by duey 4709 days ago
Having out-of-date packages on production servers is also dangerous. It really depends what you consider your biggest risk to be: downtime vs. getting hacked due to out-of-date packages? I personally would take downtime, but every place is different.

A check for necessary updates should simply be part of someone's regular, preferably daily, routine. It's a basic cost of doing business.

The manpower necessary is not enormous. Any particular security update has a relatively small chance of requiring prompt installation on a particular production service. On the unusual day you're struck by lightning, you pull out the relevant emergency plan and begin executing it.

Remember that a lot of small to medium sized websites are maintained by part-time freelancers and don't have anything resembling an ops team; there's nobody being paid to do the day-to-day running of the servers.

In such a situation it's probably safer to at least have automatic scheduled patching against deadly vulnerabilities and accept that occasionally that might break something.

Of course that wouldn't apply in Apple's case.
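One way to get the "automatic patching against deadly vulnerabilities" the comment above describes, without also pulling in every feature upgrade, is to apply only packages whose candidate version comes from a security suite. The script below is an added example for this thread, not something any commenter posted: it parses the plan that `apt-get -s upgrade` prints on a Debian/Ubuntu host, keeps the packages from a `*-security` origin, and installs just those with `--only-upgrade`. The `SAMPLE_PLAN` text is constructed to look like that output so the filtering can be exercised offline; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example: security-only scheduled patching for an unmanaged VPS.
# `apt-get -s upgrade` (simulate) prints lines of the form
#   Inst <pkg> [<old>] (<new> <origin>/<suite> [<arch>])
# followed by matching "Conf" lines. SAMPLE_PLAN is a constructed
# imitation of that output so the filter can be tested without apt.
SAMPLE_PLAN='Reading package lists...
Building dependency tree...
Inst libssl1.1 [1.1.1n-0+deb11u3] (1.1.1n-0+deb11u5 Debian-Security:11/stable-security [amd64])
Inst openssl [1.1.1n-0+deb11u3] (1.1.1n-0+deb11u5 Debian-Security:11/stable-security [amd64])
Inst nginx-common [1.18.0-6.1] (1.18.0-6.1+deb11u3 Debian:11.7/stable [all])
Conf libssl1.1 (1.1.1n-0+deb11u5 Debian-Security:11/stable-security [amd64])
Conf openssl (1.1.1n-0+deb11u5 Debian-Security:11/stable-security [amd64])
Conf nginx-common (1.18.0-6.1+deb11u3 Debian:11.7/stable [all])'

# security_packages: read an apt-get -s upgrade plan on stdin and print,
# one per line (sorted, deduplicated), the packages whose candidate
# version comes from a security origin or suite. Only "Inst" lines are
# considered; the "Conf" lines repeat the same packages. The match is
# case-insensitive so both "Debian-Security:..." and "jammy-security"
# style origins are caught.
security_packages() {
    awk '$1 == "Inst" && tolower($0) ~ /security/ { print $2 }' | sort -u
}

# count_security_packages: number of packages security_packages would
# select; handy for a cron job that only wants to log "N pending".
count_security_packages() {
    security_packages | wc -l | tr -d ' '
}

# apply_security_updates: plan with a dry run first, then install only
# the selected packages. --only-upgrade refuses to pull in packages
# that are not already installed, so the blast radius stays small.
# Needs root and network; it is NOT run by default (see bottom).
apply_security_updates() {
    pkgs=$(apt-get -s upgrade 2>/dev/null | security_packages)
    if [ -z "$pkgs" ]; then
        echo "no security updates pending"
        return 0
    fi
    echo "applying security updates:" $pkgs
    # shellcheck disable=SC2086  (word splitting of $pkgs is intended)
    DEBIAN_FRONTEND=noninteractive apt-get install -y --only-upgrade $pkgs
}

# Usage: `sh secpatch.sh --apply` from a daily cron entry does the real
# work; with no argument the script just shows the filter against the
# constructed sample plan.
if [ "${1:-}" = "--apply" ]; then
    apt-get update -q && apply_security_updates
else
    printf '%s\n' "$SAMPLE_PLAN" | security_packages
fi
```

Schedule it from root's crontab (for example once a day at an off-peak hour) and send the output somewhere a human will eventually read it; a service that needs a restart after a library update (here, anything linked against libssl) still has to be restarted, which is exactly the "occasionally that might break something" cost the comment accepts.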

You're positing a scenario that shouldn't occur in the first place. Such a website should be on a shared or managed hosting service, or alternatively, there are companies that will, for a reasonable monthly fee, perform basic routine maintenance such as this on your servers.

If you want to completely mismanage a server you depend on for your livelihood, I can't stop you. All I can say is you're doing it wrong.

Running on shared hosting doesn't solve this and introduces a bunch of other issues; you still have to worry about WordPress installs or whatever.

There are a lot of poorly managed VPSes out there; these would be better served by applying security fixes automatically.

I'm sure Apple has the resources to hire enough sysadmins to keep their systems up to date. The question is why it isn't happening.
It looks like the exploit used a vulnerability in Apache Struts that was revealed on 7/16: https://news.ycombinator.com/item?id=6081428

Given that, your question of "how can we completely avoid zero-day attacks" is nonsensical.