Playing To Win: How EA Makes Games >>
<< Web-Inspired Ads Coming To TV
 tdicon 


Studies

by Mike Masnick

Tue, Nov 19th 2002 1:54pm





Security Holes Aren't Being Filled

from the of-course-not dept

There's a new study out talking about how many sysadmins don't do a very good job patching security holes. The study and its conclusions seem a bit flawed, however. First, the "study" is based on one single flaw that one security consultant decided to follow. He did a Google search to pick servers that had that flaw (he apparently found out about the flaw right before it went public). Then he kept testing those servers over time to see who fixed the flaw. Since it's only one instance, it's not clear how conclusive this study is. The conclusions also seem a bit off-base as well. The guy says he thinks that the sysadmins who didn't patch the hole are clearly lazy. However, with the incredible number of security hole announcements that come out every single day, I think it's more of a "crying wolf" situation. There are only so many security holes that sysadmins are going to respond to, and after a while they don't see the threats as being that strong, compared to the actual effort of patching.

3 Comments | Leave a Comment..


If you liked this post, you may also be interested in...
 

Reader Comments (rss)

(Flattened / Threaded)

  1.  

    don't forget...

    identicon
    Dr_Stein, Nov 19th, 2002 @ 4:57pm

    A lot of sysadmins are forbidden from installing any software on machines unless management signs off on it, or the software has undergone some sort of QA/qualification process.

    Might not be lazy people.. *shrug*

    reply to this | link to this | view in thread ]

  2.  

    Re: don't forget...

    identicon
    ctrlz, Nov 19th, 2002 @ 11:32pm

    There are even more reasons:
    1. there are always a chance that patches will break something...
    2, many software products are supported only on certain patch levels. i.e. Service Pack 3 for Windows NT. If admin installs newer service pack -
    he is on his own.
    3. patches still cannot ( mostly ) be installed without downtimes. By installing patches admin has no chance to reach 99% uptime on unclustered servers. At the same time *ADMIN, YOU DO NOT UNDERSTAND, BUSINESS SIDE NEEDS IT*

    reply to this | link to this | view in thread ]

  3.  

    Re: don't forget...

    identicon
    MLO, Nov 20th, 2002 @ 5:22am

    Also lets not forget that a lot of companies require patches and fixes to be thoroughly tested in a test lab before being rolled out. What with the pared down staff of some organizations, and the increasing amount of patches being rolled out, I don't think its a question of laziness.

    reply to this | link to this | view in thread ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Save me a cookie
  • Note: A CRLF will be replaced by a break tag (<br>), all other allowable HTML will remain intact
  • Allowed HTML Tags: <b> <i> <a> <em> <br> <strong> <blockquote> <hr> <tt>


Playing To Win: How EA Makes Games >>
<< Web-Inspired Ads Coming To TV
 tdicon 

A word from our Sponsors...
Follow Techdirt
Flattr rss rss

Powered by Postrank

From the Techdirt Archive...
A word from our Sponsors...

Close

Email This