Do I really need Critical Updates if I practice 'safe computing'?

Windows/Security Updates, are they really required?

I run XP Home, SP2 with one update: The time zone update reflecting the new Daylight Savings Time changeover dates. That's it, NO other updates have touched my machine. It runs just fine, and I've never had a virus/intrusion into my machine.

So why all the hype over updates?

__________________
It's a good day when you learn something
-----------------------------------------------------------
Location: Alberta, CanadaD-A-L Hardware Scan

Hi again Dan...

I think for most home users, as they are not computer savy, I would say the answer would be Yes. "Users" are getting more and more infected because they, for the most part, are unaware of the dangers.

I'm going to guess, as I don't know you yet , that you are you are quite knowledgeable in dealing with computers so you know the dangers, the in's and out's to what to look out for. So someone with your knowledge running "naked" is not a big issue. But for the "user" who is not all that "savy" and maybe has kids who also are not all that "savy", running as "naked" as you are is just asking for trouble. I would say that they should install all the updates just to be on the safe side.

When I was a "HJT Helper" in the "Helper" (Dell, MRU, Spyware Warrior, etc) forums one of the biggest issues was getting users updated...Many were not even at SP1 or SP2.

__________________
~ dobhar ~

D-A-L Hardware Scan | Belarc Advisor | dobhar's place on the net <- Needs updating

Alot of people in my small town Dan run pirated copies of Xp that can't be updated. When they find out I run linux they figure I'm a Techy or something and ask for Help. I just tell em to run Avira, Malwarebytes, and SpywareBlaster and they should be fine. You should see the look in their eyes when I suggest I'll install Ubuntu so they will be legit and not have to sweat stuff. They're eyes get real big like I suggested to offer they're eldest kid for a human sacrifice. People are funny.

__________________
I’ll keep using Linux until they pry it from my cold dead fingers.

Wow, scary but great question Dan, and I sincerely hope hypothetical!

But first, I think this is more of a security question and this topic should be moved. I know we are just starting and testing these "discussions" and boundaries are not set, other than Software Discussion and Hardware Discussion topics, but IMO, this is not a software question, but a "General Security" Discussion topic - and for a separate category that perhaps needs to be created. But not my call.
***********

In the meantime, you can't unring the bell, so I will give my two cents because it would be horrible, if not disastrous for readers to get the idea an updated system is not necessary. It is, absolutely, necessary for all normal users - that's at least 90% of you out there.

Dan is a computer expert - he does NOT count! He is not a normal user! Surely he has an active firewall installed and a current AV/AM solution. He probably conducts periodic cleaning of crud and supplemental scanning with "on-demand" tools. He most likely has physical control over access to the computer, that is, it is not in a public area, or used unsupervised by unknown users - but rather used by just him, and maybe another "trusted" user. If using wireless, he has probably changed access defaults and uses the highest security possible. It is not likely he frequents P2P sites and participates in illegal filesharing of copyrighted materials, illegal porn or illegal gambling. He can recognize suspicious attachments and downloads and likely scans them before opening, and he probably does not click on every link he sees, wondering where it might take him.

Odds are, if you never lock your front door, you won't get robbed either. Careful folks lock doors, get a dog, turn on a light, leave a TV or radio on, and some even set up alarms. Will all that keep the determined badguy out? Of course not. Not all folks are lucky. But each layer is designed to stop some badguys, and together they stop 99% of the badguys. That's good enough for the vast majority of users.

The best defense is layered. You need to keep your systems updated and patched because in doing so, you establish a "critical" layer of protection over your system, your identity, and your families safety. Not doing so is like the folks who roll through stop signs. They may never get broadsided. But one day, a speeding idiot entering the intersection from the side might be going too fast for the "safe" rolling stop to avoid a collision. Hopefully the steel bars in the doors and roofs, the airbags, and seatbelt they are wearing (yeah right!) saves their lives, or at least leaves them in control of the vehicles so they do not run into and kill someone else. That assumes they did not ignore any safety recalls on the airbags. And hope they kept insurance current.

The decisions of those drivers can adversely affect innocents bystanders - not just themselves. That's a big part of the problem. Much of the malware today is designed to allow the compromised computer to be used as a weapon against the rest of us, while leaving as small, and hard to detect, footprint on the compromised host machine as possible. So, keeping our systems updated is also being a responsible driver on the Internet, so our deficiencies or slips in discipline do not hurt others. Bottom line, everyone needs to maintain their machines to current standards, if they connect to a network that has Internet access (even if a network of one).

