Forwarded from: Aj Effin Reznor <ajat_private>

"InfoSec News was known to say....."

> Regarding the disclosure issue...MS released/disclosed a patch on 24
> July 02...a fact conveniently missing from the article. Rather than
> an issue of how much is too much to disclose, why not address the
> real issue...the products in question should never have been exposed
> to the Internet. The issue was only an exploitable vulnerability if
> it could be executed...and as yet, there hasn't been a valid
> business case presented for exposing that port for that application
> to the Internet.

Without questioning the integrity of the original article (one could bore the ISN subscribership with that in an entirely different email), perhaps we should point out that some patches, particularly SQL ones, are "difficult" to apply. Or may be applied but not "take effect", not even after a reboot.

Here's an idea. Stop writing code that allows this to happen, rather than issuing a patch after the fact? In a day when "good code" equates to "compiles without errors", what can we expect from computed attempts to be trustworthy? That this appeared the day after Gates' spam on secured computing is coincidental at best, but still beautiful.

As for exposing the affected port to the internet, so what, who cares, etc. I'm all for running the smallest amount of services possible, and also for good neighbor-ism on the net, but if someone wants or, by their own questionable biz model, "needs" to expose a port, they should be able to do so. I'm no more going to tell people what they cannot do than accept being told what I cannot do. If they want/"need" to expose ports, they should be able to do so **safely**. Ask MS why they can't do it safely rather than demanding a valid reason why the given port was exposed at all.
Just like parents today, chasing down every societal ill rather than just raising their children properly (like the Drunk Dude that was upset that his children had to read my F*CK REDHAT shirt at a restaurant the other night). Don't worry about the port, worry about the poorly coded app that can't be hung out in the wind.

-aj.
This archive was generated by hypermail 2b30 : Fri Jan 31 2003 - 01:33:01 PST