Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Getting Off the Patch
From: Cor Rosielle <cor () outpost24 com>
Date: Thu, 20 Jan 2011 00:07:08 +0100


Just a small response to make sure I'm not misunderstood.

In 2001 I was working with a telecom and internet provider, a large
company, and responsible for their internal systems and networks. I was
not a CTO in those days. Today I'm a CTO, but in another company, doing
security consultancy.

I'm pretty sure (OK, call me arrogant) that if the box ever was hacked,
it was not because of this bug that was reported unpatched.

And finally, perhaps in those days I would have seen the OSSTMM as
support for my decision (actually ours, because the security manager
decided this together). Knowing the OSSTMM today helps me understand why
the approach back then actually worked. That was no coincidence, it fits
in a model. Therefore, today I meant it as an example to explain there
are different solutions for a problem. Sometimes it involves sticking
out your neck and doing something different than the majority of your
peers do. That isn't bad just because it's different. 

Also, because the OSSTMM approaches security different from most
compliancy regulations, it is not bad. The OSSTMM is not a static holy
book or a religious kind of conviction. It is a live and dynamic manual.
Release 3 is finally there, but next month there will be a discussion
about what to change and add in version 4. (If you want to join, check
http://www.securityfocus.com/archive/101/515776/30/0/threaded for more
details. You can meet me there in real life as well).

Cor Rosielle

On Wed, 2011-01-19 at 20:01 +0000, Thor (Hammer of God) wrote:
When the OP can't even support his own idea, it's probably time for this thread to die.  However, I thought about 
what you said, and it actually serves as an excellent example of why engaging in conversation around this sort of 
thing is important.

Cor Rosielle wrote:
I did not know about the OSSTMM in those days. If I did, I could have
explained why patching is not always the best solution: it interferes
with your operations. 

And thus lies the core purpose of this sort of "open standard." You would have liked for the OSSTMM to exist back 
then NOT because there was value in their approach to security, but because it would give you justification for not 
doing what you were already not doing.  You made a conscious decision not to patch a Windows 2000 box with IIS5 on it 
even though the radio listed off your company name (about that, what, what is Wikileaks Radio or something?).  There 
is justification now because you say the box never got hacked.  Of course, you don't know that, and can never know 
that.  Pursuant to that, put that box up on the internet in the same configuration it was in and post the IP here.  I 
guarantee that you'll only need an egg timer, if that. 

Since you already had a clear position of not caring about patching, there would be no need for the OSSTMM to exist 
for you at all.  And as you have stated, if it DID exist, you would have used it purely for justifying your actions.  
When a CTO assumes that position and identifies the value of that organization to provide a straw-man standard, that 
is when people who have a better understanding of what security is should speak up. 



Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]