lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <D54AB2ADB72C164B8251422DE1D3234222AC92@srv900045>
From: svgn at orbid.be (Serge van Ginderachter (svgn))
Subject: Learn from history?





> 1.  Microsoft already provides that feature

Sure. Yo have no problem about running it automatically?

> 2.  As soon as possible for "you"

No. As soon as the customer phones asking you to drop by. Meanin: when it's
too late.
 
> >> 2. If a patch cannot be installed, find workarounds
> >That does not work with the workarounds customer need to facilitate
> >life (security <> easy of use, remember)

> And the computers/networks will be so easy to use when lines 
> are saturated,
>  file systems are corrupted or data are stolen

That's the problem they are prepared to deal with at the moment it comes.
They think it's cheaper.
 
> >> 3. If it is a port-related threat, find out if such ports are 
> >> in use, and if not, make sure they are closed. 
> >Once the virus is on the LAN it can do whatever it wants.
> 
> Hello!  Block the ports BEFORE they hit the LAN.  Proactive security.
> Also, do us a favor and don't propogate the shit!

Well of course they are blocked. But there are other means of coming in you
know.

> >> Some of the comments overheard this week regarding Sasser:
> >I did propose some firewall, but they feel it's too much EUREUREUREUR
> 
> And you provided some sort of analysis showing potential losses due to
> the lack of a security infrastructure, right?  

Well indeed of course not. Customer is not prepared to pay for that kind of
analysis. 
 
> >> Will they learn from history? Only history will tell.
> >I'm pretty sure they won't. Even most tech guys don't have a clue.
> 
> Evidently, thanks for your example.

There's no reason to get personal here. Don't judge me on such a restraint
discusion.
My only point is, SMB businesses are not prepared to pay for advanced
security, which you say I should provide, and to whick I totally agree. 

Maybe my boss does not have the right business plan and marketing to 'sell'
security. Probably.


Serge

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