The only way that administrators are going to be diligent about patches/updates is for the bean counters to show the CTO/CIO what the bottom line is for not installing updates when something like code red happens. Then management will crack the whip and the administrators will have to constantly search for updates.
Of course this is all subject to the Dilbert Principle and some companies will get stupid about it:
CIO: "Why wasn't that patch installed as soon as it became available, that problem brought us to our knees!!!!"
Administrator: "Well, the patch became available after the attack started and since it brought us to our knees, I couldn't download the patch because we had no connectivity and neither did our peers."
CIO: "From now on I want to see a report of all upcoming attacks 48 hours in advance or you'll be looking for another job!"
Oh come on, you can't tell me that some of you don't work for people like this.
Larry Diffey
----- Original Message -----
From: "William Allen Simpson" <wsimpson@greendragon.com>
To: <nanog@nanog.org>
Cc: <caida@caida.org>
Sent: Tuesday, July 24, 2001 11:42 PM
Subject: product liability (was 'we should all be uncomfortable with the extent to which luck..')
Perhaps a different approach is in order -- product liability.
When Firestone made a large number of bad tires, they compensated the purchasers by PAYING for replacement, including those that had not yet been injured. That included the upgrade, and the installation cost.
Network operators have been injured by the distribution of buggy software from M$. We need to be compensated for our time and expenses.
End users need to be compensated for their costs to upgrade.
A check in the mail would be a better incentive to administrators than "automatic" updates.
"Wayne E. Bouchard" wrote:
On Tue, Jul 24, 2001 at 10:35:37PM -0700, k claffy wrote:
==> 5.4 billion people haven't selected an OS yet
[k: maybe we can get them on OS-antioxidants before it's too late]
... Doing this, right now, can be difficult for many users to grasp (let's face it, some software doesn't update well, if at all) and may require more effort than even reputable administrators are willing to extend.
How to go about making the public more secure, of course, is an on-going debate and perhaps even a losing battle but still worth the effort.
--
William Allen Simpson
Key fingerprint = 17 40 5E 67 15 6F 31 26 DD 0D B9 9B 6A 15 2C 32