Stealth Updates are just wrong

MICHAEL

* Charlie Tame:
As do I, however we are approaching the last straw here methinks...

I really hope so, Charlie. Sadly, there are still those dimwits that
seek to justify any and all of Microsoft's actions.


-Michael
 
The poster formerly known as 'The Poster Formerly

Saucy said:
Thanks for the link. I read the blog.

OK, the blog admits to the terrible crime. Maybe they shouldn't have
done that, but in my estimate it is completely inconsequential. The
updater fixed itself, no reboot required. And I think they are now aware
they should have explained it. While I empathize with the concern for
privacy, I think there was no harm intended (quite the contrary) and
this one should just be let go ..

Saucy

So what are you saying, it's inconsequential for MS to sneak into the
privacy of my home on my computer, but it's not OK for say, a hacker to
do it? Talk about a double standard!

--
Priceless quotes in m.p.w.vista.general group:
http://protectfreedom.tripod.com/kick.html

"Fair use is not merely a nice concept--it is a federal law based on
free speech rights under the First Amendment and is a cornerstone of the
creativity and innovation that is a hallmark of this country. Consumer
rights in the digital age are not frivolous."
- Maura Corbett
 
The poster formerly known as 'The Poster Formerly

Neil said:
I agree that this practice is wrong. However, more of a concern is that it
is possible to do this at all. The implication is that there is a "back
door" that is deliberately held open, and it will only be a matter of time
before it is exploited by someone other than Microsoft. Even if there is
some good reason to have this vulnerability -- although I doubt that there
is -- it certainly doesn't help to increase user confidence in the
integrity of their computers, networks, and the security of the sensitive
data that might be held on them. So, at this point, I would find no
comfort in any statement that this practice will be discontinued.

Regards,

I'm wondering if my firewall held it off. Maybe MS isn't done updating
computers out there yet, but I just checked the date and version of
several of these files on my machine and they do not reflect having been
updated.

--
Priceless quotes in m.p.w.vista.general group:
http://protectfreedom.tripod.com/kick.html

"Fair use is not merely a nice concept--it is a federal law based on
free speech rights under the First Amendment and is a cornerstone of the
creativity and innovation that is a hallmark of this country. Consumer
rights in the digital age are not frivolous."
- Maura Corbett
 
Kerry Brown

"The poster formerly known as 'The Poster Formerly Known as Nina DiBoy'"
I'm wondering if my firewall held it off. Maybe MS isn't done updating
computers out there yet, but I just checked the date and version of
several of these files on my machine and they do not reflect having been
updated.


In some cases it appears you have to check for updates to get the update. If
you do touch the update site the Windows Update service is updated no matter
what you have your settings set to. I have mine set to "Check for updates
but let me choose whether to download and install them". When I was notified
of new updates I checked what they were, downloaded and installed them. The
stealth update came along for the ride. Clearly I didn't have the
opportunity to choose this update. Microsoft says it was a necessary update
in order for me to get the other updates. That may be true but it is still
an update that I didn't get to choose if I wanted it or not. With all of
Microsoft's resources how hard would it be to notify me that there was an
update I needed before I could download the other updates? If the problem is
one of security then this is very scary indeed. If this relatively obscure
back channel method for updating had been compromised then full disclosure
of how is needed so we can protect ourselves in the future. For me I'm going
to turn the service off and only turn it on when I want to check for
updates. That way at least that attack surface will only be open for a short
time.
 
Saucy

MICHAEL said:
* Saucy:


I really shouldn't be, but I am amazed at what people willingly seem to
accept and how readily they offer up their hind quarters.

Your obvious attempt to deflect blame away from Microsoft is
simply pathetic.

I'm sure when you bend over, your elbows can touch the ground.


-Michael


People go to such extremes. It seems every misdemeanor is an opportunity to
make terrible accusations, make disgusting suggestions (as you have done
here), or go to some other strange extreme. They did something wrong, albeit
a minor and inconsequential thing, they owned up to it. No big deal, move
on.

Saucy
 
Charlie Tame

Kerry said:
"The poster formerly known as 'The Poster Formerly Known as Nina DiBoy'"



In some cases it appears you have to check for updates to get the
update. If you do touch the update site the Windows Update service is
updated no matter what you have your settings set to. I have mine set to
"Check for updates but let me choose whether to download and install
them". When I was notified of new updates I checked what they were,
downloaded and installed them. The stealth update came along for the
ride. Clearly I didn't have the opportunity to choose this update.
Microsoft says it was a necessary update in order for me to get the
other updates. That may be true but it is still an update that I didn't
get to choose if I wanted it or not. With all of Microsoft's resources
how hard would it be to notify me that there was an update I needed
before I could download the other updates? If the problem is one of
security then this is very scary indeed. If this relatively obscure back
channel method for updating had been compromised then full disclosure of
how is needed so we can protect ourselves in the future. For me I'm
going to turn the service off and only turn it on when I want to check
for updates. That way at least that attack surface will only be open for
a short time.


These "Minor Faux Pas" MS are making are not doing their reputation any
good at all among those in the IT field who need to do everything
possible to reduce the threat of compromise.

In my reading the EULA and the wording of the settings dialog
both "Imply" that if you adjust auto updating to your preference it will
do as you request.

I have one small app on a machine at work that demands I manually update
and restart else people are at risk while the restart takes place,
thus ANYTHING that interferes with the running of the app is a hazard.
MS have clearly just proven that their software can be error prone and
fail, as can their infrastructure, just the same as anybody else's can.
They also just discovered that what "Should be" an unnoticeable quick
fix sometimes is not.

Whilst this particular instance may not have caused me any problem the
fact that it took place without my being aware of it is a concern, I had
"Assumed" that auto updates off = MS not interfering with anything
unless requested.

Had this update somehow caused the system to crash there is another
aspect. We are all used to having to turn auto off and manually update,
that is a given, and when something fails you have a starting point.
Being unaware of this potential problem means that a great many IT
managers would have spent a lot of time looking in the wrong place.
Multiplied by the number of MS systems out there this is a huge cost.

As you rightly point out the possibility of some malicious use being
found for this is worrying enough, but add to that the fact that as in
the WPA debacle MS obviously don't fully grasp the full implications of
failures and how far reaching they can be is even more worrying. I don't
"Blame" anyone for not being able to foresee every possible
circumstance, that would be unfair because with the complexity of
systems these days I don't think anyone could... but I blame them for
not understanding that they can't foresee every possibility.
 
Guest

Don't Worry, I Already Changed The E-mail Address And Windows Live ID That
My MSDN And Microsoft Tech Net Direct Subscriptions Are Registered To, Just
FYI.
 
jonathan perreault

Well, don't come whining to us if a hacker gets your info from your info; you
are obviously fine with people being on your PC without permission. Microsoft
is just the start of these examples. For example, if you complain that people
are driving dangerously at about 20 miles over the speed limit but excuse
everyone that cuts you off but only does 10 miles over the limit, aren't you
promoting people to not care about what they do? I mean, why care if I do 10
or 20 over? Let me stop this. I just think this is stupid. Microsoft should be
made an example to other people that we will not accept being accessed
without permission.

--
Jonathan Perreault

Personal Advice To You:
#1: Do Not Undermine Windows's Work, Or It'll Undermine You As A User.
#2: Torture Windows (Any) Now Before It Tortures You

Best Comments From Users:
No Matter The Problem Even With Linux, It's Microsoft's And Windows's Faults

A common mistake that people make when trying to design something completely
foolproof is to underestimate the ingenuity of complete fools.
 
Stephan Rose

Well, don't come whining to us if a hacker gets your info from your info;
you are obviously fine with people being on your PC without permission.
Microsoft is just the start of these examples. For example, if you
complain that people are driving dangerously at about 20 miles over the
speed limit but excuse everyone that cuts you off but only does 10
miles over the limit, aren't you promoting people to not care about what
they do? I mean, why care if I do 10 or 20 over? Let me stop this. I just
think this is stupid. Microsoft should be made an example to other people
that we will not accept being accessed without permission.

You can't reason with someone like him. There likely isn't a thing in the
world that Microsoft could do that he wouldn't find an excuse for.


--
Stephan
2003 Yamaha R6

The reason there is never a day when I recall you
is that there has never been a time when I forgot you
 
Saucy

Stephan Rose said:
You can't reason with someone like him. There likely isn't a thing in the
world that Microsoft could do that he wouldn't find an excuse for.


--
Stephan
2003 Yamaha R6

The reason there is never a day when I recall you
is that there has never been a time when I forgot you



That's not fair. Over the years I've posted my concerns. For instance, I did
protest the inclusion of WGA Notifications among 'critical' updates and let
it be known I wouldn't install it on my computer. I'm not a complete
pushover .. but in the same vein, I think the guys and gals at Microsoft
should be cut a little slack from time to time. I haven't completely
investigated this latest, but I doubt there was any malicious intent. I
concede it might have been wrong to do, but I don't think it's "arrogance"
or "a conspiracy" or somesuch nonsense.

Saucy
 
Kerry Brown

As you rightly point out the possibility of some malicious use being found
for this is worrying enough, but add to that the fact that as in the WPA
debacle MS obviously don't fully grasp the full implications of failures
and how far reaching they can be is even more worrying. I don't "Blame"
anyone for not being able to foresee every possible circumstance, that
would be unfair because with the complexity of systems these days I don't
think anyone could... but I blame them for not understanding that they
can't foresee every possibility.

This is the key. The incident is relatively trivial. The issue is not.
Microsoft assumes they know what is best for me even when I've told them I
don't think so.
 
The poster formerly known as 'The Poster Formerly

Kerry said:
"The poster formerly known as 'The Poster Formerly Known as Nina DiBoy'"



In some cases it appears you have to check for updates to get the
update. If you do touch the update site the Windows Update service is
updated no matter what you have your settings set to. I have mine set to
"Check for updates but let me choose whether to download and install
them". When I was notified of new updates I checked what they were,
downloaded and installed them. The stealth update came along for the
ride. Clearly I didn't have the opportunity to choose this update.
Microsoft says it was a necessary update in order for me to get the
other updates. That may be true but it is still an update that I didn't
get to choose if I wanted it or not. With all of Microsoft's resources
how hard would it be to notify me that there was an update I needed
before I could download the other updates? If the problem is one of
security then this is very scary indeed. If this relatively obscure back
channel method for updating had been compromised then full disclosure of
how is needed so we can protect ourselves in the future. For me I'm
going to turn the service off and only turn it on when I want to check
for updates. That way at least that attack surface will only be open for
a short time.

My automatic updates service has always been set to automatic start up
because I use AU and I have it set as you do to notify only when updates
are available. I do not ever go to the WU/MU site. Is there something
documented somewhere saying if the service is off, it will not stealth
update?

--
Priceless quotes in m.p.w.vista.general group:
http://protectfreedom.tripod.com/kick.html

"Fair use is not merely a nice concept--it is a federal law based on
free speech rights under the First Amendment and is a cornerstone of the
creativity and innovation that is a hallmark of this country. Consumer
rights in the digital age are not frivolous."
- Maura Corbett
 
Kerry Brown

"The poster formerly known as 'The Poster Formerly Known as Nina DiBoy'"
My automatic updates service has always been set to automatic start up
because I use AU and I have it set as you do to notify only when updates
are available. I do not ever go to the WU/MU site. Is there something
documented somewhere saying if the service is off, it will not stealth
update?


I don't know of any documentation regarding how Vista updates work. I have
set the following two services to disabled for now.

Background Intelligent Transfer Service
Windows Update

I don't recommend this for everyone. It is then incumbent upon you to turn
them on once in a while and check for updates.
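
The workaround described in the post above (keep both services disabled, enable them only while checking for updates) can be scripted so the services are always put back to Disabled afterwards. This is an added example, not part of the original post; it assumes an elevated session on a current Windows PowerShell, uses the standard short service names `BITS` and `wuauserv` for the two services listed, and the function names are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example. Short names of the two services named in the post:
$UpdateServices = @(
    'BITS',      # Background Intelligent Transfer Service
    'wuauserv'   # Windows Update
)

function Get-UpdateServiceState {
    # Report startup mode and run state so any drift from "Disabled" is visible.
    foreach ($name in $UpdateServices) {
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
        [pscustomobject]@{
            Name      = $svc.Name
            Display   = $svc.DisplayName
            StartMode = $svc.StartMode   # Auto, Manual or Disabled
            State     = $svc.State       # Running or Stopped
        }
    }
}

function Invoke-WithUpdateServices {
    # Enable and start both services, run the caller's action, then stop and
    # disable them again even if the action throws or is interrupted.
    param(
        [Parameter(Mandatory)]
        [scriptblock]$Action
    )
    try {
        foreach ($name in $UpdateServices) {
            Set-Service -Name $name -StartupType Manual
            Start-Service -Name $name
        }
        & $Action
    }
    finally {
        foreach ($name in $UpdateServices) {
            Stop-Service -Name $name -Force -ErrorAction SilentlyContinue
            Set-Service -Name $name -StartupType Disabled
        }
    }
}

# Open the window, check for updates by hand, then close it again.
Invoke-WithUpdateServices -Action {
    Read-Host 'Services are running. Check for updates now, then press Enter'
}

# Confirm both services are back to Disabled / Stopped.
Get-UpdateServiceState | Format-Table -AutoSize
```

Running `Get-UpdateServiceState` on a schedule shows whether something has switched either service back on between manual checks.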
 
Charlie Tame

Saucy said:
That's not fair. Over the years I've posted my concerns. For instance, I
did protest the inclusion of WGA Notifications among 'critical' updates
and let it be known I wouldn't install it on my computer.

So how do you get updates?



I'm not a
complete pushover .. but in the same vein, I think the guys and gals at
Microsoft should be cut a little slack from time to time.

A little? My company could get sued for millions and closed down for one
information leak, this IS a serious matter.

I haven't
completely investigated this latest,


I think you made that pretty obvious already...

but I doubt there was any malicious
intent. I concede it might have been wrong to do, but I don't think it's
"arrogance" or "a conspiracy" or somesuch nonsense.


You would have had that last sentence right if you had stopped at "I
don't think"
 
Charlie Tame

Kerry said:
This is the key. The incident is relatively trivial. The issue is not.
Microsoft assumes they know what is best for me even when I've told
them I don't think so.


Well I have no problem with Activation or WGA in terms of defending
Microsoft's copyright or with their attempts to implement both per se,
as MICHAEL can tell you I've defended their right to do so on numerous
occasions, but I did so with the condition that none of these things
would significantly impact genuine users. In fact someone at MS stated
early on that WGA would not become a "Kill Switch" and it hasn't, not by
itself, but in concert with Activation, as we saw recently, it is a
"Kill switch" for at least some functionality and a very limited time.
This seems to me to be a dishonest play on words, as is the EULA saying
that Windows Update can be turned off. Correct legal wording it may be,
but deceptive it sure is.

However, dishonest or not, it is still a dangerous precedent and a
dangerous procedure from a security point of view, and more class action
material perhaps.

We have all seen the growth in "Spyware", one way or another even
reputable companies like Google and Yahoo try to mine information. The
conclusion that MS are threatened by Google and are therefore seeking
similar revenue streams is almost inescapable, but MS are trying to do
it in such a way that they can describe it as being something different.
This also forces one to wonder, with the recent legislation on
warrantless wiretapping, just how many are involved. Obviously Google
and others can contribute, as can ISPs, but none of them are in the OS
itself. One reason I'd never use pirated copies is the simple fact that
you don't know what might be hidden in it, but a pirate copy with this
stealth stuff removed might now be the safer bet :)

http://www.securityfocus.com/infocus/1822
 
DevilsPGD

In message <#[email protected]> "Saucy"
"Public outcry"? Have you had your coffee this morning Mr. Brown?

:)

You can turn off automatic updating fully or partially. Here's the list:

- Install update automatically (recommended)

- Download updates but let me choose whether to install them

- Check for updates but let me choose whether to download and install them

- Never check for updates (not recommended)

That pretty much covers the gamut, doesn't it?

Yes -- What part of "Check for updates but let me choose whether to
download and install them" would include "Install updates
automatically"?

That is the crux of the issue.
 
DevilsPGD

In message <[email protected]> "Kerry
Brown said:
This update was pushed out to all Windows computers (XP and Vista for sure,
Windows Server maybe) regardless of what you had set Windows update to do.
In other words even if you had set "Never check for updates" this update was
downloaded and installed without any notification.

Actually, in that case, there was no update. The problem is that when
you have "Check" or "Download" selected, this update was installed
automatically.
 
jonathan perreault

I still think we should do a gang suing of the pigs

--
Jonathan Perreault

Personal Advice To You:
#1: Do Not Undermine Windows's Work, Or It'll Undermine You As A User.
#2: Torture Windows (Any) Now Before It Tortures You

Best Comments From Users:
No Matter The Problem Even With Linux, It's Microsoft's And Windows's Faults

A common mistake that people make when trying to design something completely
foolproof is to underestimate the ingenuity of complete fools.
 
Synapse Syndrome

Saucy said:
People go to such extremes. It seems every misdemeanor is an opportunity to
make terrible accusations, make disgusting suggestions (as you have done
here), or go to some other strange extreme. They did something wrong,
albeit a minor and inconsequential thing, they owned up to it. No big
deal, move on.


You're so naive. The EULA states that they can do this whenever they
please.

ss.
 
