Chapter 16. The Timeline

“So, Mike, take us back,” said Ollie, “to the Thursday six weeks ago when you learned about the patch.”

“Sure,” said Mike. “It was a dark and stormy night, and suddenly my BlackBerry started to vibrate ominously with news of an emergency security patch from our networking vendor. I reviewed the release notes, and it did seem pretty urgent. If left unpatched, an attacker could penetrate our network and view or modify any network traffic. This wasn’t in the notes, but I heard through the grapevine that this vulnerability was recently used to steal customer information at the headquarters of Castle-Mart.”

“So it seemed reasonable that we would want to apply this patch as soon as possible?”

“Yes. All financial institutions are targets for all kinds of attacks, so we have to take potential security risks seriously.”

“How often do you apply security patches like these?”

“Pretty routinely. I’d say there’s at least one security patch a quarter, sometimes more frequently than that.”

“At the same time,” said Bill, “you were being quite thorough—you didn’t deploy the patch directly to production without testing.”

“Objection, your honor!” said Ollie. “That’s a counterfactual!”

“Wait, what?” asked Bill. “I thought I was commenting on Mike’s thoroughness.”

“You were,” Ollie replied. “But Mike didn’t deploy directly to production. It’s not what happened, and therefore a counterfactual.”

Bill chuckled. “Man! This is going to be tough. OK, instead of using a counterfactual—and ...