Re: Fwd: Information on MS99-022

From: Renaud Deraison (deraisonat_private)
Date: Mon Jul 05 1999 - 04:37:24 PDT


    On Mon, 5 Jul 1999, Darren Reed wrote:
    
    > > But as someone else pointed out in this very same list, it's not always
    > > possible to determine whether there is a problem or not in another way
    > > than actually testing the flaw (intrusion tests are an example)
    >
    > So everyone who has IIS4.0 should test for the flaw first before
    > installing the patch?  I don't think that's the right methodology.
    > When I apply patches, security or otherwise, I don't necessarily want
    > to test the problem first and nor should I need to.
    
    You don't need to, because you know you have not applied the patch yet, so
    you know that you are vulnerable. Now, suppose that in two months you are
    given the administration of 20 IIS servers in Asia, each located in a
    separate office. Will you spend your day going from one office to another,
    just checking for this flaw?
    
    > I should get all
    > the information I need to correctly apply the patch with the patch
    > itself.
    
    [snip]
    > than running intrusion tests.  Those tests should be the mechanism by
    > which you go from a state of having a collection of hosts about which
    > you know nothing about to a state where you know what needs to be done
    > (if anything) in order to minimise the risk of an intrusion and from
    > there can implement a plan of action that keeps them in a state of
    > minimal risk.
    
    I agree 100%. If you probe these hosts and if no security flaw is
    reported at all, whereas some flaws are reported on other servers, then
    you'll first upgrade those servers, right? Not the ones reported as
    'safe'. However, those 'safe' hosts may have the IIS security flaw which
    may be more important than the flaws on the other hosts.
    
    > [...]
    > > but the domain microsoft.com has been number one in terms of download and
    > > site frequentation at nessus.org :) During a time,  they were downloading
    [snip]
    
    > You're assuming that such access is in-line with a policy of "do not use
    > the internet for non-work related things", which I'm sure is enforced the
    > same everywhere :)
    > I know of people who work at Microsoft who do so only as their `day job'.
    
    Yeah. This was just a funny thing I noted. Not directly related to this
    subject (I didn't mean: 'they should have given me the info since they
    are using my tool'  --- just because there are too many employees)
    
    > Or maybe what they saw in Nessus was enough to persuade them that going
    > to ICSA was the right thing to do?
    
    What did they see, according to you?
    
    > > > Now you're catching on.  Security is a market of some value, today, not
    > > > like it was back in the early 90's when things like FWTK/Satan were written
    > > > and given away.
    > >
    > > I disagree with that too. I'm not the only weirdo on this planet who is
    > > giving away security tools. Just think about Nmap, Trinux, SAINT, ipchains
    > > and many more.
    >
    > I give one away too, in case you weren't aware of that.  But I'm not
    > arguing that there isn't any free security software or new projects
    > don't happen, just that there is an increased value on such knowledge
    > (of bugs and processes) today and hence less incentive to give such
    > knowledge away.
    
    And this is a shame anyway. As I wrote, making some benefit of the bugs
    they make is not normal.
    I think that I'll write a mail server of my own, don't release the source,
    include 30 security holes, and start to sell them one after the other.
    Sounds like a good get-rich-quick scheme, doesn't it ?
    
    > I'd like to point out that your list does not mention any free knowledge
    > bases or data warehouses which contain information on security
    > vulnerabilities.
    
    This will be corrected as soon as I find the time to take care of it,
    but this is beyond the scope of the project.
    
    
    				-- Renaud
    
    --
    Renaud Deraison <deraisonat_private>
    The Nessus Project -- http://www.nessus.org
    


