Slashdot Mirror


What's Really Broken with Windows Update - Trust

Be Cool writes "According to ZDNet, Microsoft has steered itself into a real trust tarpit with Windows Update: 'See, here's the problem. To feel comfortable with having an open channel that allows your OS to be updated at the whim of a third party (even/especially* Microsoft ... * delete as applicable) requires that the user trusts the third party not to screw around with the system in question. This means no fiddling on the sly, being clear about what the updates do and trying not to release updates that hose systems. While any and all updates have the potential to hose a system, there's no excuse for hiding the true nature of updates and absolutely no excuse for pushing sneaky updates down the tubes. Over the months vigilant Windows users have caught Microsoft betraying user trust on several separate occasions and this behavior is eroding customer confidence in the entire update mechanism.'"

32 of 521 comments

  1. Monopoly Mentality by Mike+Morgan · · Score: 5, Insightful

    This may have been a bad move, but Microsoft knows that in actuality there's nothing the users (corporate and private alike) are really going to do about this. They may complain a bit; write some unpleasant articles in some online sites/blogs, but at the end of the day you're still going to be using their stuff. Effectively saying "just suck it down and shut up". And in reality, this is what 99.999999% of Windows users are going to do.

    If you have an effective monopoly, trust really doesn't matter.

    --
    -USR1
    1. Re:Monopoly Mentality by Opportunist · · Score: 4, Insightful

      It does matter. Not for MS, but for the rest of the net who has to suffer from unpatched, trojan'ed machines running a MS OS.

      I was for a long time in helpdesk and system repair. Time and again I've seen unpatched machines. The usual reasons:

      1. Obviously, hacked versions that couldn't get updates.
      2. Hacked machines that could get updated, but people fearing that MS sends the FBI, CIA and WTF after them if they only attempt to update.
      3. People who got burned once with an update and won't ever, ever do it again because "it broke everything".
      4. People who got people from 3. as their friends and don't want to end up like that.

      So yes, it might not affect MS. It affects the rest of the 'net world.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:Monopoly Mentality by Whatanut · · Score: 5, Funny

      2. Hacked machines that could get updated, but people fearing that MS sends the FBI, CIA and WTF after them if they only attempt to update.

      Where do I sign up for that last one?

      "Who are you?"
      "WTF! Shutup and give us your stuff!"
      --

      yvan eht nioj
    3. Re:Monopoly Mentality by Opportunist · · Score: 4, Insightful

      People DO turn it off. For the reasons I mentioned before. Yes, laziness is a good excuse until XP SP2. Or cluelessness, alternatively. But even after SP2 I've seen many machines that had their auto update deliberately turned OFF and I once earned myself a veritable hysteric breakdown, including something close to a murder threat when I only attempted to turn it back on.

      The article is dead on, actually. Trust is maybe the biggest problem MS has today when it comes to their patches. People don't want their patches because "it works" and "who knows if it still will afterwards".

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  2. What's really broken here by smokeala · · Score: 5, Funny

    In order to break trust, you must first have trust.

  3. One slight problem with this article... by neokushan · · Score: 5, Funny

    I don't think 95% of Windows users care if Microsoft is untrustworthy or not as long as they feel it keeps their computer from getting hacked.

    --
    +1 IDisagreeSoHeMustBeATrollOrAnAstroturferOrAShill
  4. the real issue with trust by Anonymous Coward · · Score: 5, Insightful

    Even without TPM, even without CPU serial numbers, if the update software has to change my computer without telling me, it is operating out of bounds. I can't trust it in enterprise; I can't trust it at home; I can't trust it as an install or development environment.

    kris_lang

  5. Re:Release Too Soon... by Anonymous Coward · · Score: 5, Funny

    You can have it:

    * Fast
    * Cheap
    * Good

    So when is MS going to offer any of these?

  6. Re:Release Too Soon... by purpledinoz · · Score: 5, Insightful

    How about full disclosure about what's changing on YOUR PC? There's no reason why MS can't provide that in a timely, good, cheap manner. The real problem is that MS is a monopoly, and they can do whatever they want, and there's no other product that users can easily switch to.

