Hi Guys.

I would like to bounce an idea off the list which I think would be of value. I propose that SuSE set up a suse-security-announce-pending mailing list where SuSE would officially notify of pending problems in SuSE packages. Like most of you I receive a lot of email every day (Bugtraq, CERT, SuSE-Security, SAGE-AU, SLUG, and a dozen other application-specific mailing lists, plus of course my normal work and personal correspondence). Now of course I run _plenty_ of filters and everything is reasonably manageable; however, I am in the nice position that _every_ single piece of infrastructure I have under my control (with the exception of my routers, Sat Equipment, Load Balancers and 1 of my firewall levels) is SuSE Linux. To put it another way, every listening port on my network is on a SuSE box. Now I may be at the far end of the scale regarding SuSE's customers in this regard, but it would be very useful to me if I only _had_ to keep track of one mailing list to know if I have to disable some service or other until a fix comes out.

Now, I know that this is not too much extra work because invariably whenever something new hits BugTraq that affects SuSE, a question gets sent to SuSE-Security to ask if this affects SuSE or not.

Take the current outstanding issue with ucsnmpd for instance. The question has already been asked (and answered by Roman) as to whether SuSE is vulnerable or not. So as the time was taken by Roman to do this (and say that there is an update pending), I think this info should be sent to an announcement list as a matter of course as soon as an issue breaks. (If SuSE already has a patch ready due to coordination with other vendors etc., then it becomes unnecessary.)

As it was, I had already read about the SNMPD problem (and disabled it on servers where it could conceivably cause a problem) on 4 other mailing lists before the response from Roman.

As far as I'm concerned, the speed of _notification_ is more important than the speed at which a patch is released. I am quite comfortable disabling a service for days if necessary if I know there is a problem coming. Unfortunately, to have this choice I currently have to wade through BugTraq etc. every morning rather than just keeping an eye on a single low-traffic SuSE mailing list and leaving my BugTraq reading until lunchtime/weekends etc.

This idea is obviously of less use to people who run more heterogeneous networks than I do, but as I'm sure SuSE would love to have more companies in my situation, this is something that should be looked at.

Any comments?

-- Viel Spaß Peter Nixon - nix@susesecurity.com SuSE Security FAQ Maintainer http://www.susesecurity.com/faq/ "If you think cryptography will solve the problem, then you don't understand cryptography and you don't understand your problem."
* Peter Nixon;
Hi Guys.
This idea is obviously of less use to people who run more heterogeneous networks than I do, but as I'm sure SuSE would love to have more companies in my situation, this is something that should be looked at.
100% supported -- Togan Muftuoglu Unofficial SuSE FAQ Maintainer http://dinamizm.ath.cx
Hi Peter! On Wed, 13 Feb 2002, Peter Nixon wrote:
Hi Guys.
[snip...]
Any comments?
Couldn't agree more. Ciao, Roland main(int k,char**p){char*q=p[2];float i,j,r,x,y,a=*q++/4;for(y=a;--y>- a;puts(""))for(x=0;x++<*q;putchar(p[1][k%9]))for(i=k=r=0;j=r*r-i*i+(x/ *q*q[2]-q[1])/40,i=2*r*i+y/q[3],j*j+i*i<11&&++k<99;r=j);}
On Wednesday 13 February 2002 14:50, Peter Nixon wrote:
I would like to bounce an idea off the list which I think would be of value. I propose that SuSE set up a suse-security-announce-pending mailing list where SuSE would officially notify of pending problems in SuSE packages. Like most of you I receive a lot of email every day (Bugtraq, CERT, SuSE-Security, SAGE-AU, SLUG, and a dozen other application-specific mailing lists, plus of course my normal work and personal correspondence). <snip> Now, I know that this is not too much extra work because invariably whenever something new hits BugTraq that affects SuSE, a question gets sent to SuSE-Security to ask if this affects SuSE or not. Any comments?
Rather than yet another list, however, I wonder if security-announce couldn't be used, where some installations might take precautions, if a workaround exists, before rpm updates are finished. IIRC some info has already been issued in the past in this way. The difficulty, however, is that folk will expect Roman and team to be on the ball 24/7, and also someone is bound to ask questions on this list before any time has elapsed to allow a response to be cleared. Rob
Hi list, I am administering ~25 machines running SuSE and most of them are connected to the internet in one way or the other. Peter's suggestion makes a lot of sense to me - wading through several security mailing lists every morning slowly becomes a full-time job (and I can't spend that much time just on security issues). Anyway, I like the idea of a suse-security-announce-pending mailing list. I am aware of the fact that this means extra work for someone at SuSE, but at least you guys have a bigger team than me ;-) I am convinced that such a list will make life for many customers easier. Peter Nixon wrote:
Hi Guys.
I would like to bounce an idea off the list which I think would be of value. I propose that SuSE set up a suse-security-announce-pending mailing list where SuSE would officially notify of pending problems in SuSE packages. Like most of you I receive a lot of email every day (Bugtraq, CERT, SuSE-Security, SAGE-AU, SLUG, and a dozen other application-specific mailing lists, plus of course my normal work and personal correspondence).
[....rest deleted .....]
Any comments?
Yes, I like the idea and I hope others will comment on it too ;-) Erwin -- Erwin Zierler | web- / host- / postmaster - stubainet.at | erwin.zierler@stubainet.at / webmaster@stubainet.at | Tel.: 0 5225 - 64325 Fax 99 Mobil: 0664 - 130 67 91
Peter,

