Re: [Fed-Talk] Apple security update policy, Java
- Subject: Re: [Fed-Talk] Apple security update policy, Java
- From: "Villano, Paul A CIV USARMY TRADOC (US)" <email@hidden>
- Date: Wed, 23 Oct 2013 12:18:39 +0000
- Thread-topic: [Fed-Talk] Apple security update policy, Java
I think the enemy is bureaucracy. As long as we're in a different pool on older versions of software (and hardware) in DoD we will continue to be struggling to catch up. Yes, in a way it helps us to keep control when there are issues rather than falling prey as quickly as the world when there's a sudden assault, but the answer must be more of a fishing net and less of a wall. We fix old issues on older machines. That's safer, in a way, and would work if we were in our own little enclave. But we interact too much with the world these days. We will be forever impacted by the issues of the world and the enclave/wall system doesn't work anymore. We need to update regularly to stay up to date with everything as it is posted and use a smart fishnet as it were to capture possible issues without cutting our circulation off and only delaying and not being able to adjust to issues because we are so out of touch in our own little sanitized (where we still miss things) world. We are so blocked off these days we can't do mission or interact well with others. Fail/fail rather than win/win or mitigated win/win.
-----Original Message-----
From: fed-talk-bounces+paul.a.villano.civ=email@hidden [mailto:fed-talk-bounces+paul.a.villano.civ=email@hidden] On Behalf Of Eric Eskam - QTGBBA
Sent: Tuesday, October 22, 2013 12:08 PM
To: Beatty, Daniel D CIV (US)
Cc: email@hidden
Subject: Re: [Fed-Talk] Apple security update policy, Java
On Thu, Oct 17, 2013 at 1:16 PM, Beatty, Daniel D CIV NAVAIR, 474300D <email@hidden> wrote:
> Hi gang,
> So do the users get a vote? If they are the ones paying for it and the IT professionals for that matter, then how does one justify such discussion? The developers will certainly defend their product. If the product has been tested and passed, then what?
While I generally agree with you that it is very easy for IT to get caught up in its own bubble and forget that the purpose of IT is to support the mission of the organization, a sound security principle is minimizing the threat profile, when practical. If you don't really need Java, and with it being the current exploit path of choice, eliminating it when possible is a viable strategy. Not the end all be all - when enough people do it the malware will move to other paths. But just because it may be inconvenient or ineffective in the future doesn't mean it can't be part of an effective strategy today.
I see the real fuss over Java and Adobe as the issue of it being installed when not needed. If it's truly a mistake on Apple's part, that just adds insult to injury when the very mechanism that's there to help reduce the amount of Java that is installed is instead making it many times worse.
As you point out, to be really effective and add value these decisions need to be about balance - so I think you do raise a significant point in reminding us about the users.
> From a developer's and scientist's perspective, I find that egoless development is a useful tool in helping to crack down on such defects. Blames can circulate like a mean girls brew, and produce just about as devastating effects. Thus, what are we left with? I can only hope that the development processes have not devolved to such a low level.
Again, I agree more than I disagree - the real catch is achieving truly "egoless development". When people go through a lot of effort to learn something they tend to defend it - rationally or irrationally. I love the blame statement and phrasing - I'm going to save that one to reuse in future discussions!
Eric