  7. This reminds me of an incident.... by AxemRed · · Score: 5, Interesting

    I was working as a PC tech for a university at one point, and it was policy to install all critical Windows updates on the university-owned computers. On one computer, I accidentally checked the hardware updates as well as the critical updates. For some reason, Windows update decided that the video card (an Nvidia TNT2-based card) needed to be updated with the old, Microsoft-provided, French-language video drivers. This computer was using English Windows XP, and there were no language packs installed or anything. Anyway, Windows blue-screened when coming back up. I had to start it in safe-mode and remove the drivers to get it to work again. I remember thinking that if a "normal" user had installed that update, they would have been screwed into having to pay $100 for a "professional" to fix Windows. After that, I started paying attention to the hardware updates. And I noticed that on approximately 5/100 of their computers, Microsoft listed the French-language Nvidia driver as an appropriate hardware update.

    1. Re:This reminds me of an incident.... by fremar · · Score: 4, Funny

      Maybe they consider French as an upgraded version of English?

  8. Hacked access is only a matter of time by CompSci101 · · Score: 5, Insightful

    I totally agree with the tag that reads "editorsdontgetit". The problem with having this stealth update capability in the first place is that it's a clear and obvious vector for attack and p0wn4g3.

    If somebody figures out how to hack these stealth updates (and now that people know the capability exists they will definitely try), then we can all look forward to the time when a rootkit or other exploit is pushed down to machines and installed with the blessing of the OS and the complete ignorance of the person whose machine just got screwed. And it'll look like a legitimate update as far as all parties are concerned after the fact.

    The author claims that it's a "Bad Thing(tm)" when people eventually decide to pull the plug on Windows Update, and I agree given all the legitimate patches that have been made available this way. But on the other hand, what choice do we have? Do we leave a door open that has been proven to be used in an untrustworthy fashion by the very people that are telling us to trust them and that they're making our machines better/safer/++?

    Will somebody please start writing games for Linux so I can be free of this nonsense?

    C

    --
    The Sun is proof that we can't even do fire properly.
    1. Re:Hacked access is only a matter of time by plague3106 · · Score: 4, Interesting

      I totally agree with the tag that reads "editorsdontgetit". The problem with having this stealth update capability in the first place is that it's a clear and obvious vector for attack and p0wn4g3.

      Exactly! All they need are the private keys MS uses to sign the updates.. oh wait.

  9. Re:Release Too Soon... by Fezzick · · Score: 5, Insightful

    That has nothing to do with it... the problem with Windows Update recently is not that they aren't pushing out updates in a timely manner or that they are pushing out buggy updates too quickly, it's that they are being sneaky about updates. There's no reason that they couldn't be up front in disclosing everything about what components of your system will be changed with any given update. It's when they say an update fixes a specific problem, and then also install windows genuine advantage behind the scenes that we have a problem.

    Blindly trusting a third party, especially one with a track record like Microsoft, with updating your production systems may be an unwise move.

  10. Re:Release Too Soon... by mrsbrisby · · Score: 4, Interesting

    The problem is that MS is under the gun. Sometimes they release too soon, and blam it bites them in the butt.

    You really think that the reason Linux updates are so reliable and stable is that they can do more testing?

    Linux sites have a far wider array of configuration differences than Windows systems do: Not the least of which being multiple cpus and generations of systems, Windows in the enterprise is kept solely single-use because Windows admins know maintainability is hard, but Linux in the enterprise tends to have a larger number of functions because the Linux admins know maintainability is a solved problem.

    The reason both are true is a social effect of getting software from "third parties"- that is, a cloud of developers that do not communicate with each other. Whenever one of them does something "tricky" or "wrong", generally speaking nobody else in the cloud knows that they are doing it (When they do, it's called a "known incompatibility").

    Linux distributions don't have "third parties"- most Linux admins get all of their software from the distribution itself. That means there's no cloud where "that's a problem with your other vendor", or "that's a problem with running Microsoft Exchange on the same server as IIS", and so on. The buck stops immediately, it gets resolved and everyone benefits.

    Historically, other unix suppliers have had the same problem, and a lot of people just assumed it was (practically) unsolvable until groups like Debian and Red Hat- looking to solve a particular technical problem (of managing the necessary modularity of a GNUish system) also built up the social framework necessary to solve this very social problem.

