
Re: Debian Investigation Report after Server Compromises





  Hmmm.  A friend of mine works at a company with over 500 machines in the
field.  Many of them are customer facing.  There are more than 1
configuration on the servers.  He has to compile each config and run it
through a dev/test and a full regression before he can update any
production machines in the field.  Has he started the upgrade?  Yes, 2
of the kernels are in test now, 1 is in regression already.  It's likely
to be a month or so before all the kernels are ready, upgraded and
reboot time scheduled for maintenance windows.  And yes he's very
bothered by this.

  We talked about it and agree that it's much preferable that those who
might want to screw with his machines might have 1 less attack
available.  What would telling the world accomplish?  Would that make
the world a safer place?  Would holding the information back keep one or
more pissants at bay a while longer?

Your argument sounds like my 6yr old doing a "I want it now, I don't
care what your reasons are!!!!" soon followed by a temper tantrum.




Thus spake Paul Johnson (baloo@ursine.ca):

> On Tue, Dec 02, 2003 at 09:41:15PM +0000, Oliver Elphick wrote:
> > Because there will be lots of people who haven't yet had the chance to
> > upgrade.  They won't thank us for making an exploit available to every 
> > would-be cracker.
> 
> Why should we cater to people who can't be bothered to help
> themselves?  Leaving readily compromisable systems out there does the
> net a disservice.
> 
> -- 
>  .''`.     Paul Johnson <baloo@ursine.ca>
> : :'  :    
> `. `'`     proud Debian admin and user
>   `-  Debian - when you have better things to do than fix a system

:wq!
---------------------------------------------------------------------------
Robert L. Harris                     | GPG Key ID: E344DA3B
                                         @ x-hkp://pgp.mit.edu
DISCLAIMER:
      These are MY OPINIONS ALONE.  I speak for no-one else.

Life is not a destination, it's a journey.
  Microsoft produces 15 car pileups on the highway.
    Don't stop traffic to stand and gawk at the tragedy.