The reason for all the hype is simple - Microsoft/Windows/Gates/IE Bashers, and of course, the so-called unbiased "professional" (yeah, right!) IT media/press outlets. Sure there are way too many vulnerabilities in XP - but what does it take for a badguy to exploit them? All of the below must happen:

(1) The user must put his UNPROTECTED machine in a position to be exposed (such as participating in risky practices like illegal filesharing)
(2) That vulnerability must be exploited - that is, there must be specific malware coded to look for that vulnerability
(3) The malicious code must get past the local firewall, and any security programs currently running
(4) The malicious code must run without being detected by security programs

That's a lot that needs to happen before your system is actually compromised. And that is why the vast majority of Windows users do not have malware problems. That said, because the damage can be substantial, and even deadly for extreme predatory scenarios, it is prudent to take necessary defensive steps to avoid "crimes of opportunity". You don't leave your car running in a depressed neighborhood alley and not expect someone to take off with it.

That said, the user is still the weakest link. If you get an email from your dear ol' grandmother's email address, and it has a nasty sounding attachment, delete it!!!!

The IT media and MS bashers would have us think any old badguy is going to sneak past all our other security defenses and practices and immediately take over, or destroy our machines for each new vulnerability discovered. It ain't happening. Facts are most of the nearly 1 billion Windows users out there are doing just fine with Windows Firewall, Windows Defender, Internet Explorer and some free AV!!!! Why? Because most users are cautious, don't use porn, gamble, illegal filesharing and they try to run a current anti-malware defenses. And it works - for almost everyone.

I urge and recommend everyone, including hypothetical Dan, check out Secunia PSI. This will analyze your computer and tell you where you are with security updates. What's nice, is it provides a nice UI so you can investigate each update to see if it affects your system and computing habits.

A 3rd cent about Windows Update. Since the vast majority of the nearly 1Billion Windows users out there run WU with NO problems - with most in full auto-mode no less - odds are you can too! That said, I personally have mine set to download, then notify me when ready. Then I wait, usually about 1 week, and listen for fallout to ensure none of the updates break something they should not, before I install them. And I install them on my test machines first - since MS does have a history of bad updates. I am not worried that I might be at risk from the latest threats because (1) I am careful where I go and what I open/click on, and (2) I keep my anti-malware scanners running and current.

And so they don't become a threat to the rest of us, that is probably fine. But, IMO, and BECAUSE there are free alternatives, you should ask them if they know that is stealing and they would be considered thieves in the eyes of the (legitimate) law (in ANY member country of the United Nations). Then see what their eyes do.

__________________
Bill (AFE7Ret)
Freedom is NOT Free!

Heat is the bane of all electronics!
─────────────────────

Please help us help you.

I know you are right Digerati. I just live in a different set of circumstances and environment then you do. Below is my rant/2cents on "Then see what their eyes do"

I can tell you are not from around these here parts. (I'm joking Digerati). You actually think they care if it's stealing. You must be truly insulated. I live in a area where stealing Windows Xp ranks right below Dealing Heroin, Coke, Breaking and entering. This is the Southwest. The Wild West. I'm just trying to get you to understand. I get a little respect from gangbangers because of how I carry myself. I can suggest, but if I wish a bullet later all I need to do is start talking down to a cholo running a pirated copy of XP. It's like a father telling his kid he is doing something wrong. Why do you think I offer to get them a Linux operating system for FREE, I'll set em up at no charge, Heck I even have the iso CD burned and ready to install. All I get for my suggestions is a glazed look in their eyes and a "whatever". I give up on trying to make people do the right thing. All I can do is try to keep them from harming the rest of us and covering my own @@@.

On a different note, any time a update shows up for my Linux Box, I like you check on whether it'll be fine to install or if it will break my install. So far any updates I get have been installed and my box is as current as the open source society sees fit to make it. I have yet to be attacked, highjacked, or messed with in general.

Edit: Hope I didn't get in trouble for posting this. I am not trying to start a flame war or troll (as if I know what that means). Just trying to show my side of things, I Humbly apologize if anyone takes offense, respectfully rokytnji.

__________________
I’ll keep using Linux until they pry it from my cold dead fingers.

No, it is more the attitude of the ex-smoker - always the worst critics.

Back in my Commodore 64 days, here and when I was stationed in England, we used to rent out recreation centers and social halls for software swap parties - no one thought it was stealing, or cared. But it put many good programmers and small computer shops out of business, created an over-reaction by the anti-piracy community, which caused law abiding folks to suffer with higher costs, dongles, 64 character key codes and more. It did not take long for the bad guys to realize they could easily distribute their wares through pirated software and so today, simply because these folks do not keep their systems current, these computers make up a huge chunk of the compromised computers out there, used by badguys to send spam under our names and IPs, or to join a DDoS attack on a site.

So whether rampant in our areas or not, it is important we send the right message.

__________________
Bill (AFE7Ret)
Freedom is NOT Free!

Heat is the bane of all electronics!
─────────────────────

Please help us help you.

