Original URL: https://www.theregister.com/2003/08/19/post_blaster_ms_floats_default/

Post Blaster, MS floats default auto updates for Windows

It's an ill Win... d'oh

By John Lettice

Posted in Software, 19th August 2003 15:07 GMT

Never happier than when making things compulsory, Microsoft is floating the notion of making home versions of Windows download and install software updates automatically by default. You'll be able to switch it off, of course (for a while), but the joy of shipping things to home users is that most of them leave the system's default settings as is, either because they don't know any different or because (grief) they trust software vendors.

Seamless auto-updating without user intervention is something that Microsoft has wanted for a long time, as The Reg has frequently pointed out, sometimes without even using words like "evil", "bunch of" and "control-freaks". But it's not something the company has been able to achieve in the past, and the last serious flotation of the notion, at the time of XP's rollout, engendered significant adverse reaction to the possibility of Microsoft 'controlling' your machine.

But that was then, and this is now. The Blaster plague of boils ripped through the user base, and Microsoft's security people are now suggesting that customers want their systems to update automatically. We have a healthy disrespect for that old Microsoft marketing catch-all, "customer demand", but we're inclined to trust the security mob a tad more than the rest, so maybe some customers do want it. Not that we entirely grasp why they don't just switch the bleeding thing on then, if they do.

The slightly higher trustworthiness rating of the security people is not however reflected elsewhere in The Beast's command structure, which brings us to why you don't want this to happen, reason number one. You'll note the Washington Post's report gives Microsoft's justification of the XP SP1 control-freak licence as a 'clarification' of the company's "ability to verify product information and provide accurate updates." Whoever told them this black lie has a trustworthiness rating somewhere south of duplicitous snake; any security implications of the new licence terms were merely a happy side-effect of Microsoft's paving the road to DRM.

There's a clear tension here, in that the security side of MS is pushing to secure Windows from a relatively genuine perspective, while the bean-counter driven side of the company is pushing ROI. The efforts of the latter frequently undermine the ability of the former to achieve their goal, by maintaining the essentially untrustworthy status of the company, and you can never be sure whether, or to what extent, the latter are overruling the former.

It may however be that you're confident that all your software, including all of the entertainment content of your system, is legal, and you fully agree that Microsoft has a right to audit you, and to install patches to keep your/their software secure. Do you then trust Microsoft to automatically download and install those patches without asking you first?

Next reason - of course you don't. Microsoft has a long and inglorious record of producing updates that break more things than they fix, patches that cause unexpected failures of other software components, and updates (thank you, Redmond Duplicitous Snake Division) that switch off useful old stuff that somebody in there wants you to stop using. Do you honestly believe that anybody within Microsoft responsible for producing patches is going to wager their grandmother's life on their latest effort not breaking anything? Of course you don't, so they don't entirely trust themselves either.

Which brings us on to a reason for Microsoft not going the whole way initially. It's currently just about conceivable that Microsoft could clean up its security update operation to the extent where the updates largely did what they said on the tin, and where breakages were largely isolated and minor, and to be fair this is mostly the case already. But it's not when it comes to more general updates, and sane souls within Microsoft will point to the potential PR disaster of crippling tens of millions of machines in one night and argue for the procedure to be ringfenced at security updates. Personal security updates.

But doing that properly isn't just a matter of Microsoft solemnly binding itself to security, and promising not to happily ski down the slippery slope at some point in the future when it thinks the coast is clear. We've heard from Solomon Binding in the past, and don't trust him either. We're probably talking about a free-standing security update system here, nothing to do with Windows Update, nothing to do with shotgun licence changes and nothing to do with Microsoft's financial security. And - here's a novel one - it ought to be accompanied by a sort of green kryptonite licence, where rather than establishing its rights over you and the software it turns out you only thought you bought, Microsoft establishes rights for, and makes guarantees to, you.

Nah, couldn't happen. And even if it did we probably wouldn't trust them anyway. But we're like that. ®