From: A.J.Caines at halplant.com (Andrew J Caines)
Subject: SSH Exploit Request

Robert,

> I do apologize for assuming those that do not do the appropriate research
> and patching in a timely manner are lazy, whereas it's possibly the suits and
> policy writers that are definitely more to blame. IMO, I would do the
> patching as soon as I found the patched service suitable, and if I lost my
> job, at least I know that's one more machine that was secure under my
> control.

This illustrates the conflict of being a systems and security professional
and being an employed systems/security administrator/engineer/whatever.
Your instinct to do what you know is in the best interests of protecting
the resources (systems, applications, data) under your control is natural
and certainly a necessary and admirable quality; however, there is one
critical overriding detail:

		You do not own the system. They do.

Unless you define policy, own the systems, pay the bills or whatever gives
you the real authority, the best you can do is to work to make sure that
they are able to make the best, most informed decisions possible based on
your expert advice. This includes details of systems security and threats,
as well as policy and process. Try to improve the system from within: use
the change control process, document issues, make sure you address your
audiences in terms appropriate to them (which does not mean to "dumb
down", but to accurately convey information which they can understand well
enough to make decisions based on it).

In the end, if you cannot accept the decisions made by them after you have
made a genuine effort to address what you consider to be the serious
issues affecting your duties and responsibilities, then you have the
authority to find a better job.

Either way, the reward in the end is when you get regularly asked, "What
do you suggest?".

> I'd rather tell a prospective employer that I was canned for taking
> security precautions then canned for having a critical machine compromised.

Presuming s/then/than/, the potential employer will be happier to hear
that on more than one occasion you advised your management of the threat,
provided solutions, worked with management to fix the problem, then
resigned after the systems were compromised because you felt your
professional expertise was not being valued or used.


-Andrew-
-- 
 _______________________________________________________________________
| -Andrew J. Caines-   Unix Systems Engineer   A.J.Caines@...plant.com  |
| "They that can give up essential liberty to obtain a little temporary |
|  safety deserve neither liberty nor safety" - Benjamin Franklin, 1759 |
