[94824] in North American Network Operators' Group


Re: Every incident is an opportunity (was Re: Hackers hit key

daemon@ATHENA.MIT.EDU (Steven M. Bellovin)
Sun Feb 11 14:00:15 2007

Date: Sun, 11 Feb 2007 13:49:13 -0500
From: "Steven M. Bellovin" <smb@cs.columbia.edu>
To: Dave Pooser <dave.nanog@alfordmedia.com>
Cc: nanog <nanog@merit.edu>
In-Reply-To: <C1F4A53A.D8265%dave.nanog@alfordmedia.com>
Errors-To: owner-nanog@merit.edu


On Sun, 11 Feb 2007 10:49:30 -0600
Dave Pooser <dave.nanog@alfordmedia.com> wrote:

> 
> > He was both right and wrong -- patches do break a lot of stuff.  He
> > was facing two problems: the probability of being off the air
> > because of an attack versus the probability of being off the air
> > because of bad interactions between patches and applications.
> > Which is a bigger risk?
> 
> That's an argument for an organizational test environment and testing
> patches before deployment, no? Not an argument against patching. That
> said, I would LOVE to see MS ship a monthly/quarterly unified updater
> that's a one-step way to bring fresh systems up to date without
> slipstreaming the install CD. Then press a zillion of 'em and put
> them everywhere you can find an AOL CD, for all those folks on
> dial-up who see a 200MB download and curl up in the fetal position
> and whimper.
> 

Surveys have shown an inverse correlation between the size of a company
and when it installed XP SP2.

Yes, you're right; a good test environment is the right answer.  As I
think most of us on this list know, it's expensive, hard to do right,
and still doesn't catch everything.  If I recall correctly, the post I
was replying to said that it was a non-profit; reading between the
lines, it wasn't heavily staffed for IT, or they wouldn't have needed a
consultant to help clean up after Blaster.  And there's one more thing
-- at what point have you done enough testing, given how rapidly some
exploits are developed after the patch comes out?


		--Steve Bellovin, http://www.cs.columbia.edu/~smb
