Windows XP, Anyone?

Vladimir E. Zyubin

Hello List,

The problem is in the attempt of MS to _legitimize_ control of users' software... IMO, it is absolutely unacceptable for automation.

... and I do not mention the more bad things: a) total legitimate control over users MS achieves via the EULA, b) new commercial concept - software lease... c) legitimation of "infinite software changes" concept.

MS tries to change legitimacy space... MS designs World Of E-Totalitarianism. (off-topic, of course) :-x

--
Best regards,
Vladimir E. Zyubin
mailto:[email protected]
 
Hmmm... A complete and total abrogation of security and privacy is in the best interest of the consumer and the world. Do you really believe that? Why don't you give me a login on your business systems for an hour or two with carte blanche and I'll see if I can change your mind. And I'm a lot more trustworthy than Microsoft.
I'd just embarrass you. :^) I'd sooner let Osama bin Laden hack my system than Bill Gates.

That has to be the most outrageous thing I've heard this month. Again, the "Big Lie" so vast, it's hard to realize let alone refute.

Regards

cww
 
Vladimir E. Zyubin

Hello Peter,

Nuance is the following:
Upgrades in automation decrease time of availability.

...and the down time of control system can be much longer than the download time from MS site.
(also there are very bad cases/application when the upgrades lead to techno-disaster)

From this point of view the new MS policy is acceptable only for non-critical, e.g., home-game applications... for tasks with admissible downtime up to a day...

(IMO, the policy is not acceptable for home computers from "orwellistic" security point of view, but it is another story)

--
Best regards,
Vladimir E. Zyubin
mailto:[email protected]
 
Peter Whalley:
> This may sound like a problem but consider it from the point of view
> of the average user.

The average user will turn on Windows Update, which doesn't need these draconian terms. It just needs a clear statement of its purpose (like, say, a descriptive name, which it does have).

The advanced user will decide whether or not to turn on Windows Update, depending on the circumstances, which again doesn't need these draconian terms (and in fact is rather hindered by them).

> So Microsoft (like other companies such as AOL and Symantec)
> incorporate automatic update software. But what happens when one of
> their millions of customers doesn't like it and decides to sue them
> for updating the software without authorisation. They can point to the
> EUA and say it was part of agreeing to use the software. It keeps
> their lawyers (and their shareholders) happy.

If that's what they meant, that's what they would've said.

Also, this interpretation is at odds with the first reported instance, which was in the context of DRM (Digital Rights Management). It does not make much sense to make DRM updates optional.

> IA users either don't connect their systems to the Internet, disable
> the feature or live with it.

The feature cannot be "disabled", as it's a non-optional part of the EULA. (Presumably one could ask a court to cross it out, but afaik nobody's tried that yet.)

> I can't see Microsoft taking you to court for failing to allow them to
> update the software automatically.

You know what? I can. Only on my paranoid days, but I can. Part of all this is about DRM - failing to allow them to update it is an attempt at copyright protection circumvention. Like I said - on my paranoid days.

Jiri
--
Jiri Baum <[email protected]> http://www.csse.monash.edu.au/~jirib
MAT LinuxPLC project --- http://mat.sf.net --- Machine Automation Tools
 
Michael Griffin

On September 17, 2002 02:37 pm, Peter Whalley wrote:
<clip>
> This may sound like a problem but consider it from the point of view of
> the average user.
<clip>

The problem with that argument is that this mailing list isn't composed of "average users". It is composed of people who are using software for the very unaverage purpose of industrial automation. We need to look at the problem from that perspective.

> But what happens when one of their millions
> of customers doesn't like it and decides to sue them for updating the
> software without authorisation. They can point to the EUA and say it
> was part of agreeing to use the software. It keeps their lawyers (and
> their shareholders) happy.

The reason why the customer may be unhappy is that Microsoft admits in the end user agreement that some of your existing software may no longer run after they quietly download their patch. If the result of this is that your plant no longer runs, then you can see why people would get rather excited over this prospect.

