Oil Changes, Safety Recalls, and Software Patches (daemonology.net)
An anonymous reader shares a blog post: Every few months I get an email from my local mechanic reminding me that it's time to get my car's oil changed. I generally ignore these emails; it costs time and money to get this done and I drive little enough -- about 2000 km/year -- that I'm not too worried about the consequences of going for a bit longer than nominally advised between oil changes. I do get oil changes done... but typically once every 8-12 months, rather than the recommended 4-6 months. On the other hand, there's another type of notification which elicits more prompt attention: Safety recalls. There are two good reasons for this: First, whether for vehicles, food, or other products, the risk of ignoring a safety recall is not merely that the product will break, but rather that the product will be actively unsafe; and second, when there's a safety recall you don't have to pay for the replacement or fix -- the cost is covered by the manufacturer. I started thinking about this distinction -- and more specifically the difference in user behaviour -- in the aftermath of the "WannaCry" malware. While WannaCry attracted widespread attention for its "ransomware" nature, the more concerning aspect of this incident is how it propagated: By exploiting a vulnerability in SMB for which Microsoft issued patches two months earlier. As someone who works in computer security, I find this horrifying -- and I was particularly concerned when I heard that the NHS was postponing surgeries because they couldn't access patient records. [...] I imagine that most people in my industry would agree that security patches should be treated in the same vein as safety recalls -- unless you're certain that you're not affected, take care of them as a matter of urgency -- but it seems that far more users instead treat security patches more like oil changes: something to be taken care of when convenient... or not at all, if not convenient. 
It's easy to say that such users are wrong; but as an industry it's time that we think about why they are wrong rather than merely blaming them for their problems.
This isn't an article, it's a blog, nothing of any consequence is revealed or detailed.
"but as an industry it's time that we think about why they are wrong rather than merely blaming them for their problems."
No. As an industry you have to think about a company like Microsoft who willfully waited over a DECADE to patch a KNOWN vulnerability which it was TOLD about a long time ago, but CHOSE to ignore - cos, security by obscurity at best, or intentional back door at worst. This should not be about "the patch has been out 2 months why haven't people patched" it should be about "Why did Microsoft wait until news of the vulnerability leaked before bothering to issue a patch".
Seven puppies were harmed during the making of this post.
That interval seems like a total waste of oil. I have an old vehicle for hauling stuff that gets driven about 1000km/year, and I might change the oil every five years. I know that's probably "bad", but the engine hasn't broken yet. In fact, I think that the only work I've ever had done on the engine over almost 20 years is change out the timing belt (at twice the recommended age, but still below the mileage limit). I do keep it in a garage and always run it until it's thoroughly warmed up.
I had no problem letting Windows 7 update itself automatically until Microsoft started incessantly nagging me about changing to Windows 10, and news of their telemetry patches came out. Oh, and the whole installing patches for 5-10 mins while you're trying to shut your computer down (always seemed to be before I needed to go somewhere) was pretty dumb as well.
Microsoft took security updates and started abusing them for their own nefarious purposes. This, combined with their propensity to produce rubbish software, has created a dangerous situation for customers, and just goes to demonstrate that Microsoft has not moved on from producing extremely poor products in more than 30 years.
Hopefully a few more Nokia style implosions and we can see the end of this company.
With the huge recall in airbags, I have not heard of one replaced airbag rendering a car inoperable requiring the owner to pay to have someone diagnose and repair the incompatibility. How many times have we heard of a computer security patch causing a BSOD or computer crash because of bad or incomplete testing from the manufacturer?
Some people wait and verify that a security patch doesn't end up as the next story on Slashdot rendering thousands of PCs unusable because "Oh, the patch seems to be incompatible with [fill-in-the-blank]".
I like the analogy, but you missed a step. In this instance, you aren't the client with the car (that's the business/environment). YOU are the mechanic. The problem is, the manufacturer (Microsoft) ISN'T paying for what's being fixed in the safety recall; the customer still is. They have to pay you for testing, deploying, and verifying the replacement. Which means they'd rather not.
There isn't one... mostly because most cars don't suddenly stop working the way they did before after getting an oil change. With Microsoft security patches, it seems to happen all the time.
Imagine what would happen if you needed to hire a QA tester to make sure that your car wouldn't crash after putting brand X oil in it before putting it in the rest of your cars.... suddenly, oil changes would cost $500 and people would only do it once a year at best.
It does not take much driving to heat up the engine enough to remove water. If the trip is more than, say, 10 miles or 10 minutes, whichever comes first, the engine has been heated up enough.
The restored cars we have get their oil changed every couple of years. They get driven very little. Even when we do change it that oil is probably still perfectly usable, we just change it because we don't know the upper limit on the longevity of the oil after it's been used.
The reason for the timetable is that most people are not very good at looking at their odometers, but they are capable of noting a future date in a calendar and taking action on that date. It's also why a lot of newer cars with computers in them will tell you when they need their oil changed instead of relying on a schedule. Wife's '15 Renegade has had exactly one oil change and at less than 13,000 miles on it probably won't alert for another oil change until close to 15,000 miles. Given the pain in the ass it is to remove the skidplate to get to the filter and drain I'm glad I'm not having to put it up on the lift every four to six months to change a fluid.
On the other daily-drivers I change the oil and filter every 7500 miles and I use a partial synthetic motor oil. We're at 172,000 miles on one car and no problems with the engine.
Do not look into laser with remaining eye.
"You can change your oil every 10 to 15000 km"
More like 25.000Km, even for some cars as old as the century.
That would be fine if Windows would only limit the auto updates to security patches. I don't care about "feature updates" or "creator's updates"; I just want security patches.
Something's not right. If I travel 8.53 cm at 20C, then that's 25 kelvin-meters traveled, and according to you I should be changing my oil?