Microsoft wants Automatic Update for Windows

Edward Dao writes "After the embarassment of last week's blaster worm, Microsoft is weighing the possibility of automatic update. Microsoft not only wants to upload the latest patch on to users' computer but also installing it for them." This will work out really well for everyone I'm sure. Yikes! Can I at least press 'Ok' first?

oh yeah?

[krisp]

Of course, this will be implemented in such a way that implantinga fake RR for windowsupdate.microsoft.com into a local name serverallows Windows to download and run any file with a certian file name. This should make it far eaiser to fool Windows Update into installing Linux.
This will make Linux rollouts a breeze after buying all those Dells.

Imagine the possibilities!

Then again, the Microsoft Tax is cheaper then the SCO tax.

Re:oh yeah?

[killthiskid]

Two things from the article:

...say that it is time to consider making software updates automatic for home users of the Windows operating system.

And...

The company is "looking very seriously" at requiring future versions of Windows to accept automatic software fixes unless the user specifically refuses to receive them...

So... only for home users and users can shut it off!

So don't freak out too much... maybe this will actually help... think if this had been in effect for slammer... we keep bitching that the 'patch was available, why didn't people use it!'... well, this would fix that problem.

One other thing from the article:

Microsoft also will begin shipping new versions of Windows XP with the built-in firewall activated by default, said Steve Lipner, director of the company's security engineering strategy.

Now that makes sense!

I love home users.

[BoomerSooner]

I have several people who use a web based service from my company that runs on Windows 2000 Server. I check for patches daily and install them as soon as I do a full backup (in case it shits out the whole system).

My users kept calling saying "You have that Blaster Worm on your system because every time I try to connect my computer dies!". So I explain to them my systems have been patched for that exploit for over a month and I have run all the proper testing software to verify. I then ask if they have AntiVirus software installed and their reply is "I don't know.". Lol, I don't know, so it must me my server! I immediately tell them to invest in a copy of Norton Antivirus and Norton Firewall.

Ah, the world of windows.

The funny thing is if these same people were running linux they would be logged in as root and still execute whatever script someone sent them. I'm not too sure Linux would be any more secure than Windows because in windows you can also run as just a User. However, when doing that a significant number of poorly designed programs will not work.

Re:I love home users.

[EvilTwinSkippy]

The funny thing is if these same people were running Linux they would be logged in as root and still execute whatever script someone sent them.

I definitely hear that. In fact Lindows operates in precisely this manner.

I am increasingly convinced that our enemy is not Microsoft, or even SCO. Our enemy is cluelessness. If we could somehow impart the masses with an infantessimal fraction of our sense of the big picture most of our problems would disappear.

When I say "our" I mean all computer professionals. I don't give a rat's ass what kind of Guru you are, Networking, Windows, Linux, BSD, Mac, or PDP-11. We all share a chunk of "the clue". It is our duty to impart "the clue" onto others, without bias, and without favoring any particular implementation.

What is the best way? I don't know. I can only shoot off a few half-baked ideas. My front-running suggestion is take an example from Mythology.

Think about it. How many people do you know who never change their oil, yet decorate for Christmas, throw salt over their shoulder after spilling it, and avoid black cats and ladders? Imagine a computer mythology complete with ritual, dogma, and superstition. The masses already have developed their own misguided rituals, we should just go ahead and publish a book on the proper ones.

Think about how complete a job all of the Greek god did to explain about weather, war, death, and fate. These are REALLY tough concepts even today. And yet, but putting names on them, giving them personalities, and endowing these creations with a sense of power people bought into it.

Of course, you should encourage those who show a natural aptitude to study computers in the conventional hacker sense. More or less the same way wizards always seemed to be operating on a different level than average folk.

Re:I love home users.

[greenhide]

I am increasingly convinced that our enemy is not Microsoft, or even SCO. Our enemy is cluelessness. If we could somehow impart the masses with an infantessimal fraction of our sense of the big picture most of our problems would disappear.

No, actually our enemy is the script kiddies and virus software writers whose goal is to shut down the whole system.

Whether they do it for fun or ...Profit?!?, what they're doing is morally wrong, invasive, etc.

And yet, it seems many here at Slashdot place all the blame on the users, and never on the virus writers. Heck, we've even deified some of these people and bitch and moan when virus writers are caught and put into jail.

This is like blaming people for leaving their doors unlocked, rather than blaming the thieves who are actually doing the stealing.

Obviously, it is our responsibility as slightly-more-savvy-than-average computer users to secure our own computers, and to encourage others to do the same.

But the truth is, computers should be easy. If I use a fork, I shouldn't have to worry about tine alignment or upgrade its metallacity or whatever. Computers are more complex than forks, obviously, but users shouldn't have to worry about the inner workings of their computers in order to use them to do they work that they *want* to do.

That being said, I still think that there should be a special circle of hell reserved for those idiots who actually buy things from spammers and who open any attachment they receive. Those people are just being very, very stupid. So maybe we could spread a myth that if you respond to any SPAM or open an attachment that has a virus, your computer will melt. I don't think that most users are impressed by the warnings that say things like, "If you open this attachment, there will be a bad file on your system, it will get sort of slower and might crash." That's pretty much an everday occurrence for many users anyway.

Re:oh yeah?

[blahlemon]

It does not make sense to have Microsoft's firewall activated by default. The thing is buggy as heck and some DSL accounts don't work properly when it is activated. Consider that their OS is NOT engineered for security (an admission they made themselves) and that they have a track record of "swiss cheese" code.

Additionally I would hate to think that computers would roll out with auto update automatically enforced on home users machines. Quite a few home users wouldn't know if they had turned it off or not for one. Can you trust Microsoft to have tested the patch against software you use? What if you've got a "pay for use" internet account? Do you want to pay for the bandwidth Microsoft uses? HINT: Think service pack. What if a patch goes wrong or the home user mistakes it for a virus and forces a shut down in the middle of a service pack?

I'm not going to suggest that Microsoft would use this to monitor individuals or covertly take over peoples machines, that's just more FUD. I do think, however, that the last thing Microsoft needs to do to their software is add another automated feature that can be comprimised and easlity manipulated because it's already built for interaction with external machines over an inherantly insecure environment.

You don't fix a hole in a dam by adding more holes.

Re:oh yeah?

[killthiskid]

Valid points... but we're talking lesser of two evils here. I would much rather see a single user of a computer have problems (due to firewall, updates) than their unpatched machine causing problems for more than one user.

We can't have it both ways... right now windows is set for ease of use over security... and having auto-updates and a firewall will move them towards the security side of things and away from ease of use... but isn't that what we've been bitching about for years?

Re:oh yeah?

[blahlemon]

How about developing a release of Windows that doesn't have extra ports open by default that the system doesn't need? How about recognizing some of the more common issues and have these default fixed?

I think that Microsoft should halt development and roll out of it's next OS's until it's fixed the base functions. They should start from the beginning, and review the code line by line with a focus for security. Stop adding more and more features until you've fixed the old ones.

I know, NO OS is 100% secure, no

Re:oh yeah?

[Virtex]

So... only for home users and users can shut it off!

According to the Windows XP EULA, Microsoft has already given themselves the right to install software on users' home machines without their consent or knowledge. And there's no provision for allowing users to "opt out".

Not such a bad idea

[JohnGrahamCumming]

If you RTFA you'd find that Microsoft is only "looking very seriously" at this idea,
that it would not apply to business users of XP (since they want careful control
of the patching of their machines), and that it would be possible to opt-out from
the automatic updates.

So if you are a business user you don't get automatic updates, if you are a home
user of XP that is technically savvy you can turn it off, and if you are a home
user who is not computer savvy then you are going to get automatic updates. This
latter group seems like the ideal set of people to get automatic protection.

