Message-ID: <58DB1B68E62B9F448DF1A276B0886DF16EBD6C3E@EX2010.hammerofgod.com>
Date: Wed, 19 Jan 2011 20:01:01 +0000
From: "Thor (Hammer of God)" <thor@...merofgod.com>
To: "cpolish@...ewest.net" <cpolish@...ewest.net>,
	"full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>,
	"'Cor Rosielle (cor@...post24.nl)'" <cor@...post24.nl>
Subject: Re: Getting Off the Patch

When the OP can't even support his own idea, it's probably time for this thread to die.  However, I thought about what you said, and it actually serves as an excellent example of why engaging in conversation around this sort of thing is important.


>Cor Rosielle wrote:
<snip>
> I did not know about the OSSTMM in those days. If I did, I could have
> explained why patching is not always the best solution: it interferes
> with your operations. 
</snip>

And thus lies the core purpose of this sort of "open standard." You would have liked for the OSSTMM to exist back then NOT because there was value in their approach to security, but because it would give you justification for not doing what you were already not doing.  You made a conscious decision not to patch a Windows 2000 box with IIS5 on it even though the radio listed off your company name (about that, what, what is Wikileaks Radio or something?).  There is justification now because you say the box never got hacked.  Of course, you don't know that, and can never know that.  Pursuant to that, put that box up on the internet in the same configuration it was in and post the IP here.  I guarantee that you'll only need an egg timer, if that. 

Since you already had a clear position of not caring about patching, there would be no need for the OSSTMM to exist for you at all.  And as you have stated, if it DID exist, you would have used it purely for justifying your actions.  When a CTO assumes that position and identifies the value of that organization to provide a straw-man standard, that is when people who have a better understanding of what security is should speak up. 

t

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
