7 June, 2006

Complacency spawns zombies

There's a spare PC in my office, very occasionally used by visiting staff.  Before today, the last time it was switched on was in November, so it hasn't been kept up to date with security patches.  The result is that it wouldn't allow someone to log in this morning, as it's a potential network vulnerability.

Fair enough, but when I contacted ISS, I was told to leave it connected to the network for an hour or so, and it'd discover the patches for itself.

I'm sure the internal network is secure, and on a purely practical level, this procedure works, but I have to question whether this conveys the right message to (often tech-illiterate) users: that it's safe and good practice to connect an unpatched computer to a network, and that "it'll sort itself out".

I can quite imagine someone buying a PC for home use, connecting it to the internet, then happily watching it spontaneously install, er, security-related software. "What's wrong with that? That's what the security professionals at work seem to recommend!"

Wouldn't it be better to invent some 'updating' interface, even an entirely spurious one, to give the impression that security updates are a big deal, and that network activity without them is unacceptable?