Exactly why you should never, ever, enable auto update, for anything. Too often it ends up breaking something or patching something you don't want patched. It allows a profit seeking company to enable or disable software functionality on your device, regardless if it's in your interest.
It should be noted that unless you've modified an Xbox One, from what I understand you cannot stop it from auto updating unless you permanently disconnect it from the internet (which will cause your licenses to eventually expire, in the year timespan or so), new launch games won't run (they're tied to a minimum version of the OS).
I agree that the device updating without your consent should be illegal, but new games requiring the updates seems fair enough: the Xbox can still run all of the games it was advertised to be able to do so at launch, and if game developers could not rely on the presence of system updates, Microsoft would just release an entirely new, incompatible Xbox instead. I think that updates are fine so long as you can update and roll back whenever you want to.
The PSP had firmware updates as well, and certain games strongly encouraged you to do so. But many had a workaround: The firmware loaded from the UMD itself. This meant your minimum firmware version could be rolled back, or that in some cases you didn't need to update and then rollback at all, as it was all loaded from the UMD. No matter what though, Sony mandated that all games support a minimum version. The last minimum version I remember was 3.00 from 2007 that introduced MemoryStick verification as an alternative to UMD verification because the PlayStation Store necessitated the ability to run without UMDs, and the final firmware update being 6.60 from 2011.
We could easily go back to installing firmware on-disc or in-download and only calling it at runtime. We won't because devs are in a desperate and futile campaign to outrun console modding (and to some extent piracy) they can't control. With consoles moving to common PC hardware rather than custom hardware like Flipper or Cell they're just going to get broken into faster and faster, so the only bet is harsher and harsher DRM on the software side. AMD straight up sold PlayStation 5 defects as the AMD 4700S "all in one" board.
The CFAA's broad enough so as to allow a lot of creative interpretation. A journalist using view source was breaking the CFAA was one district attorneys view.
This is the only carve out I could find for manufacturers of computers:
> No action may be brought under this subsection for the negligent design or manufacture of computer hardware, computer software, or firmware.
I guess Microsoft could argue their entire operating system business, app store, and update infrastructure are intentionally negligent, and so not covered.
I’d think a reasonable court would say that it’s working as designed, and therefore not covered by the carve out.
The same is the case with the Xbox Series X/S. I was shown three options for the last update: [Update Now] [Continue Offline without Updating] [Shut Down Xbox].
the "but muh security" argument is absolute horseshit 99% of the time. and the 1% that actually need it, are going well beyond automatic updates to secure their systems.
If you look at the background radiation of the Internet of automated things just hitting services to probe for exploits, they are most commonly looking for exploits from bugs in older software.
There's a timing argument - that unless you're at risk of zero days (like you're the DOD) - that you probably don't need to upgrade immediately. But it seems unarguable to me that the longer you wait, the greater the risk from a security perspective.
As always, security is a trade off. Risk of breaking from an update has to be balanced against risk of exploit. I'd argue the latter is going up more quickly than the former.
How many actual zerodays are there that don't require you to ALSO be doing something dumb per year? It seems exceedingly rare. I understand the argument if you're talking about like, a server running some CMS or whatever, sure that's gonna get pwned because it's a big target so it's worth going after. Your natted personal machine? You're fine unless you're running executable off random russian sites (and even then you're probably fine if you're getting your shit from reputable shady sites)
good thing i disable IPv6 at home because it's an annoying pita and i run no machines with windows in the cloud, checkmate :P
on a more serious note though I don't think machines with ipv6 enabled that are behind a NAT are likely to be vulnerable to this, i suppose maybe wormable if you can natpunch through some p2p voip or gaming service, it's the sort of patch i would probably install if i were made aware of it (if i had ipv6 enabled), but being made aware of it doesn't like, leave me worried, and i don't consider it to be likely to affect me unpatched
NAT and IPv6......you really should educate yourself about it IPv6 is not "that" new...trust me (bro). You know, keep learning is a big part of life ;)
It's really not, I never upgrade anything and I haven't been pwned in like a decade. (Or maybe I have been pwned but not in a way that's affected me at all so you know, whatever)
While sibling comment is correct about the discussion I do have a few VPS I've had around for a while (<5 years with only password based SSH too because keys are annoying asf to manage when you're like, on your phone trying to do something etc) and I barely ever upgrade those and everything seems fine. They have DNS pointed at them too so it's not like they're secret in any way.
I suspect it's because I don't use many common software packages so the attack surface is small-ish.
What's difficult about managing keys? I use key login with termux and if anything it's easier because typing passwords (or anything) on a phone is tedious.
Agree in general that people wildly overestimate the risk leaving things alone. e.g. nginx hasn't had a security advisory affecting basic http 1.1 serving static content without TLS in many years. And of course desktops are behind stateful firewalls.
For me a big appeal of having a "home" environment on a VPS is that I can just do useful things from any computer-like device, that's not really possible with keys. Rather than fucking around with keys I can just SSH in from wherever and roll the password when I'm done. High entropy non shared passwords are just fine, you'll get your IP timed out after a couple attempts, nobody is throwing a botnet at bruteforcing my pass.
I understand that auto updates aren't ideal, because they cause breakage (most of my systems dont auto update), but I don't get not updating your systems at all.
so true - the few who are at risk of real exploits are already aware of this and do more than just system updates
I only let my browser autoupdate (somewhat reluctantly) since I view that as the most likely security issue on my winpc but when I used to let win10 autoupdate (and other garbage dell drivers), things would start breaking after each update
this also applies to phone app updates - I only update if there's a reason to, not just for the sake of updating...
and people wonder why I have the best working phone and pc at the office...
Boxes get popped all the time. Why are you painting such a dishonest picture?
> and people wonder why I have the best working phone and pc at the office...
Probably because you know about computers. Nothing to do with your poor security practice.
And this still doesn’t say anything about the explicitly absolutist advice in the parent comment. “No matter the circumstance, turn auto-update off! Just in case you want to partake in some piracy!”
Absurd. There are benefits to enabling auto-updating (security, etc). One should weigh up the costs / benefits oneself and make a call based on that. As usual, such absolutist guidance is hyperbolic.
Nobody should follow this advice. Not least because you (the person giving it) wouldn’t have to live with the consequences of following it, but mostly because it’s idiotic.
