How to fool customers
-
control software for radiation treatment
I'm kind of wondering why real time treatment systems are ever connected to the network, especially if a problem during a treatment could lead to a dead person?
And these systems run on regular Windows, not Windows Embedded/CE, or something like VxWorks or Integrity? (I believe Varian uses VxWorks for some of their radiation therapy devices)
-
When you try to do updates, it will default to turning on always download & install updates. But it also puts you right in the window that has the "choose options to configure Windows updates" link, so it's not exactly rocket surgery.
It also defaults to a 3am reboot window (it will still install whenever the hell it feels like, complete with all the headaches associated with that when you want to do minor things like install software).
But the server defaults are actually pretty sane.
Similar to the W10 desktop defaults, really, it's just all us
nerds that have crazy default requirements. :P
-
Similar to the W10 desktop defaults
No, those are fucked up completely. There is no easy was to turn off updates or to do them manually. You have to hack shit to get to sanity on W10.
-
@royal_poet said:
Of course the hospital can't afford a new server
And they won't pay for a couple of DIMMs? That could be paid for with the padding one one CT.
Why spend hundreds of dollars on hardware that will only be thrown away when you can just install two copies of RAM Doubler?
By next year there may even be enough money in the budget for a third copy, bringing that server up to 16GB where it will just fly.
-
There's nothing insane about defaulting to "keep my system secure" and "reboot when I'm almost always away from the computer because you know when you're idle or not being, you know, a computer".
What's insane is people insisting that their system is so special that it must have manual (read: never) updates. And then wondering why all their files keep getting locked by this "Cryptolocker" thing...
Edit: If W10 defaulted into the fast release channels, then yes, I would agree that not being able to disable that is insane. But it doesn't, and the fast release channels are successfully catching a big cross section of the "oops, blue screen" patch compatibility problems.
-
There's nothing insane about defaulting to "keep my system secure" and "reboot when I'm almost always away from the computer because you know when you're idle or not being, you know, a computer".
Nothing insane about rebooting and causing data loss and loss of workflow?
What's insane is people insisting that their system is so special that it must have manual (read: never) updates. And then wondering why all their files keep getting locked by this "Cryptolocker" thing...
I have never been hit by Cryptolocker (which, BTW, I don't think Windows has ever put any sort of protection against in their OS, or through a Windows update, so your point is
). Also, I have no problem with it pestering me to update. Once a day is fine. After 2-3 days, I get annoyed enough that I install the updates and reboot when I want to.
-
@royal_poet said:
One of our clients was cutting costs by cutting defensive offsite backups that we manage. Guess what became very important this week when one of their techs fucked up. Guess what they're still cutting.backup
What's that?
We just won't fuck up next time.
Morons.
-
Nothing insane about rebooting and causing data loss and loss of workflow?
The insanity there lies in the operator who walked away from his work without saving it.
I mean, are you gonna complain about the power company ruining your work when a power outage lasts long enough to drain your UPS and wipe out your unsaved work?
Ok, that's about all the more blakey I can channel, but yeesh. Use the save button, Luke -- don't disable the security updates O_o
-
It's depressing how much we compromise because of stupid customers.
-
That and the customer's insatiable need to be online everywhere. You know things will go wrong when the radiographers check their Facebook feed on the treatment control system.
I keep telling people to not put exceptions for trivial shit into the routers and firewalls protecting the system.
-
Relevant bit is at 30 seconds in.
-
2012 and 2012R2 default behavior is to install updates and then reboot whenever the hell it feels like it
Yeah, what is up with that?
The last couple 2012R2 VMs I built defaulted to "download only" for updates.
Maybe you missed one of the cumulative update packages?
I think as soon as you check for updates it enables it.
That's probably it. If you just follow their sheeple wizard it will happen to you. If you don't, it's easy to avoid that pitfall because you set it yourself instead of through OOBE?
-
I really need to see this get 50 likes.
-
Their IT
It's not ignorance, it is ignorance in spite of knowledge that is the problem.
I don't have a problem with not knowing the answer, because most people on earth don't know the answer. That's why there's this thing called work experience.
It's when someone thinks something is impossible.
Is told it is possible.
And doesn't react with, Oh really? Please show me how, mentality.Good lor, I wish I could take every professional on here and know what they know through osmosis.
-
are being discontinued. 
are where it's at. As an added bonus, @blakeyrat can finally voice his opinions on posts because there's:- a
button no list of people thatDISREGARD THAT I WAS WRONG
this post
- a
-
There's nothing insane about defaulting to "keep my system secure" and "reboot when I'm almost always away from the computer because you know when you're idle or not being, you know, a computer".
What's insane is people insisting that their system is so special that it must have manual (read: never) updates. And then wondering why all their files keep getting locked by this "Cryptolocker" thing...
So, what you are saying is, Windows is such a security nightmare that, as soon as an update is out, you have to update it ASAP (and reboot) or you're gonna get infected right away ?
On a side not, I am professional enough that I keep my Win7 machine on manual update and never got infected (and it is up-to-date).
