[Re: how to get people to upgrade? (Re: The weak link? DNS)]

Jeffrey C. Ollie jeff at ollie.clive.ia.us
Wed Mar 26 18:23:34 UTC 2003


On Wed, 2003-03-26 at 10:52, Joshua Smith wrote:
>
> don't forget to include some useful/helpful comments regarding where to
> look for more info

Yes, the TXT record would include the entire text of the security notice
(hmm... how big can TXT records be?) or at least a URL.

> i like this idea better, and every little bit helps, but i still have
> some reservations:
> for the install-and-forget crowd (it is running right - well then why
> would i want to mess with it), i don't know that they would see the 
> periodic messages, know how to act on them (although i am sure that very 
> detailed instructions could be included in each email), or care to act on 
> them.  unless there is a blinking icon in the 'taskbar' that they click 
> on, and then magically when the machine has rebooted, they are up2date 
> with everything, i have doubts that it would work for a lot of the
> servers out there

<sarcasm>Ideally, you would get a mild electric shock from your keyboard
if you were running software that had known security problems.  Not
enough of a shock that would numb your hands (you need them to upgrade!)
or send you into cardiac arrest, but just enough that using a computer
would be uncomfortable enough so that you would apply security patches
in a timely manner.   However, the technical and legal issues are
unsolvable (I'm fine with the moral/ethical issues here) so I didn't
mention it before.</sarcasm>

Seriously, you can do only so much to *force* people to apply security
patches.  Basically, when it comes to security patches, there are two
classes of admins, the kind that do hear about security advisories and
the kind that don't.

For those admins that do hear about security advisories there are going
to be some admins that don't apply security patches because they just
don't care.  There are also going to be some that don't apply security
patches because they don't know how and don't care enough to learn how.
There's not much we can do about those people.

What we CAN do is to reduce the number of people that don't hear about
security advisories.  Web pages, CERT mailing lists, etc. don't reach
enough people partly because people don't know about them or don't have
the time to check a bazillion web pages or read a bazillion mailing list
posts that talk about software that they don't even use.  However, if MY
DNS server started emailing ME, I'd be a little more likely to sit up
and take notice and maybe do something about it.

>  (besides, how will any of this prompt those who are
> currently out of date to upgrade?)

Unfortunately, any proposal like this can only affect future versions of
software.  Fortunately, most systems get upgraded eventually (although
it could take years, maybe decades).

Jeff




