Oil Changes, Safety Recalls, and Software Patches (daemonology.net)
An anonymous reader shares a blog post: Every few months I get an email from my local mechanic reminding me that it's time to get my car's oil changed. I generally ignore these emails; it costs time and money to get this done and I drive little enough -- about 2000 km/year -- that I'm not too worried about the consequences of going for a bit longer than nominally advised between oil changes. I do get oil changes done... but typically once every 8-12 months, rather than the recommended 4-6 months. On the other hand, there's another type of notification which elicits more prompt attention: Safety recalls. There are two good reasons for this: First, whether for vehicles, food, or other products, the risk of ignoring a safety recall is not merely that the product will break, but rather that the product will be actively unsafe; and second, when there's a safety recall you don't have to pay for the replacement or fix -- the cost is covered by the manufacturer. I started thinking about this distinction -- and more specifically the difference in user behaviour -- in the aftermath of the "WannaCry" malware. While WannaCry attracted widespread attention for its "ransomware" nature, the more concerning aspect of this incident is how it propagated: By exploiting a vulnerability in SMB for which Microsoft issued patches two months earlier. As someone who works in computer security, I find this horrifying -- and I was particularly concerned when I heard that the NHS was postponing surgeries because they couldn't access patient records. [...] I imagine that most people in my industry would agree that security patches should be treated in the same vein as safety recalls -- unless you're certain that you're not affected, take care of them as a matter of urgency -- but it seems that far more users instead treat security patches more like oil changes: something to be taken care of when convenient... or not at all, if not convenient. 
It's easy to say that such users are wrong; but as an industry it's time that we think about why they are wrong rather than merely blaming them for their problems.
This isn't an article, it's a blog, nothing of any consequence is revealed or detailed.
Maybe we could get crash test ratings with dummies too?
"I say we take off, nuke the site from orbit. It's the only way to be sure."
Don't be a hypocrite.
You can change your oil every 10 to 15000 km if you are driving a lot. If you are driving very little and the engine seldom warms up properly, then the problem is that you get water in the oil which doesn't evaporate, so you got to change oil more frequently. So, it is a judgement call, not an exact science. Oil is much cheaper than a new engine though...
When you have companies who ignorantly and gleefully outsource their IT staff to cheaper alternatives, thinking they'll magically get the best of both worlds, more money for them, and same level of service, you should expect this.
You get what you pay for. Literally. If it's cheaper, there is a reason. When you have competent, experienced IT staff who care about their work and take pride in security and performance, they cost more. Why? Because they know they can get it, and it will save companies money. Even your cheaper IT forces - when one of them gets quite good, and meets all the criteria I mentioned above. Do you think they stay with the cheap outsourced Indian IT service? No, they either work directly for a company in North America or a higher paid position with a company wherever they live.
Your cheap outsourced IT staff will always be worse, because you will either get those still learning, or those who never quite got it or cared, and those that learned and became good, will leave.
The analogy is great, until you go to the end of the life of the given software. Like XP for example, it has reached end of life, so no patches are available for it any more. Many Android devices are instantly end of life, without any patches being released for them.
The security issues are not solved until you remove all deployments of software and hardware that have reached end of life. The only way to get this done is enforcement by law. In order to make actual comparison of products possible, manufacturers should be required to print how long they support some given software and if they stop supporting before that, they should be the first responsible party for any damage that is caused by hackers (as in: as long as the hackers can't be identified or they can't pay, the manufacturer has to pay instead, similar to how insurances work).
but as an industry it's time that we think about why they are wrong rather than merely blaming them for their problems.
No. As an industry you have to think about a company like Microsoft who willfully waited over a DECADE to patch a KNOWN vulnerability which it was TOLD about a long time ago, but CHOSE to ignore - cos, security by obscurity at best, or intentional back door at worst. This should not be about "the patch has been out 2 months why haven't people patched" it should be about "Why did Microsoft wait until news of the vulnerability leaked before bothering to issue a patch".
Seven puppies were harmed during the making of this post.
The patches that fixed the security holes were finalized, tested, and digitally signed 6 months prior to Microsoft releasing them. Make your own conclusions on what government agencies were involved in this, and what the motives were.
That interval seems like a total waste of oil. I have an old vehicle for hauling stuff that gets driven about 1000km/year, and I might change the oil every five years. I know that's probably "bad", but the engine hasn't broken yet. In fact, I think that the only work I've ever had done on the engine over almost 20 years is change out the timing belt (at twice the recommended age, but still below the mileage limit). I do keep it in a garage and always run it until it's thoroughly warmed up.
