non-disclosure of infrastructure problem a management issue?

max maximilianbianco at gmail.com
Sun Aug 24 16:55:54 UTC 2008


Les Mikesell wrote:
> max wrote:
>>
>> You call it paranoia, I call it common sense. Do the math, I did. I 
>> felt that if it was anything but a security issue then they'd have 
>> come right out and said so. The only reason not to come out and say so 
>> boiled down to a handful of things.
> 
> But doesn't a security issue usually imply that everyone else running 
> the same software is vulnerable to the same intrusion?  That is, the 
Maybe, but we don't know yet what exactly happened. My issue is not with 
saying it was handled badly. I would have preferred that more 
information was provided. That isn't what happened though and ultimately 
it comes down to a matter of trust. Second guessing the man on the 
ground is popular but unwise; people only assume they would have done 
better in the same situation but that is by no means certain. You're on 
the scene, you make a judgement call based on what you know and what you 
think best at the moment. Hindsight is always 20/20, having to make the 
call is harder by far, and I think accusing Paul Frields of intentionally 
deceiving us is going too far, especially without all the facts. This 
didn't happen last year, it's ongoing, taking place over the course of a 
couple of weeks, and it's only fair to allow time for a proper assessment 
of the situation. How many complaints would we have seen if it turned 
out to be a false alarm? How many would have blown away their systems 
and then cried that nothing should have been said until they were 
certain what had transpired?

> last thing you want to do is keep running with no updates.
> 
>> The only thing that's been made clear is that the Fedora Project has a 
>> number of users who take it for granted.
> 
> Do we know yet how the initial access to the machine was obtained?  Ssh 
> password-guessing or a more fundamental software problem that may still 
> be a danger for others?
> 
That is precisely the point, we don't know much. If users don't trust 
the Fedora Project then they should go elsewhere, but I doubt they'll do 
any better. Some organizations won't even give a vague warning, never 
mind admit they've been cracked.


-- 
Fortune favors the BOLD