From: kenng at (Ng, Kenneth (US))
Subject: AW: no more public exploits

The military does have a lot of rules, some are followed more than others.
A friend got about 20 copies of the Melissa email worm on a computer that
was on a network that was supposed to be completely isolated from the
outside.  How much you wanna bet someone decided to save a few dollars by
dual homing a few PCs?  Heck, I've seen someone dual home an NT4 box with
every service known to man turned on, zero patches, TO THE INTERNET.  Thank
god he didn't have the right default route.

-----Original Message-----
[]On Behalf Of Bernard J.
Sent: Wednesday, April 28, 2004 3:38 PM
Subject: Re: AW: [Full-Disclosure] no more public exploits

Are you saying that the military has standardized best practices that
mandate the immediate installation of vendor OS patches? If they do, I
highly doubt that such policies are widely adhered to.

The fact is, quickly released security patches can and often do break
applications, particularly when the system configuration is less
common. Ask any Windows NT administrator about that.

I would venture to guess that you would not be a happy camper if the
IT organization supporting the systems that process your payroll or
banking applied code fixes without a robust testing procedure.

Bernard Duffy

On Wed, 28 Apr 2004 13:13:04 +0800,
<> wrote:
> Cael Abal said:
> >Realistically, the lack of a widespread published exploit means an
> >attack on any given machine is less likely.  An admin who chooses
> >to ignore these probabilities isn't looking at their job with the right
> perspective.
> You missed the "IMHO".
> In the Military your generalisation is probably not a self-evident truth.
> To quote another poster's sig. "Knowing what you don't know is more
> important
> than knowing what you know." and I would add that that's because what you
> do know you can try to deal with.
> Enough of the philosophy class.
> Regards,
> tom.
> Tom Cleary - Security Architect
> "In IT, acceptable solutions depend upon humans - Computers don't
> negotiate."
