Slashdot Mirror
The Costs of Patching
prestidigital writes "vnunet has a brief but interesting article in which Craig Fiebig, general manager of Microsoft's security business unit, is quoted as saying "In dollar terms, patching is the most expensive security measures and keeping your antivirus descriptions up to date is the least." That seems like an important statement coming from a company who's patches are possibly responsible for 45% of traffic on some networks."
... to realise that it costs more to do things 2, 3, or 4 times then if they had done it right the first time...
And that is costs more to have a new programmer look at and try to modify code that wasn't written by himself/herself...
Amazing reality breakthrough!
We were all warned a long time ago that MS products sucked, remember the Magic 8 Ball said, "Outlook not so good"
This statement is also known as "an ounce of prevention is worth a pound of cure."
evil adrian
Rather than throwing away an otherwise perfectly good pair of pants, patches have allowed me to fix them and extend their life. In some cases, patches can even be fashionable. Sewing is a great skill that all geeks should learn.
The difficult question is whether the costs of patching outweigh the costs of NOT patching. There's a lot to be said for "if it ain't broke, don't fix it" sometimes.
However, with security patches usually you have no choice. The only decision for some security patches is how long do you wait before deploying it. Don't wanna be the first ones to put a bad patch on now, do we?
My motto is: Never give up - unless it's harder than you want it to be.
This document was part of an interesting debate over the last year and a half between MS and Novell over whose product was more buggy (measured in terms of number of patches.)
(Google cache version in html.)
Why do I h8 apple?
IMHO getting hacked is much more expensive.
responsible for 45% of traffic
But spam is responsible for, what was it Taco, 60% of traffic on networks?
I'm at 105% utilization already!
BTW, it's just as costly, if not more, to have to rebuild your linux kernel, SSL, apache webserver, or samba installation when a bug is found there.
Quit pretending that MS has some sort of monopoly on software bugs. "Bad code" is a patentless technique used ubiquitously.
I don't need no instructions to know how to rock!!!!
The software industry has known for years that the later you find a bug the more expensive and messy it is to resolve
Do not try to read the dupe, thats impossible. Instead, only try to realize the truth
What truth?
There is no dupe
People who say 'they should have patched' do not understand the stress that installing a patch however critical on a few hundred servers, then in many cases rebooting them, can put in a commercial environment.
Pff.. you lamers with your fancy-pants Windows or your free Linux or *BSDs are all clueless. I haven't patched my Apple ][+'s DOS3.3 for 20 years and it still has yet to be 0wned.
Trolling is a art,
If MS wouldn't include so much "junk data" to keep their proprietary data secret in patches, they wouldn't be so large. And, if there was a way to do a patch "rollback", then faulty patches wouldn't bring down a system until a new fix-patch was released. (One of the recent MS patches was found to cause some machines to stop booting)
-----------
From Ape to Man: Evolution
Try to enter today's date in Appleworks.
I've applied my fair share of patches from MS, but lately I've become really nervous about doing so. I'm always thinking "what kind of DRM will they include in this one?". It's gotten to the point where I will NOT apply patches for anything but server products, and only reluctantly so. Call me paranoid if you wish, but I can't really shake that feeling. Hey MS, great way to promote security - making users reluctant to apply patches...
Black holes are where God divided by zero
..because one of the many new feature of server 2003 is the ability to update patches auotmatically.
So they will use this 'cost savings' to push the new product. At the launch event, they bagged on there older products pretty damn hard.
It's part of there latest slogan
"do more with less".
personally, I dln't know who this less guy is, or why I would want to do more with him. Ironically I prefer less to more.
The Kruger Dunning explains most post on
And maybe I should spend more time proofreading my own posts so that I don't mangle words so much!
There's a growing sense that even if The Future comes,
most of us won't be able to afford it.
-- Lemmy
RedHat's up2date works pretty well so long as you stick to their RPM releases of the software you want to keep updated.
It works well for me, and all I need to stay on top of are things I build be hand (typically Webserver and its ilk plus kernel), but all my libraries stay nice and fresh.
