
Lessons On Software Updates: Microsoft and Apple Both Muck It Up

I know this is going to sound intensely weird, or somewhat disturbing, but I'm fascinated by how we treat software as a product. It's kind of a mashup between content like movies and music, which we sort of purchase, but are really just licensing to use, and "hard" products like TVs, hammers, and decorative toilet paper dispensers. Most software companies just sell us a license to use their product, with all sorts of onerous (and potentially unenforceable) restrictions in what we politely refer to as "End User License Agreements", or EULAs. We only call them that because "Non-Consensual Ass Fuck" doesn't have as legitimate a ring to it.

But there's a HUGE difference between software and media. Media is passive: we read it, watch it, and listen to it, but it doesn't affect anything else it touches. A bad book doesn't screw up your library, and a bad CD doesn't ruin your CD player. Software, on the other hand, deeply affects our work and personal lives. We install software on systems running other software, and one bad error in one little program can ruin our entire system, corrupt data in other applications, or even damage hardware.

Because software is so different than other products, it exists, in essence, in a state of perpetual recall. A sizable portion of the technology industry is dedicated to pushing updates to our software. In some cases these updates change functionality, adding new features. In other cases these updates fix security or other product flaws. For a media file it would be like buying the original Star Wars on DVD, then later updating it with all the improvements Lucas made like emasculating Han and having Greedo shoot first. For physical products it would be like plugging my DeWalt compound miter saw into the wall to add a variable speed feature, or to extend the length of the finger guard.

This is an intensely new way of buying, selling, and owning products. One I'm not convinced we fully understand the implications of yet.

Let's turn back to software, keeping in mind that many products today, from MP3 players to phones, now ship with updateable software. As I mentioned before, we tend to lump updates into two categories:

  1. Functionality changes: adding or changing features
  2. Fixes: repairing security or functionality flaws

Ideally these updates benefit the customer by improving the product, but in some cases the update goes in entirely the opposite direction. Vendors can even use updates to deliberately remove functionality you paid for. Take a look at the Pioneer Inno; its FM feature to listen to XM radio using your car stereo was completely removed during a software update (Pioneer forgot to get FCC approval).

We thus have two situations we've never really encountered before in the world of buying and selling stuff.

  1. Updates can change how a product you paid for works.
  2. Updates can change how other products you paid for, on the same system, work.

This is a powerful change to the concepts of product ownership and customer relations and comes with certain responsibilities. Over the past few weeks we've seen two of the biggest technology names in the world totally muck it up: Microsoft and Apple.

One of the cardinal rules of software updates is that you never force an update. The change you're pushing might change vital functionality, and, to be honest, it isn't your right to change my system. That's called cybercrime. It appears Microsoft messed up and pushed out a "stealth" update for the Windows Update feature of Windows XP. This update installed itself even if you told Windows not to install updates. Worse yet, it essentially ruined the Windows Repair function of the system. Press aside, Microsoft probably opened themselves up for some lawsuits.

Another rule (probably more of a best practice) is that you should separate security and functionality changes in updates. This is something Microsoft generally does well these days (except for Service Packs) and Apple does extremely poorly. Security and other flaw updates should be separate from functionality updates because while a user may not want to be hacked, they might not want to change how their product works to be safe. This would be like turning in your car for a recall around a defective airbag and having the speedometer changed from miles to kilometers as a "bonus".

Apple updated the iPhone with critical security updates, but these updates are bundled with serious functionality changes. Thus if I don't want a little Starbucks logo to appear on my phone every time I walk past one, I have to leave myself vulnerable to attack. Nice one Apple.

I really do think we're redefining the concept of ownership, and the privacy advocate in me is worried things are swinging in the wrong direction. Device manufacturers are practically engaged in an all-out war with their own customers, and most of it is driven by the content protection requirements of the media industry.

Here are a few recommendations when dealing with software updates:

  1. All updates should be optional
  2. Don't bundle security updates with functionality updates
  3. Don't break unrelated applications
  4. If you're an application, don't change the underlying platform
  5. Clearly notify customers what features/functions will change with the update

Or to be a little clearer: don't force updates, don't take away functions, tell people what you're doing, and don't break anything else.

—Rich


Comments:



By Scott Wright  on  10/03  at  07:59 AM

Those final 5 rules would have been nice to have 5-10 years ago when I was in Product Management. The turnover of PMs in an organization can be pretty high, and each one of us has a different style. Unless the senior PM, or even the head of Development draws the line and says, "Here’s what we will put in a release/patch/upgrade/etc." then it’s usually a free-for-all. The CASE tools don’t necessarily tell you what kinds of things to put in a release.

I guess a lot more companies do a better job of managing releases these days, but there are probably still too many PM’s who don’t follow these rules. It would make everyone’s life so much easier if they did. Many just don’t know it yet. Senior PM’s need to emphasize it constantly and put some anal geek in charge of release management, with these rules on their checklist.

By rmogull  on  10/04  at  12:15 AM

I think MS has some tighter guidelines than most companies, but this is definitely something a lot of people struggle with. I think part of the problem isn’t just the PMs, but in bigger companies it’s the split between security and product development. The product side and the security side don’t always talk the way they should.

I’d like to see companies just set this as policy so all the PMs know exactly how the suits want things to run, rather than handling it on a product by product basis. But I haven’t been a PM, so I’ll defer to your insider knowledge here…
