funsec mailing list archives
Re[5]: www.hexblog.com down?
From: Pierre Vandevenne <pierre () datarescue com>
Date: Wed, 4 Jan 2006 23:07:30 +0100
Good Day,

Wednesday, January 4, 2006, 10:49:33 PM, you wrote:

SD> to a blissfully unaware accountant surfing the web with a vulnerable
SD> system?" And your proposed response.

Best attempt given a level of knowledge at any given time.

SD> People often state a threat as justification to do something. But my

I do not use that threat as a justification to do "something" in general. I do use the threat as a justification to react to the specific threat. There is a huge difference.

SD> Are there other alternatives to address your stated threat?

Probably. Should I lose days investigating them?

Are there holes in your proposed solution? Probably? Should I lose days investigating them? Added direct costs? Added indirect annoyances? Hire a consultant who'd suggest I implement a solution that is invulnerable... as far as the consultant knows?

SD> Could you implement a control for your accountant to surf the web using a browser
SD> with RunAs limited privileges,

I was never hacked using telnet. It could have happened. It never did. I was hacked by a zero day exploit using SSH (and I was aware of the rumour, I just had problems with Linux libraries that prevented an easy fix and went home to sleep that day).

See the point? You are using YOUR knowledge to suggest/implement solutions in your realm of expertise. Great. Are you willing to bet your life on your level of expertise being the final word against unknown zero day exploits?

Reducing your argument to its lowest rhetorical components: "you can't know everything, therefore acting upon what you know is useless. I know other ways which are better"

Great. Fine. Maybe. But regardless of the solution you are proposing, the same logical summary applies to it.

I hate overloaded analogies but: if you see a dying homeless child on the side of the road, will you just walk by thinking "giving to charity is a better fundamental solution"? Maybe, but then you have the problem of dealing with corruption at the level of charity administration...

You are invoking the "unknown thing" argument to attack my position. Fair enough. But the "unknown thing" argument applies to all positions. That's why it is useless imho.

--
Best regards,
Pierre mailto:pierre () datarescue com

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.