Full Disclosure mailing list archives
RE: No Subject (re: openssh exploit code?)
From: Montana Tenor <montanatenor () yahoo com>
Date: Tue, 21 Oct 2003 13:04:58 -0700 (PDT)
I agree with Mitch. Let's say you get an advisory that a severe thunderstorm may be coming your way. Do you wait until the wind and rain are blowing inside your house to close the windows and doors? Do you allow the kids to keep playing outside? You do the prudent thing. Instead of trying to brute-force Mitch into this, think about why doing the right thing to protect the long-term interests of your business is the RIGHT thing to do.

The problem is solved by refusing to allow a superior, most likely one ignorant of security concerns, to make the ultimate decision about security issues. Come on, that's why he/she hired you in the first place: to come to the decision that there is/may be a problem and to fix or mitigate it, unless you're an MCSE, in which case your job is simply being a patch drone. (Sorry, couldn't refuse that jab :) )

Doing the prudent thing is almost always the best approach. If you see a CERT advisory, I would say it's prudent to patch, even if the language is vague and you see no proof. Do you have to be lifted up into the tornado before seeking shelter? If, in the corporate world, your downtime to patch means lost income, then perhaps you need to allow for such losses in your business model/plan. It's part of doing business, and that's not my opinion, it's fact. Either you put the money in (via lost revenue in downtime) now, or you lose more money later when you get sucked into the tornado.

I am sorry, but when a customer calls me today because I have taken his box offline to apply a patch, I explain to the customer that doing so is the prudent thing to do, and the atmosphere turns from a bitching customer to one that respects the fact that I am so proactive in securing their machine and their interests. It's a trade-off: pay me now, or pay me more later. It's never that you don't pay, unless it's fraud, and it's better to apply a patch that may not be doing more than printf'ing "hello world" than to not and be owned.

People seem to forget that corporations need to think in terms of what is best for their long-term futures. If you find your losses are increasing beyond what your company can absorb, perhaps you should look at switching to a more stable environment. Or realise that doing business in the sector means incurring some losses, and if your revenue cannot match the losses, perhaps your business plan needs to be altered.

Anyone that disagrees with me can do a simple test. Next time the CEO says it is not acceptable, ask the CEO how important our largest customer is to you, because they will be the first to leave us when things go horribly wrong. You see, big corporations know that software has bugs, people make mistakes; it is the manner in which you deal with those issues and with your customers that determines how well you will do in this arena.

Cheers,
Matt

PS: sorry for the long response

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Re: No Subject (re: openssh exploit code?), (continued)
- Re: No Subject (re: openssh exploit code?) Jason Coombs (Oct 21)
- Re: No Subject (re: openssh exploit code?) morning_wood (Oct 21)
- Re: No Subject (re: openssh exploit code?) Jason Coombs (Oct 21)
- Re: No Subject (re: openssh exploit code?) Valdis . Kletnieks (Oct 21)
- Re: No Subject (re: openssh exploit code?) Peter Busser (Oct 22)
- Re: No Subject (re: openssh exploit code?) Jason Coombs (Oct 21)
- RE: No Subject (re: openssh exploit code?) Schmehl, Paul L (Oct 21)
- RE: No Subject (re: openssh exploit code?) Schmehl, Paul L (Oct 21)
- RE: No Subject (re: openssh exploit code?) Brent J. Nordquist (Oct 21)
- RE: No Subject (re: openssh exploit code?) mitch_hurrison (Oct 21)
- RE: No Subject (re: openssh exploit code?) Schmehl, Paul L (Oct 21)
- RE: No Subject (re: openssh exploit code?) Montana Tenor (Oct 21)
- RE: No Subject (re: openssh exploit code?) Ted Unangst (Oct 21)
- Re: No Subject (re: openssh exploit code?) Benjamin Krueger (Oct 21)
- Re: No Subject (re: openssh exploit code?) Shawn McMahon (Oct 22)
- RE: No Subject (re: openssh exploit code?) Montana Tenor (Oct 21)
- Re: No Subject (re: openssh exploit code?) mitch_hurrison (Oct 21)
- Re: No Subject (re: openssh exploit code?) Blue Boar (Oct 21)
- RE: No Subject (re: openssh exploit code?) Bassett, Mark (Oct 21)
- Re: No Subject (re: openssh exploit code?) Richard Massa (Oct 21)
- RE: No Subject (re: openssh exploit code?) Ron DuFresne (Oct 22)
- No Subject (re: openssh exploit code?) mitch_hurrison (Oct 21)
- Re: No Subject (re: openssh exploit code?) Dan Wilder (Oct 21)
(Thread continues...)