Re: Microsoft distributes free CDs in Japan to patch Windows
And getting the lead time down to 4-6 weeks would be a challenge - remember you have to *ship* the re-mastered patch CD to every retailer and get it on the shelves. That's going to hit your bottom line.
Ever heard of Windows 98? How about Windows 98 SE (Second Edition)? They've done it before, they can do it again. --Michael Dillon
On Mon, 08 Sep 2003 17:01:51 BST, Michael.Dillon@radianz.com said:
And getting the lead time down to 4-6 weeks would be a challenge - remember you have to *ship* the re-mastered patch CD to every retailer and get it on the shelves. That's going to hit your bottom line.
Ever heard of Windows 98? How about Windows 98 SE (Second Edition)?
They've done it before, they can do it again.
Yes, I notice how they ship a refreshed 98SE every 8 weeks to roll in all the new security fixes.
And getting the lead time down to 4-6 weeks would be a challenge - remember you have to *ship* the re-mastered patch CD to every retailer and get it on the shelves. That's going to hit your bottom line.
* Michael.Dillon@radianz.com [Mon 08 Sep 2003, 18:03 CEST]:
Ever heard of Windows 98? How about Windows 98 SE (Second Edition)?
Windows 98SE was only available to OEMs and wasn't on shelves in stores. As Valdis also notes, it's an entirely different situation. -- Niels.
On Mon, Sep 08, 2003 at 06:59:25PM +0200, Niels Bakker wrote:
And getting the lead time down to 4-6 weeks would be a challenge - remember you have to *ship* the re-mastered patch CD to every retailer and get it on the shelves. That's going to hit your bottom line.
* Michael.Dillon@radianz.com [Mon 08 Sep 2003, 18:03 CEST]:
Ever heard of Windows 98? How about Windows 98 SE (Second Edition)?
Windows 98SE was only available to OEMs and wasn't on shelves in stores. As Valdis also notes, it's an entirely different situation.
Oh, this topic hasn't died yet? Very well: Of course the normal retail software channel doesn't work and would cost too much money. Strawman. A patch CD isn't a product, to be distributed in shrinkwrap and left to sit. It's a periodical (especially in the case of Microsoft, but really, for all of them) with a looser timetable. Ever notice how much trouble the Wall Street Journal has getting a daily issue out for under a buck? How about Business Week, or any of the weekly rags? While it may seem that MS has daily patches, a weekly update is essentially adequate, and likely the finest granularity most folks are going to update on if they actually do attempt it regularly.
CDs happen to cost a lot less than a printed magazine, too. Back in the mid 90s, it was trivial to have batches in the low-thousands count (easily handled locally, near the customer acceptance point, rather than centrally, near the vendor) priced in whole cents. Today, it's possible to price the same for fractional cents.
The real question: If people don't care enough to hold Microsoft (or any software producer) accountable for the product at sale, what good will having this alternate channel be? Arguing the practicality of CDs as a patch distribution mechanism is pointless; it's trying to find a technical cause for a non-technical problem. It's not a matter of being ABLE (technology) to do something, it's a matter of DOING (people).
Sun (to pick a convenient example) was able to ship patch CDs every quarter or month, depending on when you asked and what your support options were, for years in the 90s. Yes, it did fall on us, the IT folks, whether we were called Systems Managers, Network Administrators, whatever, to ensure that policy and procedure included getting the updates IN. We learned our lesson with the Morris worm if we hadn't learned it before that. How many sites hit with Blaster or Sobig.f were businesses with at least one person designated as IT staff? Too many.
That home users have multiplied to even greater numbers than business users is another problem, but realize that many folks who think they can handle their home PC believe so because of what they see at work. (Unemployed people, barring laid-off IT folks who should know better anyway, generally cannot afford computers.) Culturally, people will be more likely to discipline themselves when they get used to seeing other people disciplined enough to maintain things elsewhere. Call it peer pressure if you have to.
