Forcing updates

By Jake Edge
February 11, 2009

A recent thread on the desktop-architects mailing list touched on a subject that tends to generate strong feelings: automatic, silent updates for security issues. At first blush, it is an attractive idea that might help slow down or stop a fast-moving virus or other malware. It also would help protect users who might otherwise ignore or delay updating their system. On the other hand, there are lots of concerns about whose decision it is to have a "mandatory" update, what else might be contained in such an update, as well as how to ensure that the update doesn't break the user's machine.

Dan Kegel kicks off the discussion by asking:

Given how much malware is out there, shouldn't security fixes for remotely exploitable flaws be installed a bit more forcefully? e.g. instead of an ignorable notification, how about an in-your-face dialog saying they're going to be installed now? Or in some cases even just silently installing them?

This goes not just for distros; any ISVs is on the hook for rapid security updates these days, I would think.

While there are attractions, one of the immediate downsides was noted by KDE hacker Aaron Seigo: "distro Q/A resources would have to _significantly_ increase for this to work reliably. too many updates still break too many systems on too regular a basis." The first time a silently applied "fix" breaks someone's system, there will be a serious outcry. Microsoft and others have broken people's systems before with security updates, but that doesn't seem a good example to follow.

But, even with additional QA, there are plenty of reasons that a user might not want to get an update. GNOME foundation member Dave Neary presents several scenarios:

I for one would be a little paranoid about not being able to control installs of updates. I can imagine all kinds of scenarios where it would be undesirable: a 20M security fix starts downloading when I'm connected via GPRS at a conference, or over a 56K phone line; a kernel update downloads & requires a reboot; an application I am using and Absolutely Positively Must Keep Using for a few minutes upgrades, and isn't runtime-compatible with the update [...]

A kernel reboot or even application restart are definitely problem areas. There are many reasons a user might need to continue using a buggy application or kernel, even if the bug exposes them to an exploit. Some users have enough information to make that kind of determination, but others most definitely do not. How does the distribution or software package determine that? Presumably there will have to be settings to govern the behavior, which then begs the question: what is the default setting?

An additional problem is that users are training themselves—or the desktops and distributions are training them—to ignore pop-ups of various sorts. So suggestions like the one made by Ritesh Raj Sarraf: "For updates with priority 'security', I think it should just pop-up more often" are met with skepticism. Kegel opines:

People ignore dialogs like that. IMHO if we're going to avoid botnet nightmares, we're going to need at least some silent security updates.

That provoked a rather boisterous response from Linus Torvalds. His argument is that you can't trust the developers of various projects to determine what fixes should be applied. He is concerned that projects might want to slip other things into a "security" release:

Yes, they may "technically" be the people with the most information, but they are also the ones furthest removed from actual users - by definition. And they are also the ones that are most emotionally (and often financially) tied to things like "newest version".

His point is that he, and by extension other sophisticated users, are never going to turn over their systems to the whims of outsiders. He is willing to let distributions or even some software packages make that kind of decision, but only if things are not done silently. "There are programs that I trust to do their auto-updates, and I'm perfectly happy having firefox check for extensions automatically, for example. But even in the case of firefox, I want to _know_ when it does so."

Any kind of automated, silent upgrade feature from either a particular package or a distribution would be an enormous target for those with a malicious intent. It would be a kind of dream exploit to be able to inject malware into millions of unsuspecting systems—silent and unnoticed. A break-in to a distribution server might lead to an incredible malware outbreak, though the same thing could be accomplished today; it would just take more time.

But, the problem remains that there are lots of systems that are not getting updated and are thus vulnerable to a wide variety of exploits. As part of its Collaboration Summit, the Linux Foundation would like to have a meeting to discuss the issue. It is certainly an area where more thought is needed.

Index entries for this article
Security	Software updates

to post comments

Forcing updates

Posted Feb 12, 2009 8:59 UTC (Thu) by pcampe (guest, #28223) [Link] (5 responses)

Why not forcing the user to change its password and root password often?

Maybe because it's Unix, made and developed with the fundamental assumption that users are not stupid?

