RE: [Full-Disclosure] no more public exploits and general PoC guidelines

From: Ng, Kenneth (US) (kenng_at_kpmg.com)
Date: 04/28/04

    To: "'Eric LeBlanc'" <inouk@igt.net>, full-disclosure@lists.netsys.com
    Date: Wed, 28 Apr 2004 13:33:45 -0400
    
    

    It's not my boss, but in conversations with many people that span many
    companies, the general line of thought seems to be "until there is an active
    exploit that is blowing away machines on my network, we will do nothing.
    After all, not every vulnerability that is published is followed by a bad
    exploit. And not every bad exploit manages to get inside. You're asking me
    to spend real money on a theoretical problem. Remember: IT is a cost
    center, something where you do everything possible to reduce costs and
    expenditures."

    The above are not my thoughts, they are a condensed version of many
    conversations. Do I think it is penny wise and pound foolish? Yes. Do I
    think these people are not seeing the big picture? Yes. But, I'm just an
    advisor.

    -----Original Message-----
    From: full-disclosure-admin@lists.netsys.com
    [mailto:full-disclosure-admin@lists.netsys.com]On Behalf Of Eric LeBlanc
    Sent: Wednesday, April 28, 2004 9:36 AM
    To: full-disclosure@lists.netsys.com
    Subject: Re: [Full-Disclosure] no more public exploits and general PoC guidelines

    On Tue, 27 Apr 2004, Jedi/Sector One wrote:

    > On Tue, Apr 27, 2004 at 04:05:13PM -0400, kquest@toplayer.com wrote:
    > > Are you saying that unless there's an exploit
    > > that gives you access to the target machine
    > > your company wouldn't patch
    >
    > It's a matter of priority.
    >
    > For most PHBs, proactive security must be very low priority because
    > keeping systems up to date doesn't bring any money to the company.
    >

    Just tell your boss that the
    worm/DoS/exploit/whatever-that-will-cause-severe-damage-on-machines-and-network
    will cost them more than keeping their system up to date (with proof).
    It's enough to convince them that the patching will save them a *LOT* of
    money and time (if the patch doesn't break the system of course, especially
    with Microsoft patches).

    If they don't want to understand it.. Well, I want to be there when their
    system has a virus/whatever just to see their face :-) Oh, it's
    possible that the VP of the company will tell you that it's YOUR fault...

    E.

    --
    Eric LeBlanc
    inouk@igt.net
    --------------------------------------------------
    UNIX is user friendly.
    It's just selective about who its friends are.
    ==================================================
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html