John.

Re:Not such a bad idea

[John Paul Jones]

Automatic protection from running applications that break following a patch? At least a corporate user can call the helpdesk, while a novice home user would have no idea why something stopped working suddenly, and would chalk it up to "Computers are evil". The divide between the tech-aware and tech-unaware grows exponentially.

Re:Not such a bad idea

[Randolpho]

Hmm.... you clearly don't get how Microsoft got to be so huge in the first place, do you? :) Home users actually want stuff like this.

Re:Not such a bad idea

[numbski]

Okay, now what happens when they decide to enter some draconian language into the EULA that you supposedly agree to by installing these patches....are you now just agreeing to whatever they want by simply using Windows? You now have no choice in this case?

Re:Not such a bad idea

[Pirogoeth]

So you make the software update so that you agree to a EULA the first time you run it. As long as there are no changes, the patched get installed automatically. Any patch that brings a change to the EULA will not install. It would be downloaded, but a message would pop up saying that there is an update, and make you agree to the new EULA before it is installed.

At any rate, I think the EULA changes come with things like new versions of the Media Player and the like. Those shouldn't be done automatically any

Re:Not such a bad idea

[RoLi]

Those shouldn't be done automatically anyway. Only security patches should be automatic.

And Windows shouldn't crash. And there should be no war and no hunger. And there should be no need for any patches in the first place.

Re:Not such a bad idea

[Henry V .009]

If they don't know what a patch is, then they're in more danger of a virus attacking their computer anyway. So "the divide between the tech-aware and tech-unaware" shrinks exponentially, as viruses become far less likely. The very rare case of a WU breaking something will have little impact in comparison.

Re:Not such a bad idea

[jeffy124]

Microsoft would find out about it. Thousands (millions?) of machines would suddenly stop working, making news headlines similar to Blaster. Hence, MS would be forced into doing something, like a patch to rollback an earlier patch. It may also get regular people asking if anything else is out there if it starts happening a lot.

Re:Not such a bad idea

[Anonymous Coward]

"The divide between the tech-aware and tech-unaware grows exponentially."

...and so do my consulting fees. [insert evil laugh here]

Re:Not such a bad idea

[fireduck]

how often do MS patches actually break things?

I'm a home user. I've applied every critical update MS puts out. I apply practically everything available on the windows update site (even the beta versions of stuff like movie maker). I have never had a piece of software not work after applying an update. I think I'm a fairly typical home user. MS Office, MS Money, a bunch of games, photo editing software, winamp, random shareware. Stuff most people use. and stuff that has never broken on me.

Software breaking is definitely a problem, but how often does it really happen? I'd imagine that the liklihood of these people getting a virus / worm is greater than the liklihood of an ms patch breaking a piece of software...

Re:Not such a bad idea

[Malc]

The last thing that I saw break my system was a patch or update to DirectX. After it installed, my laptop blue-screened on boot. I was unable to fix. After re-installing the OS (and everything else) at great cost to my time, the patch/update worked the second time.

Right now we're holding off applying Win2K SP4 to our web servers. It contains a change to the security model that will break some of our ISAPI extensions. The fix is trivial, but we haven't had time to check it out on a test bed, nor deploy it to all our servers (unfortunately we have to do them manually as we don't have anything like SMS deployed).

Re:Not such a bad idea

[crazyphilman]

Well, I'm a developer, and I run Windows 2000 professional at home, with IIS and Visual Studio .Net installed. Wanna talk about patches breaking stuff? Here's my list of woes (noting that Linux has never given me this kind of trouble):

1. If you install the O/S, then patch it, and THEN try to install Visual Studio, the Visual Studio installer crashes. The problem seems to be that if you install Microsoft's updated .Net packages before Visual Studio, Visual Studio can't handle that and it chokes.

2. If you install the O/S, then Visual Studio, then Norton Internet Security (kind of important on a windows 2000 box, which doesn't have an integrated firewall), then try to update Norton and Windows, WHICH OUGHT TO WORK, Norton will update fine, Windows Update will crash several times, and the end result will be your IIS will stop working, so your Visual Studio won't be able to create VS.Net projects. I think this might be related to a recent patch, because it didn't happen before Service Pack 4 came out.

3. If you have a recent copy of Roxio's CD burning software, it'll stop working after you update Windows. The app will start up, but it'll crash as soon as you insert a CD-RW into the drive. I've updated the software from the Roxio site, too, hoping that would help (no luck). It's got to be something in one of the windows patches. So, patch windows or burn CDs! You seem to have to choose one or the other. Older, no longer available copies of Roxio seem to keep working, so if you get a Rio Volt MP3 Cd-player, you can install the older software off of their disk (warning: this might not be true anymore).

5. Windows patches keep restoring MS Outlook Express! If I kill it off, it keeps coming back like a friggin' vampire. It's the undead, unwanted email app. Actually, the only easy way I've found to kill it is to change the security on the Outlook Express folder so that no one has read-write priviledges, then boot from a floppy and clean the thing out. This way, Windows can't keep putting the files back (Grr... Windows puts 'em back THREE SECONDS after you delete them, otherwise!).

Ugh. I hate Microsoft. And, I'm a programmer who uses that platform! What does THAT tell you? ;)

Re:Not such a bad idea

[abulafia]

blah blah insult blah use the fricken' value add books, jerk blah should try reading MS books instead of burning them!

As opposed to a using a system that just works?

Re:Not such a bad idea

[crazyphilman]

I beg your pardon!

I don't "hate" windows because of WFP. I merely find WFP aggravating. I hate windows because windows doesn't work predictably, and frequently chokes on things it shouldn't choke on, like patches and updates. FOR EXAMPLE, I find it irritating that A) the installation of service pack 4 crashed, and B) that my IIS immediately stopped working afterwards, and C) because I now have no IIS, I can't create new Visual Studio .Net projects, so D) I can't bring work home, which E) was the only reason I set up that infernal Windows box in the first place!!! Please, explain to me why exactly windows' failure to survive this chain of events relates to a lack of knowledge or ability on my part. I promise I will pretend to find your explanation fascinating, and I'll even drink a double expresso and stay awake for the whole thing. No promises though.

Re:Not such a bad idea

[Slightly Askew]

I think one problem is the assumption that just because a SP is released, it will work perfectly in every situation without any other updates. This is silly. There is no way to test an OS update with every single piece of third-party software under the sun.

2. If you install the O/S, then Visual Studio, then Norton Internet Security (kind of important on a windows 2000 box, which doesn't have an integrated firewall), then try to update Norton and Windows, WHICH OUGHT TO WORK, Norton will update fine, Windows Update will crash several times, and the end result will be your IIS will stop working, so your Visual Studio won't be able to create VS.Net projects. I think this might be related to a recent patch, because it didn't happen before Service Pack 4 came out.

Under known issues with SP4, I found this [microsoft.com], which, I believe, addresses your Norton problem in item 2.

3. If you have a recent copy of Roxio's CD burning software, it'll stop working after you update Windows. The app will start up, but it'll crash as soon as you insert a CD-RW into the drive. I've updated the software from the Roxio site, too, hoping that would help (no luck). It's got to be something in one of the windows patches. So, patch windows or burn CDs! You seem to have to choose one or the other. Older, no longer available copies of Roxio seem to keep working, so if you get a Rio Volt MP3 Cd-player, you can install the older software off of their disk (warning: this might not be true anymore).

What CD burner do you have? I have found a reference to Sony burners failing with SP4 unless you install a fix from Roxio here [roxio.com], which may cover #3.

