  1. Administrator
    Join Date
    Jun 2010
    Location
    Portugal
    Posts
    6,425
    Thanks
    60
    Thanked 691 Times in 643 Posts
    This is an old discussion, really. Somehow, Fred is always involved in it.
    I have said before and will say it again. Advising not to patch is quite risky. What if someone so advised, gets infected and comes here and complains about bad advice?

    The "stable and working" argument misses the point, hugely, IMHO. A security bug most of the time has no impact on functionality. So, an unpatched system will be stable and working ... and vulnerable. Most of the hugely advertised security attacks take advantage of "old" security vulnerabilities. Take the much "popular" Stuxnet and Flame, for example. The problem with reactive protection is that they look for signatures of known attack malware. That's why it is advantageous to plug the original hole, rather than put a "police" officer making sure no one gets in through the hole. He may fall asleep or not recognize a rogue attempt to use the hole. Even other types of protection may not be effective against unknown malware.

    The fact that one specific person took a given strategy and that has worked for that person is statistically irrelevant. Jokingly, I would say that it somehow makes me remember a Portuguese joke about a guy that was shaking arms and legs wildly in one of the main plazas in Lisbon. When asked about the reason for his behavior, he simply answered he was trying to scare crocodiles away. When someone remarked that there were no crocodiles there, the person's response was immediate - "see how this strategy is effective?!!".

    Of course, there is no guarantee that patched systems will be always immune to malware and there is no guarantee that the patching process itself won't create problems of its own - some people die or get seriously ill from vaccines. We all make decisions based on probabilities, every single day, most times without even thinking about it. On a forum like this, all we can recommend is best practices. Statistics are well supportive of best practices.

    That said, I also think the recent versions of NIS are better than the older ones, that basically wrecked NIS's reputation. They are lighter and much more effective. Do they avoid the need for patching? IMHO, no.

    I use two paid apps from Emsisoft, which frequently rank among the best in the market and I still patch. It's all about probabilities. It's my own crocodile scaring strategy and I can say it does work for me and the people I advise, even those who are not computer literate.

  2. 4 Star Lounger
    Join Date
    May 2012
    Posts
    404
    Thanks
    0
    Thanked 49 Times in 39 Posts
    Adblock Plus for Firefox also has a useful subscription which can be added to the browser to provide additional safety. It's called "Malware Domains" and can be subscribed to simply by clicking the link at the foot of their subscriptions page: https://adblockplus.org/en/subscriptions
    Last edited by Xircal; 2012-06-19 at 10:52. Reason: corrected spelling mistake

  3. The Following User Says Thank You to Xircal For This Useful Post:

    Just Plain Fred (2012-06-19)

  4. Super Moderator Just Plain Fred's Avatar
    Join Date
    Oct 2007
    Location
    Johnson City, Tennessee, USA
    Posts
    2,931
    Thanks
    36
    Thanked 190 Times in 179 Posts
    Quote Originally Posted by ruirib View Post
    What if someone so advised, gets infected and comes here and complains about bad advice?

    The "stable and working" argument misses the point, hugely, IMHO. A security bug most of the time has no impact on functionality. So, an unpatched system will be stable and working ... and vulnerable. Most of the hugely advertised security attacks take advantage of "old" security vulnerabilities.

    rui,
    Hello...The same thing....As if someone who patches and updates gets infected, and comes here and complains about "bad advice"? And I always make sure that I explain that this is MY experiment!...Nothing to do with the W.S. Lounge. Or would you rather have it that everyone "sing off the same page" and ignore some "uncomfortable" facts?
    You're missing my point... "Stable and Working" OS's I'm referring to putting "Non security" patches on...Let me ask you. If my OS's are stable and all my programs are working (for years) doesn't that say that if there were problems with the OS it would have manifested itself at some point during the years of running?.. Putting a patch on this would be looking to introduce or create possible system instability. Now Security ...as I said before "I roll my own"
    Regards Fred
    PlainFred

    None are so hopelessly enslaved as those who falsely believe they are free (J. W. Von Goethe)

  5. 5 Star Lounger Drew1903's Avatar
    Join Date
    Mar 2012
    Location
    Calgary
    Posts
    972
    Thanks
    0
    Thanked 56 Times in 47 Posts
    The irritating thing here (& this has been discussed in the forums recently) is the potential impact on others. Any machine, on the Net & unprotected can hurt others. Oft it is compared to being HIV+ & having unprotected sex. Many feel it should be a crime, punishable by law. Personal 'experiments' cross some drastic & severe lines when they can harm others. Others who are innocent, unknowing victims. Being one's own worst enemy, maybe... putting others @ risk, ah, NO! Absolutely unacceptable & wrong.

    Cheers,
    Drew

  6. 4 Star Lounger
    Join Date
    May 2012
    Posts
    404
    Thanks
    0
    Thanked 49 Times in 39 Posts
    I think the biggest danger these days emanates from social networking sites like Facebook. What many people don't understand is that these kinds of sites are visited by users from all over the world and that means also from countries where a Western alphabet may not be the one in use.

    That presents a problem when composing passwords. For example, users in Thailand cannot use their own language to create a password because the Thai language isn't recognised by browsers. So what they do is to create a numerical one instead. Consequently, passwords are very easy to crack especially since the figure '555' which is pronounced and written as "hahaha" meaning to laugh is often used as part of a numerical password.

    Also, many social networking users like to have lots of 'friends' even though they don't have a clue as to who these people are. Consequently, they're often duped by these individuals into clicking a link which takes them to a malware site. Similarly, they often lose control of their accounts when Facebook blocks them because their password has been hacked and they're unable to regain control of their account because they can't identify their 'friends' from a series of photographs that Facebook presents them with. So they create another account and then make the same mistakes all over again.

    Worse still, naive users don't seem to grasp what all the fuss is about when their machines do get infected and treat the whole incident as some kind of joke. They install AV apps of course, but never use them to scan the system regularly and once they unknowingly install a trojan, the hacker will ensure that the AV is effectively disabled along with Windows updates.

    Businesses in Thailand don't fare that much better and I've stayed in hotels in Phuket where free Internet access is available but the machines are absolutely riddled with viruses and trojans. One of them had no less than 113 malware infections at the time, many of which were keyloggers. Imagine using your credit card online in one of those! More often than not as well, the router password is often the same as the hotel's phone number, the latter of which is often painted on a window outside.

    Fortunately, in Thailand at least, very few individual users have a credit card, or online banking so there isn't much danger that they'll be financially affected. But that country will doubtless feature high on the list of countries where machines have been compromised to be used in DDoS attacks. But to try and get that message across to many Thai users will be little more than an exercise in futility.
