
Re: [Full-disclosure] Getting Off the Patch



>On Mon, 17 Jan 2011 22:29:13 GMT, "Cal Leeming [Simplicity Media Ltd]" said:
>
>> Most people wouldn't rely solely on patch day to protect their
>> systems/network
>
>You're in for a surprise.

One, as Cal pointed out, you cut out the context of what he said/meant.  And 
two, so what if they do?  At least they are patching.   If security is the 
goal, then advocate for security in depth.  From a security standpoint, 
patching is better than not patching.  Period.  If you have controls in place 
to mitigate exposure, then they should be combined with patching.  Are you 
taking the position that the level of "being surprised" at the number of people 
who only patch dictates that they stop patching and try to successfully 
implement other controls so they don't have to patch?

Playing "whack a mole" was entertaining, but in all seriousness, your responses 
to this thread have been confusing to me.   Any security model that not only 
advocates non-patching, but that is designed with the intent of not patching is 
completely retarded.  I defy anyone to provide verifiable evidence to the 
contrary that is not based on a server and a couple of workstations.  Even the 
self-proclaimed "marketing" guy who admitted he didn't know how to patch 
couldn't come up with a single shred of substantiating research to support 
anything different.   Comparing his "research" to Einstein and general 
relativity is a level of ass-hattery that rivals some of the worst on the list.

So when I see you apparently supporting the idea, as someone who normally 
provides some sort of empirical backing to his statements, I become interested 
in what factors lead you to that conclusion.  

t
