Windows XP, Anyone?

Ranjan Acharya

Mark,

I do not care about update. Most of my customers would never connect to the Internet.

Will ignoring or turning off Windows Update help me with this too?

It is 02h00m your customer is in the middle of nowhere at a wood pulp factory. The Windows XP SCADA box died and the back-up is busted too (told ya' you should have used Win2000 or Linux). You quickly talked them through restoring from a Ghost or DriveImage to the plug-in spare hard drive back-up. What next? Does it work? This customer, like many, does not understand what to do with PCs. I am under the distinct impression that some sort of authorisation is required from Redmond if XP thinks that you have been tinkling around (guilty until proven innocent, after all).

I think that Microsoft want to make computers like TVs. You buy them, they break (a little sooner for PCs) and then you toss them away. That just does not fit with the tinkerers in automatia land.

RA
 
Peter Whalley

Hi Curt,

I already let Microsoft and Symantec automatically update my systems. I have no problem with this. I don't offer carte blanche however. It's because I do this that I have some hope of keeping the real hackers out. (This is not a challenge to the hackers - I know my systems aren't perfect).

I'm not suggesting that IA systems should be updated this way. Just the average home and small business systems. IA people should be knowledgeable enough to turn off the automatic updates if they don't want them. We can't however assume that the average home user is knowledgeable enough to turn automatic updates on, so the default for a system intended to be sold to these types of users must be to enable the feature as default.

Regards

Peter Whalley
Magenta Communications Pty Ltd
Melbourne, VIC, Australia
e-mail: peter*no-spam*@magentacomm.com.au
delete *no-spam* before sending
 
Peter Whalley

Hi Michael,

I'm afraid I have no expectation that Microsoft is going to design XP specifically to suit the needs of IA users and not the vast bulk of its customers. XP is designed for home and office applications not IA specifically. Sure we need to be aware of what it does and to know how to turn off the feature if we don't want it but it's presumptuous in the extreme to imagine that Microsoft is going to design XP specifically to suit us.

By all means we need to discuss the implications for IA of XP having this feature and many may decide not to use XP. I don't use XP either. What I'm saying is that automatic updates are a good idea for the vast bulk of Microsoft's customers and that we get a benefit if those customers use it because we are less likely to be subject to denial of service attacks originating from their computers and the economies of our countries are made more robust because millions of computers are better protected from cyber terrorism.

Regards

Peter Whalley
Magenta Communications Pty Ltd
Melbourne, VIC, Australia
e-mail: peter*no-spam*@magentacomm.com.au
delete *no-spam* before sending
 
Mark Hill:
> One more comment .... WIN2K will be around (and supported) for a LONG
> time !!

To be precise, it will enter the `Extended Phase' as of March 31 2003, though it'll still be available through all channels until March 31 2004 (presumably as a special exception).

The guidelines would seem to indicate that it'll become `Non-supported' at that point, with the remaining minimal support and availability being subject to termination on 12 months' notice, but Microsoft only seems to be listing actual dates through to the end of December 2003.

http://www.microsoft.com/windows/lifecycle.mspx
http://www.microsoft.com/windows/lifecyclefaq.mspx

Whether one and a half years is a ``LONG time !!'' or not obviously depends on what one intends to do with it.

Jiri
--
Jiri Baum <[email protected]> http://www.csse.monash.edu.au/~jirib
MAT LinuxPLC project --- http://mat.sf.net --- Machine Automation Tools
 
Vladimir E. Zyubin

Hello Mark,

Mark Hill wrote:
[...]
LM> MS isn't trying to force updates onto the IT community, they're trying
LM> to keep my clients XP boxes from being bombarded by the latest offering
LM> produced by your friendly internet hacker.

Why MS does not update NT for the USB? Why? Why does MS cancel to support NT? The answer is obvious! Why MS constantly changes formats in MS Office, Word, etc.? Please do not tell me tales about progress... there was no any principal innovation since 1995.

LM> I applaud MS for helping me keep my clients machines updated with the
LM> latest SP, patch or fix.
LM> Otherwise I'd be visiting my clients every month or two installing the
LM> latest. [...]

There is no need to reflect it in the EULA. The secure acceptable way is to write a program-"Updater"... so, you (as a supporter) can install it on your clients' PCs.

The words in the EULA are an attempt to lock-in the users, obviously.

LM> One more comment .... WIN2K will be around (and supported) for a LONG
LM> time !!

Win-95 was around for a long time, as well as Win-98 was, as well as Win NT was, as well as Win MilleNium, as well as Win 2000... :) I must confess, history makes me feel scepsis when I hear encouraging words from MS.

LM> Vladimir E. Zyubin wrote:
[...]
>>BTW, is it correct, in November we will have to say good bye to Win 2000?

