On Sat, 10 Feb 2007 23:36:32 -0600 "Stasiniewicz, Adam" <stasinia@msoe.edu> wrote:
Another time I was do some consulting work for a NPO. I was going over the findings of my audit and I told the IT manager that all of his machines were missing patches. His response: "we only install service packs, individual patches take too much time to install and tend to break more stuff than they fix". Ironically, a month latter he calls me back asking for help because his network got infect with Blaster...
He was both right and wrong -- patches do break a lot of stuff. He was facing two problems: the probability of being off the air because of an attack versus the probability of being off the air because of bad interactions between patches and applications. Which is a bigger risk? It's not an easy question to answer. One scenario that scares me is what happens if the April Patch Tuesday takes out, say, TurboTax, just as Americans are getting ready to file their tax returns. There are no good answers to this question. Of course, being an academic I can view such problems as opportunities, and it is in fact a major focus of my research. Today, though, it's a serious issue for system managers. --Steve Bellovin, http://www.cs.columbia.edu/~smb