Seth Arnold [sarnoldat_private] wrote:
> I think picking on the ISPs is the wrong approach. Ask Microsoft why it
> took over a month before their patches were applied to nearly half a
> million systems.[1] Ask Microsoft why they don't perform better code
> audits to find the gaping holes in their software. But don't bother the
> ISPs too much -- if they start blocking OS/WebServer specific yet
> RFC-compliant traffic, their customers may not like the intrusion. (I
> know I don't want my web traffic scanned to protect people who don't
> patch their systems...)

Agreed. The ISPs just can't possibly secure all their customers' systems. They could, if they wanted to, charge the customer if the customer attacks (either willingly or not) another.

However, I suppose it's -still- too difficult to keep a Windows box up to date (for Joe 'I use Windows because it's easiest' User). It's still a manual process that the user both needs to know about and be willing to do.

I recently got my hands on Mac OSX and they have automated updates. When the system is first installed, it asks the user if they want to download the updates. If so, it goes and does it. At the same time, it sets up a schedule for weekly -automated- updates. This means that an OSX box is never more than a week out of date -and- the user has to do -nothing- to accomplish this feat.

So, why doesn't Microsoft do this? Why not schedule automated, unattended updates? Make it such that the user can turn this off, but the default should be to update, -especially- for server class systems (Win2k Server). Granted, this doesn't help those without an Internet connection, but who cares? They're not a problem. If Win2k updated itself on a weekly basis, Code-Red (and the next and the next and the next Windows based worms) wouldn't have been able to infect -nearly- as many systems. To me, this is the answer. Server based systems usually have plenty of bandwidth.

A different set of patches could be offered for the desktop class systems (Win9x, Me, 2k Prof.) that might be more bandwidth friendly and only apply to the highest priority stuff.

Anyways, Microsoft? Hello? Are you there?

> [1] they put an awful lot of effort into copy protection .. how about
> 'forced upgrade protection', that disables internet connections when
> computers are unpatched for 14 days after release of a patch? Or how
> about machines that automatically apply patches? Or email administrators
> every time a patch is released?

Exactly. Email isn't enough. Automatically apply patches.

Mike
--
Mike Johnson -- mikejat_private
OpenNMS -- http://www.opennms.org
--
Like many things in awk, the majority of the time things work as you would expect them to work. -- The GNU Awk User's Guide.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Tue Jul 31 2001 - 09:29:58 PDT