There’s a hole in your mind

“Delenn, just before he died, the Minbari assassin looked at me and said: ‘There’s a hole in your mind.’”
“An old Minbari insult. Nothing you need worry about.”
Sinclair and Delenn in “The Gathering” – Babylon 5

You probably know this situation: you see a computer that is still running Windows XP prior to SP1.

Many times the reason for not updating is “why do you need to update?”. But on many other occasions it is due to the “arms race” between your hardware resources and the OS requirements.

I do not know if any of you noticed it, but Windows XP SP2 requires much more memory and disk space than Windows XP prior to SP1.

People want to use their computer for longer than one year; in most cases, as I do, for at least five years before needing to replace or upgrade the computer. But a closed-source OS such as Windows, where “anything” becomes part of the kernel (even the GUI!), causes users who will not upgrade their hardware to stop updating.

And when these people stop updating their Windows, they will soon stop updating the O’ mighty antivirus, and practically everything else.

Another problem that Windows users have, and that most Linux users (well, at least those who use a package manager) do not have, is that they do not read mailing lists or web sites such as SecuriTeam, and they do not read any of my blogs on this site either. And, as Matthew mentioned in his blog, the press does not really help; usually the press even makes things worse.

Shouldn’t we find a better way to make vendors actually notify users of problems, and to make vendors drop the useless arms race on every update and only fix the problems?

  • http://blogs.securiteam.com/index.php/archives/author/mattmurphy/ Matthew Murphy

    You bring up an interesting point, which is that users often aren’t aware. I only briefly touch on it, but you do a good job of explaining exactly why that’s the case.

    Perhaps we should treat security patches more like what they are: software recalls.

    If your car has a recall associated with it, you’re going to get a recall notice. They will track you down and make sure you get it. This makes sense, as your safety is at risk.

    As more and more people invest more and more valuable information (and confidence as a result) in computer networks, a similar system for technology seems like a good idea. Registering software should be as necessary as registering a vehicle is here in the U.S., and then each and every registered customer should receive notices that an update is available.

    These notices may consist of boiler-plate stuff like “Go to Windows Update and apply patches”, but if people start getting “recall notices” once-a-month for Windows, security at MS will change fast. :-)

  • sunshine

    Sci-Fi injection!

    Babylon 5.. ah, the memories. :)

  • http://BeyondSecurity.com ido

    Sunshine, I hope you understand how this quote is connected to the blog ;)

    Anyway, I read my blog (again, for the 10th time or so) and I realize now that I did not emphasize the bottom line of what I wanted to say correctly.

    I meant that the vendor must separate security and bug fixes from upgrading to newer versions of the products.
    Today I cannot install security updates without upgrading my computer to a new version of Windows Media Player, for example.

    The second issue is that most users do not understand why they need these updates. That’s, btw, the reason why Microsoft added the automated updating system, for example. But I think that the user should know more: that there is a security vulnerability and that he or she must install patch x or patch y to fix that vulnerability. I do not think that it’s too much to ask, and I do see it as part of the service that I paid for when buying a license to use any software.

    I hope things are a bit clearer now.

  • Pingback: SecuriTeam Blogs » Microsoft does it again with SP3