RE: Windows Update: A single point of failure for the world's economy?
From: Schmehl, Paul L (pauls_at_utdallas.edu)
Date: Thu, 4 Sep 2003 09:49:22 -0500 To: <BUGTRAQ@securityfocus.com>
> -----Original Message-----
> From: Aaron Cheek [mailto:firstname.lastname@example.org]
> Sent: Wednesday, September 03, 2003 5:03 PM
> To: Schmehl, Paul L
> Cc: email@example.com; BUGTRAQ@securityfocus.com
> Subject: Re: Windows Update: A single point of failure for
> the world's economy?
> > More of a risk than up2date for RedHat or emerge -u
> > system for Gentoo? Or cvsup for *BSD?
> Certainly!!! For Red Hat (and all the major distros),
> you have a zillion mirrors all over the world, and,
> additionally, you can in extremely straightforward way (e.g.
> wget -r) bulk download all the patches from any of those
> mirrors and apply them in a glitch (rpm -F).
And of course you can do exactly the same thing for Microsoft patches
(the downloading that is.) You just have to know where to go. But that
is usually the realm of sysadmins. Individual users (obviously) don't
seem to have a clue how to patch their machines or even that their
machines are infected and spewing like crazy. Which is worse?
Automated updates that keep them patched or infected bots DDoSing the
> Even if DoS attacks against the official names, IPs or
> whatever take place, you always have your "local"
> mirror to download patches from, which will be named
> as mymirrorsite.mymirrordomain.mycountry. And if the
> guys from RedHat (et al.) are wise enough, they can
> set up out of band channels to distribute the patches
> to the mirrors in the event of a major DoS attack.
And you can do exactly the same thing for Microsoft patches. In fact we
do exactly that here. All Microsoft patches are stored locally and
distributed locally after thorough testing.
> No single point of failure, as you can see.
I wouldn't exactly call Akamai a single point of failure, would you? I
suspect Microsoft's distribution is broader and deeper than any *nix
mirroring system. (For those unfamiliar with Akamai,
http://www.akamai.com/, they distribute load for large volume sites over
a massive number of servers distributed all over the world.) Perhaps
this proposed system isn't *your* cup of tea, but then you don't have to
participate. As far as its impact on the Internet goes, I suspect we
would all be a great deal better off if updates were automated for those
who don't know how to do anything else. For the clueful, you simply
Paul Schmehl (firstname.lastname@example.org)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member