Slashdot Mirror
Microsoft wants Automatic Update for Windows
Edward Dao writes "After the embarassment of last week's blaster worm, Microsoft is weighing the possibility of automatic update. Microsoft not only wants to upload the latest patch on to users' computer but also installing it for them." This will work out really well for everyone I'm sure. Yikes! Can I at least press 'Ok' first?
Of course, this will be implemented in such a way that implantinga fake RR for windowsupdate.microsoft.com into a local name serverallows Windows to download and run any file with a certian file name. This should make it far eaiser to fool Windows Update into installing Linux.
This will make Linux rollouts a breeze after buying all those Dells.
Imagine the possibilities!
Then again, the Microsoft Tax is cheaper then the SCO tax.
If you RTFA you'd find that Microsoft is only "looking very seriously" at this idea,
that it would not apply to business users of XP (since they want careful control
of the patching of their machines), and that it would be possible to opt-out from
the automatic updates.
So if you are a business user you don't get automatic updates, if you are a home
user of XP that is technically savvy you can turn it off, and if you are a home
user who is not computer savvy then you are going to get automatic updates. This
latter group seems like the ideal set of people to get automatic protection.
John.
they want to reboot my computer without informing me?
Harder.. Better.. Faster.. Stronger
... how they will get people to activate the TCPA/Palladium features.
Now we know: MS will do it for you. How kind of them!
I know broadband usage is on the rise but really ... I use a modem. You know ... the kind that attaches to a phone line? Everytime I get online with my low bandwidth solution, I don't want my bandwidth eaten up by patches.
... no thanks.
Granted, by the time this is incorporated into the OS, phone line users may be in the minority but until then
KARMA TAG! You're it.
if someone breaks into MS WindowsUpdate servers, he could install ANYTHING on millions of computers!
wow... scary...
Some of us are still on dialup, and an automagic update of Windows via 56K modem would literally take HOURS if the connection even holds at all. I don't think I should be forced into high-speed access just so I can update my Windows partition periodically.
Be excellent to each other. And... PARTY ON, DUDES!
You can do this already with Windows XP if you set it up to do so. In the system properties go to the Automatic Updates tab and then click on the radio button next to the bottom option, "Automatically download the updates, and then install them on the schedule that I specify".
Of course you'd have to be out of your gourd to do this regarding MS's history of untested patches. Also I noticed that MS is including driver updates in the critical updates as well (nVidia driver). I've NEVER installed a driver from MS on my computer and every time a customer of ours does it, it seems to totally screw up everything.
Duris MUD - The best pkill MUD. Ever.
How do you know Microsoft is automagically updating your system? I think the fact that it reboots ten times in a row is quite a giveaway...
In the past MS has packaged EULA updates along with software updates. I really wouldn't have too much trouble with this as long as they don't try to push EULA changes along with the update.
Sure, some people might want to turn it off, but by and large I think there would be less damage with it on. I rarely meet a person who even knows what MS Update *is* let alone have used it.
I wonder how well this would work on dialup though? It seems like the world is really leaving dialup folks behind. I have cable myself but know a lot of people on dialup either because high speed is not available to them or because they really don't need a fulltime connection, and are getting by just fine on a $5/month dialup plan.
So what is it that you really want?
Manual updates? "LOLOLOL! M$ users are so stooopid that they can't do even that!".
Automatic updates? "LOLOLOLOLOL!!! You would let Microsoft to update your systems?! You fool! Why don't you download a Gentoo instead?!"
Systems that are secure and usable out-of-box? No such thing.
BOO! TERRO
MSBlaster wasn't an embarrasment for MS, but for the lazy sysadmins who, with a month's prior notice and the patch to fix it, were still hobbled by the bug. If people who are in charge of systems and security spent more time patching and paying ATTENTION to things like Bugtraq and less time complaining about MS the world would be safer.
How is this bug more of a bummer than how gnuftp was compromised and potentially more damaging? Oh, don't hear people moaning about that on here now do you...?
The tale is telling, is it not?
Resistence is futile, you will be patched...
"I have always been a fierce enemy of the Microsoft update feature, because I just don't like the idea of someone else -- particularly Microsoft -- controlling my system," said Bruce Schneier, co-founder of Counterpane Internet Security Inc. "Now, I think it's great, because it gets the updates out to the non-technically savvy masses, and that's the majority of Internet users. Security is a trade-off, to be sure, but this is one trade-off that's worthwhile."
And that concludes our evaluation of Counterpane's security consulting services. Have a nice day. Don't let the door hit you on the way out, Bruce.
Edith Keeler Must Die
1) WindowsUpdate needs to become MicrosoftUpdate. This would scan and offer patches for all MS software (OS, Exchange, SQL, IIS, Office, Visual Studio, ....). Also extend SUS to do the same.
...
2) Critical Update notification should be done the way OSX does it (with a little configging) -- instead of a tiny little innocuos icon in the system tray, put an obnoxious pop-up in the middle of the screen, with a big "Go Ahead and Install" button, with lots of skull & cross-bone icons.
3) Create patches using their own packaging structure: MSI. This allows for much simpler deployment and management, via Active Directory. No need to pay for SMS simply for patch deployment.
4) Supply MUCH MORE documentation to end users, discussing the importance of keeping one's machine patched.
5) Stop producing such buggy software! =}8v)
Just my $0.02
10b||~10b -- aah, what a question!
The main problem is people not knowing, or not caring about patching or updating the problems. This isn't something that's directly managable by MS. With an OS so widely used, how can updates be ensured to be installed on everyone's machine to stop spreading of viruses and exploits?
Some will say the user should have the choice... ok, so half the people who couldn't care less will still allow the spreading of the problems...
Some will say automatic background updating is the only solution... ok, so the majority of people still using low speed connections will bog down their systems, let alone major networks suddenly pulling huge bandwidth when every machine receives the command to update simultaneously...
And some still complain that even if the update is pushed and you need to say yes or no, it's still infringing on your privacy your own system...
Is there any way to implement a global, trustworthy, reliable patch service that is accepted by everyone? If not, there's no way to stop the virus spreading, work generating underground from having hay-days at the world's expense...
And this goes for any OS, not just Windows...
Microsoft is also considering whether to make the Auto Update mandatory earlier, through an interim upgrade known as a service pack.
