What's really broken with Windows Update - Trust


Summary: On Friday I posted briefly about yet another potential problem with Windows Update (my ZDNet blogging colleague Mary Jo Foley covered the issue in greater detail here and here). Initial investigations of PCs at the PC Doc HQ have turned up no leads but I have discovered something else that's broken about Microsoft's Windows Update mechanism - trust.


On Friday I posted briefly about yet another potential problem with Windows Update (my ZDNet blogging colleague Mary Jo Foley covered the issue in greater detail here and here).  Initial investigations of PCs at the PC Doc HQ have turned up no leads but I have discovered something else that's broken about Microsoft's Windows Update mechanism - trust.

See, here's the problem.  To feel comfortable with having an open channel that allows your OS to be updated at the whim of a third party (even/especially* Microsoft ... * delete as applicable) requires that the user trusts the third party not to screw around with the system in question.  This means no fiddling on the sly, being clear about what the updates do and trying not to release updates that hose systems.  While any and all updates have the potential to hose a system, there's no excuse for hiding the true nature of updates and absolutely no excuse for pushing sneaky updates down the tubes.  Over the months vigilant Windows users have caught Microsoft betraying user trust on several separate occasions and this behavior is eroding customer confidence in the entire update mechanism.

I have no doubt that an automatic update mechanism is an important feature of any modern operating system.  Windows isn't alone in having this kind of mechanism - both Mac OS X and Linux distros ship with similar features.  Having the ability to automatically push critical security updates to vulnerable PCs keeps us all that little bit safer.  Problem is, each time an incident that erodes confidence in the mechanism is reported, more people decide to pull the plug on updates and decide that it's better to take their chances against the hackers and cyber criminals.  This is a bad thing all round.

What bothers me more than the specific issues themselves is the attitude that Microsoft seems to take to reported issues.  The overall impression that I get as someone who deals directly with the company is that Microsoft believes that it is right and anyone making a fuss is ultimately wrong.  This doesn't give me any confidence that the message that change is needed has been received and understood.  I've had reassurances that there will be greater transparency in future, but I've yet to see any progress made here.  Let's have a little less conversation and a little more action, people.

Some people feel that stealth updates and pushing WGA to users under the guise of a security update is paving the way for all sorts of nasty and restrictive DRM mechanisms to be pushed down the system.  While I personally don't take this view, it's easy to see where these extreme ideas come from.

Personally, given the critical role that Windows Update plays in keeping the Windows ecosystem safer, I think it's time for someone to come forward and claim responsibility for the mechanism, what's pushed through it and how this is done.  Something needs to be done to rebuild user confidence in the system.

Thoughts? 

Topics: Software, Microsoft, Operating Systems, Security, Windows


Talkback

33 comments
  • Microsoft Arrogance

    'Microsoft believes that it is right and anyone making a fuss is ultimately wrong.'

    And it is exactly this sort of arrogant attitude that will ultimately be the reason for Microsoft's fall from grace.

    Timbo
    TheBoyBailey
    • XP version

      I'm clinging to XP, and the options there are Windows Update (non-automatic) and Microsoft Update (automatic everything, including Office).

      Needless to say, I use option A. Trust? MS? Not this lifetime.

      IIRC, the EULA specifies that MS owns your OS; you just bought the privilege of using it. So therefore ...
      Brian H
  • RE: What's really broken with Windows Update - Trust

    You are right -- there ought to be a public face in charge of this on MSoft's end. Someone who will have to look nervous for his job whenever there is a rumor of something improper coming down the pipe, and someone who will actually LOSE his job when the rumors are correct. In short, there has to be visible and obvious proof that someone understood it should not have happened, and that it is a totally unacceptable breach of trust. Heck - it should be criminal, and there ought to be a law. We have to see someone paying. In the East, such a person would commit suicide. While we don't expect that, the Western equivalent must happen - someone should do time.
    Dirty Creature
  • It's the countless number of ...

    ... Microsoft's apologists that don't mind dropping the soap if Microsoft tells them to. And Microsoft makes that request quite often these days.

    If a NEW computer user (that doesn't have an agenda) has a problem/complaint with a Microsoft product, e.g. Vista, WGA, etc., you are immediately marked as an ABMer and totally dismissed.

