This just in: unpatched computers are unsafe

I meant to post something about this five days ago, when this story was fresh. About five days ago, Slashdot reported that 1 in 3 PCs are still vulnerable to an attack on the Windows Server service that runs on all computers running Windows XP or later. Slashdot runs a snippet from the article where a CTO claims that the patch cycle is too slow, and then questions Microsoft’s Patch Tuesday as no longer being acceptable.

At first, you might think they have a point. Then you read the article and find that this particular worm is actually the same one that was patched almost three months ago. In fact, when Ars Technica fretted in early December that many PCs were still unpatched, I wrote a post suggesting managed PCs for most users so that updates would be handled automatically.

Another thing that’s clearly wrong about this argument: this flaw was patched ON A THURSDAY. Not only did Microsoft patch this months ago, they patched it outside of their normal patch cycle. And yet, people claim that Microsoft didn’t do enough to fix this flaw, because 1 in 3 people have not updated their PC in 3 months.

Security flaws happen. When they happen, the software producer can either leave it unpatched or patch it. In Linux, when flaws are discovered, it’s true that they are normally patched up very quickly – but how often do Linux patches break existing functionality? Even Apple can’t get this right – every patch they release seems to break something, and Apple has the one of the slowest patch cycles out there. (By the way, read that article: Microsoft is fastest.) Microsoft seems to have mastered the art of pushing patches out quickly but making sure they’re sound and play nice with everything else (and lately, they’re avoiding the need to patch at all).

Patch Tuesday works, for people who know what they’re doing. Even if people don’t, would it really help if Microsoft was releasing patches daily? Would people actually click that icon once a day even if they don’t click it in three months? Like many supposed problems with Windows, the main issue here is that Windows attracts the uneducated computer users (Apple does too, but to a far lesser extent). If the masses of people that used Windows suddenly switched to Linux, assuming they got their system to work, eventually you’d see articles on Microsoft blogs with titles of “Linux: vulnerable to a brute-force attack on user accounts with two characters or less”.

Slashdot is biased, but at least most of the time they have a valid opinion. This time, they were way off.

Seventh time’s the charm

Hello blogosphere. Did you miss me? I’ve missed you too.

It’s been a long month or so since I’ve written last, and since I wrote last I’ve had some ideas on stuff to write about: the Indians and their acquisition of Kerry Wood, a wrap-up to 2008, the ridiculousness of both the current government and the incoming administration… but I’ve always kind of lost interest, found something better to do, rather than writing. However, on Wednesday I downloaded the Windows 7 beta from MSDN, and tonight finally had some time to play around with it a bit. In short, Windows 7 is polished enough that it could be sold today, and is probably the most revolutionary version of Windows since Windows 95.

Installation
I decided to install the beta on a separate partition on my hard drive and triple-boot it with my Fedora 10 and Windows Vista installs. A couple reasons for doing this: a) I wanted to see how well it did with hardware recognition, and b) I wanted to see real performance, not virtualized.

The install was smooth, and for the most part like Windows Vista except for a much cooler boot logo. After the install, the initial setup screen is shown, where you pick the name of your computer, your username, etc. An odd thing I noticed while choosing a password was that a password was optional, but a hint was not: you have to have a password hint. After setting those things up, I was pleasantly surprised to see the next screen which enabled me to select my wireless network right from that setup screen. It’s a small touch, but it felt like I got running a lot faster with that embedded in setup. I was also asked to setup a HomeGroup, which I assume is like a workgroup only a little more modern, so I did that and finished setup.

First impressions
Logging into Windows 7 the first time, I noticed that my resolution was correct and it had even picked up my dual monitors correctly. There was no sound, but I was able to install sound drivers without a reboot by using Windows Update a bit later. The background is a little fish stuck in some ocean. It’s a nice image, but I’d check out the other themes available. I’m using the one of the snowy mountain (it seems appropriate this weekend).

I set up IE8, which was much better than I remember it being when I tested it earlier this summer on my Vista install. Instead of directing you to a website to set up your initial settings, there are now a series of dialog boxes which are much easier and faster. Still, the first place I went to in IE8 was www.google.com/chrome. I’m willing to give IE8 a second shot, but Chrome is my browser right now.

I ran Windows Update and found only a few updates, only hardware driver installs. They installed quickly (much quicker than Vista and instantaneous compared to XP) and did not require a reboot.

