SP1

BillW50

Oh, just that I asked a few weeks ago, and I thought you said you didn't
enable Windows Update (I hope I'm not misremembering) so do you pick and
choose the hotfixes? How do you know which ones are the real security
fixes?
No, I probably did say I didn't enable updates. This is true for some of
my computers, but not all of them.

Which hotfixes do I install? Not many on most of my computers. On XP SP2
ones which have more than 1GB of RAM I grab KB909095. Without it, XP may
not be allowed to hibernate. About 99.9% of hotfixes don't, nor will
ever, affect me. So why install them?

Security fixes? I have done tons of experimenting on this. As when I
first heard some users don't install them and they also don't get
malware either. I needed to know why?

And what I had found to be the most important thing for security is a
stealth firewall. This stops 99.99% of the problems right there. As your
computer will no longer communicate from sources that you didn't
intentionally request. Not doing this, a computer can be infected within
90 seconds or less just by going to Windows Update. XP or later already
has a stealth firewall so no need to add one. Plus routers by default
act as a stealth firewall too (although you can configure them to do
otherwise).

The second important thing to cover the other 0.1% of the problem is a
real time AV scanner (and really keep this up-to-date). Which scans
everything that is being opened or executed (which stops it in its
tracks). And this is the only time malware can do any harm.

Just these two things will keep many users malware free. For the ones
who don't go to untrusted sites anyway. Although in either case, there
is a very small chance that one may run into a zero day malware.

Ah! Here is the third thing you need to cover these. Run all Internet
activities through a sandbox. Thus your OS, AV, firewall, or anything
else cannot be compromised. And after a day or two with a good AV, zero
day malware can no longer hide (even in the sandbox) and it is powerless
to stop the AV from removing it.

Now we come to Windows security fixes. Why do we need them again? As if
the firewall is blocking unsolicited attacks, the AV stops all malware
found in its database, and the sandbox is covering your butt for
everything else. Then why bother? As nothing can sneak in anyway no
matter if the OS has zillions of holes in it.

The real test is actually trying a number of computers on the Internet
and not installing any security fixes. And then see what happens. And I
was hearing reports of users of older version of Windows which Microsoft
doesn't supply security fixes for anymore and they aren't getting
infected either. So why was that?

After experimenting with this for many years, I can't find any evidence
whatsoever adding this extra layer does anything at all. As you are
already covered by a firewall, AV, and a sandbox anyway.

And you know how these security fixes work anyway. As holes are always
there in any complex OS (Windows isn't alone here). And programmers plug
the ones that are discovered, but there are always more. Worse, the OS
itself gets hotfixes which can also create more new holes. This is an
endless cycle that never ends. And it is always a day late and a dollar
short. It's best just to abandon this whole approach to trying to plug
holes and do something else for security.
I thought that was just a skin around the IE engine, but it seems that
it also includes the Webkit engine, do you disable the former, or
install hotfixes for IE?
Yes Maxthon 3 uses two rendering engines. As it uses either Trident (what
IE uses) and/or Webkit (Chrome uses this one too). Depending on which
one of my computers, I could have either IE6, 7, or 8 installed. And so
far, I haven't had any problems by not installing IE hotfixes. So I
don't worry about it.
Are you safe from the recent kernel mode embedded font engine bugs?

They're your machines and of course you run them how you feel (as do I)
but as others have said, I can't see how you have the info to decide
which hotfixes are the real scary ones and which not to bother with ...
Well having experimented with this for many years and hotfixes for
security don't matter if you have a firewall, updated AV, and a
sandbox anyway. And the only hotfixes I like are the ones that actually
correct a problem that I am having like that KB909095 one.
 
Gene E. Bloch

<SNIP>

Although your list of methods is commendable, I'm not sure how my Aunt
Bessie would be able to set up and handle all that.
 
BillW50

<SNIP>

Although your list of methods is commendable, I'm not sure how my Aunt
Bessie would be able to set up and handle all that.
Well in such cases, Aunt Bessie can always install Windows SteadyState
(on a XP or Vista machine at least) and it is free. For Windows 7, there
are other software (probably not free) that does the very same thing.
This basically puts the user in a giant sandbox. And the OS and
applications are virtually totally protected against any malware that
comes down the pike. ;-)
 
Gene E. Bloch

Well in such cases, Aunt Bessie can always install Windows SteadyState (on a
XP or Vista machine at least) and it is free. For Windows 7, there are other
software (probably not free) that does the very same thing. This basically
puts the user in a giant sandbox. And the OS and applications are virtually
totally protected against any malware that comes down the pike. ;-)
I'm talking about Aunt Bessie, not about you.
 
