mailing list archives
Re: Getting Off the Patch
From: "Thor (Hammer of God)" <thor () hammerofgod com>
Date: Tue, 18 Jan 2011 18:39:24 +0000
On Mon, 17 Jan 2011 22:29:13 GMT, "Cal Leeming [Simplicity Media Ltd]" said:
Most people wouldn't rely solely on patch day to protect their
You're in for a surprise.
One, as Cal pointed out, you cut out the context of what he said/meant. And two, so what if they do? At least they
are patching. If security is the goal, then advocate for security in depth. From a security standpoint, patching is
better than not patching. Period. If you have controls in place to mitigate exposure, then they should be combined
with patching. Are you taking the position that the level of "being surprised" at the number of people who only patch
dictates that they stop patching and try to successfully implement other controls so they don't have to patch?
Playing "whack a mole" was entertaining, but in all seriousness, your responses to this thread have been confusing to
me. Any security model that not only advocates non-patching, but that is designed with the intent of not patching is
completely retarded. I defy anyone to provide verifiable evidence to the contrary that is not based on a server and a
couple of workstations. Even the self-proclaimed "marketing" guy who admitted he didn't know how to patch couldn't
come up with a single shred of substantiating research to support anything different. Comparing his "research" to
Einstein and general relativity is a level of ass-hattery that rivals some of the worst on the list.
So when I see you apparently supporting the idea, as someone who normally provides some sort of empirical backing to
his statements, I become interested in what factors lead you to that conclusion.
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/