This is a huge mistake. Talk about a support nightmare. I recently spent several hours trying to find out why my machine was freezing intermittently, only to find that Update 811493 was to blame. I uninstalled it and everything worked perfectly-- if they make it mandatory, and have a similiar problem what do we do? (Switch to Mac or Linux, right?)
For the record, there's still no way to tell Microsoft I NEVER want this update. If I use "auto update" at all it downloads it and wants to install. So, now I'm stuck using manual update or my machine might freeze up again.
Just great.
Most people are in far more danger of their computer being destroyed by a virus than they are of it being damaged by an automatic update.
If you think this is a bad idea, then you don't realize just how stupid the great mass of computer users are. I'm sure Microsoft will make this in a way that will allow anyone who knows what they are doing to turn this feature off. But it will kill viruses and worms that exploit windows holes, that's for sure. I can't recall one that's come out in years where the patch hadn't already existed, but that users were too stupid to download.
Besides, I'm sure that recent power outages spooked Microsoft for at least a few moments. They thought: Could this have been a computer problem? Not even Microsoft has that kind of money were it to be found liable.
* NB: allowed, not required---it's your choice.
20 mil and I will! Learn Esperanto with 20M others.
if (company_trusts_microsoft_code())
{
use_windows_OS();
allow_auto_updates();
}
else
use_some_other_OS();
/*
junk code
bitch();
moan();
flail_arms_wildly();
*/
Banu
Circa Windows 2000, service pack 3.
By default, this already happens.
The story here is that Microsoft backed off when privacy groups thought this was a crummy idea (especially with the EULA of SP3 and XP SP1, big-brother visions abound).
Now they are saying they'd consider giving you more control over this, and to, by default, accept security-relevant patches in this manner by default.
Also, (big item), they'll ship the machines with the firewall enabled. That alone is probably the best idea they've adopted under recent community pressure.
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
* Check for warez/serialz -- disable them and alert the vendors. Vendors can subscribe to "MS Auto Alert" program.
* Check for downloaded MP3s (from a database of known MD5s) -- disable them and alert the record distributors. RIAA can subscribe to "MS Locked Tunes" for service.
* Check for P2P programs -- disable them and alert local gov't authorities. Gov'ts can give big grants to MS for this as part of their "Anti-Terror-and-Pro-Business-Computers" bill.
* Check for web/ftp/irc servers -- disable them and alert ISP as to uploading violations. ISPs can join the "MSN One-Stream" network.
* Check for NAT -- diable and notify ISP... part of the push towards "MS-IPv6-PLUS!"
* Check for competitors' products (DRDOS, Java, Mozilla, OpenOffice, etc) -- disable them and alert user that their software was incompatable with the latest service pack. This one is free for end-users!
I think this is great, most Windows-users don't know what Windows update is anyway. Of course it should only distribute critical updates.
You can already have Windows download and install the most important updates on its own. I have this feature enabled on an internal webserver at work, and it works very well. It downloads the patches as they become available, then it installs them att 3 AM when there's noone visiting the server anyway.
Corporate users probably don't want a feature like this though, if a fix breaks the most critical business application, it's better to not apply it at all. They would be better off with an internal Windows update-server that only hosts the patches that has been OK'd by the tech department. This feature is already available as well.
Martin
Anyone remember NT4 Service Pack 6? The first one? The one that broke tcp/ip?
It's like the old joke:
What's the difference between a light bulb and a pregnant lady?
You can unscrew a light bulb.
MS had better make very sure their functionality is more like a light bulb than a pregnant lady. :)
"I'd rather be a lightning rod than a seismometer." -Ken Kesey
I'm not sure who these customers are that want this...but to me this amounts to saying "our customers are lazy and stupid". Maybe I'm trolling, but...the "kinds of threats" that are out there are caused by microsoft writing vulnerable code in the first place! Sure everyone has bugs, but maybe, just maybe, they'll write a buggy patch too! I don't see how anyone could even be considering this as the default. If these people want microsoft to automatically update their computer...they can turn it on right now!
I know you hear this a lot here, but people need to either
a) have a working knowledge of their computer/operating system, including how to maintain it.
b) have their computer regularly maintained by another live human being.
This isn't that hard. People have this perception of computers as the same as their television or washing machine in terms of support - don't touch it unless it's obviously unusably broken. They don't work that way, they're much closer to cars. Sure, some people don't maintain their cars either, but those people aren't in the majority.
I'm rambling at this point, but really this is a disaster waiting to happen. What, are we going to end up testing EULAS in court finally when microsoft breaks ten million computers automagically and then says "well, you clicked the agreement"? I guess that could be agreeable. Please, I know most people here know what they're doing with their computers, but this problem is not just caused by microsoft. Educate everyone you know about the needs for computer mainenence! Make them pay you, I don't care, do something. Of course, the stupid IT department here got the worm too, so maybe it's completely hopeless.
Sure the tech savvy users like those who frequent slashdot (and we're ignoring the rabid fascist anti-MS zealots here) will not like the idea - but the problem that Microsoft is having is that even the general public are starting to mistrust them.
A case in point is the abysmal failure of Passport. Sure it has hundreds of users, but nearly all of them were forced into getting it because they wanted a hotmail account. Very few people actually store all their personal details on there.
Until they get the trust issue sorted, people are never going knowingly let them take control.
Avantslash - View Slashdot cleanly on your mobile phone.
This is a bad idea on soooo many levels
First of all is their patches. They sure as hell aren't 100%. So one day your favorite program might work, and the next day it might not. All wihtout you doing anything. This is why businesses take a while to evaluate patches.
Secondly, what if there is an exploitable bug(and there will be at least one). Every windows machine out there might be downloading viruses instead of updates. If someone were to reverse engineer the network interface, and hack a couple DNS servers, they could have all those users downloading whatever they wanted, even illegal things, or viruses, hacks, anything.
Plus there's the privacy issues. I konw that right now windowsupdate could send MS anything anyway, but if we all expect it to update any time it wants, we have no controls at all on our system, MS could send an update to lock you out of your own system if they suspect you of something, or just for the hell of it.
While I don't expect this to actually go through, its important to be wary of just how abusive such a system could be.
P.S. I, for one, welcome our new windowsupdate.microsoft.com masters.
