[Mailman-Users] any info on this reported exploit?

Brad Knowles brad at stop.mail-abuse.org
Fri Jan 27 21:55:18 CET 2006

At 3:41 PM -0500 2006-01-27, Jim Popovitch wrote:

>>  5.  Security patches are asynchronous, like earthquakes, they happen
>>   when they happen.
>  Very bad analogy.  Hurricanes would be better.  There is plenty of
>  potential for user-base warning before a patch is to be released.

	No, Stephen was right -- the model is Earthquakes.  We never know 
when we'll get a "security" announcement created by someone we've 
never heard of before, and where everyone has to stop everything 
they're doing (like their real job), to work 24x7 on figuring out 
what is actually happening, and then work to create a patch.  Then 
you have to test the patch and make sure it works as intended.

>  Your daughter would presumably rather know on Tuesday that her Friday
>  dinner with dad is canceled.

	That assumes that the boss doesn't tell Dad at 4:45pm on Friday 
afternoon that they just got a new security announcement dumped on 
them by an organization which no one had ever heard of before.

	That's what happens to us.

>                                That way she could make other plans, etc.
>    Change "daughter" to "wife" and ask yourself how long your wife would
>  remain if you kept canceling Friday dinner at the last minute.

	Right.  Now imagine the problem that Barry, Tokio, Mark, and 
others have when they get a new security announcement dumped on them.

>  No one is advocating that more info means more security.

	I violently disagree with the concept of security through 
obscurity.  That is one of my biggest hot buttons.

	However, there is a limit to how much information we can provide 
when we don't have the information ourselves.  And there is a limit 
to how fast we can provide what information we do have.

Brad Knowles, <brad at stop.mail-abuse.org>

"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."

     -- Benjamin Franklin (1706-1790), reply of the Pennsylvania
     Assembly to the Governor, November 11, 1755

  LOPSA member since December 2005.  See <http://www.lopsa.org/>.

More information about the Mailman-Users mailing list