5. Windows patches keep restoring MS Outlook Express! If I kill it off, it keeps coming back like a friggin' vampire. It's the undead, unwanted email app. Actually, the only easy way I've found to kill it is to change the security on the Outlook Express folder so that no one has read-write priviledges, then boot from a floppy and clean the thing out. This way, Windows can't keep putting the files back (Grr... Windows puts 'em back THREE SECONDS after you delete them, otherwise!).

I have already addressed #4(or 5 :-)) when I discussed WFP.

1. If you install the O/S, then patch it, and THEN try to install Visual Studio, the Visual Studio installer crashes. The problem seems to be that if you install Microsoft's updated .Net packages before Visual Studio, Visual Studio can't handle that and it chokes.

That leaves #1 which, I too, had this problem with. However, all I did was go to add/remove programs, uninstalled the .NET framework that windowsupdate installed, then restarted VS.NET installation. Worked fine after that, and I just skipped the .NET framework recommendation on the windowsupdate site (it was not a "critical" update, anyway).

The point being that as awesome as the resources and support are for Linux and other open source OSes, there is a multitude of free support for Windows as well. I don't infer that this relates to a lack of knowledge or ability, but perhaps a lack of effort to resolve the problem?

Re:Not such a bad idea

[aliens]

I applied all critical fixes to a friend's computer. Suddenly his NIC was not recognized. Uninstalled all critical patches didn't bring it back. It works fine on a base install of XP.

But just imagine, you goto use your computer and boom, no more internet. Now you call your techie friend, he/she asks "What did you install recently?" Nothing that you know of, making both your lives that much more difficult.

Re:Not such a bad idea

[Dark Lord Seth]

No Updates Were Installed

The following items failed to install. To try installing them again, click Review and install updates, and then click Install Now again.

818529: June 2003, Cumulative Patch for Internet Explorer 6 Service Pack 1
330994: April 2003, Security Update for Outlook Express 6 SP1
Security Update for Windows 2000 (823980)
823559: Security Update for Microsoft Windows
816093: Security Update Microsoft Virtual Machine (Microsoft VM)
814078: Security Update (Microsoft Jscript version 5.6, Windows 2000, Windows XP)
Security Update, February 13, 2002 (MSXML 3.0)

I like to think that I'm the only person where Windows Update consistently fails HORRIBLY but that'd be naive. At least I tried to apply every critical update. It somehow fails to download the files required. Good thing I got a decent firewall up and running because even the MS patching system is horribly shit. Ah well, that's the first thing to break down on a fresh (less then a week old) Win 2000 install.

This also raises another question: How many people were affected by the worm because Windows Update simply fucked up for them? Even if WU would die on updating for even 1% of all users, how many people would it affect then? I only just found another way to manually download the patches to see if that'll work. Oh and this isn't the first time Windows Update fucks up. I've had it crash PCs, screw up installations and I've made it succesfully install the same patch 5 times in a row.

Woot for Windows Update! Adding another weak link in an already fragile chain which is Windows security!

Two good examples

[TheConfusedOne]

SP 6 broke Lotus Notes servers thus 6a came out.

Even worse, SP 2 installed over a network failed. Failed badly. It did something horrible to the ntfs.sys file IIRC. This meant that the box would blue screen on boot and be irrecoverable if you had an NTFS partition.

Re:Not such a bad idea

[Psiren]

So who is held accountable when the latest patch breaks something and causes loss of data? The user, because they didn't opt out? Seems like a potential shitstorm for Microsoft there. If people are too dumb to patch their system with the existing Window Update, how in the hell are they going to diagnose problems when its being done without their knowledge?

Re:Not such a bad idea

[micromoog]

If people are too dumb to patch their system with the blah blah blah . . .

Too dumb? How about just not interested? Many people just want their computer to work, the way their car and dishwasher "just work". They couldn't care less about any of the technical details. Resistance from arrogant fucks like you has been holding this back, and Microsoft is finally making a bold move in the right direction.

Re:Not such a bad idea

[Xerithane]

Resistance from arrogant fucks like you has been holding this back, and Microsoft is finally making a bold move in the right direction.


Thank you for pointing this out. People don't want to know how the computer works, they just want it to work. I want to write an email, push the email button on my keyboard and click send. That's how a car works. 2% of the American population could actually fix anything that goes wrong with their car, why expect it to be different?

It's because of the computer elitist

Re:Not such a bad idea

[Psiren]

Too dumb? How about just not interested? Many people just want their computer to work, the way their car and dishwasher "just work".

Sorry, I don't agree. I still have to fill my car with diesel, check the oil and water, pressure on the tyres etc. This is all essential end user maintenance. Granted, I don't poke around in the engine when something mechanical goes wrong. The same goes for computers. It's a general purpose machine. It is complicated, and that will always be the case.

Indeed

[autechre]

And as my father, a mechanic, will tell you, most people do not check the oil, coolant, power steering fluid, tire pressure, etc. The more careful ones bring in the car if it makes a funny noise long enough. Many people only think about the car when it won't run anymore. Putting gas in the car is pretty much the only thing "end-users" do reliably, and even that doesn't happen often enough sometimes (did you know that it's better for your car to not allow it to get below 1/4 tank, because then junk on the bottom of the fuel tank gets sucked into the engine?)

The frightening bit is that my mom, a Physician's Assistant, will tell you the same thing about people and their bodies. She gets in all sorts of cases where people have had horrible things wrong with them and haven't bothered to come in for a week, or the guy who drank 3 40-oz. beers a night, and his main concern was wondering why he had to wake up to go to the bathroom so often.

(as for dishwashers, most of them require you to at least scrape your plate before you put it in, and my father, having cleared out a dishwasher that pretended you didn't have to do that, will tell you that they ALL require this.)

Re:Not such a bad idea

[bourne]

So who is held accountable when the latest patch breaks something and causes loss of data?

The same someone who is held accountable when the default OS installation is insecure and the system is compromised by a 2-bit, brain-dead worm.

That would be... um... hmm... lessee... ah... tumbleweeds blow by in the hot desert wind... nobody, and certainly not Microsoft.

You can be sure that whatever legalese is in the EULA puts the responsibility squarely on the administrator, where it belongs. If they don't

Re:Not such a bad idea

[swordboy]

If you RTFA you'd find that Microsoft is only "looking very seriously" at this idea

Microsoft are MORONS. The fix for this particular worm required SP2 or greater. That is 8 hours and 10 minutes over dialup.

Windowsupdate is a god send for people with broadband but MS are going to be required to send CDs in the mail if they want to keep dial-up users up to speed.

Re:Not such a bad idea

[TGK]

Where are my mod points when I need them? This is perhaps the single best argument raised in this thread. I'm a broadband user (ah the joys of in-home ethernet) and I'm in the process of puting together a new machine. It's running windows because some of the software my school requires is Windows only.

Now, I've been downloading updates for the last hour or so now. I understand that the Microsoft site is probably pegged following all the media coverage of the latest worm, but nonetheless, I'm a broadband user and it's still taking me a significant chunk of time to download all these updates.

Dialup can only be worse. If MSFT wants to keep the users current they've gotta either find some way of updating Windows that's not quite so hard on dial up (mailing CDs sounds good) or they need to find some way to bring the average patch size down. I have a hard time buying into the idea that the problems in the system really require a patch of that size. With a little more creative work you'd think they could find a more efficient way to insert the new code.

Re: Not such a bad idea

[Black Parrot]

> Microsoft are MORONS. The fix for this particular worm required SP2 or greater. That is 8 hours and 10 minutes over dialup.

Think how fun it's going to be when you re-install your media and then get to download three years of cumulative updates.

Re:Not such a bad idea

[evilandi]

downloads in the background and doesn't seem to be noticable

It'd be pretty damn noticable on my British Telecom phone bill.

Not everywhere has free/inclusive local calls, remember.