We repeatedly see discussed here the need to prevent unauthorised personnel on the night shift from loading video games onto the SCADA system. Now some clown on the other side of the earth is going to force feed multimedia patches into this self-same SCADA system - and we "agreed" to it!

> IA users either don't connect their systems to the Internet, disable the
> feature or live with it.

You left out option 4 - don't use Windows XP for anything that really matters.

> I can't see Microsoft taking you to court for
> failing to allow them to update the software automatically.
<clip>

However, I certainly wouldn't want to suggest that anyone deprive Microsoft of their contractual rights. If you feel you cannot abide by the conditions they have set out in the license, then you are obligated to return their
property to them. In other words, saying that you don't think they'll sue you isn't a very useful answer.

--

************************
Michael Griffin
London, Ont. Canada
************************
 
Jiri;

As you are well aware, the EULA is an agreement between the MS and you, in which MS reserves the rights to update your machine with the latest
and greatest fix. It DOES NOT state that you must let them push these fixes onto your machine.

Turn off automatic update and these statements in the EULA are a moot point.

Would you rather MS ignored these issues ??

Mark Hill
Microsoft XP Associate Expert
 
What's really interesting here is that unannounced entry and mucking about by any other party is unquestionably a criminal action. Yet, when MS proposes it as a condition of using their
software, suddenly the clouds are parted, the light of day shines in and it's good for the user and the world at large. Moreover, it's a benevolent act, to save the world from the crap foisted on them in the first place and the blissful ignorance of users who actually believe the marketing.

For my part, I'd treat it as any other cracking attempt. And, if the truth be known (unlikely, considering the source) I'll bet it has a lot more to do with the self-help clauses in UCITA and the like than any higher ideals of service.
And, anyone who has experienced a few of their service packs would be flat out of their mind to allow them to mess with a working system across the net. As a professional system administrator, there is absolutely zero probability I'd allow that. I trust RedHat a lot more, and they wouldn't
get in either. It's insane to even consider it. You'd have to take the machine down, overwrite the disks and reload everything to be sure of an uncompromised system. And then you should be fired for knowingly sharing company data with Microsoft.

Regards

cww
 
Vladimir;

Thanks for your reply.

As Peter Whalley wrote in a post a few minutes ago ....

"Automated updates are in the best interests of the average user, Microsoft, IT administrators and the world in general. It's in everybody's best interests for Internet connected computers to have the latest security patches installed as soon as they are released and with a minimum of trouble.

So Microsoft (like other companies such as AOL and Symantec) incorporate automatic update software. But what happens when one of their millions of customers doesn't like it and decides to sue them for updating the software without authorization. They can point to the EUA and say it was part of agreeing to use the software. It keeps their lawyers (and their shareholders) happy." (Well Said Peter !!)

MS isn't trying to force updates onto the IT community, they're trying to keep my clients' XP boxes from being bombarded by the latest offering produced by your friendly internet hacker.

I applaud MS for helping me keep my clients' machines updated with the latest SP, patch or fix.
Otherwise I'd be visiting my clients every month or two installing the latest.
FYI .... I have the update feature turned off on all my clients' machines. When I notice a SP or patch or fix that directly affects their machines, I send them a quick email note suggesting they install it. This way I can service clients all over the world without leaving my desk.

One more comment .... WIN2K will be around (and supported) for a LONG time !!

Mark Hill
Microsoft XP Associate Expert
 
Anthony Kerstens

More work. More work. More work.
It's more billable time. (yeah!!!!)

Anyway, isn't that sort of grunt work usually passed off to low-paid co-op students who could benefit from the experience (if only to learn that they don't like it - huge grin).

Anthony Kerstens P.Eng.
 
Martinicky, Brian

Hi Ranjan,

It's an interesting puzzle, but perhaps part of your value-add is to put a VL version of XP on the boxes you receive from your customers. However, I would expect that you, like I, would rather not have to raise my costs by paying MS twice for a single running instance of an OS.

