Don’t Touch Me!
In the 1990s my son had a computer game that allowed him to build whole cities. He controlled multiple serfs, specialized tradesmen, and soldiers. The sound track fit what the workers were doing, and most of them mumbled or graciously cried “Yes my lord” when prodded into action by his mouse clicks. But one particular worker bee had a different retort. “Don’t Touch Me!” he’d cry.
I’m beginning to feel like that person. Every time I turn around some new utility on my desktop wants to auto update itself. Working on its own, it contacts some update URL, downloads new code and installs it without asking me!
I’m not talking about Windows XP here; I can elect to turn that automatic update off. It’s a very simple chore to access Control Panel > System > Automatic Updates and select “Turn off automatic updating. I want to update my computer manually.” And yes, I believe you should do this. What I’m complaining about is the audacity with which an ever-increasing number of companies think that they know what’s best for me, and that they have the right to touch my computer and change the code running on it. We used to call that cracking and it used to be illegal.
An example of what I’m talking about is EarthLink’s Update Manager. This little bugger runs all the time and periodically checks for changes that EarthLink would like me to believe are critical. Not only is it using resources on my machine, but it doesn’t ask me before an update. I’ll keep my EarthLink account, but recent updates to my system blocked me from getting any mail via dialup the last time I was on the road. I don’t mean to single out EarthLink--it just happens to be the one I’ve had the most problems with lately. EarthLink at least displays their update service on the task bar, and defines it in their help system. They’re also extremely responsive to customer calls.
The most egregious example of this desire to control my computer is the EULA for Windows 2000 Service Pack 3 (and others tell me it’s the same for XP SP1). It gives blanket permission for Microsoft to change code on your computer any time it wants to. The statement below is taken from the EULA.
"...You acknowledge and agree that Microsoft may automatically check the version of the OS Product and / or its components that you are utilizing and may provide upgrades or fixes to the OS Product that will be automatically downloaded to your computer."
To me this says that when I click “I agree”, Microsoft can come calling anytime it wants and download upgrades and fixes. At least XP allowed me to turn the feature off. This new EULA seems to say I can’t. I know there are those among you who think automatic updates are the only thing that will save us. You think a software company should do this automatically and transparently.
Hogwash. Do you allow the company that made your refrigerator, furnace or television set to come inside your house without your permission to see if these appliances need updating? Would you think it’s OK if your leased cars got pulled over, inspected and updated? Who’s to say these upgrades and fixes won’t crash the computer or interfere with something else I’m doing (It’s not like a service pack or hotfix has ever done that before, is it)? I want--and you should demand--the right to control what fixes are applied, when they’re applied, and to which version of the OS or any other software you’re running.
Another issue is that you can’t guarantee integrity and privacy. If a software company’s allowed to muck about in your system’s internals, you can’t prove in a court of law that they haven’t violated the privacy of your employees, customers or patients. In fact, I know several organizations subject to HIPAA (the Health Insurance Portability and Accountability Act of 1996) that aren’t installing SP3 because of this issue. HIPAA affects hospitals, doctors, clinics, insurance companies and any organization that deals with patient data. It requires strict protection of patient information and proof that access is denied to unauthorized individuals. Since when is Microsoft authorized to see my medical history?
Let’s stop the automatic editing of our computer systems by companies that think they know better than us.
Roberta Bragg, MCSE, MCT, CISSP, runs her company, Have Computer Will Travel Inc., out of a notebook carrying case. She's an independent consultant specializing in security, operating systems and databases. Send her your questions or comments at roberta.bragg@mcpmag.com.
By Roberta Bragg. Security Watch, September 16, 2002. Copyright 2002 101communications LLC.