Re:Not such a bad idea

[penguinboy]

"People are going to have to accept mandatory updates as part of the warranty process,"

Since when does Microsoft include a warranty on Windows?

Re:Not such a bad idea

[RealErmine]

By default, automatic update is enabled for Windows. Anyone technically savvy immediately turns it off five seconds after installation is complete.

Sounds like you're unreasonably paranoid. I've been using Windows 2000 for three years and whenever I need to reinstall (usually due to hard disk crashes or building a new machine. NEVER because the OS or Microsoft did something stupid) the first thing I do is go get all the updates. Nobody who is "technically savvy" wants to run a version of their OS that is three years old. Why? For reasons of security, stability, and compatibility with new software. Why not have the OS go find them for me?

Stop speaking for me. I consider myself technically savvy due to my degrees in Electrical Engineering and Computer Science as well as my hobby of building PCs for my friends. At first, when a service pack added the auto-update feature to W2K, I had it set to let me verify updates, but then I noticed something: I kept hearing about worms and vulnerabilities in Windows on Slashdot and from my friends a day or two after I saw my PC automatically find the fix from MS. It certainly beats going to windows update myself after the fact. I let auto-update have free reign after that discovery.

The fact is that most people who use Windows do not understand that they need to update their OS in order to keep their computer running. What's the first thing you do if you try installing a piece of software and it doesn't work? Roll back to a earlier backup? I doubt it. If your hardware seems to be working you go and get all the current driver and OS updates because developers usually release their software built on platforms with recent OS and driver versions.

Obviously I think automatic updating could be a good thing, but there could be some problems. Nobody with a modem connection wants their OS to automatically dial in and start downloading 15MB patches. You also may not want your server to start downloading patches at peak traffic hours. I hope that MS leaves the option for user input for these reasons. It also only currently downloads critical updates. Their decisions about what is critical have been reasonable so far.

One good thing that you might not see coming from the auto-update is that now you don't need Internet Explorer to use the windows update site.

Re:Not such a bad idea

[MImeKillEr]

Sounds like you're unreasonably paranoid. I've been using Windows 2000 for three years and whenever I need to reinstall (usually due to hard disk crashes or building a new machine. NEVER because the OS or Microsoft did something stupid) the first thing I do is go get all the updates. Nobody who is "technically savvy" wants to run a version of their OS that is three years old. Why? For reasons of security, stability, and compatibility with new software. Why not have the OS go find them for me?


And my argum

Re:Not such a bad idea

[Jucius Maximus]

"How is this any different then the scheme they're using now? By default, automatic update is enabled for Windows. "

The current scheme requires users to still click OK on the update.

Keep in mind that 99% of users just want to use the computer and not worry about having to keep everything patched up and secure. They just want some sort of 'fire and forget' type solution that they just install and forget about it. This is why crap like Norton CrashGuard and such sells so well.

I think that the automati

Does this mean..

[DiS[EnDeR]]

they want to reboot my computer without informing me?

And we kept wondering ...

[OMG]

... how they will get people to activate the TCPA/Palladium features.

Now we know: MS will do it for you. How kind of them!

Re:And we kept wondering ...

[BiggerIsBetter]

Good point. Surely this would blow off any EULA type update licenses. How can you agree to an automatic update you didn't even know about?

Re:And we kept wondering ...

[gl4ss]

well, iirc, the 'standard' eula coming now basically allows them to change the rules of it as they see fit without you agreeing to it.

yeah it seems totally stupid and unforceable but so is most things in eulas nowadays anyways.

Bandwidth

[jmays]

I know broadband usage is on the rise but really ... I use a modem. You know ... the kind that attaches to a phone line? Everytime I get online with my low bandwidth solution, I don't want my bandwidth eaten up by patches.

Granted, by the time this is incorporated into the OS, phone line users may be in the minority but until then ... no thanks.

Re:Bandwidth

[Viol8]

Agreed. A lot of people forget that not everyone (in fact the vast majority of people still) do not connect to the internet via some fancy
umpteen mb/s broadband connection. It would be nice if occasionally marketing types (and some geeks for that matter) would remember this
simple fact.

imagine...

[borgdows]

if someone breaks into MS WindowsUpdate servers, he could install ANYTHING on millions of computers!

wow... scary...

Re:imagine...

[secolactico]

Actually, all they have to do is spoof your computer into thinking their computer is the WindowsUpdate system. Now this depends on how they implement their system but I'm willing to bet it depends on trusting some basic internet function that is exploitable one way or another.

Aren't MS patches signed? If they are, then fooling your computer (say, by poisoning dns) into connecting to a non-ms site would only yield invalid downloads. Even if they hijaak the actual servers, if they don't have the key, the

No thanks

[GeckoFood]

Some of us are still on dialup, and an automagic update of Windows via 56K modem would literally take HOURS if the connection even holds at all. I don't think I should be forced into high-speed access just so I can update my Windows partition periodically.

Re:No thanks

[erasmus_]

So in other words, you don't think the operation system could be smart enough to determine that you're on a dial-up instead of broadband, and schedule updates to be downloaded during off-hours, and only when it's detected that the computer has been idle for several hours? Yours is like the 3rd post to think that it will start downloading exactly when you're in the middle of something important - MS's usability engineers are not that dumb, no matter what Slashdrones say. Anyway, how do you get your updates

Re:No thanks

[gl4ss]

what off hours? there is no such thing in most cases. and the off hours wouldn't be enough time to download the patches anyways in time(speed just isn't fast enough)

typical users DON'T leave their home computers on when they don't use them btw.

and need that phone line occasionally for phone calls, i'm sure you've had one, but some people get them like all the time even on their landline.

most people when they are online with their modem, are in the middle of doing something important(they wouldn't be online unless they were). using the phone line isn't free either in majority of countries, so leaving it to up to the os to decide when to dial up is not an option.

the bloated drivers and updates are a real problem in todays world when you're trying to keep your relatives little computers running good enough (nvidia drivers take +30mb, for example). sure it isn't a problem when you have 100mbit jack on the wall but majority of people don't have that.

Re:No thanks

[PhoenixFlare]

what off hours? there is no such thing in most cases. and the off hours wouldn't be enough time to download the patches anyways in time(speed just isn't fast enough)

Do you not sleep, or what? And of course they're not going to download in one shot, that's what resumable multi-part downloads are for.

typical users DON'T leave their home computers on when they don't use them btw.

I feel like a broken record saying this, but you don't speak for everyone. Unless you regularly provide in-home support for a

You can do this already

[dlur]

You can do this already with Windows XP if you set it up to do so. In the system properties go to the Automatic Updates tab and then click on the radio button next to the bottom option, "Automatically download the updates, and then install them on the schedule that I specify".

Of course you'd have to be out of your gourd to do this regarding MS's history of untested patches. Also I noticed that MS is including driver updates in the critical updates as well (nVidia driver). I've NEVER installed a driver from MS on my computer and every time a customer of ours does it, it seems to totally screw up everything.

Re:You can do this already

[xanadu-xtroot.com]

You can do this already with Windows XP

You can do this with any Win* box that's running IE6-SP1 (with the latest updates). This stuff is installed for you (and no, I haven't noticed an option to stop it from doing so - I'm the admin of a 75 or so MS Shop).

Re:You can do this already

[PaschalNee]

A quick Google [google.ie] will provide loads of examples.

• Duplicate IP Addresses After Upgrading DHCP Clients to SP2 [microsoft.com]
• Cannot Log on Using IPX After Installing SP3 on Windows NT 4.0 [microsoft.com]
• SSIExecDisable Does Not Work after Applying Windows NT SP4 [microsoft.com]

Are you humoured yet?

