Full Disclosure mailing list archives
Re: SSH Exploit Request
From: Andrew J Caines <A.J.Caines () halplant com>
Date: Thu, 13 Nov 2003 17:30:57 -0500
Robert,
> I do apologize for assuming those that do not do the appropriate research and patching in a timely manner are lazy, whereas it's possibly the suits and policy writers that are definitely more to blame. IMO, I would do the patching as soon as I found the patched service suitable, and if I lost my job, at least I know that's one more machine that was secure under my control.
This illustrates the conflict of being a systems and security professional and being an employed systems/security administrator/engineer/whatever. Your instinct to do what you know is in the best interests of protecting the resources (systems, applications, data) under your control is natural and certainly a necessary and admirable quality; however, there is one critical overriding detail: you do not own the system. They do. Unless you define policy, own the systems, pay the bills or whatever gives you the real authority, the best you can do is to work to make sure that they are able to make the best, most informed decisions possible based on your expert advice. This includes details of systems security and threats, as well as policy and process. Try to improve the system from within: use the change control process, document issues, make sure you address your audiences in terms appropriate to them (which does not mean to "dumb down", but to accurately convey information which they can understand well enough to make decisions based on it). In the end, if you cannot accept the decisions made by them after you have made a genuine effort to address what you consider to be the serious issues affecting your duties and responsibilities, then you have the authority to find a better job. Either way, the reward in the end is when you get regularly asked, "What do you suggest?"
> I'd rather tell a prospective employer that I was canned for taking security precautions then canned for having a critical machine compromised.
Presuming s/then/than/, the potential employer will be happier to hear that on more than one occasion you advised your management of the threat, provided solutions, worked with management to fix the problem, then resigned after the systems were compromised because you felt your professional expertise was not being valued or used.

-Andrew-

-- 
_______________________________________________________________________
| -Andrew J. Caines- Unix Systems Engineer A.J.Caines () halplant com |
| "They that can give up essential liberty to obtain a little temporary |
| safety deserve neither liberty nor safety" - Benjamin Franklin, 1759 |
_______________________________________________________________________

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html