Date: Wed, 19 Jan 2011 09:20:27 +0000
From: "Cal Leeming [Simplicity Media Ltd]"
	<cal.leeming@...plicitymedialtd.co.uk>
To: Christian Sciberras <uuf6429@...il.com>
Cc: "Valdis.Kletnieks@...edu" <Valdis.Kletnieks@...edu>,
	"full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Re: Getting Off the Patch

In that case, my two cents on the matter would be that the thought process
behind this "no patch method" has come from someone with very little
development and/or security background.

On Wed, Jan 19, 2011 at 9:16 AM, Christian Sciberras <uuf6429@...il.com> wrote:

> Ah, but that is YOUR argument. They don't seem to agree with it.
>
> Heck if they did, every single word so far would have been completely
> unnecessary, since layering security is what we've done ever since the first
> knife was invented!
>
> On Wed, Jan 19, 2011 at 10:13 AM, Cal Leeming [Simplicity Media Ltd] <
> cal.leeming@...plicitymedialtd.co.uk> wrote:
>
>> Christian,
>>
>> There is no 'direct alternative' as we have already established that there
>> is no "be all and end all" for security, it's when you layer these factors
>> on top of each other that it becomes more effective.
>>
>> On Tue, Jan 18, 2011 at 11:45 PM, Christian Sciberras <uuf6429@...il.com> wrote:
>>
>>> I'm getting a bit annoyed reading over and over arguments which I've
>>> highlighted some time ago anyway (
>>> http://www.mail-archive.com/full-disclosure@lists.grok.org.uk/msg44454.html
>>> ).
>>>
>>> The real question is, what is the *direct* alternative to patching?
>>>
>>> Don't say "sandboxing" because it doesn't always work.
>>> And don't tell me about only installing the system critical issues -
>>> that's called "update by priority".
>>> Also, please remember that we are talking against patching, not
>>> discussing where patching works (/ is better) or not, so I would expect any
>>> serious arguments to completely exclude patching.
>>>
>>> Regards,
>>> Chris.
>>>
>>> On Tue, Jan 18, 2011 at 9:05 PM, coderman <coderman@...il.com> wrote:
>>>
>>>> On Tue, Jan 18, 2011 at 11:43 AM, phocean <0x90@...cean.net> wrote:
>>>> > ... how is this new ? It has been the best
>>>> > practice of good system/security administrators for years.
>>>> >
>>>> > And it doesn't look like a "no patching" policy yet...
>>>>
>>>> sure, .. though you've made me sad considering how few organizations
>>>> do "best practice, good system/security administration".
>>>>
>>>> not new, still difficult?   (~_~;)
>>>>
>>>>  that leaves consensus:
>>>>    "no patching" elusive, yet to be observed in real-world. (e.g.
>>>> yeti or bigfeets)
>>>>
>>>> _______________________________________________
>>>> Full-Disclosure - We believe in it.
>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>
