RE: [Full-Disclosure] No Subject (re: openssh exploit code?)

["Robert Ahnemann" <rahnemann@affinity-mortgage.com>]

> -----Original Message-----
> From: Montana Tenor [mailto:montanatenor@yahoo.com]
> Sent: Tuesday, October 21, 2003 3:05 PM
> To: Schmehl, Paul L
> Cc: mitch_hurrison@ziplip.com; full-disclosure@lists.netsys.com
> Subject: RE: [Full-Disclosure] No Subject (re: openssh exploit code?)
> 
> I agree with Mitch.  Lets say you get an advisory that
> a severe thunderstorm may be coming your way.  Do you
> wait until the wind and rain are blowing inside your
> house to close the windows and doors.  Do you allow
> the kids to keep playing outside?  You do the prudent
> thing.  Instead of trying to brute-force Mitch into
> this, think about why doing the right thing to protect
> the long term interests of your business is the RIGHT
> thing to do.


I flip to the local radar and get some sort of proof that there might be
a thunderstorm coming.  Talk is cheap (as was said), so its up to the
admin to verify if A) there is a real threat B) the threat applies to
your systems C) the threat damage is worth the damage of 'unscheduled
downtime'

(for the analogy challenged:  radar = some sort of proof of concept or
something of the likes)

Of course, I'm just a silly win2k Admin on a 50 pc network which don't
run more than a couple uptime sensitive apps, but I think I have the
basics down as far as some of this stuff goes.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html