As usual, great informative podcast. One point I'd like to bring up is that even though IT folks know about the release of Microsoft Hotfixes, deploying them quickly is not always as easy as it sounds.
Due to Microsoft's track record, I'm sure many companies download them right away, but have to take some time to test the patches against "standard builds" (both server and workstation) to be sure that it doesn't break anything else first. Fixing one problem has, at times, introduced others.
Then there's the matter of setting deployment and making sure that the package provided by Microsoft can easily be rolled out to the user base by a given deployment mechanism (Zenworks, SMS, etc). Then depending on the size of the organization, these files/jobs have to be staged and scheduled.
And don't forget the politics involved in larger corporations; Change Approvals, Line of Business (LOB) sign off, etc. Sometimes it amazes me how ANYTHING gets done at all... let alone within 24 hours.
Posted by: Dave at August 18, 2005 7:54 AM
Good points Dave. You're quite right about the first one ... compatibility testing is indeed an important part of the equation that I skipped.
As for deploying, that's simply technology. I don't mean to sound trite, but really, it's just about copying bits to lots of machines, and there are several solutions. If *that* is the bottleneck, then it's the wrong solution for your organization.
I suspect that more often than not the real problem is the politics and unneeded red tape ... and that's my real concern. The Zotob attacks are an example that IT managers should be using to justify cutting through that, if that was their problem.
Posted by: Leo at August 18, 2005 9:25 AM
Leo,
I appreciate the intended fairness of your podcast, but I found the IT-folks-should-get-the-patches-out-sooner thesis naive. Corporate IT folks can't deploy software, especially OS patches, without first regression testing them in conjunction with the corporate suite of applications. Depending on how many versions of Windows they support, as well as how many corporate applications they have, this level of regression testing adds days or weeks, certainly not 24 hours. And we're not even considering the problems incurred with auto-pushing out updates to 1000's of machines – i.e. one is guaranteed to have the auto-pushed update fail on some small % of machines, perhaps even crashing them – lovely to come into work in the AM to find a blue-screen courtesy of an IT auto-pushed patch.
If you're looking towards IT to share the blame on virus propagation, how about corporate IT's role in recommending homogenous computing environments? Darwin showed us how homogenous solutions are an anathema in the real world – a virus would wipe out an entire species if it weren't for diversification. Similarly in IT, a heterogeneous mix of MS and non-MS solutions would ensure that at least some machines would be unaffected by any given virus attack. In other words, should IT be promoting some reasonable level of diversification (through standards) to reduce the impact and spread of viruses?
Posted by: Ben at August 18, 2005 1:57 PM
I am not an IT professional, but as a seasoned user of Microsoft products I have been the victim of "patches" on several occasions. How can you blame IT pros for not immediately deploying a "fix" when the past has shown them that the medicine is often worse than the virus?
Posted by: Larry Griffin at August 19, 2005 6:40 AM
You've listed three blameworthy sources. I do think Microsoft should share some of the blame.
However, I think not only should the companies who got infected share the blame, they should be the first to blame.
Protecting the servers is the IT department's job. It isn't Microsoft's job and it certainly isn't the virus writer's job.
Adding a patch isn't the only way to guard the servers. Worms are restricted to attacking one port (the port where the defective feature is active). If you can't add the patch quickly, block the port with a firewall. Everyone should have one.
Blaming the company has a part 1 and 2. The IT department that didn't take action and the person who didn't fire the IT department for not taking action.
Exactly how much responsibility belongs to the IT and how much to the person who didn't fire the IT depends on how the company is structured and just how much control the IT department has.
Next is the virus writer.
How nice that they are now waiting until a patch comes out.
Or maybe they are just getting lazy.
Actually both in my opinion.
Of course we wouldn't need to worry about patching bugs if people didn't go around exploiting them. But they do, so we do.
Also we wouldn't have to look for bugs if these people didn't look for them themselves.
Just because it took Microsoft years to find it doesn't mean it'll take virus writers as long.
But these days they aren't trying. Microsoft finds and fixes a bug and an evil programmer knows a bunch of companies won't be downloading the patch in time.
Pretty dang easy.
Lastly Microsoft.
True enough no operating system is bug free. Seems every day a new Linux bug is found and fixed.
However instead of sitting down and fixing bugs Microsoft adds new features (and new bugs). This is part of why it took so long for Microsoft to even find this bug.
The classic Windows design (I'm talking the now obsoleted Win 1,2,3 95/98 system) was poorly designed and contributed to huge design flaws.
The NT legacy is a far better design and should be far easier to maintain.
I've heard stories about Microsoft's development cycle. Nightmarish. However, Microsoft has since revised this plan and I think I heard they even have a team dedicated to the job of finding and fixing bugs. If not, they will; it's a logical move.
Microsoft is to blame. They aren't officially owning up to it but they are taking charge where it really matters.
I think you'll find these attacks happening less and less over time.
Still, I'd like it if Microsoft would also admit, as you have, that ultimately it's the IT department's job to protect the servers and not rely on security patches to make that happen.
There are many tools available to IT professionals and home users to secure Windows boxes. There is no reason to rely on Microsoft's security patches as a first line of defense.
Posted by: Jeffery McLean at August 19, 2005 7:25 AM