
HeyaShinyObject t1_jdzvxgm wrote

I understand how ntp and timezone files work. I know most people won't have an issue, or maybe their lights won't come on at the right time because their automation hub didn't update, but no big deal. In commercial environments, often with thousands of devices, automatic updates are often disabled. Updates are tested in a lab, then a QA environment, then rolled out to production servers in phases. In regulated industries like healthcare and finance, there is typically more process. Every change is documented, scheduled, authorized and verified. The actual change might only take a couple days to roll out, but it's not like companies have people sitting around waiting to do this, they have day to day business to take care of as well.

−1

swatlord t1_jdzykji wrote

Yep, I'm one of those people who works in said environments. I can say, with confidence, that with automation available at the orgs you mention (Commonly MECM, Intune, or GPO for Windows and Ansible for Linux/anything else SSH) this change would be pretty dang trivial.

Windows Registry example (likely delivered through GPO, MECM, or Intune) - This would cover most use-cases for the environments you mention.

To add, I also work in one of those "regulated industries" (government/defense). There are specific processes for stuff like this that require quick action and bypass normal CCBs. An example for the gov/mil side is when 0-days are discovered (think SolarWinds and Log4J). Do they want to spend months testing and approving? Hell no! While flipping a time-zone config isn't exactly the same as remediating a vulnerability, fixing it would be important enough to business continuity to justify some expedited changes.

> The actual change might only take a couple days to roll out, but it's not like companies have people sitting around waiting to do this, they have day to day business to take care of as well.

Most of the companies you mentioned in regulated industries do have folks that spend their work day doing this. People like ISSOs/ISSMs, change/config managers, automation engineers just to name a few. It is their business to stay abreast of upcoming changes and respond.

2
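The comment above describes pushing a time-zone change through GPO, MECM or Intune and treating it as a tracked change. What a change manager typically needs alongside the push is evidence that each host actually ended up in the expected state. The script below is an added example, not code from the thread or from any of the tools named; it is a read-only audit that reads the standard Windows time-zone registry locations and the `Get-TimeZone` cmdlet, and returns a non-zero exit code when the host does not match the expected zone, which is how MECM compliance scripts and Intune remediation scripts signal non-compliance. `$ExpectedZone` is an assumed placeholder value; substitute the zone name your organization standardizes on.

```powershell
# Added example (not from the thread): audit a Windows host's time-zone state before/after a
# centrally pushed change. Read-only; meant to be delivered through the same tooling the comment
# names (GPO startup script, MECM compliance item, Intune remediation) so output can be collected
# as change-verification evidence.

# Assumption: the zone the organization expects after the change. Placeholder value.
$ExpectedZone = 'Eastern Standard Time'

$tzRoot    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones'
$tzCurrent = 'HKLM:\SYSTEM\CurrentControlSet\Control\TimeZoneInformation'

# Current zone as the OS sees it (TimeZoneInfo object) and the raw registry state behind it.
$tz     = Get-TimeZone
$tzInfo = Get-ItemProperty -Path $tzCurrent

# Version stamp of the installed time-zone data. Present on supported Windows builds; treated
# as optional here so the audit still runs where it is missing.
$tzVersion = (Get-ItemProperty -Path $tzRoot -ErrorAction SilentlyContinue).TzVersion

# The DST rules Windows will actually apply for the current zone. The most recent rule's start
# date shows whether an updated rule set has reached this host.
$latestRule = $tz.GetAdjustmentRules() | Sort-Object DateStart | Select-Object -Last 1

# Dynamic DST sub-key for the expected zone lists the year range the rule table covers.
$dynamicDst = Get-ItemProperty -Path (Join-Path $tzRoot "$ExpectedZone\Dynamic DST") `
                               -ErrorAction SilentlyContinue

$report = [pscustomobject]@{
    ComputerName        = $env:COMPUTERNAME
    TimeZoneKeyName     = $tzInfo.TimeZoneKeyName
    DisplayName         = $tz.DisplayName
    SupportsDst         = $tz.SupportsDaylightSavingTime
    # DynamicDaylightTimeDisabled = 1 means "automatically adjust clock for DST" is turned off.
    DstAdjustDisabled   = [bool]$tzInfo.DynamicDaylightTimeDisabled
    TzDataVersion       = if ($tzVersion) { '0x{0:X}' -f $tzVersion } else { 'unknown' }
    LatestDstRuleStart  = if ($latestRule) { $latestRule.DateStart.ToString('yyyy-MM-dd') } else { 'none' }
    DynamicDstFirstYear = $dynamicDst.FirstEntry
    DynamicDstLastYear  = $dynamicDst.LastEntry
    Compliant           = ($tzInfo.TimeZoneKeyName -eq $ExpectedZone)
}

# Emit the record for collection (MECM/Intune capture stdout; a log shipper can take the JSON).
$report | ConvertTo-Json -Compress

# Exit code drives remediation logic: 0 = compliant, 1 = needs the change (or a follow-up).
if ($report.Compliant) { exit 0 } else { exit 1 }
```

Run it in the detection slot of a compliance item or remediation pair and keep the remediation step (the actual `Set-TimeZone` or registry push) separate, so the same detection script doubles as the post-change verification record the change ticket asks for.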

HeyaShinyObject t1_jdzzp82 wrote

The company I most recently worked at would turn a zero day around essentially overnight as well. But we didn't like it, because something else got pushed aside for it. This will be somewhat more than a typical zero day because it will affect every class of device, whereas most zero days only affect certain classes or versions of devices. The original point was that you don't want to turn something like this into a last minute emergency by passing legislation that doesn't allow industry time to deal with it.

1

swatlord t1_je019j9 wrote

Yep, and my rebuttal was that if it passed now (or even in the next few months) I believe orgs would have plenty of time to implement the change before the next clock change in the fall.

1

HeyaShinyObject t1_je02r69 wrote

Realistically, it won't pass for months. My bet is it will take effect next year, if at all.

Interestingly, CT tried to pass a bill last year, but broadcasters opposed it and it never got passed. Apparently Congress has to approve the change as well.

CT's bill would have been contingent on MA, NY, and RI also adopting AST.

1

swatlord t1_je03msv wrote

Oh yeah, no argument there. While we have the technology to implement something like this pretty quickly, the legislature does not move as fast.

1