I seem to be repeating myself a lot: The problem is not technical; hence the solution is not technical either. Now, other than being a poor attempt to pass the buck, how does this help us as network operators (and similar IT professionals) in fixing the problem? -- Ray Wong rayw@rayw.net
I wrote before:
Windows 98SE was only available to OEMs and wasn't on shelves in stores.
* rayw@rayw.net (Ray Wong) [Mon 08 Sep 2003, 19:33 CEST]:
Oh, this topic hasn't died yet?
Well, maybe because 98SE apparently was in stores as I've been told in private mail, and 95OSR2 was the version that was released to OEMs only. [..]
I seem to be repeating myself a lot: The problem is not technical; hence the solution is not technical either.
In what way is a Microsoft product (or twelve of them as the case may be) auto-executing untrusted content not a technical problem? -- Niels.
On Mon, 8 Sep 2003, Ray Wong wrote:
I seem to be repeating myself a lot: The problem is not technical; hence the solution is not technical either.
Now, other than being a poor attempt to pass the buck, how does this help us as network operators (and similar IT professionals) in fixing the problem?
If infected users have an offline method for obtaining patches, then we don't need to figure out a way to keep their buggy, infected computers connected to the network long enough to download the patches. This is one reason why universities are distributing thousands of CDs with the fixes to their students.
On Mon, Sep 08, 2003 at 01:40:01PM -0400, Sean Donelan wrote:
On Mon, 8 Sep 2003, Ray Wong wrote:
I seem to be repeating myself a lot: The problem is not technical; hence the solution is not technical either.
Now, other than being a poor attempt to pass the buck, how does this help us as network operators (and similar IT professionals) in fixing the problem?
If infected users have an offline method for obtaining patches, then we don't need to figure out a way to keep their buggy, infected computers connected to the network long enough to download the patches.
Very well. Then see my comments about how doable it is to produce and distribute CDs cheaply. It's practical if folks care enough to bother. Of course, since we STILL have to handhold users into doing things, why not just download the patches to our own servers, and either make CDs as a courtesy to customers, or set up a quarantine network we shove them off to, which only has access to our local patch server? M$ still does have everything downloadable, for those of us who can figure out how to do it.
This is one reason why universities are distributing thousands of CDs with the fixes to their students.
For this latest mess, a floppy actually suffices. I handed quite a few out, once I found some. :-) -- Ray Wong rayw@rayw.net
On Mon, 8 Sep 2003, Ray Wong wrote:
Of course, since we STILL have to handhold users into doing things, why not just download the patches to our own servers, and either make CDs as a courtesy to customers, or setup a quarantine network we shove them off to, which only has access to our local patch server? M$ still does have everything downloadable, for those of us who can figure out how to do it.
It's called copyright law, but that's a layer 9 issue. What's the difference between downloading patches on demand through a squid cache and keeping the file on your web server? Akamai really sucks for predicting where downloads will be sourced. On a more practical subject, does anyone know of any useful cleaning tools for last month's Windows worms besides the "free" tools from the anti-virus vendors? Are there any freeware tools? Or any AV vendor willing to distribute their single fix tools through ISPs (with a link to buy the full version)?
Sean Donelan wrote:
If infected users have an offline method for obtaining patches, then we don't need to figure out a way to keep their buggy, infected computers connected to the network long enough to download the patches.
And wouldn't it be nice if someone developed a good protocol that allowed the ISP to mandate specific patch revisions for various software before allowing the user to be connected and a way to push the revisions to the end user in the event that they weren't up to date? AOL can of course pull tricks like this due to the custom architecture. Currently, a standard PPP setup with M$ or other O/S doesn't have this level of support. VPN and various corporate security policies support pushing policies and mandating patches in their software. At some point, patching and maintaining security needs to be handled at the connection. If the protocol is written, the ISP supports it, then those with connection software supporting the protocol will maintain security while those circumventing it with other connection methods will not. However, given that the consumer base in question usually utilizes a default M$ install, if M$ incorporated it into their DUN, dhcp, pppoe, then a large portion of the problem would be solved. Would people honestly object to keeping a security patch server locally which received patches from the various software vendors to be pushed out to their customers? -Jack
Jack Bates wrote:
At some point, patching and maintaining security needs to be handled at the connection. If the protocol is written, the ISP supports it, then those with connection software supporting the protocol will maintain security while those circumventing it with other connection methods will not. However, given that the consumer base in question usually utilizes a default M$ install, if M$ incorporated it into their DUN, dhcp, pppoe, then a large portion of the problem would be solved.
