Re: Getting Off the Patch

["Cal Leeming [Simplicity Media Ltd]" <cal.leeming () simplicitymedialtd co uk>]

In that case, my two cents on the matter would be that the thought process
behind this "no patch method" has come from someone with very little
development and/or security background.

On Wed, Jan 19, 2011 at 9:16 AM, Christian Sciberras <uuf6429 () gmail com>wrote:

> Ah, but that is YOUR argument. They don't seem to agree with it.
>
> Heck if they did, every single word so far would have been completely
> unnecessary, since layering security is what we've done ever since the first
> knife was invented!
>
>
>
>
>
>
>
>
> On Wed, Jan 19, 2011 at 10:13 AM, Cal Leeming [Simplicity Media Ltd] <
> cal.leeming () simplicitymedialtd co uk> wrote:
>
> > Christian,
> >
> > There is no 'direct alternative' as we have already established that there
> > is no "be all and end all" for security, it's when you layer these factors
> > on top of each other that it becomes more effective.
> >
> > On Tue, Jan 18, 2011 at 11:45 PM, Christian Sciberras <uuf6429 () gmail com>wrote:
> >
> > > I'm getting a bit annoyed reading over and over arguments which I've
> > > highlighted some time ago anyway (
> > > http://www.mail-archive.com/full-disclosure () lists grok org uk/msg44454.html
> > > ).
> > >
> > > The real question, what is the *direct* alternative to patching?
> > >
> > > Don't say "sandboxing" because it doesn't always work.
> > > And don't tell me about only installing the system critical issues only -
> > > that's called "update by priority".
> > > Also, please remember that we are talking against patching, not
> > > discussing where patching works(/ is better) or not so I would expect any
> > > serious arguments to completely exclude patching.
> > >
> > > Regards,
> > > Chris.
> > >
> > >
> > >
> > >
> > >
> > >
> > > On Tue, Jan 18, 2011 at 9:05 PM, coderman <coderman () gmail com> wrote:
> > >
> > > > On Tue, Jan 18, 2011 at 11:43 AM, phocean <0x90 () phocean net> wrote:
> > > > > ... how is this new ? It has been the best
> > > > > practice of good system/security administrators for years.
> > > > >
> > > > > And it doesn't look like a "no patching" policy yet...
> > > >
> > > >
> > > > sure, .. though you've made me sad considering how few organizations
> > > > do "best practice, good system/security administration".
> > > >
> > > > not new, still difficult?   (~_~;)
> > > >
> > > >
> > > >  that leaves consensus:
> > > >    "no patching" elusive, yet to be observed in real-world. (e.g.
> > > > yeti or bigfeets)
> > > >
> > > > _______________________________________________
> > > > Full-Disclosure - We believe in it.
> > > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > > > Hosted and sponsored by Secunia - http://secunia.com/
> > >
> > >
> > > _______________________________________________
> > > Full-Disclosure - We believe in it.
> > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > > Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/