>> Forcing Incompatible Updates
>> ----------------------------
>>
>> We move finally to our greatest concern: forced updates. We are
>> naturally sympathetic to the idea that almost all users should have
>> installed antivirus software and have updated to current virus
>> defintions. However system updates and patches raise the possibility
>> of serious incompatibilities. Updates, service packs, and patches
>> sometimes produce incompatibilities that programmers need time to
>> resolve. For example, each of the Windows XP service packs were
>> incompatible with some applications. Requiring a system update in
>> order to be validated for network access raises the possibility
>> that a
>> user may have to go for a time without access to a vital software
>> application on their machine. Such problems could lead to a slowdown
>> in vital research practices.
>>
> Tough. Anyone is free to remove their computers from my network.
> You want to
> play on my network, you must follow my rules. In the current world
> of day-one
> and day-zero attacks, it is no longer wise to delay implementation
> of security
> patches. Perhaps a more-secure operating system should be
> considered. If the
> software run on the computers in question is that sensitive, the
> systems need to
> be taken off the network while testing of patches is completed.
> Complacent
> software vendors need to be made aware of your concerns; this isn't
> an issue
> with Microsoft or Cisco, but with the 'vital software application'
> vendor. If
> the unprotected system is taken out with a rootkit, the process of
> formatting
> the drive and reinstalling all the software would also lead to a
> slowdown in
> vital research practices. Their choice. The third time around the
> nuke-from-orbit routine, we've managed to convince both our HVAC
> and telephone
> vendors they need to pay more attention to security on the systems
> they plant on
> our campus.
Another way to approach this is to play to the user's vanity.
"Well, I see your point, but I'm not personally aware of any computer
broken by XP SP 2 which did not have a pre-existing spyware or virus
problem. We pushed that out to every one of our campus-owned
computers, and while it revealed some existing problems, it did not
cause a single one. A user who's careful about what they install
shouldn't have any problems. Are there specific packages you're
concerned about?"
I'd really hit them with this one. Don't tell me that "everybody
knows"; be specific about what is broken and why it's my problem.
We've found some tradeoffs - "we'll buy you a DVD burner if we can
reposess the network card out of that Win NT machine," for some
science labs; "you can have port 80 but nothing else including
internal server access" for students who refuse to install the CCA
Agent (or who cannot) on their PCs. (We're not too crazy about this
last; it may or may not remain policy next year.)
Similarly:
"Oh, I know that you're oh so good and ever so smart. The sun does
not rise nor the moon light the night sky but that you practice safe
computing and meticulous maintenance.
But remember how the network went down in September '03? How about
October '03? December '03? April '04? September '04? Didn't those
events hold back your access, even though you were doing everything
right?
See, the thing is, we've tried to reach those last couple of users.
But they just don't get it, or don't listen, or the week the virus
hits is the one where they're just too busy. We've made a lot of
progress, but we're always going to miss just enough people to cause
this kind of problem. The only way to keep your research going is to
make sure that there's a consistent policy for everyone."
OK, you might want to tone down that first part. But the majority of
our users seem to love it when we tell them how they're good, and
someone else is bad, and that the policy is really about protecting
them from the bad users.
If we only had honest people, you could leave the keys in your car
ignition, and just borrow whatever car best suited your needs. But
somebody won't play right, so nobody is allowed to...
Joseph M. Murphy
Librarian and Technology Consultant
Library and Information Services
Kenyon College
[log in to unmask]
740/427-5120
|