Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
Security Microsoft Windows IT Technology

Oil Changes, Safety Recalls, and Software Patches (daemonology.net) 129

An anonymous reader shares a blog post: Every few months I get an email from my local mechanic reminding me that it's time to get my car's oil changed. I generally ignore these emails; it costs time and money to get this done and I drive little enough -- about 2000 km/year -- that I'm not too worried about the consequences of going for a bit longer than nominally advised between oil changes. I do get oil changes done... but typically once every 8-12 months, rather than the recommended 4-6 months. On the other hand, there's another type of notification which elicits more prompt attention: Safety recalls. There are two good reasons for this: First, whether for vehicles, food, or other products, the risk of ignoring a safety recall is not merely that the product will break, but rather that the product will be actively unsafe; and second, when there's a safety recall you don't have to pay for the replacement or fix -- the cost is covered by the manufacturer. I started thinking about this distinction -- and more specifically the difference in user behaviour -- in the aftermath of the "WannaCry" malware. While WannaCry attracted widespread attention for its "ransomware" nature, the more concerning aspect of this incident is how it propagated: By exploiting a vulnerability in SMB for which Microsoft issued patches two months earlier. As someone who works in computer security, I find this horrifying -- and I was particularly concerned when I heard that the NHS was postponing surgeries because they couldn't access patient records. [...] I imagine that most people in my industry would agree that security patches should be treated in the same vein as safety recalls -- unless you're certain that you're not affected, take care of them as a matter of urgency -- but it seems that far more users instead treat security patches more like oil changes: something to be taken care of when convenient... or not at all, if not convenient. It's easy to say that such users are wrong; but as an industry it's time that we think about why they are wrong rather than merely blaming them for their problems.
This discussion has been archived. No new comments can be posted.

Oil Changes, Safety Recalls, and Software Patches

Comments Filter:
  • Article? (Score:5, Informative)

    by silverkniveshotmail. ( 713965 ) on Wednesday June 14, 2017 @01:33PM (#54618853) Journal
    This isn't an article, it's a blog, nothing of any consequence is revealed or detailed.
    • This post could well have been a comment on another Slashdot story that would have not even deserved a +5... Uninteresting, but there's a car reference, so let's make a "story" out of it!
    • It says "An anonymous reader shares a blog post"
    • No something very critical is revealed: The poster fundamentally doesn't understand the risk profile of a safety recall.

      He seems to imply that vehicle safety recalls mean that suddenly from one moment to the next he is incredibly unsafe and therefore should stop his activity immediately and send his car for a recall. This isn't the case. In nearly all recalls the car is no more unsafe after the issuance of a recall as it was before the problem was discovered.

      Likewise he postulates that people treat safety r

    • I don't even think the analogy is valid. I, and most people I know, have automatic security updates turned on, and many OSes come with that as the default, so even dumb people get them automatically. I don't even know if I get an update, unless it requires a reboot. The main culprits that don't have auto-update turned on are some Windows users, because Microsoft has a bad habit of abusing the update process to push out annoying marketing crap.

      • I don't even think the analogy is valid. I, and most people I know, have automatic security updates turned on, and many OSes come with that as the default, so even dumb people get them automatically. I don't even know if I get an update, unless it requires a reboot. The main culprits that don't have auto-update turned on are some Windows users, because Microsoft has a bad habit of abusing the update process to push out annoying marketing crap.

        I have notifications turned on but I wait a few days before installing patches. That gives some time to hear from early adopters if the latest batch of updates from MS is likely to trash my system

    • by bigtiny ( 236798 )

      I think that one problem (at least in MacOs land) is that security fixes are usually bundled with 'other' fixes in OS updates. I think a lot of people think that they might want to hold off on installing new features and such, and therefore postpone the updates. I think Apple should issue OS updates and Security updates so that a user can keep up to date on security even if they are slower to adopt complete OS updates. This might result in more people keeping their Macs up to date with security patches. Jus

      • I want to mod you up, but I hope adding my voice will be more effective at getting others to do so.

        Between the two Apple fists of 1) requiring feature releases to receive bug fixes and 2) having my essential jailbroken features forcibly removed if I "upgrade", I still run a version of iOS on my iPhone that is at least three major versions (and dozens of minor releases) out of date.

