Security patches via modem? Forget it!

11.3MB at 56kbps - you work it out

Opinion: I recently had two eye-opening experiences that made me aware of something that, to my shame, I had forgotten. In the first case, I was helping a friend perform a clean install of Windows 2000 on a used computer that he had bought. We installed Windows 2000 just fine. We then installed all the other software that you have to install along with Windows: anti-virus software, firewall, anti-spyware software, the whole works. We then started to update all of that extra software, and that's where the troubles began.

You see, my friend still uses a dial-up modem to access the Internet.

I have DSL at home, and have had it for years, ever since they offered it here in St. Louis. Before that, I had ISDN. When I head over to Washington University to teach, I'm on a crazily fast Internet connection that can download entire Linux ISOs in minutes. When I visit friends' houses to work, they all have DSL or cable modems (and wireless routers too, but that just makes enjoying the DSL or cable all the easier). When I leave my house to write, I head to any of the coffee shops and cafes in my area that offer wireless DSL connections.

I live in a broadband world.

My friend's Internet connection, however, was sloooooooooooooooooooow. Painfully slow. Make you want to get up, pace around the room, and rant furiously slow. Oh, it was a 56kbps modem, and we were connecting in the upper 40s. But still ... slooooooooow.

Downloading anti-virus updates took forever. Downloading anti-spyware updates took forever. And then the real fun began: it was time to update Windows 2000 using Microsoft's Windows Update service.

Forget it. It was impossible. Utterly impossible. There was no way we could get past even the first update: Internet Explorer 6. Oh sure, the initial download was 500KB. But that was just a stub that then wanted us to download 11.3MB of yummy IE6 Service Pack 1 goodness. According to Microsoft's installation utility, the estimated download time for 11.3MB on a 28.8 modem was 1 hour and 36 minutes.

Before you laugh at that figure, do the arithmetic. At 28.8kbps the line carries about 3.5KB a second, so 11.3MB needs roughly 55 minutes even with the modem running flat out and nothing else on the line. Add PPP and TCP overhead, a retransmission or two and the odd stall, and 1 hour and 36 minutes is an honest, even cautious, estimate.

That is exactly the problem. The estimate isn't a joke: it is a phone line tied up for over an hour and a half to fetch one browser service pack, before a single operating system patch has come down. Even at the upper-40s connection we were actually getting, this one item alone is well over half an hour.

So I did what I'm sure a lot of you faced with the same situation would do, and undoubtedly have done: I sighed, packed up his computer, and took it home to my house where I could update it over a broadband connection. Counting just the security patches and other items marked Critical, here's what I had to download:

  • 500KB stub installer for IE6 SP1

  • 11.3MB of IE6 SP1 (followed by a reboot)

  • 589KB stub installer for Windows 2000 Service Pack 4

  • 36MB of Windows 2000 SP4 (reboot)

  • 18.9MB comprising 18 patches and updates (reboot)

  • 34.6MB comprising 7 more updates (reboot)

A rough total: 102MB. Scale Microsoft's own estimate and that is over 14 hours on a 28.8 modem; by the raw arithmetic it is nine hours or so, and even at the upper-40s connection we were actually getting it is five and a half hours of uninterrupted, error-free connection, with four reboots along the way, each of which drops the dial-up session and means dialling back in. Nobody with one phone line for the household is going to do that.
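Since the subhead says "you work it out", here is the working. This is an added check written for this page, not code from the column, from Microsoft's installer or from any vendor. It turns the sizes and link rates quoted above into transfer times; reading "MB" as 1024×1024 bytes, treating the "upper 40s" connection as 48kbps, and charging a flat 10 per cent of line capacity to PPP/TCP framing and retransmissions are assumptions, labelled in the code.

```python
"""Transfer-time check for the download figures quoted in the column.

Added example; it is not code from the article, Microsoft or any vendor.
Assumptions (not from the article): 'MB' means 1024*1024 bytes, as Windows
dialogs report it; protocol overhead is a flat 10 % of the line rate; modem
compression (V.42bis) gains nothing because patch payloads are already compressed.
"""
from __future__ import annotations

MIB = 1024 * 1024

# Payload sizes the column reports, in bytes.
PAYLOADS_BYTES: dict[str, int] = {
    "IE6 SP1": int(11.3 * MIB),
    "Windows 2000 SP4": 36 * MIB,
    "All critical Windows 2000 items": 102 * MIB,
    "Libranet post-install updates": 550 * MIB,
}

# Line rates in bits per second. "Upper 40s" in the column is modelled as 48 kbps (assumption).
LINE_RATES_BPS: dict[str, int] = {
    "28.8k modem": 28_800,
    "48k connect": 48_000,
    "56k nominal": 56_000,
}


def transfer_seconds(size_bytes: int, line_bps: int, overhead: float = 0.10) -> float:
    """Seconds to move size_bytes over a link running at line_bps.

    overhead is the fraction of line capacity lost to PPP/IP/TCP framing and
    retransmissions, so goodput is line_bps * (1 - overhead). The 10 % default
    is an assumed, typical dial-up figure, not a number from the article.
    """
    if size_bytes < 0 or line_bps <= 0 or not 0.0 <= overhead < 1.0:
        raise ValueError("size must be >= 0, rate > 0, overhead in [0, 1)")
    return size_bytes * 8 / (line_bps * (1.0 - overhead))


def hms(seconds: float) -> str:
    """Format a duration in seconds as e.g. '1h36m00s'."""
    total = int(round(seconds))
    hours, rest = divmod(total, 3600)
    minutes, secs = divmod(rest, 60)
    return f"{hours}h{minutes:02d}m{secs:02d}s"


def microsoft_estimate_is_plausible(claimed_minutes: float = 96.0) -> bool:
    """Sanity-check the installer's '1 hour 36 minutes' for 11.3 MB at 28.8 kbps.

    An estimate is credible if it is no shorter than the ideal wire time (nothing
    beats the line rate) and no more than twice it (a normal safety margin).
    """
    ideal = transfer_seconds(PAYLOADS_BYTES["IE6 SP1"], LINE_RATES_BPS["28.8k modem"], overhead=0.0)
    claimed = claimed_minutes * 60.0
    return ideal <= claimed <= 2.0 * ideal


def schedule() -> dict[str, dict[str, float]]:
    """Transfer time in seconds for every payload at every line rate."""
    return {
        name: {rate: transfer_seconds(size, bps) for rate, bps in LINE_RATES_BPS.items()}
        for name, size in PAYLOADS_BYTES.items()
    }


if __name__ == "__main__":
    print(f"Microsoft's 1h36m estimate plausible: {microsoft_estimate_is_plausible()}")
    for name, times in schedule().items():
        row = "  ".join(f"{rate}: {hms(t)}" for rate, t in times.items())
        print(f"{name:32s} {row}")
```

Run it and the IE6 SP1 row comes out at about 55 minutes raw, around an hour with overhead, at 28.8kbps; the 102MB Windows 2000 set is roughly nine hours at 28.8kbps and five and a half at 48kbps; the 550MB Libranet update is over a day even on the fast end of a dial-up connection.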

I brought my friend's computer back to him, along with stern admonishments to keep his system patched and up-to-date, just like all of us tell our friends and family members. Who wants to bet that he'll get real busy and download the next multi-megabyte update or patch or service pack? Anyone want to take that bet? Anyone?

Spreading the Blame

Now, before the Linux users start feeling too superior, let me tell you about the other experience I had. I take care of the computer for Hedy, an 80-year-old Holocaust survivor. She used to use Windows 98, but over time I got more and more nervous about the bazillion security holes on that OS. Finally, when her modem died and had to be replaced, I decided to migrate her over to Linux. She does four things on her computer - email, Web, word processing, and solitaire - so Linux would be perfect for her, and in fact it has been just fine. But I've been pulling my hair out trying to update her computer.

Guess what? She was on dial-up.

Guess what else? After an initial install of Libranet (my new favorite Linux distro, by the way), I had to download 550MB of updates.

Guess where her computer went so I could download those updates? Yup. Back to my house.

Now, before the Windows users start feeling too superior, remember that a Linux system typically comes with hundreds and hundreds of packages, so when you update a Linux box you're changing a potentially immense number of packages, all at the same time. Windows Update only updates Microsoft's stuff (and a few - very few - third party drivers). Only a fairly small fraction of those 550MB was security fixes. But still.

Fortunately, Hedy's story has a happy ending. SBC has been aggressively pushing DSL in St. Louis, and it's now available for only $28 per month. Since she was already paying $20 per month for dial-up, it was easy for me to convince her to pay an additional $8 per month for a much faster Internet connection - and fewer headaches and less worry for me (heck, I was prepared to pay the extra $8 per month out of my pocket!).

While I'm at it, I'm not going to let the Mac OS X users off easily either. One of the companies I work with uses Mac OS X Server, and we've had our share of updates to download as well. Nothing in the double-digit megabyte range ... yet. And we're obviously on a fast connection. But what about the home users of Mac OS X stuck on dial-up?

What about the home users of every operating system stuck on dial-up?

Let's face it - there is no way for dial-up users on any major operating system to keep their computers up-to-date and patched. OK, maybe "no way" is an exaggeration. How about "a difficult, burdensome, time-consuming, very prone to failure way"?

Remember, only about 30 per cent of Americans online are using broadband at home at this time. 30 per cent. Fortunately, broadband is projected to rise to 40 per cent of US households. Yay! By 2008. Oh. Clearly, we're going to be stuck with dial-up for some time to come ... which means that we're going to have millions of users who simply can't keep their computers up-to-date with the latest patches and fixes.

Some solutions ... maybe

I'm often critical of Microsoft when it comes to security, but I'm also willing to commend it when it does something positive. Recently, the company started making the Windows Security Update CD available, for free, to anyone who requests it. You now have no excuse - get this CD! Now! Get copies for your friends, your relatives, your clients, everyone. Here's the URL: http://www.microsoft.com/security/protect/cd/order.asp. Then, after ordering it, you probably should also check out Microsoft Knowledge Base Article 833242, which details how to use the CD, since you may encounter "issues" during the installation process.

There's a lot to like about this CD. It contains updates for Windows XP, Windows ME, Windows 2000, Windows 98, and Windows 98 SE (Windows 95 users, you're out of luck ... and out of excuses. Upgrade. To anything. Just upgrade.), which is a nice switch from Microsoft's usual methods of benign neglect for earlier versions of Windows in an attempt to force users to upgrade. The CD is available for a wide variety of countries, which should help spread it further. Microsoft is also including a second CD with a free trial of anti-virus software and a firewall, which is a good thing. Also, even if you use broadband, this CD will definitely come in handy the next time you do a clean install of Windows.

There's a lot not to like about this CD. The UK version apparently requires you to use Passport, Microsoft's problematic single sign-on system, in order to ask for the CD. And, of course, the biggest problem with the CD is that it is out of date the second it is pressed. In fact, the updates on the current CD only go up to October 2003. It's already 6 months out of date, which means that users need to use Windows Update to get the latest fixes, which means that dial-up users won't bother, which means ... and around and around it goes.

But on the whole, this is a good thing. Even so, it needs to be expanded. Paul Randle, Microsoft's product manager for Windows XP, has stated that the company "wasn't expecting huge demand for the CD." Well, duh. Instead of waiting for people to request these shiny little platters of safety, Microsoft should make these CDs available on a quarterly release schedule. In addition, they should be sent, in huge numbers, to CompUSA, Circuit City, Best Buy, Wal*Mart, campus bookstores, and Bob's Computer Shack - anywhere that people go to buy hardware and software. When folks check out, or even just leave the store without a purchase, one of those CDs should be given to them. If AOL can blanket the entire world with free CDs for their dial-up service, Microsoft can do the same with something a bit more useful like a Security Update CD.

When someone buys a new computer from Dell or IBM or whomever, one of these CDs should be included with the rest of the packaging. If their computer is sent in for repairs, the returned machine should be accompanied by the latest Microsoft Security Update CD. Security pros should carry copies of these CDs with them everywhere, and if someone even asks us to help them, we should force one of those CDs on them. At weddings, forget cameras and pins and pens - guests should be given Microsoft Security Update CDs as mementos. Along with our tax refund checks from the IRS, the government should include Microsoft Security Update CDs.

OK, I'm exaggerating. Just a little. But not by much. These CDs should be everywhere. They're not perfect, but they're better than nothing.

And while we're at it, other software vendors should do the same thing. Oracle and Sun already send out frequent CDs with updates, and bully for them. Apple, Red Hat, Mandrake, even Libranet: all should offer users the option of a free CD containing updates. I don't think we need to make those free CDs available quite as widely as Microsoft's should be - after all, those operating systems have neither the number of users nor the number of security issues that Windows does - but they should be mailed to anyone who wants them.

I know this is going to cost software vendors money. But it's an obligation, I think. The security failures of operating system software - no matter the platform - cost all of us a lot of time, money, and energy. Not to mention, we don't want to turn Mom and Pop against the Internet, as viruses, worms, and even spam frustrate people to the point of logging off of computing and the Net. The least these companies can do is try to make things easier, and safer, for everyone.

And now, if you don't mind, I'm off to enjoy a cup of coffee and my favorite news-oriented Web sites, both served with smoothness and speed. And I promise to remember that coffee may be cheap and available for everyone, but broadband is not - and won't be for quite some time.

Copyright © 2004

Scott Granneman is a senior consultant for Bryan Consulting Inc. in St. Louis. He specializes in Internet Services and developing Web applications for corporate, educational, and institutional clients.
