Microsoft wants Automatic Update for Windows
Edward Dao writes "After the embarrassment of last week's blaster worm, Microsoft is weighing the possibility of automatic update. Microsoft not only wants to upload the latest patch onto users' computers but also to install it for them." This will work out really well for everyone I'm sure. Yikes! Can I at least press 'Ok' first?
... how they will get people to activate the TCPA/Palladium features.
Now we know: MS will do it for you. How kind of them!
I know broadband usage is on the rise but really ... I use a modem. You know ... the kind that attaches to a phone line? Every time I get online with my low bandwidth solution, I don't want my bandwidth eaten up by patches.
... no thanks.
Granted, by the time this is incorporated into the OS, phone line users may be in the minority but until then
KARMA TAG! You're it.
Automatic protection from running applications that break following a patch? At least a corporate user can call the helpdesk, while a novice home user would have no idea why something stopped working suddenly, and would chalk it up to "Computers are evil". The divide between the tech-aware and tech-unaware grows exponentially.
Feh.
In the past MS has packaged EULA updates along with software updates. I really wouldn't have too much trouble with this as long as they don't try to push EULA changes along with the update.
Sure, some people might want to turn it off, but by and large I think there would be less damage with it on. I rarely meet a person who even knows what MS Update *is* let alone have used it.
I wonder how well this would work on dialup though? It seems like the world is really leaving dialup folks behind. I have cable myself but know a lot of people on dialup either because high speed is not available to them or because they really don't need a fulltime connection, and are getting by just fine on a $5/month dialup plan.
MSBlaster wasn't an embarrassment for MS, but for the lazy sysadmins who, with a month's prior notice and the patch to fix it, were still hobbled by the bug. If people who are in charge of systems and security spent more time patching and paying ATTENTION to things like Bugtraq and less time complaining about MS the world would be safer.
How is this bug more of a bummer than how gnuftp was compromised and potentially more damaging? Oh, don't hear people moaning about that on here now do you...?
The tale is telling, is it not?
So who is held accountable when the latest patch breaks something and causes loss of data? The user, because they didn't opt out? Seems like a potential shitstorm for Microsoft there. If people are too dumb to patch their system with the existing Windows Update, how in the hell are they going to diagnose problems when it's being done without their knowledge?
Microsoft is also considering whether to make the Auto Update mandatory earlier, through an interim upgrade known as a service pack.
This is a huge mistake. Talk about a support nightmare. I recently spent several hours trying to find out why my machine was freezing intermittently, only to find that Update 811493 was to blame. I uninstalled it and everything worked perfectly-- if they make it mandatory, and have a similar problem what do we do? (Switch to Mac or Linux, right?)
For the record, there's still no way to tell Microsoft I NEVER want this update. If I use "auto update" at all it downloads it and wants to install. So, now I'm stuck using manual update or my machine might freeze up again.
Just great.
Two things from the article:
And...
So... only for home users and users can shut it off!
So don't freak out too much... maybe this will actually help... think if this had been in effect for slammer... we keep bitching that the 'patch was available, why didn't people use it!'... well, this would fix that problem.
One other thing from the article:
Now that makes sense!
If you RTFA you'd find that Microsoft is only "looking very seriously" at this idea
Microsoft are MORONS. The fix for this particular worm required SP2 or greater. That is 8 hours and 10 minutes over dialup.
Windowsupdate is a godsend for people with broadband but MS are going to be required to send CDs in the mail if they want to keep dial-up users up to speed.
Life is the leading cause of death in America.
Hmm.... you clearly don't get how Microsoft got to be so huge in the first place, do you? :) Home users actually want stuff like this.
"Times have not become more violent. They have just become more televised."
-Marilyn Manson
Okay, now what happens when they decide to enter some draconian language into the EULA that you supposedly agree to by installing these patches....are you now just agreeing to whatever they want by simply using Windows? You now have no choice in this case?
Karma: Chameleon (mostly due to the fact that you come and go).
If they don't know what a patch is, then they're in more danger of a virus attacking their computer anyway. So "the divide between the tech-aware and tech-unaware" shrinks exponentially, as viruses become far less likely. The very rare case of a WU breaking something will have little impact in comparison.
This is a bad idea on soooo many levels
First of all is their patches. They sure as hell aren't 100%. So one day your favorite program might work, and the next day it might not. All without you doing anything. This is why businesses take a while to evaluate patches.