        The idea that I must acquiesce to Apple's UI design changes to get essential security updates borders on the criminal. I'm stil

  • Maybe we could get crash test ratings with dummies too?
  • by Anonymous Coward

    You can change your oil every 10 to 15000 km if you are driving a lot. If you are driving very little and the engine seldom warms up properly, then the problem is that you get water in the oil which doesn't evaporate, so you got to change oil more frequently. So, it is a judgement call, not an exact science. Oil is much cheaper than a new engine though...

    • by TWX ( 665546 )

      It does not take much driving to heat-up the engine enough to remove water. If the trip is more than say, 10 miles or 10 minutes, whichever comes first, the engine has been heated up enough.

      The restored cars we have get their oil changed every couple of years. They get driven very little. Even when we do change it that oil is probably still perfectly usable, we just change it because we don't know the upper limit on the longevity of the oil after it's been used.

      The reason for the timetable is that most p

      • Factory renegade keep oil is 7500 miles between changes.

        But what this article fails to note is how much of a pain in the ass it is for a person who works 5 days a week between the hours of 8-5 to go to a service center that does warranty work. You have to schedule it in advance take a day off of work which in 50% of the population means a days less pay to let them poke around for a couple of hours. Most dealerships keep some Saturday hours but they are full fast. I have to plan my oil change out at least

        • I usually do drop-off, pickup service.

          If your family has two cars, and can juggle the requirements, drop the car off of the night before, and pick it up later in the evening (frequently service closes at 5, but sales closes at 9, and can process payment for service). Alternatively I've dropped my car off at the dealer on the way to work, had a co-worker pick me up, then have them drop me off on the way home (I've also done the same for coworkers).

          This won't work in 100% of circumstances, but working 8-5 doe

      • The reason for the timetable is that most people are not very good at looking at their odometers, but they are capable of noting a future date in a calendar and taking action on that date. It's also why a lot of newer cars with computers in them will tell you when they need their oil changed instead of relying on a schedule.

        My car's computer is based on 12 months or 10,000 miles, they the dealer always applies a sticker for 6 months, 5,000 miles. I usually end up changing it half way inbetween.

    • I'm wondering who is giving out there email to all these different people/places in the first place?!?!

      My mechanic has not need to know any of my fucking email addresses...

      I have some throw away accounts I used for registering for things online that might be fun or get me a prize, but aside from that, I rarely give out an email address unless it is a person/friend I genuinely want to converse with on a regular basis.

      No wonder this guy in the article seems to get spammed a lot...

      • Wait, what? LOL you go to a mechanic? Not for everything, I hope?

        One of the stupidest things I've done was have a lift installed in one of my bays. Do not do that!

    • Re:Oil changes (Score:4, Informative)

      by turbidostato ( 878842 ) on Wednesday June 14, 2017 @02:23PM (#54619475)

      "You can change your oil every 10 to 15000 km"

      More like 25.000Km, even for some cars as old as the century.

      • Re: (Score:3, Funny)

        by Anonymous Coward

        Something's not right. If I travel 8.53 cm at 20C, then that's 25 kelvin-meters traveled, and according to you I should be changing my oil?

      • Try 35,000km and my car is 10 years old, and the manufacturer makes no assumptions about the quality of the oil I put in.

    • The manuals for both my 2001 Honda Civic EX and 2002 Honda CR-V EX specify oil changes every 10,000 miles of normal driving. I used to to that when I drove more, but now I drive *much* less - probably around or less than 1,000 miles / year on each - and get the oil changed once a year when I take them in for their annual state safety inspections. My service rep says this is acceptable for my usage. Currently, the Civic has about 120k miles and the CR-V has about 45k miles on them -- the CR-V was my wife's c
    • by mjwx ( 966435 )

      You can change your oil every 10 to 15000 km if you are driving a lot.

      Depends on the car, depends on the oil, depends on the conditions. Less so on your driving style.

      My stock standard non-turbo 3L BMW petrol using fully synthetic oils tends to last 10-15,000 miles in the UK without sludging. My last car was a 2L turbo modified Nissan Silvia back in Australia, I did the oil on that every 5,000 KM.

