Patch management critiques

Scott Berinato’s article in CIO Magazine about the dangers of patch management, “FrankenPatch,” discusses the issues around patch management, the problems that come about with trying to keep on top of patches, what happens when patches break things, etc.

It suggests that the right approach is to be watchful, and to patch selectively and late after others have worked out the kinks, and to not disclose vulnerabilities so as not to give hackers a roadmap to exploit the problem.

Eminently sensible.

Except for this one small problem: in a highly networked world, where worms can infect all the world’s vulnerable systems in less than ten minutes, it’s hard to make a case that selective patching and risk management make things better. In fact, I’d argue that it gives virus writers a broader target.

And not disclosing vulnerabilities? Smells like a liability lawsuit to me. Even if it didn’t, though, I think we as software makers have an ethical obligation to fix vulnerabilities and tell customers about what we fixed.

An interesting factual error too: Berinato mischaracterizes MSDE (the Microsoft SQL Desktop Engine) as embedded database connection software. It’s actually a database engine that a developer can embed in a desktop application.

That said, applying the patches that prevent Slammer was a truly painful process.

Harry Potter y tu mamá también

The preview trailer for Harry Potter and the Prisoner of Azkaban has been released. This is the first movie not to be directed by Chris “let’s face it, I direct children’s movies” Columbus, and the trailer shows hints of Alfonso Cuarón’s approach: the choir of children singing “something wicked this way comes,” Snape and Draco Malfoy not looking like pure villains, the generally darker cinematography, the dread hand of the Dementor… The question is, how much of it is due to the new director, and how much to the generally darker tone of the third book? Hard to tell from just a trailer, but I like the note of dark humor that I detect in the choir.