Windows update

[RLT69]

I find it interesting those who advocate not updating their OPERATING SYSTEM with the latest patches to fix security issues and yet these same people tell you to update and patch your anti-virus.

Oh come now ROF, that's a bit of a straw man don't you think.

I and others were not advocating people do not update their anti virus software. Anti virus software needs updated virus definitions in order to detect viruses. That's not the same for security fixes. Depending on the security exploit - you may never need the fix. The security fixes clearly delineate what the exploit is and how to avoid it. For example, if it's a service running in the background that you never use, you simply shut it down.

Security starts with the user. Microsoft has had to issue security fixes on top of security fixes, because the first fix did not fix the exploit. This would give the user a false sense of security. It's better to understand the exploit and how best to avoid it rather than assumed your PC is safe because you have all the latest security updates.

[ROF]

It's better to understand the exploit and how best to avoid it rather than assumed your PC is safe because you have all the latest security updates.

If you know all the exploits and have all security updates and have all updated software patches, fixes, definitions, etc. and you still assume you are safe my question(s) to you starts with is that computer reading this and:

Which planet do you live on?

Which part of computer technology for the last 30 years do you not understand?

You obviously either live on some planet nobody knows about or you don't understand that even the most secure computer is insecure once it's connected to the world wide web.

It's better to patch your core systems and your protection systems too then to leave something open. You may not use a particular service, but that hacker who just hacked cnn.com for example might be able to use it because you failed to patch the exploit in it.

[RLT69]

ROF it's comments like the last one that have certainly supported your reputation on these forums.

What I and others have pointed out is that you do not need to continue to use Windows Updates and apply the latest updates to have a safe and secure system. In my first post I listed various things people can do to secure their system:

1. Run anti-virus software actively and keep updated.

2. Run spyware software.

3. Use a firewall and know how to configure it!!

4. Use a router.

5. Shutdown Windows services you do not need running.

6. Test your machine to see if it is secure.

7. Don't be stupid!


These steps work. It's not fool proof because of item number 7. But if you don't trust Microsoft and no longer want to bother with their updates, those steps will help protect you.

In end if you want better security, use Linux.

[lordsmurf]

Security starts with the user.

I've never heard computer security defined so succinctly (and correctly).
That's pretty much it.

Your 7-STEP plan of protection is also the one smart folks follow:
1. Run anti-virus software actively and keep updated.
2. Run spyware software.
3. Use a firewall and know how to configure it!!
4. Use a router.
5. Shutdown Windows services you do not need running.
6. Test your machine to see if it is secure.
7. Don't be stupid!

That's worth repeating until I'm blue in the face. No pun intended. :P

And I'd add an 8th one: DO NOT USE IE! Use Firefox or something else.

As RLT69 said, most Windows updates tend to be for services you don't need and shouldn't be running anyway. Most of that stuff should be turned off for most users. Quite a few of them are for IE browsers and fixes to fixes because they did it wrong the first time or more. Many more are for crap you don't actually need and just try to add more DRM and anti-piracy and whatever else that only half works.

In end if you want better security, use Linux

Or a typewriter or pen and paper to write letters or papers. If you need to send messages, I hear the phone companies and postal service is still in business. For information, they sell newspapers and phone books, have library with books etc. For games, Parker Brothers still makes them from cardboard and plastic.

Some people are too scared and paranoid for their own good.

[MOVIEGEEK]

I have eleven(and updating Windows/Office is one of them):
https://forum.videohelp.com/viewtopic.php?t=307253&highlight=

[MOVIEGEEK]

7. Don't be stupid!

The biggest security risk is you! Too many people click on EXEs without knowing what they are or scanning for viruses. Too many people willingly give out personal information. Too many people go to toxic sites and wonder why they are infected. Too many people download files from P2P programs and assume they are safe.

Security starts with the user. Know what you are doing and know what your computer is doing. Yeah that's a pain in the ass but welcome to the internet. You wouldn't leave your house unlocked why would you leave your computer?
....
I only got one virus in that time and that was my fault - didn't check a P2P file - stupid me.

Agreed,maybe you should heed you own advice and not use P2P.
BTW...you can make IE6 just as safe as other browsers if you configure it properly:
http://www.malwarehelp.org/ten-steps-to-malware-prevention-part-1.html

[CrayonEater]

It's better to patch your core systems and your protection systems too then to leave something open.

Yes, it's better to patch and that's what I recommend to my clients, but mostly because that's what you're "supposed" to say. However, Microsoft has made it increasingly difficult - to the point of reckless disregard of the online safety of their customers and others - when it comes to patching. I have not had trouble patching without WGA, fortunately, but if it should come to the point where I need it to patch, I will stop patching, and may start advising clients to use other software and/or hold Microsoft legally accountable for problems that may occur, if you get my drift.

