Told you so: SP2 on campus

Looks like college campuses are facing serious problems with the horrible timing of SP2:

Windows XP SP2 Upgrade Causing Campus Headaches

This is exactly the problem I started to predict over a week ago:

Desperately Seeking SP2
Microsoft redeems itself…a little

While I can say “told you so,” it’s still going to suck for university IT workers everywhere. Especially considering Microsoft is only giving universities one CD for every 50 students and won’t let universities make their own copies for distribution. An average undergraduate dorm at Stanford has about 100 students, so that’s only 2 CDs per dorm. (We actually have a different deal, but let’s go with this basic deal.) Assuming that the average time to install SP2 is about 30 minutes to an hour (calculating in time between passing off the Microsoft-pressed CD to the next person, variable computer speed and performance, etc.) and that you could probably get people patching for a total of 8 hours spread throughout the day, you could get about 16 people upgraded a day. So, it would take about six or seven days to upgrade an entire dorm. Of course, this is a very optimistic estimate– calculate in the time that somebody just isn’t around for a few days and doesn’t pass on the CD in a timely manner or somebody’s computer is slow and it just takes a long time or somebody just loses the damn CD. It could be upwards of two to three weeks before everyone gets SP2 installed and that’s a lot of time during which a vulnerability and exploit can come out and wreak havoc.

The point is that schools will have to institute a mixed model of distributing CDs and installing over the network. But how do you do that when students are more preoccupied with meeting friends and roommates, buying books, picking and registering for classes, paying bills, going to Target to buy some extra-long twin sheets, etc.? Not to mention all of the community building activities Stanford’s Residential Education program pushes. How do you encourage students in a way that will a) get them to install an important security update in a timely manner and b) do it in a way that is evenly distributed over multiple channels? On one hand, you’ll have students who try to get the CD as soon as possible so that they can be patched and secure. Okay, in a dorm of 100 students, after the first two grab those CDs, what about the other 98? Well, they’re busy and they’ve got to go run errands and meet up with friends and talk to professors and whatever else they have to do, so they don’t have time to be waiting around to meet up with Joe down the hall so that they can get the CD. They’ll either run Windows Update themselves or wait until Automatic Update happens or never get patched at all. That’s not very good distribution.

Last year, before RPC hell and back, Stanford’s IT organization decided to cut back on costs and not distribute an Essential Stanford Software CD, a CD which, among other things, included anti-virus software and was traditionally given to all new students when they came to campus. But come late July, the RPC exploits began to hit and suddenly, everyone realized that the CD was a pretty good idea and that it would be the perfect way to get people patched before they got onto the network. So then, there was a mad rush to get CDs pressed and distributed to not just new students, but all 10,000 students living on campus. I wonder what will happen if an exploit hits around September 1 and suddenly it becomes critical to get students patched with SP2 before they connect to the network. Will Microsoft be willing to allow us to copy and distribute CDs then? Or will universities have to bear the burden of whatever new exploit as they are asked to pay for more CDs and wait for Microsoft to press and ship them out?

Who knows what will happen? I think many of us are just simply going to get the CDs out there and hold our breath, hoping that a new vulnerability and/or exploit doesn’t come out, that SP2 won’t break too many computers, and that it won’t make our networks not only sluggish, but just completely roll over during this important period where students– and university staff– are trying to get the school year started, a process of which the Internet has become a critical part. We have seen how much network usage and hits to central campus servers spike during this period and we’ve seen our mail servers slow to a crawl. We’ve seen how much network traffic is hit already with email and file-sharing viruses and spyware. We’ve seen the Windows Update site fail under the burden of users trying to patch their computers. I guess we’ll just have to see what happens when they are all put together.