Linked by Thom Holwerda on Tue 14th Apr 2009 15:19 UTC
The Conficker worm, which spreads by infecting Windows computers that are not properly kept up-to-date, was supposed to make a big splash on April 1, but that day passed with a deafening silence on the Conficker front. Since then, there has been some movement by the worm, and data gathered from enterprise users of Sophos' Endpoint Assessment Test indicates that 10% of Windows machines have still not been properly patched, leaving them wide open to a Conficker infection.
Comment by kaiwai
by kaiwai on Tue 14th Apr 2009 15:30 UTC
kaiwai Member since:
2005-07-06

I had a look on the Sophos website and it appears that the patch to protect Windows was released October 23rd, 2008. The question is - at what point does this blaming Microsoft start to become ridiculous? The update has been out and yet there are people who don't install updates even though installing updates should be one of the very first skills one learns when they get their computer. Blaming Microsoft is easy because it is the old story of blaming the faceless multinational - but the reality is that people have chosen not to learn even the most basic of things.

With that being said, I also blame many of the so-called 'IT gurus' that advise people on what to do; I couldn't believe one person who said to a family member not to worry about installing Service Pack 2 for Windows or any of the updates. A lot of what I see are people who purchase computers, they have a family member who appears to know something about computers - and gives them all the wrong advice.

Getting back on topic, I guess it is one of those things that are unavoidable; software is written by humans, humans make mistakes, therefore, software needs updates. The best I guess Microsoft can do is default to auto-install critical updates and pray that the end user doesn't fiddle with the setting.

Edited 2009-04-14 15:30 UTC

Reply Score: 6

RE: Comment by kaiwai
by sbenitezb on Tue 14th Apr 2009 15:58 UTC in reply to "Comment by kaiwai"
sbenitezb Member since:
2005-07-22

These sorts of upgrades, critical upgrades, should be automatic and without user intervention. In other words, they should be pushed down the throat (at least after a certain period of testing).

Reply Score: 2

RE[2]: Comment by kaiwai
by orestes on Tue 14th Apr 2009 16:03 UTC in reply to "RE: Comment by kaiwai"
orestes Member since:
2005-07-06

Nah, I'd rather not see someone without my admin password capable of installing random **** on my system under the guise of an important update. I'd be much more apt to say ISPs need to start sandboxing or outright kicking unpatched machines off their network or better yet, holding end users criminally liable for any damage caused by their machines due to negligence.

Reply Score: 3

RE[3]: Comment by kaiwai
by sbenitezb on Tue 14th Apr 2009 16:25 UTC in reply to "RE[2]: Comment by kaiwai"
sbenitezb Member since:
2005-07-22

End users are not responsible for defective software and malware development. You talk like a Microsoft person, putting all that crap on the shoulders of users. Users are victims, and they shouldn't know how to fix their computers (which they didn't break). It's Microsoft's fault if their OS is crap, and ISP's fault if they don't block shit coming through their lines (guess what, they do filter torrents).

Reply Score: 5

RE[4]: Comment by kaiwai
by aperh on Tue 14th Apr 2009 16:30 UTC in reply to "RE[3]: Comment by kaiwai"
aperh Member since:
2007-01-03

No, this doesn't make any sense. You buy a device, you are expected to maintain it. Doing software updates is part of the day to day life of a computer user, be it Windows, Mac, or Linux. That's like saying you should buy a car and never have to put gas in it or change the oil, it should do it by itself? See? It makes no sense. Whenever somebody purchases a product, there are some constraints that have to be met, in the case of a car you need to fill the tank and change the oil, tires, etc. With a computer you need to do updates.

Reply Score: 5

RE[5]: Comment by kaiwai
by sbenitezb on Tue 14th Apr 2009 16:39 UTC in reply to "RE[4]: Comment by kaiwai"
sbenitezb Member since:
2005-07-22

You cannot compare software with a car. These kinds of analogies don't work. If you want to do the *-car analogy, then if your car is defective by design you have rights to sue and get your money back or a better/well designed car. Doesn't happen with software.

