Apr 24 2007
I’ve been in and out of town quite a bit lately. I always power down all of the gear I leave behind when I’m gone.
After one trip on which my family joined me, I powered up two of my family’s PCs, one at a time and with the same results. They both run XP with automatic updates configured for the OS, anti-virus, anti-malware and half a dozen applications. Apparently the bad guys had been busy while we were gone because everything updatable decided to update for security reasons - all at once. After an hour and a half of manually fighting all the contention, I finally turned over the helms to family members curious to know what my security juju broke this time.
After another trip I powered up my Mac. With just one OS X security update it fared better. Nevertheless it got into a CPU fight with another application which I didn’t realize was still backgrounded when I launched the update. I’m not sure which won - the OS update, which finally slithered to completion twenty minutes later, or the application, which was eventually force killed by the security update. Depends on your definition of win I suppose.
The Mac story doesn’t end here though. Four minutes into the boot it still hadn’t finished. Luckily I’d long since learned to boot my Mac with a verbose console. A third-party driver was continually looping due to what it said was a broken library dependency. Luckily it was smart enough to know that broken library dependencies don’t fix themselves during boot, so it decided to initiate its own reboot - which succeeded. Guess I was wrong about that.
Sorry, not done yet. Now enter my Blackberry. During the Mac episode I reached for it to google for details about the driver problem. I powered it on, saw the boot splash screen…and waited…and waited…and waited. The whole time it appeared hung save for the animated arrows indicating network traffic flow. After ten or fifteen minutes it displayed its white screen of death — maybe the blue one is copyrighted — and a “JUM Error 523.” A reset took twice as long to boot as usual. Truthfully, I’ve no idea if it was applying a security update. I don’t even know if anything on it can self-update. I hope not because I haven’t configured anything to. But it’s a nice addition to this story.
The good news is, people who write software are thinking about security. The bad news is, people who write software are thinking about security. They, and the people who pay them, should be thinking about how to build things that meet comprehensive sets of requirements: functional, performant, reliable, maintainable for starters. If you have those you already have security.
My solution to the automatic update problem is hardly rocket science: an integrated automatic update platform built on priority- and rule-driven queues with some process quarantining sprinkled on top. Come to think of it, operating systems already have stuff like that built in.
Posted by Larry J. Hughes, Jr. on Tuesday, April 24th, 2007, at 1:37 pm, and filed under Articles.