-
-
I am professional enough that I keep my Win7 machine on manual update and never got infected (and it is up-to-date).
This. Eventually though I'm going to try getting WSUS working (after I get rid of all the PCs running Home editions) and see if it can splash the updates that reboot the PC only every "once-in-a-while".
-
The insanity there lies in the operator who walked away from his work without saving it.
I save things but I still have a lot of shit open at all times, and I hibernate instead of shutting down precisely to avoid getting back to where I was. Automatic reboots are not fine, no matter when they're done.
So, what you are saying is, Windows is such a security nightmare that, as soon as an update is out, you have to update it ASAP (and reboot) or you're gonna get infected right away ?
That's true for security updates to anything. Exploits might be in the wild way before the updates are released.
On a side not, I am professional enough
It's not about what you do. It's about what you can't control (e.g. an RCE in image processing in a browser will make you vulnerable every time your browser encounters an image; same goes for OS components, it's not hard to imagine). You'll be hit without even realising it, hence why keeping all software up-to-date is crucial. Being careful is important but it's not sufficient.
-
-
I was on mobile at the time.
-
shrug Obviously, as seen in the previous posts in this vein, how to handle updates and auto reboots is kind of a religious issue for techies.
But given that some 90%+ of the American population are not IT experts1, the defaults need to be sane, and need to be such that security updates get applied in a reasonable time frame. So I'm in favor of not allowing it to be turned off, so that the 60-something computer user can't turn off updates after they see a horror story on CNBC about two computers that didn't come back after updates. Or their know-it-all-grandkid who knows (/sarc) exactly how evul Microsoft is doesn't disable updates while setting it up and then provide gramma and grampa a 13 step process on how to update their computer that will never get followed.
Because, having had to deal with people who have lost everything (or at least, all their kat videos and pictures of the grandkids) because they fell victim to a drive by download exploit that had been patched months ago... Security problems suck, and anything that improves the uptake rate of Windows updates is worth a moderate amount of workflow pain to us super users.
1Presumably the 90%+ generalizes globally, but I'm too lazy to try to find other stats -- the American workforce estimates are 5 million out of 150 million employed are IT workers, sort of)
And in the realm of disclaimer - I'm horrible at leaving stuff open on my computer all the time. And my 3DS capture card software is a serious PITA to get working with its sound output on the correct channel every time I have to re-open it after closing it or a reboot, so I usually leave it open all the time and grumble a bit when I have to futz with it because updates happened. But I still would gladly leave the auto-updates on, and within a month of switching to this new computer with Windows 10, I haven't had any occurrences of the updates trying to trigger or even popping up to nag me while I'm working on the computer. The computer just knows when I'm not going to need it, and takes care of business, silently, then.
-
How about giving the "Professional" version a setting to disable auto-update ?
It's not like if the general population is using the professional version.
-
How about giving the "Professional" version a setting to disable auto-update ?
You can switch it to "just notify me" with group policy.
-
You can switch it to "just notify me" with group policy.
Ok. But how many IT professionals have a need for a home network with Active Directory? How many of those want to shell out the money for and spend the time maintaining an Active Directory install for their home network?
-
IT professionals have a need for a home network with Active Directory?
(Though I don't really consider myself an IT professional as such)How many of those want to shell out the money for and spend the time maintaining an Active Directory install for their home network?
Can't Samba be an AD DC now?
-
You don't need to setup AD to use group policy on a single computer. Just run
gpedit.msc. Relevant setting is inLocal Group Policy > Computer Configuration > Administrative Templates > Windows Components > Windows Update > Configure Automatic Updates.
-
I suspect that puts you in the minority.
Can't Samba be an AD DC now?
I suppose …
You don't need to setup AD to use group policy on a single computer. Just run gpedit.msc. Relevant setting is in Local Group Policy > Computer Configuration > Administrative Templates > Windows Components > Windows Update > Configure Automatic Updates.
I hope you can script that because I don't want to do that 4 times.
-
I suspect that puts you in the minority.
I have no confidence issues that entice me to parade my ineptitude.script that
Yeah, it's a simple .Reg file with the necessary flags. 'course, finding out where that is a trip to MS anyways....
-
Yeah I mentioned gpedit.msc before in another thread complaining about the reboots. You can configure all sorts of things with gpedit. Any self-respecting windows "techie" ought to know about it, msconfig, and Sysinternals. And most things related to the first two items can be done with a powershell command.
-
I suspect that puts you in the minority.
high fives @tsaukpaetra
But yeah, probably in the minority.
-
Like in that Tom Cruise movie where they can see crimes being committed before they happen, or somesuch?
-
No, because that would require that a third person make a report and disagree with us.
Sorry, did I kill the joke?
-
I think you euthanized it, poor thing.
-
I hope you can script that because I don't want to do that 4 times.
Open "Local Security Policy" administrative tool. Right click on "Security Settings" and choose "Export Policy" from menu. Save somewhere. Do the same, except chose "Import Policy" on the other three computers. You can do the same with
SECEDIT /importandSECEDIT /export.
