You missed the point

You missed the point

Posted Feb 14, 2008 4:19 UTC (Thu) by JoeBuck (subscriber, #2330)
In reply to: Notifying users of updates by midg3t
Parent article: Eee PC security or lack thereof

If a vendor sells someone a Linux machine, with a distro on that machine that is several months old, it might take a half hour to download all of the updates. During all that time, the machine is on the net. If that machine is only going to be operated on a home or corporate network behind a firewall, that interval might be safe enough to deal with. But if the user is more directly on a public network, he/she might be rooted before the updates complete. Once a single vendor has sold close to a million machines, that's a target that the black hats might consider going after aggressively. And if it comes up with Samba enabled by default, complete with remote root exploit, and this is known ...

So it isn't good enough to have a "notify that there are updates" mechanism.

A vendor might mitigate that risk by coming up initially in a "safe mode", where the very first thing the user does is grab the updates, with as tight as possible a firewall installed. If the purchaser of a new box pretty much has to install the security updates before having a fully functional machine, that should mitigate security disasters.

If vendors won't do the responsible thing, then we have to make sure that users understand that security updates are not optional. And if a vendor doesn't provide adequate security coverage, then we need to shame them into it.

---

(Log in to post comments)

I like your suggestion of requiring security updates upon first boot.

Of course there would have to be a small button that says "No thanks, I know what I'm doing"
for when the update server is unreachable.