[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [Full-Disclosure] SSH Exploit Request

To: <Valdis.Kletnieks@vt.edu>
Subject: RE: [Full-Disclosure] SSH Exploit Request
From: "Robert Davies" <phantasm@textbox.net>
Date: Thu, 13 Nov 2003 15:45:33 -0500

 

> -----Original Message-----
**snip**
> Actually, the *original* problem was that the OP *wanted* to 
> apply the patch to fix a flawed service, but was prevented 
> from doing so by a flawed policy.
> 
> Now tell me - would *you* install the patch anyhow, knowing 
> that (possibly) doing so without all the change-control 
> paperwork being done correctly would mean your ass would be 
> canned and you'd be looking for another job?

That is dependant on the seriousness taken to network security. I for one
feel that the less time a vulnerable service is open, the less time someone
can move in and exploit it.

I know, I may sound like a dick, but when it comes down to it, after testing
the patch on a non-production machine and verification that the service is
working properly, that is all the time needed to patch a flawed service.

Maybe in large corporate environments, all the restrictions and flawed
policies cause more problems then needed, but in that case, I really would
not want to see them cry that they have been comprimised because they take
their time with paperwork. 

I feel I would rather justify downing a service for one minute then having
to explain why the system has to be taken offline for a few days while the
drive is cloned and an attack is researched. 

I do apologize for assuming those that do not do the appropriate research
and patching in a timely manner lazy, whereas its possibly the suits and
policy writers that are definitely more to blame. IMO, I would do the
patching as soon as I found the patched service suitable, and if I lost my
job, at least I know that's one more machine that was secure under my
control. I'd rather tell a prospective employer that I was canned for taking
security precaustions then canned for having a critical machine comprimised.

Once again, my apologies for getting all worked up over this, I just hate to
see when suits slow down proper and prompt security precautions and then cry
about being comprimised before they cut through the red tape.

RKD

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Follow-Ups:
- Re: [Full-Disclosure] SSH Exploit Request
  - From: Andrew J Caines <A.J.Caines@halplant.com>

References:
- Re: [Full-Disclosure] SSH Exploit Request
  - From: Valdis.Kletnieks@vt.edu

Prev by Date: Re: [Full-Disclosure] PGP signed mail? Has to be spam!
Next by Date: Re: [Full-Disclosure] SSH Exploit Request
Previous by thread: Re: [Full-Disclosure] SSH Exploit Request
Next by thread: Re: [Full-Disclosure] SSH Exploit Request
Index(es):
- Date
- Thread