Full Disclosure mailing list archives

RE: Gates: 'You don't need perfect code' for good security


From: james <hackerwacker () cybermesa com>
Date: 31 Oct 2003 18:43:35 -0700

On Fri, 2003-10-31 at 16:50, Beaty, Bryan wrote:
> Correct me if I am wrong but...

I'll be glad to.


> I believe every worm listed below could have been prevented had everyone
> patched their systems.
>
> I would like the security community to take more responsibility for
> their own (in)actions. If you were hit by Blaster then you failed to
> enforce a good patch management policy. Whose fault is that? Patch
> management is boring and so we often ignore it. Hackers and worms simply
> take advantage of our laziness. I guess Blaster could be a form of
> social engineering. "I know admins don't patch so I can write a worm and
> kill the world."


Since you directed this to the "security community" it seems you
are speaking to IT folk and not end users. I **cannot** apply
MS patches till they go through quite a bit of testing. I have been 
bitten with production boxes that are rendered unusable after a round 
of MS patches. We are a BSD/Linux shop with just a few MS boxes but it
still takes a lot of time to make sure the patch(es) will work with
various configurations and applications. I **shudder** to think what
orgs that are all MS have to do to deploy patches.

Whose fault is that?







_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

