non-disclosure of infrastructure problem a management issue?

Bruno Wolff III bruno at wolff.to
Mon Aug 25 14:46:29 UTC 2008


On Mon, Aug 25, 2008 at 08:57:13 -0500,
  Thomas Cameron <thomas.cameron at camerontech.com> wrote:
> 
> Prove it.  Tell me about *your* experience recovering from security
> breaches.  Tell me about how *you've* interfaced with law enforcement in

I used to be our InfraGard rep and helped put some of our server admins in
contact with someone at the FBI after an incident cost us a lot of people
time rebuilding the machines. The FBI took the information and it was probably
included in their aggregate stats, but that's all that came of that. (And
that's what they told us was most likely to be the result up front.)
Before that I used to deal with end user shell accounts getting hacked,
but those were usually not a big deal because they would only get end user
access. Also we had a hole in an identd server cause us problems about
10 years ago. In that case we didn't end up rebuilding the whole server.

> those cases.  Tell me about *your* experience with corporate
> requirements for recovery from such a breach.  Tell me about *your*

I work for an educational institution. Also the event happened about 5 years
ago and the climate, server usage and laws were different then. Today the
same kind of event on the follow-on to the system would cause us a lot more
grief.

> process and how it has been vetted by *your* legal department so that

I wasn't involved in the discussions between upper management and legal
for that incident, but I believe there were some.

> all interests - corporate, law enforcement and lastly community - are
> protected.  Now take all of that and throw it away, because the vetting
> process that the Fedora project has to go through is more than likely
> very different from yours.

Much different.

> > as shutting
> > down the servers was going to tip their hand in any case. It would have
> > given the community some information to act (or not) on.
> 
> In this case, the desires (and these are simply desires, not needs) of
> the community are rightly secondary to the legal requirements of the
> Fedora project, a project funded by a US corporation.

I disagree here. That may have been necessary in this case (we don't know
yet if it was law or policy blocking communication), but I do not think
it is right.

> The folks who spew about "woulda shoulda coulda" are in pretty much
> every case showing their asses here.  It's painfully obvious that
> they've never been through this kind of exercise.  I have.  I understand
> that the path to recovery from this kind of breach is incredibly
> painful, and there are numerous folks managing that recovery.

Those aren't the people being complained about. The infrastructure people
appear to have stepped up to try and get this cleaned up as fast as possible.

> Satisfying all of the stakeholders is pretty much impossible.  To
> blithely coach and criticize from your armchair is the height of hubris.

I am a stakeholder and I don't see any problem stating that my interests
weren't properly protected. With Fedora's stances on openness, I believed
they extended to security breaches as well. If they intend to act this way
to future incidents that is going to affect how I value participating in this
project. It may not be enough of a negative to switch, as Fedora is a very
good fit in other areas.

> Leave it to the professionals who run the Fedora infrastructure, they
> actually know what they are doing.

Again the infrastructure people aren't the ones being complained about.
