Message-ID: <405998A8.18745.6275BE5@localhost>
From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Subject: Re: Microsoft Security, baby steps ?

"Geo." <geoincidents@...info.org> wrote:

> It doesn't address the issue. The requirement is that some MS customers need
> to patch without putting the machine on the internet. For whatever reasons.

Absolutely.

Much _worse_ though, is that _FAR TOO FEW_ MS customers actually seem to practice something like that. In a corporate environment I would expect to see that as a very widespread requirement (though maybe those who do it have most of the small-ish pool of really clueful Windows techs who know what a slipstreamed install point is and so on, so _they_ do not see any major problems there...).

> Is that such an unreasonable request?

No, it's not, but it may be the case that MS thinks it has such requirements pretty well covered.

Perhaps MS should be doing a lot more/better work educating its (medium to large) customers how to do system design, testing and rollout? Focussing on patch management (as it is somewhat at the moment) kinda assumes that there is a "system" worth patching, but if that has not been well-designed from the outset, in most cases you are better off re-doing the base OS implementation, rolling that out _then_ dealing with patching, which will be much better designed into a system spec'ed and implemented today than the existing one from several years back (assuming it was ever actually "designed" -- Ghost, et al. are cool, but they aren't much as system management tools _per se_).

Regards,

Nick FitzGerald