    George Ou and Ed Bott are just two example of those apologist that hurts Microsoft cause in the long run. They have this two culture mentality, if you have a complaint, you is an ABMer, or else you should be an apologist.

    Until Microsoft stops cheering on the countless apologists, e.g. 'ye', 'ShadeTree', etc., they will not be able to see beyond their 'Fort Knox' built around Windows and Gates.

    PS. I'm only use Mr. Ou and Bott as examples that we readers here at ZDnet can relate to.
    ]:)
    n0neXn0ne
    • type --fixed

      George Ou and Ed Bott are just two example of those apologist that hurts Microsoft cause in the long run. They have this two culture mentality, if you have a complaint, you *are* an ABMer, or else you should be an apologist.

      PS. I'm only *using* Mr. Ou and Bott as examples that we readers here at ZDnet can relate to.

      @Webmaster:
      Can we PLEASE get a preview button, it's not that hard to do, after all it's open source, right? What was all the useless upgrade for anyway?
      x(
      n0neXn0ne
  • RE: What's really broken with Windows Update - Trust

    That's the price to pay when relying on companies like Microsoft and Symantec to keep your computer "safe" from Internet attacks. One day, for national security reasons or whatever, one or both of these companies with dominant market share will bend to external pressure and will install software on your machine that will run undetected by antivirus/antispyware programs and will report back to their creators and maybe attempt to control the way you conduct your business and personal life. It's not a matter of "if" but a matter of "when". Phone tapping was just the beginning.
    g_muppet
  • RE: What's really broken with Windows Update - Trust

    >>Some people feel that stealth updates and pushing WGA to users under the guise of a security update is paving the way for all sorts of nasty and restrictive DRM mechanisms to be pushed down the system.

    Well, that plus Microsoft essentially said they would do that very thing, buried inside one of their numerous license agreements.
    knot44
  • the price of doing business

    It's an unacceptable price. There are all sorts of companies that have access to one's system for one or another legitimate reason. It doesn't give them the right to come in and just root around! There are laws in place already that ought to apply. All we need is a badass prosecutor and a solid instance (of which there are already many) where an update was for their benefit rather than ours, as well as with a purpose that was just plain lied about. The price for this has to be made unacceptably high, not just for them, but for anyone who has a door into peoples' systems. In a world where that sort of thing is a fact of everyday life, it's a point that has to start being made. If congress can ram health care down our throats whether we want it or not, WHY THE HE** aren't they on THIS? Why is it considered any different in the law from some punk kid hacking in? Jail is not just appropriate, it's a no brainer!
    Dirty Creature
    • read the EULA(s)

      For the answer to your question, try reading the EULA that Microsoft sends out and that everyone agrees to by clicking on the 'OK' button. You have given Microsoft permission to root around on your system. Why is it surprising that, given that they have basically unlimited access to your computer's OS, they use that access for their own goals? I don't like it either, but they do have your permission and malware writers do not usually ask you to sign a EULA before they alter system DLLs. So, unless you challenge the legality of the EULA, I don't see that you or any prosecutor is going to get very far going after Microsoft.

      If you agree to patches that involve MB of binary files, you have no visibility into the changes that occur. If you don't like it, use something like OpenBSD, where you can see exactly what source code has been modified in each patch. You can then apply the diff files to your own code and recompile if you choose. You can also accept the precompiled binaries if you want, but they never come close to the size of a Microsoft patch. Using Microsoft amounts to trusting Microsoft. If you don't trust them, stop using them and let the market work. Don't expect a prosecutor to save you from yourself.
      shis-ka-bob
    • OSS

      Wouldn't it be easier, safer, and just downright better, not to even have to worry about it? I use almost exclusively open source software and operating systems. I don't have to worry that any government, company, or ANY organization will ever do something nasty to me!
      alicia5
  • Mac OS X = non-auto updates

    Adrian wrote: "...automatic update mechanism is an important feature of any modern operating system. Windows isn't alone in having this kind of mechanism - ...Mac OS X...ship with similar features."

