Re: Microsoft finally acknowledges the security drumbeats

From: Howard Christeller (hchristeller@home.com)
Date: 02/11/02


From: Howard Christeller <hchristeller@home.com>
Date: Mon, 11 Feb 2002 01:44:55 GMT

On Sun, 10 Feb 2002 11:03:40 -0800, John R Pierce wrote:

> On Sun, 10 Feb 2002 16:30:17 GMT, Roger Marquis <not-for-mail@roble.com>
> wrote:
>
>>It does, however, further illustrate microsoft's approach to security.
>>By granting themselves remote root-access to your system and
>>write-access to your hard drive, at any time and for any reason (that
>>they can remotely justify), they've created yet another fundamental
>>security vulnerability.
>
> I have the windowsupdate thing set to notify me before install, so I can
> review what they want to install....
>
>
> I'm curious, how is this *ANY* different than RedHat's "up2date" thing?
> Or Solstice whatever from Sun? or any number of other 'automatic'
> update patch things?
>
> -jrp

You must explicitly configure up2date for auto installs; you can also
configure it so that it only downloads, but does not install.

I'm using a fairly vanilla configuration, where I run it manually. It
connects, gets a list of updated packages, compares (locally) that list
to what I have installed, and offers a list of updated packages. One
click gets me a description of the package, another lists the advisory,
and another selects the package for download. Or one click can select
all of the updated packages, if you don't feel the need for the details.

The administrator is in firm control with Red Hat. Microsoft is
reserving the right to force an update without your knowledge or
permission. Disclaimers to the effect that they have no intent to do so
leave me unimpressed. History suggests that they are only interested in
doing what is in Microsoft's interest, not the customer's.

Now that there's a public fuss, I'm sure that they will change the
license. I'm also sure that after the outcry dies down, the license
language will change again.