Subscribe to our mailing list

* indicates required
Close

Friday, April 24, 2009

Automatic Update Hell Must End

I recently stopped using anti-virus software. People think I'm crazy. But I'm not. It's about getting out of Automatic Update Hell.

And BTW, it's been a year now and my machines (Win XP and Vista) haven't been overtaken by the Bogeyman, because I don't practice the PC equivalent of unsafe sex. I'm not in the habit of opening e-mail attachments from people I don't know, clicking links in e-mails that have "Viagra" in the subject line, etc. I don't download games, wallpapers, screensavers, utilities I haven't heard of, crackz, hackz, or any of the other stupid-idiotware that can get you in trouble. I sure as hell don't run Internet Exploder, and guess what? I have a firewall, and a brain, and I know how to use them. (So Symantec, read my finger.)

Uninstalling Norton anti-virus software is extremely difficult, it turns out -- more difficult than uninstalling the malware it supposedly protects you against. But once it's gone from your machine, the hard-disk thrashing stops, the sudden CPU-spiking disappears, and the telltale sluggishness that accompanies a background download of the latest patch(es) vanishes.

Also, without a virus-scan of every document you open, the whole machine feels faster. Things like EditLive! and other applets load twice as fast. Zip archives open faster, etc. Sure, you can achieve this by turning off Norton's file-scan feature. But that's my point: Why are you buying software that you turn off?

So merely by getting rid of pointless anti-virus lockin-ware, I've scored a useful speedup and probably doubled the life of my hard drive. But I'm not totally out of Hell yet. There's still Microsoft to deal with.

Turning off Automatic Updates is one of the best things I've ever done to achieve better machine performance. Installing updates from Microsoft has always brought some kind of speed hit, somewhere, and sometimes brings new annoyances (new security dialogs that have to be turned off).

I'm very glad to be rid of Automatic Updates.

Sun's automatic Java updates are another painful annoyance. Again, though, you can turn this off fairly easily. But every time you manually upgrade your JDK, it seems Sun re-enables automatic Java updates. So you end up turning them off again.

But even after you get rid of Norton lockin-ware, disable Windows updates, and shut Sun the hell up, you're still not out of Hell yet, because there's yet another offender on your machine, a stealth daemon from Hades that sucks bandwidth needlessly while putting your hard drive through a rigorous TTD (test-to-destruction) regimen. I am talking, of course, about Adobe and its pernicious suite of updaters.



There's a famous line in Ace Ventura that makes me smile every time I hear it: "Dan Marino should die of gonorrhea and rot in hell." I would like to repurpose this statement somehow, except that corporations can't die of gonorrhea (any more than anyone else can), so Adobe, all I can say is: enough with the updates.

I can't think of a worse impediment to the widespread adoption of Adobe AIR than this:



I've seen this dialog far too many times this year already. It makes me want to empty a full clip of copper-jacketed hollowpoints into my machine. What is so defective about AIR that I have to update it every other time I fire up Yammer? (For that matter, what's so hopelessly broken about Yammer that I have to update it five times a week?)

Enough ranting. All rants should end at some point, and be followed by a constructive proposal aimed at solving the problem(s) in question.

So let us ask: What, if anything, should software vendors do about all this?

I can suggest a few things.

First, software updates should be opt-in by default, never the reverse.

Second: A vendor should never silently turn automatic updates back on after the user has turned them off.

Third: Give me some granularity as to what type of updates I want to receive. There are three basic types of updates: Security patches, bug fixes, and enhancements. I rarely want all three. Within those three, there are (or should be) several levels of criticality to choose from. I may want security fixes that are critical, but not those that are merely nice for grandma to have. Let me choose.

Fourth: Don't ever, ever make a user reboot the machine.

Fifth: Let me have the option, stupid as it sounds, of checking for updates at an interval of my choosing. Not just "daily, weekly, or monthly." Let me actually specify a date (e.g., December 25) on which to check for updates and receive them all in a huge, bandwidth-choking download that utterly shuts me out of the machine for 24 hours instead of torturing me daily, throughout the year, with paper cuts.

Sixth: Write better software. Don't let so many security vulnerabilities go into distribution in the first place. Open-source as many pieces of your code as possible so the community can find security flaws before ordinary users do. Don't make the user do your security-QA.

Microsoft, Sun, (Oracle), Adobe, are you listening?

36 comments:

  1. Anonymous8:51 AM

    Couldn't agree more :)

    ReplyDelete
  2. I agree 10000000000%. In fact, I wrote a very similar piece on a blog post of mine: http://jasonmbaker.wordpress.com/2009/02/03/software-update-hell/

    It's interesting because you and I point out almost the exact same things.

    (hope you don't mind the shameless plug)

    ReplyDelete
  3. I think there are two avenues of thought here... the first is maintenance updates or patching that improves features or stability... I think regular intervals would be appropriate instead of ondemand.

    The other avenue is security and that's not as simple. These companies MUST react immediately when there's a threat to ensure their clients are not in danger of someone hacking their system.

