
RE: [Full-Disclosure] Learn from history?







> 1.  Microsoft already provides that feature

Sure. You have no problem about running it automatically?

> 2.  As soon as possible for "you"

No. As soon as the customer phones asking you to drop by. Meaning: when it's
too late.
 
> >> 2. If a patch cannot be installed, find workarounds
> >That does not work with the workarounds customers need to facilitate
> >life (security <> ease of use, remember)

> And the computers/networks will be so easy to use when lines are saturated,
> file systems are corrupted or data are stolen

That's the problem they are prepared to deal with at the moment it comes.
They think it's cheaper.
 
> >> 3. If it is a port-related threat, find out if such ports are 
> >> in use, and if not, make sure they are closed. 
> >Once the virus is on the LAN it can do whatever it wants.
> 
> Hello!  Block the ports BEFORE they hit the LAN.  Proactive security.
> Also, do us a favor and don't propagate the shit!

Well of course they are blocked. But there are other means of coming in you
know.

> >> Some of the comments overheard this week regarding Sasser:
> >I did propose some firewall, but they feel it's too much €€€€
> 
> And you provided some sort of analysis showing potential losses due to
> the lack of a security infrastructure, right?  

Well indeed of course not. Customer is not prepared to pay for that kind of
analysis. 
 
> >> Will they learn from history? Only history will tell.
> >I'm pretty sure they won't. Even most tech guys don't have a clue.
> 
> Evidently, thanks for your example.

There's no reason to get personal here. Don't judge me on such a restraint
discussion.
My only point is, SMB businesses are not prepared to pay for advanced
security, which you say I should provide, and to which I totally agree.

Maybe my boss does not have the right business plan and marketing to 'sell'
security. Probably.


Serge

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html