SPAM
apt-get update
apt-get upgrade
I don't run Debian's precompiled kernels though so I don't know what the patch/release policy on them is, but for all userland things it's better than WU.
Yeah and? Today is Thursday, May 1 10003.
Trolling is a art,
As the only sys admin in a company of 50 desktops and 4 Win2k Servers I can fully support the notion that patching is expensive...but not for the company...for ME!
Guess who gets to come in the office between 8 and 10pm to apply these patches to live servers...who has to wait if someone decides to work late. Who has to cross his fingers with every patch hoping that nothing else breaks...ME! And the only thing I get out of it is to be able to leave an hour or two early that friday...woot.
Sure some things I can and do install from remote, but almost every patch requires a reboot and you just never know when a Win2k system isn't going to boot properly and require you to drive in at 1am wearing your bath robe.
Apple free since 1990!
Microsoft has a free product out called SUS (see subject) the SUS works in conjunction with the BSA (no, Baseline Security Analyzer) to determin patch levels of 2000/XP clients and servers it then downloads all neccessary patches in a SIS (single instance storage) at the server. In this way every patch on your network is downloaded only once. If you only have four PCs this cuts update traffic by 75%. This is nearly as effective as ISA server but it is FREE. It is not as effective as coding it write the first time LOL but it is a start.
apt-get upgrade
That's what I do, and I'm not sure what all the fuss is about. Things get fixed, usually before I ever knew they were broken, deamons get restarted, nothing gets interrupted, life goes on ... If I took the trouble to make it a cron job, I'd never even know.
Is Mr Fiebig telling us that things don't go so smoothly if you use MS products? Or that MS can't keep up with a bunch of amatures? Do MS patches break non-MS apps? Could all this be why so many worms and viruses manage to spread across unpatched MS products? Could it be that MS patches are as bad as the bugs they fix? SAY IT AIN'T SO, CRAIG!
See what I've been reading.
I dont think a apt-get update && apt-get upgrade in cron is that hard work.
Yikes. I don't think 'apt-get update && apt-get upgrade' in your crontab is very smart. The probability of breaking something is too high. In fact, that's the message I'm reading between the lines: virus upgrades won't break anything, so they're no problem to automate, but OS/IIS/IE patches pose a much higher probability of risking extended downtime. I don't think the situation is all that different with the Red Hat Network-- look before you leap.
So long, and thanks for all the Phish
(Some patches break some applications) + (Applications being down means lost productivity, sales, possibly data, depending on the app) + (MS apps won't let you roll back the patch, so you can't recover) = Many companies feel the need to test the patches first.
My computer at work doesn't get patched all that often (luckally it's behind multiple firewalls), because Unigraphics is very touchy (according to our support people).
I'm not shy, I'm stalking my prey
Bell labs(now lucent) and various hackers have made string functions that do the same thing but are buffer safe. They are made to create more secure apps.
My question is if gcc or visualc for that matter switched to more buffer safe libraries would it make a difference? Trusted Debian is compiled with buffer safe string functions.
It may be time gnuc did this by default assuming all the apps could be recompiled without a problem.
This would seem to get rid of %90 of holes in user as well as kernel space.
http://saveie6.com/
Man, I can attest to this... patches... especially ones that screw up systems not only cost time/money/bandwidth but they cost HAIR.. yes thats right... admins lose their hair b/c of the stress this makes them go through..... ::looks in the mirror::
arrhhggghh..
Well... before the knee-jerk MS-bashing starts, let's think about it.
If you patch, you have to recompile the component, and possibly re-boot the machine or re-start the application. This is true for Linux too (unless there's a way to fast-swap kernels that I haven't heard about).
If you update, you don't need to re-start anything.
If you patch, you could have to patch just about anything on the system.
If you update, you are working through one application.
Of course, there's nothing to stop an OSS developer from writing something that just sniffs incoming data for known exploits, like a virus scanner does.
Ahhh... but that would slow the system down.
So I think you have to add "better performance" to the pro-patch argument.
But then, there is probably less effort to updating, especially if it's automated. Is there any OSS system with automated patching that people are willing to trust?
Either way, I think it's an interesting discussion. In practice, I patch.
For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
-- Argel