Untrustworthy Computing

Computerworld - We all knew it was coming, didn't we? There was no surprise when the Blaster worm began its Internet rampage last week.
This latest crippling attack was launched against yet another security hole in Windows. We were warned a month ago, remember? Right around the time Microsoft was giddily signing a $90 million enterprise software deal with the U.S. Department of Homeland Security (oh, the irony), it was solemnly warning that three serious new flaws had been discovered in Windows.
One of those babies was destined to be exploited by the now-infamous Blaster (a.k.a. Lovsan), a pernicious self-propagating worm that has infected more than 100,000 systems worldwide. Homes and businesses alike have been hit, their computers repeatedly shutting down. The wave of massive inconvenience and frustration has gotten TV, radio and newspaper coverage everywhere. Another black eye -- not just for Microsoft, but for the technology industry, too. When it's not spam clogging your e-mail, it's a barrage of viruses and worms disabling your PC.
The cure was almost as bad as the disease. Updated virus protection definitions (a bit sluggish in making their appearance from the major security vendors) had to be downloaded and installed in a global IT fire drill. Since all versions of Windows XP, 2000, NT 4 and Windows Server 2003 carry this flaw, they also had to be patched ASAP. Did your IT department have better things to do last week? Tough luck, huh?
"The thing about patching is that it is so darn reactive. And that can kill you," Dave Jahne, a senior security analyst at Banner Health System in Phoenix, told our reporter . "You need to literally drop everything else to go take care of patching."
Even worse -- as if things could be -- is that the Microsoft patches aren't even considered trustworthy enough to roll into a production environment without additional quality testing. In Arlington County, Va., for example, the IT staff ran into deployment problems last week while using Windows Update server technology and switched to Novell's ZENworks so that staffers could automatically distribute the necessary patches, said Vivek Kundra, director of infrastructure technologies.
Among the many IT professionals watching this wormy nightmare unfold was Carl Ness, distributed information systems coordinator at Clarke College in Dubuque, Iowa. He e-mailed me with a straightforward but difficult question: Why?
"Why aren't people, especially at the chief executive level, asking: 'Why are we still using this stuff?' " Ness wanted to know. "If these problems were at this level for any other