      Synthetics last longer than mineral oils, engines that get stressed (I.E. highly modified ones) are less tolerant of bad oil and dusty environments like most of Australia tend

  • When you have companies who ignorantly and gleefully outsource their IT staff to cheaper alternatives, thinking they'll magically get the best of both worlds, more money for them, and same level of service, you should expect this.

    You get what you pay for. Literally. If it's cheaper, there is a reason. When you have competent, experienced IT staff who care about their work and take pride in security and performance, they cost more. Why? Because they know they can get it, and it will save companies money. Ev

    • Outsource doesn't automatically mean cheaper or India there are outsource companies in the US and Europe and they can be more expensive. They just call themselves logistics companies to distance them from the word outsource and they run anything from call centers, ware houses, repair facilities, IT, payroll, you name it but yes you get what you pay for.

      • by Tyr07 ( 2300912 )

        I haven't seen it ever mean not cheaper. It doesn't have to be India, there's call centers in Canada even, but any place that performs outsource work that I've seen is low wage employees, usually people with not a lot of experience.

        I know people who work for them first hand in north america.

        • Low wage is relative... I live in the mid-west have a nice house w/garage and a yard etc... and my son that lives in San Francisco who makes more than me is broke and lives in an little apartment that's costs him more than twice my mortgage.

          • by pnutjam ( 523990 )
            Yeah, but alot of that difference is renting vs owning. I live in the Midwest, make good money and rent. It costs me almost double what people who have owned a home for 15 years pay on their mortgage.
            • I will grant you that you could expect to pay 1.9 to 2.2 times as much to rent a similar house for or about the same as my mortgage or for a cheap 1 bedroom apartment locally but my son's cheap 1 bedroom apartment for the area he lives in costs about 2.4 times as much as my mortgage and a similar house would sell for triple what I payed.

        • by Altrag ( 195300 )

          Which is why outsourcing generally sucks. Its not a question of "outsourcing is cheaper" in general, its a question of "we want cheaper labor" and outsourcing to a cheap firm is a way to do that.

          But you still get what you pay for. If you outsource to a firm that has competent employees you'll generally get a reasonable product (or service) from them -- but you'll be paying similar rates to the staff you replaced. Maybe more since the outsourcing firm will want its cut on top of their worker's salaries.

  • The analogy is great, until you go to the end of the life of the given software. Like XP for example, it has reached end of life, so no patches are available for it any more. Many android devices are instantly end of life, without any patches being released for them.

    The security issues are not solved until you remove all deployments of software and hardware that have reached end of life. The only way to get this done is enforcement by law. In order to make actual comparison of products possible, manufacture

    • So don't fucking run end of life software in safety critical situations...

      Or in fact... at all.

      • Exactly. Just like people who are driving vehicles over ten years old. They've reached their end of life. The manufacturer is no longer supporting them. Go get a new car, or at least a recent used one.

        Money is free so there's no problem continually buying something new.

        • If you're putting your own life in danger by driving a 10 year old clunker, that's fine. If you're putting customers into 10 year old clunkers, that's a problem.

          Same with any other safety critical software. If you're putting customers (or taxpayers) lives in the hands of these systems, then you need to make sure you keep it up to date and secure.

        • by anegg ( 1390659 )

          A ten year old vehicle that has been maintained reasonably well is no where near the end of its service life. I currently have a 2000 model Dodge Caravan with 210k miles, and a 2000 Toyota 4Runner with almost 250k miles. Both are ok for regular use with a slightly higher expectation on my part that the Dodge's transmission is going to fail sooner or later. I take that into account when I use it. The 4Runner is still a daily driver; the Dodge has been relegated to non-time-critical uses such as occasiona

  • Industry (Score:5, Insightful)

    by Dunbal ( 464142 ) * on Wednesday June 14, 2017 @01:44PM (#54618981)

    but as an industry it's time that we think about why they are wrong rather than merely blaming them for their problems.

