Message-ID: <81591D9C-D35F-11D7-85CA-0030656A784C@mirrorshades.net>
From: bda at mirrorshades.net (Bryan Allen)
Subject: Administrivia: Testing Emergency Virus Filter..

On Wednesday, August 20, 2003, at 4:37 PM, Gary E. Miller wrote:

> Yo Paul!
>
> On Wed, 20 Aug 2003, Schmehl, Paul L wrote:
>
>> Have you asked them when the last time that they updated was?  A remote
>> hole in Mac OS X was announced just last week (the realpath problem).
>> I'll bet most of them don't even know about it.
>
> All OSes have problems getting users to update.  The old saying "If it
> ain't broke don't fix it" will be with us a long time.   At least if
> the user is using an OS with halfway decent privilege separation there
> will probably be more limited damage when unpatched bugs are exploited.

Also keeping in mind that Software Update is on by default, and forces 
a user to reboot if it's required (no closing the window a la Windows).

In theory, if a user isn't clueful enough to know about security 
updates, it's *relatively* unlikely that they'll have turned it off, or 
will do so. (The same goes for Windows Update, only I have yet to hear 
that when you install an OS X patch, it tells you it's installed the 
update, only it hasn't, unlike some other package update mechanisms I 
suppose we could mention. ;-)

Panther (OS X.3) will have reboot-less updates, apparently.

Also, the "OMFG THAT OS HAD A VULNERABILITY OMFG WTF" is rather silly. 
Applications have bugs. Patches get written. Hopefully they get 
applied.

How many Linux users are still running a ptrace-vulnerable kernel? Or 
how many FreeBSD users haven't cvsup'd up and rebuilt their kernel? How 
many never got the vuln reports in the first place?

Users are users.

So it goes.
--
bda
Cyberpunk is dead.  Long live cyberpunk.
http://mirrorshades.org