BillW50

I'm talking about Aunt Bessie, not about you.
That is what I am talking about Gene. As Windows SteadyState (and
probably other third party clones) are very easy to install and set up.
There are only seven main settings and they are in simple plain English.
And I don't think Aunt Bessie will have any problems installing and
setting it up.
 
Gene E. Bloch

That is what I am talking about Gene. As Windows SteadyState (and probably
other third party clones) are very easy to install and set up. There are only
seven main settings and they are in simple plain English. And I don't think
Aunt Bessie will have any problems installing and setting it up.
Are you purposely missing the point?

Lots of people think that they are buying an operating system or a
computer that will work for them out of the box, and are neither
equipped for or interested in tracking down what they would see as
exotic and complicated software needed to make the computer/OS work for
them - especially when the OS actually *does* work for them to their
satisfaction, and especially when they have no reason to guess that
such software exists.
 
Andy Burns

Gene said:
Are you purposely missing the point?
Quite ... plenty of people with more IT knowledge than Aunt Bessie will
never of heard of SteadyState (which is a Dodo anyway).
 
Andy Burns

Andy said:
Quite ... plenty of people with more IT knowledge than Aunt Bessie will
never of heard of SteadyState
^^
argh! how did that happen?
 
Andy Burns

Wolf said:
Brain fart. Like the other kind, you generate more of 'em as you age.
It's almost as though my fingers are doing speech to text from what I
would hear if I spoke it, rather than what I actually thought. Never
wondered before, is that how a brain uses a keyboard?
 
Wolf K

It's almost as though my fingers are doing speech to text from what I
would hear if I spoke it, rather than what I actually thought. Never
wondered before, is that how a brain uses a keyboard?
Quite possible IMO. Read Oliver Sacks' books for intriguing insights
into how the brain works. The brain is a mysterious instrument, and does
99.9% (at least) of its work well below the level of awareness. As I
grew older, I began to use "it's" for "its" and vice versa. I speculate
that it was a side effect of marking these errors ad nauseam in
student's work.

Relevance to this NG? We all develop habits, and when the UI changes in
some _minor_ way, those habits interfere. Major changes aren't as much
of a problem, because they're obvious, so people know they have to learn
something new. You may have noticed that an excessive number of pleas
for help involve relatively minor tweaks to the OS/UI.

I had quite a lengthy exchange on mozilla.dev.usability about this very
issue: Firefox and Thunderbird have been changed in many small ways
recently, which have caused a great deal of annoyance. Considering how
very few average users still use Usenet, I'm certain that a fairly large
number of users simply abandoned these programs, but the influx of new
users has masked the drop offs. My wife was ready to abandon Firefox,
for example, until I tweaked the UI to make it as much like the old one
as possible. OP's rant about SP1 was IMO actually about unnecessary
tweaks and default changes which mess up long-established habits.

HTH
Wolf K.
 
Gene E. Bloch

Relevance to this NG? We all develop habits, and when the UI changes in some
_minor_ way, those habits interfere. Major changes aren't as much of a
problem, because they're obvious, so people know they have to learn something
new. You may have noticed that an excessive number of pleas for help involve
relatively minor tweaks to the OS/UI.
An anecdote in support of that idea:

Years ago I owned a 1958 VW Beetle. I had no trouble driving one
friend's Ford Station wagon, but I could barely drive another friend's
'56 Beetle.
 
Ken Blake

Years ago I owned a 1958 VW Beetle. I had no trouble driving one
friend's Ford Station wagon, but I could barely drive another friend's
'56 Beetle.

That sounds odd to me. Can you explain what the difference was between
the '56 and '58? Was it a manual vs. automatic transmission?

By the way, I used to own both a '56 and '59. I drove the '56 and my
wife drove the '59. I could drive both without a problem, but viewing
through the bigger rear window of the '59 (same as in the '58) was
much easier than in the '56.
 
BillW50

Are you purposely missing the point?

Lots of people think that they are buying an operating system or a
computer that will work for them out of the box, and are neither
equipped for or interested in tracking down what they would see as
exotic and complicated software needed to make the computer/OS work for
them - especially when the OS actually *does* work for them to their
satisfaction, and especially when they have no reason to guess that such
software exists.
Then if they are not even to bother to download and install a free AV,
then they really are going to have endless trouble, aren't they?