    No. As an industry you have to think about a company like Microsoft who willfully waited over a DECADE to patch a KNOWN vulnerability which it was TOLD about a long time ago, but CHOSE to ignore - cos, security by obscurity at best, or intentional back door at worst. This should not be about "the patch has been out 2 months why haven't people patched" it should be about "Why did Microsoft wait until news of the vulnerability leaked before bothering to issue a patch".

  • by Waffle Iron ( 339739 ) on Wednesday June 14, 2017 @01:47PM (#54619021)

    That interval seems like a total waste of oil. I have an old vehicle for hauling stuff that gets driven about 1000km/year, and I might change the oil every five years. I know that's probably "bad", but the engine hasn't broken yet. In fact, I think that the only work I've ever had done on the engine over almost 20 years is change out the timing belt (at twice the recommended age, but still below the mileage limit). I do keep it in a garage and always run it until it's thoroughly warmed up.

    • by sinij ( 911942 )


      Oil degrades with time and mileage.

      You can thank EPA emission and fleet fuel consumption guidelines, but new engines are a lot more finicky. For example, direct injection - this technology marginally improves emissions while reintroducing issues of sludge and chain failure. Synthetic 0w20 oil is also problematic - it is too thin for manufacturing tolerances and results in engine oil consumption due to blow-by past piston rings. Combine all of these issues - and I wouldn't expect any new truck to last with
    • Re: (Score:2, Informative)

      by Anonymous Coward

      One of the reasons you change your oil regularly, even if you are not putting a bunch of miles on your car, is because of the increasing levels of contamination in the oil by gasoline. Every time the engine is run small amounts of gasoline contaminate the oil. The gasoline affects the ability of the oil to lubricate and therefore contributes to excessive mechanical wear.

      Additionally, the additives in the oil that improve it's viscosity performance, help it fight corrosion and add other beneficial effects do

      • by Anonymous Coward

        If the engine is not running the oil can't get contaminated by fuel

    • I know that's probably "bad"

      Why do you know it's "bad" other than what a mechanic has told you? Just how much do you expect refined oil to degrade? Additives in oil have a shelf life, but that shelf life is typically slightly in excess of 5 years.

      Your situation is not normal. Most cars would hit the km point to change the oil and remove wear contaminants from the engine oil. But you shouldn't feel guilty about changing your oil every 5 years.

    • You should have an oil analysis done, e.g. by Blackstone Labs. Then you will find out if you're damaging your engine or not. Your oil might even go longer but there's no way to know without an analysis.

  • Blame Microsoft (Score:5, Insightful)

    by monkeyxpress ( 4016725 ) on Wednesday June 14, 2017 @01:47PM (#54619027)

    I had no problem letting Windows 7 update itself automatically until Microsoft started incessantly nagging me about changing to Windows 10, and news of their telemetry patches came out. Oh, and the whole installing patches for 5-10 mins while you're trying to shut your computer down (always seemed to be before I needed to go somewhere) was pretty dumb as well.

    Microsoft took security updates and started abusing them for their own nefarious purposes. This, combined with their propensity to produce rubbish software, has created a dangerous situation for customers, and just goes to demonstrate that Microsoft has not moved on from producing extremely poor products in more than 30 years.

    Hopefully a few more Nokia style implosions and we can see the end of this company.

    • by hackel ( 10452 )

      Yet you still choose to support them and run their operating system, which you admit is an extremely poor product. Come on...

      • Yet you still choose to support them and run their operating system, which you admit is an extremely poor product. Come on...

        Right, because solidworks and powerpcb run on OSX do they?

        FYI, I run windows in parallels now, so you can calm down.

    • Jeez, I wish I had modpoints to mod you up!!! You are sooooo damn correct!!! I used/supported Windows for 20 years as a sysadmin.. When I retired in 2010, I was dual-booting Win7 and Linux, and due to being stuck using Windows at work day-to-day, by inertia I tended to spend most of my computer use at home on Win7 also. After being annoyed endlessly by Windows insisting upon taking a lot of time updating itself when all I wanted to do was shut the $#%@#$!% damn laptop down and get on with my day, plus a LOT

  • Forcing idiot Windows to install updates automatically is the right way to go. It shouldn't be possible for people to disable them, including and especially in corporate environments. I use unattended-upgrades to automatically install security updates on all my machines. Android is a bit of a concern still, unfortunately. Not only do they give users a choice they make it a ridiculously complicated process due to their use of signed system images. This needs to go away, to make installing security updat

    • Until Windows is refactored such that it isn't necessary to reboot the operating system every time there's an update, updates need to be optional.

