| ActiveMac | Anonymous | Create a User | Reviews | News | Forums | Advertise |
|
|
|
User Controls |
|
New User |
|
Login |
|
Edit/View My Profile |
|
|
|
|
|
|
|
ActiveMac |
|
Articles |
|
Forums |
|
Links |
|
News |
|
News Search |
|
Reviews |
|
|
|
|
|
|
|
News Centers |
|
Windows/Microsoft |
|
DVD |
|
ActiveHardware |
|
Xbox |
|
MaINTosh |
|
News Search |
|
|
|
|
|
|
|
ANet Chats |
|
The Lobby |
|
Special Events Room |
|
Developer's Lounge |
|
XBox Chat |
|
|
|
|
|
|
|
FAQ's |
|
Windows 98/98 SE |
|
Windows 2000 |
|
Windows Me |
|
Windows "Whistler" XP |
|
Windows CE |
|
Internet Explorer 6 |
|
Internet Explorer 5 |
|
Xbox |
|
DirectX |
|
DVD's |
|
|
|
|
|
|
|
TopTechTips |
|
Registry Tips |
|
Windows 95/98 |
|
Windows 2000 |
|
Internet Explorer 4 |
|
Internet Explorer 5 |
|
Windows NT Tips |
|
Program Tips |
|
Easter Eggs |
|
Hardware |
|
DVD |
|
|
|
|
|
|
|
Latest Reviews |
|
Applications |
|
Microsoft Windows XP Professional |
|
Norton SystemWorks 2002 |
|
|
|
Hardware |
|
Intel Personal Audio Player 3000 |
|
Microsoft Wireless IntelliMouse Explorer |
|
|
|
|
|
|
|
Site News/Info |
|
About This Site |
|
Affiliates |
|
ANet Forums |
|
Contact Us |
|
Default Home Page |
|
Link To Us |
|
Links |
|
Member Pages |
|
Site Search |
|
Awards |
|
|
|
|
|
|
|
Credits |
 |
Should Microsoft pay your security patch costs? | |
|
||
| Time: 10:25 EST/15:25 GMT | News Source: ZDNet | Posted By: Todd Richardson | ||
|
Bill Gates must be livid. Just after he publishes an e-mail letter to customers outlining Microsoft's progress on its Trustworthy Computing initiative, the SQL Slammer worm--376 bytes of code also known as Sapphire, w32.SQLexp.worm, and Helkern--exploits known vulnerabilities in Microsoft SQL 2000 servers. It creates a global Internet slowdown and another embarrassment for the chairman of the world's most powerful software company. And to top it off, Microsoft's own servers were Slammed. With more than $40 billion stashed away, waiting for a good use besides providing a dividend for shareholders, Microsoft should use a small amount of those cash reserves to pay customers for the cost of testing and installing patches that address specific vulnerabilities. You don't pay to have your car repaired when a manufacturing defect is found. | ||
|
Write Comment
Return to News |
Displaying 1 through 25 of 160 Last | Next |
The time now is
6:53:53 PM
ET.
Any comment problems? E-mail us |
| #1 By 665 (64.126.91.172) at 1/31/2003 10:30:48 AM |
|
"With more than $40 billion stashed away..."
Just because they have the money is no reason why they should have to pay for "testing and installing." It shouldn't even enter into the equation. Maybe they should have to pay for other reasons (I don't think that, personally), but not just because they can. |
| #2 By 2459 (24.170.151.14) at 1/31/2003 10:58:35 AM |
|
"You don't pay to have your car repaired when a manufacturing defect is found."
You do have to pay if you ignore the recall notice and cause more damage due to such neglegence (like the DBAs that waited so long to secure their systems this and previous times). MS' responsibility ended when they issued the patch. Most other companies would have stopped there, but MS has continued to take further steps to improve the patching process and make customers aware of the steps they should take to secure their products. Bugs and patches are not unique to MS, and they should not have to pay anyone's security costs. Security is the responsibility of the individual, company, and IT staff. You automatically assume the risk of attack or exploitation when you place your computers on the net. If anyone should be made to pay for anything, it should be the author of the exploit. |
| #3 By 135 (209.180.28.6) at 1/31/2003 11:32:00 AM |
|
sphbecker - The SQL Server patches were not easy.
n4cer - MS's responsibility will end when they provide a mechanism which makes it trivial to install the patch to thousands of machines. For instance this would be possible with Active Directory if the patches were packaged correctly. JaggedFlame - I do agree, but I think MS deserves some of the heat. Look on the bright side, it makes them better. The heat they received forced them to re-release MS02-61 as an easy to install patch. Further heat will insure that they make the installs of new MSDE, SQL Server, etc. versions more consistent so that they don't have to release 5 versions of a patch. baarod - We have a firewall too. But all it took was someone to bring a laptop in. |
| #4 By 7390 (63.211.44.114) at 1/31/2003 11:49:55 AM |
|
1. Why only Microsoft? why not every company that makes software?
2. No one is forcing them to use anything. Use Oracle or DB2 or tab delimited text file, heck use whatever. 3. The cost per client would be too subjective. |
| #5 By 8062 (206.72.66.205) at 1/31/2003 1:05:01 PM |
|
“You don't pay to have your car repaired when a manufacturing defect is found."
