
Re: OSVDB 72183



On 04/10/2013 11:04 AM, Michael Gilbert wrote:
> The companies that do this kind of analysis really need to get
> their act together.  If you're paying them for this service, you
> should really question whether you're getting any value.

For the record, the company is Trustwave. These scans are required by PCI these days - not sure I have any choice. Every month I go through a long list of mostly the same set of false positives - dispute them as such - until last month they would all reappear the next month. Mostly a huge waste of time.

Most are listed with a CVE-yyyy-nnnn number - and easy to find via Debian - this was the first OSVDB listed - I couldn't find anything connected to Debian and misread the "not". Now that it is listed here, at least others can find it via Google.

Such a scanning service would be much more valuable if it was tailored for a specific OS. I think the only issue I've been alerted to over several years was I needed to remove some ciphers from Apache.


--------------------------------------------------------------------------------
Karl Schmidt                                  EMail Karl@xtronics.com
Transtronics, Inc.                              WEB http://secure.transtronics.com
3209 West 9th Street                             Ph (785) 841-3089
Lawrence, KS 66049                              FAX (785) 841-0434

Truth is mighty and will prevail.
There is nothing wrong with this,
except that it ain't so.
--Mark Twain

--------------------------------------------------------------------------------