If Dell, HP, IBM, for Vendor X sells a PC to a customer, and Automatic Update causes that PC to no longer boot or work properly, that customer is going to back to where they bought the PC. Who is expected to pay the support? The vendor? Microsoft? The customer? My guess it'll be the customer one way or the other.
What if the machine is in a small or home-office business handling some critical task and the Automatic Update causes a failure or some data to be lost? Will M$ be liable and pay damages? Doubtful.
If the patch requires a reboot, will it also automatically reboot the machine?
I can see so many ways this is going to cause all kinds of problems.
My guess is that the "Home" version of the OS will have automatic update turned on by default, and probably difficult to turn off since M$ users don't know how to do anything for themselves, therefore if they try to turn this off they must really be trying to turn it on so they'll leave it on. (Hmm, that sounds kind of like turning off DCOM but it still being active).
The "Pro" of "Office" or "Server" or whatever they call the more expensive version used by IT departments will probably have this turned off so automatic update doesn't take out people's networks. Especially people big enough to be more than just a minor irritant.
Can you image a Fortune 100 company having 1/3 or 1/2 of it's systems down and its IT department totally consumed and in knots trying to fix a problem that looks like a virus. First just a couple of systems would have problems, but as their clocks hit a certain time and the Auto Update goes out and installs the new code, more and more systems fail.
And then there are the systems that report they have the update installed, but really they don't for whatever reason. Following NTBugTraq on this last virus has been more interesting than for past viruses. Several systems had DCOM turned off, all the tools said it was off, but the systems were still vulnerable. Other systems reported the patch was installed, but they were still vulnerable.
This auto update sounds like such a can of worms. M$ may just be giving more people the push they need to check out alternatives. Here's hoping.
. 62,400 repetitions make one truth -- Brave New World, Aldous Huxley
... as the 'Automatic Updates' control in Windows 2000 SP3 and beyond. It is enabled by default in SP3/SP4, and will place an icon in your taskbar when new updates are available. It won't download them until you ask it to do so.
You can set it completely off, or set it to automagically download and install updates.
What came before the Big Bang? Hum, it must have outside of time...
From the article:
"The company is 'looking very seriously' at requiring future versions of Windows to accept automatic software fixes unless the user specifically refuses to receive them..."
So yes you can "at least press Ok first." Although I'm sure CmdrTaco has nothing to worry about, since he doesn't run Windows any more, which I suppose is why he didn't read the article.
Personally, I think that this would probably be a responsible move on their part (and Bruce Schneier apparently agrees with me). I especially like the fact that they're going to start shipping Windows with the firewall enabled. As far as I'm concerned, no one should be worried as long as you can disable automatic updates and disable the firewall (though I think they should make it slightly non-obvious how to do so, so that the people this is intended to benefit won't turn it off). After all, you don't leave Windows exactly as it comes off the CD, do you? Hopefully, you'll also be able to create corporate install CDs with these features disabled if need be.
There are only two things that concern me:
1. Broken patches: What if, as has happened in the past, an update breaks the auto-update mechanism? Then they'll be pretty well stuffed. I'm not sure what to say about that other than "don't do that."
2. Dial-up users: As the article mentions, SP1a is big. Really big. I mean, you might think that the OpenOffice download is big, but that's just peanuts compared to...right. However, that was a combination of many small patches, and just like many other things in life, if people had updated incrementally as they should have, they wouldn't have a need for a giant update. Hopefully, MS will be able to keep the patch size down, and we can watch 2003 to see if they can keep the frequency down as well.
(Yes, I now have to care about Microsoft products again, which is annoying, but I might as well make the best of it).
WMBC freeform/independent online radio.
Tell ya what Microsoft, you can patch my machine automatically as long as I get to sue you the first time an automagic update foos my bar. Yeah, tough call huh?
You may not know this, but there are a lot of people who don't jump on the latest service packs not because they lazy, but because they are scared.
You don't really own your computer, Microsoft does. They can do whatever they want whenever they want. Isn't that right class? Now repeat after me...
I thought the Automatic Updating Service in XP Pro already did this. It has the options to download and install, download and let you decide, just tell you there is a patch or of course you can disable it totally... I fail to see how this "new" idea is any different. I thought the XP auto update was set to download and inform by default so perhaps they're just switching the default setting.
Just have a look for yourself. Control Panel > System > Automatic Updates
Let's assume for a moment that everyone's fine with Microsoft deciding you need to patch your system. Your home machine downloads the patch and installs it and your machine reboots - you're patched.
Those of us that work as sysadmins/netadmins/DBAs at various companies know that when Microsoft puts a patch out on Windows Update, it's not necessarily tested out to completion. That's part of why patches take so long to proliferate - dependable administrators test them in-house, instead of depending on MS's testers. Let's face it...if Microsofts Quality Assurance team were so sharp (or listened to - it can't ALL be their fault), many of the after-the-fact patches wouldn't be necessary.
Is Microsoft going to take responsibility for auto-installed patches that a) don't work b) make situations worse? Or are they going to take the stance of "The user could've refused our auto-install, but they didn't - they knew the risks."
We all know how hard it can be to opt-out of spam - how difficult will Microsoft make it to opt-out of auto-installed patches...and for those of us that can't/don't, how sure are we that it won't make things worse?
Actually, it's quite good. You'll note that it's emulating only the X11 libraries, really even only the X11 server itself. The slowdown of having X apps pass through that layer also occurs on Linux, *BSD, or any other OS. KDE and GNOME may be open standards, but they're not as nice-looking as Aqua, and the WindowServer that runs Apple's windowing system, is, AFAIK, part of Darwin, and thus open.
Darwin is not a kernel, Mach is the kernel. You'll note that it's the same micro-kernel that GNU Hurd uses, and if Hurd isn't Unix, what is (nowadays)? Darwin may be based on FreeBSD, but the kernel is Mach, which isn't. Also, you seem to be overlooking that most Linux programs are compiled for Intel processors, not PowerPCs. Thus, they wouldn't run anyways. However, most do compile with little or no modification. Netinfo is never used directly. Requests are handeled by lookupd, which uses Netinfo, but searches flat files (/etc/passwd, /etc/hosts, etc.) first. Netinfo also allows networks that share common printers, hosts, network configuration, users, mounts, etc. to be constructed easily. Unlike the registry, Netinfo is documented, and has manipulation utilities, for both the command line and the GUI. And, it's never gotten fscked up (for me.) Mac hardware may be expensive, but- it's better. Even the Linux people who use Linux on Macs agree it's faster, better, etc. on a Mac. Macs are more durable, featureful, more standard, and "just work" more and don't work less.
