Message-ID: <20040513200953.39724.qmail@web41603.mail.yahoo.com>
From: keydet89 at yahoo.com (Harlan Carvey)
Subject: Support the Sasser-author fund started

Micah,

> I wonder if people forget the liability that any
> organization inherits if they do NOT maintain an
> above-standard protection scheme for their
> network/hosts.

What kind of liability are you talking about?  Social?
I'm not aware of any legal liability that's been
tested here in the US.

For example, are you aware of any cases in which
Company A has sustained damage (loss of revenue in
production time, data, or stock dropping due to drop
in customer confidence...) b/c a bad guy broke into
Company B, and used those systems as stepping stones
into Company A?  

> Misconfiguration of network hosts/machines after
> being NOTIFIED of an OS flaw or other should deem
> that organization responsible.

Ah...there's the key..."should".  Unfortunately, it
just isn't the case.

> Maybe companies should start hiring
> clueful people that care about not only their
> internal infrastructure but
> the last mile facing their own customers. 

At what level?  I just left a company where the CIO
had the *only* security type doing clerical work.  The
security weenie was knowledgeable enough and
conscientious enough...but was too busy to even review
IIS logs.