Re:You can do this already

[Xformer]

How about a more recent development tool? eVC++ 4.0 SP2 has problems talking with emulated CE.NET devices, where earlier versions did not. Transferring files to the emulator is kind of necessary if you want to debug something w/o destroying an actual device. I ran into this just last week.

And, oh yeah, this is on XP with all relevant updates applied (by relevant, I exclude things like fax and game related patches, which mean nothing on this machine).

As long as there are no automatic EULA changes

[jridley]

In the past MS has packaged EULA updates along with software updates. I really wouldn't have too much trouble with this as long as they don't try to push EULA changes along with the update.
Sure, some people might want to turn it off, but by and large I think there would be less damage with it on. I rarely meet a person who even knows what MS Update *is* let alone have used it.

I wonder how well this would work on dialup though? It seems like the world is really leaving dialup folks behind. I have cable myself but know a lot of people on dialup either because high speed is not available to them or because they really don't need a fulltime connection, and are getting by just fine on a $5/month dialup plan.

Re:As long as there are no automatic EULA changes

[ebuck]

Actually, it seems that an automatic pactch installer could totally render EULA updates null and void. This could have the unexpected effect of the owner bound to the original EULA which may not be available except via original media.

I can see Microsoft arguing to a court that the use of the software implys that they automatically accept a new EULA with each patch; however, I would be very shocked and dismayed if any court in the US would uphold that you could automatically agree to licensing changes without being at least notified that a change had taken place.

Microsoft could worm their way around the last part with a pop up window asking you to accept the latest EULA; however, that would be a public relations nightmare, and even though Microsoft is keen to kill off any professional competition, they are not in business to openly defy their users.

The only way an EULA holds up as legal when not read (if my memory serves me correctly) is that you implicitly agreed to it by opening the box. Automatic EULA updates lack even this token agreement. If the automatic update is turned off by default, you might be seen as "implicitly" agreeing to all future EULAs by turning it on. If it is on by default there's no action to bind you to any sort of agreement.

Mabye they'll put in a clause, "By agreeing to use this software you agree to all future licensing agreements with respect to this software which will invalidate this agreement", ie viral EULA.

Of course I'm not a lawyer, but if you believe this is sound legal advice, let me write your will.

MSBlaster

[fudgefactor7]

MSBlaster wasn't an embarrasment for MS, but for the lazy sysadmins who, with a month's prior notice and the patch to fix it, were still hobbled by the bug. If people who are in charge of systems and security spent more time patching and paying ATTENTION to things like Bugtraq and less time complaining about MS the world would be safer.

How is this bug more of a bummer than how gnuftp was compromised and potentially more damaging? Oh, don't hear people moaning about that on here now do you...?

The tale is telling, is it not?

Re:MSBlaster

[twelveinchbrain]

You mean lazy sysadmins who, after installing the hotfix necessary to protect from MSBlaster, found that their applications stopped working? The ones who had to spend hours examining trace files to determine the exact root cause, and download several more hotfixes, with a cascade of errors, to get everything working again? Those lazy sysadmins?

Re:MSBlaster

[linuxtelephony]

Or even the few lazy SysAdmins that believed the M$ app that said the patch was installed, or took the time to disable DCOM if they didn't need it, and then found out they were still vulnerable to this worm? Do you mean those lazy SysAdmins?

Re:MSBlaster

[_|()|\|]

MSBlaster wasn't an embarrasment for MS, but for the lazy sysadmins who, with a month's prior notice and the patch to fix it, were still hobbled by the bug.

I'm using critical update notification on Windows 2000. I installed a generic critical update the day before Blaster really took hold. The next day, I had six new critical updates.

That same day, Windows Update on three Windows XP systems showed no updates. when I ran Windows Update again in the afternoon, there were twenty critical updates.

If the p

Lazy sysadmins? The problem is deeper.

[ebuck]

I didn't bother to patch my office machine against MSBLASTER, and why should I?

I've been stripped of most of the permissions to admin my own machine because the internal IT support has been centralized. That means a few people service the rest of us in a way that generally has the good of the company in mind.

That said, if they take away my permission to do it, and they get caught with their pants down, why do they expect us all to run software locally on our own machines to fix the latest problem X? It'

Re:MSBlaster

[4minus0]

How is this bug more of a bummer than how gnuftp was compromised and potentially more damaging? Oh, don't hear people moaning about that on here now do you...?

Do you not read the newspapers?
When the GNU ftp site was compromised did it affect any DMVs?
Did the cracking of the GNU server cause disruption at entire school districts?

In case you missed it, look here [arnnet.com.au]
or here [clarionledger.com]
If you follow the first link you'll see that even Cisco's VoIP customers are affected by Blaster, not just WIndows users.
I'd call th

Re:MSBlaster

[fudgefactor7]

If your IT person(s) can't do the patching on that few a number of computers in the span of a month then, yes, they're lazy. I deal with that number of systems, in MULTIPLE countries, every time there's a new patch/fix. The IT depertment that you are referring to either (a) is filled with incompetents, or (b) need to hire someone who knows what their doing.

...as they don't want to take down a critical production machine.

Why would you so foolishly have a purduction machine open to the Internet? Firewall,

Bye Bye Bruce

[kindbud]

"I have always been a fierce enemy of the Microsoft update feature, because I just don't like the idea of someone else -- particularly Microsoft -- controlling my system," said Bruce Schneier, co-founder of Counterpane Internet Security Inc. "Now, I think it's great, because it gets the updates out to the non-technically savvy masses, and that's the majority of Internet users. Security is a trade-off, to be sure, but this is one trade-off that's worthwhile."

And that concludes our evaluation of Counterpane's security consulting services. Have a nice day. Don't let the door hit you on the way out, Bruce.

A few things Microsoft needs to do...

[forsetti]

1) WindowsUpdate needs to become MicrosoftUpdate. This would scan and offer patches for all MS software (OS, Exchange, SQL, IIS, Office, Visual Studio, ....). Also extend SUS to do the same.

2) Critical Update notification should be done the way OSX does it (with a little configging) -- instead of a tiny little innocuos icon in the system tray, put an obnoxious pop-up in the middle of the screen, with a big "Go Ahead and Install" button, with lots of skull & cross-bone icons.

3) Create patches using their own packaging structure: MSI. This allows for much simpler deployment and management, via Active Directory. No need to pay for SMS simply for patch deployment.

4) Supply MUCH MORE documentation to end users, discussing the importance of keeping one's machine patched.

5) Stop producing such buggy software! =}8v)

Just my $0.02 ...

Bad Idea.

[asdfasdfasdfasdf]

Microsoft is also considering whether to make the Auto Update mandatory earlier, through an interim upgrade known as a service pack.

This is a huge mistake. Talk about a support nightmare. I recently spent several hours trying to find out why my machine was freezing intermittently, only to find that Update 811493 was to blame. I uninstalled it and everything worked perfectly-- if they make it mandatory, and have a similiar problem what do we do? (Switch to Mac or Linux, right?)

For the record, there's still no way to tell Microsoft I NEVER want this update. If I use "auto update" at all it downloads it and wants to install. So, now I'm stuck using manual update or my machine might freeze up again.

Just great.

Great

[Henry V .009]

Most people are in far more danger of their computer being destroyed by a virus than they are of it being damaged by an automatic update.

If you think this is a bad idea, then you don't realize just how stupid the great mass of computer users are. I'm sure Microsoft will make this in a way that will allow anyone who knows what they are doing to turn this feature off. But it will kill viruses and worms that exploit windows holes, that's for sure. I can't recall one that's come out in years where the patch hadn't already existed, but that users were too stupid to download.

Besides, I'm sure that recent power outages spooked Microsoft for at least a few moments. They thought: Could this have been a computer problem? Not even Microsoft has that kind of money were it to be found liable.