    Microsoft simply cannot do this. It's not a matter of "just making better patches", they need to be the sole supplier of software in order to solve this problem, and their users need to be able to patch and redistribute that software. Not just legally, but actually encouraged to do so.
  11. Err... No. by EveryNickIsTaken · · Score: 5, Insightful

    I call bullshit on this alarmist blog. 99% of the world's Windows users don't give a shit about the updates, and will click anything that pops up on their PC. Most of them likely have no clue what "Windows update" is. The 1% that know what they're doing have likely never trusted Windows/Microsoft for anything in the first place. To say that "Trust in windows update is eroding" is just a bit fud-dish.

  12. The alternative by Hanners1979 · · Score: 5, Funny

    I guess I can see why they made this a 'stealth' update on Windows XP/Server 2003. I had to perform a fresh install of Windows Vista last week, and the first time I fired up Windows Update, it gave me a prompt which ran something along the lines of:

    "Windows Update needs to download an update so that it can update to provide you with updates".

    I felt so dizzy trying to comprehend that, I just clicked 'OK'.

  13. Re:Release Too Soon... by MightyMartian · · Score: 4, Insightful

    The monopoly is part of it, but the other part of it is the whole notion of software licensing, which convinces companies like Microsoft that not only do they own the software you're running, but the computer it's running on.

    --
    The world's burning. Moped Jesus spotted on I50. Details at 11.
  14. The article may be obvious TO US, but... by Spy+der+Mann · · Score: 4, Insightful

    It may be obvious to us, but not to the general population. Remember that this is a ZDNet article. People reading ZDNet are in the majority, Windows users who don't know Microsoft's evil tricks as much as we do. I'm glad that columnists write these articles once in a while, to make people realize Microsoft is not the "quality assured" company they pretend to be.

    If we want to evangelize about open source/gnu linux, articles from "relatively neutral" parties such as this one are a very good resource.

  15. Re:Release Too Soon... by kailoran · · Score: 4, Funny

    You forgot about the firstborn

  16. I'd much rather it... by lisaparratt · · Score: 4, Insightful

    1) Didn't even think about rebooting my box by itself, regardless of configuration
    2) Installed updates when I turned my computer on, not off - if I'm turning it off, then any second I'm going to be slinging the machine in my backpack, and jumping on my motorbike. Last I heard, Microsoft didn't possess the magical mystical powers required to ensure a hard drive works perfectly in these conditions.
    3) Fucked off when I press the "I don't want to reboot now" button, instead of pestering me every 30 seconds like a bloody 4 year old.

    None of these should require registry tweaks or policy hacks - they should all be *defaults*.

  17. It doesn't help on the trust... by Hymer · · Score: 4, Interesting

    ...that developers from MS Gold partners are telling you to shut down automatic updates because they can/may/will ruin the $1 mill. .NET based project they are developing for you.
    I have heard this from several different MS partners in the past years.

  18. Re:What?!? by rucs_hack · · Score: 4, Funny

    People can easily switch to Linux, right? Right?

    Nope.

    Hell, I've been coding for 7 years, and although I rely exclusively on my linux boxen for any large scale modeling or EA work, I wouldn't like to go without my windows machine. I like a lot of windows software. Winscp (http://winscp.net) alone is one of the greatest open source applications I have ever encountered, and it's windows only. I'm also a fan of putty, ssh session saving is great, and putty and winscp integrate nicely. I find it extremely easy to inspect progress of experiments on all machines using these two programs together, transferring files between machines is so easy it's silly. This alone would encourage me to keep a copy of windows on one machine.

    Anyway, in spite of my initial lack of interest in windows versions of my software, the mob has spoken, downloads of my software for windows (though still tiny) outnumber those for Linux. So I couldn't drop windows if I wanted to.

    Not perhaps the most impressive list of reasons, but I suspect I'm not alone.

    Not to forget there's also games, but everyone says that one.

  19. The difference between Linux and Windows fixes by Opportunist · · Score: 4, Funny

    The difference isn't the time it takes. The difference is what the time is spent for.

    At MS, engineers argue who has to do the fixing.

