non-disclosure of infrastructure problem a management issue?
Nifty Fedora Mitch
niftyfedora at niftyegg.com
Thu Aug 21 23:28:51 UTC 2008
On Fri, Aug 22, 2008 at 10:36:21AM +1200, Clint Dilks wrote:
> Bjoern Tore Sund wrote:
>> It has now been a full week since the first announcement that Fedora
>> had "infrastructure problems" and to stop updating systems.
>
> Hi, I work in an environment very similar to yours a University in New
> Zealand. And while I understand your frustration and agree that this
> situation and the communication surrounding it have been managed poorly
> I will say that we as administrators can not blame Fedora if we make
> their infrastructure to critical to our own systems. For example we can
> make our own local repositories and we can control / test updates to try
> and minimize the risks from events such as this.
Just guessing,
This smells like a hacker was detected or a hack was discovered.
As readers of this list will note the historic resolution for a
hacked system has been to do a full reload which takes time.
Ssh key management may also be at issue given the key generation flaw known
as the Debian SSH key attacks. In some cases a key can be recovered in
20 min... In this case the issue might be poor keys generated outside
of RH and not a flaw in RH process or tools.
If it had been a blown disk farm we would have more info already.
The more I read about the SSH key attacks the more convinced
I am that there is a need to update my set of keys for me and my systems.
In time they will tell.
--
T o m M i t c h e l l
Got a great hat... now what.
More information about the fedora-list
mailing list