Date: Fri, 14 Jan 2011 15:54:08 +0000
From: "Thor (Hammer of God)" <thor@...merofgod.com>
To: Christian Sciberras <uuf6429@...il.com>
Cc: C <fxchip@...il.com>,
	"full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>,
	"lists@...com.org" <lists@...com.org>, Zach@...ts.grok.org.uk
Subject: Re: Getting Off the Patch

I'm sure it will all be cleared up when we see the reporting...

t

From: Christian Sciberras [mailto:uuf6429@...il.com]
Sent: Friday, January 14, 2011 7:45 AM
To: Thor (Hammer of God)
Cc: lists@...com.org; phocean; full-disclosure@...ts.grok.org.uk; Zach C
Subject: Re: [Full-disclosure] Getting Off the Patch

Thought I should point out that they seem to have forgotten the main function in mass/distributed computer control and management.
What would otherwise be a "huge" waste is done in little time and tested reliable in as little time. According to the reliability of the patch, one would also assume that worst case scenarios involve *just* rolling back changes, again, not really losing anything at all.


On Fri, Jan 14, 2011 at 4:39 PM, Thor (Hammer of God) <thor@...merofgod.com<mailto:thor@...merofgod.com>> wrote:
>We disagree. Patches change code which has already been operationally and
>functionally tested. This requires additional testing for each update and patch
>and that takes time, money, and other resources away from other things.
>Therefore no wonder when operations scale upward, the cost of security
>goes exponential. It's because of all the waste.
Please share the research you have that backs up this statement.  I would be very interested in knowing the details that provide the foundation for this argument.  I'm particularly interested in the cost points and identification of the exponential cost of security from patching and the money saved by not patching in your environment.

I presume that you have empirical evidence of the vast savings based on concurrent operational models in an enterprise environment, so I'm curious as to how many thousands of servers you are operationally responsible for, because that information is not only critical, but required for this model to be considered.  IOW, if you could share the analysis you presented to management that they bought off on, that would be extremely helpful.

Thanks!

t

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


