Re: Update on wide-spread NewTear Denial of Service attacks

From: Tim Newsham (newshamat_private)
Date: Wed Mar 04 1998 - 14:35:27 PST

    > If every single patch/fix/hotfix for NT was fully regression tested
    > before being released, such fixes would not see the light of day, let
    > alone a customer's machine, for months.
    
    I've gotten several replies like this already (and I just posted
    the original post a few hours ago).  Yes, I know companies like to
    disclaim things to "protect" themselves.  I know they want a quick
    lead time.  I know all of this.  So what?  If Microsoft puts out
    a fix and RECOMMENDS that people don't apply it, guess what, people won't
    apply it.  Microsoft either needs to recommend that everyone applies
    their security fixes, or they need to EXPECT that people won't apply
    them.  It's that simple.  They want to require that everyone has
    the fixes without taking responsibility for problems that might
    arise from installing the fixes.  This is unacceptable.
    
    > Microsoft releases regular patch kits, which are fully regression
    > tested, called Service Packs, which incorporate all the hot fixes
    > released since the last one. I would much rather have Microsoft say they
    > don't know if the fix will work in all environments, but make it
    > available to me to try, than to have them wait for the full testing you
    > call for.
    
    I would beg to differ.  The problem with service packs is exactly that
    they have not been released regularly.  I have no objection to
    the strategy of releasing hot fixes quickly then following up
    with more proper service packs.  I do have problems with Microsoft
    failing to take responsibility for patches that are obviously
    "required" patches for anyone who has bought NT on the promise that it
    is secure.
    
    > For years people complained that Microsoft wasn't responsive enough to
    > security issues and now, when they make patches available in days, it
    > seems like you're asking them to go back to their old ways.
    
    You seem to have entirely missed the point of my post.
    
    > Nobody does full regression testing on an OS patch that's available in
    > days, nobody. The warning is a simple reminder it's not possible.
    
    The way it's worded, the warning is more than that.  The warning explicitly
    states that you SHOULD NOT apply the patch unless you are experiencing
    problems.
    
    Do you simply not see why I find fault with this?
    
    > Russ
    
    
                                        Tim N.
    