Perspective

[mukund]

if (company_trusts_microsoft_code())
{
use_windows_OS();
allow_auto_updates();
}
else
use_some_other_OS();

/*
junk code

bitch();
moan();
flail_arms_wildly();
*/

Yawn. "Keep my computer up to date"

[Ayanami Rei]

Circa Windows 2000, service pack 3.
By default, this already happens.

The story here is that Microsoft backed off when privacy groups thought this was a crummy idea (especially with the EULA of SP3 and XP SP1, big-brother visions abound).

Now they are saying they'd consider giving you more control over this, and to, by default, accept security-relevant patches in this manner by default.
Also, (big item), they'll ship the machines with the firewall enabled. That alone is probably the best idea they've adopted under recent community pressure.

Ideas for auto-up

[jamienk]

* Check for warez/serialz -- disable them and alert the vendors. Vendors can subscribe to "MS Auto Alert" program.

* Check for downloaded MP3s (from a database of known MD5s) -- disable them and alert the record distributors. RIAA can subscribe to "MS Locked Tunes" for service.

* Check for P2P programs -- disable them and alert local gov't authorities. Gov'ts can give big grants to MS for this as part of their "Anti-Terror-and-Pro-Business-Computers" bill.

* Check for web/ftp/irc servers -- disable them and alert ISP as to uploading violations. ISPs can join the "MSN One-Stream" network.

* Check for NAT -- diable and notify ISP... part of the push towards "MS-IPv6-PLUS!"

* Check for competitors' products (DRDOS, Java, Mozilla, OpenOffice, etc) -- disable them and alert user that their software was incompatable with the latest service pack. This one is free for end-users!

Good for home users

[martingunnarsson]

I think this is great, most Windows-users don't know what Windows update is anyway. Of course it should only distribute critical updates.
You can already have Windows download and install the most important updates on its own. I have this feature enabled on an internal webserver at work, and it works very well. It downloads the patches as they become available, then it installs them att 3 AM when there's noone visiting the server anyway.
Corporate users probably don't want a feature like this though, if a fix breaks the most critical business application, it's better to not apply it at all. They would be better off with an internal Windows update-server that only hosts the patches that has been OK'd by the tech department. This feature is already available as well.

Service Packs

[Ratbert42]

Anyone remember NT4 Service Pack 6? The first one? The one that broke tcp/ip?

Re:Service Packs

[nuser]

Anyone remember NT4 Service Pack 6? The first one? The one that broke tcp/ip?

Can you imagine the consequences?

1.Get auto patched.
2.No TCP/IP so get disconnected from net.
3.Reinstall OS
4.GoTo 1.

Familiar statistic restated - 90% of the worlds useful computers don't run windows!

People are lazy? People are stupid? Good heavens!

[lambadomy]

From the article:

"What we're finding now is that through a combination of the availability of broadband and customers wanting to stay up to date with security patches, and, most importantly, considering the kinds of threats out there now, that customers want us to keep them up to date automatically -- not just by downloading the patches for them but installing them as well."

I'm not sure who these customers are that want this...but to me this amounts to saying "our customers are lazy and stupid". Maybe I'm trolling, but...the "kinds of threats" that are out there are caused by microsoft writing vulnerable code in the first place! Sure everyone has bugs, but maybe, just maybe, they'll write a buggy patch too! I don't see how anyone could even be considering this as the default. If these people want microsoft to automatically update their computer...they can turn it on right now!

I know you hear this a lot here, but people need to either

a) have a working knowledge of their computer/operating system, including how to maintain it.
b) have their computer regularly maintained by another live human being.

This isn't that hard. People have this perception of computers as the same as their television or washing machine in terms of support - don't touch it unless it's obviously unusably broken. They don't work that way, they're much closer to cars. Sure, some people don't maintain their cars either, but those people aren't in the majority.

I'm rambling at this point, but really this is a disaster waiting to happen. What, are we going to end up testing EULAS in court finally when microsoft breaks ten million computers automagically and then says "well, you clicked the agreement"? I guess that could be agreeable. Please, I know most people here know what they're doing with their computers, but this problem is not just caused by microsoft. Educate everyone you know about the needs for computer mainenence! Make them pay you, I don't care, do something. Of course, the stupid IT department here got the worm too, so maybe it's completely hopeless.

Trust

[Mr_Silver]

The major problem here is: How many people trust Microsoft not to do "other things" whilst they're installing your patches?

Sure the tech savvy users like those who frequent slashdot (and we're ignoring the rabid fascist anti-MS zealots here) will not like the idea - but the problem that Microsoft is having is that even the general public are starting to mistrust them.

A case in point is the abysmal failure of Passport. Sure it has hundreds of users, but nearly all of them were forced into getting it because they wanted a hotmail account. Very few people actually store all their personal details on there.

Until they get the trust issue sorted, people are never going knowingly let them take control.

Bad, Bad idea

[Harbinjer]

This is a bad idea on soooo many levels

First of all is their patches. They sure as hell aren't 100%. So one day your favorite program might work, and the next day it might not. All wihtout you doing anything. This is why businesses take a while to evaluate patches.

Secondly, what if there is an exploitable bug(and there will be at least one). Every windows machine out there might be downloading viruses instead of updates. If someone were to reverse engineer the network interface, and hack a couple DNS servers, they could have all those users downloading whatever they wanted, even illegal things, or viruses, hacks, anything.

Plus there's the privacy issues. I konw that right now windowsupdate could send MS anything anyway, but if we all expect it to update any time it wants, we have no controls at all on our system, MS could send an update to lock you out of your own system if they suspect you of something, or just for the hell of it.

While I don't expect this to actually go through, its important to be wary of just how abusive such a system could be.

P.S. I, for one, welcome our new windowsupdate.microsoft.com masters.

Well, yes.

[autechre]

From the article:

"The company is 'looking very seriously' at requiring future versions of Windows to accept automatic software fixes unless the user specifically refuses to receive them..."

So yes you can "at least press Ok first." Although I'm sure CmdrTaco has nothing to worry about, since he doesn't run Windows any more, which I suppose is why he didn't read the article.

Personally, I think that this would probably be a responsible move on their part (and Bruce Schneier apparently agrees with me). I especially like the fact that they're going to start shipping Windows with the firewall enabled. As far as I'm concerned, no one should be worried as long as you can disable automatic updates and disable the firewall (though I think they should make it slightly non-obvious how to do so, so that the people this is intended to benefit won't turn it off). After all, you don't leave Windows exactly as it comes off the CD, do you? Hopefully, you'll also be able to create corporate install CDs with these features disabled if need be.

There are only two things that concern me:

1. Broken patches: What if, as has happened in the past, an update breaks the auto-update mechanism? Then they'll be pretty well stuffed. I'm not sure what to say about that other than "don't do that."

2. Dial-up users: As the article mentions, SP1a is big. Really big. I mean, you might think that the OpenOffice download is big, but that's just peanuts compared to...right. However, that was a combination of many small patches, and just like many other things in life, if people had updated incrementally as they should have, they wouldn't have a need for a giant update. Hopefully, MS will be able to keep the patch size down, and we can watch 2003 to see if they can keep the frequency down as well.

(Yes, I now have to care about Microsoft products again, which is annoying, but I might as well make the best of it).

patch reliability

[jdvernon1976]

Let's assume for a moment that everyone's fine with Microsoft deciding you need to patch your system. Your home machine downloads the patch and installs it and your machine reboots - you're patched.

Those of us that work as sysadmins/netadmins/DBAs at various companies know that when Microsoft puts a patch out on Windows Update, it's not necessarily tested out to completion. That's part of why patches take so long to proliferate - dependable administrators test them in-house, instead of depending on MS's testers. Let's face it...if Microsofts Quality Assurance team were so sharp (or listened to - it can't ALL be their fault), many of the after-the-fact patches wouldn't be necessary.

