Slashdot Mirror
Oil Changes, Safety Recalls, and Software Patches (daemonology.net)
An anonymous reader shares a blog post: Every few months I get an email from my local mechanic reminding me that it's time to get my car's oil changed. I generally ignore these emails; it costs time and money to get this done and I drive little enough -- about 2000 km/year -- that I'm not too worried about the consequences of going for a bit longer than nominally advised between oil changes. I do get oil changes done... but typically once every 8-12 months, rather than the recommended 4-6 months. On the other hand, there's another type of notification which elicits more prompt attention: Safety recalls. There are two good reasons for this: First, whether for vehicles, food, or other products, the risk of ignoring a safety recall is not merely that the product will break, but rather that the product will be actively unsafe; and second, when there's a safety recall you don't have to pay for the replacement or fix -- the cost is covered by the manufacturer. I started thinking about this distinction -- and more specifically the difference in user behaviour -- in the aftermath of the "WannaCry" malware. While WannaCry attracted widespread attention for its "ransomware" nature, the more concerning aspect of this incident is how it propagated: By exploiting a vulnerability in SMB for which Microsoft issued patches two months earlier. As someone who works in computer security, I find this horrifying -- and I was particularly concerned when I heard that the NHS was postponing surgeries because they couldn't access patient records. [...] I imagine that most people in my industry would agree that security patches should be treated in the same vein as safety recalls -- unless you're certain that you're not affected, take care of them as a matter of urgency -- but it seems that far more users instead treat security patches more like oil changes: something to be taken care of when convenient... or not at all, if not convenient. It's easy to say that such users are wrong; but as an industry it's time that we think about why they are wrong rather than merely blaming them for their problems.
This isn't an article, it's a blog, nothing of any consequence is revealed or detailed.
Maybe we could get crash test ratings with dummies too?
"I say we take off, nuke the site from orbit. It's the only way to be sure."
You can change your oil every 10 to 15000 km if you are driving a lot. If you are driving very little and the engine seldom warms up properly, then the problem is that you get water in the oil which doesn't evaporate, so you got to change oil more frequently. So, it is a judgement call, not an exact science. Oil is much cheaper than a new engine though...
When you have companies who ignorantly and gleefully outsource their IT staff to cheaper alternatives, thinking they'll magically get the best of both worlds, more money for them, and same level of service, you should expect this.
You get what you pay for. Literally. If it's cheaper, there is a reason. When you have competent, experienced IT staff who care about their work and take pride in security and performance, they cost more. Why? Because they know they can get it, and it will save companies money. Even your cheaper IT forces - when one of them gets quite good, and meets all the criteria I mentioned above. Do you think they stay with the cheap outsourced indian IT service? No, they either work directly for a company in north america or a higher paid position with a company wherever they live.
Your cheap outsourced IT staff will always be worse, because you will either get those still learning, or those who never quite got it or cared, and those that learned and became good, will leave.
but as an industry it's time that we think about why they are wrong rather than merely blaming them for their problems.
No. As an industry you have to think about a company like Microsoft who willfully waited over a DECADE to patch a KNOWN vulnerability which it was TOLD about a long time ago, but CHOSE to ignore - cos, security by obscurity at best, or intentional back door at worst. This should not be about "the patch has been out 2 months why haven't people patched" it should be about "Why did Microsoft wait until news of the vulnerability leaked before bothering to issue a patch".
Seven puppies were harmed during the making of this post.
That interval seems like a total waste of oil. I have an old vehicle for hauling stuff that gets driven about 1000km/year, and I might change the oil every five years. I know that's probably "bad", but the engine hasn't broken yet. In fact, I think that the only work I've ever had done on the engine over almost 20 years is change out the timing belt (at twice the recommended age, but still below the mileage limit). I do keep it in a garage and always run it until it's thoroughly warmed up.
I had no problem letting Windows 7 update itself automatically until Microsoft started incessantly nagging me about changing to Windows 10, and news of their telemetry patches came out. Oh, and the whole installing patches for 5-10 mins while you're trying to shut your computer down (always seemed to be before I needed to go somewhere) was pretty dumb as well.
Microsoft took security updates and started abusing them for their own nefarious purposes. This, combined with their propensity to produce rubbish software, has created a dangerous situation for customers, and just goes to demonstrate that Microsoft has not moved on from producing extremely poor products in more than 30 years.
Hopefully a few more Nokia style implosions and we can see the end of this company.
Forcing idiot Windows to install updates automatically is the right way to go. It shouldn't be possible for people to disable them, including and especially in corporate environments. I use unattended-upgrades to automatically install security updates on all my machines. Android is a bit of a concern still, unfortunately. Not only do they give users a choice they make it a ridiculously complicated process due to their use of signed system images. This needs to go away, to make installing security updates as simple as it is on any desktop OS. Embedded IOT devices is a whole other can of worms, where security is woefully inadequate. Oh well. It's only my personal data, right? Not that important.
