Auto-updates: Is It Just Me…?

October 17, 2012

I just came across yet another security discussion, in which at least one poster emphasized the importance of auto-updates as a means of keeping a system protected. Here’s the response I added:

I couldn’t agree less. Auto update is a huge vulnerability. It’s literally a welcome mat for some third party to shove software into the bowels of your system. That third party may be both trustworthy and technically competent… but there is no guarantee that it will remain so over time, and no likelihood that you’ll know if and when it becomes untrustworthy or incompetent.

Ironically, far from “getting it right,” [as the previous poster had suggested] Microsoft provided the best-ever example of the auto-update fallacy, when it mis-used the mechanism to shove Windows Genuine Advantage (WGA) onto systems around the world. WGA is not a ‘feature’ that any user would want. It gives Microsoft extra control over your PC, and opens the possibility of false positives that could literally require you to buy a new copy of Windows. No, the problems are not frequent… but the point is that whether an update is to your benefit or not, you gave up the right to complain about it when you enabled (failed to disable) the service.

I’m still waiting for someone to hack the auto-update feature. What better mechanism could their be, for installing malware? Even if Microsoft’s auto-update service happens to be secure (a big if), there are probably lots of others on your system by now, some of which you’re probably not even aware of.

It’s your system, do what you think is best. But on my gear, all auto-update services remain in the OFF position.

Am I being unreasonable? Paranoid? I don’t think so. I have never seen any compelling advantage to automatic updates. If the software is so crappy it can’t work without constant updates, I’ll just pass on it entirely. On the other hand, if there are substantial changes, I will inevitably want to assess them before allowing them on my equipment. I don’t give anyone carte blanche to enter my front door, and I can’t see why I should be less stringent with my electronic devices.


Security backdoor in Vista?

March 12, 2008

This is one of the scariest things I’ve seen yet about Windows Vista. According to Bruce Schneier, who literally wrote the book on cryptography, it seems that Microsoft has added a new standard random-number generator, which very possibly has a built-in backdoor, whose ‘keys’ are held by parties unknown, and which would open any material encrypted using random numbers generated by Windows to scrutiny by said unknown parties.

This is so scary, I’d happily dismiss it as mere paranoia, were it not that Schneier is definitely not prone to wild statements, and is certainly one of the greatest current experts in cryptography and security. What’s more, he’s published a detailed analysis of the math that suggests the presence of a backdoor, so if you’ve got the background to make sense of it, you can check his argument for yourself.

Of course, this random-number generator is not something that will concern most users. It’s a facility that application software can take advantage of, or ignore. However, at the very least, this allegation suggests a rather slipshod approach to security in The Most Secure OS the World Has Ever Seen. And at worst, it suggests the possibility that it’s not me the OS is trying to safeguard.