Jason et al,

You are absolutely correct, anything that automatically updates a system is bringing in additional issues itself (i.e. the updating software and any updates that haven't been tested). That is part of what makes Pantek Server Security Guard better than things like Windows automatic updates, or things like 'auto-rpm'. I don't usually like to plug commercial products on lists like this, however with Pantek Server Security Guard the updates are applied manually. Since this is not meant to be an advertisement, you can find information regarding it at http://www.pantek.com/security/ .

When I referenced the Automatic Updates, I didn't really explain what I was getting at enough. Basically, my point of view is that not only is it there for the people who are uneducated or do not have the resources to go to windowsupdate.microsoft.com, but maybe it can be something to alert them that there are vulnerabilities out there besides service pack updates to the systems. Now, there are some pitfalls to it because upon the first initialization of it (I believe by default) the configuration is set to automatically download and automatically install them so the user doesn't have to do any work. The user just clicks on OK to be ready to install the automatic updates. This is a problem because it doesn't really alert them that security is an issue, but that the computer mysteriously can re-boot some mornings at 03:00. I think that a notifying service of some form could be more successful at keeping people from updating and not paying attention to what is being updated.

This then brings in the fact that there are services like the above mentioned, where companies will install the updates on the system for you. This to many comes across with things like 'if Microsoft already does it (or if auto-rpm already does it), why do I need to pay for a service, or for one of my administrators to take the precious time out of their day to do it'. Things like if the company has their own custom written software on the system that is linked against specific libraries and versions of those libraries, the software could break at any point because of the update.

But, as I mentioned, you are absolutely correct. Anything that automatically downloads and executes applications is by far something that brings in more elements of insecurity, but when used appropriately (i.e. using it more as a notification service than an installation/update service) it _can_ bring a bit of knowledge to the end administrator that there are applications that need to be updated on a regular basis. Then again, if they don't care, then it's completely useless.

 ,_____________________________________________________,
 \ Ryan Yagatich                     supportat_private \
 / Pantek Incorporated               (877) LINUX-FIX   /
 \ http://www.pantek.com/security    (440) 519-1802    \
 / Are your networks secure? Are you certain?          /
 \___5AD777E93D62CC6D850A4DD3F2F730F882532B502A777873___\

On Mon, 20 Jan 2003, Jason Coombs wrote:

>Ryan,
>
>You seem to be implying with your comments below that an auto-updater is a
>*good thing* that makes computer systems more secure. This is just not true.
>A computer system designed to do things without your knowledge or permission
>that runs services that you don't need or want and can't turn off is the
>starting point of insecurity. You cannot add yet another complex automated
>service that downloads and executes code automatically to an already complex
>bug- and service-ridden infrastructure and think this makes everything okay
>now.
>
>Many computerized systems would be far better off (more secure, cheaper to
>operate, etc.) using a couple full-time humans with calculators, pen and
>paper, and maybe even telephones provided the staff receive proper security
>training.
>
>> Microsoft has created the 'auto update' scheduler which runs regularly
>> 'behind the scenes' that the administrator can use to have it
>> automatically apply these patches.
>> How is it that with services like this available that people are
>> still not aware of them? Or, could it be that they are well aware of them
>> but are falling victim to the notion that there really is no need for
>> security in general, and that they are not at risk?
>
> <original message snipped>

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Sat Jan 25 2003 - 07:03:35 PST