On another note, it seems as though a paper-thin barrier separates a retail XP install requiring activation, and the VL version that does not. Put
another way, a retail license has been paid for already, so where is the harm in 'converting' it to a VL license. Since MS has already received the
price of the retail license, and you can have a VL version and key, I am wondering if the only thing that is missing to make everybody happier is some formal mechanism to make this conversion...

Regards,
Brian
 
Peter Whalley

Hi Jiri,

Personally I wouldn't trust the "average user" at home with a broadband internet connection to turn on some feature. Millions of such users may
well not turn on the feature and will then be hacked and will be used to launch distributed denial of service attacks. I don't have to be very paranoid at all to consider this to be highly likely.

It wouldn't surprise me if in a few years time the Department of Homeland Security decides they want to make it mandatory for software providers to incorporate automatic updating because of the security risk associated with not having it.

Certainly you can't turn off the EULA but you can turn off the feature so that it doesn't happen if you don't want it. For Microsoft to enforce the
requirement they would need to force all XP users to connect to the Internet and I can't see that happening.

I also understand many IT departments aren't allowing their users to install SP1 for XP until after they have completed testing it. I can't see
Microsoft going out and suing them for failing to install it.

On the other hand I read a report from SANS today advising users in this position to install Steve Gibson's quick fix for the serious XP vulnerability (see http://grc.com/xpdite/xpdite.htm ) that was mentioned on the list a few days ago.

This is a good illustration of the dichotomy we face. We need to install security fixes ASAP but we also need to test updates for compatibility.
Just goes to highlight the inherent dangers with connecting SCADA systems to the Internet.

BTW, for those that haven't seen it, http://www.computerworld.com/governmenttopics/government/policy/story/0,10801,74077,00.html is an interesting story about the need to develop better security for SCADA systems.

Regards

Peter Whalley
Magenta Communications Pty Ltd
Melbourne, VIC, Australia
e-mail: peter*no-spam*@magentacomm.com.au
delete *no-spam* before sending
 
Michael Griffin

On September 18, 2002 01:42 pm, Jeff Dean wrote:
<clip>
> I find it rather humorous that the Microsoft bashers always seem to
> reference the Register, as if it were a reputable, unbiased news source.
> Such references do nothing but damage any credibility there may be to
> your argument.
<clip>
<clip>
> To hear from BOTH sides of the story, read the following article:
>
> http://www.infoworld.com/articles/op/xml/02/02/11/020211opfoster.xml
> (note, a credible news source)
>
> My take is, if you're that worried about auto-update or Microsoft
> accessing your computer then don't use it. Most of you who responded on
> this thread are already using Linux anyway...
<clip>

I followed your link and read the article you suggested. If you read it carefully enough, it seems to imply a situation which is even worse than that which was reported in "The Register" (see previous messages for that link).

If you read what Microsoft has to say - well there's a lot of words there, but they really didn't say much. They even admitted that there are a lot of implications about their new system they haven't told people about yet.

They are a bit vague on the new "security component" updating, but it seems to be something which is entirely separate from their "Windows Auto-Update". The type of "security" they are talking about by the way, is not intended to protect your computer from viruses and hackers. It is "security" which is intended to limit what you can do with your computer (even if you have administrator privileges).

One of the things they did manage to say though was (this is a quote from Microsoft):

"If the user elects not to update the security component, he or she will be unable to play content protected by our DRM from that point forward, although content previously obtained would still be usable."

What exactly does that mean? It sounds like there is a lot more going on than just "you didn't get the upgrade". How are they preventing downloads from being usable if they didn't actually change anything on your computer? After all, existing data files stored elsewhere didn't miraculously change to a new version just because Microsoft came out with a software upgrade. They
seem to be saying that they are doing something to prevent you from using hacked versions of certain data files. What kind of side effects can this have? Things seem to be so interdependent with Windows that otherwise unrelated things often affect one another.

You've said that you feel this article is credible and balanced. OK, I will accept your judgement on that. However, this is what it has to say:

"But if it is indeed Microsoft's intent to continue giving users the right to decline downloads, why has the company written its XP agreements to force users to explicitly surrender that right? Are customers supposed to ignore what the licenses say and just hope Microsoft won't ever do what the terms say it can do?"

