Re: Bad press again... decisions
On Mon, 29 Aug 2005, Paul Gear wrote:
... [ previous process/procedure snipped ]
> What makes you think that this didn't occur?
sounds like a normal thing .. good
> > joey and crew can't possibly examine, review, fix, verify all bugs
> > no matter how good of an expert security coder they were
>
> My point exactly. Which is why i can't understand why he'd even bother
> to question whether there was a vulnerability.
what one person or a group might consider a high-priority vulnerability may
not be a high-priority vulnerability to another
coders get tons of bug reports from tons of people ..
- you have to have a process to filter through all the reports
and work on them in a productive way ...
eg.... personally, ( it's just me ), i'd throw out all local exploits
simply because to me, that is a very low priority
- the most "trivial local exploit" is pull the power cord
(or the ethernet cable) which is a very very common problem and
occurrence
- when the secretary/ceo/cfo comes in at 8am, and finds out
their pc doesn't work, i don't want that "8am" phone call
that their pc died overnight ( due to the janitor )
which is more likely to happen than an outside cracker
breaking in to become root ( which already is a problem,
regardless of whether they can become root once they are in;
the fact that they got in is the problem... not the escalation )
- it's my view of how to deal with "local exploits" vs
other security issues, policy, procedures, process,
verification, bug fixes, manpower, budgets, etc, etc, etc
- security to me is: "can the cfo/ceo/theBoss keep working"
while the security crew is sleeping or in meetings
- there's probably 1,000 reported pending vulnerabilities each day...
( wild guess at some crazy numbers to deal with daily )
- prioritize it somehow, and unfortunately, some prioritization
will include how thorough the vulnerability and example
exploit code is and who reported it
- none of this is a "debian security issue" or "joey-n-crew"
c ya
alvin