[Full-Disclosure] SSH Exploit Request
Schmehl, Paul L
pauls at utdallas.edu
Thu Nov 13 22:08:51 GMT 2003
> -----Original Message-----
> From: full-disclosure-admin at lists.netsys.com
> [mailto:full-disclosure-admin at lists.netsys.com] On Behalf Of
> Robert Davies
> Sent: Thursday, November 13, 2003 2:46 PM
> To: Valdis.Kletnieks at vt.edu
> Cc: full-disclosure at lists.netsys.com
> Subject: RE: [Full-Disclosure] SSH Exploit Request
>
> I do apologize for assuming those that do not do the
> appropriate research and patching in a timely manner lazy,
> whereas it's possibly the suits and policy writers that are
> definitely more to blame. IMO, I would do the patching as
> soon as I found the patched service suitable, and if I lost
> my job, at least I know that's one more machine that was
> secure under my control. I'd rather tell a prospective
> employer that I was canned for taking security precautions
> than canned for having a critical machine compromised.
>
Your heart's in the right place, Robert, but you would have been canned
for insubordination, *not* for taking security precautions, and any
interviewer worth his salt would understand that as soon as you
explained why you were fired.
> Once again, my apologies for getting all worked up over this,
> I just hate to see when suits slow down proper and prompt
> security precautions and then cry about being compromised
> before they cut through the red tape.
>
They don't cry about it. They fire the very security people that were
screaming at them for not patching in a timely manner, blaming them for
not protecting the organization. And once in a great and wonderful
while, they say, "You were right. How long did you say it would take to
implement that solution?"
Such is life in never-never land.
If you *really* want to make a difference in security, you stay where
you are, work within the rules and fight like a banshee for what you
know is right. Then, when they finally "get it", you're a hero, because
you've been saying "I told you so" for a very long time. Nothing worth
having ever comes easy, and seldom is anything easy to get worth having.
Paul Schmehl (pauls at utdallas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/
Full-Disclosure is hosted and sponsored by Secunia.