Secondly, what if there is an exploitable bug (and there will be at least one). Every windows machine out there might be downloading viruses instead of updates. If someone were to reverse engineer the network interface, and hack a couple DNS servers, they could have all those users downloading whatever they wanted, even illegal things, or viruses, hacks, anything.
Plus there's the privacy issues. I know that right now windowsupdate could send MS anything anyway, but if we all expect it to update any time it wants, we have no controls at all on our system, MS could send an update to lock you out of your own system if they suspect you of something, or just for the hell of it.
While I don't expect this to actually go through, it's important to be wary of just how abusive such a system could be.
P.S. I, for one, welcome our new windowsupdate.microsoft.com masters.
From the article:
"The company is 'looking very seriously' at requiring future versions of Windows to accept automatic software fixes unless the user specifically refuses to receive them..."
So yes you can "at least press Ok first." Although I'm sure CmdrTaco has nothing to worry about, since he doesn't run Windows any more, which I suppose is why he didn't read the article.
Personally, I think that this would probably be a responsible move on their part (and Bruce Schneier apparently agrees with me). I especially like the fact that they're going to start shipping Windows with the firewall enabled. As far as I'm concerned, no one should be worried as long as you can disable automatic updates and disable the firewall (though I think they should make it slightly non-obvious how to do so, so that the people this is intended to benefit won't turn it off). After all, you don't leave Windows exactly as it comes off the CD, do you? Hopefully, you'll also be able to create corporate install CDs with these features disabled if need be.
There are only two things that concern me:
1. Broken patches: What if, as has happened in the past, an update breaks the auto-update mechanism? Then they'll be pretty well stuffed. I'm not sure what to say about that other than "don't do that."
2. Dial-up users: As the article mentions, SP1a is big. Really big. I mean, you might think that the OpenOffice download is big, but that's just peanuts compared to...right. However, that was a combination of many small patches, and just like many other things in life, if people had updated incrementally as they should have, they wouldn't have a need for a giant update. Hopefully, MS will be able to keep the patch size down, and we can watch 2003 to see if they can keep the frequency down as well.
(Yes, I now have to care about Microsoft products again, which is annoying, but I might as well make the best of it).
WMBC freeform/independent online radio.
So you make the software update so that you agree to a EULA the first time you run it. As long as there are no changes, the patches get installed automatically. Any patch that brings a change to the EULA will not install. It would be downloaded, but a message would pop up saying that there is an update, and make you agree to the new EULA before it is installed.
At any rate, I think the EULA changes come with things like new versions of the Media Player and the like. Those shouldn't be done automatically anyway. Only security patches should be automatic.
As long as there is a way to disable it, I don't see why this would be a problem. The users who don't care about this are exactly the people that need it anyway.
Happiness is like peeing yourself. Everybody can see it but only you can feel its warmth.
"People are going to have to accept mandatory updates as part of the warranty process,"
Since when does Microsoft include a warranty on Windows?
Actually, it's quite good. You'll note that it's emulating only the X11 libraries, really even only the X11 server itself. The slowdown of having X apps pass through that layer also occurs on Linux, *BSD, or any other OS. KDE and GNOME may be open standards, but they're not as nice-looking as Aqua, and the WindowServer that runs Apple's windowing system, is, AFAIK, part of Darwin, and thus open.
Darwin is not a kernel, Mach is the kernel. You'll note that it's the same micro-kernel that GNU Hurd uses, and if Hurd isn't Unix, what is (nowadays)? Darwin may be based on FreeBSD, but the kernel is Mach, which isn't. Also, you seem to be overlooking that most Linux programs are compiled for Intel processors, not PowerPCs. Thus, they wouldn't run anyways. However, most do compile with little or no modification. Netinfo is never used directly. Requests are handled by lookupd, which uses Netinfo, but searches flat files (/etc/passwd, /etc/hosts, etc.) first. Netinfo also allows networks that share common printers, hosts, network configuration, users, mounts, etc. to be constructed easily. Unlike the registry, Netinfo is documented, and has manipulation utilities, for both the command line and the GUI. And, it's never gotten fscked up (for me.) Mac hardware may be expensive, but- it's better. Even the Linux people who use Linux on Macs agree it's faster, better, etc. on a Mac. Macs are more durable, featureful, more standard, and "just work" more and don't work less.
Okay, find music for that cheap on Linux (while still supporting the artist). It's hard. The music industries wouldn't stand for a service without DRM, and you'll note Apple is pretty darn nice. Unlimited CD burns (but no more than 10 for the same playlist), 3 computers, unlimited iPods. Plus, AACs are MPEG-4, which is darn good quality, and darn small file size. I would never use Windoze, and always like Linux. But for me, Mac OS X is a great UNIX, and is all I need it to be.
