Defensive Computing

May 27, 2008 9:00 PM PDT

Fraud ruling against Dell validates years of gripes

by Michael Horowitz
  • 11 comments

In December of 2002, I started a page on my Computer Gripes site devoted to Dell.

Accumulating gripes about Dell was like taking candy from a baby; there was no sport in it. Eventually, I gave up maintaining the page, but despite a total lack of advertising or promotion, people kept finding the page and adding their own gripes.

Now these Dell gripes are official.

The Office of New York State Attorney General Andrew Cuomo won a lawsuit on Tuesday against Dell and affiliate company Dell Financial Services (DFS). The illegal activity involved both computers and finance. According to a government statement, "Dell and DFS engaged in fraud, false advertising, deceptive business practices, and abusive debt collection practices." Wow.

The Associated Press reports that the attorney general's office had 700 complaints when the lawsuit was filed and has received more than 1,000 since. And that's just in New York.

"For too long at Dell," Cuomo was quoted as saying, "the promise of customer service was a bait and switch that left thousands of people paying for essentially no service at all."

State Supreme Court Justice Joseph C. Teresi, who made the ruling, said, "Dell has engaged in repeated misleading, deceptive, and unlawful business conduct, including false and deceptive advertising of financing promotions and the terms of warranties, fraudulent, misleading, and deceptive practices in credit financing, and failure to provide warranty service and rebates."

On the computer side, the decision says (the bullet points below are taken directly from the official statement) that customers were deprived of warranty tech support by Dell:

  • Repeatedly failing to provide timely on-site repair to consumers who purchased service contracts promising "on-site" and expedited service;
  • Pressuring consumers, including those who purchased service contracts promising "on-site" repair, to remove the external cover of their computer and remove, reinstall, and manipulate hardware components;
  • Discouraging consumers from seeking technical support; those who called Dell's toll-free number were subjected to long wait times, repeated transfers, and frequent disconnections; and
  • Failing to provide rebates that were promised to consumers.

On the financial side, Justice Teresi concluded that "Dell lured consumers to purchase its products with advertisements that offered attractive "no interest" and/or "no payment" financing promotions. In practice, however, the vast majority of consumers, even those with very good credit scores, were denied these deals. In a classic 'bait and switch' scheme, DFS instead offered consumers financing at high interest rates, which often exceeded 20 percent. Dell and DFS frequently failed to clearly inform these consumers that they had not qualified for the promotional terms, leaving many to unwittingly finance their purchase at high interest rates."

The response from Dell, besides disagreeing with the ruling, was that not many people complained. The same AP story quotes a Dell representative, who says, "We are confident that when the proceedings are finally completed, the court will determine that only a relatively small number of customers have been affected," and it reports earlier statements by Dell that the company "had 6 million transactions in New York between 2003 and 2006, with alleged complaints representing only a tiny fraction."

To help draw your own conclusion, read the original decision and order (PDF).

See a summary of all my Defensive Computing postings.

January 9, 2008 8:59 PM PST

Vote for the worst computer vendor of 2007

by Michael Horowitz
  • 1 comment

According to perennial computer griper, Ed Foster, we should all do our duty and vote in his GripeLog Worst Vendor of 2007 poll.

Things must be pretty bad in the computer field. According to Ed, "...this year I couldn't pare down the list of Worst Vendor candidates to less than 25. And even then I know I'm going to hear legit complaints about some of the companies I chose to leave off the ballot."

The voting just started, and the early leaders are Microsoft, Sony, Symantec and Comcast.

Here's a story by Ed from a couple of days ago that illustrates why Microsoft has, at least so far, a large lead: Even the Homeless Hurt by Vista Updates.

There is a serious side to this: part of defensive computing is not dealing with bad companies. Now, let's see who those companies are...

January 6, 2008 3:28 PM PST

Black eyes for Adobe

by Michael Horowitz
  • 10 comments

On December 22, I wrote about problems updating the Flash player in Firefox, where I mentioned that the Adobe un-installer program for the Flash player does not always un-install the Firefox plug-in DLL version of the Flash player. Simply put, Adobe is not aware of all the places that Firefox looks to find the Flash player. The un-installer would run fine, but Firefox would nonetheless continue to use an old version of the Flash player, even after installing a newer version.

At the time, I reported this as a bug to Adobe (using this form). It is now two weeks later, and Adobe never responded, either to me or by updating the un-installer.

Realizing their press people might want to be aware of this, I also contacted the public relations department at Adobe (using this form). No response.

And then there is the whole issue of needing a special Flash player un-installer in the first place. Did you know this was necessary? Do your friends?

From where I sit, it doesn't seem that Adobe has done a good job of communicating this. And it's a necessary communication: removing the Flash player using the standard Add or Remove Programs applet from the Windows XP control panel doesn't work, and may or may not indicate that it doesn't work.

Speaking of communication, did you know that versions of the Flash player prior to "9,0,115,0" have serious security bugs (aka vulnerabilities or holes)? Secunia calls these bugs "highly critical." The tech support page for Flash doesn't mention them at all.

Then there are the recent stories about Adobe spying on how their customers use their CS3 software.

-- Adobe, Omniture in hot water for snooping on CS3 users
    by David Chartier December 31, 2007

-- Wear tinfoil hats when using Adobe products
    by Nicholas Carlson December 27, 2007

The CS3 software makes an outbound connection to something specifically designed to deceive. The connection is to a computer by name, but the name was chosen to look like a safe IP address. Specifically, the CS3 software communicates with 192.168.112.2O7.net.

Many people know that IP addresses that start with 192.168.x.x are for internal use only. That is, they are special IP addresses that do not exist on the Internet, but are instead reserved for use on local area networks. Adobe and tracking firm Omniture tried to use this commonly known fact to trick people who are not real techies.

Nerds know that this is 207.net, but many people no doubt see it as 192.168.112.207 and think it is a safe, internal-use-only IP address. Pretty sneaky.

By the way, Omniture owns two 207.net domains, one with the middle character the letter "O" and one with the middle character a zero.
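A defender reviewing DNS or proxy logs can catch this naming trick mechanically. The following is an added example, not code from the original post: it flags host names whose first four labels imitate an IPv4 address (including the letter "O" standing in for zero) while the name as a whole is not an IP literal. The log format and the sample lines are constructed for illustration; only the two 2O7.net/207.net names come from the text above.

```python
import ipaddress
import re

# A label that could pass for an IPv4 octet once look-alike letters are read
# as digits: letter O for zero, lower-case l or upper-case I for one.
OCTET_LIKE = re.compile(r"[0-9OoIl]{1,3}")
CONFUSABLE = str.maketrans({"O": "0", "o": "0", "I": "1", "l": "1"})

# Constructed resolver log lines: timestamp, client address, queried name.
SAMPLE_LOG = [
    "2008-01-05T09:14:02 10.0.0.21 www.example.com",
    "2008-01-05T09:14:07 10.0.0.21 192.168.112.2O7.net",
    "2008-01-05T09:14:09 10.0.0.34 192.168.112.207.net",
    "2008-01-05T09:15:40 10.0.0.34 207.112.168.192.in-addr.arpa",
    "2008-01-05T09:16:11 10.0.0.8 8.8.4.4.example.org",
]


def ip_lookalike(hostname):
    """Return the IPv4Address that the leading labels imitate, or None."""
    host = hostname.strip().rstrip(".")
    try:
        ipaddress.ip_address(host)
        return None  # a genuine IP literal is not a deceptive *name*
    except ValueError:
        pass
    if host.lower().endswith(".in-addr.arpa"):
        return None  # reverse-lookup names legitimately start with octets
    labels = host.split(".")
    if len(labels) < 5:
        return None  # need four octet-like labels plus a real domain part
    head = labels[:4]
    for label in head:
        # Require at least one true digit so words such as "lol" are ignored.
        if not OCTET_LIKE.fullmatch(label) or not any(c.isdigit() for c in label):
            return None
    try:
        return ipaddress.IPv4Address(".".join(l.translate(CONFUSABLE) for l in head))
    except ValueError:
        return None  # e.g. a label that normalises to a value above 255


def flag_lookalikes(log_lines):
    """Return (client, queried name, imitated address, looks_internal) tuples."""
    findings = []
    for line in log_lines:
        fields = line.split()
        if len(fields) != 3:
            continue  # not in the constructed three-field format
        _timestamp, client, qname = fields
        imitated = ip_lookalike(qname)
        if imitated is not None:
            # is_private covers the 192.168.x.x block and other non-routable ranges.
            findings.append((client, qname, str(imitated), imitated.is_private))
    return findings


if __name__ == "__main__":
    for client, qname, imitated, internal in flag_lookalikes(SAMPLE_LOG):
        note = "imitates an internal address" if internal else "imitates a public address"
        print(f"{client} queried {qname}: {note} ({imitated})")
```

Names that imitate an internal range are the ones most likely to be waved through by someone skimming a firewall prompt or a connection log.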

Finally, there is another wrinkle to the problem of not fully removing the Firefox plug-in DLL version of the Flash player. Originally, I noted that Adobe's un-installer failed to remove the program from
    C:\Program Files\Mozilla Firefox\plugins\

Recently, I worked on a computer that had Netscape Communicator installed (the e-mail program continued to be viable long after the Web browser fell by the wayside). On this machine, the Flash player DLL was in
    C:\Program Files\Netscape\communicator\program\plugins

The un-installer missed this too.

If you know someone at Adobe, you might want to pass this on. They won't speak to me.

Update: Someone from Adobe contacted me on January 7th. They are investigating this now. Apparently many/most/all Adobe employees take off from December 24th until early January.


December 22, 2007 8:17 PM PST

Problems updating the Flash player in Firefox? Here's help

by Michael Horowitz
  • 20 comments

Installing a new version of software should be a trivial thing--especially for popular software such as the Adobe Systems' Flash player, which is used by millions of people every day. But no.

For one, the Flash player does not play well with the other kids in the sandbox. That is, trying to remove the currently installed version via the Windows XP Control Panel Add/Remove applet is a waste of time. The first three machines I tried this on resulted in three different outcomes, and the software was not removed on any of the machines. Instead, Adobe has an uninstaller for the Flash player.

And why do I bring up removing old versions in the first place?

Because the Flash installer has never removed older versions of the program. The first time I ran the Secunia Software Inspector I almost fell off my chair at the huge list of old versions of the Flash player that were hanging around. Those old versions were flagged by Secunia because they had security vulnerabilities (a nice word for bug, which is, itself, a nice word for a mistake by a programmer).

As I blogged about yesterday, this is now an important issue because the latest version of the Flash player fixes nine bugs, some of them critical (Adobe's term, not mine). Simply viewing a Web page can infect your machine, so removing the old buggy versions of Flash is important.

Unfortunately the bugs in Flash extend beyond the player itself, as I learned the hard way while trying to update a handful of machines to the latest version.

Two versions of the Flash player

Screenshot from the Secunia Software Inspector showing both the
IE ActiveX version of the Flash player (top) and the Firefox plug-in version

Even in the best of times, the Flash player is particularly annoying to upgrade because it has to be done twice, once for Internet Explorer and then again for Firefox. The player comes packaged as an ActiveX control ("control" is nerd talk for "program") for IE and as a "plug-in" for Firefox.

You can see this in the screenshot above from the Secunia Software Inspector, which shows both versions of the latest Flash player. The .ocx file at the top is the ActiveX version; the .dll file at the bottom is the plug-in version. As you can see, both files normally reside in
    C:\WINDOWS\SYSTEM32\Macromed\Flash\

The problems described below were only with the Firefox plug-in version.

Fighting to upgrade

One computer in particular desperately resisted being updated to the latest version of the Flash player. I eventually got it working, however. So if anything similar happens to you, you may find a helpful tip below. The problematic machine was running the latest version of Firefox (2.0.0.11) and Windows XP with all bug fixes applied.

I mentioned yesterday that Adobe has what I refer to as a "tester" page for Flash, a Web page that displays the currently installed version of the Flash player.

When I approached the machine this morning, the Flash tester page showed that Firefox was running the old version 9.0.47* but Internet Explorer 6 was running the latest version 9.0.115. I dutifully ran the Adobe Flash uninstaller (the version from December 3, 2007) and then went back to the tester page to see what it had done. The ActiveX version for Internet Explorer was successfully removed, but the Firefox plug-in version remained.

I cleared the Firefox cache, rebooted and tested again. Still, the Adobe tester page reported that Firefox was using the old version.

I got a second opinion from the Secunia Software Inspector: it said there was no plug-in version of Flash. Who to believe, Adobe or Secunia?

My first guess was to believe Secunia since all they do is look for files in folders, a simple process that shouldn't break. Sure enough, when I checked, there was no NPSWF32.dll file in C:\WINDOWS\system32\Macromed\Flash.

But I figured the acid test was to visit a Web site that uses Flash, so I browsed around Yahoo.com a bit. Lo and behold, Firefox was able to display the Flash-based ads. Both the Adobe uninstaller and Secunia had failed to locate the copy of the Flash player that Firefox was using. Nice work, guys.

But, if the NPSWF32.dll file was not in its official folder, Firefox was nonetheless picking it up from somewhere. To find out where, I ran a Secunia "thorough system inspection," something I suggested at the end of my previous posting.

Sure enough, it found three instances of the Firefox plug-in version of the Flash player.

A portable version of Firefox on the M disk was using Flash version 9.0.47, another portable version of Firefox on the Z disk was using Flash version 9.0.45 (the Adobe Flash tester page confirmed this). But the interesting file was on the C disk:
    C:\Program Files\Mozilla Firefox\plugins\NPSWF32.dll
This was probably the file Firefox was using.

Installing the Firefox plug-in version of the Flash player
from the downloaded EXE file

At this point I figured I'd just install the new Flash player and be on my way to the next machine. So I went to the Flash player download center and downloaded an EXE to install the plug-in version of Flash for Firefox. The install ran successfully as shown above (I can't show all the messages because the window is not re-sizeable).

Not trusting anything, I verified that the official folder C:\WINDOWS\system32\Macromed\Flash did, in fact, contain a file called NPSWF32.dll and that its properties showed it to be version 9.0.115.

I cleared the Firefox cache and restarted the browser. You could have knocked me over with a feather when the Adobe tester still showed that Firefox was using the old version 9.0.47 instead of the just-installed latest version, 9.0.115.

Determined not to be defeated by Adobe's incompetence at the simple task of installing and uninstalling its own software, I renamed the NPSWF32.dll in C:\Program Files\Mozilla Firefox\plugins\ to NPSWF32.DONTUSE.ME.dll, cleared the Firefox cache again and restarted the browser.

It was still using version 9.0.47!

This I truly did not expect. After all, I had uninstalled the Flash player, installed it successfully and renamed the file it might have been picking up by mistake. Despite all this, it kept using the old version. But from where? Can you guess?

Fortunately there was no need to guess. The excellent Process Explorer can display the DLLs loaded by any running process.

The Flash player DLL used by Firefox

A picture is worth a thousand words, so take a look at the screenshot of Process Explorer above. Despite renaming the NPSWF32.dll file and despite that it does not reside in the official folder, Firefox is still using it. Now I'm annoyed with Mozilla, too.

The next step was obviously to delete the NPSWF32.DONTUSE.ME.dll file, and, finally, this activated the new 9.0.115 version of the Flash player.
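The gap between checking one official folder for one exact file name and finding every copy the browser could load can be shown in a few lines. This is an added example, not a tool from the original post or from Adobe, Secunia or Mozilla. It assumes the browser accepts any file in a plug-ins folder whose name starts with "np" and ends with ".dll", which is consistent with the renamed file still being loaded above; the directory tree is constructed in a temporary folder from the paths mentioned in these posts, and file versions are not read.

```python
import os
import tempfile

# Constructed sample tree, using the folder names mentioned in the posts.
OFFICIAL_DIR = "WINDOWS/system32/Macromed/Flash"
SAMPLE_FILES = [
    "WINDOWS/system32/Macromed/Flash/NPSWF32.dll",
    "Program Files/Mozilla Firefox/plugins/NPSWF32.DONTUSE.ME.dll",
    "Program Files/Netscape/communicator/program/plugins/NPSWF32.dll",
    "Program Files/Mozilla Firefox/plugins/npnul32.dll",   # unrelated plug-in
    "Program Files/Mozilla Firefox/readme-swf.txt",        # not a plug-in at all
]


def exact_name_check(directories, filename="NPSWF32.dll"):
    """Default-style inspection: one expected file name in known folders only."""
    hits = []
    for directory in directories:
        candidate = os.path.join(directory, filename)
        if os.path.isfile(candidate):
            hits.append(candidate)
    return hits


def loadable_as_plugin(filename, hint="swf"):
    """Assumed loader rule: np*.dll, case-insensitive; hint narrows it to Flash."""
    lowered = filename.lower()
    return lowered.startswith("np") and lowered.endswith(".dll") and hint in lowered


def thorough_scan(roots, hint="swf"):
    """Walk every root (every drive, in practice) and report each loadable copy."""
    hits = []
    for root in roots:
        for dirpath, _dirnames, filenames in os.walk(root):
            for name in filenames:
                if loadable_as_plugin(name, hint):
                    hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def build_sample_tree(base):
    """Create the constructed files as empty placeholders under base."""
    for relative in SAMPLE_FILES:
        full = os.path.join(base, *relative.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb"):
            pass


def demo():
    """Return (exact-name hits, thorough hits) as paths relative to the tree."""
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base)
        official = os.path.join(base, *OFFICIAL_DIR.split("/"))

        def relative(path):
            return os.path.relpath(path, base).replace(os.sep, "/")

        narrow = [relative(p) for p in exact_name_check([official])]
        wide = sorted(relative(p) for p in thorough_scan([base]))
        return narrow, wide


if __name__ == "__main__":
    narrow, wide = demo()
    print("exact-name check:", narrow)
    print("thorough scan:   ", wide)
```

On a real machine the roots passed to the thorough scan would be every local drive, so that portable browser copies are included.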

A parade of bugs

Let me wrap up by summarizing the virtual parade of bugs I ran into:

Adobe bug: Its uninstaller program did not uninstall the Flash player being used by Firefox. It missed the player used by both the normally installed copy of Firefox and by two portable versions of Firefox.

Secunia bug: Firefox was using an old buggy version of the Flash player, but its regular inspector didn't find any instance of Flash to report on, let alone object to.

Adobe and/or Mozilla bug: After successfully installing the new version of the Flash player, Firefox didn't use it.

Firefox bug: Using a DLL despite having the wrong name.

Firefox bug: There should be one and only one location that Firefox uses for plug-ins. The use of two folders for plug-ins fooled both Secunia and Adobe.

Not to mention the nine bugs in the Flash player that kicked off this endeavor. And not being able to use the Control Panel Add/Remove Programs applet in Windows XP to remove the Flash player. It works for everyone else, why not for Flash? All this is made even worse by the fact that Flash and Firefox are mature, popular products.

They don't make programmers like they used to.

Update: January 30, 2008. For more on this topic see A heads-up on the Adobe Flash player from January 26, 2008.

Update: January 6, 2008. There is yet another location that Firefox will pick up the Flash player from that the Adobe un-installer ignores. See Black eyes for Adobe.

Update: January 10, 2008. Based on this blog posting, Secunia is changing how their online inspector works. The below is from an email message from them to me:

By default the Secunia Online Software Inspector will only search default install directories, to our knowledge the default plug-in directory for Flash in Firefox has previously been: %ProgramFiles%\Mozilla Firefox\plugins
However, with a recent update they (Adobe or Firefox) changed the Firefox Flash plugin directory to be: %SystemRoot%\SYSTEM32\Macromed\Flash
This is why a default inspector (non-thorough) wouldn't pick up any Flash files from the Firefox plug-in directory.
However, based on your findings we have chosen to re-insert the default Firefox plug-in directory again, so it should now pick-up Flash plug-ins located in both directories.

Update: April 11, 2008. For the latest on the Flash Player see Time to update the Flash player. Here's how.

* The full version numbers are 9.0.47.0 and 9.0.115.0 but I'm leaving out the last zero so your eyes don't glaze over and because it's not relevant to the point at hand. Adobe also uses commas in the version number instead of periods. I'm using periods here because that's the standard for version numbers.


October 26, 2007 12:16 PM PDT

Why Java can't do addition correctly

by Michael Horowitz
  • 3 comments

My last posting described a situation in which the Java programming language knowingly produces wrong results. In the example I gave, Java added two positive numbers, produced a negative result and didn't consider it an error. Specifically:

  2,111,000,333
+ 1,000,222,333
---------------
 -1,183,744,630

I write this blog for a general audience, so I opted to leave out the technical details of how and why this happens. But, if you're not a computer programmer (the official term now being "developer") it may be inconceivable that a programming language can't do addition. Here, in a brief detour into nerdville, I'll try to explain it.

You can think of the problem as two pounds of baloney in a one pound bag (the reference being to an episode of the Honeymooners where Ralph gets stuck between two large pipes).

There are two types of programming languages, typed and non-typed. In a typed language, such as Java, programmers are required to specify data types for each variable. The numbers in the example were assigned to the "int" (short for integer) data type (the actual Java code is in the prior posting).

A number of the "int" type in Java can range from -2,147,483,648 up to 2,147,483,647. Another type, called "short" is used for integers up to 32,767. Smaller integer numbers can be assigned to the "byte" type which maxes out at 127. See Primitive Data Types for more.

Java stores "int" variables using 32 binary digits (bits). A binary digit is either a zero or a one. Everything to do with computers boils down to a bunch of bits at the lowest level.

The leftmost bit of a Java "int" variable represents the sign; the remaining 31 bits are the number itself. If the leftmost bit is zero, the number is positive; if it's a one, the number is negative. To illustrate, this is what a positive three and a negative three look like.

positive three: 00000000000000000000000000000011
negative three: 11111111111111111111111111111101

For the sake of simplicity, we can ignore the details of how negative numbers are represented, other than the fact that they start with a one bit.

At this point you can see that the mistake Java makes is easily detectable. If you add two "int" type numbers where the bit on the left is zero, then the result must also have a zero in the leftmost bit. At least the correct result has a zero there. If you add two positive numbers the result is also positive.

Where exactly did Java go wrong?

In the decimal number system the largest value that fits in three digits is 999, which is also 10 to the 3rd power minus one. The same formula applies to the binary number system. The largest value that fits in 31 binary digits is 2 raised to the 31st power minus one.

You can see this using the calculator built into Windows. Change the view from standard to scientific. It's helpful to also turn on digit grouping, another option under the View menu.

Click on 2, then the pink x-to-the-power-y button, 31, and equals. Subtracting one yields the largest possible integer in a Java "int" variable: 2,147,483,647.

Now click the Bin (for binary) radio button. The calculator shows 31 binary digits, all ones (see above). This is the binary equivalent of all 9s in the decimal number system.

To see the two pounds of baloney in the one pound bag, add one to this binary number.

Much like adding 1 to 99 results in 100 (an extra digit is needed and the low order digits are all zero), this results in a number that needs an extra binary digit on the left, and the remaining binary digits are all zero.

This is where Java goes wrong. While it does the addition exactly like the Windows calculator, it then maps the result back to the "int" data type. Thus, it considers this sequence of bits a negative number because the bit on the left is a one.

In other words, Java adds the two numbers as if they were 32-bit numbers. But they are not; they are 31-bit numbers with a sign bit on the left. Oops.

This is Java addition at the breaking point:

   2,147,483,647
+              1
----------------
  -2,147,483,648

You can see this dynamically at the Inner Int Java Applet by Bill Venners, author of Inside the Java Virtual Machine.

To be clear, this is a Java issue. The results are the same on Windows, Linux, Mac OS X and the many other operating systems that provide a Java Runtime Environment (JRE).

What was the mindset when Java was being developed that thought returning wrong results was better than raising an error condition? Java treats division by zero as an error, but willingly allows integers to overflow such that you can add two positive numbers and get a negative result.
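The sign-bit check described earlier is small enough to write out. This is an added example, not code from the original post: it models Java's 32-bit "int" in Python (whose own integers never overflow), reproduces the two wrong sums shown above, and raises an error instead. It goes slightly beyond the text by also covering two negative operands, where the same rule applies. All function names are illustrative.

```python
INT_BITS = 32
INT_MIN = -(1 << (INT_BITS - 1))      # -2,147,483,648
INT_MAX = (1 << (INT_BITS - 1)) - 1   #  2,147,483,647
MASK = (1 << INT_BITS) - 1


def to_int32(value):
    """Keep the low 32 bits and read them back as a signed number."""
    value &= MASK
    return value - (1 << INT_BITS) if value >> (INT_BITS - 1) else value


def bits(value):
    """The 32-bit pattern of value, leftmost (sign) bit first."""
    return format(value & MASK, "032b")


def sign_bit(value):
    return (value >> (INT_BITS - 1)) & 1


def wrapping_add(a, b):
    """What the post observed: the sum is truncated to 32 bits with no error."""
    return to_int32(a + b)


def add_overflows(a, b):
    """Operands with the same sign bit must yield a result with that sign bit."""
    result = wrapping_add(a, b)
    return sign_bit(a) == sign_bit(b) and sign_bit(result) != sign_bit(a)


def checked_add(a, b):
    """Add two 32-bit values, failing loudly instead of returning a wrong sum."""
    for operand in (a, b):
        if not INT_MIN <= operand <= INT_MAX:
            raise ValueError(f"{operand} does not fit in {INT_BITS} bits")
    if add_overflows(a, b):
        raise OverflowError(f"{a} + {b} does not fit in {INT_BITS} bits")
    return a + b


if __name__ == "__main__":
    for a, b in [(2111000333, 1000222333), (INT_MAX, 1), (-3, 3)]:
        print(f"{a:>13,} + {b:>13,} wraps to {wrapping_add(a, b):>14,}"
              f"  overflow={add_overflows(a, b)}")
        print("   result bits:", bits(wrapping_add(a, b)))
```

Java 8 later added Math.addExact, which throws ArithmeticException in exactly this situation.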

At the very least, computers should be able to compute.

October 21, 2007 8:25 PM PDT

Disgracefully unreliable software

by Michael Horowitz
  • 9 comments

Software can be made pretty reliable; lots of people and companies know how to do so. The auto-pilot on an airplane comes to mind, as do the computers that run financial markets. Then there are mainframe computers, perhaps the classic example of reliability (I spent many years working in a mainframe environment). But chances are that the computer you are reading this on is not as reliable as it could be.

Impolite Waiter


Let's start with an analogy. How would you feel if you were in a restaurant, in the middle of your meal, and the waiter takes your food away? It's a breach of the rules; food isn't supposed to be removed while the customer is eating.

Windows XP is that waiter. It lets you delete a file while an application is using it.

I ran into this recently while viewing an image with the popular IrfanView program. I was cleaning up files and deleted some pictures only to realize later that IrfanView was still running, minimized in the taskbar, and viewing one of the just deleted pictures.

This should never be allowed to happen, and it doesn't on a mainframe.

Windows knows full well what picture IrfanView is using. IrfanView didn't scan the sectors on the hard disk by itself to figure out which ones constitute the picture. It asked Windows to grant it access to the file. But when it comes time to delete a file, Windows has amnesia.

IrfanView is only one example. Windows XP will delete pictures while they are being used by a running copy of both Paint and the Windows Picture and Fax Viewer too.

Adding insult to injury is that Windows makes the opposite mistake too. Many times when I'm finished using the files on a USB flash drive, the Windows "Safely remove hardware" function won't let go because it thinks one or more of the files are still in use.

Multiple Updaters


Open a file in WordPad. Then open the same file in Open Office. Now both programs are updating the same file at the same time. How come no one at Microsoft ever saw this as a problem?

To be clear, the gripe here is about Windows XP, not WordPad or Open Office. The operating system is in charge of the files. It has the responsibility for integrity, so it should not allow two programs, any two programs, to update the same file at the same time. Anyone with a database background knows what comes next.

Open a plain text file with Notepad and then open the same file with AbiWord (again the specific applications are not the issue). Make a change to the file with Notepad, save it and close Notepad. Open Notepad again and you will see the change that it just made. Now make a change with AbiWord and save the file. The change that Notepad made is gone. Disgraceful.
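The sequence above is the classic lost update. The following added example (not from the original post) replays it with two constructed stand-in editors that each load the whole file and write the whole buffer back, then repeats it with a save that first compares the file on disk against a fingerprint taken at load time. The class and function names are illustrative.

```python
import hashlib
import os
import tempfile


class StaleFileError(Exception):
    """The file on disk changed after this editor loaded it."""


def fingerprint(data):
    return hashlib.sha256(data).hexdigest()


class Editor:
    """Constructed stand-in for any editor that rewrites the whole file on save."""

    def __init__(self, path):
        self.path = path
        with open(path, "rb") as fh:
            raw = fh.read()
        self.buffer = raw.decode("utf-8")
        self.loaded = fingerprint(raw)   # what the file looked like when opened

    def append(self, text):
        self.buffer += text

    def save(self, check=False):
        if check:
            with open(self.path, "rb") as fh:
                if fingerprint(fh.read()) != self.loaded:
                    raise StaleFileError(self.path)
        # A small window remains between the check and the write; only a lock
        # enforced by the operating system closes it, which is the post's point.
        raw = self.buffer.encode("utf-8")
        with open(self.path, "wb") as fh:
            fh.write(raw)
        self.loaded = fingerprint(raw)


def two_editor_session(check):
    """Replay the scenario; return (final file text, second save refused?)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "notes.txt")
        with open(path, "wb") as fh:
            fh.write(b"original\n")
        first, second = Editor(path), Editor(path)   # both open the same file
        first.append("first editor's change\n")
        first.save(check)
        second.append("second editor's change\n")    # still holds the old copy
        refused = False
        try:
            second.save(check)
        except StaleFileError:
            refused = True
        with open(path, "rb") as fh:
            return fh.read().decode("utf-8"), refused


if __name__ == "__main__":
    print("blind saves:  ", two_editor_session(check=False))
    print("checked saves:", two_editor_session(check=True))
```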

Ubuntu Linux


There's no gloating in Linux land either.

In a virtual machine running Ubuntu 7.04, I double-clicked on an image and opened it in the default application, Eye of Gnome. Here too, I was able to delete the image while viewing it. I also tried opening an rtf file in Open Office v2.2. Again, I could delete the file while an application was using it.

Ubuntu fared no better with multiple editors. I was able to open a file in both gedit and Open Office v2.2 at the same time. Changes made in gedit and saved, were wiped out by later changes made in Open Office. Just like Windows XP.

Java


This brings to mind my initial experience with the Java programming language back in February of 2001. The first thing I did was to write a simple program that added two numbers and printed the result.

To explain why I chose this as my first Java program, let's suppose that all numbers are limited to a single decimal digit. Then, if you add 1 and 1 you get 2. But, if you add 4 and 8, you should get an error since the result is larger than a single digit.

Along these lines, Java has a numeric data type called "integer" which is used for integer numbers up to 2,147,483,647 (let's call it 2.1 billion for the sake of argument). In my first Java program, I added two integer numbers and stored the result in a third integer - the code is below:

int var1, var2, var3;
var1 = 2111000333;
var2 = 1000222333;
var3 = var1 + var2;
System.out.println("var3=" + var3);

This adds 2,111,000,333 and 1,000,222,333. The result--roughly 3.1 billion--is too large to fit in an "integer" variable. I wanted to see how Java handled this. The result was:

var3=-1183744630

Not only is the answer wrong, but Java didn't crash, as I expected it would. Mainframe programs crash when they encounter this type of error - better to fail than produce wrong results.

Java didn't even issue an error message.

Update: October 22, 2007. I was asked by CNET if the above Java issue still exists. It does. Using Sun's JDK version 1.6.0_03 on Windows XP, I was able to re-create the problem. A screen shot is below.

October 13, 2007 6:23 PM PDT

IE7 is missing and a sad tale of tech support

by Michael Horowitz
  • 13 comments

Internet Explorer 7 was missing on a brand new Dell Latitude D630 running Windows XP SP2. I tried to find out why, which resulted in the saga below. Consider this a tip for anyone purchasing a new XP based computer and a heads up on how Microsoft and Dell treat their customers.

The machine arrived a few days ago, and one of the first things I dutifully did was run Windows Update from Internet Explorer (Tools -> Windows Update). I was surprised to find the machine came with Internet Explorer 6 considering that IE7 has been available for a year now.

After the usual round of updates to the Windows Update software, it found over 40 missing bug fixes and correctly installed all of them except for one. No big deal, I've seen this many times with one of the patches for .NET. Still, Windows seems pretty stale. It's hard for me to judge the age of 40 some odd bug fixes, but it could be that Windows hadn't been updated for over a year.

After rebooting, Windows Update finds the missing bug fix and installs it. Only then do I notice that I'm still running Internet Explorer version 6. What gives? Hundreds of times I've seen Windows Update try to install IE7.

Back to the Windows Update website. IE7 is not in the list of optional patches. A review of the update history shows only the one error I already knew about. Nowhere in the history is IE7. I try to restore the hidden updates, but there aren't any. I decide to investigate. Is it a bug in Windows Update?

Microsoft


At the home page for Internet Explorer (microsoft.com/ie) the lead story is "Internet Explorer 7 now available to all users running Windows." This, of course, is not true. IE7 does not run on Windows 2000 or any of the earlier versions of Windows.

I follow the link to "Find help get answers" which leads to the Internet Explorer 7 Support page. Here too, Microsoft makes a statement for which truth is not an appropriate attribute. The page says "Support for Internet Explorer 7 is available via the phone based on your locale."

I call the Support number and answer the phone menu questions. In the end, Microsoft says it's not their problem. Because Windows XP came pre-installed on the computer, the instructions say to contact the hardware manufacturer.

I called Microsoft again and this time chose the option for Windows Update returning an error. In response, the telephone system sent me to the Windows Update website with instructions to click on "Get help and support". Speaking to a person was not an option, even though I was calling during the hours of operation. The linked-to web page didn't provide anything useful.

In a third go-round with Microsoft's telephone system, I chose the security and virus problem option figuring that IE7 is supposed to be more secure than IE6. The telephone system told me to go to onecare.live.com/scan and run a full service scan. At this point I could take the hint, so I tried Dell.

Dell


At the home page for Dell support (support.dell.com) there is a "Live Chat" link at the very top. I clicked it, opted to chat with technical support and entered my service tag. This starts a hardware chat. My problem is software, but there isn't a software chat.

After entering my name and email address, IE issues two different warnings about problems with digital certificates.

The text in the chat window at the bottom of the resulting page is small, so I click on a link in the top part of the page for large text. This changes the text size in the top, but not in the chat window. Looks like Dell hasn't put much effort into this chat thing.

Fairly quickly, someone starts chatting with me and they confirm that the chat is only for hardware problems. So I ask where the software chat is. Rather than answer the question, the person asks what the software problem is. After explaining it, I'm told "... what I can do is give you the number to Microsoft and they will be able to assist you with this issue." I'm told to call (800) MICROSOFT. Thanks Dell.

I call this new Microsoft number and end up with the same phone menu options as before. Again, when I tell Microsoft's telephone system that Windows XP came pre-installed, they tell me to call Dell (in so many words).

I soldier on to Dell's technical support web page where it correctly auto-detects that I'm running a Latitude D630. I click the Contact us link and end up here where I opt to call Technical Support on the phone.

Calling requires an Express Service Code, a different number from the Service Tag. There is a link to display your Express Service Code but it only works in Internet Explorer. Still, it wasn't hard to find.

The instructions offer different phone numbers to call depending on who or what you are. I don't know who I am. The computer belongs to a client of mine and I don't know if it was purchased as an individual, small business or perhaps higher education. The phone number for each differs and I'm too pessimistic to call any of them.

Back to Microsoft


But I decide to spend a few more minutes searching Microsoft's site. As Jerry Pournelle often says, I do this stuff so you won't have to.

Somehow I end up at the Internet Explorer Solutions Center. There is a search box for searching the tech support Knowledge Base. I enter "windows update", click the arrow and find nothing that answers my question in the search results.

At the top of the list is a link to the Windows Update Solution Center. The initial page has nothing about IE7 disappearing from Windows Update, so I try Other Issues. From the list of products, I select Windows Update, say I'm in the United States and end up at a page where I can submit a problem report. Looks like there is free technical support for Windows Update. Yippee.

But before submitting a problem you're presented with a long "Agreement for Microsoft Services". This is the end of the line for me; I resent being bound by this agreement just to get help with Windows Update. Also, there is a section in the agreement on confidentiality that starts with "The terms and conditions of this agreement are confidential..." I want to write this posting so confidentiality is out of the question. It does, however, beg the question of why Microsoft needs confidentiality for tech support.

Get the Memo?


Maybe I didn't get the memo. Maybe everyone but me knows IE7 is no longer available from Windows Update. I do a web search for "internet explorer 7 windows update".

IE7 has been in the news lately. Microsoft dropped the requirement for WGA validation. This means that people running illegal pirated copies of Windows can now get IE7 (see Microsoft disables Internet Explorer 7 validation process by Tom Espiner). The article doesn't mention Windows Update.

Installing


At this point, I download and install IE7 without incident. It's available from microsoft.com/ie and microsoft.com/downloads (where it heads both the popular and new lists).

After the required reboot, I run the Secunia Software Inspector (a future blog topic) for an unrelated reason only to have it point out that I'm missing a bug fix to IE7. Windows Update confirms this, as shown below.

Thanks Microsoft, for letting me download a known buggy version of IE7 and not warning me to run Windows Update afterwards. Or was the bug left there for those running pirated versions of Windows?


P.S. You're still better off with XP as opposed to Vista.

Update: October 14, 2007. According to the Automatic Updates Distribution Process page at Microsoft's website, IE7 is being distributed by Windows Update. Either this page is wrong or there is a bug in Windows Update.

On October 4th, Steve Reynolds, Program Manager for IE at Microsoft, wrote:

"If you are not already running IE7, you can get it now from ... or, if you haven't already received it via Automatic Updates, this version will be delivered to you as we described previously."

I confirmed on another Windows XP machine that IE7 is not offered via Windows Update.

Update: October 15, 2007. I tried a third XP computer running IE6 and this time IE7 did appear in the list of missing updates. I tried a fourth machine and it too, was offered IE7. The best guess is that it was a temporary problem with Windows Update.

Update: October 16, 2007. Rather than a bug, this was probably a temporary takedown of IE7 having something to do with the recent removal of the WGA requirement. As with so many computer gripes, it boils down to bad documentation.

Update: October 18, 2007. Finally, closure. Susan Bradley, writing for Windows Secrets, covered the disappearance of IE7 in an article today, "Internet Explorer 7: missing in action or not?" Susan says "We honestly don't know why IE 7 was gone for nearly a week." It re-appeared Sunday October 14th. As noted above, this is yet another case of bad documentation.

October 2, 2007 3:31 PM PDT

Defensively shopping at amazon.com

by Michael Horowitz
  • 4 comments

A few days ago, I wrote about my experience using the new Amazon MP3 Download store. Perhaps the most important point I raised was that it was possible to purchase songs without having to enter an Amazon userid/password, let alone a credit card number. I have purchased many things from Amazon over a number of years and this was a first for me.

Two days after my posting, fellow computer griper Ed Foster, of Gripe to Ed fame, wrote about the issue of logging off Amazon.com in more detail. See Amazon Makes You Lie to Log Off.

Ed's article includes this quote from Amazon, which gets to the heart of the defensive computing aspect:

"If the particular system which you are using is being shared with any another user, and if you leave your system with out logging out from your account of Amazon.com, they will be able to view your account information and also will able to place an order from your account."

Place an order? Up until a few days ago, I thought that leaving myself logged in to Amazon.com was no big deal, since every purchase required entry of a userid and password. But this quote confirms what I experienced: this is no longer the case, at least not always.

To triple check, I purchased another song from Amazon's MP3 Downloads using Internet Explorer (the first time around I had used Firefox). Again, I purchased a song without entering any information at all.

This is a shame. I've been a happy Amazon customer and don't appreciate their choosing ease of use over security.

This time I ran across another purchasing issue. Using IE6 on Windows XP, the browser issued a warning and initially blocked Amazon from downloading my MP3 file. The warning was a yellow stripe just under the address bar. At the point where the warning is issued, you have already purchased the song, but not downloaded it. Not good.

Even in beta, Amazon should have some warning about this. I knew what to do, but I'm a computer nerd. Not everyone knows how to respond to this warning, if they even notice it at all (click on the yellow stripe and allow IE to download the file). Many web sites that download files include up-front instructions and warnings about this IE yellow stripe. But not Amazon.

The beta (read "unfinished") status also shows in the song previews which seem to always be the first 20 or 25 seconds of a song. Many of the live performances I checked out started with an instrument tune-up session that had nothing to do with the upcoming song, rendering the preview useless. In the track I downloaded today, the performer asks the audience if they are ready for some rock and roll a minute and 35 seconds into it. The first recognizable note of the song comes at 2:09. Turns out this wasn't the live performance I was looking for. Needless to say, there are no returns.

But to end on an important note, always log out of Amazon.com.

September 14, 2007 5:11 PM PDT

Defending yourself against Microsoft

by Michael Horowitz
  • 5 comments

Yesterday I wrote that Windows is malware. I said this because:

Microsoft can and will update your copy of Windows whenever they feel like it, regardless of your wishes. And, they feel no obligation to tell you what they've done. Your computer is just a zombie to them.

Defending yourself against Microsoft involves turning off automatic updates and that's what this posting is about.

At first glance, turning off Automatic Updates seems simple enough. In Windows XP, you go to the Control Panel, then System, then the Automatic Updates tab and click on the radio button to turn off automatic updates (as shown below). But Windows is lying to you: simply doing this does not turn off Automatic Updates.

The thing that actually installs bug fixes is a component of Windows called the Automatic Updates service. A service is a computer program that runs in the background, so you're not aware that it's there. You may not even see it listed on the Processes tab of Task Manager. A single instance of the svchost.exe process hosts from one to many different services.

Windows consists of many services; the XP machine I'm using to write this posting has over 90. Some services directly translate to a visible feature of Windows. For example, if you have ever used Windows to configure a WiFi connection, then you've been communicating with the Wireless Zero Configuration service. The Automatic Updates service is the one that handles patches to Windows. The name sounds better than the Automatic Bug Fix Service, but that's what it is.

At any point in time a service is either started (on) or stopped (off). A computer that does not use WiFi, for example, should have this service turned off since it won't be needed.

When Windows starts up, it turns on some services and does not turn on others, depending on an attribute of the service called the Startup Type. If the Startup Type is Automatic, the service is automatically started when Windows boots. If the Startup Type is either Manual or Disabled, the service is not started.

A Manual service can be started by another service on an as-needed basis. A Disabled service cannot be started until the Startup Type is changed to either Manual or Automatic.

When I said earlier that Windows is lying to you, I meant that even when Automatic Updates are turned off in the Services applet in the Control Panel, the underlying Automatic Updates service remains on. This is why Microsoft can update your computer whenever they feel like it.

To defend against the Borg Microsoft, disable the Automatic Updates service.

In Windows XP, go to the Control Panel, then Administrative Tools, then Services. You'll see a window like that above, listing each service, its current Status and Startup Type. A blank status means the service is not running (off), a status of "Started" means that it is (on). Get the properties of the Automatic Updates service and change the startup type to disabled (see below).

Interestingly, disabling a service does not stop it, if it's already running. If you want, you can also stop the current instance of the service, but the more important point is that the next time Windows starts up, it will be off. And it will remain off/disabled until you manually change the Startup Type.

But, sometimes you want to install Windows bug fixes.

To do so, you need to change the startup type of the Automatic Updates service to Automatic and then start the service. Interestingly, the Windows Update web site will not function if the Automatic Updates service is running but the startup type is set to Manual. Microsoft really wants this service running all the time. I wonder why.

When you are done installing bug fixes, stop and disable the Automatic Updates service until next time. Note that the Background Intelligent Transfer service is also required for Windows Update to function, but it works fine, in Windows XP, with a Startup Type of Manual.
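The procedure above can also be scripted. The following PowerShell is an added example, not part of the original post; it assumes an elevated prompt and uses the service names `wuauserv` (Automatic Updates) and `BITS` (Background Intelligent Transfer), with function names that are made up for this illustration. It reports Status and Startup Type separately, since the two are independent.

```powershell
# Added example (not from the original post). Run from an elevated prompt.
# wuauserv = Automatic Updates service, BITS = Background Intelligent Transfer.

function Get-UpdateServiceState {
    # State (Running/Stopped) and StartMode (Auto/Manual/Disabled) are
    # separate attributes, so list both for each service.
    Get-WmiObject Win32_Service -Filter "Name='wuauserv' OR Name='BITS'" |
        Select-Object Name, DisplayName, State, StartMode
}

function Disable-AutomaticUpdates {
    # Disabling only takes effect at the next start of the service...
    Set-Service -Name wuauserv -StartupType Disabled
    # ...so also stop the instance that is running right now.
    Stop-Service -Name wuauserv -Force
    Get-UpdateServiceState
}

function Enable-AutomaticUpdatesForPatching {
    # Per the post, the Windows Update site wants the service both set to
    # Automatic and running, not merely running with a Manual startup type.
    Set-Service -Name wuauserv -StartupType Automatic
    Start-Service -Name wuauserv

    # BITS is also required, but a Manual startup type is enough for it.
    $bits = Get-WmiObject Win32_Service -Filter "Name='BITS'"
    if ($bits.StartMode -eq 'Disabled') {
        Set-Service -Name BITS -StartupType Manual
    }
    Get-UpdateServiceState
}

function Test-AutomaticUpdatesOff {
    # Returns $true only when the service is both disabled and stopped.
    # Useful after a reboot to confirm the setting has not been changed back.
    $svc = Get-WmiObject Win32_Service -Filter "Name='wuauserv'"
    ($svc.StartMode -eq 'Disabled') -and ($svc.State -eq 'Stopped')
}
```

Call `Enable-AutomaticUpdatesForPatching` before a manual Windows Update session and `Disable-AutomaticUpdates` when it is finished.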

Interestingly, this has always been my advice for dealing with automatic updates. At first, my opinion was based simply on the fact that I prefer to run Windows Update manually, so there is no need to have the Automatic Updates service running. Then, my opinion was strengthened by a bug in the Automatic Updates service that caused the poor processor to run at 100% usage rendering your computer slow as molasses.

And now this.


Update: September 16, 2007. Clarified the point that disabling a running service does not stop the current instance of that service.

September 13, 2007 8:12 PM PDT

Windows is spyware

by Michael Horowitz
  • 9 comments

Microsoft has crossed the line. They have been disliked by many techies, for arrogance, incompetence and more. But, this wasn't a universal opinion and reasonable people could have disagreed. Now however, the question of Microsoft's corporate character has left the realm of opinion and landed firmly in fact.

They are bad guys.

If there was any doubt, the final straw came today, in the September 13 edition of the Windows Secrets newsletter where the lead article by Scott Dunn (Microsoft updates Windows without users' consent) ended the debate.

According to Scott, "Microsoft has begun patching files on Windows XP and Vista without users' knowledge, even when the users have turned off auto-updates."

Wow. Updating Windows without your being aware of it? And after telling it not to? That's what spyware does. It's what the bad guys do. And now, it's what Microsoft does. They seem to think that they own Windows, and you and I are just renting our copies. Maybe we should read the lease.

There's a saying in the computer security field that if a bad guy gets physical access to your computer, it's not your computer anymore. If Microsoft can silently update Windows against our will, whose computer is it?

Over at ZDNet, Adrian Kingsley-Hughes has Confirmation of stealth Windows Update. He describes a Windows XP machine that was set to download new bug fixes and notify the user, but not to automatically install anything. Yet, install it did.

He writes "I just don't like the idea of having updates foisted upon systems without being aware that they are coming in and having the option to postpone them. Why? Simple. IT'S MY PC!!!" No, Adrian, it's not your computer anymore. It has been assimilated into Microsoft's collective. Rather than being an individual, your copy of Windows does what the Queen tells it to do.

Windows is now malware and our computers are zombies.

The changes Scott describes affect Windows Update. Anyone who runs Windows Update manually, as I prefer to, has been forced to install new versions of it over and over and over again. So why the secrecy this time? And speaking of secrecy, Scott says "To make matters even stranger, a search on Microsoft's Web site reveals no information at all on the stealth updates."

It's inconceivable to me that any other software company would do exactly what their customers told them not to do.

Exhibit Two


Exhibit two against Microsoft's corporate character is Windows Update.

Many Windows users still have a dial-up Internet connection. The bug fixes to Windows are often large, and a dial-up user may find them too big to download, especially after falling way behind in applying them. Nothing new here, it's been true for years.

So why doesn't Microsoft sell, at cost, a CD containing Windows bug fixes? They did once, briefly, in reaction to a torrent of publicity about security problems in Windows. Why was this the exception and not the rule?

Next time, defending yourself against Microsoft--how to really turn off Automatic Updates. Then back to surge protectors.


Update: September 14, 2007. Integrated Adrian Kingsley-Hughes topic into the posting.


About Defensive Computing

Michael Horowitz is an independent computer consultant and the author of several classes on Defensive Computing. He views Defensive Computing as taking steps, when things are running well, to avoid or minimize the inevitable problems down the road. It's about educating yourself to the level where you can make your own intelligent decisions about keeping your computers and data happy and healthy. If you depend on computers, yet are on your own, without an IT department or nearby nerd, this blog's for you. His personal web site is michaelhorowitz.com.

He is a member of the CNET Blog Network and is not an employee of CNET.
