nanog mailing list archives

RE: how to get people to upgrade? (Re: The weak link? DNS)


From: "Kuhtz, Christian" <christian.kuhtz () BellSouth com>
Date: Wed, 26 Mar 2003 13:30:52 -0500


CK> The way I see it, the issue isn't that there aren't enough
CK> notifications of BIND vulnerabilities.

Perhaps.  But how much is enough?  Current notification levels
certainly get a fair number of admins to upgrade.

Feel free to elaborate on where you think gaps exist.. 
 
CK> Administrator inertia is the root cause.  I don't see how an
CK> automatism such as the one described changes human behavior.
CK> And unless you change that inertia, no amount of
CK> notification, databases, registries, yada yada yada will make
CK> any difference.

Correct.  Human behavior won't change.  The pain must exceed the
inertia.

I'm always open to suggestions.

Let's just suppose for a moment that pain is in fact the right approach.
How do you create such 'pain'?

Spamming admins with (even more) emails is a bad idea, IMHO.  I'm sure it'll
catch some of those who enable the feature, but will it really make that
much of a difference?

For example, I can't think of a precedent for self-updating software that
works (well), especially with the high degree of customization available in
BIND.  

Until we find that holy grail, IMHO, the most you can do is make an update
readily available and tell people about it.

Thanks,
Christian