Forcing updates

Posted Feb 12, 2009 11:35 UTC (Thu) by rahulsundaram (subscriber, #21946) [Link] (3 responses)

Non-technical users are not stupid and Unix was never targeted at desktop users anyway. With Linux distributions increasingly reaching a non-technical audience, it is good to relook some long held assumptions.

Forcing updates

Posted Feb 12, 2009 11:44 UTC (Thu) by pcampe (guest, #28223) [Link] (2 responses)

I couldn't care less of non-techical people that cannot be educated to understand what an upgrade is and how and when to accomplish it.

Fedora has SELinux enabled for default, which is the _right_ way to protect system from malware (assuming that such malware exists, I am not yet see it in the wild). Also Fedora has an icon tray and a pop up appears when a secuirity update is available, and the user _must_ _choose_ whether to perform it.

Forcing updates

Posted Feb 12, 2009 20:52 UTC (Thu) by southey (guest, #9466) [Link] (1 responses)

Which is why many people just disable SELinux when installing Fedora, disable soon after when it becomes too much effort to maintain, or just apply the recommended 'fix' to get those stupid messages away.

Forcing updates

Posted Feb 20, 2009 4:36 UTC (Fri) by Drone (guest, #56757) [Link]

Btw, Vista got backslashed due to excessive annoyance. Someone want to repeat this mistake with Linux? The more system annoys and fools the users, the less trust it will have. And how can I recommend or use system to which I do not trust? I will surely abandon such system. After all, it's my computer for me and I have to control it's behavior. Not I am for my computer so it can be allowed to dictate me what I have to do right now...

It could SUGGEST what I may want to do. Nothing more.

Forcing updates

Posted Feb 12, 2009 12:25 UTC (Thu) by flewellyn (subscriber, #5047) [Link]

Frequent password changes don't necessarily enhance security. In fact, they can be a detriment, because if you have to change your password often, it means you have to remember a new one, and this can lead to either using easier-to-remember passwords based on dictionary words (bad), or writing passwords down and taping them to your monitor (also bad).

Far better, I think, to insist on users having a good, solid, secure password that is not easy to predict, and then keeping it safe and in place for as long as it's secure. Or creating an environment in which fewer passwords are necessary, using things like cryptographic keys and such.

Forcing updates

Posted Feb 12, 2009 12:36 UTC (Thu) by tialaramex (subscriber, #21167) [Link]

You can't save people from themselves.

A modern Fedora includes a set-and-forget option for automatically applying security updates. You could default this to on, but I don't think it would actually make a big difference in practice.

There are a lot of things where customers/ users have unrealistic expectations and they're very stubborn. Driving a car is remarkably unsafe. When we improve the driving technology to make it safer, drivers compensate by going faster, leaving less room, paying less attention.

Giving people tools to protect themselves, making those tools easy to use, providing information about how to use them and why, those are all good strategies. Trying to make people safe against their will is just banging your head against a wall, give it up.

Forcing updates works

Posted Feb 12, 2009 14:55 UTC (Thu) by mattdm (subscriber, #18) [Link] (2 responses)

We've been doing this with BU Linux for about seven years. In that time (minus one exceptional situation, which wasn't that severe), the only Linux systems broken into were those a) running a different distribution or b) who had disabled the automatic updates. We had a couple of incidents where QA failures caused issues, but the number and severity of those occurrences pales compared to cases a) and b) (where system compromise appears to be almost inevitable).

Admittedly, this is with a installed base of 1200 systems or so rather than millions, but it's also in a very hostile security environment. I think it makes a good case study.

Forcing updates works

Posted Feb 14, 2009 4:35 UTC (Sat) by i3839 (guest, #31386) [Link]

It seems simple en safe enough if you replace the existing software with exactly the same version, but with that bug fixed. Most possible problems seem to come from the urge to update the software at the same time as fixing a security problem, which is oh so very tempting...

Forcing updates works

Posted Feb 20, 2009 4:45 UTC (Fri) by Drone (guest, #56757) [Link]

> I think it makes a good case study.
The only problem is that your case study does not accounts any potential losses which may occur if system update interrupts me and my job or whatever else. And if someone willing to obtain even more backslash than Vista and MS from users for harming their privacy and freedom of choice, annoyance, etc - that's right way to go.

