21 comments

[ 5.7 ms ] story [ 80.2 ms ] thread
God, what a stupid rant.

Sure, a single point of updates would be nice, but when asking that reboots not be necessary, or that people just write better software in the first place he's just making himself look ignorant.

Companies don't put auto-update functionality in for fun - they're there because there _are_ security issues that need to be patched.

(comment deleted)
I think the point is that for those security updates to be properly address, security updates need to be less of a pain to install.
I just can't take one seriously if they think that using a firewall will protect them from security flaws in applications.
Not in applications, but operating system. Windows Automatic Update becomes quite unnecessary if you're behind a firewall.
I'm not sure how wanting to avoid reboots makes one sound ignorant. We've come a long way since the bad old days when you had to reboot virtually every time you installed or reconfigured anything. I agree with Yegge when he says "Systems should never reboot."

As for asking the developers to write better software in the first place, it's quite reasonable. It's extremely difficult (maybe even impossible) to catch all the bugs and vulnerabilities in a complex piece of software before publishing it, but having to update as frequently as we're usually expected indicates a lack of proper care for security issues in the first place. And that is what the author is complaining about. In a way, it's just like it often happens with videogames: release in time to catch an important date and then ship patches.

I have my own (much simpler) solution: 2 computers.

One for the internet, one for development.

Guess which one has virus protection?

Neither?
I too have been running for a good while now without ant-virus software. I stopped paying the "virus tax" when I realised that my SPAM filters were (collectively) filtering out all email virus packages - all I have to do now is refrain from clicking on the "dancing bunnies" when visiting new web sites.

In any case it was my experience from assisting family and friends that anti-virus software did a pretty poor job in the main - plus there were at least two occasions when I had to assist in major problems actually caused by anti-virus software deleting key system files.

1. Apple updates don't choke my bandwidth and so I let the updates happen. Reboots are still a pain. So I opt out of updates needing reboot sometimes (especially for stuff like quicktime)

2. I notice that firefox has downloaded updates only when I restart/start firefox. Again no trouble there.

I wonder if the author has had anyone extol the virtues of Ubuntu at him yet... Not to sound fanboyish, but Ubuntu's package manager (Synaptic) more or less meets a lot of hit requirements. The best part is that all of the updates are coming through the same source, so you don't have to hunt down the updater in every single piece of software you install.

Of course, I say Ubuntu because that's what I know. I would not be the least bit surprised if other linux distros/mac os had similar package managers.

It seems like even windows could form some kind of agreement with various software vendors allowing them to push updates through the windows updater. Opt-in of course.

All versions of Linux I know of have a similar package manager. Updates on the server and some more geeky distros tend to be run on the command line.

Some offer granularity of what types of updates to do (Mint classifies updates by riskiness to stability) and most offer some method of holding back updates on some packages (although not in the GUI in the distros I have used).

If you try a fresh install of XP even on older hardware it is lightning quick.

If you have a PC that is not connected to the Internet and runs the same software all the time, from a supplier you trust. Then yes automatic updates and virus checking is a waste of time.

Otherwise if you follow this advice you are asking to join a botnet.

I don't run virus protection on my Windows machines, but I am a stickler about automatic updates.

At work, where I manage a few hundred Windows machines with virus protection and updates (managed through WSUS), I'm able to see whenever our virus scanner gets a hit. It's almost always the same users doing the same stupid things. (They are all running in limited user accounts though, so it's usually only their own accounts they damage).

Linux machines are generally taken over through ssh key attacks, cgi vulnerabilities, or social engineering (this happens more than Windows machine takeovers at my workplace, unfortunately).

Or, alternatively, switch away from environments where that sort of pestering behavior is common!

I haven't used Linux in a while, but from what I remember it was rare to have a program itself tell me there were updates necessary, but the package manager globally managed those things for me on its own schedule.

The Mac application community has the fantastic Sparkle framework that lets individual applications poll for updates. This isn't nearly as bad as it sounds: generally speaking, applications have preferences to opt-out of automatic updates, and the updates include complete changelogs. It's gotten to the point where if an application doesn't include Sparkle, I get annoyed.

In short, the posters issues aren't with Automatic Updates, they're with an environment that doesn't respect users.

It's not unreasonable to say that you can run Windows XP without antivirus, assuming that you are a competent computer user and keep Windows Update going. Once you have a virus, you will have to reformat to guarantee a clean system anyway; antivirus is simply a conceptually wrong solution to the problem (see also http://xkcd.com/463/).

But, on the other hand, why not just use a better operating system? Linux, of course, but even Vista is going to have better lockdown of administrative privileges.

One of the things I really couldn't stand about Windows was how every program had to have its own stupid little updater, with its own rules, taking up resources and system tray space. This is the worst part of automatic updates -- somehow most Windows developers are totally incompetent at writing them.

Yes, program authors should just get it right the first time. If they hadn't written those bugs in the first place, there'd be no security exploits!

I understand that the updates are annoying, but all of the alternatives are worse. Silent updating? I want control. Manual updating? People won't do it. No updates at all? The botnet lords love this idea.

So the only real solution is to default systems to patch themselves, and hopefully get the experience right for the confirmation dialog.

No antivirus? I can understand that. But turning off windows auto updates? Way to get hit with the next Sasser/Blaster/Conficker.
Not very likely. According to the author, he's behind a well-configured firewall.