2002-04-03
We all know that outdated network software is a security hazard. The solution: hard-wired expiration codes that self-destruct an old program when it's past its prime.
Death to Old Software
2002-04-03
Steve (1 replies)
Death to Old Software
2002-04-03
Anonymous (1 replies)
A really bad idea: The solution is better placed elsewhere
2002-04-03
Robert A. Klahn (rklahn@acm.org) (1 replies)

The answer to the problem of outdated software as presented could only assume that security is the dominant concern of a production system. After all, the system will sacrifice itself and all other dependent functionality should an arbitrary date pass, in the name of security. However, organizations don't implement systems to have the best-secured system; they implement them because of the functionality and analytical capabilities they provide.
Determining what software to run and when to upgrade it is more than just looking at the latest release. In any serious IT operation, the decision to implement or upgrade (or not) is driven by a complex set of criteria: Does the upgrade, however minor, break something else? Does the patch alter functionality on which other applications depend? Did the failure in the test systems result from the upgrade or from another anomaly? Are there unexpected dependencies?
Those questions and many more can be quite difficult and complex to answer. Failing to do so properly while trying to meet an imposed deadline could ultimately result in more damage to organizational operations and data integrity than any crackers may cause in a compromise. Indeed, Mr. Lasser's proposal is very much like those old stories of writing a well-intentioned virus that would in turn protect the infected computer from getting other malicious viruses: expiration of software is a denial of service attack in an effort to prevent denial of service attacks.
As a corporate IT manager, I would never yield my decision-making authority to a disinterested and unknown third party as it pertains to my technological operating environment. I pay my systems administrators to keep up with current security thinking, to stay on top of alerts/advisories, to understand our systems' exposure, and to work with me in determining the complete risk picture (including the risks of upgrade vs. vulnerability to attack). As a proponent of open source software, I would have to rethink open source's role in the business environment should time bombs start to appear in my systems.
Again, great idea; let's keep it confined to great fiction, just like Blade Runner!
Link to this comment: http://www.securityfocus.com/comments/columns/72/11653#11653