First let me say that this thread was NOT meant to advocate running a machine without critical/security updates. I'm just wondering why the "hype/following" of them. I've never had a problem. I realize where kids are involved etc, there should be protection in place.

Correct on ALL counts. (I'm the only user.)

I run; avast!, Comodo Firewall, Comodo BOClean, and BillP Studios WinPatrol. This is my entire security/safety package. Those are the only four things I run. (See TaskBar pic)

As Digerati stated: which was really the essence of my thoughts on this.

When I see some of these critical update descriptions ie; "A security hole (or whatever the terms may be) exists where a system can be taken over and compromised etc etc etc" I have to wonder why I've never been taken over. I'll sometimes be lead to sites through research which contain virus's, trojans etc, but my AV or firewall takes care of it by giving me advanced warning, so I simply close or back out. If I do download something that hasn't given an advanced warning (even from my dear ol' grandmother), I ALWAYS right click on it and scan with avast before I do anything with it.

Doesn't everyone????? ;>)

Attached Images

untitled2.jpg (4.9 KB, 44 views)

__________________
It's a good day when you learn something
-----------------------------------------------------------
Location: Alberta, CanadaD-A-L Hardware Scan

Note - this thead has been moved to our new "Security Discussions" forum. If you have not done so already, please http://www.d-a-l.com/help/security-d...e-posting.html to learn about the important topic limitations.

__________________
Bill (AFE7Ret)
Freedom is NOT Free!

Heat is the bane of all electronics!
─────────────────────

Please help us help you.

I have been giving this matter a lot of thought. This topic might also get more attention if the topic were to be changed to:



Do I really need Critical Updates if I practice 'safe computing'?


A minor probability of risk to the few is still risk, no less. We are certainly free to make generalizations based upon our own experiences and act accordingly. Some of our common beliefs, risk assessments, rationalizations, and conclusions can turn out to be pretty interesting:

• Smoking – many of my relatives, who smoked, lived well past average life expectancy including my 83 year-old father. Should I be able to conclude that if smoking didn’t directly kill my relatives or adversely affect their lives that I should be able to enjoy the same seemingly mostly consequence free results.
• Cell phones – many studies have shown higher risk of distraction and accidents, and many jurisdictions have made it illegal to use a cell phone (in particular, hand held) while driving. Many still choose not to comply because of inconvenience, lack of perceived consequences, and minimal enforcement and fines - I am always in control and alert (invincible), and therefore no cell phone I use is likely ever going to lead to an accident. Similarly, I have never had a car accident so I guess a seat belt should be mostly optional at the users discretion.
• Insurance – most of us have had home and car insurance for years and never needed to claim on that coverage, ever. Yet, most of us would never take the chance that adversity might not befall us (say 1 in 100K) because our media is so efficient at reporting what can happen to those relatively few of us so unfortunate. If we take 50% of the commonly recommended liability insurance most of us will never live to regret that decision except those rarely misfortunate enough to be sued for substantially higher awards.

‘Critical Security Updates’ exist to address the risk to the lowest possible common denominator – which is often not likely the majority of us who mostly practice ‘safe computing’. As one of the most basic security steps recommended by experts – security 101, why would we even consider overlooking such a basic and simple step? We are best advised to take the simple insurance coverage being offered however unlikely the perceived consequences or incident likelihood is to most of us.

Do you really think that Microsoft is keen to put warning advisories out on its tools: WARNING: This product (our software as currently implemented) could be injurious to your PC’s health? No, it is simply a prudent business decision and good PR. You have been warned even though most of you are not likely to go to the places where such issues might manifest. They did their part and now you don’t have any business to complain should you or your PC’s users encounter problems easily prevented or fixed by such patches.

__________________
Vincent P

MALWARE: READ FIRST Procedures:
|_ SpyBot V1.5 _|_ HijackThis LOG __V2.0.2 _|

__
ASAP: promoting a high standard and quality of security support no matter where you seek help.

Great question with a simple answer. If you walk on water and chew gum at the same time, then, no! You're safe.

Otherwise, there's too many assumptions.

• We are human. We might get distracted and click the wrong button or link. Or forget to scan an attachment or download before opening. No one can ensure zero mistakes.
  
• Humans made Comodo, ZoneAlarm, AVG, Avira, MBAM, etc. Even the best security programs break - once is too often.
  
• The best AV this year, may not be so good next year - usually because it was neglected while the world zipped by, or humans dinked with it.
  
• There must be ZERO possibility a spouse, child, friend, or nosy neighbor will ever be able to touch the machine. ZERO! (Unless they walk on water and chew gum too! )

Therefore I believe keeping a system updated is a key element, and defense layer, of Practicing Safe Computing.

__________________
Bill (AFE7Ret)
Freedom is NOT Free!

Heat is the bane of all electronics!
─────────────────────

Please help us help you.