From: futureshoks at hushmail.com (futureshoks@...hmail.com)
Subject: The worm author finally revealed!

-----BEGIN PGP SIGNED MESSAGE-----

Fair comment and you are entitled to your opinion. However much we 'Helpdesk' (as Pipes puts it) people who have to manage actual live systems would like to secure our systems, we are still driven by the management.

Yes it would be nice to have a management structure that recognised the value of infosec. Yes it would be nice if development would commit resources to updating code in the light of patches/upgrades/etc. Yes it would be nice if we could control the network with an iron fist. Yes it would be nice... but in the end we are driven by the bottom line, especially in the current economic climate. If the CEO says that the new product deadline is more important than fixing the code for SQL SP3 then that's what we have to deal with. Tough.

So saying that there is no excuse to patch blah blah blah doesn't hold true. We have to work within logistical boundaries and do what we can. What do you do if patching isn't viable, the systems have to stay up and development/test resources can't be committed to fixes? In this instance you block port 1434 if you can and hope to God that nothing bad happens.

What I am trying to say is that it is easy for security researchers, software vendors, anonymous people on mailing lists, etc. to say "patch your systems or you've only yourself to blame". But when people say things like "so yes, you probably could get away with unplugging servers." in response, it goes to show that they don't understand the political and logistical factors in running a real live secure system that generates revenue.

Just imagine you pulled the plug on your company's webserver because they were running an un-patched IIS (and you're running IIS because some development manager decided it was The Right Thing). Your CEO comes storming down saying they are losing business and the reputation of the company is being damaged. What do you do? Retort with "well a hacked webserver would be more damaging". What do you think (s)he'll say? "Oh OK then, I see your point. Keep the servers down until it's patched and thank you for your proactive stance". Or more likely "get the servers back on-line or you are fired".

I'm not making personal attacks here: everyone should be free to have their own opinion and I'm willing to admit that I might be wrong. I just get narked by this whole attitude of "security is the primary focus of everything". In the Real World I've found that money is the primary focus and security is protection of investment that sometimes has to be compromised - however much we know/insist that this shouldn't be the case.


On Thu, 2003-01-30 at 13:08, Pipes Cuchifrito wrote:
> >With regards patching systems: have you ever worked in a *real* operations post? Have you ever had developers of your main product say to you "no you can't upgrade to SP6a as it'll break the main engine". No matter how much you beg and plead to get this fixed they don't have the resources. What you gonna say? "Fuck you then I'm unplugging the Live servers"?
>
Yet another clueless twit.

- --
Paul Schmehl (pauls@...allas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/~pauls/
AVIEN Founding Member

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html