From: Paul L Schmehl (paulsutdallas.edu)
Date: Thu Oct 04 2001 - 21:01:04 CDT


    --On Thursday, October 04, 2001 8:26 PM +0200 Wim Remes
    <wim.remesskynet.be> wrote:

    > That 2nd last paragraph is a really stupid idea. Most Admins (at least
    > the very few that are concerned about security on their network) already
    > use programs or have developed techniques to push patches, etc to the
    > clients. I'm certainly not gonna pay for another M$ product

    http://www.microsoft.com/PressPass/features/2001/oct01/10-03securityqa.asp

    "As part of the overall STPP effort, we are committing to five no-cost
    deliverables to customers:"

    Notice the words "no-cost".

    > when I can handle updating of the clients with a simple tool like
    > KiXtart !!!!

    KiXtart is nice, but not everyone is as intelligent as you apparently are.
    Not everyone has the time to write them that you apparently do. (And
    before you make assumptions about *me*, please note that my KiXtart scripts
    for installing and updating McAfee VirusScan have been used worldwide, so I
    do have *some* idea what I'm talking about. I have also written C++
    programs, JAVA programs and Perl scripts.)

    I think it's highly elitist to think that the way *you* "do security" is
    the way *everyone* should do security. Every network is different and each
    has their own unique quirks and problems. I would *never* presume to tell
    someone else what they ought to do with their network. And you shouldn't
    either. (And unless you can prove definitively that every single machine
    on your network is up to date all the time, then you have just disproven
    your own point.)

    > That 'new' server product will in itself be subject to vulnerabilities,
    > poor programming,...
    > Let's imagine that a hacker succeeds in writing a virus that masks itself
    > as a MS-update, gets access on the Local Update Server & sits back until
    > the MS-server decides to distribute it to every single client on your
    > network...
    > That'd be fun ....

    By the time your hacker has broken in to your Local Update Server, you have
    a lot more serious problems than corrupted updates. Furthermore, the
    patches are distributed as the admins decide, not automagically without
    review.

    I also think it's rather presumptuous to say that the software will be
    subject to vulnerabilities and poor programming *before* it's even been
    written. Have you ever written a complex GUI program for Windows? Writing
    KiXtart scripts is child's play by comparison.
    >
    > Security ain't a thing you can buy ! It is a service you provide to your
    > customers, something you work on every day & last but not least something
    > that should never be put back with the simple question "Why would anyone
    > target me?"

    I disagree. Security is the responsibility of every person who logs on to
    a computer on your network. You can't do it alone, and technology isn't
    going to do it for you. It takes every person being aware of the risks and
    the mitigation of those risks before a network could ever be considered
    "secure".

    Paul L. Schmehl, paulsutdallas.edu
    http://www.utdallas.edu/~pauls/
    Supervisor, Support Services
    The University of Texas at Dallas
    AVIEN Founding Member