Bugtraq mailing list archives
Software Inertia
From: nate () ROOT ORG (Nate Lawson)
Date: Tue, 26 Jan 1999 12:58:31 -0800
Michael Howard wrote:
we've always recommended people remove ALL samples from any production server - incl. ExAir, WSH, and ADO samples etc.

Cheers,
MH
IIS Security
While good advice, this doesn't consider one of the proven tenets of computer systems: Nearly all software is run in default configuration. The success of the "wizard" install is great proof of this. People hit the Next button until forced to enter something.

An adjunct to this is: Patches are not applied until a problem becomes intolerable. People don't change until motivated by discomfort. The effort required to monitor advisories, download the patch, apply it, and then test it is too high today for most IT departments. Also, the sheer number of deployed systems makes it very difficult to even locate assets (corporate Y2K efforts demonstrate this -- the problem is one of asset management, not technical prowess).

The impact of all this would be limited, except for this final tenet: Software lives forever. It will be molded, updated, patched, cut-and-pasted, emulated, and linked for decades. This means that even when some systems are upgraded, bugs will survive in the unpatched systems. They will reappear and be written into new code. A great example of this was the popen() hole in sudo a few years back. Because the buggy code was published in a popular system administration book, it continues to survive in the wild even though the distribution was patched a while ago.

It is good advice to never run a system in its default configuration, but if these sample scripts are part of the straight-and-narrow wizard path, they will be found on nearly all systems. To believe otherwise would be hopelessly naive.

-Nate
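The thread's practical advice is to strip sample content from production servers, and Nate's point is that it will be there on nearly every default install unless someone checks. The script below is an added example, not code from either message or from IIS: it audits a web root for directories whose names match a list of sample-content markers and reports them, leaving removal as an operator decision. The marker names (exair, iissamples, samples, wsh) are assumptions chosen to match the samples the thread names; the thread gives no paths, so substitute the names your platform's documentation lists.

```python
"""Audit a web root for sample/demo content left behind by a default install.

Added example for this thread, not code from the original message or from IIS.
The marker names are assumptions: the message names ExAir, WSH and ADO samples
but gives no paths.
"""
import os
import tempfile
from pathlib import Path

# Assumed marker names, compared case-insensitively against directory names.
DEFAULT_MARKERS = ("exair", "iissamples", "samples", "wsh")


def find_sample_content(webroot, markers=DEFAULT_MARKERS):
    """Return sorted relative paths (POSIX style) of directories whose own
    name matches a marker.

    Only the directory's own name is compared, so "samples_archive" is not
    flagged while "samples" is. A flagged directory is not descended into, so
    nested sample trees are reported once, at their top.
    """
    root = Path(webroot)
    wanted = {m.lower() for m in markers}
    hits = []
    for dirpath, dirnames, _files in os.walk(root):
        keep = []
        for name in dirnames:
            if name.lower() in wanted:
                hits.append(Path(dirpath, name).relative_to(root).as_posix())
            else:
                keep.append(name)
        dirnames[:] = keep  # prune: do not walk into flagged directories
    return sorted(hits)


def build_demo_tree():
    """Create a constructed web root in a temp dir for demonstration.

    The layout is invented for this example: one real application directory,
    two sample trees, and one look-alike that must not be flagged.
    """
    base = Path(tempfile.mkdtemp(prefix="webroot_"))
    for rel in (
        "app/index.html",
        "IISSamples/ExAir/default.asp",
        "msadc/Samples/adctest.asp",
        "app/samples_archive/readme.txt",
    ):
        path = base / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("constructed sample file\n")
    return base


def report(webroot):
    """Print findings and return them so callers can act on the list."""
    hits = find_sample_content(webroot)
    if not hits:
        print(f"{webroot}: no sample content found")
    for rel in hits:
        print(f"{webroot}: sample content present at {rel}")
    return hits


if __name__ == "__main__":
    demo_root = build_demo_tree()
    report(demo_root)
```

Run against a real web root with `find_sample_content("/path/to/webroot")`; the demo tree flags `IISSamples` and `msadc/Samples` and leaves `app/samples_archive` alone. The script only reports because the same name can legitimately belong to an application; deleting on match would reproduce the wizard problem in reverse.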