Message-ID: <405998A8.18745.6275BE5@localhost>
From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Subject: Re: Microsoft Security, baby steps ?

"Geo." <geoincidents@...info.org> wrote:

> It doesn't address the issue. The requirement is that some MS customers need
> to patch without putting the machine on the internet. For whatever reasons.

Absolutely.

Much _worse_ though, is that _FAR TOO FEW_ MS customers actually seem 
to practice something like that.  In a corporate environment I would 
expect to see that as a very widespread requirement (though maybe those 
who do it have most of the small-ish pool of really clueful Windows 
techs who know what a slipstreamed install point is and so on, so 
_they_ do not see any major problems there...).

> Is that such an unreasonable request?

No, it's not, but it may be the case that MS thinks it has such 
requirements pretty well covered.  Perhaps MS should be doing a lot 
more/better work educating its (medium to large) customers how to do 
system design, testing and rollout?  Focussing on patch management (as 
it is somewhat at the moment) kinda assumes that there is a "system" 
worth patching, but if that has not been well-designed from the outset, 
in most cases you are better off re-doing the base OS implementation, 
rolling that out _then_ dealing with patching, which will be much 
better designed into a system spec'ed and implemented today than the 
existing one from several years back (assuming it was ever actually 
"designed" -- Ghost, et al. are cool, but they aren't much as system 
management tools _per se_).


Regards,

Nick FitzGerald