Windows Media Player was nice too. They’ve seperated the Now Playing and the Library screens, so for someone like me who doesn’t like all the UI chrome and just wants the video, the Now Playing screen that is simply a title bar and video, with controls when you hover over the video is a nice improvement. I was able to install DivX and watched a How I Met Your Mother episode with no problems. Another nice touch is that the “Keep player on top of other windows” has been replaced with “Keep Now Playing on top of other windows”, because no one in their right mind wants to see their library all the time.

I also liked the “Peek” feature, which just shows your desktop and outlines of the windows so you can see your gadgets (which are largely unchanged from Vista, as far as I can tell). I played around with the docking a little bit too – it’s a nice feature that I’ll get used to.

Conclusion
So say what you want, Mac fanboys or Microsoft haters: they’re working on a product that has a ton of potential. This is what Vista was supposed to be, and I’m really looking forward to what Microsoft has in store for the final release.

Forcing updates

Microsoft gets a lot of bad press for security issues, but seriously, how are you supposed to deal with something like this?

For those of you too lazy to read the article, the summary is that a bunch of Windows users are getting hit with some malware that is spreading over the Internet. If you were wondering, I am NOT getting hit with said malware, because I patched my computer a month ago. In essence, Microsoft released a patch to a security flaw in October, a month before exploits were in the wild, and now unpatched users are (surprise surprise) facing problems.

Linux has a couple advantages in the security area over Microsoft. Sure, the code is open-source and peer-reviewed, so anything that is insecure is likely to be discovered pretty quickly. But Linux also doesn’t have something that Microsoft has: computers selling at Wal-Mart.

That shouldn’t be taken entirely literally: I know Linux is being sold (to a limited extent) on pre-built machines at Wal-Mart. But I guarantee you, if you walk into a Wal-Mart electronics department and ask for a novice computer, you’ll get a pre-assembled Dell with Windows Vista (probably Home Basic). There’s definitely a market for computers like this: people who don’t care about computers other than having one so they can check their e-mail and surf the web.

These people don’t know (or don’t care to know) about viruses, worms, malware and spyware. All they use is the stuff that comes out of the box (Internet Explorer comes to mind). They’re not circling the second Tuesday of every month as Patch Day, waiting for new security fixes and service packs.

So what is Microsoft to do? They’ve already tried pushing out updates that install automatically (to some backlash) but these can be canceled or aborted. The article linked above asks if it’s time to start forcing critical updates on users: I don’t think that’s the right idea, but it’s close.

How far are we away from a managed operating system? That is, not an operating system that lives on your computer, but one that lives in the cloud waiting for you to connect? Most houses these days have broadband access, and for people who just want to check their e-mail or surf the web, a managed operating system is just what they need. They don’t want to have to worry about updating or patching, they don’t want to have to worry about spyware infections (although to be fair, neither does the company that manages it – there would have to be some huge restrictions in place). They just want a computer that works, and works well enough so that they can do their stuff and not worry about it.

I think we’re close. And I think it’s a better solution than forcing updates.

Windows 7: A modular approach

I posted yesterday about how I installed Service Pack 1 for Windows Vista. I imagine that any of you reading this know that Windows Vista will eventually be retired, just as XP was before Vista and 2000 was before XP. The internal working name for the next version of Windows is Windows 7, which is set to be released sometime in 2010 (there was talk of 2009, but thankfully Microsoft looks like they’re going to delay it long enough to get it right).

Obviously, I’m not writing an encyclopedia here, so why am I writing this post? Because multiple sources are speculating that Windows 7 will be module-based. A module-based OS will be familiar to those of you that have used a fairly modern version of Linux like Ubuntu or Fedora, which uses something called “packages” to customize an installation and add software if needed. The idea is that this way, users get what they want and nothing that they don’t want, and can add features later.

Windows has actually had “modules” of some sort for some time, albeit not visible to the user. In Windows Server 2003, something called “roles” was introduced. Users could specify what roles a given server would fill, and then the proper software would be installed. Roles became a bigger part of Server 2008; when you install Server 2008 only the core stuff is installed and then you pick stuff to add.

But for the consumer versions of Windows, which obviously have to cater to the lesser users, the concept of modules and roles has been mostly avoided (except maybe the “Add/Remove Windows Components” dialog box). Evidently this is set to change in Windows 7.