Still, if your car starts to misbehave, you don't actually fix it yourself, but send it to the mechanic. Now if we talk about software that would mean you should take your computer to the technician whenever a bug pops up. That's stupid. Ask most people and they don't even know what a bug is in software terms. You are certainly not to expect anyone to patch his own computer. That should be fully automatic. At least with critical updates. Car analogies don't work because the car itself can't change its own physical parts, but I'm sure there are cars with digital equipment that can autoupdate their firmware as needed. In fact, it's most certain that your cablemodem/dsl modem autoupdates itself whenever the ISP thinks it's needed, and they surely don't ask you to do it manually or ask for your permission.

Reply Score: 2

RE[6]: Comment by kaiwai
by aperh on Tue 14th Apr 2009 17:17 UTC in reply to "RE[5]: Comment by kaiwai"
aperh Member since:
2007-01-03

But the analogy works when you consider updating as a regular maintenance task which is what it is. It is *exactly* like having to change oil, tires, etc, these are all part of regular maintenance of your device.

Reply Score: 2

RE[7]: Comment by kaiwai
by sbenitezb on Tue 14th Apr 2009 17:38 UTC in reply to "RE[6]: Comment by kaiwai"
sbenitezb Member since:
2005-07-22

Updating is needed because of defective parts in the software. You can't really map it to car fuel, which would be much like electricity to the hardware. Updating would be more like updating your car's microcomputer firmware. Imagine how you would feel if you had to manually patch the firmware all the time. Wouldn't you say "this car sucks"?

Reply Score: 2

RE[4]: Comment by kaiwai
by BluenoseJake on Tue 14th Apr 2009 16:33 UTC in reply to "RE[3]: Comment by kaiwai"
BluenoseJake Member since:
2005-08-11

You must be aware that all OS's need updates. If you are not, then you are either insane or a rabid anti-ms zealot. A sample list I used in an earlier post:

List of recent security updates for Debian Stable:
http://www.debian.org/security/

Fedora 8:
https://admin.fedoraproject.org/updates/

OS X:
http://support.apple.com/kb/HT1222

FreeBSD:
http://www.freebsd.org/security/advisories.html

Windows:
http://www.microsoft.com/protect/computer/updates/bulletins/default.....

As you can see, all OS's need updates, all software has bugs, and to blame MS for people being retarded and not patching their systems is just rampant fanboyism, or something worse.

Edited 2009-04-14 16:34 UTC

Reply Score: 7

RE[5]: Comment by kaiwai
by sbenitezb on Tue 14th Apr 2009 16:48 UTC in reply to "RE[4]: Comment by kaiwai"
sbenitezb Member since:
2005-07-22

Excuse me, but my FreeBSD, unpatched and all as it may be, is more secure by default than any OS Microsoft ever made. That's the truth. Now I wouldn't blame all of it on Microsoft. I know software has bugs and it will ever have bugs. But as they control a big piece of the market it makes even more sense that they care much more about patching than us *insert alternative OS* users. They are the ones providing defective software (much more defective than other OS if you dare), so they should take care of patching. What the hell does a normal user know or care about patching? They surely know about browsing and writing mails, but they couldn't care shit about patching Windows. That's why patching critical bugs should be automatic.

No fanboyism here, whatever you may be thinking. Not because I use another OS it means I'm trolling. Perhaps someone touches your beloved Microsoft and you feel touched too?

Reply Score: 1

RE[6]: Comment by kaiwai
by BluenoseJake on Tue 14th Apr 2009 18:45 UTC in reply to "RE[5]: Comment by kaiwai"
BluenoseJake Member since:
2005-08-11

> No fanboyism here, whatever you may be thinking. Not because I use another OS it means I'm trolling. Perhaps someone touches your beloved Microsoft and you feel touched too?


Actually, I use Debian and FreeBSD on most of my computers at home, and support Windows (and Novell, ugh) servers and desktops at work.

I use this experience in multiple operating systems to arrive at my conclusion based on common sense, and the amount of updates my machines get on a regular basis.

Windows is generally more at risk to viruses and worms because up until Vista, most users run as unrestricted administrators. I have never run any version of Windows NT as an admin, and I have never caught a virus. It's common sense.

