Re: [Full-disclosure] Getting Off the Patch
- To: Christian Sciberras <uuf6429@xxxxxxxxx>
- Subject: Re: [Full-disclosure] Getting Off the Patch
- From: "Cal Leeming [Simplicity Media Ltd]" <cal.leeming@xxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 19 Jan 2011 09:20:27 +0000
In that case, my two cents on the matter would be that the thought process
behind this "no patch method" has come from someone with very little
development and/or security background.
On Wed, Jan 19, 2011 at 9:16 AM, Christian Sciberras <uuf6429@xxxxxxxxx> wrote:
> Ah, but that is YOUR argument. They don't seem to agree with it.
>
> Heck if they did, every single word so far would have been completely
> unnecessary, since layering security is what we've done ever since the first
> knife was invented!
>
> On Wed, Jan 19, 2011 at 10:13 AM, Cal Leeming [Simplicity Media Ltd] <
> cal.leeming@xxxxxxxxxxxxxxxxxxxxxxxx> wrote:
>
>> Christian,
>>
>> There is no 'direct alternative' as we have already established that there
>> is no "be all and end all" for security, it's when you layer these factors
>> on top of each other that it becomes more effective.
>>
>> On Tue, Jan 18, 2011 at 11:45 PM, Christian Sciberras
>> <uuf6429@xxxxxxxxx> wrote:
>>
>>> I'm getting a bit annoyed reading over and over arguments which I've
>>> highlighted some time ago anyway (
>>> http://www.mail-archive.com/full-disclosure@xxxxxxxxxxxxxxxxx/msg44454.html
>>> ).
>>>
>>> The real question, what is the *direct* alternative to patching?
>>>
>>> Don't say "sandboxing" because it doesn't always work.
>>> And don't tell me about only installing the system critical issues only -
>>> that's called "update by priority".
>>> Also, please remember that we are talking against patching, not
>>> discussing where patching works(/ is better) or not so I would expect any
>>> serious arguments to completely exclude patching.
>>>
>>> Regards,
>>> Chris.
>>>
>>> On Tue, Jan 18, 2011 at 9:05 PM, coderman <coderman@xxxxxxxxx> wrote:
>>>
>>>> On Tue, Jan 18, 2011 at 11:43 AM, phocean <0x90@xxxxxxxxxxx> wrote:
>>>> > ... how is this new ? It has been the best
>>>> > practice of good system/security administrators for years.
>>>> >
>>>> > And it doesn't look like a "no patching" policy yet...
>>>>
>>>>
>>>> sure, .. though you've made me sad considering how few organizations
>>>> do "best practice, good system/security administration".
>>>>
>>>> not new, still difficult? (~_~;)
>>>>
>>>>
>>>> that leaves consensus:
>>>> "no patching" elusive, yet to be observed in real-world. (e.g.
>>>> yeti or bigfeets)
>>>>
>>>> _______________________________________________
>>>> Full-Disclosure - We believe in it.
>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>
>>>
>>
>>
>