Full Disclosure mailing list archives
openssl exploit code (e-secure-it owned)
From: hellnbak () nmrc org (hellNbak)
Date: Wed, 18 Sep 2002 11:32:37 -0400 (EDT)
On Wed, 18 Sep 2002, Andrew Thomas wrote:
Firstly, Erik has a point with regards to securing your own boxes. If they're not secured tightly, why should a company trust information purporting to come from you?
Agreed. If the boxes have been compromised how are we able to trust any of the data coming from those boxes?
Secondly, I had a look at the business proposition that Arjen's group is now following. I thought it was a valuable service and I still believe it is a valuable service.
It depends. If they are simply taking the data from various sources and organizing it, to me there is no value. If they are taking the information, validating it and adding their own value add stuff, then it could be a value if it's done right. I'll use the (a bit biased) example of eSecurity Online. It is a pay service much like what Security Focus, these guys from NZ, and even the free ISIS initiative offers but with a ton of value add that makes it worthwhile to pay for. Take away many of the value add stuff and you have a worthless service that isn't worth paying for.
Time=money, and perhaps you might be willing to take on an admin job that requires +-8 hours a day, plus spend an additional 2-3 hours a day keeping up with mailing lists in your own time, but not all are.
I agree, but there are free alternatives. Why should anyone pay for someone else's work? What you should be paying for is the extra stuff that your team would have to do with the free stuff anyways.
Or maybe you'd be willing to pay for another admin to work half-day to keep up with the lists. Again, I wouldn't. I'd rather split the costs with several other companies and keep my admin up to date with information relevant to our internal architecture. I don't want to pay for my staff to spend hours a day staying current with vulnerability information on AIX/HPUX/Linux, when we're running a FreeBSD/Solaris shop.
Some companies do exactly this. It depends on your organization size and security budget. If the "service" is going to cost you an arm and a leg to implement and use, is it not worth it to hire a junior security resource instead?
Or what am I missing here?
There are free alternatives to giving these guys your money.

--
"I don't intend to offend, I offend with my intent"
hellNbak () nmrc org
http://www.nmrc.org/~hellnbak