Message-ID: <408F2096.9030003@onryou.com>
From: lists2 at onryou.com (Cael Abal)
Subject: AW: no more public exploits

Baum, Stefan wrote:
> IMHO, no sysadmin taking his work seriously, will wait patching the systems
> until an exploit is available throughout the internet.
> 
> Stefan
> (I AM A SYSADMIN)

Cripes, this is the thread that never ends.

What if there were two patches fixing vulnerabilities of equal severity, 
one with a known, published exploit and one without?  Would you give one 
priority (considering that rolling out a patch involves significant 
testing)?  You do perform regression testing, right?

What if you were juggling a slew of very high priority tasks and a patch 
was made available?  Would you drop everything (including those mission 
critical jobs your boss' boss asked you to handle by day's end) in order 
to push that patch out the door immediately?

Part of being a good sysadmin (really, being a good /anything/) involves 
being able to perform on-the-fly cost/benefit analyses.  Realistically, 
the lack of a widespread published exploit means an attack on any given 
machine is less likely.  An admin who chooses to ignore these 
probabilities isn't looking at their job with the right perspective.

Take care,

Cael
