Date: Wed, 19 Jan 2011 13:25:23 +0100
From: "Cor Rosielle" <cor@...post24.com>
To: <noloader@...il.com>,
	<full-disclosure@...ts.grok.org.uk>
Subject: Re: Getting Off the Patch

I would like to emphasize that I was not saying not to patch at all. I said:
"Sometimes patching is the right solution, often it is not." However, I did
not explicitly say I was trying to protect our own data/assets and not
someone else's.

So when your data is housed elsewhere, then what? Well, in that case you
don't have to think about patching yourself. Your provider has to.
And since the provider does not have to protect his own data, he can afford
to make different considerations. He doesn't have to focus on how his
operations are best controlled, because he is not his own operations. So in
his case, I would patch. Just to cover my ass. I would even state in my
terms and agreements that I would patch, so nobody could blame me for doing so.

I wouldn't envy my customers, because they cannot fully control all parts
of their own operations in this scenario. They simply have to trust me as a
provider, and I will prove to be trustworthy and keep to the contract.

So if something breaks after patching, they can blame ... well, I
actually don't know who they can blame. They can't blame me, because I did
what I promised. It is not certain they can blame the vendor, because the patch
was tested and proved to work for the majority in the world. Do they need to
blame themselves? Nahh. Of course they don't blame themselves. If they cannot
blame anyone, it's just a case of bad luck. But it's definitely not
their fault.

Cor Rosielle
Chief Technology Officer



> -----Original Message-----
> From: Jeffrey Walton [mailto:noloader@...il.com]
> Sent: Wednesday 19 January 2011 12:26
> To: Cor Rosielle
> Cc: full-disclosure@...ts.grok.org.uk
> Subject: Re: [Full-disclosure] Getting Off the Patch
> 
> Sorry about the top post - just one comment....
> 
> > Bottom line is that patching interferes with operations and therefore,
> It's a sad state of affairs when folks put other endeavors, such as
> uptime, above security.
> 
> I can't speak for others but I hope my data is not housed at such a
> shop. If my data went out the e-door of such a shop, and the shop was
> not patching, then I would consider the shop's practices grossly
> negligent. It would be irrelevant to me who claimed it was OK for
> whatever reason.
> 
> Jeff
... snip ...
