Home page logo

bugtraq logo Bugtraq mailing list archives

RE: Windows Update: A single point of failure for the world's economy?
From: "Schmehl, Paul L" <pauls () utdallas edu>
Date: Thu, 4 Sep 2003 09:49:22 -0500

-----Original Message-----
From: Aaron Cheek [mailto:aaron_cheek () yahoo com] 
Sent: Wednesday, September 03, 2003 5:03 PM
To: Schmehl, Paul L
Cc: stefano.zanero () ieee org; BUGTRAQ () securityfocus com
Subject: Re: Windows Update: A single point of failure for 
the world's economy?

More of a risk than up2date for RedHat or emerge -u
system for Gentoo?  Or cvsup for *BSD?

Certainly!!! For Red Hat (and all the major distros), 
you have a zillion mirrors all over the world, and, 
additionally, you can in extremely straightforward way (e.g. 
wget -r) bulk download all the patches from any of those 
mirrors and apply them in a glitch (rpm -F).

And of course you can do exactly the same thing for Microsoft patches
(the downloading that is.)  You just have to know where to go.  But that
is usually the realm of sysadmins.  Individual users (obviously) don't
seem to have a clue how to patch their machines or even that their
machines are infected and spewing like crazy.  Which is worse?
Automated updates that keep them patched or infected bots DDoSing the

Even if DoS attacks against the official names, IPs or
whatever take place, you always have your "local"
mirror to download patches from, which will be named
as mymirrorsite.mymirrordomain.mycountry. And if the
guys from RedHat (et al.) are wise enough, they can
set up out of band channels to distribute the patches
to the mirrors in the event of a major DoS attack.

And you can do exactly the same thing for Microsoft patches.  In fact we
do exactly that here.  All Microsoft patches are stored locally and
distributed locally after thorough testing.

No single point of failure, as you can see.

I wouldn't exactly call Akamai a single point of failure, would you?  I
suspect Microsoft's distribution is broader and deeper than any *nix
mirroring system.  (For those unfamiliar with Akamai,
http://www.akamai.com/, they distribute load for large volume sites over
a massive number of servers distributed all over the world.)  Perhaps
this proposed system isn't *your* cup of tea, but then you don't have to
participate.  As far as its impact on the Internet goes, I suspect we
would all be a great deal better off if updates were automated for those
who don't know how to do anything else.  For the clueful, you simply
disable them.
Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]