> -----Original Message-----
> From: Aaron Cheek [mailto:aaron_cheek@yahoo.com]
> Sent: Wednesday, September 03, 2003 5:03 PM
> To: Schmehl, Paul L
> Cc: stefano.zanero@ieee.org; BUGTRAQ@securityfocus.com
> Subject: Re: Windows Update: A single point of failure for
> the world's economy?
>
>
> > More of a risk than up2date for RedHat or emerge -u
> > system for Gentoo? Or cvsup for *BSD?
>
> Certainly!!! For Red Hat (and all the major distros),
> you have a zillion mirrors all over the world, and,
> additionally, you can in an extremely straightforward way (e.g.
> wget -r) bulk download all the patches from any of those
> mirrors and apply them in a glitch (rpm -F).

And of course you can do exactly the same thing for Microsoft patches (the downloading, that is). You just have to know where to go. But that is usually the realm of sysadmins. Individual users (obviously) don't seem to have a clue how to patch their machines or even that their machines are infected and spewing like crazy. Which is worse? Automated updates that keep them patched, or infected bots DDoSing the world?

> Even if DoS attacks against the official names, IPs or
> whatever take place, you always have your "local"
> mirror to download patches from, which will be named
> as mymirrorsite.mymirrordomain.mycountry. And if the
> guys from RedHat (et al.) are wise enough, they can
> set up out of band channels to distribute the patches
> to the mirrors in the event of a major DoS attack.

And you can do exactly the same thing for Microsoft patches. In fact, we do exactly that here. All Microsoft patches are stored locally and distributed locally after thorough testing.

> No single point of failure, as you can see.

I wouldn't exactly call Akamai a single point of failure, would you? I suspect Microsoft's distribution is broader and deeper than any *nix mirroring system.

(For those unfamiliar with Akamai, http://www.akamai.com/, they distribute load for large-volume sites over a massive number of servers distributed all over the world.)

Perhaps this proposed system isn't *your* cup of tea, but then you don't have to participate. As far as its impact on the Internet goes, I suspect we would all be a great deal better off if updates were automated for those who don't know how to do anything else. For the clueful, you simply disable them.

Paul Schmehl (pauls@utdallas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/