Re: Software Inertia

From: Michael Howard (mikehowat_private)
Date: Thu Jan 28 1999 - 10:26:28 PST

    The samples install if you include the SDK components...
    
    Cheers, MH
    IIS Security
    
    
    -----Original Message-----
    From: Nate Lawson [mailto:nateat_private]
    Sent: Tuesday, January 26, 1999 12:59 PM
    To: BUGTRAQat_private
    Subject: Software Inertia
    
    
    Michael Howard wrote:
    >we've always recommended people remove ALL samples from any production
    >server - incl ExAir, WSH, and ADO samples etc.
    >
    >Cheers, MH
    >IIS Security
    
    While good advice, this doesn't consider one of the proven tenets of
    computer systems:
    
        Nearly all software is run in default configuration.
    
    The success of the "wizard" install is great proof of this.  People hit
    the Next button until forced to enter something.  An adjunct to this is:
    
        Patches are not applied until a problem becomes intolerable.
    
    People don't change until motivated by discomfort.  The effort required to
    monitor advisories, download the patch, apply it, and then test it is too
    high today for most IT departments.  Also, the sheer number of deployed
    systems makes it very difficult to even locate assets (corporate Y2K
    efforts demonstrate this -- the problem is one of asset management,
    not technical prowess).  The impact of all this would be limited, except
    for this final tenet:
    
        Software lives forever.  It will be molded, updated, patched,
        cut-and-pasted, emulated, and linked for decades.
    
    This means that even when some systems are upgraded, bugs will survive in
    the unpatched systems.  They will reappear and be written into new code.
    A great example of this was the popen() hole in sudo a few years back.
    Because the buggy code was published in a popular system administration
    book, it continues to survive in the wild even though the distribution was
    patched a while ago.
    
    It is good advice to never run a system in its default configuration, but
    if these sample scripts are part of the straight-and-narrow wizard path,
    they will be found on nearly all systems.  To believe otherwise would be
    hopelessly naive.
    
    -Nate
    
    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:31:52 PDT