I recently got a call from a security journalist who wanted my recommendations for the “Best Practices” in system patching. I explained patiently to Prince Wu, uh, urr, the journalist, that I don’t patch my systems at all. My home file server is still running OpenBSD from 5 years ago (and it works fine) and my Solaris machine is running some ancient version that is compatible with some of the development software I rely on. I pretty much set my network up, and don’t screw with it. In return, it pretty much just works unless a cable jiggles loose or the dogs chew on something.
-Marcus J. Ranum
This is one of the best ideas in computer security that I’ve heard in ages. It’s true that while continuously patching your programs gives you the latest technology, using older versions gives you better stability. Patching is an expensive and painful process. And besides, this is also one of the reasons why computers are getting out of the programmers’ control. We do not know our own systems anymore. At least not the same way that our predecessors did. What we really need is not what the market claims to be the latest and, I strongly doubt, the greatest software available. Patches are just proof of imperfection, which is, thinking about it, brought on by patching in the first place. If we know our systems very well, we will be able to come up with better code.
There is a reason why MJR is one of the top specialists in this field. Because he knows that when developing software you just have to “write it and forget it”.