The events of the past week and a striking headline on The Register caught the attention of a few people on a discussion group. After the standard comments that centered around the cluelessness of using Windows in a critical application, the conversation turned to why people don't keep their machines up to date with the latest patches from Microsoft.
It is fairly easy to understand in the consumer world - many of the users treat their machines as a somewhat dangerous black box (I've seen statistics that a huge number of people never install software themselves - it might break the machine ... they have it done when they buy it, or later have "professionals" or friends do it for them).
In the corporate world a more interesting signal emerges ... some MIS types want to maintain a stable system that doesn't change over time.
From the discussion threads ...
ExxonMobil is still using WinNT 4.0, I believe SP5. They almost never release any patches for anything. They have a set of machines specifically set up for testing updates and a team allocated to do it. This is also just at the Clinton site - Mama Exxon has their own set of overriding rules (think of it as state vs. Federal law). The most you'll see is virus data file updates, and those are applied automatically on login (that's why MIS people ask you to log in/out every day).
My understanding is that ExxonMobil is more the middle of the bell curve on this rather than an outlier. Pretty much the same at Bloomberg as well.
I was talking with a guy who does contract MIS work through IBM (he was once with Bell Labs, but their division was sold to IBM who then made them contract employees to IBM). He noted that about 1/10 of MS patches have unintended consequences on the systems he has to deal with - some of these have been very serious. He generally has a few systems reserved for testing nothing but patches ... usually he waits about a month before releasing something into the company. There are often bizarre problems related to the order that patches are installed -- if you don't install in order a-b-c-d things can blow up. So if a big news item hits and a user installs c, when a is installed the user's computer can be very unstable.
He notes that so many patches are coming out these days that some larger companies have teams that do nothing but test patches.
I asked about TCO calculations ... he said that MIS folks avoid them like the plague and no one counts downtime due to patching or worms - "if a company totally lost a week to problems, the lost business would not be considered part of the cost of ownership..."
The MIS guy who supports our radiology practice tries patches for several months before releasing them. The local area network does not have a connection to the Internet. We have a machine that talks to the outside world for insurance and the like, but it is not connected to the rest of our network. Floppies of patient data are hand carried from the internal network to the connected machine and are destroyed after use so they can't go the other way. We haven't had any real problems, but the operation isn't as smooth as I would like. Given the two days of computerless operation that the oncology practice down the hall had a few months ago, I will put up with our inefficiency.
I should add that our MIS guy does not allow any of us to attach our laptops to the internal network.
Ah the costs of participating in a computational monoculture - I wonder what would happen if CTOs, CIOs and CFOs had to warn investors about the potential consequences of their platform choice in their Form 10-Qs --- monoculture related disasters seem more likely than earthquakes (which are frequently noted).
People love analogies to the Internet. If the frequency and severity of attacks on the monoculture continue, one wonders if Microsoft products will be viewed in the same light as huge American cars were during the oil shortages in the 70s ...
By the way, if you perpetuate the monoculture at home, several friends note that Ad-aware is absolutely essential for a different class of problem.