Running late for college, and the scooter is stuck in an update(old.reddit.com) |
Running late for college, and the scooter is stuck in an update(old.reddit.com) |
Doing the same with vehicle firmware is a sad but predictable state of things.
Last update applied at z=???
Looking for updates...
Update server found [Alpha Centauri C]
Retrieving updates... 0% of ??? YB1) My LG webOS TV. Somehow it always does its thing in the dark. OS and application updates have never been visible to me.
2) My car. Even though it can update over wifi, and by other means, it never tries to do it unbidden. You have to invoke its maintenance mode, at the time of your own choosing, if ever.
3) Google/Nest Wifi, OnHub, et cetera. Always up-to-date, never noticed it updating at any time in 8+ years.
However, I can also think of devices where the updates are prominent. macOS, iOS, iPadOS, and Android are all in your face about OS updates, and Android will even throw up a notification that some app updates are available, as if I want to think about that. ChromeOS is a little better in that it silently downloads and installs updates, and they are applied almost instantly, but it does prompt you to apply them.
Today. That could change tomorrow. We already have forced updates for popular operating systems. Mandatory "safety" updates for car software will come one day.
I'm waiting for the day that different states implement different software rules. Imagine if Nevada implemented speed-governors but Texas didn't. I see a world where everyone has to pull over at the state line to allow their car to reconfigure software in order to accommodate local rules.
That said, I don't know why you would ever connect a transportation device to the internet. All of my vehicles are too old to connect to the internet, but when I finally have to replace them, the first thing I'll do is physically remove the Wi-Fi/cellular antenna
I would inclined to believe that maybe the manufacturer sends out an email or sms to notify you of am update and then you choose the time, while also being given a change log of what exactly is being updated.
otherwise what would prevent a bogus server asking for an update you have no idea about and installing something malicious and - whoopsie daisy - your car grows legs and disappears?
While playing, Windows would switch from the game to a stupid "Restart your computer now or in 1 hour?" modal - with no option to get it to permanently go away. And it kept popping up every hour. Infuriating.
See screenshot here: https://www.reddit.com/r/Windows10/comments/8kismw/wtf_micro...
I always ignore it, and within few hours there is another notification how they were updated. Seems like most idiotic approach, illusion of choice, effectively frustrating users.
Not everything that uses electricity requires an embedded computer connected to the internet.
We could ask the question as: Give me a list of good reasons why a scooter should be connected to the internet?
We might get answers like:
The built in map or GPS needs updating
The pricing list for hire needs changing
The battery monitoring software has changed
The problem is modularity, specifically the poor coupling and cohesion of subsystems within the design. Everything in our list relates to something other than the function as a scooter; like navigation, payments, telemetry.
In a properly designed system these have to be seen as essentially separate systems with diverged functional requirements. Each could operate and update in its own way if necessary. The default behaviour of the 'scooter' system should be to keep operating as a scooter, regardless.
Also the key problem is not iterated development but remote access (AKA backdoors) baked into designs as a way to hedge bets.
There's some cases where remote field maintenance is absolutely the right thing to do.
You would not send a space probe to Mars without the ability to radically change its software while in service.
When facing unknown future conditions the concept of deferred functionality is essential.
In situations of consumer electronics, which are designed, purchased and deployed within a rigid set of operational expectations, deferred functionality is a MASSIVE security risk and a subversion of expected trust models.
Convergence means that these days I can literally turn any of your devices into anything else... your wall clock into a radio, your fridge into a web-server, your television into spy camera.
It's not Agile as a development philosophy that is somehow "to blame" but its corruption by the devious into an excuse for reserving the ability to change functionality while hiding behind the plausible deniability of "necessary maintenance".
I don’t want to hear the manufacturer’s excuses. I know “most people” are clueless and leave security problems unpatched. “Most people” have also gotten accustomed to being abused by their software products that are out of their control. I’m not “most people” and I won’t tolerate being treated like this by device manufacturers. The product gets returned if I have no control over what it does.
That's, uhhh, really bad.
You know why I've just launched this game in Steam? Why I've just opened this shared meeting whiteboard software? Why I've opened my bank's banking app? Because this is the moment I want to use it.
If I open Skype it's because I need to be on a video call within the next 15 seconds. It doesn't matter what the popup says or does or how valuable it might be - I'm dismissing it, because I need to be on a video call within the next 15 seconds and it's between me and that.
How could a UX team possibly conclude that the precise moment a user shows unambiguous intent to use your product, is the best time to get in their way?
Well, the most natural answer is that it's not a UX team. It's the software engineers observing that since our program isn't running all the time, this is the moment we have to check for things.
And roll around that design issue a few more times and that's why your computer is running upwards of dozens bespoke programs that do nothing but scan for updates periodically and consume surprisingly large amounts of resources to do it since apparently most programmers can't write a program to try a network request every couple of days to consume anything less than a gig of RAM and 25%+ continuous CPU.
I'm not sure how the machines are set up, as I have an aversion to Windows from my time as an NT 'certified professional', but at least one machine will spend 10 minutes 'updating' during any class.
