Interesting People mailing list archives
IP: Dangers of U.S. Cyber Chief to Map Infrastructure for Security and forces patches down our throats (see last para)
From: David Farber <dave () farber net>
Date: Wed, 05 Dec 2001 12:00:49 -0500
To: farber () cis upenn edu

Date: Wed, 05 Dec 2001 08:55:33 -0800
From: Lauren Weinstein <lauren () vortex com>

> >Software companies should not just make ``patches'' available to fix
> >vulnerabilities in their products, but automatically update users'
> >software for them, he [Clarke] said.
> >
> >``It's not beyond the wit of this industry to figure out a way of forcing
> >down these patches,'' he said.

This concept, though appealing on its face to many, is extraordinarily risky and could be highly dangerous if widely implemented. The reasons are very clear.

First, automatic or "forced" update paths create new hacking targets on a grand scale. Hackers, criminals, or even terrorists could concentrate their cyberattacks on the update mechanisms, potentially gaining access to millions of systems in one fell swoop. They might attack the individual user systems, or the central sites that distribute the automated updates (to corrupt vast numbers of machines from those central points).

Would software vendors try to prevent this? Of course. Would they sometimes fail spectacularly in preventing such attacks? Definitely. It would only take one such major failure related to, for example, a popular windows-oriented operating system to do immense damage.

Another problem even with legitimate automatic updates, of course, is that they would often cause more problems than they solve. One reason that so many people don't install existing security updates across a range of software systems, is that they've personally experienced the resulting new security holes opened, system crashes and corruption, and other problems that result from poorly implemented or tested software patches or "fixes" of various sorts. Forcing such materials down people's figurative system throats would be incredibly dangerous to security and reliability.

There are indeed *major* and *serious* problems relating to security flaws in software systems. Automatic and/or forced updating systems are not the answer.

--Lauren--
Lauren Weinstein
lauren () pfir org or lauren () vortex com or lauren () privacyforum org
Tel: +1 (818) 225-2800
Co-Founder, PFIR - People For Internet Responsibility - http://www.pfir.org
Co-Founder, Fact Squad - http://www.factsquad.org
Co-Founder, URIICA - Union for Representative International Internet Cooperation and Analysis - http://www.uriica.org
Moderator, PRIVACY Forum - http://www.vortex.com
Member, ACM Committee on Computers and Public Policy

For archives see: http://www.interesting-people.org/archives/interesting-people/