----- Original Message ----- From: "Steve" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Friday, September 20, 2002 5:59 PM Subject: Re: [Full-Disclosure] Re: MS-02-052
> Hehe, right you are. > > But we've got more valuable things to do with our time than chasing > patches that will never fully come through anyway. Fair one, but you can also remove unused functionality - that would have stopped CR for example, without even a patch. > which generates income. You may see that as an irrational > shut-everything-down approach, which is your prerogative. As it is yours - you just seemed irrational in your post, Mea Culpa ;-) > To be specific it's not MY shit to sort out. If I'm dumb enough to use > MS then I would HAVE to sort out their shit. Nice stab though... It wasn't a stab, merely an observation - I dislike the [percieved] attitude that X is bad and Y is good without looking at the ethos of the vendor and to what extent what functionality is installed Out Of Box. Microsoft ship their stuff with all bells and whistles enabled be default. They have done this for a long time and should be no surprise to anyone, so the first act should be to remove all said bells and whistles you don't use. Yes that's an admin overhead unless you invested time in an automated secure build policy, but if that's what it takes, then it needs to be done. I did the BOFH thing for long enough to know that. You can lock down box A just as well as box B regardless of OS or application, was my point. Sometimes it takes a bit longer and maybe a bit more work and dependant on what skills you or your team have, that may or may not be viable. That's just mitigation of risk which to a large extent is technology independant. Cheers. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
