Date: Mon, 17 Jan 2011 13:51:04 +0100
From: Pete Herzog <lists@...com.org>
To: phocean <0x90@...cean.net>
Cc: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Re: Getting Off the Patch

Phocean,

> I can't leave that one. Seriously and with all the respect I have for
> you, have you ever worked for a large company?

Of course.

>
> First, there are ALWAYS (we are talking about scaling organisations,
> right, not about startups) SEVERAL environments for critical
> applications. Not for patching, but for coding, testing, validating and
> producing. Each platform can be used for testing the patches. Patch
> management doesn't involve additional cost here. It is just the way
> production environments work.

I agree that patching is not the largest part of an infrastructure, but 
unfortunately it's one that many organizations rely on for security. 
You can't deny that. I'm glad yours doesn't so maybe it doesn't matter 
to you. And what about the smaller organizations that don't have 
multiple environments or do their own coding? The article was written 
to a broad audience. Like many are. How many times have you read an 
article and realized it doesn't apply to you or someone in your 
situation? Do you go on the attack for all of them? We both know that 
there are situations where patching is the means of security for many 
organizations. I want to see that changed and one of the things they 
hate is the chore of patching and patch remediation.

>
> Second, companies using critical applications and serious about their
> users and environments don't care about the cost of a few more servers
> if ever it was required.

That's a fallacious argument because there's no win. If I prove 
otherwise, you tell me they're not "serious".

>
> I am aware one can find tons of counter examples of big companies
> failing in having such processes, but it is an organization problem. Not
> a patch management one.

Sorry if me trying to help find solutions for those companies bothers 
you so much. Please feel free to ignore my future posts and future 
work then so as not to waste your time.

Sincerely,
-pete.

-- 
Pete Herzog - Managing Director - pete@...com.org
ISECOM - Institute for Security and Open Methodologies
www.isecom.org - www.osstmm.org
www.hackerhighschool.org - www.badpeopleproject.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
