Fog Creek Software
Discussion Board




MS Blaster Part II

Earlier, Grumpy Old Guy Wrote:
>We are a big - and I mean big - company. 
>You've heard of us.  Am I wrong in thinking
>that a patch that's been available for a
>month should have been applied to all
>our servers by now? 

I used to work at a Fortune 200 company that you've heard of. 

My experience was that they were so big that everyone always had someone else to point a finger at. 

A few years back, when one of the big worms came through, MS had a security patch, and our local webmaster-guy called the hosting company (corporate Branch X, Service Guy A) to see if they would apply the patch.

They said "No, security lady Y hasn't said anything."

A quick call to security lady Y confirmed that she was PHYSICAL security (locks and passwords and stuff) not Operating System Security.  She wouldn't know where to start with applying patches.

So, we re-called service guy A.  He said something like "Well, I don't know about that.  Talk to my boss, service manager B."

Service Manager B said "I can't apply anything without higher authority.  You need to contact Service Director C."

He said pretty much the same and referred us to Service Executive D, who was at corporate HQ.

Service Executive D's reply was something to the effect of: "I'm a vice president.  If you need a patch applied for a security hotfix, why are you talking to me?"

And on it went.  From what we could tell, the ISP didn't apply ANY patches ... if the patches they applied hosed the system, they would be in trouble, but if some WORM hosed the system, they had something to blame.

So, basically, IMHO, one of the problems with a big company is that, all too often no individual takes responsibility for things, so, all too often, that thing just doesn't get done.

Comments?

Matt H.
Friday, August 15, 2003

Maybe it's the company culture to pass the buck...

Prakash S
Friday, August 15, 2003

Cringely hits on this in his pulpit this week. 
http://www.pbs.org/cringely/pulpit/pulpit20030814.html

His bigger question is:
If this was identified as an issue to MS in 1991, why did they wait 12 years to patch it?

MSHack
Friday, August 15, 2003

Umm, here's exactly what Cringely said:

"Microsoft is hardly blameless, either. A very good friend of mine (one of Microsoft's major customers at the time) recommended to Redmond precisely the e-mail safeguards that would have made this week's problem impossible. Since he was a big customer, they said they'd look into it, but did nothing. That was in 1991. Is 12 years too long to wait for vendor responsibility?"

E-mail safeguards would have made this week's problem impossible?  Huh???  What does email have to do with it? 

SomeBody
Friday, August 15, 2003

If the friend is as tech savvy as the Cringely team he probably sent some half-assed "my Apple crashed, so you better fix that Eudora" email to boss@microsoft.com, and has been telling "I told them what to do in 1991" stories every time any computer problem comes up in the news.

They do realise that 1991 is pre-Windows 3.1, right? AFAIK there was not even a standard MS TCP/IP stack included in Windows 3.0, and here we are talking about a Windows NT RPC problem. The first >beta< of NT 3.1 shipped in October 1992.

Just me (Sir to you)
Friday, August 15, 2003

The first TCP/IP stack from Microsoft appeared as an add-on to Windows for Workgroups 3.11, and only supported Ethernet. By today's standards, it was very light in the feature list. It wasn't until 18 months or so later that they shipped something that was usable to the general public (Windows 95, how we did love thee, and hate thee now). :)

Brad Wilson (dotnetguy.techieswithcats.com)
Friday, August 15, 2003
