Full Disclosure mailing list archives

Re: SSH Exploit Request


From: Scott Taylor <security () 303underground com>
Date: Thu, 13 Nov 2003 14:19:40 -0700

On Thu, 2003-11-13 at 13:19, Valdis.Kletnieks () vt edu wrote:
> On Thu, 13 Nov 2003 12:08:41 EST, Robert Davies <phantasm () textbox net> said:
> 
> > I am quite bothered out the ass by well paid admins that are too damn lazy
> > to spend the few minutes it takes to repair a flawed service. Either start
> > doing your job, or get the hell out of the way for those of us that want to
> > do the job required properly!
> 
> Actually, the *original* problem was that the OP *wanted* to apply the patch
> to fix a flawed service, but was prevented from doing so by a flawed policy.
> 
> Now tell me - would *you* install the patch anyhow, knowing that (possibly)
> doing so without all the change-control paperwork being done correctly
> would mean your ass would be canned and you'd be looking for another job?

"Change Control" paperwork is the bane of security folks. I have most
often been on the network/firewall side of things and had been expected
to block access at the network level to make up for slow patching from
the sysadmin side. I was at least lucky enough to have a management
chain that understood the importance of security enough to verbally
approve any reasonable requests from our team on short notice.

There is definitely a need for change control and regression testing.
Especially when Microsoft servers are concerned. Who hasn't seen a site
go down or a computer bluescreen or something equally fatal to the
system after a Microsoft patch was applied? They obviously can't be
bothered to test their software, so it's up to users concerned with
uptime to test it themselves before applying patches to production
servers.

But it really does take both sides to keep systems safe. Not everything
can be filtered at the network level, and threats are not exclusively
from "the internet". Unhappy employees or otherwise compromised machines
can further exploit the internal network.

--
Scott Taylor - <security () 303underground com>

BOFH Excuse #209:

Only people with names beginning with 'A' are getting mail this week (a la Microsoft)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
