On Thu, 2003-09-04 at 00:02, Robert Ahnemann wrote:
> > "Richard M. Smith" <rms@xxxxxxxxxxxxxxxxxxxx> writes (quotes):
> >> ;; Q. "The buffer overrun flaw that made the Blaster worm
> >> ;; possible was specifically targeted in your code reviews
> >> ;; last year. Do you understand why the flaw that led to
> >> ;; Blaster escaped your detection?"
> >> ;;
> >> ;; A. "Understand there have actually been fixes for all of
> >> ;; these things before the attack took place. The challenge
> >> ;; is that we've got to get the fixes to be automatically
> >> ;; applied without our customers having to make a special
> >> ;; effort."
> >>
> >> "Don't trust our software. But do trust our patching/update
> >> process..."
> >
> > Don't trust software but trust our software patches...
> >
> > We can continue the sentence by adding that the special effort is
> > needed because new bugs are generated by these patches.
>
> Let's relate this to real life (flame that line if you want). Your car
> has a defect that causes the oil pan to leak. Ford (I drive one, I can
> talk) issues a recall saying they know about the leak and are offering
> you a free fix, if you would just take the time to take the car to the
> shop. You decide that you know better and that you would rather not
> invest the time. Your engine is lying on the ground three weeks later.
> Whose fault is it? They told you it was a problem. You neglected to
> address it. I can tell you who will be paying for the engine. Today's
> society is about dissolving accountability. I'm all for changing this
> around.

I think you miss the point, and this is more the typical scenario than anything else. Microsoft issues patches that are highly unreliable, even to this day. If we do a comparison to Ford, as per your scenario: Ford issues a recall, but Ford also has a reputation for fixing something and breaking something else, so you'll let someone else take the fix and wait on the sidelines to see if the fix broke something for him/her.
In fact, the unreliability of M$'s patches has become so widespread that typical IT shops manage their software with at least a 3 month testing/trial period, even for software that is not demographically as bad or as unreliable as M$'s. Again, the message is that M$ should fix their software. Trying to automate the patch cycle without the permission of the user does not, and still will not, solve the initial problem.

Ciao
ST Lim

> > (forgot to send to the list poo)
> >
> > _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

--
[ Hobbes: What would you call the creation of the universe? ]
[ Calvin: The Horrendous Space Kablooie! ]