Full Disclosure mailing list archives
RE: SSH Exploit Request
From: "Robert Davies" <phantasm () textbox net>
Date: Thu, 13 Nov 2003 15:45:33 -0500
-----Original Message-----
**snip**
Actually, the *original* problem was that the OP *wanted* to apply the patch to fix a flawed service, but was prevented from doing so by a flawed policy. Now tell me - would *you* install the patch anyhow, knowing that (possibly) doing so without all the change-control paperwork being done correctly would mean your ass would be canned and you'd be looking for another job?
That is dependent on the seriousness taken to network security. I for one feel that the less time a vulnerable service is open, the less time someone can move in and exploit it. I know, I may sound like a dick, but when it comes down to it, after testing the patch on a non-production machine and verification that the service is working properly, that is all the time needed to patch a flawed service.

Maybe in large corporate environments, all the restrictions and flawed policies cause more problems than needed, but in that case, I really would not want to see them cry that they have been compromised because they take their time with paperwork. I feel I would rather justify downing a service for one minute than having to explain why the system has to be taken offline for a few days while the drive is cloned and an attack is researched.

I do apologize for assuming that those that do not do the appropriate research and patching in a timely manner are lazy, whereas it's possibly the suits and policy writers that are definitely more to blame. IMO, I would do the patching as soon as I found the patched service suitable, and if I lost my job, at least I know that's one more machine that was secure under my control. I'd rather tell a prospective employer that I was canned for taking security precautions than canned for having a critical machine compromised.

Once again, my apologies for getting all worked up over this, I just hate to see when suits slow down proper and prompt security precautions and then cry about being compromised before they cut through the red tape.

RKD

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html