On Mon, Oct 28, 2002 at 04:34:38PM -0500, Paul Smith wrote:
> %% Dave Sherohman <[EMAIL PROTECTED]> writes:
> ds> Quick and easy way to convince them: "Really? How's about I stand
> ds> here and watch you exploit it." Shouldn't take more than 5-10
> ds> minutes of banging their head against your server to realize that
> ds> no, it's not vulnerable.
>
> You obviously don't understand the corporate IT mindset :)--it's not up
> to them to prove your system is vulnerable, it's up to _you_ to prove
> that it isn't.
>
> If they think it's vulnerable or don't believe you they'll just
> blacklist it from the network and you're SOL. They have all the power,
> because they control the network (routers/switches/firewalls/etc.)

No, I just missed that it was the IS department claiming to have found a vulnerability and assumed it was an outside vendor. ("You want me to buy your services to fix the problem? OK, but first prove that there is a problem to fix.") I agree that this technique wouldn't work in the case you're talking about.

--
When we reduce our own liberties to stop terrorism, the terrorists have already won. - reverius

Innocence is no protection when governments go bad. - Tom Swiss