Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Anyone who has had to administer anything user-facing will tell you that some users will ignore any warning. Updates need to be automatic and mandatory. You can give them a grace period, but you have to force the issue after a while, or users will delay the update prompt every 15 minutes for months.


Anyone who has owned a cloud connected device or software will tell you that companies cannot be trusted with remote access, they will abuse it every single time. And they'll have the useless cargo-cult security industry telling users that it's "best practice" and for our own good while their companies are spamming us or spying on us or removing features or outright hacking us or taking away access to our own data while they sell it to third parties and try to lock us into their ecosystem.


It was not my intention to defend large corporations and their sleazy practices. I just wanted to say that the average user cannot be trusted with an easy option to ignore updates, especially when it comes to security.

Users will do things like ignore updates and then trash you on the internet or spam your support because the software no longer works properly with service xyz. We regularly hear about major hacking incidents where internet-facing software hasn't been patched for years. Things like this will give your company a bad reputation.

I think the best compromise is to have automatic updates by default and a slightly hidden option in the menu to turn them off. If the user goes out of his way to turn it off, then it is his own damn fault, but if you make it too easy (like presenting it with every update prompt) you are courting disaster.


Not every computer is a part of managed corporate inventory. And some suppliers will happily ignore any issues their updates are causing. E.g. forced Windows feature updates can just disable a computer by throwing out essential but unsigned drivers.


This is more of a technical problem. If your update either breaks something or leaves gaping security holes, then there is no good solution. I think I would rather inconvenience a customer by turning off functionality than leave a bad vulnerability unpatched, but delay an update if it is not security related.


Nope, annoying forced update stuff goes in my trash. Already said bye bye to Windows for this reason. If your thing is gonna update itself, it can't disrupt me or make itself worse.


There should always be an option to turn off automatic updates (unless we are talking about a corporate network), but the option should be opt-in and require some initiative on the part of the user. If the option is presented together with a prompt to update, users will simply turn it off without knowing what they are doing.

If it is in an options menu, power users can choose to turn it off, but normal users will probably never find the option.


I agree for most software in general. Mac updates are auto by default iirc, and that's good. Just not Chrome extensions. The risk of attacks by the owner seems much higher than the risk of attacks by websites on outdated extensions.

And the problem with Windows is you can't really turn minor updates off, they require reboots, it nags you a ton about major ones, and the updates basically just make it worse.


I don't think manual updates would solve this security problem. The new owner would just have to delay the activation of the malicious parts of the software. No one is going to check the binary of an extension or try to replicate it if it is open source.

It's strange that Windows updates are still such a big problem, and I'm not talking about the ones caused by Microsoft's greed. Even Linux systems, which for a long time were pretty user-unfriendly, have largely managed to make updates seamless. I have automatic updates turned on on my computer, and the only indication is that once in a blue moon I can't turn the system off for a minute while it's running an update.


It wouldn't solve it, but at least an update couldn't get instantly pushed and run by all users. These extensions are JS rather than compiled binaries, so they're not too hard to inspect (and if the code is intentionally obfuscated rather than just minified, you know something is up).


If you want to limit the initial impact of a malicious extension, a mandatory hold or slow rollout would be more appropriate. There is no need to bother normal users if they would never inspect the code anyway. If some users want to inspect it first, they can go into the options and turn off automatic updates. Fixes for serious vulnerabilities that require immediate rollout are much rarer and often small, and could be reviewed by the extension store team.


I mean linux updates are everything but seamless, it highly depends on your exact config and distro, certain hardware configs break every single kernel version, hell even Nvidia would break they drivers super often not even that long ago. Smaller vendors with closed source drivers were even worse. Software just breaks sometimes no matter the amount of testing that you do. It's better just just accept that and deal with it when it comes up.

And in my experience (mostly server linux, client Windows/macOS) the worst updates are still macOS, they take for ever to install. Linux and Windows seem to at least install quickly, like a full upgrade takes less than 20 minutes on both, while a minor release for macOS will make my MacBook try to lift off like a jet engine for 45 minutes.


Mac updates take the longest for sure. I feel like they used to be shorter too.


so when one software company does it to you it's good you say but when a different outfit does it goes in the trash. nice consistency you got there, bud.


Apple doesn't force the updates, Microsoft does. You can turn off automatic Mac updates, and even the automatic ones won't force reboot your machine while you have stuff open. And you aren't greeted with a "please switch to Safari" modal when it boots back up.

What's true about both is the updates require a reboot and take way longer than they should.


I mean macOS will spring the "Your computer will reboot within 60s" with the count down on you, if you don't watch out. And the "Reopen" feature only barely works.


But if anything is open that asks if you want to quit, it'll prevent shutdown. Unlike Windows which just kills everything.


But I don't want windows 11.


...says the 1st party, in a world where 1st party malware is a serious problem.


If the software you are using is so bad, or the distributor so untrustworthy, that you would classify it as malware, then I think it is time to switch to an alternative.

For example, it is now quite feasible to use only open source software in everyday life, which usually operates according to better ethical principles and has greater difficulty in enforcing problematic changes.


The concern is that for a lot of software these days, it starts in the "good" bucket (and often open source even), and then once it gets popular, it is bought out and enshittified.


Yes, unfortunately this happens regularly, but with open source software it is at least possible to fork it. We often see forks when there are major disagreements. Not all of them survive, but if the original is bad enough, the chances are pretty good. There are also projects that are developed or supported by a trustworthy foundation/organisation, where you don't have to worry about such bad development.


F/OSS is usually not the kind of software that pushes automatic updates on you in the first place.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: