In case it's not clear, "7" and "7 home" are the 32-bit versions. It took me rather longer than necessary to figure that out.
Instead, it now appears, the leading contributor to the virally spreading infection were Windows 7 machines that hadn't installed a critical security patch Microsoft issued in March
I'd guess a lot of those who don't install updates on 7 were greatly turned off by the aggressive Windows 10 upgrade promotions and other unwanted features Microsoft were trying to sneak by as security-related. Those still on XP didn't have to worry about that either.
I remember a memorable analogy about the nature of Windows updates: "they aren't just like vaccinations --- there's also a large chance of making you grow an extra 3 ears, lose one eye, and turn your skin bright green."
If only Microsoft had two "update channels", one for features and the other for security-only fixes...
On my Windows 10 install, Windows Update uses 100% of one core to do whatever it's doing. Once it starts, it seems to spin away indefinitely. Some searching shows that it's not just me that's affected by this. I've also noticed high resource usage from Windows Update on a family-member's laptop (Windows 7 I think). I can understand people disabling Windows Update for performance reasons. It seems to be very buggy and offers few visible improvements to the user. Compare with "apt-get upgrade", which seems to use very few resources, provides visibility on what it's doing and usually takes less than a few minutes to complete.
Yesterday, I "fixed" a two-year-old Windows 10 notebook computer. It's a cheaper model with one physical CPU core. As far as I could tell, there was no actual malware on it, just Windows and some terrible antivirus package that came with the machine. It hadn't been used all that heavily. Nonetheless, it took 15 minutes to boot and another 15 to present a usable desktop. Even with the AV disabled, the system was still basically unusable. I fixed it by installing Arch with XFCE. (It's in my household, so I'm not worried about the perils of nontechnical users failing to maintain the install.)
I'm disgusted by this situation. This was supposed to be a simple email-checker. But without anybody making any serious mistakes in its administration, (terrible AV software notwithstanding) it had degraded to the point of uselessness in two years and was headed for the dumpster. (There was still plenty of space on the hard disk, and as I said, no evidence of malware.) I could only conclude that the computer was behaving exactly as it was designed to. Under Linux, this computer remains perfectly suitable for its purpose. It's quite responsive even when running a modern web browser, and I have a whole separate rant about how insane web browsers have become.
At any rate, it's quite sensible that people don't apply updates, when updates literally make the computer impossible to use. This being Windows 10, there was no avoiding updates, but I can see why Windows 7 users wouldn't bother with them.
There is a common problem with windows xp and windows 7 failing to update and the process hangs consuming one core completely. Quite a bit of googling/duckduckgo usually fixes it, it's some updates that you need to download and install manually, seems a bit random which ones are needed each time but I have a collection saved for future use. :-)
After doing this I can update windows normally again.
Try these for starters:
kb3102810, kb3138612, kb3172605
I've heard of this problem too --- and it's interesting to ponder what the economic effects of this constant increase in power usage would be, vs. the "damages/costs" of WCry or similar malware outbreaks. Having a significant portion of the world's computers effectively wasting power can't be cheap...
The fact that Windows can't seem to have a sane system update facility continues to boggle me, especially considering that system-wide updates are comparably quite painless on just about every modern Linux distro (aside from the SAG Trifecta and some other oddballs) and have been for nearly multiple decades now.
But apt-get can get in pretty bad (almost unrecoverable) states concerning dependencies. The only OS that has updates down to perfection is macOS, sadly.
"The only OS that has updates down to perfection is macOS, sadly."
Even if that was true, it is valid only for system packages. Updating any other application means one of the three things:
1. Manual updates (and don't get me started on uninstalling).
2. Brew (which can be a hell of its own kind).
3. Apple Store (a.k.a. the walled garden).
For completeness' sake, there's also MacPorts (and Fink, but I don't know anyone who's actually used it).
MacPorts is also hell for various reasons (not the least of which being the effectively-nonexistent integration with the rest of macOS, keeping its own little silo of an OS that gets huge if you install even relatively-simple graphical applications).
1. What? Almost every app uses Sparkle for seamless updates. And macOS has been lauded for a long time as having the simplest install and uninstall process. Drag into /Applications = installed, drag to trashcan = uninstalled. Snaps/Flatpaks will finally bring that to Linux
2. Again, what? Brew is dead-simple. `brew install whatever` and `brew remove whatever` work like butter.
3. Triple what. Sandboxed apps that cleanly update, with a gatekeeper that makes sure no trash comes through? And I can manually sideload stuff if I absolutely need to? Hell yes.
