Comments on: The lessons of Sasser

CenterBeam CEO Kevin Francis says this security intrusion highlights fundamental weaknesses in the practice of software patch management.

[Clues]

The Logical Solution or Blind Ignorance

Of course lets not forget that all these "solutions" require that
you remain firmly entrenched in the infinite loop of blind
ignorance. Some day one would expect you to connect your
perpetual headaches with continuing to hammer your head
against the same brick wall, over and over, could that day be
today?

Using Mac OS X you will have none of these issues and can
simply spend all your time and money actually getting work
done. IT will cost a fraction of what it does now and capital costs
will drop like a rock over time. Of course productivity will
skyrocket and profits escalate out of control but even the
perpetually ignorant should be able to deal with that. On top of
these onerous challenges you will have excellent software that
works and peripherals that actually plug and play, networks that
well like all things Mac, just work.

Of course you could continue to do what you have always done
and blindly use Windows, the most insecure platform on earth,
by a factor of several magnitudes I might add. Blind ignorance
has always controlled the herd and Microsoft FUD keeps the
timid little morons trapped in their ignorance as always.

Is the pain and control of mediocre crap like, anything Microsoft,
enough to stop beating your head against the wall yet? When will
the pain be enough do you think?

Amen, but...

...what can I do? All the enterprise software that I need is written for the Microsoft platform only. This is the true price of Microsoft's monopoly. The worst aspect of this is that Microsoft patches can destroy systems or cause mission-critical software to stop working, and are in many cases, uninstallable. When industry wags write articles about how IT managers don't install patches quickly enough, it's not because we don't want to, it's because we've been burned before...and will be again. It's the worst part of my job (webmaster of 11 systems).

You are OH SO WRONGLY STUPID

I guess you are right in the sense that you have absolutely no problems with your MAC. That is because it is usless to attempt to cripple something that is already useless. I manage a MS network and I have no problems with the constant patching due to free downloaded tool from Microsoft called Software Update Services. It retrieves all of the updates for you and publish them to your workstations. You cannot sit around and cry about something that you have absolutely no idea what can be done on an MS network. And I am on both sides of the gate because I do manage 2 MAC's also but they are only used for video editing purposes ONLY. Dont talk about something you dont understand because ignorance is something you cant pay for you inherit it.

what the?

Seriously all it takes is a measly firewall and you will never have problems with these worms. Why do these large companies not have strict firewall rules? what is wrong with the idiots that work there?

Its crazy if it is quote "grounded at least 40 Delta Air Lines flights and delayed many more. The U.K. Coastguard was figuratively run aground and was completely offline for most of a day."

I mean how does this even happen to these people?... incompetent employees sounds more like the issue here.

Yes, but...

...you still have to install the patches eventually. A firewall, which we have, and which, you are right, saves you from the worst problems, does not help you if the virus comes in on a student computer that connects to the network (we are a college). The problem is that the patches themselves can destroy the system or make important server software stop working. Every administrator I know who has dealt with Microsoft patches over the years has had a bad experience at some point.

[bjbrock]

WRONG

Some of these worms come thru on connections your browser makes out. The only way to stop them is to quit browsing the Internet. Or find an OS that isn't dangerous to use.

Outsourcing = Blame Management

If the in-house staff does not have the resources to do the job, get them the resources. An Outsourcer has no incentive to do things right beyond the next paycheck.

The reason Outsourcing is so popular is not because it is cheaper. It's never cheaper to hire someone else's employees at a markup. And the argument that an Outsourcer has some kind of 'special sauce' is bogus when dealing with commodity technology.

When an Outsourcer can be valuable is when you want to stage a 'coup' and shake up IT.

A small company doesn't need an Outsourcer, they just need a decent local consultant. The marketing aspects of Outsourcing do not 'add value' for small business. Marketing just drives up the price.

Its annoying to have someone sell his wares like this. How much did the guy pay for this advertisement?

Sorry, but...

I don't wish to participate in this discussion any longer. A little too much hostility between individuals who don't share the same viewpoint for my taste. One can disagree without making things personal, but on the net, these conversations always seem to end up rancorous. Bye for now.

[bjbrock]

The observation was right on...

but the solution is from an obvious moron. Having to patch software is not an option - period. This simply lets software developers sell dangerous products that have not been fully tested. Mistakes can happen, but we have let patches get so far out of hand that billions of dollars have been thrown down the drain as wasted resources and that costs everyone. When are we going to get quality products like we expect to get from any other industry.

Microsoft sold me a product that literally put me and my ability to provide for my family at a very great risk. Raising a family is tough enough. But to have some billion dollar company sell me a product which they lied about what was being sold and then it cause me to redirect resources from what sustains my family and me, is nothing less than criminal. PERIOD!

Patch management not the issue.

Talking about Sasser patch management in terms of patch management misses an important point: Where were the firewalls and the router access lists to block the traffic? Why are unsecured systems being allowed via VPN to access core infrastructures?

Patching systems takes time, as well it should. Moreover, patching is inherently re-active; one cannot patch before the patch is released.

Firewalls and access-lists, on the other hand, are inherently proactive. I do not need to know about a vulnerability within LSASS to know that unrestricted access to UDP port 445 is a bad idea. I do not need to know about malicious URLs to know that links referencing "cmd.exe" should be kept away from the user.

The lesson of Sasser is not about patch management. The lesson of Sasser is that there is no substitute for strong firewalls.

Cordially,

Peter Nayland Kust,
TEKMedia Communications
http://www.tekmedia.com
pkust@tekmedia.com