Okay, find music for that cheap on Linux (while still supporting the artisit. It's hard. The music industries wouldn't stand for a service without DRM, and you'll note Apple is pretty darn nice. Unlimited CD burns (but no more that 10 for the same playlist), 3 computers, unlimited iPods. Plus, AACs are MPEG-4, which is darn good quality, and darn small file size. I would never use Windoze, and always like Linux. But for me, Mac OS X is a great UNIX, and is all I need it to be.
It would seem youhaven't taken a close enough look at Mac OS X.
Moderators: Mod me down troll all you want, but mod the parent down troll as well.I have several people who use a web based service from my company that runs on Windows 2000 Server. I check for patches daily and install them as soon as I do a full backup (in case it shits out the whole system).
My users kept calling saying "You have that Blaster Worm on your system because every time I try to connect my computer dies!". So I explain to them my systems have been patched for that exploit for over a month and I have run all the proper testing software to verify. I then ask if they have AntiVirus software installed and their reply is "I don't know.". Lol, I don't know, so it must me my server! I immediately tell them to invest in a copy of Norton Antivirus and Norton Firewall.
Ah, the world of windows.
The funny thing is if these same people were running linux they would be logged in as root and still execute whatever script someone sent them. I'm not too sure Linux would be any more secure than Windows because in windows you can also run as just a User. However, when doing that a significant number of poorly designed programs will not work.
ahem, I think you left a few off...
- Check for Yahoo, AOL, IRC, etc. clients, as well as Jabber and Trillian, disable and cancel the user accounts, and re-enable with the new MSN client. Update registry so that system will no longer boot if MSN is tampered with.
- Check for the presence of Opera, Mozilla, other browsers, disable and delete them, then modify the registry so that their installers will no longer work, then reinstall Internet Explorer with fully idiotic preferences set as defaults, and provide support for a whole new set of web "standards" that only Microsoft will ever use.
- Filter through user's bookmarks and delete any bookmarks that match any of the following criteria: a) bookmark points to competitor's web site, b) bookmark points to web site that sell competitors products, c) bookmark points to site that mentions any competing product, or d) bookmark points to site that employs or otherwise associates with one or more individuals who currently, or have in the past, made use of or considered using a competing product.
- Remove all versions of email clients other Outlook. If user does not have Outlook or any other Office products currently installed, go ahead and continue removing other email clients, but after that's finished force the user to purchase a copy of Outlook because it's the only "safe" email client for Windows
- Check to see if user has updated their system prefs to show file extensions in the Explorer windows. If so, set it to false so that file extensions are no longer shown because that's really more "secure"
Did I get them all?
What's likely to happen? Microsoft will screw up a few times, to great embarrasment, then they will by economic necessity learn how to make reliable patches. After all, their only alternative is the greater embarrasment of rampant worms and viruses. The rest of the industry (including free software) will see that it is possible, and be pressured to do the same. It may be rocky for a while, but the end result is that millions of naive users will have reasonably secury systems. This is a huge improvement over today.
The evaluation of an action as 'practical' . . . depends on what it is that one wishes to practice.
Ok MS, that will work.
At least until someone finds out that the update system itself is broken and uses it to directly install stuff into your computer.
Oh wait... they've been on secure programming for some time now... ain't gonna happen.
well, technically you give permission when
i agree that not knowing what's getting put on your machine is irksome, but this idea has sprung from two problems that everyone here is very aware of:
now, having said that, i hate the idea on principle... but i can understand why redmond thinks it's a good idea. they're taking a beating in the press over security and they've determined that the real problem (rightly or wrongly) is the end user - so now they have a "solution"
2 1337 4 u!
The major problem with software distrobutions such as windows is that the entire OS thrives on the 'one click' philosophy. One-click update, one-click install, and one click virus infection. People are so used to windows giving them one click 'Ok' windows that they end up clicking Ok and worrying later. 90% of regular office users end up clicking okay to almost anything and installing spyware, viruses, etc.
Windows needs to 'brand' the update procedure; make it so obvious and un-repeatable by other apps, so that users are not duped.
Reason, free market capitalism, and individualism
I didn't bother to patch my office machine against MSBLASTER, and why should I?
I've been stripped of most of the permissions to admin my own machine because the internal IT support has been centralized. That means a few people service the rest of us in a way that generally has the good of the company in mind.
That said, if they take away my permission to do it, and they get caught with their pants down, why do they expect us all to run software locally on our own machines to fix the latest problem X? It's because oboviously these people do not have enough resouces support a network of our size.
If it wasn't the veil of "computers" clouding the issue, I bet someone upstairs would have corrected the logic of, "If they can't do their own job, we can get the whole company to waste a bit of time to help them out."
Certain systems require certain amounts of support, but this is not an OS issue. It's just more pronounced in systems that require more man hours to keep on the bleeding edge of security.
Idiot proof everything, like the way the standard RedHat install sets up all basic command line functions to be verbose by default. And then as you learn more about what you're doing you can set these preferences to something else.
Don't forget, people, in general, hate to A) Read and B) Learn
Then, as the user becomes more proficient, s/he can set things up the way they like.
Think about it, if you don't know enough about something to know how to turn it on or off, do you really think you should be able to choose if it's on or off?
"Whadda'ya watchin'?"
"Angry Monkey."
"That HORRIBLE monkey."
but i can understand why redmond thinks it's a good idea. they're taking a beating in the press over security and they've determined that the real problem (rightly or wrongly) is the end user - so now they have a "solution"
I don't want to stick up for MS or anything but the problem is the user. If there is a patch availiable and the user doesn't install it then it is the user's fault (even if the user is ignorant).
The way I see it there are two obvious solutions...
1. Force the update on people.
2. People should have to have a licence to own a computer and take a test so that they understand security issues. Now I realise that sounds a little extreme but if you take into account the the cost in bussiness that worms cause then it might be a good idea. It would certainly get rid of the ignorance defense.
