I was talking with an insurance adjuster when he asked me what I do for a living. I explained that I help companies make sure they’re doing a good enough job of updating their computers. That visibly disturbed him. “So should I install updates on my computer or not?” he asked.
Security experts agree that installing updates on your computer is one of the top three things, if not the most important thing, you can do to protect your security and privacy. It’s also one of the easiest things home users can do, and the most practical.
It’s literally what I do for a living
Installing updates is controversial, but some people find the controversy humorous. What I typically see, when working with large companies, is that first I have to get them convinced that installing updates is something they need to do. Then, once I manage to convince them that they need to install updates, they think I’m crazy when I tell them they don’t necessarily have to install all of them.
Don’t get me wrong. I’d rather they install all of them. But when you’re a large company with millions of missing patches, if I ask you to install all of them, you won’t. You say you will but I know from experience you won’t, because the task becomes too daunting.
What I find is once I get companies to install the most critical updates to their computers, it transforms their security program. They go from being infested with hackers to not having problems with hackers anymore.
Australian spooks agree
The Australian Signals Directorate, the Australian equivalent of the NSA, has a list of 35 recommendations to stop hackers. But they found four of those items give you 85 percent of the benefit. The ASD’s top four recommendations are these:
- Application whitelisting
- Install updates
- Disable Microsoft Office macros, except for vetted, trusted macros
- Block Flash and Java from the Internet and disable other unneeded features in Microsoft Office and Adobe Acrobat Reader
I have a smaller sample size than the Aussies have, but my experience matches theirs. Several years ago I worked at a small company that let me implement those four things. It took about six months, and I basically worked myself out of a job because there wasn’t much work left for me to do. They said my job was safe, but I was bored out of my mind.
At home, it’s difficult to do all four of these things. Application whitelisting is possible but clunky. When it comes to Microsoft Office, you’ll either disable macros entirely or leave them set at Microsoft’s defaults. It’s too difficult for a home user to implement government-grade security when it comes to Office macros. Blocking Java is easy. Home users can just uninstall Java and not miss a thing. Uninstalling Flash is impractical. Chrome automatically blocks Flash from less-popular web sites, and that’s the best you can expect a home user to do.
That leaves installing updates. Generally there are two reasons people object to installing updates.
Why should I install updates on my computer? Updates break things.
The first objection is that updates break things. And admittedly, this happens more often than it should, but it’s rare. People challenge me on this one, but then I ask when they last updated something and it broke. The response is predictable.
“All the time,” they say.
That calls for further questioning. “So, last month then?” I ask.
When I press further, “all the time” really means there was one catastrophic incident, and it was probably several years ago.
And that lines up with what the numbers say. In a really bad year, updates break things about one percent of the time. The rest of the time, updates fix things. That’s what they’re designed to do. The reason computers need updates is that software has bugs in it.
The key is to install the good updates and avoid the bad updates. The easy way to do this is to not update your computer right away. Microsoft releases updates on the second Tuesday of every month. Not everyone follows that schedule, but generally speaking, more updates come out at the beginning of the month than at the end.
So wait until the 30th to update your computer. When a company drops a duff update, we know within a week, then they withdraw it. If you wait until the 30th, you’ve given them more than enough time.
What if someone uses computer updates to spy on me?
The other objection I hear is that someone might be using those updates to spy on people. And I admit, I’m going to have a hard time proving otherwise. I can run a packet capture on my computer and analyze the traffic flying out of it, but I have better things to do with my life.
It is true that Lenovo got caught installing spyware on its computers, and that hackers used Asus’ update mechanism to install spyware. But these were isolated incidents.
Look at it like seat belts in your car. When I was a kid, a significant number of people believed seat belts don’t work. But the numbers say otherwise. Wearing a seat belt decreases your chances of death or critical injury in an accident by a consistent 50 percent if you’re in the front seat, and a staggering 75 percent if you’re in the back seat. And if you’re in an accident, you are 16 times more likely to escape injury if you wear a seat belt.
While it’s possible your seat belt can hurt you, it’s 16 times more likely to help you escape injury. So the math says to wear a seat belt.
Updates, like seat belts, are designed to protect you. If you’re still not convinced, it may help to understand the threat.
Why people spy on you
The reason anyone, whether it’s a random evil hacker or a large corporation, might spy on you is simple. Money. The corporation is trying to figure out how to sell you stuff. Then it either uses that information to sell you something, or sells that information to someone else so they can sell you something.
That’s the threat from a corporation.
The threat from a hacker is worse. The worst thing a hacker can do is break your computer, or lock your computer up and charge you hundreds of dollars to get it back.
“But if Dell pushes a bad update to my computer, they can make me buy a new computer,” my insurance adjuster said.
