Amusement in retail

Despite my best efforts, the Conficker.c worm is set to do something tomorrow. No one really knows what, for sure, but since such a large number of computers are rumored to be infected already (between five and ten million, if CNN is to be believed), the mass media such as CNN, Fox News and MSNBC have taken notice.

With such a large portion of the computing population threatened, I guess I shouldn’t have been surprised to hear my local radio station, WTAM, interviewing an expert on the subject on this morning’s Wills and Snyder show. I was surprised, however, to hear who the “expert” worked for:


I haven’t really mentioned Geek Squad in this blog yet, but those of you who talk to me in person probably know my feelings on this organization.

To put it bluntly, portraying Geek Squad as an expert on anything computer-related would be just about as believable as Michael Scott being called to CTU to replace Jack Bauer (since Jack is indisposed, currently).

The fact that Geek Squad exists isn’t really avoidable – it’s a market that really had no competition (at least on that level – you might have your neighborhood computer guy, or you might have your nationwide tech support company for hardware issues or Windows or other software, but nothing that’s all-encompassing) when Best Buy entered it, so it made a lot of business sense for Best Buy to do so. Why WTAM had them on the air, though, is beyond me. Surely they could have found someone from Microsoft’s local headquarters to talk about it for a few minutes. Surely they could have gotten a professor from CSU or a professor from Case to talk about it. Surely they could have gone down to their own IT department and brought that guy up to talk about it.

Instead, someone from Geek Squad showed up. Now to be fair, the guy wasn’t completely incompetent. He recommended patching your computer, using anti-virus software and using a firewall. Let me assure you: this is the best Geek Squad has to offer, and even if you see one person like this at your local Best Buy, the rest of the team is not like that.

I implore you: don’t go to Geek Squad for anything. They’ll cause more harm than good.

This just in: unpatched computers are unsafe

I meant to post something about this five days ago, when this story was fresh. About five days ago, Slashdot reported that 1 in 3 PCs are still vulnerable to an attack on the Windows Server service that runs on all computers running Windows XP or later. Slashdot runs a snippet from the article where a CTO claims that the patch cycle is too slow, and then questions Microsoft’s Patch Tuesday as no longer being acceptable.

At first, you might think they have a point. Then you read the article and find that this particular worm is actually the same one that was patched almost three months ago. In fact, when Ars Technica fretted in early December that many PCs were still unpatched, I wrote a post suggesting managed PCs for most users so that updates would be handled automatically.

Another thing that’s clearly wrong about this argument: this flaw was patched ON A THURSDAY. Not only did Microsoft patch this months ago, they patched it outside of their normal patch cycle. And yet, people claim that Microsoft didn’t do enough to fix this flaw, because 1 in 3 people have not updated their PC in 3 months.

Security flaws happen. When they happen, the software producer can either leave them unpatched or patch them. In Linux, when flaws are discovered, it’s true that they are normally patched up very quickly – but how often do Linux patches break existing functionality? Even Apple can’t get this right – every patch they release seems to break something, and Apple has one of the slowest patch cycles out there. (By the way, read that article: Microsoft is fastest.) Microsoft seems to have mastered the art of pushing patches out quickly but making sure they’re sound and play nice with everything else (and lately, they’re avoiding the need to patch at all).

Patch Tuesday works, for people who know what they’re doing. Even if people don’t, would it really help if Microsoft was releasing patches daily? Would people actually click that icon once a day even if they don’t click it in three months? Like many supposed problems with Windows, the main issue here is that Windows attracts the uneducated computer users (Apple does too, but to a far lesser extent). If the masses of people that used Windows suddenly switched to Linux, assuming they got their system to work, eventually you’d see articles on Microsoft blogs with titles of “Linux: vulnerable to a brute-force attack on user accounts with two characters or less”.

Slashdot is biased, but at least most of the time they have a valid opinion. This time, they were way off.

Forcing updates

Microsoft gets a lot of bad press for security issues, but seriously, how are you supposed to deal with something like this?

For those of you too lazy to read the article, the summary is that a bunch of Windows users are getting hit with some malware that is spreading over the Internet. If you were wondering, I am NOT getting hit with said malware, because I patched my computer a month ago. In essence, Microsoft released a patch to a security flaw in October, a month before exploits were in the wild, and now unpatched users are (surprise surprise) facing problems.

Linux has a couple advantages in the security area over Microsoft. Sure, the code is open-source and peer-reviewed, so anything that is insecure is likely to be discovered pretty quickly. But Linux also doesn’t have something that Microsoft has: computers selling at Wal-Mart.

That shouldn’t be taken entirely literally: I know Linux is being sold (to a limited extent) on pre-built machines at Wal-Mart. But I guarantee you, if you walk into a Wal-Mart electronics department and ask for a novice computer, you’ll get a pre-assembled Dell with Windows Vista (probably Home Basic). There’s definitely a market for computers like this: people who don’t care about computers other than having one so they can check their e-mail and surf the web.