But if you're running your computer as an admin, and not applying security patches, it doesn't matter what you run, Windows, BSD, Linux, you're an idiot and deserve to be pwned.

Reply Score: 2

RE[5]: Comment by kaiwai
by DeadFishMan on Tue 14th Apr 2009 19:58 UTC in reply to "RE[4]: Comment by kaiwai"
DeadFishMan Member since:
2006-01-09

Whatever... My Debian box not being patched at least will not become part of a botnet to send SPAM or God knows what else. Kaiwai's Macbook not being patched with the fix for the latest 0-day exploit for Mac will not make it part of a huge botnet, etc.

It is about damn time you people stop making excuses and acknowledge that Windows is a fu%$&*# piece of s$%t and that the thing needs to be fixed once and for all for the good of everybody... MS has the resources: FIX IT!

Yes, some people are to blame for not applying patches but certain holes should not be there in the first place...

Reply Score: 1

RE[6]: Comment by kaiwai
by BluenoseJake on Tue 14th Apr 2009 20:31 UTC in reply to "RE[5]: Comment by kaiwai"
BluenoseJake Member since:
2005-08-11

> Whatever... My Debian box not being patched at least will not become part of a botnet to send SPAM or God knows what else. Kaiwai's Macbook not being patched with the fix for the latest 0-day exploit for Mac will not make it part of a huge botnet, etc.


How do you know? The only reason your unpatched Debian box will not become part of a botnet is because the total amount of Linux desktop users is so small as to make it uneconomical for spammers to use it. I posted the links for the different update pages, if you're too lazy to read them and realize that all OS's have buffer overflows, bugs and holes, then too bad for you.

When Linux gets a little more popular, we'll see then whose box lasts the longest, your unpatched Debian box, or my fully patched Debian box. Oh, and kaiwai is smart enough to patch his OS X install, so I guess that attempt at name dropping didn't get you very far. If you read his first post in this thread, he doesn't agree with you.

> It is about damn time you people stop making excuses and acknowledge that Windows is a fu%$&*# piece of s$%t and that the thing needs to be fixed once and for all for the good of everybody... MS has the resources: FIX IT!


They did fix it, in October! Look at those friggin' links, you'll see that all the major desktop operating systems have holes, and they are fixed. This is not MS's fault, they did their job.

> Yes, some people are to blame for not applying patches but certain holes should not be there in the first place...


10% of all Windows users, apparently, what's that? 20,000,000 (I have no idea the real number) machines? They are all to blame for Conficker, everyone. If they kept their machines patched, then it wouldn't have been able to infect any machines, and would have died out. Stop blaming MS for users' stupidity, there is more than enough to blame them for, this worm is not one of those things.

This problem with Conficker was fixed in October, for God's sake. Oh, but it's MS's fault. Yeah right, whatever.

Edited 2009-04-14 20:33 UTC

Reply Score: 2

RE[7]: Comment by kaiwai
by DeadFishMan on Tue 14th Apr 2009 20:54 UTC in reply to "RE[6]: Comment by kaiwai"
DeadFishMan Member since:
2006-01-09

> > Whatever... My Debian box not being patched at least will not become part of a botnet to send SPAM or God knows what else. Kaiwai's Macbook not being patched with the fix for the latest 0-day exploit for Mac will not make it part of a huge botnet, etc.
>
> How do you know? The only reason your unpatched Debian box will not become part of a botnet is because the total amount of Linux desktop users is so small as to make it uneconomical for spammers to use it. I posted the links for the different update pages, if you're too lazy to read them and realize that all OS's have buffer overflows, bugs and holes, then too bad for you.


No, no, no... I cannot agree to this assertion at all. There was a time when Linux distros would ship with lots of services turned on, daemons that were listening for connections from the internet by default and stuff like that but that has been rectified a long time ago. Besides, Linux desktops may be a smaller target than the huge number of Windows morons out there but there are plenty of Linux servers that, given the chance of them being rooted, would make for a far more attractive target for crackers.

