Full Disclosure mailing list archives
RE: SSH Exploit Request
From: "Schmehl, Paul L" <pauls () utdallas edu>
Date: Thu, 13 Nov 2003 16:08:51 -0600
-----Original Message-----
From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of Robert Davies
Sent: Thursday, November 13, 2003 2:46 PM
To: Valdis.Kletnieks () vt edu
Cc: full-disclosure () lists netsys com
Subject: RE: [Full-disclosure] SSH Exploit Request

> I do apologize for assuming those that do not do the appropriate research and patching in a timely manner are lazy, whereas it's possibly the suits and policy writers that are definitely more to blame. IMO, I would do the patching as soon as I found the patched service suitable, and if I lost my job, at least I know that's one more machine that was secure under my control. I'd rather tell a prospective employer that I was canned for taking security precautions than canned for having a critical machine compromised.
Your heart's in the right place, Robert, but you would have been canned for insubordination, *not* for taking security precautions, and any interviewer worth his salt would understand that as soon as you explained why you were fired.
> Once again, my apologies for getting all worked up over this, I just hate to see when suits slow down proper and prompt security precautions and then cry about being compromised before they cut through the red tape.
They don't cry about it. They fire the very security people that were screaming at them for not patching in a timely manner, blaming them for not protecting the organization. And once in a great and wonderful while, they say, "You were right. How long did you say it would take to implement that solution?" Such is life in never-never land.

If you *really* want to make a difference in security, you stay where you are, work within the rules and fight like a banshee for what you know is right. Then, when they finally "get it", you're a hero, because you've been saying "I told you so" for a very long time. Nothing worth having ever comes easy, and seldom is anything easy to get worth having.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/