I have a pretty strong feeling you're a Linux elitist, probably running Arch. All the stuff you point out about macOS is plain wrong, and you'd know within a day of using.
And I have a pretty strong feeling that you are a Mac fanboi, jumping to a conclusion despite hints against it, simply because someone criticised your religi^H^H^H operating system of choice. ;-)
1. Oh yes, Mac has the easiest installation process. Deinstallation, not so much -- yes, you can draw your app to trashcan, but that leaves a bunch of data files, configurations (depending on the app) etc on the disk. That is the reason for existence of a number of uninstallation utilities like AppCleaner or AppDelete (my tool of choice). And while Sparkle is useful, it is a third-party effort and not part of the OS.
2. Oh yes, brew is simple, there is no doubt about that. Except when a package becomes corrupted (e.g. while upgrading, or when there are missing dependencies, or when you accidentally install the same thing in two different ways), in which case it becomes a nightmare to untangle.
3. Oh yes, the gatekeeper is very useful -- unless you disagree with it about what represents "trash". And honestly, my strong belief is that Apple is going to restrict the other ways to install apps in favour of the Apple Store, moving towards a "desktop iOS"; which is perfectly fine if you just want to use certain apps, but isn't if you're a software developer building anything other than MacOS or iOS apps.
Edit: Just to clarify, I am giving my own opinion and pain points which have been turning me away from the Mac for quite a long time (and it's only getting worse). It is not my intention to force my opinion to anyone else or to pronounce Mac the worst and Linux (or anything else) the best choice. It's simply the case that each OS has its own realities, and some are better fit for some purposes, and others for others.
Unless you use non supported 3rd party repositories, it never happens. Like never, ever. With snaps on the rise, people will probably not use ppa anymore unless they are tech savvy enough to take care of any (rare) problem.
>Unless you use non supported 3rd party repositories
Or you mix and match releases. I usually keep Sid sources enabled, so that I can quickly build a newer version of this or that package if necessary; 90% of the time this works flawlessly, but when it comes to complex stuff like python, the dependency graph can get a bit borked if I'm not careful. (Yeah yeah, not supported, but as I said most of the times it works just fine.)
Whereas Windows Update just screws up periodically on its own. Sometimes it sits at 0% for hours then BANG! 60 updates installed, please reboot. Once I had 100+ updates to apply and I couldn't see any progress, so I killed the wusua service and observed the download folder immediately filling up with packages, which clearly Windows was keeping somewhere else while lying about download progress. Then there are the times when it just refuses to install this or that update and doesn't tell you why...
>The only OS that has updates down to perfection is macOS, sadly.
Really?
Update downloads restart once in a while for no apparent reason. Also, installing Xcode after already having the command line tools messed up everything for me last week.
But sometimes, the broken packages error is illusory. Just a few days ago, I was installing some old thing on Debian jessie, and got that it depended on openssl (0.9.8). But apt wasn't going to install that. So I get that jessie has openssl (1.0.1). Hopeless? No. It turns out that both versions can actually coexist.
This isn't a problem with snaps (https://snapcraft.io), which bundle their dependencies. They're also transactional: if the update fails it just rolls back to the last known-good state.
I agree. At the peak of the "upgrade to Windows 10" onslaught, disabling updates was the simplest way to avoid forced upgrade. Users had many reasons to object. Fear that older machines would screw up. Fear that critical apps wouldn't work. Fear of increased surveillance. Or just basic "You can't make me!".
Justified fear. 100% of the older machines I upgraded to Windows 10 stopped working in one way or another (e.g. Wifi didn't work, video drivers crashed) after upgrading.
Several friends' computers just didn't boot any more. Luckily for the friendship I had made a complete image of the bootdrive before upgrading... Needless to say those friends are still running Windows 7 from fear of what might happen...
Or even people taking a college exam and being forcibly rebooted in the middle of the exam, with potentially a non-functioning laptop (and definitively an updated and unfamiliar UI).
Yes, like that. Or just people doing whatever, where interruption would be painful, for whatever reason. Microsoft did settle with a few people with such claims.