Is Microsoft going to take responsibility for auto-installed patches that a) don't work b) make situations worse? Or are they going to take the stance of "The user could've refused our auto-install, but they didn't - they knew the risks."

We all know how hard it can be to opt-out of spam - how difficult will Microsoft make it to opt-out of auto-installed patches...and for those of us that can't/don't, how sure are we that it won't make things worse?

This is the only way

[The Pim]

Microsoft and others aren't going to stop producing buggy software. (Really, the effort would be Herculean.) So when there's a hole that will harm users, and knowing that most users won't voluntarily apply patches, what are they supposed to do? Saying "you should have patched" doesn't help their image, and doesn't help computing in general. When exploits can spread across the net in minutes, it's not even tenable for sophisticated users. Having users apply their own patches is an inherently losing proposition.

What's likely to happen? Microsoft will screw up a few times, to great embarrasment, then they will by economic necessity learn how to make reliable patches. After all, their only alternative is the greater embarrasment of rampant worms and viruses. The rest of the industry (including free software) will see that it is possible, and be pressured to do the same. It may be rocky for a while, but the end result is that millions of naive users will have reasonably secury systems. This is a huge improvement over today.

actually, this won't help, in a larger sense

[Richthofen80]

The major problem with software distrobutions such as windows is that the entire OS thrives on the 'one click' philosophy. One-click update, one-click install, and one click virus infection. People are so used to windows giving them one click 'Ok' windows that they end up clicking Ok and worrying later. 90% of regular office users end up clicking okay to almost anything and installing spyware, viruses, etc.

Windows needs to 'brand' the update procedure; make it so obvious and un-repeatable by other apps, so that users are not duped.

make it the default

[mboedick]

I don't think it's a horrible idea to make automatic silent updates the default. After cleaning up some of my relatives' machines after the Blaster worm, I set them all to automatic updates. Yes, there is a chance that an update might break something, but this chance is far less than the chance of another exploit or worm trashing the system.

They just don't understand it at all and as the person who gets called when there is a problem, I'll take any proactive measures that I can to make sure things continue running smoothly.

Of course they should

[gelfling]

In fact I want MS to quietly run every aspect of my life unasked. I want multimegabyte SPs unasked. I want new and improved packaging and several dozen applet upgrades unasked. Especially the ones that break something else. I want updates to wipe out competing applications unasked. I want application changes on the fly so that file formats suddently become incompatible. I want their updates to clash with themselves. And mostly I want to pay for it.

They're just blame-shifting

[djh101010]

Instead of taking the blame for writing yet another security hole (not even a novel one at that), they're pushing it off on the customers who are behind on patches. Yes, people should apply patches for these, but maybe they could be a bit more careful in writing the OS and apps in the first place. The blame here is on MS and the virus/worm writers, not on the customers who are having both inflicted on them.

Yes, no OS is perfect. But, their attitude here seems to be "you deserve to get hit if you didn't apply the patch-of-the week".

"Why's the Internet slowed down?"

[rleyton]

I can hear it now, a phone call from my Windows/56k modem afflicted parents, "Why's it all so slow?".

To which the only real reply is "Because Bill knows best Mum. Because Bill knows best". Add to this the fact that they crank up their computer on a six-monthly basis, and would probably stop altogether if each time they did, it rebooted the PC. Not that much different from MSBlast, really.

Try pushing notices, not patches

[DanMc]

I'm sure these customers didn't know they had a problem with their PCs. That was the first fact that caused the worm to be a problem. The fact that the computers weren't patched was secondary. Instead of pushing the patches, why not be more aggressive about notifying customers, and giving us better tools to patch and scan? Asking millions of users to pull updates ALL THE TIME, or turn on an automatic pull where there are only 3 configuration options is a real lack of choice. There are lots of things in between that can be tried. If I were a home XP user, and I saw a notification, "Message from Microsoft Security: Due to a problem recently found in WinXP, You are at high risk of being hit with an intrusive virus or worm. Here is a web site with details. Here is a 1-800 number with details. To correct the problem now, press Ok." Supposing MS did give home users this easy to use scan, notify, patch utility, the only reason they would not use it is if the EULA were too scary. This is easy to fix. Put a big splash screen with "Absolutely no Information is gathered and Sent to Microsoft. To see how this tool works, click here. Microsoft will never change this policy without your consent. (Like we did with WindowsUpdate)" We shouldn't have to wait long to see an analysis of Blaster, but I am going to guess that the majority of infection vectors came from business or academic Win2000 installations. WinXP systems crashed so much, they weren't efficiently spreading the worm. So corporate tools to fill this middle ground need to be improved. The hard to learn and use tools like IIS lockdown, hfncheck, etc need to be seriously overhauled. At work, I would love to have a non-web-based WindowsUpdate SCANNER, and a separate PATCHER. They'd be easy to use with a GUI, but also have command line options so they could be used in scripts. (SUS isn't what I'm talking about, because it is browser based, and the process is still a pull. The only way you can push an important update is to go to each server, or set the servers auto-pull frequency really high) I also wonder if MS is afraid that making system maintenance too easy might cut in to their SMS server sales?

5 words for you ...

[Abm0raz]

Windows NT service pack 6

[RANT]
Remember this gem? All the people that installed it had inoperable machines. It was so bad that it was recalled *6* hours after being posted. Then a week later came SP6a. I definitely do *NOT* want them pushing crap to my machines. I have no problem getting my own updates. Set up auto-update by default, but let those of us that know what we're doing be able to turn it off. I'm all for (l)users getting crap in general (not necessarily viruses/virii). Maybe that will get them off computers and leave them to the experts.

How come everyone and their brother is allowed to operate a computer at will, but I need a license to fish?

[/RANT]

-Ab

Ugh

[ViceClown]

This is a terrible idea. My brother is a sys admin and 9 times out of 10 the microsoft update patch breaks some or all of the 3rd party software installed like Backup Exec, anti virus.... you know... the minor things ;-)

Yes, But Not MS

[4of12]

I think forced immunization of vulnerable open machines on the network is a good idea, under the right conditions.

After public notification of the nature of the vulnerability.

After a patch has been made available and notices posted, sent out.

After a user or sysadmin keeps their machine unpatched and exposed.

After a second warning has been posted, sent that forced patching will occur.

Then, and only then, a worm-delivered patch should be administered.

But it should not be administered by MS, though they were responsible for the vulnerability.

MS is a profit oriented business, whose goals include many actions directed towards increasing their own profit in the long and short term, as well as fixing software that users have bought from them.

No. It should be role of people responsible for network health, because that is the public good that is impacted. As a public, non-profit entity, they would be free of conflict of interest, financial considerations. If MS were to administer remote administration in this way, they would be opening themselves up to conflicts of interest, particularly because of the monopoly market position they hold.

Uptime

[ka9dgx]

I remember the last big M$ push when they were saying how great their Uptime was. 99.9999%?

If I have to reboot my servers every time a major bug hits (3 times/year) for 5 minutes, that's bad enough. (99.9971% availability) If I have to reboot the servers every week, now we're down to 99.95% uptime.

This, of course, doesn't count downtime or technical support issues caused by workstations missing their server connections, or the patches that didn't happen in time, or any of the various other factors that help kill capitalism, and endanger our National Security.

--Mike--

Re:This is better than OS X

[jesboat]

Let's start with the windowing environment, since that is the first thing users will notice. While both KDE and GNOME are mature, stable, and accepted as IEEE standards, Apple has elected to use neither. In fact, they don't even use X at all! Their display system is a proprietary, closed-source system called Quartz Extreme. In addition to the moral issues involved with closed software, this precludes the user from running X apps. There is an untested and alpha-quality X11 emulation layer available for download, but it is emulation, so programs will be slow. Does this sound like a standards-based system to you?

