Comment from Andy on 2009-10-19
I know that this is a security blog, but don't forget that once in a while patches are to fix functionality bugs rather than security bugs. Sometimes those are even as urgent. While we need to develop...
Comment from Jay on 2009-10-19
@Stefan: This old saw? You can pull out the "stop using C/C++" thing when your JVM/interpreted-language-of-choice is itself not written in C. Oh, and neither are any of the libraries it uses (so no...
Comment from Anton on 2009-10-19
@mr wriggly Planes don't crash because the software they deploy is well designed. The technology to create good software is on the table, the will and financial incentive to use it is not.
Comment from Nick Clarke on 2009-10-19
@Stefan W: a typical editor doesn't keep the file open (as in, keep an operating system file handle) once it has read and displayed the contents. It only momentarily has the disk file 'open' when it...
Comment from Bob on 2009-10-19
@Anton: "Planes don't crash because the software they deploy is well designed. The technology to create good software is on the table, the will and financial incentive to use it is not." A friend of...
Comment from billswift on 2009-10-19
Bob, you're missing the economics of a mass market. People pay much, much more than a million dollars for word processors - probably billions. The problem is that it goes into "features" rather than...
Comment from pik on 2009-10-19
(sorry for my English) What is the problem? "in house" I am after XPsp2 no more server, I am client. Look for issues after full (auto) patched XPsp3 as restricted user. Please tell me your exploits to...
Comment from Clive Robinson on 2009-10-19
@ billswift, "People pay much, much more than a million dollars for word processors - probably billions." Then you need to add the cost of the "blue screen of death", "Your program has stopped...
Comment from pdf23ds on 2009-10-19
"You can reach assurance, when you build-in 5 "walls" and HOPE, bad guy have after 4 wall no more desire. THAT'S ALL." I believe that's the approach the Pentagon takes.
Comment from Lawrence D'Oliveiro on 2009-10-20
Linux distributions typically do not have “Patch Tuesdays”, they tend to release patches very quickly from when vulnerabilities are discovered. Yet it’s rare to hear of fixes introducing new bugs,...
Comment from John on 2009-10-20
Security has to be designed in, but more than that, there has to be a well designed Software Architecture. People joked about the Software Architecture Architecture at DEC but it worked.
Comment from Nostromo on 2009-10-20
Does any of this matter? If security is important to you, you shouldn't be using Microsoft Windows.
Comment from nzruss on 2009-10-20
A quick way to get your PC up to patch state after a fresh install is to use the Offline Update tool from http://www.h-online.com/. (It's free.) It runs a script that gets all the patches from release up...
Comment from Markus on 2009-10-20
It is impossible to "mathematically prove" the correctness or security of a program -- you can only prove that the program behaves according to a specification. In the case of a modern word processor,...
Comment from Anonym on 2009-10-20
Well, MS has done really well in this regard. I especially admire Windows Server Update Services (WSUS); it helps a lot.
Comment from Clive Robinson on 2009-10-20
@ Nostromo, "If security is important to you, you shouldn't be using Microsoft Windows." Although I would agree with you if security were the only concern, in a modern business it is not. Security is...
Comment from HJohn on 2009-10-20
@Clive Robinson at October 20, 2009 8:53 AM: "Although I would agree with you if security were the only concern, in a modern business it is not." ______________ I think you make a good point. MS...
Comment from Clive Robinson on 2009-10-20
@ Bruce, Without being seen to be or being nasty, security experts and gurus are a large part of the problem. For instance you say, "We need to design security into our systems right from the...
Comment from David on 2009-10-20
@savanik: Many businesses treat Windows versions like that, not adopting an OS until it's been out a long time and service packs applied. Businesses tend to be well behind the leading edge, and often...
Comment from David on 2009-10-20
@Stefan: There is no such language as C/C++, and I don't trust anybody who uses that particular phrase to know much about either. Modern C++, for example, can be easily written to avoid all of the...
Comment from moo on 2009-10-20
@David: Real applications are not written like that. I can only laugh at the claim that C++ has "a consistent method for managing all resources". Spoken like a true language wonk. :) RAII is some nice...
Comment from moo on 2009-10-20
Wow... edit and multi-post for the win! Maybe Moderator can blow away some of those. @David: @Stefan: @Everybody! Anyway, it's flamewar territory and irrelevant to the main post. Sorry Bruce, feel free...
Comment from Spider on 2009-10-20
@nzruss. Are you really suggesting people trust a man in the middle to update their systems? I think you may be on the wrong website ;) @Bruce. OK, Microsoft's patching sucks, their systems aren't...
Comment from Ellison on 2009-10-20
It's a good thing that Oracle doesn't need patches. You can't break it and you can't break in.
Comment from Ageless_Stranger on 2009-10-20
Check out Marcus Ranum's excellent article about patching: http://www.ranum.com/security/computer_security/editorials/master-tzu/index.html
Comment from Clive Robinson on 2009-10-20
@ HJohn, "best we can do is harden our environment to reduce the risk a vulnerability will be exploited and reduce the damage that can occur." It's not just hardening the environment. One issue I'm...
Comment from HJohn on 2009-10-20
@Clive: "It's not just hardening the environment. One issue I'm sure you have seen is people's unwarranted access after they have been promoted or moved to another department." _________ I would agree. I...
Comment from HJohn on 2009-10-20
HJohn: "bad news gets camouflaged" ___________ Reminds me of the old story: 1. Staff tests product or service, tells supervisor "it is a crock of crap." 2. Supervisor tells division head "it comes in a...
Comment from Hey Nony Mouse on 2009-10-20
Ellison : "It's a good thing that Oracle doesn't need patches. You can't break it and you can't break in." Didn't some "Larry" make a similar comment and then have to eat it? Ah, the joys of marketing...
Comment from HJohn on 2009-10-20
@Hey Nony Mouse: "Didn't some "Larry" make a similar comment and then have to eat it?" _________ I remember some spokesperson stating that their product "could be hacked." Honestly, it had pretty good...
Comment from Mark R on 2009-10-20
@Savanik: "Now, on the other hand, take the console industry - Playstations, N64, etc. Up until a few years ago, they never patched anything. They couldn't, without internet access. Every game that...
Comment from Tom on 2009-10-20
You want an operating system that was designed with security in mind? Then look at z/OS for the IBM mainframe. You will find that when an operating system is originally designed for business, and not...
Comment from moo on 2009-10-20
@Savanik: To build on Mark R's point.. modern console games are far more complicated than the earlier-generation games. They have a lot more code in them, and therefore a lot more bugs. We're talking...
Comment from el chubbo on 2009-10-20
Bruce is right when he says "There were jokes that a Microsoft patch was indistinguishable from a DoS attack." I used to tell this joke at swanky cocktail parties in Manhattan, and I got laid like a...
Comment from HJohn on 2009-10-20
@el chubbo: "I used to tell this joke at swanky cocktail parties in Manhattan, and I got laid like a bandit." ________ Probably works better than talking about 3 1/2 inch floppies.
Comment from David on 2009-10-20
@Tom: Thing is, modern Windows was designed for businesses. The line of development from 3.11 to 95 to 98 to Me was based on the idea of a single user, and the later versions of this line were...
Comment from Nick P on 2009-10-20
It's quite easy to reduce this steady stream of patches. The methodologies to do it already exist. All of them have a consistent focus on security and/or quality throughout the lifecycle. Problematic...
Comment from Josh on 2009-10-20
"We need to design security into our systems right from the beginning. We need assurance. We need security engineers involved in system design." Arguably MS is more thorough about this than any other...
Comment from anonymous moi? on 2009-10-20
@Josh I think the sarcasm tag was missing from the original "can't break" quote. What's David Litchfield's new book?
Comment from Clive Robinson on 2009-10-20
@ moo, "Exception handling is not really practical in languages without garbage collection. What most people do in real C/C++ applications (yes, that label you disdain) is write their code and manage...
Comment from DC on 2009-10-20
@Craig, It's even worse than you describe (long time systems programmer for windows, finally out of that game). How 'bout the registry, which just about everything needs to make changes to? It has the...
Comment from Eric H on 2009-10-20
The neat thing about going in for automatic patch updates is that you have decided to trade known problems for unknown problems and a possibly false sense of security. Given the regularity of patches,...
Comment from Nathan Tuggy on 2009-10-21
@DC: "How 'bout the registry, which just about everything needs to make changes to? It has the same problem set -- can't change the underlying file without a reboot." I'm not quite sure what you mean....
Comment from Richard on 2009-10-21
From an IT operations perspective, rebooting or not rebooting differs significantly. "Reboot" means service downtime, so it's much more sensitive for business users and system admins. Actually, many MS patches...
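The reboot question raised by Nick Clarke, DC, Nathan Tuggy and Richard above comes down to what happens to a file that a running process already has open. The following is an added example, not code from the thread or from any vendor, showing the POSIX behaviour that lets a Unix package manager swap a library on disk while it is in use: the staged copy is renamed over the live one, a descriptor opened before the swap keeps reading the old bytes, and a fresh open gets the new ones. It does not model the mandatory file locking on Windows that is the other half of the debate; the directory under /tmp and the file names are assumptions made for the demonstration.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>

/* Added example, not from the original thread.  Shows why a POSIX system
   can replace a file that a process is using without a reboot: rename(2)
   swaps the directory entry, the old inode stays alive for anyone who
   already has it open, and new opens resolve to the new inode.  The
   running process only picks up the patched code when it restarts, which
   is why "no reboot" on Unix still means "restart the affected services". */

static int write_whole(const char *path, const char *data) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n == (ssize_t)strlen(data) ? 0 : -1;
}

static int read_whole(int fd, char *buf, size_t cap) {
    ssize_t n = pread(fd, buf, cap - 1, 0);
    if (n < 0) return -1;
    buf[n] = '\0';
    return 0;
}

/* Returns 1 if the expected behaviour holds (old descriptor still sees the
   old bytes, fresh open sees the new bytes), 0 if the platform differs,
   -1 on an I/O error.  Paths under /tmp are assumptions for the demo. */
int demo_replace_in_use(void) {
    char dir[] = "/tmp/patchdemo.XXXXXX";   /* assumed scratch location */
    char live[256], staged[256];
    char old_view[32], new_view[32];
    int result = -1, fd = -1, fd2 = -1;

    if (mkdtemp(dir) == NULL) return -1;
    snprintf(live, sizeof live, "%s/libfoo.so", dir);       /* "installed" file */
    snprintf(staged, sizeof staged, "%s/libfoo.so.new", dir); /* staged update */

    if (write_whole(live, "version 1") != 0) goto out;
    fd = open(live, O_RDONLY);                /* a running process holds the old file */
    if (fd < 0) goto out;
    if (write_whole(staged, "version 2") != 0) goto out;
    if (rename(staged, live) != 0) goto out;  /* atomic swap, as a package upgrade does */

    if (read_whole(fd, old_view, sizeof old_view) != 0) goto out;   /* via the old fd */
    fd2 = open(live, O_RDONLY);                                     /* a new process */
    if (fd2 < 0) goto out;
    if (read_whole(fd2, new_view, sizeof new_view) != 0) goto out;

    result = (strcmp(old_view, "version 1") == 0 &&
              strcmp(new_view, "version 2") == 0);
out:
    if (fd >= 0) close(fd);
    if (fd2 >= 0) close(fd2);
    unlink(live);
    unlink(staged);
    rmdir(dir);
    return result;
}

int main(void) {
    int r = demo_replace_in_use();
    printf("%s\n", r == 1 ? "old descriptor sees version 1, new open sees version 2"
                          : "unexpected result");
    return r == 1 ? 0 : 1;
}
```

On Windows the equivalent rename over a loaded DLL or executable fails with a sharing violation, so the installer schedules the replacement for the next boot (the pending-rename mechanism), which is the operational difference Richard describes.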
Comment from anon on 2009-11-15
It would be curious to see the comparison with various Linux distributions. I've had Ubuntu patches break a computer just as I've had Windows patches. I've had it to "here" with the frequency and...
Comment from Peter Meldrum on 2009-11-15
I've got on average five machines running XP at any given time. Each and every one of them has been buggered at least once by a patch from MS. Invariably requiring a full Repair Install and attendant...
Comment from Mike Acker on 2009-11-16
When you connect with the internet you are connected to a world-wide network, and the world-wide network is connected to you. This is why authentication is important: we all need to be certain who we...
Comment from OPV on 2009-11-17
I'm no longer so worried about the MS updates. The lurking danger is stuff like Adobe's Flash Player and Adobe Acrobat Reader. These are full of very serious security problems, infrequently patched...
Comment from gary on 2009-12-01
That last paragraph about Security Engineers is important. The current thinking about Security Engineering (SE) is that an SE checks things after design. The SE needs to be involved in the design and...
Comment from Otto Hottentot on 2011-12-19
@all: For everybody reading this, Markus here is the only one that knows what he is talking about, and Bruce Schneier talking is just silly: - security doesn't bring money like features. The security...