    Uh, Mac OS X does not.
    Software Update allows me to schedule how often to check for updates.
    I can then choose to "download updates in the background" or not.
    I then have to manually select which ones to install or not.
    davebarnes
    • Adrian, that's what Automatic Updates does

      In Windows 2000, XP, and Vista you go to the Automatic Updates area and you have 4 basic choices:

      1) Automatic. You choose the time and day of week. Windows downloads and installs all 'critical' updates automatically, then notifies you if a reboot is needed.
      2) Download only. Windows downloads and notifies you. You pick which updates to install, and when.
      3) Notify only.
      4) Turn off Automatic updates

      Twice in the past month (and never before, to my knowledge), some users have been hit with updates being installed when they were using setting (2) or (3). No one with setting (4) was taken unaware in this way.

      This isn't me being an apologist; these are just the facts, stated clearly and succinctly.
      quux
    • Right, Software Update is not "automatic"

      OSX "Software Update" has these options only:

      * Check for updates (and you can set the frequency)
      * Download important updates in the background.

      There's no "automatically install".

      And when you install, you are not forced to reboot at any particular time... you can
      minimize the software update window and go on your way until you're ready.

      It seems that Windows not only wants you to automatically install, they don't want
      to let you have that option unless you completely turn off periodic checking for
      updates completely.
      Resuna
      • Reboots

        I use one of my computers as a television (I do NOT have Windows XP media center edition, I don't NEED XP-MCE). If I install an update while watching a program, every 5 minutes the stupid system pops up a box to ask if I want to reboot now or later! I really don't want to reboot and miss 10 minutes of my program to satisfy Microsoft.
        alicia5
    • Wait...

      Are you complaining that Mac OS X *doesn't* install updates without telling you?
      tuxedobob
  • Eula

    So you're saying the only alternative is not buying or using their stuff? As an MS apologist, is that really the message you want to be sending?

    I'm sure it is indeed in there, but there's no reason that has to be considered acceptable. An employer can put acquiescence to sexual advances right in your contract and you might even sign it; but that doesn't make it all right. Sooner or later it will have to become understood that you can't just sign away all rights to the most basic system security because the vendor has the nerve to ask you to. Then the terms in the EULA you mention will go the way of WB cartoon characters in blackface. Maybe not tomorrow, or the day after tomorrow, but it will happen. All it will take is for the right person to get burned.
    Dirty Creature
    • No MS Apologist here

      I think that you are right about the long run effect of the EULA. I am not an M$ apologist, just ask No_axe_to_grind. If anyone can recognize an MS apologist, it should be No_Axe. I'm running Ubuntu on my desktop, Ubuntu server for my PostgreSQL database server and OpenBSD on my home firewall/router/web proxy. I'm still using Windows for my app server because I can't magically change my employer's ASP.Net to run on Java. I read the EULA and I can't believe anyone would sign it if they managed to stay awake for the hours it takes to read. But, this seems to be a minority position.

      Judging from the reaction of others, 'minority position' is an understatement. Many on this site would prefer to call my position 'lunatic fringe'. But, I'll bet that they haven't read the EULAs either. After basically exempting themselves from anything other than a defective DVD (which they will replace with no compensation for the time lost), MS even forbids you from publishing performance test results. I guess they are afraid of the results of any comparison that they cannot control.

      I will also guess that 'the right person to get burned' will not be within the US. First, most computer users are not in the US, so this is just playing the odds. Secondly, it's pretty clear that the US Congress is so completely dysfunctional that it will not stand up for 'users' if campaign contributions are at stake. Many legislative bodies in Europe and elsewhere are not as easy to corrupt as our Congress, since they have different rules governing campaign finance. So when (not if) Microsoft starts losing EULA battles, it will not be in the US where Congress can be owned by any corporation that can spare a few million for campaign coffers.
      shis-ka-bob
  • You embraced this world

    from Microsoft when you defended WGA. Suck it up.
    frgough
  • RE: What's really broken with Windows Update - Trust

    idiot bloggers like you..also make it worse by spreading FUD....stop blowing things out of proportion..
    rohan.aarons
    • No

      Adrian is not an idiot, and he is also not blowing it out of proportion.

      Chill out man.
      nizuse