
How to Block Forced Updates

Isn't a firewall meant to stop unauthorised entry?... Supposedly. So what, exactly, is it doing when your software providers gleefully shovel bucketloads of unwanted crap onto your system without asking and without challenge?

Bob Leggitt

Forced updates are not "protection against cyber attacks" - they are quite simply the cyber attack itself.

- Backlit

Let's open with the enquiry of the year:

"How can my software automatically download updates when I have a firewall?"

It's a brilliant question, because it cuts right through the core of an elite tech brainwashing regime which has tricked us into accepting firewalls that simply don't work. And that's the straightforward answer to the query:

If tech providers are able to get unauthorised downloads into your computer without your approval, your firewall doesn't work.

Read that again.

In this article I'm going to document the true facts about well-known consumer firewalls. What they're supposed to do, what they actually do, and how they've been deliberately engineered to block precisely nothing - allowing all manner of attacks, including forced updates, to persist. How they facilitate a scandalous, multi-billion-dollar malware free-for-all, helmed by the Digital Mafia itself. Take a seat. You'll need to be sitting down when you find out what they're doing, and how they've conned you into allowing it.


WHAT'S ACTUALLY HAPPENING?

Before we look at the scale of the problem, let's just consider a basic premise.

Anything that a third party does with your computer, if not authorised by you, is an attack.

It's not a "security upgrade", or a "feature rollout", or any other perversion of language that elite cybertech has managed to brainwash the public into using. It's an assault on your property, and if you did it to the fuckers who are doing it to you, you'd be in prison. We called it an attack before it became a normalised facet of corporate behaviour, and we called the perpetrators criminals. Why should the terminology be any different just because the perp is a corporation?


Said attacks are happening so frequently that people just don't believe it until they see it for themselves.

Even if you don't use a Linux operating system, you may have read that Linux is markedly better-behaved than Windows. That's absolutely true.

Nevertheless, the average Linux environment in 2025 will most likely witness a breach of your consent and security multiple times per minute. That's PER MINUTE. Multiple times PER SECOND during busy periods. And Windows is worse. Just think about that for a moment. Unless you take proactive prohibitive steps, every minute that your computer is switched on, the tech industry is secretly abusing it.

  • Stealing data.
  • Stealing content.
  • Logging your presence and activity.
  • Requesting silent downloads.
  • Installing software which was never given permission to download in the first place.
  • Etc.

How much of the above is in progress will depend on the operating system you use, and the software you've installed. But as I said, even on Linux, where the abuse prospects are considered low, the majority of users will be attacked in all or nearly all of the above ways.

This thoroughly mocks the security staple of permissions. A computer's permissions, in the eyes of the tech industry, are not there to enable you to protect your property. They're there to PREVENT you from interfering with the tech industry's self-assumed right to invade and piss with your property at will.

If you use a firewall that reports all network activity, you can see for yourself just how relentless the tide of digital disobedience is. Just how permissionless the use of your computer, for anyone but you, would otherwise be.

In a recent test on a PC with an Ubuntu-based Linux OS whose native settings had been tailored to optimise privacy, OpenSnitch firewall reported Floorp browser making more than 200 unauthorised network call attempts in the first minute after launch. All commercially-run or commercially-incentivised browsers, however "private" they claimed to be, did this to some extent - by priority in a desperate and persistent bid to self-update. It's the first thing they try to do. They're doing it even before the browser window has loaded.

Firefox was among the worst offenders, although Chromium forks such as Vivaldi, Slimjet, Opera and Edge also hammered at the door like a druggie in a jail cell. Most Chromium forks were worse than Chromium itself. Even Brave, whose entire marketing focus is "privacy", had a phone-home retry rate of over one call per second straight after launch. Librewolf and Mullvad chalked up rates of around 40 per minute, and although a proportion of this was coming from the bundled uBlock Origin extension, it still encapsulates the extent of the free-for-all, as well as the misplacement of our trust.

Nearly all attacks on domestic computers - including forced updates - are triggered from within the computer itself, and rely on outbound network calls, not inbound. Nearly. All. If your firewall is not blocking outbound calls, you're therefore exposed to 99% plus of attacks. So when Windows Defender tells you you're "protected" whilst your outbound traffic is totally unmanaged, it's a straightforward lie.

Staunchly non-commercial browsers such as Icecat, Lynx and Dillo achieved commendable zero scores. But outside of the Linux ecosystem, how many people have even heard of these alternatives? How many would deem them accessible or usable even if they had heard of them?

And of course, browsers are only one offender in a riot of different software definitions.

Bob Leggitt

Because I use a firewall that actually works, none of my software is able to automatically download updates, and therefore, for me, automatic or forced updates don't exist. If they exist for you, you can change that situation. But let's first look at how the situation came about.

- Backlit


AUTOMATIC UPDATES

If you try to search for a history of automatic updates you'll find nil but the repetitive drone of elite cybertech's leading sycophants and propagandists endlessly regurgitating the nauseating phrase "safe and secure". Their aim? To justify a hellscape in which almost everyone's computing hardware is controlled by a cartel of above-the-law criminals hundreds, or thousands of miles away.

"I'm sorry Mr/Ms PC owner, you don't have permission to edit these files ON YOUR OWN DRIVE. But every last injunction-case at the other end of your broadband connection does."

This is the reality of most people's computing lockstep. And it's neither safety nor security. It's carte blanche for a Digital Mafia to perpetually raid your property, break it, anti-competitively piss with its settings, and steal its contents. All of which they do. Because what incentive is there for them to behave better when the public majority sees no alternative and consumer law no longer meaningfully exists?

Indeed it's no surprise that the public majority sees no alternative, because the propaganda and censorship accompanying the Great Firewall Swindle is unthinkably prolific. A mass of so-called "tech blogs" - in reality just advertorial boards for the Surveillance Valley collective - dogpile the search results with industrial scale illusory truth.

The dirge of bone-idle, parrot-fashion press-releasery from staff writers is meanwhile punctuated by guest visits from upper-tier Big Tech propagandists like Doctorow. All mouth when it comes to complaining about tech companies "twiddling" with your setup. But do these hired gobs ever recommend an actual solution? Nope. They're under strict instructions to withhold that information and present corporate lawlessness as the answer instead.

If YOU wanna reset the time on your Linux computer, you need to enter a password. If a gang of tech bros thousands of miles away wanna bust in and do it literally every ten seconds, open door. A working firewall is the only way to reverse this insane state of affairs.

Later in the post we'll look back to the early days of automatic updates, observing how they entered the computing arena arm in arm with disabled and calculatedly inept firewalls. But first, let's see how even the most primitive firewalling principles can make forced updates near impossible.


THE LESSONS OF EARLY FIREWALLS

The first firewall ever created came in response to the Morris Worm, which attacked NASA's California base via the ARPANET email system in 1988. The same virus also mounted invasions at Berkeley, Lawrence Livermore, UC San Diego and Stanford, prompting NASA to take on the production of a countermeasure.

NASA's proto-firewall was a hardware setup - crude by later 1990s standards - which was rooted as much in containment of a virus as in outright blocking. The intranet was segmented into sections or zones. If an attack began in one zone, it could not spread to another, so its effect was limited.

Richard Stallman

Windows is malware.

- Free Software Foundation

This logical strategy is still remarkably effective today. Create your safe zone on a computer or partition that does not have any direct means to connect to the outside world, and it becomes near-impossible for software providers to execute automatic updates within that safe zone. But the safe zone can still be fed by other partitions or local computers, which do have direct access to the outside world.

This undeniably works, but it wouldn't meet with most people's convenience tolerances today. You have to reboot each time you want to move from one partition to another for a start. Networking multiple local computers via routers makes things easier, but not everyone can build a local computer network. So nearly all "firewalling" in the consumer domain is achieved with software. I used quotes around firewalling in the previous sentence because the best-known software-based consumer firewalls don't really do anything - and that's by design.


SOFTWARE FIREWALLING

The same year as the Morris Worm attack, DEC (Digital Equipment Corporation) came up with a radical firewall system of their own, centred around packet-filtering. Although this was again a very primitive implementation, its raw method would become a cornerstone of consumer firewalls. The basic packet-filtering principle of blocking a network call based on its source and/or its destination was established at the off. But as attacks in the consumer domain became more and more inevitable, capable firewalls reversed the pattern. Instead of simply blocking network calls to or from known rogues, the system was set to block ALL network calls, and then whitelist the ones known to be harmless.

The principle is sound. But most implementations of it are deliberately obtuse. Ultimately, tech giants want to thieve data and control your system; firewalls prevent that. It's inevitable, therefore, that tech giants will seek to derail firewalls that genuinely protect the computer owner, and instead push pretend firewalls, or 'non-firewalls', whose only use is to divert attention away from the real ones.


THE FIREWALL SCAM

Mainstream non-firewalls like Windows Defender do actually provide the wherewithal to block specified connections. But what they also do, is obstruct the user's path to setting up a secure permissions framework. Windows Defender is set up to block unauthorised inbound connections which (importantly) are not pre-whitelisted by Microsoft. Which means that unless you de-whitelist Microsoft's collection of pre-approvals, Microsoft can attack your computer in both inward and outward directions, all the time. Which it does - the evidence for which any Windows 11 user will have seen over and over again.

But the real issue comes with outbound network calls, which facilitate the vast, vast majority of consumer domain attacks. I'm now going to explain something about domestic computing security. This is a truth that tech giants proactively censor, and morbidly fear the public finding out:

Nearly all attacks on domestic computers - including forced updates - are triggered from within the computer itself, and rely on outbound network calls, not inbound. Nearly. All.

Why doesn't the tech industry want you to know this? Because the vast majority of said attacks are perpetrated by the tech industry itself, and if the general public learn to block these attacks, the tech industry loses tens of $billions in dirty revenue. People kill for that kind of money. Those are the stakes. End of part one. Here comes part two:

A download can't just start of its own accord. Someone, or something, has to request it via a network call, inside your computer. So when tech products force updates, they're doing so using OUTBOUND network calls, which a genuinely functional firewall would block.

That is why fake firewalls like Windows Defender make outbound blocking near impossible for the average domestic user. Even though Windows Defender does technically facilitate outbound blocking, it's set up to do next to nothing out of the box, and through a combination of false reassurance, warp-level clickwalling, and passive-aggressive silence, it obstructs meaningful use. Here's a summary of the obstruction...

  • Windows Security lists the non-firewall with a literal declaration of "No action needed" - even though it's not blocking any outbound traffic whatsoever, and is allowing a deluge of uninvited incoming traffic.
  • Click into the listing and you see some headlines, telling you that "Firewall is on" in three separate network designations. Still no settings.
  • To get a step nearer to the settings you have to scroll down to a tiny link that says Advanced settings, and click that. You then have to clear an Account Control popup, before finally, the firewall dashboard screen appears. Don't celebrate yet. You're STILL not there.
  • Nope, STILL no means to switch on outbound blocking. You're only seeing a report, made to appear that outbound blocking is simply not something the firewall does. To activate outbound blocking you have to click an even tinier link at the bottom of the block, which says Windows Defender Firewall Properties.
  • You now get a dialogue box which facilitates the activation of outbound blocking.
  • Even if you do activate outbound blocking, Microsoft's software is pre-whitelisted, so it'll all get through anyway.

And if any further proof of Microsoft's obstructiveness were needed, you find, this deep in the clickwalling quicksand, that whilst activity notifications are available for inbound connections, they're not available for outbound. Why?

Why would you only notify in one direction? The direction in which, basically, nothing happens. And just in case you're wondering how we know nothing happens in the inbound direction... Well, Windows Defender is set to notify you of inbound breaches by default, and how many times does it ever notify you of an inbound breach? Virtually never. The breaches occur on the outbound, which is totally unprotected by default, and could not notify you even if you battled through the clickwalling maze to switch outbound firewalling on.

This type of classic Surveillance Valley ruse is evil, but very clever. It's designed to persuade us that our computers are secure when they're anything but. And unlike the actual firewall, the ruse works. Many IT professionals claim Windows Defender does a great job. Even whilst tearing their hair out because the operating system broke due to an unauthorised software installation (AKA aUtOmAtIc UpDaTe) THAT NO FUNCTIONAL FIREWALL WOULD ALLOW TO HAPPEN! That's how well the tech elite have managed to brainwash society.

"I can literally see evidence that it doesn't prevent attacks or damage, but I know it's a great firewall because Microsoft and an inexhaustible array of palmgreased 'tech blogs' said so."


BACK TO THE HISTORY

Let's now look at the reasons why Microsoft felt the need to even bother offering a firewall at all.

As one might expect, consumer-level firewall releases arrived just as the WWW hit the consumer domain in 1994.

Check Point Software's FireWall-1 - widely credited as the original consumer firewall - was a culmination of work done at AT&T in the late 'eighties and early 'nineties, and in particular some early 1990s development of a consumer-friendly graphical interface from Annette DeSchon and Bob Braden at the Uni of Southern California. By the end of the 1990s, the consumer market was rich with firewalling options.


WINDOWS NON-FIREWALL

But consumer Windows systems didn't have one. That's right; firewalls everywhere, except in the most obvious place of all: your Windows operating system. Despite the WWW's snakepit of danger, which was viciously biting an enormous number of home PC users, Microsoft didn't think a firewall was necessary. Even as late as 2001, if you went to your local retail park and bought a PC, it would have full Internet capability, but no firewall.

After much pressure, Microsoft finally bundled a native "firewall" with the new Windows XP, which hit the scene in the second half of 2001. Great - a change of heart then? Nah. XP's diabolical excuse for a firewall - Internet Connection Firewall, or ICF - came both hidden, AND switched off.

That's right, disabled and hidden.

To find the original Windows ICF, you had to right-click on a network connection, select Properties, and then pan across to the Advanced tab, where there was a checkbox to turn the thing on.

But for all the use it was, there was little point in ICF being there. It was hardwired NOT to give any control over outbound connections at all. And as regards the Web, consumer configuration was limited to whitelisting programs or ports for inbound access.

And there the average Windows user remained, in insecure bliss, until... Until 2004, when an apparent landmark decision prompted Microsoft to bring this lunk of a non-firewall out into the open, enabled by default, and integrated into a new "Security Center" via an XP service pack. But why now? Why would MS wait ten years and then suddenly decide users needed a firewall? The answer is simple:

By 2004 it had become abundantly evident that if Microsoft did not activate a pretend firewall and make it plainly visible, Windows users would install a real one. And they were, indeed, doing just that. Microsoft's own capacity to remotely interfere with the operating system was steadily diminishing in the process.

Thus, the basically useless ICF was repackaged as the headlining component in the Windows Security Center. Other than the glossy visuals, the rebranding as "Windows Firewall", and the nice green shield with a reassuring white tick, it was the same lucidly gormless piece of idleware. But it achieved its brief - which was to persuade the average Windows user that they no longer needed a third-party firewall.


AUTOMATIC UPDATES, DO YOUR WORST

Microsoft's campaign of remotely interfering with consumers' computers was already well into its stride by 2004. Automatic Updates had arrived with Windows XP in 2001 - notably alongside the switched-off firewall. In stark contrast to the firewall, Automatic Updates were enabled by default, and without explicit consent. The system was designed to give Microsoft control over the consumer's PC, whilst covering the PR bases with an opt-out, which the vast majority of owners would never find.

Months before XP and its automatic updates hit the streets, John Lettice reported Bill Gates' announcement of it in a grim foretelling of the exact dystopia it eventually caused.

"Resistance is futile..."

...Conjectured the article, before going on to document some of the damage Microsoft's updates had already done, and to warn that Gates was a "serial control freak".

What the article didn't mention was the relationship between Gates' obvious desperation to interfere with everyone's computer on the sly, and a competent firewall's ability to stop it. Although at that time, the updates were still to be technically optional, meaning that anyone who really took exception to them could banish them with a switch.


FORCING MICROSOFT'S HAND

The average consumer firewall in the early 2000s had been poor. Options such as TermiNET and Sphinx Personal came with low asking prices and were diabolically difficult for the average consumer to properly configure. This complaint was levelled at TermiNET in a mid 2001 edition of PC Pro magazine, which said:

"The documentation and online help are woefully inadequate. Home users shouldn't be expected to know about TCP, UDP and ICMP, but [distributor] Danu industries makes no effort to enlighten them. Also, if you opt to create custom rules, you'll need to know which port numbers must be specified to control incoming traffic from remote systems, but no light is shed on this subject."

Even back then, it was as if there was a conspiracy to make firewalls as incomprehensible as possible to the consumer.

BlackICE Defender was a much better product, able to operate with aggression and communication, and importantly, with no compunction about reporting privacy violations as attacks. As a result, BlackICE achieved significant popularity. But it was subsequently bought out by IBM and then shut down with no credible explanation - adding fuel to the conspiracy theory that major tech companies will seek to obliterate any firewall with teeth.

Microsoft could probably have got away with forevermore hiding the Windows firewall, disabled, behind a Network Connection's Properties right-click - had it not been for a genuinely functional, freely available, early 2000s firewall called ZoneAlarm.

If there was a script stating that intuitive, talkative firewalls were not to be given to consumers, then Zone Labs - the makers of ZoneAlarm - had not read it. ZA reported both inbound and outbound connection attempts with popup alerts, allowing the user to accept or decline - permanently if required. This was the system consumers had needed. The system Microsoft could build, but wouldn't.

Accordingly, ZA spread like wildfire, and by late 2003 it had locked the gates to over 25 million Windows PCs (stellar share at the time), as well as inevitably becoming a priority acquisition target. Check Point paid more than $200 million for ZA firewall, and in the early 2000s, post Dot Com Bubble burst, that was a bloody big sum of money. Of course, as in every tale of cybertech glory, ZoneAlarm was rapidly pumped with malware post-acquisition, and became just another surveillance tool.

But it did scare Microsoft into switching on, and making visible, their own non-firewall. Lo and behold; right after the Zone Labs / Check Point handshake, Microsoft finally decided to place its own firewall centre stage, headlining the new Windows Security Center. The Redmond Recidivist knew that the only way to stop upstarts like Zone Labs was to create a sense that Windows was already protected. It wouldn't be. But in consumerism, perception is all.

It's interesting to note that Windows Firewall, and subsequently Windows Defender, were/are of no more use to the average consumer than the crappy little rejects that reviewers panned in the early 2000s.

You can read the complaints in those old reviews today and directly apply them to Windows Defender. No communication, clear-as-mud documentation, users can't configure it, defaults to a "might-as-well-not-be-there" tantamount, doesn't stop attacks. But the planted reviewers of today won't slam Windows Defender, because the Surveillance Valley cartel pays their wages.


SOLVING THE PROBLEM

To meaningfully protect your computer from forced updates, you need a firewall which:

  • Defaults to blocking ALL inbound and outbound network connections.
  • Reports every attempted network call to you - whatever the direction - and gives you the choice to block it or allow it. Not in a little log-viewer that you have to open to see. In a desktop popup, in your face.
  • States the source and destination of each network call, and allows you to block/approve either by source, or by destination. That is, if Firefox is trying to call push.services.mozilla.com, which it will, the firewall allows you to block either Firefox, or push.services.mozilla.com. The reason you need the option to block destination domains as well as source applications, is that some software, such as a browser, cannot simply be blocked at source. If you merely block the Firefox application from accessing the Internet, it won't be able to load any websites. But the facility to block destination domains (which will include the update download domains), lets you still access websites, but prevent the application from phoning home.
  • Allows you to approve/block either permanently or temporarily. See below for more on this...

When you start using a firewall that actually works, the popups will overwhelm you. One after another, a bombardment of popups saying: "This is trying to connect to this", "That is trying to connect to that". It's Hell. And the nightmare of relentless popups is a measure of how far the surveillance machine has run out of control.

So it will feel like playing a zap-the-alien game immediately after you install a working firewall. But as you permanently block more and more connection attempts, the barrage fairly quickly dies down, and you then enter a second phase of occasional popups. You'll still go back to the bombardment when launching various pieces of software. But again, it will subside as you teach the firewall how to behave, using the Accept or Decline buttons on its popups.

Do not give up!

Do not, under any circumstances, think: "This is too much hassle; I can't be bothered". Every time one of those annoying popups appears, consider it an opportunity to deprive a CRIMINAL, corporate stalker of revenue. You will reach the point where there are no popups left and you've successfully locked down your system. Even if it takes a week, the value of what you've done is immeasurable.

You now control your computer.

You update what you want to update, at a time that suits you, if at all. You have vastly, vastly better privacy. And you gain a fantastic (if disturbing) insight into how the surveillance machine works. You'll see what your browser extensions are failing to block.

Bob Leggitt

Properly firewalling your computer is one of the most militant actions you can take against a regime that relies on you offering an open door.

- Backlit

You'll see what your browser itself is trying to do before the extensions even load. You'll see your operating system itself trying to "check the time" - which, if done every few seconds as it commonly is, serves as a perfect way to log your computer usage with precise-minute accuracy.

You'll see dumb little apps that you didn't even need, aggressively and persistently trying to phone Google, or Amazon, or any of the other usual suspects.

And especially on Linux, you'll see which applications are impeccably behaved, simply doing their job with full respect for your consent. We're often too busy applauding marketing bullshit to spend time applauding genuinely well-behaved software. But compare respectful developer tools like Vim and Emacs, to surveillance tools like Microsoft's VSCode, and you begin to respect the good stuff back. Maybe the quirks of Vim and Emacs take a bit of time to get used to, but investing time in something you can see is trustworthy is worthwhile. And for anyone who would suggest VSCodium as an "independent" version of VSCode: yes, it's better, but still phones Microsoft, and it's still at the mercy of evil overlords' whims. Committing to something like Vim or Emacs is a much safer bet in the long term.


I'm not going to pretend firewalling is easy. Even with a good firewall, like OpenSnitch, which is free, and which covers all of the bases listed above, it's hard work. One tip I would give is to increase the decision period. Out of the box, OpenSnitch gives you 15 seconds to decide what you're going to do, and then intervenes, temporarily blocking the connection. Increasing this to half a minute or more, will let you make better choices.

If you make bad choices - in particular, permanently blocking a critical connection - you can experience major problems. In extreme cases, total loss of networking access. Obviously, disabling the firewall will restore your access, but then you're not protected, and this is the exact ultimatum that junk like Windows Defender uses to get consumers to enable all outbound connections.

Defender and its ilk don't offer any notifications on outbound traffic, so for most consumers either the firewall doesn't work, or the computer doesn't work. Mafia 101. Good firewalls, conversely, do provide notifications, which help you organise an effective setup. But if you permanently block something you need, even a firewall with notifications will not report it again, so it can be difficult to see where the problem is.
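The rule behaviour listed under SOLVING THE PROBLEM, together with the timeout and permanent-block pitfalls just described, can be modelled in a few lines. This is an added example, not code from the original article and not OpenSnitch's own code or rule format. The class names, the Firefox path, the `clock-sync` program, the `example` hosts, the 30-second temporary block and the deny-beats-allow ordering are all assumptions of the sketch.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


def norm(host: str) -> str:
    """Compare host names case-insensitively and without a trailing dot."""
    return host.lower().rstrip(".")


@dataclass(frozen=True)
class Conn:
    """One outbound connection attempt: the calling program and its destination."""
    process: str
    host: str


@dataclass(frozen=True)
class Answer:
    """The user's reply to a popup. seconds=None makes the rule permanent."""
    action: str                         # "allow" or "deny"
    by: str                             # "process" or "host"
    seconds: Optional[float] = None


@dataclass
class Rule:
    action: str                         # "allow" or "deny"
    process: Optional[str] = None       # match on the source application ...
    host: Optional[str] = None          # ... or on a destination domain and its subdomains
    expires_at: Optional[float] = None  # None means permanent

    def matches(self, conn: Conn, now: float) -> bool:
        if self.expires_at is not None and now >= self.expires_at:
            return False                # a temporary rule that has lapsed
        if self.process is not None and conn.process != self.process:
            return False
        if self.host is not None:
            name = norm(conn.host)
            if name != self.host and not name.endswith("." + self.host):
                return False
        return True


class Firewall:
    def __init__(self, temp_block: float = 30.0):
        self.rules: List[Rule] = []
        self.prompts: List[Conn] = []   # every popup shown to the user
        self.temp_block = temp_block    # assumed length of the block applied on timeout

    def decide(self, conn: Conn, now: float,
               answer: Optional[Answer] = None) -> Tuple[str, str]:
        """Return (verdict, reason). answer=None models the decision period running out."""
        # Assumption of this sketch: a matching deny beats a matching allow, so a
        # blocked update domain stays blocked even when the browser itself is allowed.
        for wanted in ("deny", "allow"):
            for rule in self.rules:
                if rule.action == wanted and rule.matches(conn, now):
                    return wanted, "rule"
        # Default deny: nothing leaves without a rule, and the user is asked.
        self.prompts.append(conn)
        if answer is None:
            # No reply in time: block this exact program/destination pair for a while.
            self.rules.append(Rule("deny", conn.process, norm(conn.host),
                                   now + self.temp_block))
            return "deny", "timeout"
        expires = None if answer.seconds is None else now + answer.seconds
        if answer.by == "process":
            self.rules.append(Rule(answer.action, process=conn.process, expires_at=expires))
        else:
            self.rules.append(Rule(answer.action, host=norm(conn.host), expires_at=expires))
        return answer.action, "user"

    def silent_blocks(self, conn: Conn, now: float) -> List[Rule]:
        """Permanent deny rules hitting conn; these never prompt again."""
        return [r for r in self.rules
                if r.action == "deny" and r.expires_at is None and r.matches(conn, now)]


def demo():
    """Replay a constructed session (sample programs and hosts are made up)."""
    fw = Firewall()
    firefox = "/usr/lib/firefox/firefox"
    clock = Conn("/usr/bin/clock-sync", "time.example.net")
    push = Conn(firefox, "push.services.mozilla.com")
    out = [
        fw.decide(push, 0, Answer("deny", "host")),                        # block the domain
        fw.decide(Conn(firefox, "example.org"), 1, Answer("allow", "process")),
        fw.decide(push, 2),                                                # blocked, no popup
        fw.decide(clock, 3),                                               # nobody answers
        fw.decide(clock, 40),                                              # temp block lapsed
    ]
    return fw, out


if __name__ == "__main__":
    fw, out = demo()
    for verdict in out:
        print(verdict)
    print("popups shown:", len(fw.prompts))
```

`silent_blocks` is the check to reach for when something stops working after a permanent decline: it lists the permanent deny rules that match the failing connection, which no popup will ever surface again.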

Treat firewalling as the challenge and potential achievement it is. Don't tell yourself "It's just a firewall". It's literal freedom. Getting it right takes time investment, and warrants time investment. If you'd been wrongfully jailed, and you'd been given the chance to appeal, would you invest two minutes in your planning and then say: "This is too much hassle, I can't be bothered"? No. You'd persevere until you fell asleep on the job, because freedom is worth that much.

If you don't have a working firewall, you don't own your computer.


BUT I CAN'T USE OPENSNITCH ON WINDOWS

No. And I'm not going to waste time trying to find a genuinely effective firewall for an operating system whose manufacturer roots in backdoors and pays OEMs to brick competitors. I don't recommend using Windows at all, and I think that if the lure of OpenSnitch prompts people to switch to Linux, it's two wins in one. If enough people do it, it's also a win for society, because it restores competition and diminishes the power of dangerous, authoritarian, digital vandals and extortionists.

Please consider at least trying out Linux, which you can do for free, and without even installing if you download a "live" ISO - which boots and runs from a flash drive or DVD. And with most major Linux distributions, even if you do install, you don't have to delete Windows. You can install alongside a Windows OS, on a dual boot, which gives you a menu when the PC starts.

And neatly, this brings us back to the oldest firewalling concept of them all. Safe-zoning. Disconnect Windows from the Internet, and it can no longer update. But you can still feed it via your Linux OS on the other partition. A Windows drive can be mounted by Linux on demand, with a simple click, which gives you an easy means to transfer programs, downloads and files back and forth.


IN CONCLUSION

In the history of the world, it has never been possible to win freedom by clicking a button provided to you by a commercial enterprise, for free. That's just a marketing meme. It doesn't work, and it's delusional to imagine that it would. If you will not fight for your freedom, you will never be free. It's as simple as that. And the law cannot protect you from entities with more power than the lawmakers. Entities who, indeed, themselves make the law. Entities with the power to shut down a country.

You have to go militant. And properly firewalling your computer is one of the most militant actions you can take against a regime that relies on you offering an open door.