lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1068758377.11682.20.camel@Star.BerthoudWireless.net>
From: security at 303underground.com (Scott Taylor)
Subject: SSH Exploit Request

On Thu, 2003-11-13 at 13:19, Valdis.Kletnieks@...edu wrote:
> On Thu, 13 Nov 2003 12:08:41 EST, Robert Davies <phantasm@...tbox.net>  said:
> 
> > I am quite bothered out the ass by well paid admins that are too damn lazy
> > to spend the few minutes it takes to repair a flawed service. Either start
> > doing your job, or get the hell out of the way for those of us that want to
> > do the job required properly!
> 
> Actually, the *original* problem was that the OP *wanted* to apply the patch
> to fix a flawed service, but was prevented from doing so by a flawed policy.
> 
> Now tell me - would *you* install the patch anyhow, knowing that (possibly)
> doing so without all the change-control paperwork being done correctly
> would mean your ass would be canned and you'd be looking for another job?

"Change Control" paperwork is the bane of security folks. I have most
often been on the network/firewall side of things and  had been expected
to block access at the network level to make up for slow  patching from
the sysadmin side. I was at least lucky enough to have a management
chain that understood the importance of security enough to verbally
approve any reasonable requests from our team on short notice.

There is definitely a need for change control and regression testing.
Especially when microsoft servers are concerned. Who hasn't seen a site
go down or a computer bluescreen or something equally fatal to the
system after a microsoft patch was applied? They obviously can't be
bothered to test their software, so its up to users concerned with
uptime to test it themselves before applying patches to production
servers.

But it really does take both sides to keep systems safe. Not everything
can be filtered at the network level, and threats are not exclusively
from "the internet". Unhappy employees or otherwise compromised machines
can further exploit the internal network. 

--
Scott Taylor - <security@...underground.com> 

BOFH Excuse #209:

Only people with names beginning with 'A' are getting mail this week (a la Microsoft)


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