    With Linux, geeks argue whose fix is more elegant and better.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  20. Re:Release Too Soon... by houstonbofh · · Score: 4, Informative

    Or, to put it differently, there already is very little trust in Windows Update anyway (even though, from a technical perspective, their track record is nothing but spectacular).

    Let's go with this a minute. To have a comparison, I will use Synaptic on Ubuntu. Both are consumer oriented. Both allow you to do unattended. Both allow you to get user approval before patching. (Other than the WGA update, point to Ubuntu)
    Ubuntu has had several spectacular failures that have resulted in a system that will not boot to the desktop. Microsoft has had a few good ones that call you a pirate and shut off functionality. The Ubuntu fix was within hours. The Microsoft fix was within days. On paper they are quite close, but in the real world MS is hated. Why this is should be the first priority at MS before more people realize just how viable Ubuntu is for many people.

  21. Trust and a cult of apathy by mlwmohawk · · Score: 5, Interesting

    This is a problem that the western world has. I'm 45 these days and I believe society is changing, while I can't be 100% sure, as I am getting older and changing as well, but apathy and disregard for our rights and freedom is growing at such an alarming rate.

    We have rights, we do, but we need to fight for them or people, politicians, and corporations will simply assume we will be lazy fucks and taunt "nah nah nah nah nah" and take them away.

    We have the right to own our machine. We have the right to tell companies "I won't open a word document, send it to me in ISO ODF or PDF or text." We have the right to remove Windows from our system. We have the right to sell our OEM Windows licenses.

    Without even getting into politics or the growing U.S. police state, corporate america needs a dope slap. We, ALL OF US! have to stand up to corporate shit. If we do not stand against it in great numbers, then nothing will ever get done.

    Call tech support when shit happens, keep them on the phone for a long time, it costs them money. Send products back, it costs them money. Tell people to avoid products that suck, it costs them money. When the shit that comes from China has lead in it, sue them, it costs them money. The government isn't going to do anything for you, the politicians represent the corporations. It is only when bad corporate policy costs them money, will they change and not one minute sooner.

    Start RETURNING computers, WHOLE COMPUTERS, because vista sucks. If Windows is part (as OEM's claim) of the computer, then the WHOLE COMPUTER is defective. That will make the Dells and HPs start to offer new options. Seriously, if 10% of the slash dot readers went out and bought new computers at the big retail stores tomorrow and returned them the next day citing that Vista does not work and is not reliable. It would make a HUGE impact on the industry. No one could ignore it.

    But, no, no one will do that because they ARE too fucking lazy.

  22. Re:What?!? by WinterSolstice · · Score: 4, Informative

    Wait - I don't understand... you have linux machines, you use linux machines, and you think PuTTY and WinSCP are great tools keeping you from using linux?

    I assume you mean that there is a lack of graphical utilities under Linux for SCP/SSH? Konqueror has an scp agent built in (fish://user@host/path/to/dir), Gnome allows you to mount a server via ssh/scp, OSX has Fugu, and if you want a graphical SSH then kssh is pretty much identical to PuTTY (though personally, I like my shells to be simpler).

    Now, the other arguments (number of sales/downloads etc) I can't argue. I have to admit in my own development I see far more OSX downloads than Windows, and more Linux than OSX. Of course, what I write is primarily server monitoring apps and dashboard/konfabulator stuff so that would be logical.

    --
    An operating system should be like a light switch... simple, effective, easy to use, and designed for everyone.
  23. Re:Linux is no better by ctid · · Score: 4, Insightful

    I don't think you understand the issue here. The issue is that MS users who chose not to get automatic updates got an automatic update anyway. This is a matter of trust. I don't know why you are talking about NDAs. Companies that didn't want automatic updates from MS had an automatic update installed. NDAs are neither here nor there. I also don't understand the relevance of Linux to this. It's not a matter of what was in the update. It's the fact that it was installed automatically despite the fact that users had expressed a preference not to install it automatically.

    --
    Reality is defined by the maddest person in the room
  24. Re:What?!? by Oliver+Defacszio · · Score: 5, Insightful

    And, you know, even some geeks like having things that just work. There was a time when I'd build my own computer and spend every waking hour monkeying with the thing to make it perform 0.5% better in a specific task. Maybe I'm just getting too old for that, or maybe my interests have just shifted, but this Macbook I have, which doesn't really require anything of me to perform properly every day, is a needed breath of fresh air.

