SCIENTIFIC-LINUX-USERS Archives

August 2013

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From:
Vincent Liggio <[log in to unmask]>
Reply To:
Vincent Liggio <[log in to unmask]>
Date:
Thu, 1 Aug 2013 09:16:22 -0400
Content-Type:
text/plain
Parts/Attachments:
text/plain (40 lines)
I disagree. In the old days, yeah, I used to blindly patch everything.
That's fine when you have a small setup with few interdependencies. Try
thousands of systems, hundreds of applications, multiple hardware vendors.

Systems on the Internet should be behind firewalls, and strong ones at
that. The best way to be secure is to not be connected (of course that's
not practical). And in reality, the greatest risk to most companies
comes from within, not from outside.

A recent study showed that the majority (over 90%) of problem software
is enterprise apps that can be compromised.

And you're just fooling yourself if you think a system on the Internet
is secure if it's patched. An interview I read last month with a black
hat underscored the level of risk - he said there are literally thousands
of zero day bugs that could be taken advantage of. Yeah, patching will
get you protected from the script kiddies. But you're fooling yourself
to think that being patched means being protected.

Vince

On 08/01/2013 09:02 AM, Andras Horvath wrote:
> Could you kindly provide an alternate solution? How can one patch the
> system not "blindly"? How does one test the services outside production
> with production-like usage? IMHO we all must rely on upstream's QA.
> 
> Patching the system is supposed to fix known bugs and security flaws,
> and it may also bring unknown ones too. But the huge difference is that
> when a fix is released for a particular problem, then everybody gets
> to know about it at that very moment, hence the unpatched systems can
> be attacked much more this way, while the unknown bugs brought by the
> fixes may well not be known to the wide audience. Therefore the
> latter is better for systems reachable through the internet.
> 
> I believe we must distinguish between systems with highly critical
> services on the LAN and systems on the internet. While it can be
> understandable to prefer not to patch the former ones at once, it is
> a better choice to patch the latter. So there is no good default
> setting. It always depends on the kind of usage.
