Mailinglist Archive: opensuse-security (195 mails)

Re: [suse-security] Security announcements
  • From: Jussi Laako <jussi@xxxxxxxxxxxx>
  • Date: Mon, 06 Mar 2000 01:01:34 +0200
  • Message-id: <38C2E74E.45F095DC@xxxxxxxxxxxx>
cogNiTioN wrote:
>
> Isn't it the SysAdmin's job (among others) to be quick in responding to
> security announcements?

Sure is, but smaller companies cannot afford ~6 sysadmins needed for the
24/7/365...

> So what's the option? Only release security announcements during working
> hours? Working hours in which time zone? A report released at 5pm
> Friday, may not be read until 9am Monday (or Tues if it happens to be a

That's why we should first release an update (possibly binary) and after 24
hours (or next Monday) release a source code patch and detailed information
about the bug.

I'm viewing it from a statistical point of view. Let's say that 10 crackers
know about the vulnerability (if we don't announce it to the whole world), it's
not very likely that YOUR system gets hacked. But if we announce it, then
about 1000 or 10000 crackers will know about it. Now it's much more likely
that YOUR system gets hacked?

Something like your password. You can't make it absolutely secure (even with
biometrics), but it's darn bad luck if someone guesses it.

- Jussi Laako

--
PGP key fingerprint: 161D 6FED 6A92 39E2 EB5B 39DD A4DE 63EB C216 1E4B
Available at: ldap://certserver.pgp.com, http://keys.pgp.com:11371
