[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Getting Off the Patch

To: "Valdis.Kletnieks@xxxxxx" <Valdis.Kletnieks@xxxxxx>
Subject: Re: [Full-disclosure] Getting Off the Patch
From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
Date: Tue, 18 Jan 2011 23:49:22 +0000

>No, I'm taking the position that "most people" are in fact solely relying
>on patching because they are clueless and they wouldn't even be patching at
>all if auto-update wasn't turned on. (And Cal caught on what I meant in his
>reply - that there's two very disjoint communities).
>
>And that changes the calculus of "best practices" - what's "best" at a shop
>that has thousands of managed nodes and a staff of dozens of experienced
>sysadmins is different from a shop that has dozens of machines and one
>semi-clued guy with a McSE. (We'll leave home machines out of the equation
>for now - it's safe to assume that *those* machines the operating system
>has to take steps to protect itself, including auto-patching, because the
>user won't do it).

My mistake then - I shouldn't have inferred your position from previous thread 
subject matter. 


>And that's something I've noticed is lacking from much of the discussion -
>the business case for deploying something.  Sure, something might well be
>more secure, but unless the added security is worth more than the added
>cost, time, and effort, it's actually a bad idea to deploy.

This is precisely what I asked for several times and never received.  When the 
idea was presented, it indicated a serious deficiency of any depth of knowledge 
just around security and engineering, not to mention the requirements for dev, 
legal and compliance.  Being the kind-hearted and generous type of person I am, 
I assumed that I was missing something, and that there would be an opportunity 
to review some sort of qualifying data.  There isn't any, so I reverted back to 
my original position. 

I don't always agree with your viewpoints, but I know that there is always 
merit to your position that I should take into account.  Not that you care or 
need my approval or agreement, but thanks for the clarification.

t

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

References:
- [Full-disclosure] Getting Off the Patch
  - From: Pete Herzog
- Re: [Full-disclosure] Getting Off the Patch
  - From: Zach C
- Re: [Full-disclosure] Getting Off the Patch
  - From: Pete Herzog
- Re: [Full-disclosure] Getting Off the Patch
  - From: phocean
- Re: [Full-disclosure] Getting Off the Patch
  - From: Valdis . Kletnieks
- Re: [Full-disclosure] Getting Off the Patch
  - From: Thor (Hammer of God)
- Re: [Full-disclosure] Getting Off the Patch
  - From: Pete Herzog
- Re: [Full-disclosure] Getting Off the Patch
  - From: Thor (Hammer of God)
- Re: [Full-disclosure] Getting Off the Patch
  - From: Zach C
- Re: [Full-disclosure] Getting Off the Patch
  - From: Thor (Hammer of God)
- Re: [Full-disclosure] Getting Off the Patch
  - From: Pete Herzog
- Re: [Full-disclosure] Getting Off the Patch
  - From: Thor (Hammer of God)
- Re: [Full-disclosure] Getting Off the Patch
  - From: Pete Herzog
- Re: [Full-disclosure] Getting Off the Patch
  - From: Thor (Hammer of God)
- Re: [Full-disclosure] Getting Off the Patch
  - From: Cal Leeming [Simplicity Media Ltd]
- Re: [Full-disclosure] Getting Off the Patch
  - From: Cal Leeming [Simplicity Media Ltd]
- Re: [Full-disclosure] Getting Off the Patch
  - From: Valdis . Kletnieks
- Re: [Full-disclosure] Getting Off the Patch
  - From: Thor (Hammer of God)
- Re: [Full-disclosure] Getting Off the Patch
  - From: Valdis . Kletnieks

Prev by Date: Re: [Full-disclosure] Getting Off the Patch
Next by Date: Re: [Full-disclosure] Path to IT Security
Previous by thread: Re: [Full-disclosure] Getting Off the Patch
Next by thread: Re: [Full-disclosure] Getting Off the Patch
Index(es):
- Date
- Thread