Re: Microsoft-IIS/6.0 serves up Debian... WTF!
On Sun, Jun 8, 2008 at 7:00 PM, Jacob Appelbaum <jacob@appelbaum.net> wrote:
> Your thoughts on this subject are really fascinating. Because while I
> agree that the idea of "security by obscurity" as the only line of
> defense is flawed, you're making assumptions and value judgments that
> seem beyond your abilities. I question your security knowledge and
> capabilities.
Yeah, yeah. Whatever dude.
> [snip, snip]
> Have you found some actual security issue with the mirror? Are the
> packages tampered with? Are the signatures invalid?
No, I haven't found an actual security issue with the mirror. And I
don't believe in waiting for someone to raise a security issue to
determine the actual security of a system. Surely you would agree
that there are acceptable minimums. I do think that it would be
prudent for the Debian Security and Mirror teams to know the specifics
about their mirror ops. And I say that as former v.d.o mirror op,
where my experience revealed little concern over mirror operators.
The mirror in this instance seems to fall into one of two cases:
1) Security by Obscurity plus possible unknown foo.
2) Bored opers having fun.
I would think that neither of those cases immediately passes muster
with concerned security-minded folks. And, just because you are OK
with it, it doesn't mean I have to be. ;-)
-Jim P.