Re: Getting Off the Patch

["Thor (Hammer of God)" <thor () hammerofgod com>]

> On Mon, 17 Jan 2011 22:29:13 GMT, "Cal Leeming [Simplicity Media Ltd]" said:
>
> > Most people wouldn't rely solely on patch day to protect their
> > systems/network
>
> You're in for a surprise.

One, as Cal pointed out, you cut out the context of what he said/meant.  And two, so what if they do?  At least they 
are patching.   If security is the goal, then advocate for security in depth.  From a security standpoint, patching is 
better than not patching.  Period.  If you have controls in place to mitigate exposure, then they should be combined 
with patching.  Are you taking the position that the level of "being surprised" at the number of people who only patch 
dictates that they stop patching and try to successfully implement other controls so they don't have to patch?

Playing "whack a mole" was entertaining, but in all seriousness, your responses to this thread have been confusing to 
me.   Any security model that not only advocates non-patching, but that is designed with the intent of not patching is 
completely retarded.  I defy anyone to provide verifiable evidence to the contrary that is not based on a server and a 
couple of workstations.  Even the self-proclaimed "marketing" guy who admitted he didn't know how to patch couldn't 
come up with a single shred of substantiating research to support anything different.   Comparing his "research" to 
Einstein and general relativity is a level of ass-hattery that rivals some of the worst on the list.

So when I see you apparently supporting the idea, as someone who normally provides some sort of empirical backing to 
his statements, I become interested in what factors lead you to that conclusion.  

t

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/