Free Republic
General/Chat

To: ansel12
Aren’t 99.9% of the people better off not rejecting the updates that repair weaknesses in their operating systems, software, and browsers when the creators of those items discover a weakness and create the update?

Most updates are not related to security, but they change or extend functionality, some are cosmetic changes. New data formats, new HTML extensions, changes to the code libraries that software calls to interact with the operating system or features bundled with it.

When these non-security updates are installed, they invariably create new security vulnerabilities, or reintroduce old ones.

So then we have another "zero-day" exploit, i.e., after the introduction of a vulnerability, there is some amount of time that users are vulnerable, until the thing is reported to the vendor and a solution is developed, packaged, and made available or pushed out to users.

I’ve been updating for almost 20 years, and like the idea, and have never understood the people who go years without updates, in fact, it seems to be the problem in almost every computer that I have ever looked at.

What was missing on the "problem" computers was the updates that were needed, not the whole stream of all updates.

Also, note that machines may be compromised but the user is not aware of it. For years. Also, one may be lucky for years and not be hacked, even though there are vulnerabilities on one's machine. It's also important to note that machines behind corporate firewalls are administered by professionals with a toolbox of software, whose job it is to keep everything updated. Of course, corporate networks are hacked quite often, so the approach of professional administration, and pushing updates often does not guarantee security at all.

There are basically two approaches for updates.

One, the riskier way: try to keep up with the latest stable versions of everything. You need to upgrade to the latest major release to do this - but you can't obviously upgrade to it if you have software or hardware that it does not support. Once you're on the latest major release, you keep trying to stay up with the latest updates and fixes. This can lead to problems that are introduced by the updates themselves.

The other way is the conservative way: get on a stable release and stay there for a while. Selectively install software so you don't have any installed that you don't need or use; this eliminates vulnerabilities in software that you don't even need. Do the research to find existing vulnerabilities for the software you run, implement the solutions for each that best suits your needs, i.e., turning features off, disallowing access from other IP addresses, apply software security updates that fix the software, etc.

This conservative approach is more "active", the first is more "passive", but more, shall we say, "adventurous".

You seem the guy to ask something that has puzzled me, for the people who don’t believe in updates,

It's not a matter of "not believing in" updates.

It's a matter of wanting to know what the proposed updates are and reviewing them before any are applied, then picking and choosing which to apply so as to avoid having the updates break things in the software that you use and rely on.

I assume they will keep using XP and IE, won’t they?

The userbase changes over time due to death and inactivity on the one hand, and births on the other hand, in addition to current users making the choice to use or not use software. Industry organizations continually extend data protocols and formats, which are then adopted by websites, but not backported to old browser versions. Old browsers therefore don't have all the new pretty things enabled. This causes users to upgrade their browsers, which at a certain point will necessitate OS upgrades; the timing, of course, is up to the OS and browser owners/developers.

Interestingly, the hardcore web / tech folks will be familiar and wholeheartedly support the idea of the simplistic text-only browser.

Lynx is still distributed and available, and serves valid purposes.
58 posted on 03/10/2014 9:06:01 AM PDT by PieterCasparzen (We have to fix things ourselves)


To: PieterCasparzen

My 99.9% comment was a hint that your opinions or information is useless and uninteresting to most people.

You are a computer whiz with strong opinions (which is typical), great, but nothing you have said has helped me.

I don’t have a problem with security, and for 20 years have gotten my free computers from people who do. I’ll continue updating, unless I become as expert as you.


61 posted on 03/10/2014 11:38:36 AM PDT by ansel12 (Libertarianism offers the transitory concepts and dialogue to move from conservatism, to liberalism.)
