From: DARREN.L.BENNETT at saic.com (Darren Bennett)
Subject: "MS Blast" Win2000 Patch Download

"Piss poor application written by a programmer who should know
better"... i.e. Windows/Microsoft?

	-DB

On Thu, 2003-08-14 at 10:15, James Patterson Wicks wrote:
> I manage a national enterprise and we block port 135 on all external firewall interfaces.  There is scant reason why this port needs to be open from external IP's.  If an application requires open access to port 135 over the Internet, it's a piss poor application written by a programmer who should know better.  When our company started out, we had one vendor who thought it would be cool to allow all of its Exchange customers to use the full Outlook client from anywhere, including from home, without using a VPN tunnel.  Needless to say that they are nearly out of business now.  The real solution to the real problem is not working with crappy vendors, stop treating the security policy like toilet paper and create network environments that can be secured against known threats and set to monitor for the unknown threats.  If your political environment at work is such that creating such an environment is impossible, then it is up to you whether you want to continue working there.
> The only thing that you can do is advise the executive staff of the risk that they take when implementing poor security and hope that they take your advice seriously.  If they don't give you the money to implement the necessary security, implement the best security that you can and DOCUMENT your actions and the risks associated with it.  If the environment is so bad that you cannot even do that, then you should be surfing Monster.com for a new job rather than ranting at people on this forum for offering sound suggestions to combat the problem.
> 
> 
> -----Original Message-----
> From: full-disclosure-admin@...ts.netsys.com
> [mailto:full-disclosure-admin@...ts.netsys.com]On Behalf Of Brad Bemis
> Sent: Thursday, August 14, 2003 12:22 PM
> To: Ed Carp; Anjan Dave; full-disclosure@...ts.netsys.com
> Subject: RE: [Full-Disclosure] "MS Blast" Win2000 Patch Download
> 
> 
> > It's probably worth mentioning even more that if you have 
> > port 135 blocked on your firewall, you wouldn't have to worry 
> > about it :(
> 
> Personally I am getting tired of people making these kinds of comments.  It
> is obvious that these people have never had responsibility for a
> large-scale, multi-national enterprise environment that touches so many
> different organizations world-wide that it is nearly impossible to account
> for every single Internet access point (not to mention remote access and
> mobile computers).  While it may be true that blocking port 135 at the
> firewall would work in an ideal environment, very few of us that deal with
> security matters in the real world have anything that even begins to
> approach an ideal environment.  We need to be discussing real solutions to
> real problems, not verbalizing a continued ignorance of reality.  Sorry for
> the rant, but this topic is getting old quickly!     
> 
> Thank you for your time and attention,
> 
> ========================
> Brad Bemis
> ========================
> 
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
> 
-- 
-----------------------------------------------
Darren Bennett 
CISSP, Certified Unix Admin., MCSE, MCSA, MCP +I
Sr. Systems Administrator/Manager
Science Applications International Corporation
Advanced Systems Development and Integration
-----------------------------------------------