I don't think it's a horrible idea to make automatic silent updates the default. After cleaning up some of my relatives' machines after the Blaster worm, I set them all to automatic updates. Yes, there is a chance that an update might break something, but this chance is far less than the chance of another exploit or worm trashing the system.
They just don't understand it at all and as the person who gets called when there is a problem, I'll take any proactive measures that I can to make sure things continue running smoothly.
In fact I want MS to quietly run every aspect of my life unasked. I want multimegabyte SPs unasked. I want new and improved packaging and several dozen applet upgrades unasked. Especially the ones that break something else. I want updates to wipe out competing applications unasked. I want application changes on the fly so that file formats suddently become incompatible. I want their updates to clash with themselves. And mostly I want to pay for it.
Instead of taking the blame for writing yet another security hole (not even a novel one at that), they're pushing it off on the customers who are behind on patches. Yes, people should apply patches for these, but maybe they could be a bit more careful in writing the OS and apps in the first place. The blame here is on MS and the virus/worm writers, not on the customers who are having both inflicted on them.
Yes, no OS is perfect. But, their attitude here seems to be "you deserve to get hit if you didn't apply the patch-of-the week".
I can hear it now, a phone call from my Windows/56k modem afflicted parents, "Why's it all so slow?".
To which the only real reply is "Because Bill knows best Mum. Because Bill knows best". Add to this the fact that they crank up their computer on a six-monthly basis, and would probably stop altogether if each time they did, it rebooted the PC. Not that much different from MSBlast, really.
ooooooh! What does this button do? - DeeDee, Dexters Lab.
I'm sure these customers didn't know they had a problem with their PCs. That was the first fact that caused the worm to be a problem. The fact that the computers weren't patched was secondary. Instead of pushing the patches, why not be more aggressive about notifying customers, and giving us better tools to patch and scan? Asking millions of users to pull updates ALL THE TIME, or turn on an automatic pull where there are only 3 configuration options is a real lack of choice. There are lots of things in between that can be tried. If I were a home XP user, and I saw a notification, "Message from Microsoft Security: Due to a problem recently found in WinXP, You are at high risk of being hit with an intrusive virus or worm. Here is a web site with details. Here is a 1-800 number with details. To correct the problem now, press Ok." Supposing MS did give home users this easy to use scan, notify, patch utility, the only reason they would not use it is if the EULA were too scary. This is easy to fix. Put a big splash screen with "Absolutely no Information is gathered and Sent to Microsoft. To see how this tool works, click here. Microsoft will never change this policy without your consent. (Like we did with WindowsUpdate)" We shouldn't have to wait long to see an analysis of Blaster, but I am going to guess that the majority of infection vectors came from business or academic Win2000 installations. WinXP systems crashed so much, they weren't efficiently spreading the worm. So corporate tools to fill this middle ground need to be improved. The hard to learn and use tools like IIS lockdown, hfncheck, etc need to be seriously overhauled. At work, I would love to have a non-web-based WindowsUpdate SCANNER, and a separate PATCHER. They'd be easy to use with a GUI, but also have command line options so they could be used in scripts. (SUS isn't what I'm talking about, because it is browser based, and the process is still a pull. The only way you can push an important update is to go to each server, or set the servers auto-pull frequency really high) I also wonder if MS is afraid that making system maintenance too easy might cut in to their SMS server sales?
I owned that PC all the way out of the store. I owned it all the way home and out of the box. I plugged it all up, hit the power button, then the "transfer of ownership" started. Once the initial non-linux OS started to boot (or install for my "put together box"), my ownership went away. My PC told me it had to get some files. It reached out across the open internet and started doing things on it's own. Then a popup message appeared on the screen. "Your machine has been caught downloading Intellectual Property of !! Your harddrive is being wiped!!"
So the cycle of ownership goes.....
simply do an add deny tcp and add deny udp in ipfw on ms's address on your gateway and you don't have to worry about it.
Red Hat is for people who hate Windows, FreeBSD is for people who love Unix.
www.putertech.net
And, 10.3 Panther will also let you save off the updates. That way, you won't have to re-download them in case you need to rebuild the system (provided that you archive the packages).
Sure beats the "Winbows XP re-install and download 80 Mb of updates" hamster wheel.
Political correctness is the newest form of slavery.
Windows NT service pack 6
[RANT]
Remember this gem? All the people that installed it had inoperable machines. It was so bad that it was recalled *6* hours after being posted. Then a week later came SP6a. I definitely do *NOT* want them pushing crap to my machines. I have no problem getting my own updates. Set up auto-update by default, but let those of us that know what we're doing be able to turn it off. I'm all for (l)users getting crap in general (not necessarily viruses/virii). Maybe that will get them off computers and leave them to the experts.
How come everyone and their brother is allowed to operate a computer at will, but I need a license to fish?
[/RANT]
-Ab
Nothing fails quite like prayer.
Clearly the technology's simplicity is oversold. "Anyone can use it!" Hey, how about some intelligence/knowledge requirements for voting? Right now, just anyone can vote.
Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.
This is a terrible idea. My brother is a sys admin and 9 times out of 10 the microsoft update patch breaks some or all of the 3rd party software installed like Backup Exec, anti virus.... you know... the minor things ;-)
Have a Happy.
I think forced immunization of vulnerable open machines on the network is a good idea, under the right conditions.
After public notification of the nature of the vulnerability.
After a patch has been made available and notices posted, sent out.
After a user or sysadmin keeps their machine unpatched and exposed.
After a second warning has been posted, sent that forced patching will occur.
Then, and only then, a worm-delivered patch should be administered.
But it should not be administered by MS, though they were responsible for the vulnerability.
MS is a profit oriented business, whose goals include many actions directed towards increasing their own profit in the long and short term, as well as fixing software that users have bought from them.
No. It should be role of people responsible for network health, because that is the public good that is impacted. As a public, non-profit entity, they would be free of conflict of interest, financial considerations. If MS were to administer remote administration in this way, they would be opening themselves up to conflicts of interest, particularly because of the monopoly market position they hold.
"Provided by the management for your protection."
HI, MY NAME IS ISAAC.
What I find really odd is that we threat computers so differently from the real world. If a real product is found to have a defect then a recall notice is published in all major newspapers (in europe don't know about rest of world) and you can return the faulty product for either a replacement or your money back.