It would seem you haven't taken a close enough look at Mac OS X.
Moderators: Mod me down troll all you want, but mod the parent down troll as well. Where are my mod points when I need them? This is perhaps the single best argument raised in this thread. I'm a broadband user (ah the joys of in-home ethernet) and I'm in the process of putting together a new machine. It's running windows because some of the software my school requires is Windows only.
Now, I've been downloading updates for the last hour or so now. I understand that the Microsoft site is probably pegged following all the media coverage of the latest worm, but nonetheless, I'm a broadband user and it's still taking me a significant chunk of time to download all these updates.
Dialup can only be worse. If MSFT wants to keep the users current they've gotta either find some way of updating Windows that's not quite so hard on dial up (mailing CDs sounds good) or they need to find some way to bring the average patch size down. I have a hard time buying into the idea that the problems in the system really require a patch of that size. With a little more creative work you'd think they could find a more efficient way to insert the new code.
Killfile(TGK)
No trees were killed in the creation of this post. However, many electrons were inconvenienced.
By default, automatic update is enabled for Windows. Anyone technically savvy immediately turns it off five seconds after installation is complete.
Sounds like you're unreasonably paranoid. I've been using Windows 2000 for three years and whenever I need to reinstall (usually due to hard disk crashes or building a new machine. NEVER because the OS or Microsoft did something stupid) the first thing I do is go get all the updates. Nobody who is "technically savvy" wants to run a version of their OS that is three years old. Why? For reasons of security, stability, and compatibility with new software. Why not have the OS go find them for me?
Stop speaking for me. I consider myself technically savvy due to my degrees in Electrical Engineering and Computer Science as well as my hobby of building PCs for my friends. At first, when a service pack added the auto-update feature to W2K, I had it set to let me verify updates, but then I noticed something: I kept hearing about worms and vulnerabilities in Windows on Slashdot and from my friends a day or two after I saw my PC automatically find the fix from MS. It certainly beats going to windows update myself after the fact. I let auto-update have free rein after that discovery.
The fact is that most people who use Windows do not understand that they need to update their OS in order to keep their computer running. What's the first thing you do if you try installing a piece of software and it doesn't work? Roll back to an earlier backup? I doubt it. If your hardware seems to be working you go and get all the current driver and OS updates because developers usually release their software built on platforms with recent OS and driver versions.
Obviously I think automatic updating could be a good thing, but there could be some problems. Nobody with a modem connection wants their OS to automatically dial in and start downloading 15MB patches. You also may not want your server to start downloading patches at peak traffic hours. I hope that MS leaves the option for user input for these reasons. It also only currently downloads critical updates. Their decisions about what is critical have been reasonable so far.
One good thing that you might not see coming from the auto-update is that now you don't need Internet Explorer to use the windows update site.
Dewey, you fool! Your decimal system has played right into my hands!
The last thing that I saw break my system was a patch or update to DirectX. After it installed, my laptop blue-screened on boot. I was unable to fix. After re-installing the OS (and everything else) at great cost to my time, the patch/update worked the second time.
Right now we're holding off applying Win2K SP4 to our web servers. It contains a change to the security model that will break some of our ISAPI extensions. The fix is trivial, but we haven't had time to check it out on a test bed, nor deploy it to all our servers (unfortunately we have to do them manually as we don't have anything like SMS deployed).
Idiot proof everything, like the way the standard RedHat install sets up all basic command line functions to be verbose by default. And then as you learn more about what you're doing you can set these preferences to something else.
Don't forget, people, in general, hate to A) Read and B) Learn
Then, as the user becomes more proficient, s/he can set things up the way they like.
Think about it, if you don't know enough about something to know how to turn it on or off, do you really think you should be able to choose if it's on or off?
"Whadda'ya watchin'?"
"Angry Monkey."
"That HORRIBLE monkey."
but i can understand why redmond thinks it's a good idea. they're taking a beating in the press over security and they've determined that the real problem (rightly or wrongly) is the end user - so now they have a "solution"
I don't want to stick up for MS or anything but the problem is the user. If there is a patch available and the user doesn't install it then it is the user's fault (even if the user is ignorant).
The way I see it there are two obvious solutions...