I must admit, the Internet seems a lot safer than years past. As years
ago POP and MAPI servers didn't scan for malware and lots of malware
came in that way. And I haven't seen any viruses in any of my email
servers in years now.

Another problem used to be Linux and UNIX web servers. As they didn't
bother scanning for Windows viruses (and sometimes not for *nix viruses
either). But the vast majority of them are now doing so. Thus using
trusted websites anyway it is rare nowadays for a server to try to
infect your computer.

So anybody who just wants to use it out of the box and won't even
install a free AV, well they might be better off buying a Windows
Embedded machine instead.
 
BillW50

Quite ... plenty of people with more IT knowledge than Aunt Bessie will
never of heard of SteadyState (which is a Dodo anyway).
Why is SteadyState a dodo anyway? I have the install and the manual, but
I never installed it on any of my machines (but I have read the manual).
But I would in a heartbeat if I allowed others to use my computers. Or
my perfect record of never getting a virus becomes broken.

Many IT people never heard of SteadyState? That wouldn't surprise me as
it isn't really an IT tool. As real IT folks would do it the hard way
and set up permissions for each given user.

What SteadyState does is basically the same thing, but oversimplifies
the process that no IT knowledge is necessary. And since it has so few
settings to set to protect the system, I would think most IT people
would like far more settings for them to tweak. Thus they probably
wouldn't like SteadyState that much anyway.
 
BillW50

That sounds odd to me. Can you explain what the difference was between
the '56 and '58? Was it a manual vs. automatic transmission?
I had a '68 Beetle for a number of years. It had a manual transmission.
And it was a year or so before when they actually started using a real
fuel gauge. Earlier Beetles used a stick under the gas cap to check the
level. And I don't recall any automatic transmission Beetles before say
'70 or so.

One friend bought a '72 Beetle. And that one was automatic. But you
still had to shift, but there just wasn't a clutch pedal.
 
Andy Burns

BillW50 said:
Why is SteadyState a dodo anyway?
Doesn't support Win7, no longer available for download (that can usually
be worked around).
Many IT people never heard of SteadyState? That wouldn't surprise me as
it isn't really an IT tool.
Like all these niche tools, you can't keep up with them all, I first
encountered SteadyState in a school where they "wound back" the machines
between each student logon ... they found it too slow in practice and
removed it after one term.
I would think most IT people
would like far more settings for them to tweak. Thus they probably
wouldn't like SteadyState that much anyway.
Either lock it down properly, use some sort of VM with non-persistent
disks, or with Win7 Pro/Enterprise, boot into a VHD instance and
periodically restore that from a master.
 
BillW50

Doesn't support Win7, no longer available for download (that can usually
be worked around).
Oh is that all? That isn't too serious sounding to me. And if I am not
mistaken, I believe some have claimed to have installed it under Windows
7. I am sure there is probably some work involved to make it work.
Like all these niche tools, you can't keep up with them all, I first
encountered SteadyState in a school where they "wound back" the machines
between each student logon ... they found it too slow in practice and
removed it after one term.
Oh that would bug me to no end. I've never seen a slowdown with Windows
Embedded which also blocks all writes to the system drive. The only
problem I ever saw was all writes are buffered to RAM and once the cache
got nearly full, you had a choice to make. Either allow the writes to
take place on the system drive, or reboot and start fresh once again.

I could usually go for about 20 hours without rebooting if all I was
doing was email and browsing the web. Although you were not forced to
use RAM for the write cache. You could use another drive too. But I
never used that option. That might be better for most people though.
Either lock it down properly, use some sort of VM with non-persistent
disks, or with Win7 Pro/Enterprise, boot into a VHD instance and
periodically restore that from a master.
Yes and there are many other methods which use the same basic idea. But
I don't think there is one method that is clear cut better than another.
 
Andy Burns

BillW50 said:
I've never seen a slowdown with Windows
Embedded which also blocks all writes to the system drive.
I've used both Win2K embedded and WinXP embedded in setups where writing
is definitely enabled to the system drive.
Yes and there are many other methods which use the same basic idea. But
I don't think there is one method that is clear cut better than another.
Yes, as with everything, horses for courses, whatever suits the user and
their level of experience best.
 
