Re: non-disclosure of infrastructure problem a management issue?

Rahul Sundaram quoted Paul W. Frields:
> "If you've ever been involved in a security investigation, you already
> know that facts emerge over time.  With every disclosure there's a risk
> of getting those facts wrong,

If you don't know yet, then simply say that you don't know yet.

> or having to issue retractions. 

What about the announcement that no tampered packages were built for Fedora? 
Isn't that a retraction of the recommendation not to install packages? And 
what's wrong with that?

> Disclosure at an inappropriate time gives people the mistaken impression
> one is not being truthful, when that's not the case.

The first announcement gave me the impression that there was a technical 
problem, such as overloaded web servers or a crashed database or something. 
In retrospect it's obvious that when that announcement was written they 
already knew or at least suspected that there had been an intrusion. This 
gives me the impression that Paul W. Frields was not being truthful. He lied 
by telling half the truth.

"The closer to the truth, the better the lie, and the truth itself, when it 
can be used, is the best lie." – Preem Palver (Isaac Asimov)

> The disclosures we've made up to and including this point have been
> factual,

but misleading

> in the interest of protecting the security of our millions of 
> users,

You don't protect users' security by concealing a security issue as a 
technical problem. That's security by obscurity. Tell us that the issue has 
to do with security so that we have something to base our judgments on!

> and in the further interest of allowing proper investigation and 
> analysis of an ongoing matter.

And how exactly would investigation and analysis have been hindered if we had 
been told what kind of issue it was?

> As I stated in the announcement, I'll continue to provide information as
> it becomes available."

Did it really take a week before the information that the issue was related to 
security became available?

Björn Persson

Attachment: signature.asc
Description: This is a digitally signed message part.

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list