Automatic rebooting in general might as well have one of those "considered harmful" articles, like with GOTO statements and $COMMONLY_DISLIKED_PROGRAMMING_LANGUAGE.
Considering that they were sneaking the Win10 update into random updates I expect that it would end up in the security-only channel almost immediately. Especially since one of the key arguments for the forced updates is security.
I suppose the counterargument there is "Win10 is not the security I want". IMHO I would define "security-only" --- or perhaps "critical-security-only" --- to be fixing remote code execution (e.g. WannaCry, various IE exploits, if/when anything is discovered in TCP/IP stack, etc.) and very little else.
The latest ltsb is 1607, and the next one is slated for 2019.
>can you even get an LTSB release for the latest Windows 10 1703 Creators Update?
Why get ltsb if you're going to get the latest version anyways? You might as well use regular enterprise and defer feature updates.
Because we're discussing getting features when the user wants them, not as a surprise auto upgrade in the middle of a presentation. And getting security updates quickly without having to buy-in to new features at the same time.
>Because we're discussing getting features when the user wants them, not as a surprise auto upgrade in the middle of a presentation
That's not the issue because even if there aren't feature updates to apply, there are still security updates that trigger a restart. They extended the working (no restart) hours to 18 hours, which should be enough to prevent surprise auto updates from happening.
>And getting security updates quickly without having to buy-in to new features at the same time.
Then get LTSB. But if you're going to be using the latest version anyways (as indicated by you wanting the creators update) use CBB + defer feature updates, which buys you at least 8 months of extra time.
The point is that you shouldn't risk having to learn a new UI or resolve driver issues in the middle of your exam or presentation. Or even during a particularly busy work week.
I stopped all Windows updates on my laptop because I use it mainly before going to bed to watch some videos and read a bit, and the constant updates and forced reboots (forced as in, it just CLOSES EVERYTHING and shuts down) are an incredible nuisance, I don't have that kind of time in the evening. I turn them on once in a while and do a big batch of updates, then I turn them off again.
Funny thing is, I am a developer myself. I just can't be bothered with a machine that auto-reboots all the time. I have no valuable data on that laptop, frankly, I'd rather have a virus every other year than deal with a machine that constantly updates when all I want is prolonged stability.
Wasn't it Microsoft itself who deemphasized "shut down" in favor of "sleep", by moving the shutdown command to a hard-to-find place? The intention was clear: the computer should be "always on", and a full shutdown should be done rarely, if at all.
I posted a brief rant elsewhere in this thread about a notebook computer that was basically unusable because of Windows. It had been configured at the factory so that the power button didn't actually turn it off. Because it was used infrequently, and because the power button caused it to sleep instead of powering down, this computer always had a dead battery. This particular machine had no sleep indicator light, so to all appearances it was truly turned off. I'm angrier at Microsoft than usual today.
True, this post did a poor job of making my case against Microsoft. My other post in this thread goes into more detail. With regard to power in particular, I'd argue that the "power button means sleep by default" is a terrible idea. By default, the power button should put the system into a state where it's not drawing an appreciable amount of current. Sure, Asus compounded the problem by not providing the computer with a sleep indicator LED, but Microsoft gets a lot of the blame for pushing the idea that we should suspend rather than power off our computers. I can only imagine that they wanted to mitigate their ludicrously terrible startup times.
Windows 10 has two update channels. Under "Windows Update" > "Advanced Options" there are two separate settings to delay "feature updates" and "quality updates".
I don't know whether earlier versions of Windows offer this level of control as I've got Win10 on all my machines. I just leave them on automatic update and yet I still only have two ears.
Not in its heyday. By the very act of clicking the 'exit' sign on a Windows 10 update prompt, you were consenting to the update. The methods of turning off the background update service through task scheduler or registry keys were thwarted multiple times. The only real way to totally prevent upgrade was to disable Windows Update.
There were free utilities that blocked the update.
Also, for the record, I never saw any attempt at a forced upgrade across three different machines... even though I made no attempt to block them. This makes me doubtful about "forced upgrade" stories.
However, even if someone correctly claimed that they were forced to upgrade and didn't, along the way, accept the Windows 10 terms and conditions, it was dead easy to roll back to the previous OS. Far easier, in fact, than coping with a ransomware attack.