You are right about the problem, but personally I think a new mailing list would be using a sledgehammer to crack a walnut. The existing suse-security-announce list is very low traffic and would still be low traffic if once a week or so there were a summary of outstanding problems. The summary should also be put on the web site with the security alerts.

I also think SuSE should consider finding someone less technical to do this. Roman and colleagues do a fantastic job preparing the updates, but I get the impression they are sometimes too busy with the next burning issue to finish off the boring publicity work for the last problem. Ideally there should be someone with technical writing skills who knows how to install a system who has the responsibility of making sure customers get the information they need on security matters. That person would, for example, make sure that every security update had an associated announcement (which sadly does not always happen at the moment).

I know... such people are like gold dust and SuSE have to save money like everyone else. But there's no harm in asking...

Bob

On Wed, 13 Feb 2002, Peter Nixon wrote:
Hi Guys.
[snip...]
============================================================== Bob Vickers R.Vickers@cs.rhul.ac.uk Dept of Computer Science, Royal Holloway, University of London WWW: http://www.cs.rhul.ac.uk/home/bobv Phone: +44 1784 443691
Peter,
You are right about the problem, but personally I think a new mailing list would be a using a sledgehammer to crack a walnut. The existing suse-security-announce list is very low traffic and would still be low traffic if once a week or so there were a summary of outstanding problems. The summary should also be put on the web site with the security alerts.
I also think SuSE should consider finding someone less technical to do this. Roman and colleagues do a fantastic job preparing the updates but I get the impression they are sometimes too busy with the next burning issue to finish off the boring publicity work for the last problem. Ideally there should be someone with technical writing skills who knows how to install a system who has the responsibility of making sure customers get the information they need on security matters. That person would for example make sure that every security update had an associated announcement (which sadly does not always happen at the moment).
I know...such people are like gold dust and SuSE have to save money like everyone else. But there's no harm in asking...
Actually, all members of the SuSE security team know exactly that all good security work requires publicity, and we do not consider this an overhead, more a necessary thing to do. And, for my side, I kind of like the contact with the people, which is also why I am present on this list, catching up ideas, wishes and suggestions of all kinds, hoping to be able to improve the processes in general.

I have been following the thread and thought about it for a while, and I think it is a very beautiful idea. There are just some little things that keep us from doing it: time and money. You can't hire a person in charge of publicity work and then feed him all day with stuff that needs to be published - the overhead is too much, since that person must know her way around not only in security, operating system design and deep insights into the SuSE products, but also proper language usage (communication skills). I think with the current setup, we (Thomas, Sebastian, Marc and myself) have these capabilities and we can do that on our own, because we keep track of what's going on in the security field (which is extremely busy these days, unfortunately). Since this is very time consuming at best, our current resource situation does not allow for such a publishing effort.

While we are constantly improving our internal processes, we will keep this idea in mind, and I am confident that there will be a solution for it. For the time being, I am sorry to say that such a service might not be affordable for SuSE without this thing becoming a subscription service that customers pay for. Security processes are expensive if you buy them in the industry, because the people providing the service have high expenses as well. The price of a sole SuSE Linux product such as SuSE Linux 7.3 will not be enough.
As I said, we are thinking about it, communicating it internally.
Thanks for the discussion!
Roman.
--
| Roman Drahtmüller
participants (7)
- Bob Vickers
- Erwin Zierler - stubainet.at
- Peter Nixon
- Robert Davies
- Roland Kuhn
- Roman Drahtmueller
- Togan Muftuoglu