Isn't this what people here have been saying? If you intended to reassure people like me with this sort of information, I can tell you that all you are doing is making us more worried.
I'm not an expert on Windows XP, and I don't want to be either. I just want to be able to get the job done without having to worry about this sort of rubbish. An operating system is supposed to be there to support the application software, not to become a hurdle which must be leaped on a continuing basis. The ideal operating system should be one which you don't even notice is there.

************************
Michael Griffin
London, Ont. Canada
************************
 
Jeff Dean
> I find it rather humorous that the Microsoft bashers always seem to
> reference the Register, as if it were a reputable, unbiased news source.
...
> To hear from BOTH sides of the story, read the following article:

> http://www.infoworld.com/articles/op/xml/02/02/11/020211opfoster.xml
> (note, a credible news source)

Sure, no worries. To quote the closing paragraph of that article:

Well, swell. But if it is indeed Microsoft's intent to continue
giving users the right to decline downloads, why has the company
written its XP agreements to force users to explicitly surrender
that right? Are customers supposed to ignore what the licenses say
and just hope Microsoft won't ever do what the terms say it can
do? That's not a concept that will make anyone other than Bill
Gates feel very secure.

Which is what I said.

Jiri
--
Jiri Baum <[email protected]> http://www.csse.monash.edu.au/~jirib
MAT LinuxPLC project --- http://mat.sf.net --- Machine Automation Tools
 
Joe Jansen/ENGR/HQ/KEMET/US

Which begs the question:

What if your system has to be certified with FDA? (pharm. and food come to mind.) When MS downloads an "update", do regulations require that the system be re-certified? By definition, the code base that is running in the machine has changed. I am sure MS will try to find a way to
circumvent this, but when lawsuits start flying around, FDA may want to know why the software was changed and not recertified. All it takes is a change to some obscure .dll that your scada package links to, and you can be sure that MS has disclaimed any responsibility for making changes to your system without your knowledge.

--Joe Jansen
 
If I had to choose between Bill Gates meddling with my computer over the Internet or Osama bin Laden flying a Boeing 747 into it, I'd pick the former.

There are some posts back there which had some actual technical information stating that remote updates can be disabled on WinXP. (I'd prefer this were the default setting.) What is this thread really about now ?

Jay Kirsch
 
> As you are well aware, the EULA is an agreement between the MS and you,
> in which MS reserves the rights to update your machine with the latest
> and greatest fix. It DOES NOT state that you must let them push these
> fixes onto your machine.
>
> Turn off automatic update and these statements in the EULA are a moot
> point.

What makes you so sure? Have you seen the code? How do you know that shutting off the automatic update will prevent you from getting updates? They could have other back doors built in that you don't know about. Someone at MS could come up with the idea, that in order to prevent the next internet worm from breaking in to your system, they will use the same exploit to automatically update your system.

> Would you rather MS ignored these issues ??

I would rather that they do the right thing.

Mark Blunier
Any opinions expressed in this message are not necessarily those of the company.
 
Donald Pittendrigh

Hi All

Ummmm.... a thought crossed my mind..... what updates and what service packs, doesn't the new deal with corporate licencing and service agreements for Microsoft software say no updates and service packs are going to be available anymore?

DP
 
Joe Jansen/ENGR/HQ/KEMET/US

I guess I fail to see the difference. If MS reserves the right to update your machine, and you agree to the EULA, how can you say later that they cannot? Even if you turn off "Windows Update", how can you be sure that there is no other channel that they can send updates through? Of course, this would only be done "for your own good", and you did "agree that they had the right" to update your machine. Whether it comes through media
player or internet explorer instead of windows update is really the moot point, IMHO. You agreed that they could do it when you turned on the software (Windows). You thus give up your right to tell them "no".

Am I missing something? If I am wrong, and it is possible to let them reserve the right to do it, while you still retain the right to ultimately stop them, please explain it. I would really prefer to be proven wrong on
this point, actually.

