Re: Large ISP response to Code Red?

From: Mike Johnson (
Date: 07/31/01

Date: Tue, 31 Jul 2001 08:39:02 -0400
From: Mike Johnson <>
Subject: Re: Large ISP response to Code Red?
Message-ID: <>

Seth Arnold [] wrote:
> I think picking on the ISPs is the wrong approach. Ask Microsoft why it
> took over a month before their patches were applied to nearly half a
> million systems.[1] Ask Microsoft why they don't perform better code
> audits to find the gaping holes in their software. But don't bother the
> ISPs too much -- if they start blocking OS/WebServer specific yet
> RFC-compliant traffic, their customers may not like the intrusion. (I
> know I don't want my web traffic scanned to protect people who don't
> patch their systems...)

Agreed. The ISPs just can't possibly secure all their customer's
systems. They could, if they wanted to, charge the customer if
the customer attacks (either willingly or not) another.

However, I suppose it's -still- too difficult to keep a Windows box
up to date (for Joe 'I use Windows because it's easiest' User). It's
still a manual process that the user both needs to know about and
be willing to do. I recently got my hands on Mac OSX and they have
automated updates. When the system is first installed, it asks
the user if they want to download the updates. If so, it goes and
does it. At the same time, it sets up a schedule for weekly
-automated- updates. This means that an OSX box is never more
than a week out of date -and- the user has to do -nothing- to
acomplish this feat.

So, why doesn't Microsoft do this? Why not schedule automated,
unattended updates? Make it such that the user can turn this
off, but the default should be to update, -especially- for server
class systems (Win2k Server). Granted, this doesn't help those
without an Internet connection, but who cares? They're not
a problem.

If Win2k updated itself on a weekly basis, Code-Red (and the next
and the next and the next Windows based worms) wouldn't have
been able to infect -nearly- as many systems.

To me, this is the answer. Server based systems usually have
plenty of bandwidth. A different set of patches could be
offered for the desktop class systems (Win9x, Me, 2k Prof.)
that might be more bandwidth friendly and only applies to
the highest priority stuff.

Anyways, Microsoft? Hello? Are you there?

> [1] they put an awful lot of effort into copyprotection .. how about
> 'forced upgrade protection', that disables internet connections when
> computers are unpatched for 14 days after release of a patch? Or how
> about machines that automatically apply patches? Or email administrators
> every time a patch is released?

Exactly. Email isn't enough. Automatically apply patches.


Mike Johnson --
OpenNMS --
Like many things in awk, the majority of the time things 
work as you would expect them to work.  -- The GNU Awk User's Guide.

---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: