non-disclosure of infrastructure problem a management issue?

Thomas Cameron thomas.cameron at camerontech.com
Mon Aug 25 13:57:13 UTC 2008



On Sun, 2008-08-24 at 16:55 -0500, Bruno Wolff III wrote:
> On Sun, Aug 24, 2008 at 12:46:59 -0500,
>   Thomas Cameron <thomas.cameron at camerontech.com> wrote:
> >
> > is foolish and irresponsible to announce anything about that breach. Had 
> > Paul said "Hey all, we've gotten hacked and we don't know how badly or 
> > how they got in or what the damage is" he'd have been eaten alive, and 
> > rightly so.  Instead he took a very reasonable approach, apparently  
> 
> In your opinion? It seems like many of the people in this thread would
> have liked him to have said something to that effect in the first
> message. That was not going to damage any ongoing investigation 

Prove it.  Tell me about *your* experience recovering from security
breaches.  Tell me about how *you've* interfaced with law enforcement in
those cases.  Tell me about *your* experience with corporate
requirements for recovery from such a breach.  Tell me about *your*
process and how it has been vetted by *your* legal department so that
all interests - corporate, law enforcement and lastly community - are
protected.  Now take all of that and throw it away, because the vetting
process that the Fedora project has to go through is more than likely
very different from yours.

> as shutting
> down the servers was going to tip their hand in any case. It would have
> given the community some information to act (or not) on.

In this case, the desires (and these are simply desires, not needs) of
the community are rightly secondary to the legal requirements of the
Fedora project, a project funded by a US corporation.

The folks who spew about "woulda shoulda coulda" are in pretty much
every case showing their asses here.  It's painfully obvious that
they've never been through this kind of exercise.  I have.  I understand
that the path to recovery from this kind of breach is incredibly
painful, and there are numerous folks managing that recovery.
Satisfying all of the stakeholders is pretty much impossible.  To
blithely coach and criticize from your armchair is the height of hubris.

Leave it to the professionals who run the Fedora infrastructure, they
actually know what they are doing.

-- 
Thomas