Forcing updates
A recent thread on the desktop-architects mailing list touched on a subject that tends to generate strong feelings: automatic, silent updates for security issues. At first blush, it is an attractive idea that might help slow down or stop a fast-moving virus or other malware. It would also help protect users who might otherwise ignore or delay updating their systems. On the other hand, there are plenty of concerns about whose decision it is to make an update "mandatory", what else might be contained in such an update, and how to ensure that the update doesn't break the user's machine.
Dan Kegel kicks off the discussion by asking:
This goes not just for distros; any ISV is on the hook for rapid security updates these days, I would think.
While there are attractions, one of the immediate downsides was noted by KDE hacker Aaron Seigo: "distro Q/A resources would have to _significantly_ increase for this to work reliably. too many updates still break too many systems on too regular a basis." The first time a silently applied "fix" breaks someone's system, there will be a serious outcry. Microsoft and others have broken people's systems before with security updates, but that doesn't seem a good example to follow.
But, even with additional QA, there are plenty of reasons that a user might not want to get an update. GNOME foundation member Dave Neary presents several scenarios:
A kernel reboot or even an application restart is definitely a problem area. There are many reasons a user might need to continue using a buggy application or kernel, even if the bug exposes them to an exploit. Some users have enough information to make that kind of determination, but others most definitely do not. How does the distribution or software package determine that? Presumably there will have to be settings to govern the behavior, which raises the question: what is the default setting?
An additional problem is that users are training themselves—or the desktops and distributions are training them—to ignore pop-ups of various sorts. So suggestions like the one made by Ritesh Raj Sarraf: "For updates with priority 'security', I think it should just pop-up more often" are met with skepticism. Kegel opines:
That provoked a rather boisterous response from Linus Torvalds. His argument is that you can't trust the developers of various projects to determine what fixes should be applied. He is concerned that projects might want to slip other things into a "security" release:
His point is that he, and by extension other sophisticated users, are never going to turn over their systems to the whims of outsiders. He is willing to let distributions or even some software packages make that kind of decision, but only if things are not done silently. "There are programs that I trust to do their auto-updates, and I'm perfectly happy having firefox check for extensions automatically, for example. But even in the case of firefox, I want to _know_ when it does so."
Any kind of automated, silent upgrade feature, whether from a particular package or from a distribution, would be an enormous target for those with malicious intent. It would be a kind of dream exploit to be able to inject malware into millions of unsuspecting systems, silently and unnoticed. A break-in to a distribution server could lead to an incredible malware outbreak; the same thing could be accomplished today, it would just take more time, because users still have to choose to install what the compromised server offers. Remove that step and the integrity of the update channel itself (package signing and the handling of the distribution's signing keys) becomes the only thing standing between a compromised server and every machine that trusts it.
But, the problem remains that there are lots of systems that are not getting updated and are thus vulnerable to a wide variety of exploits. As part of its Collaboration Summit, the Linux Foundation would like to have a meeting to discuss the issue. It is certainly an area where more thought is needed.
| Index entries for this article | |
|---|---|
| Security | Software updates |
Posted Feb 12, 2009 8:59 UTC (Thu)
by pcampe (guest, #28223)
[Link] (5 responses)
Maybe because it's Unix, made and developed with the fundamental assumption that users are not stupid?
Posted Feb 12, 2009 11:35 UTC (Thu)
by rahulsundaram (subscriber, #21946)
[Link] (3 responses)
Posted Feb 12, 2009 11:44 UTC (Thu)
by pcampe (guest, #28223)
[Link] (2 responses)
Fedora has SELinux enabled by default, which is the _right_ way to protect the system from malware (assuming that such malware exists; I have not yet seen it in the wild). Also Fedora has a tray icon, and a pop-up appears when a security update is available, and the user _must_ _choose_ whether to perform it.
Posted Feb 12, 2009 20:52 UTC (Thu)
by southey (guest, #9466)
[Link] (1 responses)
Posted Feb 20, 2009 4:36 UTC (Fri)
by Drone (guest, #56757)
[Link]
It could SUGGEST what I may want to do. Nothing more.
Posted Feb 12, 2009 12:25 UTC (Thu)
by flewellyn (subscriber, #5047)
[Link]
Far better, I think, to insist on users having a good, solid, secure password that is not easy to predict, and then keeping it safe and in place for as long as it's secure. Or creating an environment in which fewer passwords are necessary, using things like cryptographic keys and such.
Posted Feb 12, 2009 12:36 UTC (Thu)
by tialaramex (subscriber, #21167)
[Link]
A modern Fedora includes a set-and-forget option for automatically applying security updates. You could default this to on, but I don't think it would actually make a big difference in practice.
There are a lot of things where customers/ users have unrealistic expectations and they're very stubborn. Driving a car is remarkably unsafe. When we improve the driving technology to make it safer, drivers compensate by going faster, leaving less room, paying less attention.
Giving people tools to protect themselves, making those tools easy to use, providing information about how to use them and why, those are all good strategies. Trying to make people safe against their will is just banging your head against a wall, give it up.
Posted Feb 12, 2009 14:55 UTC (Thu)
by mattdm (subscriber, #18)
[Link] (2 responses)
We've been doing this with BU Linux for about seven years. In that time (minus one exceptional situation, which wasn't that severe), the only Linux systems broken into were those a) running a different distribution or b) who had disabled the automatic updates. We had a couple of incidents where QA failures caused issues, but the number and severity of those occurrences pales compared to cases a) and b) (where system compromise appears to be almost inevitable). Admittedly, this is with an installed base of 1200 systems or so rather than millions, but it's also in a very hostile security environment. I think it makes a good case study.
Posted Feb 14, 2009 4:35 UTC (Sat)
by i3839 (guest, #31386)
[Link]
Posted Feb 20, 2009 4:45 UTC (Fri)
by Drone (guest, #56757)
[Link]
From another side, there is nothing wrong if updates are automatically installed by default so non-aware users are updated. But there should be an override and a choice anyway, so I can regain my power to make decisions. Otherwise it will be considered an attempt to FORCE me to do something against my wishes. This is unacceptable and is called "slavery", btw. It's my computer, for me. Not me for my computer...
Posted Feb 12, 2009 15:42 UTC (Thu)
by mrshiny (guest, #4266)
[Link]
Posted Feb 12, 2009 17:08 UTC (Thu)
by eli (guest, #11265)
[Link] (6 responses)
It is MY computer. Yes, it is running your software, but that does not change the fact that it is MY computer. "Silent, automatic updates"? "Forced updates?" Um, no. Never. At all. For any reason. Even security reasons. You have no right to make that decision on my behalf. Period. End of discussion. ... um... I'll just step down from this soap box now...
Posted Feb 12, 2009 18:39 UTC (Thu)
by linuxjacques (subscriber, #45768)
[Link] (1 responses)
Posted Feb 20, 2009 4:53 UTC (Fri)
by Drone (guest, #56757)
[Link]
Posted Feb 12, 2009 23:47 UTC (Thu)
by xoddam (subscriber, #2322)
[Link] (1 responses)
But if we're talking about a supplier like Red Hat or Mandriva effectively becoming the system administrator for 90% of their less-technical users, all bets are off. They don't have the resources to properly run millions of machines without charge or to respond to the cases where automatic updates inconvenience their non-paying users.
OTOH it's something they or similar businesses could take on, maybe profitably, given the right wording in the contract and the right price -- using mandatory automated updates merely to make it possible.
Technical Unix users will take on their own system administrator role whenever they feel like it, whether their network admins or their OS suppliers want them to or not. So you're *not* the subject of this discussion and won't suffer, one way or the other, as long as you choose to run free software :-)
Posted Feb 20, 2009 5:04 UTC (Fri)
by Drone (guest, #56757)
[Link]
Posted Feb 13, 2009 0:08 UTC (Fri)
by khim (subscriber, #9252)
[Link] (1 responses)
It is MY computer. Yes, it is running your software, but that does not change the fact that it is MY computer.
But it's connected to a public network. I think the eventual resolution will be something like "treble damages apply if your system does not have auto-updates and actually hurts someone"... Or maybe something like cars: you don't need automatic updates, but you need to check your system regularly and can be disconnected from the network if there is no "stamp of approval" for a week or two. Basically the story is simple: as long as your computer is truly yours and does not connect to any other computer, you are free to use anything you want. When you become part of a public network, some rules should apply...
Posted Feb 20, 2009 5:13 UTC (Fri)
by Drone (guest, #56757)
[Link]
I agree to receive a certain punishment if I actually got infected as a result and some harm was done to others. Just as I agree to get punished if I killed someone. That's necessary to enforce security.
But I will never agree to get jailed and forbidden to use even kitchen knives "for my own security" and without any other reasons; I will simply consider this slavery. I do not need security at the price of my freedom, since then I will be neither secure nor free. How can I feel secure if I can't even trust my OS, which does something against my wishes? And how can I feel free if my freedom of choice is taken away?
Posted Feb 12, 2009 18:52 UTC (Thu)
by jreiser (subscriber, #11027)
[Link]
Posted Feb 12, 2009 19:57 UTC (Thu)
by wilreichert (guest, #17680)
[Link]
'cept I don't own a garage. Or a car. But you prolly get the point.
Posted Feb 13, 2009 13:23 UTC (Fri)
by ber (subscriber, #2142)
[Link] (2 responses)
Note that for the reboot problem, one operating system I know has a good solution: it will only install them automatically when the user powers down the system.
Posted Feb 13, 2009 14:07 UTC (Fri)
by dlang (guest, #313)
[Link]
for example, in Ubuntu you can tell it to download and install updates automatically; if the update requires a reboot, an icon will appear on the task bar telling you that updates have been installed that require a reboot.
but this is a configurable item. you can also tell it to download but not install the updates, to just check if updates are available (and tell you if they are), or to leave it to you to do everything manually.
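The four modes dlang lists map onto a handful of APT settings on Ubuntu. The script below is an added example, not code from the thread or from Ubuntu's own packages: it classifies a 20auto-upgrades style file into those modes, extracts the Allowed-Origins list from a 50unattended-upgrades style file (the place an admin restricts automatic installs to the -security pocket, which is the "priority 'security'" distinction the thread keeps returning to), and checks the /var/run/reboot-required marker that Ubuntu's update-notifier-common writes when an installed update still needs a reboot. The file contents and temporary paths in the demo section are constructed for illustration; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the LWN thread or from Ubuntu): read the APT settings
# behind the update modes dlang describes and check for a pending reboot.
# Config contents below are constructed samples, not copied from a real host.

# apt_setting FILE KEY -> value of KEY in an apt.conf-style file, "0" if unset.
apt_setting() {
    val=$(sed -n "s/^[[:space:]]*$2[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1)
    printf '%s\n' "${val:-0}"
}

# update_mode FILE -> manual | check-only | download-only | auto-install
# (the four modes dlang lists; each Ubuntu setting builds on the previous one)
update_mode() {
    lists=$(apt_setting "$1" 'APT::Periodic::Update-Package-Lists')
    dl=$(apt_setting "$1" 'APT::Periodic::Download-Upgradeable-Packages')
    ua=$(apt_setting "$1" 'APT::Periodic::Unattended-Upgrade')
    if [ "$ua" != 0 ]; then echo auto-install
    elif [ "$dl" != 0 ]; then echo download-only
    elif [ "$lists" != 0 ]; then echo check-only
    else echo manual
    fi
}

# allowed_origins FILE -> origins unattended-upgrades may install from, one per
# line. Listing only the -security pocket is how an admin gets "security
# updates only" instead of every update the archive publishes.
allowed_origins() {
    sed -n '/Unattended-Upgrade::Allowed-Origins/,/};/p' "$1" \
        | sed -n 's/^[[:space:]]*"\([^"]*\)";.*/\1/p'
}

# reboot_pending [MARKER] -> true if a package (kernel, libc, ...) flagged that
# a reboot is still needed; Ubuntu's marker file is /var/run/reboot-required.
reboot_pending() {
    [ -f "${1:-/var/run/reboot-required}" ]
}

# --- demo on constructed files: dlang's "download and install automatically" mode
periodic=$(mktemp)
cat > "$periodic" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::Unattended-Upgrade "1";
EOF
origins=$(mktemp)
cat > "$origins" <<'EOF'
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}-security";
};
Unattended-Upgrade::Automatic-Reboot "false";
EOF

echo "mode: $(update_mode "$periodic")"
echo "origins: $(allowed_origins "$origins")"
if reboot_pending; then echo "reboot required"; else echo "no reboot pending"; fi
rm -f "$periodic" "$origins"
```

Run as-is it reports the mode and origins of the constructed samples and whether the host it runs on has a reboot pending; point `update_mode` and `allowed_origins` at the real files under /etc/apt/apt.conf.d/ to audit a machine, and treat an Allowed-Origins list containing `-updates` as "installs everything", not "installs security fixes".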
Posted Feb 20, 2009 5:20 UTC (Fri)
by Drone (guest, #56757)
[Link]
But... I still want to retain the power to decide myself when I have to install an update and when I don't. Anything else is tyranny and, in spirit, everyone hates tyrants. Even administrative ones.
Posted Feb 15, 2009 10:06 UTC (Sun)
by JesseW (subscriber, #41816)
[Link] (8 responses)
Such "whitehat botnets" would simply harden/patch the systems they infected, devote a small portion of their host's resources to spreading the infection, and otherwise leave the user alone. The bots could even be programmed to attempt to avoid infecting computers that appeared to be already secured. Yes, this would be illegal, a blatant violation of the user's ownership of their machines, and a vigilante action, but, realistically, I don't see any other solution.
No, I'm not doing this, or volunteering to do it, or even suggesting someone else should do it. I'm just speculating publicly.
Posted Feb 15, 2009 10:36 UTC (Sun)
by dlang (guest, #313)
[Link] (1 responses)
they start off with the best of intentions of only blocking the bad guys, but over time every one of them has started blocking more, and taken a more and more draconian definition of what they would block, until they become more of a liability than an advantage.
luckily anti-spam blacklists are opt-in (for the receivers) and so can mostly be worked around as they go bad.
I would expect the same type of pattern to show up with the 'whitehat botnets', they start off 'just' installing security updates, then move to installing newer versions (it's too hard to backport the security fixes, so move them to a version that has them), then more updates (hey, after all, just about any bug can be a security issue), then to removing software (after all, isn't it insane to allow someone to run telnet or ftp?), etc. each step of the way would cause more grief (starting with interrupted programs as they are restarted and going from there)
I don't believe that such an approach would be a 'whitehat' botnet. dark grey at best
Posted Feb 15, 2009 20:12 UTC (Sun)
by JesseW (subscriber, #41816)
[Link]
Posted Feb 15, 2009 17:49 UTC (Sun)
by mmarsh (subscriber, #17029)
[Link] (5 responses)
Posted Feb 15, 2009 20:17 UTC (Sun)
by JesseW (subscriber, #41816)
[Link] (4 responses)
Posted Feb 16, 2009 20:51 UTC (Mon)
by BackSeat (guest, #1886)
[Link] (3 responses)
Open Source is about freedom. Forcing updates to a subset of users, even those that use closed source software, is about as far from freedom as it's possible to get.
Posted Feb 16, 2009 21:22 UTC (Mon)
by JesseW (subscriber, #41816)
[Link] (2 responses)
In any case, after further thought, I've partially changed my mind. While I still think criminal botnets would be less successful if the "good guys" were willing to act without the permission of non-technical lusers, I think there is a better way.
That better way is two fold: first, massive marketing campaigns to convince non-technical users that they should pay someone (probably antivirus vendors, they're already best placed to do this) to "take care of their computers", for a small monthly fee. Second, an optional add-on to this service, whereby subscribers could permit their unused computer power to be rented, thereby covering their monthly fee, and maybe making them a little money. Also, enlisting ISPs to pro-actively test (i.e. try to break into) their customers computers and cut off those who have vulnerable computers. This would work better than the vigilante solution, because these folks would have a positive economic incentive to keep their customers computers under their control, rather than letting them be used by criminals. Your thoughts?
Posted Feb 16, 2009 23:50 UTC (Mon)
by mmarsh (subscriber, #17029)
[Link]
Posted Feb 20, 2009 5:31 UTC (Fri)
by Drone (guest, #56757)
[Link]
However, there are no servicemen sneaking into my garage to fix my car. Even if it needs fixing in their opinion, it is up to me to go to the service. Furthermore, such a serviceman will be shot on sight by me for breaking into my private property, if anyone risks doing so. I do not see why this should not apply to silent attempts to break into my computer. Even if this was intended to fix it. My PC is my private property. You are not allowed to enter without my permission.
Posted Feb 20, 2009 4:33 UTC (Fri)
by Drone (guest, #56757)
[Link]
Let's remember: "best intentions often do not lead to best results". That's exactly the case with silent updates. The result will be simple: loss of trust in such a system. Even worse than in Vista, iPhone kill switches or whatever.
Posted Feb 23, 2009 16:22 UTC (Mon)
by ortalo (guest, #4654)
[Link]
Well, the first time I remember hearing this remark was in 2000 (at the RAID symposium) and made by the main CERT/CC coordinator (and founder IIRC - sorry I cannot find his name again).
Of course, my favourite alternative is: not introduce security bugs at all in the first place, but I confess I may be satisfied by guaranteed limited impact of security failures too... (Oops, shouldn't have said that...)
Forcing updates works
The only problem is that your case study does not account for any potential losses which may occur if a system update interrupts me and my job or whatever else. And if someone is willing to obtain even more backlash than Vista and MS got from users for harming their privacy and freedom of choice, annoyance, etc., that's the right way to go.
Forcing updates
But only in CERTAIN scenarios. If you attempt to break in and "administer" MY computer, I will consider this an attempt to remove MY FREEDOM, violate my privacy and so on. It's my computer and it has to obey ME. So if you try to do otherwise, I will put all my forces into forcing you (and anyone involved) to administer only your toilet until the end of your days. That's the only fate any tyrant deserves (administrative tyrants are no exception). Do not mix up your sucking enterprises with corporate half-slaves behind computers and free people who do not receive a salary from you, so they have zero tolerance for your attempts to invade their private lives. Also I can recommend to the half-slaves to stop being such ignorant morons that someone is always allowed to take over your power to make decisions. The power to make decisions on your own is a great thing. This is what is really called freedom, actually.
It's only a matter of time...
I can buy a kitchen knife and then I can kill someone with it. Is this a valid reason to force people to stop using kitchen knives? Or maybe it is a valid reason to jail everyone "by default" and only sometimes release them for a short time? No?! The same goes here.
No change without real money on the table
Ever heard of basic maintenance?
Personally I wish for a service that keeps my system up-to-date. For this I am willing to pay for this to happen in the background. Of course I want this to be configurable and to have several vendors to choose from, but I am also offering money. This should include security updates in the background.
Updates by servants
You can already configure Linux package managers to do so. Even "3rd party" software which is installed from repositories is auto-updated and this is convenient.
Whitehat botnets (ha ha only serious)
"darkgray hat" is a better term, I agree.
for now, we need something that can force patches on Windows users
When you're driving a car you agree to obey some rules targeted at overall safety. And you must learn these rules, etc. Only then are you allowed to travel by car. And you will be held liable if you kill or harm someone due to your bad driving. The same should go for computers: before connecting a certain customer to the public network, ISPs have to ensure that this user really has a certain level of knowledge of rules similar to car driving rules. So they have to avoid viruses and be held liable if infected and damage is inflicted on others.
Forcing updates
Most prominently, I remember him presenting figures such as "20% of the systems never get patched - at all" as a state of fact, not as a complaint.
IMHO, we should think about how to deal with this state of fact rather than try to force updates on systems. In fact, I've always been reluctant to try to improve security patch flows and, the more I get involved with growing computer security responsibility, the more I would like to see totally alternative approaches to security be explored.