How long until the next worm/virus/trojan would first disable this handshake and then attach to the network? Or you expect to terminate customers within the 24 hours new patches are out if they don't patch? Or 72 hours? Pete
Petri Helenius wrote:
How long until the next worm/virus/trojan would first disable this handshake and then attach to the network? Or you expect to terminate customers within the 24 hours new patches are out if they don't patch? Or 72 hours?
I fully expect malicious code and even users to disable the handshake. That's fine. If a user happens to become infected, then they can be suspended or transferred to *must* perform handshake. Not everyone uses antivirus software. Not everyone will patch the security holes in their current software. Many would object to having to perform patches and delay their Internet surfing. Yet with such a protocol, a way could be provided for allowing a user to establish a connection which only allows them to fix their system without the outside world able to attack them and vice versa. Once patched, the system would recognize them as patched and allow full IP connectivity. Imagine how nice it would be if someone buying an XP machine this morning could actually connect to the Internet, patch their system, and be able to use the Internet without ever having their RPC exploited. If a user is infected with a virus, wouldn't it be nice if they could purchase A/V software and then be able to perform updates and clean their system without causing any harm to the network? -Jack
Jack Bates wrote:
I fully expect malicious code and even users to disable the handshake. That's fine. If a user happens to become infected, then they can be suspended or transferred to *must* perform handshake.
Not everyone uses antivirus software. Not everyone will patch the security holes in their current software. Many would object to having to perform patches and delay their Internet surfing. Yet with such a protocol, a way could be provided for allowing a user to establish a connection which only allows them to fix their system without the outside world able to attack them and vice versa. Once patched, the system would recognize them as patched and allow full IP connectivity.
Imagine how nice it would be if someone buying an XP machine this morning could actually connect to the Internet, patch their system, and be able to use the Internet without ever having their RPC exploited. If a user is infected with a virus, wouldn't it be nice if they could purchase A/V software and then be able to perform updates and clean their system without causing any harm to the network?
I would like to see such functionality used for good purposes like you describe. However, since the world has its share of people who block ICMP because it's all evil and break PMTU and other similar things, this technology should be deployed with caution to avoid collateral damage. Who picks up the bill if a Windows machine across a DSL line gets infected, you apply filters to the connection and subsequently block the E911 VoIP call from the same subnet? Pete
On Mon, 8 Sep 2003, Niels Bakker wrote:
* Michael.Dillon@radianz.com [Mon 08 Sep 2003, 18:03 CEST]:
Ever heard of Windows 98? How about Windows 98 SE (Second Edition)?
Windows 98SE was only available to OEMs and wasn't on shelves in stores. As Valdis also notes, it's an entirely different situation.
True, Win98/SE was a market feature release. They couldn't call it "Win98 with stuff fixed edition". But in the past Microsoft has released CDs of their patch rollups. Of course, they charged for them and you've got to find the right page on their web site.
Windows 98 Customer Service Pack CD ordering information: http://support.microsoft.com/default.aspx?scid=/support/servicepacks/Windows...
Windows NT Service Pack CD order form: http://www.microsoft.com/ntserver/nts/downloads/recommended/SP6/ordercd.asp
Windows 2000 Service Pack CD order form: http://www.microsoft.com/windows2000/downloads/servicepacks/SP4/ordercd.asp
Windows XP Service Pack CD order form: http://www.microsoft.com/WindowsXP/pro/downloads/servicepacks/sp1/ordercd.as...
Microsoft Office Service Pack CD order forms: http://office.microsoft.com/home/office.aspx?assetid=FX010383631033&CTT=98
Participants (7): Jack Bates, Michael.Dillon@radianz.com, Niels Bakker, Petri Helenius, Ray Wong, Sean Donelan, Valdis.Kletnieks@vt.edu