Message-ID: <54439.1279373015@localhost>
Date: Sat, 17 Jul 2010 09:23:35 -0400
From: Valdis.Kletnieks@...edu
To: Sandeep Sengupta <sandeep.sengupta@...il.com>
Cc: Full-Disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Re: Two biggest Indian University Websites are
	vulnerable

On Sat, 17 Jul 2010 17:33:44 +0530, Sandeep Sengupta said:
> 1. We spoke to Univ system admin over the phone yesterday. They are
> aware of the problem. Now up to them how much time they will take to
> rectify it. We hope they at least have the wisdom to bring the site
> down till it is debugged.

That turns out to often be a harder decision than it looks.  Taking the
website down has its own costs - nobody can do any of the things the website
supports.  If you have good web logs and are fairly confident that you will
be able to detect and deal with any actual malicious activity, it may actually
make sense to keep the website up.  It's tradeoffs - which costs more, the
possible damage done by an attack, or the *known* damage caused by an outage?