From another side there is nothing wrong if updates are automatically installed by default so non-aware users are updated. But there should be override and choice anyway so I can regain my power to make decisions. Or it will be considered as atempt to FORCE me to do something against my wishes. This is unacceptable and called "slavery" btw. It's my computer for me. Not I am for my computer...

Forcing updates

Posted Feb 12, 2009 15:42 UTC (Thu) by mrshiny (guest, #4266) [Link]

If my distro forced security updates on me I'd have to switch or disable it. Fedora 8's kernel and dbus updates systematically broke my notebook as time progressed and I had to keep reverting updates.

Forcing updates

Posted Feb 12, 2009 17:08 UTC (Thu) by eli (guest, #11265) [Link] (6 responses)

It is MY computer. Yes, it is running your software, but that does not change the fact that it is MY computer.

"Silent, automatic updates"? "Forced updates?" Um, no. Never. At all. For any reason. Even security reasons. You have no right to make that decision on my behalf. Period.

End of discussion.

... um... I'll just step down from this soap box now...

Forcing updates

Posted Feb 12, 2009 18:39 UTC (Thu) by linuxjacques (subscriber, #45768) [Link] (1 responses)

Same here. No forced updates no way no-how.

Forcing updates

Posted Feb 20, 2009 4:53 UTC (Fri) by Drone (guest, #56757) [Link]

Absolutely. And you will have my backslash for attempts to take control over my computer. I do not see how silent actions which are against my wishes could be better for me than viruses itself. As for me, such behavior is a trojan horse on it's own. You can offer defaults updating most unaware users (if this does not interrupts their jobs and not annoys them or you will have awful backslash for a good reasons). But if you will really FORCE me to do something... I will be forced to send such system to /dev/null and seek for better replacement. And I will HATE you. Everyone hates tyrants and enslavers. I'm surely doing the same.

Forcing updates

Posted Feb 12, 2009 23:47 UTC (Thu) by xoddam (subscriber, #2322) [Link] (1 responses)

Forced updates *are* applicable in certain situations -- see mattdm's case above -- but only where the user who sits in front of the computer is obliged, or willing, to delegate system administration tasks to the OS supplier. In the Boston University situation, the OS supplier *is* the administrator and vice versa, so there's no ambiguity.

But if we're talking about a supplier like Red Hat or Mandriva effectively becoming the system administrator for 90% of their less-technical users, all bets are off. They don't have the resources to properly run millions of machines without charge or to respond to the cases where automatic updates inconvenience their non-paying users.

OTOH it's something they or similar businesses could take on, maybe profitably, given the right wording in the contract and the right price -- using mandatory automated updates merely to make it possible.

Technical Unix users will take on their own system administrator role whenever they feel like it, whether their network admins or their OS suppliers want them to or not. So you're *not* the subject of this discussion and won't suffer, one way or the other, as long as you choose to run free software :-)

Forcing updates

Posted Feb 20, 2009 5:04 UTC (Fri) by Drone (guest, #56757) [Link]

> Forced updates *are* applicable in certain situations
But only in CERTAIN scenarios. If you will attempt to break in and "administer" MY computer, I will consider this as attempt to remove MY FREEDOM, violate my privacy and so on. It's my computer and it have to obey to ME. So if you will try to do otherwise, I will put all my forces to enforce you (and anyone involved) to administer only your toilet until end of your days. That's a only fate any tyrant deserves (administrative tyrants are not exception). Do not mix your sucking enterprises with corporate half-slaves behind computers and free people who does not receives salary from you so they have zero tolerance to your attempts to invade into their private lives. Also I can recommend to half-slaves to stop being such ignorant morons so someone always allowed to takeover your power to make decisions. Power to make decisions on your own is a great thing. This is what really called as freedom, actually.

It's only matter of time...

Posted Feb 13, 2009 0:08 UTC (Fri) by khim (subscriber, #9252) [Link] (1 responses)

It is MY computer. Yes, it is running your software, but that does not change the fact that it is MY computer.

But it's connected to public network. I think the eventual resolution will be something like "treble damages apply if your system does not have auto-updates and is actually hurt someone"...

Or may be something like cars: you don't need automatic updates, but you need to check your system regularly and can be disconnected from netwerk if there are no "stamp of approval" for week or two.

