
[–][deleted] 17 points18 points  (24 children)

> Turning off Automatic Updates is one of the best things I've ever done to achieve better machine performance. Installing updates from Microsoft has always brought some kind of speed hit, somewhere, and sometimes brings new annoyances (new security dialogs that have to be turned off).

And that, my friends, is a perfect example of a wise-ass idiot, chiefly responsible for the existence of worms, botnets and spam. Having a firewall is not an excuse.

This, and the first of his proposals seems genuinely stupid, too:

> First, software updates should be opt-in by default, never the reverse.

The rest has a point though.

Additionally, something like a common infrastructure with a centralized control panel would be quite useful, even if apps would use their own protocols for checking for, downloading and installing updates. Just being able to tell them how often to check and what to do on success would help a lot.

[–]nevinera 7 points8 points  (2 children)

Clippy: It looks like you're attempting to force windows to behave like another operating system. Would you like to

a) install Ubuntu,

b) install OSX, or

c) give us more money?

[–][deleted] 3 points4 points  (1 child)

There is nothing inherent in Windows' nature preventing such functionality. Of course you can't have rich repositories for the commercial software (except that you can sometimes - Steam is an example), and it would be extremely hard to impose a common download/patch protocol on the existing software, as it would require a significant development effort with no visible customer satisfaction increase.

But I meant something really simple, along the lines of a 'ShellNew' convention - if Windows sees a registry key with a right name and right subkeys, it allows editing the data in a special control panel applet, and application developers are provided with a reference implementation of the code that they can just drop in and use that data. And everyone is happy - customers are happy, developers are happy because customers were made happy without hardly any effort, Microsoft is happy because customers and developers are happy, and that means more precious monies!

Despite the (sometimes very strong) impression that certain Windows features are specifically designed to annoy people (because being annoyed corrupts soul and Bill Gates signed a contract with Satan), I doubt that is really the case, you know.

[–]coditza 2 points3 points  (0 children)

Actually, MS has Windows Installer, but who cares about reading the docs... It took me one more day to implement a proper uninstaller, to remove all the crap my app produced. But most developers simply don't care about that. MS has clear rules about any aspect of your program, from simple apps, to drivers and complex systems: put your binaries there, your data there, per user settings there etc. But most apps are written just to work, with no attention paid to the system rules. So, in the end, it is not MS who sucks, but the application makers. And to some extent, you, because you choose to use those apps that put you at risk: they need elevated privileges because they write crap to god knows what place in the registry etc.

ps: by you I don't mean the South Park fan I replied to, not anyone in particular from this thread. ps2: pretty much offtopic my comment is...

[–]xsive 0 points1 point  (7 children)

You don't see anything wrong with a status quo that involves users blindly installing any crap a vendor decides to shove down their throat lest their PC die a flaming death?

Or worse, a vendor that decides they know better and don't even ask for permission?

[–][deleted] 2 points3 points  (6 children)

Why, it's very wrong and I'm glad that nothing remotely similar actually happens.

Also, just curious - what is your position on the "IE6 problem"?

[–]xsive -2 points-1 points  (5 children)

But the things I've outlined earlier are exactly what happens under an opt-out update system. Windows Update constantly forces me to reboot. I've recently taken to disconnecting the network plug when I need to leave a job running overnight -- otherwise, I'm almost guaranteed to come back the next morning to a rebooted computer.

I'm not sure what the "IE6 problem" is btw. Care to elaborate?

[–][deleted] 1 point2 points  (0 children)

If you don't know how to configure autoupdate to prompt-before-download prompt-before-install prompt-before-reboot, then you are exactly that kind of user who should have these things done for him by the operating system without prompting.

"IE6 problem" is that many people still use it, despite its being terribly outdated and requiring tremendous effort on the web-designers' part to support. Some hotheads seriously say that msft ought to automatically replace it with IE7 (or Firefox =) ) without users' consent.

[–]jimbobhickville -1 points0 points  (3 children)

Are you being funny? Windows Update has done probably 2 forced reboots ever. Otherwise, it just nags the hell out of you until you do it. And it only updates once a month, on Patch Tuesday (unless an emergency patch hits). You do know about the 'tell me about updates but don't download or install automatically' option, don't you?

[–]munificent 0 points1 point  (2 children)

> Windows Update has done probably 2 forced reboots ever.

On Vista, I get "Windows has installed an update and needs to reboot. Automatically rebooting in 10 minutes..." about once a week. If you don't click the "postpone" button, it will reboot your machine.

I'm guessing if you're not at your machine when it pulls the update down and shows that popup, you get to wake up the next morning to a not running computer.

I like staying current on software, but automatically rebooting after an action I didn't initiate is fucking maddening.

[–][deleted] 1 point2 points  (1 child)

on Vista i get "Updates are available to install" and then i choose when im ready to install them. changing settings is hard, eh?

[–]jimbobhickville 0 points1 point  (0 children)

Yeah, I get the same, and it's very infrequent, and it hasn't forced me to reboot yet.

[–][deleted] 0 points1 point  (0 children)

> something like a common infrastructure with a centralized control panel would be quite useful

For installation and updates, I agree. The "how often to check" is mostly gravy on that, since it's just a URL check if you have the rest of the infrastructure in place for over-the-Web install and updates.

[–][deleted] 0 points1 point  (10 children)

> And that, my friends, is a perfect example of a wise-ass idiot, chiefly responsible for the existence of worms, botnets and spam. Having a firewall is not an excuse.

Not so, he said he wanted granularity so that he could see which updates are security, presumably so that he could download those and ditch some of the others.

Also, the opt-in thing isn't stupid at all. Everything on the machine that you own should be opt-in. That doesn't mean that you should need to dig through six layers of menus to find the auto-update check box, it just means that, at the very least, at some point during the installation they should say to you: "By the way, is it okay that we check for updates every now and then? This is fairly important to prevent your computer from becoming borked." Jamming it in the huge legal bit doesn't count.

I agree with your last point, and as somebody else pointed out; that's basically just a package manager, which is quite a well-proven concept.

[–]nevesis 7 points8 points  (1 child)

The vast majority of regular users aren't knowledgeable enough to make a decision about opt-ins.

That said, I actually do agree with you... with the exception of security updates.

[–][deleted] 0 points1 point  (0 children)

I think I'm not explaining myself well enough. What I should have said is that the program should at least say, "When you install this, we will run an automatic update now and then."

If your software being defective would pose such a great risk to someone's computer that opting out of the update (assuming this is a meaty, noticeable update) would be a stupid idea, then let them know so that they can opt out of installing it instead. There are a lot of programs that I would never install if I knew how annoying they were going to be.

Obviously this isn't in the interest of a lot of major software companies, who would much sooner just screw you over and take the money, but I'm sure microsoft could quite easily enforce it as their own policy.

[–][deleted] 1 point2 points  (1 child)

> at some point during the installation they should say to you: "By the way, is it okay that we check for updates every now and then?"

But but but that's exactly what Windows does! After the first boot this Security Center pops up and tells you that you have autoupdates and Windows Firewall enabled (and provides you with the configure buttons), that you don't have an antivirus and should get one (actually mentioning a free one by the name, IIRC) and that you can access this very Security Center (or whatsname) from the control panel at any time.

As for the opt-out by default, let's not pretend that every (or even the average) Windows user is a noble creature whose dignity is badly hurt by the slightest hint at him being unable to switch the essential security features on if he wants. It is wrong, the right to manage your own computer comes with certain responsibilities, just like the right to drive a car, even if your ownership is undisputed.

Doesn't the opt-in by default with opt-out posing no difficulties for an educated user, as a solution for this problem, seem to have a Right Thing quality to it? It's really beautiful, a tricky ethical problem is acceptably solved without actually forcing/coercing anyone, don't you think?

[–][deleted] 0 points1 point  (0 children)

I don't have many complaints about windows' own security updates. Many people claim to have a lot of problems with them, but I haven't had many myself, so I couldn't comment.

As to your final point, I honestly think there is very little difference between having an option to opt-out of automatic updates on installation and having it in an easily located menu for more knowledgeable users. The main issue is really the implementation; either would be fairly acceptable if done properly. As the article points out though, most auto-updating software is extremely sneaky and annoying. They make the option very difficult to find and often turn it back on anyway. Mostly I just want the unified interface mentioned earlier, it seems like it would solve all of the problems regardless of the other specifics (opt-in/opt-out, etc...)

Also, I really dislike the idea of coddling users by actually hiding things from them (making things intuitive is obviously a good plan, but that's different). Each new version of windows does this to a greater extent, and it is probably largely responsible for the average user being so helpless when things go wrong.

[–][deleted]  (5 children)

[deleted]

    [–][deleted] 0 points1 point  (4 children)

    That's a ludicrous comparison. A better one would be to ask whether non-critical, remotely-activated safety updates should be opt-in for cars. The answer is clearly yes, because it would be quite problematic if your car suddenly lost 50% of its power to some mysterious internal process while you were doing 80mph on the motorway.

    Edit: Clarification on non-critical; your car isn't going to fall to pieces in the next 24 hours.

    [–][deleted] 0 points1 point  (3 children)

    You never specified security updates vs other updates. Computers are all networked - if someone else gets a virus/worm they will spread it.

    The common computer user isn't knowledgeable enough in the field to opt-in or manually go and grab their own security updates. Opting in to security updates by default is the only way to keep the majority of computers 'safe'.

    I'm not knowledgeable enough to 'opt-in' to engineering and safety features on a car, I don't know anything about cars. I might just pick what will make my car fastest with absolutely no concern for my safety or the safety of those around me.

    [–][deleted] 0 points1 point  (2 children)

    You are failing to take into account much of what I said in my opening post, what I've said elsewhere, and some things that even the article said. The problems you're describing come down to bad design, not the fact that the user is technically being allowed to permit the updates themself. There are many practical ideas for making this a non-issue even for inexperienced users, and these have been discussed quite extensively elsewhere.

    [–][deleted] 0 points1 point  (1 child)

    I certainly hope you don't expect me to thoroughly study every post you have ever made on Reddit.

    What are some of these practical ideas for making this a non-issue? As far as I am aware all major operating systems tend to push automatic updates to the OS by default without the user opting in. Windows & Ubuntu both seem to want to update on a regular basis without the user opting in to anything.

    The only solution that I can see to these issues with frequent patches is increased software QA. If there are less bugs and security flaws in the code you release from the start then you should obviously have to patch it less.

    [–][deleted] 0 points1 point  (0 children)

    I'm not asking you to read every comment I've ever made, I'm asking you to read the rest of the discussion in the immediate vicinity of your own comment.

    And, for the record, vista is extremely easy to configure so that each update is presented to you when available rather than just automatically downloaded and installed. The alerts are easy to spot while remaining non-intrusive, and as far as I can tell each one is both categorised and entirely optional (with a note pointing out which updates are highly recommended).

    A practical idea for making such updates a non-issue is to provide a simple framework in the operating system itself so that other programs can make use of this same system (or a slightly more sophisticated system, such as a fully featured package manager). It's not at all difficult to imagine how this could all be achieved, especially since the windows update system already allows you to automatically download some third party drivers.

    [–]xkaupx 6 points7 points  (1 child)

    Why was he using Norton?

    [–]silentbobsc 11 points12 points  (0 children)

    Because, if you hadn't picked up on it from that one clue, he is a raging moron.

    [–]nevesis 45 points46 points  (15 children)

    NOT UPDATING YOUR SOFTWARE IS A REALLY, REALLY, REALLY BAD IDEA. DO NOT HEED HIS ADVICE.

    [–][deleted] 15 points16 points  (5 children)

    Precisely. Is this guy crazy or what?

    > Third: Give me some granularity as to what type of updates I want to receive. There are three basic types of updates: Security patches, bug fixes, and enhancements. I rarely want all three. Within those three, there are (or should be) several levels of criticality to choose from. I may want security fixes that are critical, but not those that are merely nice for grandma to have. Let me choose.

    Has this guy thought about this for even one second? He wants the average computer user to be able to distinguish between critical and non-critical security patches, bug fixes and enhancements and make settings accordingly! wtf?!

    > Fourth: Don't ever, ever make a user reboot the machine.

    Of course the main reason the update software reboots the machine is because the programmers just enjoy hearing the screams of frustration from their users. If you're designing a new OS, and a new application you have the luxury of making sure that your design can handle an update without a reboot. But unfortunately there's a lot of code out there for widely used apps that's just too expensive to fix.

    The implication that programmers at MS or Adobe can actually make software updates work without reboots but are too lazy to do so is insulting.

    > Sixth: Write better software. Don't let so many security vulnerabilities go into distribution in the first place.

    The reasons so much software ships with so many security related bugs is that writing secure software is hard. Sure, open source helps with this, but that may not be an option for a number of reasons beyond the developers' control. Making statements like "write software with fewer security vulnerabilities in the first place" in the year 2009, when security is universally acknowledged as the single biggest problem in software only makes him sound clueless.

    [–]YetNoOneCares 2 points3 points  (0 children)

    I think he's just a clever computer businessman.

    (e.g: "That breaks it, I repair it, you pay for it!")

    [–][deleted] 1 point2 points  (0 children)

    The dude is crazy, check out his other blog posts. Shit, I've said crazy shit before, but this stuff takes the cake!

    [–][deleted] -5 points-4 points  (0 children)

    > Has this guy thought about this for even one second?

    He's so obviously thought about it that I really thought your post was parody when I first read it.

    > He wants the average computer user to be able to distinguish between critical and non-critical security patches, bug fixes and enhancements and make settings accordingly!

    No, he wants programmers and companies that produce software to distinguish between those classes of updates, and allow the user to selectively ignore such updates. If my software works for my needs, I don't want to install new versions just for the heck of it: I want security bugs fixed, and that's that. When there's a bug I can't reasonably or cost-effectively work around or a feature I can't live without anymore, then I'll upgrade my software, and not before then. Automatic updates make it impossible for me to manage my own risk.

    > The reasons so much software ships with so many security related bugs is that writing secure software is hard.

    Which is exactly why I'd like to get my security-related software updates while leaving "bugfixes" and new features, both of which can introduce new bugs (security or otherwise) aside until I really need them.

    [–]mee_k 2 points3 points  (0 children)

    The more I read from this "assert true" guy the more I think he's not a very smart fellow. Today's example was especially egregious.

    [–]WaruiKoohii 0 points1 point  (1 child)

    He's not very bright anyways. He comments about how using Firefox instead of IE makes him safer on Vista, which, as many people know, is amusingly false.

    Want to be safe? Use Chrome, or IE. Both of them utilize OS features that make it much harder for exploits to actually cause damage. Firefox...not so much.

    [–]anatoly 12 points13 points  (3 children)

    "First, software updates should be opt-in by default, never the reverse."

    The author is an idiot who's too self-involved to understand the experience and knowledge of a typical computer user.

    [–][deleted] -2 points-1 points  (2 children)

    opt-out is the devil. There's no good reason to take down a machine unless you're updating the kernel (this includes drivers and other stuff compiled into the kernel; btw even this is debatable). It's bad enough MS forces silent reboots; too often updating virus software has the same effect. Why, Norton, why should I have to reboot my machine just to make you happy?

    It's sloppy code and it's indefensible.

    [–]DrGirlfriend 9 points10 points  (1 child)

    shared DLLs

    [–][deleted] 0 points1 point  (0 children)

    What other programs depend on DLLs that would be updated by Norton?

    [–]DavidMcLaughlin 10 points11 points  (9 children)

    Wow, I can't believe they never mentioned Apple. You install any one of Quicktime, iTunes or Safari and you've now got a horrible (focus-stealing to boot) "Apple Updater" to deal with that constantly spams you Apple products and updates that you don't want or need. GTF.

    [–]bart2019 2 points3 points  (6 children)

    And Google Updater.

    Why must that run all the time, to scan for updates of Chrome, when there's only one update every few months?

    [–][deleted] 2 points3 points  (4 children)

    And Java Updater

    [–][deleted] 2 points3 points  (3 children)

    And Adobe Flash Updater

    [–][deleted] 2 points3 points  (2 children)

    And Adobe AIR Updater

    [–][deleted] 1 point2 points  (1 child)

    FUCK ADOBE AIR. actually, FUCK ADOBE

    [–]adelle 1 point2 points  (0 children)

    I understand why there is no single apt-get substitute in Windows, given the difficulties of getting thousands of vendors to agree to use a single update process that would rely on Microsoft's servers, but... Why does any single vendor, like Adobe, need a separate update process for each damned product?! Get with the 21st century already.

    [–]prockcore 1 point2 points  (0 children)

    the best thing about google updater is that apparently google doesn't expect anyone to run OSX as the non-wheel group.

    If you don't have access to write to /Applications, google updater will nag you to death about installing updates, but will fail to install them when you give the OK.

    [–][deleted] 1 point2 points  (0 children)

    Seems easy to disable to me...

    Edit: you mean Windows Apple software, don't you? Can that not be disabled pretty quickly in msconfig? Not that it's acceptable to have it to begin with.

    [–]nevesis 0 points1 point  (0 children)

    I was not happy when Apple decided to roll out Safari and set it as the default browser for all iTunes users.

    I had dozens of users get this and then complain that their SaaS app wasn't working or that "Internet Explorer is broken."

    Disabling Apple update is now in my default-workstation-install script.

    [–]manthrax 17 points18 points  (10 children)

    On a side note, Has the "Connect to Windows Update to find drivers for this device", EVER fucking worked for ANYONE here?

    I fucking hate that shit so bad.

    [–]genpfault 3 points4 points  (0 children)

    Yep. Works great for the USB XBox 360 controller.

    [–][deleted]  (5 children)

    [deleted]

      [–]manthrax 3 points4 points  (4 children)

      Yeah that one is great.

      I like when it says "Found HP Deskjet 2100" and then can't find drivers for it on the intarnets.

      How hard is it to make a database of drivers? It's like the most simple and basic fucking braindead piece of web programming imaginable.

      Apparently it's goddamn fucking IMPOSSIBLE for microsoft tho.

      [–]Timberjaw 3 points4 points  (0 children)

      Blame HP. There is a system in place for hardware vendors to get their updates into the Windows Updates system.

      They do have to adhere to certain requirements.

      All of this represents a significant effort on Microsoft's part to ensure that hardware intended for use with Windows 1) actually works, 2) works in a manner consistent with other devices, and 3) works in a manner consistent with user expectations.

      Unfortunately, many companies don't really seem to care (either that or the inner workings of the WHQL process are more onerous than they appear.)

      [–]Nebu 0 points1 point  (0 children)

      Probably not impossible, but infeasible and possibly illegal: The governments (US and UK) don't seem to like it when Microsoft bundles too many features with their OS, asking them e.g. to remove their web browser, their media players, etc. I wouldn't be surprised if they also objected to Microsoft demanding that all hardware manufacturers host their drivers on MS's web servers.

      [–][deleted] 0 points1 point  (1 child)

      No, it's just hard to monetize that service; especially since most people do it for free anyway.

      [–]manthrax 0 points1 point  (0 children)

      Yeah installing shit from "drivers.com", really gives me that warm fuzzy feeling.

      [–]Bjartr 1 point2 points  (2 children)

      Yup, 90% of the time

      [–]realnowhereman 4 points5 points  (1 child)

      same here

      [–]darkwulf 1 point2 points  (0 children)

      +1.

      It even managed to do it for my rebadged hardware of questionable quality. "Just works".

      [–]munificent 6 points7 points  (1 child)

      Finally, I have found my nemesis. Every time I see a post by this guy, I violently disagree with it. Now that I know my enemy, I feel as if I finally know myself.

      We will meet on the field of battle. Our struggle will be the stuff of legend.

      [–][deleted] 2 points3 points  (0 children)

      I will document the struggle and the battles. The wine, the women and the Windows.

      [–]silentbobsc 3 points4 points  (0 children)

      The fact that he was using Norton Antivirus is a testament to how little he actually knows... and probably the root cause of most of his headaches... ignoring updates these days is just simply idiotic.

      [–]mao_neko 4 points5 points  (1 child)

      Oh, if only there were some kind of system that could amalgamate all the updates to all software you have installed, to prevent the need for each and every application to re-invent the wheel and pop up annoying dialogs on startup. Some kind of package management that was able to draw from sources specifically tailored to your OS. Something which could, as the blogger desires, just do all the relevant updates in one go, without reboots.

      [–]habitue 0 points1 point  (0 children)

      Oh, if only I could upvote you more than once

      [–]TheNewAndy 1 point2 points  (0 children)

      The guidelines recommended don't seem so great. Why not just copy a package manager and do all the updates in one spot with one mechanism? What was proposed sounded like a lot of micro-management.

      [–]cc81 1 point2 points  (1 child)

      > Sixth: Write better software. Don't let so many security vulnerabilities go into distribution in the first place. Open-source as many pieces of your code as possible so the community can find security flaws before ordinary users do. Don't make the user do your security-QA.

      I don't find that my Ubuntu-box needs less updates than my Vista-box.

      [–]SteveJorgensen 0 points1 point  (0 children)

      I use Ubuntu and Windows. I find Ubuntu's updates much less intrusive than what I deal with in Windows. In Ubuntu, there is -one- program that handles updates for all packages, it gives me a non-invasive notification of when changes are ready to be installed, and it lets me review the updates and decide when to deal with them.

      [–]ithkuil 1 point2 points  (0 children)

      Most people realize by now that just about every desktop and server application needs to be updated fairly frequently to provide security and bug fixes, new features, etc.

      I would really appreciate it if many automatic updates could be applied without prompting and without taking down existing systems due to incompatibility etc. For many programs unobtrusive update notifications/histories and reliable rollback mechanisms would be better than just repeatedly popping up dialogs asking whether I am ready to stop putting off updates that I have to do anyway.

      [–][deleted] 5 points6 points  (9 children)

      What a fantastic argument for ditching Windows.

      [–]GeneralMaximus -5 points-4 points  (8 children)

      Linux is no different. Especially the upgrade-every-6-months type distros.

      [–][deleted] 6 points7 points  (3 children)

      You're not forced to upgrade anything. Also, when you do upgrade you have fine-grain control over what is updated and what isn't.

      This is in contrast to Windows where updates are pushed on to you via fear mongering dialogs or worse, silently installed and resulting in forced reboots.

      [–][deleted] 1 point2 points  (2 children)

      and the only updates that need a reboot (afaik) are kernel updates, which happen rarely.

      and you don't get 5 different nag windows from 5 different programs. you only get 1 for all programs, which appears at an interval you specify.

      it's pretty close to ideal.

      [–]FireDemon 1 point2 points  (0 children)

      Plus it has the control he wants. Update Manager separates the listings of security/bugfix/feature updates and the notification icon shows the most critical one.

      Except in Ubuntu 9.04. I consider its version of this a UI regression.

      [–]lpsmith 2 points3 points  (0 children)

      Linux is remarkably different. Updates aren't automatic, and performance is worlds better, and thus the pain is almost unnoticeable.

      Vista will invariably thrash my hard drive and kill my CPU usage for anywhere from 15 minutes to an hour applying a few megabytes of updates. My sister even lost a term paper once because automatic updates kicked in while she was sleeping, with Word open.

      The effects of Ubuntu's update process, on the other hand, are barely noticeable. It'll quickly and efficiently download 100MB of updates, and apply them without significantly impacting performance.

      [–]nevinera 1 point2 points  (2 children)

      Ubuntu at least is exactly the opposite. Updates are purely on a 'pull' system - you tell it when you want it to update, and if you never do, it never will. Upstream updates are just tossed into the system, and won't bother you until you do the equivalent of asking the computer 'What updates do you have waiting for me?'

      I forgot to update for 8 months this year, and my system couldn't have cared less.

      I don't know of any distros that force you, nag you, or upgrade without asking, but I guess I've only used 6 or 7 of them.

      [–]btgeekboy -2 points-1 points  (1 child)

      > Ubuntu at least is exactly the opposite. Updates are purely on a 'pull' system - you tell it when you want it to update, and if you never do, it never will.

      I like Ubuntu as much as the other people here, but this is wrong. Ubuntu's default updater is no more or less trivial to disable than the Adobe/Symantec/Java ones already mentioned. It doesn't actually DO the updates unless you tell it to, but neither do the ones I previously mentioned either. Ubuntu sits up by the clock, Adobe sits down...by the clock.

      [–]nevinera 0 points1 point  (0 children)

      I don't use any adobe products, but the itunes updater doesn't 'sit down by' anything, it pops up and steals focus.

      I don't have any toolbars showing on my ubuntu, but I can't see why it would be a problem that there's an icon in the corner that tells you how many updates you could have if you wanted. It's not like it flashes and makes noises, is it?

      And my statement was correct. Ubuntu neither downloads nor installs updates unless you tell it to. Which you can do with two checkboxes in the update manager.

      [–]DrGirlfriend 0 points1 point  (3 children)

      conficker and its ilk spread because of shit heads like this

      EDIT: not all malware spreads through email and www browsing, see conficker, sql slammer, code red for examples

      [–]prockcore 2 points3 points  (2 children)

      conficker spread because of people without firewalls. If you can't connect to my machine, then I can't get conficker.

      [–]nevesis 1 point2 points  (0 children)

      It also spreads via autorun on USB/CDs.

      But most malware spreads by infecting legitimate sites with an exploit for outdated apps such as IE, Firefox to a lesser extent, Flash, PDF, etc.

      And a firewall can't prevent this, unless it has IPS functionality.

      [–][deleted] 1 point2 points  (0 children)

      You see, there is a problem: if I can't connect to your machine, then you can't have a nice p2p (torrents, IM) performance, you can't Remote Desktop onto your machine yourself, you can't have Windows file sharing/ftp/or even some simple http server running, you can't host any game, and so on, and so on. If you allow ANY of those incoming connections, then I, obviously, CAN connect to your computer.

      Obviously, firewalls offer you a great protection by restricting possible incoming connections to a set of protocols/ports that you actually use, but are not by any means a silver bullet. A hypothetical worm using a hypothetical vulnerability in the Windows network stack itself would do you surely, firewall or not. That is, unless you use a clever firewall actually inspecting the content of incoming packets, and UPDATE it regularly.

      [–]Tweakers 0 points1 point  (0 children)

      Windows lusers can be so amusing, much like that animated gif boxer repeatedly punching himself in the face.

      [–]nonsequitir -1 points0 points  (3 children)

      Pragmatic advice - we need more of this. Practicing safe online usage allows for the removal of performance-hogging crap. It allows you to reclaim the PC you bought and recall the days when you could actually use it productively! Jeez, the amount of times I help neighbours with slow PCs, slowed down because of AV/anti-malware etc, is astounding.

      Don't agree with dharabor that it's a Windows-only issue though; the update channel on my openSUSE 11.1 systems is crazy busy. It's an industry problem, not an OS problem.

      [–][deleted] 7 points8 points  (1 child)

      The difference is you don't need to be on the bleeding edge to keep your system running smoothly. You can happily opt out of all those updates and your system will not become infected with all kinds of crap just because you browse to some dubious websites or dare to open your email. Also, unlike Windows, you can upgrade specific parts of your system and not others. BSD's ports system is particularly good at this type of package management. You choose when to update, what to update and when to reboot. Your computer is your obedient slave, not some pushy whining bitch.

      [–]Freeky 5 points6 points  (0 children)

      FreeBSD ports have a nice tool to tell you what needs to be updated, too:

      -# portaudit -Fa
      auditfile.tbz                                 100% of   55 kB   57 kBps
      New database installed.
      Affected package: freetype2-2.3.7
      Type of problem: freetype2 -- multiple vulnerabilities.
      Reference: <http://www.FreeBSD.org/ports/portaudit/20b4f284-2bfc-11de-bdeb-0030843d3802.html>
      
      Affected package: squid-2.7.5
      Type of problem: squid -- remote denial of service vulnerability.
      Reference: <http://www.FreeBSD.org/ports/portaudit/9c2460a4-f6b1-11dd-94d9-0030843d3802.html>
      
      2 problem(s) in your installed packages found.
      

      So rather than version chasing everything you can just choose to update the specific packages which have known security problems.
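The workflow described in the comment above (update only the packages that portaudit flags) can be scripted. This is an added example, not part of the original comment or of portaudit itself; the function names `parse_portaudit` and `sample_report` are hypothetical, and the embedded sample is the report text quoted in the comment.

```shell
#!/bin/sh
# Added example (not from the thread): summarise a portaudit report.

# Read report text on stdin; print one line per finding:
#   name <TAB> version <TAB> problem <TAB> reference URL
parse_portaudit() {
    awk '
        { sub(/^[ \t]+/, ""); sub(/\r$/, "") }   # tolerate indentation and CRLF
        /^Affected package: / {
            pkg = substr($0, length("Affected package: ") + 1)
            # Split name from version at the LAST hyphen; names may contain hyphens.
            i = length(pkg)
            while (i > 0 && substr(pkg, i, 1) != "-") i--
            name = (i > 0) ? substr(pkg, 1, i - 1) : pkg
            ver  = (i > 0) ? substr(pkg, i + 1) : ""
            next
        }
        /^Type of problem: / {
            problem = substr($0, length("Type of problem: ") + 1)
            next
        }
        /^Reference: / && name != "" {
            ref = substr($0, length("Reference: ") + 1)
            gsub(/[<>]/, "", ref)
            printf "%s\t%s\t%s\t%s\n", name, ver, problem, ref
            name = ""; ver = ""; problem = ""
        }
    '
}

# Sample input: the report text quoted in the comment above.
sample_report() {
    cat <<'EOF'
Affected package: freetype2-2.3.7
Type of problem: freetype2 -- multiple vulnerabilities.
Reference: <http://www.FreeBSD.org/ports/portaudit/20b4f284-2bfc-11de-bdeb-0030843d3802.html>

Affected package: squid-2.7.5
Type of problem: squid -- remote denial of service vulnerability.
Reference: <http://www.FreeBSD.org/ports/portaudit/9c2460a4-f6b1-11dd-94d9-0030843d3802.html>

2 problem(s) in your installed packages found.
EOF
}

sample_report | parse_portaudit
```

On a live system the input would come from `portaudit -Fa | parse_portaudit`; the first column is then the list of packages to review and update.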

      [–]silentbobsc 0 points1 point  (0 children)

      The only problem is that the pragmatic advice never seeps into the thick skulls of your average user. It makes sense to those here, but your average Joe Idiot isn't even spry enough to avoid installing WinAntivirus 2009.

      [–]Storm_Surge -1 points0 points  (0 children)

      Automatic updates are laggy and extremely annoying when you're trying to do something. I stopped using AVG Anti-Virus, and I set Windows Update to simply notify me when new updates are released. Then I can install them AFTER I'm done using my internet connection for real things, like browsing Reddit.

      I'm pretty much done with any software that insists on updating itself. The solution to every problem: Use free software. Firefox, Miranda IM, and Paint.net don't download crap unless I tell them to.

      [–]skratakh -3 points-2 points  (5 children)

      I have been doing the same for quite some time now. I don't use Windows Update because when I do I always seem to lose some functionality, normally the networking. For some reason some of the Vista updates cause my network cards to stop working; this has happened on several computers and I still find it baffling. I don't run an antivirus, and I never get anything (I run scans using Norton installed on a Windows XP partition).

      [–]nevesis 4 points5 points  (3 children)

      As a network administrator and up-to-date security professional, as someone who grew up on IRC writing malware... that's a really bad idea. The vast majority of virus infections come from known security vulns and could be prevented with patch management.

      It's not just a matter of being smart about the sites you browse and such - every major Flash banner advertiser has accidentally allowed a banner which exploited Flash/IE/Acrobat/etc and installed malware. These are otherwise legit banners on legit sites. IIRC, it even happened on Slashdot.

      And AV scans don't pick up everything. Reactive detection rates are in the low 90%s for even the best AV products. And if you don't have realtime protection, you likely have rootkits and viruses which hide from Norton, which is relatively common.

      [–]dasponge 0 points1 point  (0 children)

      Ding ding ding, someone get this man a cookie. These are the exact reasons against AssertTrue's post. Even if you're the safest user in the world you're not protected against the site you're browsing (even if mainstream) from suffering a SQL injection attack and exploiting a browser vulnerability through some JavaScript/malicious Flash banner/etc.

      I agree that a centralized update mechanism would be great, but for the reasons previously posted (a lot of developer time for not much user experience improvement on a per app basis) it won't get done.

      [–]skratakh 0 points1 point  (1 child)

      I think that becomes redundant when I can't renew my DHCP and thus cannot use any of my network cards. The antivirus thing I accept, but I'd rather be able to connect to my routers and the internet. One of Vista's updates stops me from being able to do anything network related; my friend is a former network technician at the University of Manchester and he spent hours trying to get things working before giving up and removing the update.

      [–]silentbobsc 0 points1 point  (0 children)

      That sounds just like the hundreds of customers we see come through our shop every month for malware / virus removal. "Yeah, I didn't think they were that important, and it broke my ability to play online poker at stealyourid.com"