Frankly, nearly all Microsoft-related flaws are a non-issue as long as you don't use Internet Explorer, and follow rule 7 - don't be a dumbass. My main test machine, which I use to look for web exploits, have been "owned" more times because of Microsoft's "features" (i.e. ActiveX drive-by installs) than any exploit. And even though sploit-related hacks are becoming common, virtually all are easily prevented by simply not using Microsoft's browser, email client, and media player.

[ROF]

I have not had trouble patching without WGA, fortunately, but if it should come to the point where I need it to patch, I will stop patching, and may start advising clients to use other software and/or hold Microsoft legally accountable for problems that may occur, if you get my drift.

Which problems would those be? Validating your clients systems as genuinely licensed? That is all WGA does.

BTW, In August alone there are 9 critical updates, three of which the services for can not be shut down and no matter what your habits one of them can cause errant code to be run on your machine just by visiting a website. Surfing is dangerous and all your firewalls and what-not make no difference. You viewed the code of the site. You allowed your machine to allow you to view the website. You allowed the errant code behind your firewall. As I posted above and was laughed at by someone. This is not a laughing matter. An compromised computer on the web effects everyone on the web. While it may not effect you today or tomorrow it may effect you in the future. Running a non-updated OS with all the latest security fixes is just plain not smart.

[CilyPudi]

My 2 cents, If your run Windows, like do (because I like it), you are a fool if you don't install every security update Microsoft offers. Noone else is trying to fix and patch their product. I need not say how notorious the flaws are in Windows. It's daily front page news.

I've got at least 15 AV programs available on my OS but I could never trust them to defend against an unpatched/not updated Windows system. I'm not crazy about WGA either, but I fear it is a necessary(?) sign of the times. Microsoft just looking for their money. If you got Windows, you gotta get WGA'd or change systems as far as I can see. With the Feds asking major search engines for databases, I think computer privacy is now totally eroded.

Again, IMHO, only a fool would completely not update or patch Windows. If you hate Microsoft that much, I'd go Linux.

[CrayonEater]

Which problems would those be? Validating your clients systems as genuinely licensed? That is all WGA does.

WGA is known for false positives (some accounts up to 20%), which means, if it a prerequisite to updating, that those users don't get the updates, and can can think they're protected when they're not = good way to get owned. This is particularly true if your line of work, like mine, entails doing risky stuff.

[ROF]

False Positives are taken care of before you can finish a cup of coffee. I say that from my own experience with a false positive. Took Microsoft 15-20 minutes from the time I dialed them to correct it for me. You're gonna have to do better than that to claim WGA does any harm.

[KBeee]

If you analyse the 30 attempts to access your computer, you'll find they are probably all p2p programs looking for p2p connections. The trouble with much firewall software is that it'll give you a bare message like "xxx tried to access your computer", or "xxx tried to access port...", without giving you a hint why.
Which can be scary to the uninitiated.

Except I was not running P2P software at the time. These were users actively scanning for open ports. I can read a firewall log and deduce when it's a valid attempt and when it's an intruder.

:P

What has you not running p2p software got to do with other peoples p2p software scanning for p2p ports? It just means that in your case the software didn't find any.
I gave up analysing "attacks" after 99% of them turned out to be coming from Kazaa on other peoples machines.
Of course, things have changed a little now. If you instal Windows XP without SP2 it will probably get pwned before the online registration has happened.

[lordsmurf]

False Positives are taken care of before you can finish a cup of coffee. I say that from my own experience with a false positive. Took Microsoft 15-20 minutes from the time I dialed them to correct it for me. You're gonna have to do better than that to claim WGA does any harm.

That's just not so. As I said earlier, MS usually plays the same old "ask your vendor" games. In my case, I no longer have my OEM warranty and I am no longer a student, so neither of my "vendors" will talk to me unless I give them gobs of money for renewal or re-enroll, or re-buy Windows directly from MS. As I said before, they can all basically go to hell.

Plus I don't drink coffee. Bad for your system.

[gll99]

I'm not a fan of wga but I regularly get my updates from MS. I agree that updates should be kept up even if it means getting them elsewhere.
Although you may not use some features like say wmp or ie, the substitute programs you use are likely based on the wmp sdk or use the same access protocols as ie so you could be exposed to the same dangers. As I said before, these updates could also affect the way some other programs and drivers will work with windows so it's important for smooth operation to keep things as up to date as possible.
I know ms has sometimes caused more problems than they solved with their updates but they usually have repaired their errors fairly quickly. I hate being a beta tester for them but it is a complex OS.
The fault may lie in that they have tried to build too much within the OS to stifle competition.

None of this will necessarily protect your system from hackers so I also agree with those who have said that you need to regularly use the variety of tools and equipment mentionned in this thread.