--Joe Jansen
 
> "Automated updates are in the best interests of the average user,
> Microsoft, IT administrators and the world in general. It's in
> everybody's best interests for Internet connected computers to have the
> latest security patches installed as soon as they are released and with
> a minimum of trouble.

No, it isn't. Many systems are behind firewalls and block access to the ports that may be vulnerable to exploits. While it would be nice to get the update, if your system does not use media player, for example, getting the automatic update to fix it isn't a benefit. But if it breaks the system, the EULA says too bad so sad, glad I'm not you.

> So Microsoft (like other companies such as AOL and Symantec) incorporate
> automatic update software. But what happens when one of their millions
> of customers doesn't like it and decides to sue them for updating the
> software without authorization. They can point to the EUA and say it was
> part of agreeing to use the software. It keeps their lawyers (and their
> shareholders) happy." (Well Said Peter !!)

Yep. MS breaks something, they do look to them to fix it, or pay for the damage or lost production. They are looking out for the MS interests, not yours.

> MS isn't trying to force updates onto the IT community, they're trying
> to keep my clients' XP boxes from being bombarded by the latest offering
> produced by your friendly internet hacker.

On the contrary, they are trying to force updates on the IT community. If you read the EULA again, it does not say they will only provide security bug fixes, they can install software updates, something of a much larger scope.

> I applaud MS for helping me keep my clients' machines updated with the
> latest SP, patch or fix.
> Otherwise I'd be visiting my clients every month or two installing the
> latest.
> FYI .... I have the update feature turned off on all my clients'
> machines.

What? After explaining why you think automatic updates are so great, and why we gladly grant MS our rights, you don't use it? Why not?

Mark Blunier
Any opinions expressed in this message are not necessarily those of the company.
 
Joe Jansen/ENGR/HQ/KEMET/US

Mark Hill:
>>>>>
I applaud MS for helping me keep my clients' machines updated with the latest SP, patch or fix. Otherwise I'd be visiting my clients every month or two installing the latest. FYI .... I have the update feature turned off on all my clients' machines. When I notice a SP or patch or fix that directly affects their machines, I send them a quick email note suggesting they install it. This way I can service clients all over the world without leaving my desk.
<<<<<

You are saying on the one hand that they are helping you with this and preventing monthly trips all over the place, but in the next sentence, you state that you have this option disabled? How is this feature relevant to saving you all this time if it is turned off?

The last paragraph above states that you send emails advising that people update their system when you see that a patch has been released that affects them... Why can't that be done without automatic updates?

>>>>>
But what happens when one of their millions of customers doesn't like it and decides to sue them for updating the
software without authorization. They can point to the EUA and say it was part of agreeing to use the software. It keeps their lawyers (and their shareholders) happy." (Well Said Peter !!)
<<<<<

I take that to mean that you don't feel that you should actually have control of the system that you are responsible for then? How can I put this simply? I do not, under any circumstances, in any event, in no way,
shape, or form, want Microsoft to push down an update to media player, that includes a change to a .dll file that is linked to by a visualization package in my scada software that causes one of the screens in my scada to freeze up when it tries to play some stupid little animation that the machine builder put in, thus causing the operator to not have the screen updates when the process goes out of range, which causes a heat exchanger
to boil off, destroying the heater coils, and hopefully not causing the tank to overpressurize and burst, injuring or killing someone.

If I am going to be held responsible for the damaged equipment, and possibly someone getting killed, the last thing I want is some worthless update being shoved down my throat that puts the system out from under my absolute, explicit, and dictatorial control. That is the bottom line. I would suggest that if anyone here is responsible for equipment that could cause injury or death, and they do not have absolute final control of every line of code in that system, they are exposing themselves to a level
of risk that would border on being irresponsible. I am not saying that they have to have access to source code for the SLC 500 ladder interpreter or anything silly like that, but you very well should have control over when that or *ANY* code is changed.

Whether or not you uncheck a box, if you tell MS that you agree to let them do it, they are going to take advantage of that at some point. Whether you are willing to expose yourself to that is up to you.

-Joe Jansen
 