Date: Wed, 19 Jan 2011 22:42:31 -0500
From: "Phil" <phil@...ea.net>
To: "'Pete Smith'" <seclists@...apitate.us>
Cc: 'Cor Rosielle' <cor@...post24.nl>, full-disclosure@...ts.grok.org.uk
Subject: Re: Getting Off the Patch

It's too easy to update a server OS; that's the reason everyone just talks
about server OSes.

Like for Cisco gear, the client needs to know that he's insecure and he needs
someone on his IT team registered on the Cisco web site to have access to the
patch... For the HP gear I updated, you need TFTP or a serial cable with the
equipment nearby... heh, that's really complicated to update... (harder
than clicking next.. haha)

In Windows, the magic update service automatically flags the admin, so it's
stupid-proof. And if you fear installing any patch, then you can even go
virtual and snapshot your server before. (Now it's really zombie-proof.)

It's lucky that SOX 404 exists for security consultants.

From: full-disclosure-bounces@...ts.grok.org.uk
[mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of Pete Smith
Sent: January 19, 2011 21:06
To: Thor (Hammer of God)
Cc: Cor Rosielle (cor@...post24.nl); full-disclosure@...ts.grok.org.uk
Subject: Re: [Full-disclosure] Getting Off the Patch

All,

I agree with most of the stuff that Thor has been saying, and from what I
have read this has mostly been centred around patching software on servers.
However, most large companies take the don't-patch or patch-infrequently
stance when it comes to network infrastructure. Cisco, Juniper, 3COM, HP and
other large network infrastructure companies by no means have a clean record
when it comes to vulnerabilities in their software, yet businesses will
often not patch, even in environments that are highly redundant and can be
rebooted with little or no impact.

Can anyone seriously say that they patch every time Cisco releases a new
version of IOS?



