RE: What could have been done differently?

["Eric Germann" <ekgermann () cctec com>]

XP has autoupdate notifications that nag you.  They could make it automatic,
but then everyone would sue them if it mucked up their system.

And, MS has their HFCHECK program which checks which hotfixes should be
installed.  Again, not automatic because they would like the USER to sign
off on installing it.

On the Open Source side, you sort of have that when you build from source.
Maybe apache should build a util to routinely go out and scan their source
and all the myriad add on modules and build a new version when one of them
has a fix to it, but we leave that to the sysadmin.  Why, because the
permutations are too many.  Which is why we have Windows.  To paraphrase a
phone company line I heard in a sales meeting when reaming them, "we may
suck, but we suck less ...".  It ain't the best, but for the most part, it
does what the user wants and is relatively consistent across a number of
machines.  User learns at home and can operate at work.  No retraining.

Sort of like the person who sued McD's when they dumped their own coffee in
their lap because it was "too hot".  Somewhere in the equation, the
sysadmin/enduser, whether Unix or Windows, has to take some responsibility.

To turn the argument around, people don't pay for IIS either, but everyone
would love to sue MS for its vulnerabilities (i.e. CR/Nimda, etc).

As has been said, no one writes perfect software.  And again, sometime, the
user has to share some responsibility.  Maybe if the users get burned
enough, the problem will get solved.  Either they will get fired, the
software will change to another platform, or they'll install the patches.
People only change behaviors through pain, either mental or physical.

Eric


> -----Original Message-----
> From: Jack Bates [mailto:jbates () brightok net]
> Sent: Tuesday, January 28, 2003 10:36 AM
> To: ekgermann () cctec com; Leo Bicknell; nanog () merit edu
> Cc: Eric Germann
> Subject: Re: What could have been done differently?
>
>
> From: "Eric Germann"
>
> > Not to sound to pro-MS, but if they are going to sue, they
> should be able
> to
> > sue ALL software makers.  And what does that do to open source?  Apache,
> > MySQL, OpenSSH, etc have all had their problems.  Should we sue the nail
> gun
> > vendor because some moron shoots himself in the head with it?
>
> With all the resources at their disposal, is MS doing enough to inform the
> customers of new fixes? Are the fixes and lates security patches
> in an easy
> to find location that any idiot admin can spot? Have they done
> due diligence
> in ensuring that proper notification is done? I ask because it
> appears they
> didn't tell part of their own company that a patch needed to be
> applied. If
> I want the latest info on Apache, I hit the main website and the
> first thing
> I see is a list of security issues and resolutions. Navigating
> MS's website
> isn't quite so simplistic. Liability isn't necessarily in the bug
> but in the
> education and notification.
>
> Jack Bates
> BrightNet Oklahoma