Sean Donelan wrote:
> If infected users have an offline method for obtaining patches, then we don't need to figure out a way to keep their buggy, infected computers connected to the network long enough to download the patches.
And wouldn't it be nice if someone developed a good protocol that allowed the ISP to mandate specific patch revisions for various software before allowing the user to be connected, and a way to push the revisions to the end user in the event that they weren't up to date? AOL can of course pull tricks like this due to their custom architecture. Currently, a standard PPP setup with M$ or other O/S doesn't have this level of support. VPN and various corporate security policies support pushing policies and mandating patches in their software.

At some point, patching and maintaining security needs to be handled at the connection. If the protocol is written and the ISP supports it, then those with connection software supporting the protocol will maintain security, while those circumventing it with other connection methods will not. However, given that the consumer base in question usually utilizes a default M$ install, if M$ incorporated it into their DUN, DHCP and PPPoE clients, then a large portion of the problem would be solved.

Would people honestly object to keeping a security patch server locally which received patches from the various software vendors to be pushed out to their customers?

-Jack
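The exchange Jack sketches (client reports installed revisions, the ISP gateway checks them against a mandated minimum, and a non-compliant client is held in quarantine while it fetches patches from a local mirror) can be simulated end to end. The following is an added example, not code from the thread or from any ISP or vendor; the POLICY and PATCH_SERVER tables, the package names, the JSON message shapes and the revision numbers are all constructed for illustration.

```python
import json

# Constructed policy for this example: minimum acceptable revision per package.
# In practice an ISP or vendor would publish and sign such a list.
POLICY = {
    "os":      "5.1.2600",
    "browser": "6.0.2800",
    "mailer":  "6.0.2800",
}

# Constructed local patch mirror: package -> revision the mirror installs.
PATCH_SERVER = {
    "os":      "5.1.2600",
    "browser": "6.0.2900",
    "mailer":  "6.0.2800",
}


def parse_revision(text):
    """'6.0.2800' -> (6, 0, 2800) so revisions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def evaluate_posture(installed, policy=POLICY):
    """Return {package: required_minimum} for every package that is missing or below policy."""
    out_of_date = {}
    for pkg, minimum in policy.items():
        have = installed.get(pkg)
        if have is None or parse_revision(have) < parse_revision(minimum):
            out_of_date[pkg] = minimum
    return out_of_date


def gateway_handle(message_json):
    """Gateway side: answer a POSTURE report with ALLOW, QUARANTINE (plus what is required) or DENY."""
    msg = json.loads(message_json)
    if msg.get("type") != "POSTURE":
        return json.dumps({"type": "DENY", "reason": "expected POSTURE"})
    required = evaluate_posture(msg.get("installed", {}))
    if required:
        return json.dumps({"type": "QUARANTINE", "required": required})
    return json.dumps({"type": "ALLOW"})


def client_apply_patches(installed, required, patch_server=PATCH_SERVER):
    """Client side while quarantined: pull each required package from the local patch mirror."""
    updated = dict(installed)
    for pkg in required:
        if pkg in patch_server:          # a package the mirror lacks stays out of date
            updated[pkg] = patch_server[pkg]
    return updated


def run_exchange(installed, max_rounds=3):
    """Drive the client/gateway loop; returns (list of verdicts in order, final installed set)."""
    verdicts = []
    for _ in range(max_rounds):
        report = json.dumps({"type": "POSTURE", "installed": installed})
        reply = json.loads(gateway_handle(report))
        verdicts.append(reply["type"])
        if reply["type"] != "QUARANTINE":
            break
        installed = client_apply_patches(installed, reply["required"])
    return verdicts, installed


if __name__ == "__main__":
    # Constructed client: OS current, browser behind policy, mailer not reported at all.
    start = {"os": "5.1.2600", "browser": "6.0.2600"}
    print(run_exchange(start))
```

Two things worth noting for anyone sketching such a protocol for real: the revision comparison must be numeric (a string compare would rank "6.0.900" above "6.0.2800"), and everything here trusts the client's self-report, so an already compromised or deliberately lying host passes the check; the thread's proposal does not address that, and any deployed version would need the client side to be verifiable rather than merely cooperative.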