lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
From: purdy at tecman.com (Curt Purdy)
Subject: [inbox] Re: CyberInsecurity: The cost of Monopoly

NT4 SP2 was a nightmare.  Luckily I heard about it in the newsgroups the day
I planned on installing it on my ISP boxes (yes I run IIS, locked down, in
addition to Apache).  That taught me a lesson, and I now wait 48-72 hours
after release before installing any Microsoft service pack or hotfix, while
I observe Uncle Bill's guinea-pigs.

One of the things I love about *NIX is the stability.  FreeBSD 5.1 (I run on
my desktop) is more stable than any Microsoft .1 product ever hoped to be,
but the FreeBSD crew is still classifying 4.8 the production version (I run
on my servers).

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions

----------------------------------------

If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- former White House cybersecurity zar Richard Clarke


-----Original Message-----
From: full-disclosure-admin@...ts.netsys.com
[mailto:full-disclosure-admin@...ts.netsys.com]On Behalf Of Rodrigo
Barbosa
Sent: Tuesday, September 30, 2003 2:01 AM
To: full-disclosure@...ts.netsys.com
Subject: Re: [inbox] Re: [Full-Disclosure] CyberInsecurity: The cost of
Monopoly


On Mon, Sep 29, 2003 at 11:51:03PM -0500, Paul Schmehl wrote:
> >As some may recall, my original statement was an answer to someone that
> >was points that Unix is more secure then Windows (I agree up to this
> >point), and gave and example telling that there are still several codered
> >vulnerable machine around. This is the point I was commenting about. And
> >you do have to agree that is a machine, today, is still vulnerable to
> >Codered, it is mostly due to a fault of the administrator.
> >
> I'm going to pick one small nit with you.  There is another possible
guilty
> party.  In some cases, at least in edu and medical centers (that's what
I'm
> familiar with) the *vendor* is at fault.  Some vendors will not certify
> their scientific instruments with the latest Service Packs and patches,
> leaving the admins no other choice but to find some other way to protect
> the machine.  (Hell, we sometimes have trouble getting vendors of
> *security* devices to support their products with the latest SPs and
> patches.  (Which is another reason that I dislike putting security-related
> software on Windows boxes, but sometimes you simply have no choice.)

I stand corrected.

I kind of remember something about a friend of mine (Win admin) installing
NT SP2 and it breaking MS-SQL server.

And yes, you are correct about vendors too.

So, simply put, we are doomed :)

- When the software gets a bugfix released, you can't install it because
of the vendor
- When you can install it regardless of the vendor, the net admin forgets
to install it
- When the net admin remembers to install it, the users mess up
- When the user don't mess up, the cleaning lady pulls the plug

Talk about trustworthy computing :)

[]s

--
Rodrigo Barbosa <rodrigob@...spammers.org>
"Be excellent to each other ..." - Bill & Ted (Wyld Stallyns)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