Robert Scoble at Bat Again

Mr. Scoble was again brave enough to step up for MS in light of the recent Windows exploit with a link to Christoph Schittko's comments, which echoed the frustration of Sam Gentile. The numerous comments found at these links (and many others) speak volumes about the atmosphere in which MS now finds its Trustworthy Computing Effort, so I'm not going to try and add anything to that debate (other than to say that I'm a relatively fat and happy MS technology consultant who's mostly pleased with the new level of MS security and developer awareness, even if some crap still slips through).

However, I did post a comment in response to a link found in Mr. Scoble's text to an article by Mary Jo Foley regarding an interim security roll-up patch, and I want to repeat the comment here, as it will soon be lost in the myriad comments he's attracting (and, I might note, apparently also reading and responding to, thank you very much). Here was my comment:

"Regarding the Foley article, any idea why security patches aren't already cumulative (i.e., rolled up)? It just seems like I should be able to browse to the MS support site and retrieve a single file containing all of the heretofore released security patches for my OS without worrying about the order I've retrieved them or whether I've missed one. Why aren't they packaged just so:

OS release
patch 1 (fixes A)
patch 2 (fixes B, includes A)
patch 3 (fixes C, includes A, B)
SP1 (fixes/enhances, includes patch 3)

Are the majority of Windows users really picking and choosing their security updates? And, if so, why would MS encourage it? Allowing someone to get it wrong results in MS being blamed anyway.

Is anyone at MS considering the cost of preparing and shipping to all registered Windows/Office users by snail mail a CD containing a program that will intelligently secure their OS (e.g., close ports, turn off DCOM, apply cumulative patches, etc.), free of charge? I suppose this would seem costly on the surface, but I wonder what the relative cost/value would be? Perhaps it would set a bad precedent for MS that would be hard to live with ongoing?"

In re-reading this, I stand by the point about security patch roll-ups. There should always be a cumulative patch available.

On the second point, the prospect of MS sending an unsolicited prescription to everyone's home seems, on the surface anyway (and maybe a little deeper, what do I know), a little absurd. But why not? There's nothing about what I do when I disinfect and/or patch my clients' systems that a reasonably well written piece of code couldn't do. In fact, I've written a number of scripts to do just that (e.g., disable DCOM and unnecessary services, close ports, apply security patches, etc.). In terms of cost, I suppose it would help to factor in the marketing value, both prospective (new sales of products) and preventative (allay fears, show you care, etc.). If AOL can send CDs to everyone on the planet (and put them in magazines, airplane seat backs, etc.), why can't MS? There could be different CDs targeting different domains: home users, small business users, enterprise customers, etc. However, MS should consider sending people, not CDs, to the enterprise folks. I work for them and they are the least happy of all the campers, probably owing to the $ they've shelled out.
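To make concrete the kind of "reasonably well written piece of code" the paragraph above has in mind, here is an added example, not the author's own script and not anything Microsoft shipped: a PowerShell hardening pass that audits and optionally remediates the four items the post names (DCOM, unnecessary services, open ports, missing patches). The service names, the port list and the required-hotfix list are illustrative assumptions passed in as parameters; the firewall cmdlets assume Windows 8 / Server 2012 or later and an elevated PowerShell 5.1+ session. In 2003 this would have been batch or VBScript; the technique is the same.

```powershell
<#
  Added example (not the post author's script): a hardening pass of the
  kind the post describes -- disable DCOM, disable unneeded services,
  block inbound ports, and report missing hotfixes. Runs as an audit by
  default; -Apply makes the changes. Requires an elevated PowerShell 5.1+
  session on Windows 8 / Server 2012 or later (NetSecurity module).
  The service names, port list and KB list are illustrative assumptions.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Apply,
    # Services commonly not needed on a standalone workstation (assumption).
    [string[]]$ServicesToDisable = @('RemoteRegistry', 'SSDPSRV', 'upnphost'),
    # RPC endpoint mapper, NetBIOS session and SMB (assumption about your network).
    [int[]]$PortsToBlock = @(135, 139, 445),
    # Hotfix IDs the caller expects to be present (placeholder; supply your own).
    [string[]]$RequiredHotfixes = @()
)

$findings = @()

# 1. DCOM: HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM = "N" disables DCOM machine-wide.
$oleKey = 'HKLM:\SOFTWARE\Microsoft\Ole'
$dcom = (Get-ItemProperty -Path $oleKey -Name EnableDCOM -ErrorAction SilentlyContinue).EnableDCOM
if ($dcom -ne 'N') {
    $findings += "DCOM is enabled (EnableDCOM='$dcom')"
    if ($Apply -and $PSCmdlet.ShouldProcess($oleKey, 'Set EnableDCOM=N')) {
        Set-ItemProperty -Path $oleKey -Name EnableDCOM -Value 'N'
    }
}

# 2. Services: stop and disable anything on the list that is running or set to start.
foreach ($name in $ServicesToDisable) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) { continue }   # not installed on this box
    if ($svc.Status -eq 'Running' -or $svc.StartType -ne 'Disabled') {
        $findings += "Service $name is $($svc.Status), start type $($svc.StartType)"
        if ($Apply -and $PSCmdlet.ShouldProcess($name, 'Stop and disable service')) {
            Stop-Service -Name $name -Force -ErrorAction SilentlyContinue
            Set-Service -Name $name -StartupType Disabled
        }
    }
}

# 3. Ports: add an inbound block rule for each listed port if none exists yet.
foreach ($port in $PortsToBlock) {
    $ruleName = "Harden-Block-TCP-$port"
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        $findings += "No inbound block rule for TCP/$port"
        if ($Apply -and $PSCmdlet.ShouldProcess($ruleName, 'Create inbound block rule')) {
            New-NetFirewallRule -DisplayName $ruleName -Direction Inbound `
                -Protocol TCP -LocalPort $port -Action Block -Profile Any | Out-Null
        }
    }
}

# 4. Patches: report any required hotfix that Get-HotFix cannot find.
#    Installing them is left to Windows Update; this step only audits.
$installed = (Get-HotFix).HotFixID
foreach ($kb in $RequiredHotfixes) {
    if ($installed -notcontains $kb) { $findings += "Missing hotfix $kb" }
}

if ($findings.Count -eq 0) {
    Write-Output 'No findings.'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
    if (-not $Apply) { Write-Output 'Run again with -Apply to remediate.' }
}
```

Run it once without `-Apply` to see what it would change, then with `-Apply -WhatIf` to dry-run the remediation, and only then with `-Apply`. Two caveats a practitioner would want: disabling DCOM machine-wide breaks software that legitimately uses it (management agents, some installers), which is exactly why a one-size-fits-all CD for enterprise customers is a harder sell than for home users; and blocking 135/139/445 on a domain-joined machine will cut it off from Active Directory and file sharing, so the port list must be tailored per "domain" of user just as the post suggests.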

Anyhow, that's my $.02, and I'm sticking to it.