product liability (was 'we should all be uncomfortable with the extent to which luck..')

Ryan Tucker rtucker at
Wed Jul 25 13:43:43 UTC 2001

On Wednesday, July 25, 2001, at 09:17 , Joe Shaw wrote:
> And with this latest threat of code red, Microsoft would have been 
> covered
> anyway, because a patch for this exploit existed well before CodeRed 
> hit.
> They released a patch for the indexing server on June 18, 2001, which as
> you know is a full month before CodeRed.  So, people had a MONTH to
> prepare for something like this, and it's a sad statement that they did
> not.

We did, and are quite amazed at how few others did.

None of *our* Win2k servers were affected (thanks to our NT admin's 
frequent overnight patchfests), but numerous customers were... most of 
this manifested as "your network is down" or "hi, we'd like an SLA 
refund" or "my web server keeps crashing, you guys sell hardware 
unworthy of a ghetto trash bin".

Windows is NOT easy to administer.  Unix (any of 'em) is NOT easy to 
administer.  You can NOT install and not think about it again.  You MUST 
continually think about it, look for updates for it, apply updates 
(usually overnight, as many of them require a reboot, and some of them 
wedge the machine), and keep the server in operating condition.

Reality is in direct contrast to Microsoft's main advertising pitch.  
How many of you have seen the Win2k Datacenter commercial with the 
unmanned array of large machines, with the voiceover falling just short 
of saying you can fly to Mars and back without having to do any 
administration oncesoever?

How many affected customers think that, because of that, no resources 
need to be devoted to administering their much smaller servers?

How many probably still think that?

It made it through the firewall and didn't set off the virus scanner, so 
obviously it's not that bad, right?

Something that might help is PSA's -- you know, those radio spots that 
tell you never to shake babies, drive drunk, or keep a pile of old tires 
around.  Perhaps it's time that everyone also knows keeping your servers 
secure is not only in everyone else's best interest, but your best 
interest as well.  Awareness is a wonderful thing.

I'll throw in a couple bucks towards airtime.  -rt

More information about the NANOG mailing list