[61140] in North American Network Operators' Group


Re: Microsoft distributes free CDs in Japan to patch Windows

daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Mon Aug 25 10:08:38 2003

To: Jack Bates <jbates@brightok.net>
Cc: nanog@merit.edu
In-Reply-To: Your message of "Mon, 25 Aug 2003 08:35:43 CDT."
             <3F4A10AF.7080903@brightok.net> 
From: Valdis.Kletnieks@vt.edu
Date: Mon, 25 Aug 2003 10:00:24 -0400
Errors-To: owner-nanog-outgoing@merit.edu



On Mon, 25 Aug 2003 08:35:43 CDT, Jack Bates <jbates@brightok.net>  said:

> Which is why Microsoft should issue a software equivalent of a recall.
> Systems shouldn't be sold vulnerable without at least a patch CD.

The problem is that you need to look at the sum of (lead time) + (time patch CD
spent on shelf).  Given a lead time of 4-6 weeks, and sitting on the shelf for
2-3 weeks... and suddenly you're looking at a 2 month old patch CD.

Now take a look at the last few years' Microsoft advisories, and ask yourself:
What percent of the time was the *last* remote-exploitable major hole more than
2 months old?

And getting the lead time down to 4-6 weeks would be a challenge - remember you
have to *ship* the re-mastered patch CD to every retailer and get it on the
shelves.  That's going to hit your bottom line.  And keep in mind that
Microsoft doesn't have to answer to its customers, it has to answer to its
shareholders. As long as security problems don't affect its bottom line, we're
not going to see any change at all.

