Thinking Different II

You probably know the current situation in one way or another:
You see a computer of a friend (or just someone you know) that is not up to date (usually it’s so out of date that you can tell just by looking at the interface), and when you give them a “tip” to update their Windows XP, they answer, “I saw the new interface in Windows XP SP2, and I didn’t like it one bit”.

Let’s keep this example on Windows for now, because it’s the majority of users these days :( .

Then when you attempt to say something like “but Microsoft fixed a lot of security vulnerabilities”, you either get a response such as “nothing will happen to me” or you lose the conversation, and that’s what I’m going to talk about in this blog entry.

I do not like the idea that an OS is bound to its GUI, because the vendor teaches the common users that the GUI is the only real thing that is important. That’s true, btw, for many other OSes and not just for Microsoft (Mac anyone? maybe you still use BeOS, OS/2 or even KDE/Gnome based Linux?).

The reason for that is simple. In WYSIWYG environments, you do not really know what you are getting… well, you never do know what you get, but on a GUI, people expect GUI updates. They do not accept that there can be other types of fixes, and they do not understand the importance of these updates.

The scariest part here is that most of them do not think that they will be vulnerable, although they do keep an AntiVirus (usually not 100% up to date) and they understand that there is spyware someplace that can hurt them, among other issues. But still, the response is “If I cannot see what was changed, why should I update?” in the more naive case, or “but nothing will happen to me, I’m behind firewall/antivirus/router/Other”.

In order to convince these people I think that we should use exploits that present the user with a GUI notification that they are vulnerable, like an “xmessage” with current user privileges (or use xhost for gaining X running option) on X based OSes, or just a popup dialog that can not be closed, or will appear at “random” :) .
Or just crashing programs and leaving a message in a text file on the desktop “upgrade me” or something similar.

Regardless of April Fools’ Day, when it might be funny to see users suffer, they will also see that they are vulnerable, and be motivated to find a way to fix this problem.

Now all we should do is convince vendors to add this type of feature, instead of black hats breaking into users’ computers and doing whatever they want.

  • Arik

    As weird as it sounds, users will never think this way. You can’t convince them to think this way. You can only annoy the heck out of them.

    I happen to think Microsoft are going the right way by nudging the user to set up automatic upgrades at 3am. My only beef with them is that they need a reboot to make a big part of their updates work.

    The ideal IMO would be to have an OS that updates itself without downtime. Windows would probably not be able to do it, because of the way they lock files. Linux is almost there – you can replace software packages but you can’t replace kernel modules or the kernel itself.

    I heard a lecture by Andrew Morton, where he says he intends to make kernel patches load like loadable modules, hence make this a reality for Linux – when you install a kernel patch it will both replace the kernel image file and patch the running kernel.

    – Arik

  • Jooni

    Thanks for making this valuable information available to the public.

  • Jesus

    Oh o ho! very nice site!