You don't know what you're talking about! Free car repairs are only made when a manufacturer’s defect has already killed hundreds of people and the gov forces them to recall the vehicles. Rarely has an auto manufacturer voluntarily recalled vehicles. Usually if they do it because they and their PR and Legal departments see the handwriting on the wall. Software bugs have never been shown to kill hundreds of people. This post was edited by BTD on Friday, January 31, 2003 at 13:07. |
| #6 By 1643 (131.107.3.84) at 1/31/2003 2:08:39 PM |
|
#7 - The SQL Server patches were not easy
Yes they were, copy files, check the version, done. MS's responsibility will end when they provide a mechanism which makes it trivial to install the patch to thousands of machines. For instance this would be possible with Active Directory if the patches were packaged correctly. SMS, SUS (Software Update Services), or AD. #9 The hacker should be accountable, not the manufacturer. The patch was out and noted for some time...it is up to the individuals running the application to secure it, MS did there part. #10 Actually, software is not a Chevy or a screw driver...it is IP. So if you don't like paying x,xxx dollars for a database, code it yourself perfectly for free. Software will always have defects until the computers rise up and take over...because humans make mistakes. MS has made tremendous progress in the last year in securing its' software and you will see auto-patching in future versions. 5 Years ago (most) customers where not as concerned about security as today, they wanted features, features, features...now MS is giving them what they want better, more reliable, and highly secure computing. This post was edited by humor on Friday, January 31, 2003 at 14:29. |
| #7 By 7390 (198.246.16.251) at 1/31/2003 2:25:53 PM |
| #13, every day that I use Sun's java I die slowly same goes for Nutscrape..I mean Netscape |
| #8 By 135 (209.180.28.6) at 1/31/2003 3:25:34 PM |
|
humor - "Yes they were, copy files, check the version, done."
Your argument would be better made if you weren't purposefully being obtuse. "SMS, SUS (Software Update Services), or AD." SMS is an expense, if Microsoft is serious about the TCO argument being forced to buy additional software just to distribute patches does not help. SUS definately does not work, it is only for patches available off WindowsUpdate which not all patches(such as SQL Server ones) are. AD does not work well for patches, as they come as .exe's and AD works best with msi's. |
| #9 By 1643 (207.46.228.98) at 1/31/2003 3:49:59 PM |
|
#16 I agree with you on most points. My humble opinion is that the software wasn't insecure by design...it was a buffer overflow attack which although was a coding error, happens all too frequently on a variety of application and platforms. I am sure MS put a lot of thought and attention to the security of the product, and did not release a known insecure product. Now as too who is ultimately responsible, it will always be the customer (legally) unless the vendor is hosting the services (for now, maybe a new novel approach will develop). I am sure if you want MS to manage the application or platform in your environment, they will, but not at the cheap prices of their software. And
#17 I am sorry, I just believe that most admins should be able to replace files and right click on the properties to verify the versions. It is that simple, just because it doesn't come in an exe, doesn't mean that it is difficult. I apologize if that was an “obtuse” comment, buit it is correct. Well, SMS does a lot more than security fixes, hence the expense...but there is no reason you could not script a solution that requires no cost using vbs or VB. SUS works for the platform which is still important, not the application,…but you can extend that by developing your own tools to patch your applications (not just MS products). I think you will see a more central patch management for all enterprise software from MS sooner than later. Note - AD works well for patches, but requires you to repackage them...hopefully MS will distribute everything in a MSI, but for now, an MSI packager is all that is required. If your looking for a perfectly secure auto updating platform/application, no vendor has that yet…but I believe that MS is closer than anyone. |
| #10 By 3653 (216.153.67.116) at 1/31/2003 3:57:13 PM |
| this sort of tactic by the media shouldn't surprise us. We all know that the media STRIVES to find a "Microsoft Killer". Well, the media's perusings around security is nothing more than an admission that there isn't a MSFT Killer out there. But the media feels compelled to hit MSFT anyway. |
| #11 By 1643 (207.46.228.98) at 1/31/2003 4:19:24 PM |
|
#22 Awesome!!!