> When Linux gets a little more popular, we'll see then whose box lasts the longest, your unpatched Debian box, or my fully patched Debian box. Oh, and kaiwai is smart enough to patch his OS X install, so I guess that attempt at name dropping didn't get you very far. If you read his first post in this thread, he doesn't agree with you.


You were reading too much into what I said: I didn't mean to imply that Kaiwai's box is unpatched. I think that most OSNews visitors should know better than that. What I meant is that, even if it were, chances that it would become part of a huge botnet would be negligible given that it is not Windows.

> > It is about damn time you people stop making excuses and acknowledge that Windows is a fu%$&*# piece of s$%t and that the thing needs to be fixed once and for all for the good of everybody... MS has the resources: FIX IT!
>
> They did fix it, in October! Look at those friggin' links, you'll see that all the major desktop operating systems have holes, and they are fixed. This is not MS's fault, they did their job.


Every operating system has holes, you will not see an argument from me there. However, I'd argue that the severity of Windows systems are far higher than the typical hole found on most other operating systems these days. It seems as if any hole on MS OSes will let an attacker drive the machine to do anything, no matter what.

> > Yes, some people are to blame for not applying patches but certain holes should not be there in the first place...
>
> 10% of all Windows users, apparently, what's that? 20,000,000 (I have no idea the real number) machines? They are all to blame for Conficker, everyone. If they kept their machines patched, then it wouldn't have been able to infect any machines, and would have died out. Stop blaming MS for users' stupidity, there is more than enough to blame them for, this worm is not one of those things.
>
> This problem with Conficker was fixed in October, for God's sake. Oh, but it's MS's fault. Yeah right, whatever.


Hey, track record says that another Conficker will show up sooner or later. Is it MS's fault? Perhaps not... But it is disgusting to see each and every Windows hole out there being blamed solely on the user. But that's me.

Reply Score: 2

RE[7]: Comment by kaiwai
by Piranha on Tue 14th Apr 2009 21:22 UTC in reply to "RE[6]: Comment by kaiwai"
Piranha Member since:
2008-06-24

> 10% of all Windows users, apparently, what's that? 20,000,000 (I have no idea the real number) machines? They are all to blame for Conficker, everyone. If they kept their machines patched, then it wouldn't have been able to infect any machines, and would have died out. Stop blaming MS for users' stupidity, there is more than enough to blame them for, this worm is not one of those things.
>
> This problem with Conficker was fixed in October, for God's sake. Oh, but it's MS's fault. Yeah right, whatever.


A lot of the machines have already been said to be located outside of North America. We can afford to spend a day or so's pay on an operating system and still have money left over. However, in third world countries (that make up a large percentage of the Conficker infections) they can't spend a month's, or more, pay on an operating system - they then pirate it. So, what Microsoft did to "help piracy" is reject these PCs that came in for security updates. So while you can view it as not being Microsoft's 'fault' they still did have a play in the numbers getting up there.

Luckily there hasn't been an issue that affects all internet users (yet), but what happens if there is? While Microsoft is pointing fingers at these 'pirates', Microsoft did have a role in causing such a large botnet.

Reply Score: 1

RE[5]: Comment by kaiwai
by lemur2 on Wed 15th Apr 2009 00:59 UTC in reply to "RE[4]: Comment by kaiwai"
lemur2 Member since:
2007-02-17

> You must be aware that all OS's need updates. If you are not, then you are either insane or a rabid anti-ms zealot. A sample list I used in an earlier post: List of recent security updates for Debian Stable: http://www.debian.org/security/ Fedora 8: https://admin.fedoraproject.org/updates/ OS X: http://support.apple.com/kb/HT1222 FreeBSD: http://www.freebsd.org/security/advisories.html Windows: http://www.microsoft.com/protect/computer/updates/bulletins/default..... As you can see, all OS's need updates, all software has bugs, and to blame MS for people being retarded and not patching their systems is just rampant fanboyism, or something worse.


This is a semi-valid point. All OS's need updates, indeed. True and correct.

With Windows, the problem is that the updates are binary blobs, trade secrets, and you (or anyone else who is not Microsoft) are not allowed to vet what they contain. In the past Microsoft have used updates to push software on to users' machines that is NOT in the best interests of said users. WGA is a perfect example of this.

With Debian, the updates are open source, people other than those who wrote the software, and who use the subject software themselves, are able to, and do, vet that source code. End users also have an assurance that the source code changes that are visible to everyone do in fact compile into the binary updates that they download. That update system therefore has auditability, and an assurance of integrity that the updates are written in the best interests of people who use the system. The track record of said updates attests to this integrity.

Edited 2009-04-15 01:00 UTC

Reply Score: 2

RE[4]: Comment by kaiwai
by bousozoku on Tue 14th Apr 2009 17:50 UTC in reply to "RE[3]: Comment by kaiwai"
bousozoku Member since:
2006-01-23

> End users are not responsible for defective software and malware development. You talk like a Microsoft person, putting all that crap on the shoulders of users. Users are victims, and they shouldn't know how to fix their computers (which they didn't break). It's Microsoft's fault if their OS is crap, and ISP's fault if they don't block shit coming through their lines (guess what, they do filter torrents).


If you buy a car in the U.S.A. and there is a recall, you'll receive a notice but it's up to you to have the car repaired free of charge. You must make the appointment and go to have the work done.

It would be nice if everything was perfect but it isn't. If you don't do anything to maintain what you have, you can blame yourself first.

Reply Score: 5

RE[2]: Comment by kaiwai
by Jon Dough on Tue 14th Apr 2009 21:55 UTC in reply to "RE: Comment by kaiwai"
Jon Dough Member since:
2005-11-30

> These sorts of upgrades, critical upgrades, should be automatic and without user intervention. In other words, they should be pushed down the throat (at least after a certain period of testing).


Only if the machine is configured to automatically set a restore point before the update is installed. I've seen way too many updates hose an OS to let it automatically install without a restore point.

Reply Score: 3

RE[3]: Comment by kaiwai
by hollovoid on Wed 15th Apr 2009 03:52 UTC in reply to "RE[2]: Comment by kaiwai"
hollovoid Member since:
2005-09-21

Can't be certain about earlier versions of Windows, but I know in Vista it does create a restore point before an update is installed.

Edited 2009-04-15 03:53 UTC

Reply Score: 2

RE: Comment by kaiwai
by Doc Pain on Tue 14th Apr 2009 16:20 UTC in reply to "Comment by kaiwai"
Doc Pain Member since:
2006-10-08

> The update has been out and yet there are people who don't install updates even though installing updates should be one of the very first skills one learns when they get their computer.


Read: "[...] should be the very first skills one learns when they get their 'Windows' PC." But I do agree: Doing the updates is a very important skill. But the problem is: "Windows" users see themselves as users, not as administrators, and they believe that "Windows" administrates itself, so they simply don't care (TM).

> Blaming Microsoft is easy because it is the old story of blaming the faceless multinational - but the reality is that people have chosen not to learn even the most basic of things.


I don't know about other countries, but here in Germany, people *refuse* to learn anything. "The computer should know what to do." is a typical statement. So if problems occur, they are left to others, or "cured" by a new install.

> With that being said, I also blame many of the so-called 'IT gurus' that advise people on what to do; I couldn't believe one person who said to a family member not to worry about installing Service Pack 2 for Windows or any of the updates. A lot of what I see are people who purchase computers, they have a family member who appears to know something about computers - and gives them all the wrong advice.


That's something I already could see. :-) The problem you're mentioning is that these "IT Gurus" are exactly as clueless as the ones they give advice to. "Service pack? No, you don't need this." (read: "I don't know what it is.")

> Getting back on topic, I guess it is one of those things that are unavoidable; software is written by humans, humans make mistakes, therefore, software needs updates. The best I guess Microsoft can do is default to auto-install critical updates and pray that the end user doesn't fiddle with the setting.