Granted if software companies had to do it this way they would all have gone bust. Or maybe they would invest in real testing. Real testing is not to see if something works but to see if you can break it. When I hear excuses like people using the product wrong as an explantion for bugs I get pissed off. You are not supposed to bite the nose of a teddy bear and then swallow it. Nonetheless this is exactly what is tested against. A product should be safe to use or clearly labelled to indicate who it shouldn't be used by.
I think it says it all that unlike almost everything we buy in the netherlands, software is not tested by a goverment/indepedent organisation. Everything else is. Clothes, cars, books, movies, toys, furniture, food etc etc. But software and hardware are not.
Think this is a strange notion to test software by a central organisation? This what all the consoles do for their software. Oh and please don't mention MS certification, this are just logos you can buy.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
I thought this service was already available from another shady vendor.
I guess it is time to embrace, extend, and extinguish another competing solution.
All data is speech. All speech is Free.
SP 6 broke Lotus Notes servers thus 6a came out.
Even worse, SP 2 installed over a network failed. Failed badly. It did something horrible to the ntfs.sys file IIRC. This meant that the box would blue screen on boot and be irrecoverable if you had an NTFS partition.
--- I wish I could hear the soundtrack to my life. That way I'd know when to duck.
If I have to reboot my servers every time a major bug hits (3 times/year) for 5 minutes, that's bad enough. (99.9971% availability) If I have to reboot the servers every week, now we're down to 99.95% uptime.
This, of course, doesn't count downtime or technical support issues caused by workstations missing their server connections, or the patches that didn't happen in time, or any of the various other factors that help kill capitalism, and endanger our National Security.
--Mike--
I don't want to stick up for MS or anything but the problem is the user. If there is a patch availiable and the user doesn't install it then it is the user's fault (even if the user is ignorant).
Wrong. There is absolutely no excuse for
a) opening this port AS DEFAULT for Internet connections (remember, this port is NEVER used for ANY legitimate service)
b) this buffer-overflow (do they have a QM department or what??)
The problem with Microsoft is that everything is very insecure _and_ activated by default. RPC port, SMB protocol, HTML mail, ActiveX, you name it.
If you pick up a CD of Windows 2000 from a local retailer, it is expected from you that you install the latest service pack (which will produce more problems -- remember the XP service pack which slowed the whole system down?), about 20 hotfixes (which may or may not really fix the problem -- remember the story about Windows Update saying a fix was installed when it really isn't?), a virus scanner, a firewall and whatever. And, it is additionally expected that you repeat this procedure at least every month or so. And all this just to surf the net, read mails and write letters!
If I buy a TV and I had to check all the wires every month or so to make sure it doesn't implode or start burning, I'd sure return it to the manufacturer.
I'm a programmer myself. I'm coding software for industrial machines. When the machine behaves wrongly and people are injured, I'm responsible. Personally. By my private property. And that's fair. Period.
If 90% of the consumers cant drive the new CarX is the fault in the consumers or in the car?
If 90% of the users don't know how to make a call in their new cell phone is the fault in the users or in the cellphone?
If 99.99% of the users cant read a book written in latin should we:
a) Translate the book
b) Teach everyone latin
Only people who would even consider option b are computer engineers.
If you don't like the fact that most people are ignorant about inner life of computers? Go back to BBSes. Oh wait, they dont have the content, the people, the cheap connectivity? Has it occured to you that those exist because internet is full of people! You cant have it both ways.
If companies think being on the internet is dangerous who forces them to put critical services there? Maybe they are there because the gains outweight the benefits?
And before you throw in the facts about traffic laws... Majority of drivers are in favor of some sort of laws existing, I'd even bet that they support the majority of the current laws. What you'd want is a law supported by the few, benefitting the few, paid by the majority (in work hours wasted studying computer security).
Sorry, but I do not agree.
A better suggestion is the Gator way. Make the updater/installer Nagware that in case of a critical update will not simply let you go until you apply the patch.
If you tell it NO, it should print a DIRE WARNING of DOOM that makes you pay notice.
People are not fools, and proper disclosure of the dangers they face should be enough. If i am reckless/fool enough to disregard due notice, then I am to blame, not Microsoft. Taking away my right/ability to control what goes into my computer is not the solution.
I guess it depends on what you're calling a defect. If someone comes along and pours sugar into your gas tank your car won't keep running right. Is that a recallable defect?
If someone sends a particularly malformed request to a process on your machine it won't run right. Is that a recallable defect?
I'd say no in both cases.
2) People whine that users are too lazy/stupid to install the patches
3) People whine about automatic patch installation
Well geez people, it looks like you're going to have to quit whining about at least one of these three things, because they aren't all compatible. If we admit that users are too ignorant/lazy/stupid to install patches, then we have no right to complain about MS wanting to automatically update things, because everyone is complaining that their security is terrible. It isn't fair to put people into an impossible situation like that, then blame them for it.
Like my ex-NASA boss likes to say: "Faster, better, cheaper. You can pick two."
Even if the automation was forced, the problem is that the majority of internet users still use dial-up. They are at a lower risk for infection, but they are still at risk (trust me, my father-in-law got hit by it). The problem with dial-up users is that they don't want to spend literally hours downloading patches, so they don't patch their system.
What would be nice is if Microsoft provided a CD subscription for their patches for cheap.
This sig has been temporarily disconnected or is no longer in service
Well, considering the quality of your post, I'm not sure many people will rush to try out your head-ass removal services. However, you are completely wrong about Linux. The first time my grandmother says, "I tried to install this piece of software, and it says I don't have privledges", and I reply with, "Just type Su and enter the root password"...she's going to think, "Why don't I just run as root all the time?" Problem solved, and Linux is once again shown to be as secure as any other OS. Forget removing the network cable, you wanna secure your system? Remove the user.
Who do you fine if a hole in Linux caused similar damage? Every person who's contributed to the kernel? Redhat? Registered Debian devs? All of the above?
The law demands equal protection. You can't just apply a law to one corporation or individual without applying it to all.
</flame>
-30-
The problems you had deleting Outlook Express are no doubt caused by Windows File Protection. In order to beat it, simply delete the copies of the files you wish to delete from the directory C:\Windows\System32\dllcache (or similar, depending on where you installed Windows).
