[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Getting Off the Patch

To: "lists@xxxxxxxxxx" <lists@xxxxxxxxxx>
Subject: Re: [Full-disclosure] Getting Off the Patch
From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
Date: Mon, 17 Jan 2011 20:38:39 +0000


>> Now, what I did there was insulting, confrontational, and a general shitty
>thing to do.
>
>Expected. Nothing that I wouldn't put past you.

It wasn't for your benefit; it was to hopefully prepare PMs for the ensuing 
anal jihad they'll get from management if they present your idea without any 
facts and the illustration of their naiveté in regard to what happens when 
security analysts write checks that operations and management has to cash.  

>> You cannot use the "if you don't like my driving then stay off the
>> sidewalk" defense
>
>Wow, you're still inferring a whole bunch of things there and even saying
>things I didn't say. You are so taking this all out of context.

You said if one doesn't your emails, not to read them, and if we don't like 
your idea, don't do it.  The problem with this selfish logic is that when my 
company applies standards, policies, and requirements to data management and 
risk mitigation, but a vendor to whom I send data decides not to patch based on 
your idea, then it affects me and my customers, and as such, I simply asked for 
what are now tiny little shreds of any evidence you have outside of a couple of 
servers and workstations.   I think the scope of your research has qualified 
the level of consideration it should receive. 

>> I chose that example specifically because it represented an unpatched
>environment
>
>Sorry you were dissatisfied with the examples. I'll try harder for you
>next time.

You really should.  Rather than providing a single suggestion on how your model 
would have protected 100% of this known-yet-unpatched vulnerability, you should 
have taken the opportunity to at least illustrate your assertion by way of 
example.   You have reduced the applicability of your model to instances where, 
as far as the most basic of network controls, "there are none."  There is no 
need for a "new model" here, and in fact, there is nothing new about it in the 
first place other than to think that when it has been illustrated that people 
can't deploy an ACL, that they will be successful in not patching. 

>> Your stating that "you think that op-controls can't protect where patches
>
>Of course your argument is your opinion. One that can be surely backed
>by many stats from many companies making money off that particular
>model. And those stats also show it doesn't work consistently. Why not
>try something different? I am presenting a different model is all.
>Sorry you don't like it. It works for others that have tried.

Yet again, this was the purpose of my example.  What you consider 
"brainwashing" I view as "insight," which I believe is evident by my use of an 
example where I already calculated your responses beforehand. 

The impact of Slammer proved the state of system security at the time in a 
definitive manner.  No theory, not "what would have happened if your model was 
in place," and how basic principles of least privilege and security in depth 
were not applied.   While it doesn't take an Einstein to predict the obvious 
(oh, btw, your relativity example was a complete fail) I would like to point 
out statements of security in depth here:
http://www.securityfocus.com/columnists/174
- and where I not only predicted slammer and warned against it before writing 
the article, but covered your "new" model about 8 years ago (even though I'm 
"brainwashed") here:
http://www.securityfocus.com/columnists/139

You might offer models based on presumed benefits with inferred value 
unsubstantiated by research or cost analysis, but I have illustrated a 
real-life, what-actually-happened, non-theoretical, KNOWN vulnerability that 
had a massive impact on the global internet.  And to prevent it, all someone 
had to do was to install the patch.

For what my position is worth, I totally support you and your research 
organization pushing the age-old model of security in depth and least 
privilege, but I would recommend that you do so with the "don't patch" nonsense 
removed.

I'm more than happy to continue this exchange, but please excuse me if I fail 
to reply to responses empty of substance. 

So, "ttyl," or "thanks, it's been interesting."  

t

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Follow-Ups:
- Re: [Full-disclosure] Getting Off the Patch
  - From: Cal Leeming [Simplicity Media Ltd]

References:
- [Full-disclosure] Getting Off the Patch
  - From: Pete Herzog
- Re: [Full-disclosure] Getting Off the Patch
  - From: Zach C
- Re: [Full-disclosure] Getting Off the Patch
  - From: Pete Herzog
- Re: [Full-disclosure] Getting Off the Patch
  - From: phocean
- Re: [Full-disclosure] Getting Off the Patch
  - From: Valdis . Kletnieks
- Re: [Full-disclosure] Getting Off the Patch
  - From: Thor (Hammer of God)
- Re: [Full-disclosure] Getting Off the Patch
  - From: Pete Herzog
- Re: [Full-disclosure] Getting Off the Patch
  - From: Thor (Hammer of God)
- Re: [Full-disclosure] Getting Off the Patch
  - From: Zach C
- Re: [Full-disclosure] Getting Off the Patch
  - From: Thor (Hammer of God)
- Re: [Full-disclosure] Getting Off the Patch
  - From: Pete Herzog
- Re: [Full-disclosure] Getting Off the Patch
  - From: Thor (Hammer of God)
- Re: [Full-disclosure] Getting Off the Patch
  - From: Pete Herzog

Prev by Date: [Full-disclosure] [ MDVSA-2011:012 ] mysql
Next by Date: Re: [Full-disclosure] Getting Off the Patch
Previous by thread: Re: [Full-disclosure] Getting Off the Patch
Next by thread: Re: [Full-disclosure] Getting Off the Patch
Index(es):
- Date
- Thread