Updates with a certain severity should be forced updates. The user would (of course like with every maintenance operation at his system) give his password (if any) to authorize the update. A message should inform him briefly (so not to scare him) what the update will do and why it is absolutely necessary. I don't think it's a problem to do so, the typical "Windows" user will click on every OK button just to see the dancing elephants, so he would do so if the system tells him to do so. Those who are more advanced users will surely pay more attention, but this is the group of users who will install service packs and updates anyway, so they won't have any problem at all.

Reply Score: 1

RE[2]: Comment by kaiwai
by sbenitezb on Tue 14th Apr 2009 16:32 UTC in reply to "RE: Comment by kaiwai"
sbenitezb Member since:
2005-07-22

Passwords are useless for updates. Encryption and digital signatures are the way to allow updates from Microsoft to come and install automagically without even asking. Now I wouldn't allow this sort of behavior in a *nix server, but it seems the Microsoft world is in big need of this exact methodology, so Microsoft should, for the interest of all of us, patch critical bugs without asking. After all, the bots network is ever increasing and the cost of maintaining all the spam flowing through internet is upon us, the consumers. We pay excessive ISP prices, expensive and useless antivirus/antispam/antispyware. Well not me actually, but you get the point.

Reply Score: 1

RE[3]: Comment by kaiwai
by Doc Pain on Tue 14th Apr 2009 16:55 UTC in reply to "RE[2]: Comment by kaiwai"
Doc Pain Member since:
2006-10-08

Forgive me my ignorance, but I haven't used any "Windows" yet, so my knowledge is very limited, and I'm sticking to universal and standardized principles when formulating my opinion.

I always assumed that most "Windows" versions feature a kind of security mechanism that prompts the user for a password - I think it's called the Administrator password - when some software tries to install itself on the system, and this operation requires the elevation of rights and permissions. This is needed if the user doesn't run in "Administrator mode". (Of course, if the user always runs as "Administrator" and has no password set, no interaction would be required for authorisation, I assume.)

This is what I referred to with "giving a password".

> Encryption and digital signatures are the way to allow updates from Microsoft to come and install automagically without even asking.


This would of course give the user a feeling of security - he doesn't need to fear that something unauthorized will be installed on his system. If this obsoletes the need of interaction - yes, much better.

> Now I wouldn't allow this sort of behavior in a *nix server, but it seems the Microsoft world is in big need of this exact methodology, so Microsoft should, for the interest of all of us, patch critical bugs without asking.


That's what I think, too. Maybe it sounds impolite, but those who run UNIX systems (with critical stuff on it) are usually smart enough to care for their updates themselves. The average home user often even doesn't know about the necessity of updates, just wondering why his Internet is so slow (which is explainable when he's got some illegal file sharing hosts, spammers, scammers and who knows what else running on his system without any knowledge.)

> After all, the bots network is ever increasing and the cost of maintaining all the spam flowing through internet is upon us, the consumers.


I can understand that when abusing a "Windows" PC for data espionage, spamming and automated "follow-up PC detection" is made so easy by *not* installing the necessary updates, it may be okay to blame the clueless home PC users. It's not that PCs are easy. No, they require a minimum knowledge. It's like driving a car. It's not *that* hard to learn it, but you *have* to learn it first (handle the car, know traffic signs and rules).

The user of a PC that is connected to a network (here: the Internet) has a certain individual responsibility. If he can't take it, he shouldn't own a PC. To avoid this implication on the market, the manufacturer of the PC's operating system should take the responsibility (because he wants to sell his OS, as well as the PC vendor wants to sell his hardware along with the OS). By the means of advertising, the user has been convinced that everything works "by magic", he doesn't have to know anything, he may just go there and clickityclick. And now it's possible to turn the argumentation around again: If the OS's manufacturer made the user believe in such things, it's his responsibility again to make sure that it "just works" as he told in his advertisements.

The downside of this "responsibility ping pong" is that nothing will change in the future, because every side can deny its own responsibility and blame the other side.

As you mentioned, an automated solution without interaction would be best. For advanced users, there could be some kind of "expert mode" that gives more information, but leaves more decisions to the user. This mode shouldn't be default; in fact, it should be hidden so that only those who are smart enough to do "expert stuff" should be able to find it. :-)

> We pay excessive ISP prices, expensive and useless antivirus/antispam/antispyware. Well not me actually, but you get the point.


