August 22nd, 2004, 10:02 PM
I actually make my own CDs from the DL site as many shops do. Then we slipstream them into the images made for that day. We use the CD images until more patches come along then repeat the process.
Anyway, my two cents...
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
August 22nd, 2004, 10:58 PM
The problem with getting retailers to sell you patched computers that are guaranteed for x amount of days (and I know this from working in retail) is that computer retailers do not build the computers and install the software on them themselves. When we get the boxes at my work, they come sealed; if we touched them, customers would complain.
As well as the above problem, the computers sit in the store for a period that can range from hours to months before we sell them, depending on make, time of year, etc. so any hope of having them up to date for the users is quashed.
We couldn't take the computers out of the box and patch them even if users were willing to pay for it because of the fact that head office would never allow us to do this for insurance reasons. If we changed the computer in any way a user could quite possibly come back with an unrelated issue and demand their money back or worse.
As for us giving the users cds? Not likely for the above insurance reason, and also for the fact that these cds would not be made in individual stores, they would have to be made centrally and shipped out (head office wouldn't trust us "sales advisors"). That's a lot of cds, and when you take into account the frequency of new patches, it's even more.
To negate the cost of these cds, we could make ppl pay for them. Many people would pay for these cds either because they understood why they needed them or because the saleperson serving them is good, others would not because they don't understand the necessity of patches and don't understand why they don't come with the rest of the pc. And to be honest, that's a good question. You'd expect a necessary software update to be supplied by the manufacturer, but can you really see that happening? They're not going to send out new cds to us every time there's a new patch for something. Because of that reason, there's no way we could say to any customers that if they install the patches on a certain cd, they'll be certain for x amount of days.
I'm sure there is a way to do it, but it's unlikely that the manufacturer would be willing to do it. That leaves the retailer. As far as I can see, it would either be impossible for retailers to do (at least large retailers) or there is no way that the companies would do it because to be honest, as someone else pointed out, companies are there to make sales. I doubt most big ones would be willing to patch computers that they sell in order to gain a few more.
August 22nd, 2004, 11:57 PM
17 minutes avarage huh... I forgot to put some boxes I was installing behind a firewall of some sort... I hooked them up to the internet so I could quicly get past the activation stuff etc. all off them where infected even before I could run the installer app of a firewall (or any other app for that mather) and the worst thing was, they weren't infected with only one virus, but with like 20 different ones... I could aswell start over again because cleaning with an av took longer then reinstalling
August 23rd, 2004, 04:51 AM
<quote>What I would like to see happen is when any user connects to the internet for the very first time on a new computer internet explorer should automatically go to the windows update site and begin downloading any updates that have been released instead of going to the msn home page.</quote>
Correct me if i'm wrong, but i believe that one or two Linux distros (Mandrake or SuSe) does this already: during the install process, there is an option to update the system. But this still doesn't solve the "update before connecting to the internet" issue...maybe the system could be running in a sandbox at this time, with a firewall in place that blocks everything but the update program, until the update is complete?
One more reason for billy boy to adopt an open-source attitude... ;-)
August 23rd, 2004, 08:44 AM
Personally, I keep a rewritable CD handy and slipstream all patches that come along. Then, anything that can't be slipstreamed (some IE updates), I install BEFORE I go online. A good rule of thumb is to download all patches via the Windows Update Catalog rather than Windows Update itself. That way, you have the patch execurable with you when you reinstall.
August 23rd, 2004, 11:43 AM
Bear in mind that the 17 minutes is the average time *between* worm attacks. This means, that on average, you're going to get infected after 8.5 minutes, also, if you're really unlucky you should be infected as soon as you hit the net.
August 23rd, 2004, 11:52 AM
Wait, so does this mean I need to report that I've been running on my new XP pro installation, unpatched, for the past week (and yes on the net) and still remain uninfected, unbothered, and unmolested?
Come on now, generalizations are generalizations. Some get hit, some don't. Surley there is more to this than "the sky is falling!"?
I'm sorry, correct me if I'm wrong on this... but if I tell apt-get to update my entire system it still has to connect to the net for package checking, hash checking, and update downloads. How in the hell is it going to make a difference if the update protocol is open source or not? Both still have to connect to the net for downloads. And if you wanted to argue "Because then we could patch it and not have to worry about it", then you are still missing the primary factor of the OS still being insecure, and normal people who don't have time to manually patch files to still go online to get the updates.
One more reason for billy boy to adopt an open-source attitude
You want it in a sandbox? Forget it, that won't solve a single thing because the system itself still has to download the files to a temporary location, extract them to a temporary location, and then finally install them. You want the system behind a firewall, then turn on the ICF built into windows. It does the job well enough until a 3rd party firewall can be downloaded. An Opensource solution would do zilch in this situation.
There is only one thing that I hate as much as OS zealotry, it's open/closed source zealotry.
August 23rd, 2004, 12:52 PM
Do you believe it possible that some sort of 802.1x implementation could happen at this level?! The user buys new box, gets connected, ISP scans machine, detects missing patches,ala GFI Languard, downloads and installs them?! Or would this raise privacy issues in USA? Take vanilla box no user info etc etc, i know that ISP could slip own "malware/spyware" on machine..... here in South Africa, smaller providers, especially the ones with dsl, yes it has finally come to south africa, and is finally faster than the isdn......... back to the point ......... offer users the facility to scan them and patch them if needed. WIN2K and XP Pro only. also, there is also an rfc which the government here is starting to look at and "enforce". the rfc jist is that no traffic may traverse an isp if it is spoofed i think ......
other option is sell the computer with a cd of the patches. if users do not install patches, then they should be held accountable...... if not the peeps who manufacture these oses and software ....
here i go online, bank site says optimised for internet explorer or best viewed with ie 6 yada yada yada...... the problem is time ...... if said user now goes online and gets cracked due directly through the use of ie .... then we gonna have probs..... who has time out of work etc to research everything all the time, analysis paralysis + information overload ....... people want things too easy.... this problem will not go away, until you address the real issue, and that is WHY DOES IT TAKE ONLY 20 MINS?.......... and i must admit, there are Microsoft Evangelists, Preachers ..... in that case, I am Its Profit (pun prophet)............ hahahahahahahahahahahahaha......................
HO$H Pagamisa. Pro Amour Ludi....
August 23rd, 2004, 12:57 PM
It really does boil down to luck and ISPs. I seem to have the fortune of being on an ISP that cares enough to block most malicious activity that exists in the wild [well, as much as they can, naturally]. So a box could resist for quite a while, I think enough time anyway to update most of the stuff. Plus MS has/had a give-away of update CDs that included SP1 and all other updates up to March I think [that's when I ordered it - for free; not sure whether it was a promotion from my ISP and MS or just MS]. So that saves you up on the trouble of getting on the net DLing updates on a 'virgin' OS.
There are ways, there may be hard sometimes but not impossible.
August 23rd, 2004, 01:08 PM
Unrelated, but someone brought up linux in the discussion and brought out the 'learning curve'....this is another example of MS's crap, imo....they put something out for mass marketing, then there are problems....SP2 is supposed to address the problems, but the time to infection is much quicker than the service pack can be downloaded....not like any infection couldn't be dealt with, but it still shows the MS way of doing things....maybe it'll be good for people who already have the original, erm, 'service pack' installed...but back to the linux statement....there is no learning curve if you are introducing a user to computers through linux from the start....put them in front of Kmail, or put them in front of Outlook, they just want to know what to clicky clicky on..."how do I make it go?"
Every now and then, one of you won't annoy me.