--
Best regards,
Vladimir E. Zyubin mailto:[email protected]
 
Mark Hill:
> As you are well aware, the EULA is an agreement between the MS and
> you, in which MS reserves the rights to update your machine with the
> latest and greatest fix.

Precisely.

> It DOES NOT state that you must let them push these fixes onto your
> machine.

No, it just states that I'm agreeing to them doing so.

> Turn off automatic update and these statements in the EULA are a moot
> point.

Not really - since there's no legal connection between the EULA statements and the automatic update setting, I cannot rely on it for things like statutory confidentiality requirements.

And from a practical point of view, it's quite possible they'll decide in the future to have optional updates, which can be turned off, and security updates which can't.

Jiri
--
Jiri Baum <[email protected]> http://www.csse.monash.edu.au/~jirib
MAT LinuxPLC project --- http://mat.sf.net --- Machine Automation Tools
 
Peter Whalley:
> Personally I wouldn't trust the "average user" at home with a
> broadband internet connection to turn on some feature.

A dialog box during installation defaulting to `yes' should be both sufficient and likely to be left `yes'. For that matter, rephrasing the EULA so that it explicitly refers to `Windows Update' would do.

> It wouldn't surprise me if in a few years time the Department of
> Homeland Security decides they want to make it mandatory for software
> providers to incorporate automatic updating because of the security
> risk associated with not having it.

Yeah - or, for that matter, the RIAA. (Or whoever's looking after the industry's interest under whatever DRM scheme they come up with.)

> Certainly you can't turn off the EULA but you can turn off the feature
> so that it doesn't happen if you don't want it.

Well, you can turn off *one* of the features that do this.

> This is a good illustration of the dichotomy we face. We need to
> install security fixes ASAP but we also need to test updates for
> compatibility. Just goes to highlight the inherent dangers with
> connecting SCADA systems to the Internet.

Actually, it goes to highlight the inherent dangers of not having a decent security policy both for the OS and for the applications, but that's a separate story.

Jiri
--
Jiri Baum <[email protected]> http://www.csse.monash.edu.au/~jirib
MAT LinuxPLC project --- http://mat.sf.net --- Machine Automation Tools
 
In response to my message, Michael Griffin said (minus some clippage):
> > To hear from BOTH sides of the story, read the following article:
> >
> > http://www.infoworld.com/articles/op/xml/02/02/11/020211opfoster.xml
> > (note, a credible news source)
>I followed your link and read the article you suggested. If you read
>it carefully enough, it seems to imply a situation which is even worse
>than that which was reported in "The Register" (see previous messages
>for that link).

Worse is not how I would describe it. Different than The Register reports, but not worse.

>If you read what Microsoft has to say - well there's a lot of words there,
>but they really didn't say much. They even admitted that there are a lot
>of implications about their new system they haven't told people about yet.

I don't see where Microsoft admitted that. Nor do I see anything "new" about any of these update procedures the EULA statement refers to.

>They are a bit vague on the new "security component" updating, but it seems
>to be something which is entirely separate from their "Windows Auto-Update".

Yes, it is. It's been part of Windows Media Player for over a year now. (maybe longer) Would you be surprised to know that Real has similar update procedures? Try to play a .rm file created with a newer or different codec and Real will download the update for you too.

>The type of "security" they are talking about by the way, is not intended to
>protect your computer from viruses and hackers. It is "security" which is
>intended to limit what you can do with your computer (even if you have
>administrator privileges).

I will not participate in a protracted Digital Rights Management debate. Suffice to say, people who don't own the legal right to play music and video files or run software should not be able to do so. I'm not for giving up "fair use," but there is no mention of "fair use" in the law itself -- but in court rulings. If you're worried about DRM, Microsoft should not be the target of your concern. Your senators and congressmen are in the best position to effect "fair use" protections.

>One of the things they did manage to say though was (this is a quote from Microsoft):
>
>"If the user elects not to update the security component, he or she will be unable
>to play content protected by our DRM from that point forward, although content
>previously obtained would still be usable."
>
>What exactly does that mean? It sounds like there is a lot more going on than just
>"you didn't get the upgrade".

That sounds exactly like what's going on. Just like you can't open a Word 2002 document in Word 97, don't expect to open a document protected by a new version of the "security component" if you have an old one, or don't have the software at all.

>How are they preventing downloads from being usable if they didn't actually change
>anything on your computer?

PDF files are useless if you don't have Acrobat installed. So is Microsoft preventing you from using downloaded files because you don't have the software?

>After all, existing data files stored elsewhere didn't miraculously change to a new
>version just because Microsoft came out with a software upgrade. They seem to be
>saying that they are doing something to prevent you from using hacked versions of
>certain data files.

This is a bad thing? I avoid using all hacked files for obvious reasons.

>You've said that you feel this article is credible and balanced.
>OK, I will accept your judgement on that. However, this is what
>it has to say:

I prefer a balanced article, especially when the result is still mud in Microsoft's eye.