I had no problem letting Windows 7 update itself automatically until Microsoft started incessantly nagging me about changing to Windows 10, and news of their telemetry patches came out. Oh, and the whole installing patches for 5-10 mins while you're trying to shut your computer down (always seemed to be before I needed to go somewhere) was pretty dumb as well.
Microsoft took security updates and started abusing them for their own nefarious purposes. This, combined with their propensity to produce rubbish software, has created a dangerous situation for customers, and just goes to demonstrate that Microsoft has not moved on from producing extremely poor products in more than 30 years.
Hopefully a few more Nokia style implosions and we can see the end of this company.
Forcing idiot Windows to install updates automatically is the right way to go. It shouldn't be possible for people to disable them, including and especially in corporate environments. I use unattended-upgrades to automatically install security updates on all my machines. Android is a bit of a concern still, unfortunately. Not only do they give users a choice, they make it a ridiculously complicated process due to their use of signed system images. This needs to go away, to make installing security updates as simple as it is on any desktop OS. Embedded IoT devices are a whole other can of worms, where security is woefully inadequate. Oh well. It's only my personal data, right? Not that important.
With the huge recall in airbags, I have not heard of one replaced airbag rendering a car inoperable requiring the owner to pay to have someone diagnose and repair the incompatibility. How many times have we heard of a computer security patch causing a BSOD or computer crash because of bad or incomplete testing from the manufacturer?
Some people wait and verify that a security patch doesn't end up as the next story on Slashdot rendering thousands of PCs unusable because "Oh, the patch seems to be incompatible with [fill-in-the-blank]".
Anyone got a good car analogy for this?
The difference is that when you get a safety recall, only those things related to the safety recall are fixed (replaced). You get a security update for Windows and without a lot of time and effort to understand what all is rolled up in that patch, heaven only knows what else (telemetry?) you are getting.
Get a life.
I like the analogy, but you missed a step. In this instance, you aren't the client with the car (that's the business/environment). YOU are the mechanic. The problem is, the manufacturer (Microsoft) ISN'T paying for what's being fixed in the safety recall; the customer still is. They have to pay you for testing, deploying, and verifying the replacement. Which means they'd rather not.
What you just posted is one of the most insanely idiotic things I have ever read. At no point in that rambling incoherent post were you even close to anything that could be considered a rational thought. Everyone in this thread is now dumber for having read it. I award you no points, and may God have mercy on your soul.
Bottom line, security costs money and guess what, companies like to spend as little as possible.
So... The last twenty years, how often have you brought your car in for a safety related recall? Once? Twice?
And how many times has Microsoft issued a security patch? Note that to bring that number down, they stopped issuing separate patches, and bunch them together for Patch Tuesday. This way they rate limit it to max once a month.
Every time you install a patch you risk losing access to features that you use. A while back a Windows 10 patch broke internet connectivity. THAT is something a /lot/ of people noticed. But if say the POS software breaks after a security patch, how long does it take to get fixed? What if Microsoft says the OS is out of maintenance, and you're happily using software that's been paid for long ago and still works fine, but the manufacturer is out of business?
Some people have experience with security patches going wrong. Those people will be the ones that are hesitant to install patches.
If I sometimes sent my car in for a safety recall and when I got it back the heated seats I installed in it didn't work anymore and the mechanics shrugged, gave me attitude, and refused to explain what they had done, then I wouldn't take my car in for safety recalls very often. Oh, and then you find out that it wasn't really about security, it was really about adding DRM to your radio.
I started reading that rambling summary, and stopped halfway through. Summaries are usually brief and concise, not rambling and long. There may be something worthwhile in that article or blog or whatever, but I really don't want to wade through someone's keyboard diarrhea to find it.
When I go to get an oil change, they don't try to trick me into buying a new car that I don't want. They don't offer to do safety recalls but only if I allow them to install a GPS tracker. There is so much wrong with "software updates" today that you need a lawyer, a computer engineer, and a shaman to make sense of it all.
I might delay oil changes, but not that long. I do them as soon as I have time after they're due.
With safety recalls, it depends on the recall. If the airbags are in imminent danger of exploding and sending shrapnel into my GF and myself, I'll take off work ASAP to get that fixed. If there's a slim chance of my doorlock breaking, I might wait until my next day off, same as with the oil.
With software patches, I want to fix them quickly, but I also want reasonable assurance that they won't cause my PC to explode in a burst of shrapnel (or as close as software can come to that).
Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
https://youtu.be/2-WPlvZguZ4
I agree in part with the author's comments. But here are the parts where I'll query the insight.
1. Safety recalls on vehicles should indeed be a priority. And you can start mentally thinking the same applies to software. But that's where it stops. To make the same level, cars would absolutely have to have a safety recall every month. Recalls are relatively rare, and the vehicles generally leave the factory well engineered. The software industry practices shit first. Shit fast. Fix later. Built often by the lowest cost, interns and offshored coding. If you had the wheels fall off every month on your car unless you took it in to the shop, and you had to suffer the ongoing inconvenience, you'd probably buy another car.
2. The car analogy - I'll use it again. You do not get your car telling you that on the 14th January 2020, you won't be able to drive it any more, because the wheels will come off and it won't be fixed. Nor do you get the car salesman screaming at you that you better get in the show room to buy a new car because XYZ.
3. At the engineering standpoint, if you literally shipped cars where the wheels fell off each month, or if in civil engineering your buildings or bridges had the same shoddy shit taking place, it's been eroded out and not tolerated. You'd either face competition, or be sued out of the market.
4. Software somehow has managed the above by wrapping in questionable EULA and legal licensing. In the internet age, and in for example the age of the coming GDPR - this idea of ship shit, shit first, shit fast, and change the products running away from responsibilities every lifecycle might have been viable in the early developing years of software development, but I don't think they should now.
5. We are heading into vulnerability armageddon. We are. Every fucker out there has metasploit and faster access than the ever widening fleets of end users and systems can ever face. The ever shortening life span where people pay again, and again, and get told that it's their job to put the wheels on each month, only the number of wheels grows over time is horseshit. And in the cloud age, if the software is this fundamentally fubar, then everyone will be breached, and things like the GDPR will absolutely muller people - as well as generally seed an awful security/privacy paradigm.
6. To highlight this, but not to single someone out. Microsoft's Windows 10 - their most secure ever, can be viewed another way. Check the CVEs against it, then think carefully. The CVE picture indicates someone is lying. You can't have the highest number of CVEs and be the most secure.
7. Social, economic cost. The shit first, shit fast epidemic makes multi-billion dollar companies very wealthy. It is making their shareholders wealthy. It is making their customers poor. And at risk. And exhaustively putting wheels back on at a growing, alarming, unsustainable rate. You can scream all you like that they should have patched their machines. Who cares if the patch cycle is a complete and utter shitfest. Who cares if in fact it breaks everything. It's on the customer to now pull their business back from being put on its arse by patch problems.
8. This month's patch cycle includes .Net47, which the Exchange team don't want you to install, but WU will anyway. If the vendors want this level of patch, they have to absolutely UP their patching and testing game. Microsoft culled theirs, removed trusted computing and decimated the QA and others. What lessons to take?
9. I'll end that yes, people need to patch. And they need to take it seriously. But they can't do where we are, and the vendor shunting of responsibility for shipping products that to some degree are unfit for purpose (argue/debate) cannot continue, even if you want it to, because it's fucking unsustainable.
Then watch out how that person buys a Toyota bike.
I'm shocked no one explained how an EV would solve every one of your problems. No EV needs to be serviced ever.
Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
I say this on every thread that comes up pushing the same agenda (someone really wants us to enable automatic updates on Windows). Well, these pundits are simply misunderstanding the user's threat model. I do information security for a living, and even security professionals often fail to really understand the threat and risk model. The simple fact is that "hackers" are a vague and unlikely threat. The software vendor has been acting malicious with updates (pushing anti-features, fucking up computers intentionally and just all around being dick bags), making them highly likely to mess up your computer. It's a simple threat assessment, and the software vendor is a greater risk than hackers.
There should be some reasonable limit to the admissible frequency of safety recalls or software patches and the article barely touches that making the article incomplete. The article doesn't change these two truths:
1. Oil change is a natural requirement. Safety recall is 'man made' due to somebody's shortsightedness.
2. Harassment is harassment.
My intention is not to be stringent, but to be open to negotiation. I believe more than an average of one software patch every 2 months (your tolerance may vary) is reasonably a harassment and a symptom of lousy testing.
Developers: We just can't understand why users don't do exactly everything that we tell them to immediately every time! I mean sure, most of the time we are just asking for more money, or telling them to go fuck themselves, or can't be bothered to explain in an understandable way how to do something. But... what gives?
The problem is that oil changes are relatively benign. Oil changes extend the life of your vehicle by reducing wear on the internal components.
