Open Source and information security mailing list archives
Message-ID: <000101c29d3c$c7c0dfe0$2300a8c0@fujilap>
From: steve at entrenchtech.com (Steve W. Manzuik)
Subject: RE: Full-Disclosure digest, Vol 1 #433 - 4 msgs

> You seem to have missed the diagram for your proposed 
> solution. Without it your post appears like just another 
> rant, which surely it can't possibly be?

I took the Sockz post as a rant but as a rant that made some good points
and asked some good questions.

> You make some sweeping statements, like a sys admin can only 
> patch one system. I myself patch more than one system on a 
> regular basis. Your statement is now null and void, since 
> I've given a counter-example. Sorry about that.

You sir, are in the minority.  I have around 12 years of IT and IT
security experience and I can speak for the fact that most admins do not
patch boxes.  Not out of ignorance but out of time and resource
limitations.  Perhaps the next 10 years of my life will teach me better
but I doubt it.

I have yet, as a security consultant, to do a "pen-test" that has been
unsuccessful.  What does that tell you about the state of IT today?  It
says nothing about my skills, there are far better men than me around
but it speaks volumes about the state of the industry and the so called
value in a pen-test.  Shit, instead of buying a pen-test why not
purchase this lovely bridge I have at eBay on sale.

> From what I can gather you are proposing a block on the kinds 
> of information that can be made public, which is on the face 
> of it an excellent idea. 

I personally DON'T think that blocking the information is the answer.
Controlling it a bit better is.  But as I said in my reply to Sockz --
there is no practical way to do this so for the time being we are stuck
with what we have.

> However, we live in the real world 
> (or at least most of us do), where we have little control 
> over what the citizens of other countries do. 

Good point.  That is what I was trying to get across.  The Sockz
solution is assuming that all people are ethical and good.  Maybe I am
cynical but I don't believe this.

> country, unless you can create some kind of International law 
> to prevent this. However, this law would override the 
> constitutional powers of most countries so is unlikely to be 
> passed. That is to say, neither the EU nor the USA would 
> accept any wide-ranging restrictions on the freedom of 
> speech. 

Ummm, actually if you take a look at some of the pending legislation in
the USA, Canada, Japan, Australia and the EU this is exactly what is
going to happen.  I myself think that this is unfortunate.  In a perfect
world the internet would police itself -- but as you said that is
relying on everyone to act in ethical good faith. 

> case of the "Washington sniper" saw more journalists involved 
> in the case than police, and they came very close to wrecking 
> the investigation. In that case, should the journalists have 
> been restricted in their reporting, and if so, how?

Of course they should have in this case.  They almost fucked up (for
lack of a better Jack Daniels induced phrase) an important
investigation.  I have a short list of journalists who I consider real
journalists.  I don't need to name them here but they are the voices of
reason in the world today.  Half the so called "journalists" involved in
the sniper case wanted nothing more than the "latest scoop" to get their
asses on TV and gain more publicity.  It is unfortunate but journalism
today has turned into nothing more than media whoring.  We are lucky to
have the few (minority) true journalists that we have today.  Hmmmm,
this sounds a lot like the security industry............

I am in complete favor of the police randomly shooting journalists that
ask stupid questions.  In fact, we should put it on pay per view.  I
know my journalist friends would never get shot.  :-)

> Connecting anything to the Internet is a risky business. Like 
> all things in life, it has its benefits and pitfalls.

Of course, just in this case there happens to be a few of us who want to
make the pitfalls a bit smaller.  And while you understand the risks
many others do not.  This is the problem.  Unfortunately, the problem
feeds itself in creating the snake oil we see today.

Not sure if this makes sense, nor do I care.............whiskey in the
jar oh oh oh.......  :-)

