[Mailman-Users] any info on this reported exploit?
brad at stop.mail-abuse.org
Fri Jan 27 21:55:18 CET 2006
At 3:41 PM -0500 2006-01-27, Jim Popovitch wrote:
>> 5. Security patches are asynchronous, like earthquakes, they happen
>> when they happen.
> Very bad analogy. Hurricanes would be better. There is plenty of
> potential for user-base warning before a patch is to be released.
No, Stephen was right -- the model is Earthquakes. We never know
when we'll get a "security" announcement created by someone we've
never heard of before, and where everyone has to stop everything
they're doing (like their real job), to work 24x7 on figuring out
what is actually happening, and then work to create a patch. Then
you have to test the patch and make sure it works as intended.
> Your daughter would presumably rather know on Tuesday that her Friday
> dinner with dad is canceled.
That assumes that the boss doesn't tell Dad at 4:45pm on Friday
afternoon that they just got a new security announcement dumped on
them by an organization which no one had ever heard of before.
That's what happens to us.
> That way she could make other plans, etc.
> Change "daughter" to "wife" and ask yourself how long your wife would
> remain if you kept canceling Friday dinner at the last minute.
Right. Now imagine the problem that Barry, Tokio, Mark, and
others have when they get a new security announcement dumped on them.
> No one is advocating that more info means more security.
I violently disagree with the concept of security through
obscurity. That is one of my biggest hot buttons.
However, there is a limit to how much information we can provide
when we don't have the information ourselves. And there is a limit
to how fast we can provide what information we do have.
Brad Knowles, <brad at stop.mail-abuse.org>
"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."
-- Benjamin Franklin (1706-1790), reply of the Pennsylvania
Assembly to the Governor, November 11, 1755
LOPSA member since December 2005. See <http://www.lopsa.org/>.
More information about the Mailman-Users