    I think the big shift for me was during college, when my Frankenstein computer failed during the one particularly hectic spring essay rush. I bought a Dell laptop because it was cheap and could be at my door in three days. Since then, I've never built a "main" computer again. I still have my HTPC project and a few other things, but it's really, really nice to know that I have one computer that will always work when I need to actually, you know, DO something that matters. No driver headaches, no dodgy hardware, no constant configuration. I open the lid, do my thing, then close the lid. Although I have become a real Mac fan, this isn't a pro-Mac post at all... it's a post in strong favour of things that don't require me to screw around. If I WANT to screw around, I will, but at least the choice is mine now. I've put that same principle into play in what I drive, too. I have a 2000 Mazda Protege, which never fails, as my daily driver. Then, I have a 1988 Nissan Pathfinder with 31" tires, a lift, etc for those days where I feel like tinkering. That truck sits apart for weeks if I don't feel like getting my hands dirty, and you know why? Because it can -- I don't need it to get me to work. It's beautiful. If you can afford it, life really is better when you don't have to drive the project (both literally and as a metaphor for computers).

    Frankly, even if it costs me my Geek Card, I'm never going back to the "old way."

    --

    -
    Inventor of the term 'pardon my French'.
  25. Microsoft might not be the only player by HangingChad · · Score: 4, Interesting

    I'll admit this may be a little tinfoil-hattish but it makes me wonder if MSFT is the only player in this saga. Just suppose in the wake of 9-11 hysteria that someone in the administration had the brainy idea to slip a traceable...something...in PC's to track terror suspects. Not something that reported to a third party...too easy to spot the traffic. Something that relayed the data through MSFT so the destination would remain hidden. Now the forced updates are wiping out whatever it was.

    Probably out there but a few years ago suspecting the phone companies of listening in on the phone calls of millions of Americans without a warrant would have been really out there.

    And before that was the revelation that printers were spitting out identifiable information in the background.

    It's a sad testimony that wholesale spying on PC users is not out of the realm of the plausible for the current administration to attempt or Microsoft to cooperate.

    It may be years from now before we find out the whole truth. What we know today should send a shudder through every freedom loving person in this country. I'm mildly surprised so many hard-core right wingers are okay with the government spying on them.

    --
    That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
  26. Grandparent post deliberately obscures the issue? by Futurepower(R) · · Score: 5, Insightful

    Not only that, but the grandparent post deliberately, I suppose, obscured the issue. The issue is trust, not honest mistakes.

    Microsoft's recent sneaky update has caused severe problems: Microsoft Stealth Update and Windows XP repair don't mix. If Microsoft weren't sneaky, at least customers could deal with the mistakes more easily.

    Quote from the ZDNet article: "The overall impression that I get as someone who deals directly with the company is that Microsoft believes that it is right and anyone making a fuss is ultimately wrong". It's not surprising to me that billionaire virtual monopolists would have developed arrogance.

    However, that's not the REAL problem, in my opinion. The real problem is that people think that Microsoft is a software company that is routinely abusive. But it isn't. Actually, Microsoft is an abuse company that uses software as a means of delivering abuse. I think a lot of people agree that, if you look at it that way, Microsoft is excellent at what it does.

  27. I've often wondered... by Nim82 · · Score: 5, Insightful

    I've often wondered with the slow Vista uptake whether MS would torpedo XP via updates that actually degrade performance or break things deliberately. It's weird, I have a number of XP boxes with very good reliability, but in the last 3 months I have had a number of software related failures on nearly all of them - most requiring re-installs. The drivers haven't changed, usage hasn't changed, the only thing that has changed is the MS updates. No hard evidence, but many fellow admins I know have seen similar oddities occur (esp after the stealth update)...

    It could just be coincidence as it would be a very dangerous move by MS, yet I wouldn't put it past them. Users who are having to fuck around are surely more likely to consider switching OS. For the bulk of desktop users that would be Vista.

    The best fastest way to get people out a building is to set it on fire...