Bascially the story is simple: as long as your computer is truly yours and does not connect to any other computer - you are free to use anything you want. When you are becoming part of public network - some rules should apply...

It's only matter of time...

Posted Feb 20, 2009 5:13 UTC (Fri) by Drone (guest, #56757) [Link]

> But it's connected to public network.
I can buy kitchen knife and then I can kill someone with it. Is this a valid reason to enforce people to stop using kitchen knives? Or maybe it is a valid reason to jail everyone "by default" and only sometimes release for short time? No?! Same goes here.

I am agree to receive certain punishment if I got actually infected as the result and some harm was done to others. Just like I am agree to get punished if I'm killed someone. That's necessary to enforce security.

But I will never agree to get jailed and forbidden to use even kitchen knives "for my own security" and without any other reasons - I will simply consider this as a slavery. I do not need security at price of my freedom since then I will be neither secure nor free. How can I feel secure if I can't even trust to my OS which does something against my wishes? And how can I feel myself free if my freedom of choice is taken away?

No change without real money on the table

Posted Feb 12, 2009 18:52 UTC (Thu) by jreiser (subscriber, #11027) [Link]

If you lose your own data or time as the result of malware that you introduced to your own machine, and there was a merchantable update (effective, efficient, available, reputable, ...) that would have prevented the loss, then it's your own fault. If malware running on your machine causes such a loss to somebody else, then the current situation is likely to persist until you are forced to pay money (tort damages, a government fine, ...) as a result. Probably this will lead to insurance and other legal changes, including shared responsibility if the victim's machine was not running such an update.

Ever heard of basic maintanence?

Posted Feb 12, 2009 19:57 UTC (Thu) by wilreichert (guest, #17680) [Link]

If I don't change the oil in my car it will stop running eventually. I am not an auto mechanic, but I understand my oil needs to be changed on a regular basis. I accept this responsibility as a car owner. I do not want an mechanic sneaking into my garage at night and changing my oil for me.

'cept I don't own a garage. Or a car. But you prolly get the point.

Updates by servants

Posted Feb 13, 2009 13:23 UTC (Fri) by ber (subscriber, #2142) [Link] (2 responses)

Personally I wish for a service that keeps my system up-to-date. For this I am willing to pay for this to happen in the background. Of course I want this to be configurable and have several vendors to chose from, but I am also offering money. This should include security updates in the background.

Note that for the reboot problem, one operating system I know has good solution: It will only install them automatically when the users powers down the system.

Updates by servants

Posted Feb 13, 2009 14:07 UTC (Fri) by dlang (guest, #313) [Link]

linux systems offer this today, for free.

for example,in ubuntu you can tell it to download and install updates automatically, if the update requires a reboot an icon will appear on the task bar telling you that updates have been installed that require a reboot.

but this is a configurable item. you can also tell it to download, but not install the updates, to just check if updates are available (and tell you if they are), or to leave it to you to do everything manually.

Updates by servants

Posted Feb 20, 2009 5:20 UTC (Fri) by Drone (guest, #56757) [Link]

> Personally I wish for a service that keeps my system up-to-date.
You can already configure Linux packages managers to do so. Even "3rd party" software which is installed from repositories is auto-updated and this is convenient.

But... I still want to retain power to make decision myself when I have to install update and when I'm not. Anything else is a tyranny and in spirit, everyone hates tyrants. Even administrative ones.

Whitehat botnets (ha ha only serious)

Posted Feb 15, 2009 10:06 UTC (Sun) by JesseW (subscriber, #41816) [Link] (8 responses)

I strongly suspect the only way anyone is ever going to resolve the zombie problem is by releasing botnets/worms themselves. (By "zombie problem" I mean the problem of non-technical users having their networked computers taken over and used without their knowledge or consent.)

Such "whitehat botnets" would simply harden/patch the systems they infected, devote a small portion of their host's resources to spreading the infection, and otherwise leave the user alone. The bots could even be programmed to attempt to avoid infecting computers that appeared to be already secured. Yes, this would be illegal, a blatant violation of the user's ownership of their machines, and a vigilante action, but, realistically, I don't see any other solution.

No, I'm not doing this, or volunteering to do it, or even suggesting someone else should do it. I'm just speculating publicly.