    I hope you're right... I hope that your system is safe without the updates. As for me, I won't take those chances! I like automatic updates - I just don't appreciate that software companies are doing less QA and security testing now... since they depend on their users being their beta testers.

    ReplyDelete
  4. I'm not sure how open source software is less prone to updates; Ubuntu seems to have updates every few days. Though here all your software (that is installed through repositories) is updated from the same place so you don't have a million different icons to annoy you.

    ReplyDelete
  5. I like the way Firefox handles updates. Installs a new version in the background and tells you that its done it.

    ReplyDelete
  6. Chris: My open-source remark was more aimed at security aspects (I agree with you that Linux updates can be onerous). Security flaws are uncovered much more quickly in open-source software than in COTS. That's all I meant.

    ReplyDelete
  7. Anonymous9:46 AM

    Interestingly with Ubuntu (and most other linux distro's) you can choose the types of updates you want.

    I turn on automatic downloading and installation of security updates. But all other updates are done manually by me. Still using the same single program, that updates everything I have installed. When I do it manually, I can also uncheck whatever I don't want or need.

    However, after a release the only updates we get are bug fixes anyway. No new features. For that we have to wait 6 months, and then all apps can be updated at once, for new features.

    However, Chris is right about Ubuntu have several updates every day. But that is during the unstable period. When released, there are still some bug fixes and security patches. But you can completely control the update experience for all programs at once. So the Author of this blog, should be very satisfied.

    Also, it preinstalls a lot of software, way more than windows. And it all uses the same update tool, so there is another explenation for the amount of updates. If you add windows updates, to adobe updates, to java updates to firefox updates, etc. If you add them all up, you get about the update frequency of ubuntu. Which is indeed why I have turned updates into manual mode, except for the security patches, which may be downloaded immediately and applied immediately. But that happens about once a week at most. And more often than not, when I'm not sitting behind my PC.

    ReplyDelete
  8. Anonymous9:55 AM

    Adobe upndates can suck my crankKKKKKKKK!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

    AHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH

    -Ibod Catooga

    ReplyDelete
  9. I installed IE8 and it blew my machine to pieces, result is won't install it.

    Can you please add Apple to your list, I don't use iTunes or any of the other crap so please?!

    Also add phantom services to this, why do I have services that I will never use and if and when once a year let me turn it on then.

    Damm this ranting feels good, so good... what have you started!

    ReplyDelete
  10. Agree completely... it's pretty absurd. And I like your solutions.

    FWIW I recently switched from McAfee to Trend Micro and it's MUCH better in both intrusiveness level and performance hit.

    ReplyDelete
  11. Anonymous11:13 AM

    Adobe developers are dumb idiots, by default all its product updates silently gets downloaded and eats up the bandwidth :-(

    ReplyDelete
  12. Anonymous11:50 AM

    Windows really needs an appropriate API for auto updating so that all the applications can be controlled on a schedule that is set on the operating system.

    Every piece of software needs to auto update itself for security patches and updates and its quite hard coming back to Windows from Linux to not have all the updating done for you. What in linux took a few minutes of machine time takes an entire afternoon of hunting around for updates and uninstalling/reinstalling of software manually.

    ReplyDelete
  13. Anonymous11:56 AM

    Use Debian.

    ReplyDelete
  14. I'd leave you a more eloquent message, but (yes, it's true), AVG just told me that I *must* restart my computer due to updates in 54 seconds. Arghhh!

    ReplyDelete
  15. Well, first, while it is possible to be well protected against things you have to click on, it is difficult to impossible to protect yourself from things that find you, like worms, malicious web pages (you read web forums right?) etc. On the other hand, Norton is one of the worst antivirus programs out there, so I can feel your pain. Just switch to NOD or Avast! and while you are still going to get regular updates, it is nothing compared to the weight laid down by Norton protection. Avast! compared to Norton is like a local police department compared to an occupation army, both keep criminals in check, but the latter also invades your home and rapes your wife.

    ReplyDelete
  16. Anonymous12:35 PM

    You sir, are an idiot.

    ReplyDelete
  17. This is a really terrible idea. Especially turning off Windows automatic updates is a great way to get your computer compromised, your credit cards stolen, etc.

    ReplyDelete
  18. I urge everyone reading this post to ignore the advice of the author and to, in fact, do the opposite.

    1. Please ensure that you do run antivirus software and keep it current. Simple practicing 'safe computing' does not do enough to prevent your computer from being infected. There are a myriad of ways for a PC to be infected, some of them involving no action from the user, some masquerading as legitimate actions. Without an up-to-date virus scanner in place, you could be infected right now and your computer could be a zombie participating in a botnet and you would never realize it.

    2. Turning off automatic updates ensures that you run out of date, potentially exploitable software. Software bugs are a fact of life; wishing or demanding that they go away won't change that. Having programs update automatically is currently the best way of eliminating or mitigated the effects of those bugs. I find it very strange to, on one hand to demand better software and on the other to decry the process by which software improvements are made.