Software updates make fundamental and permanent changes to the software on your computer, which means they're a lot more risky than oil changes.
This is further exacerbated by the fact that companies nowadays feel that it's ok to throw whatever they feel like into patches, consequences be damned. Microsoft is a poster child for this, where their "updates" add unwanted code like telemetry, or are insufficiently tested and risk causing your entire computer to die on you.
The Anniversary update hosed every Lenovo laptop we had. Their DHCP update knocked half of Europe offline.
And then people like the blogger wonder why people are afraid to run updates? Is it really that hard to figure out that after you've bitten the user multiple times, they quite rightfully say, "Screw that!" and give up on updates entirely?
I think this is very subjective and depends on your point of view. For one person an oil change or a car recall may seem like no big deal, something to be put off until convenient. However I imagine the dealer and your mechanic would view it much more seriously. We are talking about maintaining a large, complicated machine capable of killing people should it malfunction. And you want to complain I didn't update some random thing I don't understand on my computer in the back office? I have customers who need their cars back.
I'm not a mechanic, but you get my point. We view security patches as important because to us they are, and in general they are, but same as maintaining your vehicle. So it just depends on your point of view and educating people to understand why any of these things are important and the ramifications otherwise.
I will shred my adversaries. Pull their eyes out just enough to turn them towards their mewing, mutilated faces. Illyria
You do an oil change after 30,000km - 60,000km or after about 3 (to 5) years, whichever comes earlier.
Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
Most car owners don't take their car in every so often for oil changes nor do they go in for safety recalls, most people will ignore it until the light comes on or a safety inspection is required, according to NHTSA it's ~20% of people that don't heed safety recalls.
Same goes for people and their vaccines, when was the last time you got your tetanus shot or any of the boosters? So why would you expect them to do the same for their computers, a machine they assume is even less maintenance-worthy than their dishwasher.
Custom electronics and digital signage for your business: www.evcircuits.com
When a safety recall is placed you perceive it as a danger to yourself and your beloved ones. For others you usually don't care. That's human nature. And you comply with it. The principle of how to extort money from people is based on this. That is rightfully or falsely presenting a danger to yourself. You can clearly distinguish the difference between a safety recall and a maintenance recall because if you ignore the latter one you possibly endanger the commodity and lose money and that is a risk that you willingly take.
In the software area you cannot make such discrimination. Let's look at Windows 7. You get updates. You don't have a clue which ones are necessary and which ones are optional. They change the behavior of 7. Well you can trust their explanation if there is one. And who would read a line or two for every update there is? It takes too much time. The thing is not everyone likes or wants updates. Would you take your car to repair shop for every smudge that is pointed out to you? You want to use your car as much as you can and do to it as little as possible. Do the repairs that are strictly necessary. Not everyone wants to pimp up their cars.
Microsoft takes a step further. With Windows 10 you are robbed of the possibility to even do such a thing if you are capable. We lost our independence. And what is worse is that this is happening all around you. They are not the first and won't be the last. WWII happened because good people did nothing to prevent it. So is the climate change.
I suspect the only way to get widespread patching of security issues is to have Windows have a sliding scale of how long you can delay a security patch for (e.g. 1 week for critical, 4 weeks for medium and, say, 13 weeks for low - and let the user set them lower than that if they want), but ultimately insist that security updates *must* be auto-applied by the end of the delay period (with pre-update warnings if an update is due to be applied in the next day or two). Microsoft would still be criticised for "forcing" security patches on people, but some forcing is necessary because some people will turn off all automatic updates and never update (or update very rarely).
Of course, with Windows 10, Microsoft seem to have gone some way towards this, but without enough granularity - there's no distinction between security and non-security patches and no way for the user to fine-grain control the delay period for security-only patches like I mentioned. The same idea of a sliding scale needs to be added to Windows 7 updates as well of course.
The problem is when patches break things, not if. We wait a week to test them.
A year doesn't pass in which at least one of my customers hasn't suffered a mission critical software outage caused by incompatibility with a Microsoft update.
Non-mission critical problems are far more frequent. Just this past weekend, an engineer's laptop docking station ceased working after applying Microsoft's updates. It turned out to be an NVIDIA driver issue, and yes, reinstalling the latest drivers fixed it. But these prerequisites are not well coordinated between vendors.
Companies who do not release security patches alone, but insist on folding them into updates that effect larger changes (feature additions, UI changes, etc.), are a factor for many people. Those who do not want to apply patches that make large changes to their systems will also not get security updates.