Woody Leonhard's no-bull news, tips and help for Windows, Office and more…
  • Patch Lady – 31 days of paranoia – day 10

    Posted on October 10th, 2018 at 22:52 by Susan Bradley

    Patch Lady here – I wasn’t going to do a post on Patching with a paranoid theme in mind until later in the month, but several articles and the fact that this week is the 15-year anniversary of when we moved to a second Tuesday of the month routine prompted me to write this now.

    Today two more tech journalists have joined me, Woody and others in tilting at the windmill, better known as Microsoft.

    Ed Bott and Mary Jo Foley added to the choir of voices asking Microsoft to slow down and focus on quality, not quantity.  I remember a time years ago when patches came out at any time, any hour and I had to review if I was at risk of attack and consider installing updates during lunchtime and rebooting our office server to ensure that I was protected.  Now we are at a point in time that no prudent person alive would install updates on the day they come out.  Even worse, most prudent folks are waiting at least a week or longer.  That’s making me very paranoid that we are going to have a very bad security issue arise because we aren’t patching.

    Make no mistake, I still strongly believe that there are good people that work inside of Microsoft that care about consumers, that care about patch quality, that care about feature release quality.  But if I let my paranoia take over, and look at the focus on Azure, and know that once everything is packaged in a format that will run in a browser, then the desktop becomes irrelevant.

    In patching there is a point in time where the risk of installing the patch and the resulting side effects is less than the risk of the attack that the patch is protecting you from.  It’s that point in the middle where the scale tips away from patch pain to risk of attack that is the perfect point of installing updates.  Microsoft tries to be the system administrator for all home users and any small (or even medium) business that is looking to Microsoft update for their updates.  Right now I’m paranoid enough to say publicly that they are failing badly.

    I don’t even have to wrap my head with aluminum foil to know that the worst thing that can happen to a computer user is to reboot their computer after an update and have it not boot.  Yet that’s what happened to some in January of this year.  I don’t have to add to my paranoia of lack of backups to be concerned when users lose data during a process that should bring them excitement to their computing experience.  Once upon a time I knew people that camped out overnight at Best Buy to get the latest version of Windows.  Now we have people losing data when they get a feature release.  The fact that the number of people impacted was not a material amount was just luck.  The second of the two data loss bugs (the one they fixed in KB4464330) had the potential to hit a lot of Enterprises if they hadn’t found that bug.

    My biggest paranoia about patching today is that all of this paranoia about patching is no longer irrational paranoia over immaterial corner cases that the vast majority of people would never hit.  My biggest paranoia is that more and more people will stop updating because of the reality that we are seeing.

    I’m also paranoid that folks in the insider program will overstate the severity of their bugs to the point that adding a severity rating to every bug will make no difference and once again we will have bugs that hurt lost in the firehose of feedback and upvoting.

    Microsoft needs to take a severe action like moving feature release cadence to once a year to showcase that they too want to stop the paranoia over patching and make us feel comfortable again.

    I remember when we had horrible patch quality.  I remember when we had patches released without a solid release schedule.  I remember when patches were pulled back, had to be redone.  And I feel paranoid that we are back to where we started 15 years ago.


    This topic contains 18 replies, has 12 voices, and was last updated by  GoneToPlaid 5 days, 18 hours ago.

    • Author
      Posts
    • #223704 Reply

      Susan Bradley
      AskWoody MVP

      [See the full post at: Patch Lady – 31 days of paranoia – day 10]

      Susan Bradley Patch Lady

      8 users thanked author for this post.
    • #223706 Reply

      mcbsys
      AskWoody Lounger

      Speaking of severe action, how about going back to employing a separate group of in-house software testers rather than relying exclusively on this release-and-see-what-blows-up approach?

      3 users thanked author for this post.
    • #223717 Reply

      kiwigenie
      AskWoody Lounger

      Patch pain got to me.  I used to patch monthly a couple of years ago.  Just got PCs patched at home a few days ago after 6 months on one and 1 year on a couple more.