[RLT69]

What has you not running p2p software got to do with other peoples p2p software scanning for p2p ports? It just means that in your case the software didn't find any.

That makes no sense and defeates the purpose of P2P. If I'm part of a P2P network and sharing a file there's no need to randomly scan for ports, I already have a port open. If I'm not part of a network and the P2P looks for a port, it might find a port open but it won't find any files to share.

Now I understand that other P2P networks share traffic so a bittorrent network might have cross traffic with gnutella and then I might see some activity, If I'm on-line.

If your off-line and see random scans, chances are it's a script kiddie with a port scanner looking for something.

[RLT69]

Plus I don't drink coffee. Bad for your system.

I hear vegetable oil makes a good coolant for your PC :P

[ROF]

False Positives are taken care of before you can finish a cup of coffee. I say that from my own experience with a false positive. Took Microsoft 15-20 minutes from the time I dialed them to correct it for me. You're gonna have to do better than that to claim WGA does any harm.

That's just not so. As I said earlier, MS usually plays the same old "ask your vendor" games. In my case, I no longer have my OEM warranty and I am no longer a student, so neither of my "vendors" will talk to me unless I give them gobs of money for renewal or re-enroll, or re-buy Windows directly from MS. As I said before, they can all basically go to hell.

In which case Microsoft should not authorize your unlicensed copy of windows. It is up to you to prove you have a license. Try telling the cop who pulls you over for speeding you no longer have your operators license, it expired, or you lost it. Chances are the cop will give a ticket for not having a license or in the case of expired a non-valid license.

Microsoft should do the same thing. That is what WGA is designed to do.

[lordsmurf]

It is up to you to prove you have a license. Try telling the cop who pulls you over for speeding you no longer have your operators license, it expired, or you lost it. Chances are the cop will give a ticket for not having a license or in the case of expired a non-valid license.

Your analogy is screwed up. My Windows license is neither expired nor lost. It's more along the lines of I show my license to the officer and he closes his eyes and says "I can't see it".

[ROF]

It is up to you to prove you have a license. Try telling the cop who pulls you over for speeding you no longer have your operators license, it expired, or you lost it. Chances are the cop will give a ticket for not having a license or in the case of expired a non-valid license.

Your analogy is screwed up. My Windows license is neither expired nor lost. It's more along the lines of I show my license to the officer and he closes his eyes and says "I can't see it".

That's just not so. As I said earlier, MS usually plays the same old "ask your vendor" games. In my case, I no longer have my OEM warranty and I am no longer a student, so neither of my "vendors" will talk to me unless I give them gobs of money for renewal or re-enroll, or re-buy Windows directly from MS. As I said before, they can all basically go to hell.

Sounds expired and or lost to me and Microsoft and your vendors seem to agree with what I've said here. Unless you are not posting something that would make your student license valid again such as enrollment, renewal of your license, or re-purchased windows. It is casual license breakers as well as piracy that is the target of Windows Genuine Advantage. You are what is considered the casual license breaker. Your license is no longer valid and therefore you are not entitled to use the product but because you are does might your license is valid it means you haven't been caught until Microsoft installed WGA and informed you of your license violation.

Remember you purchase or granted a license to use the Operating System. You do not own it. You just own the license to use it. Software Licensing agreements have been like this since I purchased my first TRS-80 with RS-DOS.

[lordsmurf]

I fail to see how the OEM or university refusing to talk with me equates to them agreeing with MS. Your logic is backwards and take great leaps in many places.

John likes blue. John likes bananas. Bananas must be blue.

[lordsmurf]

By the way, ROF, here is my license/EULA from the university:

Terms and Conditions of this Agreement
The Software is made available to you because the University has purchased license coverage through a Microsoft Campus Agreement Subscription. The University is extending to you the right to use the Software on a personally owned computer for University-related business. You do not own the license or the Media; rather, you are leasing the license and Media from the University for the term of the agreement. You are required to remove the Software from your personal machine immediately upon the earlier of (a) any event, with the exception of graduation, which causes you no longer to be affiliated with the institution or (b) expiration and non-renewal of the Campus Agreement Subscription term. Students who graduate during the agreement term receive a perpetual license (meaning you own the Software) as verified in the Student License Confirmation, which may be obtained from the University when you graduate. The signed Student License Confirmation is proof of Software ownership. The entire listing of terms and conditions for this agreement can be found at ....

I graduated during the required timeframe. I own the software. It's mine. Legally.

The problem all comes back to the fact that WGA doesn't work correctly a measurable % of the time, and while some folks (supposedly) can handle it on the phone in minutes, some get bounced back and referred to third party companies. And in some cases, those third party companies no longer have a relationship with the customer (warranty ended, student graduated, etc), so you end up screwed over by all involved. So, again, they can all basically go to hell.

