Forwarded from: Kurt Seifried <listuserat_private>

> I don't think you're being rude at all, just misguided.

[mass snippage]

So you guys audited all the code and fixed all the recent problems found in libc, apache, openssl, openssh, etc, etc in the last 2 months?

This is why I'm not a huge fan of the various "secure" linux distros. Typically something is bolted on to a relatively insecure system to try and make it secure. These after the fact components (post factory mods? something like that =) sometimes work, and sometimes do not work.

Case example: Argus Pitbull on solaris, a fine piece of software, a hacking contest goes by, no-one can break Argus Pitbull on Solaris. Well except for this guy who finds a kernel flaw on Solaris and manages to circumvent it.

What has this got to do with you? The more security flaws you leave unsolved (even if they do not "directly affect" your users) the more likely some combination of bugs will occur that does allow an attacker in. Can you offer me some form of "proof" that your customers are NOT affected by these vulnerabilities? No. You can only say "well, from what little we know about vulnerability X LIDS seems to stop this specific attack example".

Personally I believe in erring on the side of caution, i.e. shipping/installing security updates even if I am not directly affected. There are degrees of risk. Not shipping security updates to close potential holes in a system increases this risk.

> Dave Wreski
> Corporate Manager Guardian Digital, Inc.
> (201) 934-9230 Pioneering. Open Source. Security.
> daveat_private http://www.guardiandigital.com

Kurt Seifried, kurtat_private
A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/

- ISN is currently hosted by Attrition.org
This archive was generated by hypermail 2b30 : Tue Oct 01 2002 - 05:12:35 PDT