      1 user thanked author for this post.
    • #223722 Reply

      GreatAndPowerfulTech
      AskWoody Lounger

      You are correct in that there are still good coders working at Microsoft. Too bad they’re not in charge. As long as the quarterly profits keep climbing, there is no reason for Redmond to change their sloppy ways. After all, by the time their big money Enterprise customers receive updates, millions of consumers have painfully found the bugs so MS could fix them. I remember attending a Microsoft sales seminar, over ten years ago, where one of the key messages was to sell by removing pain points that competitor’s products cause. At some point in the future Microsoft will likely see how their current AGILE system worked against them, from the bottom up, when consumer/educational Chromebook users move into management positions and move to eliminate Windows wherever possible. Those kids are growing up today.

      GreatAndPowerfulTech

      1 user thanked author for this post.
    • #223729 Reply

      SteveTree
      AskWoody Lounger

      In this regard, I face a dilemma. My son relies on a Windows laptop to run a Windows-only program that is central to his fledgling business. Do I give him the tools to block updates and tell him to monitor askwoody for advice when to update, knowing he is busy and likely to forget? Do I maintain my silence for the sake of his system’s security?

      Group A (but Telemetry disabled Tasks and Registry)
      Win 7 64 Pro desktop
      Win 10 32 Home portable

    • #223730 Reply

      woody
      Da Boss

      Aaaaaaaaaamen. Add Paul Thurrott to the list of voices crying in the wilderness – the Windows Weekly show that he and Mary Jo taped yesterday comes out strongly for a stroke of sanity.

      The world’s coming around. Will Microsoft?

      2 users thanked author for this post.
    • #223753 Reply

      Noel Carboni
      AskWoody MVP

      Why is there a complete disconnect between stock price vs. product quality and the way the company is being run?

      Money doesn’t grow on trees. Obfuscation does not a success make.

      -Noel

      1 user thanked author for this post.
    • #223763 Reply

      WildBill
      AskWoody Lounger

      From Patch Lady’s post on the Home Page:

      My biggest paranoia about patching today is that all of this paranoia about patching is no longer irrational paranoia over immaterial corner cases that the vast majority of people would never hit. My biggest paranoia is that more and more people will stop updating because of the reality that we are seeing.

      As the saying goes, “Just because you’re paranoid, doesn’t mean they’re not out to get you.”

      Windows 8.1, 64-bit, Group A... switching to Group B in November!
      Wild Bill Rides Again...

    • #223725 Reply

      anonymous

      Well said, Susan. I feel exactly the way you do. In the past I have skipped updates as I dreaded more damage being done by Microsoft than the risk they were supposedly trying to protect us from.

    • #223801 Reply

      anonymous

      YES! This is a post I needed to see today. I admit that I have been even more aggressive in my stance not to update Windows because of the huge mess that is in the Windows patching world. I am honestly far more scared of Microsoft’s own patches than I am of malware exploiting a vulnerability in my system. This is NOT good.

      Yet it’s not just me, because I happily update other software openly and freely, like Chrome and Firefox. So if Microsoft could just make trustworthy patches that I knew would not botch my system and that I could rely on my computer working normally tomorrow, then I’d happily patch.

    • #223828 Reply

      Elrod
      AskWoody Lounger

      Very well said.

      From Patch Lady’s post on the Home Page:

      My biggest paranoia is that more and more people will stop updating because of the reality that we are seeing.

      I no longer use Windows at home, personally.  My workplace is covered under Enterprise, so they patch when they decide it’s safe. But my wife’s computers still use Windows 10.  I have used Windows for some time, and I am technical enough to know what the Windows message loop is.

      I was all set to patch last weekend when I saw the dire warnings/MSDEFCON 1 setting here on askwoody.com.  So I didn’t patch.  It’s now getting to the point that, between the horrible quality of the patches and the other demands on my time, I might get our Win10 computers patched maybe once every 2-3 months.  Thing is, I can’t just sit down and apply patches.  The patching procedure is such a chore now (because I have to protect our machines against garbage like last weekend’s fiasco) that there are some months when I just decide that I have more important things to do.

      And I’m technical, and know the risks of not applying security updates.  Eventually, I would imagine that we’ll just find a non-Microsoft solution and put an end to the madness.

