Most active commenters
  • ranger_danger(5)
  • orf(3)

Sysadmin shock as Windows Server 2025 installs itself after labeling error

(www.theregister.com)
91 points robaato | 26 comments | 06 Nov 24 23:02 UTC | HN request time: 1.113s | source | bottom
1. Animats ◴[06 Nov 24 23:53 UTC] No.42071463[source]
"or paying for the required license?"

Where was the acceptance of a contract requiring that? Microsoft just gave people a free upgrade.

replies(2): >>42072582 #>>42075922 #
2. ahoka ◴[07 Nov 24 00:03 UTC] No.42071554[source]
“installs itself” = a 3rd party patch management product installed the update
replies(2): >>42071963 #>>42072024 #
3. gnabgib ◴[07 Nov 24 00:06 UTC] No.42071594[source]
Discussion (75 points, 18 hours ago, 26 comments) https://news.ycombinator.com/item?id=42057451
4. troseph ◴[07 Nov 24 00:22 UTC] No.42071721[source]
David Attenborough voiced "Sysadmins are cautious by nature" in my head.
replies(1): >>42072922 #
5. heraldgeezer ◴[07 Nov 24 00:49 UTC] No.42071963[source]
Or if you auto approve security updates. As is common. Azure VMs even default to auto-update pulls from MS.

https://imgur.com/a/RvEx3yn

6. Brian_K_White ◴[07 Nov 24 00:55 UTC] No.42072024[source]
A 3rd party tool did what MS told it to do.
7. PittleyDunkin ◴[07 Nov 24 02:15 UTC] No.42072582[source]
I imagine the definition of "upgrade" depends on the needs of the customer. The merchant of the license is inherently unable to evaluate this. Installing software without explicit consent, especially not-functionally-equivalent-software, is inherently wrong.
replies(1): >>42072809 #
8. mattsimpson ◴[07 Nov 24 02:33 UTC] No.42072721[source]
We got an urgent notice today from our central IT group warning of this catastrophic screw up of epic proportions, and I could hardly believe it.

This is way worse than the Crowdstrike debacle.

9. causality0 ◴[07 Nov 24 02:46 UTC] No.42072809{3}[source]
It's amazing to me that we're all so chill about a company in Redmond having root access to our PCs because they pinky-swear they will never misuse it.
replies(1): >>42072826 #
10. ranger_danger ◴[07 Nov 24 02:48 UTC] No.42072826{4}[source]
And yet when you call it what it is (a backdoor) people get highly offended. Same thing with ubuntu snaps or really anything that updates automatically.
replies(1): >>42073901 #
11. gjvc ◴[07 Nov 24 03:03 UTC] No.42072922[source]
and ending with "why they do it? -- we just don't know..."
replies(1): >>42075130 #
12. yonatan8070 ◴[07 Nov 24 04:47 UTC] No.42073501[source]
I'm not sure I understand what Heimdal actually does. Aren't updates handled by Windows Server itself?
replies(1): >>42075638 #
13. 112233 ◴[07 Nov 24 06:11 UTC] No.42073901{5}[source]
How exactly updating non-automatically would help you avoid vendor backdoors that could be placed in the software by a request from the vendor government?
replies(1): >>42080200 #
14. tetris11 ◴[07 Nov 24 08:39 UTC] No.42074822[source]
Windows decided to ruin its desktop, but that's okay because the business servers are where the real money is at, and thankfully they'd never do anything to destabilise that customer base...
15. rgbswan ◴[07 Nov 24 09:32 UTC] No.42075130{3}[source]
so they don't get caught passing down and spreading backdoors and illegal telemetry ...
16. rincebrain ◴[07 Nov 24 11:09 UTC] No.42075638[source]
I believe Heimdal is supposed to provide patch management cross-platform, so similar to what RHN/WSUS/etc provide, but for all your platforms on one system.

Also, Microsoft has been aggressively removing the ability to control what patches you install, I assume because they don't test most combinatorics of possible patches running and people kept picking and choosing, so if you still wanted that level of control despite being told "don't do that", you would use a system like that.

17. thro1 ◴[07 Nov 24 12:04 UTC] No.42075922[source]
Right. From the comments:

>Even better, legally if something is provided as a gratuity without any bargained-for exchange, then it is considered a gift as there is no basis in contract to support a claim that payment is due.

>Given that the existing software on the server may not work with the new server I'd start with this being an offence under the Computer Misuse Act and ask for damages.

>The proper procedure is Redmond sends its engineers to reinstall the original version - at its own cost - and presents its excuses to the customers that it fucked over.

>>Or make Windows 2025 a free upgrade to Windows 2022 licensors, just like how Win11 is free to licensors of Win10

18. kotaKat ◴[07 Nov 24 13:12 UTC] No.42076351[source]
Why the hell is Microsoft offering in-place OS upgrades of Windows Server in Windows Upgrade that are one-click "sure, why not, let me just break my license"?

https://i.redd.it/xgk7t0sii3zd1.png

https://i.redd.it/4o92m0nwi5zd1.png

19. ranger_danger ◴[07 Nov 24 19:50 UTC] No.42080200{6}[source]
If you or someone else inspect the update and find something malicious before the update is actually applied, I think that's useful.

For example look at how many "patch tuesday" update fails there have been... I think it's sometimes a good idea to not always apply new updates immediately for this and other reasons.

replies(1): >>42081435 #
20. orf ◴[07 Nov 24 21:46 UTC] No.42081435{7}[source]
Right, but this is expensive and dumb so nobody is going to do it themselves.

And then you’re back to trusting an external third party, just slower and with greater expense.

replies(1): >>42081537 #
21. ranger_danger ◴[07 Nov 24 21:57 UTC] No.42081537{8}[source]
I don't think it's dumb, I have been saved from disaster too many times to count, by just waiting a little bit after something new comes out, to see if other people start having problems that might affect me.
replies(1): >>42081602 #
22. orf ◴[07 Nov 24 22:03 UTC] No.42081602{9}[source]
That’s a different thing entirely - waiting for a review of a product before purchasing is different from inherently untrusting the manufacturer of the product, as it may contain something malicious that is targeted at you.
replies(1): >>42081715 #
23. ranger_danger ◴[07 Nov 24 22:17 UTC] No.42081715{10}[source]
I'm still only talking about updates. I didn't update xz for example, and I'm glad I didn't because it turned out to be compromised in certain versions.
replies(1): >>42081833 #
24. orf ◴[07 Nov 24 22:30 UTC] No.42081833{11}[source]
Sure, or it could have left you vulnerable in other versions.

Waiting for others to hopefully discover targeted security vulnerabilities and only updating after an ad-hoc timeframe if nobody shouts “FIRE!” isn’t a security posture, it’s just terrible patch management.

replies(1): >>42083843 #
25. ranger_danger ◴[08 Nov 24 03:29 UTC] No.42083843{12}[source]
I don't think things are always so black and white but I respect your opinion.