Open Source and information security mailing list archives
Message-ID: <43BDBAD7.10605@pacbell.net>
Date: Thu, 05 Jan 2006 16:33:27 -0800
From: "Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <sbradcpa@...bell.net>
To: Gadi Evron <ge@...uxbox.org>
Cc: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>,
	bugtraq@...urityfocus.com
Subject: Re: what we REALLY learned from WMF


As I'm not a coder... I don't have the technical information to answer 
that one authoritatively.  The WMF issue has taught me... if you aren't 
an authority on the issue... shut up!  :-)

Gadi Evron wrote:

> Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote:
>
>> It's easy for us on this side to Monday morning quarterback and say 
>> "oh make it so".  There are times too that I go...okay ...come on 
>> ...how many days has it taken for that to get fixed?  But then again, 
>> I don't write code, I don't track back dependencies, I don't ensure 
>> umpteen languages still work and all the other interconnectivity 
>> between programs and code still functions.
>>
>> It's easy to say this stuff on this side.... but understand that the 
>> mere release of a beta patch puts in jeopardy all of the consumer 
>> home machines and small businesses that have no admin to protect them 
>> and take mitigation measures.
>>
>> What "I" really learned from this is to decide my "OWN" risk 
>> tolerance and stop listening to all the sites and blogs and news 
>> reports and what not that spread a lot of FUD and misinformation and 
>> used this many times as a PR vehicle.  Only I know what risk I will 
>> tolerate.  That's what I learned from this.
>
>
> And only you can decide your own risk vs. gain.
>
> Question is though, as I agree with you about BETA patches (although 
> you don't have to use them), is if RELEASE patches can be released a 
> lot faster?
>
> This is what this case taught me.
>
>     Gadi.
>

-- 
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