#20 MS is just an aggressive type 1 company, why else do you think there is a computer in >50% of homes (I think…my numbers might be wrong). But I think they have matured in the last year tremendously...IMHO. #21 One more point, and it relates to the litigious society we are in...I think MS would a little more responsibility, but if they did, customer prices would be higher and they would get sued by everyone for every time a computer locked up. I mean, in the US, insurance (in all sectors)rates keep rising, basically to fund morons. 1. The McDonalds coffee lady 2. The guy who sued and won against the Winnebago company because he set the cruisecontrol, made a cup of coffee, and rolled the damn thing because the auto-pilot (aka cruise control) didn’t work. 3. I could go on, on…SUN is a post in itself :) |
| #12 By 1643 (207.46.228.98) at 1/31/2003 5:19:24 PM |
|
#32 I wasn't aware of the facts...I only read the news papers, thanks for the correct info. Regardless, my point still stands.
#33 Incorrect, you license the use of the bits, with no stipulations on performance. This post was edited by humor on Friday, January 31, 2003 at 17:20. |
| #13 By 3653 (216.153.67.116) at 1/31/2003 5:20:34 PM |
| #32, I don't care of Mrs. Liebeck is a/k/a Mother Teresa... the payout amount was ridiculous. |
| #14 By 1643 (207.46.228.98) at 1/31/2003 5:33:16 PM |
| #37 Let me try to make it clearer (basics) - You license the use of all the IP (coding, testing, research, etc) that generated certain "bits" for use on a single machine. Microsoft may or may not provide updates (but almost always WILL) to that version of the product, for a period of not less than 5 years. |
| #15 By 135 (209.180.28.6) at 1/31/2003 5:46:48 PM |
|
humor - Again, please don't be obtuse.
You claim that all of these things are "easy", but you have clearly never been in a situation where you have had to utilize them. Repackaging .exe's into MSI's to make them work with AD is not "easy". Having to utilize SMS is not "easy", nor universal. Copying files manually, and verifying file versions manually is not "easy". Especially when you are doing this to 1,000 machines and each machine may have multiple instances. Yes, one could write a script to do this with WSH but you know what? So could Microsoft. In fact Microsoft could write one script and millions of people benefit. Whereas with your position Microsoft does nothing and millions of people are stuck with the cost of writing the same script. Is that efficient? Is that easy? No, it is not. |
| #16 By 135 (209.180.28.6) at 1/31/2003 5:57:02 PM |
|
As for lawsuits... I'm all for reasonable limits. But what I fear happening is some company deciding that saving the $2 for that screw is worth it because they estimate only 30 people will die each year as a result, and that's worthwhile. If you don't believe that's possible, we have about 200 years of historical evidence in this country showing otherwise.
The most amazing one was when the railroads refused to install airbrakes in trains because of the cost. Congress finally mandated it, and the net result was that trains actually were able to run faster because the braking system was more efficient, this speed increase dropped the overall cost of operation for the railroads. Still I do not see Microsoft being liable in this case, certainly not to install patches. There responsibility is to provide the patch, and to provide a mechanism to the consumers to painlessly deploy the patch. They are succeeding on the former, but they still have a great deal of work to be done on the latter. The thing is, if they improve the latter, these events will be far less likely and they'll improve their PR. You'd think that this would be a win-win, but for some reason they aren't real motivated on this. |
| #17 By 1643 (131.107.3.78) at 1/31/2003 7:11:14 PM |
|
Actually, I utilize them quite often...
I will say it is fairly easy (wizard driven and everything) to repackage a hotfix...I have done it on a number of occasions (without training). The SMS rebuttal, can't agree with you more. However, we are IT professionals, it is not a requirement to be easy...just doable :) Though the easier...the better. Note - You have resorted to name calling twice, using the word obtuse...keep in mind just because I don't agree with you, does not mean I am wrong. Resorting to using any type of verbal attack, only means that you lack the intelect to counter with fact and reason. Let's call a misunderstanding ;) ob•tuse [ b tss, ob tss ] adjective 1. slow to understand: slow to understand or perceive something 2. mathematics between 90º and 180º: used to describe an angle greater than 90º and less than 180º 3. mathematics with internal angle greater than 90º: used to describe a triangle with one internal angle greater than 90º 4. blunt: not sharp or pointed This post was edited by humor on Friday, January 31, 2003 at 19:28. |
| #18 By 135 (208.50.206.187) at 2/1/2003 1:04:18 PM |
|
Ok, the people trying to defend Microsoft by blaming the Administrators are being pretty blatantly ignorant, since we're not talking about Administrators here.
bjd145 - agreed |
|
Write Comment
Return to News |
Displaying 1 through 25 of 160 Last | Next |
The time now is
6:53:53 PM
ET.
Any comment problems? E-mail us |