Once the relevant files (such as msimn.exe) are not present in dllcache, you can delete the versions of them in the main program directory. Windows will, at this point, moan that it failed to restore the files and ask for the CD to restore them, but you have the opportunity to decline, and Windows will never bother you about those files again.
I don't advise that you delete the entire contents of dllcache, though, no matter how elite you think you are. Windows File Protection is good for protecting against apps which overwrite the installed libraries in the Windows directory which can render your Windows 2000 installation unbootable in some cases.
If you skip setting up standard users (which most grandmas would do) you can ONLY log in as root. Same goes for every distro I've used (Slackware, Debian, Redhat, Suse, etc...)
;)
It's not an attack on linux it's a fact of who is using the system and who is setting it up? IF it's the same person they are significantly more likely to use ROOT. This is the reason Linux has almost zero likelihood of being successful on the Desktop, it requires conceptual understanding of security and the how and why you should(n't) run as root. Grandma doesn't care.
Plus, most users of computers learnt the Windows-Way. All Admin, All the time.
If we could just get rid of the hackers there would be no security issues. BURN THEM AT THE STAKE!!! lol, j/k
1. Microsoft releases a patch a month before a virus hits.
2. People do not install the patch.
3. The virus hits affecting thousands of machines.
4. Microsoft comes under heavy criticism.
5. Seeing that a lot of people won't install patches manually, they look into automatic updates so that they can avoid wide-spread virus infections in the future.
Seems like MS is in a catch 22. People will criticize them for having manual patches available or for automatic updates. It seems like they would have to create the world's first flawless OS for everyone to be happy.
All OS's require security patches at some time or another. It just so happens that Windows has such a large customer base that their viri have a wide-spread effect while viri for another OS might not be as major. So I ask, what can MS do realistically to announce and distribute security patches?
"Oh dear, she's stuck in an infinite loop and he's an idiot" -Prof. Farnsworth (Futurama)
Uhm... last i checked, there's an option to do that already. I think it defaults to download automatically and then an icon in the taskbar lets you know they're ready to install and with 3 clicks you're installing them and getting ready to reboot 3 times. Maybe they're talking about making it default or forfced... maybe i should RTFA...
DONT PANIC
Think of it this way: Bob, a "Sys-admin" (at least on paper), buys a computer at retailer-X for his company which he turns into a webserver with some "a-little-too-easy-to-configure-and-set-up" MS software.
Bob has more or less no idea about the underlying technologies and back-end systems that go into making his "server" work and he puts it directly on his 1.5/1.5 SDSL circuit with no protection. (He doesn't know any better, he got his MCSE from the back of a box of Captain Crunch [WAIT!, they did give away that whistle a while back, maybe that is a good place for budding techies to start])
Anyway, OS flame wars aside, to Bob, service packs, bug fixes, and security bulletins mean nothing (patches?! we don't need no stinkin' patches!)
Anyway, so Bob thinks he's the schitt because he set up his "server" all by himself and it works. For now, at least...
Three months later Bob's server contracts a Worm something big time and starts becoming a liability on the Internet and his company's LAN/WAN/etc.
So, if Bob had been forced to RTFM in order to set things up insecurely that might have alerted him to the fact that he was making himself vulnerable! Call me a romantic, but I don't think users make themselves vulnerable on purpose. At the very least, Bob would have ended up setting up his Web server with standard configuration, which I am suggesting should be a highly protected and locked down config by default.
Want to unlock things and make your systems unsecure? Learn the hows and whys of the systems first! It doesn't really effect the REAL techies out there because we know how to, and even enjoy, doing things like READING DOCUMENTATION and learning how to secure our systems. OK, I'm rambling now because I have to go out on a call on Wall Street but, I hopw I got my point across.
I don't want to take away anything from the user, I only want to hand them a box off the shelf that isn't a ticking time-bomb of unsecured services and daemons.
Cheers!
Erich
"Whadda'ya watchin'?"
"Angry Monkey."
"That HORRIBLE monkey."
Just a note. Apple's X11 server on MacOS X is not an emulator at all. It is a window sever application, just like the ones you would have on Linux, Windows, BSD, or whatever. It is still in beta (not alpha as an earlier poster tries to say) but it works pretty much perfectly and is just as quick as other X11 window servers out there. Apple plans on releasing the completed version with MacOS X 10.3, Panther, and it will be a free download.
Take a look at Apple's X11 site for more information.
Sapere aude!
If the software update is a new version of Windows Messenger or iTunes, users should be able to say no. But what if the update prevents your computer from attacking other machines? Maybe your right to ignore software updates ends when your PC attacks my network!
At some point, we're going to have to make security updates mandatory. They would be downloaded and installed automatically, whether the user wants them or not.
The user might be able to say, "Not right now," but should not be permitted to reject security updates altogether. After a reasonable period of time, the system could be programmed to prevent all network access except to get the security update.
I'm not entirely comfortable with this idea, but I suspect that's where we're headed. I have no doubt that Microsoft will introduce something like this in the next XP service pack (or sooner).
Here's what's needed to make such a system succeed:
- Version 3.0 Quality
- No Tricks!
- Updates For All
- CD Distribution
I don't have much confidence in Microsoft's ability or desire to make a system that works this way, but I think that's what is needed.Most users and sysadmins have been burned at least once by beta-quality patches that do more harm than good. Every "Security Update" should be thoroughly tested before it's released. If a crisis makes a quick-and-dirty security fix necessary, a high quality fix should follow ASAP.
Any mandatory update system will fail if the updates are perceived to be unnecessary, unreliable or self-serving for the OS vendor.
In the past, Microsoft has used the Windows Update system to force unwanted Microsoft software on users. (If I remember correctly, IE6 was released as a "Critical Update" to IE5.) No more.
Also, system updates must be kept separate from application updates. (i.e. Disabled versions of Messenger should not mysteriously reappear after a system update.)
If one machine is insecure, we're all insecure. If Microsoft adds a security update system to Windows XP (or introduces this as a feature in "Longhorn"), a compatible system must be made available for older systems, including (at least) Windows 2000, Win98 and WinMe.
Although software downloads are relatively cheap and convenient for the OS vendor and for high-speed Internet users, dial-up users should be able to get the latest software updates on CD promptly, for a nominal fee.
