lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <5.0.0.25.2.20030131134203.055e3e80@pop3.direcway.com>
From: madsaxon at direcway.com (madsaxon)
Subject: The worm author finally revealed!

>Backing the patches out didn't do a thing, so now we have to return all
>the way to SP2, reinstall HEAT and then patch back to the level right
>*before* the one that took it down.  You can just imagine how thrilled
>the admins are to have to do that - and the next time they have to patch
>that box, they'll be real leery about doing it.  And these are admins
>who are *very* conscientious about patching and *very* aware of security
>issues.

That happens where I work, too.  Every new patch breaks something else,
and since a fair amount of our software is custom-designed, we have to
get the vendors to rush out and figure out how to patch their stuff to
be compatible with the new patch.  That costs beaucoup bucks, and meanwhile
our clients are screaming because their application is down.  The next
time a patch comes out, management is very reluctant to allow us to install
it, so we have to do a cost-benefit analysis on which would be the greater
evil: leaving the vulnerability unpatched or pissing off our clients with 
yet another
period of downtime.  If we don't patch, we get called "irresponsible" and 
"lazy."
If we do patch, we further erode client confidence in our ability to maintain
quality of service.

I personally argued strongly against Microsoft servers in the first place,
but of course that was pooh-poohed as just sour grapes from an old Unix 
fossil.

This is not a black and white issue with cut and dried solutions.  That's not
to say, however, that we shouldn't nevertheless continue looking for them.

m5x

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