And I completely agree with you.

I'm sure you know common downsides of the missing updates: More than 90% of the mail transferred worldwide is spam. And most MTAs don't accept mail from dynamic IPs. In the past, this was no problem, but today, you need masquerading, mail relays, those have spam filters again, blah blah... you know.

Reply Score: 2

RE[4]: Comment by kaiwai
by sbenitezb on Tue 14th Apr 2009 17:32 UTC in reply to "RE[3]: Comment by kaiwai"
sbenitezb Member since:
2005-07-22

> The user of a PC that is connected to a network (here: the Internet) has a certain individual responsibility. If he can't take it, he shouldn't own a PC.


I would mostly agree, except that most people I know really don't know how to use a computer. Should I prevent them access to it? I'm sure most of them manage to browse for information, chat, watch video, etc. They don't need a degree to use it in a basic form. Why should they know about securing an OS? Why would they even care about it?

> To avoid this implication on the market, the manufacturer of the PC's operating system should take the responsibility (because he wants to sell his OS, as well as the PC vendor wants to sell his hardware along with the OS). By the means of advertising, the user has been convinced that everything works "by magic", he doesn't have to know anything, he may just go there and clickityclick. And now it's possible to turn the argumentation around again: If the OS's manufacturer made the user believe in such things, it's his responsibility again to make sure that it "just works" as he told in his advertisements.


Well, it's certainly the manufacturer's responsibility to fix their shit. Look, I own a cellphone, as many people do. I *really* don't know shit about cellphones. I do know much more about *nix and other computer stuff, but I barely know about cellphones bar using it. Imagine a new virus starts spreading through the cell network infesting all devices. Is it my responsibility to patch my own phone? Shouldn't the manufacturer release the patch and the phone company send the patch to make the phone secure? It's the same with computers.


> I'm sure you know common downsides of the missing updates: More than 90% of the mail transferred worldwide is spam. And most MTAs don't accept mail from dynamic IPs. In the past, this was no problem, but today, you need masquerading, mail relays, those have spam filters again, blah blah... you know.


Yeah, I so much would like to run my own mail server with my own rules, but my ISP blocks port 25 and I don't really want to spend money on a relay.

Reply Score: 2

RE[3]: Comment by kaiwai
by darknexus on Tue 14th Apr 2009 17:43 UTC in reply to "RE[2]: Comment by kaiwai"
darknexus Member since:
2008-07-15

One problem with making updates be free of user interaction. Given that a good number of critical updates require Windows to be restarted, do you want your computer restarting at random times after it has applied an update? Say you're in the middle of a very important video conference, or writing up a very important message... and your computer decides to restart without telling you. Not a good idea, imho. I actually had this happen, though it was a VMware tools update and not a Microsoft one that did it. Regardless, I wouldn't want that to happen, at least give the user a choice whether to restart now or later especially given how many security updates get released for Windows as compared to most other OSes. Better yet... allow the individually updated components of Windows to restart without requiring a system reboot. Take UNIX and/or Linux for example, you almost never need to reboot it to apply an update, the one exception being if the kernel has been updated. Every other part of the system can be updated on the fly, and only the affected services need to be restarted.

Reply Score: 1

RE[3]: Comment by kaiwai
by UglyKidBill on Tue 14th Apr 2009 20:46 UTC in reply to "RE[2]: Comment by kaiwai"
UglyKidBill Member since:
2005-07-27

>> so Microsoft should, for the interest of all of us, patch critical bugs without asking.

...way too much damage has been made to the world by big/trusted/knowledgeable people in the name of "our best interests" (whatever it happens to be at the moment) for me to consider that as a remotely reasonable compromise....

Reply Score: 1

RE[3]: Comment by kaiwai
by lemur2 on Wed 15th Apr 2009 00:48 UTC in reply to "RE[2]: Comment by kaiwai"
lemur2 Member since:
2007-02-17

Passwords are useless for updates. Encryption and digital signatures are the way to allow updates from Microsoft to come and install automagically without even asking. Now I wouldn't allow this sort of behavior in a *nix server, but it seems the Microsoft world is in big need of this exact methodology, so Microsoft should, for the interest of all of us, patch critical bugs without asking.