These people don’t know (or don’t care to know) about viruses, worms, malware and spyware. All they use is the stuff that comes out of the box (Internet Explorer comes to mind). They’re not circling the second Tuesday of every month as Patch Day, waiting for new security fixes and service packs.

So what is Microsoft to do? They’ve already tried pushing out updates that install automatically (to some backlash) but these can be canceled or aborted. The article linked above asks if it’s time to start forcing critical updates on users: I don’t think that’s the right idea, but it’s close.

How far away are we from a managed operating system? That is, not an operating system that lives on your computer, but one that lives in the cloud waiting for you to connect? Most houses these days have broadband access, and for people who just want to check their e-mail or surf the web, a managed operating system is just what they need. They don’t want to have to worry about updating or patching, they don’t want to have to worry about spyware infections (although to be fair, neither does the company that manages it – there would have to be some huge restrictions in place). They just want a computer that works, and works well enough so that they can do their stuff and not worry about it.

I think we’re close. And I think it’s a better solution than forcing updates.

Windows 7: A modular approach

I posted yesterday about how I installed Service Pack 1 for Windows Vista. I imagine that any of you reading this know that Windows Vista will eventually be retired, just as XP was before Vista and 2000 was before XP. The internal working name for the next version of Windows is Windows 7, which is set to be released sometime in 2010 (there was talk of 2009, but thankfully Microsoft looks like they’re going to delay it long enough to get it right).

Obviously, I’m not writing an encyclopedia here, so why am I writing this post? Because multiple sources are speculating that Windows 7 will be module-based. A module-based OS will be familiar to those of you that have used a fairly modern version of Linux like Ubuntu or Fedora, which uses something called “packages” to customize an installation and add software if needed. The idea is that this way, users get what they want and nothing that they don’t want, and can add features later.

Windows has actually had “modules” of some sort for some time, albeit not visible to the user. In Windows Server 2003, something called “roles” was introduced. Users could specify what roles a given server would fill, and then the proper software would be installed. Roles became a bigger part of Server 2008; when you install Server 2008 only the core stuff is installed and then you pick stuff to add.

But for the consumer versions of Windows, which obviously have to cater to the lesser users, the concept of modules and roles has been mostly avoided (except maybe the “Add/Remove Windows Components” dialog box). Evidently this is set to change in Windows 7.

Let me just say that if this is done right, a modular Windows 7 is a fantastic idea. Most of the complaints about Vista are that the operating system is too bloated, comes with too much bloatware and is too expensive. With a modular implementation, all of these problems could be erased.

Here’s what I envision: you log in to a Windows Live site, and click around until you get to a page that lets you purchase a copy of Windows 7. Here, you have a few options. You can choose from a few pre-set module configurations that are perhaps a tad discounted, or you can choose to customize your copy of Windows 7. Also, you’d be able to have the box/disc shipped to your house for an additional fee or simply download an ISO image.

Under customization, you’d be able to select which components you want, with only a minimal core of modules that are required (kernel, networking, a “module manager”, etc.). Some modules would cost money (perhaps like Windows Movie Maker or Windows Media Center), while others would be free but optional (like IE). Once you’re done making your selections, an automated validation bot would go through your selections and make sure everything looked okay, perhaps make recommendations, and then send your selections to a server that would generate the ISO you need. I imagine creating an ISO would take a bit of time (even if it was done dynamically), so you would be directed to an optional registration page, and then you’d be provided with a link to download the ISO and a key. At any time in the future, you’d be able to return to this Live website to make changes to that ISO (and pay the difference if needed), order copies of the CD (with the same key), and most importantly, see your validation key. Once you install the OS, the “module manager” available within Windows would keep track of which modules are installed and allow you to purchase more if needed.

Now where it would really get interesting is if Dell and HP built something into their websites to allow you to customize your Windows OEM installation from there, so that way if you didn’t want some of the bloatware Dell and HP provide, you could simply choose to leave it out.

So why is that better? Overall, everything could be cheaper: only pay for what you want! I think things could be easier too, even for the mere mortals, because instead of buying a copy of Office 2010 or whatever, we could simply package it with our Windows ISO for a lower price because it is in a bundle.

I hope this is how things work out for Windows 7, but hopefully this post has enlightened those of you in the dark as to how powerful a modular OS can be. To 2010!

SP1

Forgot to mention this earlier, but I’m happy to say that I installed Windows Vista Service Pack 1 last night:


The installation was pretty smooth: it seemed to take about 15 minutes to decompress everything (which it did from within Windows) and then it installed in about 40 minutes after a reboot. Everything came up as it was supposed to, and none of my custom firewall extensions got disabled (as other Windows Updates have done). One weird thing is that I never saw this update as an optional Windows Update from within the Windows Vista interface, but actually had to download the standalone installer from the Download Center. I’m told this can happen for a variety of reasons, but I’m not sure what they are.

As for performance, I haven’t really noticed any difference (although I haven’t been benchmarking file-copying or network shares). I’ll keep you posted as I experience more with SP1, as it’s supposed to get pushed to all Vista users as a recommended update in April.