If we're adding personal anecdotes, then I'd like to file my own experience. A lab colleague's computer upgraded to Windows 10 in front of my own eyes. All she did was leave it alone long enough for her to go and drink some water. It was the only computer in our group which had the 3D modelling software we needed, and the update managed to break that. (I think we tried the roll-back too and that failed). Anyway, this was a few hours before our assignment was due. That is not a time to be left without one's tools.
I talked about this before here on Hacker News. Many others did. Some journalists also covered it.
Even I couldn't believe the shady tricks everyone was accusing Microsoft of until I saw it with my own eyes. But then again, I should also have realized that if so many people feel tricked, then it doesn't really matter if it was technically a trick or not.
If it wasn't technically a trick, then it sure was designed to fool users, evidenced by the sheer number of people fooled into it.
> I think we tried the roll-back too and that failed.
I did a few roll-backs to test the system and they worked perfectly. However, if you're upgrading 400 million PCs, there will inevitably be some errors.
This is why we have backups ;-)
> evidenced by the sheer number of people fooled into it.
How many do you think there were, and what's the percentage error over 400 million or more upgrades?
Never10 was one of those utilities I've used in the past. Resorted to this or Group Policy to prevent Win10 upgrade only after Microsoft's persistence in pushing GWX related updates under changing names over the span of several months. Maybe not forced but likely intentionally deceptive upgrades. Have personally seen 2 PCs fail the rollback within a week of upgrade. Was able to extract system restore files and reinstall with source media then restore but had sys restore service been off it would have been a permanent 'trial' upgrade.
>However, even if someone correctly claimed that they were forced to upgrade and didn't, along the way, accept the Windows 10 terms and conditions, it was dead easy to roll back to the previous OS. Far easier, in fact, than coping with a ransomware attack.
From whose perspective? Microsoft? This was already fixed, just that people didn't update, because like I said, people just disabled updates. That trust was broken by Microsoft. Even if you are doubtful of 'forced upgrades', you can research for all the evidence yourself. I've had it happen to plenty of machines, and the free utilities, like I said, were negated multiple times as Microsoft kept changing how their win10 update service could be blocked. Sure, there were months where it would be perfectly stable, but if you needed to be sure, you turned off Windows Update.
> Even if you are doubtful of 'forced upgrades', you can research for all the evidence yourself.
The fact that people claim -- or journalists report -- forced updates doesn't make their claims true. Everybody who deals with real users knows how unaware they are.
Having said that, I agree that the "dark patterns" were a really bad idea. Microsoft actually does know how unaware real users are, and its upgrade offers should have reflected that.
Whether it was worth turning off security updates is another matter, and would depend on the circumstances. For most users, my opinion is that it was stupid.
Also, if you're installing a new machine you have to connect to the internet to get the latest updates. There's a good chance that WCry gets on the machine before Windows Update has a chance to install the patch. Windows Update is very slow and installs unimportant updates before the critical ones.
Are you implying that WCry magically gets through firewalls? Last I read, that was not the case. So unless you're plugging in your brand new, unpatched machine into the public internet, without any router/firewall in between, you should be quite safe, no?
That's also how I understood it. Your NAT usually blocks incoming connections by default - it does not know which computer in the network behind it was meant to be the receiver anyway. If you direct your NAT to send all incoming connections to one PC, then this PC is vulnerable.
Fat chance of that happening; when Microsoft really wants you to avail yourself of their new spinning, dancing start button, they will flag it as a "critical" update, or attach it as a rider to a critical security fix.
Apple does this too; that's why I haven't bought a Mac in many years.
The C++-ABI-breaking libstdc++ from Mac OS 10.4 was backported to Mac OS 10.3 and pushed out in a hafta-havit security update -- but none of the compilers were. So any attempt to link C++ programs under Mac OS 10.3 suddenly broke.
How come? Apple issues security updates for older desktop OSes regularly. Furthermore, apple does not install new mac releases (e.g. Sierra) automatically. You have to install the Upgrade macOS app from the App Store. Sure there is a big banner above the security update screen which advertises the new version but you really do not have to install it. And it certainly does not trick you into installing it (in macOS, iOS is different). It just makes it easy and obvious how to upgrade.
Something tells me that people that still run XP aren't exactly the Kaspersky clientele, so the sample is severely biased. Unless Kaspersky pro-rated the infection rates to accommodate for that, but it doesn't sound like they did.