1. Force the update on people.
2. People should have to have a licence to own a computer and take a test so that they understand security issues. Now I realise that sounds a little extreme but if you take into account the cost in business that worms cause then it might be a good idea. It would certainly get rid of the ignorance defense.
what off hours? there is no such thing in most cases. and the off hours wouldn't be enough time to download the patches anyways in time(speed just isn't fast enough)
typical users DON'T leave their home computers on when they don't use them btw.
and need that phone line occasionally for phone calls, i'm sure you've had one, but some people get them like all the time even on their landline.
most people when they are online with their modem, are in the middle of doing something important(they wouldn't be online unless they were). using the phone line isn't free either in majority of countries, so leaving it to up to the os to decide when to dial up is not an option.
the bloated drivers and updates are a real problem in today's world when you're trying to keep your relatives little computers running good enough (nvidia drivers take +30mb, for example). sure it isn't a problem when you have 100mbit jack on the wall but majority of people don't have that.
world was created 5 seconds before this post as it is.
Additionally I would hate to think that computers would roll out with auto update automatically enforced on home users machines. Quite a few home users wouldn't know if they had turned it off or not for one. Can you trust Microsoft to have tested the patch against software you use? What if you've got a "pay for use" internet account? Do you want to pay for the bandwidth Microsoft uses? HINT: Think service pack. What if a patch goes wrong or the home user mistakes it for a virus and forces a shut down in the middle of a service pack?
I'm not going to suggest that Microsoft would use this to monitor individuals or covertly take over people's machines, that's just more FUD. I do think, however, that the last thing Microsoft needs to do to their software is add another automated feature that can be compromised and easily manipulated because it's already built for interaction with external machines over an inherently insecure environment.
You don't fix a hole in a dam by adding more holes.
It takes more faith to believe in evolution than it takes to believe in God
Too dumb? How about just not interested? Many people just want their computer to work, the way their car and dishwasher "just work". They couldn't care less about any of the technical details. Resistance from arrogant fucks like you has been holding this back, and Microsoft is finally making a bold move in the right direction.
Clearly the technology's simplicity is oversold. "Anyone can use it!" Hey, how about some intelligence/knowledge requirements for voting? Right now, just anyone can vote.
Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.
It'd be pretty damn noticeable on my British Telecom phone bill.
Not everywhere has free/inclusive local calls, remember.
Andrew Oakley - www.aoakley.com
If 90% of the consumers can't drive the new CarX is the fault in the consumers or in the car?
If 90% of the users don't know how to make a call in their new cell phone is the fault in the users or in the cellphone?
If 99.99% of the users can't read a book written in Latin should we:
a) Translate the book
b) Teach everyone Latin
Only people who would even consider option b are computer engineers.
If you don't like the fact that most people are ignorant about inner life of computers? Go back to BBSes. Oh wait, they don't have the content, the people, the cheap connectivity? Has it occurred to you that those exist because internet is full of people! You can't have it both ways.
If companies think being on the internet is dangerous who forces them to put critical services there? Maybe they are there because the gains outweigh the benefits?
And before you throw in the facts about traffic laws... Majority of drivers are in favor of some sort of laws existing, I'd even bet that they support the majority of the current laws. What you'd want is a law supported by the few, benefitting the few, paid by the majority (in work hours wasted studying computer security).
I guess it depends on what you're calling a defect. If someone comes along and pours sugar into your gas tank your car won't keep running right. Is that a recallable defect?
If someone sends a particularly malformed request to a process on your machine it won't run right. Is that a recallable defect?
I'd say no in both cases.
And as my father, a mechanic, will tell you, most people do not check the oil, coolant, power steering fluid, tire pressure, etc. The more careful ones bring in the car if it makes a funny noise long enough. Many people only think about the car when it won't run anymore. Putting gas in the car is pretty much the only thing "end-users" do reliably, and even that doesn't happen often enough sometimes (did you know that it's better for your car to not allow it to get below 1/4 tank, because then junk on the bottom of the fuel tank gets sucked into the engine?)
The frightening bit is that my mom, a Physician's Assistant, will tell you the same thing about people and their bodies. She gets in all sorts of cases where people have had horrible things wrong with them and haven't bothered to come in for a week, or the guy who drank 3 40-oz. beers a night, and his main concern was wondering why he had to wake up to go to the bathroom so often.
(as for dishwashers, most of them require you to at least scrape your plate before you put it in, and my father, having cleared out a dishwasher that pretended you didn't have to do that, will tell you that they ALL require this.)
WMBC freeform/independent online radio.