Whitehat botnets (ha ha only serious)

Posted Feb 15, 2009 10:36 UTC (Sun) by dlang (guest, #313) [Link] (1 responses)

one problem with this approach can be seen by looking at the example of spam blacklists.

they start off with the best of intentions of only blocking the bad guys, but over time every one of them has started blocking more, and taken a more and more draconian definition of what they would block, until they become more of a liability than an advantage.

luckily anto-spam blacklists are opt-in (for the recievers) and so can mostly be worked around as they go bad.

I would expect the same type of pattern to show up with the 'whitehat botnets', they start off 'just' installing security updates, then move to installing newer versions (it's too hard to backport the security fixes, so move them to a version that has them), then more updates (hey, after all, just about any bug can be a security issue), then to removing software (after all, isn't it insane to allow someone to run telnet or ftp?), etc. each step of the way would cause more grief (starting with interrupted programs as they are restarted and going from there)

I don't believe that such an approach would be a 'whitehat' botnet. dark grey at best

"darkgray hat" is a better term, I agree.

Posted Feb 15, 2009 20:12 UTC (Sun) by JesseW (subscriber, #41816) [Link]

The points you bring up, about the expansion of what the self-appointed "fixers-of-the-net" would rationalize themselves into doing, seem quite plausible, and certainly represent a downside to darkgray hat botnets. I'm still partially convinced that they would still represent a net advantage (no pun intended) to everyone **not** infected with them -- since even if they made the infected machines unusable by their owners, as long as they made the machines unusable by other botnets it would benefit the rest of the 'net by a decrease in spam, DDOS abilities, distributed password-cracking speed, etc. And I still don't see any other feasible way to prevent computers owned by non-technical users from being used for these sorts of purposes.

Whitehat botnets (ha ha only serious)

Posted Feb 15, 2009 17:49 UTC (Sun) by mmarsh (subscriber, #17029) [Link] (5 responses)

The problem with "whitehat" botnets is that you have all of the problems of vendor-pushed automatic updates plus a lack of quality assurance. An ostensibly protective worm has no idea what's running on a system, what's essential, and how much of a calculated risk went into the configuration. A patch could well break essential functionality, and clearly such a worm wouldn't be released by the distros themselves (who could potentially mitigate possible breakage, but see the bug reports for well-supported distros), for legal and practical purposes. Besides, distros have an easier avenue for distributing updates, by the suggested forced-update mechanism.

Whitehat botnets (ha ha only serious)

Posted Feb 15, 2009 20:17 UTC (Sun) by JesseW (subscriber, #41816) [Link] (4 responses)

Certainly such involuntary patching would be more likely to lead to breakage than QAed, thoughtfully applied patches -- but the sort of non-technical users whose computers currently get drafted into botnets don't voluntarily accept *any* patches. And a *nix-only solution wouldn't help until/unless World Domination happens -- for now, we need something that can force patches on Windows users. And I don't see any other alternative than a botnet/worm.

Whitehat botnets (ha ha only serious)

Posted Feb 16, 2009 20:51 UTC (Mon) by BackSeat (guest, #1886) [Link] (3 responses)

for now, we need something that can force patches on Windows users

Open Source is about freedom. Forcing updates to a subset of users, even those that use closed source software, is about as far from freedom as it's possible to get.

Whitehat botnets (ha ha only serious)

Posted Feb 16, 2009 21:22 UTC (Mon) by JesseW (subscriber, #41816) [Link] (2 responses)

Certainly, but keeping criminals and terrorists from taking over computers for their own nefarious ends is not about Open Source (although it may, or may not, involve the use of FOSS). So, the distance between freedom and forcing patches on Windows users isn't relevant.

In any case, after further thought, I've partially changed my mind. While I still think criminal botnets would be less successful if the "good guys" were willing to act without the permission of non-technical lusers, I think there is a better way.

That better way is two fold: first, massive marketing campaigns to convince non-technical users that they should pay someone (probably antivirus vendors, they're already best placed to do this) to "take care of their computers", for a small monthly fee. Second, an optional add-on to this service, whereby subscribers could permit their unused computer power to be rented, thereby covering their monthly fee, and maybe making them a little money. Also, enlisting ISPs to pro-actively test (i.e. try to break into) their customers computers and cut off those who have vulnerable computers. This would work better than the vigilante solution, because these folks would have a positive economic incentive to keep their customers computers under their control, rather than letting them be used by criminals. Your thoughts?