With the huge recall in airbags, I have not heard of one replaced airbag rendering a car inoperable requiring the owner to pay to have someone diagnose and repair the incompatibility. How many times have we heard of a computer security patch causing a BSOD or computer crash because of bad or incomplete testing from the manufacturer?
Some people wait and verify that a security patch doesn't end up as the next story on Slashdot rendering thousands of PCs unusable because "Oh, the patch seems to be incompatible with [fill-in-the-blank]".
The difference is that when you get a safety recall, only those things related to the safety recall are fixed (replaced). You get a security update for Windows and without a lot of time and effort to understand what all is rolled up in that patch, heaven only knows what else (telemetry?) you are getting.
Anyone got a good car analogy for this?
Subby's Dad didn't wear a patch when he took Subby's Mom in the car on lover's lane. Now they both have viruses and WannaCry?
"That's the way to do it" - Punch
I like the analogy, but you missed a step. In this instance, you aren't the client with the car (that's the business/environment). YOU are the mechanic. The problem is, the manufacturer (Microsoft) ISN'T paying for what's being fixed in the safety recall; the customer still is. They have to pay you for testing, deploying, and verifying the replacement. Which means they'd rather not.
There isn't one... mostly because most cars don't suddenly stop working the way they did before after getting an oil change. With Microsoft security patches, it seems to happen all the time.
Imagine what would happen if you needed to hire a QA tester to make sure that your car wouldn't crash after putting brand X oil in it before putting it in the rest of your cars.... suddenly, oil changes would cost $500 and people would only do it once a year at best.
So don't fucking run end of life software in safety critical situations...
Or in fact... at all.
So.. The last twenty years, how often have you brought your car in for a safety related recall. Once? Twice?
And how many times has Microsoft issued a security patch? Note that to bring that number down, they stopped issuing separate patches, and bunch them together for patch tuesday. This way they rate limit it to max once a month.
Every time you install a patch you risk losing access to features that you use. A while back a windows-10 patch broke internet connectivity. THAT is something a /lot/ of people noticed. But if say the POS software breaks after a security patch, how long does it take to get fixed? What if microsoft says the OS is out of maintenance, and you're happily using software that's been paid for long ago and still works fine, but the manufacturer is out of business?
Some people have experience with security patches going wrong. Those people will be the ones that are hesitant to install patches.
If i sometimes sent my car in for a safety recall and when I got it back the heated seats I installed in it didn't work anymore and the mechanics shrugged, gave me attitude, and refused to explain what they had done, then I wouldn't take my car in for safety recalls very often. Oh, and then you find out that it wasn't really about security, it was really about adding DRM to your radio.
I started reading that rambling summary, and stopped halfway through. Summaries are usually brief and concise, not rambling and long. There may be something worthwhile in that article or blog or whatever, but I really don't want to wade through someone's keyboard diarrhea to find it.
I might delay oil changes, but not that long. I do them as soon as I have time after they're due.
With safety recalls, it depends on the recall. If the airbags are in imminent danger of exploding and sending shrapnel into my GF and myself, I'll take off work ASAP to get that fixed. If there's a slim chance of my doorlock breaking, I might wait until my next day off, same as with the oil.
With software patches, I want to fix them quickly, but I also want reasonable assurance that they won't cause my PC to explode in a burst of shrapnel (or as close as software can come to that).
Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
https://youtu.be/2-WPlvZguZ4
How about...
If you fill your engine with transmission fluid it will quickly ceases?
then watch out how that person buy toyata bike
I'm shocked no one explained how an EV would solve every one of your problems. No EV needs to be serviced ever.
Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
Anyone got a good car analogy for this?
No, but I've got a great movie quote:
"You know, we just used so many metaphors I forgot what the hell we were talking about."
This is /. for crissakes - we don't need basic computer security explained as a barely coherent rant equating it to automotive maintenance. Most of the readership here understands that you keep your machines updated or they're likely to be pwned.
---
DRM is like antifreeze, to the MPAA/RIAA it's sweet, to the consumers it's poison.
There should be some reasonable limit to the admissible frequency of safety recalls or software patches and the article barely touches that making the article incomplete. The article doesn't change these two truths:
1. Oil change is a natural requirement. Safety recall is 'man made' due to somebody's shortsightedness.
2. Harassment is harassment.
My intention is not to be stringent, but to be open to negotiation. I believe more than an average of one software patch every 2 months (your tolerance may vary) is reasonably a harassment and a symptom of lousy testing.
If you're putting your own life in danger by driving a 10 year old clunker, that's fine. If you're putting customers into 10 year old clunkers, that's a problem.
Same with any other safety critical software. If you're putting customers (or taxpayers) lives in the hands of these systems, then you need to make sure you keep it up to date and secure.
I do all the work on my cars and I run a Linux desktop.
