Oil Changes, Safety Recalls, and Software Patches (daemonology.net), 2017-06-14
An anonymous reader shares a blog post: Every few months I get an email from my local mechanic reminding me that it's time to get my car's oil changed. I generally ignore these emails; it costs time and money to get this done and I drive little enough -- about 2000 km/year -- that I'm not too worried about the consequences of going for a bit longer than nominally advised between oil changes. I do get oil changes done... but typically once every 8-12 months, rather than the recommended 4-6 months. On the other hand, there's another type of notification which elicits more prompt attention: Safety recalls. There are two good reasons for this: First, whether for vehicles, food, or other products, the risk of ignoring a safety recall is not merely that the product will break, but rather that the product will be actively unsafe; and second, when there's a safety recall you don't have to pay for the replacement or fix -- the cost is covered by the manufacturer. I started thinking about this distinction -- and more specifically the difference in user behaviour -- in the aftermath of the "WannaCry" malware. While WannaCry attracted widespread attention for its "ransomware" nature, the more concerning aspect of this incident is how it propagated: By exploiting a vulnerability in SMB for which Microsoft issued patches two months earlier. As someone who works in computer security, I find this horrifying -- and I was particularly concerned when I heard that the NHS was postponing surgeries because they couldn't access patient records. [...] I imagine that most people in my industry would agree that security patches should be treated in the same vein as safety recalls -- unless you're certain that you're not affected, take care of them as a matter of urgency -- but it seems that far more users instead treat security patches more like oil changes: something to be taken care of when convenient... or not at all, if not convenient. 
It's easy to say that such users are wrong; but as an industry it's time that we think about why they are wrong rather than merely blaming them for their problems.
You can change your oil every 10,000 to 15,000 km if you are driving a lot. If you are driving very little and the engine seldom warms up properly, then the problem is that you get water in the oil which doesn't evaporate, so you have to change the oil more frequently. So, it is a judgement call, not an exact science. Oil is much cheaper than a new engine though...
When you have companies who ignorantly and gleefully outsource their IT staff to cheaper alternatives, thinking they'll magically get the best of both worlds, more money for them, and same level of service, you should expect this.
You get what you pay for. Literally. If it's cheaper, there is a reason. When you have competent, experienced IT staff who care about their work and take pride in security and performance, they cost more. Why? Because they know they can get it, and it will save companies money. Ev
Outsourcing doesn't automatically mean cheaper or India; there are outsourcing companies in the US and Europe, and they can be more expensive. They just call themselves logistics companies to distance themselves from the word "outsource", and they run anything from call centers, warehouses, repair facilities, IT, payroll, you name it. But yes, you get what you pay for.
The analogy is great, until you go to the end of the life of the given software. Like XP for example, it has reached end of life, so no patches are available for it any more. Many android devices are instantly end of life, without any patches being released for them.
The security issues are not solved until you remove all deployments of software and hardware that have reached end of life. The only way to get this done is enforcement by law. In order to make actual comparison of products possible, manufacture
but as an industry it's time that we think about why they are wrong rather than merely blaming them for their problems.
No. As an industry you have to think about a company like Microsoft who willfully waited over a DECADE to patch a KNOWN vulnerability which it was TOLD about a long time ago, but CHOSE to ignore - cos, security by obscurity at best, or intentional back door at worst. This should not be about "the patch has been out 2 months why haven't people patched" it should be about "Why did Microsoft wait until news of the vulnerability leaked before bothering to issue a patch".
That interval seems like a total waste of oil. I have an old vehicle for hauling stuff that gets driven about 1000km/year, and I might change the oil every five years. I know that's probably "bad", but the engine hasn't broken yet. In fact, I think that the only work I've ever had done on the engine over almost 20 years is change out the timing belt (at twice the recommended age, but still below the mileage limit). I do keep it in a garage and always run it until it's thoroughly warmed up.
Oil degrades with time and mileage.
You can thank EPA emission and fleet fuel consumption guidelines, but new engines are a lot more finicky. For example, direct injection - this technology marginally improves emissions while reintroducing issues of sludge and chain failure. Synthetic 0w20 oil is also problematic - it is too thin for manufacturing tolerances and results in engine oil consumption due to blow-by past piston rings. Combine all of these issues - and I wouldn't expect any new truck to last with
I had no problem letting Windows 7 update itself automatically until Microsoft started incessantly nagging me about changing to Windows 10, and news of their telemetry patches came out. Oh, and the whole installing patches for 5-10 mins while you're trying to shut your computer down (always seemed to be before I needed to go somewhere) was pretty dumb as well.
Microsoft took security updates and started abusing them for their own nefarious purposes. This, combined with their propensity to produce rubbish sof
Yet you still choose to support them and run their operating system, which you admit is an extremely poor product. Come on...
Forcing idiot Windows to install updates automatically is the right way to go. It shouldn't be possible for people to disable them, including and especially in corporate environments. I use unattended-upgrades to automatically install security updates on all my machines. Android is a bit of a concern still, unfortunately. Not only do they give users a choice, they make it a ridiculously complicated process due to their use of signed system images. This needs to go away, to make installing security updat
With the huge recall in airbags, I have not heard of one replaced airbag rendering a car inoperable requiring the owner to pay to have someone diagnose and repair the incompatibility. How many times have we heard of a computer security patch causing a BSOD or computer crash because of bad or incomplete testing from the manufacturer?
Some people wait and verify that a security patch doesn't end up as the next story on Slashdot rendering thousands of PCs unusable because "Oh, the patch seems to be incompatibl
Anyone got a good car analogy for this?
Subby's Dad didn't wear a patch when he took Subby's Mom in the car on lover's lane. Now they both have viruses and WannaCry?
There isn't one... mostly because most cars don't suddenly stop working the way they did before after getting an oil change. With Microsoft security patches, it seems to happen all the time.
Imagine what would happen if you needed to hire a QA tester to make sure that your car wouldn't crash after putting brand X oil in it before putting it in the rest of your cars.... suddenly, oil changes would cost $500 and people would only do it once a year at best.
The difference is that when you get a safety recall, only those things related to the safety recall are fixed (replaced). You get a security update for Windows and without a lot of time and effort to understand what all is rolled up in that patch, heaven only knows what else (telemetry?) you are getting.
Honda called me for an airbag recall a year ago. Set up appointment to get airbag replaced.
Arrived early Saturday morning- they didn't have any airbags in stock and had put me down for an oil change that I didn't want from them. Waste of an early morning. They told me they would call me when they had the parts but it could take a few months.
A year later, got another airbag recall- called to confirm it was to replace a different airbag to the one they never replaced before tha
