cogNiTioN wrote:
Isn't it the SysAdmin's job (among others) to be quick in responding to security announcements?
Sure is, but smaller companies cannot afford ~6 sysadmins needed for the 24/7/365...
So what's the option? Only release security announcements during working hours? Working hours in which time zone? A report released at 5pm Friday, may not be read until 9am Monday (or Tues if it happens to be a
That's why we should first release an update (possibly binary) and after 24 hours (or next Monday) release the source code patch and detailed information about the bug. I'm viewing it from a statistical point of view. Let's say that 10 crackers know about the vulnerability (if we don't announce it to the whole world); it's not very likely that YOUR system gets hacked. But if we announce it, then about 1000 or 10000 crackers will know about it. Now it's much more likely that YOUR system gets hacked. Something like your password: you can't make it absolutely secure (even with biometrics), but it's darn bad luck if someone guesses it.

- Jussi Laako

--
PGP key fingerprint: 161D 6FED 6A92 39E2 EB5B 39DD A4DE 63EB C216 1E4B
Available at: ldap://certserver.pgp.com, http://keys.pgp.com:11371