IP: Dangers of U.S. Cyber Chief to Map Infrastructure for Security and forces patches down our throats (see last para)

[David Farber <dave () farber net>]

> To: farber () cis upenn edu
> Date: Wed, 05 Dec 2001 08:55:33 -0800
> From: Lauren Weinstein <lauren () vortex com>
>
> > >Software companies should not just make ``patches'' available to fix
> > >vulnerabilities in their products, but automatically update users'
> > >software for them, he [Clarke] said.
> > >
> > >``It's not beyond the wit of this industry to figure out a way of forcing
> > >down these patches,'' he said.
>
> This concept, though appealing on its face to many, is extraordinarily risky
> and could be highly dangerous if widely implemented.  The reasons are very
> clear.  First, automatic or "forced" update paths create new hacking targets
> on a grand scale.  Hackers, criminals, or even terrorists could concentrate
> their cyberattacks on the update mechanisms, potentially gaining access to
> millions of systems in one fell swoop.  They might attack the individual
> user systems, or the central sites that distribute the automated updates
> (to corrupt vast numbers of machines from those central points).
>
> Would software vendors try to prevent this?  Of course.  Would they
> sometimes fail spectacularly in preventing such attacks?  Definitely.
> It would only take one such major failure related to, for example, a popular
> windows-oriented operating system to do immense damage.
>
> Another problem even with legitimate automatic updates, of course, is that
> they would often cause more problems than they solve.  One reason that so
> many people don't install existing security updates across a range of
> software systems, is that they've personally experienced the resulting new
> security holes opened, system crashes and corruption, and other problems
> that result from poorly implemented or tested software patches or "fixes" of
> various sorts.  Forcing such materials down people's figurative system
> throats would be incredibly dangerous to security and reliability.
>
> There are indeed *major* and *serious* problems relating to security flaws
> in software systems.  Automatic and/or forced updating systems are
> not the answer.
>
> --Lauren--
> Lauren Weinstein
> lauren () pfir org or lauren () vortex com or lauren () privacyforum org
> Tel: +1 (818) 225-2800
> Co-Founder, PFIR - People For Internet Responsibility - http://www.pfir.org
> Co-Founder, Fact Squad - http://www.factsquad.org
> Co-Founder, URIICA - Union for Representative International Internet
>                      Cooperation and Analysis - http://www.uriica.org
> Moderator, PRIVACY Forum - http://www.vortex.com
> Member, ACM Committee on Computers and Public Policy

For archives see:
http://www.interesting-people.org/archives/interesting-people/