Last week, a flawed McAfee Inc. (NYSE: MFE) anti-virus update overloaded enterprise IT staff as the updated signature file quarantined a crucial Windows system file and crippled unknown numbers of Windows XP computers -- causing the computers to shut down until they could be repaired and rebooted.
Combine this with the March 13 patch-tastic Tuesday, and some data center staff have spent most of April doing little more than dealing with software updates.
What’s the connection? Well, the Sony news reminded me of the pre-Internet "good old days" when IT staff actually owned the network.
Software came on one, two, or maybe 20 floppy diskettes and later on a CD, but IT decided when to install the software on both the network servers and on individual computers. Then, maybe a few times a year, a diskette with patches was shipped out. IT centrally ruled the enterprise and controlled the rollout of the updates.
However, with the advent of software delivery over the Internet, enterprise IT departments (as well as consumer users) have seen a substantial loss of control.
There are essentially two models of software delivery over the Internet: pull and push. With the pull approach, users have to specifically request that the latest updates be downloaded. With the push approach, the software is automatically updated with very little, or no, intervention on the part of users.
Both these approaches have serious flaws. First, they are based on the faith that the software developer will deliver accurate updates. Second, a lack of standards means that each software vendor takes its own approach.
Last week, McAfee showed its customers what happens when the software developer does not live up to that commitment. This vendor’s claim that it offers "security you can trust" was challenged to the core. In the words of David DeWalt, president and CEO of McAfee: "Even among the vast majority of customers who did not experience operating disruptions, the mere possibility created an unwelcome distraction and reason for concern."
DeWalt delivered this message publicly on the McAfee Website in both text and video format, an impressive use of new media, and McAfee has also offered to reimburse reasonable expenses incurred fixing this issue. However, it remains to be seen what impact this will have on customer loyalty.
"Unpatched vulnerabilities are the primary infection method of targeted and mass propagation threats," notes analyst Peter Firstbrook of Gartner Inc., so responsible IT teams have to invest the time to update software.
But the only way to get software updates is to put your trust in the companies that created the defective software in the first place. Because of this, the companies most likely to benefit are businesses like Shavlik Technologies and Kaseya Corp., which offer automated patch management solutions.
Instead of relying on users to pull down updates or software makers to push down updates, these tools allow enterprise IT to centrally manage the distribution of software patches. Perhaps most importantly, these tools support the deployment of patches in a test environment where they can undergo an approval process -- giving you the opportunity to not just rely on the vendor's word.
So long as software engineering is sloppy, there will be a need for patches. And so long as software testing is sloppy and there are no standards for the deployment of software patches, there will be a need for IT to continue to invest hours as the gatekeeper to keep the enterprise safe and sound.
— David Silversmith is VP Information Technology at FirstBook.org, an organization that provides new books to children in need.
I feel like you have run off onto an unrelated tangent with this topic; this problem would have happened no matter what kind of trust module or digital certification was present.
McAfee put out a bad update that caused problems.
McAfee wrote the original program, McAfee wrote the update, McAfee compiled the update, McAfee distributed the update.
No matter what you do in terms of trust, certificates, or other validation used, this bad update would have happened for the end user.
If you want to talk about Quality Control, then that is a whole other issue, but security really isn't the concern with the problem brought up by this article and this type of situation. This was a huge QC/QA screw up, not a security screw up.
While it was an early design goal of Windows Vista to use elevations with the secure desktop, Windows Integrity Mechanism, and UIPI to create an impermeable barrier—called a security boundary—between software running with standard user rights and administrative rights, two reasons prevented that goal from being achieved, and it was subsequently dropped: usability and application compatibility.
Remember the x86 since 80386 provides kernel(RING0) and user(RING3) mode* enabling the O/S to monitor what the user is doing -- and to refuse any untoward requests
All that's left is to install the needed authentication requirement and we can snuff the hackers like a clay pigeon
~~
*these act like two separate computers talking to each other... the user asks* for various things while kernel gets it done. Certain things require Special Permission obviously and this is when UAC will ask the operator for permission... but this is where the authentication is needed. The Devil hath power to assume a pleasing form... but he cannot fool a digital signature -- where the Trust Model is properly used.
* has to: the user computer is only a simulator; it cannot do I/O or allocate memory; it has to ask the kernel for these things. this is in the hardware and is the difference between the RING0 computer and a RING3 computer.
