<< Web-Inspired Ads Coming To TV  |  Playing To Win: How EA Makes Games >>

Studies

Studies

by Mike Masnick

Tue, Nov 19th 2002 1:54pm




Security Holes Aren't Being Filled

from the of-course-not dept

There's a new study out talking about how many sysadmins don't do a very good job patching security holes. The study and its conclusions seem a bit flawed, however. First, the "study" is based on one single flaw that one security consultant decided to follow. He did a Google search to pick servers that had that flaw (he apparently found out about the flaw right before it went public). Then he kept testing those servers over time to see who fixed the flaw. Since it's only one instance, it's not clear how conclusive this study is. The conclusions also seem a bit off-base as well. The guy says he thinks that the sysadmins who didn't patch the hole are clearly lazy. However, with the incredible number of security hole announcements that come out every single day, I think it's more of a "crying wolf" situation. There are only so many security holes that sysadmins are going to respond to, and after a while they don't see the threats as being that strong, compared to the actual effort of patching.

3 Comments | Leave a Comment..

 
 

Reader Comments

(Flattened / Threaded)

    Nov 19th, 2002 @ 4:57pm

  • don't forget...

    by Dr_Stein

    A lot of sysadmins are forbidden from installing any software on machines unless management signs off on it, or the software has undergone some sort of QA/qualification process.

    Might not be lazy people.. *shrug*

    (reply to this comment) (link to this comment)

      • Nov 19th, 2002 @ 11:32pm

    • Re: don't forget...

      by ctrlz

      There are even more reasons:
      1. there are always a chance that patches will break something...
      2, many software products are supported only on certain patch levels. i.e. Service Pack 3 for Windows NT. If admin installs newer service pack -
      he is on his own.
      3. patches still cannot ( mostly ) be installed without downtimes. By installing patches admin has no chance to reach 99% uptime on unclustered servers. At the same time *ADMIN, YOU DO NOT UNDERSTAND, BUSINESS SIDE NEEDS IT*

      (reply to this comment) (link to this comment)

        • Nov 20th, 2002 @ 5:22am

      • Re: don't forget...

        by MLO

        Also lets not forget that a lot of companies require patches and fixes to be thoroughly tested in a test lab before being rolled out. What with the pared down staff of some organizations, and the increasing amount of patches being rolled out, I don't think its a question of laziness.

        (reply to this comment) (link to this comment)

Add Your Comment

Have a Techdirt Account? Sign in now.
Get Techdirt’s Daily Email
Plain Text HTML
Save me a cookie
  • Plain Text: A CRLF will be replaced by break <br> tag, all other allowable HTML is intact
  • HTML: No formatting of any kind is done without explicitly being written in
  • Allowed HTML Tags: <b> <i> <p> <a> <em> <br> <strong> <blockquote> <hr> <tt>
Close
Have a Techdirt Account? Sign in now.
Get Techdirt’s Daily Email
Plain Text HTML Save me a cookie

<< Web-Inspired Ads Coming To TV  |  Playing To Win: How EA Makes Games >>

Search Techdirt
And now, a word from our Sponsors..
San Francisco Music Tech 2009
15% off discount for Techdirt Readers



Subscribe to Techdirt's Daily Email Newsletter

Techdirt's Daily Email Newsletter

Related Stories

We See Your 'Copyright Contributes $1.5 Trillion' And Raise You 'Fair Use Contributes $2.2 Trillion' (17)

Just Because People Say They'll Pay For Something, It Doesn't Mean They Will (21)

Mainstream Press Waking Up To The News That Musicians Are Making More Money (56)

New Economics Paper Explains How Shorter Copyright Stimulates More Music (144)

Video Game Developers Say That Piracy Really Isn't A Big Threat To Business (55)

Close
E-mail It