Mailinglist Archive: opensuse-security (195 mails)

Re: [suse-security] Security announcements
  • From: cogNiTioN <cognition@xxxxxxxxxxx>
  • Date: Mon, 6 Mar 2000 00:25:19 +0000 (GMT)
  • Message-id: <Pine.LNX.4.10.10003060010210.3066-100000@xxxxxxxxxxxxxxxxx>
On Mon, 6 Mar 2000, Jussi Laako wrote:
> cogNiTioN wrote:
> > Isn't it the SysAdmin's job (among others) to be quick in responding to
> > security announcements?
>
> Sure is, but smaller companies cannot afford ~6 sysadmins needed for the
> 24/7/365...

Small companies need 6 admins? How small are these companies? I
admin/co-admin 3 servers in my spare time, in addition to lots of theatre
work and full time college. How many small companies have more than 3
servers (running different Linux distros, and soon different OSes)
connected to the net 24/7? It doesn't take 6 admins to look after a
server 24/7/365; a server doesn't need to be monitored 24 hours every day,
just at reasonable time intervals. It only takes one admin with a
reasonable amount of interest in the job. Not someone who treats it as any
other 9-5 job.

> > So what's the option? Only release security announcements during working
> > hours? Working hours in which time zone? A report released at 5pm
> > Friday, may not be read until 9am Monday (or Tues if it happens to be a
>
> That's why we should first release update (possibly binary) and after 24
> hours (or next monday) release source code patch and detailed information
> about the bug.

The above was meant as sarcasm. I believe a system admin shouldn't treat
the job as a 9-5 one. You don't treat the security of your building as a
9-5 job, so why should you treat a computer any differently. When you
leave your building for the night/weekend, it has video cameras that
record and store information. You don't go in on Monday, review the
contents of Friday's video and work out that the place got broken into, or
less maliciously, a lighting short circuit burnt the place down. You
install burglar alarms and smoke detectors, most likely connected to the
police or fire station.

> I'm viewing it from statistical point of view. Let's say that 10 crackers
> know about the vulnerability (if we don't announce it to whole world), it's
> not very likely that YOUR system gets hacked. But if we announce it, then
> about 1000 or 10000 crackers will know about it. Now it's much more likely
> that YOUR system gets hacked?
>
> Something like your password. You can't make it absolutely secure (even with
> biometrics), but it's darn bad luck if someone guesses it.

Passwords aren't secure. They're a trade off between ease and security.
You could run dental/fingerprint/DNA checks on everyone who uses your
system, but that would be impractical. I don't believe these proposals are
impractical.

/cog