Whitehat botnets (ha ha only serious)

Posted Feb 16, 2009 23:50 UTC (Mon) by mmarsh (subscriber, #17029) [Link]

I think home-user-level security "maintenance" contracts are a good idea, and some ISPs provide something along these lines (I think -- I wasn't much interested in Verizon's security plan, since it's for Windows). Most people don't maintain their own cars; some do, but they're more technically knowledgeable. People also install alarm systems in their houses. I think there's definitely a way to market this to the general public. The only real hitch is how the liability is handled if a compromise does occur.

Whitehat botnets (ha ha only serious)

Posted Feb 20, 2009 5:31 UTC (Fri) by Drone (guest, #56757) [Link]

> Your thoughts?
When you're driving a car you're agree to obey some rules targeted to overall safety. And you must learn these rules, etc. Only then you're allowed to travel by car. And you will be held liable if you kill or harm someone due to your bad driving. Same should be with computers: before connecting to public network certain customer, ISPs have to ensure that this user really haves certain level of knowledge of rules similar to car driving rules. So, they have to avoid viruses and held liable if infected and inflicted damage to others.

However, there is no service-mans sneaking into my garage to fix my car. Even if it needs fixing in their opinition, it is up to me to go to service. Furthermore, such service-man will be shoot on sight by me for breaking into my private property, if anyone will risk to do so. I do not see why this should not apply to silent attempts to break-in into my computer. Even if this was intended to fix it. My PC is my private property. You are not allowed to enter without my permission.

Forcing updates

Posted Feb 20, 2009 4:33 UTC (Fri) by Drone (guest, #56757) [Link]

As for me, the day when my operating system will silently update itself will be the day when I will consider such system is a trojan horse itself and erase it from my HDD due to loss of trust to such system. Even Windows does not allows such level of annoyance and brute interference with my privacy, day to day jobs and tasks. Some tasks may me mission critical or whatever. You (as well as anyone else) do not have any rights to interrupt me with damn updates or whatever. It is up to me if I am going to undertake some risk in some scenario. To be short: if I want to shoot myself into my leg, you can try to tell me not to do so, etc. But let me to make a final decision, yeah? Since otherwise you will have to kidnap me to prevent this and since this point I am can't be considered a free citizen. I'm rather getting your non-free slave and you are dictating me what I have to do against my wills and wishes. And enforced security which you can't throw away is nothing more than just usual...jail! Do you expect people will be happy if they are jailed "for their own security"? Nope. They will really HATE you and you will lose trust for such trojan-horse-like actions. And backslash on Vista will be nothing compared to backslash of such trojan-like system and it's updates. And I personally will only recommend such system only to my worst enemies so they will be constantly bothered and f...ed up by their OS so I can laugh a bit. As for me, such trojan-horse like actions are against OpenSource software nature.

Let's remind: "best intentions often do not lead to best results". That's exactly about silent updates. Result will be simple - loss of trust to such system. Even worse than to Vista, iPhone kill switches or whatever.

Forcing updates

Posted Feb 23, 2009 16:22 UTC (Mon) by ortalo (guest, #4654) [Link]

"But, the problem remains that there are lots of systems that are not getting updated and are thus vulnerable to a wide variety of exploits."

Well, the first time I remember hearing this remark was in 2000 (at the RAID symposium) and made by the main CERT/CC coordinator (and founder IIRC - sorry I cannot find his name again).
Most proeminently, I remember him presenting figures such as "20% of the systems never get patched - at all" as a state of fact, not as a complaint.
IMHO, we should think about how to deal with this state of fact rather than try to force updates on systems. In fact, I've always been reluctant at trying to improve security patch flows and, the more I get involved with growing computer security responsibility, the more I would like to see totally alternative approaches to security be explored.

Of course, my favourite alternative is: not introduce security bugs at all in the first place, but I confess I may be satisfied by guaranteed limited impact of security failures too... (Oops, shouldn't have said that...)