funsec mailing list archives

Re[5]: www.hexblog.com down?


From: Pierre Vandevenne <pierre () datarescue com>
Date: Wed, 4 Jan 2006 23:07:30 +0100

Good Day,

Wednesday, January 4, 2006, 10:49:33 PM, you wrote:

SD> to a blissfully unaware accountant surfing the web with a vulnerable
SD> system?"  And your proposed response.

Best attempt given a level of knowledge at any given time.

SD> People often state a threat as justification to do something.  But my

I do not use that threat as a justification to do "something" in
general. I do use the threat as a justification to react to the
specific threat. There is a huge difference.

SD> Are there other alternatives to address your stated threat?

Probably. Should I lose days investigating them? Are there holes in
your proposed solution? Probably? Should I lose days investigating them?
Added direct costs? Added indirect annoyances?

Hire a consultant who'd suggest I implement a solution that is
invulnerable... as far as the consultant knows?

SD> Could you implement a control for your accountant to surf the web using a browser
SD> with RunAs limited privileges,

I was never hacked using telnet. It could have happened. It never did.
I was hacked by a zero day exploit using SSH (and I was aware of the
rumour, I just had problems with linux libraries that prevented an
easy fix and went home to sleep that day).

See the point?

You are using YOUR knowledge to suggest/implement solutions in your
realm of expertise. Great. Are you willing to bet your life on your
level of expertise being the final word against unknown zero day
exploits?

Reducing your argument to its lowest rhetorical components:

"you can't know everything, therefore acting upon what you know is
useless. I know other ways which are better"

Great. Fine. Maybe. But regardless of the solution you are proposing,
the same logical summary applies to it.

I hate overloaded analogies but: if you see a dying homeless child on
the side of the road, will you just walk by thinking "giving to
charity is a better fundamental solution"? Maybe, but then you have
the problem of dealing with corruption at the level of charity
administration...

You are invoking the "unknown thing" argument to attack my position.
Fair enough. But the "unknown thing" argument applies to all
positions. That's why it is useless imho.

-- 
Best regards,
 Pierre                            mailto:pierre () datarescue com

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
