SN #790, Misc., Why People Don't Update, Upgrade, and Patch

  • Be sure to checkout “Tips & Tricks”
    Dear Guest Visitor → Once you register and log-in please checkout the “Tips & Tricks” page for some very handy tips!

    /Steve.
  • BootAble – FreeDOS boot testing freeware

    To obtain direct, low-level access to a system's mass storage drives, SpinRite runs under a GRC-customized version of FreeDOS which has been modified to add compatibility with all file systems. In order to run SpinRite it must first be possible to boot FreeDOS.

    GRC's “BootAble” freeware allows anyone to easily create BIOS-bootable media in order to workout and confirm the details of getting a machine to boot FreeDOS through a BIOS. Once the means of doing that has been determined, the media created by SpinRite can be booted and run in the same way.

    The participants here, who have taken the time to share their knowledge and experience, their successes and some frustrations with booting their computers into FreeDOS, have created a valuable knowledgebase which will benefit everyone who follows.

    You may click on the image to the right to obtain your own copy of BootAble. Then use the knowledge and experience documented here to boot your computer(s) into FreeDOS. And please do not hesitate to ask questions – nowhere else can better answers be found.

    (You may permanently close this reminder with the 'X' in the upper right.)

rfrazier

Well-known member
Sep 30, 2020
549
187
@Steve @leolaporte As is usually the case, I enjoyed SN #790, and it sparked some thoughts I wanted to share.

In the podcast, and frequently, you all ask several important questions, or express disbelief at people for:

* Why don't they patch?
* Why don't they auto patch?
* Why don't they update?
* Why don't they upgrade?

My answer is, in the nicest possible terms, you're kidding, right? :cool:

People in this audience, including me, are more knowledgeable, thanks to you, about security than most any average person not in the industry. We're more receptive to upgrading, updating, patching, and auto patching than almost any average person.

BUT, we're not average people. Average people have completely overly insanely full lives with work, kids, pets, school, zoom meetings, sports (for some), social activities (for some), home car and finance maintenance, etc. etc. taking up enough of their time to keep two people busy for each one person. Those people want to USE their PC to DO things, like posting forum posts, researching things, playing games, creating work products, having zoom meetings, etc. They DON'T want to use their PC and their time and emotional energy maintaining the PC. They also don't want to spend money that they don't have to. Not only that, most people don't even KNOW about the issues we discuss.

Why don't they patch? Because they don't know about it. Because they don't have time to mess with it.

I'm the same way to a slightly lesser extent. I'm typing this on a 5-10 year old Windows 7 PC. Why? Because it WORKS (most of the time). I, even I, an avid SN fan, do not wish to spend time patching 2-4 things per week on 2 PC's and 2 tablets. When you mentioned the Chrome problem, I thought, OH crud, I get to waste 2 hours of my time patching 4 different installations and checking all the settings, since they change and add things.

Why don't they auto patch? Why don't they update? Why don't they upgrade?

Because auto patches, updates, and upgrades OFTEN BREAK things or change things. You guys have talked about that a number of times. There are some threads floating around on the forum about it. Also, because updates and upgrades not only sometimes cost money, they OFTEN CHANGE things or REMOVE features. People HATE that. Very recently, my wife was complaining because some office upgrade changed a bunch of features and altered settings she had. She (we) had to go through a whole learning curve wasting time getting her to be able to work the way she was doing before.

Psychology, incentives, and motives. Simple. Patches, auto patches, updates, and upgrades PREVENT people from using their gear to do whatever they bought it to do. They cause hassle, grief, pain. They cost time and money and emotion. They cause all new learning curves.

People simply don't have the time, emotion, money budgets for this. Thus, they ignore it. There has to be a better way!

PS, I don't think IP locking a Wordpress login is a good idea. If you're on a VPN, as I am, your IP is always changing. Even if you're on a cable modem, it does. There's a good chance you'll get locked out of your own site.

The way to secure WordPress login, other than not using WordPress, is to get s SOLID and continually developed security product like WordFence. Then turn on login rate limiting and Google Authenticator time based 2FA or Yubikey 2FA. Use LastPass to generate a 32 or more character random password. It's highly unlikely that anyone will get in through the front door to your site. You could also country limit the login.

People may wish to see my threads on WordPress and Chrome security.



Hope this helps.

Ron
 
Last edited:
My team handles software operations to a datacenter hosting more than 100 applications. Keeping things up to date is not easy! Especially with the new Kubernetes/Containers trend. New versions of each component keep popping up every month, or every week!

One thing, for sure. It you are not automating, you are doomed.
 
One thing, for sure. It you are not automating, you are doomed.
No doubt about that. You also need to know where your vulnerabilities are and prioritize them according to risk (not just severity). When I was CISO for my company's program working for a large U.S. County, we used Nessus for vulnerability scanning. We would scan before patching, determine the risk of each vulnerability, schedule patching and rerun Nessus after patching to make sure nothing was missed.
 
All my Win10 systems use Pro and I have auto updates disabled via Group Policy and set to manual. I decide when I want to update, and I usually am 4-8 weeks behind security update releases unless some horrific 0day is involved. Let everyone else play beta tester.

