RE: CONTENT DECISION: Presence of Services or Applications (SA)
I agree with these comments as well! Unless there is an actual vulnerability related to one of these services, don't see them as being CVE material just by running. This becomes a "best practice" or company policy decision rather than a vulnerability.

-mike

-----Original Message-----
From: Aleph One [mailto:aleph1@UNDERGROUND.ORG]
Sent: Tuesday, August 03, 1999 11:28 PM
To: spaf@CS.PURDUE.EDU; Steven M. Christey
Cc: cve-editorial-board-list@lists.mitre.org
Subject: Re: CONTENT DECISION: Presence of Services or Applications (SA)

On Tue, Aug 03, 1999 at 08:52:05PM -0500, Gene Spafford wrote:
> I really do not like the idea behind this category. We might as
> well include most MS-based protocols, and most TCP services. The
> fact that a service is present and has a history of being a point of
> entry on some systems is not a vulnerability. That's like saying
> that the presence of computers tends to enable hacking -- take away
> the computers, and you no longer have break-ins!

Hear, hear!

>
> --spaf
>

--
Aleph One / aleph1@underground.org
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01