Have gnu, will travel.
Close... Most here understand that if you use Windows then your computer is by definition owned, and not by the person or entity that purchased it. You literally can't apply just security updates, and that is by design.
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
A ten year old vehicle that has been maintained reasonably well is no where near the end of its service life. I currently have a 2000 model Dodge Caravan with 210k miles, and a 2000 Toyota 4Runner with almost 250k miles. Both are ok for regular use with a slightly higher expectation on my part that the Dodge's transmission is going to fail sooner or later. I take that into account when I use it. The 4Runner is still a daily driver; the Dodge has been relegated to non-time-critical uses such as occasional cargo duties and may be replaced by a trailer that will be owned behind the 4Runner.
Oil change intervals recommended by the manufacturer vary, with the manufacturer typically differentiating between standard duty and heavy duty environments (and heavy duty is defined as driving that breaks down oil more quickly, such as many short trips, etc.). Further differentiation may depend on type of oil. Businesses that make their money off of oil changes typically recommend shorter (sometimes much shorter) intervals.
Software changes, including those intended to correct security vulnerabilities, all carry an inherent risk of unintended consequences. Blindly applying any/all manufacturer-supplied software changes doesn't always go well. It should be noted that most mainstream/big name software vendors appear to have gotten their security vulnerability patch testing in order and it seems to be extremely rare now that a security patch causes an outage. When a manufacturer stops supply security patches the device in question doesn't immediately fail open.
All of these things have notifications related to servicing. Whether or not the notification requires immediate reaction (or even any action) depends on the particular circumstances of the item and its use. A Windows server attached directly to the Internet with no firewall is a very different risk item than a Windows server on a small private network.
When an item is end of life from a manufacturer, the manufacturer may no longer provide support. But that doesn't mean that the item is useless. It simply means that your risk profile for the use of the item has changed and you should adapt your thinking/planning accordingly.
The problem is that oil changes are relatively benign. Oil changes extend the life of your vehicle by reducing wear on the internal components.
Software updates make fundamental and permanent changes to the software on your computer, which means they're a lot more risky than oil changes.
This is further exacerbated by the fact that companies now-a-days feel that it's ok to throw whatever they feel like into patches, consequences be damned. Microsoft is a posterchild for this, where their "updates" add unwanted code like telemetry, or are insufficiently tested and risk causing your entire computer to die on you.
The Anniversary update hosed every lenovo laptop we had. Their DHCP update knocked half of Europe offline.
And then people like the blogger wonder why people are afraid to run updates? Is it really that hard to figure out that after you've bitten the user multiple times, they quite rightfully say, "Screw that!" and give up on updates entirely?
I think this is very subjective and depends on your point of view. For one person an oil change or a car recall may seem like no big deal, something to be put off until convenient. However I imagine the dealer and your mechanic would view it much more seriously. We are talking about maintaining a large, complicated machine capable of killing people should it malfunction. And you want to complain I didn't update some random thing I don't understand on my computer in the back office? I have customers who need their cars back.
I'm not a mechanic, but you get my point. We view security patches as important because to us they are, and in general they are, but same as maintaining your vehicle. So it's just depends on your point of view and educating people to understand why any of these things are important and the ramifications otherwise.
I will shred my adversaries. Pull their eyes out just enough to turn them towards their mewing, mutilated faces. Illyria
You do an oil change after 30,000km - 60,000km or after about 3 (to 5) years, what ever comes more early.
Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
Most car owners don't take their car in every so often for oil changes nor do they go in for safety recalls, most people will ignore it until the light comes on or a safety inspection is required, according to NHTSA it's ~20% of people that don't heed safety recalls.
Same goes for people and their vaccines, when was the last time you got your tetanus shot or any of the boosters? So why would you expect them to do the same for their computers, a machine they assume is even less maintenance-worthy than their dishwasher.
Custom electronics and digital signage for your business: www.evcircuits.com
I suspect the only way to get widespread patching of security issues is to have Windows have a sliding scale of how long you can delay a security patch for (e.g. 1 week for critical, 4 weeks for medium and, say, 13 weeks for low - and let the user set them lower than that if they want), but ultimately insist that security updates *must* be auto-applied by the end of the delay period (with pre-update warnings if an update is due to be applied in the next day or two). Microsoft would still be criticised for "forcing" security patches on people, but some forcing is necessary because some people will turn off all automatic updates and never update (or update very rarely).
Of course, with Windows 10, Microsoft seem to have gone some way towards this, but without enough granularity - there's no distinction between security and non-security patches and no way for the user to fine-grain control the delay period for security-only patches like I mentioned. The same idea of a sliding scale needs to be added to Windows 7 updates as well of course.
Companies who do not release security patches alone, but insist on folding them into updates that effect larger changes (feature additions, UI changes, etc.), are a factor for many people. Those who do not want to apply patches that make large changes to their systems will also not get security updates.