[Dv8ted2]

Remember you purchase or granted a license to use the Operating System. You do not own it. You just own the license to use it.

This logic sounds foolish when you really think about it.

If I buy a set of tires for my car, that does not give Goodyear the right to come back and say that my tires are not valid and I do not own the tires. I bought the tires with my hard earned money. The tires are on my car. I own the car, so I also own the tires. This also does not give Goodyear the right to come take the tires off my car.

If I buy a book from that store, that book is mine. I own the book.

This whole ownership dispute is nonsense and the industry knows it.

[ROF]

Students who graduate during the agreement term receive a perpetual license (meaning you own the Software) as verified in the Student License Confirmation, which may be obtained from the University when you graduate. The signed Student License Confirmation is proof of Software ownership. The entire listing of terms and conditions for this agreement can be found at ....

Do you have this? From your previous post it sounds like you lost this or as most students do when they graduate, you left without getting this. In either case, you do not own the software anymore and your license is invalid because you do not have proof of ownership.

[ROF]

Remember you purchase or granted a license to use the Operating System. You do not own it. You just own the license to use it.

This logic sounds foolish when you really think about it.

If I buy a set of tires for my car, that does not give Goodyear the right to come back and say that my tires are not valid and I do not own the tires. I bought the tires with my hard earned money. The tires are on my car. I own the car, so I also own the tires. This also does not give Goodyear the right to come take the tires off my car.

If I buy a book from that store, that book is mine. I own the book.

This whole ownership dispute is nonsense and the industry knows it.

Correct. You bought your tires and your bought your books. You did not buy the license to use them. You bought the ownership right to use them. Software licensing and A/V media purchasing is quite different. Read the EULA or view the ownership labeling and warning as displayed on such software and media to learn more about why the foolishly logical you quoted from above is 100% true.

[INFRATOM]

computers can never be secure in the absolute sense there is always a back door the way windows is designed. The only way to be sure is Not to have internet connection. In these days most programs have check for updates and it checks your profile and what you do for marketing purposes and from your IP address know who you are. All softwares are going towards check update meaning get your profile and usage and their goal is to turn the licensing into time period like per year so you keep paying actually renting your software. It looks like MS is making everything dependent on update so one better learn Linux or else if not happy. Open source intelligence I think is lack of windows security or at least part of it. There are some programs that load which does not show itself in any windows task or services so ....

[ricoman]

The hell with WGA. You can update any windows apps here: http://windizupdate.com/

[ROF]

The hell with WGA. You can update any windows apps here: http://windizupdate.com/

Well at least you do update your core Operating System and not falsely brag that just because you have third party software, security hardware, or shut down unused windows services that you are somehow supporting safe computing and that your computer is protected by avoiding updates.

[lordsmurf]

From your previous post it sounds like you lost this or as most students do when they graduate, you left without getting this. In either case, you do not own the software anymore and your license is invalid because you do not have proof of ownership.

And again you're wrong. (Yeah, what a shock, ROF wrong. )

The XP OEM license is on the shelf with some manuals (printers, motherboards, etc), and the student license is in the file cabinet. The issue here is MS does not give a shit. They say the license # is invalid, and they refer me to people whom I no longer have relationships with. The paper apparently does not mean anything to them.

You act like a Jack Valenti clone who now works at MS. Give it up.

I gave up on all this months ago. They can pretty much just go to hell, I don't need the updates anyway, computer is fine and protected in other ways.

[ROF]

Too bad your license isn't valid. The school should be the one your are mad at, not Microsoft. They are just following their licensing rules. It is your school or you that is at fault for this not Microsoft.

But I would still update your Core Operating System. If not for yourself but for those who you care to list info on your computer about. Nothing is 100% protected, but surely not updating your Operating System is not a very intelligent thing to do. All the firewalls and anti-virus, anti-spam, and anti-anti will not protect you when you visit a compromised website that gets beyond all these protections because you left your core Operating System open to remote control.

[CrayonEater]

Related to that, Microsoft would be opening themselves up to major liability if they suppress critical updates for any user, since that impacts everybody. Then again, Microsoft is so arrogant, nothing is a surprise.

All softwares are going towards check update meaning get your profile and usage and their goal is to turn the licensing into time period like per year so you keep paying actually renting your software. It looks like MS is making everything dependent

Exactly. That's the basis of the so-called "Trustworthy Computing". Because the eventual goal is to require authentication to run anything, there is no extra work in simply requiring that certificates need payment to be renewed. That's why folks had better avoid TCA-based operating systems (i.e. Microsoft VISTA) and software which requires VISTA or uses a similar model of it's own.

Related to this, that's also part of the reason why the trend in the last few years has been towards web-based applications. Software manufacturers would rather you pay a monthly or yarly fee than buy software once and use it as long as you want.