Microsoft Failed To Apply Their Own Security Patches

evan9162

Flashlight Enthusiast
Joined
Apr 18, 2002
Messages
2,639
Location
Boise, ID
I don't find it ironic in the least...

Please remember that corporations like MS are huge, and have many departments that are not connected at all.

HP is in the same boat. I worked at HP in Boise, where they specialized in printers. I could walk 100' from my cube in firmware development, and could find people that knew nothing about using or operating printers.

If a similar exploit were found for HPUX (HP's unix OS), I can guarantee that HP would be one place that would be hit just as hard as other corporations.

Corporations are not single-minded entities. The business plan division thinks and operates completely differently than development, engineering, marketing, etc. They all have their own goals, budgets, and perspectives on things.

Am I excusing it? No. Am I asking everyone to think about how large corporations work? Yes.
-Darin

Anarchocap

Enlightened
Joined
Dec 23, 2002
Messages
452
Location
Arizona, USA
The company that I work at is pretty much assumed to be bound to Microsoft at the hip. There is even an acronym that is derived from the two of our company's names/product.

Our internal SQL servers were down the whole weekend and most of Monday. We are still blocking ports and dropping nodes as I type today.

Along the lines of what Darin says, think about what it would take to proliferate a patch released ~4 months ago to ~10,000 servers. Then think about all the issues that might be caused because you didn't test out if the patch created more problems than it fixed. Then think about the fact that all of those servers need down-time. Then think about that down time and how it would interrupt how your employees get their jobs done.

At my company alone, if we have unscheduled downtime it costs us about $1,000,000 an hour in just one factory.

The best you can hope for in a large company is to test patches as quickly as possible for negative interactions as soon as they are released, but it takes at least a couple of months of testing in a non-production or a non-critical production environment just to make sure you aren't going to screw up the rest of the company.

You can't even begin to imagine the negotiation of all that downtime once the patch has been tested and all the interaction issues are documented.

Yeah, it's real easy to install a patch on one server, but do it on ~10,000 when it can't be undone and see if you have a job for much longer.

The whole scenario is just a massive nightmare, and we have to do it over and over, multiple times a year.

FWIW, there were HUGE holes found in Solaris and other Berkeley based Unix OSs last year. But those systems are an order of magnitude less prolific than the relatively cheap MS based platforms. That also means there are an order of magnitude less hackers and virus coders trying to maliciously bring down those systems.

If you had any experience in dealing with this at large companies, you would find there is certainly no irony whatsoever. It is a planned, malicious, and criminal act, and deserves to be punished accordingly. Anything to the contrary is akin to saying it was your fault your house was broken into and all your things were smashed because even though you locked your doors, you didn't have bars on your windows (pun intended).

Albany Tom

Enlightened
Joined
Aug 18, 2002
Messages
769
Location
Albany, NY
You can't just patch systems, either, especially if those patches are from Microsoft. There is a history of patches completely wrecking systems. We wait on many, to see what the feedback is.

Running any Microsoft product on the outside of a firewall, or accessible through a firewall without authentication is NUTS, though, in my opinion. To use the house analogy, if your home security system was Microsoft, all your stuff would be sitting on the lawn.