XP has autoupdate notifications that nag you. They could make it automatic, but then everyone would sue them if it mucked up their system. And, MS has their HFCHECK program which checks which hotfixes should be installed. Again, not automatic because they would like the USER to sign off on installing it. On the Open Source side, you sort of have that when you build from source. Maybe apache should build a util to routinely go out and scan their source and all the myriad add on modules and build a new version when one of them has a fix to it, but we leave that to the sysadmin. Why, because the permutations are too many. Which is why we have Windows. To paraphrase a phone company line I heard in a sales meeting when reaming them, "we may suck, but we suck less ...". It ain't the best, but for the most part, it does what the user wants and is relatively consistent across a number of machines. User learns at home and can operate at work. No retraining. Sort of like the person who sued McD's when they dumped their own coffee in their lap because it was "too hot". Somewhere in the equation, the sysadmin/enduser, whether Unix or Windows, has to take some responsibility. To turn the argument around, people don't pay for IIS either, but everyone would love to sue MS for its vulnerabilities (i.e. CR/Nimda, etc). As has been said, no one writes perfect software. And again, sometime, the user has to share some responsibility. Maybe if the users get burned enough, the problem will get solved. Either they will get fired, the software will change to another platform, or they'll install the patches. People only change behaviors through pain, either mental or physical. Eric
-----Original Message----- From: Jack Bates [mailto:jbates@brightok.net] Sent: Tuesday, January 28, 2003 10:36 AM To: ekgermann@cctec.com; Leo Bicknell; nanog@merit.edu Cc: Eric Germann Subject: Re: What could have been done differently?
From: "Eric Germann"
Not to sound to pro-MS, but if they are going to sue, they
should be able to
sue ALL software makers. And what does that do to open source? Apache, MySQL, OpenSSH, etc have all had their problems. Should we sue the nail gun vendor because some moron shoots himself in the head with it?
With all the resources at their disposal, is MS doing enough to inform the customers of new fixes? Are the fixes and lates security patches in an easy to find location that any idiot admin can spot? Have they done due diligence in ensuring that proper notification is done? I ask because it appears they didn't tell part of their own company that a patch needed to be applied. If I want the latest info on Apache, I hit the main website and the first thing I see is a list of security issues and resolutions. Navigating MS's website isn't quite so simplistic. Liability isn't necessarily in the bug but in the education and notification.
Jack Bates BrightNet Oklahoma