Windows Update does actually already have this exact capability:

http://www.osnews.com/permalink?358484

This capability does have its downside:

http://www.osnews.com/permalink?358567

Reply Score: 3

RE[2]: Comment by kaiwai
by Phloptical on Tue 14th Apr 2009 22:23 UTC in reply to "RE: Comment by kaiwai"
Phloptical Member since:
2006-10-10

I don't know about other countries, but here in Germany, people *refuse* to learn anything.


I guess the old saying is right, "You can tell a German, but you can't tell him much."

Reply Score: 2

RE: Comment by kaiwai
by sc3252 on Wed 15th Apr 2009 06:18 UTC in reply to "Comment by kaiwai"
sc3252 Member since:
2005-09-06

It's easy to blame Microsoft because it is still their fault. Updates for Windows are annoying to install; just about every one I install, it asks to restart (Windows Vista). I say no to the reboot and it gives me a window in which it will do a forced reboot. Yes, Microsoft, thanks for rebooting while I write my essay... After that I turned off auto updates and they are still annoying to deal with. At least when I am in Ubuntu or Debian it doesn't keep bugging me every freaking 5 minutes to reboot.

Edited 2009-04-15 06:24 UTC

Reply Score: 1

Hype Machine Overdrive
by Phloptical on Tue 14th Apr 2009 22:27 UTC
Phloptical
Member since:
2006-10-10

Wow....10% of all PCs everywhere. Excuse me whilst I quake in fear.

This conficker thing is so way blown out of proportion it isn't even funny.

MS did right by patching in Oct 2008. They found the hole and plugged it. Non-issue. Anyone who doesn't have the patch yet is probably still on dialup and refuses to take the 2 hours or more necessary to patch their PC.

McAfee has listed Conficker as a low priority threat from the beginning.

Useless media fodder, and FUD as usual.

Reply Score: 4

Alex Forster
Member since:
2005-08-12

Six months after a patch is released, 90% of all Windows machines have it? That's great! That's absolutely astounding. Considering the complexity of the task and the volume of absolute idiot computer users that are out there, I'm really really shocked by that figure. In fact, I see a very positive headline turned negative by Sophos to sell antivirus software.

Reply Score: 4

Users need to take responsibility
by 3rdalbum on Wed 15th Apr 2009 07:11 UTC
3rdalbum
Member since:
2008-05-26

I found it astonishing that only 10% of Windows users have NOT applied the update.

Whenever I get IM spam or IM viruses sent to me from a friend, I send them a message and say "Dude, you've got a virus, it's trying to send itself to me". Every time, the person replies and says "Yeah I know". Well, if you know, then why the fug are you still online and allowing it to infect your friends?!

Once, I suggested to one of them that it might be a good idea to disconnect from the Internet until they had removed the virus. "Mind your own business". Well, it IS my business if you're sending me viruses and slowing down the whole internet by contributing towards spam. In a similar vein, yesterday I told someone that they were sending viruses through IM and they said "Yeah I know, I'm going to buy an anti-virus next month". Heavens above, that's over two weeks away!

Windows users need to start taking responsibility for their computers. A virus is something that needs to be attacked ASAP to protect your money, your identity and other people's computers. No wonder all these worms, trojans and viruses run rampant on the Windows platform if users don't consider them important enough to do anything about them!

Reply Score: 1

Meanwhile, back in Linux land...
by obsidian on Wed 15th Apr 2009 09:10 UTC
obsidian
Member since:
2007-05-12

... all of the kerfuffle about Conficker is great entertainment when you have a Linux box... ;)

Reply Score: 2

Comment by BluenoseJake
by BluenoseJake on Thu 16th Apr 2009 12:34 UTC
BluenoseJake
Member since:
2005-08-11

Here's some info on unpatched holes in OS X.

http://www.h-online.com/security/Root-exploit-for-Mac-OS-X--/news/1...

Reply Score: 2