echo: nthelp
to: Geo.
from: NL
date: 2004-02-05 14:09:12
subject: Re: Corporate variant (SUS) of Windows Update

From: Jan van Hoek (NL) 

>> How do you know none have been hacked
>> like keeps happening with the Linux community?

SUS is not intended as an automagic mechanism, and certainly not meant to
spread unmitigated evil and despair through our company.

Everything that SUS offers is quarantined and tested first in our testing
environment for correct working. Alas, those tests are largely functional,
and are not designed to reveal hidden "features", like the ones
you are referring to. If (I say IF) such backdoors come to light during
functional testing, it will be just by accident. Another possible means of
discovery is the parallel reading of security advisories that some
technically oriented employees (like myself) do on a regular basis.

Anyway, whatever its drawbacks are, SUS is always 500% better than having
everyone running Windows Update on their own devices. Firstly, no regular
user has the necessary permissions to download and install patches,
whatever the source. Secondly, you cannot trust all users to religiously
check the Windows Update website on a regular basis. Thirdly, you cannot
teach them to understand what HAS to be installed (roughly: all critical
patches), versus what is nice-to-have and can better be left where it is
(e.g. the latest DirectX). Fourthly, it happens many times that the stuff
that is being downloaded by Windows Update, is UNSIGNED and pops up a
warning message saying how useful it is to install only signed software and
keep away from unsigned stuff (:-((

To conclude: I agree with the underlying risks that you mention. But as
long as we don't have something better, we have to cope...
--
-- Jan van Hoek (NL)
-- Thu 5 Feb 2004 13:52 CET

--- BBBS/NT v4.01 Flag-5
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)
SEEN-BY: 633/267 270
@PATH: 379/45 1 633/267

SOURCE: echomail via fidonet.ozzmosis.com
