Re: More hacked servers?

More or less.. I agree on almost every point you have made.
The extensive explanation you gave should, however, have been clear
when you tried pointing out the issue.. then the reaction
wouldn't have been so hostile (towards you).

Although I agree on the open response that is needed to reassure the
media/users/admins (but most of all) the managers that push the
administrators to the limit; most of the managers that have agreed on
implementing Debian into their so beloved (or hated) IT environment need,
besides the soothing words of their trustees (administrators), the media to
back their own "good" feeling about their choices.

If this is accomplished by being as open as possible, making the full audit
public to everyone on a large scale so that everybody can be amazed at how much
we can absorb when it comes to tech-info, I'm not sure.

The information, the in-depth information, should always be stacked in a
place where only the people that need the information can get it.
Hence the importance of the communication skills a system administrator
needs. Too much info can kill a conversation and/or even more.

It is up to the security team, who have the last say in this, to decide
what is going to be public. It's their, and our, responsibility to use that
information for the good of the Debian community, and our own situation
(business, private, education.. you name it).

If I wasn't interested, I wouldn't read all the information provided..
If I lack the knowledge to understand the information that is given to me,
I would ask somebody that does know to explain it to me, or educate
myself by reading to figure it out.


On Wed, Nov 26, 2003 at 02:13:22AM -0500, Jim Hubbard wrote:
> First of all, there's no need to be defensive.  I'm on your side!  I
> certainly didn't mean to suggest that anything would be hidden - why would
> it?  I only meant to suggest that the details of this incident (once they
> are all known) need to be made very public rather than being buried in a
> mailing list where only us geeks will see it.  In fact, it needs to be even
> more public than the report of the break in was.  Why?  Because the last
> news Joe Necktie heard about Debian is that it got hacked.  Now I know
> Debian doesn't own the media, but as Debian users, I think we can all help
> by pointing out the explanation, once it's given, to every geek news site we
> can find.
> Another poster asked why my confidence was shaken.  It's shaken because I
> guess I thought of kernel.org and debian.org to be among the last places
> anyone would ever successfully break into, even if that is a tad naive.
> Linus I think did a fairly decent job of explaining why the kernel.org break
> in didn't hurt anything, and I believe him, but personally I'd prefer more
> detail.  Debian has said that nothing was damaged here either, and I believe
> them too, but that's not the question.  The question is, does Joe Necktie
> believe them?  I think what would really be reassuring would be a nice
> report, or audit, or something describing how security works, and have that
> be a very prominent feature of every open source site.  The more people that
> put their faith in open source software, the more people are going to want
> to understand how open source sites make sure that open source code is
> protected from damage.
> -Jim
> ----- Original Message ----- 
> From: "Michael Stone" <mstone@debian.org>
> To: "Jim Hubbard" <jimh@xlproject.com>
> Cc: <debian-security@lists.debian.org>
> Sent: Tuesday, November 25, 2003 9:01 AM
> Subject: Re: More hacked servers?
> > On Sun, Nov 23, 2003 at 01:09:27AM -0500, Jim Hubbard wrote:
> > >After the Linux kernel server got hacked a few weeks ago, and now this
> > >successful attack at Debian, my confidence is shaken.  I hope we'll see full
> > >disclosure about exactly what happened and what's being done to prevent it.
> >
> > We were up-front in reporting the problem, so why would you suggest we
> > would hide things later?
> >
> > Mike Stone
> >