CLEANACCESS Archives

November 2005

CLEANACCESS@LISTSERV.MIAMIOH.EDU

Subject:
From: Joseph Murphy <[log in to unmask]>
Reply To: Perfigo SecureSmart and CleanMachines Discussion List <[log in to unmask]>
Date: Wed, 16 Nov 2005 10:46:03 -0500
>> Forcing Incompatible Updates
>> ----------------------------
>>
>> We move finally to our greatest concern: forced updates. We are
>> naturally sympathetic to the idea that almost all users should have
>> installed antivirus software and have updated to current virus
>> definitions.  However, system updates and patches raise the possibility
>> of serious incompatibilities.  Updates, service packs, and patches
>> sometimes produce incompatibilities that programmers need time to
>> resolve.  For example, each of the Windows XP service packs was
>> incompatible with some applications.  Requiring a system update in
>> order to be validated for network access raises the possibility that a
>> user may have to go for a time without access to a vital software
>> application on their machine. Such problems could lead to a slowdown
>> in vital research practices.
>>
> Tough. Anyone is free to remove their computers from my network. You want to
> play on my network, you must follow my rules. In the current world of day-one
> and day-zero attacks, it is no longer wise to delay implementation of security
> patches. Perhaps a more-secure operating system should be considered. If the
> software run on the computers in question is that sensitive, the systems need to
> be taken off the network while testing of patches is completed. Complacent
> software vendors need to be made aware of your concerns; this isn't an issue
> with Microsoft or Cisco, but with the 'vital software application' vendor. If
> the unprotected system is taken out with a rootkit, the process of formatting
> the drive and reinstalling all the software would also lead to a slowdown in
> vital research practices. Their choice. The third time around the
> nuke-from-orbit routine, we've managed to convince both our HVAC and telephone
> vendors they need to pay more attention to security on the systems they plant on
> our campus.

Another way to approach this is to play to the user's vanity.

"Well, I see your point, but I'm not personally aware of any computer  
broken by XP SP 2 which did not have a pre-existing spyware or virus  
problem. We pushed that out to every one of our campus-owned  
computers, and while it revealed some existing problems, it did not  
cause a single one. A user who's careful about what they install  
shouldn't have any problems. Are there specific packages you're  
concerned about?"

I'd really hit them with this one. Don't tell me that "everybody  
knows"; be specific about what is broken and why it's my problem.

We've found some tradeoffs - "we'll buy you a DVD burner if we can
repossess the network card out of that Win NT machine," for some
science labs; "you can have port 80 but nothing else including
internal server access" for students who refuse to install the CCA
Agent (or who cannot) on their PCs. (We're not too crazy about this
last; it may or may not remain policy next year.)

Similarly:

"Oh, I know that you're oh so good and ever so smart. The sun does  
not rise nor the moon light the night sky but that you practice safe  
computing and meticulous maintenance.

But remember how the network went down in September '03? How about  
October '03? December '03? April '04? September '04? Didn't those  
events hold back your access, even though you were doing everything  
right?

See, the thing is, we've tried to reach those last couple of users.  
But they just don't get it, or don't listen, or the week the virus  
hits is the one where they're just too busy. We've made a lot of  
progress, but we're always going to miss just enough people to cause  
this kind of problem. The only way to keep your research going is to  
make sure that there's a consistent policy for everyone."

OK, you might want to tone down that first part. But the majority of  
our users seem to love it when we tell them how they're good, and  
someone else is bad, and that the policy is really about protecting  
them from the bad users.

If we only had honest people, you could leave the keys in your car  
ignition, and just borrow whatever car best suited your needs. But  
somebody won't play right, so nobody is allowed to...

Joseph M. Murphy
Librarian and Technology Consultant
Library and Information Services
Kenyon College
[log in to unmask]
740/427-5120