Maybe there's a viable alternative to mandatory security updates, but I don't see one. Clearly, the current system doesn't work, and it's costing us all time and money.
I work for a post production company, recently was in the final week of a 3month long project; A full 30sec CG commercial for Clorox. So it's the final days before deadline and I'm working 100+ hr week, the worm is about to hit and I download the latest security patches, all is well...or so I thought. In my half-awake, overworked not quite alert fashion, I agreed to let windows update do its thing, a decision I now regret. It installs the latest patches including the one for RPC, and I continue with my work. I work through the weekend in "3d Studio Max" made by "Discreet" Saving my work diligently as I go. On Monday the other folks in the office come in and alert me to a minor problem that every time they try to click on one of my .max files in explorer, explorer.exe crashes. Just hovering over the damn thing causes a crash ( explorer in detail view, without the web features on) I checked the files myself and they all seem to work fine, but nobody else can open or render them. I check google, I check Discreet's support forums...nothing. Then I remember that I windows update ran over the weekend and 2 patches were installed, the DirectX patch and the RPC patch. Because 3dsmax utilizes directx or opengl for viewport rendering, I started there. Interestingly, there is no easy way to remove that patch, there is no listing for it in add/remove, I found an entry for it in the registry and called MS security dept to help me remove it, they had no fuckin clue. I tried my best and all my .max scene files were still coming up corrupt. So then I switched gears and tried removing MS03-026. BINGO. This little shit had caused every .max scene file I created over the weekend to be totally corrupt. I lost about 36hrs of work at a time where I couldn't spare a minute. Thanks Microsoft and Discreet!
I posted my story to the discreet support site, a couple days later discreet posted an official response, confirming what i had posted. Some customers were notified via email, many were not. A lot of people got screwed like I did with this bizarre conflict.
I learned my lesson, don't click on Windows system dialog boxes when you are half asleep and unable to make sound decisions.
In the beginning there was the Word. And the Word was a near pointer...and God said Let there be Light! And a light was instantiated...
Who volunteers to write the book of SCO? *ducks*
And as my father, a mechanic, will tell you, most people do not check the oil, coolant, power steering fluid, tire pressure, etc. The more careful ones bring in the car if it makes a funny noise long enough. Many people only think about the car when it won't run anymore. Putting gas in the car is pretty much the only thing "end-users" do reliably, and even that doesn't happen often enough sometimes (did you know that it's better for your car to not allow it to get below 1/4 tank, because then junk on the bottom of the fuel tank gets sucked into the engine?)
The frightening bit is that my mom, a Physician's Assistant, will tell you the same thing about people and their bodies. She gets in all sorts of cases where people have had horrible things wrong with them and haven't bothered to come in for a week, or the guy who drank 3 40-oz. beers a night, and his main concern was wondering why he had to wake up to go to the bathroom so often.
(as for dishwashers, most of them require you to at least scrape your plate before you put it in, and my father, having cleared out a dishwasher that pretended you didn't have to do that, will tell you that they ALL require this.)
WMBC freeform/independent online radio.
Windowsupdate is a god send for people with broadband but MS are going to be required to send CDs in the mail if they want to keep dial-up users up to speed.
Windows Update has an Automatic Updates feature that downloads updates in the background. It uses a service called Background Intelligent Transfer Service (BITS) to check for updates and download using idle bandwidth. While you are typing Slashdot comments, the connection is idle, and BITS can use this idle time to download updates. It can download part of it, and restart when you reconnect. So, unless your ISP charges you by the bit, you wouldn't notice it. Sure, it will take a while to get the update (weeks?), but you'll eventually get it.
Dial-up users aren't the weak link in the chain anyway - broadband users with insecure computers are, and are the reason these worms spread to rapidly.
There is an API for BITS if you are interested in making a self-updating application for Windows:
How reliable is a non-standard download protocol? Maybe it's described in the paper, and if I can't download the paper about BITS, I'm skeptical about using BITS to download hotfixes :-)
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
I wrote a post a little ago saying that Microsoft was going to use the excuse of virus and their inability to write secure software as an excuse to grant them power over all computers they have the OS on.
In short, what they are saying is because we cant write secure software, we want total control of the software so that no one can use it in anyway that is not approved by us.
Therefore now when I dont want to use Windows or even a patch windows, my computer is considered "untrustworthy" and maybe my ISP will block it.
I think we have to be very very very cafeful in where this war on terrorism, war on computer viruses, war on everying is going ot go.
I can see someone in power tell linux to do *this*, install that or we want let you on the internet. I am surprised at how very little freedom is left on the internet and we all need to watch carefully and pipe up with the time comes.
Sorry for the rabble rosuing rant but I had too much coffe
Sigs are dangerous coy things
What a *retarded* idea. Windows XP has automatic updates turned on by default, so there isnt much difference.
;)
Ok, I can see the logic in making Windows Update fully transparent (and for the majority of users, this would be a good idea).
Regardless, for users like me running on a 56k connection, downloading a couple of meg worth of useless patches, this is *not* an option. My firewall is a better preventative measure than patches upon patches, so i'd rather not bother.
And if the "functionality" is put in anyway? Well, there will be cracks - hey, my firewall will probably block it anyways
Of course, its all the more reason to convert to linux.
However it is looked at above we then must ask what is acceptable "problem fixing" behavior and methodology. Should I just walk in the customer's homes and fix it myself or should I at least schedule a time when convenient. What happens if my "fix" causes other problems or just incompatabilities and lost bread? For that matter, what about all that bread lost from my inept development?
What if some customers have bothered to pay attention to my lack of commitment to quality in both the initial development and in fixes and as such do not trust me to fix their systems until they hear from all their neighbors what they have experienced as a result of the fix? They may have real concerns that my toaster fix will not work and cause other problems and more lost bread. They may have even had relatives or friends be electrocuted.
What about other appliances? Perhaps in the past I have noticed that other components plugged into the electrical grid of the house fail to operate after earlier toaster patches. Maybe my refridgerator stops working and my Microwave's light and half of its controls go out. Who pays for those repairs?
I can tell you with certainty that if this was indeed about toasters (or TV's, Washers, or Microwaves) that there would not be any toaster makers in business still that produced such crap as Microsoft does. I think MS has done some great things but it is often hard to see the roses when all your vision is blurred by blood from the thorns.