Full Disclosure mailing list archives

Re: Getting Off the Patch

From: Zach C <fxchip () gmail com>
Date: Tue, 11 Jan 2011 05:53:44 -0800

Hmm. So you propose other measures of security as a way of circumventing the requirement of patching vulnerable 
software. That's nice, but it occurs to me that the vulnerable software is still vulnerable, and sandboxing (as you 
mentioned in an example) isn't always possible or feasible -- maybe it requires a code change, who knows. I see you 
mention the time it takes to test patches and their effect on your workflow, but I would figure an equal or greater 
amount of time would then need to be spent on other solutions as well -- and even when those other solutions are 
implemented, the software that you're doing all this to is still vulnerable, and likely in a way that such measures 
can't really prevent all that well (code theft, etc).

Am I mistaken? I thought I got all that right. I haven't read the OSSTMM 3 yet, granted (it's on my to-do list), but I 
would think that it's still worth doing all that -- just that disregarding patches entirely in favor of this isn't the 
solution either, which is probably not what you're saying. :) 

On Jan 10, 2011, at 11:41 AM, Pete Herzog <lists () isecom org> wrote:

Hi,

Here's a new article on how and why you may want to stop patching your 
software and take a new approach to your security.

"So if patching is a tactic towards a particular security strategy, 
how can that be bad? I never said it was all bad. There are reasons 
where patching makes sense just like there are reasons to get a kick 
from a cup of coffee, get kicked by a shot of tequila, or spray stuff 
up your nose to breathe easier for 1.5 seconds. Yes, for the record, I 
am comparing patching to nasal spray."

Read it here:

https://www.infosecisland.com/blogview/10813-Getting-Off-the-Patch.html

Sincerely,
-pete.

-- 
Pete Herzog - Managing Director - pete () isecom org
ISECOM - Institute for Security and Open Methodologies
www.isecom.org - www.osstmm.org
www.hackerhighschool.org - www.badpeopleproject.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

Getting Off the Patch Pete Herzog (Jan 11)
- Re: Getting Off the Patch Zach C (Jan 11)
  - Re: Getting Off the Patch Valdis . Kletnieks (Jan 11)
    - Re: Getting Off the Patch Tim (Jan 11)
    - Re: Getting Off the Patch Pete Herzog (Jan 13)
    - Re: Getting Off the Patch Tim (Jan 14)
  - Re: Getting Off the Patch Pete Herzog (Jan 13)
    - Re: Getting Off the Patch Zach C (Jan 13)
    - Re: Getting Off the Patch Pete Herzog (Jan 14)
    - Re: Getting Off the Patch Valdis . Kletnieks (Jan 14)
    - Re: Getting Off the Patch phocean (Jan 14)
    - Re: Getting Off the Patch Pete Herzog (Jan 14)

(Thread continues...)