[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Getting Off the Patch

To: "lists@xxxxxxxxxx" <lists@xxxxxxxxxx>
Subject: Re: [Full-disclosure] Getting Off the Patch
From: Zach C <fxchip@xxxxxxxxx>
Date: Tue, 11 Jan 2011 05:53:44 -0800

Hmm. So you propose other measures of security as a way of circumventing the 
requirement of patching vulnerable software. That's nice, but it occurs to me 
that the vulnerable software is still vulnerable, and sandboxing (as you 
mentioned in an example) isn't always possible or feasible -- maybe it requires 
a code change, who knows. I see you mention the time it takes to test patches 
and their effect on your workflow, but I would figure an equal or greater 
amount of time would then need to be spent on other solutions as well -- and 
even when those other solutions are implemented, the software that you're doing 
all this to is still vulnerable, and likely in a way that such measures can't 
really prevent all that well (code theft, etc).

Am I mistaken? I thought I got all that right. I haven't read the OSSTMM 3 yet, 
granted (it's on my to-do list), but I would think that it's still worth doing 
all that -- just that disregarding patches entirely in favor of this isn't the 
solution either, which is probably not what you're saying. :) 

On Jan 10, 2011, at 11:41 AM, Pete Herzog <lists@xxxxxxxxxx> wrote:

> Hi,
> 
> Here's a new article on how and why you may want to stop patching your 
> software and take a new approach to your security.
> 
> "So if patching is a tactic towards a particular security strategy, 
> how can that be bad? I never said it was all bad. There are reasons 
> where patching makes sense just like there are reasons to get a kick 
> from a cup of coffee, get kicked by a shot of tequila, or spray stuff 
> up your nose to breathe easier for 1.5 seconds. Yes, for the record, I 
> am comparing patching to nasal spray."
> 
> Read it here:
> 
> https://www.infosecisland.com/blogview/10813-Getting-Off-the-Patch.html
> 
> Sincerely,
> -pete.
> 
> -- 
> Pete Herzog - Managing Director - pete@xxxxxxxxxx
> ISECOM - Institute for Security and Open Methodologies
> www.isecom.org - www.osstmm.org
> www.hackerhighschool.org - www.badpeopleproject.org
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Follow-Ups:
- Re: [Full-disclosure] Getting Off the Patch
  - From: Valdis . Kletnieks
- Re: [Full-disclosure] Getting Off the Patch
  - From: Pete Herzog

References:
- [Full-disclosure] Getting Off the Patch
  - From: Pete Herzog

Prev by Date: [Full-disclosure] List Charter
Next by Date: Re: [Full-disclosure] Getting Off the Patch
Previous by thread: [Full-disclosure] Getting Off the Patch
Next by thread: Re: [Full-disclosure] Getting Off the Patch
Index(es):
- Date
- Thread