On Dec 30, 2011, at 8:24 AM, Lamar Owen wrote:

> On Tuesday, December 27, 2011 10:13:12 PM Bennett Haselton wrote:
>> Roughly what percent of the time is there such an unpatched exploit in the
>> wild, so that the machine can be hacked by someone keeping up with the
>> exploits?  
> 
> While I did reply elsewhere in the thread, I want to address this 
> specifically.
> 
> I can give you a percentage number very easily.  The answer is 100%.  There 
> is always an unpatched exploit in the wild; just because it's not been found 
> by the upstream vendor (and by extension the CentOS project) doesn't mean 
> it's not being used in the wild.  I would hazard to say the risk from an 
> unknown, but used, exploit is far greater than the 'window of opportunity' 
> exploits you seem to be targeting.
> 
> I would also hazard to say that it would be similar in risk to 'window of 
> opportunity' exploit timing in the Windows world; not because the OS's are 
> similar in terms of security but because 'window of opportunity' exploit 
> timing is the same regardless of the general security of the OS.  And I think 
> studies of 'window of opportunity' exploits have been done and are publicly 
> available.
> 
> I say this after having performed a risk assessment of our infrastructure 
> myself, incidentally. It's not a matter of 'if' you will be hacked, but 
> 'when,' and this is being acknowledged in high-level security circles.
> 
> So you plan your high-availability solution accordingly, and plan for outages 
> due to security issues just like you'd plan for network or power outages.  
> This is becoming standard operating procedure in many places.
----
to reiterate my thoughts... I still don't understand the logic of the list 
indulging the OP's rampant speculation of various causes when his first action 
was to eliminate all possibility to find out what actually happened. 

An apt analogy is to find out that your horses have been stolen so you burn 
down the barn where they were kept, drag the ground to remove all evidence of 
footprints & tire tracks and then decide that you want to figure out how the 
thieves got in and made away with your horses.

Craig

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos