Full Disclosure mailing list archives

RE: SSH Exploit Request


From: "Schmehl, Paul L" <pauls () utdallas edu>
Date: Thu, 13 Nov 2003 16:08:51 -0600

-----Original Message-----
From: full-disclosure-admin () lists netsys com 
[mailto:full-disclosure-admin () lists netsys com] On Behalf Of 
Robert Davies
Sent: Thursday, November 13, 2003 2:46 PM
To: Valdis.Kletnieks () vt edu
Cc: full-disclosure () lists netsys com
Subject: RE: [Full-disclosure] SSH Exploit Request 

I do apologize for assuming those that do not do the 
appropriate research and patching in a timely manner lazy, 
whereas it's possibly the suits and policy writers that are 
definitely more to blame. IMO, I would do the patching as 
soon as I found the patched service suitable, and if I lost 
my job, at least I know that's one more machine that was 
secure under my control. I'd rather tell a prospective 
employer that I was canned for taking security precautions 
than canned for having a critical machine compromised.

Your heart's in the right place, Robert, but you would have been canned
for insubordination, *not* for taking security precautions, and any
interviewer worth his salt would understand that as soon as you
explained why you were fired.
Once again, my apologies for getting all worked up over this, 
I just hate to see when suits slow down proper and prompt 
security precautions and then cry about being compromised 
before they cut through the red tape.

They don't cry about it.  They fire the very security people that were
screaming at them for not patching in a timely manner, blaming them for
not protecting the organization.  And once in a great and wonderful
while, they say, "You were right.  How long did you say it would take to
implement that solution?"

Such is life in never-never land.

If you *really* want to make a difference in security, you stay where
you are, work within the rules and fight like a banshee for what you
know is right.  Then, when they finally "get it", you're a hero, because
you've been saying "I told you so" for a very long time.  Nothing worth
having ever comes easy, and seldom is anything easy to get worth having.
Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/ 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html