Bugtraq mailing list archives

Software Inertia


From: nate () ROOT ORG (Nate Lawson)
Date: Tue, 26 Jan 1999 12:58:31 -0800


Michael Howard wrote:
we've always recommended people remove ALL samples from any production
server - incl ExAir, WSH, and ADO samples etc.

Cheers, MH
IIS Security

While good advice, this doesn't consider one of the proven tenets of
computer systems:

    Nearly all software is run in default configuration.

The success of the "wizard" install is great proof of this.  People hit
the Next button until forced to enter something.  An adjunct to this is:

    Patches are not applied until a problem becomes intolerable.

People don't change until motivated by discomfort.  The effort required to
monitor advisories, download the patch, apply it, and then test it is too
high today for most IT departments.  Also, the sheer number of deployed
systems makes it very difficult to even locate assets (corporate Y2K
efforts demonstrate this -- the problem is one of asset management,
not technical prowess).  The impact of all this would be limited, except
for this final tenet:

    Software lives forever.  It will be molded, updated, patched,
    cut-and-pasted, emulated, and linked for decades.

This means that even when some systems are upgraded, bugs will survive in
the unpatched systems.  They will reappear and be written into new code.
A great example of this was the popen() hole in sudo a few years back.
Because the buggy code was published in a popular system administration
book, it continues to survive in the wild even though the distribution was
patched a while ago.

It is good advice to never run a system in its default configuration, but
if these sample scripts are part of the straight-and-narrow wizard path,
they will be found on nearly all systems.  To believe otherwise would be
hopelessly naive.

-Nate
