Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Getting Off the Patch
From: "Thor (Hammer of God)" <thor () hammerofgod com>
Date: Mon, 17 Jan 2011 20:38:39 +0000

Now, what I did there was insulting, confrontational, and a general shitty
thing to do.

Expected. Nothing that I wouldn't put past you.

It wasn't for your benefit; it was to hopefully prepare PMs for the ensuing anal jihad they'll get from management if 
they present your idea without any facts and the illustration of their naiveté in regard to what happens when security 
analysts write checks that operations and management has to cash.  

You cannot use the "if you don't like my driving then stay off the
sidewalk" defense

Wow, you're still inferring a whole bunch of things there and even saying
things I didn't say. You are so taking this all out of context.

You said if one doesn't your emails, not to read them, and if we don't like your idea, don't do it.  The problem with 
this selfish logic is that when my company applies standards, policies, and requirements to data management and risk 
mitigation, but a vendor to whom I send data decides not to patch based on your idea, then it affects me and my 
customers, and as such, I simply asked for what are now tiny little shreds of any evidence you have outside of a couple 
of servers and workstations.   I think the scope of your research has qualified the level of consideration it should 

I chose that example specifically because it represented an unpatched

Sorry you were dissatisfied with the examples. I'll try harder for you
next time.

You really should.  Rather than providing a single suggestion on how your model would have protected 100% of this 
known-yet-unpatched vulnerability, you should have taken the opportunity to at least illustrate your assertion by way 
of example.   You have reduced the applicability of your model to instances where, as far as the most basic of network 
controls, "there are none."  There is no need for a "new model" here, and in fact, there is nothing new about it in the 
first place other than to think that when it has been illustrated that people can't deploy an ACL, that they will be 
successful in not patching. 

Your stating that "you think that op-controls can't protect where patches

Of course your argument is your opinion. One that can be surely backed
by many stats from many companies making money off that particular
model. And those stats also show it doesn't work consistently. Why not
try something different? I am presenting a different model is all.
Sorry you don't like it. It works for others that have tried.

Yet again, this was the purpose of my example.  What you consider "brainwashing" I view as "insight," which I believe 
is evident by my use of an example where I already calculated your responses beforehand. 

The impact of Slammer proved the state of system security at the time in a definitive manner.  No theory, not "what 
would have happened if your model was in place," and how basic principles of least privilege and security in depth were 
not applied.   While it doesn't take an Einstein to predict the obvious (oh, btw, your relativity example was a 
complete fail) I would like to point out statements of security in depth here:
- and where I not only predicted slammer and warned against it before writing the article, but covered your "new" model 
about 8 years ago (even though I'm "brainwashed") here:

You might offer models based on presumed benefits with inferred value unsubstantiated by research or cost analysis, but 
I have illustrated a real-life, what-actually-happened, non-theoretical, KNOWN vulnerability that had a massive impact 
on the global internet.  And to prevent it, all someone had to do was to install the patch.

For what my position is worth, I totally support you and your research organization pushing the age-old model of 
security in depth and least privilege, but I would recommend that you do so with the "don't patch" nonsense removed.

I'm more than happy to continue this exchange, but please excuse me if I fail to reply to responses empty of substance. 

So, "ttyl," or "thanks, it's been interesting."  


Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]