Full Disclosure mailing list archives
Re: Expired certificate
From: Paul Schmehl <pschmehl_lists () tx rr com>
Date: Wed, 04 Aug 2010 09:44:29 -0500
--On Monday, August 02, 2010 12:36:37 -0400 Elazar Broad <elazar () hushmail com> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

<snip>
Can't you? The world is full of unpatched systems. You can even find systems where patches are not installed because it is running a piece of mission critical software and they would lose support if they installed any patches (I am not making this up).
</snip>

Spot on. I know of one large accounting/ERP system (which shall remain nameless, though I am sure there are those out there who have come across it) that checked the SQL version, including the revision number at runtime, which made patching SQL impossible.

In those cases where there are such systems, there should be mitigating controls around them that increase the difficulty of break-in. Otherwise the IT department is negligent.

--
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions are my own and not those of my employer.
*******************************************
"It is as useless to argue with those who have renounced the use of reason as to administer medication to the dead." Thomas Jefferson

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/