>"But if it is indeed Microsoft's intent to continue giving users the right
>to decline downloads, why has the company written its XP agreements to force
>users to explicitly surrender that right? Are customers supposed to ignore
>what the licenses say and just hope Microsoft won't ever do what the terms
>say it can do?"
>
>Isn't this what people here have been saying? If you intended to reassure
>people like me with this sort of information, I can tell you that all you
>are doing is making us more worried.

I must say, my goal was not to reassure anyone. While I openly use and vocally support Microsoft and Microsoft's products, everyone is free to judge for themselves. I believe that there is no possibility of Microsoft updating software on my computer without my knowledge. I firmly believe they are not out to get me.

>I'm not an expert on Windows XP, and I don't want to be either. I just want
>to be able to get the job done without having to worry about this sort of
>rubbish. An operating system is supposed to be there to support the application
>software, not to become a hurdle which must be leaped on a continuing basis.
>The ideal operating system should be one which you don't even notice is there.

Then don't worry about this rubbish. I sure don't.

Jeff
 
Vladimir E. Zyubin

Hello Michael,

[...]
LM> The reason why the customer may be unhappy is that Microsoft admits in
LM> the end user agreement that some of your existing software may no longer
LM> run after they quietly download their patch. If the result of this is
LM> that your plant no longer runs, then you can see why people would get
LM> rather excited over this prospect.
[...]

The following question appears in my head after your words:

What do the XP-users plan to do when MS cancels to support the XP? Who will generate the authorization keys? Who will rewrite the software in order to port it on new MS OS - devil knows the name... MS produces a new OS every 2 years!

(IMO, it looks like a train of extortions... and the main motive of the new MS policy is to legalize the situation... to switch the extortions from the "per 2 year" base to the "per a month" base)

--
Best regards,
Vladimir E. Zyubin mailto:[email protected]
 
Peter Whalley

Hi Mark,

The average user went down to their local computer store and bought a PC for their kids to do their homework on. Then they got a broadband Internet connection for the PC so the kids could download music and videos. Do you really think they are going to configure their firewall to block these ports? Do you trust them to?

I'm talking about the average XP user not the average IA user or even the average IT system manager. When I read the computer ads in my local paper all of the PCs come with XP pre-installed. This and the average office user (in both big and small companies) is Microsoft's market. It's not IA. If we want to use XP we need to learn how to live with it. If we don't think we can live with these features then we don't use XP or figure out ways to work around them.

It seems ironic to me that when Microsoft shipped NT with minimum levels of security enabled people criticised them for not taking security seriously because many users would not think about turning on higher levels of security. Now that they do something that enhances the security of the average PC in the hands of non technical users they get criticised again.

Regards

Peter Whalley
Magenta Communications Pty Ltd
Melbourne, VIC, Australia
e-mail: peter*no-spam*@magentacomm.com.au
delete *no-spam* before sending
 
Joe Jansen/ENGR/HQ/KEMET/US:
> What if your system has to be certified with FDA? (pharm. and food
> come to mind.) When MS downloads an "update", do regulations require
> that the system be re-certified?

Technically, yes, that's a problem. (It's probably a problem even if the machine isn't connected to the network, simply on account of the EULA.)

In practice, it's not important: one does not connect a critical machine to a public network when the machine doesn't have any certified security (Windows had a certified security rating once, but it was: (a) different version, no longer supported, (b) with the network not connected, and (c) only C2 anyway).

Jiri
--
Jiri Baum <[email protected]> http://www.csse.monash.edu.au/~jirib
MAT LinuxPLC project --- http://mat.sf.net --- Machine Automation Tools
 
This is turning into a bit of a paranoid feeding frenzy. Can I point out that:

1) No-one is obliged to connect a PC on a production line or in a certified environment to the Internet. Indeed, if you do, you probably run greater risks than the Microsoft Department of Evil.

2) No-one is obliged to use XP. As far as I know Win2000 doesn't require the same licensing terms, and is a better choice anyway. XP is supposed to be a mass market consumer O/S. As others have pointed out, O/S update is a useful feature in such environments, particularly when plugging security holes. It is not appropriate in the commercial world, in general, and so will not be deployed.

3) Automation (or indeed general commercial use of PCs where IT depts certify OS levels) is a significant market for Microsoft. They will be aware of the problems automatic update can cause, and will, I suspect, be working to obviate them.

4) Anyone relying on XP, or Win2000 as a single point of failure in safety critical situations is wrong to do so. This is not Microsoft specific - anyone relying on Linux in safety critical situations is wrong too: the plant must have independent watchdog devices to shut down if danger is detected (this is the great problem with PC based control in general).