      Group "L": Linux Mint

      2 users thanked author for this post.
      • #223848 Reply

        Noel Carboni
        AskWoody MVP

        Thing is, I can’t just sit down and apply patches.

        I have more important things to do.

        Says it all, really.

        And I’m technical, and know the risks of not applying security updates. Eventually, I would imagine that we’ll just find a non-Microsoft solution and put an end to the madness.

        Says it all with exclamation points.

        Microsoft is either not listening or this outcome is their goal too.

        -Noel

        1 user thanked author for this post.
    • #223837 Reply

      georgesmiley
      AskWoody Lounger

      While your postings on computer security paranoia and the on-going debacle with regards to the Windows patching are welcome, the link to the Ed Bott article is incorrect.  The URL provided [1] is the same one as given for the Mary Jo Foley [2] article.  The correct URL should be to his ‘Two Windows 10 feature updates a year is too many’ [3] article. Just wanted to clear that up.

      Regardless, your work is much appreciated.

      Regards,
      George

      [1] https://www.zdnet.com/article/microsoft-needs-to-refocus-on-windows-10-fundamentals-not-just-new-features/
      [2] https://www.zdnet.com/article/microsoft-needs-to-refocus-on-windows-10-fundamentals-not-just-new-features/
      [3] https://www.zdnet.com/article/opinion-two-windows-10-feature-updates-a-year-is-too-many/

      1 user thanked author for this post.
      • #223867 Reply

        Susan Bradley
        AskWoody MVP

        Apologies, fixed the links!!

        Susan Bradley Patch Lady

        1 user thanked author for this post.
    • #223846 Reply

      anonymous

      How do we know it’s not a “material” amount that was affected by the Documents bug? That group includes both ‘some’ OneDrive users and ‘some’ people with multiple drives who offload Documents to those drives, such as myself. I wasn’t affected since I lurk here. But I heard screams of anguish from folks I indirectly know who run Home and aren’t geeks, who will never post to Microsoft forums, who can’t effect their own repair and who can’t afford expensive service depots and are distrustful of them anyway. They will simply disappear into the ether and suck up the loss of all their precious files. I expect there are a lot of these users but we’ll never know.

      2 users thanked author for this post.
    • #223883 Reply

      anonymous

      Susan, your last paragraph hit the nail squarely on the head. We are back to where we were fifteen years ago. This feels more and more like Windows ME every day.

    • #223944 Reply

      anonymous

      Increasingly, we are finding downtime to be a serious issue, even (or more so) in SMB environments (without clustered/HA setups). It’s hard to find maintenance time when patches are coming out 3-4 times a day and they mostly require reboots. Running the VMs on Hyper-V absolutely does not help here, since you need to reboot the hypervisor as well, so – everything goes down then.

      MS should seriously focus on fixing their servicing stack to get rid of the forced reboots – years and years behind Linux/*nix OS here.

      • #223948 Reply

        anonymous

        I meant a day a month obviously (not that bad yet)


    • #224349 Reply

      GoneToPlaid
      AskWoody Lounger

      You are correct in that there are still good coders working at Microsoft. Too bad they’re not in charge. As long as the quarterly profits keep climbing, there is no reason for Redmond to change their sloppy ways. After all, by the time their big money Enterprise customers receive updates, millions of consumers have painfully found the bugs so MS could fix them. I remember attending a Microsoft sales seminar, over ten years ago, where one of the key messages was to sell by removing pain points that competitor’s products cause. At some point in the future Microsoft will likely see how their current AGILE system worked against them, from the bottom up, when consumer/educational Chromebook users move into management positions and move to eliminate Windows wherever possible. Those kids are growing up today.

      I disagree with your assertion that Redmond does not need to change their sloppy ways. Microsoft needs to change their sloppy ways, not just in terms of Windows Updates, but in terms of how hackers use fuzzing to find new holes in said Windows Updates since all updates are now left to the individual programmers. Individual programmers are notorious for repeating the same kinds of coding mistakes. In my opinion, Nadella’s firing of the Windows Update Quality Control Team will turn out to be the single greatest mistake for Nadella’s tenure as CEO at Microsoft.