    ReplyDelete
  19. Anonymous4:17 PM

    If you're gonna use antivirus software use NOD32 or Kapersky. For the love of Jebus, don't use Norton.

    ReplyDelete
  20. Anonymous5:10 PM

    I was actually amused by your "I sure as hell don't run Internet Exploder," comment, since on Vista, IE, or Google Chrome, are significantly safer than Firefox.

    Low IL's, DEP, and ASLR beat just using DEP.

    ReplyDelete
  21. Anonymous10:26 PM

    The first thing I do is turn off Microsoft automatic updates. 2nd is to stop the rest of the automatic updates referred to above. I haven't run an antivirus program for 10 years and I won't ever.

    I prefer to use Process Explorer, Startup monitor, and autoruns and other free (& tiny) tools from from www.sysinternals.com.

    I will occasionally install an AV or spyware package, update it, scan, uninstall. Just to make sure nothing's slipped through - and they never find anything.

    ReplyDelete
  22. Anonymous11:45 PM

    "The first thing I do is turn off Microsoft automatic updates. 2nd is to stop the rest of the automatic updates referred to above. I haven't run an antivirus program for 10 years and I won't ever."

    Is it any wonder that the botnet sizes are reaching into the millions? That statement is the best argument for licensed Internet connections that I have ever seen.

    ReplyDelete
  23. Anonymous3:24 AM

    "I'm not sure how open source software is less prone to updates"..? OSS with its mantra of release often is actually much worse when it comes to the updates, I tend to prefer the monthly "patch Tuesday" approach, generally no patch is that important that it needs to be installed immeadiately (anti-virus is the maybe exception, but this could be limited to the type of people who like to install smilies or earn money from home...)

    I'd have to say that one of the worst offenders is Firefox, prettymuch everytime I open it up it either updates itself, or one of its plugins. And then I get the the splash screen to tell me what got updated - seriously who cares?

    ReplyDelete
  24. Good comments! After decades of PC use I switched to a Mac last year and went anti-virus free. And now I resent the Windows PC I still have around because once all these software products start doing their update checking and security scans a perfectly fast machine becomes a sloth.
    But I still think leaving automatic updates on is probably better for the average Joe. But once I choose to turn them off they should never EVER come back on unless I ask.

    ReplyDelete
  25. We call a person who is trying to stare into their own head to catch it thinking the wrong things "psychotic". We call this state in a computer "anti-virus".

    ReplyDelete
  26. excellent information about Automatic Update Hell Must End and I don't think that you are crazy I'm crazy i want to take Generic Cialis and I'm healthy

    ReplyDelete
  27. Hi
    my friends let me tell you i just find out of a great pill it give you a great power in bed the sex is amazing my wife is happy because my power and stamina is so high that sex for my last for more that 6 hours is AMAZING.buy viagra you wont regret it . :D :o

    ReplyDelete
  28. Hello
    help me please
    I can t understand this information about uninstalling Norton anti-virus software

    ReplyDelete
  29. Anonymous6:18 PM

    I also went without Antivirus software for lots of years. Until this one moment I never forget. I didn't use my PC for months. When I started it up, the PC was already infected. The virus came from the internet due to a Microsoft operating system bug, before I had a chance to patch the system. It was the only PC and I had a modem connection to the internet (without firewall). That was the time to install an Antivirus software for me. I still don't like automatic updates (except for thie Antivirus software), but I want to choose the time when all updates get installed. I still didn't manage to turn off the Java updates. In Vista you have to run the Control Panel application as Administrator. But even if you turn it off as Admin, other users (which are not admin) still get asked to update. That's useless and very annoying, as they don't even have the rights to update it. Let me know if you found a solution to this. Eric

    ReplyDelete
  30. Melinda Pride8:12 PM

    I am a simple computer user. I recently had to get rid of my Mac for compatibility (business software) issues. I bought an HP cheap and upgraded to windows 7. I am being very mellow right now. If I get one more update with language I don't understand I may fire-bomb something or someone. What are updates? Fuck-ups that someone didn't catch the first time? A way to gather info? If you spend three years to five years programming something, would it not be right? To me it seems like a way to overload your hard drive so you have to buy, purchase, upgrade, essentially spend more. Either way, grab your ankles and squint your eyes. We are getting screwed again.

    ReplyDelete
  31. Thanks for the review. I hope that your system is safe without the updates.

    ReplyDelete
  32. I am amazed by the way you keep posting such humourous and relevant content on your blog.Keep posting.This is something that is best.

    ReplyDelete
  33. Nice 1. Totally agree as this is something which has bugged me for ages and with the rise of mobile apps it's even more absurd. Why do you need a weekly update of simple apps like Compass or Alarm Clock? Public outcry should be perfomred and honest developers (like Ghisler's Total Commander and I'm sure many other's) should be given a tap on shoulder. :)

    ReplyDelete

Add a comment. Registration required because trolls.