lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <004001c260d7$e79ac430$1e01320a@drizzt>
From: nexus at patrol.i-way.co.uk (Nexus)
Subject: Re: MS-02-052

----- Original Message -----
From: "Steve" <steve@...eogroup.com>
To: <full-disclosure@...ts.netsys.com>
Sent: Friday, September 20, 2002 5:59 PM
Subject: Re: [Full-Disclosure] Re: MS-02-052


> Hehe, right you are.
>
> But we've got more valuable things to do with our time than chasing
> patches that will never fully come through anyway.

Fair one, but you can also remove unused functionality - that would have
stopped CR for example, without even a patch.

> which generates income. You may see that as an irrational
> shut-everything-down approach, which is your prerogative.

As it is yours - you just seemed irrational in your post, Mea Culpa ;-)

> To be specific it's not MY shit to sort out. If I'm dumb enough to use
> MS then I would HAVE to sort out their shit. Nice stab though...

It wasn't a stab, merely an observation - I dislike the [percieved] attitude
that X is bad and Y is good without looking at the ethos of the vendor and
to what extent what functionality is installed Out Of Box.   Microsoft ship
their stuff with all bells and whistles enabled be default.   They have done
this for a long time and should be no surprise to anyone, so the first act
should be to remove all said bells and whistles you don't use.   Yes that's
an admin overhead unless you invested time in an automated secure build
policy, but if that's what it takes, then it needs to be done.   I did the
BOFH thing for long enough to know that.
You can lock down box A just as well as box B regardless of OS or
application, was my point.
Sometimes it takes a bit longer and maybe a bit more work and dependant on
what skills you or your team have, that may or may not be viable.   That's
just mitigation of risk which to a large extent is technology independant.

Cheers.


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