That’s possible, but it’s bad business. If Dell breaks your computer and you have to buy a new one, you might buy a Dell because you think every company does the same thing. But you’re much more likely to buy another brand. I don’t know how much more likely, but Acer, Asus, Dell, and HP know. They’re well aware of why there were 20 large companies selling computers at any given point in the 1990s and five today.
But Lenovo and Asus spied through computer updates anyway!
Yes, you may say, but Lenovo and Asus did it anyway. Agreed. Lenovo got caught installing spyware back in 2014 and 2015. Asus got caught in 2019, though in this case, it was someone else using Asus’ update mechanism, so Asus was unintentionally facilitating the spyware, rather than doing it themselves.
The key words are “they got caught.” Catching companies in the act of doing these things is a great way to make a name for yourself, so there’s no shortage of Internet vigilantes out there keeping these companies honest. When they do something stupid, they get caught. In Lenovo’s case, they even got fined.
They’ll learn. And the threat from not installing updates is worse. The worst thing they can do is break my computer. I can buy a new one for $300. The more likely thing they’ll do is figure out my shopping preferences. Whether I prefer Home Depot or Lowe’s is none of their business, but it doesn’t cause me a great deal of harm.
If a hacker installs ransomware on my computer, it could cost me $2,000 to get my computer back. That’s a far more severe outcome, and it’s also a rather likely outcome if I don’t install my updates. If HP figures out that I prefer Home Depot because it’s three minutes away, I’m OK with that.
How large companies spy on you
I’ll let you in on another dirty secret. Large companies spy on you anyway. HP probably knows nothing about me, but AT&T and T-Mobile and Google all know whether I prefer Home Depot or Lowe’s. AT&T is my Internet provider. T-Mobile is my phone provider. Google is my preferred search engine.
It’s trivially easy for any Internet provider to log what web sites their users are visiting. It’s so easy for them to do, it’s silly not to assume they are.
We know cell phone providers log where you go. On January 19, 2019, I picked up Thai food. There’s a lingerie store in the same plaza as my favorite Thai place. Did I wander into the lingerie store while I was supposedly just picking up Thai food? T-Mobile knows. T-Mobile probably can’t triangulate precisely which table I sat at while I waited, but they have enough data to extrapolate whether I went to the bathroom while I was there, and how long I was in there. And if they know how long I was in there, guess what else they can extrapolate?
Your cell phone is a far, far greater threat to your privacy than your up-to-date computer is. We accept that intrusion into our privacy. It’s ludicrous to worry about what Dell knows about us when our cell phone providers know enough about us to literally figure out our bathroom habits.
That’s not even to mention what people willingly share on social media.
How to keep your computer manufacturer from spying on you
If you don’t want Dell or HP or Lenovo or Asus spying on you, you can avoid the risk easily enough. Just download a copy of Windows 10 from Microsoft (they won’t charge you), then format your hard drive and install a fresh copy of Windows. Then you’re using Microsoft’s drivers, not the drivers from your computer manufacturer. The bare-bones drivers you get from Microsoft won’t have the spyware components.
If Microsoft doesn’t have the driver you need, they’ll suggest drivers, and those will come from AMD, Intel or Nvidia, which, again, are more stripped down and less likely to contain spyware.
If you don’t know how to do that, pay someone to do it. They’ll probably charge you less than $100. I recommend it, but that’s because it makes your computer run faster. I have no reason to believe HP or Dell know what kind of music I listen to, but should I care? Like I said, T-Mobile, and possibly Apple, both know my bathroom habits unless I leave my phone at my desk.
And if that’s not enough to make you feel safe, run Malwarebytes to clean up any spyware on the computer. The free version is good enough for home use.
Why you should install updates on your computer
Finally, there’s one much bigger, overarching reason why you should install updates on your computer. Updates fix things.
It’s natural for us to remember the one time we updated our computer and broke something, just like it’s natural to remember that time I mailed a letter from St. Louis to Columbia, Missouri, and the post office routed my letter through Birmingham, Alabama. We remember the one time the post office lost our mail and ignore the number of times it delivered the mail. I’ve actually tracked that, because I used to sell a lot of things online and if my package didn’t arrive, I had to give refunds. In the years when I shipped 7,000 packages, the post office lost five. That means the post office successfully delivered my package 99.92857% of the time.
The guy who told me he didn’t like installing updates because Dell might be using updates to spy on him admitted that he had problems with his USB ports not working. He couldn’t use a thumb drive, he couldn’t print, and he couldn’t use an external keyboard or mouse. His computer was bugging him to install updates, so out of desperation, he did. And then his USB ports all magically started working.
It wasn’t magic. It was the updates.
What you’re going to find is that if you install your updates, your computer will work better. I have a dozen other stories just like that one. The benefits outweigh the risks. Minimize the risk by installing a clean copy of Windows and waiting to update your system until the 30th of the month.
And besides, the risk from updating your computer is far less than the risk of carrying your smartphone around with you, let alone the risk of spyware locking your computer up and charging you 2 grand to get it back.