Actually, it's quite good. You'll note that it's emulating only the X11 libraries, really even only the X11 server itself. The slowdown of having X apps pass through that layer also occurs on Linux, *BSD, or any other OS. KDE and GNOME may be open standards, but they're not as nice-looking as Aqua, and the WindowServer that runs Apple's windowing system, is, AFAIK, part of Darwin, and thus open.

Looking under the hood, it gets worse. While all other *nixes use standard ELF binaries, Darwin (Apple's name for their proprietary "Unix" kernel) does not. It uses Mach-O, an unproven format that is proprietary to Apple. The moribund FreeBSD, off which OS X is based, uses ELF, so clearly Apple went to the extra effort of "switching" (heh) simply to break compatibility. With ELF, users would be able to run most of their Lunix apps; with Mach-O this is impossible. Additionally, Apple has moved most configuration info fromhuman readable text files into a proprietary database called "NetInfo", which is much like the Windows registry we all loathe. Why? These are only a few of the ways that Apple has deliberately broken compatibility with other systems, presumably in order to lock users in to expensive Mac hardware.

Darwin is not a kernel, Mach is the kernel. You'll note that it's the same micro-kernel that GNU Hurd uses, and if Hurd isn't Unix, what is (nowadays)? Darwin may be based on FreeBSD, but the kernel is Mach, which isn't. Also, you seem to be overlooking that most Linux programs are compiled for Intel processors, not PowerPCs. Thus, they wouldn't run anyways. However, most do compile with little or no modification. Netinfo is never used directly. Requests are handeled by lookupd, which uses Netinfo, but searches flat files (/etc/passwd, /etc/hosts, etc.) first. Netinfo also allows networks that share common printers, hosts, network configuration, users, mounts, etc. to be constructed easily. Unlike the registry, Netinfo is documented, and has manipulation utilities, for both the command line and the GUI. And, it's never gotten fscked up (for me.) Mac hardware may be expensive, but- it's better. Even the Linux people who use Linux on Macs agree it's faster, better, etc. on a Mac. Macs are more durable, featureful, more standard, and "just work" more and don't work less.

When we factor in the threat to users' civil liberties that is posed by the DRM included to support the iTunes Music Store (do you really think it will end there?) it is obvious that real *nix gurus should give OS X a wide berth. Caveat emptor.

Okay, find music for that cheap on Linux (while still supporting the artisit. It's hard. The music industries wouldn't stand for a service without DRM, and you'll note Apple is pretty darn nice. Unlimited CD burns (but no more that 10 for the same playlist), 3 computers, unlimited iPods. Plus, AACs are MPEG-4, which is darn good quality, and darn small file size. I would never use Windoze, and always like Linux. But for me, Mac OS X is a great UNIX, and is all I need it to be.

It would seem youhaven't taken a close enough look at Mac OS X.

Moderators: Mod me down troll all you want, but mod the parent down troll as well.

Re:M$ worm.

[Frymaster]

I don't want anything installed on my system without my permission too.

well, technically you give permission when

1. you agree to the eula
2. you don't activate the opt-out option

i agree that not knowing what's getting put on your machine is irksome, but this idea has sprung from two problems that everyone here is very aware of:

1. people don't do their patches! blaster is all over the news yet a casual poll of my non-geek friends (the windows ones at least) showed that only one had done the patch!
2. joe avg. user doesn't know what half this stuff is anyway? he can get an "agree?" box but he doesn't know what he's agreeing to anyway. the thinking is that the savvy will go for the opt out.

now, having said that, i hate the idea on principle... but i can understand why redmond thinks it's a good idea. they're taking a beating in the press over security and they've determined that the real problem (rightly or wrongly) is the end user - so now they have a "solution"

Re:M$ worm.

[Paleh0rse]

I think, in light of recent events, the default settings for operating systems should be "kid gloved".

Idiot proof everything, like the way the standard RedHat install sets up all basic command line functions to be verbose by default. And then as you learn more about what you're doing you can set these preferences to something else.

Don't forget, people, in general, hate to A) Read and B) Learn

Then, as the user becomes more proficient, s/he can set things up the way they like.

Think about it, if you don't know enough about something to know how to turn it on or off, do you really think you should be able to choose if it's on or off?

Re:M$ worm.

[EpsCylonB]

but i can understand why redmond thinks it's a good idea. they're taking a beating in the press over security and they've determined that the real problem (rightly or wrongly) is the end user - so now they have a "solution"

I don't want to stick up for MS or anything but the problem is the user. If there is a patch availiable and the user doesn't install it then it is the user's fault (even if the user is ignorant).

The way I see it there are two obvious solutions...

1. Force the update on people.

2. People should have to have a licence to own a computer and take a test so that they understand security issues. Now I realise that sounds a little extreme but if you take into account the the cost in bussiness that worms cause then it might be a good idea. It would certainly get rid of the ignorance defense.

Re:M$ worm.

[jazman_777]

People should have to have a licence to own a computer and take a test so that they understand security issues. Now I realise that sounds a little extreme but if you take into account the the cost in bussiness that worms cause then it might be a good idea. It would certainly get rid of the ignorance defense.

Clearly the technology's simplicity is oversold. "Anyone can use it!" Hey, how about some intelligence/knowledge requirements for voting? Right now, just anyone can vote.

Re:M$ worm.

[SmallFurryCreature]

People undertake training and a test to verify that they can drive a car. How many people die on the road each year due to people being incapable of handling their car? So much for testing people.

What I find really odd is that we threat computers so differently from the real world. If a real product is found to have a defect then a recall notice is published in all major newspapers (in europe don't know about rest of world) and you can return the faulty product for either a replacement or your money back.

Granted if software companies had to do it this way they would all have gone bust. Or maybe they would invest in real testing. Real testing is not to see if something works but to see if you can break it. When I hear excuses like people using the product wrong as an explantion for bugs I get pissed off. You are not supposed to bite the nose of a teddy bear and then swallow it. Nonetheless this is exactly what is tested against. A product should be safe to use or clearly labelled to indicate who it shouldn't be used by.

I think it says it all that unlike almost everything we buy in the netherlands, software is not tested by a goverment/indepedent organisation. Everything else is. Clothes, cars, books, movies, toys, furniture, food etc etc. But software and hardware are not.

Think this is a strange notion to test software by a central organisation? This what all the consoles do for their software. Oh and please don't mention MS certification, this are just logos you can buy.

Re:M$ worm.

[E-Rock]

I guess it depends on what you're calling a defect. If someone comes along and pours sugar into your gas tank your car won't keep running right. Is that a recallable defect?
If someone sends a particularly malformed request to a process on your machine it won't run right. Is that a recallable defect?
I'd say no in both cases.

Re:M$ worm.

[Lord Kholdan]

If 90% of the consumers cant drive the new CarX is the fault in the consumers or in the car?

If 90% of the users don't know how to make a call in their new cell phone is the fault in the users or in the cellphone?

If 99.99% of the users cant read a book written in latin should we:
a) Translate the book
b) Teach everyone latin

Only people who would even consider option b are computer engineers.

If you don't like the fact that most people are ignorant about inner life of computers? Go back to BBSes. Oh wait, they dont have the content, the people, the cheap connectivity? Has it occured to you that those exist because internet is full of people! You cant have it both ways.

If companies think being on the internet is dangerous who forces them to put critical services there? Maybe they are there because the gains outweight the benefits?

And before you throw in the facts about traffic laws... Majority of drivers are in favor of some sort of laws existing, I'd even bet that they support the majority of the current laws. What you'd want is a law supported by the few, benefitting the few, paid by the majority (in work hours wasted studying computer security).