In some mail from Renaud Deraison, sie said:
> > On Mon, 5 Jul 1999, Darren Reed wrote:
> >
> > > What comes to my mind, is that the Microsoft is giving the scoop of the
> > > test of the vulnerability to the ISCA's IDC members.
> >
> > And the problem with that is? What should be important is that the
> > information about the problem became public, allowing people to become
> > aware of the problem and how to fix it.
>
> But as someone else pointed out in this very same list, it's not always
> possible to determine whether there is a problem or not in another way
> than actually testing the flaw (intrusion tests are an example)

So everyone who has IIS4.0 should test for the flaw first before installing the patch? I don't think that's the right methodology. When I apply patches, security or otherwise, I don't necessarily want to test the problem first and nor should I need to. I should get all the information I need to correctly apply the patch with the patch itself.

Intrusion tests should not be the basis for applying patches. If that is actually the case then procedures which involve the administration of the machine(s) need to be re-examined.

That said, I'd argue that keeping a machine up to date with patches is just as important as, if not more important than, running intrusion tests. Those tests should be the mechanism by which you go from a state of having a collection of hosts about which you know nothing to a state where you know what needs to be done (if anything) in order to minimise the risk of an intrusion and from there can implement a plan of action that keeps them in a state of minimal risk.

[...]

> but the domain microsoft.com has been number one in terms of download and
> site frequentation at nessus.org :) For a time, they were downloading
> each new version of the product and coming back very frequently. Now, I
> cannot say whether they were actually using Nessus or not, but well, I
> think that they were not storing their downloads in /dev/null ;))

You're assuming that such access is in line with a policy of "do not use the internet for non-work related things", which I'm sure is enforced the same everywhere :) I know of people who work at Microsoft who do so only as their `day job'. Or maybe what they saw in Nessus was enough to persuade them that going to ICSA was the right thing to do?

[...]

> > > This attitude shows the lack of ethic of several companies which claim
> > > they are interested in security. Because no matter how knowledgeable you
> > > are, you will have to pay to determine if you are vulnerable or not.
> >
> > Now you're catching on. Security is a market of some value, today, not
> > like it was back in the early 90's when things like FWTK/Satan were written
> > and given away.
>
> I disagree with that too. I'm not the only weirdo on this planet who is
> giving away security tools. Just think about Nmap, Trinux, SAINT, ipchains
> and many more.

I give one away too, in case you weren't aware of that. But I'm not arguing that there isn't any free security software or that new projects don't happen, just that there is an increased value on such knowledge (of bugs and processes) today and hence less incentive to give such knowledge away.

I'd like to point out that your list does not mention any free knowledge bases or data warehouses which contain information on security vulnerabilities. Sure, there are web sites with exploits for many different security holes, but that's not quite the same sort of resource that some will provide for a fee.

Darren
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:51:32 PDT