I mean Win 10 and XP both have relatively similar install bases of around 10% of installed windows instances. So of course 7 spread it more... It's more commonly installed.
However, you might be able turn off SMB1 support is if you still have machines with Windows XP or 2003. This is a similar situation to SSLv3 when POODLE was discovered, in that the difficulty of getting rid of old protocols, is that of getting rid of the last ones (Though I realise WCry exploits an implementation bug).
Why is it enabled by default then? If you need such an old legacy thing, shouldn't it be the other way around? Like that you need to enable it if you need it rather than disable it if you don't.
I would suspect because they initially shipped with it enabled in 7, and changing that default during the product's lifetime, even with the loudest notification they could muster, would break people.
SMB1 will be disabled by default in the Fall Creators Update [1] and removed completely in a future release of Windows 10 [2]. It should have probably happened a lot sooner, but the protocol is still used quite a bit [3] despite Windows itself not requiring SMB1 for the past 10 years [4].
I had to update a Windows 7 laptop recently and the process was far from easy: the update process hung at 100% CPU for hours and I had to manually install the monthly update rollout. Average people won't do that and just disable the updates.
That is what hasn't been mentioned in this thread. Around half of the Win7 systems I get asked to look at never actually pull updates because it's stuck checking forever. This is due to a WSUS client bug. Fix used to be to take the system offline and install 3 hotfixes... not user friendly or obvious so it doesn't ever get done by end user.
Same... I have this old Windows 7 laptop I hadn't used in a couple of years... I had to wake it up again to do some testing of my new app on Windows, and the upgrade was just a total nightmare... I had to follow the old procedure on this [Microsoft forum](https://answers.microsoft.com/en-us/windows/forum/windows_7-...), which took me hours to do!
If it wasn't for the WannaCry problem, I wouldn't even have bothered!
Exactly. I've seen this problem on Windows 7 as far back as 2012. Any machine that is not constantly receiving updates will run into this issue sooner or later. On weaker machines, the update process will actually eat all the machine's memory and likely never finish. Also, the manual update which fixes this problem changes every few months. At this point I feel that Microsoft just wants to discourage people from using Windows 7.
Yeah, that dead horse called "New OS-Software every five years" still has some miles to go before acceptance sets in that business customers prefer stability over shiny any day and infrastructure now sells as a service.
This is a nice example of blame shifting to either the consumers or the programmers..
Blame for the whole "deactivated" updates affair should be upon the CEOs and marketing guys who tried to shanghai-shovel Win10 onto consumers and customer companies.
Yes, they might have saved Microsoft in the short term by burning consumer trust, but if that consumer trust is part of the worldwide infrastructure, they should be called liable for burning this resource.
The worm reused the meterpreter code which didn't target XP at all. For some reason some people are having a hard time dealing with this: https://news.ycombinator.com/item?id=14377799 and I am beginning to wonder why. Any insights?
>The worm reused the meterpreter code which didn't target XP at all
Small nitpick- though the worm aspect of WCry does have a lot of issues with targeting WinXP, the meterpreter part of that sentence is a widespread myth that originated from poor wording in a slide. Source, w/ a reply that has a link to correction from the original author: https://twitter.com/riskybusiness/status/864293475981729793
I think because they're aware Microsoft released a patch for Windows after XP, they're thinking as though XP can be the only one affected by the ransomware. As we've learned, that logic doesn't work since people turn off updates.
I think the reason that they were downvoted was not because people have a hard time accepting it but because they just stated that windows xp was not targeted without linking to any sources for that claim.
Well for one thing, people seem to really enjoy victim blaming. It's much easier to say, 'The people who got infected have only themselves to blame, they were using an old and unsupported OS!' rather than to accept that maybe it's not necessarily anyone's direct fault if their computer got infected.
It was patched for 7 months before WCry started to spread. So it's not "The people who got infected have only themselves to blame, they were using an old and unsupported OS!" it's "The people who got infected have only themselves to blame, they were using an old and extended support OS and turning off Windows Update!"
> according to a blog post published by AV provider Malwarebytes, it spread through a mechanism that scanned the Internet for computers with open Server Message Block ports
I'm still amazed so many PCs are directly online, and not trapped behind NAT or at least a firewall. Does this mean that the NHS, etc had DMZed machines on their LAN?
edit: Shodan shows over 1 million machines with SMB open