      In 1995, it was considered a bug that the latest version of Windows at the time would crash and reboot after 100 days or so. Now people are patting Microsoft on the back for building an operating system that reboots every week, frequently more than once a week. This needs to stop.

      • In 1995, it was considered a bug that the latest version of Windows at the time would crash and reboot after 100 days or so

        In 1995, it was considered highly unlikely that you'd ever encounter such a bug while running Windows.

    • that would be fine if windows would would only limit the auto updates to security patches. I don't care about "feature updates" or "creator's updates" I just want security patches.
    • by Khyber ( 864651 )

      "Forcing idiot Windows to install updates automatically is the right way to go. It shouldn't be possible for people to disable them, including and especially in corporate environments."

      If only Microsoft limited itself to actually updating what it's supposed to, instead of rooting around your system and deleting shit it has no fucking business deleting.

      So I've got great reason to disable Windows 10 updates - they find programs you have installed, remove them, replace them with their competing product, and at

  • by DodgeRules ( 854165 ) on Wednesday June 14, 2017 @01:54PM (#54619111)

    With the huge recall in airbags, I have not heard of one replaced airbag rendering a car inoperable requiring the owner to pay to have someone diagnose and repair the incompatibility. How many times have we heard of a computer security patch causing a BSOD or computer crash because of bad or incomplete testing from the manufacturer?

    Some people wait and verify that a security patch doesn't end up as the next story on Slashdot rendering thousands of PCs unusable because "Oh, the patch seems to be incompatible with [fill-in-the-blank]".

  • The difference is that when you get a safety recall, only those things related to the safety recall are fixed (replaced). You get a security update for Windows and without a lot of time and effort to understand what all is rolled up in that patch, heaven only knows what else (telemetry?) you are getting.

    • Vaguely related rant:

      Honda called me for an airbag recall a year ago. Set up appointment to get airbag replaced.

      Arrived early Saturday morning- they didn't have any airbags in stock and had put me down for an oil change that I didn't want from them. Waste of an early morning. They told me they would call me when they had the parts but it could take a few months.

      A year later, got another airbag recall- called to confirm it was to replace a different airbag to the one they never replaced before tha

    • The fun part about automotive recalls is when they issue the recall, and then don't have the parts on hand to *service* that recall... I just traded in a 2012 Ford Escape which had an outstanding recall, where I'd received the initial notification letter from Ford over a year ago telling me to wait for another letter telling me to go to a dealer and have the fix applied. This recall being, of course, the now-famous Takata airbag issue. This Escape was in immaculate condition, with only 28K miles on it. Havi

  • by jargonburn ( 1950578 ) on Wednesday June 14, 2017 @02:03PM (#54619239)
    I like the analogy, but you missed a step. In this instance, you aren't the client with the car (that's the business/environment). YOU are the mechanic. The problem is, the manufacturer (Microsoft) ISN'T paying for what's being fixed in the safety recall; the customer still is. They have to pay you for testing, deploying, and verifying the replacement. Which means they'd rather not.
    • Double inconsistent analogy.

      The security update is more like the oil change. The safety recall has nothing to do with it and is done as a convenience by people anyway.

      If the OP is changing oil anywhere near as often as he recommends in his post then he sounds like the type of nutter running multiple antivirus programs in parallel, cleaning his registry on a weekly basis, and running a defrag while another defrag is going on in the background. He's a maintenance nutter.

      I drive 25,000km/yr I put my car in for

  • by Anonymous Coward

    So.. The last twenty years, how often have you brought your car in for a safety related recall. Once? Twice?

    And how many times has Microsoft issued a security patch? Note that to bring that number down, they stopped issuing separate patches, and bunch them together for patch tuesday. This way they rate limit it to max once a month.