All my systems are configured as non-admin main users, with a passworded admin account used only for makntenance, so when UAC is triggered, I can't just accidently hit OK. I do this for most of my small business clients as well. Usually only the office manager has the admin password to prevent employees from installing something nasty.

I also perpetually defer 'feature updates' (new Windows builds) until my current build is no longer supported, also via Group Policy. If it works, don't fix it. My main workstation was running 1803 until just a few months ago. After imaging it first, I upgraded to 1909 as that's the most recent version I trust. Microsoft supports builds with security updates for at least 18 months (longer, in my experience) for the benefit of enterprise users.

In regards to why some people are still running Win7, I have four Win7 Media Center PCs connected to HDTVs with cable card tuners. I use them as DVRs and for accessing my library of videos, music and photos. You can take my Media Centers from my cold dead hands. They're locked down and not used for web browsing. Since MS stopped supporting the channel guide for them, I use an open source channel guide server replacement called EPG123 and pay a subscription for the guide service. Works far better than the original guide. Once these MCEs were originally setup years ago, I have never allowed them to update. MS has had a habit of breaking Media Center with updates.

My bench/Spinrite PC still runs Win7. No Internet connection at all. I have it loaded with all the tools I need for data recovery.
 
Last edited:
On my personal devices, I run macOS-based systems, that I keep up-to-date almost daily, simply because I'm bored when I don't do anything, so I run update_macOS (personal scriptlet) in a Terminal window.

On the devices I manage, I'll be generic, I use Microsoft Endpoint tools to manage system and software updates, and apply the updates per the organization's policies. Typically, that's at most 30 days for critical updates, and 60 days for everything else. For Windows upgrades (currently, Windows 10 2004 to Windows 10 20H2), we deploy them in waves, starting by ICT personnel first and then to everyone else, with a tape delay of 30 days between each wave.
 
Well, I guess that's what .tar files are, after all... Tape ARchives. Somehow, though, I suspect you meant something else by tape.
 
Perhaps an industry "Norm" is we find a way to create a culture where a "SECURITY PATCH" is exactly that a SECURITY PATCH, and an "UPDATE/UPGRADE (thought the later is a very loose term these days, many of use have had the upgrade that takes a feature away, and in some case try and sell it to use gain in the future as NEW..lol)" is an Update/Upgrade.

I'm thinking if we start to make these two VERY distinct classes of updates, then perhaps we can start to tackle the problem of finding a smooth path to automating (always with the option for system managers to choose manual override, its a reality some of us need to test before applying any updates). Only too often these days does a vendor push out an update that changes and breaks things under the guise of "must have for latest security patches" when in actual fact these two classes should be distinctly separate.
 
  • Like
Reactions: rfrazier
create a culture where a "SECURITY PATCH" is exactly that a SECURITY PATCH, and an "UPDATE/UPGRADE
That sounds great in theory, but here's why that doesn't always work in practice:

Software is complex.

Oh, you wanted more details? Okay :)

Imagine you have a large enough piece of software that you have three teams. These teams report to various product managers and team leaders, and they are tasked with "getting shit done" that satisfies customer needs. Imagine they have a version 1.x product that is "stable" and nearing end of life, and a version 2.x product that is still receiving new features. They've already announced version 3.x will be coming soon, and it has some feature you can't wait to get, but the time scale is such that it's probably 6 months to a year off.

You just found what you believe to be a severe security vulnerability in your 2.x version (you're a version or two behind.) You report it properly, and you eventually get a confirmation from the team they can reproduce it, and they suggest you update to the most current 2.x version where the problem is believed fixed. You're unhappy because the new update has new features (and probably new bugs) you don't need. You ask for a patch for the version you're on, but they point to their support documentation which says patches will only be issued against the most current supported major version(s).

So what happened here. It probably turns out they don't know the exact cause of the problem right away, they're busy and when they found it was fixed in the current version, they decided to use that version as the "patch" to address the issue. Eventually they will isolate the specific bug, but it could probably be in code that changes frequently. It's possible the change could have come from any of three different teams, which could be, say, as many as 30 different people. Extracting just the necessary change is probably possible, but it could break some other feature, or have interactions as yet unknown.

Ideally, every version of the product is completely understood by every developer. In reality, people come and go from teams. Teams are made of humans, some are very skilled superstars, and some are just "putting in their time." The superstar you need to fix your problem doesn't enjoy doing bugfix. Everyone wants to be working on the hot new shizz. It is a very complex problem to isolate a serious bug, track all affected software versions, recreate the version with a possible fix, and test it. All of this takes time, and developers, and it is spending money that could have been spent of new features that will bring in more new customers (i.e. more new money.)

Eventually they find your problem was caused by a change way back in version 1.x. If they supported all possible versions, with all possible relevant feature matrices, it could easily go exponential. There could be 20 features in version 1, and 50 new features in version 2. If you could theoretically support building a version anywhere in that line of features, you might have at least 70 different versions, probably more. Compared to just patching the two versions that are currently supported, 70 is just impossible.