No doubt you can turn this off or set update time windows or whatever, but I'm not the admin for these machines. At least the updates generally work. For my kids' machines at home, almost anytime they boot windows, it will do an update, and a good percentage of the time, the update will fail, and brick the machine, requiring a complete re-install.
Minimize the number of things in your life that need software updates.
It was on the earliest fly by wire versions as far as I recall, and was fixed pretty quickly :)
But your neighbour plugged into a life-support machine at the local hospital does, because your machine could be used as a staging point for further attacks.
When we built an "interconnected world" we created interconnected responsibility.
That said, I agree with you that products that assume permission to connect to the internet and update when they feel like it are a menace. They result from disgraceful, lazy, inept software engineering and allow sloppy manufacturers to unload responsibility on to users.
That is unacceptable and it is going to change in Europe with a slew of legislation coming soon.
But that law may actually make things worse because it misunderstands the locus of responsibility and trust models.
Centralising trust in automatic updates with a manufacturer makes security much worse in many regards. Solarwinds is nothing compared to what is coming when billions of connected devices can be owned and turned into a botnet in s single exploit.
Your right to control your device is not to be championed solely because of your property rights, but perhaps ironically, because that is the better security model as the lesser of two evils.
Please don't say "I don't care about CVE-1234567", because at the end of the day, you're the only one whose 'care' actually matters. The manufacturer doesn't care and cannot really be trusted.
Unless your machine is in a particularly privileged position (for instance, it's plugged into the hospital non-public network), there's nothing special the attacker can do with your machine that they couldn't do with their own machines. So this is just fear-mongering.
The rub is that this doesn't work as well in atypical setups like a lab. The machines are probably only on while students are using it, preventing the "install at night" strategy, and if your normal workflow includes restarts Windows will take that as a cue to finally install the update.
Of course all of this is avoidable by configuration, or by the user (restarting explicitly without updates). But the Home version hasn't always given you as much agency in this as the more expensive Windows versions.
I know I could probably suspend or something, but I never do that because it used to be a lottery on Windows whether your machine would actually unsuspend or you would need to fight it pressing the power button until it rebooted (did they ever fix that?)
My wife and kids all use and have used 2nd hand company Windows 10 laptops. Since one of my roles by day is being a system administrator, i took quite some time to setup Windows 10 as they and i like it, being very very thorough in its various settings. The things just.. work..
It's quite rare if they ask for help about updates, crashes, etc. Haven't had a bricked OS since Windows ME.
Getting Fifa 23 and FC24 to work flawlessly on the Windows 10 game computer on the other hand.... Maybe i should start working for EA :)
Perhaps that's the key. I don't have time for that, linux just works, though of course some apps aren't available at all on linux, hence the windows boots.
As a counterpoint anecdote, I've been using Windows 10 Pro on a half dozen both newer and older machines ever since it came out, and have never once had to re-install Windows due to a failed update (and in fact failed updates have only happened a few times, each simply requiring trying once again). But these machines are booted up and used on a regular basis.
So for your stats, last year we re-installed the windows partition of one machine 4 times and another I think 2 or 3. Could be hardware problems, of course. But each time was triggered by a windows update, so maybe the update stressed the hardware to the point of failure, which linux does not.
Maybe it works as intended if you use it daily, but as someone who only occasionally uses Zoom for external calls I'm in the habit of always opening it a couple minutes early to have time for software updates
Nobody wants that, least of all manufacturers, unless they can use backdoors to spy on and ransom customers like printer and car makers are starting to.
Any obtainable CPU power, memory, IP address or storage is an asset, so they could:
Run processes such as password cracking on your machine while still
having their own to use.
Store sensitive or illegal data encrypted on your disks as a dropbox
for themselves or others.
Launch recon scans or attacks from your device, using your IP address
while staying hidden and leading the authorities back to you.
Set up your machine as a proxy for routing other traffic, leveraging
your geographical location.
Set up your machine as a node in a distributed compute farm for
mining, cracking or other tasks.
Sell access to your assets to other bad hackers.
... we could literally go on for hours with ideas about how using
*your computer instead of their own* gives an advantage and thus
presents a motive.
Two points I'll make:
Maybe you *should* be afraid of all the ways contemporary
cybersecurity is an absolute shitshow. Fear is not the best motive,
but *is* a motive for making changes. There's a reason we have that
part of our brains and the emotion it provides.
I'm sorry you feel worried about what I said. Even though the
threats are real I don't believe in scaring people. I think a better
way is through education and empowerment. That's why I produce work
like the Cybershow [0], where we try to make cybersecurity a little
bit fun and irreverent. Come and listen to some shows if you care
about computer security for yourself and people you love.
It's also a bad idea when the power has gone out and the UPS battery will last for only a few more minutes. Or when you have no UPS, a storm is coming which you know will cause the power to fail, and you want to orderly power everything off as quickly as possible (not to mention that losing power during a software update is not ideal).
Which is why I love the way recent Gnome does it: when powering off, the confirmation dialog has an unobtrusive checkbox (checked by default) which selects whether you want to run software updates before powering off. If you're not in a hurry, you can keep it checked and wait for the software updates to finish; if you're in a hurry, just uncheck it before confirming and it'll turn off immediately.