Full Disclosure mailing list archives

Re: Getting Off the Patch
From: "Cor Rosielle" <cor () outpost24 com>
Date: Wed, 19 Jan 2011 13:25:23 +0100

I would like to emphasize I was not saying not to patch at all. I said:
"Sometimes patching is the right solution, often it is not." However, I did
not explicitly say I was trying to protect our own data/assets and not
someone else's.

So when your data is housed elsewhere, then what? Well, in that case you
don't have to think about patching yourself. Your provider has to.
And since the provider does not have to protect his own data, he can afford
to make different considerations. He doesn't have to focus on how his
operations are best controlled, because he is not his own operations. So in
his case, I would patch. Just to cover my ass. I would even state in my
terms and agreements I would patch, so nobody could blame me that I do. 

I wouldn't envy my customers, because they cannot fully control all parts
of their own operations in this scenario. They simply have to trust me as a
provider and I will prove to be trustworthy and keep up to the contract. 

So if something breaks then after patching, they can blame ... well, I
actually don't know who they can blame. They can't blame me, because I did
what I promised. It is not sure they can blame the vendor, because the patch
was tested and proved to work for the majority in the world. Do they need to
blame themselves? Nahh. Of course they don't blame themselves. If they cannot
blame anyone, it's just a case of bad luck. But it's definitely not
their fault.

Cor Rosielle
Chief Technology Officer

-----Original Message-----
From: Jeffrey Walton [mailto:noloader () gmail com]
Sent: Wednesday 19 January 2011 12:26
To: Cor Rosielle
Cc: full-disclosure () lists grok org uk
Subject: Re: [Full-disclosure] Getting Off the Patch

Sorry about the top post - just one comment....

Bottom line is that patching interferes operations and therefore,
It's a sad state of affairs when folks put other endeavors, such as
uptime, above security.

I can't speak for others but I hope my data is not housed at such a
shop. If my data went out the e-door of such a shop, and the shop was
not patching, then I would consider the shop's practices grossly
negligent. It would be irrelevant to me who claimed it was OK for
whatever reason.

... snip ...

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
