Re: ssh broadcasts package name???
On Mon, Oct 28, 2002 at 04:34:38PM -0500, Paul Smith wrote:
> %% Dave Sherohman <esper@sherohman.org> writes:
> ds> Quick and easy way to convince them: "Really? How's about I stand
> ds> here and watch you exploit it." Shouldn't take more than 5-10
> ds> minutes of banging their head against your server to realize that
> ds> no, it's not vulnerable.
>
> You obviously don't understand the corporate IT mindset :)--it's not up
> to them to prove your system is vulnerable, it's up to _you_ to prove
> that it isn't.
>
> If they think it's vulnerable or don't believe you they'll just
> blacklist it from the network and you're SOL. They have all the power,
> because they control the network (routers/switches/firewalls/etc.)
No, I just missed that it was the IS department claiming to have
found a vulnerability and assumed it was an outside vendor. ("You
want me to buy your services to fix the problem? OK, but first prove
that there is a problem to fix.") I agree that this technique
wouldn't work in the case you're talking about.
--
When we reduce our own liberties to stop terrorism, the terrorists
have already won. - reverius
Innocence is no protection when governments go bad. - Tom Swiss