TL;DR Software development is complex, patching is even more complex, most products only support patching the latest version even if that included features you don't want because that manages the cost of the complexities.
 
  • Like
Reactions: EdwinG
That distinction of security patches and updates was something we had with Windows 7 to name one piece of software.

To add to what @PHolder mentioned, imagine a piece of application as complex as Windows, if we still were doing permutable updates instead of all cumulative, the number of permutations the Quality Assurance team would need to test to make sure nothing breaks. It just doesn't scale that well.
 
Software is complex.
I totally get that, I shall attempt clarify my previous post, apologies in advance if I struggle to articulate.

The original problem posed is why don't people just take all updates automatically,
the answer put it in one short simple sentence and I quote "Software is complex"...it sure is for all the reasons outlined by PHolder and more, things can and often enough do BREAK with updates also.

Perhaps a better way to express what I'm saying is if we start by separating the "SECURITY" from the "NEW FEATURES" in currently supported (as in "In-life cycle at the moment") software (lets not forget firmware either) I'm thinking we can start with a better foundation to create a culture of SECURITY updates being tested and applied sooner.

Let's take Windows as an example:
Cumulative rollups are great, actually a fan of them myself, they have a very good use case.
However incremental SECURITY updates are also very useful and equally important espeically when maintaining and existing fleet of machines.

It is inevitable that a version line will come reach end of life by its supplier, and at that stage we don't expect any updates anymore, if we have to keep that software around then we need to put it in a safe environment, I have had to do this with industrial machines, that either live in VMs or air-gaped networks
 
I think there are two legitmate reasons people don't update:
1. Updates break things, e.g.: Security Now! #675 - 08-07-18 An Open Letter to Microsoft About Poor Windows 10 Update Experiences, #771 - 06-16-20 The case of the disappearing printer port + Last week;s Patch Tuesday broke ALL PRINTING (even to PDFs) for many users
2. Updates are not available (/me, looking at my android phones by Samsung and Motorola).

Other than that, some updates are difficult to apply, for instance, require rebuild of an application.
 
Priority 1 - develop the product "Steve" style, almost completely debugged and tested without using users as unwitting beta testers and redesigning when they complain.
Priority 2 - FREEZE the design and get it out in the field for wide exposure.
Priority 3 - debug and patch any remaining bugs for people who've already paid money.
Priority 4 - after the product is VERY stable and reliable, consider features for the next version.
Priority 5 - develop the new version according to Priority 1. Repeat.
Priority 0 - if at any time critical bugs occur in ANY for sale version, those become top priority.
Priority 0.5 - All products should be supported for 5-10 years, perhaps more if millions of people own them or if the price is high or if the usable life is long.
Priority 0.75 - The motto should be "Getting stuff done RIGHT and not making paying customers' lives harder!"

Ron
 
I fall into the camp of being a regular updater, and wanting my devices to be current.
Having said that, my 3 year old Android phone had reached end of support. It was now two versions behind with Android OS and monthly security updates had stopped. The alternatives seemed to be just live with it and be careful, or get a new phone (exciting but costly). After some research I found there was another option. That was installing a Custom ROM. This is an excellent option for any semi-technical person. You can have the latest Android OS as well as getting monthly security updates.
There are lots of good Custom ROMs available for just about any phone, and I would recommend this to anyone who is concerned about no longer getting updates.
 
I fall into the camp of being a regular updater, and wanting my devices to be current.
Having said that, my 3 year old Android phone had reached end of support. It was now two versions behind with Android OS and monthly security updates had stopped. The alternatives seemed to be just live with it and be careful, or get a new phone (exciting but costly). After some research I found there was another option. That was installing a Custom ROM. This is an excellent option for any semi-technical person. You can have the latest Android OS as well as getting monthly security updates.
There are lots of good Custom ROMs available for just about any phone, and I would recommend this to anyone who is concerned about no longer getting updates.

I thought that wasn't really possible with new Androids and especially phones since the carrier wants to tweak things. Maybe I'm wrong.

I never connect my phone to the net. But, I do have an Android tablet that is becoming out of date. Unfortunately, I don't trust google these days.

Ron
 
  • Like
Reactions: Bplayer
Android is open source. Independent developers use this base to build, enhance, maintain, taking out any crapware, and fixing bugs. An example of this is Lineage. They have been releasing these Custom ROMs for years so the trust level is extremely high.
This would be an ideal time to try a Custom ROM if you are at the point of replacing your tablet. This is not Google.
 
  • Like
Reactions: rfrazier
This would be an ideal time to try a Custom ROM if you are at the point of replacing your tablet. This is not Google.

An android tablet without Google wouldn't really be much of a tablet, now would it. No store to speak of, no apps you didn't write yourself, no support library that most of the apps you would want will require (Google Play Services.) Might as well replace it with an Amazon tablet at that point.
 
  • Like
Reactions: rfrazier
With the Lineage OS, you can also install GAPPS, which is a bundle of Google applications, including Play Store. You can still get the apps you want.
 
  • Like
Reactions: rfrazier