~~
when influential people in business and industry realize that the argument that security is too complex to attain or too restrictive to be acceptable is entirely specious they will then insist on corrective service. If this is not promptly forthcoming steve and some of his buddies from msft will find themselves on the plane to washington. the issue affects not only business and industry, but our national security as well.
and there is not that much left to do.
we do not need to put the A/V people out of business in this either: we need them all to get busy with our software inventory audit and control programs so we can verify our results.
If you mean the CUSTOMER is responsible for testing the updates/patches, I’d disagree somewhat with your assessment here: “It sounds to me the McAfee's latest patches is a result of some IT staff not doing what they were supposed to do which is test the patches before a live installation.”
To me, actually, the main burden of testing falls onto the vendor McAfee. Yes, the customer COULD do additional testing in their environments, but most technical people know how that goes in companies these days (testing usually doesn’t occur, happens rarely or is incomprehensive). The software vendor is offering a product for a fee; if that product doesn’t work, the brunt of the issue falls to the vendor and as proof of that, McAfee backpedaled here offering free support and subscriptions to customers. Though this was a small issue, less than 0.5% of customers were affected, it still highlights the state of software (especially Security Software) in the Internet age – LOUSY.
The REAL answer, as Bruce Schneier alludes to, is to make computers, OS's, networks and applications not only user friendly but also secure right out of the box; “If we want home users to be secure, we need to design computers and networks that are secure out of the box, without any work by the end users. There simply isn't any other way.”
Obviously this isn’t occurring with OSes or software. Will/Can technology ever be secure right out of the box?
Mike, I agree with your points on the validation. Those were the points that I agreed with rswinney.
It is also true that the open systems have redefined computing by the "user" markets which have confused the issue. That is where there should be no distinction in verifiable products and solutions. We have ended up "nuancing" technology. The standards should be consistent. The applications and commercial product solutions can vary by the end user and markets.
There are two types of computing users: individual and enterprise. For individuals, the push and pull methods are best because the typical individual just wants to use the computer for daily activities and does not desire understanding the underpinnings of software maintenance. When discussing businesses like Shavlik and Kaseya, it is actually the business of enterprise IT staff to test patches and upgrades via sandboxes.
It sounds to me the McAfee's latest patches is a result of some IT staff not doing what they were supposed to do which is test the patches before a live installation. (Just like some programming students not testing their programs before submission.)
DC: "the point I was trying to make was that even WITH that OEM approved signature, couldn't a bad (buggy) update still get through"
yes. an example of this is the malware that was distributed pre-loaded on OEM drives recently manufactured off-shore and imported with malware pre-installed...
and this gets into DH question: "When it is being sold, it seems there should be a way to confirm that the deliverable is meeting the standards it is selling."
She's right except she needs to go 1 step farther: we need to apply Quality Control on everything that is received and before it is incorporated into any larger assembly
the software on those defective disks should have provided also the signature of the programmer and the auditor who certified that product.
the need for responsibility is not unique to the computer industry: I bought a brand new car for my wife. with less than 3,000 miles she complained it would not start.
engine replacement
whoever supplied the rod cap bolts did not supply grade 8s. and so the rod cap bolts broke
quality ain't free.
it's just cheaper than fixing things later
the point is: in software components -- as in other things -- OEM must take pride in their work, sign it, and take responsibility for quality. but remember this: quality is not something you get: it's something you do. we must all learn to apply a QC check on the parts -- software -- we receive before we incorporate them.
but here I'm talking the finer points.
before we go there we need to plug up the big holes
to get started we need everyone to understand what a digital signature is, how it fits into a Trust Model and how to properly manage a Trust Model
I agree with you, Mike. It affirms David's point about leaving the trust up to the software patches. I like your idea of responsibility for the software product, which Verisign cannot provide. When it is being sold, it seems there should be a way to confirm that the deliverable is meeting the standards it is selling.
I like the pull approach where there are options for the customer to select from verifiable software companies and/or patches. Of course David actually points out the best solution, which was when IT "managed" the systems.
The ThinkerNet does not reflect the views of TechWeb. The ThinkerNet is an informal means of communication to members and visitors of the Internet Evolution site. Individual authors are chosen by Internet Evolution to blog. Neither Internet Evolution nor TechWeb assume responsibility for comments, claims, or opinions made by authors and ThinkerNet bloggers. They are no substitute for your own research and should not be relied upon for trading or any other purpose.