Let me just say that if this is done right, a modular Windows 7 is a fantastic idea. Most of the complaints with Vista is that the operating system is too bloated, comes with too much bloatware and is too expensive. With a modular implementation, all of these problems could be erased.

Here’s what I envision: you log in to a Windows Live site, and click around until you get to a page that lets you purchase a copy of Windows 7. Here, you have a few options. You can choose from a few pre-set module configurations that are perhaps a tad discounted, or you can choose to customize your copy of Windows 7. Also, you’d be able to have the box/disc shipped to your house for an additional fee or simply download an ISO image.

Under customization, you’d be able to select which components you want, with only a minimal core of modules that are required (kernel, networking, a “module manager”, etc.). Some modules would cost money (perhaps like Windows Movie Maker or Windows Media Center), while others would be free but optional (like IE). Once you’re done making your selections, an automated validation bot would go through your selections and make sure everything looked okay, perhaps make recommendations, and then send your selections to a server that would generate the ISO you need. I imagine creating an ISO would take a bit of time (even if it was done dynamically), so you would be directed to an optional registration page, and then you’d be provided with a link to download the ISO and a key. At any time in the future, you’d be able to return to this Live website to make changes to that ISO (and pay the difference if needed), order copies of the CD (with the same key), and most importantly, see your validation key. Once you install the OS, the “module manager” available within Windows would keep track of which modules are installed and allow you to purchase more if needed.

Now where it would really get interesting is if Dell and HP built something into their websites to allow you to customize your Windows OEM installation from there, so that way if you didn’t want some of the bloatware Dell and HP provide, you could simply choose to leave it out.

So why is that better? Overall, everything could be cheaper: only pay for what you want! I think things could be easier too, even for the mere mortals, because instead of buying a copy of Office 2010 or whatever, we could simply package it with our Windows ISO for a lower price because it is in a bundle.

I hope this is how things work out for Windows 7, but hopefully this post has enlightened those of you in the dark as to how powerful a modular OS can be. To 2010!

SP1

Forgot to mention this earlier, but I’m happy to say that I installed Windows Vista Service Pack 1 last night:


The installation was pretty smooth, it seemed to take about 15 minutes to decompress everything (which it did from within Windows) and then it installed in about 40 minutes after a reboot. Everything came up as it was supposed to, and none of my custom firewall extensions got disabled (as other Windows Updates have done). One weird thing is that I never saw this update as an optional Windows Update from within the Windows Vista interface, but actually had to download the standalone installer from the Download Center. I’m told this can happen for a variety of reasons, but I’m not sure what they are.

As for performance, I haven’t really noticed any difference (although I haven’t been benchmarking file-copying or network shares). I’ll keep you posted as I experience more with SP1, as its supposed to get pushed to all Vista users as a recommended update in April.

Early bedtime on a Tuesday night

I’m tired and ready to go to bed but before I do, a few recent happenings.

