If the software you are using auto-updates and you lose business or esteem of peers -- it's YOUR fault.
Allowing most software companies to update anything on a running, functioning work-related machine that you use to make $$ is ASKING FOR IT. WHEN it breaks something, that is your fault for being so stupid.
I update software in most cases by installing it on another machine/device and then once it is confirmed to work, switching devices and wiping the former-work-device.
Yes I have more than 2 of everything critical for making $$.
Yes I filter all my inbound and outbound network traffic and default deny, at home and on the road.
Software that prevents you from disabling auto-updates is a virus.
I have been burned often enough by software that auto-updates itself that I am positive I don't want it enabled by default on _my_ systems. Anywhere from between "this feature I really liked is gone" to "now it crashes every five minutes."
Perhaps more importantly, companies that offer software that can auto-update itself, can also make it so that the software uninstalls itself. Or worse, installs something you don't want. It also makes for an especially juicy target for supply chain attackers. So you have quite a bit of a double-edged sword there, from a security standpoint.
I wonder when we're going to stop pretending that there shouldn't be at least a fuzzy divide between software and systems intended for technical users and software for non-technical users. (And we should not be afraid to label them as such.) I fully agree with auto-updates for mass-market software but as a technical user, I don't want the system that I rely upon to make a living to constantly be changing out from underneath me.
Automatic updates are terrible and the first thing I do when I get a new device or reinstall an OS is try to figure out how to disable them. Sadly, I am losing this battle and more and more stuff insists on updating behind my back, without me commanding them to update. This should be unacceptable. When I buy something I should be in full control of what it’s doing, not the manufacturer. I don’t care if the software is vulnerable to CVE-1234567 or if there are lots of great bug fixes or if the manufacturer simply really really really wants me to see the yet-another big UI update it’s done. Updates should be done when I say they are done (or not), on my schedule, and only after I know what the update changes.
I don’t want to hear the manufacturer’s excuses. I know “most people” are clueless and leave security problems unpatched. “Most people” have also gotten accustomed to being abused by their software products that are out of their control. I’m not “most people” and I won’t tolerate being treated like this by device manufacturers. The product gets returned if I have no control over what it does.
Those aren't the only choices though. The objection is that you shouldn't force people to use auto-updates, because it impedes their ability to use their software.
Let's say I'm writing software for something important with a deadline, and my OS decides to update itself and break some of the libraries I was using. That would be completely unacceptable. It's almost no worse than walking up to my computer and smashing it to pieces.
You have to be able to control updates because that's the only way to ensure your system is stable. It may not be secure, but stability is often more important than security, especially during critical periods. Most people want their computers to work today the same way they worked yesterday. If updates didn't break things, nobody would have any reason not to get them. But updates are destructive.
There are reasons behind updates and auto-updates. Bugs, features, users who did not consistently update and were left with insecure or buggy software. Then again, updates are also a mess.
I think this is a problem which should have a mostly technical solution: If most software was updated as today and users could rollback at will, most problems would be solved. That's a better way than making updates illegal.
Even if it is software, I don't want automatic updating. The problems introduced by automatic updating are greater than the problems it fixed, in my experience.
For example, Windows updates. There was an update while the professor was giving a talk in class. The Windows update prompt popped up. There was no way for the professor to stop the update. He missed the chance and Windows had already gone into the blue updating screen. So we had a break, and the professor went to his office to find another computer.
Another problem is that automatic updating almost always runs silently. When I played an online game and the game got laggy, I always tabbed out to see what was happening with the resource monitor. It is easy to find out that something or other is updating and using CPU or bandwidth.
I feel updating is just like legally raping my device. Oh. It is OUR device.
I'd be 100% in favor of automatic software updates if there were some guarantee that it was just used for security fixes and nothing else. But if you leave it up to the software vendor to decide what gets automatically pushed, you inevitably backslide back to where we are today where everything gets jammed down the user's throat.
I'm sympathetic to this, and usually find these sorts of things annoying, but in this case I'm not so sure.
If there is any application I want to autoupdate, it's my web-browser. It's a giant bundle of security vulnerabilities whose main purpose in life is to hit untrusted servers that might be sending me malware, and when an update is available to me, the list of security fixes is also available to attackers.
I agree with most of the points in this article except `Auto-updates you can’t switch off`. Well, it never should, at least not easily. Windows XP taught us a serious lesson about that. Countless systems were compromised due to updates being disabled. Although I also think forcefully pushing feature-removal updates is silly. The only thing that should be forcefully updated is bug fixes.
I don't think anyone (at least not me) is claiming that auto-updates are very good. However, I will argue 'till the cows come home that they are better than the alternative in many cases.
Installing software in the first place is placing a lot of trust into whoever made that software from the get-go. There are a myriad of ways a bad vendor can abuse a software installation without having to involve auto-updates. Singling that as a specific abuse vector that's orders of magnitude worse than giving filesystem access to an opaque binary just doesn't make much sense to me.
If I don't trust a vendor enough to allow auto-updates, then I don't trust them enough to install the software in the first place (dev dependencies notwithstanding for obvious reasons). Combine this with the well known fact that optional updates just don't get installed, and the cost/benefit calculus of the feature becomes not that hard to motivate.
Fwiw, I also think that a switch to disable the feature should always be present for those of us who care.
If your software auto-updates, then you no longer own your device. Anti-features, spying can be pushed onto it from above and you have no choice but to accept it.
I like auto-updates. I almost always turn them on. But being able to turn them off is an important bargaining chip, to pressure devs to behave. I'm not excited about giving that up.
This is why I disable updates for every piece of software that I use. People criticize this often, but it puts me in control. I can then review updates when I feel like it, and update as I see fit.
To be fair, they are damned if they do and damned if they don’t. Don’t include auto updates, you’re in the news and people are upset that they have been hacked or are catching viruses.
For the average user, auto updates are a blessing.
Nearly every system I’ve used does still give you control by allowing you to opt out.
Once again automatic updates are shown to be fundamentally malicious. Would you let an incompetent mechanic come to your home and fiddle with your car at random times of the month, even though nothing was wrong with it, on vague promises of minor improvements he might be able to make?
If a serious security issue or amazing feature you can't live without comes along, patch it manually. Otherwise, updates are the devil.