would be that home users get the benefit of free (as in beer) software subsidized by companies & corporations who would pay larger sums of money in order to have "someone to sue". Software in general would possibly get better/more secure, in fact this would be more likely, as there would be a greater incentive to make it work correctly in order to maximize the return on investment eg. collect money for a "perfect" product and not pay anything out because "it just works".

      As it is there is absolutely no incentive for Microsoft or any other for profit company to make their product secure because the customer can't do anything about it anyway.

      Open source coders would be affected by this in that it would level the playing field. We give our software away for free because of the nature of how it's developed. It is packaged up by other companies and sold as a product. These companies should have to be the ones that ensure it is "safe". In fact I can see nothing but benefits in the long term for everyone if users had the right to sue the manufacturer for bugs in the software that caused damages as long as you paid your hard earned cash in consideration.

      --
      Sure information wants to be free, but how much are you willing to pay for the packaging?
    43. Re:M$ worm. by tiled_rainbows · · Score: 1

      Where will we get our next incoming crop of Hackers? Give them a sandbox to play in.

      Even before hackers lay hands on their first keyboard, they are, typically speaking, going to have that anti-authoritarian/ contrary/ obstinate/ rebellious "hacker" mindset that would rebel totally against being forced to use some "safe" toy language just because some old guy with a computer license said they weren't allowed to play with the real thing. This wouldn't work on general society, let alone some of the most individualistic, anarchic members of it.

    44. Re:M$ worm. by mystran · · Score: 0
      I don't get this whining about MS installing software to your computer without you knowing.

      I mean, if MS wanted to install something without you knowing, MS could just as well ship that on the original installation CD. If you don't know what's already on your computer, why should you care what MS adds there..

      Now, I understand that people fear that MS changes something, that will cause something else to fail. I think this is the most important difference between the Open-Source (and UNIX) world and the commercial (and Windows) world; OSS gets written to specifications, Windows stuff to implementation.

      In OSS, if the underlying implementation is wrong, then somebody will fix it, and in the mean time people will find a work-around that doesn't touch the faulty part. In Windows software, it's not uncommon to rely on some undocumented feature, or even an error (I don't like the word "bug") in the implementation.

      I think that OSS is better here for 2 reasons: OSS can be fixed by whoever finds the error and in UNIX world there are more different implementations, more diversity, so one can't expect portability among different UNIX'es, or even versions, or even different CPU architectures, if one relies on errors.

      --
      Software should be free as in speech, but if we also get some free beer, all the better.
    45. Re:M$ worm. by walt-sjc · · Score: 1

      Dear dipshit (since you seem to stoop to name calling,) please read my original post. Notice the word "commercial".

      If you are a corporation selling a software product, you should be held liable just as auto manufacturers are held liable for defects (such as bad brakes, seat belts, etc.).

      If redhat wanted to NOT be held liable, they would give away redhat for free and charge for support. They, for the most part, do that now.

    46. Re:M$ worm. by slipstick · · Score: 1

      If your brakes were faulty by design, e.g. when turning right on a 90 degree day with 30% relative humidity your brakes fail, and you plowed through the crowd then the manufacturer of the car would be at fault and damn rights they would be forced to pay ALL damages. If you knew about a recall but hadn't done anything yet you also may be liable but I don't know.

      In the software world we don't have either consequence so no-one has an incentive to ever fix anything. Microsoft is liable for sure right off the bat or at least they should be since it's a manufacturer's defect. Even with a fix out most people likely didn't know about it. With a vehicle a mandatory recall means the manufacturer has to inform you by all possible means. Microsoft only posts some snippets on their website and hopes that everyone sees it. Even with Windows Update the best you ever see is "There are updates available for your computer". Sorry that doesn't cut it. How about "There are critical updates for your computer that will likely cause widespread computer failure and major loss of money and possibly your data it is imperative you update now!"

      The more I think about it the more it makes sense to me. If you pay money for a program the manufacturer must be held liable for "bugs"(e.g. defects) and no license should be able to remove that responsibility not even an Open source one. Note the requirement of paying gives any vendor/programmer a way out of liability as it should.

      --
      Sure information wants to be free, but how much are you willing to pay for the packaging?
    47. Re:M$ worm. by Metroid72 · · Score: 1

      Why not make software better?

    48. Re:M$ worm. by Daetrin · · Score: 1
      i agree that not knowing what's getting put on your machine is irksome, but this idea has sprung from two problems that everyone here is very aware of:

      1. people don't do their patches! blaster is all over the news yet a casual poll of my non-geek friends (the windows ones at least) showed that only one had done the patch!

      Some people are just idiots, but there are good reasons why some of them haven't installed the latest patch.

      I work at a video game studio, and last week we got a email from our sys-admin saying that the Blaster worm was going around, and we should install the attached windows patch from Microsoft to fix the security hole.

      Just ten minutes later we all got an urgent email from our sys-admin telling us NOT to install the patch if we hadn't done so already. Apparently the patch corrupts any 3D Studio Max files that are saved after installing it. Given that 3DS Max is the primary tool of about half the team, we obviously couldn't have half the people sitting around doing nothing to protect against Blaster. So instead he gave us the latest update to Norton Anti-virus. (I have no idea what happened to the artists who had already installed the patch before getting his warning. Is there an easy uninstall?)

      So the smart thing any sys-admin at a company is going to do is turn off the automatic update, however quite a number of home users are going to be really pissed when Microsoft automatically updates and it breaks some program that was important to the user but that Microsoft never thought to test against.

      --
      This Space Intentionally Left Blank
    49. Re:M$ worm. by hitmark · · Score: 1

      no a it tech, i have had contact with that kind before. some think that as they have the paperwork to prove that they know what they are doing no one can tell them otherwise (at least not a geek with no formal it education)... if attitudes like what he shows then at the end one would have licenses to get up in the morning and if you don't score 140+ on the iq test then you're removed from the system like some rabid dog (i know i'm going over the top here but history is full of one law leading to another...) sure it could be helpful if more people understood the basics in hardening an os but it would also help if the standard home os had all network features turned off as standard or at least only talked to stuff if the computer had been the initiating party (except for basic traffic to keep the net afloat that is). as for mail viruses, most can already be picked up by the mailservers as long as they stay updated. but one working solution could be a console style where stuff would either run off a cd/dvd (no write ability = no virus) and if a program was started from a RW medium then sandbox it to hell and back. the point is now that any program can access the ability to write to any other file, thereby allowing for viruses. this is more important to kill than stuff TCPA will kill...

      --
      comment first, facts later. http://chem.tufts.edu/AnswersInScience/RelativityofWrong.htm
    50. Re:M$ worm. by Anonymous Coward · · Score: 0

      Do you have any clue what a worm even fscking is?? But to answer your question, No, it most obviously would not be a worm. God you are ignorant.

    51. Re:M$ worm. by ryanwright · · Score: 1

      Don't forget the exciting new vulnerabilities, too...

      --
      -Ryan, with the unoriginal sig
    52. Re:M$ worm. by startled · · Score: 1

      "If 99.99% of the users can't read a book written in Latin should we:
      a) Translate the book
      b) Teach everyone Latin

      Only people who would even consider option b are computer engineers."

      Only people who think people who can't read Latin go out and buy lots of books in Latin write posts like yours. :)

    53. Re:M$ worm. by aleph+ · · Score: 1

      > Only people who would even consider option b are computer engineers.

      I think what you meant was "only computer engineers would even consider option b".

      What you wrote means "all computer engineers would consider option b", which is untrue.

    54. Re:M$ worm. by buysse · · Score: 1
      By law? No. But if their negligence causes significant damage, it is a civil tort. As much as I don't like the USian sue-everybody attitude, it has its uses. I don't want the government involved either, but people have to take responsibility for their action, or for their inaction.

      Freedom does not come without responsibility.

      --
      -30-
    55. Re:M$ worm. by Lord+Kholdan · · Score: 1

      By law? No. But if their negligence causes significant damage, it is a civil tort. As much as I don't like the USian sue-everybody attitude, it has its uses. I don't want the government involved either, but people have to take responsibility for their action, or for their inaction.

      Freedom does not come without responsibility.


      A better way to say that is "Freedom does not come without a price" and the 'problem' is that people are willing to pay the price of DDoS attacks and being spam bots but are not willing to pay the price of being responsible.

      Besides, would you really want laws that'd define that actions of 95% of people illegal? Do you think that kind of law would be respected? It'd get worse treatment than prohibition!

    56. Re:M$ worm. by buysse · · Score: 1
      Where do you draw the line? Just because I get a free car (in a hypothetical contest) does not mean that the company does not have liability. Price is not a good dividing line.

      Cheapbytes will sell me a CD with Debian. Is Cheapbytes now liable for defects in Debian? I can buy an OpenBSD CD, and in fact am encouraged to do so by Theo. Is that now commercial software?

      IE is a free download. Is it commercial software? [Note that IE is not only for Windows, there is a (neglected) IE for UNIX systems and a Mac version].

      Once the government is involved, all bets are off. My libertarian tendencies come out on this one. The feds need to stay out of this. If they get involved, it won't be to create liability for the (large donor) software companies like Microsoft, they will create additional restrictions on the market, like the SSSCA or requiring other "Trusted Computing" technologies (palladium, but without being able to turn it off) in all computers sold.

      And about the name-calling, I hadn't had my coffee yet. Never in a good mood without coffee. Once, I even ordered my wife to go clean the "fucking bathroom" before I had coffee. After my bones knit, I never did that again.

      --
      -30-
    57. Re:M$ worm. by buysse · · Score: 1
      See some of my other posts about this. I buy a CD from cheapbytes -- does this make someone liable? OpenBSD CDs are another good example.

      If you really want something interesting, look at the theories in the security community about SCADA systems, Windows DCOM bugs, and the Great Blackout(tm). I still will not grant that MS should be liable, even if that massive clusterfuck was because of a bug in their software. It was a known bug, and not patching it was criminal negligence on the part of the user, not the manufacturer. (Assuming, of course, that the DCOM bug has something to do with it, of which we'll probably never know. We'll never know because too many large donors to the administration own energy companies, who could be liable for anything except a freak accident.)

      --
      -30-
    58. Re:M$ worm. by buysse · · Score: 1
      Like I said, I don't want laws. The negligence is a civil tort, much as if your dog chewed on a three-year-old's arm when you didn't have it properly tied up. You had a responsibility to control that animal. You have a responsibility to make sure that the brakes work on your car. You have a responsibility to patch your systems.

      --
      -30-
    59. Re:M$ worm. by Mephie · · Score: 1
      What about insurance?

      Think about it. You buy insurance so you can be compensated when/if your system is hit by a security bug.

      Then, you're held responsible for your part in propagating a virus/worm if it happens, complete with fiscal responsibility.

      So, you get hit with a virus and it propagates via your system. Your insurance takes care of your liability. But you had to file a claim so now your premium goes up.

      Now, even the average, clueless user has a vested interest in keeping their system secure. And that interest is backed by the best possible motivator: Money.

      Why not, right?

    60. Re:M$ worm. by scalis · · Score: 1

      Any product in its original state that has not been handled carelessly can be recalled, that idea might work for cars or toys but not for software. A computer with an operating system with certain pre-installed applications that the user can never modify and which is automatically updated is detected to have a flaw? Sure, recall it.
      A computer modified by kids, reinstalled by dad, never patched by mom? I say no refund.
      And what about open source software? Sure, give them their money back... ;)

      --

      True ravers don't need drugs
    61. Re:M$ worm. by Lord+Kholdan · · Score: 1

      I'm sorry but I simply cannot support an idea that would make 95-99% of the population guilty.

      Laws create the minimum standards of morality that must be obeyed and it takes horrible twisting of that idea to create the system you want.

      Not to mention that it simply cannot work. Computer security is not something you can learn overnight. Maybe people even cannot learn it.

      And we should not require everyone to learn something as extensive as computer security to just benefit a small minority of computer users.

      Sure I get packets on my firewall. But that's not so bad compared to the idea of being sued because someone thinks I didn't take reasonable steps to protect my computer.

      Worms are an annoyance. Lawsuits are a threat.

    62. Re:M$ worm. by buysse · · Score: 1
      I'm not advocating that law -- I'm talking about use of laws that already exist. It is negligence to not fix this, especially something this high-profile.

      If you're running Windows 2000 or XP, there is notification of updates from Microsoft. You are told that an update is available, it offers to download it for you... unless you have explicitly turned this off. By doing so, you make a choice.

      Practically, suing the majority of the population will not happen, can't happen, and shouldn't happen. It does not absolve those people of the responsibility to prevent their systems from damaging others. People had almost a month after this patch was available to update. That's negligence, and it has caused damage. This specific worm isn't the best example.

      Here's a hypothetical for you -- BigCorp is running Windows, has no firewall, and has not patched its 8,000 desktops in 42 locations in over a year. A worm hits this corporation, and proceeds to DoS the root name servers from 42 different network feeds on different ISPs, taking out what most people call the Internet, for all practical purposes. Your company is doing B2B shit over VPNs on the Interweb. You are down for 6 hours, causing you to lose a contract worth over a million $$. Are they liable in any way, or is ignorance a valid excuse?

      --
      -30-
    63. Re:M$ worm. by Lord+Kholdan · · Score: 1

      Here's a hypothetical for you -- BigCorp is running Windows, has no firewall, and has not patched its 8,000 desktops in 42 locations in over a year. A worm hits this corporation, and proceeds to DoS the root name servers from 42 different network feeds on different ISPs, taking out what most people call the Internet, for all practical purposes. Your company is doing B2B shit over VPNs on the Interweb. You are down for 6 hours, causing you to lose a contract worth over a million $$. Are they liable in any way, or is ignorance a valid excuse?

      I'd say that that is a somewhat different case as while we cannot expect understanding and competence from home users we should be able to expect that from corporations. I'd call internet a high risk zone, if you want to risk your money by doing critical stuff here it's your own mistake.

      Should we perhaps move this problem at the ISP level? By definition they must have competence to handle these situations?

      If ISP receives complaints about ip x.x.x.x DDoS:ing in IP y.y.y.y the ISP of x.x.x.x should curtail all the traffic from x.x.x.x to y.y.y.y until problem is fixed or whatever?

      That'd be a solution that would be fair to all parties?

    64. Re:M$ worm. by danielsfca2 · · Score: 1

      The answer to worms is firewalls. Period. Not installing patches every other day.

      Everyone should get broadband, now. Sorry if that comes off as terribly elitist, but no one should be using dial-up anymore. It was okay five years ago, but it's just the wrong way to be networking. Using POTS for networking is like using a tricycle to commute 20 miles to work. Not its purpose and painfully inadequate. POTS is for voice, broadband is for data.

      The fault for low broadband adoption rates is partially the end-user's, for not placing enough importance on a reliable, fast Internet link. But it is mostly the fault of broadband ISPs for not providing Joe Averageuser a compelling price. Just as AOL offers Grandma a $7.95 plan for limited use, (Insert your local cable monopoly here) should offer a $19/month plan for about 192k-256k downstream. Joe Averageuser doesn't need large amounts of bandwidth, so this should be adequate. Then when he turns on his computer twice a week, he won't have to wait for a dial-up connection. The cable company wins, they don't have to provide much in the way of bandwidth, and Joe wins because he's paying the same as he paid his old ISP for a better connection. If he becomes a power user later he can "upgrade" to a plan more like what they offer presently.

      Now that we've solved the problem of universal broadband, let's move on to firewalls. Every ISP (broadband ISP, since dial-up ISPs should die off) should provide a basic router at minimal cost and require its use. My cable company rents me a modem for $3 a month, so they should raise it to $5 and put in a router, or swap my modem for a modem+router unit. Or you can supply your own and forego the charge. The ISPs should constantly scan for open ports 135, 137-139, 69, 445, 5000 and send out threatening letters to anyone who accepts a connection warning the user that if they do not install a router, they will be considered breaching the AUP and be terminated. Follow-up violators in a week and terminate if necessary.

      That is all the enforcement you need, since if they have no router, but never expose those ports, then they're probably not a threat to anyone since they're probably either running Mac OS X, another Unix variant (not that Unix is secure 100%, but who's seen 1000s of Unix boxes DDOS'ing or propagating a worm?), or Mac OS 9, none of which are playgrounds for script kiddies.

      The routers the cable company gives you (though you should be allowed to supply your own) should, by default, (A) not forward any of those ports we mentioned, and (B) block any large amounts of forged packets (to prevent DDOS attacks). (B) should be forced, because no one should want to take part in a DDOS attack.

      That will solve the problem of worms and general mischief, since you can't install/control a trojan or spread a NetBIOS worm to someone who's behind NAT. To solve the problem of e-mail worms:

      1. No one should use Outlook.
      2. Repeat step 1.

      Eliminating ActiveX exploits will require the same procedure, but for MSIE. Both of these products are inferior to many of their alternatives. There is little excuse for anyone to require their use or to use the products themselves.

      In conclusion, by following my plan, we can render security vulnerabilities in MS Windows irrelevant, because no one would be vulnerable to attacks on those vulnerabilities.

    65. Re:M$ worm. by cfuse · · Score: 1
      2. People should have to have a licence to own a computer and take a test so that they understand security issues. Now I realise that sounds a little extreme but if you take into account the cost in business that worms cause then it might be a good idea. It would certainly get rid of the ignorance defense.

      I have been arguing the same thing about reproduction. If we can prevent idiots from reproducing, then half the problem is gone already.

      Seriously, stupidity is the only thing on the planet of which there is a neverending supply.

    66. Re:M$ worm. by danaris · · Score: 1

      You're quite right, but aside from the safety features others are mentioning, someone can't pour sugar into your car from anywhere in the world and leave minimal traces. There are some limits to what we should require of software/OS programmers, I certainly agree with that. However, there are also limits to how far the computer == car analogy will take you. The digital world is far more mutable than the physical, and everyone's a step away from everyone else's doorstep. There should be precautions in place to make sure people can't pour sugar in your computer unless you're darn sure you want it to get a taste for the stuff.

      Dan Aris

      --
      Fun. Free. Online. RPG. BattleMaster.
  3. Not such a bad idea by JohnGrahamCumming · · Score: 4, Interesting

    If you RTFA you'd find that Microsoft is only "looking very seriously" at this idea,
    that it would not apply to business users of XP (since they want careful control
    of the patching of their machines), and that it would be possible to opt-out from
    the automatic updates.

    So if you are a business user you don't get automatic updates, if you are a home
    user of XP that is technically savvy you can turn it off, and if you are a home
    user who is not computer savvy then you are going to get automatic updates. This
    latter group seems like the ideal set of people to get automatic protection.

    John.

    1. Re:Not such a bad idea by John+Paul+Jones · · Score: 5, Insightful

      Automatic protection from running applications that break following a patch? At least a corporate user can call the helpdesk, while a novice home user would have no idea why something stopped working suddenly, and would chalk it up to "Computers are evil". The divide between the tech-aware and tech-unaware grows exponentially.

      --
      Feh.
    2. Re:Not such a bad idea by Psiren · · Score: 4, Insightful

      So who is held accountable when the latest patch breaks something and causes loss of data? The user, because they didn't opt out? Seems like a potential shitstorm for Microsoft there. If people are too dumb to patch their system with the existing Windows Update, how in the hell are they going to diagnose problems when it's being done without their knowledge?

    3. Re:Not such a bad idea by MP3Chuck · · Score: 2, Insightful

      "if you are a home user of XP that is technically savvy you can turn it off, and if you are a home user who is not computer savvy then you are going to get automatic updates."

      This is already the case...

    4. Re:Not such a bad idea by MImeKillEr · · Score: 2, Insightful

      How is this any different than the scheme they're using now? By default, automatic update is enabled for Windows. Anyone technically savvy immediately turns it off five seconds after installation is complete.

      Also, from the article:

      The next version of Windows, which analysts expect to be completed in late 2004, could be the first to let the Auto Update feature download patches from Microsoft without requiring the user's explicit approval. Microsoft is also considering whether to make the Auto Update mandatory earlier, through an interim upgrade known as a service pack

      and

      Harris Miller, president of the Information Technology Association of America, applauded Microsoft for considering the move.

      "People are going to have to accept mandatory updates as part of the warranty process, and that's exactly what Microsoft should be doing," Miller said. "You can't just send out a recall notice and hope that people come into the shop and do their maintenance."


      I didn't see anything anywhere in the article that said business users or technically savvy home users would be given the option of disabling the forced update.

      --
      Cruising the internet on my TI-99/4A @ a whopping 300 baud!
    5. Re:Not such a bad idea by swordboy · · Score: 5, Insightful

      If you RTFA you'd find that Microsoft is only "looking very seriously" at this idea

      Microsoft are MORONS. The fix for this particular worm required SP2 or greater. That is 8 hours and 10 minutes over dialup.

      Windowsupdate is a godsend for people with broadband but MS are going to be required to send CDs in the mail if they want to keep dial-up users up to speed.

      --

      Life is the leading cause of death in America.
    6. Re:Not such a bad idea by Randolpho · · Score: 4, Insightful

      Hmm.... you clearly don't get how Microsoft got to be so huge in the first place, do you? :) Home users actually want stuff like this.

      --
      "Times have not become more violent. They have just become more televised."
      -Marilyn Manson
    7. Re:Not such a bad idea by numbski · · Score: 5, Insightful

      Okay, now what happens when they decide to enter some draconian language into the EULA that you supposedly agree to by installing these patches....are you now just agreeing to whatever they want by simply using Windows? You now have no choice in this case?

      --

      Karma: Chameleon (mostly due to the fact that you come and go).

    8. Re:Not such a bad idea by Anonymous Coward · · Score: 0

      You start off with a RTFA then you finish your post with nothing but I think's and probably's.

      So your opinion should count?

    9. Re:Not such a bad idea by Henry+V+.009 · · Score: 5, Insightful

      If they don't know what a patch is, then they're in more danger of a virus attacking their computer anyway. So "the divide between the tech-aware and tech-unaware" shrinks exponentially, as viruses become far less likely. The very rare case of a WU breaking something will have little impact in comparison.

    10. Re:Not such a bad idea by jeffy124 · · Score: 2, Insightful

      Microsoft would find out about it. Thousands (millions?) of machines would suddenly stop working, making news headlines similar to Blaster. Hence, MS would be forced into doing something, like a patch to rollback an earlier patch. It may also get regular people asking if anything else is out there if it starts happening a lot.

      --
      The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
    11. Re:Not such a bad idea by DCheesi · · Score: 1
      This latter group seems like the ideal set of people to get automatic protection.

      They're also the people most likely to be using cruddy dialup connections. As mentioned in previous posts, forcing updates over 56K (or worse) is a VeryBadIdea(tm).

    12. Re:Not such a bad idea by Anonymous Coward · · Score: 3, Funny
      "The divide between the tech-aware and tech-unaware grows exponentially."
      ...and so do my consulting fees. [insert evil laugh here]
    13. Re:Not such a bad idea by fireduck · · Score: 5, Interesting

      how often do MS patches actually break things?

      I'm a home user. I've applied every critical update MS puts out. I apply practically everything available on the windows update site (even the beta versions of stuff like movie maker). I have never had a piece of software not work after applying an update. I think I'm a fairly typical home user. MS Office, MS Money, a bunch of games, photo editing software, winamp, random shareware. Stuff most people use. and stuff that has never broken on me.

      Software breaking is definitely a problem, but how often does it really happen? I'd imagine that the likelihood of these people getting a virus / worm is greater than the likelihood of an ms patch breaking a piece of software...

    14. Re:Not such a bad idea by ragingmime · · Score: 1

      Automatic protection from running applications that break following a patch?

      Well, you're right... but the alternative is to have this novice home user wondering, with no idea that a worm like Blaster is making the computer magically reboot. Malware like that is probably a more common problem than Windows Updates breaking software. And at any rate, I'd imagine that if a Windows Update wound up breaking something, it would probably be a more obscure program - which a novice wouldn't have anyway. Although I hate to defend the "Evil Empire", the automatic update seems like the better option to me.

      --
      I produce electronic music and write little games. Have a look.
    15. Re:Not such a bad idea by JohnGrahamCumming · · Score: 1


      I didn't see anything anywhere in the article that said business users or technically savvy home users would be given the option of disabling the forced update.


      Here are the quotes:

      "The company is "looking very seriously" at requiring future versions of Windows to accept automatic software fixes unless the user specifically refuses to receive them"

      "The company has no plans to consider forcing business users to install patches, because most companies are reluctant to do so. Some patches interfere with existing programs."

      John.

    16. Re:Not such a bad idea by Pirogoeth · · Score: 3, Insightful

      So you make the software update so that you agree to a EULA the first time you run it. As long as there are no changes, the patches get installed automatically. Any patch that brings a change to the EULA will not install. It would be downloaded, but a message would pop up saying that there is an update, and make you agree to the new EULA before it is installed.

      At any rate, I think the EULA changes come with things like new versions of the Media Player and the like. Those shouldn't be done automatically anyway. Only security patches should be automatic.

      As long as there is a way to disable it, I don't see why this would be a problem. The users who don't care about this are exactly the people that need it anyway.

      --
      Happiness is like peeing yourself. Everybody can see it but only you can feel its warmth.
    17. Re:Not such a bad idea by penguinboy · · Score: 5, Insightful

      "People are going to have to accept mandatory updates as part of the warranty process,"

      Since when does Microsoft include a warranty on Windows?

    18. Re:Not such a bad idea by eddie+can+read · · Score: 1

      would not apply to business users of XP

      Good, because my copy of XP is corporate. At least that's what the MASTERS OF DEADLY DOOM accompanying file says.

    19. Re:Not such a bad idea by Pirogoeth · · Score: 1

      Well, perhaps as part of PC Satisfaction, MS would actually have to test their patches sufficiently enough to make sure they work the first time, or at least make sure that your system can be rolled back if problems still pop up.

      --
      Happiness is like peeing yourself. Everybody can see it but only you can feel its warmth.
    20. Re:Not such a bad idea by geekmetal · · Score: 1

      But now is that a good security measure? Having a remote website download stuff on your machine and even install it without the user's knowledge?

      I still think the idea might be a good one for the novice home user, but it would be good if MS can clarify how the setup would work securely and take some input from the geek community on it by bringing it up for discussion.

      --
      There are two kinds of egotists: 1) Those who admit it 2) The rest of us
    21. Re:Not such a bad idea by TGK · · Score: 5, Insightful

      Where are my mod points when I need them? This is perhaps the single best argument raised in this thread. I'm a broadband user (ah the joys of in-home ethernet) and I'm in the process of putting together a new machine. It's running windows because some of the software my school requires is Windows only.

      Now, I've been downloading updates for the last hour or so now. I understand that the Microsoft site is probably pegged following all the media coverage of the latest worm, but nonetheless, I'm a broadband user and it's still taking me a significant chunk of time to download all these updates.

      Dialup can only be worse. If MSFT wants to keep the users current they've gotta either find some way of updating Windows that's not quite so hard on dial up (mailing CDs sounds good) or they need to find some way to bring the average patch size down. I have a hard time buying into the idea that the problems in the system really require a patch of that size. With a little more creative work you'd think they could find a more efficient way to insert the new code.

      --
      Killfile(TGK)
      No trees were killed in the creation of this post. However, many electrons were inconvenienced.
    22. Re:Not such a bad idea by Harbinjer · · Score: 1

      Whether or not they have a warranty, when was the last time someone benefitted from this warranty? It does not matter if there is a warranty if MS won't do anything about it, and suing them for service isn't easy.

      People used to complain about warranties and service on linux, and holding people responsible for when it breaks. But does anybody really hold MS responsible for when windows breaks? Has anybody ever gotten any money out of them when it did break?

    23. Re:Not such a bad idea by Anonymous Coward · · Score: 0

      It depends what you're running. If you only have MS software then you're unlikely to have a problem. As soon as you have anything else on your machine you are in deep brown stuff. I run several old, specialist programs that are essential, all of which have barfed on application of one patch or another at various times. I'm tech savvy so I can usually sort things out, but to a non-techie user it could cause serious disruption. OTOH perhaps there's a market in there ...

      Kate

    24. Re:Not such a bad idea by immel · · Score: 1

      This sort of thing could be exploited to force users to download viruses. Apple had to make several patches to its own software update program for this reason. Fortunately, nobody used this formerly-present flaw to their advantage.

      --

      10 Bits= $.25
      100 Bits= $.50
      110 Bits= $.75
      1000 Bits= 1 byte
    25. Re:Not such a bad idea by Anonymous Coward · · Score: 2, Informative


      http://www.discreet.com/products/gmax/gmax_interim_fix.html

      Well, actually, the entire 3DSMax product line is affected, but this was the best link I could find.

      Our sysadmins were also complaining about having something else broken, but I'm not sure what that was all about.

    26. Re:Not such a bad idea by RealErmine · · Score: 5, Insightful

      By default, automatic update is enabled for Windows. Anyone technically savvy immediately turns it off five seconds after installation is complete.

      Sounds like you're unreasonably paranoid. I've been using Windows 2000 for three years and whenever I need to reinstall (usually due to hard disk crashes or building a new machine. NEVER because the OS or Microsoft did something stupid) the first thing I do is go get all the updates. Nobody who is "technically savvy" wants to run a version of their OS that is three years old. Why? For reasons of security, stability, and compatibility with new software. Why not have the OS go find them for me?

      Stop speaking for me. I consider myself technically savvy due to my degrees in Electrical Engineering and Computer Science as well as my hobby of building PCs for my friends. At first, when a service pack added the auto-update feature to W2K, I had it set to let me verify updates, but then I noticed something: I kept hearing about worms and vulnerabilities in Windows on Slashdot and from my friends a day or two after I saw my PC automatically find the fix from MS. It certainly beats going to windows update myself after the fact. I let auto-update have free rein after that discovery.

      The fact is that most people who use Windows do not understand that they need to update their OS in order to keep their computer running. What's the first thing you do if you try installing a piece of software and it doesn't work? Roll back to an earlier backup? I doubt it. If your hardware seems to be working you go and get all the current driver and OS updates because developers usually release their software built on platforms with recent OS and driver versions.

      Obviously I think automatic updating could be a good thing, but there could be some problems. Nobody with a modem connection wants their OS to automatically dial in and start downloading 15MB patches. You also may not want your server to start downloading patches at peak traffic hours. I hope that MS leaves the option for user input for these reasons. It also only currently downloads critical updates. Their decisions about what is critical have been reasonable so far.

      One good thing that you might not see coming from the auto-update is that now you don't need Internet Explorer to use the windows update site.

      --
      Dewey, you fool! Your decimal system has played right into my hands!
    27. Re:Not such a bad idea by RoLi · · Score: 4, Funny
      Those shouldn't be done automatically anyway. Only security patches should be automatic.

      And Windows shouldn't crash. And there should be no war and no hunger. And there should be no need for any patches in the first place.

    28. Re:Not such a bad idea by Jucius+Maximus · · Score: 2, Interesting
      "How is this any different than the scheme they're using now? By default, automatic update is enabled for Windows. "

      The current scheme requires users to still click OK on the update.

      Keep in mind that 99% of users just want to use the computer and not worry about having to keep everything patched up and secure. They just want some sort of 'fire and forget' type solution that they just install and forget about it. This is why crap like Norton CrashGuard and such sells so well.

      I think that the automatic updates that don't require any confirmation is actually a good thing for typical end users.

      "I didn't see anything anywhere in the article that said business users or technically savvy home users would be given the option of disabling the forced update."

      And as to being able to turn it off:

      "The company is "looking very seriously" at requiring future versions of Windows to accept automatic software fixes unless the user specifically refuses to receive them, said Mike Nash, corporate vice president of Microsoft's security business unit." (emphasis mine)

      Any user who knows anything will turn it off by some setting in the control panel. But since 99% of users will use the default settings for everything, all the masses will get patched whether they know what that means or not and people like you and me can still turn the cranks manually and remain in control. I have no problem with that. (But I will laugh if some spyware hijacks the auto-updater to download more spyware or spambots or something.)

    29. Re:Not such a bad idea by Malc · · Score: 5, Insightful

      The last thing that I saw break my system was a patch or update to DirectX. After it installed, my laptop blue-screened on boot. I was unable to fix. After re-installing the OS (and everything else) at great cost to my time, the patch/update worked the second time.

      Right now we're holding off applying Win2K SP4 to our web servers. It contains a change to the security model that will break some of our ISAPI extensions. The fix is trivial, but we haven't had time to check it out on a test bed, nor deploy it to all our servers (unfortunately we have to do them manually as we don't have anything like SMS deployed).

    30. Re:Not such a bad idea by HomieJ · · Score: 1

      IE 6 Breaks Win98 (badly)-- and it is a RECOMMENDED patch according to Windows Update. Funny thing is now, you can't get IE 5.5 anymore. So for those running Win 98 you are stuck with 5.0 that came with it, 6.0 that breaks it, or Xp/2000 that costs $$.

    31. Re:Not such a bad idea by Anonymous Coward · · Score: 0

      I updated my home 98 system (which the family uses) last night with all the "critical" patches. Now the system won't even boot. I've got to rebuild the fucking thing (again). This sucks.

    32. Re:Not such a bad idea by ThosLives · · Score: 1
      Well, I didn't see this anywhere else, so here goes:

      Mac OSX already has something close to this - if you turn on the System Update notifier, it will check to see if there are updates as frequently as once a day and as infrequently as never. It will then open a box in the middle of your screen (for the "novice home user") and say, "There are updates available! Do you want them?". You can then download them only (to install later, perhaps), download and install right there, or tell it to ignore the update completely.

      I think this is a good solution - you are aware of the updates, but aren't forced to update. There is no "automatic" side to it at all, and the user still has control over his system.

      --
      "There are a dozen opinions on a matter until you know the truth. Then there is only one." - CS Lewis (paraphrase)
    33. Re:Not such a bad idea by Anonymous Coward · · Score: 0

      Hmmm. If my Windows is a Pirated Copy, doesn't that make my warranty void anyways?!

    34. Re:Not such a bad idea by Anonymous Coward · · Score: 0

      "how often do MS patches actually break things?"

      Too often. One of my work systems died Friday after visiting windowsupdate.microsoft.com. 5 of my coworkers had similar problems.

      I have never had a system infected by a virus. But I have had Microsoft patches break things. My experience is that Microsoft is a greater danger to my computers than anyone else.

      Microsoft needs to separate security patches from bug fixes and feature additions.

    35. Re:Not such a bad idea by socrates32 · · Score: 2, Informative

      If the automatically downloaded and installed patch doesn't require (or even allow) user intervention, then the user cannot be held to any "changes" to the EULA that came along with it.

      That's why there's an "I Agree" button in the first place. If you don't know a change happened, you can't have agreed to it. If you don't have the option to disagree, then you haven't agreed to it either.

      --

      -- "Quidquid latine dictum sit, altum sonatur."
      - Whatever is said in Latin sounds profound.
    36. Re:Not such a bad idea by jejones · · Score: 1

      Not necessarily. If it's a third-party program that breaks, they'll get the heat, not MS...and MS hasn't been above intentionally breaking third-party software in the past, vide "DOS isn't done until Lotus won't run" and the bogus warning when running Windows atop DR-DOS instead of MS-DOS.

    37. Re:Not such a bad idea by crazyphilman · · Score: 5, Interesting

      Well, I'm a developer, and I run Windows 2000 professional at home, with IIS and Visual Studio .Net installed. Wanna talk about patches breaking stuff? Here's my list of woes (noting that Linux has never given me this kind of trouble):

      1. If you install the O/S, then patch it, and THEN try to install Visual Studio, the Visual Studio installer crashes. The problem seems to be that if you install Microsoft's updated .Net packages before Visual Studio, Visual Studio can't handle that and it chokes.

      2. If you install the O/S, then Visual Studio, then Norton Internet Security (kind of important on a windows 2000 box, which doesn't have an integrated firewall), then try to update Norton and Windows, WHICH OUGHT TO WORK, Norton will update fine, Windows Update will crash several times, and the end result will be your IIS will stop working, so your Visual Studio won't be able to create VS.Net projects. I think this might be related to a recent patch, because it didn't happen before Service Pack 4 came out.

      3. If you have a recent copy of Roxio's CD burning software, it'll stop working after you update Windows. The app will start up, but it'll crash as soon as you insert a CD-RW into the drive. I've updated the software from the Roxio site, too, hoping that would help (no luck). It's got to be something in one of the windows patches. So, patch windows or burn CDs! You seem to have to choose one or the other. Older, no longer available copies of Roxio seem to keep working, so if you get a Rio Volt MP3 Cd-player, you can install the older software off of their disk (warning: this might not be true anymore).

      5. Windows patches keep restoring MS Outlook Express! If I kill it off, it keeps coming back like a friggin' vampire. It's the undead, unwanted email app. Actually, the only easy way I've found to kill it is to change the security on the Outlook Express folder so that no one has read-write privileges, then boot from a floppy and clean the thing out. This way, Windows can't keep putting the files back (Grr... Windows puts 'em back THREE SECONDS after you delete them, otherwise!).

      Ugh. I hate Microsoft. And, I'm a programmer who uses that platform! What does THAT tell you? ;)

      --
      Farewell! It's been a fine buncha years!
    38. Re:Not such a bad idea by edgezone · · Score: 1
      how often do MS patches actually break things?

      see: Q811493
      It caused complete freezing of my athlon laptop (mine wasn't the only case, as I found out about this by searching google).

      Now I have to check every time an automatic update notice pops up to make sure it is not listed. I can only imagine what would happen to a poor soul who didn't realize what was happening every time his/her computer froze and was completely unresponsive until rebooting (hard reboot only).

      --
      -- If you can't laugh at yourself, someone else will do it for you.
    39. Re:Not such a bad idea by aliens · · Score: 2, Interesting

      I applied all critical fixes to a friend's computer. Suddenly his NIC was not recognized. Uninstalling all critical patches didn't bring it back. It works fine on a base install of XP.

      But just imagine, you go to use your computer and boom, no more internet. Now you call your techie friend, he/she asks "What did you install recently?" Nothing that you know of, making both your lives that much more difficult.

      --
      -- taking over the world, we are.
    40. Re:Not such a bad idea by rhochhalter · · Score: 1

      Um, I'm running Win98SE and IE6 and have never had problems with the setup. Of course, I only run Windoze when I have to run some software that still doesn't run under Wine very well, or there is no Linux equivalent that works.

    41. Re:Not such a bad idea by Anonymous Coward · · Score: 0

      Get a clue on the fuckin products available to businesses ass

      Microsoft SMS and SUS (sus is free) automated (from a local source) of update patches in a business.

      Faggot

    42. Re:Not such a bad idea by MImeKillEr · · Score: 2, Insightful

      Sounds like you're unreasonably paranoid. I've been using Windows 2000 for three years and whenever I need to reinstall (usually due to hard disk crashes or building a new machine. NEVER because the OS or Microsoft did something stupid) the first thing I do is go get all the updates. Nobody who is "technically savvy" wants to run a version of their OS that is three years old. Why? For reasons of security, stability, and compatibility with new software. Why not have the OS go find them for me?


      And my argument (as is the argument of many others) is that it's my machine and I'll make the decisions as to which updates I need. Take, for example, the 'Critical update' for OE 6. Why would I need to install an update for OE when it's never been used on my computer? Sure, slap the latest Service Pack on your box - as long as it's relevant.

      There are also several documented instances where an update or service pack breaks another software component. In the case of my work system, the last service pack for 2000 would break Rational Robot. Yes, I know business users could disable the feature, but what about home users with the same software and the occasional VPN connection?

      Stop speaking for me. I consider myself technically savvy due to my degrees in Electrical Engineering and Computer Science as well as my hobby of building PCs for my friends.

      You sound more like someone who feels the need to brag about your college education. No? A simple 'I'm technically savvy' would've sufficed. No one here cares about your credentials.

      The fact is that most people who use Windows do not understand that they need to update their OS in order to keep their computer running.

      Bullshit. You only update your computer if a fix addresses a problem present on your PC. Ask anyone who works in support if you should apply all fixes simply because they're available.

      --
      Cruising the internet on my TI-99/4A @ a whopping 300 baud!
    43. Re:Not such a bad idea by micromoog · · Score: 4, Insightful
      If people are too dumb to patch their system with the blah blah blah . . .

      Too dumb? How about just not interested? Many people just want their computer to work, the way their car and dishwasher "just work". They couldn't care less about any of the technical details. Resistance from arrogant fucks like you has been holding this back, and Microsoft is finally making a bold move in the right direction.

    44. Re:Not such a bad idea by smithmc · · Score: 1

      If you RTFA you'd find that Microsoft is only "looking very seriously" at this idea,
      that it would not apply to business users of XP (since they want careful control
      of the patching of their machines), and that it would be possible to opt-out from
      the automatic updates.

      Um, isn't this how it works now? When I got my current notebook w/XP Pro on it, I recall being asked whether I wanted to have updates automatically installed, automatically downloaded but not installed (the option I chose), or to simply be notified that updates are available.

      --
      Downmodding is the refuge of the weak. Don't downmod, make a better argument!
    45. Re:Not such a bad idea by Anonymous Coward · · Score: 0

      I run the help desk for an online share dealing system. We have enough trouble with non-technical users now, let alone if MS starts changing their settings without them even knowing about it.

    46. Re:Not such a bad idea by Anonymous Coward · · Score: 0

      Wait a minute. Golden rule of software testing (in a single system environment):
      If it breaks you, and you clean install and it doesn't break you, you were probably running a driver which caused it.
      That's *especially* the case on laptops, because video drivers are generally vendor specific and slightly different than those of a card.

    47. Re:Not such a bad idea by spuke4000 · · Score: 1

      My company deploys an ActiveX control with a VBScript API as part of one of our products. Last February MS released a critical patch to fix a VBScript based security flaw, and it caused our app to stop working. The fix turned off some of the features that were in the Microsoft published VBScript API. We had to beg and plead with them to stop distributing the patch, and it took a month for them to solve the problem. Thankfully only a handful of users patched their machines, or our entire user base would have been out of the water.

      So, I think for the most part the patches don't cause problems, but MS is not known for their quality assurance, so I wouldn't bet money that a patch won't break anything.

      --
      This post cannot be rebroadcast without the express written consent of Major League Baseball.
    48. Re:Not such a bad idea by MImeKillEr · · Score: 1

      Yeah, I missed those when I skimmed the article. Thanks.

      --
      Cruising the internet on my TI-99/4A @ a whopping 300 baud!
    49. Re:Not such a bad idea by Anonymous Coward · · Score: 0

      If you were using XP you could have perhaps restarted in safemode and used system restore. I do wish there was restore console access to the system restore functions.

      The fact that you said you reinstalled the OS and everything else and then the patch worked, suggests you had a configuration issue in the earlier install that was just begging to kill your system. Most likely fucked up video driver stuff from installing / upgrading / upgrading / uninstalling / installing

    50. Re:Not such a bad idea by wavecoder · · Score: 1

      Software breaking is definitely a problem, but how often does it really happen?

      All the time! I've had patch installations crash the OS itself, not to mention various programs. The most recent patch (for the DCOM vulnerability) took down a mission-critical server for more than 24 hours a couple weeks ago. Such patches have disabled my modem and network card, messed up the sound and video, corrupted a driver for a floppy drive, and on and on. Microsoft not only releases beta-quality software as final products; they release alpha-quality patches.

      Not a M$ fan,
      Ed

    51. Re:Not such a bad idea by jspoon · · Score: 1

      "Too often. One of my work systems died Friday after visiting windowsupdate.microsoft.com. 5 of my coworkers had similar problems."

      They died?

    52. Re:Not such a bad idea by Anonymous Coward · · Score: 0

      Bullshit. You only update your computer if a fix addresses a problem present on your PC. Ask anyone who works in support if you should apply all fixes simply because they're available.

      Yeah, tell that to all the people that didn't install the DCE patch.

    53. Re:Not such a bad idea by Anonymous Coward · · Score: 0

      You'd be surprised! I work in a primarily Microsoft environment, and we had a security firm do some vulnerability assessments for us. They scanned our machines for vulnerabilities and provided a list of the MS patches to solve the problems they found.

      We installed all of the patches and they came in and re-scanned to verify that the patches had been applied and the vulnerabilities no longer existed. BUT... NEW VULNERABILITIES WERE FOUND THAT WERE NOT THERE PREVIOUSLY!! And the only thing that had been done in the meantime was the running of the MS patch! At least one of the patches we ran from MS screwed up and caused a new vulnerability. And if I remember correctly, the new one was much worse than the old in terms of exploitability.

      This is not necessarily a good thing....

    54. Re:Not such a bad idea by st0rmshad0w · · Score: 1

      Yeah, 30MB of updates over dialup sounds just grand to me, do I get to bill MS when my relatives start calling?

      How about MS mails you a CD with the updates as they come out, it's not like they don't have the spare change laying around.

      Fifty billion in the bank and their stuff is _still_ sub-par.

    55. Re:Not such a bad idea by Anonymous Coward · · Score: 0

      BINGO!

      "done without their knowledge"

      Could this be the REAL goal? nahhhhh... couldn't be.

    56. Re:Not such a bad idea by John+Paul+Jones · · Score: 1

      Please read the rest of this thread to get the general idea. Home users want things to work, period. They think in binary, even if they don't know it: "It works" or "It doesn't work".

      The issue is with the lack of acceptance of patch download/installations, and the saturation of low-bandwidth links while downloading SP[1-9] at 100+MB.

      Moderators, think before moderating. Posters, think before posting, please.

      --
      Feh.
    57. Re:Not such a bad idea by mercuryresearch · · Score: 1

      I had an original "Book PC" that I downgraded from Linux to XP Home Edition before giving it to a family member. Microsoft Windows Update (but not the XP Installer itself) misidentifies the modem hardware, and if update installs its driver, the modem is lost -- and it's the only network connectivity the device has in this application.

      So, basically, Windows Update will take this thing permanently off-line until a fairly advanced user can get the original driver re-installed.

      It's not how often it causes the problem, but the severity and frequency of updates. Every case I've seen windows update NOT work (and they are rare) has been a situation where the system is taken completely out of service. If this happens with even 0.01% of users we're talking about tens of thousands of systems *per update*. This is a major tech support issue.

    58. Re:Not such a bad idea by Anonymous Coward · · Score: 0

      I've seen SP3 for W2k Server cause my second hard drive (F:) to not be recognized upon a reboot. I had to go into the disk manager, give it a drive letter, and then change the drive letter to F:. Couldn't give it the drive letter F: in the first place, though, cause though it appeared to work, you couldn't access the drive.

      Yeah, sometimes MS OS's do some really screwy things...

    59. Re:Not such a bad idea by Anonymous Coward · · Score: 0

      So I guess the real question is: Would a non-tech savvy user even be running several old, specialist programs?

    60. Re:Not such a bad idea by HomieJ · · Score: 1

      It's pretty well documented in news groups and forums: Google Search

      Essentially, it destabilizes explorer when doing large file copies/moves/deletes. I can reproduce it with JUST Win98 and IE6 installed clean. You don't even have to run IE6 (I don't) it just needs to be installed.

    61. Re:Not such a bad idea by Dark+Lord+Seth · · Score: 4, Interesting
      No Updates Were Installed

      The following items failed to install. To try installing them again, click Review and install updates, and then click Install Now again.

      818529: June 2003, Cumulative Patch for Internet Explorer 6 Service Pack 1
      330994: April 2003, Security Update for Outlook Express 6 SP1
      Security Update for Windows 2000 (823980)
      823559: Security Update for Microsoft Windows
      816093: Security Update Microsoft Virtual Machine (Microsoft VM)
      814078: Security Update (Microsoft Jscript version 5.6, Windows 2000, Windows XP)
      Security Update, February 13, 2002 (MSXML 3.0)

      I like to think that I'm the only person where Windows Update consistently fails HORRIBLY but that'd be naive. At least I tried to apply every critical update. It somehow fails to download the files required. Good thing I got a decent firewall up and running because even the MS patching system is horribly shit. Ah well, that's the first thing to break down on a fresh (less than a week old) Win 2000 install.

      This also raises another question: How many people were affected by the worm because Windows Update simply fucked up for them? Even if WU would die on updating for even 1% of all users, how many people would it affect then? I only just found another way to manually download the patches to see if that'll work. Oh and this isn't the first time Windows Update fucks up. I've had it crash PCs, screw up installations and I've made it successfully install the same patch 5 times in a row.

      Woot for Windows Update! Adding another weak link in an already fragile chain which is Windows security!

    62. Re:Not such a bad idea by Anonymous Coward · · Score: 0

      So far every user we have that has installed Win2K SP4 has had trouble. The first got a BSOD and I had to re-install the operating system files. The next two complained of extreme slow down in their computer after installing the SP. Removing the SP restored their machine to normal speed but now stranger things are happening that weren't a problem before installing the SP. My advice: Stay away from Win2k SP4!

    63. Re:Not such a bad idea by Anonymous Coward · · Score: 0
      Of course, I only run Windoze when I have to run some software that still doesn't run under Wine very well, or there is no Linux equivalent that works.

      Well, of course... And whenever I travel overseas I say I'm Canadian.

    64. Re:Not such a bad idea by Slightly+Askew · · Score: 0, Flamebait
      First, you forgot step 4) Profit!!!

      Ugh. I hate Microsoft. And, I'm a programmer who uses that platform! What does THAT tell you? ;)

      *In my best Sean Connery*

      "It tells me that penguin loving morons such as yourself should try reading MS books instead of burning them!"

      --
      Public use of any portable music system is a virtually guaranteed indicator of sociopathic tendencies. -- Zoso
    65. Re:Not such a bad idea by jtdennis · · Score: 1

      It requires SP2 for Windows 2000, not XP. I've installed it on some pre-SP1 XP computers here with no problems. I've also noticed no speed problems with the auto update tool on my mother's PC using dial up. It downloads in the background and doesn't seem to be noticeable at all until the download is done.

      --
      -- "Freedom is the right of all sentient beings" -Optimus Prime
    66. Re:Not such a bad idea by MImeKillEr · · Score: 1

      I was one of those people. I haven't seen a single issue.

      --
      Cruising the internet on my TI-99/4A @ a whopping 300 baud!
    67. Re:Not such a bad idea by jellomizer · · Score: 1

      The main problem is security. Having 90% of the desktops with a port open will definitely be a good security hole.
      No matter how good and secure Microsoft makes it. It is a port that is open to the internet with access to the hole file system. This seems like only a matter of time. For real damage to occur.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    68. Re:Not such a bad idea by mr_z_beeblebrox · · Score: 1

      Or when NT SP4 broke the filesystem. If that's not a critical system I do not have any critical systems.

      The bottom line is test patches, but is that relevant to a home user. How many home users have a 'lab' PC?

    69. Re:Not such a bad idea by Anonymous Coward · · Score: 0

      Sounds like you're unreasonably paranoid.

      Has it occurred to you that people with illegal copies of Windows think auto-updates provide a way to detect they are using it illegally?

    70. Re:Not such a bad idea by Anonymous Coward · · Score: 0

      They never had warranty or accountability. However the propaganda fed to the public says otherwise, and therefore this is what is reported in news.com.com and sites like that.

    71. Re:Not such a bad idea by Xerithane · · Score: 2, Insightful

      Resistance from arrogant fucks like you has been holding this back, and Microsoft is finally making a bold move in the right direction.


      Thank you for pointing this out. People don't want to know how the computer works, they just want it to work. I want to write an email, push the email button on my keyboard and click send. That's how a car works. 2% of the American population could actually fix anything that goes wrong with their car, why expect it to be different?

      It's because of the computer elitist group (Hi Slashdot!) that computers "scare" people. They aren't interested, and would rather just have someone who is interested fix their problems. There is nothing wrong with that, and it doesn't make them stupid.

      (On a side note, there are a lot of stupid people, like those who use white-out on the screen, etc.)

      --
      Dacels Jewelers can't be trusted.
    72. Re:Not such a bad idea by CaptnMArk · · Score: 1

      You should really be getting the updates before putting the machine on the internet.

    73. Re:Not such a bad idea by Anonymous Coward · · Score: 0

      So I guess having no control over your computer is good... spyware, yes but it's needed for the update sorry,

    74. Re:Not such a bad idea by bourne · · Score: 2, Interesting

      So who is held accountable when the latest patch breaks something and causes loss of data?

      The same someone who is held accountable when the default OS installation is insecure and the system is compromised by a 2-bit, brain-dead worm.

      That would be... um... hmm... lessee... ah... tumbleweeds blow by in the hot desert wind... nobody, and certainly not Microsoft.

      You can be sure that whatever legalese is in the EULA puts the responsibility squarely on the administrator, where it belongs. If they don't choose to disable auto-patch, then they undertake that risk voluntarily.

    75. Re:Not such a bad idea by Anonymous Coward · · Score: 0

      "Microsoft needs to separate security patches from bug fixes and feature additions."

      Security patches *are* bug fixes, so no separations.

      Of course bug fixing should be perfectly isolated from feature additions, but this goes directly against a company whose benefits come from selling use licenses.

    76. Re:Not such a bad idea by evilandi · · Score: 5, Insightful
      downloads in the background and doesn't seem to be noticeable

      It'd be pretty damn noticeable on my British Telecom phone bill.

      Not everywhere has free/inclusive local calls, remember.

      --
      Andrew Oakley - www.aoakley.com
    77. Re:Not such a bad idea by Anonymous Coward · · Score: 0

      >That is 8 hours and 10 minutes over dialup

      Also, bear in mind that many users, at least in the UK, are on dial-up ISPs such as Freeserve, which disconnect you from the internet every 2 hours. So unless Microsoft implement this upgrade in such a way that you can download loads of 10meg (or so) files, then anything which would take 8 hours to grab would be *impossible to download*.

    78. Re:Not such a bad idea by Anonymous Coward · · Score: 0

      But then, *even in paper* such a company will break guarantee terms.

    79. Re:Not such a bad idea by Nothinman · · Score: 1
      Cars do a lot less than computers, you can do just about anything with a computer while a car has a single specific use. If you had a computer designed explicitly to send email it would work fine like that, but because you want the computer to also play games, do your taxes and play DVDs you have a much more complicated beast.


      Eventually computers will get to a point where 99% of things 'just work' but computers have had a lot less time to mature than cars have. Do you really believe people in the early/mid days of automotive travel just jumped in cars and everything worked?


      They aren't interested, and would rather just have someone who is interested fix their problems. There is nothing wrong with that, and it doesn't make them stupid.


      That's perfectly fine, in fact it's a good business for a lot of people. But the problem is that the people who aren't interested only call for help when something's broken, in the case of this worm a lot of people don't even know they have a problem. Paying someone periodically for general maintenance isn't something people want to do.


      Maybe we need a computer equivalent of the service engine soon light aka idiot light.

    80. Re:Not such a bad idea by westlake · · Score: 1

      and losing control of your system because you were too paranoid (or forgetful) to download a patch is better?

    81. Re:Not such a bad idea by Zemran · · Score: 1

      It may sound good to you but MS sell their products in many countries where it is illegal to access someone's computer without their permission. Click through agreements do not give any permission to anyone in most countries so I think this could result in some interesting litigation if anything goes wrong.

      --
      I love stacking my barbecues in the shed at the end of summer - you can't beat a bit of grill on grill action.
    82. Re:Not such a bad idea by Malc · · Score: 1

      And that excuse is acceptable in a system that uses automatic updates?

      Oh, it was Win2K and I'd been pretty careful with it too. More careful than with my desktop which ran Win2K without a problem 3.5 years until I trashed part of the system drive installing Grub to the wrong partition, followed by even more damage with dd.

    83. Re:Not such a bad idea by valkraider · · Score: 1

      with access to the hole file system

      Freudian slip?

    84. Re:Not such a bad idea by walt-sjc · · Score: 1

      Frankly, companies should be forbidden from making EULA changes in software patches. It's morally wrong. It's also one of the reasons I don't run Windows.

    85. Re:Not such a bad idea by Anonymous Coward · · Score: 0

      This is *NOT* insightful. Microsoft wants all this stuff of automatic updates coz:
      1/ Broadband users being 24x7 Internet connected take all and any virus, hiccup, worm or whatever opened there.
      2/ Broadband users are a big potential for distributed DOS attacks.
      3/ Points one and two put Microsoft in a slightly uncomfortable position regarding public opinion and class actions.

      Disconnected or modem-connected users don't exist, so why Microsoft should take care about them?

      That's all.
      Full stop.

    86. Re:Not such a bad idea by jtdennis · · Score: 1

      It only downloads when you're online, and doesn't automatically dial. So no, it wouldn't be noticeable.

      --
      -- "Freedom is the right of all sentient beings" -Optimus Prime
    87. Re:Not such a bad idea by abulafia · · Score: 2, Insightful
      blah blah insult blah use the fricken' value add books, jerk blah should try reading MS books instead of burning them!

      As opposed to a using a system that just works?

      --
      I forget what 8 was for.
    88. Re:Not such a bad idea by BagOBones · · Score: 1

      Well we now know what all that extra space on those new 100 GB + drives will be used for.

      --
      EA David Gardner -"... but the consumers have proven that actually what they want is fun."
    89. Re:Not such a bad idea by Psiren · · Score: 4, Interesting

      Too dumb? How about just not interested? Many people just want their computer to work, the way their car and dishwasher "just work".

      Sorry, I don't agree. I still have to fill my car with diesel, check the oil and water, pressure on the tyres etc. This is all essential end user maintenance. Granted, I don't poke around in the engine when something mechanical goes wrong. The same goes for computers. It's a general purpose machine. It is complicated, and that will always be the case.

    90. Re: Not such a bad idea by Black+Parrot · · Score: 2, Insightful


      > Microsoft are MORONS. The fix for this particular worm required SP2 or greater. That is 8 hours and 10 minutes over dialup.

      Think how fun it's going to be when you re-install your media and then get to download three years of cumulative updates.

      --
      Sheesh, evil *and* a jerk. -- Jade
    91. Re:Not such a bad idea by Anonymous Coward · · Score: 0

      Or...

      You could get the fuck off the internet you dial-up bitch. Dial-up died with the 90's. I have zero sympathy for llamas on modems who're too cheap to get broadband or too stupid to move to an area where they can get it.

      If you're even remotely serious about participating in the world today you'll get something faster than that tin can & string setup.

    92. Re:Not such a bad idea by g0hare · · Score: 1

      Gee, maybe you should try deploying SP4 thru Group Policies in Active directory - that way you wouldn't need SMS

      --
      Vote Quimby!
    93. Re:Not such a bad idea by Notre97 · · Score: 2, Informative

      You must not remember the NT SP6 fiasco. That thing broke complete systems, they had to release SP6a to get anything to work.

      If that had been automatically updated, there would be a lot of people in a world of hurt.

    94. Re:Not such a bad idea by Dog+and+Pony · · Score: 2, Interesting

      If people are too dumb to patch their system with the existing Window Update, how in the hell are they going to diagnose problems when its being done without their knowledge?

      You make it sound like they would ever be able to diagnose a problem.

      A user of this class will not be able (or even try) to diagnose the problem, whether they have a machine that has never been patched, or if they now-and-then click through windows update (they never read any of the information there anyways) or if the patches are installed without them knowing.

      All they know is that the computer behaves odd or stops working. Then they call someone.

      Maybe some patches will break their computers. I'd rather have that than another stupid worm running around hogging my precious bandwidth. ;)

    95. Re:Not such a bad idea by swilver · · Score: 1
      The fact is that most people who use Windows do not understand that they need to update their OS in order to keep their computer running
      If it isn't broken, do not fix it.

      Known problems are better than unknown new ones.

      If I have a computer which works and does what I want it to (even if it has some minor KNOWN quirks), there's no reason to "fix" it and run the risk of the "fix" breaking my perfectly working system.

      Upgrades and Fixes are often the same thing in Microsoft's dictionary. Unfortunately, this means that if you just want exploit #35783 fixed, you have to upgrade your Internet Explorer, Direct X drivers, MediaPlayer, etc.. as they are "required" for this "software" to function "correctly".

    96. Re:Not such a bad idea by Anonymous Coward · · Score: 0

      Why is this funny?

      It's not funny that Windows crashes.

      It is not funny that people die from war.

      It is not funny that people die because they lack food, expecially considering there's enough food in the world.

      (A brief sidenote, a major part of the reason food is not shared is because there's not enough profit in "sharing". That's some seriously unfunny shit.)

      There will always need to be patches, I am sorry. The perfect design, perfect testing and the perfect coding is an illusion limited to the designers, testers and coders' own perspective.

    97. Re:Not such a bad idea by zoombat · · Score: 1
      I like to think that I'm the only person where Windows Update consistently fails HORRIBLY but that'd be naive.

      Yep, Windows Update has issues. There's been lots of discussion on NTBugTraq about problems with Windows Update. See this one about MS03-026.

      Think about it.. if the Windows gurus in the NTBugTraq community are confused by the behavior of Windows Update, how the heck are regular consumers supposed to reliably use the service???

      And you raise a good point. If WU can't reliably patch your computer, how can pushed patches from MS be any better? If you're counting on your computer being automatically patched by MS and the updates are failing, isn't the perception of security when there is in fact none even worse than nothing at all?

    98. Re:Not such a bad idea by Anonymous Coward · · Score: 0

      I remember a time when it was possible to purchase Windows service packs on CD for a small fee to cover overheads. Is this still possible?

      Still, what I'd probably do would be to just download the service pack once and write it to a CD so that if I was to reinstall later, or make a fresh install on another box, I would have the latest service pack (which contains a rollup of all previous service packs and fixes, right?) and be essentially up to date, aside from a few small security updates which will eventually form part of the next service pack.

    99. Re:Not such a bad idea by valkraider · · Score: 1

      1. I think exactly 3 people in this discussion have actually read the article. Maybe less.

      2. This is simply ridiculous. The "upkeep" of a computer is the responsibility of the owner - not M$. People like using cars as an analogy. Well, YOU have to maintain your own car. YOU have to change the oil and the timing belts and fuel filters and air filters etc etc etc... If failure to do any of the required maintenance causes mechanical failure - the car maker warranty is void and YOU are responsible for the cost of repairs. If YOU drive the car poorly, or hit too many potholes, or take the passenger car off-roading, YOU will be responsible for repairs. If there is a flaw that is the fault of the car maker - they usually will fix it for free - and notify users via a recall, but YOU are responsible for bringing the car in and YOU are responsible for keeping up to date about recalls.

      I don't know about you, but when I pay > $20k US for something I expect a good amount of service to be included, but most consumer computers nowadays are costing less than $500 US and people *still* want all the problems fixed for free...

      People are responsible for their own crap. If they don't like it they should not use computers. If they cause too many problems the ISP should disconnect them or charge them a nuisance fee. If YOU don't like that THEY don't secure their systems, secure YOUR system and there's no big deal. How hard would it have been for ISPs to simply block all RPC traffic on their network? People have a basic responsibility for their own actions that we are starting to move away from. For some reason no one is ever responsible for anything anymore... Except M$ and the government of course...

    100. Re:Not such a bad idea by Anonymous Coward · · Score: 0

      Ugh. I hate Microsoft. And, I'm a programmer who uses that platform! What does THAT tell you? ;)

      That you're a whore?

    101. Re:Not such a bad idea by the_Bionic_lemming · · Score: 1
      Well, I'm a developer, and I run Windows 2000 professional at home, with IIS and Visual Studio .Net installed. Wanna talk about patches breaking stuff? Here's my list of woes (noting that Linux has never given me this kind of trouble):


      I have five fully patched win2000 boxes: two of them with both VS6 and .Net, one with SQL 2000, one with just VS.Net, and another handling a satellite connection for three boxes.

      Never have a problem with updates locking applications. No BSD's. IIS runs just fine. The Main home system is great for gaming as well as programming.

      I think the key here is hardware going into the box. I rarely buy cheap stuff when I build my boxes - as such everything but the US Robotics drivers are Pretty Much Standard drivers that ship with 2000.

      As for Linux? The first time I tried loading red hat it burned my seventeen inch monitor out. Course - that was five years ago - I haven't been too eager to try it since.. ;)

      --
      _ _ _ Go for the eyes Boo! GO FOR THE EYES!
    102. Re:Not such a bad idea by BrynM · · Score: 1

      Don't forget to cater to the most popular analogy here. "And my car should always run". Which doesn't always happen unless you buy a new car. Maybe that's what MS is eventually planning. Break it until they have to buy a new one.

      --
      US Democracy:The best person for the job (among These pre-selected choices...)
    103. Re:Not such a bad idea by E-Rock · · Score: 1

      You can order CDs for SPs, if you're a TechNet member they send everything to you. If you're a Pro you should be slipstreaming the SPs into your install CD. Our SP4 install discs only need a handful of patches after install instead of the 60-100+ you'd need off a SP0 install.

    104. Re:Not such a bad idea by ph117 · · Score: 1
      95% of the time the patches install fine. It's the other 5% that's the problem though.

      When I finally got broadband I managed to cripple my PC by installing Win2k SP2. In its wisdom the installer decided to decompress the files to my decidedly flaky second drive and install them from there. Halfway through the install process I got a nice message telling me that the CRC on the file had failed, and would I like to retry. I had no way of finishing or aborting the process, and on reboot I just got a blue screen every time.

      Admittedly I should have backed up my system before installing (not to mention not using a drive I knew to be dodgy as spare space!). At the end of the day the kind of users that don't install patches for themselves are also the kind of users who aren't going to be running regular backups.

      Software breaking is definitely a problem, but how often does it really happen? I'd imagine that the likelihood of these people getting a virus / worm is greater than the likelihood of an ms patch breaking a piece of software...

      Yeah, but at the end of the day, whose decision is that to make? Mine or Microsoft's (or the author of an anti-worm?)

    105. Re:Not such a bad idea by john.r.strohm · · Score: 1

      There's just one LITTLE problem with that theory.

      If the machine stopped working, IT NOW ISN'T WORKING AND YOU CAN'T DOWNLOAD THE PATCH TO IT!

      "Auto update" is treating the symptom, not the disease. The disease is Microsoft's apparent inability to write reliable, secure code, as evidenced by their track record on exploitable buffer overrun vulnerabilities.

      Brethren and sistren, do you realize that, by the simple expedient of outlawing temporary buffers on the stack, Microsoft could kill most of their buffer overrun stack smashing problems ALL AT ONCE?

    106. Re:Not such a bad idea by squidfood · · Score: 1
      how often do MS patches actually break things?

      I lost Apache twice. Holy conspiracies, Batman!

    107. Re:Not such a bad idea by Uart · · Score: 1

      I believe you can already set XP Pro to auto update. Some of the systems we have here at school (Villanova) already do that.

      --

      Opinionated Law Student Strikes Again!
    108. Re:Not such a bad idea by pmz · · Score: 1

      Home users actually want stuff like this.

      But they don't understand why or how (sigh).

      The big problem is that Microsoft, historically, has made tremendously awful decisions regarding configuration management in their operating systems. The Registry is an abomination, the windows\system directory is an abomination, their "third party code at fault" smoke and mirrors doesn't help, etc. etc. etc.

    109. Re:Not such a bad idea by Anonymous Coward · · Score: 1, Funny
      OS Joke Cliche Alert:

      WARNING: The preceding post has violated the OS Joke Cliche rule. This "joke" has taken the form of a cheap shot towards a familiar OS without any supporting detail substantiating the claim (possibly ruining the "joke"). In fact, the lack of supporting data causes the "joke" to be increasingly unfunny.

      This particular "joke" relied on the following unsubstantiated data:

      (___) Linux/Windows/OSX users are better than other users
      (_X_) Linux/Windows/OSX is better than other operating systems
      (_X_) Windows crashes all the time
      (___) Microsoft spelled "Micro$oft" or "M$"
      (___) Microsoft is out to get you
      (___) Linux users are a bunch of smelly hippies

    110. Re:Not such a bad idea by Zebra_X · · Score: 1

      The answer to your question is:

      For home users, not often on up to date machines.

      For developers, servers, and business users it is a different story. Most of the problems that are reported are coming from the business side of the fence.

      Basically mandatory patching for the most "dangerous" user group is acceptable. Businesses should have a higher degree of control over what happens on their computer and developers... well they are responsible for bugs so they need to deal with them too :-) after all they are the most tolerant group of users.

    111. Re:Not such a bad idea by profplump · · Score: 2, Informative

      If you haven't had Windows Update break things then you're not technically savvy, at least insofar as you have never supported more than 5 machines. Out of my 350 machines I find that at least every other SP or major patch breaks something. Often it's every major patch. It doesn't always break all the machines, but it almost always breaks something.

      I honestly can't understand why you wouldn't want to understand the patches you're installing. You might even want all of them, but you still ought to understand what they are supposed to do. This is not an opportunity afforded to you by Windows Update, and it certainly wouldn't happen with automagic updates.

      So thank you very much, but I'll keep being "unreasonably paranoid" and get my patches the old fashioned way -- by reading security advisories and deciding which patches I need.

    112. Re:Not such a bad idea by pmz · · Score: 1

      And there should be no need for any patches in the first place.

      If the patches were simply for very small bug fixes on a fundamentally sound architecture and implementation, then I would be happy and eager to apply patches. After all, improving an already good thing is good, right? However, Microsoft's patches guarantee no improvement, and, sometimes, they are a step backwards with EULA changes, DRM integration, and potentially broken configurations.

    113. Re:Not such a bad idea by mustangsal66 · · Score: 1

      how often do MS patches actually break things?

      Ummm... Let's start with a fun one. On a Friday, MS released a 'security' patch. I did a little reading on it, and installed it on my wife's Laptop running XP home. No sooner did she reboot, but the Microsoft wireless pcmcia card would no longer work. My RedHat laptop has no problems connecting, neither did my playstation2.

      While this was annoying for the patch to break connectivity, it actually secured the device!

      She couldn't get out, and they couldn't get in!

      The only true way to secure a computer 99% is to unplug it, and lock it in a safe.

      O'Doyle Rules!

      --
      Why worry? Each of us is wearing an unlicensed "nucular" accelerator on his back.
      Sig changed for readability by G.W.
    114. Re:Not such a bad idea by pmz · · Score: 1

      I was unable to fix. After re-installing the OS (and everything else) at great cost to my time, the patch/update worked the second time.

      This is the worst part about Windows--it breaks in non-repeatable ways. I don't know where all the dirt collects within Windows, but it appears Microsoft doesn't know, either!

    115. Re:Not such a bad idea by Xerithane · · Score: 1

      Cars do a lot less than computers, you can do just about anything with a computer while a car has a single specific use.

      Really? For whom? Not for the average individual. Saying that a car has a single purpose is much like saying a computer has a single purpose. If a computer can do anything, then why do we need so many other things except for a computer? Computers for the masses are for checking email, surfing the internet, and working in office. Cars are much more important, and do much more for them. Cars are much more complex, both mechanically and technologically speaking. Cars still just work. You don't have to reboot a car, and it doesn't delete your groceries when it crashes either.

      Eventually computers will get to a point where 99% of things 'just work' but computers have had a lot less time to mature than cars have.

      Computers have been around since 1945. Cars started in the late 1800's (1886, iirc). So that is a 60 year deficit. A 1940s car was still much more stable and easy to operate than your consumer based car.

      That's perfectly fine, in fact it's a good business for a lot of people. But the problem is that the people who aren't interested only call for help when something's broken, in the case of this worm a lot of people don't even know they have a problem. Paying someone periodically for general maintenance isn't something people want to do.

      This is why a self-patching computer is a good thing! Let's look at the outcomes of a self-patching computer vs. a non-patching computer:
      Virus/Worm released: Kills non-patched computer. Patched computer works fine.
      Bad Patch released: Maybe kills patched computer, but will probably be able to be fixed easily soon. Non-patched computer sits there waiting to be exploited.

      Why is there an issue with self-patching computers? For home users, this is a great idea.

      --
      Dacels Jewelers can't be trusted.
    116. Re:Not such a bad idea by the+web · · Score: 1

      I think I'm a fairly typical home user.

      Hardly! You seem to know how to do stuff!

      The typical home user thinks the monitor and gui are the "computer" and the computer is just the "disc/hard drive".

      The typical home user doesn't even understand the difference between an output device and a mother board.

      --
      __
      Thou hast besquirted me, O leotarded one.
    117. Re:Not such a bad idea by monique · · Score: 1

      It's not the 'update' part that bothers me; it's the 'automatic' part.

      Not running automatic updates is *not* the same as never updating. Some people, like me, like to know what we're about to put on our machines.

      --
      -monique
    118. Re:Not such a bad idea by cowbutt · · Score: 1
      If MSFT wants to keep the users current they've gotta either find some way of updating Windows that's not quite so hard on dial up (mailing CDs sounds good) or they need to find some way to bring the average patch size down.

      Like rsync or xdelta, you mean?

      xdelta's even BSD-licensed, so there's nothing to stop them integrating it today. But again, Microsoft's arrogance and NIH-attitude stops them from recognising that outsiders might just have solved problems years before they even recognised the problem.

      --

    119. Re:Not such a bad idea by fat_mike · · Score: 1

      Dude, just go to Jiffy Lube. They'll do all that for $25. And they usually have good, up-to-date magazines.

    120. Re:Not such a bad idea by buysse · · Score: 1
      They also don't want to upgrade their car or their dishwasher to add capabilities -- like installing new software. I can just imagine the call to BMW now... "Well, the car stopped working correctly after I installed the new hovercraft attachment, and I need you to fix this now." That shit doesn't happen, because you don't expect the car manufacturer to give you new functionality. What software updates (or say, installing a new game, which most home users demand) do is add new functionality to a device. You can't compare that to a dishwasher, unless you can install a mod in your dishwasher to let it wash clothes or the cat.

      I'm going to leave the "resistance from arrogant fucks like you..." alone, but would you buy a computer that you can't add software to? Would you then complain that even though it just works, for the exact things you bought it for, you can't run the new Flash XP-MX-27.3?

      --
      -30-
    121. Re:Not such a bad idea by pmz · · Score: 1

      Well, I'm a developer, and I run Windows 2000 professional at home, with IIS and Visual Studio .Net installed.

      Perhaps the problem is that you are a developer that relies on Windows 2000, IIS, and Visual Studio as a development platform? The complexity of these products is so great and so uncontrolled that I'm surprised that they work at all.

      I do programming using 20-year-old technology, where the source code of my tools probably hasn't changed in five years. Practically nothing breaks, everything is predictable, and most all my time is geared towards progress rather than troubleshooting my platform of choice (in this case, Solaris).

      Ugh. I hate Microsoft.

      Yeah, I do, too.

      And, I'm a programmer who uses that platform! What does THAT tell you? ;)

      I long ago decided that I would choose a different career before I would be forced to work full-time with Microsoft's products. So far, I've been successful in staying with Solaris with only brief glimpses of Windows in my SunPCi environment. If this doesn't continue to pan out, and the economy stays in the sewer, I'll go self-employed and take that risk before getting pimped out by Microsoft.

    122. Re:Not such a bad idea by _randy_64 · · Score: 1

      I installed all the XP Pro critical and security upgrades to my home box as soon as I finished the install (with SP1). The Windows File Search function stopped working, Media Player immediately crashed at startup, and Yahoo Messenger didn't work. Had to re-install XP. This was a brand new install, not an upgrade. So I'm a bit leery of doing any more updates. Yes I did do the update for the latest worm.

      --
      I mod down all the "free iPod"-sig losers.
    123. Re:Not such a bad idea by Neophytus · · Score: 1

      that is until you try to browse with all 5kb/s used up by the patching

    124. Re:Not such a bad idea by pmz · · Score: 0, Troll

      Many people just want their computer to work, the way their car and dishwasher "just work".

      Then, people should just buy a Mac and shut up. Microsoft is the "American car" of the computer world--i.e., the people who buy one should have read Consumer Reports, first.

    125. Re:Not such a bad idea by Anonymous Coward · · Score: 0

      Hmmmmmm... Red Hat Linux "burned out" your 17 inch monitor just from installing it? It couldn't have been mere coincidence could it? How much did Billy Gates pay you to post that comment?

    126. Re:Not such a bad idea by Vulcana · · Score: 1

      You would be surprised.

      I have just gone through patching our NT4 workstation boxes. (we have some mission critical software which only runs under NT) There is one patch which is part of the critical patch lists that would 90% of the time render the machines unbootable. I have two machines that I have to reinstall from scratch because I wasn't able to recover them.

      It took me a while to isolate the specific patch which blew up the machine.

      Also MS Project 2000 installed on a windows NT 4 workstation would blow the machine up about 50% of the time.

    127. Re:Not such a bad idea by pmz · · Score: 1

      Dialup can only be worse.

      Given that an update might take eight hours of download time on a dial-up connection that is reliable for only two or three hours at a time...

      That just isn't a recipe for happy customers.

      Thankfully, I have all my home computers behind a draconian firewall (it's only me using it, so it is damn strict), so keeping each and every internal computer patched up to the latest day-old patch set simply isn't a concern. So my OS is three months out of date...I just don't care...I'd love to see anyone try to connect from the outside. Sure, there's always the splitting-hairs "what if" scenarios of malicious JavaScript, for example, but I'm comfortable with those tremendously minuscule odds.

    128. Re:Not such a bad idea by germinatoras · · Score: 1

      I couldn't agree more. The car analogy works well here. Somebody who never changes their oil or checks the coolant level on their car is going to have big problems before too long. I guess it stems from computers being sold as "magic boxes" instead of complex machines, which is what they really are.

    129. Re:Not such a bad idea by jtdennis · · Score: 1

      This makes me wonder what percentage of people posting in this thread have ever even used the auto update feature.

      --
      -- "Freedom is the right of all sentient beings" -Optimus Prime
    130. Re:Not such a bad idea by delus10n0 · · Score: 1

      Come on, man. Quit trolling! I already gave you a solution in my other reply to you.

      Ignorance is no excuse. Nor is "my internet is too slow to download patches, so I won't do it! No siree!"

      --
      Not All Who Wander Are Lost
    131. Re:Not such a bad idea by delus10n0 · · Score: 1

      Then apparently you're a dumbass and either don't know about "System Restore" or don't care.

      Oh yeah, there's also a little button on a device's properties page that says "Roll Back Driver". Try pushing it next time.

      Genius.

      --
      Not All Who Wander Are Lost
    132. Re:Not such a bad idea by Wudbaer · · Score: 1

      Well, yesterday evening I installed SuSE 8.2. The online update after the install also needed around half an hour on a DSL connection. So what's your point again?

    133. Re:Not such a bad idea by delus10n0 · · Score: 1

      Ok, getting a bit tired of the "dialup" excuse.

      Microsoft has always offered Service Packs on CD for just the cost of S&H.

      Or you can always go to a friend's or an internet cafe with highspeed internet (or your work), download the patches/SP's, and burn them to a CD.

      Sheesh.

      --
      Not All Who Wander Are Lost
    134. Re:Not such a bad idea by Anonymous Coward · · Score: 0

      Windows 2000 Service Pack 3 and above is not compatible with my old system: a Dual PII-350 with an ASUS motherboard.

      Now, because of a known issue with that particular Motherboard, Win2k only works properly with that system if I override the installer's autodetect and tell it that my system does NOT support ACPI, but once installed it was about as solid as windows could get. However, as soon as I install service pack 3 (or 4), my system becomes horribly unstable.

      This happens every time -- even when updating from a fresh install.

    135. Re:Not such a bad idea by Bert64 · · Score: 1

      Not to mention people who pay for bandwidth usage, if your machine goes and downloads the huge ms patches without your knowledge, it could cause an unwelcome bandwidth charge.
      So, could MS be held responsible for this?

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    136. Re:Not such a bad idea by crazyphilman · · Score: 1

      It's not my fault. I work for my state's government, and they're a Microsoft-only shop. Most of my stuff at home runs on FreeBSD or Slackware Linux, with one iBook running OS/9 (it's kind of a mascot, it's too cute to discard). I wanted to run a single desktop machine using Windows so I could take work home, and it was such a pain in the ass to get it working correctly I'm almost ready to just give up and dump it. I'm SO fed up with it... Working with it is just painful.

      I can get everything to work if I don't patch it, and I just keep it off the network. But then I won't know if any apps I build will work on a patched machine. It's just a great big pain in my ass. I'm getting close to just putting Slackware on it and dumping all my Windows CDs.

      If I need to work, I can always stay late I guess. Our work machines all seem to be working... Which implies that if I tinker enough, eventually I could get my home machine to work. Heh. I can't wait for the next time some Windows evangelist tries to give me a song and dance about how windows doesn't require tinkering...

      --
      Farewell! It's been a fine buncha years!
    137. Re:Not such a bad idea by delus10n0 · · Score: 2, Informative

      GAH!

      Ok, people. You really need to research this.

      XP and 2003's auto updating feature uses the "Background Intelligent Transfer" service. This service will throttle itself to only download using "leftover" bandwidth. If you're not using your internet connection, it chugs along full steam ahead. If you start to use it, it throttles back and gives you priority.

      Read all about it here before whining about how slow it will make your dialup.

      Plus there's always the option of downloading the SP/hotfixes elsewhere and burning them on CD. Or just ordering the SP from Microsoft. Sheesh.

      --
      Not All Who Wander Are Lost
    138. Re:Not such a bad idea by crazyphilman · · Score: 1

      Yeah, really. I mean, I used to run Slackware on that box, and I never got any trouble from THAT... The only reason I put windows on it was so I could bring work home if I had to, but it's been a royal pain in the butt. I'm going to put slackware back on, I think. I never really had any trouble with it. Here's something funny: I found writing firewall rules for iptables easier than working with Norton Internet Security! I don't like firewall GUIs. They're too nonintuitive.

      --
      Farewell! It's been a fine buncha years!
    139. Re:Not such a bad idea by crazyphilman · · Score: 1

      Yeah, but my problems had nothing to do with hardware. For one thing, my IIS just up and died. No warning, no messages, just dropped off the face of the earth. And, what about Roxio ceasing to function? That's not necessarily a driver issue. That is more along the lines of the CD burning software. Unless a driver was killed off and Roxio crashed on accessing the driver (admittedly possible). That PC was a Compaq, using their built-in CD-RW drive, so I'm not talking about cheap-crap hardware (well... Ok, it's Compaq, but still).

      I think that an O/S shouldn't start working poorly because you installed a driver. And, different people shouldn't get different results (like my home machine choking, and yours NOT choking). Another thing -- if you already have .Net framework installed, shouldn't VS.Net be able to detect that, and work around it??? I mean, come on, I'm not asking them to build me a base on mars, here, I just want to be able to patch my machine. It shouldn't be so difficult.

      --
      Farewell! It's been a fine buncha years!
    140. Re:Not such a bad idea by Sloppy · · Score: 1
      Either you believe in EULAs, in which case you are already screwed right now, even before they do this. Or you know EULAs are a lie and you are permanently immune to this sort of attack.

      The risk you are describing isn't technical or legal. It's mental.

      --
      As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
    141. Re:Not such a bad idea by crazyphilman · · Score: 1

      Hey, remember older versions of Linux where you would configure X manually with XFree86? I bet he didn't look up his monitor's settings, and tried one of the more aggressive ones. That'll fry a monitor quickly, or so I hear. But, still -- that's his own fault, X warned him not to play too fast and loose with the settings!

      --
      Farewell! It's been a fine buncha years!
    142. Re:Not such a bad idea by the_Bionic_lemming · · Score: 1

      nothing AC.

      5 years ago you had to be real careful with what frequency you set your monitor to. The default frequency for the red hat install just happened to be one that would cook the tube.

      --
      _ _ _ Go for the eyes Boo! GO FOR THE EYES!
    143. Re:Not such a bad idea by Overly+Critical+Guy · · Score: 1

      I keep hearing this FUD. What apps have ever broken after a patch? In all these years and all the computers and networks I have patched, not a SINGLE app has EVER stopped working because some security hole was plugged by a critical update.

      --
      "Sufferin' succotash."
    144. Re:Not such a bad idea by Slightly+Askew · · Score: 1
      I'm confused when it became flamebait to use humor to demonstrate a point about ignorance of a subject not being a defense for belittling said subject. Perhaps I should elucidate.

      One of the original poster's points was that their stuff gets rewritten by Windows three seconds after they delete them. This is a feature called Windows File Protection (WFP). It is used for the same reason that the current topic of discussion is being considered...users who do not know what they are doing screwing up their systems. In this case, if someone accidentally deletes an important system file, or they install an outdated, unsupported software that would break their current system files, the OS fixes the problem automatically. If you don't like it, spend 10 seconds on google.com and find an article like this that tells you how to turn it off.

      As opposed to a using a system that just works?

      I don't recall telling anyone they should use any specific OS. To me, that is akin to telling them which God to worship. However, it does appear that the original poster is being forced to use Windows. Therefore, I recommended that they study up a little on the OS they are using and find ways around the things they hate. To someone familiar with Windows, saying you hate windows because of WFP is like saying you hate Unix because there is no GUI. How much research would it take to discover X?

      BTW: For those who missed the reference, and therefore the joke...here you go (about 1/4 of the way down).

      --
      Public use of any portable music system is a virtually guaranteed indicator of sociopathic tendencies. -- Zoso
    145. Re:Not such a bad idea by pixelite · · Score: 1
      "You don't have to reboot a car, and it doesn't delete your groceries when it crashes either."


      I don't know about you but I have seen many cars that needed rebooting. Ever seen someone pushstart a car because it just died on them? What about the car that needs the timing readjusted so that it doesn't choke itself and turn off, they need restarting, too. I'll grant you the part about the groceries, though, that is something that I have never seen.

      --
      >>Sig under construction
    146. Re:Not such a bad idea by Overly+Critical+Guy · · Score: 1

      DirectX isn't listed as a "Critical Update." Your driver probably crashed.

      You just said your ISAPI fix is trivial.

      What's the problem?

      --
      "Sufferin' succotash."
    147. Re:Not such a bad idea by the_Bionic_lemming · · Score: 1

      Let's flip this around, and you tell me why I have no lockups, BSOD's or even incompatibility issues?

      What other apps do you use? If you're a programmer you should know all about DLL hell - a completely unrelated program could have altered a DLL that roxio needs - Have you run the IIS lockdown tool? How have you configured your local permissions?

      All sorts of things could be happening to cause your issues - but as I said - I don't have those issues. I use win2k at work or at home for most of the day - the boxes at work stay up 24/7 and the ones at home get booted up every day when I get home from work.

      So you tell me? Why do you have issues and I don't?

      --
      _ _ _ Go for the eyes Boo! GO FOR THE EYES!
    148. Re:Not such a bad idea by Repugnant_Shit · · Score: 1

      But if you're really technically savvy, you're
      a) running a firewall, so many exploits won't hit you.
      b) not running insecure software (Outlook, IE, etc).
      c) smart enough to realize patches can cause problems, so maybe you'd like to wait 3 or 4 days until others have tried it

      d) Not running Windows anyway :)

    149. Re:Not such a bad idea by John_Booty · · Score: 1

      If you RTFA you'd find that Microsoft is only "looking very seriously" at this idea, that it would not apply to business users of XP (since they want careful control of the patching of their machines), and that it would be possible to opt-out from the automatic updates.

      As long as you can opt-out of it, and the "automatic update" feature is used ONLY for security fixes and not for "upgrades" that change the computer's functionality in perhaps-undesirable ways, I'd support the enabling of an "automatic update" feature by default on their OS installs.

      Essentially, an Automatic Update feature is the ONLY way an end-user is gonna get security patches. And even "knowledgeable" users forget or don't always have the time to install a security fix. (Suppose a new exploit hits while you're away for a 3-day weekend or something) Experience has definitely shown that huge numbers of people are simply NOT gonna keep their machines updated. You may wish that it was otherwise, but in my book an Automatic Update feature is simply a way of facing reality.

      And experienced users could just turn it off. Or, use Linux instead. But I think you can see the value of something like this running on your grandmom's computer. After walking my girlfriend through the process of ridding her family's computer of the Slammer virus, I'm all for something like Automatic Update.

      Hmm, maybe Microsoft writes these virii themselves in order to make us eager to accept their evil Automatic Update scheme. Yeah, just like the U.S. flew planes into the WTC just so they could get the Patriot Act passed. Wait, I forget if I'm joking or not anymore... :P

      --

      OtakuBooty.com: Smart, funny, sexy nerds.
    150. Re:Not such a bad idea by Anonymous Coward · · Score: 0

      On #3, I think you just found Bill's new 'feature' that was created for RIAA...

    151. Re:Not such a bad idea by crazyphilman · · Score: 3, Interesting

      I beg your pardon!

      I don't "hate" windows because of WFP. I merely find WFP aggravating. I hate windows because windows doesn't work predictably, and frequently chokes on things it shouldn't choke on, like patches and updates. FOR EXAMPLE, I find it irritating that A) the installation of service pack 4 crashed, and B) that my IIS immediately stopped working afterwards, and C) because I now have no IIS, I can't create new Visual Studio .Net projects, so D) I can't bring work home, which E) was the only reason I set up that infernal Windows box in the first place!!! Please, explain to me why exactly windows' failure to survive this chain of events relates to a lack of knowledge or ability on my part. I promise I will pretend to find your explanation fascinating, and I'll even drink a double espresso and stay awake for the whole thing. No promises though.

      --
      Farewell! It's been a fine buncha years!
    152. Re:Not such a bad idea by AirRock · · Score: 0

      But you've already agreed to it by letting the Auto Update run as it wants. It'll probably say in the EULA that M$ can change it whenever they feel like it without checking with you. And because you've let it, you agreed to it.

    153. Re:Not such a bad idea by crazyphilman · · Score: 1

      That's a good question; the only things I installed on that box were: Windows 2000; IIS (not the lockdown tool, because I'm just using it locally, and not serving to the web); Visual Studio .Net (the Visual Basic Standard Edition, no bells or whistles); Roxio Easy CD Creator for CD burning; and Norton Internet Security. All I did was update Norton Internet Security, then run Windows Update. Windows update choked on Service Pack 4, and IIS died without a whimper, never to work again (can't even call up the administrative app). And, YES, I did try working with it as administrator, so it's not a permissions issue.

      Note that if I put off installing Visual Studio .Net, I could get through all the Windows Updates, but then, the installation of Visual Studio .Net would fail. One of the admins at work pointed out that if you install the .Net framework, then try to install Visual Studio .Net, that won't work. VS.Net has to get installed first.

      Anyway, this doesn't affect my point. My point is, I shouldn't have to worry about all this weirdo bullshit when all I want to do is install a freakin' patch and have my system still work the way it did before the patch. Ok? MY WHOLE PROBLEM with windows is that I can't install my stuff, and update my system, without parts of the system suddenly going tits-up without warning. And, I think that's a valid beef.

      It doesn't matter that YOU can do it with no trouble. It should work without trouble for everyone, especially at the prices they're charging.

      --
      Farewell! It's been a fine buncha years!
    154. Re:Not such a bad idea by WarpedMind · · Score: 1

      Gee. I thought Microsoft got to be so big by building and then illegally maintaining a monopoly through FUD and unfair trading practices.

      Building a quality product that people actually WANT has only occurred to them recently.

    155. Re:Not such a bad idea by Mryll · · Score: 1

      Yep. Unfortunately Joe User who is ignorant of the internals of his system is neither willing to learn needed skills for maintenance, nor to pay a pro for maintenance until the damn thing is broken beyond their ability to use it at all. In some sense they deserve the limited utility and reliability that they get from their systems. OTOH it's messing it up for everybody else now that they're on the global network. The only idiot-proof systems will by necessity have limited flexibility.

    156. Re:Not such a bad idea by Pfhreakaz0id · · Score: 1

      I always wondered why they (and not just Microsoft, lots of folks), include entire files that need to be updated. They are just binaries. Patch the file. I know WISE had a patch maker that you could point at multiple previous versions of files that could be updated. We used to use this to update a binary Access database (I know, I know...) for customers back in the days before broadband. That 30 mb Access database patch was never more than 600 or 700K even when we included every possible older version, and we updated once a month or so for several years.

    157. Re:Not such a bad idea by Anonymous Coward · · Score: 0

      The problem is that a car and a dishwasher are MECHANICAL, there is very little that can change on these things over the course of time. ie you turn your steering wheel left, the car goes left. The dishwasher washes dishes.

      A computer is a LOT different! The software is DYNAMIC, it changes, daily! You need both the hardware AND the software for the thing to work.

      Your CD/DVD player does the same thing day after day, but does the software? Of course not!

      There is so much -shit- running in the background of a Windows box, nobody can figure out what's what. How well do all the services behave between each other? Try the 3 finger salute sometime just to see how many processes are running. I have a P4 running XP, and I average about 30??

      50% are internal windows processes, and I assume (read better have) a required function. The rest are user functions.

      Consider Murphy's law, how would it apply to a system with 30 events happening all at the same time??

      The auto update idea is decent, for a Bill idea, however...

      What about security of the update server?

      Would the update be sent using encryption? Would the software calculate checksum info? How would it verify it? The server itself would be a honeypot for hackers, it would provide a relatively simple way to distribute warez, trojans, spyware, you name it...

      What makes it better, the owner of the box would not even have a CLUE what was on it.
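
The questions in comment 157 (would the client calculate a checksum, and how would it verify it) can be made concrete. The sketch below is an added example, not part of the thread and not Microsoft's update protocol: the Ed25519 key pair, the manifest fields, the `kb-example` name and the payloads are all constructed assumptions. It goes slightly beyond the comment by also refusing a replayed older patch.

```javascript
// Added example: constructed keys, manifest and payloads. Not Microsoft's update protocol.
const crypto = require('crypto');

// Stand-in for the vendor's signing key pair. In a real deployment the private
// key never leaves the vendor; the client ships with only the public key.
const vendor = crypto.generateKeyPairSync('ed25519');
const PINNED_PUBLIC_KEY = vendor.publicKey; // assumption: pinned at install time

const sha256Hex = (buf) => crypto.createHash('sha256').update(buf).digest('hex');

// Vendor side: describe the patch and sign the exact manifest bytes.
function signManifest(privateKey, name, version, payload) {
  const manifest = Buffer.from(JSON.stringify({
    name, version, size: payload.length, sha256: sha256Hex(payload),
  }));
  return { manifest, signature: crypto.sign(null, manifest, privateKey) };
}

// Client side: returns 'ok' or the reason the update is refused.
function verifyUpdate(pinnedKey, installedVersion, manifest, signature, payload) {
  // 1. Authenticity first, over the raw manifest bytes, before any parsing.
  let signed = false;
  try {
    signed = crypto.verify(null, manifest, pinnedKey, signature);
  } catch (e) {
    signed = false; // malformed signature input counts as a failure
  }
  if (!signed) return 'bad-signature';

  const m = JSON.parse(manifest.toString('utf8'));

  // 2. Freshness: a genuinely signed but older patch must not be reinstalled.
  if (!Number.isInteger(m.version) || m.version <= installedVersion) return 'rollback';

  // 3. Integrity: the payload must be the one the signed manifest describes.
  if (payload.length !== m.size) return 'size-mismatch';
  const want = Buffer.from(String(m.sha256), 'hex');
  const got = crypto.createHash('sha256').update(payload).digest();
  if (want.length !== got.length || !crypto.timingSafeEqual(want, got)) return 'hash-mismatch';

  return 'ok';
}

function runScenarios() {
  const installed = 5; // version currently on the client (constructed)
  const patch = Buffer.from('constructed patch body v6');
  const good = signManifest(vendor.privateKey, 'kb-example', 6, patch);

  // Payload altered in transit or on a mirror; signed manifest untouched.
  const altered = Buffer.from('constructed patch body vX');

  // Update server replaced outright: it serves its own payload with a matching
  // checksum, but can only sign with a key the client has never pinned.
  const rogue = crypto.generateKeyPairSync('ed25519');
  const roguePayload = Buffer.from('constructed rogue payload');
  const forged = signManifest(rogue.privateKey, 'kb-example', 6, roguePayload);

  // An old, genuinely signed patch served again.
  const oldPatch = Buffer.from('constructed patch body v3');
  const old = signManifest(vendor.privateKey, 'kb-example', 3, oldPatch);

  return {
    genuine: verifyUpdate(PINNED_PUBLIC_KEY, installed, good.manifest, good.signature, patch),
    alteredPayload: verifyUpdate(PINNED_PUBLIC_KEY, installed, good.manifest, good.signature, altered),
    rogueServer: verifyUpdate(PINNED_PUBLIC_KEY, installed, forged.manifest, forged.signature, roguePayload),
    // A checksum fetched from the same server as the file agrees with it by construction.
    checksumOnlyWouldAccept: sha256Hex(roguePayload) === JSON.parse(forged.manifest.toString('utf8')).sha256,
    replayedOld: verifyUpdate(PINNED_PUBLIC_KEY, installed, old.manifest, old.signature, oldPatch),
  };
}

console.log(runScenarios());
```

A checksum published next to the download only detects corruption; it is the signature check against a key the client already holds that makes a compromised or spoofed update server fail.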

    158. Re:Not such a bad idea by Anonymous Coward · · Score: 0

      I think what the poster meant, was that the update is run MANUALLY not AUTO. They didn't say 'turn it off' just 'disable automatic update'. I don't run that damn thing in auto, and I bet you don't either.

      Only joe sixpack should, for the reason that he doesn't have a sniff of what is even on his box, or what it does.

      As for downloading through Explorer, I can't stand it. I would rather d/l updates using FTP. And install them with the box offline. Much safer...

    159. Re:Not such a bad idea by Anonymous Coward · · Score: 0

      Arguments 1, 2, 3 and 5 are valid. But anyone who uses a piece of software as consistently buggy and hideous as Roxio deserves whatever they get. Buy a copy of Nero.

    160. Re:Not such a bad idea by crazyphilman · · Score: 1

      An A/C said: "Arguments 1, 2, 3 and 5 are valid. But anyone who uses a piece of software as consistently buggy and hideous as Roxio deserves whatever they get. Buy a copy of Nero"

      Nero, eh? I'll have to check that out. Nothing we've done has gotten my poor mom's copy of Roxio working again. We've really given up on it. You know, I noticed while the machine was being patched, a text string flashed about fetching new Roxio files... During Windows update! I'll check Nero out and see how it works. Thanks!

      --
      Farewell! It's been a fine buncha years!
    161. Re:Not such a bad idea by Alsee · · Score: 1

      Building a quality product that people actually WANT has only occurred to them recently.

      When did THAT ever happen?

      OH! Perhaps you are thinking of their "security initiative"? That's little more than Microsoft-speak for TrustworthyComputing aka DRM. They are mainly working to secure the computer AGAINST the owner.

      That's just another example of Microsoft using their monopoly to force on people exactly what Microsoft wants them to have, against the desires of the customer.

      -

      --
      - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
    162. Re:Not such a bad idea by jpop32 · · Score: 1

      Microsoft are MORONS. The fix for this particular worm required SP2 or greater. That is 8 hours and 10 minutes over dialup.

      What, dialup is the only connection to the whole wide world that you can possibly think of getting Service Packs?

      It didn't occur to you to look for it elsewhere?

      I'll bet you whatever you want that you can walk up to a news stand anywhere in the civilized world and find a computer magazine that has a CD with latest Windows SP on it, _right_now_.

      Or, it never did occur to you, in your immense smart-assly wisdom, to try asking someone you know with a computer if he possibly has it?

      In my book, a MORON is a person that downloads Windows SP over dialup.

      And you dare post on Slashdot? Geez...

    163. Re:Not such a bad idea by lubricated · · Score: 1

      If you buy a retail copy of a consumer version of windows (windows xp, windows me) you get 2 incidents of general usability support and unlimited installation support. That is the warranty included with windows. People do call microsoft for support all the time. Especially to get rid of the blaster worm, which microsoft will help you get rid of for free without using an incident (if you stay on hold long enough).

      --
      It has been statistically shown that helmets increase the risk of head injury.
    164. Re:Not such a bad idea by Quixadhal · · Score: 1
      then Norton Internet Security (kind of important on a windows 2000 box, which doesn't have an integrated firewall)
      It never ceases to amaze me how many people nowadays seem to feel that a "firewall" is something that is (or even can be!) integrated into a desktop computer.

      Go spend $50 on a router, or scrounge up an old P133 and install linux/bsd/whatever on it... you're FAR better off than relying on any software firewall which sits on top of your buggy windows kernel.

      I'm not trying to M$-bash here (although it IS fun), but just pointing out that if your "firewall" runs in software on the machine it's supposed to protect, then it is vulnerable to any attack which can compromise any aspect of that machine... including the tcp stack itself.

      And as for Norton.... the quickest way to make a win2k installation unstable (at least in MY experience) is to install any Norton product. The funniest of the lot is Norton's Crash Guard. My friend installed this thing and went from an occasional blue-screen to about three a day.

    165. Re:Not such a bad idea by jpop32 · · Score: 1

      I'm a broadband user (ah the joys of in-home ethernet) and I'm in the process of puting together a new machine.

      And it didn't occur to you to ask around and get your combat gear (latest SPs, updates, patches, essential shareware and stuff like that) before you actually got around to installing stuff on the machine? At the very least you could round up a dozen of cover CDs from computer magazines, you would find everything there, sure thing.

      You are not a very resourceful guy, are you? Please turn in your geek badge at the 'logout' button.

      IMHO, no geek should leave home without a set of CDs that allow him to turn a pile of boxes into a fully functioning, secure computer. To not even have a set, that's unheard of.

    166. Re:Not such a bad idea by Slightly+Askew · · Score: 3, Informative
      I think one problem is the assumption that just because a SP is released, it will work perfectly in every situation without any other updates. This is silly. There is no way to test an OS update with every single piece of third-party software under the sun.

      2. If you install the O/S, then Visual Studio, then Norton Internet Security (kind of important on a windows 2000 box, which doesn't have an integrated firewall), then try to update Norton and Windows, WHICH OUGHT TO WORK, Norton will update fine, Windows Update will crash several times, and the end result will be your IIS will stop working, so your Visual Studio won't be able to create VS.Net projects. I think this might be related to a recent patch, because it didn't happen before Service Pack 4 came out.

      Under known issues with SP4, I found this, which, I believe, addresses your Norton problem in item 2.

      3. If you have a recent copy of Roxio's CD burning software, it'll stop working after you update Windows. The app will start up, but it'll crash as soon as you insert a CD-RW into the drive. I've updated the software from the Roxio site, too, hoping that would help (no luck). It's got to be something in one of the windows patches. So, patch windows or burn CDs! You seem to have to choose one or the other. Older, no longer available copies of Roxio seem to keep working, so if you get a Rio Volt MP3 Cd-player, you can install the older software off of their disk (warning: this might not be true anymore).

      What CD burner do you have? I have found a reference to Sony burners failing with SP4 unless you install a fix from Roxio here, which may cover #3.

      5. Windows patches keep restoring MS Outlook Express! If I kill it off, it keeps coming back like a friggin' vampire. It's the undead, unwanted email app. Actually, the only easy way I've found to kill it is to change the security on the Outlook Express folder so that no one has read-write privileges, then boot from a floppy and clean the thing out. This way, Windows can't keep putting the files back (Grr... Windows puts 'em back THREE SECONDS after you delete them, otherwise!).

      I have already addressed #4(or 5 :-)) when I discussed WFP.

      1. If you install the O/S, then patch it, and THEN try to install Visual Studio, the Visual Studio installer crashes. The problem seems to be that if you install Microsoft's updated .Net packages before Visual Studio, Visual Studio can't handle that and it chokes.

      That leaves #1 which, I too, had this problem with. However, all I did was go to add/remove programs, uninstalled the .NET framework that windowsupdate installed, then restarted VS.NET installation. Worked fine after that, and I just skipped the .NET framework recommendation on the windowsupdate site (it was not a "critical" update, anyway).

      The point being that as awesome as the resources and support are for Linux and other open source OSes, there is a multitude of free support for Windows as well. I don't infer that this relates to a lack of knowledge or ability, but perhaps a lack of effort to resolve the problem?

      --
      Public use of any portable music system is a virtually guaranteed indicator of sociopathic tendencies. -- Zoso
    167. Re:Not such a bad idea by Metroid72 · · Score: 1

      Hey AC he's gotta make a living though.
      Is it a sin now to be on the wrong side of GPL/Linux/*nix/Free Software?
      The last time I checked we were all humans and we need to pay bills, eat, etc.

    168. Re:Not such a bad idea by crazyphilman · · Score: 1

      Actually, I do possess a D-Link hardware firewall, and I hook my laptops into it when I use 'em. However, I had thought it might be a good idea to try and install the Norton product, as it contained antivirus software, a software firewall, and so on. Feh.

      So you think it might be Norton screwing me up? Huh. Well, it IS a pretty good possibility. I guess I could rely on the D-Link, and leave Norton off. Kind of a shame about the Antivirus software being integrated though. I hate throwing away that cash... Ah, well. What can you do?

      P.S. I don't think you meant to say that you can't integrate a firewall with a PC; you even point out that you can create a PC firewall using Linux or a BSD. I think you meant to say you can't put a software firewall in a WINDOWS box and expect it to do anything (other than annoy you), a point with which I'd have to say I agree. I need that Unix-style kernel firewall support.

      --
      Farewell! It's been a fine buncha years!
    169. Re:Not such a bad idea by Anonymous Coward · · Score: 0

      I've had MS patches break things, including windows before.

      When I used to run NT4, I religiously got every published update. One was supposed to improve security for TCP/IP, and was released shortly before a major service pack, I think SP4.

      It turned out that the SP was not compatible with the hotfix. Installing both resulted in complete loss of the IP stack. An updated version of the service pack (SP4a)? was released a couple of weeks later to fix this problem.

      I've had a couple of minor problems, mainly applications failing after hotfixes and service packs - so I've been hesitant to apply updates immediately - and my policy until recently was to wait for a month so that the patches had been fully publicly vetted. I ended up getting hit by the blaster worm.

      You can't win.

    170. Re:Not such a bad idea by aliens · · Score: 1

      Well there were no Driver Updates listed in these updates. These were all "Critical Updates".

      And system restore is not always an option, it will turn off. This one must have been turned off awhile ago when he filled up his drive with crap (mp3's/games). It would have been nice to have that option.

      But what does it matter? I've seen System Restore not work well just as often as it does. It's great when it works, but it doesn't always.

      My point was that with automagic updates and something breaks the average user is left confused and annoyed. MS has to try and protect themselves from nightmares like this, but are automatic updates it?

      Lastly I know this is Slashdot, but please try and grow up. Your post could have simply been,

      "Did you use System Restore? Or did it install a new driver? You know you could have used RollBack Driver in the control panel then"

      --
      -- taking over the world, we are.
    171. Re:Not such a bad idea by crazyphilman · · Score: 1

      Well, here's my answer about the "lack of effort" jibe.

      When I'm working with Linux, I'm using Slackware, which is almost 100% volunteer-built and mostly nonprofit. So, since it's more of a do-it-yourselfer linux than most, you kind of expect to have issues, and to have to research them; you're inclined to cut it a lot of slack (pardon the pun). The fact that Slackware can be acquired for free enhances one's desire to cut it some slack. The fact that it's very high quality helps also. You feel like, "Hey, these guys put all these tools together for me, for nothing. They just GAVE it to me. So, you know, if a few things go askew, and I have to do some extra work, that's ok, no hard feelings."

      Contrast this with Windows. You have to pay upwards of 200 bucks for the professional edition, plus another hundred bucks just for the entry level, "standard edition" VB.Net development tools. Add about seventy bucks for Norton Internet Security, another fifty bucks for Roxio (because God forbid Microsoft offers you built-in CD-Burning tools), and so on... You've spent about four hundred and twenty five bucks just buying some basic software. Maybe I'll be forgiven for feeling that having to run around and do a lot of bullshit research just to install a fucking PATCH strains my goodwill just a tad! I'm not annoyed at you, per se. But I think that if I'm going to have to lay out almost the price of a NEW PC for some software, then the very least I should expect is for that software to work as expected without having to run around "researching". And, let's just briefly consider the difference between Linux "research" and windows "research": under Linux, you're researching how to code firewall rules, how to set up config files, etc. You're RTFM'ing, ok? Under Windows, you're digging around for arcane notes about how model A of the Sony CD-RW doesn't work with Roxio! I mean, COME ON already! It ain't the same.

      BTW: I don't have a Sony CD-RW, so your Roxio tip didn't tip me off to anything. And, my Roxio WAS patched up to the current level -- and still didn't work. Nyah.

      I'm not annoyed at you for basically calling me lazy and blaming me for my windows woes. That's par for the course here on Slashdot. But, I AM annoyed at Microsoft for putting out a crappy product that doesn't work as advertised. For the money they're charging, this stuff shouldn't be happening.

      --
      Farewell! It's been a fine buncha years!
    172. Re:Not such a bad idea by the_Bionic_lemming · · Score: 1

      Could be the issues with the versions - I have the enterprise suite for all of them.

      I dunno. I've never had an issue with a patch 'cept for the time they upgraded the upload control. And even then all it did was trash one of the asp apps - it was easily fixed tho. I keep seeing people complaining about the patches but I have never seen a box go down because of it.

      The one other issue that comes to mind is something about one of the latest patches that seems to cause a profile to start disliking acrobat forms. But then again it isn't a show stopper - we log in as admin, copy the user profile to a folder, delete the user profile, recreate the user profile, and transfer the backup back to the new folder.

      Problem solved in less than a minute or two.

      Oh well, good luck on your issues- I would hate to have them. Guess maybe I should count myself lucky or somthin ;)

      --
      _ _ _ Go for the eyes Boo! GO FOR THE EYES!
    173. Re:Not such a bad idea by jlechem · · Score: 1

      I too have never ever had a problem with windows update causing a crash or application to stop working on my box. I use win2k, Visual Studio .NET, IIS, and cd burning software. The worst thing to happen is sometimes my download stalls but I think that is Comcast's fault and not MS. All I do is reboot and restart the download and it goes fine. I have also used the WU on Win98 machines I've built for my family and have never had a problem with any of their machines as well.

      --
      Hold up, wait a minute, let me put some pimpin in it
    174. Re:Not such a bad idea by Randolpho · · Score: 1

      That's not the way I read the history, but thankfully I've taken off my rose-colored glasses.

      Microsoft got on top by making good shit. How they *stayed* on top is where those questionable practices come into play.

      --
      "Times have not become more violent. They have just become more televised."
      -Marilyn Manson
    175. Re:Not such a bad idea by thatzreal · · Score: 1

      Yea, I'm a home user too, and it hasn't broken my weatherbug, webshots, gator address book, or bonzai buddy yet.

      How often do home users know what's best for their computers, how many of them actually care if Microsoft puts "fixes" on their computers for them? The answer to that question is not many.

    176. Re:Not such a bad idea by Anonymous Coward · · Score: 0

      Microsoft are MORONS. The fix for this particular worm required SP2 or greater. That is 8 hours and 10 minutes over dialup.

      No, you are a MORON. The fix required a ~1MB download, which is available if you click on the little RED link located in the box on Microsoft's HOMEPAGE, which leads you to a list of all the download links. Granted there might be another worm you are talking about, but it sure as hell doesn't take downloading a whole service pack to fix 1 worm.

      Moron.

    177. Re:Not such a bad idea by Xerithane · · Score: 1

      I don't know about you but I have seen many cars that needed rebooting. Ever seen someone pushstart a car because it just died on them.

      Cars don't "just die" -- there is always a sound reason for why it died. Windows (and sometimes Linux, and any other computers) just die. Period. No reason, they just crash.

      What about the car that needs the timing readjusted so that it doesn't choke itself and turn off, they need restarting, too.

      Comparing timing belt adjustments isn't really valid. If you don't know how to adjust a timing belt yourself, buy a new car or hire a mechanic because everything needs maintenance. Automating maintenance is the key, though.

      I'll grant you the part about the groceries, though, that is something that I have never seen.

      Which doesn't mean it can't happen :)

      --
      Dacels Jewelers can't be trusted.
    178. Re:Not such a bad idea by Anonymous Coward · · Score: 0

      Do you have any idea what it would cost to keep sending CDs to just the registered Windows users?

      Wait a second...

      Oooh! Oooh! I know! MS could include the latest patches on every one of those free AOL CDs!

    179. Re:Not such a bad idea by LookSharp · · Score: 1

      This may sound obvious to those of us who know how to use XP, but why didn't you just back up to the last "restore point?"

      And are you sure it was just "critical fixes," and not "driver updates?" Windows Update once detected a driver update for a 3com NIC I had installed, and updating the driver b0rked it good. Did a "reinstall driver" in the hardware management interface (using original drivers) and it worked fine again.

      Maybe you should go back to apt-getting? :D

    180. Re:Not such a bad idea by Reziac · · Score: 1

      In fact, your car makes the point exactly as to why forced automatic updates are a Bad Thing: Your car runs on *diesel*. Now, what if along comes the automated filler-up mechanism that makes sure you never run out of fuel, and fills it with gasoline instead? Ooops!!

      --
      ~REZ~ #43301. Who'd fake being me anyway?
    181. Re:Not such a bad idea by Reziac · · Score: 1

      NT4 SP4 ... 'nuf said.

      --
      ~REZ~ #43301. Who'd fake being me anyway?
    182. Re:Not such a bad idea by KJKHyperion · · Score: 2, Insightful
      noting that Linux has never given me this kind of trouble

      Gee, put some effort in configuring Windows too, and you'll never have this kind of trouble

      The problem seems to be that if you install Microsoft's updated .Net packages before Visual Studio

      Buzzz. Wrong. The .NET Framework won't be part of the system until Longhorn. Either you personally install it, or it doesn't get installed or updated automatically. The problem lies somewhere else

      kind of important on a windows 2000 box, which doesn't have an integrated firewall

      Guess what? it does have one. It's part of the native IPSec service. See this tutorial, and, in general, avoid Norton products like rats with bubonic plague

      Windows patches keep restoring MS Outlook Express!

      Yeah, quite annoying, but blame sloppy Windows developers for that (system file protection is good. I didn't realize it until an install of Corel DRAW 9 on Windows NT 4 overwrote msvcrt.dll with an earlier version, and I was blamed). However, I've reversed it, discovered where the list of protected files is (sfcfiles.dll), in which format, and I can hand you a bogus sfcfiles.dll (with sources, if you're curious) that disables file protection completely by returning an empty list of files. Mail me if you are interested

      --

      Make a difference - use Windows! (open source clone of Windows NT)

    183. Re:Not such a bad idea by Darth_Burrito · · Score: 1

      Cars are much more complex, both mechanically and technologically speaking.

      No they aren't, not even close, not remotely. For example, a single human being is rarely capable of thoroughly understanding the implementation of a single non-trivial application. There is just no comparison. Even if you talk about modern cars, many of which have embedded systems, these are often specialized systems running very particular narrowly defined programs.

      Cars still just work.

      Sure, up until the very day they stop working. My dad's VW bus went through four engines. I'm not saying computers don't have mechanical failures, I'm just saying cars are often plagued with mechanical problems.

      and it doesn't delete your groceries when it crashes either.

      But then again, nobody dies when your home pc crashes do they? You know, there are obviously serious flaws in the orange growing industry because the oranges they are producing aren't as red as these apples.

      A 1940s car was still much more stable and easy to operate than your consumer based car.

      First, you're comparing a 1940's personal car, a 40 year old technology astronomically simpler than a computer, to what is essentially a 20 year old technology, the home pc. How much do you think a car's complexity increases in a year? Let's look at some statistics for the rate of increase in complexity of various software systems.

      This is why a self-patching computer is a good thing!

      I couldn't possibly agree more provided of course people have the option to turn off self-patching.

      Why is there an issue with self-patching computers?

      Patches can break things and sometimes it's not a matter of it being an accident. Also, people don't like things they own doing things without their permissions. Some people have expressed privacy concerns because a service like windows update reports on some of the software installed on your pc. I don't think these risks are justification enough. Also, and this is a Microsoft(Tm) problem, but MS has been known to tack on additional license agreements to their updates.

    184. Re:Not such a bad idea by Neophytus · · Score: 1

      Being on broadband myself makes me a tad partial.

    185. Re:Not such a bad idea by Monkeybaister · · Score: 1
      The first time I tried loading red hat it burned my seventeen inch monitor out.

      Then your monitor was meant to die.

      I have old monitors and they are intelligent about not trying to do refresh rates they can't handle.

      So it was either "luck" or your monitor was crap.

    186. Re:Not such a bad idea by mnewton32 · · Score: 1

      I've been applying MS updates/upgrades/service packs religiously since DOS 6 (I mean 6.2, I mean 6.21, no I meant 6.22) and I've never had any serious problems. Although I did miss the famous SP 6 for Windows NT, which I hear was a real bomb. I went straight to 6a. The only time anything has really been screwed up royally by MS is when I uninstalled the PowerPoint 97 viewer. The uninstaller has an "issue" (that's what the KB article called it) whereby it deletes the _entire_ HKEY_CLASSES_ROOT\TypeLib registry tree. If you know anything about the Windows registry, you'll know that's bad. 4 months later I still can't administer user settings!

    187. Re:Not such a bad idea by Xerithane · · Score: 1

      No they aren't, not even close, not remotely. For example, a single human being is rarely capable of thoroughly understanding the implementation of a single non-trivial application. There is just no comparison. Even if you talk about modern cars, many of which have embedded systems, these are often specialized systems running very particular narrowly defined programs.

      Spoken by a person who doesn't understand cars. If you honestly think a computer is more complex than a car, you need to go pick up some books. If you compare a consumer based car and a computer, you will quickly see which is more complex.

      Here's an exercise: Take all of the base components out of a computer and learn what each one is. That should take you about an hour, maybe two.

      Take each of the base components out of a car, and learn what each one is. That should take you a couple of weeks. Especially to put it back together.

      That's not really the point, but the point is that cars do work. That is why there are lemon laws. 3 drive-train problems entitles you to a refund of your money. Three system crashes entitles you to getting fucked by customer service with a computer. It doesn't matter how much data you lose, it's you who loses.

      Cars have more components, just as finely tuned electronic equipment, and are more stable than any computer system. You know why? They aren't trying to do ground-breaking research every year. They don't buy into the Murphy Law bullshit.

      Let's have predictive processors that detect when bad code is coming in and counter for it. That's innovation. Increasing your clock cycles, and eye candy in an operating system just makes it harder to see what true innovation is.

      --
      Dacels Jewelers can't be trusted.
    188. Re:Not such a bad idea by WoTG · · Score: 1

      Same here. On my home machine, I've had this stupid critical update for "Catalog Database Corruption" for months now. It won't install, and it stops other updates from downloading. I don't know what happened, and can't be bothered to debug it. I suspect a registry key, or errant file. Manually running the Windows Update program works, so I just do that when I'm bored.

      Maybe Microsoft should release a "Windows Update Double-Checker" every few months to fix broken setups...

    189. Re:Not such a bad idea by aliens · · Score: 1

      Hehe, thank you for pointing this out in a much more polite way than another reply.

      To answer your question. System Restore had been offline since this kid used up so much space it had to turn itself off. I didn't think to check beforehand. (Assuming makes ass out of U and me:)
      The last restore point was way back in time.

      And they were all just Critical fixes, no driver updates. Otherwise I would have just rolled back the driver.

      If he wasn't such an avid gamer I'd Debian the box in a minute :)

      --
      -- taking over the world, we are.
    190. Re:Not such a bad idea by the_Bionic_lemming · · Score: 1

      Actually - I didn't know enough at the time to configure it correctly.

      But then again - live and learn.

      --
      _ _ _ Go for the eyes Boo! GO FOR THE EYES!
    191. Re:Not such a bad idea by RedWizzard · · Score: 1

      Last Thursday in the wake of the Blaster worm I ran Windows Update on a NT4 machine. One of the hotfixes it applied (823803) screwed up the RAS subsystem which resulted in IE5.5 crashing whenever it attempted to open a page. Upgrading to IE6 stopped the crash, but it still locked up. Removing RAS fixed the problem but I needed RAS on that machine so I had to manually remove each of the 20-odd hotfixes (one at a time with a forced reboot between each one) to find the one that screwed everything up. I will never trust MS with automatic updating.

    192. Re:Not such a bad idea by Darth_Burrito · · Score: 1

      Spoken by a person who doesn't understand cars. If you honestly think a computer is more complex than a car, you need to go pick up some books. If you compare a consumer based car and a computer, you will quickly see which is more complex.

      Ok, I confess I'm not a big car person. The extent of my automobile knowledge is a rather basic understanding of major components as well as some very minor home maintenance like spark plugs, oil change, replace a tire, and replace brake pads. However the extent of my computer knowledge is a four year degree, a couple years of professional software development with a little admin work, and now the beginnings of a master's degree in the subject. My book shelves are lined with computer books. Except in an extraordinarily academic sense, I have no idea how my computer actually does 99.999999% of the things it does. By comparison, I have a wonderfully crystal clear understanding of how my car works. A typical home computer is astronomically more complex than a car.

      Here's an exercise: Take all of the base components out of a computer and learn what each one is. That should take you about an hour, maybe two. Take each of the base components out of a car, and learn what each one is. That should take you a couple of weeks.

      First, the large physical items inside of a computer do not represent its basic components. Many of the basic components consist of extraordinarily complex circuitry whose size is measured in microns. Second, the majority of a home pc's complexity is not in hardware, it is in software. For the barest, most minimal idea of what I'm talking about, search your hard drive for some basic executable file formats. In my case I found nearly 6000 dll, ocx, and exe files. Each of these components is capable of performing numerous tasks. Given the source code, I could easily spend several lifetimes trying to figure out how all of it worked in terms of the highest level languages used to create them and still not succeed. And this stuff is just the merest tip of the iceberg.

      Cars have more components, just as finely tuned electronic equipment, and are more stable than any computer system. You know why?

      Because they are designed with an entirely different purpose and set of design criteria in mind? Because they are much much simpler? Because they have been around in public use for a century?

      Cars are more stable than any computer system.

      They are two extraordinarily different things with different purposes and design criteria. What can this possibly even mean? Do we want to sit around comparing failure rates? How many times does a piston fire before a cylinder cracks versus how many instructions, on average, a modern processor executes before the machine blue screens (think a billion instructions per second)? The truth is they are apples and oranges, it just doesn't make sense to compare them at this level.

      Let's have predictive processors that detect when bad code is coming in and counter for it.

      I think this is provably mathematically impossible. It's actually probably one of those famous theories I can't remember after spending too much time doing practical work. On the other hand, there are related constructs in programming like for instance, modern error handling. You can't generally tell if a program will throw an error, but you can execute a block of code, check if it threw an error, and then force it to run some other code in an attempt to handle the error or force the system back into a valid state.

    193. Re:Not such a bad idea by Anonymous Coward · · Score: 0

      I agree, I attempted to upgrade IE to 6.0 and it wouldn't install which broke the whole browser, so I got Opera and used that and Mozilla.

    194. Re:Not such a bad idea by Xerithane · · Score: 1
      The extent of my automobile knowledge is a rather basic understanding of major components as well as some very minor home maintenance like spark plugs, oil change, replace a tire, and replace brake pads.

      You just listed 4 components (counting "oil" as a component) in a car. Which are all exceptionally minor. A computer has: chassis, CPU, motherboard, hard drive, RAM, video card, ethernet card, mouse, keyboard, and monitor. I'm not seeing consumer level complexity here.

      Except in an extraordinarily academic sense, I have no idea how my computer actually does 99.999999% of the things it does. By comparison, I have a wonderfully crystal clear understanding of how my car works. A typical home computer is astronomically more complex than a car.

      I can assure you that you do not have a crystal clear understanding of how your car works. You probably do have a more clear understanding of how your computer works, especially with a four year degree. Unless colleges went really downhill, you should be required to have courses in logic gates, and such. You may not know how to build a processor, but you should at least know how they work.

      I am a car person. Theoretically (I don't like to get my hands that dirty) a car is easy. However, they are amazingly complex. From a racing point of view, you constantly battle fuel/air mixtures, oil pressure, tire pressure, shock sensitivity, gear ratios, down pressure, etc. As a programmer, I worry about.. uhm... emerge being up to date.

      Because they are designed with an entirely different purpose and set of design criteria in mind? Because they are much much simpler? Because they have been around in public use for a century?


      That they are, but they are used for the same general purpose: To work how the consumer wants them to work, within the bounds of their design.

      A car does meet those expectations, and has since 1908. A computer has had decades to just fulfill those, and has failed. A computer rarely does what the user wants it to do, within the bounds of its design.

      A user doesn't want to receive spam, viruses, or install firewall software. They just want it to work, and it doesn't. This is a flaw in the architecture, and the last 10 years being touted as "innovation" when all they do is make CPUs run more code faster and cooler. There is no innovation there. There hasn't been innovation since 1973. I picked that date at random.

      The truth is they are apples and oranges, it just doesn't make sense to compare them at this level.

      We can compare any "Utility Item" as utility items by having a little checklist.
      Does it:
      • do what I expect?
      • do it reliably?
      • without difficulty?
      • without unwarranted failure?*

      * All things break, given enough time. Things shouldn't break in an unreasonably short time frame. Computers tend to do that, however (especially hard drives).

      If you compare any utility item (cars, televisions, VCRs, DVD players, Walkman/Discman, dishwasher, fridge) a computer comes in at the bottom by using the criteria above. That's my point, not the comparison and contrasting of cars and computers. Utility items should work, and computers just don't.

      I think this is provably mathematically impossible. It's actually probably one of those famous theories I can't remember after spending too much time doing practical work.

      Isn't that true... It may be mathematically impossible to do it reliably every time, but I find it hard to believe it can't work at least most of the time. I mean, Valgrind does amazing things in its VM. Why can't there be hardware virtual machines that aren't running on binary? Why aren't we using trinary systems instead of binary? There are a hundred and one questions showing the lack of innovation in computers.

      Here would be innovation: Scalable clustered VMs running microkernels that share devi
      --
      Dacels Jewelers can't be trusted.
    195. Re:Not such a bad idea by Anonymous Coward · · Score: 0

      Imagine there's no Windows, It's easy if you try.
      No screen of Death, the Color of The sky.

      Imagine all the people . . . bla h balh

    196. Re:Not such a bad idea by Jmstuckman · · Score: 1

      We had a bunch of windowsupdate problems at work today. It was working fine for us before; the servers are probably hosed because of all the viruses.

    197. Re:Not such a bad idea by broken.data · · Score: 1

      It all depends on what software you are using. How many times has Microsoft re-issued a patch a while later since it *DID* break something? If they were to automatically install patches and it hosed the system, who would be liable?

    198. Re:Not such a bad idea by DoninIN · · Score: 1

      How many times have MS supplied updates deliberately broken a competitor's product? Who in their right mind is going to trust Redmond not to send a patch at midnight on Sunday that "accidentally" breaks a competitor's app? They've been busted in court for this before. They've paid fines, kept on doing it and they're not even pretending to be sorry. This is the dumbest idea. Ever. Period.

    199. Re:Not such a bad idea by IcePop456 · · Score: 1

      The patch has to be that size just like MS Office has to be a few hundred MBs in order to fit the flight simulator or other unknown add-in programs.

    200. Re:Not such a bad idea by Darth_Burrito · · Score: 1

      You just listed 4 components (counting "oil" as a component) in a car. Which are all exceptionally minor.

      Hence the phrase, "as well as some very minor home maintenance like spark plugs, oil change, replace a tire, and replace brake pads?"

      A computer has: chassis, CPU, motherboard .... I'm not seeing consumer level complexity here.

      I wasn't talking about consumer complexity. I was talking about a computer system's actual overall complexity.

      I can assure you that you do not have a crystal clear understanding of how your car works. You probably do have a more clear understanding of how your computer works, especially with a four year degree. Unless colleges went really downhill, you should be required to have courses in logic gates, and such. You may not know how to build a processor, but you should at least know how they work.

      I did not say I had a crystal clear understanding of how my car works. I said compared to my understanding of the complex set of applications and systems that make up my computer, my understanding of how cars work was crystal clear. This was said after I had deliberately demonstrated having at best, a layman's understanding of automobiles, in order to drive home my point. As you said before, I can learn to take a car apart and put it back together during the span of a few months to a year. It might take me several years to get a good understanding of everything involved. As an expert in computer systems, I know with absolute certainty I could not analyze and discover the workings of all of the software and hardware components that make up my home pc, no matter how many lifetimes I had. Just for the record I had two or three classes involving logic gates and other (exceedingly boring) topics. In one, we went over the entire design of a mips processor in excruciating detail on paper, but hardware is trivial compared to software. For example, in any of the three companies in which I have done software development, I have never met a single person that understood how any of our homegrown software systems worked in their entirety. In any of the companies, it would have been extremely difficult to do, and that's just one specialized set of software.

      To work how the consumer wants them to work, within the bounds of their design. A car does meet those expectations, and has since 1908.

      We are drifting away from the topic of complexity and into the topic of comparative operation which I still don't think makes very much sense but .... You are making the assumption that software is designed to work perfectly, and that, in failing to do so, it fails the above criteria. It isn't designed to work perfectly. If it were, we would probably still be waiting for the internet to become a big thing. There are many things about cars that don't meet my expectations (energy source, autonomy, safety, etc), but the features I want are not part of the design just like error free execution is not part of general software design.

      If you compare any utility item (cars, televisions, VCRs, DVD players, Walkman/Discman, dishwasher, fridge) a computer comes in at the bottom by using the criteria above. That's my point, not the comparison and contrasting of cars and computers. Utility items should work, and computers just don't.

      While I disagree that a computer should be judged against these kind of devices in this kind of comparison, I will concede that from an everyday perspective, this idea makes sense. My personal belief is that computer systems are vastly more complex and capable than any of these other utility items and, in accomplishing so much more than any of these devices, they can not justly be compared by these criteria alone. As a last ditch argument along this line, let me try this bit. You mentioned several utility devices above that you purport all satisfy your utility criteria better than a computer: cars, televisions, VCRs, DVD players, Walk

    201. Re:Not such a bad idea by Sam+the+Nemesis · · Score: 1
      It's running windows because some of the software my school requires is Windows only.

      Why do people need to give explanation here, if they use windows. You don't need to give explanation for your choice.

    202. Re:Not such a bad idea by Anonymous Coward · · Score: 0

      Not only that, if you're on broadband in Australia you have limitations to the amount you can download per month before you start receiving hefty bills. ie.. a 500mg usage p/m will cost you around $40 p/m. Go over it and you're looking at 15c p/mg. And if you start receiving automatic updates towards the end of the month when you didn't have anything else planned to be downloaded and go over your limit, you're paying for the updates without consent of payment. I won't even go into needing to download a SP to fix a bug when your limit is almost up.

    203. Re:Not such a bad idea by Crosis · · Score: 1

      This is my experience of dodgy WU patches... I have two XP machines. A desktop with XP pro, and a laptop with XP home (both running linux as well of course!). One day last year, I did a full patch of both through WU. They both started crashing randomly 2-3 times a day. Both machines had been rock solid for months (Note: they get turned off at night). This persisted for about a week, when a new patch appeared on WU. I installed that on both machines. They have been stable since.

    204. Re:Not such a bad idea by TGK · · Score: 1

      It deters the half-wit solution "Why don't you just install Linux, that will fix all your problems."

      I was trying to make a point, not start a Linux fun fest. If I just wrote "I'm putting together a windows box" I assure you the caliber of response would have been somewhat different.

      --
      Killfile(TGK)
      No trees were killed in the creation of this post. However, many electrons were inconvenienced.
    205. Re:Not such a bad idea by sql*kitten · · Score: 1

      It's because of the computer elitist group (Hi Slashdot!) that computers "scare" people. They aren't interested, and would rather just have someone who is interested fix their problems. There is nothing wrong with that, and it doesn't make them stupid.

      Let me explain the psychology at work here. Back in the day, computers were housed in dedicated buildings. Ordinary users never got near them, if they wanted anything done, they had to ask the techno-elite, and the techno-elite would, if they felt like, do it, like high priests making sacrifices in the inner temple on behalf of the masses outside.

      This made the "high priests" feel special. They had all the power.

      Along comes Bill Gates, with his idea of "a computer on every desktop". That's actually Microsoft's "mission statement", you know. Suddenly, the masses don't need the "high priests" any more. They want to do calculations, they've got spreadsheets, they want to store records, they've got databases. Some of them bought compilers and discovered that programming isn't a secret ritual after all, and they began to produce software for the ordinary people to use. Now, the "high priests" are relegated to the role of "support". No more are they held in awe, when once a user would have to beg for some computer time, now those users just expect the "priests" to refill the printer with paper.

      That's why Slashbots hate Bill Gates and Microsoft with such fervour.

    206. Re:Not such a bad idea by st0rmshad0w · · Score: 1

      "Ok, getting a bit tired of the "dialup" excuse."

      Sorry, just the way life is. Most people I know (in person) don't have broadband, it's an unnecessary expense right now.

      "Microsoft has always offered Service Packs on CD for just the cost of S&H."

      Riiiight. And patches? And why the hell should I pay them one dime for them to FIX their broken products? I'm not asking for replacement CD's, that I'll pay for, we're talking about stuff that repairs an existing product.

      "Or you can always go to a friends or an internet cafe with highspeed internet (or your work), download the patches/SP's, and burn them to a CD."

      See above. Broadband isn't as common as you would seem to think, at least not in my area. Yes I have a lot of ways to get what I'm after (I can't believe you suggested using your employer's resources to fix personal problems), but I'm one of those odd /. people, not your average person who can barely use his/her machine. Remember, we're talking about people who purchased MS products. And internet cafes? All gone around here, every last one of them. And even when they were here, none of them let you burn CDs.

      "Sheesh."

      Indeed.

    207. Re:Not such a bad idea by Xerithane · · Score: 1

      That was absolutely beautiful. An exceptionally insightful perspective on the whole thing, and that explains why the attitude remains. Even through the generations where people never even saw mainframe systems.

      Very nice, mate, cheers.

      --
      Dacels Jewelers can't be trusted.
    208. Re:Not such a bad idea by danila · · Score: 1

      Since all the packages are signed anyway, they should have allowed everyone to distribute the patches in any convenient way. Then you would have the patches on your ISP's server, on your favourite P2P, and literally everywhere, including on CDs in your local computer stores (sold for 5$ or given away), etc.

      --
      Future Wiki -- If you don't think about the future, you cannot have one.
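The point made in the comment above, that signed packages can safely come from an ISP server, a P2P network or a CD, shown as an added example that is not part of the original thread and is not Microsoft's update mechanism. The key pair, manifest layout and the names `publish` and `accept_update` are assumptions made for illustration; the check also rejects an old but validly signed package, which a mirror could otherwise replay.

```python
import hashlib
import json

# Constructed demo key. NOT secure: the modulus is the product of two
# well-known Mersenne primes and is trivially factorable. It is used only so
# the example runs offline with the standard library; real updaters use a
# vetted crypto library and a properly generated key.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                      # public key, pinned in the client
D = pow(E, -1, (P - 1) * (Q - 1))        # private key, publisher only
KEY_BYTES = (N.bit_length() + 7) // 8

# DER DigestInfo prefix for SHA-256 (PKCS#1 v1.5 signature encoding).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def _encode(message: bytes) -> int:
    """Build the full padded block 00 01 FF..FF 00 DigestInfo as an integer."""
    t = SHA256_PREFIX + hashlib.sha256(message).digest()
    pad = b"\xff" * (KEY_BYTES - len(t) - 3)
    return int.from_bytes(b"\x00\x01" + pad + b"\x00" + t, "big")


def sign(message: bytes) -> int:
    return pow(_encode(message), D, N)


def verify(message: bytes, signature: int) -> bool:
    # Recompute the whole expected block and compare it, instead of parsing
    # the recovered padding, so malformed padding can never be accepted.
    return 0 <= signature < N and pow(signature, E, N) == _encode(message)


def publish(name, version, payload: bytes) -> dict:
    """Publisher side: sign a manifest that binds name, version and hash."""
    manifest = json.dumps(
        {"name": name, "version": list(version),
         "sha256": hashlib.sha256(payload).hexdigest()},
        sort_keys=True,
    ).encode()
    return {"manifest": manifest, "signature": sign(manifest), "payload": payload}


def accept_update(package: dict, installed_version) -> tuple:
    """Client side: trust the pinned key, never the channel the bytes came from."""
    if not verify(package["manifest"], package["signature"]):
        return (False, "bad signature")
    meta = json.loads(package["manifest"])
    if hashlib.sha256(package["payload"]).hexdigest() != meta["sha256"]:
        return (False, "payload does not match signed manifest")
    if tuple(meta["version"]) <= tuple(installed_version):
        return (False, "not newer than installed version")
    return (True, "ok")


def demo() -> dict:
    """Run four constructed packages past a client that has version 1.2."""
    installed = (1, 2)
    genuine = publish("demo-hotfix", (1, 3), b"constructed patch bytes v1.3")
    old = publish("demo-hotfix", (1, 1), b"constructed patch bytes v1.1")
    # A mirror swaps the payload but keeps the real manifest and signature.
    swapped = dict(genuine, payload=b"constructed malicious bytes")
    # A mirror edits the manifest to match its payload, reusing the signature.
    edited = dict(swapped, manifest=json.dumps(
        {"name": "demo-hotfix", "version": [1, 3],
         "sha256": hashlib.sha256(swapped["payload"]).hexdigest()},
        sort_keys=True).encode())
    return {
        "genuine": accept_update(genuine, installed),
        "swapped_payload": accept_update(swapped, installed),
        "edited_manifest": accept_update(edited, installed),
        "replayed_old": accept_update(old, installed),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:16} {result}")
```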
    209. Re:Not such a bad idea by crazyphilman · · Score: 1

      Well, I got a tip from someone on here, in that Norton Internet Security might have screwed the pooch on a few things, so I have something to try:

      1. Reinstall windows, with IIS.
      2. Reinstall VB.Net
      3. Go online and patch up all the way.
      4. Cross fingers and reboot.
      5. Try to install Norton Antivirus ONLY. I don't know if Norton Internet Security will LET me, but it's worth a shot...

      Sorry if I got a little testy. This thing has been driving me nuts. :)

      --
      Farewell! It's been a fine buncha years!
    210. Re:Not such a bad idea by crazyphilman · · Score: 1

      I'm sorry -- in retrospect, my comment looks a little cold. I didn't mean it as shrewishly as it sounded.

      I remember the early xf86config scripts, they scared the hell out of a guy. They were like, "If you put the wrong settings in, you'll fry your monitor". I generally responded by picking the most conservative settings I thought would work, and I never had any mishaps. I always wondered if anyone took the risk and got burned, and what that would be like. Did the monitor just stop working, or did it actually do the "sizzle, crack, pop" thing?

      I knew a professor once, who told us that while he was an undergrad in a junior-level assembly language course, he managed to set his monitor on fire, so I wouldn't feel *too* bad if I were you. The prof almost got expelled for wrecking lab equipment and setting off the fire alarm. And all because he "wanted to see what would happen if he tried to draw stuff outside of the paintable area of the screen". Apparently, he blew up a bunch of capacitors or something, and became famous at that school... :)

      --
      Farewell! It's been a fine buncha years!
    211. Re:Not such a bad idea by crazyphilman · · Score: 1

      "Gee, put some effort in configuring Windows too, and you'll never have this kind of trouble"

      Um, I don't know about that. So much stuff is buried in layers of GUI and "click here" weirdness that it's sometimes difficult to know what CAN be configured, much less how to do it. With Linux, I can just go to /etc, and start looking for conf files. Although, I guess that's not for everyone...

      "Buzzz. Wrong. The .NET Framework won't be part of the system until Longhorn. Either you personally install it, or it doesn't get installed or updated automatically. The problem lies somewhere else"

      Umm, NO. If you go to Windows update, you ARE offered a .Net download. It's not a "critical" update, but it IS there. All 25MB of it. Go see for yourself. My point is that if you use this update, you won't be able to install Visual Studio .Net because it'll choke, and I thought that was kinda dumb.

      "Guess what? it does have one. It's part of the native IPSec service. See this tutorial [wmich.edu], and, in general, avoid Norton products like rats with bubonic plague"

      Now, that is a good tip. I'm going to check it out when I get home, and I thank you for it. Now all I have to do is replace Norton Internet Security with a good antivirus program -- any suggestions? I'm thinking about McAfee...

      Thanks for the suggestions!

      --
      Farewell! It's been a fine buncha years!
    212. Re:Not such a bad idea by crazyphilman · · Score: 1

      Amen to that. If I could make a living doing Linux, Java, Perl, or C++ I'd be there in a heartbeat. But I live in New York, where everyone has already been laid off and most IT people are in serious trouble financially. No one is hiring. I got lucky two years ago and got a job with the state government, which was a godsend. Instead of being unemployed, now I'm making decent money (not a lot of money, but enough to live on) and all I have to do is swallow my pride a little and work with Microsoft tools. I jumped at the chance, as would anyone sensible I think.

      It's not so bad. We're switching to .Net now, which is a pretty nice development platform. I'm enjoying working with it, and I don't mind working with windows as much now that I have nicer tools. I just wish patches would work more predictably, and that every worm that comes out wouldn't knock the whole network flat. It's not *that* much to ask for, you know?

      Anyway, thanks for the kind words! I had tried to think of a witty comeback for the A/C's nasty "you're a whore" comment, like "I wish I WAS a whore, I could pay off my student loans then" but I kinda ran out of steam. Thanks!

      --
      Farewell! It's been a fine buncha years!
    213. Re:Not such a bad idea by the_Bionic_lemming · · Score: 1

      No probs bud.

      I always did respect a person who could say - "oh -wait" :)

      --
      _ _ _ Go for the eyes Boo! GO FOR THE EYES!
    214. Re:Not such a bad idea by Nothinman · · Score: 1
      Really? For whom? Not for the average individual. Saying that a car has a single purpose is much like saying a computer has a single purpose.

      For me. My car gets me from point A to point B and that's it, I know there's more going on behind the scenes than that but its main purpose is to move me around.

      Computers are used for everything from writing email to rendering entire movies to control car engines.

      Why is there an issue with self-patching computers? For home users, this is a great idea.

      I never had one, I think it's a good idea as long as it's able to be turned off by someone who wants to. The only problem I see is that MS' patches break shit periodically, having WU automatically install something that's going to break a 3rd party app is a very bad thing.

      A computer has: chassis, CPU, motherboard, hard drive, RAM, video card, ethernet card, mouse, keyboard, and monitor. I'm not seeing consumer level complexity here.

      I was referring to software complexity, not hardware. With computers it's software that's the problem, not the hardware (most of the time).

      A computer has had decades to just fulfill those, and has failed. A computer rarely does what the user wants it to do, within the bounds of its design.

      That's because what users want from computers changes every few years. 10 years ago no one knew about the Internet, now email is almost a necessity next to electricity and running water.

      Cars don't "just die" -- there is always a sound reason for why it died. Windows (and sometimes Linux, and any other computers) just die. Period. No reason, they just crash.

      Computers don't just die either, there's always a reason. Just because you can't find it doesn't mean it's not there.

  4. Does this mean.. by DiS[EnDeR] · · Score: 4, Funny

    they want to reboot my computer without informing me?

    --

    Harder.. Better.. Faster.. Stronger
    1. Re:Does this mean.. by Anonymous Coward · · Score: 0

      They inform you, you just haven't been paying attention. What do you think that blue screen means?

    2. Re:Does this mean.. by neptune1 · · Score: 2, Funny

      Windows crashes all the time without informing you anyway...

    3. Re:Does this mean.. by Anonymous Coward · · Score: 0

      U da MAN cuz U soooo TEH FUNNIE!!!1

  5. Truuuuust us... by medscaper · · Score: 0, Flamebait
    Microsoft not only wants to upload the latest patch on to users' computer but also installing it for them.

    Well, we all know what a nice job Microsoft has done in the past of supporting individual machines.

    --
    Any sufficiently well-organized Government is indistinguishable from bullshit.
  6. And we kept wondering ... by OMG · · Score: 5, Insightful

    ... how they will get people to activate the TCPA/Palladium features.

    Now we know: MS will do it for you. How kind of them!

    1. Re:And we kept wondering ... by BiggerIsBetter · · Score: 2, Interesting

      Good point. Surely this would blow off any EULA type update licenses. How can you agree to an automatic update you didn't even know about?

      --
      Forget thrust, drag, lift and weight. Airplanes fly because of money.
    2. Re:And we kept wondering ... by gl4ss · · Score: 3, Informative

      well, iirc, the 'standard' eula coming now basically allows them to change the rules of it as they see fit without you agreeing to it.

      yeah it seems totally stupid and unenforceable but so are most things in eulas nowadays anyways.

      --
      world was created 5 seconds before this post as it is.
    3. Re:And we kept wondering ... by Anonymous Coward · · Score: 0

      finally someone is making sense i thought i was on a pro M$ forum for a minute... why aren't the linux people seeing a golden opportunity- if bill goes through with it, linux users will be able to say use windows and you have no control what gets on your computer but use linux and you have complete control....

    4. Re:And we kept wondering ... by Anonymous Coward · · Score: 0

      ...you know what they say about ignorance of the law...?

    5. Re:And we kept wondering ... by HiThere · · Score: 1

      Totally stupid, I can agree with. Unenforceable? You can afford the time & lawyers to fight their lawsuit? (Well, actually you'd need to initiate the suit. They would just have acted in the way that they choose without consulting you. And the "contract" on the website pointed to by the EULA would have given them permission.)

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    6. Re:And we kept wondering ... by braddeicide · · Score: 1

      It also says that you can return it for a refund if you don't agree, millions of laptop owners know that's a lie, LIE I TELL YOU!

  7. Bandwidth by jmays · · Score: 4, Insightful

    I know broadband usage is on the rise but really ... I use a modem. You know ... the kind that attaches to a phone line? Every time I get online with my low bandwidth solution, I don't want my bandwidth eaten up by patches.

    Granted, by the time this is incorporated into the OS, phone line users may be in the minority but until then ... no thanks.

    --
    KARMA TAG! You're it.
    1. Re:Bandwidth by Viol8 · · Score: 2, Insightful

      Agreed. A lot of people forget that not everyone (in fact the vast majority of people still) do not connect to the internet via some fancy
      umpteen mb/s broadband connection. It would be nice if occasionally marketing types (and some geeks for that matter) would remember this
      simple fact.

    2. Re:Bandwidth by dang-a-pin · · Score: 0, Flamebait

      Dude, you're a sad little Nazi for insisting that everyone happen to have an extra $40-$50 a month to spend on internet access. Where's your concentration camp for ISDN users? Get your head out of your parentally-funded ass and wipe it clean with the Toilet Paper of Justice! wipe. Wipe! WIPE!!!!!

    3. Re:Bandwidth by duckpoopy · · Score: 1

      I know your modem seems slow, but don't exaggerate.
      I am sure you get several millibits per second.

      --
      word.
    4. Re:Bandwidth by Anonymous Coward · · Score: 0

      On the subject of bandwidth...

      I know that the article says it'll only be for home users...but what if they decide to put it in for all versions. Can you imagine a company with even as little as 100 clients all trying to download an update at the same time?

      Now, take that image and place it on the internet as a whole. There will (more than likely) be at any given moment a couple of thousand computers connected to the internet running this OS. All of them trying to download a couple meg file....that's going to be HUGE traffic over the net. Add that to the existing traffic already over the net, and it should cause a possibility for some nice net wide slowdowns.

      but that's just my $0.014 CDN

      Zro

    5. Re:Bandwidth by Anonymous Coward · · Score: 0

      Critical updates aren't released all that often. Something on the order of once every two or three weeks, at most. And to be blunt - which is worse? Spending some time updating, or getting your computer wasted by a worm?

      And there is an opt-out. I doubt a single Slashdot user would be affected by this, simply because they'd be running Pro or opting out. The people who this is meant for clearly need it.

    6. Re:Bandwidth by Viol8 · · Score: 1

      Compared to peer-to-peer mp3 etc traffic and lots of other types it's probably small beer. It might hit a company's
      intranet that hasn't disabled the feature on its PCs but for the internet as a whole it's a non-issue.

    7. Re:Bandwidth by Viol8 · · Score: 1

      Try reading what he wrote you dumb fuck.

    8. Re:Bandwidth by Overly+Critical+Guy · · Score: 1

      So *gasp* turn autoupdates off.

      --
      "Sufferin' succotash."
    9. Re:Bandwidth by repetty · · Score: 1

      " I know broadband usage is on the rise but really ... I use a modem. You know ... the kind that attaches to a phone line?"

      Yeah, I remember those. My dad used to have an 8-track player in his truck, too.

      --Richard

    10. Re:Bandwidth by Anonymous Coward · · Score: 0

      I too use a modem, the kind that attaches to a phone line. It is an ADSL modem and is 512/256k.

    11. Re:Bandwidth by jpop32 · · Score: 1

      I know broadband usage is on the rise but really ... I use a modem. You know ... the kind that attaches to a phone line? Everytime I get online with my low bandwidth solution, I don't want my bandwidth eaten up by patches.

      Yes, and for such lowly users, Microsoft has designed BITS service. It's used for automatic downloads (patches and stuff). It uses any _remaining_ bandwidth your system has. It can continue interrupted downloads.

      Any more questions?

  8. Just turn the existing download updates on by def by jaredmauch · · Score: 1
    Since Windows ME(tm) Microsoft has provided a control panel extension to automatically download the recent patches and notify you when they're ready for installation. A mixed approach of this and the way MacOS X handles this (check daily, and pop up a window) and having this setting be default will provide for a more secure and security conscious public.

    I think this is a good thing for the Internet community as a whole, it's no longer all the redhat 3.0.3 boxes being rooted, it's WinME, 2k and later in the majority that I've been watching over the past years.

  9. imagine... by borgdows · · Score: 5, Interesting

    if someone breaks into MS WindowsUpdate servers, he could install ANYTHING on millions of computers!

    wow... scary...

    1. Re:imagine... by Anonymous Coward · · Score: 0

      I thought MS windowsupdate was like RedHat or autoupdate on linux. It will only install packages that are signed by the respective vendor. Just putting some package on an FTP/HTTP server will not get you anywhere since your package will not be signed and will be rejected right before installing it.

    2. Re:imagine... by bons · · Score: 1

      "if someone breaks into MS WindowsUpdate servers, he could install ANYTHING on millions of computers!"

      Actually, all they have to do is spoof your computer into thinking their computer is the WindowsUpdate system. Now this depends on how they implement their system but I'm willing to bet it depends on trusting some basic internet function that is exploitable one way or another.

    3. Re:imagine... by secolactico · · Score: 2, Insightful

      Actually, all they have to do is spoof your computer into thinking their computer is the WindowsUpdate system. Now this depends on how they implement their system but I'm willing to bet it depends on trusting some basic internet function that is exploitable one way or another.

      Aren't MS patches signed? If they are, then fooling your computer (say, by poisoning dns) into connecting to a non-ms site would only yield invalid downloads. Even if they hijack the actual servers, if they don't have the key, the result will be the same.

      MS might produce crappy software (and some very good software IMHO) but surely with their resources they probably already considered this possibility.

      --
      No sig
    4. Re:imagine... by Jonsey · · Score: 1

      if someone breaks into MS WindowsUpdate servers, he could install ANYTHING on millions of computers!

      wow... scary...


      Yeah, like Windows. : )

      --
      I assert that my comment is only my opinion, not that of any employer, past, present or future.
    5. Re:imagine... by pmz · · Score: 1

      if someone breaks into MS WindowsUpdate servers, he could install ANYTHING on millions of computers!

      Yup, automatic Windows update is a remote exploit just sitting and waiting to be exploited. If Microsoft will need a mathematically proved update process, now is the time for them to get the mathematicians cranking away.

    6. Re:imagine... by bmajik · · Score: 1

      you're confused. you're thinking of ftp.gnu.org

      Stuff from WU is cryptographically signed and protected.

      --
      My opinions are my own, and do not necessarily represent those of my employer.
    7. Re:imagine... by bons · · Score: 1

      "if they don't have the key"

      As I said above: "I'm willing to bet it depends on trusting some basic internet function that is exploitable one way or another."

      Given that security is the difficulty of cracking something vs. the reward of having done so (owning every Windows machine that this function hasn't been disabled on) and given that many crypto schemes once believed secure are no longer considered secure which crypto scheme do you want to trust this all important function to?

      While we're at it, let's pretend we're Microsoft. We'll be obscure and not tell anyone, hoping that no one will figure it out for themselves. And while we're at it, let's make sure that if anyone does figure it out, they won't tell anyone else on the white hat side of the fence, just because we don't want the PR hit.

      Remember, we're talking about the same organization that needed an outsider to renew their domain name and had the verisign keys problem. Why would you trust them for security?

    8. Re:imagine... by rmohr02 · · Score: 1

      They just need to get one script to modify the hosts file (I think).

    9. Re:imagine... by KJKHyperion · · Score: 1
      if someone breaks into MS WindowsUpdate servers, he could install ANYTHING on millions of computers!

      That's why all hotfixes are digitally signed. Windows Update, IIRC, checks the signatures on the files, but I'm not sure - I patch by hand (Windows Update isn't able to install patches without rebooting)

      --

      Make a difference - use Windows! (open source clone of Windows NT)

    10. Re:imagine... by RzUpAnmsCwrds · · Score: 1

      Actually, they couldn't. All of Microsoft's patches are cryptographically signed, so unless RSA-2048 has been cracked, users are fine.
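
The signature check that several replies in this thread rely on, as an added example (not part of the original comments and not Microsoft's code). The RSA keys are constructed from Mersenne primes for the demo, and the package names, versions and helper functions are hypothetical. It goes one step beyond the thread by also rejecting a replayed, genuinely signed older package.

```python
import hashlib
import json

# ASN.1 DigestInfo prefix for SHA-256 (PKCS#1 v1.5, RFC 8017 section 9.2).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def make_key(a, b):
    """Constructed demo RSA key from the Mersenne primes 2**a-1 and 2**b-1.
    Assumption for this example only; real signing keys are generated
    randomly and kept offline or in an HSM."""
    p, q = 2**a - 1, 2**b - 1
    return {"n": p * q, "e": 65537, "d": pow(65537, -1, (p - 1) * (q - 1))}


def _encode(message, n):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(message) for modulus n."""
    k = (n.bit_length() + 7) // 8
    t = SHA256_PREFIX + hashlib.sha256(message).digest()
    em = b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
    return int.from_bytes(em, "big")


def sign(message, key):
    return pow(_encode(message, key["n"]), key["d"], key["n"])


def verify(message, sig, pub):
    """Encode-and-compare: rebuild the expected block and compare it whole,
    rather than parsing the padding out of the decrypted signature."""
    n, e = pub
    return 0 <= sig < n and pow(sig, e, n) == _encode(message, n)


def build_update(name, version, payload, key):
    """Vendor side: sign a manifest that binds name, version and payload hash."""
    manifest = json.dumps(
        {"name": name, "version": version,
         "sha256": hashlib.sha256(payload).hexdigest()},
        sort_keys=True).encode()
    return {"manifest": manifest, "sig": sign(manifest, key), "payload": payload}


def client_check(update, pinned_pub, installed_version):
    """Client side. The key is pinned in the client, never taken from the
    download, so it does not matter which server DNS pointed us at."""
    if not verify(update["manifest"], update["sig"], pinned_pub):
        return False, "bad signature"
    manifest = json.loads(update["manifest"])   # parsed only after verification
    if hashlib.sha256(update["payload"]).hexdigest() != manifest["sha256"]:
        return False, "payload does not match signed manifest"
    if tuple(manifest["version"]) <= tuple(installed_version):
        return False, "not newer than installed version"
    return True, "ok"


VENDOR = make_key(521, 607)        # constructed vendor key
ATTACKER = make_key(1279, 2203)    # constructed key held by a spoofed server
PINNED = (VENDOR["n"], VENDOR["e"])


def demo(installed=(1, 0)):
    """Run four constructed download scenarios against one client."""
    genuine = build_update("hotfix-demo", [2, 0], b"genuine patch", VENDOR)
    cases = {
        # Real server, real package.
        "genuine": genuine,
        # Spoofed or compromised server keeps the real signature, swaps the file.
        "swapped payload": dict(genuine, payload=b"replacement binary"),
        # Spoofed server signs its own manifest with its own key.
        "attacker-signed": build_update("hotfix-demo", [9, 9],
                                        b"replacement binary", ATTACKER),
        # Genuinely signed but older package served again (rollback).
        "replayed old": build_update("hotfix-demo", [0, 9],
                                     b"old vulnerable build", VENDOR),
    }
    return {name: client_check(u, PINNED, installed) for name, u in cases.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:16} -> {result}")
```

The signature covers the manifest, and the manifest covers the payload hash and version, which is why a valid signature alone is not the whole check.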

  10. No thanks by GeckoFood · · Score: 5, Informative

    Some of us are still on dialup, and an automagic update of Windows via 56K modem would literally take HOURS if the connection even holds at all. I don't think I should be forced into high-speed access just so I can update my Windows partition periodically.

    --
    Be excellent to each other. And... PARTY ON, DUDES!
    1. Re:No thanks by Anonymous Coward · · Score: 0

      Some of us are still on dialup, and an automagic update of Windows via 56K modem would literally take HOURS if the connection even holds at all. I don't think I should be forced into high-speed access just so I can update my Windows partition periodically.

      Anonymous Coward, a university sysadmin, soundly beats GeckoFood about the head with a clue-by-four.

    2. Re:No thanks by feed_those_kitties · · Score: 1
      I completely agree.

      How's this for a pie-in-the-sky solution: Microsoft mails out cdroms of updates to the registered owners that request it. Or, Microsoft pays for the broadband required to download their freakin' patches. (presuming that broadband is even available to them...)

      Think those additional expenses might help convince Microsoft to build software that isn't full of security holes? Or more likely, they'd just pass the costs on to us consumers...

    3. Re:No thanks by erasmus_ · · Score: 2, Funny

      So in other words, you don't think the operation system could be smart enough to determine that you're on a dial-up instead of broadband, and schedule updates to be downloaded during off-hours, and only when it's detected that the computer has been idle for several hours? Yours is like the 3rd post to think that it will start downloading exactly when you're in the middle of something important - MS's usability engineers are not that dumb, no matter what Slashdrones say. Anyway, how do you get your updates now? You do get updates, don't you?

      --
      Please subscribe to see the more insightful version of th
    4. Re:No thanks by Anonymous Coward · · Score: 0

      "you don't think the operation system could be smart enough to determine that you're on a dial-up"

      Do you mean the same operating system that can't even remember my settings after a reboot?

    5. Re:No thanks by Anonymous Coward · · Score: 0

      That still doesn't address the cost problem, staying connected on the telephone can be expensive. I do wonder whether that explains a fair number of the people who don't keep software & virus checkers up to date.

      Kate

    6. Re:No thanks by XSforMe · · Score: 1

      No, the operating system isn't smart enough to know when I am expecting an important call. The operating system can't possibly tell what kind of billing am I to expect for a 4 hour telephone call (not every country in the world has free local telephone calls as in the US). Even if the OS would only download while the line was up and idle, in some cases it would simply not be able to download an upgrade until 3-4 months have gone by (think a new version of IE).

      Downloading security patches through a dial-up is problematic (last machine I gave maintenance to required a 23 Mb download), at this point MS would be better served if it started handing out CDs like AOL does and asking mom & pop to install them on their computers.

      --
      My other OS is the MCP!
    7. Re:No thanks by RoLi · · Score: 1
      MS's usability engineers are not that dumb

      Mod +1 funny

    8. Re:No thanks by PhiltheeG · · Score: 1

      I'm certain your new version of Windows with the automatic update will automatically download everything while you are sleeping, apply patches, then have coffee brewed on your uPnP coffee maker and waiting for you when you wake up...

      --
      -Phil
      Shoot questions, first ask later...
    9. Re:No thanks by gl4ss · · Score: 4, Insightful

      what off hours? there is no such thing in most cases. and the off hours wouldn't be enough time to download the patches anyways in time(speed just isn't fast enough)

      typical users DON'T leave their home computers on when they don't use them btw.

      and need that phone line occasionally for phone calls, i'm sure you've had one, but some people get them like all the time even on their landline.

      most people when they are online with their modem, are in the middle of doing something important(they wouldn't be online unless they were). using the phone line isn't free either in majority of countries, so leaving it to up to the os to decide when to dial up is not an option.

      the bloated drivers and updates are a real problem in today's world when you're trying to keep your relatives little computers running good enough (nvidia drivers take +30mb, for example). sure it isn't a problem when you have 100mbit jack on the wall but majority of people don't have that.

      --
      world was created 5 seconds before this post as it is.
    10. Re:No thanks by erasmus_ · · Score: 1

      I guess I was saying, more simply, that the OS can potentially only auto-download updates when it knows it's on a broadband or LAN connection, which it can easily determine. If on dial-up, it can then give you the option to either only do updates manually, or schedule them to be done during an idle time of your choosing. In other words, it doesn't have to be an "all or nothing" solution that affects dialup users negatively.

      Also, I would not consider IE a security patch, nor do I think that those 23MB you downloaded were all patches. Hopefully we're talking about small files here, not entire service packs or applications. MS usually makes a hotfix available to users so that patching a security issue does not require the whole service pack. Those hotfixes are then rolled up into the SP so that one can get them all at once.

      --
      Please subscribe to see the more insightful version of th
    11. Re:No thanks by PhoenixFlare · · Score: 1

      No, the operating system isn't smart enough to know when I am expecting an important call.

      So set it to download at like 1 or 2 AM or something, and have it quit around 4-5 or so. Unless you're a doctor or some other professional of that nature, and you don't have a pager, I refuse to believe anyone routinely gets important phone calls at those times of day.

      The operating system can't possibly tell what kind of billing am I to expect for a 4 hour telephone call (not every country in the world has free local telephone calls as in the US).

      Sorry, bud, but in the end, Microsoft is an American company, and will pander to the interests of that country.

      If you really do have to pay for local phone calls, then disable the automatic updates, get broadband, or in the unlikely event that neither of those are possible, take 2 seconds and unplug the CPU from the phone when needed.

      Downloading security patches through a dial-up is problematic (last machine I gave maintenance to required a 23 Mb download),

      My condolences, but if you're working for a business that still gets 100% of their net access through dialup, you're rather behind the times, even if you're outside the US.

      Just as everyone cannot be expected to have broadband, please remember that the number of people using dialup is ever-shrinking as well. At some point, priorities have to change.

    12. Re:No thanks by romanval · · Score: 1

      My computer's gonna have hard time figuring idle hours when it's turned OFF.
      Some of those (like I) have our PC in our bedroom. The last thing I want to hear while I'm half asleep is the drone of computer fans. God knows I hear enough of that during the day.

    13. Re:No thanks by curious.corn · · Score: 1

      Well there's a 'continue' feature common to many ftp/http clients that (wow) continues partial downloads from the point they were interrupted. It's a patented tech from M$ only recently added to Longhorn IE betas but the M$ engineers are working hard to distribute this extraordinary feature to all users of the Windows Update service (how kind of them eh?) Don't worry M$ works for YOU (Buahahaha!), after all, how many users have asked for such rocket science tech embedded in IE?

      --
      Mi domando chi à il mandante di tutte le cazzate che faccio - Altan
    14. Re:No thanks by PhoenixFlare · · Score: 1

      Don't assume you or your friends speak for everyone, please. I, for one, find it disconcerting not to have the fan noise.

      And as for leaving PC's on, I have personally seen many people do this, including the hundreds of computers in my university's labs being left on 24-7.

    15. Re:No thanks by Anonymous Coward · · Score: 0

      You're lucky enough that you don't pay dial-up (USA citizen maybe ?), but I do, even on local area call. There's no such things as off-hours for me. I hope that MS engineers are not _that_ dumb.

    16. Re:No thanks by Anonymous Coward · · Score: 0

      - Some of us can't even get 56K (old phone systems). Ever try downloading a 100MB service pack at less than 2 kilobytes per second? Not fun.

      - Not all dial up users have service plans that offer unlimited hours online. It's not uncommon to have a 10-20 hour plan if all you do is email. To which department at Microsoft can we send our bill when our ISP charges us for going over our allotted hours because we had to download a patch?

      - Some dial up users have to make a long distance call for internet access. Again, where can we send the bill?

      - Not all dial up users have a dedicated phone line for internet. I guess I should tell my friends that if they try calling and my phone is busy for several days on end, it's because I'm downloading patches.

    17. Re:No thanks by Fweeky · · Score: 1

      Latest nVidia drivers are a shade under 8MB. It's only the international version which approaches 30MB, and that serves those people right for not using the One True Language ;)

      (Yeah, 8MB is still pretty huge for a driver and control panel stuff, but.. meh, it supports about 10 generations of products, what do you expect? :)

    18. Re:No thanks by Anonymous Coward · · Score: 0

      He's talking about Windows, not your inferior Linux flavour.

    19. Re:No thanks by PhoenixFlare · · Score: 2, Insightful

      what off hours? there is no such thing in most cases. and the off hours wouldn't be enough time to download the patches anyways in time(speed just isn't fast enough)

      Do you not sleep, or what? And of course they're not going to download in one shot, that's what resumable multi-part downloads are for.

      typical users DON'T leave their home computers on when they don't use them btw.

      I feel like a broken record saying this, but you don't speak for everyone. Unless you regularly provide in-home support for a wide variety of users in many different countries, which I doubt, you just can't assume that.

      I can only speak for what I've seen in my corner of the US, and some friends in England, Australia, Canada, and Russia, but any "typical" user I've seen leaves their PC on 24-7 or close to it. The university I attend leaves the umpteen computers in its public labs on continuously. I don't think I've ever seen a system turned off there unless it had some sort of failure.

    20. Re:No thanks by Viol8 · · Score: 1

      By "typical" user I assume you mean some adolescent friends of yours whose mum and dad pay his electric bills?
      For those of us who have to pay for what we use why the f*ck would I leave a machine on 24/7 when I only use it maybe an hour a day???
      If nothing else it's hardly environmentally responsible is it?? Universities are different, public labs are in more or less constant use.

    21. Re:No thanks by iainl · · Score: 1

      I'm curious; exactly how many seconds do you believe I leave a PC connected through dialup to my phone without using it for something?

      Our work system occasionally likes to insist on downloading updates immediately when connected to the network, too. Attempting to do something as simple as check email from clients when connected over a mobile phone from a laptop at a conference, when Systems want to shove a 30Mb update to me right away is a nightmare.

      --
      "I Know You Are But What Am I?"
    22. Re:No thanks by PhoenixFlare · · Score: 1

      By "typical" user I assume you mean some adolescent friends of yours whose mum and dad pay his electric bills?

      A little touchy, are we? No, I meant normal non-adolescent people who pay for their own living quarters and bills, a group which I would also currently be a member of. Disagree with me if you like, but again, please don't assume, and don't be an ass.

      For those of us who have to pay for what we use why the f*ck would I leave a machine on 24/7 when I only use it maybe an hour a day???

      I don't know how much you're paying for electricity, or how much you think everyone else is paying, but my bill last month was only $40- and that's with 2 computers + associated equipment on continuously, plus an AC unit, lights, fridge, cooking, a dishwasher, etc.

      In any event, you're saying typical users only use their machines maybe an hour per day? Somehow I don't think that fits very well either. I would say 4 or 5 hours minimum as a better estimate for an average family, or even a single person that uses their system for work/entertainment.

      If one hour/day really is your true use, though, then yes, I suppose it would be more cost-effective to just turn it off.

      If nothing else it's hardly environmentally responsible is it??

      To paraphrase the immortal Inigo Montoya, you keep claiming that continuous operation is a bad thing. I do not think computers draw as much power as you think they do.

      Universities are different, public labs are in more or less constant use.

      Uhmm...So you claim it would cause environmental damage to keep your personal system on all the time, but universities are different in some aspect? Please, feel free to explain.

    23. Re:No thanks by Viol8 · · Score: 1

      "To paraphrase the immortal Inigo Montoya, you keep claiming that continuous operation is a bad thing. I do not think computers draw as much power as you think they do."

      They use about 200W. Now multiply that by a factor of say 10 million. That's the output of a decent sized power station required just to
      keep on a load of computers doing nothing.

      "Uhmm...So you claim it would cause environmental damage to keep your personal system on all the time, but universities are different in some aspect? Please, feel free to explain."

      There's no point switching off a machine if someone is going to come and use it again in 5 minutes because being powered on/off dozens of
      times a day would wreck it. However if the labs are not used at night there's no reason why they can't all be powered off, same goes for non essential desktop machines at companies.

    24. Re:No thanks by PhoenixFlare · · Score: 1

      They use about 200W. Now multiply that by a factor of say 10 million. That's the output of a decent sized power station required just to
      keep on a load of computers doing nothing.


      Be that as it may, isn't the whole point of this article/argument that they won't be doing nothing?

      There's no point switching off a machine if someone is going to come and use it again in 5 minutes because being powered on/off dozens of
      times a day would wreck it. However if the labs are not used at night there's no reason why they can't all be powered off, same goes for non essential desktop machines at companies.


      Yes, and I'm not arguing those facts.

      From your original reply, though, you claim that leaving a home machine on 24-7 would be environmentally irresponsible, and in the very next breath, say that a university lab in constant operation would be different in that fact somehow- neither you nor I said anything about damage to the machines in the original replies.

    25. Re:No thanks by delus10n0 · · Score: 1

      You should refer people to this page at Microsoft, which explains the "Background Intelligent Transfer" service in XP and 2003. It's what throttles the bandwidth for automatic updates and the like.

      --
      Not All Who Wander Are Lost
    26. Re:No thanks by Repugnant_Shit · · Score: 1

      Please, the nvidia drivers are 12MB.

    27. Re:No thanks by Overly+Critical+Guy · · Score: 1

      I swear, I'm going to reply to every single moron that posts this who didn't read the article, especially because other morons are modding it up to +5.

      Just *gasp* turn auto updates off. That's right. Optional. Non-issue solved.

      --
      "Sufferin' succotash."
    28. Re:No thanks by redheaded_stepchild · · Score: 1

      That might actually make a lot of sense.
      If they only sent the disks to registered customers, those who had unregistered (unpaid for) copies of Windows would be at a disadvantage.
      Of course, it might rival the size of my AOL cd pile.

      In any case, MS doesn't really have anything to lose by doing it this way. CD's cost little to nothing, and they're (apparently) cheap to mail out.
      If they actually TEST the software first, they could cut their cost significantly.

      --
      Don't use the Troll mod just because you disagree with me.
    29. Re:No thanks by XSforMe · · Score: 1

      Sorry, bud, but in the end, Microsoft is an American company, and will pander to the interests of that country.
      Good to know. I also hope the idiots who design these nasty things do also know that, and will therefore stick to infecting only US IPs. Duuuhhhh!!!

      My condolences, but if you're working for a business that still gets 100% of their net access through dialup, you're rather behind the times, even if you're outside the US.

      What do you know about the state of telcos in other countries? Just curious since you seem eager to disqualify anybody who accesses the net based on dialup. Hell, I bet I can find places in the States where getting broadband is still prohibitively expensive for anything but big corporations.

      --
      My other OS is the MCP!
    30. Re:No thanks by lemody · · Score: 1
      > Some of us are still on dialup ...

      You must be joking :)

      --


      class he-man extends man!
  11. You can do this already by dlur · · Score: 4, Informative

    You can do this already with Windows XP if you set it up to do so. In the system properties go to the Automatic Updates tab and then click on the radio button next to the bottom option, "Automatically download the updates, and then install them on the schedule that I specify".

    Of course you'd have to be out of your gourd to do this regarding MS's history of untested patches. Also I noticed that MS is including driver updates in the critical updates as well (nVidia driver). I've NEVER installed a driver from MS on my computer and every time a customer of ours does it, it seems to totally screw up everything.

    --
    Duris MUD - The best pkill MUD. Ever.
    1. Re:You can do this already by faber0 · · Score: 1

      I never saw device drivers offered on windowsUpdate.com be part of "critical updates" that download automatically.

      But I have seen device drivers downloaded from there screw up the system so I hope the observation above remains valid.

    2. Re:You can do this already by xtermz · · Score: 1

      Of course you'd have to be out of your gourd to do this regarding MS's history of untested patches

      What the hell are you talking about? What evidence do you have to back up this statement? A lot of people are bashing MS for "untested" patches, but nobody has yet to quote an actual "history". So please, humor me with a chronology of bad patches posted by MS.

      --


      I lost my concept of community when my community lost all concept of me.
    3. Re:You can do this already by RealErmine · · Score: 1

      Also I noticed that MS is including driver updates in the critical updates as well (nVidia driver).

      This is just plain false. I've been using the auto-update feature and it has never downloaded an nVidia driver. I would notice when my computer reboots and the resolution is set to default 800x600. For more proof, when I go to the windows update site it lists their nVidia driver as an available download. I agree that the ones MS provides are crap and I update them myself from nVidia.

      --
      Dewey, you fool! Your decimal system has played right into my hands!
    4. Re:You can do this already by Jucius+Maximus · · Score: 1
      "I've NEVER installed a driver from MS on my computer and every time a customer of ours does it, it seems to totally screw up everything."

      Sounds right. I stopped installing drivers from windows update because I've *never* had a case where the "new" driver actually worked properly. Every single time, it broke something or had reduced functionality compared to the one it replaced.

    5. Re:You can do this already by Pxtl · · Score: 1

      I got an SBLive driver from MS Update that fucked over all my sound settings - more problematically, the MS driver lacked 90% of the configuration tools to alter the sound settings. When your front speakers are 10% as powerful as your back speakers, tweaking the sound settings is a must.

      Even after I rejected the patch, it patched again later.

    6. Re:You can do this already by xanadu-xtroot.com · · Score: 3, Informative

      You can do this already with Windows XP

      You can do this with any Win* box that's running IE6-SP1 (with the latest updates). This stuff is installed for you (and no, I haven't noticed an option to stop it from doing so - I'm the admin of a 75 or so MS Shop).

      --
      I'm not a prophet or a stone-age man,
      I'm just a mortal with potential of a super man.
    7. Re:You can do this already by MattRog · · Score: 1

      Yeah, but that's for NT4 which is ancient. Anything with a more recent OS?

      --
      Thanks,
      --
      Matt
    8. Re:You can do this already by Pvt_Waldo · · Score: 1

      Well buddy you must have a little gourd, or you keep playing with it so it's not very solid.

      I've installed EVERY critical update - and never had a problem. Note what I said. CRITICAL update. Those are the ones that fix security holes. I don't care too much about .NET patches, IE6, etc. But CRITICAL updates have NEVER let me down.

    9. Re:You can do this already by Anonymous Coward · · Score: 0

      Drivers are not a critical update. They will not update unless you select them.

    10. Re:You can do this already by Xformer · · Score: 2, Informative

      How about a more recent development tool? eVC++ 4.0 SP2 has problems talking with emulated CE.NET devices, where earlier versions did not. Transferring files to the emulator is kind of necessary if you want to debug something w/o destroying an actual device. I ran into this just last week.

      And, oh yeah, this is on XP with all relevant updates applied (by relevant, I exclude things like fax and game related patches, which mean nothing on this machine).

      --
      All I want is a kind word, a warm bed and unlimited power.
    11. Re:You can do this already by kawika · · Score: 1

      I have a Windows 2000 SP3 Server with MS SQL Server that automatically downloads and installs the patches via Windows Update, and reboots automatically between 3am and 4am on Monday if a patch requires a reboot. This system has been running continuously since SP3 was released last August and I've never had a problem with any bad patches.

      Even though SP4 is now out, the automatic updates process doesn't do SP upgrades automatically. Device drivers aren't installed either. Only the critical security fixes are applied this way, which is probably the exact behavior most people want.

    12. Re:You can do this already by nolife · · Score: 1

      Humor you? People that maintain and patch MS systems for a living *should* have a favorite grouping of mailing lists and forums to follow information like this. If you are truly interested I would suggest you subscribe to the NTBugtraq mailing list for starters. Just because you choose to limit your knowledge to what is posted on slashdot does not mean these things do not exist. Many of the introduced bugs are somewhat small, may not affect more than a small % of the users, and fixed with relative ease but they still exist. Specific to NTBugtraq, if there is a problem, you will normally see a reply within a day or so of the lists announcing the MS patch. The group knowledge is very helpful in troubleshooting and repairing any issues. Very few of the patches cause something major to fail but that does happen also.

      Here are a couple of quick finds from Google. I don't track or keep lists of problems like you are requesting. I do monitor select mailing lists and web sites and take note of things that will directly affect me. These bugs or lack of fixes were a little bigger so they got news coverage.

      NT patch causes other services to fail
      Microsoft patch causes system failure
      Microsoft Knowledge Base Article - 192816
      Super patch fails to fix worst flaw in Internet Explorer
      Microsoft fails Slammer's security test - Not a direct patch failure but describes the complexity of deploying some patches and the side effects.
      Researchers: Newest Microsoft IE patch flawed

      --
      Bad boys rape our young girls but Violet gives willingly.
    13. Re:You can do this already by urmensch · · Score: 1

      Recommended Update for Windows 2000 (822831)
      Download size: 243 KB
      Some driver installation programs don't work on Windows 2000 (W2K) after you install either Critical Update QFE 813044 or W2K Server SP4. The installation does not succeed and you receive an incorrect error that no drivers are available for the device. The %WINDIR%\Setupapi.log reports there are no compatible drivers for the device. After installation, you may have to restart your computer. Read more...

    14. Re:You can do this already by nolife · · Score: 1

      Sorry, that second link should be here

      --
      Bad boys rape our young girls but Violet gives willingly.
    15. Re:You can do this already by Tim+C · · Score: 1

      Also I noticed that MS is including driver updates in the critical updates as well (nVidia driver).

      That is incorrect. My work machine and two of the machines I have at home run XP and have nVidia-based cards in them, and I've not seen nVidia driver updates offered as critical updates on any of them. They're offered in the driver update section, but that is not offered by the AutomaticUpdates tool - that only offers critical updates. Driver updates are also not selected by default in Windows Update, you have to click on the "Driver Updates" link on the left, then select the individual drivers to install.

      In short, in my experience, based on these three machines, there is no way to accidentally or automatically install a driver update.

    16. Re:You can do this already by ManxStef · · Score: 1
      You can do this with any Win* box that's running IE6-SP1 (with the latest updates). This stuff is installed for you (and no, I haven't noticed an option to stop it from doing so - I'm the admin of a 75 or so MS Shop).

      Seriously, you haven't? And you admin 75 boxes?

      Take a look at the "Automatic Updates" and "Background Intelligent Transfer" services (use Group Policy on your server to disable them).

      Or, perhaps a better option would be to set up your own Software Update Services server (SUS) and control the distribution of patches to your boxes, not to mention saving a ton of bandwidth by not letting each client hit Windows Update...

    17. Re:You can do this already by ManxStef · · Score: 1

      Ahh, on re-reading it seems I may have misunderstood? If so, my apologies.

      I'm assuming you meant that there's no way to stop IE6 SP-1 from installing AutoUpdate services on your boxes? Dunno, you could well be right. You might be able to hack the IE6 MSI packages using ORCA, but it'd be tricky and may cause problems down the line. Not to mention that they're installed by default on XP and by the 2K service packs; just disable 'em if you don't use 'em :)

    18. Re:You can do this already by dlur · · Score: 1

      I disagree with your disagreement of me. Here is a link to a screen shot to prove that indeed an nVidia display driver has been offered for certain nVidia chipset graphics adapters as a CRITICAL update on Microsoft's Windowsupdate site.

      --
      Duris MUD - The best pkill MUD. Ever.
    19. Re:You can do this already by dlur · · Score: 1

      I disagree with your disagreement of me. Here is a link to a screen shot to prove that indeed an nVidia display driver has been offered for certain nVidia chipset graphics adapters as a CRITICAL update on Microsoft's Windowsupdate site.

      --
      Duris MUD - The best pkill MUD. Ever.
    20. Re:You can do this already by xanadu-xtroot.com · · Score: 1

      I'm assuming you meant that there's no way to stop IE6 SP-1 from installing AutoUpdate services on your boxes?

      Yea, that's all I was saying.

      Thank you for your other post, though. You sent my mind in a direction or two I hadn't *really* known about (I knew the options were there, but hadn't found enough to go on (or time for that matter... - long story)).

      But yes, that's all I was saying. IE6-SP1 force-feeds you the update stuff. People still just don't even go that far... :-\

      --
      I'm not a prophet or a stone-age man,
      I'm just a mortal with potential of a super man.
  12. Excellent by Cackmobile · · Score: 1

    So when a bad patch comes out, all the Windows PCs in the world will simultaneously crash. I hope it's an opt-in thing. When you first start your PC it can ask yes or no. Regular Joe can press OK but others can say no and do it manually.

    --
    -- Karma Karma Karma Karma, Karma Chameleon - Boy George
  13. brilliant marketing strategy by ctk76 · · Score: 1

    So how are we supposed to know whether it's the worm or the update constantly shutting down your computer?

  14. Thanks to Microsoft's super security... by rainstorm · · Score: 1

    There's no way this new functionality could be buggy and exploited by viruses! ;)

  15. Question by HiQ · · Score: 2, Funny

    How do you know Microsoft is automagically updating your system? I think the fact that it reboots ten times in a row is quite a giveaway...

    1. Re:Question by Anonymous Coward · · Score: 0

      So all of these years, those blue screens were actually notices that my system was patched and better.

      Damn, thanks for clearing that up. I guess M$ is good after all.

    2. Re:Question by BetterThanCaesar · · Score: 1

      Wow, so that's what it was up to last week!

      Well, I for one welcome our new autoupdating overlords!

      --
      "Stop failing the Turing test!" -- Dilbert
  16. In Other News by batkins · · Score: 1

    In other news, Microsoft announces that after the embarrassment of last week's Blaster worm it will begin shipping quality OSes.

    Oh, sorry. I was dreaming again.

  17. automatic updates and ..... by mbennis · · Score: 0

    automatic blue screens of death

  18. As long as there are no automatic EULA changes by jridley · · Score: 4, Insightful

    In the past MS has packaged EULA updates along with software updates. I really wouldn't have too much trouble with this as long as they don't try to push EULA changes along with the update.
    Sure, some people might want to turn it off, but by and large I think there would be less damage with it on. I rarely meet a person who even knows what MS Update *is* let alone have used it.

    I wonder how well this would work on dialup though? It seems like the world is really leaving dialup folks behind. I have cable myself but know a lot of people on dialup either because high speed is not available to them or because they really don't need a fulltime connection, and are getting by just fine on a $5/month dialup plan.

    1. Re:As long as there are no automatic EULA changes by ebuck · · Score: 4, Insightful

      Actually, it seems that an automatic patch installer could totally render EULA updates null and void. This could have the unexpected effect of the owner being bound to the original EULA which may not be available except via original media.

      I can see Microsoft arguing to a court that the use of the software implies that they automatically accept a new EULA with each patch; however, I would be very shocked and dismayed if any court in the US would uphold that you could automatically agree to licensing changes without being at least notified that a change had taken place.

      Microsoft could worm their way around the last part with a pop up window asking you to accept the latest EULA; however, that would be a public relations nightmare, and even though Microsoft is keen to kill off any professional competition, they are not in business to openly defy their users.

      The only way an EULA holds up as legal when not read (if my memory serves me correctly) is that you implicitly agreed to it by opening the box. Automatic EULA updates lack even this token agreement. If the automatic update is turned off by default, you might be seen as "implicitly" agreeing to all future EULAs by turning it on. If it is on by default there's no action to bind you to any sort of agreement.

      Maybe they'll put in a clause, "By agreeing to use this software you agree to all future licensing agreements with respect to this software which will invalidate this agreement", i.e. viral EULA.

      Of course I'm not a lawyer, but if you believe this is sound legal advice, let me write your will.

    2. Re:As long as there are no automatic EULA changes by Jucius+Maximus · · Score: 1
      "I wonder how well this would work on dialup though? It seems like the world is really leaving dialup folks behind. I have cable myself but know a lot of people on dialup either because high speed is not available to them or because they really don't need a fulltime connection, and are getting by just fine on a $5/month dialup plan."

      True. The only reason the Windows boxes at home don't get updated all the time is because we have 6 machines on a home LAN connected to the internet over 28.8 dialup. There is no broadband or even 56K where I live due to POS phone loops.

      The thing about this is that it affects all operating systems. I can't get big updates for linux or MacOS X any more or less easily than I can get windows updates.

      Eventually, it comes to the point where I just go into the university computer lab with a CD-RW, download all the Windows updates and bring them home. If I was a clueless luser running an auto-update-installing version of Windows on several machines on a dialup connection ... well let's just say I would be very very annoyed.

    3. Re:As long as there are no automatic EULA changes by Pvt_Waldo · · Score: 1

      Thanks for your opinion. Legal expert? I didn't think so.

    4. Re:As long as there are no automatic EULA changes by Electrum · · Score: 1

      Actually, it seems that an automatic patch installer could totally render EULA updates null and void.

      Windows EULAs are already null and void unless you sign a contract with Microsoft.

  19. maybe i'm mistaken, but by Anonymous Coward · · Score: 0

    Doesn't M$ already give that option in their Windows updater configuration wizard?

    Besides, I don't believe we have much to worry about. Home users may think this is good, but the corporate world (I hope) should be against it. Just like the Windows activation key type crap to prevent piracy. M$ eventually caved on this. With any luck this will be the same. (God willing, otherwise we'll face another surge of updates to patch vulnerabilities for that stupid feature)

  20. So what's wrong with this? by Eric+Ass+Raymond · · Score: 2, Interesting
    I mean, come on! This article is just a giant honeypot for the unwashed open source masses to bash Microsoft.

    So what is it that you really want?

    Manual updates? "LOLOLOL! M$ users are so stooopid that they can't do even that!".

    Automatic updates? "LOLOLOLOLOL!!! You would let Microsoft to update your systems?! You fool! Why don't you download a Gentoo instead?!"

    Systems that are secure and usable out-of-box? No such thing.

    1. Re:So what's wrong with this? by Anonymous Coward · · Score: 0

      Systems that are secure and usable out-of-box? No such thing.

      Debian? :)

    2. Re:So what's wrong with this? by Anonymous Coward · · Score: 0

      >Systems that are secure and usable out-of-box? No such thing.

      OpenBSD has a pretty good (although not perfect) record on this one.

    3. Re:So what's wrong with this? by Anonymous Coward · · Score: 0

      At least for me, I don't trust M$ to do the right thing. When they say one thing you know there's more going on than Bill's telling you. Fear is what keeps a lot of people from updates... and that is M$'s own fault...

    4. Re:So what's wrong with this? by Eric+Ass+Raymond · · Score: 1
      when they say one thing you know there's more going on than Bill's telling you

      O-kay... and you have examples of these horrifying secrets that "Bill" tried to cover up? Was the Cigarette Smoking Man involved, too?

    5. Re:So what's wrong with this? by resignator · · Score: 1

      Too true... I think from now on I will just skip any article about MS. Too bad they don't have a filter to block quotes from rabid Linux fanbois. I am just as much a fan of open source as anyone (almost every machine I run has a *nix partition) but some Linux users seem to live in a fantasy world. I couldn't imagine being such a hardcore zealot about anything. It just seems wrong and unhealthy... like they are trying to make up for something. Do us all a favor fanbois and pipe down. You scare away more people than you bring to Linux (RTFM?).

      --
      "At first, we thought it was just another snake cult."
  21. boh by Anonymous Coward · · Score: 0

    So what's new about it? Windows Automatic Update already does this for you, and it will install the updates for you, you only need to agree to restart the computer once they are installed.

  22. MSBlaster by fudgefactor7 · · Score: 5, Insightful

    MSBlaster wasn't an embarrassment for MS, but for the lazy sysadmins who, with a month's prior notice and the patch to fix it, were still hobbled by the bug. If people who are in charge of systems and security spent more time patching and paying ATTENTION to things like Bugtraq and less time complaining about MS the world would be safer.

    How is this bug more of a bummer than how gnuftp was compromised and potentially more damaging? Oh, don't hear people moaning about that on here now do you...?

    The tale is telling, is it not?

    1. Re:MSBlaster by batkins · · Score: 1
      For the 1200th time, the gnuftp crack was an *inside job*. It wasn't as if someone released a worm that attacked the gnuftp server (a la Blaster). They were also using wuftpd, which doesn't really make too much sense. The situation would be different if there was a way to root any Linux-based server in the world (much like the Windows RPC bug), but that's not the case. It was *one* machine, running an unusual FTP server. Just one. There's a big difference there, buddy.

      You're probably just a troll, but at least get the facts right.

    2. Re:MSBlaster by inerte · · Score: 1

      The tale is telling, is it not?

      Nope. Home users don't have sysadmins to baby-sit their systems.

      When you have a 90% market share, things differ on scale from one compromised FTP server.

    3. Re:MSBlaster by CerebusUS · · Score: 1

      While it is embarrassing for a system admin to have systems affected by the Blaster worm, the real danger comes from machines that effectively have no admin watching them at all. (i.e. clueless home users) Control a couple hundred thousand zombie machines and you can take down pretty much any target at will.

      This whole article should just get a -1 Troll moderation, as it's already well accepted that the only way slashdotters will be happy is if Microsoft says: "We suck" and quits.

      Personally, I'm for it, as long as they can unify the patching implementation / detection code. Currently there's too many different ways to determine if you have or have not patched a system.

    4. Re:MSBlaster by twelveinchbrain · · Score: 5, Insightful

      You mean lazy sysadmins who, after installing the hotfix necessary to protect from MSBlaster, found that their applications stopped working? The ones who had to spend hours examining trace files to determine the exact root cause, and download several more hotfixes, with a cascade of errors, to get everything working again? Those lazy sysadmins?

      --
      Not Found
      The requested URL /signature.html was not found on this server.
    5. Re:MSBlaster by linuxtelephony · · Score: 4, Insightful

      Or even the few lazy SysAdmins that believed the M$ app that said the patch was installed, or took the time to disable DCOM if they didn't need it, and then found out they were still vulnerable to this worm? Do you mean those lazy SysAdmins?

      --
      . 62,400 repetitions make one truth -- Brave New World, Aldous Huxley
    6. Re:MSBlaster by fudgefactor7 · · Score: 1

      (1) you gotta do your homework, folks. If you just believe that the patch was installed and don't actually check, then you're a fool.

      (2) home users, like it or not, ARE the sysadmin. They must take responsibility for their action or inaction. Failure to patch a system because they didn't know how ("better damn well learn!") or "I'm too busy" or "It's too hard!" is not an excuse. If you can't be reliable enough to patch and to own up to the responsibility then you shouldn't have a computer, let alone one connected to the Internet. All these arguments are just as silly as not wearing a condom when fucking the neighborhood whore, try that, and see what you bring home for the ride.

      (3) It doesn't matter one iota if gnuftp was "inside" or not. It matters that all the data and source was compromised. That's a bigger deal than MSBlaster. The only thing that could trump it would be if MS' inside source repository was similarly compromised. If you can't keep inside security tight, then how can you be trusted to keep outside security tight? You can't.

    7. Re:MSBlaster by _|()|\| · · Score: 2, Informative
      MSBlaster wasn't an embarrassment for MS, but for the lazy sysadmins who, with a month's prior notice and the patch to fix it, were still hobbled by the bug.

      I'm using critical update notification on Windows 2000. I installed a generic critical update the day before Blaster really took hold. The next day, I had six new critical updates.

      That same day, Windows Update on three Windows XP systems showed no updates. When I ran Windows Update again in the afternoon, there were twenty critical updates.

      If the patch has really been available for months, then Windows Update is severely broken. If it doesn't work when I'm actively using it, why would I want it to be automatic?

      The comparison to the GNU FTP site is specious. On the one hand, a million computers were compromised by a worm; on the other, one FTP server was compromised by an insider.

    8. Re:MSBlaster by 4minus0 · · Score: 2, Informative

      How is this bug more of a bummer than how gnuftp was compromised and potentially more damaging? Oh, don't hear people moaning about that on here now do you...?

      Do you not read the newspapers?
      When the GNU ftp site was compromised did it affect any DMVs?
      Did the cracking of the GNU server cause disruption at entire school districts?

      In case you missed it, look here
      or here
      If you follow the first link you'll see that even Cisco's VoIP customers are affected by Blaster, not just Windows users.
      I'd call that more of a bummer than the GNU compromise.

      --
      You've got an easy breezy wind at your back...most of the time.
    9. Re:MSBlaster by Anonymous Coward · · Score: 0

      In answer to these points:

      1. Keep to the thread. Those capable of verifying that a patch was installed don't need the automatic update in the first place. The auto update is being considered because of all those who know how to use the computer but don't know enough about the internals to verify that Microsoft did the job they said they were going to do!

      2. All these arguments are just as silly as not wearing a condom when fucking the neighborhood whore, try that, and see what you bring home for the ride. Do you even know how this worm worked? The users whose systems were compromised did not engage in any risky behavior, they did not open an e-mail attachment or respond to a phony e-mail with their password, hell, some of them read about the problem, did exactly what Microsoft suggested and still got compromised. Much, much different than fucking the neighborhood whore!

      3. It doesn't matter one iota if gnuftp was "inside" or not. No, jackass, it was an "inside job"! Someone connected locally to the server, with privileges not extended to users from the Internet, managed to compromise the server. The MSBlaster worm gained the same level of compromise on systems that were merely connected to the Internet! And MSBlaster still worked after installing patches from M$, turning off the offending services ('cause altho you can turn them off, due to M$'s infinite wisdom they STILL listen on the port) and why the fuck were these kind of LAN-only services active on the Internet connection in the first place?

      You're an idiot! Get back to work Microsoftie!

    10. Re:MSBlaster by Ummagumma · · Score: 1

      Or how about sysadmins who are too overworked to patch every single one of their 100+ field laptops, or 30+ servers, or 250+ desktop machines?

      Or sysadmins who prefer to install the patch on a testbed, and test out the hundreds of different combinations of applications/services/databases with it BEFORE rolling it out to production, as they don't want to take down a critical production machine.

      You've never worked in IT, have you?

      --
      "The natural progress of things is for liberty to yield and government to gain ground." - Thomas Jefferson
    11. Re:MSBlaster by Anonymous Coward · · Score: 0

      It wasn't a month. 3 weeks.

      Do you know what ports are open on your machine? Why did MS leave a port open to the internet?

      And no, you don't hear moaning about gnu ftp being compromised, because my machine isn't rebooting every 5 minutes because of it.

      The tale is that a MS bug has again crippled computer users. It has caused enormous concern and inconvenience. It has cost productivity. People have not been able to use a tool they purchased due to a flaw. Many people.

      If you have to ask how it is more of a bummer than other exploits that have had very limited effect, no effect for most people, you have no clue.

      Derek

    12. Re:MSBlaster by fudgefactor7 · · Score: 2, Informative

      If your IT person(s) can't do the patching on that few a number of computers in the span of a month then, yes, they're lazy. I deal with that number of systems, in MULTIPLE countries, every time there's a new patch/fix. The IT department that you are referring to either (a) is filled with incompetents, or (b) need to hire someone who knows what they're doing.

      ...as they don't want to take down a critical production machine.

      Why would you so foolishly have a production machine open to the Internet? Firewall, anyone? If you can't take that normal of a precaution then you should be fired.

      You've never worked in IT, have you?

      Apparently, I've been doing this longer than you.

    13. Re:MSBlaster by fudgefactor7 · · Score: 1

      The comparison to the GNU FTP site is specious. On the one hand, a million computers were compromised by a worm; on the other, one FTP server was compromised by an insider.

      And how many people downloaded compromised source? How many *nix distros were subjected to compromised source? How many users? One FTP site? No, everyone who touched that site is potentially fucked. It's not just *one*.

    14. Re:MSBlaster by the_olo · · Score: 1

      I've run a scanner from CERT on our corporate servers and discovered that most of them were vulnerable.

      I've pointed out the fact to our sysadmins, and the reply was something along the lines:

      "Yes, we know that, but unfortunately installing W2K Service Pack 2 on a server in the past screwed lots of things up, the application became a mess and we had to install it on unpatched server to get it working, so we don't risk updating anymore."

    15. Re:MSBlaster by Anonymous Coward · · Score: 0

      Applications stopped working? Cascade of errors? Can you show *any* proof this happened in even ONE instance?

      Oh, right, sorry, forgot where I was.

    16. Re:MSBlaster by Anonymous Coward · · Score: 0
      MSBlaster wasn't an embarrassment for MS...
      How is this bug more of a bummer than how gnuftp was compromised and potentially more damaging?

      When was the last time prior to this that the gnuftp site was compromised? How many times can you remember this happening?

      When was the last worm written on MS systems that spread throughout the Internet causing problems? How many times can you remember this happening?

      Therein lies the difference. Everyone can and will make mistakes. But when they continually happen it usually points to something more systemic.

      This is an embarrassment for MS. They chose their path - make the system seem easy enough for any idiot to think they are an expert - but everyone on the Internet has to deal with the fallout.

    17. Re:MSBlaster by Anonymous Coward · · Score: 0

      and the sources of your horror stories can be found where?

    18. Re:MSBlaster by swilver · · Score: 1

      I wonder when people realize just how silly it is that as a computer owner you have to "take action" and keep your system updated all the time so it can't be hacked.

      Most users just want the box to darn well work. They turn on the machine, and want to do something with that machine which they determined before even turning it on -- they don't want to be bothered with stupid programs informing you about upgrades.. that's not what they turned on the box for.

    19. Re:MSBlaster by Ummagumma · · Score: 1

      Of course I'm firewalled. What stops a laptop getting infected at home, and coming into the LAN?

      Did you test this patch out, on all permutations of hardware/OS? With all production applications? Thoroughly? Doesn't sound like it. Sounds like you saw the hotfix, patched all your machines, and hoped for the best. Now, imagine if the patch didn't work as advertised, and your Windows 2000 Server running SQL for the finance department suddenly wouldn't boot? Or SQL wouldn't start up? Not a risk I'm taking, thank you.

      --
      "The natural progress of things is for liberty to yield and government to gain ground." - Thomas Jefferson
    20. Re:MSBlaster by Overly+Critical+Guy · · Score: 1

      Right. Those lazy sysadmins who didn't have all critical hotfixes installed in the first place. I assume you're talking about yourself, which tells me you need to lose your job.

      My network went 100% untouched. Automatic Updates is installed and works perfectly. Not a single app has ever stopped working.

      People here just need a scapegoat, and that is usually Microsoft. It's a jealousy thing ("everyone uses them because they're FORCED to!!!").

      --
      "Sufferin' succotash."
    21. Re:MSBlaster by repetty · · Score: 1

      "Do you not read the newspapers?"

      I can't believe that you asked that question on Slashdot.

      --Richard

  23. NO way by p51d007 · · Score: 1

    I for one will sever my using Windows if they don't at LEAST tell you with a yes/no prompt that a service patch needs to be installed. I don't have a problem with a pop up message telling you that there is a service patch available, would you like MS to install it, but, if it were completely behind the scenes, I'd have to say NO. I don't put all the patches/updates in, because most have to do with outlook express and IE, BOTH of which I do not use, so why would I want to choke my ISP by installing useless stuff? At least give us the option of saying no.

  24. Great!!! by jbelcher56 · · Score: 1

    They sure as hell better come up with a better solution than what they do now! It would really be nice if they would release patches that don't crash your system. Last time I tried to patch one of our servers, it "upgraded" some system files and wouldn't allow me to reboot (BSoD). Thank good for Google, since the knowledge base didn't have the answer on how to fix that "added feature." JB

    --
    Don't get off the boat. Absolutely, goddamn right.
  25. No no no... by MP3Chuck · · Score: 1

    I'll dress myself, thanks Clippy.

  26. What About RedHat? by DiS[EnDeR] · · Score: 1

    Doesn't RedHat 9 have this functionality already? I'm not running it myself, but I'm sure my boss just touted this feature.

    --

    Harder.. Better.. Faster.. Stronger
    1. Re:What About RedHat? by aldoman · · Score: 1

      It's not at all automatic. Maybe there's a setting but on my RH9 boxen it just gives you a tick if you are updated, an exclamation mark if you need updated and a ? mark if your inet is down or your RPM database is b0rked.

  27. ObGates-of-BorgReference by DCheesi · · Score: 2, Funny

    Resistance is futile, you will be patched...

  28. EULA? by saintjab · · Score: 1

    And who will pay expenses when the system kills a critical server in our organization? Who is responsible for damages when these packages explode? I'm not trolling at all, I'm very serious. I support a lot of Windows servers, and I know very well the damage that a service pack or hot fix can cause. This will be just one step closer to making people understand just how much MS wants to control everything. This is a ridiculous solution to a problem they are not willing to correct. They should worry less about patching my servers (leave that to me) and worry more about producing code that is not vulnerable.

    --
    "Reality is a crutch for people who can't handle drugs" - George Bernard Shaw (1856 - 1950)
  29. Oh great by Anonymous Coward · · Score: 0

    I have enough problems with spyware and adware on my PC, now I have to deal with M$ bullshit also? KEEEERIIIST!!!

    Now I can probably have some one from Lavasoft make a new program to complement Ad-Aware--MS-Aware and keep those pesky service packs from coming.

  30. Not so bad by Raven-sama · · Score: 1

    This may seem like a bad idea to most people, but I mean when you think about it, with how often patches are released from Redmond, it's almost necessary.

    Obviously you would have to enable this feature yourself, and you would have to have access to a list of any major changes that had been made to your system via this automation.

    Still, on the other hand, with the DDOS attack against windowsupdate.com and the possibility of it serving trojaned files, this could still be a problem. It all depends really.

    The obvious solution is for Microsoft to make Windows more stable and less vulnerable... naturally we've had to come up with more viable options!

  31. anyone remember tivo? by chef_raekwon · · Score: 1

    the problem with the automatic updates, is that the functionality of software could change overnight, depending on who makes the changes. maybe Microsoft decides one evening that they don't like having a 'Start' button, and decide, for the good of the world, that it will now say 'Stop', and will be in the upper left corner, instead of lower left....

    the point is -- no one could stop it, and would be stuck with the change, even if the change wasn't desired or warranted....

    --
    We're like rats, in some experiment! -- George Costanza
  32. Bye Bye Bruce by kindbud · · Score: 4, Funny

    "I have always been a fierce enemy of the Microsoft update feature, because I just don't like the idea of someone else -- particularly Microsoft -- controlling my system," said Bruce Schneier, co-founder of Counterpane Internet Security Inc. "Now, I think it's great, because it gets the updates out to the non-technically savvy masses, and that's the majority of Internet users. Security is a trade-off, to be sure, but this is one trade-off that's worthwhile."

    And that concludes our evaluation of Counterpane's security consulting services. Have a nice day. Don't let the door hit you on the way out, Bruce.

    --
    Edith Keeler Must Die
  33. Don't they already have that option? by pented_rage · · Score: 1

    I think here the main problem is Home Users, many are not aware of windows update and more rarely use it. They already have the option in the "auto update" to automatically download and install updates, perhaps this should be a "default" for home users? (of course those of you who know more about your system could easily disable it) This might also make M$ think twice and actually double test their updates before they get released? (maybe? hopefully? or unlikely?) What's the biggest threat to Computer systems? the user or the software? (I lean towards the user)

  34. Yeah, this will work nicely! by zonix · · Score: 1

    Just tried the KB823980 (DCOM thingy) security patch ...

    Before you install this update, we recommend that you:
    - Update your system repair disk
    - Back up your system
    - Close all your programs

    So how will they accomplish that in the middle of a user session?

    z
    --
    What would an EWOULDBLOCK block, if an EWOULDBLOCK could block would? -- me
    1. Re:Yeah, this will work nicely! by erasmus_ · · Score: 1

      Well, backing up system state can definitely be done to disk, and closing all programs is very easy for the OS to do (hmm, unless you have an unsaved document, oh oh). Updating your system repair disk can be done to an image as well, which can be written to an actual floppy at some later point.

      Anyway, the update can be downloaded and installed, and then the user can be required to do all these tasks before the system is rebooted. Heck, bring up a wizard for all 3 to make it easy so that the user is not forced to go through it manually. There are definitely ways of making it easy.

      --
      Please subscribe to see the more insightful version of th
  35. A few things Microsoft needs to do... by forsetti · · Score: 5, Interesting

    1) WindowsUpdate needs to become MicrosoftUpdate. This would scan and offer patches for all MS software (OS, Exchange, SQL, IIS, Office, Visual Studio, ....). Also extend SUS to do the same.

    2) Critical Update notification should be done the way OSX does it (with a little configging) -- instead of a tiny little innocuous icon in the system tray, put an obnoxious pop-up in the middle of the screen, with a big "Go Ahead and Install" button, with lots of skull & cross-bone icons.

    3) Create patches using their own packaging structure: MSI. This allows for much simpler deployment and management, via Active Directory. No need to pay for SMS simply for patch deployment.

    4) Supply MUCH MORE documentation to end users, discussing the importance of keeping one's machine patched.

    5) Stop producing such buggy software! =}8v)

    Just my $0.02 ...

    --
    10b||~10b -- aah, what a question!
    1. Re:A few things Microsoft needs to do... by Anonymous Coward · · Score: 0

      Parent mentioned OS X

      Attention Moderators..
      HURRY, MOD THIS UP as +1 interesting..

    2. Re:A few things Microsoft needs to do... by blibbleblobble · · Score: 1

      "WindowsUpdate needs to become MicrosoftUpdate. This would scan and offer patches for all MS software (OS, Exchange, SQL, IIS, Office, Visual Studio, ....). Also extend SUS to do the same."

      Wouldn't help those of us who run MS Visual Studio in Linux...

    3. Re:A few things Microsoft needs to do... by Anonymous Coward · · Score: 0

      Apparently you don't use SMS correctly. It can do a lot more than just distribute patches. We already run SUS at work for patches. We have "real" work for SMS to do.

    4. Re:A few things Microsoft needs to do... by Lord+Kholdan · · Score: 1

      4) Supply MUCH MORE documentation to end users, discussing the importance of keeping one's machine patched.

      Problem: People don't read the documentation.
      Fix: Write more documentation.
      Uh-huh?

      The thing is that an OS is a product.
      Product should do what people want it to do.
      People want their product to be secure without having to waste their time doing anything about it.

    5. Re:A few things Microsoft needs to do... by delus10n0 · · Score: 1

      Regarding #1, Microsoft already makes the "Baseline Security Analyzer", a free product that will scan your computer (or computers on a domain, or an IP block) for updates to IIS/SQL/Windows/Exchange, and ensure security is properly setup on them. Pretty slick little program. It's available here.

      --
      Not All Who Wander Are Lost
    6. Re:A few things Microsoft needs to do... by forsetti · · Score: 1

      I use MBSA extensively on my servers, but it does nothing more than alert you to a problem. As a sys-admin, that is fine. But a home user needs something that gives the option to fix all of those problems.

      --
      10b||~10b -- aah, what a question!
    7. Re:A few things Microsoft needs to do... by delus10n0 · · Score: 1

      You were asking for:

      1) WindowsUpdate needs to become MicrosoftUpdate. This would scan and offer patches for all MS software (OS, Exchange, SQL, IIS, Office, Visual Studio, ....). Also extend SUS to do the same.

      The typical home user is not going to have Exchange, SQL, IIS or Visual Studio running on their box. The Baseline Security Analyzer is meant to identify problems so that you, as an admin, can administrate and fix them.

      --
      Not All Who Wander Are Lost
    8. Re:A few things Microsoft needs to do... by Webz · · Score: 1

      How do you run Visual Studio on Linux?

    9. Re:A few things Microsoft needs to do... by forsetti · · Score: 1

      Definitely true -- the home user will not be running enterprise software. However, Microsoft has created a general purpose OS, used as both Workstation and Server, in large and small environments. This single OS is used in many many ways, with many different types of Microsoft supplied software, in many combinations.
      To cover all possible combinations -- a home user *might* be running Visual Studio, or IIS -- a single "audit and patch tool" that covers the full range of Microsoft products is necessary.

      --
      10b||~10b -- aah, what a question!
    10. Re:A few things Microsoft needs to do... by delus10n0 · · Score: 1

      While I hate to keep debating this.. :)

      If you are running IIS, WindowsUpdate will find patches for it. But like you said, a general purpose "find and patch" tool would be pretty useful, for everything.

      --
      Not All Who Wander Are Lost
    11. Re:A few things Microsoft needs to do... by blibbleblobble · · Score: 1
      "How do you run Visual Studio on Linux?"

      If you have Wine installed, just right-click on it in Nautilus, and select "open with... wine". Wine will display a green/black window telling you it's *trying* to open the file, then visual studio will launch.

      Wine is included as standard in most Mandrake/Debian/whatever distros, or you may need to ask your computer to install it (rpmdrake, or some similar program).

      Command line is like:
      /usr/bin/wine.bin "/mnt/windows/Program Files/Microsoft Visual Studio/vb/vb6.exe"
      Help files don't seem to work (use msdn.microsoft.com), but most other stuff seems to.

  36. Macs & why they may/may not be affected by adzoox · · Score: 1
    I'm sure this will get said time and again in this thread, but why wouldn't someone be able to spoof the "update server" and get people to download a virus directly..... heck that's worse than an emailed virus!

    I have always disliked a software update feature. Since I use Macs, while the software update control is nice and very convenient (also much less likely to be hacked) I think that if someone WANTED to they could spread a virus through the system of Mac Users much more widespread than Windows users because of the inherent naivety/novice of a Mac User.

    "A Security Update to the Network Control Panel" for example

    That said, I also think the Mac web is great and would INSTANTLY pick up on it within a few hours and post to dozens of websites, whereas Windows users have to hear from some paranoid or a "too late" IT staff.

    --
    Yell & scream & rant & rave... it's no use... you need a shaaaave ~ Bugs Bunny
    1. Re:Macs & why they may/may not be affected by Firefly1 · · Score: 1
      ... the inherent naivety/novice of a Mac User
      And there's proof of this, I take it. Interesting, considering that the same label has been applied to lots o' Windows users...
      --
      - White Knight of the Order of Mihoshi Enthusiasts
    2. Re:Macs & why they may/may not be affected by Anonymous Coward · · Score: 0

      Yes, I run a VERY large local Apple Consulting business... the average customer of a friend's PC consulting business seems beyond the novice as the average Mac user seems to me.

  37. what? by Datasage · · Score: 1

    Windows already has the ability to download and install patches automatically. But not many people allow windows to be set to that setting or don't know about it.

    But I'd rather know when it's about to install a patch. That's the setting I have mine set to.

    --
    In America we are imprisoned by our fear of them.
  38. I can see their point... by thebruce · · Score: 2, Interesting

    The main problem is people not knowing, or not caring about patching or updating the problems. This isn't something that's directly manageable by MS. With an OS so widely used, how can updates be ensured to be installed on everyone's machine to stop spreading of viruses and exploits?

    Some will say the user should have the choice... ok, so half the people who couldn't care less will still allow the spreading of the problems...

    Some will say automatic background updating is the only solution... ok, so the majority of people still using low speed connections will bog down their systems, let alone major networks suddenly pulling huge bandwidth when every machine receives the command to update simultaneously...

    And some still complain that even if the update is pushed and you need to say yes or no, it's still infringing on your privacy your own system...

    Is there any way to implement a global, trustworthy, reliable patch service that is accepted by everyone? If not, there's no way to stop the virus spreading, work generating underground from having hay-days at the world's expense...

    And this goes for any OS, not just Windows...

    1. Re:I can see their point... by thebruce · · Score: 1

      bah, that "virus-spreading, worm-generating underground, from having hay-days at the world's expense" :)

  39. Bad Idea. by asdfasdfasdfasdf · · Score: 4, Insightful

    Microsoft is also considering whether to make the Auto Update mandatory earlier, through an interim upgrade known as a service pack.

    This is a huge mistake. Talk about a support nightmare. I recently spent several hours trying to find out why my machine was freezing intermittently, only to find that Update 811493 was to blame. I uninstalled it and everything worked perfectly-- if they make it mandatory, and have a similar problem what do we do? (Switch to Mac or Linux, right?)

    For the record, there's still no way to tell Microsoft I NEVER want this update. If I use "auto update" at all it downloads it and wants to install. So, now I'm stuck using manual update or my machine might freeze up again.

    Just great.

  40. HA! Yah ..that's it. by loconet · · Score: 1

    Would you trust this guy with your computer like that? HA! yah right..Look at that smile, pure evil I tell you.

    --
    [alk]
  41. Great by Henry+V+.009 · · Score: 2, Insightful

    Most people are in far more danger of their computer being destroyed by a virus than they are of it being damaged by an automatic update.

    If you think this is a bad idea, then you don't realize just how stupid the great mass of computer users are. I'm sure Microsoft will make this in a way that will allow anyone who knows what they are doing to turn this feature off. But it will kill viruses and worms that exploit windows holes, that's for sure. I can't recall one that's come out in years where the patch hadn't already existed, but that users were too stupid to download.

    Besides, I'm sure that recent power outages spooked Microsoft for at least a few moments. They thought: Could this have been a computer problem? Not even Microsoft has that kind of money were it to be found liable.

  42. Will Microsoft then fix everything they broke? by Anonymous Coward · · Score: 0

    Will Microsoft then fix everything they broke when they applied the patch? If Mr/Ms Home User isn't tech savvy enough to apply the patch I rather doubt they are up to cleaning up the inevitable mess that Microsoft will create.

  43. Um...Microsoft already has this feature by miroth · · Score: 1

    MS already has an automatic update option for those who choose it in the Automatic Updates control panel applet.

    Users can choose to be notified when updates are available, they can be notified when they've been downloaded and are ready to install, or they can just have Windows download and install the updates automatically.

    This isn't really news.

  44. Big deal by flicken · · Score: 2, Informative
    Debian (and other distros) have allowed* you to do this for years.
    # cat /etc/cron.daily/apt-get
    #!/bin/sh

    apt-get --yes --quiet update
    apt-get --yes --quiet upgrade
    Presto! Automatically download and install all system updates.

    * NB: allowed, not required---it's your choice.

    --
    20 mil and I will! Learn Esperanto with 20M others.
  45. ok.... by jeffy124 · · Score: 1

    Yikes! Can I at least press 'Ok' first?

    That's one of the major problems. Windows has had an auto-update notifier for some years now. It checks windowsupdate regularly, and if a new critical patch is available, a dialog box asks if you want to download it. Most people have optioned to not do so.

    IIRC, WinXP gives the option to make it download a critical patch without asking, but that's turned off by default.

    --
    The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
  46. so what happens? by Grydon · · Score: 1

    So what happens if the auto updating feature gets compromised somehow? Seems like the best way imaginable to spread a virus.

  47. Put the blame on the ISPs where it belongs. by nlinecomputers · · Score: 0, Troll

    Isn't it about time that we put the blame where it really belongs? On the damn ISPs! If we had decent email scanning and blocking of useless ports this shit wouldn't happen so much. Why does joe six pack need a port 135 open anyway? If you need the port you should ask to have it open otherwise most ports should be filtered by ISPs by default. Do that and hold ISP responsible when obvious viruses pass through the smtp server and we wouldn't have a damn virus/worm problem.

    --
    Slashdot, home of supporters of free software, free music, and free speech. Except for Moderators that disagree with you.
  48. Yay! by Rinikusu · · Score: 1

    Now, just compromise the automatic-update machines, install trojan on updates, and
    "Arise, my children! SkyNet is BORN! ph33r m3!"

    --
    If you were me, you'd be good lookin'. - six string samurai
  49. As long as by rczyzewski · · Score: 1

    ...I can disable it for my corporate environment. Don't want my computers breaking from poor updates.

  50. how would this be described ? by andy666 · · Score: 0

    "Bill Gates wants to put his worm in your box"

  51. All updates? by sc00by2 · · Score: 1

    I'm not necessarily for Automatic Updating, but it isn't such a bad idea. Working as a Security Officer for a web hosting company, this would sure make my life easier. The question is, would ALL of M$'s patches be self-installed, or simply ones they find so critical, that they need to resort to mass emailing. A graded system would be nice, perhaps tied into DShield; whereby as the threat increases, the possibility of self-installation increases.

    !.sig

  52. Re:Breaking news! UN bombed! by Anonymous Coward · · Score: 0

    If you want real news, read fark. If you want stupid linux shit, read slashdot.

  53. Perspective by mukund · · Score: 5, Funny

    if (company_trusts_microsoft_code())
    {
    use_windows_OS();
    allow_auto_updates();
    }
    else
    use_some_other_OS();

    /*
    junk code

    bitch();
    moan();
    flail_arms_wildly();
    */

    --
    Banu
  54. RE: Automatic Updates? by seamustheshark · · Score: 1

    I particularly like the bit "What we're finding now is that through a combination of the availability of broadband...." and the lovely "...not just by downloading the patches for them but installing them as well."

    What about us poor saps who can't get Broadband? In the "rural" part of England where I currently live (13 miles from the centre of the sixth largest City in the UK) I can't get Broadband, and BT tell me my telephone exchange will probably *never* be upgraded! Also, the Cable Companies are all broke, so no luck there...

    So, how would this help me if I had a Win box, and required 30+MB of patches every month? My internet connectivity is a dial-up connection, with a two-hour cut-off (quite normal for UK ISP's) so no help there.

    Hang on - phew! just remembered - my Red Hat boxes, although needing occasional patching, give me the option to download the patches from elsewhere via FTP (like using a leased line at work!) and then burn them on to CD to run on my RH machines at home! I'm saved!

    If only MS were so willing for us dumb-old home users - who, I believe, were hardest hit by Mr. Blaster and friends. Kinda reminds me why I don't use Windows on my home machines now....

    --
    -- Seamus
  55. People not technology by hal9000(jr) · · Score: 1

    Automatic updates aren't the answer and you can bet that enterprises will rebel against it. There is already an auto-update feature that allows users to configure how updates are processed. Either never getting the update, downloading but not auto-install, and auto-download and auto-install. That is more than enough.

    End users have to become responsible to keep their systems up to date. Keeping up to date is not Microsoft's problem.

    For companies, they have to get better at updating remote computers and there is already a cottage industry evolving around patching. But companies also need to have procedures for allowing remote computers to access the internal network.

  56. This is indicative of proprietary problems by rebeka+thomas · · Score: 0

    This is the same story over and over again from Microsoft.

    The entire industry of proprietary software is based on control. A company or companies wish to have you pay them money, while they retain control over the entire product. You merely pay them more, continuously, for the use. And when it comes to major bugs in software updates, the "you will pay" philosophy will come to mean more than just cash.

    There is no other way to have a safe and reliable system, no matter what the coding ideology behind it, than to have educated sensible users. It's simply not going to improve without that base.

    The advantage to OSS of course, is that those educated users can do more with their systems. You're restricted under Windows or MacOS for example, to what those companies wish for you.

    --
    RST
  57. Yawn. "Keep my computer up to date" by Ayanami+Rei · · Score: 3, Informative

    Circa Windows 2000, service pack 3.
    By default, this already happens.

    The story here is that Microsoft backed off when privacy groups thought this was a crummy idea (especially with the EULA of SP3 and XP SP1, big-brother visions abound).

    Now they are saying they'd consider giving you more control over this, and to, by default, accept security-relevant patches in this manner by default.
    Also, (big item), they'll ship the machines with the firewall enabled. That alone is probably the best idea they've adopted under recent community pressure.

    --
    THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
  58. Re:Breaking news! UN bombed! by Anonymous Coward · · Score: 0
    If you want stupid linux shit

    Heh. That's the most insightful line on Slashdot so far today.

  59. Brilliant Move by gregarican · · Score: 1

    I think this is smart business. Next I want my red stapler back and my upstairs cubicle. Thanks, Milton from "Office Space"

  60. Holy Twisted Logic, Batman! by tds67 · · Score: 1
    The company is "looking very seriously" at requiring future versions of Windows to accept automatic software fixes unless the user specifically refuses to receive them, said Mike Nash, corporate vice president of Microsoft's security business unit.

    How can Windows be required to accept updates if the user can tell it not to? Somebody please enlighten me on the meaning of the word "required".

  61. big IFF... by *weasel · · Score: 1

    IFF (if and only if)...
    they stuck to -security- patches
    and those patches didn't break common configurations (anti msblaster didn't work on 2k sp2)
    and there was user consent 'no, i dont want this particular patch for whatever reason'
    and an opt-out a la 'never ask me again'.

    then
    i wouldn't see it as a bad thing, being on by default. maybe not turned on, on 'Server' installations, but certainly reasonable (given the above assumptions) for home installations

    face it - automatic updates is how antivirus software works by default, more often than not.

    users just can't be bothered to proactively look after their own gear.
    and no matter how well you test - eventually you -will- have bugs, potential security issues, etc. these patches need to be distributed, and right now that isn't happening.

    full-on autoupdate of drivers, service packs, compatibility patches, extensions, etc should remain very separate.

    but of course, we all have a good idea how likely the 'If's are.

    --
    // "Can't clowns and pirates just -try- to get along?"
  62. This auto install bs... by Anonymous Coward · · Score: 0

    is exactly why they can't seem to control a little virus. They give insecure programs the rights to do anything to your machine it wants.

  63. Don't do windows. by Anonymous Coward · · Score: 0

    I don't do windows. You shouldn't either.

  64. Ideas for auto-up by jamienk · · Score: 3, Funny

    * Check for warez/serialz -- disable them and alert the vendors. Vendors can subscribe to "MS Auto Alert" program.

    * Check for downloaded MP3s (from a database of known MD5s) -- disable them and alert the record distributors. RIAA can subscribe to "MS Locked Tunes" for service.

    * Check for P2P programs -- disable them and alert local gov't authorities. Gov'ts can give big grants to MS for this as part of their "Anti-Terror-and-Pro-Business-Computers" bill.

    * Check for web/ftp/irc servers -- disable them and alert ISP as to uploading violations. ISPs can join the "MSN One-Stream" network.

    * Check for NAT -- disable and notify ISP... part of the push towards "MS-IPv6-PLUS!"

    * Check for competitors' products (DRDOS, Java, Mozilla, OpenOffice, etc) -- disable them and alert user that their software was incompatible with the latest service pack. This one is free for end-users!

    1. Re:Ideas for auto-up by Anonymous Coward · · Score: 0

      Hahaha.. I think the chinese people might probably have the last laugh about your "ideas" ;-)

  65. No confirmation! by Bill,+Shooter+of+Bul · · Score: 1

    Can I at least press 'Ok' first?

    No, then it wouldn't be automatic. If microsoft owns the software and users just have permission to run it, then by the eula they could legally do this now. Actually, I think it would be a really good idea for critical updates for microsoft's software and microsoft's software only. Many times the driver updates they have on windows update for my computer are not the correct ones. I would be very upset if those were automatic.

    --
    Well.. maybe. Or Maybe not. But Definitely not sort of.
  66. Already exists by jpnews · · Score: 1

    Aren't there already tools for administrators to rollout patches en masse? Seems like we made use of that during the deployment of Windows2000, for that matter.

    If that's all MS is "considering," well we all know what that means. That's a trial balloon floated to see what the reaction will be. But it sounds like MS wants automatic patching on every desktop. Good christ on a fucking biscuit! They get targetted one week and the next they want every system to be identically compromised!?

  67. I thought we couldn't trust them by Anonymous Coward · · Score: 0

    A few months back microsoft advised that you do not trust microsoft certificates. Now they want to do automatic updates without any verification by the user? That's scary!

  68. Good for home users by martingunnarsson · · Score: 2, Informative

    I think this is great, most Windows-users don't know what Windows update is anyway. Of course it should only distribute critical updates.
    You can already have Windows download and install the most important updates on its own. I have this feature enabled on an internal webserver at work, and it works very well. It downloads the patches as they become available, then it installs them at 3 AM when there's no one visiting the server anyway.
    Corporate users probably don't want a feature like this though, if a fix breaks the most critical business application, it's better to not apply it at all. They would be better off with an internal Windows update-server that only hosts the patches that have been OK'd by the tech department. This feature is already available as well.

    --
    Martin
    1. Re:Good for home users by Fweeky · · Score: 1

      What constitutes a "Critical Update"? I'm running the very latest WHQL nVidia drivers (4523); yet Windows Update has "NVIDIA display software update released on May 02 2003." in the critical updates section.

      All these resources.. they can't even get this right. *shudder*.

  69. Service Packs by Ratbert42 · · Score: 4, Interesting

    Anyone remember NT4 Service Pack 6? The first one? The one that broke tcp/ip?

    1. Re:Service Packs by gregarican · · Score: 1
      I can see the automatically pushed updates now. One day get Micro$loth Blah Blah 4.0 Update. Then two days later Micro$loth Blah Blah 4.0a Update.

      When they screw up they just change the name. Like Ford Pintos metamorphosizing into the Ford Escort.

    2. Re:Service Packs by nuser · · Score: 3, Funny
      Anyone remember NT4 Service Pack 6? The first one? The one that broke tcp/ip?

      Can you imagine the consequences?

      1.Get auto patched.
      2.No TCP/IP so get disconnected from net.
      3.Reinstall OS
      4.GoTo 1.

      Familiar statistic restated - 90% of the world's useful computers don't run windows!

    3. Re:Service Packs by Overly+Critical+Guy · · Score: 1

      NT4 is old, old, old. Anyone who still uses that piece of crap is already risking it.

      I'm being a little facetious, but also a little serious! At least upgrade to something that even most Slashdotters like such as Windows 2000.

      --
      "Sufferin' succotash."
    4. Re:Service Packs by Anonymous Coward · · Score: 0

      So you are suggesting that nothing like this could EVER happen to Windows 2000?

  70. All Your Box Are Belong to US by rssrss · · Score: 1

    Pathetic Earthlings!

    All Your Box Are Belong to US

    --
    In the land of the blind, the one-eyed man is king.
  71. Future vision! (tm) by Dark+Lord+Seth · · Score: 1
    Can I at least press 'Ok' first?

    The following patch will do the following to your system:

    • Fix MBR by reinstalling Windows bootloader.
    • Find and delete all non-FAT/non-NTFS filesystems to clear up HD space
    • Remove viral software which is incompatible with the Microsoft Certified Licensing Scheme (MSLS)
    • System wide deletion of any files which might or might not violate copyright. This legal safety feature has been brought to you by the RIAA and MPAA.
    • Installation of peer-to-peer network. This system will take a modest 80 (eighty) gigabytes for usage by the Microsoft Peer-to-peer Hosting Services.

    Ok - Ok - I'm Bill's towel boy, spank me please and install the patch!

  72. Good idea: EULA will save us by thatguywhoiam · · Score: 1
    In the past MS has packaged EULA updates along with software updates. I really wouldn't have too much trouble with this as long as they don't try to push EULA changes along with the update.

    Actually that is an excellent point, as no matter how 'automagic' they want their updater to be, at some point, knowing MS, they will want to flash an updated EULA agreement across your screen so you can actually, you know, agree.

    I don't think I'll agree.

    Unless they do something sneaky, like 'by clicking the Start button you agree to all EULAs sent by Microsoft'... in tiny type the same colour as your desktop, of course...

    --
    If Jesus wants me it knows where to find me.
  73. Could be a bad idea... by chosen_my_foot · · Score: 1

    I remember at the end of the summer I used MS's little auto updater thing to install a patch that killed my network connection. MS reported a week later that it was a "minor problem", but the patch could disable networking on a "few systems". It was really fun, because had I not remembered System Restore, I would have had to wait a week or so for MS to release a fix for the patch, a double patch if you will. Can you imagine opting in when you maintain hundreds of systems, only to have your networking killed by said update?

  74. morons surrounded buy greed/fear based execrable by Anonymous Coward · · Score: 0

    liars & touts & shills, 0 my. & now, another terabyte or 2 of billonlyus payper liesense ?pr? ?firm? generated drivel, from robbIE's 'sponsors'. yuk. does any of this really matter, as the greed/fear based walking dead execrable huddle/hive in their bunkers? we DOWt it.

    what does matter? why the planet population rescue effort of course. tell 'em robbIE.

    of course that's off topic, as the hobbyists are the total opposite of the phonIE payper liesense corepirate nazis.

    you gnu/software folks are to be commended. we'd be nearly doomed by now without y'all. the check's in the mail again.

    meanwhile... for those yet to see the light.

    don't come crying to us when there's only won channel/os left.

    nothing has changed since the last phonIE ?pr? ?firm? generated 'news' brIEf. lots of good folks (on all sides) are being killed/mutilated daily. if anything the situations are continuing to deteriorate. you already know that. so whoisit that gives a fud about the latest scammage from the evile kingdumb?

    the posterbouys for grand larcenIE/deception would include any & all of the walking dead who peddle phonIE stock markup payper to millions of hardworking conservative folks, & then after stealing/spending/disappearing the real dough, pretend that nothing ever happened. sound familiar robbIE? these fauxking corepirate nazi larcens, want us to pretend along with them, whilst they continue to squander yOUR "investmeNTs", on their soul DOWt craving for excess/ego gratification. yuk

    no matter their ceaseless efforts to block the truth from you, the tasks (planet/population rescue) will be completed.

    the lights are coming up now.

    you can pretend all you want. our advise is to be as far away from the walking dead contingent as possible, when the big flash occurs. you wouldn't want to get any of that evile on you.

    as to the free unlimited energy plan, as the lights come up, more&more folks will stop being misled into sucking up more&more of the infant killing barrolls of crudeness, & learn that it's more than ok to use newclear power generated by natural (hydro, solar, etc...) methods. of course more information about not wasting anything/behaving less frivolously is bound to show up, here&there.

    cyphering how many babies it costs for a barroll of crudeness, we've decided to cut back, a lot, on wasteful things like giving monIE to felons, to help them destroy the planet/population.

    no matter. the #1 task is planet/population rescue. the lights are coming up. we're in crisis mode. you can help.

    the unlimited power (such as has never been seen before) is freely available to all, with the possible exception of the aforementioned walking dead.

    consult with/trust in yOUR creator. more breathing. vote with yOUR wallet. seek others of non-aggressive intentions/behaviours. that's the spirit, moving you.

    pay no heed/monIE to the greed/fear based walking dead.

    each harmed innocent carries with it a bad toll. it will be repaid by you/us. the Godless felons will not be available to make reparations.

    pay attention. that's definitely affordable, plus you might develop skills which could prevent you from being misled any further by phonIE ?pr? ?firm? generated misinformation.

    good work so far. there's still much to be done. see you there. tell 'em robbIE.

  75. And when the patches don't work...? by Sudderth · · Score: 1

    CSO has a story claiming that patching just doesn't work as a security solution: there are too many vulnerabilities, and the patch creation and implementation process creates new vulnerabilities. For example, the article cites Microsoft's release of a nonsecurity hotfix for SQL Server -- which could reopen servers to the Slammer worm.

    I was just talking about Blaster last night with one of the guys interviewed in the article. His solution is centralized patch management -- installing client software on his ten thousand boxes that checks whether a patch that he's approved for distribution has been installed yet, and either installing overnight or warning the user that the machine will be downloading, applying and rebooting soon -- save your work.

  76. Money down the drain... by tlianza · · Score: 1
    A friend of mine works at a local computer retail store. They made a fortune last week with people bringing in their infected computers and charging to have them patched and/or have the virus removed. I think it was like $40 just for them to install the patch, and $100 if they already caught the worm and needed it removed.

    Talk about easy money! I personally would rather see my mother get automatic updates than be duped into spending this kind of money to have her computer patched (not that she would, but many mothers probably would).

  77. Re:Breaking news! UN bombed! by Anonymous Coward · · Score: 0

    Whoever did this, I wonder if they have a branch in the NYC.

  78. This isn't terribly different from now... by Sutekh-Acolyte · · Score: 1

    Automatic Updates is a feature that Microsoft already implemented. True, they won't install for you if downloaded automatically, but that's just another feature that could be added.

    There's always been the option to not use Automatic Updates. I, for one, hate that system- and connection-slugging feature even with high-end hardware on a high-speed connection. So I disabled it, and I don't download the Automatic Update updates from WindowsUpdate.

    What makes you think that Microsoft won't let you choose to not use Automatic Updates? The difference may be so subtle as to simply ask upon installing Windows XP SP2 (or Longhorn, for that matter) whether or not to activate Automatic Updates. I wouldn't doubt that you'd also be able to customize it to download but not install.

  79. What if your update messes up auto-update? by winkydink · · Score: 2, Funny
    So, let's assume that Microsoft implements this functionality of "forced" automatic updates. What happens if they accidentally push out an update that messes up the ability to automatically update?

    It's like the old joke:

    What's the difference between a light bulb and a pregnant lady?

    You can unscrew a light bulb.

    MS had better make very sure their functionality is more like a light bulb than a pregnant lady. :)

    --

    "I'd rather be a lightning rod than a seismometer." -Ken Kesey

  80. Yes, you can click OK first by Junior+J.+Junior+III · · Score: 1

    You click OK to the EULA that allows you to use Bill Gates's computer that he so generously allows you to keep on your desk. Don't forget, it's their system, you just happen to sit in front of it. Yup yup!

    --
    You see? You see? Your stupid minds! Stupid! Stupid!
  81. Happens now already! by airrage · · Score: 1

    Actually, at my current environment, we all run SMS (systems management server), so nightly there is a security tool which runs which determines which patches are applicable to you but have not been run. It then "queues" them up -- sometimes several at a time -- and then installs on a pre-determined schedule.

    They've also pushed this to the server room, so now patches are thrown down on the servers.

    The basic philosophy behind this is that we might have a production system go down for a while, but it's better than an enterprise wide outage.

    Peace out.

    --
    "This isn't a study in computer science, its a study in human behavior"
  82. Loss of the Big Picture by Earl+Shannon · · Score: 1
    It seems to me that Microsoft is suffering from LOBP ( see subject ). They are taking the Big Brother knows best approach to fixing problems that they themselves are originally responsible for. A lot of their problems arise from things being automatically done for the user. Running macros in an email? That's just asking for trouble. And now they want to explicitly create a mechanism to allow changes to the OS? Give me a break. People should be suing the living daylights out of them for producing such poor software in the first place. Until Microsoft feels the pinch financially things will not change.

    --
    -- Some people say they can tell the time by looking at the Sun, but I have trouble seeing the numbers.
  83. People are lazy? People are stupid? Good heavens! by lambadomy · · Score: 4, Informative
    From the article:

    "What we're finding now is that through a combination of the availability of broadband and customers wanting to stay up to date with security patches, and, most importantly, considering the kinds of threats out there now, that customers want us to keep them up to date automatically -- not just by downloading the patches for them but installing them as well."


    I'm not sure who these customers are that want this...but to me this amounts to saying "our customers are lazy and stupid". Maybe I'm trolling, but...the "kinds of threats" that are out there are caused by Microsoft writing vulnerable code in the first place! Sure everyone has bugs, but maybe, just maybe, they'll write a buggy patch too! I don't see how anyone could even be considering this as the default. If these people want Microsoft to automatically update their computer...they can turn it on right now!

    I know you hear this a lot here, but people need to either

    a) have a working knowledge of their computer/operating system, including how to maintain it.
    b) have their computer regularly maintained by another live human being.

    This isn't that hard. People have this perception of computers as the same as their television or washing machine in terms of support - don't touch it unless it's obviously unusably broken. They don't work that way, they're much closer to cars. Sure, some people don't maintain their cars either, but those people aren't in the majority.

    I'm rambling at this point, but really this is a disaster waiting to happen. What, are we going to end up testing EULAs in court finally when Microsoft breaks ten million computers automagically and then says "well, you clicked the agreement"? I guess that could be agreeable. Please, I know most people here know what they're doing with their computers, but this problem is not just caused by Microsoft. Educate everyone you know about the needs for computer maintenance! Make them pay you, I don't care, do something. Of course, the stupid IT department here got the worm too, so maybe it's completely hopeless.
  84. I'm in favor! by Progman3K · · Score: 1

    That way, people will perceive MS as a totalitarian-dictator-like software company, whose aim is to take control of your machine away from you even more than they currently do.

    It's really funny how almost EVERY move MS makes back-fires on them.

    Compare to the early 90s when MS couldn't do anything wrong...

    --
    I don't know the meaning of the word 'don't' - J
  85. Trust by Mr_Silver · · Score: 2, Insightful
    The major problem here is: How many people trust Microsoft not to do "other things" whilst they're installing your patches?

    Sure the tech savvy users like those who frequent slashdot (and we're ignoring the rabid fascist anti-MS zealots here) will not like the idea - but the problem that Microsoft is having is that even the general public are starting to mistrust them.

    A case in point is the abysmal failure of Passport. Sure it has hundreds of users, but nearly all of them were forced into getting it because they wanted a hotmail account. Very few people actually store all their personal details on there.

    Until they get the trust issue sorted, people are never going to knowingly let them take control.

    --
    Avantslash - View Slashdot cleanly on your mobile phone.
    1. Re:Trust by RealityProphet · · Score: 2, Insightful
      The major problem here is: How many people trust Microsoft not to do "other things" whilst they're installing your patches?
      Sure the tech savvy users like those who frequent slashdot (and we're ignoring the rabid fascist anti-MS zealots here) will not like the idea - but the problem that Microsoft is having is that even the general public are starting to mistrust them.

      I don't believe the general public has any sort of misplaced paranoia about windows updates. If Microsoft turns on automatic updates, and installs the patches automatically, the general user will probably not even know, never mind start thinking about some duplicitous intention on Microsoft's part.

      A case in point is the abysmal failure of Passport. Sure it has hundreds of users, but nearly all of them were forced into getting it because they wanted a hotmail account. Very few people actually store all their personal details on there.

      This is just a ridiculous conjecture. Here is a slightly less ridiculous conjecture: Very few people used Passport because it turned out not to be very useful. Or how about this one: Very few people used Passport because it was obscure and very un-user-friendly? Or: there was always another way of conducting an online transaction, and when someone just NEEDS to order their rabbit leash, they just want it done with as soon as possible and don't want to be bothered signing up for anything more than is absolutely necessary?

  86. Short memory by drgroove · · Score: 1

    Doesn't Microsoft remember the .NET update fiasco they caused 2 years ago?

    Installation of the .NET updates to XP, 2K, etc caused Windows PCs to lose the ability to access the web, launch certain applications (including little things like Internet Explorer and Outlook Express), and even raised stability issues with certain PCs. In certain cases, the rollback feature would not resolve the issue, and the OS had to be reinstalled.

    Even the OEMs were *not* installing the .NET update patch on new PCs - Dell, HP, Compaq, et al - all recommended that users *stay away* from the .NET updates.

    Given that even Microsoft cannot predict how their patches will behave once installed on their own OS, what are they thinking even considering updating automatically?

  87. Bad, Bad idea by Harbinjer · · Score: 5, Insightful

    This is a bad idea on soooo many levels

    First of all is their patches. They sure as hell aren't 100%. So one day your favorite program might work, and the next day it might not. All without you doing anything. This is why businesses take a while to evaluate patches.

    Secondly, what if there is an exploitable bug (and there will be at least one). Every windows machine out there might be downloading viruses instead of updates. If someone were to reverse engineer the network interface, and hack a couple DNS servers, they could have all those users downloading whatever they wanted, even illegal things, or viruses, hacks, anything.

    Plus there's the privacy issues. I know that right now windowsupdate could send MS anything anyway, but if we all expect it to update any time it wants, we have no controls at all on our system, MS could send an update to lock you out of your own system if they suspect you of something, or just for the hell of it.

    While I don't expect this to actually go through, it's important to be wary of just how abusive such a system could be.

    P.S. I, for one, welcome our new windowsupdate.microsoft.com masters.

    1. Re:Bad, Bad idea by Overly+Critical+Guy · · Score: 1

      This is a bad idea on soooo many levels

      It's an excellent idea.

      First of all is their patches. They sure as hell aren't 100%. So one day your favorite program might work, and the next day it might not. All without you doing anything. This is why businesses take a while to evaluate patches.

      Nobody ever gives an example of this happening. It has never happened in my years of administering Windows networks. It's just baseless FUD if you don't give examples!

      Secondly, what if there is an exploitable bug (and there will be at least one). Every windows machine out there might be downloading viruses instead of updates.

      You'd rather risk having an unpatched machine than downloading "critical updates" from a company you have a chip on your shoulder against?

      If someone were to reverse engineer the network interface, and hack a couple DNS servers, they could have all those users downloading whatever they wanted, even illegal things, or viruses, hacks, anything.

      Very doubtful. Read up on how Windows Update works sometime.

      Plus there's the privacy issues. I know that right now windowsupdate could send MS anything anyway, but if we all expect it to update any time it wants, we have no controls at all on our system, MS could send an update to lock you out of your own system if they suspect you of something, or just for the hell of it.

      Ah, the tinfoil theory. Very credible. "M$ WILL LOCK YOU OUT OF YOUR COMP!!11"

      While I don't expect this to actually go through, it's important to be wary of just how abusive such a system could be.

      It's not abusive. You know why? A lot of us already use Automatic Updates. And, of course, this is optional anyway (so people are bitching about a non-issue, but when has that stopped Slashdot from posting a flamebait article?)

      --
      "Sufferin' succotash."
    2. Re:Bad, Bad idea by Overly+Critical+Guy · · Score: 1

      P.S. Linux apps break all the time when you upgrade libraries and packages. Entire systems break when new kernels are released. I don't see the complaints here, though. Double standard.

      (Off-topic, I know...hence unchecked "Karma Bonus").

      --
      "Sufferin' succotash."
    3. Re:Bad, Bad idea by Jeff+DeMaagd · · Score: 1

      The thing is, any user already can set Windows to download updates automatically. The smart ones would avoid though.

    4. Re:Bad, Bad idea by Anonymous Coward · · Score: 0
      Nobody ever gives an example of this happening. It has never happened in my years of administering Windows networks. It's just baseless FUD if you don't give examples!

      You're joking, right? Remind me why there was a Service Pack 6a for NT4. And don't give that "NT4 is old and you shouldn't be running it" bullshit you said in another post. When SP6 for NT4 was released, NT4 was still the flagship server and workstation OS from MS, since Windows 2000 had not shipped yet.

  88. Wouldn't you love... by cspenn · · Score: 1

    Wouldn't you love to hack this so that it downloads and automatically installs Debian?

    I would. :)

    Chris
    http://www.studentplatinum.com

  89. Who's going to pay ? by grims · · Score: 1

    OK, Considering that they do incorporate this 'necessity of the customers' into the OS, who is going to pay for all this ?

    MS Patches aren't a dll replacement or anything simple like that - so, one would have to account for the bandwidth costs for the *MB worth of download, and also, who will support, if like a user above pointed out that, a patch would break the OS - call MS Support ? (Wait - I need your credit card # please).

    To understand the needs of another person is a difficult thing indeed.

  90. Good news/Bad News by ChibiLZ · · Score: 1

    I really hate hearing news like this. On one hand, I think it's a great idea, because there are far too many morons out there who don't know how to update and patch their OS. This would be such a help for it. Of course, I'm not sure that I want MS automagically installing software on my computer, especially if it is without my knowledge. Why don't we have an agent program like the antivirus updates, that when the computer starts, it looks out on the net for updates, then informs the user of the updates, the size, and what they do. Then the user has the control to download them or not, but at least the updates will be right in their face. Either that or don't allow them on the net to spread virii. Of course, maybe we should block all MS OS users from the net. Looks like I need to install Linux...

    --
    Don't buy WoW Gold! Make it yourself!
  91. Who is liable? Will it reboot too? by linuxtelephony · · Score: 2, Insightful

    If Dell, HP, IBM, or Vendor X sells a PC to a customer, and Automatic Update causes that PC to no longer boot or work properly, that customer is going to go back to where they bought the PC. Who is expected to pay the support? The vendor? Microsoft? The customer? My guess it'll be the customer one way or the other.

    What if the machine is in a small or home-office business handling some critical task and the Automatic Update causes a failure or some data to be lost? Will M$ be liable and pay damages? Doubtful.

    If the patch requires a reboot, will it also automatically reboot the machine?

    I can see so many ways this is going to cause all kinds of problems.

    My guess is that the "Home" version of the OS will have automatic update turned on by default, and probably difficult to turn off since M$ users don't know how to do anything for themselves, therefore if they try to turn this off they must really be trying to turn it on so they'll leave it on. (Hmm, that sounds kind of like turning off DCOM but it still being active).

    The "Pro" or "Office" or "Server" or whatever they call the more expensive version used by IT departments will probably have this turned off so automatic update doesn't take out people's networks. Especially people big enough to be more than just a minor irritant.

    Can you imagine a Fortune 100 company having 1/3 or 1/2 of its systems down and its IT department totally consumed and in knots trying to fix a problem that looks like a virus? First just a couple of systems would have problems, but as their clocks hit a certain time and the Auto Update goes out and installs the new code, more and more systems fail.

    And then there are the systems that report they have the update installed, but really they don't for whatever reason. Following NTBugTraq on this last virus has been more interesting than for past viruses. Several systems had DCOM turned off, all the tools said it was off, but the systems were still vulnerable. Other systems reported the patch was installed, but they were still vulnerable.

    This auto update sounds like such a can of worms. M$ may just be giving more people the push they need to check out alternatives. Here's hoping.

    --
    . 62,400 repetitions make one truth -- Brave New World, Aldous Huxley
    1. Re:Who is liable? Will it reboot too? by Anonymous Coward · · Score: 1, Insightful

      no one is liable, read the ms license sometime, they accept no liability for the functionality of their software. software functionality falls outside the scope of pc warranties also. so yes, in the end, if the software fails, the cost of fixing it falls on the end user. and at a well known blue and yellow consumer electronics store, re-imaging a pc will cost you $60.

  92. Windows already has this... by ibanix · · Score: 2, Informative

    ... as the 'Automatic Updates' control in Windows 2000 SP3 and beyond. It is enabled by default in SP3/SP4, and will place an icon in your taskbar when new updates are available. It won't download them until you ask it to do so.

    You can set it completely off, or set it to automagically download and install updates.

    --
    What came before the Big Bang? Hum, it must have outside of time...
  93. Well, yes. by autechre · · Score: 4, Insightful

    From the article:

    "The company is 'looking very seriously' at requiring future versions of Windows to accept automatic software fixes unless the user specifically refuses to receive them..."

    So yes you can "at least press Ok first." Although I'm sure CmdrTaco has nothing to worry about, since he doesn't run Windows any more, which I suppose is why he didn't read the article.

    Personally, I think that this would probably be a responsible move on their part (and Bruce Schneier apparently agrees with me). I especially like the fact that they're going to start shipping Windows with the firewall enabled. As far as I'm concerned, no one should be worried as long as you can disable automatic updates and disable the firewall (though I think they should make it slightly non-obvious how to do so, so that the people this is intended to benefit won't turn it off). After all, you don't leave Windows exactly as it comes off the CD, do you? Hopefully, you'll also be able to create corporate install CDs with these features disabled if need be.

    There are only two things that concern me:

    1. Broken patches: What if, as has happened in the past, an update breaks the auto-update mechanism? Then they'll be pretty well stuffed. I'm not sure what to say about that other than "don't do that."

    2. Dial-up users: As the article mentions, SP1a is big. Really big. I mean, you might think that the OpenOffice download is big, but that's just peanuts compared to...right. However, that was a combination of many small patches, and just like many other things in life, if people had updated incrementally as they should have, they wouldn't have a need for a giant update. Hopefully, MS will be able to keep the patch size down, and we can watch 2003 to see if they can keep the frequency down as well.

    (Yes, I now have to care about Microsoft products again, which is annoying, but I might as well make the best of it).

    --
    WMBC freeform/independent online radio.
    1. Re:Well, yes. by Anonymous Coward · · Score: 0

      Incremental updates? Forget it! I tried the incremental updates thing for a while. I even had the autoupdate thing on too. It wasn't long before I realized, hey, why the hell is my internet so damn slow? Lo and behold... Windowsupdate downloading 3mb worth of patches. Happens at least once a week.

      With my measly 36kbps connection (i'm in the countryside... I can't get broadband), it only takes a good half-hour of my time... about how long i'm on the internet. So I'm stuck with a dreadfully slow internet connection if I want a secure OS. It simply doesn't work. Even their incremental updates are FAR too big.

      I got hit by the blaster worm this morning. After struggling against the timer, I finally found the site to download the patch, only to find that the damned thing is 1.5mb! I had to try multiple times just to download it before the worm shut down my computer. So much for that prospect... I'm going back to linux. Even running root, I've never hit against a virus/worm, and I've been running it for over a year now. First time I boot up XP for 3 months, I get hit by blaster. No more windows for me, it's getting wiped...

    2. Re:Well, yes. by Overly+Critical+Guy · · Score: 1

      When Longhorn comes out, you'll be able to use XML to script entire custom installations.

      --
      "Sufferin' succotash."
    3. Re:Well, yes. by Darby · · Score: 1

      When Longhorn comes out, you'll be able to use XML to script entire custom installations.

      Sure, the current version of windows is a piece of crap missing even the most basic functionality of an actual enterprise level OS, but just wait for the next version.

      Cripes, don't you ever get tired of repeating the same stupid crap which has always been demonstrated to be a lie?

  94. They already have this, stupid by Anonymous Coward · · Score: 0
    They've had this for some time. Go into your "automatic updates" settings on 2k/xp, and you'll see there's actually an option for "download, install, tell me when you're done". Which is exactly what this would be.

    It would be great if they shipped XP with this option already enabled, as opposed to the "download, but then ask to install" like it does now. Everyone I run into NEVER installs anything that way, because they're "too busy" and just want all the little dialog boxes to go away as fast as possible.

    And never mind the Win98 folks, who actually get the update notifier screen, but then have to go to click "take me to the page" and push a few buttons there, because people were "scared" that microsoft was STEALING ALL YOUR PERSONAL INFO OMFG. Everyone just clicks the "remind me later" and never gets a patch installed that way.

  95. What kind of troll is this? by Ayanami+Rei · · Score: 1

    Slashdot, I present you the reverse-psychology troll!

    Do you troll for people who play the devil's advocate, or think they have a non-conformist point of view or what? I'm really confused.

    --
    THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
    1. Re:What kind of troll is this? by rebeka+thomas · · Score: 0

      People with a limited mindset often mistake me for a troll.

      I merely speak what is truth, and if the thought that I am a troll crosses your mind then that is a fault in your own thinking.

      Don't blame me for that

      --
      RST
  96. Sounds familiar... by travdaddy · · Score: 1

    Hm, software that would slow your internet connection way down and patch Windows without the user's knowledge. Sounds like the RPC DCOM Cleanup Worm.

    --
    Adidas To Bring Back Sneakernet
  97. Change the EULA and we might have a deal by Bronz · · Score: 2, Interesting

    Tell ya what Microsoft, you can patch my machine automatically as long as I get to sue you the first time an automagic update foos my bar. Yeah, tough call huh?

    You may not know this, but there are a lot of people who don't jump on the latest service packs not because they are lazy, but because they are scared.

  98. Just Remember: by ihummel · · Score: 2, Insightful

    You don't really own your computer, Microsoft does. They can do whatever they want whenever they want. Isn't that right class? Now repeat after me...

  99. Not Much of a Change by Funkeriffic+Toad · · Score: 1

    Having recently obtained an XP computer, I can assert that every time one boots up the system (which is to say, with quite some regularity ;-), Microsoft already offers a persistent pop-up bubble prompting users to register for automatic updates. I think it is safe to say that the "average user" would certainly sign up just to be rid of the damn thing.

  100. Microsoft to buy Symantec by dfn5 · · Score: 1

    It seems to me that in today's world it is impossible to run any form of Windows without some form of Antivirus protection. So when is Microsoft going to buy Symantec and integrate Norton Anti-virus into Windows? Oh wait, that would be an anti-trust violation. On the other hand they were allowed to integrate a TCP stack into windows which put 3rd parties out of business.

    --
    -- Thou hast strayed far from the path of the Avatar.
  101. Nothing New? by AndyFewt · · Score: 2, Interesting

    I thought the Automatic Updating Service in XP Pro already did this. It has the options to download and install, download and let you decide, just tell you there is a patch or of course you can disable it totally... I fail to see how this "new" idea is any different. I thought the XP auto update was set to download and inform by default so perhaps they're just switching the default setting.

    Just have a look for yourself. Control Panel > System > Automatic Updates

    1. Re:Nothing New? by xanadu-xtroot.com · · Score: 1

      It has the options to download and install

      Let me point one thing out:

      It has the options to download and install

      The option to do this. They are talking about removing that option unless you specifically let it do so rather than tell it to do so.

      --
      I'm not a prophet or a stone-age man,
      I'm just a mortal with potential of a super man.
  102. beware of auto-updates by SPravin · · Score: 1

    IMHO this is a dangerous thing to do, as once the virii-writers get hold of how the auto-update feature works it will become a big vulnerability.

  103. MD5 can't detect infringing MP3s by yerricde · · Score: 0

    Check for downloaded MP3s (from a database of known MD5s)

    MD5 can't distinguish an infringing copy of a work from a copy authorized by Title 17, U.S. Code, section 107 or 1008, provided they are from identical digital phonorecords using identical encoder settings. Only something that makes discs different, such as audio watermarking, can do this, but this is incompatible with current Compact Disc mass production techniques.

    Check for P2P programs -- disable them

    And watch as people b**** that Windows SMB File Sharing and BitTorrent (both P2P programs with a history of actual non-infringing use) don't work anymore.

    Check for competitors' products (DRDOS, Java, Mozilla, OpenOffice, etc) -- disable them and alert user that their software was incompatible with the latest service pack.

    In other words, "DOS ain't done till Lotus won't run"? Microsoft may be in for more than an antitrust slap on the wrist this time.

    --
    Will I retire or break 10K?
  104. Another use for a worm by pwiebe · · Score: 1

    Maybe Microsoft should write their own worms, to update their own bugs!

    1. Re:Another use for a worm by Neva · · Score: 1

      More interestingly, that's another open port for new worms to exploit. How convenient to infect the user's machine automatically, just by applying the latest "patch".

      Security by obscurity or what this time..

  105. plan b by 514x0r · · Score: 1

    instead, why not "look seriously" into building an OS that doesn't need a weekly patch?

    --

    !(^((ri)|(mp))aa$)
  106. Re:Just turn the existing download updates on by d by Anonymous Coward · · Score: 0

    Parent post mentions OS X

    MODERATORS!!!!
    HURRY, mod this up +1 interesting

  107. Debian does this too. by Anonymous Coward · · Score: 0

    There's a line in the crontab that runs apt-get update; apt-get upgrade every 10 days in the latest version of Debian.

  108. This has little or nothing to do with the article. by Ayanami+Rei · · Score: 1

    The focus of the article is that Microsoft is ignoring people who cry "privacy" and opt for updates by default with a choice to disable or screen because they cannot allow Slammer worms to thrive when patches have been out for months.

    Also, they are going to ship with firewalls enabled. People who want to run servers will have to learn to open ports.

    Microsoft is adopting a secure-by-default stance, even if it inconveniences some users or ruffles a few feathers.

    The fact that Debian can do these things has nothing to do with it. I take it you are very proud of Debian, but maybe you should have posted about how Debian doesn't offer to run updates by default but gives you the option to do so if you like.

    Oh, and MacOSX and RedHat take the same attitude (up2date utility sits in corner, turns red if there's an update you should apply, MacOS has a similar tool). ::makes a raspberry::

    --
    THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
  109. Automation by fleppir · · Score: 1

    Oh sure, fix the problem by implementing something to allow remote code execution without alerting the user. Anyone want to bet how long before someone finds an exploit?

    --
    I am the Barber of Seville.
  110. misdirected effort by sonofasailor · · Score: 1

    it seems MS is running down another long dark hallway. why not just spend more time coding software that doesn't allow privilege elevation? imagine if ford came out to your house and put brand new firestones on because the tread shredded on the last pair. bill pull your head out of your ass and FIX the PROBLEM. Send your staff back to school at University of Leeds to learn how to write secure code.

  111. patch reliability by jdvernon1976 · · Score: 4, Interesting

    Let's assume for a moment that everyone's fine with Microsoft deciding you need to patch your system. Your home machine downloads the patch and installs it and your machine reboots - you're patched.

    Those of us that work as sysadmins/netadmins/DBAs at various companies know that when Microsoft puts a patch out on Windows Update, it's not necessarily tested out to completion. That's part of why patches take so long to proliferate - dependable administrators test them in-house, instead of depending on MS's testers. Let's face it...if Microsoft's Quality Assurance team were so sharp (or listened to - it can't ALL be their fault), many of the after-the-fact patches wouldn't be necessary.

    Is Microsoft going to take responsibility for auto-installed patches that a) don't work b) make situations worse? Or are they going to take the stance of "The user could've refused our auto-install, but they didn't - they knew the risks."

    We all know how hard it can be to opt-out of spam - how difficult will Microsoft make it to opt-out of auto-installed patches...and for those of us that can't/don't, how sure are we that it won't make things worse?

    1. Re:patch reliability by Ratphace · · Score: 1


      Sure sounds like a Microsoft Catch 22.

      Don't patch and it's your fault. Patch and fook up your system and it's your fault.

      Good tactic for taking the 'blame' out of your end of the court... :(

  112. Re:This is better than OS X by jesboat · · Score: 5, Insightful
    Let's start with the windowing environment, since that is the first thing users will notice. While both KDE and GNOME are mature, stable, and accepted as IEEE standards, Apple has elected to use neither. In fact, they don't even use X at all! Their display system is a proprietary, closed-source system called Quartz Extreme. In addition to the moral issues involved with closed software, this precludes the user from running X apps. There is an untested and alpha-quality X11 emulation layer available for download, but it is emulation, so programs will be slow. Does this sound like a standards-based system to you?

    Actually, it's quite good. You'll note that it's emulating only the X11 libraries, really even only the X11 server itself. The slowdown of having X apps pass through that layer also occurs on Linux, *BSD, or any other OS. KDE and GNOME may be open standards, but they're not as nice-looking as Aqua, and the WindowServer that runs Apple's windowing system, is, AFAIK, part of Darwin, and thus open.

    Looking under the hood, it gets worse. While all other *nixes use standard ELF binaries, Darwin (Apple's name for their proprietary "Unix" kernel) does not. It uses Mach-O, an unproven format that is proprietary to Apple. The moribund FreeBSD, off which OS X is based, uses ELF, so clearly Apple went to the extra effort of "switching" (heh) simply to break compatibility. With ELF, users would be able to run most of their Lunix apps; with Mach-O this is impossible. Additionally, Apple has moved most configuration info from human readable text files into a proprietary database called "NetInfo", which is much like the Windows registry we all loathe. Why? These are only a few of the ways that Apple has deliberately broken compatibility with other systems, presumably in order to lock users in to expensive Mac hardware.

    Darwin is not a kernel, Mach is the kernel. You'll note that it's the same micro-kernel that GNU Hurd uses, and if Hurd isn't Unix, what is (nowadays)? Darwin may be based on FreeBSD, but the kernel is Mach, which isn't. Also, you seem to be overlooking that most Linux programs are compiled for Intel processors, not PowerPCs. Thus, they wouldn't run anyways. However, most do compile with little or no modification. Netinfo is never used directly. Requests are handled by lookupd, which uses Netinfo, but searches flat files (/etc/passwd, /etc/hosts, etc.) first. Netinfo also allows networks that share common printers, hosts, network configuration, users, mounts, etc. to be constructed easily. Unlike the registry, Netinfo is documented, and has manipulation utilities, for both the command line and the GUI. And, it's never gotten fscked up (for me.) Mac hardware may be expensive, but- it's better. Even the Linux people who use Linux on Macs agree it's faster, better, etc. on a Mac. Macs are more durable, featureful, more standard, and "just work" more and don't work less.

    When we factor in the threat to users' civil liberties that is posed by the DRM included to support the iTunes Music Store (do you really think it will end there?) it is obvious that real *nix gurus should give OS X a wide berth. Caveat emptor.

    Okay, find music for that cheap on Linux (while still supporting the artist). It's hard. The music industries wouldn't stand for a service without DRM, and you'll note Apple is pretty darn nice. Unlimited CD burns (but no more than 10 for the same playlist), 3 computers, unlimited iPods. Plus, AACs are MPEG-4, which is darn good quality, and darn small file size. I would never use Windoze, and always like Linux. But for me, Mac OS X is a great UNIX, and is all I need it to be.

    It would seem you haven't taken a close enough look at Mac OS X.

    Moderators: Mod me down troll all you want, but mod the parent down troll as well.
  113. I love home users. by BoomerSooner · · Score: 5, Interesting

    I have several people who use a web based service from my company that runs on Windows 2000 Server. I check for patches daily and install them as soon as I do a full backup (in case it shits out the whole system).

    My users kept calling saying "You have that Blaster Worm on your system because every time I try to connect my computer dies!". So I explain to them my systems have been patched for that exploit for over a month and I have run all the proper testing software to verify. I then ask if they have AntiVirus software installed and their reply is "I don't know.". Lol, I don't know, so it must be my server! I immediately tell them to invest in a copy of Norton Antivirus and Norton Firewall.

    Ah, the world of windows.

    The funny thing is if these same people were running linux they would be logged in as root and still execute whatever script someone sent them. I'm not too sure Linux would be any more secure than Windows because in windows you can also run as just a User. However, when doing that a significant number of poorly designed programs will not work.

    1. Re:I love home users. by EvilTwinSkippy · · Score: 5, Interesting
      The funny thing is if these same people were running Linux they would be logged in as root and still execute whatever script someone sent them.

      I definitely hear that. In fact Lindows operates in precisely this manner.

      I am increasingly convinced that our enemy is not Microsoft, or even SCO. Our enemy is cluelessness. If we could somehow impart the masses with an infinitesimal fraction of our sense of the big picture most of our problems would disappear.

      When I say "our" I mean all computer professionals. I don't give a rat's ass what kind of Guru you are, Networking, Windows, Linux, BSD, Mac, or PDP-11. We all share a chunk of "the clue". It is our duty to impart "the clue" onto others, without bias, and without favoring any particular implementation.

      What is the best way? I don't know. I can only shoot off a few half-baked ideas. My front-running suggestion is take an example from Mythology.

      Think about it. How many people do you know who never change their oil, yet decorate for Christmas, throw salt over their shoulder after spilling it, and avoid black cats and ladders? Imagine a computer mythology complete with ritual, dogma, and superstition. The masses already have developed their own misguided rituals, we should just go ahead and publish a book on the proper ones.

      Think about how complete a job all of the Greek gods did to explain about weather, war, death, and fate. These are REALLY tough concepts even today. And yet, by putting names on them, giving them personalities, and endowing these creations with a sense of power people bought into it.

      Of course, you should encourage those who show a natural aptitude to study computers in the conventional hacker sense. More or less the same way wizards always seemed to be operating on a different level than average folk.

      --
      "Learning is not compulsory... neither is survival."
      --Dr.W.Edwards Deming
    2. Re:I love home users. by Pastis · · Score: 1

      "I'm not too sure Linux would be any more secure than Windows because in windows you can also run as just a User."

      and in Linux not?
      Apart from Lindows, tell me which Linux distribution uses root as a default login for its users?

      Wait for a distrib combining SEL from NSA (included in 2.6), chrooting most critical processes and of course not using root as a default login. Give that to a home user, and let's see how many will run into trouble...

    3. Re:I love home users. by Bendy+Chief · · Score: 2
      This sounds a lot like the Foundation from Isaac Asimov's series. :)

      I suppose I could make myself comfortable in the robes of a High Technomage.

    4. Re:I love home users. by aled · · Score: 1

      Little user if you don't patch your system, the evil, evil Worm will eat you.
      The lazy Programmer (didn't indent his code|used goto|linked a closed source library given by a stranger in exchange for his family only domain.com), so the god of thunder struck him dead.
      I'm getting the idea or what?

      --

      "I think this line is mostly filler"
    5. Re:I love home users. by Anonymous Coward · · Score: 0

      Not a bad idea, I like that 'computer wizard' part. :)

      I have thought for years that anyone buying a computer and/or internet access should face a licensing process similar to driving a car. You are forced to learn certain things before you can actually do it.

      Of course, just imagine what this would be like if M$ had any input into this.. *shudder*

      My wife is so clueless about any of this, the only time she pays attention is when Bill Gates force-feeds her content via MSN search...

      Would you only drive a car that the dealer tells you how to drive it, where to go, and what to do after you get there?

    6. Re:I love home users. by greenhide · · Score: 4, Interesting

      I am increasingly convinced that our enemy is not Microsoft, or even SCO. Our enemy is cluelessness. If we could somehow impart the masses with an infinitesimal fraction of our sense of the big picture most of our problems would disappear.

      No, actually our enemy is the script kiddies and virus software writers whose goal is to shut down the whole system.

      Whether they do it for fun or ...Profit?!?, what they're doing is morally wrong, invasive, etc.

      And yet, it seems many here at Slashdot place all the blame on the users, and never on the virus writers. Heck, we've even deified some of these people and bitch and moan when virus writers are caught and put into jail.

      This is like blaming people for leaving their doors unlocked, rather than blaming the thieves who are actually doing the stealing.

      Obviously, it is our responsibility as slightly-more-savvy-than-average computer users to secure our own computers, and to encourage others to do the same.

      But the truth is, computers should be easy. If I use a fork, I shouldn't have to worry about tine alignment or upgrade its metallacity or whatever. Computers are more complex than forks, obviously, but users shouldn't have to worry about the inner workings of their computers in order to use them to do the work that they *want* to do.

      That being said, I still think that there should be a special circle of hell reserved for those idiots who actually buy things from spammers and who open any attachment they receive. Those people are just being very, very stupid. So maybe we could spread a myth that if you respond to any SPAM or open an attachment that has a virus, your computer will melt. I don't think that most users are impressed by the warnings that say things like, "If you open this attachment, there will be a bad file on your system, it will get sort of slower and might crash." That's pretty much an everyday occurrence for many users anyway.

      --
      Karma: Chevy Kavalierma.
    7. Re:I love home users. by kfg · · Score: 1

      "If I use a fork, I shouldn't have to worry about tine alignment or upgrade its metallacity or whatever"

      You've never been to Denny's, have you?

      KFG

    8. Re:I love home users. by meknapp · · Score: 1
      So maybe we could spread a myth that if you respond to any SPAM or open an attachment that has a virus, your computer will melt.

      Shouldn't be hard to convince the people that believed Bill Gates would send them $1 for every person they forwarded that email to!
      --
      "Any fool can criticize, condemn and complain and most fools do." -- Benjamin Franklin
    9. Re:I love home users. by ryanwright · · Score: 1

      Our enemy is cluelessness. If we could somehow impart the masses with an infinitesimal fraction of our sense of the big picture most of our problems would disappear.

      That's easy: Require a license to connect to the Internet. In order to obtain the license you have to pass a test. First thing you should be providing to any potential ISP is your license number.

      --
      -Ryan, with the unoriginal sig
    10. Re:I love home users. by shamino0 · · Score: 2, Interesting
      That's easy: Require a license to connect to the Internet.

      Actually, you're not that far off from a workable solution.

      Have ISPs proxy everything. Most users don't do more than web and mail. Add in SSH, FTP, news, a few streaming media protocols, and a few chat protocols and you've got just about everything that most people use. With the possible exception of SSH, all of these can be proxied. Block everything you're not proxying.

      When you block any and all direct connections between users and their servers, you block the spread of anything that uses an unsupported protocol (e.g. NetBIOS or RPC). Anything that tries to use the proxy to spread itself can be blocked by that very same proxy.

      Of course, a lot of the more technically savvy users would balk at this, but that's where something resembling a license can come in. Those who prove that they have a clue can have the blocks removed to allow direct connections. If they prove that they really don't have a clue (say, by being slammed by a worm that could've been fixed by installing a month-old OS patch) then the blocks can quickly be put back again.

    11. Re:I love home users. by Anonymous Coward · · Score: 0

      "metallacity"

      hey, Lars owns the rights to that word, you can't use it w/o paying him first!

    12. Re:I love home users. by riqnevala · · Score: 1

      That being said, I still think that there should be a special circle of hell reserved for those idiots who actually buy things from spammers and who open any attachment they receive. Those people are just being very, very stupid.

      Or maybe they just got a very very enlarged penis. :)

      --
      love slashdot. populate it. use it. abuse it. hate it. kill it. miss it. stop following links, they only kill servers.
    13. Re:I love home users. by Patrik_AKA_RedX · · Score: 2, Insightful

      Another big step forwards would be getting rid of dynamic IPs. Let every user have his own personal IP # so you could block the right person when necessary.

    14. Re:I love home users. by kyz · · Score: 1

      Or, how about ISPs bundle cable modems/DSL routers that, by default, block ALL inbound ports.

      Tech people can then simply configure their router correctly, or even buy their own router. That's no hassle. Meanwhile, all the "blinking 12:00" people are protected from the big bad evil internet.

      Now, if routers could filter out obvious Microsoft Outlook exploits and web-pages that tell you to click "yes" on the next "can I uninstall an untrusted ActiveX control" requester that comes up, we wouldn't have any home-user viruses at all...

      --
      Does my bum look big in this?
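
The default-deny inbound rule proposed in comment 14, together with the "block everything you're not proxying" policy from comment 10, sketched as an added example; it is not code from any commenter or from a real router. Assumptions: the addresses and packets are constructed, NAT translation is ignored, and the ISP proxy set is modelled as a simple allowlist of remote ports rather than real application proxies.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str  # "out" = sent by the home LAN, "in" = arriving from the Internet
    proto: str
    lan_ip: str
    lan_port: int
    wan_ip: str
    wan_port: int


@dataclass
class Router:
    """Stateful filter: inbound traffic is dropped unless it belongs to a flow
    the LAN started or hits a port the owner opened on purpose."""
    # (proto, lan_port) pairs a technical owner has deliberately forwarded.
    forwards: Set[Tuple[str, int]] = field(default_factory=set)
    # (proto, remote_port) pairs allowed outbound; None means any outbound is fine.
    outbound_allow: Optional[Set[Tuple[str, int]]] = None
    flows: set = field(default_factory=set)

    def verdict(self, p: Packet) -> str:
        flow = (p.proto, p.lan_ip, p.lan_port, p.wan_ip, p.wan_port)
        if p.direction == "out":
            allowed = self.outbound_allow
            if allowed is not None and (p.proto, p.wan_port) not in allowed:
                return "DROP"          # protocol the ISP does not carry
            self.flows.add(flow)       # remember the flow so replies can return
            return "ACCEPT"
        if flow in self.flows:
            return "ACCEPT"            # reply to a connection the LAN opened
        if (p.proto, p.lan_port) in self.forwards:
            return "ACCEPT"            # port opened by explicit configuration
        return "DROP"                  # default: unsolicited inbound is dropped


LAN = "192.168.1.10"

# Constructed sample traffic (documentation address ranges, not real hosts).
TRAFFIC = [
    Packet("in", "tcp", LAN, 135, "203.0.113.7", 4444),     # unsolicited RPC connection
    Packet("out", "tcp", LAN, 50000, "198.51.100.20", 80),  # user opens a web page
    Packet("in", "tcp", LAN, 50000, "198.51.100.20", 80),   # the web server's reply
    Packet("in", "tcp", LAN, 50000, "203.0.113.7", 80),     # same port, wrong sender
    Packet("in", "tcp", LAN, 22, "203.0.113.9", 51000),     # inbound SSH to the LAN
    Packet("out", "tcp", LAN, 50001, "203.0.113.50", 135),  # LAN host sending RPC outward
]

# Web, mail, FTP, news and SSH: the services comment 10 lists, by their usual ports.
ISP_SERVICES = {("tcp", 80), ("tcp", 25), ("tcp", 110),
                ("tcp", 21), ("tcp", 119), ("tcp", 22)}


def evaluate(router: Router, traffic: List[Packet] = TRAFFIC) -> List[str]:
    """Run the packets through one router in order and collect the verdicts."""
    return [router.verdict(p) for p in traffic]


def profiles() -> dict:
    """Verdicts under the three policies discussed in the thread."""
    return {
        "shipped default (block all inbound)": evaluate(Router()),
        "owner forwarded tcp/22": evaluate(Router(forwards={("tcp", 22)})),
        "ISP carries listed services only": evaluate(Router(outbound_allow=ISP_SERVICES)),
    }


if __name__ == "__main__":
    for name, verdicts in profiles().items():
        print(f"{name}: {verdicts}")
```

The first packet is dropped under every profile, and only the ISP-style allowlist also stops the last one, which is the outbound direction an already infected machine would use.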
    15. Re:I love home users. by danielsfca2 · · Score: 2, Funny

      Wait a minute... I thought he and the Owner of AOL were going to send $1 to that kid with no legs, arms or head that's dying of cancer... wait a minute.... was that... a hoax??

      Oh, no!

      I must tell my friend in Nigeria! I'd hate for him to get fooled by something like that.

    16. Re:I love home users. by danielsfca2 · · Score: 1

      This, considering how inexpensive basic routers are now, is an excellent idea.

    17. Re:I love home users. by kgbspy · · Score: 1

      off topic, but... ssh can be proxied:

      PuTTY SSH

      --
      ~
      ~
      ~
      -- INSERT --
    18. Re:I love home users. by Anonymous Coward · · Score: 0

      No - M$ is still the enemy.
      This is like being forced to buy a house without locks because the carpenter thinks that locks are too difficult for Mom and Pop to operate.

      Now they could easily sandbox any process started by Outlook or Internet Explorer, but they don't - who would want to handle the support calls?

      Now if Linux was easier for Grandma to setup and use, then we would have a nice comfortable medium. Why not bitch at Linux if it is also a part of the problem..?

      Because you get what you pay for...

  114. Re:Three != scores by Anonymous Coward · · Score: 0

    You have it wrong, Bozo. All the money from the sale of Iraqi oil goes to Iraq. Nobody is raping them; that was what Saddam and his bunch were doing. If you don't know the facts, keep your mouth shut.

  115. Re:Ideas for auto-up, you forgot a few... by kaan · · Score: 2, Interesting

    ahem, I think you left a few off...

    - Check for Yahoo, AOL, IRC, etc. clients, as well as Jabber and Trillian, disable and cancel the user accounts, and re-enable with the new MSN client. Update registry so that system will no longer boot if MSN is tampered with.

    - Check for the presence of Opera, Mozilla, other browsers, disable and delete them, then modify the registry so that their installers will no longer work, then reinstall Internet Explorer with fully idiotic preferences set as defaults, and provide support for a whole new set of web "standards" that only Microsoft will ever use.

    - Filter through user's bookmarks and delete any bookmarks that match any of the following criteria: a) bookmark points to competitor's web site, b) bookmark points to web site that sell competitors products, c) bookmark points to site that mentions any competing product, or d) bookmark points to site that employs or otherwise associates with one or more individuals who currently, or have in the past, made use of or considered using a competing product.

    - Remove all versions of email clients other than Outlook. If user does not have Outlook or any other Office products currently installed, go ahead and continue removing other email clients, but after that's finished force the user to purchase a copy of Outlook because it's the only "safe" email client for Windows

    - Check to see if user has updated their system prefs to show file extensions in the Explorer windows. If so, set it to false so that file extensions are no longer shown because that's really more "secure"

    Did I get them all?

  116. This is the only way by The+Pim · · Score: 3, Funny
    Microsoft and others aren't going to stop producing buggy software. (Really, the effort would be Herculean.) So when there's a hole that will harm users, and knowing that most users won't voluntarily apply patches, what are they supposed to do? Saying "you should have patched" doesn't help their image, and doesn't help computing in general. When exploits can spread across the net in minutes, it's not even tenable for sophisticated users. Having users apply their own patches is an inherently losing proposition.

    What's likely to happen? Microsoft will screw up a few times, to great embarrassment, then they will by economic necessity learn how to make reliable patches. After all, their only alternative is the greater embarrassment of rampant worms and viruses. The rest of the industry (including free software) will see that it is possible, and be pressured to do the same. It may be rocky for a while, but the end result is that millions of naive users will have reasonably secure systems. This is a huge improvement over today.

    --

    The evaluation of an action as 'practical' . . . depends on what it is that one wishes to practice.
    1. Re:This is the only way by mbourgon · · Score: 1

      Microsoft will screw up a few times, to great embarrassment, then they will by economic necessity learn how to make reliable patches. After all, their only alternative is the greater embarrassment of rampant worms and viruses.

      Which they've been happily doing for the past how many years? I had installed a patch for a SQL Server problem. Forward 6 months and I'm installing a new server, with the same patch - which I can't find. It's no longer available - the patch they say is the one I originally downloaded isn't the same.

      It turned out that for this ONE bug, they had released EIGHT (yes, eight!) different patches. And if you installed one of the early ones, they didn't actually fix the problem (and a patch was released for one of those patches!). I wound up standardizing on the "final patch" for that bug, which came out 5 months later.

      Saying they'll all of a sudden "get it" and make sure their patches work is [naive|disingenuous|dumb].

      --
      "Sometimes a woman is a kind of religion, she can save your soul & set you free from all your sins" - Bad Examples
    2. Re:This is the only way by The+Pim · · Score: 1
      Saying they'll all of a sudden "get it" and make sure their patches work is [naive|disingenuous|dumb].

      I didn't say "all of a sudden", and "screw up a few times" was probably an understatement. Maybe they'll continue screwing up for years, and we'll all get a good laugh out of it. The difference is, if these screw-ups get automatically installed on millions of home computers, the public embarrassment factor will be much higher than for an SQL Server botch. That's the sort of experience they'll learn from.

      Bet on it, Microsoft will figure it out eventually. They already have one of the best security response processes (not the most secure software!) in the business, having started with one of the worst.

      --

      The evaluation of an action as 'practical' . . . depends on what it is that one wishes to practice.
  117. Headline 2004: Hacker exploits Windows Update. by WareW01f · · Score: 1

    A new worm is sweeping across the Net today. The worm, dubbed JudusUpdate.MSFT, apparently exploits yet another hole in Microsoft's enterprise class security, only this one has a twist, infected machines are instructed to auto-update from a trojan server. Once infected, computers that are able become "evil-update" servers themselves. Microsoft is not commenting at this point.

  118. So uptime'll take a digger by Matey-O · · Score: 1

    Because every single hotfix I've EVER applied required a reboot.

    What happened to them going from 50 situations that required a reboot to 6? (opening for a +5:funny below)

    Of course, those 6 reboot situations are:
    1. updating .DLL's
    2. updating .exe's
    3. updating .com's
    4. updating .txt's
    5. updating .jif's
    6. updating printer settings.

    --
    "Draco dormiens nunquam titillandus."
  119. Flamebait? by Inda · · Score: 1
    At least a corporate user can call the helpdesk

    This is going to sound like a troll and so it should...

    Just come off the phone to helpdesk; I have an email attachment that should be reported. They tell me "as the PIF file has made it through the firewall there shouldn't be any problems with it". Oooooookay phone monkey, log the call and go back to trying to sort the printing problem I gave you yesterday.

    Seriously, these phone monkeys stay in the job 12 months. It is no more than a stepping stone for them. They know little to nothing about the normal power-user stuff. They are fresh from college looking for the money their careers advisor told them about 3 years ago.

    "Cycle the power"
    "The server is corrupted"
    "I've logged your call"
    "Are you sure the network cable is plugged in?"
    "We have informed our network enterprise discovery analyst support migration team"

    As a corporate user the helpdesk would be the last point of call. Anyone can log calls and even then it can be done wrong.

    --
    This post contains benzene, nitrosamines, formaldehyde and hydrogen cyanide.
  120. But can you trust the update system? by JayJay.br · · Score: 2, Insightful

    Ok MS, that will work.

    At least until someone finds out that the update system itself is broken and uses it to directly install stuff into your computer.

    Oh wait... they've been on secure programming for some time now... ain't gonna happen.

  121. Bruce Schneier by gr8_phk · · Score: 1
    I thought Bruce Schneier was a smart guy. Now he's advocating that you give control of your system to someone else? Why doesn't he promote better technology and software? MS is planning to turn on the firewall by default, Dell is shipping PCs with a long list of security related settings that are turned off by default. With all this happening, why is one of our favorite security guys supporting this idea?

    Yes, the typical home user could use some help. Help them by setting up the existing security features correctly by default. This would take care of the majority of the problems.

  122. The slashbot is just karma whoring. by Anonymous Coward · · Score: 0

    Mention Debian's ability to do an apt-get/cron setup for security patches in a Microsoft article is instant free karma, regardless if it's even on topic. You risk lower karma by pointing out the true nature of the article. Slashbots with mod points are truly a sad sight to behold.

  123. Sheesh by Anonymous Coward · · Score: 0

    Some people just can't see shades of gray...

    Yes, Saddam and his cronies were raping the Iraqis. No, the money from the sale of Iraqi oil doesn't go directly to Iraq -- it goes towards the "rebuilding" of Iraq, which means it is used to pay the companies like Halliburton who are doing the actual rebuilding. Some of the benefits (rebuilt infrastructure) will benefit Iraqis. Some of the workers will be subcontracted local Iraqi workers as well. Whoa -- not so clear now, is it?

    1. Re:Sheesh by Anonymous Coward · · Score: 0

      "which means it is used to pay the companies like Halliburton"

      Who would you hire to do the work? WalMart? There are only a handful of companies in the world that are capable of doing that type of work. Why shouldn't U.S. companies get the contracts? The U.S. took all of the risks. When the work is finished, they'll leave until called on again to do maintenance.

      "it goes towards the "rebuilding" of Iraq"

      And when Iraq is rebuilt, it'll ALL go to Iraq. If we weren't there, Iraq would still have to hire someone to do the work and they'd still have to pay for it with the same money.

      Speaking of raping the Iraqis, how about the money that the United Nations skimmed (stole) off the top during the "oil for food" deal?

  124. An impassioned plea for help... by GoNINzo · · Score: 1

    billy gates why do you make this possible? Stop making money and fix your software!!

    --
    Gonzo Granzeau
    "Nothing the god of biomechanics wouldn't let you into heaven for.." -Roy Batty
  125. actually, this won't help, in a larger sense by Richthofen80 · · Score: 2, Interesting

    The major problem with software distributions such as windows is that the entire OS thrives on the 'one click' philosophy. One-click update, one-click install, and one click virus infection. People are so used to windows giving them one click 'Ok' windows that they end up clicking Ok and worrying later. 90% of regular office users end up clicking okay to almost anything and installing spyware, viruses, etc.

    Windows needs to 'brand' the update procedure; make it so obvious and un-repeatable by other apps, so that users are not duped.

    --
    Reason, free market capitalism, and individualism
    1. Re:actually, this won't help, in a larger sense by EvilTwinSkippy · · Score: 1
      No, actually Microsoft needs to stop making bloated packages that require constant "improvements". A PC should be a hell of a lot simpler than it is. If you were popping parts in and out of your car as often as your computer is updating components, you would probably sue the manufacturer.

      People want a bloody appliance. That's it. They don't want to learn how it works. They feel ripped off about having to replace a perfectly working machine because no modern peripherals will work with it. They hate throwing out old peripherals because their new computer won't work with it.

      Industry needs to sit down and design "A" scanner. It needs to design "A" mouse. It needs to design "A" computer. They need to be black boxes. They can pop in and out whatever parts they want or desire. The interface should never change.

      Now I can hear folks, but what about Industry? Well industry falls into 2 categories. The first are generic users who have been crying for commoditization for decades. The other are folks who are so on the bleeding edge that they design their own components and/or write their own software.

      A big-rig truck is designed differently than a mini-van. Industrial users are different than office and home users.

      --
      "Learning is not compulsory... neither is survival."
      --Dr.W.Edwards Deming
  126. Why not just enable the firewall? by _LORAX_ · · Score: 1

    XP has a firewall built in, why not just enable that to start?

    Most people never do more than surfing and word processing, these people would be helped by enabling the firewall to start. Seems it would be accepted easier by the IT community at large and give XP a minimum of security right from the start. I also think that windows update *Notification* should be enabled as well so that people can never say that they were not warned.

  127. What's wrong with the way it is? by Yort · · Score: 1
    I know, there must be something... but isn't there already an "automatic update" feature in place? Granted, as far as Windows2000 you had to download it from WindowsUpdate (I think), but then you had a little icon on the bottom that popped up and said "Would you like Automatic Update to periodically check for updates to your Windows system?" Then you had a choice whether you wanted to download them automatically or be asked every time, and then whether you wanted them installed automatically or be asked every time.

    This worked fine for me, as on my machine (the one I run Windows on for the wife in Grad School) I have it download automatically but ask before installing, whereas on my parents' computer I have it do it all automatically.

    So is there something wrong with the *process*? Are they just advocating to have this Auto Updater installed by default, but still ask you the questions the first time through? If so, I see no problem and think it's a great idea. It'd be just like "up2date" or RedCarpet.

  128. there will always be "helpers" to "fix" this by holy_smoke · · Score: 1

    http://www.xp-antispy.org/

    --
    Is the juice worth the squeeze?
    1. Re:there will always be "helpers" to "fix" this by jo42 · · Score: 1

      No hable Deustche.

    2. Re:there will always be "helpers" to "fix" this by holy_smoke · · Score: 1

      you can click on the English flag and it switches to English... good tool for turning off all the XP spyware

      --
      Is the juice worth the squeeze?
  129. EGAD!!! by Basil+Ganglia · · Score: 0

    Shades of AOL!!!!

    --
    Basil
  130. OS X has a nice compromise by David+Kennedy · · Score: 1

    Apple's OS X has a nice approach to this; it runs at a specified time that you decide, looks for updates, asks you to pick which you want to install, then installs and prompts for restarts if needed.

    As it runs twice a day automatically, every couple of weeks I just see an indicator in my Dock and I can then load the patch, new foo etc while continuing other work. The restart I just put off until I'm done with my current task.

    Better than asking me to do something via email, more comfortable than my computer being remotely controlled.

    1. Re:OS X has a nice compromise by sammaffei · · Score: 2, Informative

      And, 10.3 Panther will also let you save off the updates. That way, you won't have to re-download them in case you need to rebuild the system (provided that you archive the packages).

      Sure beats the "Winbows XP re-install and download 80 Mb of updates" hamster wheel.

      --

      Political correctness is the newest form of slavery.

    2. Re:OS X has a nice compromise by TheNetAvenger · · Score: 1

      And, 10.3 Panther will also let you save off the updates. That way, you won't have to re-download them in case you need to rebuild the system (provided that you archive the packages).


      And you can do this already with WindowsXP as well... So?

    3. Re:OS X has a nice compromise by TheNetAvenger · · Score: 1

      Apple's OS X has a nice approach to this; it runs at a specified time that you decide, looks for updates, asks you to pick which you want to install, then installs and prompts for restarts if needed.

      Let me guess, you never used WindowsXP?

      What you describe (and is in OSX) is almost exactly how one of the options of auto-update works on XP. (The Default one in fact).

      You can also tell XP to check and notify you but not download the updates, or to fully install the updates during the night for you.

      And also let me guess, you think Apple came up with the Idea all by themselves? Even though it had been in Microsoft Products for over a year before it was added to the OSX betas.

      Yeah, OSX has this idea nailed down better than anyone, except from the companies they copied it from like Microsoft. - Give me a break.

      Why do people try to find a Mac as a solution to everything. I like my computer, but sometimes the affection for a computer displayed here seems scary.

      And no this is in no way bashing OSX, I use it as well, in addition to XP and Linux.

      But Geesh, at least know what the competition has in their OS before you tell the world that OSX is the solution and make yourself look silly.

    4. Re:OS X has a nice compromise by The+Lynxpro · · Score: 1

      David, I assumed that since OS X is built around BSD it could download the updates and install them - without rebooting... isn't that one of the compelling features of Unix-based operating systems [insert obligatory negative SCO reference]? On the other hand, I can see why Apple would require a reboot - insurance just in case the end user is running a program created for OS 9 or prior and not fully OS X... wouldn't the iLife suite be included in those offending programs?

      --
      "Right now, somewhere in this world, Scott Baio is plowing a woman he doesn't love," - Peter Griffin, *Family Guy*
  131. Lazy sysadmins? The problem is deeper. by ebuck · · Score: 2, Interesting

    I didn't bother to patch my office machine against MSBLASTER, and why should I?

    I've been stripped of most of the permissions to admin my own machine because the internal IT support has been centralized. That means a few people service the rest of us in a way that generally has the good of the company in mind.

    That said, if they take away my permission to do it, and they get caught with their pants down, why do they expect us all to run software locally on our own machines to fix the latest problem X? It's because obviously these people do not have enough resources to support a network of our size.

    If it wasn't the veil of "computers" clouding the issue, I bet someone upstairs would have corrected the logic of, "If they can't do their own job, we can get the whole company to waste a bit of time to help them out."

    Certain systems require certain amounts of support, but this is not an OS issue. It's just more pronounced in systems that require more man hours to keep on the bleeding edge of security.

  133. Could this be an incentive? by holy_smoke · · Score: 1

    If users were given the option to send in a proof of purchase or just reference their activation codes they could receive, free of charge, a CD with all necessary updates and patches from MS for their OS?

    Yeah - this would be expensive, but besides the fact that MS can obviously afford to do this don't you think that it would motivate MS management to take a more aggressive stance on security vulnerabilities in general?

    As it stands today if a (home) user has to do a system restore (from the computer manufacturer CDs) or wipes and reloads their OS for one reason or another, they will risk getting a virus just trying to connect to microsoft update to download the large number of updates available since they purchased their system/OS.

    As a side note, what about all the folks that buy PCs that are already in the sales channel that aren't protected from the Blaster worm?? Take it home, hook up to internet, boom...virus. (speaking specifically about the many folks who don't know what a router or firewall is)

    There has to be a better solution to all this.

    --
    Is the juice worth the squeeze?
  134. What happens when it gets hijacked? by bo0ork · · Score: 1

    If this is supposed to cure MS Windows of blaster and its friends, it's sort of a dead end. As part of the worm payload, a hacker would just subvert the windowsupdate IP resolving; an entry in HOSTS would do just fine. Or patching the windows update software itself so it connects to a site of the hacker's choosing.

    --
    Does everything include nothing?
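
A defender's check for the HOSTS-file redirection raised in the comment above, as an added example that is not part of the original thread: it parses hosts-file text and flags any entry that overrides name resolution for an update host. The watched domain list (beyond `windowsupdate.microsoft.com`, which the thread names), the function names and the sample file are assumptions made for illustration.

```python
import ipaddress

# Update hostnames to watch. windowsupdate.microsoft.com is named in the thread;
# the other two suffixes are assumptions added for this example.
WATCHED_SUFFIXES = (
    "windowsupdate.microsoft.com",
    "windowsupdate.com",
    "update.microsoft.com",
)

# Constructed sample, not taken from a real machine. Addresses are from the
# RFC 5737 documentation ranges. On Windows the real file normally lives at
# %SystemRoot%\System32\drivers\etc\hosts.
SAMPLE_HOSTS = """\
# Constructed sample hosts file
127.0.0.1       localhost
203.0.113.7     windowsupdate.microsoft.com   # points updates elsewhere
0.0.0.0         download.windowsupdate.com v4.windowsupdate.microsoft.com
192.0.2.10      intranet.example              # unrelated entry
#198.51.100.5   windowsupdate.microsoft.com   (commented out, ignored)
198.51.100.9    notwindowsupdate.com          # lookalike, different domain
"""


def parse_hosts(text):
    """Yield (line_number, ip_address, [hostnames]) for each valid entry."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                          # address with no hostname
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                          # malformed address, not an entry
        yield lineno, addr, [n.lower().rstrip(".") for n in fields[1:]]


def is_watched(name, suffixes=WATCHED_SUFFIXES):
    """Match on label boundaries so 'notwindowsupdate.com' does not match."""
    return any(name == s or name.endswith("." + s) for s in suffixes)


def find_update_overrides(text, suffixes=WATCHED_SUFFIXES):
    """Return one finding per hosts entry that overrides an update hostname.

    Any static override of an update host is abnormal on a client:
    'sinkhole' (loopback or 0.0.0.0) silently blocks patching,
    'redirect' sends update traffic to a host the file's author chose.
    """
    findings = []
    for lineno, addr, names in parse_hosts(text):
        for name in names:
            if is_watched(name, suffixes):
                blocked = addr.is_loopback or addr.is_unspecified
                findings.append({
                    "line": lineno,
                    "name": name,
                    "address": str(addr),
                    "kind": "sinkhole" if blocked else "redirect",
                })
    return findings


if __name__ == "__main__":
    for f in find_update_overrides(SAMPLE_HOSTS):
        print("line {line}: {name} -> {address} ({kind})".format(**f))
```

A hosts-file check only covers one of the two paths the comment lists; a patched update client has to be caught by verifying the client binary and the signatures on what it downloads.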
    1. Re:What happens when it gets hijacked? by immel · · Score: 1

      Apple has had to patch their software update for the same reason. Fortunately, it was not hijacked. With an MS windows version, however, there will no doubt be lots of attempts to do so.

      --

      10 Bits= $.25
      100 Bits= $.50
      110 Bits= $.75
      1000 Bits= 1 byte
    2. Re:What happens when it gets hijacked? by Fyoozen · · Score: 1

      Even the best system is ofttimes overcome by the everpresent "ingenious idiot". Unix and its offshoots have been around for ages and still need patches. So the idea of doing updates is not bad. However, AUTOupdates are not desirable. I think your point is valid. I would not want M$ deciding my company's or my home computer's security policies. It would also provide a means of opening access to every system their software runs on (like it's not open already). Also, given the M$ past performance record for faulty or system crashing patches, I am rather hesitant about letting them decide what I need on my system and when to install it. The overall damage could be catastrophic for online university attendees, home businesses, and a plethora of other "home" users. Maybe SPAMMERS first???

      --
      Semper BS-us! He has a wife you know...
  135. It's about time! by Ephemeriis · · Score: 1

    Frankly, I think it's about time that MS started at least trying to secure their products. I mean, we've had the ability to secure them for some time...but it wasn't enabled by default. The built-in firewall? Disabled by default. All those assorted patches and updates? Up to the user to actually go out and install them.

    I would be thrilled to see a default install of Windows become more secure...it would make my life a lot easier. Just so long as they allow the option to disable things (like the personal firewall) if you choose to.

    yrs,
    Ephemeriis

    --
    "Work is the curse of the drinking classes." -Oscar Wilde
  136. 3DStudio V4 by pommiekiwifruit · · Score: 1

    Used to crash if you pressed the "windows" key, losing all your work. As a result, artists would rip the windows key out of the new-fangled keyboards.

    1. Re:3DStudio V4 by Skye16 · · Score: 1

      I do that to stop the start menu from popping up on me in the middle of games, too.

      Just a semi-interesting side note :)

  137. Firewall by default? by immel · · Score: 1

    At the end of the article, there was some talk about enabling a firewall by default. No doubt, many users will not even know they have a firewall and certainly will not know how to disable it. I have had some negative experiences with users who don't know how to disable their own firewalls. Most notably the LAN party in which I could not get rtsp working on all the computers because the MS users did not even know where their firewalls were! This also interfered greatly with the gameplay. Having a firewall engaged by default will interfere with file transfers on a home network using windows, especially those that are already walled in with ISP routers and no "home IT department".

    --

    10 Bits= $.25
    100 Bits= $.50
    110 Bits= $.75
    1000 Bits= 1 byte
    1. Re:Firewall by default? by R5900 · · Score: 1

      Most notably the LAN party in which I could not get rtsp working on all the computers because the MS users did not even know where their firewalls were.

      Do you really think lan parties are the major concern of most people? I consider people going to lan parties as, at least a little, computer literate (as opposed to mom and dad).


      No doubt, many users will not even know they have a firewall and certainly will not know how to disable it.

      One annoying side effect is that there will be more crappy apps.

      I've been surprised by ICQlite (aka ICQ AsBloatedAsNotLite now). I installed this stuff on my xp laptop, and it disabled without telling me the builtin firewall to try to get incoming file transfer working. It was a windows system message box (and I'm not even sure it's standard, since I think it appeared after a ms hotfix) which told me that a dangerous app wants to disable the firewall. It doesn't affect me since I'm behind a decent linux box, but I don't like this attitude.

      I guess more and more crappy apps will do the same, as builtin firewall will be enabled by default. And it might be even more dangerous for people who think they have some, at least basic, protection.

      But I still consider it's better to get firewall enabled by default. If a user is so clueless he can't disable it, well, he deserves to have it enabled, for everyone who would have been the indirect victim of his owned box, if not for himself. But a firewall SHOULD NOT be disabled by any application except direct action of the user.

  138. microsoft should qualify as a terrorist group by Anonymous Coward · · Score: 0

    It seems to me that Microsoft creates environments where terrorism can thrive. Does this qualify as aiding terrorists?

  139. So... by Anonymous Coward · · Score: 0

    Microsoft wants to leave themselves an open channel into your computer to update windows. I wonder how long it will be before someone exploits it with a virus.

  140. Debian? by Jacek+Poplawski · · Score: 1

    Isn't this what Debian and other "automatic" distros do? Sure, you can decide what to install and what to uninstall, but how many people really do what installer is doing? Sure, Microsoft stuff is closed, and Debian/Gentoo/etc stuff is open, at least for now.

    What I am trying to tell is: lots of you trust in Debian developers, you trust they give you good set of applications with good configuration. You don't trust Microsoft. But what about "standard users"? They trust Microsoft just like you trust Debian. What's the difference for them?

    PS. yes, I am Slackware/LFS user

    1. Re:Debian? by bucky0 · · Score: 1

      Yes, you can have automatic updates by having cron call apt-get. But I think there's an important difference. Debian allows you to choose from 3 different branches: Testing, Unstable, Stable. The testing branch contains all software that was added within the past 2 weeks. (I.e. if you're a package maintainer and you upload a package to the repository, it goes there) If and only if the package is a) Not updated in 2 weeks b) Doesn't have a critical error, it is moved to the Unstable branch, where it sits for a few months before it moves to the stable branch.

      All that to say that if you run the 'stable' distribution, you can be fairly confident in the stability of your system because it has been tested not only by Debian developers, but by the hordes of users that enjoy testing out stuff like that. Also, all communication for debian is public and you can participate if you want to, which is something Microsoft doesn't provide.

      Now granted, there is a separate security branch which handles patching exploited packages, but if you're running the risk of getting exploited, the risk that something's gonna blow up is far less.

      --

      -Bucky
    2. Re:Debian? by TheNetAvenger · · Score: 1

      And what makes you think the MS process is so different?

      Windows Update only offers patches that have not gone through an extensive public testing when there is a major security concern. Period.

      Other than that, patches are put through a long series of tests, with many thousands of beta testers around the world. For example, the driver certification and the XP components updates that are not as important as having a 'security' fix immediately and other non-threat updates are put through public testing for a long period.

      Trust me, our tech team have been Windows Update Beta Participants since its beginning. We see the fixes before they are fully tested and released to the public, etc etc.

      And we also have Microsoft's ear for feedback, just like the participation groups for Debian.

      Just because it is Microsoft does NOT make it different than Debian or other vendors providing the same process to users.

      Microsoft does take the liberty of shielding the 'technical' jargon and experimental code from novice users.

      So you won't see a patch written by 13 year old skippy posted at 3am as a Stable, or Unstable fix option on the Microsoft website. And thank God. *sigh*

  141. make it the default by mboedick · · Score: 2, Interesting

    I don't think it's a horrible idea to make automatic silent updates the default. After cleaning up some of my relatives' machines after the Blaster worm, I set them all to automatic updates. Yes, there is a chance that an update might break something, but this chance is far less than the chance of another exploit or worm trashing the system.

    They just don't understand it at all and as the person who gets called when there is a problem, I'll take any proactive measures that I can to make sure things continue running smoothly.

    1. Re:make it the default by praedor · · Score: 1

      I wouldn't want them to automatically and silently do ANYTHING with my system, no matter how "benign". Why? At least 2 reasons: 1) I, like millions of others, am still stuck with dialup internet. Upgrades can take hours of download time, totally absorbing virtually all available bandwidth - basically DoSing a dialup connection. Because the connection is transitory and relatively brief, the danger to and from such a system is minimal; and 2) Their "upgrades" will invariably include DRM restricted upgrades to otherwise perfectly fine software. They will use this autoupdate crap to restrict users by secretly and quietly replacing functional software with crippleware.


      Piss off. Give me the right to say "yay" or "nay" or I'll just have to setup a firewall to block any ports you seek to use. My system is MINE to use or misuse as I see fit. Period.

      --
      In Bushworld, they struggle to keep church and state separate in Iraq as they increasingly merge the two in America.
    2. Re:make it the default by mboedick · · Score: 1

      Piss off. Give me the right to say "yay" or "nay" or I'll just have to setup a firewall to block any ports you seek to use. My system is MINE to use or misuse as I see fit. Period.

      I completely agree with the right to say "yay" or "nay". I was suggesting making it the default, but of course leaving an option to turn it completely off. I had not thought of dialup users, but a consideration could be made for them.

      The blaster worm really hit home for me and made me rethink some of my ideas. It was the first worm that affected a number of people I know at their homes and made their machines unusable (the previous ones seemed to target Windows editions and services more commonly found in a business setting). The worm also required no user action for infection (wasn't caused by opening an email attachment or something). It could have been much more malignant than it was. As a programmer I actually felt bad for these people, who hadn't a clue why their machines stopped working.

      And if you don't trust Microsoft not to secretly replace your perfectly fine software with DRM software, I guess you don't trust any of their patches or service packs, whether they are installed by you or automatically behind the scenes.

  142. Worldwide DOS? by coene · · Score: 1

    And what happens when someone hacks into Microsoft's update servers and releases a patch that recursively writes over every byte of the hard drive to the tune of a 1980's video game MIDI file?

    Is Microsoft going to be liable for the loss of all your documents, and time to recreate your system?

    Software vendors (ahem, Microsoft) can't continue monopolizing themselves without offering more accountability.

  143. W32.Welchia.Worm by jolshefsky · · Score: 1
    And I thought they already released this feature [that is, Symantec AntiVirus Center].

    (har har.)

    --
    --- Jason Olshefsky

    Karma: Poser (mostly affected by adding this line long after everyone else did)

  144. Probably a mis-quote by Anonymous Coward · · Score: 0

    The journo possibly took him out to lunch, and he was commenting on the idea of being taken out to lunch ...

  145. Where are the legal protections? by Anonymous Coward · · Score: 0

    We hear lots of folks in the government and elsewhere clamoring for push-down patch solutions like this for the allegedly clueless home user.

    But where are the legal protections against nefarious activities taking place during the push-down?

    I would patch my home Windows box IF there was a legal mandate that MS could not lawfully change my EULA when doing so, and IF there was a legal mandate that MS could not push spyware or other changes to the OS down the pipeline and could lawfully push the patch and ONLY the patch down the pipe.

    And, oh yeah, I forgot, I don't use Windows anymore because it doesn't work as well as Linux. So fix that OS first, and dem patches, and then maybe you'll see me back as a customer.

  146. Re:People are lazy? People are stupid? Good heaven by rcongdon · · Score: 1

    While I am in complete agreement that I don't want MS screwing around with _my_ windows boxes, I'm not sure I agree with the premise that people need to "have a working knowledge of their computer/operating system" or have their computer regularly maintained by someone else.

    It seems to me that the ideal for the naive home user would be to have Windows be as effortless as a gaming console. Yes, I know that hardware variety makes this difficult, but imagine if the only problems you are likely to have are hardware failures (linux, anyone? :)) and the box is easy to use. This is what MS should be striving for, and the automagic updates seems to me to be a way to accomplish this.

  147. Some more minor improvements might help by Anonymous Coward · · Score: 0
    Yeah, well, the other day I looked at the updates for my recent 2K install, and I've got tons of security patches. I hit install, and the sucker crashes. Ok, I'll install one at a time...I unclick all but one, install, reboot, and discover all the other patches are gone. Once I unclicked, it assumed I never wanted to install those patches.

    And they wonder why people have problems!

  148. Default set to on, but option to opt-out by Phil+John · · Score: 1

    IMHO, the best option would be to have it enabled by default on machines, with the option of disabling it for power users.

    This means that the computer illiterate of this world will be automatically protected (some people I know have never heard of windows update before, let alone visited it).

    For people who actually have some knowledge of what they are doing, well, they can just turn it off and complete upgrades in the normal manner...everybody wins.

    --
    I am NaN
  149. Re:People are lazy? People are stupid? Good heaven by Wyzard · · Score: 1
    This isn't that hard. People have this perception of computers as the same as their television or washing machine in terms of support - don't touch it unless it's obviously unusably broken. They don't work that way, they're much closer to cars. Sure, some people don't maintain their cars either, but those people aren't in the majority.

    Definitely. But taking this a step further, we have auto insurance, some forms of which are required in order to be legally allowed to drive. I wonder if we'll start seeing something like virus insurance, to pay for damages caused by security exploits.

    People would want it, and it would be an encouragement to take short security courses -- you know, a few hours per day for a few days, going over how to install updates, common sense when downloading things, etc. -- because it would reduce their insurance premium. (Similar to how taking a driver's ed course can reduce a student's car-insurance payments.) And this would cause greater public pressure on Microsoft and other software vendors to make their software more secure, again because people would want to lower their insurance costs. No legal force would be needed; the market would offer all the incentives.

    It could work...

  150. Who is held accountable by Anonymous Coward · · Score: 0

    Most EULAs state that the software vendor isn't accountable for lost data or functionality.

  151. automatic update might not work properly on some by happylinuxguy · · Score: 1
    I noticed my system had a critical update notice each time I rebooted, and I dutifully applied the new patch each time, and about the 3rd patch, I noticed that it was _the same patch_ being downloaded, it just wouldn't take on my system.

    Imagine, MS might DOS themselves to death with this automatic update feature.

  152. Of course they should by gelfling · · Score: 2, Insightful

    In fact I want MS to quietly run every aspect of my life unasked. I want multimegabyte SPs unasked. I want new and improved packaging and several dozen applet upgrades unasked. Especially the ones that break something else. I want updates to wipe out competing applications unasked. I want application changes on the fly so that file formats suddenly become incompatible. I want their updates to clash with themselves. And mostly I want to pay for it.

    1. Re:Of course they should by eyepeepackets · · Score: 1

      *clap* Bravo! Superb sarcasm. Too Bad I can't give you mod points for sarcasm or I would. Can't mod you funny since it's not at all funny.

      How about a sarcasm mod, /.?

      --
      Everything in the Universe sucks: It's the law!
    2. Re:Of course they should by Overly+Critical+Guy · · Score: 1

      Where was the "insight" in this post? It was just FUD. Another tinfoil hat conspiracy theory. Right, Microsoft will wipe competing apps. File formats will magically become incompatible. And, of course, none of their updates have ever "clashed with themselves."

      I swear, sometimes people don't even think before they post. Anything to get modded up in an obvious Microsoft flamebait article, I guess.

      --
      "Sufferin' succotash."
    3. Re:Of course they should by Anonymous Coward · · Score: 0

      In fact I want MS to quietly run every aspect of my life unasked. I want multimegabyte SPs unasked. I want new and improved packaging and several dozen applet upgrades unasked. Especially the ones that break something else. I want updates to wipe out competing applications unasked. I want application changes on the fly so that file formats suddenly become incompatible. I want their updates to clash with themselves. And mostly I want to pay for it.

      You want your tin-foil hat to be put on your head unasked as well?

  153. LOOK -- I don't think that you guys are grasping.. by Biff98 · · Score: 1

    the problem.

    I don't think people are reluctant about the idea.
    "Oh, you want to patch my box automagically? Right
    on." That's a great idea. I think the reason
    people are hesitant is because Micros~1 makes you
    click on that EULA which basically gives them
    access to any and all information they want to.

    The other side of it is, "Well don't click the EULA
    dummy." Well then one (not I) can't use Micros~1
    Windows! And even if you don't have a problem
    with that, recall that Micros~1 patches are
    known to really screw up machines sometimes.

    What a dilemma, no?

  154. They're just blame-shifting by djh101010 · · Score: 2, Insightful

    Instead of taking the blame for writing yet another security hole (not even a novel one at that), they're pushing it off on the customers who are behind on patches. Yes, people should apply patches for these, but maybe they could be a bit more careful in writing the OS and apps in the first place. The blame here is on MS and the virus/worm writers, not on the customers who are having both inflicted on them.

    Yes, no OS is perfect. But, their attitude here seems to be "you deserve to get hit if you didn't apply the patch-of-the week".

    1. Re:They're just blame-shifting by Anonymous Coward · · Score: 0

      Instead of taking the blame for writing yet another security hole (not even a novel one at that), they're pushing it off on the customers who are behind on patches. Yes, people should apply patches for these, but maybe they could be a bit more careful in writing the OS and apps in the first place. The blame here is on MS and the virus/worm writers, not on the customers who are having both inflicted on them.

      Software is such a dynamic creature, it is very hard, almost impossible to expect a software maker to make perfect software that has no holes. No matter what, sometime after the software has been released, someone is going to find a hole of some kind, no matter what kind of software it is - whether it be OS, router, etc.

      MS is trying to get a system in place to prevent this type of thing happening again, since they see that for the most part a big portion of their userbase doesn't update their systems (or use auto update). Now I have run a WinXP machine on a fairly secure network for a couple years without any problems at all. I don't apply every patch, but mainly just the critical ones, although I am behind a firewall and a NAT box. I think the users that MS is trying to target with auto updates are the ones who are directly on the internet, without any firewall (software) or even the know-how on setting one up. At the very least, a cheap little Linksys router doing NAT can take away some of the dangers of using your unpatched machine on the 'net.

      It all goes back to what you said, no OS is perfect.

  155. Actually it works fairly well by mwood · · Score: 1

    News flash: Win2k SP2+ and WinXP *already have* the code needed to run updates automagically. We use it here and it works quite well. A couple of Registry tweaks is all they need to turn it on.

    HOWEVER we also run MS' Software Update Service, which lets us set up a local mirror of the Windows Update patch kits and decide which ones we'll allow the managed stations to fetch. We can test patches first and block any that seem troublesome. I wouldn't turn on automatic patch installation without this review.

    Having said all this, I don't think that push-patching will be accepted by those home users who are aware of it. Having a PC that belongs to the company managed by people you could actually go yell at is a lot different from having your *personal property* adjusted without your consent by some faceless company a thousand miles away. The effort being spent on this scheme should be redirected toward teaching some of their coders basic sanitation (like, if you don't allocate net buffers from the stack, you won't facilitate any embarrassing stack-smashing exploits, duuh).
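Added example (not part of the thread, and not the poster's or Microsoft's own configuration): the comment above describes enabling Automatic Updates through registry values while pointing clients at a local Software Update Services mirror so patches are reviewed first. The PowerShell below sets the Automatic Updates policy values for that arrangement and audits a machine for the case the poster warns against, unattended installation without local review; the server URL and the function names are assumptions.

```powershell
# Added example. The value names are the Automatic Updates policy values read
# by the Windows Update client; the server URL and function names are
# assumptions. Writing under HKLM requires an elevated session.
$WuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey = "$WuKey\AU"
$ReviewServer = 'http://updates.example.internal'   # placeholder internal mirror

function Set-ReviewedUpdatePolicy {
    param(
        [string]$Server = $ReviewServer,
        [ValidateRange(0, 7)][int]$InstallDay = 0,    # 0 = every day, 1-7 = Sun-Sat
        [ValidateRange(0, 23)][int]$InstallHour = 3   # local time, 24-hour clock
    )
    # Create the policy keys only if absent, so existing values are not wiped.
    if (-not (Test-Path $AuKey)) { New-Item -Path $AuKey -Force | Out-Null }

    # Clients ask the internal server, which offers only approved patches.
    foreach ($name in 'WUServer', 'WUStatusServer') {
        New-ItemProperty -Path $WuKey -Name $name -Value $Server `
            -PropertyType String -Force | Out-Null
    }

    $auValues = [ordered]@{
        UseWUServer          = 1            # use WUServer instead of Windows Update
        NoAutoUpdate         = 0            # Automatic Updates stays enabled
        AUOptions            = 4            # download and install on the schedule
        ScheduledInstallDay  = $InstallDay
        ScheduledInstallTime = $InstallHour
    }
    foreach ($entry in $auValues.GetEnumerator()) {
        New-ItemProperty -Path $AuKey -Name $entry.Key -Value $entry.Value `
            -PropertyType DWord -Force | Out-Null
    }
}

function Get-UpdatePolicyFinding {
    # Returns one string per problem found; no output means the machine
    # installs automatically, but only what the internal server has approved.
    $wu = Get-ItemProperty -Path $WuKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path $AuKey -ErrorAction SilentlyContinue

    if ($null -eq $au) {
        'No Automatic Updates policy is set; the machine follows its local settings.'
        return
    }
    if ($au.NoAutoUpdate -eq 1) {
        'Automatic Updates is disabled by policy; patches arrive only when someone pulls them.'
    }

    $usesMirror = ($au.UseWUServer -eq 1) -and
                  ($null -ne $wu) -and
                  (-not [string]::IsNullOrEmpty($wu.WUServer))
    if (-not $usesMirror) {
        'Updates are fetched directly from Windows Update; nobody reviews them first.'
        if ($au.AUOptions -eq 4) {
            'AUOptions=4 without an internal server: patches install unattended and untested.'
        }
    }
}

# Typical use on a managed workstation:
#   Set-ReviewedUpdatePolicy -Server 'http://updates.example.internal'
#   Get-UpdatePolicyFinding
```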

  156. "Why's the Internet slowed down?" by rleyton · · Score: 2, Funny

    I can hear it now, a phone call from my Windows/56k modem afflicted parents, "Why's it all so slow?".

    To which the only real reply is "Because Bill knows best Mum. Because Bill knows best". Add to this the fact that they crank up their computer on a six-monthly basis, and would probably stop altogether if each time they did, it rebooted the PC. Not that much different from MSBlast, really.

    --
    ooooooh! What does this button do? - DeeDee, Dexters Lab.
  157. This can never happen... by thepacketmaster · · Score: 1
    I work in an environment where change control and 99.99% up time is a "must". Due to the natural interaction of some applications with the operating system, that require specific parameters, any patches that change those parameters could bring down the whole system.

    So Microsoft, "No, you may not administer my systems!"

    --

    Luck is just skill you didn't know you had.

  158. Try pushing notices, not patches by DanMc · · Score: 3, Interesting

    I'm sure these customers didn't know they had a problem with their PCs. That was the first fact that caused the worm to be a problem. The fact that the computers weren't patched was secondary. Instead of pushing the patches, why not be more aggressive about notifying customers, and giving us better tools to patch and scan? Asking millions of users to pull updates ALL THE TIME, or turn on an automatic pull where there are only 3 configuration options is a real lack of choice. There are lots of things in between that can be tried.

    If I were a home XP user, and I saw a notification, "Message from Microsoft Security: Due to a problem recently found in WinXP, You are at high risk of being hit with an intrusive virus or worm. Here is a web site with details. Here is a 1-800 number with details. To correct the problem now, press Ok."

    Supposing MS did give home users this easy to use scan, notify, patch utility, the only reason they would not use it is if the EULA were too scary. This is easy to fix. Put a big splash screen with "Absolutely no Information is gathered and Sent to Microsoft. To see how this tool works, click here. Microsoft will never change this policy without your consent. (Like we did with WindowsUpdate)"

    We shouldn't have to wait long to see an analysis of Blaster, but I am going to guess that the majority of infection vectors came from business or academic Win2000 installations. WinXP systems crashed so much, they weren't efficiently spreading the worm. So corporate tools to fill this middle ground need to be improved. The hard to learn and use tools like IIS lockdown, hfnetchk, etc need to be seriously overhauled. At work, I would love to have a non-web-based WindowsUpdate SCANNER, and a separate PATCHER. They'd be easy to use with a GUI, but also have command line options so they could be used in scripts. (SUS isn't what I'm talking about, because it is browser based, and the process is still a pull. The only way you can push an important update is to go to each server, or set the server's auto-pull frequency really high)

    I also wonder if MS is afraid that making system maintenance too easy might cut into their SMS server sales?

    1. Re:Try pushing notices, not patches by TheNetAvenger · · Score: 1

      But this is exactly how 'Automatic Updates' are set in WindowsXP by default unless their computer nerd friends turn them off in 'fear' of Microsoft.

      Which has been the case I have found more than anything. Some 'Guru' or other OS Zealot that hates Microsoft screws with their friend's computer and turns off the 'Automatic Update' Notification service.

      Just leave it alone people and let it work, especially for your novice friends. Even if you think Microsoft is Satan himself and going to eat your children.

      Geesh.

  159. More time updating computer than using it by Anonymous Coward · · Score: 0
    I do almost all of my computer work at work. I also have a Windows machine at home, but I only use it occasionally (check for an important e-mail, check eBay late at night, etc.).

    The problem is that my home machine is a dial-up and every time I turn it on, Microsoft expects me to patch my system. If I installed every Microsoft patch, it would take me longer to download and install the system updates than to do what I wanted to do.

    How many other people have machines that most of the system resources are used to patch the operating system???

  160. I Bought a PC.... by Pitawg · · Score: 2, Funny

    I owned that PC all the way out of the store. I owned it all the way home and out of the box. I plugged it all up, hit the power button, then the "transfer of ownership" started. Once the initial non-linux OS started to boot (or install for my "put together box"), my ownership went away. My PC told me it had to get some files. It reached out across the open internet and started doing things on its own. Then a popup message appeared on the screen. "Your machine has been caught downloading Intellectual Property of !! Your harddrive is being wiped!!"

    So the cycle of ownership goes.....

  161. that's what firewalls are for by chrismg2003 · · Score: 2, Interesting

    simply do an add deny tcp and add deny udp in ipfw on ms's address on your gateway and you don't have to worry about it.

    --

    Red Hat is for people who hate Windows, FreeBSD is for people who love Unix.

    www.putertech.net

  162. Fix for SP2 by bagofbeans · · Score: 1

    No, the fix for SP2 largely involves telling ZoneAlarm (free) not to give the system process SVCHOST.EXE access to the internet. ZA is a 4M download.

  163. will that include eula upgrades? by Anonymous Coward · · Score: 0

    will it automatically rewrite/upgrade the eula as needed?
    ms media player 9 style eula
    short version: i own your box

    1. Re:will that include eula upgrades? by gregarican · · Score: 1
      Here's the company that wants to automatically tap into your box...

      "Digital Rights Management (Security). You agree that in order to protect the integrity of content and software protected by digital rights management ("Secure Content"), Microsoft may provide security related updates to the OS Components that will be automatically downloaded onto your computer. These security related updates may disable your ability to copy and/or play Secure Content and use other software on your computer. If we provide such a security update, we will use reasonable efforts to post notices on a web site explaining the update."

      No thanks. It's kind of like the book "Animal Farm." Things can creep in that wind up bastardizing the whole deal.

  164. 5 words for you ... by Abm0raz · · Score: 2, Insightful

    Windows NT service pack 6

    [RANT]
    Remember this gem? All the people that installed it had inoperable machines. It was so bad that it was recalled *6* hours after being posted. Then a week later came SP6a. I definitely do *NOT* want them pushing crap to my machines. I have no problem getting my own updates. Set up auto-update by default, but let those of us that know what we're doing be able to turn it off. I'm all for (l)users getting crap in general (not necessarily viruses/virii). Maybe that will get them off computers and leave them to the experts.

    How come everyone and their brother is allowed to operate a computer at will, but I need a license to fish?

    [/RANT]

    -Ab

    --
    Nothing fails quite like prayer.
    1. Re:5 words for you ... by shawnce · · Score: 1

      What if the OS install defaults to automatic download and install of security patches (only those such patches). Yet it also provides a way to deactivate the automatic install (and/or download) aspect.

      This would cover the folks that never update their systems because they don't know how/why/when. It would also cover the folks that are aware and want to control the update process.

      Don't throw the baby out with the bath water.

  165. 3dsMAX v5 by djdrew6k · · Score: 0

    Well, turns out that 3dsmax is only made for rc3 or earlier of Windows 2000. If you upgrade to rc4, it actually fucks with the .max format! Any MAX 3d files I make in a machine running Win2k RC4 will end up crashing the OS of a machine using RC3 or earlier. Let me tell you, this was endlessly frustrating for a video game development team. We had to roll back all of our computers to RC3, and then load all the MAX files into XP, save them in there, re-load them on an RC3 machine, and save them again. Bullshit. All because for some reason, upgrading (patching) to RC4 basically CHANGED THE FORMAT OF 3DSMAX files. Bullshit.

  166. You forgot.... by docbrown42 · · Score: 1
    if (company_trusts_microsoft_code())
    {
    use_windows_OS();
    allow_auto_updates();
    crash_for_no_reason ();
    }
    else
    use_some_other_OS();

    /*
    junk code

    bitch();
    moan();
    flail_arms_wildly();
    */
    --
    Ed Wedig
    Graphic design services
    docbrown.net
  167. The first step by Dictator+For+Life · · Score: 0, Offtopic
    Your sig:

    yes, i am a leftwing whiner

    Realizing that you have a problem is the first step on the road to recovery.

    That's a joke, son. ;-)

    --

    DFL

    Never send a human to do a machine's job.

  168. Recall? by Anonymous Coward · · Score: 0
    "You can't just send out a recall notice and hope that people come into the shop and do their maintenance."

    Oh, yes! Great example. Last time I got a recall notice, an armed representative from Ford showed up and commandeered my vehicle. Can someone tell me where people get these ideas?

  169. Will auto update eliminate the mandatory reboot? by mencik · · Score: 1

    I'd sure hate for the automatic update to interrupt my game playing by rebooting my machine!

  170. I can see it now... by WolfWithoutAClause · · Score: 1
    "We've found a critical bug- don't worry, we've fixed your computer for you" -Microsoft

    In other words: they've deleted your Linux root partition ;-)

    --

    -WolfWithoutAClause

    "Gravity is only a theory, not a fact!"
  171. Ugh by ViceClown · · Score: 2, Insightful

    This is a terrible idea. My brother is a sys admin and 9 times out of 10 the microsoft update patch breaks some or all of the 3rd party software installed like Backup Exec, anti virus.... you know... the minor things ;-)

    --
    Have a Happy.
    1. Re:Ugh by compupc1 · · Score: 1

      That's why you'll be able to turn it off. All that's changing is that it's turned on by default. So all the sysadmins or corporations and universities and schools can just set up their images with the option turned off or use SMS to change it.

      --
      -James
    2. Re:Ugh by JTFritz · · Score: 1

      Please... do you really think that MSFT would install software that would disable or break another company's (possibly competing) product?

      My question is: Why do people think that this is not a controlled worm? MSFT sends out a notice to the WindowsUpdateable machines around the world and within minutes we have traffic jams and monstrous lag times while people are downloading MSFT's propaganda and DRM enabled software.

      Thanks, but no thanx

    3. Re:Ugh by ViceClown · · Score: 1

      I guess it's also possible that the auto updater could somehow be exploited and we could all get auto-update-installed worms or something. If it's turned on by default but can still be disabled, fine. That said, you just can't take away the autonomy that sys admins need for deciding when their systems should be updated... or if they should be at all.

      --
      Have a Happy.
    4. Re:Ugh by Overly+Critical+Guy · · Score: 1

      Backup Exec? Anti-Virus? Those are system-level programs. Obviously, as a sysadmin, compatibility should be considered. Or, JUST TURN IT OFF (that's right, it's optional, though everyone's ignoring that).

      All other kinds of apps are left unscathed.

      This is not rocket science, people.

      --
      "Sufferin' succotash."
  172. SP6. by mbourgon · · Score: 1

    If you look, the original SP6 for NT cannot be found. What is out now is "SP6A". SP6 had the unfortunate side effect of disabling Lotus Notes. It managed to break SMTP for Notes, and only Notes - Exchange was unaffected. Our IT group decided to wait before installing SP6, but our corporate offices were not so smart - they took themselves off email for 2 days or so. So yes, Microsoft patches do break things.

    --
    "Sometimes a woman is a kind of religion, she can save your soul & set you free from all your sins" - Bad Examples
  173. Yes, it is a very bad idea by bankman · · Score: 1
    In this kind of setup, how can one company (in this case Microsoft) make absolutely (as in beyond any doubt) certain that no one else can access home user's boxes to "update" the system via their mechanism?

    The obvious answer would be, by signing the updates and verifying them on the recipient machine via public keys. Now, given this particular company's outstanding track record of handling security issues, how can anyone actually mandate this (and not be employed at MS)?

    Other question that might arise: As a home user, who doesn't make constant backups of the whole system, how can I verify that one particular patch doesn't corrupt my whole system (as has happened before)? If it would be really automatic, how can I make sure that the same patch that hosed my system won't be installed right after I rebooted from backups? Wouldn't this be a Microsoft denial-of-service attack?

    One would now argue, that it is possible to switch the automatic update off, but then what would this be useful for? After the first malfunctioning automatic patch many users will switch this feature off to prevent further incidents. And we would be back to square one.

    Now, what's the point in all this?

    --
    I feel so sig.
  174. Yes, But Not MS by 4of12 · · Score: 2, Interesting

    I think forced immunization of vulnerable open machines on the network is a good idea, under the right conditions.

    After public notification of the nature of the vulnerability.

    After a patch has been made available and notices posted, sent out.

    After a user or sysadmin keeps their machine unpatched and exposed.

    After a second warning has been posted, sent that forced patching will occur.

    Then, and only then, a worm-delivered patch should be administered.

    But it should not be administered by MS, though they were responsible for the vulnerability.

    MS is a profit oriented business, whose goals include many actions directed towards increasing their own profit in the long and short term, as well as fixing software that users have bought from them.

    No. It should be role of people responsible for network health, because that is the public good that is impacted. As a public, non-profit entity, they would be free of conflict of interest, financial considerations. If MS were to administer remote administration in this way, they would be opening themselves up to conflicts of interest, particularly because of the monopoly market position they hold.

    --
    "Provided by the management for your protection."
  175. why is this reminiscent.... by Anonymous Coward · · Score: 0

    of the Department Of Homeland Security after 9-11?

  176. worms, and virii, and bugs, oh my... by Anonymous Coward · · Score: 0

    I could just see the next M$ exploit... automatic virus downloads. No longer do you have to download a virus yourself, it's automatic.

    I'll definitely be blocking that port on my win box.

  177. huge contrasts, free and non free. by twitter · · Score: 1
    What kind of performance do you get out of Windows on a modem these days? The average M$ computer is loaded with spyware, scumware and other stuff that bogs performance down even over a fast connection. I imagine the crap would be impossible by dial up.

    You can contrast that with the performance I got out of a $10/month dial up service and free software. I forwarded it to a local net via ipchains and my wife and I were able to use it at the same time. She slowed it up more than I did because she refused to use any of Mozilla's pop-up or image blockers. By loading browser tabs with interesting stuff while reading other interesting stuff, I hardly noticed the difference. Of course mail worked just fine. The only difficulty I had was missing inbound phone calls and software updates.

    The software update problem would not bother me as much today. I built a debian mirror using a script from debian.math.lsu.edu, rsync and debmirror. It's very efficient and the interactive nature of the script would keep it from being hung up on by my ISP, if for some reason it took that long to get everything in US stable i386. All my local machines use it for updates already to spare everyone bandwidth.

    What a contrast! I did not even mention the trust aspect of software updates and how Microsoft updates break stuff while free software does not. Ah the Windoze cacophony, the product is much greater than the sum of its parts.

    --

    Friends don't help friends install M$ junk.

  178. Regarding Linux and Windows by chronos82 · · Score: 1

    I myself use RH9 on the laptop, and Slack-current on the desktop. However, the family computer back home is still chugging away on a well patched win2k. I'm the only "tech" person in my family; I find my family demonstrates very well the vast difference in the world of computer users; on one hand you have the joe-average-user who can turn the computer on, surf the net, write papers and check their emails. These people generally use some flavour of winbloze on an x86. They care not and generally know not, or are too scared to apply patches, lest it breaks and swallows all their data.

    On the other hand you have the geeks, the haX0rs, the more knowledgeable users, who may use winbloze for games etc, and generally use Linux. These are the people who are intimately aware of how their system works; they are comfortable at a bash prompt; they know about the latest vulnerabilities; they know how to close ports, hell they know what a port *is*.

    I spent 20 minutes just explaining what a port is to my Dad, and why it had to be closed.

    People use windows, because like it or not, windows brought computers to the masses.

    In short, Windows brought computers to your Mom, your Dad, your grandparents. People who otherwise would never have touched a computer.

    Problem is, Microsoft has to live up to its responsibilities, it brought computing to Joe Public; it cannot expect Joe Public to know about or understand patches.

  179. Wiggi wiggi - by Ayanami+Rei · · Score: 1

    You're a piggy.

    ::shimmies and shakes::

    Wooooooooooooo!

    --
    THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
  180. almost automatic update? by lethalwp · · Score: 1



    *working on important stuff you have to finish that day*

    Alert Alert! Windows has detected that a new update is available from windowsupdate.microsoft.com (yeah the other site was disabled ;) )

    Do you want to apply the update? Ok - Cancel; *CLICK*OK*

    Are you sure? *Yes*

    Downloading, please wait... (poor 56k owners)
    Installing, please wait...

    Windows has now to reboot your computer, please wait

    *Nooooo* My word document!

    Cruel world, isn't it?

  181. Order the CDROM! by reynolds_john · · Score: 1

    You know, this is ridiculous. If you don't want to spend hours downloading the patch (justifiably) then simply order the cdrom for $9.
    http://www.microsoft.com/windows2000/downloads/servicepacks/sp4/ordercd.asp

    All the rest after the service packs are patches; *most* aren't that large to begin with (other than DirectX 9 and Windows DRM -up-your-nose Player).

    I can't understand why people bitch about this constantly. It might be $20 per year for the twice-yearly service packs they release.

    1. Re:Order the CDROM! by nojomofo · · Score: 1

      It doesn't cost them $9 to burn and send a cd. I don't think that I want them to profit from the fact that their software is riddled with security holes.

    2. Re:Order the CDROM! by LetterJ · · Score: 1

      Microsoft would say it costs much more than $9 to send it. I recently had to order a replacement Office XP disc set for a client and was told the discs were "free" but the shipping and handling was something like $29. Even late night TV doesn't go that far with shipping and handling.

    3. Re:Order the CDROM! by delus10n0 · · Score: 1

      Then go over to someone's house who has highspeed internet and a burner, and burn a copy.

      Or go to an internet cafe with burners and burn a copy.

      Or get a job, so $9 isn't that big of a deal anymore.

      Seriously, guys. There is no excuse, here.

      --
      Not All Who Wander Are Lost
    4. Re:Order the CDROM! by nojomofo · · Score: 1

      What I'm asking is this: why does Microsoft feel that they have a right to profit by this? By charging more than it costs them, they are certainly showing that they put profit ahead of customers and security.

  182. Who do you trust? by Anonymous Coward · · Score: 0
    It's a bad idea only because the premise behind it is so bad.

    People don't want automatic updates because you never know what you're getting. It might not have received good QC and it will break a working system, it might contain malicious features (because the entity who makes it has interests that are ultimately in conflict with their users' interest), or it might offer a path for third parties (e.g. script kiddies, spies, etc) into your system.

    That sounds bad, but that's the situation you already have, even before you factor automatic updates into it. Without updates, you also don't know that a working system will still work tomorrow, you don't know that it doesn't contain any malicious features, and you don't know if it contains a means for third parties to make your computer their bitch.

    Keeping your machines secure requires that you take responsibility for your computer and don't make assumptions about what somebody else did. You audit, inspect, and must understand how things work. But a Windows user doesn't really have the means to do that because they don't have access to the source. While they are ultimately responsible for their computer, their last decision and act on the matter was to trust in Microsoft and then: "whatever's going to happen, is going to happen." It's not really a responsible way to act, but it's a decision that has been made by millions of people and it's the reality of our world. It is impossible to run Windows without "I trust Microsoft" being the premise that your business, your homework, or your enjoyable video game relies upon.

    If that's scary, well, yeah, it should be scary. It's more than scary, it's stupid because Microsoft has already tipped their hand and publicly revealed that they are untrustworthy and that their products are intentionally designed to serve more than one master (i.e. Palladium. Even before that, we all inferred that Microsoft products weren't written entirely for the interests of the users, but Palladium has made that explicit). But that's just how things are. And if you're going to trust Microsoft to have power over you, and you're already resigned to being at their mercy, then you might as well go all the way and give them maximum power to do whatever it is that they're going to do. Half measures suck.

    When people complain about the security concerns inherent in automatic Windows updates, I'm reminded of a dream Lisa had on The Simpsons. Milhouse/Moses asks Skinner/pharaoh to let his people go. The pharaoh's reply: "I've never heard such insolence! You call yourselves slaves?!"

    1. Re:Who do you trust? by westlake · · Score: 1

      Pop quiz:

      In plain English and working solely from source explain to me the significance and vulnerabilities of the ten last patches to your favorite Linux distribution.

      If you fail the test then you are by your own standards no more independent and secure than anyone running Windows.

  183. Automatic reboots?? by Anonymous Coward · · Score: 0

    Since so many of windows' updates require reboots, would they "automatically" reboot the machine when they finish installing the update? If so, how is their automatic update any different in effect on end users than the blaster worm, which rebooted machines?

    Frankly, I'd get pissed off to find my machine rebooting during the middle of some important work/long computation.

  184. Re:imagine... *not likely*... by The+Lynxpro · · Score: 1

    ...afterall, isn't Microsoft running some of their servers on BSD? Oh wait, that was Hotmail...

    --
    "Right now, somewhere in this world, Scott Baio is plowing a woman he doesn't love," - Peter Griffin, *Family Guy*
  185. Why not start a little simpler by Cy+Guy · · Score: 1

    During the peak of the blaster virus I fired up IE (which of course was still set to the default homepage) in order to go the MS update site. Well MSN which loaded into the browser as far as I could tell said nothing on the homepage on the blaster worm. You'd think that since this was a worm directed at MS itself that at a minimum there'd be a banner ad warning people to upgrade and if they were serious a forced push of the update to my machine as soon as I visited any MS controlled website (except maybe MSNBC or ESPN.com).

    Instead of just pushing the upgrade on the people that visit their sites, they want to start by pushing to every user on the Net? Give it a go at MSN and Microsoft.com first and see what reaction you get before you make it mandatory - oh and another idea - make patches that don't require reboots.

  186. Already Available Service by LuYu · · Score: 2, Funny

    I thought this service was already available from another shady vendor.

    I guess it is time to embrace, extend, and extinguish another competing solution.

    --
    All data is speech. All speech is Free.
  187. a good thing? by dema · · Score: 1

    Being a Mac-savvy person I don't have a long-time experience with Windows but I do work with it on a day-to-day basis at work. Recently I went to a friend's house to help her install a new computer she got and while running Windows Update I got that "NT/Authority System" shutdown dealy. After bouncing back and forth between Symantec and Microsoft I had managed to install like 2 different patches and run some application. I also found myself in regedit at one point.

    Anyway, the point is, if the current system is confusing for someone who works with PCs as a techie for 8hrs a day 5 days a week, how confusing could it be for someone who only uses their computer for email and the internet?

  188. Two good examples by TheConfusedOne · · Score: 4, Interesting

    SP 6 broke Lotus Notes servers thus 6a came out.

    Even worse, SP 2 installed over a network failed. Failed badly. It did something horrible to the ntfs.sys file IIRC. This meant that the box would blue screen on boot and be irrecoverable if you had an NTFS partition.

    --
    --- I wish I could hear the soundtrack to my life. That way I'd know when to duck.
    1. Re:Two good examples by jeremyp · · Score: 1

      Back in the late 90s, the company I worked for then wrote a volume scanning application for a large government agency in the UK. This was a volume scanning app i.e. up to 50 ppm for 8 hours a day, so we were using drivers from Kofax. We installed the s/w on machines running NT4 sp4.

      The prime contractor (a company called IBM) found out that the OS was not Y2K compliant (in fact the only thing wrong was it was unable to set a password expiry date of 29/2/2000, but they didn't bother to find that out). So they put sp6a on all the machines which broke the Kofax drivers and hence our software.

      For this reason, I would never accept an OS configuration where I don't get to say yes or no to a patch before it installs itself. Admittedly I never say no to M$ Windows Update patches, but at least I know I've put them on if something else mysteriously stops working. Note that I'm not necessarily saying M$ patches break things. In the case of the Kofax drivers above, there was a bug in the driver which they could get away with on sp4 but not on sp6a.

      --
      All I want is a secure system where it's easy to do anything I want. Is that too much to ask ~~ Randall Munroe
    2. Re:Two good examples by zero_offset · · Score: 1
      SP 6 broke Lotus Notes servers

      Trust me, that's a major benefit.

      --

      Slashdot quality declines as the number of hot grits posts decreases. - Provolt's Law, Apr-09-2005

  189. Re:You must be new here... by Anonymous Coward · · Score: 0

    Someday, you too will embrace Penguin Love(tm) and shun the evil SoAp. The mighty will fall and a new 60's era will begin!

  190. re: MS must send CDs in the mail by Anonymous Coward · · Score: 0

    so you're happy to give your address to ms? good for you pal...

  191. never happen by BurKaZoiD · · Score: 1

    and if it does, I'll just sniff the traffic, find out what port it's going out on, and just block that on my home LAN. Easy-peasy, japanesy....

  192. this bad for many reasons by f00zbll · · Score: 1

    Say you have a farm of servers. If Microsoft forces updates to all systems, it could potentially break the servers, since it's happened in the past. On a typical home user's system it's fine, but corporate servers should not get automatic updates. The system administrators and developers should go through regression testing on select boxes before a complex wide patch is applied.

  193. Uptime by ka9dgx · · Score: 4, Interesting
    I remember the last big M$ push when they were saying how great their Uptime was. 99.9999%?

    If I have to reboot my servers every time a major bug hits (3 times/year) for 5 minutes, that's bad enough. (99.9971% availability) If I have to reboot the servers every week, now we're down to 99.95% uptime.

    This, of course, doesn't count downtime or technical support issues caused by workstations missing their server connections, or the patches that didn't happen in time, or any of the various other factors that help kill capitalism, and endanger our National Security.

    --Mike--

    1. Re:Uptime by Anonymous Coward · · Score: 0

      It doesn't take 5 minutes to reboot. 3 times/year for one minute each time (30 seconds to reboot, 30 seconds to start up whatever service you're running) is 99.9994%, which isn't nearly what they promised, but at least it's within an order of magnitude.

  194. Re:People are lazy? People are stupid? Good heaven by ath3na · · Score: 1

    I like the car metaphor for computers...I think it is common knowledge that the oil needs to be changed +/- 3000 miles.

    Is the idea of regular computer maintenance only for the tech-savvy? Perhaps not. Changing the perceptions of new/novice computer users can change - whether this is from the friend that builds you a PC to the salesperson at the store.

    Perhaps vendors need to distribute a "Maintenance Checklist". There are certain things that one must do to their computer on a semi-regular basis. Whether it be cleaning the pet hair from fan intakes or applying virus defs and patches.

    I really believe in personal accountability. If you purchase a car, you're responsible for the oil, tires etc....a computer is not the same as a toaster. It's a complex piece of equipment. It needs to be treated as such.

    My $0.02

    -carolyn

  195. Updatus of Borg by Anonymous Coward · · Score: 0

    You will be assimilated. Resistance is futile!

  196. fsf compromise and proven problems. by twitter · · Score: 1
    How is this bug more of a bummer than how gnuftp was compromised and potentially more damaging? Oh, don't hear people moaning about that on here now do you...?

    The record continues to speak for itself. Free software runs without being rooted, Microsoft continues to be an impossible mess. I have full confidence that the diversity, the ease of updating and sound security models of free software will continue and the situation will remain unchanged. That leaves little to moan about.

    I don't know why I feed trolls like you. There's just something about a stupid lie that makes me cry out.

    --

    Friends don't help friends install M$ junk.

  197. OT - is some email worm blasting away ? by Anonymous Coward · · Score: 0

    I'm getting bounce messages with attached .pif viruses coming in at an alarming rate. They are all hitting me because the original sender forged my address as the reply to, and then various mail daemons are bouncing them back at me.

    New, or normal internet shit that just hasn't happened to me yet ?

    They are bouncing to a freeshell.org account, by the way, and I have noticed that pop.freeshell.org is occasionally unresponsive this morning.

  198. No easy solution by StRex · · Score: 1

    Agreed. The cry seems to be, "Patch our machines quickly, but not too quickly." We can talk on and on about Microsoft writing unstable software and make some pretty good arguments. However, the real problem is that it's a complex system that's designed to look easy. It only stands to reason that a complex system will have more vulnerabilities. (Again, in no way trying to defend Microsoft.)

    So, we cry when Microsoft "allows" machines to not get patched. But can I really yell at my mom about this? She & Dad were under the impression this was easy! So now they need to learn a bunch of stuff about the technology--bzz, wrong answer.

    Then we can cry when Microsoft makes the scary proposition of auto-updating machines. The fact is, these are tough choices to make, and none of the possibilities are without problems.

    I think the auto-update with an opt-out is the best way to go. MS, for all its faults, I think has a decent track record on patches. I've never had an issue, nor known anyone who's had a patch break their machine.

  199. Alerts would help by Vincman · · Score: 1

    I don't have a problem with an integrated update, as long as it alerts me, instead of downloading updates straightaway. Getting a message like "There's an update available, which fixes important security flaws" would definitely get my attention and get me to check for that update.

  200. Funny. by pclminion · · Score: 2, Insightful
    1) People whine that MS security is "teh suck"
    2) People whine that users are too lazy/stupid to install the patches
    3) People whine about automatic patch installation

    Well geez people, it looks like you're going to have to quit whining about at least one of these three things, because they aren't all compatible. If we admit that users are too ignorant/lazy/stupid to install patches, then we have no right to complain about MS wanting to automatically update things, because everyone is complaining that their security is terrible. It isn't fair to put people into an impossible situation like that, then blame them for it.

    Like my ex-NASA boss likes to say: "Faster, better, cheaper. You can pick two."

    1. Re:Funny. by cecom · · Score: 2, Insightful

      The problem with Microsoft's updates, and one that usually forces me to delay installing the patch for a while, is the need to reboot. While I would accept automatic installation of critical patches, automatic reboots are out of the question .. :-)

    2. Re:Funny. by Cyno · · Score: 1

      There's another option. Let them continue using their insecure systems. Then us sys admins can patch them every time they break. This equates to more jobs and is good for the economy.

    3. Re:Funny. by Overly+Critical+Guy · · Score: 1

      It doesn't matter if it's fair. You forgot about the fourth factor involved here--anti-Microsoft bias. There's an undercurrent of it that flows through this entire site. Being fair isn't a consideration here. That's why articles like this get posted. Really, is this important news? Automatic Updates, which you can turn off? It was only posted to the front page to generate more W32.Blaster discussion and Microsoft bashing. Meanwhile, GNU was hacked.

      --
      "Sufferin' succotash."
    4. Re:Funny. by CoyoteGuy · · Score: 1

      1) People whine that MS security is "teh suck"
      2) People whine that users are too lazy/stupid to install the patches
      3) People whine about automatic patch installation
      Well geez people, it looks like you're going to have to quit whining about at least one of these three things, because they aren't all compatible. If we admit that users are too ignorant/lazy/stupid to install patches, then we have no right to complain about MS wanting to automatically update things, because everyone is complaining that their security is terrible. It isn't fair to put people into an impossible situation like that, then blame them for it.


      Well, for some of us that can't take chances on others' quick fixes, we have to test patches in a test environment before we can even let the patch onto our production network. Geez.. You think it's as simple as click, oh! patch installed, have a nice day... We have to test the patches for bugs before they can touch any of our mission critical machines... Now imagine the amount of patches Microsoft pumps out... You do the math on man hours involved.

      --
      Slashdot.. Land of nerds, trolls, and FlameBait..
  201. Just the usual Slashdot anti-MS FUD (probably) by fzammett · · Score: 1

    The article pretty clearly states that the idea is that the updates will be downloaded and installed automatically, UNLESS THE USER SPECIFICALLY REFUSES TO ACCEPT THEM.

    So, in typical Slashdot form, the headline makes it sound much more ominous than it likely will be.

    They will simply turn on by default the downloading and installing of patches, WHICH CAN BE DONE ON TODAY'S WINDOWS SYSTEMS. They are just changing the default setting, and I think most of us would say this is a good idea, given all the security problems we see day in and day out that result almost entirely because people don't patch their systems, home users and admins alike!

    As long as you can disable the feature, there is no real privacy concern here. Yes, it should be stated clearly what is going on and that you can choose to disable it, but even if it's not, it's not that big a deal.

    If they DON'T do this, then they get killed for having a flawed OS. And my grandmother shouldn't have to know about patching her system, right? But if they do this, then they are big brother trying to take over the world.

    Show me the position they can take that is good for them AND us. And don't trot out the "they should just build better software" argument. Yes, they should. Now please rejoin the regularly scheduled program called REALITY, because it's not going to happen.

    Back to semi-lucidity...

    Now, if I *CAN'T* turn this proposed feature off, I'll jump to Linux full-time faster than anyone, believe me. But I don't think this will be the case at all, and the article states that I am right, so let's not overblow this, at least until we KNOW it's a problem.

    --
    If a pion (n-) collides with a proton in the woods & noone is there to hear it, does lamdba decay into the source pa
    1. Re:Just the usual Slashdot anti-MS FUD (probably) by Anonymous Coward · · Score: 0

      You must be new here.

  202. all new insecurities by Adler · · Score: 1

    how long until someone writes some worm that will pose as an automatic update and everyone using this method of updating gets infected that way? at some point you just stop supporting the stupid and the ignorant.

    --

    Everybody denies I am a genius--but nobody ever called me one!

  203. And you didnt see this coming? by nurb432 · · Score: 1

    They will use the 'terrorist' umbrella to do what they want.

    Next it's 'automatic scanning' and 'automatic deletion', to protect us..

    Hey, it's working for everyone else on the planet. You can almost get away with murder if it's under the guise of 'homeland security'...

    --
    ---- Booth was a patriot ----
  204. Source? by siskbc · · Score: 1
    With a little more creative work you'd think they could find a more efficient way to insert the new code.

    Well, source is a lot smaller than binaries. Huh? Oh. ;)

    --

    -Looking for a job as a materials chemist or multivariat

    1. Re:Source? by Bert64 · · Score: 1

      But then you'd still need to download a compiler, since Windows doesn't come with a compiler by default.
      I miss the good old days when every computer came with a BASIC interpreter and actually encouraged you to learn about it; Windows seems to go out of its way to keep the users as clueless as possible.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    2. Re:Source? by siskbc · · Score: 1
      But then you'd still need to download a compiler, since Windows doesn't come with a compiler by default. I miss the good old days when every computer came with a BASIC interpreter and actually encouraged you to learn about it; Windows seems to go out of its way to keep the users as clueless as possible.

      I was kidding. You'll see MS give away source when you see Charlton Heston give up his guns.

      --

      -Looking for a job as a materials chemist or multivariat

  205. Automatic Problems by LivingSacrifice · · Score: 1

    Anybody else nervous about this because of all the problems they have had with MS updates? We have had clients whose machines had the OS totally borked after an update was applied. We won't apply any MS patch or service pack until it has been tested really thoroughly first.
    Granted it can create problems like the Slammer worm getting loose, BUT we didn't have a single instance of that happening, due to stringent antivirus rules.

    Just my two cents worth.

  206. New keyboards by pommiekiwifruit · · Score: 1

    Now that the (UK keyboard) shift keys are eaten away by a backslash and a euro, and the space bar has two ctrls, three windows keys and two alt keys alongside it, how long before it ends up being the size of the ZX Spectrum's space key?

  207. Viral Conclusion... by MisterMook · · Score: 1

    Of course if Microsoft opens its own backdoor to everyone's system then eventually someone will write a virus that spoofs itself as a Microsoft Update and tries to 'help out' everyone.

  208. 'expert mode' by petwalrus · · Score: 1
    I think it would be an excellent idea if the OS [Linux or Windows] asked the user what mode they want their OS in.

    Beginner mode: take care of everything for me. I just want my e-mail and yahoo.com. Things like 'hide protected OS files' are enabled.

    Normal mode: current state of OSs. Some automation, and some of those stupid 'protections' that we all immediately disable would not be put in place to start with.

    Expert mode: no automation of anything. Think of this as slackware style windows. You have to configure a bunch of really technical details by hand, but since you know what you are doing you can take advantage of this and configure the system exactly the way you want.

  209. sp4 makes net fail on omnibook 6000 laptop by bwhalen · · Score: 1

    Due to the above, I'd pass on auto update, but I also run windows update regularly, I'm sure many users do not.

    --
    Where do you want to be, What are you doing to get there.
  210. Woohoo! Yet another way to spread virus code! by linuxelf · · Score: 1

    So, how long will it be before the method by which Microsoft intends to push these patches on the unsuspecting masses gets reverse engineered? Then, Mr. Hacker just writes MS Blaster 2.0, and sends it out as if it was a patch.

    --
    - "That's just the kind of fuzzy-headed liberal thinking that leads to being eaten."
  211. Actually the real problem... by sterno · · Score: 2, Informative

    Even if the automation was forced, the problem is that the majority of internet users still use dial-up. They are at a lower risk for infection, but they are still at risk (trust me, my father-in-law got hit by it). The problem with dial-up users is that they don't want to spend literally hours downloading patches, so they don't patch their system.

    What would be nice is if Microsoft provided a CD subscription for their patches for cheap.

    --
    This sig has been temporarily disconnected or is no longer in service
    1. Re:Actually the real problem... by AstroDrabb · · Score: 1
      What would be nice is if Microsoft provided a CD subscription for their patches for cheap.
      So charge people an arm and a leg for a crappy product, use those people as your QA process and THEN charge them again to fix the problems with the crappy product? This scenario only sounds like it would benefit MS.
      --
      If Tyranny and Oppression come to this land,
      it will be in the guise of fighting a foreign enemy. -James Madison
    2. Re:Actually the real problem... by riscthis · · Score: 1
      Even if the automation was forced, the problem is that the majority of internet users still use dial-up. They are at a lower risk for infection, but they are still at risk (trust me, my father-in-law got hit by it). The problem with dial-up users is that they don't want to spend literally hours downloading patches, so they don't patch their system.

      The patch could be downloaded using latent bandwidth of the connection whenever it was available -- indeed I believe that's the way it works at the moment.

      It doesn't all have to be downloaded at once, or max out the connection in the process. Even if it takes a couple of weeks for a big patch to finally get downloaded in the background, it's better than nothing...

  212. Re:Ah Samrt Linux Users Rebuke YOu by Anonymous Coward · · Score: 2, Insightful

    Well, considering the quality of your post, I'm not sure many people will rush to try out your head-ass removal services. However, you are completely wrong about Linux. The first time my grandmother says, "I tried to install this piece of software, and it says I don't have privileges", and I reply with, "Just type su and enter the root password"...she's going to think, "Why don't I just run as root all the time?" Problem solved, and Linux is once again shown to be as secure as any other OS. Forget removing the network cable, you wanna secure your system? Remove the user.

  213. all or nothing by Anonymous Coward · · Score: 0

    This may or may not be evil on its own, but why use the same model for everything? Can Microsoft not figure out how to package their junk? Let 'em sell a version that is mandatory update, with the licence to go along with it. For the tech-savvy or "ownership" type of person, sell a version that you buy and maintain yourself.
    When it comes to cars, we can rent, buy, lease, etc. Why not the OS of our computer?

    Actually, I know the answer: Microsoft is not interested in fitting into the customer's needs. They have the goal of controlling the OS from the get go, they are just trying to push how fast they get there. Any other goal is kinda left behind...

  214. What about the patches that screw up your machine? by mkraft · · Score: 1

    Q818043 - Caused many computers to lose their internet connection.
    Q811493 - Caused severe slow down on many computers.

    I don't think I'd want patches that completely screw up my system automatically installed.

  215. Beating Windows File Protection by Nurgled · · Score: 2, Informative

    The problems you had deleting Outlook Express are no doubt caused by Windows File Protection. In order to beat it, simply delete the copies of the files you wish to delete from the directory C:\Windows\System32\dllcache (or similar, depending on where you installed Windows).

    Once the relevant files (such as msimn.exe) are not present in dllcache, you can delete the versions of them in the main program directory. Windows will, at this point, moan that it failed to restore the files and ask for the CD to restore them, but you have the opportunity to decline, and Windows will never bother you about those files again.

    I don't advise that you delete the entire contents of dllcache, though, no matter how elite you think you are. Windows File Protection is good for protecting against apps which overwrite the installed libraries in the Windows directory which can render your Windows 2000 installation unbootable in some cases.

    1. Re:Beating Windows File Protection by crazyphilman · · Score: 1

      Thanks for the tip! All I want to kill off is Outlook Express... It makes my system feel unclean. ;)

      --
      Farewell! It's been a fine buncha years!
    2. Re:Beating Windows File Protection by Anonymous Coward · · Score: 0

      This brings up the serious question of why crap like Pinball and FreeCell are in the dll cache?

      I initially tried to delete Pinball and got in my logs "Pinball.exe has been restored to maintain system stability". There certainly doesn't seem to be a lot of logic behind what is put in there.

    3. Re:Beating Windows File Protection by Nurgled · · Score: 1

      It contains essentially every executable and library which comes with Windows. Sadly, this includes the pinball game, Solitaire, Paint etc.

      If you decline to install the games during the install process it will not put them there in the first place, though.

  216. No Ramming! Options are Okay. by crashnbur · · Score: 1
    For people who know nothing about computers (is that possible anymore?), maybe an option for this automatic update would be good. But we already have that now with the Windows Critical Update Notification application. To force updates down our throats would piss several of us off, especially when some of those updates actually hinder the performance of a system.

    For instance, a couple years ago, on two different computers, I had installed a few Windows updates, and my F6 hotkey to highlight the location bar in Explorer stopped working. Now, some of you might not care about this, but I *hate* using the mouse unless I really need to, and I try to live my life on computers with hotkeys whenever possible. When one stops working following a regularly scheduled update, I get pissed. (In other news, I'd like help with that if anyone knows how to cure it!)

    Err... I meant to say that an option is fine, but don't ram it down my throat. I like to be aware of updates as they occur, and I like to be the one that gives the final approval of any software that is installed/updated onto my system.

  217. Have you ever installed RedHat? by BoomerSooner · · Score: 2, Insightful

    If you skip setting up standard users (which most grandmas would do) you can ONLY log in as root. Same goes for every distro I've used (Slackware, Debian, Redhat, Suse, etc...)

    It's not an attack on linux it's a fact of who is using the system and who is setting it up? IF it's the same person they are significantly more likely to use ROOT. This is the reason Linux has almost zero likelihood of being successful on the Desktop, it requires conceptual understanding of security and the how and why you should(n't) run as root. Grandma doesn't care.

    Plus, most users of computers learnt the Windows-Way. All Admin, All the time.

    If we could just get rid of the hackers there would be no security issues. BURN THEM AT THE STAKE!!! lol, j/k ;)

    1. Re:Have you ever installed RedHat? by Anonymous Coward · · Score: 0

      "If we could just get rid of the hackers there would be no security issues. "

      If we could get rid of all that is bad in the world there would be no problems of any sort.
      (Begin chorus of "I'd Like to buy the World a Coke")
      That's about as silly as saying a person that doesn't lock his house bears no liability if he is robbed. I know that (at least) some states actually have laws on the book stating it's illegal to leave your car unlocked with the keys in it.

      I wonder why that is?

      It may not be a user's fault that modern software is about as secure as handcuffs made of angel-hair pasta, and it may not be their fault if they just don't understand how computer security works.
      However, I challenge anyone to find an example (real world) of a person who does not have the means to secure their own PC enough to not be a menace to their subnet. Even old, non-techie, grandparents have children/grandchildren that can set up a personal firewall and automatically updating virus scanner.

      It's not a person's fault there are bad things in the world, but it is a person's fault if they ignore the fact that there are bad things in the world.

    2. Re:Have you ever installed RedHat? by Hes+Nikke · · Score: 1

      If you skip setting up standard users (which most grandmas would do) you can ONLY log in as root. Same goes for every distro I've used (Slackware, Debian, Redhat, Suse, etc...)
      while Mac OS X, isn't a linux distro, it is a bunch of preparatory stuff on top of BSD, and it forces you to create an admin account before you can use it for the 1st time. (think of it as a sane root - it asks for passwords every time you try to do anything rootlike and then sudo's the command) It then disables the standard root account that you can later enable if you wish.

      It's not an attack on linux it's a fact of who is using the system and who is setting it up? IF it's the same person they are significantly more likely to use ROOT. This is the reason Linux has almost zero likelihood of being successful on the Desktop, it requires conceptual understanding of security and the how and why you should(n't) run as root. Grandma doesn't care.
      some distro should do it the Mac OS X way, no root, just access to sudo.

      Plus, most users of computers learnt the Windows-Way. All Admin, All the time.
      mac users seem to be adapting pretty well. that isn't to say that some aren't, but a lot are.

      If we could just get rid of the hackers there would be no security issues. BURN THEM AT THE STAKE!!! lol, j/k ;)
      riiiiiiigggghhhhtttt....

      --
      Don't call me back. Give me a call back. Bye. So yeah. But bye our, well, but alright we are on a shirt this chill.
    3. Re:Have you ever installed RedHat? by Com2Kid · · Score: 1
      • Plus, most users of computers learnt the Windows-Way. All Admin, All the time.


      And this is bad why now?

      I happen to LIKE being able to click on a link on a website, hit open, run, close, and be done with it. Installing applications is a cinch. I bought broadband for a reason, it gets things done!

      Ah, then again, I also know what I am doing and have proper security setup around my box, boxes I setup for others I install whatever apps they want and leave it be. :)

      Actually on Windows a person doesn't need Admin to install and run 3rd party applications, but, err, heh. Well any box that can run misc programs from the internet can also have its Admin PW taken away rather quickly. ^_^
  218. Get ISPs involved!!!!!! by mabhatter654 · · Score: 1
    Why hasn't MS gotten the ISPs involved with patching and preventing viruses?

    Part of the problem is that they want to sell a big fat Win2k3 server to everyone so they can "maintenance" their PCs [nevermind just fixing the problems]. They need to put all their patches in the same place/structure for all the products. Then create a tool runnable by any Windows box that can act like a mini-update for the PCs on your network. The patch lists should be pushed to the ISPs and users so that everyone can be aware of them...not stashed on some obscure part of the site. Also, the update notification should be in generic email, useable by anyone [not just Windows PCs] i.e. my ISP running BSD should be able to mirror the patches.

    The net result would be that ISPs with "first contact" to the network could then firewall you off until you patch the approved updates. It's a bit harsh, but would be greatly effective. Also, ISP bandwidth would be saved by mirroring the patches "off the internet" rather than all that traffic going thru to MS...[they wouldn't have to meter for it]

    Of course this will never happen in such a neat and clean manner because MS wants control..and if you won't give it up they want you to suffer the consequences. It's not about stuff just working...or this would have been done a long time ago!

  219. Windows Update too prone to problems by Experiment+626 · · Score: 1
    Microsoft's automatic update mechanism can provide a false sense of security. Case in point, my mother is your typical home user who uses her Vaio to send email and access the Web, but doesn't know much about patches or security or any of that, so I turned on XP's "download updates automatically" option for her computer.

    Last week, I get a call that her computer had been infected by the virus. I removed it, set up XP's firewall feature, and all that, but one interesting thing I saw is that the logs showed that no new patches had downloaded in a couple months.

    I went to Windows Update to get the patches manually, and see that something has gone awry and things are broken. You can pick your patches, agree to the EULA, start the download, but then the download abruptly cuts off and patches are all flagged as "failed". No, the computer isn't out of disk space or anything... I actually couldn't figure out what was wrong. If anyone has any ideas please post a reply.

    But, back to my main point. When you apply patches manually, you can immediately see that for this particular PC, something in the update process is broken, but leaving things to automatic update, the only cue is that it's been a couple months since the "new updates are ready to install" dialog popped up.

    For an even more automated update system to be at all a good thing, it would definitely have to be not only nice and easy when things go right (which Windows Update is) but able to handle it when a PC is at all screwy... as another example, I had temporarily bumped the PC's clock back a year to keep the virus dormant while getting rid of it, and noticed that if your PC's clock is off by more than 100 days, Windows Update breaks and displays cryptic hexadecimal errors. Not even a message remotely useful for identifying the problem.

    In short, I think with something that can mysteriously stop working as easily as Windows Update, removing human verification from the loop is just asking for trouble.

  220. If your networking... by BobBoring · · Score: 1

    was still disabled how could you download the new patch to fix the issue? Many home users ran into this Catch-22 of needing a network interface to get the patch but couldn't because the previous one broke the interface. You remembered System Restore. You were lucky.

    What happens when this kind of problem occurs auto-magically installing a patch without notification to the user?

  221. AH HAH! Conspiracy! by zapp · · Score: 1

    Now I get it! Microsoft has been intentionally leaving all these vulnerabilities so people get frustrated to the point where we ("we" the public) WANT them to have complete control of what's on our computer.

    --
    no comment
  222. What else should they do? by prozac79 · · Score: 3, Interesting
    Let's look at the series of events here:
    1. Microsoft releases a patch a month before a virus hits.
    2. People do not install the patch.
    3. The virus hits affecting thousands of machines.
    4. Microsoft comes under heavy criticism.
    5. Seeing that a lot of people won't install patches manually, they look into automatic updates so that they can avoid wide-spread virus infections in the future.

    Seems like MS is in a catch 22. People will criticize them for having manual patches available or for automatic updates. It seems like they would have to create the world's first flawless OS for everyone to be happy.

    All OS's require security patches at some time or another. It just so happens that Windows has such a large customer base that their viri have a wide-spread effect while viri for another OS might not be as major. So I ask, what can MS do realistically to announce and distribute security patches?

    --
    "Oh dear, she's stuck in an infinite loop and he's an idiot" -Prof. Farnsworth (Futurama)
    1. Re:What else should they do? by RevSmiley · · Score: 1

      The problem you seem to miss is the fact that Microsoft has a very patchy (excuse the pun) record in the quality of patches and doing things in patches that the end user must then correct.

      This is no good period.

      --
      As you can see I don't care about my karma.
  223. I have just enabled all auto-updates. by rixster · · Score: 1

    and everything seems to be



    --
    Two wrongs may not make a right, but three ....
  224. conspiracy theory... by kfuq · · Score: 1

    i wonder what else would happen with the "automatic update"...


    **AA ?

    --
    iF yOu WAnT to C YOUr iP agaIn gAThEr tWO MilLIon dOLLArS IN Non - cONsEcuTivE TweNtY's AnD AWaiT FuRThER iNstrUctIoN
  225. Wonderful by isorox · · Score: 1

    A few days ago I was very confused, a guy came in to our internet cafe, downloaded the blaster patch, and saved it on a floppy. I asked him about it, and he told me he had a laptop, and a 9,600GSM connection. 1 kilobyte per second, it's great! He tried downloading the patch a couple of times, but it took way too long.

    He'd have to be online 24/7 if he was forced to download every update, and he still wouldn't have the bandwidth!

  226. Get a better test. by autechre · · Score: 1

    I don't think that the fact that some people who have passed the driver's test can't really drive is an invalidation of the concept of testing. I just think we need a more thorough test.

    My father (who repaired county police vehicles at the time, and repairs state vehicles now) set up traffic cones and made me weave through them. I had to practice skidding on an empty, icy parking lot (and braking from 60mph on a non-icy lot) to see what would happen and prepare myself. I learned in a 1971 Plymouth Valiant with a 3-speed manual transmission and no power brakes.

    After passing the current driving test, you are allowed to drive on the road. So take them through the above additions (maybe not the Valiant :), and take the test further: out on the road. Go through twisty backwoods roads. Merge onto a major highway, change a few lanes. Go through one of those freakish 5-way intersections with one direction of one road split by concrete medians into 3 segments, two of which turn left (in different ways) and one of which goes on only to be further split by highway entrances on both sides of the road, right after the traffic light.

    --
    WMBC freeform/independent online radio.
  227. Wait I thought windows HAD autoupdate??? by falcon5768 · · Score: 1

    I'm confused, I was under the impression Windows always had auto updating, just no one ever used it??? Eh, it's a great thing anyway, I use it all the time in OS X, it's nice 'cause you still have to select the software (if it's not a system dependent thing like iMovie) and type in your password to allow it to install. It will download it without the password, but in order to install it you must put the admin password in.

    --

    "Slashdot, where telling the truth is overrated but lying is insightful."

  228. hmm by simontek2 · · Score: 0

    What stops a coder from writing Virii that just goes into the Autoupdate? then everyone will be infected?

    --
    SimonTek
  229. It already does that? by x00101010x · · Score: 2, Informative

    Uhm... last I checked, there's an option to do that already. I think it defaults to download automatically and then an icon in the taskbar lets you know they're ready to install and with 3 clicks you're installing them and getting ready to reboot 3 times. Maybe they're talking about making it default or forced... maybe I should RTFA...

    --
    DONT PANIC
  230. Great! by bill_mcgonigle · · Score: 1

    I don't think I should be forced into high-speed access just so I can update my Windows partition periodically.

    I'm all for it. I think the Department of Homeland Security should realize what a risk having all these unpatched Windows computers is and urge Congress to pass a Rural Broadband Act, like they passed the Rural Electrification Act in the 30's.

    Then I might actually be able to get a DSL line, which I can't now even though I'm a mile from a FOX (Verizon doesn't want to spend money to put a DSLAM in my FOX, IIRC).

    Hey, Tom Ridge: we won't be safe from the terrorists until I can get something better than 26.4k at my house.

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  231. Asimov! by tommck · · Score: 1

    Sounds like the way the Foundationers were hidden in the Foundation series at one point. They made a religion out of it, and controlled all the advanced technology that way.

    Pretty cool.

    I like it. Let's start a religion! It'll be tax deductible too! Cha-ching!

    --
    ---- It puts the lotion on its skin or else it gets the hose again. It does this whenever it's told.
    1. Re:Asimov! by EvilTwinSkippy · · Score: 1
      In the beginning the world was Null.

      Then the architect said, let there be on. He separated the on from the off state, calling the on 1 and the off zero. He flipped one and zero, and declared the first clock cycle.

      In the next clock cycle, the architect created the concept of fluid and static. The fluid was imparted with the forces of change, and the static those of structure and order. This was the end of the second clock cycle.

      The Architect then executed programs in the Universe. The programs ran in their own space, generating and modifying data. This was the end of the fourth day.

      The Architect then grouped programs into application and kernel routines. He introduced inheritance and object reuse. This was the end of the fifth cycle.

      Finally the Architect devised the User. He imparted into the user to oversee the operation of his software and data. To organize, input, and output information. This was the end of the sixth cycle.

      Having created the Universe, he sat back in bemusement and watched the ensuing chaos. This was the end of the seventh cycle.

      --
      "Learning is not compulsory... neither is survival."
      --Dr.W.Edwards Deming
    2. Re:Asimov! by Hes+Nikke · · Score: 1

      reminds me of ReBoot

      *warning! incoming game!*

      --
      Don't call me back. Give me a call back. Bye. So yeah. But bye our, well, but alright we are on a shirt this chill.
    3. Re:Asimov! by shamino0 · · Score: 3, Funny
      1. Start a religion
      2. Patch buggy versions of Windows
      3. ???
      4. Prophet!
    4. Re:Asimov! by Anonymous Coward · · Score: 0

      Glory to thee, friend! Best. Joke. Ever.

  232. Whoa! by freeweed · · Score: 1

    You mean in the same manner that someone could have written a worm to take advantage of the RPC vulnerability and install ANYTHING on millions of computers?

    They could call it Blaster, and get all sorts of media attention!

    wow... scary...

    (for the pedants out there, yes, Blaster only seems to have hit a few hundred thousand machines. Blame the worm authors for not being good enough coders)

    --
    Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
  233. Re:This is better than OS X by Graff · · Score: 2, Informative
    You'll note that it's emulating only the X11 libraries, really even only the X11 server itself.

    Just a note. Apple's X11 server on MacOS X is not an emulator at all. It is a window server application, just like the ones you would have on Linux, Windows, BSD, or whatever. It is still in beta (not alpha as an earlier poster tries to say) but it works pretty much perfectly and is just as quick as other X11 window servers out there. Apple plans on releasing the completed version with MacOS X 10.3, Panther, and it will be a free download.

    Take a look at Apple's X11 site for more information.
  234. i'm reminded of a scene in star wars 4 by LifesABeach · · Score: 0

    it goes something like this:

    "...The more you tighten your grip, ..., the more ... systems will slip through your fingers..." -- Princess Leia

    i see a day coming when the gate-ster bill will not only bend over to pick up a thousand dollar bill; he'll be very, very grateful. mu-hu-hu-hu-ha-ha-ha-ha-ha-ha.

  235. Hmmm, this is not good.... by EmagGeek · · Score: 1

    I guess the next time a recall is issued for my car, they'll just come and tow it away to be fixed regardless of where I am or what I'm doing..

    Maybe the cops will pull me over and force me to take my car in to be fixed right there on the spot...

    Maybe the government will start forcing me to do things "for my own good" because they know what's good for me better than I do...

    Where the fsck does this look like we're going?

    The first time M$ tries to connect to my computer, I'm going to consider it CyberTerrorism(TM) and press charges...

  236. Mandatory Security Updates by TechStuff.ca · · Score: 3, Interesting
    The current "Automatic Updates" system in Windows XP downloads automatically, but requires the user's permission to install the updates. Many users simply ignore the nag messages and never update their system. (Apple's "Software Update" system has a similar design: users are notified of new updates, which they can accept or reject.)

    If the software update is a new version of Windows Messenger or iTunes, users should be able to say no. But what if the update prevents your computer from attacking other machines? Maybe your right to ignore software updates ends when your PC attacks my network!

    At some point, we're going to have to make security updates mandatory. They would be downloaded and installed automatically, whether the user wants them or not.

    The user might be able to say, "Not right now," but should not be permitted to reject security updates altogether. After a reasonable period of time, the system could be programmed to prevent all network access except to get the security update.

    I'm not entirely comfortable with this idea, but I suspect that's where we're headed. I have no doubt that Microsoft will introduce something like this in the next XP service pack (or sooner).

    Here's what's needed to make such a system succeed:
    1. Version 3.0 Quality
      Most users and sysadmins have been burned at least once by beta-quality patches that do more harm than good. Every "Security Update" should be thoroughly tested before it's released. If a crisis makes a quick-and-dirty security fix necessary, a high quality fix should follow ASAP.
    2. No Tricks!
      Any mandatory update system will fail if the updates are perceived to be unnecessary, unreliable or self-serving for the OS vendor.
      In the past, Microsoft has used the Windows Update system to force unwanted Microsoft software on users. (If I remember correctly, IE6 was released as a "Critical Update" to IE5.) No more.
      Also, system updates must be kept separate from application updates. (i.e. Disabled versions of Messenger should not mysteriously reappear after a system update.)
    3. Updates For All
      If one machine is insecure, we're all insecure. If Microsoft adds a security update system to Windows XP (or introduces this as a feature in "Longhorn"), a compatible system must be made available for older systems, including (at least) Windows 2000, Win98 and WinMe.
    4. CD Distribution
      Although software downloads are relatively cheap and convenient for the OS vendor and for high-speed Internet users, dial-up users should be able to get the latest software updates on CD promptly, for a nominal fee.
    I don't have much confidence in Microsoft's ability or desire to make a system that works this way, but I think that's what is needed.

    Maybe there's a viable alternative to mandatory security updates, but I don't see one. Clearly, the current system doesn't work, and it's costing us all time and money.
  237. Agree to new EULA by Anonymous Coward · · Score: 1, Insightful

    As it works now when you click OK to install the update you agree to a new EULA. If they change the update to work automatically without the OK button would you still be agreeing to the new EULA? I don't think they could do that without asking you, because if they could do that they would be doing it now.

  238. No Thanks! Patch MS03-026 hosed all my work! by MrCaseyB · · Score: 2, Informative

    I work for a post production company, recently was in the final week of a 3month long project; A full 30sec CG commercial for Clorox. So it's the final days before deadline and I'm working 100+ hr week, the worm is about to hit and I download the latest security patches, all is well...or so I thought. In my half-awake, overworked not quite alert fashion, I agreed to let windows update do its thing, a decision I now regret. It installs the latest patches including the one for RPC, and I continue with my work. I work through the weekend in "3d Studio Max" made by "Discreet" Saving my work diligently as I go. On Monday the other folks in the office come in and alert me to a minor problem that every time they try to click on one of my .max files in explorer, explorer.exe crashes. Just hovering over the damn thing causes a crash ( explorer in detail view, without the web features on) I checked the files myself and they all seem to work fine, but nobody else can open or render them. I check google, I check Discreet's support forums...nothing. Then I remember that Windows Update ran over the weekend and 2 patches were installed, the DirectX patch and the RPC patch. Because 3dsmax utilizes directx or opengl for viewport rendering, I started there. Interestingly, there is no easy way to remove that patch, there is no listing for it in add/remove, I found an entry for it in the registry and called MS security dept to help me remove it, they had no fuckin clue. I tried my best and all my .max scene files were still coming up corrupt. So then I switched gears and tried removing MS03-026. BINGO. This little shit had caused every .max scene file I created over the weekend to be totally corrupt. I lost about 36hrs of work at a time where I couldn't spare a minute. Thanks Microsoft and Discreet!

    I posted my story to the discreet support site, a couple days later discreet posted an official response, confirming what I had posted. Some customers were notified via email, many were not. A lot of people got screwed like I did with this bizarre conflict.

    I learned my lesson, don't click on Windows system dialog boxes when you are half asleep and unable to make sound decisions.

  239. Analogy Fixing 101 by phorm · · Score: 1

    Most cars have a security cap or door (opened from inside the car) on their gas tank. Now say, the security cap/door had an issue wherein it was liable to pop off/open, or if it was very simple to pop (5-year-old-with-a-paperclip easy) that would be the defect.

    I think that one of the scariest things is not the lack of security, but the lack of security obfuscated behind a wall of ignorance which mistakenly indicates safety.

  240. The Church of Slashdot by Chakde+Phate! · · Score: 2, Funny

    In the beginning there was the Word. And the Word was a near pointer...and God said Let there be Light! And a light was instantiated...

    Who volunteers to write the book of SCO? *ducks*

  241. Just give MS the world by AstroDrabb · · Score: 1

    I think this is a tough issue because while I don't like MS at all, I do want computing in general to be secure. Now the problem I have is that nasty ole MS likes to slip in additions to their EULA. They know most users don't read it and basically are being unethical IMO. So what happens now when an update is applied without ANY user intervention or knowledge with a new EULA? Will MS say that by not stopping the update or opting out you are agreeing to the new terms? Soon MS will have every MS windows user agreeing to allow them to scan for programs and remove any program that MS wants. Wait.. I think that already happened. I guess the next step will be to have every user "agree" without knowing to allow DRM to be put in their PC's. That would sure make user adoption very easy. I think the ONLY sensible solution is to not have RPC on by default. To not have SMB on by default unless a user chooses to share a folder. They should NOT have users belong to the administrator group by default. That is just brain dead IMO. They should do what Red Hat is doing. If a task requires root (admin) credentials, then prompt for the root(admin) password. Or you can just do what I have done and use Linux exclusively and enjoy a much more "out of the box" secure computing experience.

    --
    If Tyranny and Oppression come to this land,
    it will be in the guise of fighting a foreign enemy. -James Madison
  242. Higher-level apps by phorm · · Score: 1

    I've found that most patches, as they apply to functions/etc used by higher-level apps, tend to break those same apps. MySQL server fragged after being patched, and required a patch-fixing-patch, and I've heard the same for other server-type apps. Drivers can also be an issue, as a driver that misinstalls can fubar a machine nicely so that it requires a full reinstall of the OS.

  243. who is to say... by Anonymous Coward · · Score: 0

    ...that some black project group within Microsoft isn't releasing exploits that would force people to consider, welcome, and approve a service that provides automatic updates and fixes to be applied to all computers?

  244. But it's a very effective vector... by Chakde+Phate! · · Score: 1

    ...far more than current methods of virus transmission. What happens if a bug slips through testing which, say, messes with the TCP/IP stack? Then you have practically every home computer in the world unable to access the Net to get the fix. Or even worse, it could just muck up some kernel function, then the computer would be completely unusable. It will happen sooner or later.

    Another thing: IANANG (network guru) but what would be the effect on international Internet links if, say, every single computer in Europe tries to fetch a 20 MB file at the same time? At least the way things are now the load is distributed!

    1. Re:But it's a very effective vector... by Mryll · · Score: 1

      I would also be dubious of MS implementing well enough to prevent some exploit down the road that will allow hijacking the patch channel.

  245. Press OK first? by Enzo90910 · · Score: 1

    Yes, of course, you can press OK first, if you want. There's no "Cancel" button on this dialog, mind you.

    --
    I don't have much to add.
    1. Re:Press OK first? by grolschie · · Score: 1

      One BIG reason why the Slammer hit so many people, is that MANY people don't trust the updates. Many updates screw other things or change the EULA. I know a heap of people who wait a few months to see the results of update patches before they decide to install them. Making it compulsory is a crock.

      Worst case scenario:
      What happens when the next MS patch cripples your system. MS get in trouble for disabling millions of computers. The computers are too crippled to automatically download the next fix. Need a technician to fix. I want to decide if I want to press OK or not also.

  246. Mod parent up by autechre · · Score: 1

    This is exactly what I was going to say, except that I was going to have to alter the analogy slightly since my car is so old that I forgot about locking gas caps. Older versions of operating system that made it onto the Internet were not designed for security, and originally cars (and doors) didn't have locks, etc. But it's irresponsible to fail to address discovered security problems in new releases.

    Note to crazy people: I am not suggesting that Linux is perfect, nor any existing operating system. OpenBSD comes closest today (in terms of "general purpose" operating systems).

    --
    WMBC freeform/independent online radio.
    1. Re:Mod parent up by Anonymous Coward · · Score: 0

      OpenBSD is pretty far from perfect. Fuck all that ignorant propaganda and fuck all the naive fat ass sheeplike zealots in their OpenBSD t-shirts. OpenBSD has lots that prevent it from being a good general purpose OS. I would say that Linux (any properly configured distro) would be a better all purpose OS than OpenBSD. Hell, FreeBSD would be a better choice for a general purpose OS than OpenBSD. SMP, RAID and plenty of other things suck balls under OpenBSD.

    2. Re:Mod parent up by autechre · · Score: 1

      I may have just been trolled, but I think you misunderstood me. All of the base components of OpenBSD have been thoroughly audited, some multiple times, for security problems. Security issues will arise on BUGTRAQ for software distributed with other Unices (free and non-free), and OpenBSD will have preemptively fixed the bug months ago.

      As for "general-purpose", I meant as opposed to operating systems that were, say, NSA-specific beasts that performed only a few tasks.

      So, I run Debian on my desktop for usability and convenience, but the firewall runs OpenBSD.

      --
      WMBC freeform/independent online radio.
  247. Re:This is better than OS X by JJcoolJ · · Score: 1

    Still, even though XP has bugs..people are still retarded. for the average user who is above the MAC and too complicated for linux, windows isn't going anywhere.

  248. Happened to me. by CracktownHts · · Score: 1

    DirectX 9 totally wasted my install - BSOD on boot. Couldn't even boot in safe mode. I reinstalled and it worked the second time, for some reason.

  249. "Undead" Outlook fix by phorm · · Score: 1

    Somewhere in there replies is a message indicating you can remove outlook from the DLL cache. Another trick to nuking "vampire" apps is to remove the container folder, then make a file in the parent having the same name as the indicated folder. It won't be able to create a folder as long as a file by the same name exists...

    Another really large pain is apps that come bundled. Some of the Norton stuff is like this - I have one package that had a bunch of Utils and then the antivirus. I only wanted the AV, but the utils kept coming back from the dead when I deleted them from the registry etc. Best way to solve that was to start in "safe mode" and rename the folder so that it can't find the files - then nuke registry entries.

    1. Re:"Undead" Outlook fix by crazyphilman · · Score: 1

      Thanks for the ideas! Worth a shot. I like the file idea, I hadn't thought of that one. Thanks!

      --
      Farewell! It's been a fine buncha years!
  250. Re:Innovation by Wehesheit · · Score: 0

    so patch the laptops right away, I doubt those are production machines.

    --
    This P.I.G. will walk on the water, This P.I.G. will walk on the sea, This P.I.G. will walk whereever he wants.
  251. yeah right dream on... by Archfeld · · Score: 1

    Harris Miller, president of the Information Technology Association of America, applauded Microsoft for considering the move. "People are going to have to accept mandatory updates as part of the warranty process, and that's exactly what Microsoft should be doing," Miller said. "You can't just send out a recall notice and hope that people come into the shop and do their maintenance."
    Great Harris,
    #1 anyone with a last name as a first is suspect to begin with,
    #2 "...You can't just send out recall notices..." WHY NOT it works for companies that ACTUALLY have to accept responsibility for their products, like FORD and GM, if those companies who have liability can do it how come M$ can't ??
    #3 Sure I'll accept auto-updates as part of the product warranty, as soon as the M$ accepts financial responsibility for any downtime, damages or the cost of fixing programs that no longer work following an update, like corporate customers are the only ones with that problem.

    --
    errr....umm...*whooosh* *whoosh* Is this thing on ?
  252. Indeed by autechre · · Score: 4, Insightful

    And as my father, a mechanic, will tell you, most people do not check the oil, coolant, power steering fluid, tire pressure, etc. The more careful ones bring in the car if it makes a funny noise long enough. Many people only think about the car when it won't run anymore. Putting gas in the car is pretty much the only thing "end-users" do reliably, and even that doesn't happen often enough sometimes (did you know that it's better for your car to not allow it to get below 1/4 tank, because then junk on the bottom of the fuel tank gets sucked into the engine?)

    The frightening bit is that my mom, a Physician's Assistant, will tell you the same thing about people and their bodies. She gets in all sorts of cases where people have had horrible things wrong with them and haven't bothered to come in for a week, or the guy who drank 3 40-oz. beers a night, and his main concern was wondering why he had to wake up to go to the bathroom so often.

    (as for dishwashers, most of them require you to at least scrape your plate before you put it in, and my father, having cleared out a dishwasher that pretended you didn't have to do that, will tell you that they ALL require this.)

    --
    WMBC freeform/independent online radio.
    1. Re:Indeed by drinkypoo · · Score: 1
      Strictly speaking you should be flushing your gas tank every few years if you really want your car to last forever, to get that crap out of it.

      My girlfriend had nasty pains and was coughing up blood and concealed it from everyone. She ended up with an ulcer and gall stones at the same time.

      Sadly, I know everything I SHOULD be doing to my car and I do almost none of it because it's too much of a pain in the ass. This is how people feel about computers too but everything you need to do to stay updated and safe can be done in a few moments (at least, a few moments of user interaction) so there's really no excuse. Of course, there's always ignorance, but windows actually tries to tell you about automatic updates, how to use them, etc. Hell you can even set them to download and install automatically already, can't you? (I always tell it to just notify me.)

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re:Indeed by Anonymous Coward · · Score: 0

      What a load of crap.

      Maybe your father should have explained to you the concept of FUEL FILTERS.

      Even those that never check consumables should have those replaced at service time. Any car that MUST NOT go below 1/4 tank of fuel is clearly not designed well.

      I'm going now - to have my brain's IDIOT FILTER replaced so I don't reply to anymore stupid off-topic posts.

    3. Re:Indeed by heim913 · · Score: 1
      (did you know that it's better for your car to not allow it to get below 1/4 tank, because then junk on the bottom of the fuel tank gets sucked into the engine?)

      Obviously, you are one of the people who always lets your car run out of gas. Your mechanic father told you this, so he wouldn't have to bring you gas while stranded on the side of the highway in the middle of the night.

      Cars have fuel filters to keep "junk" from getting to the engine. (a screen in the tank, and replaceable filter in the fuel line)

    4. Re:Indeed by autechre · · Score: 1

      Thanks for playing, but in 9 years of driving, I've never run out of gas. But I'll reply to you, since you were slightly less rude than the AC.

      Computer networks have "firewalls" to keep "junk" from getting onto their networks. Water, air, many things are filtered. Are those filters perfect? My car is a generic block (Pontiac 6000) from 1988, and does not make any funny noises or need babying to be reliable. I guess maybe I can't be doing everything wrong.

      --
      WMBC freeform/independent online radio.
  253. Can I at least press 'Ok' first? by Ripat · · Score: 1

    > Yikes! Can I at least press 'Ok' first

    Yes of course. You will be presented with a typical MS dialog saying:

    ---
    Do you wish to continue?
    OK
    ---

    :-)

  254. Good idea by Anonymous Coward · · Score: 0

    The facility to push updates to end users should be included in Windows. It would have to be used carefully though -- not every patch needs to be pushed -- only critical updates or patches for bugs currently being exploited.

    End users are obviously too stupid to keep their systems patched.. something like this has to happen.

  255. Auto-update works for dial-up by JWhitlock · · Score: 2, Informative
    Microsoft are MORONS. The fix for this particular worm required SP2 or greater. That is 8 hours and 10 minutes over dialup.

    Windowsupdate is a god send for people with broadband but MS are going to be required to send CDs in the mail if they want to keep dial-up users up to speed.

    Windows Update has an Automatic Updates feature that downloads updates in the background. It uses a service called Background Intelligent Transfer Service (BITS) to check for updates and download using idle bandwidth. While you are typing Slashdot comments, the connection is idle, and BITS can use this idle time to download updates. It can download part of it, and restart when you reconnect. So, unless your ISP charges you by the bit, you wouldn't notice it. Sure, it will take a while to get the update (weeks?), but you'll eventually get it.

    Dial-up users aren't the weak link in the chain anyway - broadband users with insecure computers are, and are the reason these worms spread so rapidly.

    There is an API for BITS if you are interested in making a self-updating application for Windows:

  256. Old Adage by gregarican · · Score: 1
    Off the subject, but hearing and experiencing increasing frustration with The Evil Empire..

    All of the efforts Micro$loth has made to patch, update, and secure their software is akin to the adage, "You can't polish a turd."

    That's what they have put out, and added layer upon layer to their bloated, pretentious OS and stagnant application suite.

    Back in the day Windoze 3.1 seemed revolutionary. As did the quantum leap to Windoze 95. But past that end users started to see the instability, insecurity, and faults in their product.

    Since then they have put on different window dressing on the same tired products. A future upgrade to Office 2003? Why, since most of the basic necessary business suite of features have been present in the same form since Office 95? What is so new and must-have that some moron is going to shell out hundreds of dollars?

    Bill Gates has never been a technical guru or industry visionary IMO. He just took other people's ideas, reinvented them as warmed over versions, and marketed them more effectively than predecessors.

    MS-DOS versus PC-DOS. Windoze OS versus the Mac OS and UNIX X Windows. Excel versus VisiCalc and Lotus 123. Word versus WordPerfect. The list goes on and on.

    After all of this crap now they want to drill into people's PC's? Yeah right. I'm about ready to take my XBox and set it on fire.

  257. locks by Scrameustache · · Score: 1

    If someone comes along and pours sugar into your gas tank your car won't keep running right. Is that a recallable defect?

    Yes. MY car has a locked gas tank. If its lock was so ineffective that anyone could put anything they damn well pleased in it, it would be a defect.

    If someone sends a particularly malformed request to a process on your machine it won't run right. Is that a recallable defect?
    I'd say no in both cases.


    I guess the equivalent of a lock here would be some way for the machine to not run broken code...er...

    --

    You can't take the sky from me...

    1. Re:locks by Anonymous Coward · · Score: 0

      Actually I'd say that any 5 year old with a good tool built by someone else (crowbar(?)) could open it and put sugar in it - in fact, if these crowbars were just lying around, and 5 year old kids had an environment where they could go anywhere anonymously, you'd see a lot more vandalism.

  258. Have you been reading news articles? by Above · · Score: 1

    I've seen a ton of news articles on the "Anti-Blaster" worm. Virtually all of them quote users to the effect of "It's easier to let my computer be infected by the Anti-Blaster worm and let it deal with the patch than it is to figure out how to patch it myself."

    Most people out there want to treat the computer like an appliance. It just works, they don't have to do anything to it. While I'd like to see less buggy code in the first place, I think an auto-update function is just fine for the vast majority of people. People don't complain (too much) when their DirectTV or Tivo auto updates its software...for those who want the computer to be an appliance this is the same thing.

  259. Re:This is better than OS X by bratmobile · · Score: 1

    Um, excuse me, but since when is the Windows Registry not documented? Have you ever actually opened the Win32 SDK? There's more and better documentation for the Registry than there is for most UNIX apps.

    RTFM before you flame it.

  260. XP killing itself "soft"ly by bertvl · · Score: 1

    Our one and only windows box (XP) was set up for auto updates, and one morning when we got in to work it just sat there with a blue screen hinting at some sort of problem with the graphics driver. We were able to revive the box after some effort, but had to get a vendor driver, since the one XP updated itself with killed the box... That's just completely unacceptable if you'd ever want to consider using windows boxes for any kind of server software you're shipping, since it's a QA nightmare (what does the customer know, except that the server you supplied him with is now broken).

  261. Easy to abuse ... by bizitch · · Score: 1

    How long before a virus is made which will mod the HOSTS file to redirect windowsupdate.com to a pr0n site or whatever ...

    --
    ---- "Logoff! That cookie shit makes me nervous!" - A. Soprano
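
Added example, not part of any comment in this thread: a defensive check for the HOSTS-file redirection raised in comment 261, flagging any static entry that overrides an update hostname. The two watched hostnames are the ones that appear on this page; the sample file contents and all function names are constructed for illustration.

```python
"""Audit a hosts file for static entries that override update hostnames."""
import ipaddress
import os
import sys
from collections import namedtuple

# Hostnames mentioned on this page. Assumption: a real deployment would list
# every update endpoint its clients actually contact.
WATCHED = ("windowsupdate.com", "windowsupdate.microsoft.com")

Finding = namedtuple("Finding", "line address hostname kind")

# Constructed sample input (documentation-range addresses), not a real capture.
SAMPLE_HOSTS = """\
# Constructed sample hosts file
127.0.0.1       localhost
::1             localhost
203.0.113.45    windowsupdate.com www.windowsupdate.com   # static override
0.0.0.0         WindowsUpdate.Microsoft.com.
192.0.2.10      intranet.example
198.51.100.7    notwindowsupdate.com
not-an-ip       windowsupdate.com
"""


def _normalize(name):
    """Hostnames compare case-insensitively; drop a trailing root dot."""
    return name.rstrip(".").lower()


def is_watched(name, watched=WATCHED):
    """True for a watched name or any subdomain of it (label-aligned match)."""
    n = _normalize(name)
    return any(n == w or n.endswith("." + w) for w in watched)


def audit_hosts(text, watched=WATCHED):
    """Return a Finding for every watched hostname given a static mapping.

    Update hostnames are expected to resolve through DNS, so any hosts-file
    entry for them is reported. 'kind' separates the cases an analyst
    handles differently:
      redirected - mapped to a routable address (traffic goes elsewhere)
      blocked    - mapped to loopback/unspecified (updates silently fail)
      malformed  - address field does not parse (still evidence of edits)
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # strip trailing comments
        fields = line.split()
        if len(fields) < 2:
            continue  # blank, comment-only, or no hostname column
        address, names = fields[0], fields[1:]
        hits = [n for n in names if is_watched(n, watched)]
        if not hits:
            continue
        try:
            ip = ipaddress.ip_address(address)
            kind = "blocked" if (ip.is_loopback or ip.is_unspecified) else "redirected"
        except ValueError:
            kind = "malformed"
        for name in hits:
            findings.append(Finding(lineno, address, _normalize(name), kind))
    return findings


def default_hosts_path():
    """Standard hosts-file location for the current platform."""
    if sys.platform.startswith("win"):
        root = os.environ.get("SystemRoot", r"C:\Windows")
        return os.path.join(root, "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"


if __name__ == "__main__":
    # Runs offline against the constructed sample; pass a path to audit a file.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            content = fh.read()
    else:
        content = SAMPLE_HOSTS
    for f in audit_hosts(content):
        print(f"line {f.line}: {f.hostname} -> {f.address} [{f.kind}]")
```

Matching is label-aligned, so `notwindowsupdate.com` in the sample is not flagged while `www.windowsupdate.com` is.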
  262. Read it a bit more carefully by CaptPungent · · Score: 0

    He didn't update the driver. He applied patches. How are you going to use "Roll Back Driver" to undo Windows Updates? I'd like to know that one.

    Now who's the dumbass?

    --
    C Pungent
    1. Re:Read it a bit more carefully by delus10n0 · · Score: 1

      There's always "System Restore", jabroni.

      On top of the fact that he most likely chose to install a NIC driver from WindowsUpdate and that caused his problem; which in that case "Roll Back Driver" would work just as well.

      --
      Not All Who Wander Are Lost
  263. Automatic Update needs to work better by Qzukk · · Score: 1

    If Microsoft is going to force me to use it, it needs to work better. I use it on my XP workstation at work since it's behind a firewall and reasonably secure (nobody here has a laptop they bring in from outside). Yesterday I get to work and it tells me there's a "new" update. It's the DCOM fix (not that it tells you what it is anymore, but I can recognize the issue number now) a month late so I tell it to install. Today I get into work and it tells me there's a "new" update. Guess what it fixes? The same issue. Who wants to bet it will tell me to install the dcom patch again tomorrow?

    This kind of service from an automatic system is inexcusable. If Microsoft can't figure out how to publish updates and "push" them out in a consistent and timely way, then they need better coders before they start requiring us to use this service.

    --
    If I have been able to see further than others, it is because I bought a pair of binoculars.
    1. Re:Automatic Update needs to work better by gregarican · · Score: 1

      Maybe they should use their own SMS product. That is really a quality waste of capital and manhours. BWAHHAHAHAHAHAHAHAHAHAHAHAHA!!!

  264. Let me get this straight by Overly+Critical+Guy · · Score: 1

    So, let's see. You installed an unnamed critical update for Windows 2000. Then the next day, there were more that showed up. Clearly, they depended on that first update (kind of like when you install IE6, and suddenly the service pack for it shows up).

    Then, you go to Windows Update for Windows XP--an entirely different Windows product--and there is a different amount of updates (after you claim there were none, which was probably just because you didn't let it update the Windows Update control when it asks you...the latest is V4).

    In other words, all your little "problems" are perfectly explained away.

    As far as GNU's hack incident, it's an "insider" now? Looks like historical revisionism to me. It gets me how Slashbots throw out small comments like that and start myths in an attempt to throw off criticism.

    --
    "Sufferin' succotash."
  265. More than an innocuous icon by Overly+Critical+Guy · · Score: 1

    It pops up an entire balloon that won't go away until you click it.

    --
    "Sufferin' succotash."
  266. Another hole to exploit? by Anonymous Coward · · Score: 0

    Maybe I'm naive, but won't this just create another hole that can be exploited? If the bad guys figure out how to spoof Microsoft's AutoUpdate server, they can push evil code out to everyone and know that the code will be run automatically without any intervention needed by the user.
    This will also require a known port to always be open on every single system that is set up to allow these updates. What a perfect setup for those who pride themselves in finding flaws in Microsoft products. Exploit the hole and gain access to almost any computer.

    On the other hand, how will Microsoft get past all those DSL firewall appliances that are becoming so prevalent?

  267. Rebooting by krazo · · Score: 1

    The only reason I don't install the updates on time is because I usually have 10 or 15 applications open at work and don't want to spend the time to close them all, install, reboot and reopen them (My computer dies when the hard drive is being used and takes > 5 minutes to reboot because of all the fun conflicts).

    Anyway, I want to know if windows will auto-reboot during these installations. Last time I did windows update I had to reboot three times.

    I'm hoping that it will just magically restart your computer while you are working. Then everyone can say "OMG my computer just restarted and I didn't do anything! I must have a virus."

    And we can all say "Oh no, that's a Microsoft feature. It randomly reboots your computer at inopportune times so you don't get that virus that randomly reboots your computer at inopportune times."

    1. Re:Rebooting by gregarican · · Score: 1
      That reminds me of these Microsoft Business Network guys who installed some beta test apps at my company. These are for some .NET purchase order crap.

      It took them 3 hours just to download and install countless service packs and security updates (although I told them that our private network is shielded from public Internet exploits therefore not all patches were necessary). They were rebooting over and over again and after 3 hours of work it took another 3 just to get the .NET Framework, IIS, and other services to communicate.

      Personally I extract the security updates deemed Critical. Then I repackage them using a freeware packager called Little Setup Builder. The installations are all performed with the silent/no reboot option so they just deploy silently during the network logon scripting. Although the updates won't take effect because of not rebooting, at least tons of business users aren't sitting on their hands while Micro$loth tries to polish their turd!

  268. OT: Please correct your .sig by Anonymous Coward · · Score: 0

    The quote is:

    "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."

    It actually makes a difference.

  269. Re:You can do this already - WU Nvidia driver ? by Mryll · · Score: 1

    It showed up as a critical update for me as well. I started laughing... I take it it's a WHQL version and they're so far behind on those that I probably wouldn't consider using it. Worse yet, there's no bloody information that I could see describing anything about versioning or why they consider the driver update "critical". Take it or leave it.

    Anybody install it? WTF is up with it? Something in a newer Nvidia driver break DX 9.0b? Sheesh...

  270. That's even SLOWER and less reliable by billstewart · · Score: 2, Insightful
    The BITS paper can't find itself to download the proprietary-format document, but the abstract says that it'll soak up unused bandwidth at low priority. That means that the 100MB hotfix pretends that it won't dog down my dialup connection, but it also will take 40,000 seconds instead of 20,000 seconds to download. If I'm a dialup user, I'm not connected that long (especially because I'm usually a DSL user, so when I'm on dialup, I'm probably in a hotel or airport where I *really* don't want to stay on long.) So it'll take a few days before I've clocked enough dialup time, and by then there's another major security breach and another 150MB hotfix :-)

    How reliable is a non-standard download protocol? Maybe it's described in the paper, and if I can't download the paper about BITS, I'm skeptical about using BITS to download hotfixes :-)

    • Is it an incremental download protocol that can restart if it's interrupted?
    • Can the protocol work through firewalls?
    • Can the protocol work through proxies?
    • Can the protocol work through VPNs?
    • Does the protocol try to work *around* VPNs?
    • What's the MTU size of BITS packets? Bandwidth percentage limitations are fine, but once a packet gets its turn on the wire, it's a latency hit, especially at low bandwidth.
    • Is there some vague possibility of security?
    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
    1. Re:That's even SLOWER and less reliable by delus10n0 · · Score: 2, Informative

      Here's a better link for more information about BITS.

      --
      Not All Who Wander Are Lost
    2. Re:That's even SLOWER and less reliable by sql*kitten · · Score: 1
      How reliable is a non-standard download protocol?

      Well, it's not "non standard" inasmuch as it's a documented part of the Windows API now.

      Is it an incremental download protocol that can restart if it's interrupted?
      From Microsoft's web site:

      Background Intelligent Transfer Service (BITS) asynchronously transfers files in the foreground or background, throttles the transfers to preserve the responsiveness of other network applications, and automatically resumes file transfers after network disconnects and machine restarts.

      Can the protocol work through firewalls?
      Can the protocol work through proxies?
      Can the protocol work through VPNs?


      It's just HTTP or HTTPS as far as the network is concerned. So the answer is, if you can browse, you can use BITS. Note that this isn't just for Windows updates; the API can be used by any application that needs to move a lot of data around and would prefer not to interfere with normal operation. The API works like the print queue; you can change the priority or order of jobs, authenticate for particular jobs, etc.

      Does the protocol try to work *around* VPNs?

      No, the underlying protocol is just HTTP/HTTPS.

      What's the MTU size of BITS packets? Bandwidth percentage limitations are fine, but once a packet gets its turn on the wire, it's a latency hit, especially at low bandwidth.

      Now you're trying to be too smart, and you just look silly.

      Is there some vague possibility of security?

      BITS is no more or less secure than anything that just downloads over HTTP, like say wget. How secure it is wholly depends on what you do with what you've downloaded.
  271. What kind of automatic updates? by billstewart · · Score: 1

    Do you mean that if you're not computer savvy you'll get Official Automatic Updates from Microsoft, or do you mean that you'll get Unofficial Automatic Updates from Mafiaboy, Stacheldraht, MSBlaster, Slammer, IISvermin, and SpammerRelay?

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
  272. Why is this news? Microsoft already does this. by Wonko42 · · Score: 1
    The article throws around big angry words like "required" and "mandatory", but what it really boils down to is that Microsoft is just talking about enabling the existing auto-update functionality by default. The confusing thing is, they already do this.

    When you install Windows XP, auto-update is enabled by default. You do get a little message notifying you of this, but it's enabled until you turn it off manually. In addition, the recently-released Windows 2000 Service Pack 4 enables auto-update without even informing you, even if you had manually disabled it prior to installing the service pack. Microsoft is already doing what this article seems to imply they're only considering doing. Where's the news here?

    1. Re:Why is this news? Microsoft already does this. by Winterblink · · Score: 1

      Uhm, maybe it's different in home edition than pro (although I doubt it), but mine did NOT come up enabled at all by default. First time in it notified of the feature, then asked if you want to turn it on. You're then put into the configuration window for it where if you enable it, THEN by default it selects automatic all the way. But it's right there in your face, available to be turned off right then and there.

      --
      "I'm a leaf on the wind. Watch how I soar."
      -Hoban Washburn
    2. Re:Why is this news? Microsoft already does this. by Wonko42 · · Score: 1

      Hmm. Last time I installed Windows XP Pro SP1, I'm pretty sure I only got a little system tray balloon popup notifying me that auto-updating was enabled by default. I could be wrong, though. That was a few months ago.

  273. um... by wolrahnaes · · Score: 1

    Isn't there ALREADY a client that does this?

    I'm damn sure that all the PCs at my school automatically check Windows Update and download the updates. They ask us if we want to install, but that can be disabled.

    --
    I used to get high on life, but I developed a tolerance. Now I need something stronger.
  274. Chicken versus egg by pkinetics · · Score: 1

    First, I oppose MS pushing down these updates. The last thing I want is my computer doing something I don't want it to do. It does that enough, with BSOD, and some other lock ups.

    Heck, if the OS isn't compatible with half the hardware out there already, how are they going to guarantee pushing patches down won't hurt more?

    Comparing using a computer to driving a car is not an equal comparison. Driving a car has lots of responsibilities and accountabilities. There is an impact to society on a whole. Using a computer in your home, is just you and whatever you want to do. And don't anybody start comparing the Internet as a Superhighway mumbo jumbo.

    Start taking away rights of the people, and you're playing with fire. The last thing I want to do is join the NCA, National Computer Association, to protect our rights to bare computers.... err... wait a second...

    Anywho, but what bothers me most is that WE are debating the wrong issue. MS has cleverly shifted the burden of responsibility to the users. If MS had designed the OS a little more secure in the first place, we wouldn't be in this pickle.

    Ok, so back to curing symptoms and not the actual problem. How do you force users to do their updates? Like Norton where you get a regular reminder? Isn't that Critical Updates?

    Users need a tool to educate why the updates are necessary. Why do I need to download this 19MB file and how the heck am I going to do that over a 56k modem. They do not need to read a 6000 line. If the patches are 19MB, shouldn't MS be sending out the patches on cd? If you register your software, you can get the patches on cd. Maybe then MS will understand making buggy software.

    Stupid users want it in clear and concise English / Spanish / Japanese / Australian / Martian, whatever. Why the heck don't they make a friggin multimedia tutorial??? Oh right, 'cause it's not a Mac.

    If the users choose not to install patches that have been out for x number of months, then bullox for them, don't whine about MS. But a patch is out one month, and MS expects the whole world to be patched??? Get real.

    They're just making PR statements to shift our conscious thinking. They're shifting the focus of the main problem by pointing out another problem. Taking the car analogy. It's like saying that the Exploder rolls over 'cause the driver goes too fast, and not that the vehicle has design flaws.

    Anywho, I could be wrong, but that's just my opinion.

  275. Morons by anthony_dipierro · · Score: 1

    After the embarrassment of last week's blaster worm, Microsoft is weighing the possibility of automatic update.

    You've got to be kidding. So now instead of a worm relying on making incoming connections to an open port on a computer not behind a firewall we're going to make outgoing connections and just trust that no one managed to steal Microsoft's private key which will surely be available to hundreds of employees?

    Yeah, that sounds like a solution.

  276. What a TERRIBLE idea! by m11533 · · Score: 1

    I speak as someone who, in spite of running a totally up-to-date Norton Antivirus, Norton Personal Firewall, AND a hardware Firewall, got infected. And, the infection occurred while I was manually running Windows Update to bring my Windows 2000 system totally up to date with the latest patches.

    The most remarkable aspect of the infection was that Microsoft called me to try to help me recover and clean my system. When I asked how, with all of these protective measures, I got infected, I was amazed by their explanation. They explained that the files on their server(s) are fine, but that the payload was infected IN TRANSIT while I ran Windows Update.

    I am stunned that someone would be able to infect something such that the windows update traffic could be intercepted and replaced by an infected version of the payload, all without affecting the performance of the network transfer as viewed by me the user.

    I am doubly stunned that Windows Update would not protect against modification of the payload in-transit, particularly since it appears to sidestep both Firewalls and Antivirus protections. In its current state, it would seem Windows Update is a wonderful backdoor just waiting to be exploited.

    Now there's something I want running without my knowledge...!

    1. Re:What a TERRIBLE idea! by gregarican · · Score: 1

      The person you were on the phone with is probably a moron. I doubt packets were replaced with Folger Crystals or anything due to Windows Update compromises. You probably got RPC hit from another source while downloading the patch from Micro$loth.

    2. Re:What a TERRIBLE idea! by m11533 · · Score: 1

      The one aspect that lends credibility to the Microsoft explanation is this... My ISP is Comcast. And Comcast was publicly acknowledging that their network had been badly infected. Thus, if the hub that handles my cable link was infected... it has the feel of being slightly plausible.

      On the other hand, I think I was so shocked at getting a phone call from Microsoft regarding this problem that I was not necessarily at my most analytical during that conversation.

  277. Trustworthy Computing Initiative? by bluepinstripe · · Score: 1

    Why doesn't M$ concentrate on the Trustworthy Computing Initiative they announced in the beginning of 2002? No matter what technology they implement and burdens they put on their users, they will never fix the problem if they don't fix the problem.

    1. Re:Trustworthy Computing Initiative? by gregarican · · Score: 1
      What are you talking about? Micro$loth recoded Windoze 2003 Server from the ground up with security in mind. Each and every line of code was peer reviewed for quality assurance. I read this myself in some of their Scientology-like propaganda.

      Probably a damn lie like everything else they say, since Windoze 2003 Server was hit by the same RPC buffer overrun exploit that affected Windoze NT 4.0 Server!

  278. Re:People are lazy? People are stupid? Good heaven by lambadomy · · Score: 1

    Those people can buy WebTV. Hardware differences aren't the only issue here, software differences are. If Microsoft's automagic patch only kills computers running a few specific software programs, the whole default automagic updates is flawed. These boxes you talk about would have to have standard hardware and standard software, and I can't think of many people who would want that as their system.

  279. Re:Ideas for auto-up, you forgot a few... by mfrank · · Score: 1

    You forgot detecting any Linux or other OS partitions and reformatting them to NTFS.

  280. Gator, marketing tool of the decade! by TheBeardIsRed · · Score: 1

    This is a great point. People don't want security. They don't care about viruses (unless their connection slows). They don't care what they install. Lastly, as long as their "e-mail machine" isn't "broken" they don't give a rat's ass about anything that comes from their "'puter". I think that the only thing that will solve this is a strict regimen of euthanasia and eugenics!

  281. You can't disable windows update by edxwelch · · Score: 1

    At the moment you can't fully switch off automatic updates on WinXP. I disabled the setting and even shutdown the service, but still IE automatically navigates to the windows update page, even though that's not my home page.

    1. Re:You can't disable windows update by AvengerXP · · Score: 1

      Open IE, Tools, Internet Options, Advanced, uncheck Automatically check for new IE Version. Simple as that. Also, remove the super microsoft link from the starting homepage.

      --
      Trolls dont like to be Flamebait, because they burn so well. Protect our Troll heritage!
    2. Re:You can't disable windows update by edxwelch · · Score: 1

      I didn't see that one. There seem to be so many settings for the WindowsUpdate scattered all over the place. But thanks for the info anyway, cheers, Ed

  282. the real reason people dont patch and other stuff by hitmark · · Score: 1

    it's all those reboots, having to reboot to install a patch only to find a patch that was waiting for the other patch to install and both needing a reboot (thank god that most come with a "do it later" option)... how are you supposed to work in all this? oh and some finer control on things would be nice, like being able to shut down the general listening on stuff like the now RPC service. maybe give an ability to finetune the allowed ip ranges that you can get traffic from (who needs to share windows shares onto the internet?)... oh and maybe have most features turned off as standard, the last time i installed mandrake linux it first wondered if i knew what i was doing when i selected some server and then asked if i wanted to have them start at boot (it was off as standard)...

    --
    comment first, facts later. http://chem.tufts.edu/AnswersInScience/RelativityofWrong.htm
  283. Press Release: Windows Automatic Update Hacked! by pstreck · · Score: 0

    Microsoft's new feature Automatic Update, which downloads and installs software onto a computer running Windows XP^2 has been hacked. It appears there is a security flaw that has been exposed by a virus writer known as Zero Cool. The new virus dubbed haha.gates.sucks.w32 installs a trojan cloaked as an update to the Windows system software. The trojan displays a message saying "Ha Ha, Bill Gates You SUCK! Why on earth did you put this feature into your already shitty software?" and then proceeds to clear random bits on your hard drive.

    In other news, Linux is closing in on World domination.
    All your boxen belong to us

    --

    Later,
    Phil
  284. nooo! by luckyguesser · · Score: 1

    There are a good number of windows updates that are already unnecessary for my personal needs, OR that are more hindrance than help!

    --


    The power of Christ compiles you.
    A Random Blog
  285. Re:Bad Idea. - exclude it. by pbulteel73 · · Score: 1

    Actually if you go to the windowsupdate you can "customize" the page and exclude any updates you want from the list of available ones. If you've already installed it, then it won't show up.

  286. Microsoft and DoD by chamcham · · Score: 1

    DoD will never let something like that fly in any of its facilities. Microsoft will have to provide a way to disable that service.

    I'm sure if MS does go that route then there will be a lengthy section in the Windows STIGs to destroy it.

  287. Typical. by AnotherBlackHat · · Score: 1

    "People don't like installing patches? Well then, we'll force them to install them."

    Sheesh - how about examining why people don't do updates and then doing something about that?

    Most people I know don't like the updates because MS makes a lot of changes besides just the "critical" security flaw.
    Every change is a potential bug, and MS's history on that front is abysmal.
    If the patches really were patches instead of replacements, far more people would install them.
    It wouldn't hurt if there was an "unpatch" too, and if patches weren't dependent on each other.

    -- this is not a .sig

  288. Re:People are lazy? People are stupid? Good heaven by jpop32 · · Score: 1

    but to me this amounts to saying "our customers are lazy and stupid".

    Hello? This is news to you? Wake up, dude, people _are_ lazy and stupid.

  289. When Windows Update fails... by jensend · · Score: 1

    I can't get windows update to install fixes on my machine either. However, as long as it's downloading things correctly, you can still install things manually from the download location (a hidden folder which is, AFAIK, c:\WUTEMP by default). If it's not downloading them correctly, check out Daisy, which basically just parses lists of updates available, determines which ones you don't have installed, and wget's the installers directly.

  290. Re: Privacy Issues by Anonymous Coward · · Score: 0

    Anyone using XP should remember the Windows Media Player 9 update. You know the one I'm talking about -- the one that downloads and installs itself, THEN tells you that it is also updating copy protection schemes for Windows XP.

    I have a legal copy of XP and yes, it continued working properly. But with WindowsUpdate, I sure as hell don't trust Microsoft to install what they say they are installing. What's going to be next... updates from the government to intercept my email?

    At least if I don't use automatic updates, I get a chance to see what professional auditors are saying on security mailing lists before I install the patch.

    If you think I'm paranoid you obviously haven't been reading enough articles about Ashcroft lately...

  291. Not Surprising by Synesthesiatic · · Score: 1
    This isn't surprising considering how bad average users are at taking care of their computers.

    from Wired News "I've been getting these pop-ups on my new computer's screen saying there was a patch that was downloaded and did I want to install it now," said Kathy Greeves, a schoolteacher. "I thought it could be an attempt to hack my computer, or give it a virus, so I always click 'no.' I thought I was being smart."

    I bet this same woman thinks nothing of downloading spyware ridden crap because it's cute or makes piracy idiot-proof. Maybe if Microsoft had a purple gorilla sing the updates, people would take notice.

  292. Re:No Thanks! Patch MS03-026 hosed all my work! by Anonymous Coward · · Score: 0

    I learned my lesson, don't click on Windows system dialog boxes when you are half asleep and unable to make sound decisions.

    Sounds like you hosed your work, not MS03-026. You know MS had a link available from their homepage for like a few weeks now - you know the one that's in RED. If you click on it, it'll take you to a webpage that has links to every OS that's affected - from there you can download the individual patch. I know it's a lot to expect, but yes, the same thing that people whine about not being able to disable (Windows Update) is NOT required for updating patches! Amazing, isn't it?!!?

  293. EXCUSE ME! by peripatetic_bum · · Score: 2
    but isn't this what trusted computing is all about.
    I wrote a post a little ago saying that Microsoft was going to use the excuse of virus and their inability to write secure software as an excuse to grant them power over all computers they have the OS on.

    In short, what they are saying is because we can't write secure software, we want total control of the software so that no one can use it in any way that is not approved by us.

    Therefore now when I don't want to use Windows or even a patch windows, my computer is considered "untrustworthy" and maybe my ISP will block it.

    I think we have to be very very very careful in where this war on terrorism, war on computer viruses, war on everything is going to go.

    I can see someone in power tell linux to do *this*, install that or we won't let you on the internet. I am surprised at how very little freedom is left on the internet and we all need to watch carefully and pipe up when the time comes.

    Sorry for the rabble-rousing rant but I had too much coffee

    --

    Sigs are dangerous coy things

    1. Re:EXCUSE ME! by Anonymous Coward · · Score: 0

      Man, you are absolutely right! Didn't know you said anything about a virus for an excuse but when I read the article I knew that it had something with the once so called "palladium".

      Don't worry though, first I believe that people will find ways through it by blocking every Microsoft port or something like that, then people will attack Microsoft, then everyone will switch to Linux and the world will be happy, YEY!

  294. Automatic updates instead of security??? by Anonymous Coward · · Score: 0

    First of all, I have to say that I come from Germany and it is hard for me to write all this crap in English. I hope you'll understand what I'm trying to tell you.

    Why does a million-dollar-weight company like Microsoft need such ways to make their software secure? Sure, it is hard to make a software like Windows absolutely secure, but should it be possible for hackers and scripters to create such a virus like BLASTER???? I often tried to configure the Windows XP Firewall, but does it make sense to configure a firewall which is not able to close some holes in Windows which HAVE to stay wide open??? Firewall active or not, some ports are still not closed by it. That should be changed. To make my system secure I must have the ability to shut all these holes.

    In my opinion that is the only way to make a system secure. eMail-Attachments are not the only way to get those viruses. I already said it.....remember BLASTER. That was only the first time we heard of a kind of virus like that, I think! Look forward to the future, and make those ways impossible instead of installing patches or stuff like that. When millions of users try to download those patches, the update-server will also crash,....so is that really the way of help we need???

  295. Automatic update worm? by Anonymous Coward · · Score: 0

    If they're going to do this, why not implement it using a distributed-computing model and relieve bandwidth on their own servers? They could use some of the techniques of MSBlaster to do it. It would work something like this: The patch gets installed on the first computer. That computer then looks for other computers on the network, ftps the patch over to them, and forces them to install it. Then they go and find other computers to patch... Sound familiar?

  296. Microsoft needs to back up its usability claims by GuyMannDude · · Score: 1

    Clearly the technology's simplicity is oversold. "Anyone can use it!"

    I agree with this statement (not sure I understand what you're getting at with the rest of your post, though). Microsoft has been marketing computing as something for the everyman. Yet, their patching process is not understandable by most. They need to fix this.

    The average person is not going to understand the messages that Windows Update gives. And they certainly will get lost with the descriptions at MS's Knowledge Base. What I'd really love to see is Microsoft use some of their mega-bucks to outsource the Windows Update service. Microsoft would still be responsible for creating the patches, of course, since they've got a closed-source OS. But it would be up to a third party to write the message that gets sent to the user. Something the average person can understand complete with a fair and unbiased description of the pros and cons of installing the patch. Clearly Microsoft does not have the interest in creating understandable messages because they sure as hell have the resources to implement this now. Right now the home user is confronted with a cryptic message about a new patch that they don't understand. "Well, since I don't understand what this patch does and my computer is working fine now," they reason, "why should I take a chance installing this new thing? Especially because I've been bitten by bad patches in the past!"

    Gates loves to believe that his wealth is because of his great genius. But the fact of the matter is that he lucked out and entered a field that was ripe for explosion. Gates owes a huge, huge, huge debt to Tim Berners-Lee, the creator of the WWW. Remember, Gates thought the public's interest in the internet was going to be a fad. So he's an accidental success in my book. Now that the everyman is at Microsoft's mercy due to their monopolistic practices, it's really up to Microsoft to start making computer security accessible to those persons. If they don't start doing that, then perhaps it's time to start thinking about government regulation (you can hear the collective groan of all the conservatives out there).

    GMD

    1. Re:Microsoft needs to back up its usability claims by jazman_777 · · Score: 1
      I agree with this statement (not sure I understand what you're getting at with the rest of your post, though).

      Just a comment about how anyone can vote, even masses of absolute dummies. Just like anyone can run a computer, even masses of absolute dummies. Mischief results both times.

      --
      Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.
  297. Not so good for slow connections by MoogMan · · Score: 3, Informative

    What a *retarded* idea. Windows XP has automatic updates turned on by default, so there isn't much difference.

    Ok, I can see the logic in making Windows Update fully transparent (and for the majority of users, this would be a good idea).

    Regardless, for users like me running on a 56k connection, downloading a couple of meg worth of useless patches, this is *not* an option. My firewall is a better preventative measure than patches upon patches, so I'd rather not bother.

    And if the "functionality" is put in anyway? Well, there will be cracks - hey, my firewall will probably block it anyways ;)

    Of course, it's all the more reason to convert to Linux.

  298. Worms, Viruses, Trojans, and more! by Mastadex · · Score: 1

    I think there is a good thing to all this. People write these viruses for a reason, to show to the public that their pretty little OS is really buggy and has massive holes in it. I don't blame it on the user, I blame it on the people who write the OS. They should be responsible for all these matters!!! I say, give em' hell...

    --
    A morning without coffee is like something without something else.
  299. Lamp filaments for Windows by rodmm · · Score: 1

    I'm convinced that every Windows installation should have something like a lamp's filament. Then, after some time of use, one morning the user should receive the message: "Your Windows filament has just burnt out. Please change your OS." When this occurs, the user would know that probably his system has a lot of deprecated DLLs and other stuff like that and that he needs to reinstall Windows from zero.

  300. Re:No Thanks! Patch MS03-026 hosed all my work! by MrCaseyB · · Score: 1

    Installed from Windows Update or direct link from the web, results would be the same: a bizarre software conflict that silently corrupted all my 3d scenes.

    Now think about this one AC, what type of computer user is going to actively seek out the latest patches via MS website and install them, probably a more technically skilled user.

    The novice or clueless user who has Microsoft change their computer completely behind the scenes without any notice or intervention could run into problems. Should those patches corrupt their system or conflict with software, is that novice going to be able to clean up the mess? Not likely. But they may have a chance, if they were presented with a box saying "Hey I'm going to install the following updates that address these issues, do you agree to install these?" Then the newbie user would at least have a small clue as to what the hell is going on with their computer.

    I think it's best to alert the novice users, educate them on what's going on, not give them some false sense of security. "Oh my computer is fine, I don't need to be aware of viruses and exploits, because my computer is doing it all for me automatically, and gosh darnit, I trust those geniuses up in Redmond to do what's best for me"

    If you were a tech support guy and got a phone call "Hey all my .max scene files are corrupt"
    tech: "Has anything changed on your computer recently"
    "I have no idea"

    Wouldn't you rather get
    "Well recently I was alerted to a critical update by Microsoft, it was a patch called Ms03-026 or something and it was for some RPC vulnerability, whatever that is!"

    Which call would you rather get?
    I would rather speak to the user who has a slight clue as to what the hell is happening. Amazing, isn't it ?

    Getting back to the article, I don't think it's a good idea to make Windows updates automatic and mandatory. I think they should have several more levels of notification and warning. Are you ready to surrender full control of your machine to Microsoft or any other third party? I'm guessing not many people here are.

  301. Microsoft has Automatic Update for Windows by clifgriffin · · Score: 1

    ...you just have to turn it on.

  302. What A Sanchez by g_goblin · · Score: 0

    You know if MS would have just taken from the *NIX community and put a simple firewall in their desktop OS's this thing wouldn't have happened.

    There is no way I would allow them to automatically update "MY" computer without having knowledge of it. But hey maybe that is because I am a geek.

    There are flaws in every OS, we all know that but with all the R & D money MS has, you can't tell me they couldn't port something like ipfilter or ipfwd.
    I know this wouldn't solve viruses, but the average user should know better than to click on an E-Mail from someone they don't know.

    I'm William Wallace!!!!

  303. Damnit... by Jack+Schitt · · Score: 1

    Whoops, I accidentally blocked http://v4.windowsupdate.microsoft.com at my firewall. Oh well...

    --
    This message brought to you by Jack Schitt's Previously Shat Shit
  304. not quite. by SomePoorSchmuck · · Score: 1

    Nah, it's more like Gene Wolfe's "Long Sun" series, in which the everyday people actually perform rites to their virtual caretakers/overlords in order to receive functional rewards. It'd be like, if you consistently didn't bring at least a small bird to be sacrificed to the god Fanningus, he wouldn't keep your home network protected from RIAA lawsuits, but if you bought a lamb for the priest of Billicose, your home-built DoomIII network would function smoothly and without lag.

    By the way, Foundation's oft-cited status as "greatest SF series" is undeserved, in my opinion. It's somehow too... I dunno... deterministic. I suppose that's connotative code for "white, male, western, forty years dead", although I quite naturally wish to avoid the overtones of political correctness.

    __

    --

    Hollywood, Television, has become the dream machine. We need to take that back; each of us is a Dream Machine
    1. Re:not quite. by thynk · · Score: 1

      Umm... are you saying that sacrificing small animals to get computers working correctly isn't an already widely used practice? Hmmm... Might have to take that part out of our system troubleshooting manual, as it comes right after making sure the computer has been rebooted.

      --

      Good judgment comes from experience, and a lot of that comes from bad judgment.
  305. We need insurance! by Mephie · · Score: 1
    Hey, cars should be easy too. And while it's easy for me to lock my doors, it's easy for someone to break my window as well. If someone does break my window, pops my hood and pulls out a .. uh .. hose or something (I know nothing about the inner workings of cars) I can't hold Nissan liable for putting windows (*cough*) on my car.

    The bottom line being that OS Security is in the same arms race as Network Security and Digital Rights Management: for every update to every system, someone's going to try to find a way around it. There likely isn't a good way to make an operating system (ANY operating system) completely secure, without lobotomizing it. Just like you're never going to make your car completely secure from thieves unless you make it unusable, and even then "completely" probably goes a bit far.

    So who do we hold responsible? Surely the perpetrators of said attacks, just like we hold thieves liable. But thieves are sometimes quite hard to catch and hackers seem to be even more difficult. If we continue this comparison, the next logical step is Insurance. Maybe State Farm or Allstate should start offering PC Security insurance wherein, for a small monthly fee (or large, in the case of corporations), you can be compensated for damage done to your system or the time it takes you to restore your system post attack, as long as you can establish that you took the necessary steps to protect your system, which means, in part, applying patches in a timely manner.

    And maybe, instead of overlooking cluelessness, it really could be punished. If someone's car gets stolen but they left the doors open and the keys in it, while we don't excuse them completely, we usually do say "well, wise up.. that'll teach you." But in the case of a worm, your unpatched system can go on to do damage to other systems, in which case you are (partially) responsible for the propagation of a damaging and costly problem. So you have to take responsibility for the damage you caused, just like I have to take responsibility for the damage I do with my car, even if that's as a direct result of a vandal, say.. cutting my brake line. It's still my fault. That's why I have insurance. Is there anyone from an insurance company reading? Do you see a money maker here??

    This is definitely not a one-for-one comparison and I personally feel the computer security situation is far more complex than the car security bit. And just like car makers issue recalls and face liability issues for glaring oversights in manufacturing, I certainly think OS makers should face the same thing. But you're crazy if you think Microsoft makes unsecure software on purpose. Should they do more testing? Absolutely, but how many applications really get tested as extensively as they should? But, people point out security problems, and sometimes, MS decides to fix them. Hey great. Then it's up to the user to apply the patch. This system is at least workable, so long as they don't put people in jail for discussing security holes. And while I'm ranting, if we're gonna do that, shouldn't we start putting the Consumer Reports people in jail for doing and releasing testing that leads to the identification of a defect resulting in a recall? I mean really! Let's have some equality!

    Alright, I'm done. Really.

  306. lindows root user by David+Jao · · Score: 1

    Recent versions of Lindows no longer run everything as root.

  307. Optional Automatic Update by Anonymous Coward · · Score: 1, Interesting

    Why should ANYONE be forced to update? It's ok to ask (hey, blaster's out - should we install this security fix? etc.)

    However, I have re-installed Windows 2000 on my machine several times. I can tell you that every time I install the patches, it runs NOTICEABLY SLOWER. So I don't install the fixes but I do license firewall and virus software - and to date have had no viruses or trojans!!

    Let's stop with the "we must" crap and get back to reality. Choice. It makes the world go around.

    AC

  308. Legal issues? by killermal · · Score: 1

    What about the legality of the issue? Is it legal for Microsoft to dictate what and when to install on an end user system? Surely this breaches users' privacy rights.

    1. Re:Legal issues? by RevSmiley · · Score: 1

      Not if you use one of Bill's click through licenses or shrink wrap ones. He could have you assigning ownership of your house to him for all most people know. At least he will continue to be held harmless for any economic impact of his product on you that might be negative.

      --
      As you can see I don't care about my karma.
  309. Hm. My reaction. . . by Fantastic+Lad · · Score: 1
    To that blaster silliness was to ditch my copy of 2000 and go back to 98. Yes, yes, I know Linux is a proper solution, but the learning curve on that looks monumental, and I have a business to run. All those drivers. . , and half my equipment is ancient legacy stuff. Another time when I have a whole month to screw around, perhaps.

    But for now. . .

    Man. Going back to Win98 has relieved SOOO much stress! (Which, honestly, I believe is one of the core reasons that computers exist; to cause society-wide stress and anxiety; but then I believe the cities are primarily just big negative energy batteries for the evil aliens to feed on. But then people also call me weird.)

    Win98 does everything I need, and while it does not necessarily do so flawlessly, it does so reliably because at this point, I know that OS backwards and forwards. Whatever problems crop up I can fix in a few minutes because I've spent the last six years or so messing with that system. --Win2K had lots of bells and whistles, but it confused me with all of the new quirks and bits of bullshit which also came along with it.

    Plus it was several major steps forward toward the whole massive information control society we all fear. (Well, those of us with brains.) Like this latest horseshit with auto-updates. Makes me wonder if Bill Gates isn't taking a page out of Bush's diary; invent a threat in order to advance your own agenda.)

    But anyway. . .

    --I don't mind email attachment trojans. Like safe sex, those dangers are a choice. But shit! That last virus was able to get into Win2000 if you were simply connected to the web! I mean, what the hell? And there were other strange problems cropping up which I didn't understand, and since all the latest viruses are focused on the platform du jour, going back a step is a virtual guarantee of safe computing! --I bet the guys who still run the old C64's never have to worry about such nonsense; they're off the grid!

    The problem which downed the computer industry is the very thing which is going to make my life easier from now on; there are no more killer apps on the horizon. Once computers reached the point where all tasks could be done without hair-pulling delays, or with quality drops in the digital versus analogue contest, there was suddenly no longer any reason to keep up with the Joneses.

    --Thank goodness I've grown past the point where I give two beans about the latest game advancements!

    Yep. Off the grid, where the air is clear!


    -FL

  310. legal and "real" liability for a toaster by Anonymous Coward · · Score: 2, Insightful
    Let's say I make toasters. Now let's say that I consistently have problems where the toasters fail, die and need rebuilding for no apparent reason than that the user had the nerve to use me as a toaster. If my inept development of the toaster causes problems then I am at fault. If I send out recalls but then people knowingly fail to heed them... then whose fault is it? It then becomes a question of what defines "knowing." Just sending out a memo, especially when people get enough spam and crap as is, is probably not enough. I can't just fire off some cute little postcard and expect my end of the deal to be done with.

    However it is looked at above we then must ask what is acceptable "problem fixing" behavior and methodology. Should I just walk in the customers' homes and fix it myself or should I at least schedule a time when convenient. What happens if my "fix" causes other problems or just incompatibilities and lost bread? For that matter, what about all that bread lost from my inept development?

    What if some customers have bothered to pay attention to my lack of commitment to quality in both the initial development and in fixes and as such do not trust me to fix their systems until they hear from all their neighbors what they have experienced as a result of the fix? They may have real concerns that my toaster fix will not work and cause other problems and more lost bread. They may have even had relatives or friends be electrocuted.

    What about other appliances? Perhaps in the past I have noticed that other components plugged into the electrical grid of the house fail to operate after earlier toaster patches. Maybe my refrigerator stops working and my Microwave's light and half of its controls go out. Who pays for those repairs?

    I can tell you with certainty that if this was indeed about toasters (or TV's, Washers, or Microwaves) that there would not be any toaster makers in business still that produced such crap as Microsoft does. I think MS has done some great things but it is often hard to see the roses when all your vision is blurred by blood from the thorns.

  311. Microsoft has enough 'automatic' stuff in it by ALeader71 · · Score: 1

    I say 'nay' (or maybe 'Ni!') to another attempt by Citizen Gates to take more control over the end user's life. For users that are on a dial-up ISP, an 11 or 14 MB update will slow their system speed to a crawl and generate lots of hate calls to the service providers. Plus as a corporate IT manager I've enough work made for me and my staff having to shut down or secure all of the unnecessary crap that MS loads into the OS. For example: Outlook Express (and the icons that go with it) (and whose idea was it to make OE mandatory?) Messenger Service, Alerter, etc. Remote Access Etc. I could go on but you see my point.

    --
    Only the dead have seen the end of War. - Plato
  312. for gods sake by Mondain98 · · Score: 1
    The company is "looking very seriously" at requiring future versions of Windows to accept automatic software fixes unless the user specifically refuses to receive them,

    You can turn it off. Relax. Fucking zealots.

  313. Simple by Anonymous Coward · · Score: 0

    Just write a law limiting what they can inflict on you when they 'update', do your best to make it easy to prove failure to comply, write huge penalties for non-compliance, and still watch MS completely abuse automatic update... Hmmm...

  314. How long has this bug been known... by nickgrieve · · Score: 1

    Look at the vulnerable versions of Windows. It is every one of the NT > 4.0 family.

    The exploit was coded into everything even after it was found. This bug has been around since 1993.

  315. Re:SP6. -- slight correction by GojiraDeMonstah · · Score: 1

    What SP6 actually did (IIRC) was not to disable SMTP for Notes specifically, but to bind port 1352 to another process, which is THE main port that Notes/Domino uses to communicate (as important as port 80 is to a web server).

    The conspiracy theorists suggested that M$ did it on purpose, this was at a time when the TCO wars were at a peak between Lotus/IBM and M$.

    --
    "Stop throwing the Constitution in my face, it's just a goddamned piece of paper!" - George W. Bush Nov. 2005
  316. You want Horror Stories? Read NTBugTraq.. by linuxtelephony · · Score: 1

    Read NTBugTraq. You'll find the "horror stories" you're dismissing.

    If your network didn't get affected - good for you. If you didn't have any applications stop working due to automatic updates or manually installed patches, even better. More than likely you're not doing anything very advanced on your network making admin a lot easier.

    But oh yes, you posted as an AC, so you're probably just full of hot air and a troll.

    --
    . 62,400 repetitions make one truth -- Brave New World, Aldous Huxley
  317. Re:Hm. My reaction. . . by redstoner · · Score: 1

    I know how you feel. I get crap all the time from people saying "Switch to Linux." "Linux works better." "Blah, blah, blah Linux..." I'm sure Linux works fine, but until the huge variety of applications become available like all the stuff they have for Windows, I'm sticking with it, despite an occasional headache. Like you, I also have a job to do and don't have the time or money to learn start using a whole new operation.

  318. Biggest problem with MS Auto Update IS A Virus by Anonymous Coward · · Score: 0

    Now the only way Auto Update can work and work safely is if central servers are split and made multi-target. It would take a virus writer a bit more time to work out a DOS attack on all to shut the network down. Number 2, users have to be able to redirect their auto update to a non server, i.e. a Mag CD from a cover book, in the worst case that something gets spreading that is defeating the antivirus camp completely. I.e. a virus that is watching the antivirus updates for itself and changing to go under the radar. Note no virus writer has been good enough to write one like this yet but it may come. The antivirus jamming viruses are pretty damn effective.

    Now this is MS's biggest problem: not having deals with Computer mags to have their update always on the CD. But instead wanting users to log into MS server so they can detect pirates. Basically if MS fixes all the bugs they will have no way to track computer pirates. So I don't see defects going away any time soon.

  319. Take them away! by danielsfca2 · · Score: 1

    I thought what he meant by:

    > Think about it, if you don't know enough about something to know how to turn it on or off, do you really think you should be able to choose if it's on or off?

    was that since the majority of Windows "home users" arguably barely know enough about PCs to know how to turn them on or off, then maybe they shouldn't be able to choose if their PC is on or off, ergo, they shouldn't be allowed to use them.

    I found it rather funny. In addition, "secure-as-default" is a commonsense idea that anyone should support.

  320. So there I was... by IBitOBear · · Score: 1

    So there I was, presenting my proposal to the board when Microsoft Automatic Update kicked in. It didn't so much as pop up a bubble-box notice. The interactive graphics ground to a halt and then the computer rebooted three times.

    There was nothing I could do, and I couldn't explain it away because it was all happening in the background. They thought my general design was bad.

    Fortunately it happened exactly the same way to the next three presenters, so I didn't lose my job.

    Unfortunately the last guy got the bid, he'd still been working on his presentation via 802.11z in the back of the hall, so he was all patched up before it was his turn.

    So what if it was only half-visualized demo-ware. His "worked" and mine "didn't"...

    ===

    Don't think it will happen? Think I am just paranoid?

    Think again.

    "What can we do to your time-critical work-flow today?" -- New Microsoft marketing slogan.

    --
    Innocent people shouldn't be forced to pay for inferior software development.
    --"Code Complete" Microsoft Press
  321. Starts handing out ClueBats(tm) by Makoss · · Score: 1

    Come on people, time for something very much resembling Whack-a-Rat.

    --
    Building a better backup.
    Zettabyte Storage
  322. hmmm wonder why microsoft is reacting so strongly. by shaitand · · Score: 1

    could it be because these recent worms have been attacking THEM?

  323. Re:Hm. My reaction. . . by Anonymous Coward · · Score: 0

    "...Bush's diary; invent a threat in order to advance your own agenda."

    If you haven't noticed yet that "invented threat (terrorism)" just blew up the UN compound in Baghdad. The US tried to provide security for them but "they didn't want it." Seeing as the UN was on record as against the US action against Iraq and these "invented" terrorists it makes no sense unless they really are terrorists and were in Iraq. What do you know Baathists and Islamic terrorists do act in concert and want to kill everyone. Whatever agenda Bush might have he sure as fuck isn't wrong about these people.

  324. Here's a compromise by scott37 · · Score: 1

    An auto-update patch could first be sent out to, say, 100 volunteer test machines. If problems arise the first two days, go back and fix. Next, send it to 1,000 test machines and see what happens for a couple days. Then 10,000, etc. Gradually sweep out to the millions of real machines in diverse scenarios as reliability is proven.

    1. Re:Here's a compromise by Goobah · · Score: 1

      How about this? Why don't they come out with a "Windows XP Complete Idiot" edition, where it only allows the most basic ports available for web browsing, email, and IM, and no NetBIOS or other networking capabilities, and make all the people who are too ignorant to update their hotfixes purchase it.
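
The staged rollout proposed in comment 324, sketched as an added example; it is not code from any poster or from Microsoft. The ring sizes (100, 1,000, 10,000, ...) and the two-day wait come from the comment; the `install` and `is_healthy` callbacks, the 1% halt threshold, the hash-based ordering and the constructed 25,000-machine fleet are assumptions.

```python
import hashlib


def ring_targets(fleet_size, first=100, factor=10):
    """Cumulative machine counts per stage: 100, 1,000, 10,000, ... whole fleet."""
    targets, n = [], first
    while n < fleet_size:
        targets.append(n)
        n *= factor
    targets.append(fleet_size)
    return targets


def rollout_order(machine_ids, volunteers, patch_id):
    """Volunteers first, then everyone else, each group in a stable
    pseudo-random order derived from the patch id, so the same machines are
    not the early ring for every patch."""
    def stable_key(machine_id):
        return hashlib.sha256(f"{patch_id}:{machine_id}".encode()).hexdigest()

    opted_in = sorted((m for m in machine_ids if m in volunteers), key=stable_key)
    the_rest = sorted((m for m in machine_ids if m not in volunteers), key=stable_key)
    return opted_in + the_rest


def staged_rollout(machine_ids, volunteers, patch_id, install, is_healthy,
                   max_failure_rate=0.01, soak_days=2):
    """Patch one ring, wait soak_days, check health reports, then widen or halt.

    install(machine) and is_healthy(machine) are hypothetical callbacks that
    stand in for the real delivery and telemetry channels.
    """
    order = rollout_order(machine_ids, set(volunteers), patch_id)
    patched, day, stages, broken = 0, 0, [], []
    for target in ring_targets(len(order)):
        ring = order[patched:target]
        if not ring:
            continue
        for machine in ring:
            install(machine)
        patched = target
        day += soak_days  # "if problems arise the first two days, go back and fix"
        failures = [m for m in ring if not is_healthy(m)]
        broken.extend(failures)
        stages.append({"target": target, "ring_size": len(ring),
                       "failures": len(failures), "day": day})
        if len(failures) / len(ring) > max_failure_rate:
            # Stop widening: machines outside the rings so far stay untouched,
            # but they also stay unpatched until a fixed patch restarts the cycle.
            return {"status": "halted", "patched": patched, "broken": broken,
                    "days": day, "stages": stages}
    return {"status": "complete", "patched": patched, "broken": broken,
            "days": day, "stages": stages}


def demo(conflict_every=None):
    """Constructed fleet of 25,000 machines; the first 100 are volunteers.

    If conflict_every is set, every conflict_every-th non-volunteer machine
    runs software that the patch breaks (a constructed failure pattern)."""
    fleet = [f"pc-{i:05d}" for i in range(25_000)]
    volunteers = fleet[:100]

    def is_healthy(machine):
        if conflict_every is None:
            return True
        index = int(machine[3:])
        return not (index >= 100 and index % conflict_every == 0)

    return staged_rollout(fleet, volunteers, "EXAMPLE-PATCH",
                          install=lambda machine: None, is_healthy=is_healthy)


if __name__ == "__main__":
    for label, result in (("clean patch", demo()),
                          ("patch with a 10% conflict", demo(conflict_every=10))):
        print(label, result["status"], "patched:", result["patched"],
              "broken:", len(result["broken"]), "days:", result["days"])
```

The clean run needs four rings and eight days to cover the fleet, which is the exposure window a fast-spreading worm gets; the conflicting patch is stopped at 1,000 machines even though the volunteer ring alone did not reveal the problem.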

  325. UN compound by Fantastic+Lad · · Score: 1
    And the net result is. . .

    You and everybody like you reinforcing their support for Bush.

    Because you're right. There IS no rational reason for the Iraqis to blow up a UN compound. Neither tactical nor diplomatic. It's incredibly stupid. --The UN, the one world body which might have the ability to lean on the US and make things better for Iraq, and the Iraqis attack it. Hmmm.

    Same thing happens all the time with the Palestinians. --Just when things are looking good for them; talks about land being returned, or the Jewish military pulling back in its supremacist policies, a 'Palestinian' suicide bomber will take out another busload of civilians. --I mean, EXACTLY when things are looking up. You can pretty much predict the day of an attack based on how good things are looking in the 'Roadmap to Peace' or whatever horseshit the media is shoveling on any given month.

    It's the same old pattern, and it's happened, literally, countless times. Just when things are looking as though Peace might break out, the party with the most to gain shoots itself in the foot, thereby 'justifying' the aggressive force of the massively superior power of the Jews, or in this case, the US.

    In warzones, it is very, very easy to get away with operations of this sort. You don't even need to Greenbaum, (Look that up!) a victim. You just need a charismatic CIA asset operating behind the enemy lines, (like Bin Laden for instance; that guy was created by the CIA a decade and a half ago. Any half-assed Googling will tell you that.), and get the guy to start distributing horseshit to his followers. The young men are cut off enough from world awareness so they don't really know what's going on, and they're angry enough at the violations played upon them and their land and their loved ones; that's a lot of bottled up rage and misery. It'd be very, very easy to whip them up into blowing up pretty much any target you convince them is 'Bad'. Hell, we've seen that very scenario played out in reverse; Americans seeing their 'Homeland' being hurt getting whipped up into a big enough frenzy to also blow up ridiculous targets which had nothing to do with the original injustice. Targets such as Afghanistan and Iraq, for instance. And who gains in the end?

    Somebody is getting rich as hell, and it's not you or me! -Halliburton, Dyncorp, Carlyle Group and fucking Worldcom of all companies; they're the ones profiting! Oh, and a Jewish telco got another of the billion dollar reconstruction deals. --Companies which are either responsible for losing BILLIONS of dollars due to the recent economy-destroying frauds in 2001, (for which the perpetrators are STILL not being penalized thanks to friends in high places), or in which Bush and his cronies are actually direct shareholders!

    So, I'm sorry. I just don't buy it. It makes zero sense for Iraq to bomb a UN holding, and (as you demonstrate), such ploys are simply far too effective a propaganda policy for them not to be regarded with a high level of suspicion. There's just too much money at stake, and the people in direct line to collect that cash have demonstrated time and again that they have no internal moral compasses whatsoever. When I see 2+2, I can only say, "4".


    -FL

  326. microsoft wants? by kbeast · · Score: 1

    Users want reliable OS

    --
    Two Wrongs Don't Make A Right-- But They Make Me Feel A Whole Lot Better
  327. Nonsense. by jotaeleemeese · · Score: 1

    I have provided some PC support professionally and as a "hobby" (friends, colleagues) in, let me count, 15 countries in four continents (perhaps even your corner of the US) and I can confidently say that only weirdos (like /.ers ) have their computer on at all times.

    Most people realize the critter is using that thing some parts of the US lacked sorely this last weekend, electricity, and most people are sure as hell that that is not free since they are reminded of the fact periodically by the electricity bill.

    --
    IANAL but write like a drunk one.
    1. Re:Nonsense. by PhoenixFlare · · Score: 1

      Err...Okay. Is there any specific reason you had to call me a dense weirdo twice in two separate posts? It's rather hard to take you seriously that way.

      And for the record, I usually leave my machine turned on due to the fact that I have need to access it remotely quite often. If it's not used for more than a half hour or so, all the power-saving options are set to kick on.

      A computer doing nothing in a household for 22 hours wasting power is not only foolish (no matter how much you pay for your electricity) but wasteful.

      Who said I only use my system 2 hours a day? Maybe someone you know, but that someone would not be me, that's for sure.

  328. He feels touchy because you are dense. by jotaeleemeese · · Score: 1

    Every single computer that is on unnecessarily causes environmental damage, most governments, individuals and organizations in general agree that such damage should be restricted in as much as possible without interfering with productive activities.

    A computer doing nothing in a household for 22 hours wasting power is not only foolish (no matter how much you pay for your electricity) but wasteful.

    A computer used in a lab for the best part of 12 or 14 hours is a completely different beast since society is getting a direct benefit and thus the environmental damage at least has a direct justification.

    And in spite of all that, your friends are weirdos and in a minority. Most people have the common sense to turn off their computers when they stop using them.

    --
    IANAL but write like a drunk one.
  329. They can't do anything. Their model is flawed. by jotaeleemeese · · Score: 1

    Because to do the right thing conflicts with their interests, their way to work and their perceived bottom line.

    -They should respect the privacy of their users.
    -They should not force feed EULAs with patches.
    -They should take enough time to test patches, ensuring they don't break things.

    MS has willingly ignored the first two issues above, there are many examples of that.

    As for the last one, they are completely lost: they are trying to integrate so many things in the OS (in their anticompetitive zeal to try to push out of the market every single company that produces any useful piece of software) that they are creating an unmaintainable pile of software kludge.

    With the pressures to cut costs and to put patches out in service quickly there is a fundamental contradiction between effective software testing and complexity of a software kludge that includes everything and the kitchen sink.

    They are becoming a victim of developing according to marketing strategy and not to sound software engineering principles. If they are in a catch 22 it is one of their own making.

    --
    IANAL but write like a drunk one.
  330. Sorry but no kosher. by jotaeleemeese · · Score: 1

    There is only one entity that can force people to do something in a compulsory manner, yes ladies and gentlemen, your often despised government.

    If a given government mandates software upgrades in the benefit of the common good then I will gladly agree. Of course this invasion of privacy to prop-up a private service means that the service provider becomes heavily regulated.

    If mandatory patches would mean that MS would be forced to produce quality software or it would be fined for endangering the public, I am all for it.

    If mandatory patches means a company I don't trust will put whatever they see fit in the computers of my friends and relatives (not mine mind you, I don't have to worry about MS ever touching my hard disk) I will be a vocal opposition to such a stupid, ludicrous idea.

    Since when did MS become the arbiter and regulator of how people use computers? That some people seem to believe they have that "right" shows what horribly bad shape the IT industry is in.

    --
    IANAL but write like a drunk one.
  331. Recipe for Disaster by phthisic · · Score: 1

    What happens when MS puts out something that has bugs? It's not so bad if it's not a big bug, but that's not a given.

    A couple years back, I was running Windows Update on a box at work and it installed a video driver (Intel, I think) which BSODd my box. I couldn't even rescue it and had to reload it. I knew other people who had the same problem with that update. A day or so later, MS yanked that update.

    Now that was my fault. I had a back room of identical boxes on shelves that I could have tested the patch on first. But what about Mom and Pop? When their box BSODs, it'll cost them $100 to put it back working, and they may lose some pix of the grandkids. Who's going to pay for that? MS? Not bloody likely.

  332. ... right now windows is set for ease of use by pensivemusic · · Score: 1

    over whose dead body will you say that? i mean, if windows was really easy to use, users would be able to figure out what their systems needed to STAY easy to use. let's take just one issue; ports. how many of them are there in a WINXP system anyway? how many users could even tell you that with a hint of accuracy? the list goes on... the trend has been for Microsoft to push more complex products into the pipeline on the consuming public who is untrained to handle (in my view or even be aware of) the complexity of the systems they have to be responsible to manage. when was the last time you saw a complete manual ship with a WINXP box? or, when was the last time you saw a step by step here are the _insert how many zillion___ (qty) things you the user 'must' do when you get your computer setup and power it on the first time? Message to the captain; your customers need better PC roadmaps Bill Gates!!!!!!

  333. Oh puh-lease... by aaaurgh · · Score: 1

    "The UN, the one world body which might have the ability to lean on the US and make things better for Iraq"

    The US completely ignored the UN and everybody else in the international community before the war and will continue to do so, so long as it remains the only bully in the playground. There is currently no other world power to keep Bush in check and his administration is determined to take over the world, at almost any cost.

    I get more and more concerned every day when I hear those chilling phrases such as "the American Century" and "Homeland Security" and "Patriot Act". It's getting like the McCarthy era with the "reds under the beds" - genuine, peaceful Americans are becoming more afraid to speak out in case they're labelled as unpatriotic or supportive of terrorists - is that freedom?

    The only phrase I'm still waiting to hear Bush come out with is "the final solution", then I know we're all going straight to hell.

    --

    Go permanent? In your dreams and my worst nightmares.