
Re: Bad press again... decisions



On Mon, 29 Aug 2005, Paul Gear wrote:

... [ prev process/procedure snipped ]
 
> What makes you think that this didn't occur?

sounds like a normal thing .. good 

> > joey and crew can't possibly examine, review, fix, verify all bugs
> > no matter how good of an expert security coder they were
> 
> My point exactly.  Which is why I can't understand why he'd even bother
> to question whether there was a vulnerability.

what one person or a group might consider a high-priority vulnerability may
not be a high-priority vulnerability to another

coders get tons of bug reports from tons of people ..
	- you have to have a process to filter through all the reports
	and work on them in a productive way ...

eg.... personally, ( it's just me ), I'd throw out all local exploits
	simply because to me, that is a very low priority

	- the most "trivial local exploit" is pulling the power cord
	(or the ethernet cable) which is a very very common problem and
	occurrence

	- when the secretary/ceo/cfo comes in at 8am, and finds out
	their pc doesn't work, I don't want that "8am" phone call
	that their pc died overnight ( due to the janitor )
	which is more likely to happen than an outside cracker
	breaking in to become root ( which already is a problem,
	regardless of whether they can become root once they are in,
	the fact that they got in is the problem... not the escalation )

	- it's my view of how to deal with "local exploits" vs
	other security issues, policy, procedures, process,
	verification, bug fixes, manpower, budgets, etc, etc, etc

	- security to me is: "can the cfo/ceo/theBoss keep working"
	while the security crew is sleeping or in meetings

- there's probably 1,000 reported pending vulnerabilities each day...
	( wild guess at some crazy numbers to deal with daily )

	- prioritize it somehow, and unfortunately, some prioritization
	will include how thorough the vulnerability and example
	exploit code is and who reported it

- none of this is a "debian security issue" or "joey-n-crew"

c ya
alvin
