Full Disclosure mailing list archives

openssl exploit code (e-secure-it owned)


From: hellnbak () nmrc org (hellNbak)
Date: Wed, 18 Sep 2002 11:32:37 -0400 (EDT)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, 18 Sep 2002, Andrew Thomas wrote:

> Firstly, Erik has a point with regards to securing your own boxes. If
> they're not secured tightly, why should a company trust information
> purporting to come from you?

Agreed.  If the boxes have been compromised how are we able to trust any
of the data coming from those boxes?

> Secondly, I had a look at the business proposition that Arjen's group is now
> following. I thought it was a valuable service and I still believe it is a
> valuable service.

It depends.  If they are simply taking the data from various sources and
organizing it, to me there is no value.  If they are taking the information,
validating it and adding their own value-add stuff, then it could be of
value if it's done right.

I'll use the (a bit biased) example of eSecurity Online.  It is a pay
service much like what Security Focus, these guys from NZ, and even the
free ISIS initiative offers but with a ton of value add that makes it
worthwhile to pay for.  Take away many of the value add stuff and you have
a worthless service that isn't worth paying for.

> Time=money, and perhaps you might be willing to take on an admin job that
> requires +-8 hours a day, plus spend an additional 2-3 hours a day keeping
> up with mailing lists in your own time, but not all are.

I agree, but there are free alternatives.  Why should anyone pay for
someone else's work?  What you should be paying for is the extra stuff that
your team would have to do with the free stuff anyway.

> Or maybe you'd be willing to pay for another admin to work half-day to keep
> up with the lists. Again, I wouldn't. I'd rather split the costs with
> several other companies and keep my admin up to date with information
> relevant to our internal architecture. I don't want to pay for my staff to
> spend hours a day staying current with vulnerability information on
> AIX/HPUX/Linux, when we're running a FreeBSD/Solaris shop.

Some companies do exactly this.  It depends on your organization size and
security budget.  If the "service" is going to cost you an arm and a leg
to implement and use is it not worth it to hire a junior security resource
instead?

> Or what am I missing here?

There are free alternatives to giving these guys your money.


- -- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

"I don't intend to offend, I offend with my intent"

hellNbak () nmrc org
http://www.nmrc.org/~hellnbak

- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE9iJyYueD73xSa+/ARAnasAJ9V5T4sp2oRqnWyjiF2GCvPeu3OMACcCHRe
UtarGOr6spR9+RHGHKYbieA=
=bPGJ
-----END PGP SIGNATURE-----