Saturday, 17 April 2010

To patch or not to patch, that is the question...

Well patch Tuesday has been and gone and I see that Microsoft has been put in a difficult situation this month with XP security patches. The month before last they released a patch that, when installed on computers that were infected with the Alureon rootkit, caused the machines to endlessly crash. The dilemma they face is if people suffer a bad experience when applying security patches then they are less likely to apply future patches. A kind of damned if they patch and damned if they don’t.

A lot of people slate Microsoft for producing insecure operating systems but the bottom line is that the products are so huge it is almost impossible to prevent vulnerabilities. Think about the complexity of creating an OS that will run on hardware that is outside of your control. A one size fits all product, it is a tall order. Also if I had a pound for the number of times I have heard "if you buy a Mac you won't have these problems" I would be very rich and it shows how naive this viewpoint is. Macs don’t suffer as much because it doesn’t make the headlines as much due to the number of users. Microsoft has far higher market share so generates more attention when exploited and you have a much wider attack surface.

When XP was first launched it comprised of approximately 40 million lines of code, Vista was 50 million lines, which is a lot of room for unforeseen errors.

So in this round of security updates Microsoft has made smart patches. They will check the machine to determine if it has the Alureon rootkit and if it does it will not install the security update to prevent the machine from endlessly crashing. Whilst I understand this approach it defeats the object of patching in the first place.

I think the only solution to this problem is that if you want machines to be stable and to function correctly then don’t be lazy, secure it with decent products and patch it regularly. After all, a security patch is an admission by Microsoft of a problem and highlights where the problem is, if you don’t fix the problem by patching someone will invariably exploit it.

Monday, 5 April 2010

Don’t we learn from lessons? Obviously not!

I read with worry that the NHS is offshoring medical records to India. The NHS is already the leakiest organisation in the UK haemorrhaging data as though the NHS computer system has a severed artery so what are they doing? Offshoring data processing to India, following the likes of mobile phone and credit card companies will only end in disaster, after all look what has happened, data has not been lost, it has been sold!

It infuriates me, offshoring data management has been proven to be insecure, impossible to regulate and a false economy. It is not cheap, it doesn’t save money in the long run, it costs money because of compensation, the cost of changing personal records and financial details and monitoring accounts for fraudulent transactions.

So a false economy and the stupidity of not learning from others mistakes make us all potential victims of data loss. What makes me even more frustrated is that Principle 8 of the DPA states:
“Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data”.

Judging by their track record so far I would suggest that the Indian sub-continent has so far been found to be willing when providing adequate levers of protection for the rights and freedoms of data subjects, all that they have done is sell personal details to criminal gangs and now our medical details are about to go the same way.