
Re: ssl security desaster (was: Re: SSH keys: DSA vs RSA)


On Tue, 27 May 2008 at 1:09, Colin Watson wrote:
> On Thu, May 15, 2008 at 09:15:57AM -0700, Mike Bird wrote:
> > The rollout of information and updates was appalling - even adding in
> > the material from Ubuntu the information was piecemeal and inadequate
> > to properly secure systems within the limited time before crackers
> > might be expected to have exploits.
> I think part of the problem here was that the coordinated release date
> for the advisory was simply too soon after the relevant parties were
> notified.

Ahem, is it your idea of security to make it secret (like Microsoft often
does)? It is never ever a good idea to make security issues secret or to
protract them.

And in this special case it was easy to fix the problem very fast when
the advisory came out.

> but I think an extra day or two on the embargo period would very
> likely have produced a better result.

It is never a good idea to set an embargo period for a security issue.
This is more valid for the scope of this big security problem!

Altogether I must say it was very professional and fast how the Debian
security team and others handled the problem. Don't
lower them by arguing with snake oil that the reaction was too fast!
It can never be fast enough.

   Klaus Ethgen
-- 
Klaus Ethgen                            http://www.ethgen.de/
pub  2048R/D1A4EDE5 2000-02-26 Klaus Ethgen <Klaus@Ethgen.de>
Fingerprint: D7 67 71 C4 99 A6 D4 FE  EA 40 30 57 3C 88 26 2B