5) It is genuinely scandalous to compare Microsoft commercial practices with Osama Bin Laden hacking into a computer. Sorry Curt, but you have lost track of reality if you truly believe that.

Like I said a few months ago - proponents of Open Source would be better served arguing their case on the relative merits of their products rather than indulging in silly FUD and scare tactics and intimations that Microsoft is plotting to destroy the world. It isn't.

Cheers

Tim
 
Perhaps abuse of a monopoly so pervasive that nothing is out of bounds. No abuse of privacy or security, no matter how odious, no abrogation of rights or contractual demand so one sided that any will risk exclusion or financial ruin. This and past EULAs read like an unconditional surrender, not an agreement between "partners". And even when the monopoly acts in ways that directly and negatively impact business, there is nothing that can be done except accept and make the best of it or even apologize for them. Doesn't this strike anyone as a little bit strange in a free country?

Regards

cww
 
Blunier, Mark

Jay Kirsch wrote:
> If I had to choose between Bill Gates meddling with
> my computer over the Internet or Osama bin Laden flying a Boeing
> 747 into it, I'd pick the former.

You don't have that choice.

> There are some posts back there which had some actual technical
> information stating that remote updates can be disabled on
> WinXP. (I'd prefer this were the default setting.) What is this
> thread really about now ?

It is about MS EULA that says that they can make any changes that they want to your computer. Some people here want to believe that MS will only do things in the consumers' interest, and that MS will never create a problem propagating 'updates'. We are trying to point out that we don't believe this to be the case.
We are also trying to point out that if the MS is only going to provide these updates when the update feature is selected, the EULA should state that the users are only going to give up these rights when the update feature is activated.

Mark Blunier
Any opinions expressed in this message are not necessarily those of the
company.
 
Rokicki, Andrew

Who cares.
You want to use XP etc. use it.
This is like arguing what is better meters-feet, centimeters-inches etc.
(please do not respond about these systems.)
I don't want to use Microsoft products, so I don't.
Linux turned out to be much better solutions for us.
I know it is hard to let go of the mouse and actually use keyboard to do things, so what I like what I do and I like learning new things.
Windows is an excellent system and has its place, when you use it you know what you are getting into.
When you use Windows products you know about licensing issues/support.
I am not sure if I can get DOS 3.1. But I know I can download version 1.0 of Linux if I need to.
 
Hi Peter

That's certainly making the best of a very bad situation, but the implications of allowing unfettered access to private systems, far outweigh any possible benefits IMHO. With this arrangement and the secrecy of closed source, they could be doing absolutely anything, especially with the unsuspecting home user. To have a monopoly and this kind of power, especially since they've shown that they will abuse it with the document fingerprinting scandal, etc. is simply a very bad and very dangerous idea. It is not the right way to handle the problem, but is extremely fortuitous for Microsoft. Not in their wildest dreams could you get people to allow you complete and total control of all their information. And the ability to hold the Sword of Damocles over their heads. Pay up or else. My point is, what price will people pay, simply to avoid learning something new? Doesn't their privacy and the security of their data have any value? This "solution" makes their systems utterly insecure, rather than more secure. And it gives MS more power and control than most would ever willingly grant to anyone, _if_ they were paying attention. I liken it to the Stockholm Syndrome, or putting a frog in a pot of cold water and turning on the heat. As long as the change is slow enough, you can boil the frog without any struggle. Project this onto your house, your car, or any more tangible possession. Would you allow this? How is MS that special or valuable to you? Home users can plead ignorance, but can you honestly say you can protect your customer's and your owner's assets? Honestly?

It's this inexplicable adoration of convicted criminals that intrigues me. It's not unprecedented in history, but the consequences have been universally bad.

Regards

cww
 
Ranjan:

In response to your concerns about "Restoring From An Image", there has never been a need to re-activate as long as the image was created on the same computer. (at least in any of my installations and restores.) If there have been major hardware changes (and no images were created to reflect these changes,) then it MIGHT be necessary to re-activate.

Mark Hill
Windows XP Associate Expert
 
>>Windows had a certified security rating once, but it
>>was: (a) different version, no longer supported,
>>(b) with the network not connected, and (c) only C2
>>anyway).

The US Government (who created and certified "C2" security in Windows NT 3.5 and 4.0) and other governments changed its security rating system in 1998. The new system is called the "Common Criteria for Information Technology Security Evaluation (CCITSE)."

Windows 2000 is currently undergoing the rigorous review to achieve certification comparable to C2 as a distributed operating system (connected to a network). Windows XP has also started this process.

To read more about CCITSE see:
http://niap.nist.gov/howabout.html

To see other CCITSE certified operating systems see:
http://niap.nist.gov/cc-scheme/ValidatedProducts.html#operatingsystem

To read Microsoft's explanation see:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/prodtech/secureev.asp

The truth, the whole truth, and nothing but the truth,

Jeff
 