    Every time you install a patch you risk losing access to features that you use. A while back a windows-10 patch broke internet connectivity. THAT is something a /lot/ of people no

  • by Anonymous Coward

    If i sometimes sent my car in for a safety recall and when I got it back the heated seats I installed in it didn't work anymore and the mechanics shrugged, gave me attitude, and refused to explain what they had done, then I wouldn't take my car in for safety recalls very often. Oh, and then you find out that it wasn't really about security, it was really about adding DRM to your radio.

  • I started reading that rambling summary, and stopped halfway through. Summaries are usually brief and concise, not rambling and long. There may be something worthwhile in that article or blog or whatever, but I really don't want to wade through someone's keyboard diarrhea to find it.
  • I might delay oil changes, but not that long. I do them as soon as I have time after they're due.

    With safety recalls, it depends on the recall. If the airbags are in imminent danger of exploding and sending shrapnel into my GF and myself, I'll take off work ASAP to get that fixed. If there's a slim chance of my doorlock breaking, I might wait until my next day off, same as with the oil.

    With software patches, I want to fix them quickly, but I also want reasonable assurance that they won't cause my

  • then watch out how that person buy toyata bike
  • I'm shocked no one explained how an EV would solve every one of your problems. No EV needs to be serviced ever.
    • EV's still needs servicing. Breaks pads still need replacing. Shock absorbers still need replacing. Battery packs need replacing. Wiper blades need replacing. Lights need replacing. Lots of things still need replacing because they wear out. Then there are the parts that need lubrication. If you don't lubricate them they wear out faster. They just don't have a ICE that needs servicing.

  • There should be some reasonable limit to the admissible frequency of safety recalls or software patches and the article barely touches that making the article incomplete. The article doesn't change these two truths:

    1. Oil change is a natural requirement. Safety recall is 'man made' due to somebody's shortsightedness.

    2. Harassment is harassment.

    My intention is not to be stringent, but to be open to negotiation. I believe more than an average of one software patch every 2 months (your tolerance may var
  • The problem is that oil changes are relatively benign. Oil changes extend the life of your vehicle by reducing wear on the internal components.

    Software updates make fundamental and permanent changes to the software on your computer, which means they're a lot more risky than oil changes.

    This is further exacerbated by the fact that companies now-a-days feel that it's ok to throw whatever they feel like into patches, consequences be damned. Microsoft is a posterchild for this, where their "updates" add unwan

  • I think this is very subjective and depends on your point of view. For one person an oil change or a car recall may seem like no big deal, something to be put off until convenient. However I imagine the dealer and your mechanic would view it much more seriously. We are talking about maintaining a large, complicated machine capable of killing people should it malfunction. And you want to complain I didn't update some random thing I don't understand on my computer in the back office? I have customers who
  • You do an oil change after 30,000km - 60,000km or after about 3 (to 5) years, what ever comes more early.

  • Most car owners don't take their car in every so often for oil changes nor do they go in for safety recalls, most people will ignore it until the light comes on or a safety inspection is required, according to NHTSA it's ~20% of people that don't heed safety recalls.

    Same goes for people and their vaccines, when was the last time you got your tetanus shot or any of the boosters? So why would you expect them to do the same for their computers, a machine they assume is even less maintenance-worthy than their d

  • I suspect the only way to get widespread patching of security issues is to have Windows have a sliding scale of how long you can delay a security patch for (e.g. 1 week for critical, 4 weeks for medium and, say, 13 weeks for low - and let the user set them lower than that if they want), but ultimately insist that security updates *must* be auto-applied by the end of the delay period (with pre-update warnings if an update is due to be applied in the next day or two). Microsoft would still be criticised for "

    • some forcing is necessary because some people will turn off all automatic updates and never update (or update very rarely).

      How does the fact that some people will never update mean that forcing them is necessary? It's their machine, if they don't want to update, that's their choice. There is zero excuse for forcing people to do it.

  • Companies who do not release security patches alone, but insist on folding them into updates that effect larger changes (feature additions, UI changes, etc.), are a factor for many people. Those who do not want to apply patches that make large changes to their systems will also not get security updates.

If I had only known, I would have been a locksmith. -- Albert Einstein

Working...