| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: madsaxon at direcway.com (madsaxon) Subject: The worm author finally revealed! >Backing the patches out didn't do a thing, so now we have to return all >the way to SP2, reinstall HEAT and then patch back to the level right >*before* the one that took it down. You can just imagine how thrilled >the admins are to have to do that - and the next time they have to patch >that box, they'll be real leery about doing it. And these are admins >who are *very* conscientious about patching and *very* aware of security >issues. That happens where I work, too. Every new patch breaks something else, and since a fair amount of our software is custom-designed, we have to get the vendors to rush out and figure out how to patch their stuff to be compatible with the new patch. That costs beaucoup bucks, and meanwhile our clients are screaming because their application is down. The next time a patch comes out, management is very reluctant to allow us to install it, so we have to do a cost-benefit analysis on which would be the greater evil: leaving the vulnerability unpatched or pissing off our clients with yet another period of downtime. If we don't patch, we get called "irresponsible" and "lazy." If we do patch, we further erode client confidence in our ability to maintain quality of service. I personally argued strongly against Microsoft servers in the first place, but of course that was pooh-poohed as just sour grapes from an old Unix fossil. This is not a black and white issue with cut and dried solutions. That's not to say, however, that we shouldn't nevertheless continue looking for them. m5x
Powered by blists - more mailing lists