Re: Every incident is an opportunity (was Re: Hackers hit key Internet traffic computers)

["Steven M. Bellovin" <smb () cs columbia edu>]

On Sun, 11 Feb 2007 10:49:30 -0600
Dave Pooser <dave.nanog () alfordmedia com> wrote:

> > He was both right and wrong -- patches do break a lot of stuff.  He
> > was facing two problems: the probability of being off the air
> > because of an attack versus the probability of being off the air
> > because of bad interactions between patches and applications.
> > Which is a bigger risk?
>
> That's an argument for an organizational test environment and testing
> patches before deployment, no? Not an argument against patching. That
> said, I would LOVE to see MS ship a monthly/quarterly unified updater
> that's a one-step way to bring fresh systems up to date without
> slipstreaming the install CD. Then press a zillion of 'em and put
> them everywhere you can find an AOL CD, for all those folks on
> dial-up who see a 200MB download and curl up in the fetal position
> and whimper.

Surveys have shown an inverse correlation between the size of a company
and when it installed XP SP2.  

Yes, you're right; a good test environment is the right answer.  As I
think most of us on this list know, it's expensive, hard to do right,
and still doesn't catch everything.  If I recall correctly, the post I
was replying to said that it was a non-profit; reading between the
lines, it wasn't heavily staffed for IT, or they wouldn't have needed a
consultant to help clean up after Blaster.  And there's one more thing
-- at what point have you done enough testing, given how rapidly some
exploits are developed after the patch comes out?


                --Steve Bellovin, http://www.cs.columbia.edu/~smb