  • A lot of media speculation lately about a Hillary-Barack or Obama-Clinton ticket and how well it would do. I’m not sure how well it would do (although my guess is that the Democrats will run away with this election anyway, so it doesn’t particularly matter), but I do find it incredibly funny how much disagreement there is; take the opinion of Bill Clinton vs. that of Rush Limbaugh.
  • The city of Cleveland is an absolute mess right now thanks to the visit from Father Winter this weekend. On Saturday…well, you saw the picture of the road (which has won acclaim from some for its artistic nature!). On Sunday, the highways were okay but the roads around Case were terrible. And now, it’s Tuesday and the roads around Case aren’t much better. That’s to say nothing of downtown. Getting there today wasn’t…terrible. But getting back was a nightmare. Not only is all of East 9th under construction, but now there’s snow on the sides of the road, so there are less lanes and thus cars (and pedestrians) are being stupider than ever. A general traffic tip: if the light is green, check to make sure you can get through the intersection entirely! If you do this, there aren’t as many times when you want to shoot yourself and wonder how a device as advanced and state-of-the-art as a traffic light could have allowed such a situation to occur.
  • I might post a bit tomorrow about Microsoft’s recent efforts in research and development, as some of the stuff they’re doing is pretty awesome. People really don’t give Microsoft a lot of credit (ahem), but they come up with some pretty crazy stuff. I think you can compare Microsoft to the Cleveland Indians. In the 90s, Microsoft was a big company who was buying and overpowering and getting wins. But in the early 2000s, the company (and the Indians) decided a rebuild was needed, and here we are in 2007 with the Indians returning as the Central Division champions. I think Microsoft’s rebuilding will take a bit longer – because software development often takes longer than rebuilding a baseball team. But if you ask me, Windows 7 will put Microsoft back on the innovation forefront – along with other technologies.
  • Today is March 12th, which means the Indians open their season about three weeks from now against the White Sox at Progressive Field. I hope to post some longer thoughts about what I’ve seen so far, but for now I’ll say a couple quick things:
    1. Travis Hafner was worrying me a little bit but he seems like he’s coming along, hitting a couple doubles the other day. He had a terrible spring last year and that said a lot about his year, so hopefully a better spring means more Travis Hafner like we know and love him.
    2. Same for Grady Sizemore – he hit his first two home runs today.
    3. Pitching-wise, sounds like Sabathia is lights-out, Carmona is still nasty and Westbrook knows what he’s doing. The other guys – well, they’re coming along. Laffey would be my pick for the 5th spot in the rotation, but his performance a couple days ago kind of hurt his stock.
  • I watched most of the 6 PM edition of SportsCenter tonight and noticed something entirely disconcerting: in the midst of the football offseason, there were 4 segments out of 6 with one or more football bits. In the baseball offseason, you’re lucky to get one. Dear Todd McShay: I don’t care that much about the draft! I’ll watch on April 28, until then, get a life! Seriously, Todd McShay must have been born on Leap Day or something, because you have got to be completely used to waiting for happiness in order to spend that much time covering a one-day event.

And on a final note, I found a new coffee shop in the first floor of our building today, A.J. Rocco’s. I really liked it – cheap but excellent coffee and a nice selection of breakfast stuff, and quite a nice atmosphere. I look forward to going back tomorrow. I’ll try to write more tomorrow, until then, stay warm!

Apple

Saw an article on Slashdot about how Apple seems to be intentionally slowing down competitors’ software. I’m not really sure why this is a win for anyone – as Apple, don’t you want people to be able to use the software they want to use? If you want them to use Safari, make it not suck!

It’s another issue in a long line of issues I have with the browser wars. To summarize, I have no idea why what you browse with should matter at all. And in fact, that’s what groups such as the World Wide Web Consortium aim to fix – in their belief, every page should look the same, regardless of which browser you visit from.

Many of you who read this blog probably know that my browser of choice is Internet Explorer 7. But Jimmy, you ask, confused, “You just said you wanted standards compliance, which is what IE famously avoids. What’s up with that?” I use IE7 because, and this may sound cliche but I don’t really care, everyone else does. And because everyone else does, every web developer out there may curse under their breath every time they have to fix something for Microsoft, but they’ll do it because right now, IE has over 50% market share. And to be fair, many of the standards that are now in place came into place AFTER Internet Explorer first implemented their own versions (ActiveX is a good example).

In essence, IE has good reasons for not being as 100% standards-compliant as maybe it could be – a lot of Microsoft software relies on these proprietary standards for it to work properly. The plus side is that we get some cool technology, and the down side is that it doesn’t work perfectly in every browser, but because IE is free and Windows is installed on over 90% of the world’s computers… I’m willing to overlook the occasional standards headache if I get technology such as Windows Update that wouldn’t work in any other browser. And even though Microsoft really has no reason to change, no reason to get better, they continue to do so – IE8 is supposed to be even more standards-compliant.

The title of this post is “Apple”, and yet I’m talking about IE7. So I’ll switch back to Apple and ask, “Why?” Why, Apple, did you even create Safari? Why not publish these faster APIs so that browsers such as Firefox and Opera can run well on your OS? For all Apple says about being standards-compliant and welcoming to software developers, they’re not. In fact, every product Apple has ever created tries to reinvent the wheel – they never create something truly new, like every Apple fanboy claims. Fortunately for them, a lot of the time they do a nice job doing so.

And by the way, out of the four browsers I have installed on my Windows machine, Safari is my last choice – it eats up 150+ MB of RAM compared to about 50 for IE7, 40 for Firefox and 20 for Opera, looks ugly, and doesn’t offer anything new.