RE: Windows Update: A single point of failure for the world's economy?

From: Schmehl, Paul L (pauls_at_utdallas.edu)
Date: 09/04/03

  • Next message: Richard M. Smith: "RE: Blaster / Power Outage Follow up"
    Date: Thu, 4 Sep 2003 09:49:22 -0500
    To: <BUGTRAQ@securityfocus.com>

    > -----Original Message-----
    > From: Aaron Cheek [mailto:aaron_cheek@yahoo.com]
    > Sent: Wednesday, September 03, 2003 5:03 PM
    > To: Schmehl, Paul L
    > Cc: stefano.zanero@ieee.org; BUGTRAQ@securityfocus.com
    > Subject: Re: Windows Update: A single point of failure for
    > the world's economy?
    >
    > > More of a risk than up2date for RedHat or emerge -u
    > > system for Gentoo? Or cvsup for *BSD?
    >
    > Certainly!!! For Red Hat (and all the major distros),
    > you have a zillion mirrors all over the world, and,
    > additionally, you can in an extremely straightforward way (e.g.
    > wget -r) bulk download all the patches from any of those
    > mirrors and apply them in a glitch (rpm -F).

    And of course you can do exactly the same thing for Microsoft patches
    (the downloading, that is). You just have to know where to go. But that
    is usually the realm of sysadmins. Individual users (obviously) don't
    seem to have a clue how to patch their machines or even that their
    machines are infected and spewing like crazy. Which is worse?
    Automated updates that keep them patched or infected bots DDoSing the
    world?
    >
    > Even if DoS attacks against the official names, IPs or
    > whatever take place, you always have your "local"
    > mirror to download patches from, which will be named
    > as mymirrorsite.mymirrordomain.mycountry. And if the
    > guys from RedHat (et al.) are wise enough, they can
    > set up out of band channels to distribute the patches
    > to the mirrors in the event of a major DoS attack.
    >
    And you can do exactly the same thing for Microsoft patches. In fact we
    do exactly that here. All Microsoft patches are stored locally and
    distributed locally after thorough testing.

    > No single point of failure, as you can see.
    >
    I wouldn't exactly call Akamai a single point of failure, would you? I
    suspect Microsoft's distribution is broader and deeper than any *nix
    mirroring system. (For those unfamiliar with Akamai,
    http://www.akamai.com/, they distribute load for large volume sites over
    a massive number of servers distributed all over the world.) Perhaps
    this proposed system isn't *your* cup of tea, but then you don't have to
    participate. As far as its impact on the Internet goes, I suspect we
    would all be a great deal better off if updates were automated for those
    who don't know how to do anything else. For the clueful, you simply
    disable them.
     
    Paul Schmehl (pauls@utdallas.edu)
    Adjunct Information Security Officer
    The University of Texas at Dallas
    AVIEN Founding Member
    http://www.utdallas.edu/~pauls/
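The "pull the patches from whichever mirror is up, then apply them" procedure that the quoted reply sketches (wget -r from any mirror, rpm -F to apply), worked through as an added example that is not part of the original thread. The mirror hostnames, file name and payload are constructed placeholders; the point it adds to the discussion is the check a practitioner wants between the two steps: a mirror is untrusted transport, so a copy is skipped not only when the mirror is down but also when what it serves does not match the digest (or, for RPM, the vendor signature) published out of band.

```python
"""Fetch a patch from the first reachable mirror whose copy verifies.

Added example for this thread; not code from the original post. Hostnames,
file name and payload below are constructed placeholders.
"""
import hashlib
import urllib.request
from typing import Callable, List, Tuple

# Constructed mirror list. The first entry stands for the vendor's official
# site (the one a DoS would target); the last is the "local" mirror the
# quoted reply describes. None of these hosts exist.
MIRRORS = [
    "https://updates.vendor.example/patches/",
    "https://mirror.example.net/patches/",
    "https://mymirrorsite.mymirrordomain.mycountry/patches/",
]


def default_fetch(url: str, timeout: float = 10.0) -> bytes:
    """Plain HTTP(S) GET; raises on network or HTTP errors."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def fetch_with_failover(
    filename: str,
    expected_sha256: str,
    mirrors: List[str] = MIRRORS,
    fetch: Callable[[str], bytes] = default_fetch,
) -> Tuple[bytes, str]:
    """Try each mirror in order and return (data, url) for the first copy
    whose SHA-256 matches the digest obtained from the vendor out of band.

    A mirror that does not answer is skipped (that is the "no single point
    of failure" property). A mirror that answers with a file whose digest
    does not match is also skipped: mirrors are untrusted transport, so a
    copy is only as good as the check applied to it before it is installed.
    """
    attempts = []
    for base in mirrors:
        url = base + filename
        try:
            data = fetch(url)
        except Exception as exc:  # timeout, DNS failure, HTTP error ...
            attempts.append((url, "unreachable: " + type(exc).__name__))
            continue
        digest = sha256_hex(data)
        if digest != expected_sha256:
            attempts.append((url, "digest mismatch: " + digest[:16]))
            continue
        return data, url
    raise RuntimeError(
        "no mirror served a verified copy:\n"
        + "\n".join("  %s -> %s" % a for a in attempts)
    )


# --- Offline demonstration with a simulated network -----------------------
GOOD_PATCH = b"constructed patch payload, stands in for an .rpm or .exe"
GOOD_DIGEST = sha256_hex(GOOD_PATCH)   # what the vendor would publish


def simulated_fetch(url: str) -> bytes:
    """Stand-in for the network: official site is down, the public mirror
    has a stale or altered copy, the local mirror has the right one."""
    if url.startswith(MIRRORS[0]):
        raise TimeoutError("official site not responding (simulated DoS)")
    if url.startswith(MIRRORS[1]):
        return b"stale or altered copy"
    return GOOD_PATCH


def demo() -> str:
    """Return the URL the verified copy came from."""
    _data, source = fetch_with_failover(
        "patch-001.rpm", GOOD_DIGEST, fetch=simulated_fetch
    )
    return source


if __name__ == "__main__":
    print("verified copy obtained from", demo())
```

Only the download step is shown; installing the verified file is still the rpm -F (or Windows installer) step from the thread. For RPM packages the same gate exists natively: rpm --checksig verifies the package signature against the vendor key imported into the RPM database, which is the stronger form of this check because the trust anchor is the key rather than a digest list that itself has to be fetched from somewhere.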
