Re: non-disclosure of infrastructure problem a management issue?
2008/8/24 Frank Cox [EMAIL PROTECTED]:
> Disclosure doesn't sabotage forensic evidence. I can tell you that there is blood on this shoe without having any effect at all on the blood that's on the shoe.

Actually there is a long history of police forces withholding vital details of a crime in order to, say, detect whether a person is:
- a fraud, because they don't know some detail that the perpetrator of the crime alone would likely know
- guilty, because they inadvertently reveal a detail that the perpetrator of the crime alone would likely know

--
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Re: non-disclosure of infrastructure problem a management issue?
Frank Cox wrote:
> On Mon, 25 Aug 2008 13:08:21 +0800 Ed Greshko [EMAIL PROTECTED] wrote:
>>> Nobody here wishes Fedora any ill. If we did, we wouldn't be here.
>> You can't assume that...
> I sincerely hope that I can, Ed. Starry-eyed as it may sound, I always try to think the best of people. Really.

Remind me not to recommend you for any position related to security.
Re: non-disclosure of infrastructure problem a management issue?
I think most of us were more peeved about not getting a *clear* warning, promptly, and wanting to know whether it really was a safety issue (do not download) or just broken servers (downloads may fail).

They didn't say hardware, they didn't say source code control or other distribution software, they didn't say specific packages or distros, they didn't run around screaming, "Chicken Little was right! The sky is falling. RUN FOR THE HILLS!"

So we should have assumed that there was some ambiguous state typical of a breach discovered in the early stages. From the information so far, that's what it was, and the post-mortem in such cases does take time.

Joel Rees
Re: non-disclosure of infrastructure problem a management issue?
On Mon, 2008-08-25 at 03:11 -0700, Craig White wrote:
> I fully expect that the reason that they took the system off-line 10 days ago was a clear indication of their doubt of the sanctity of the packages and they didn't put it back online until they felt that they knew the extent of the compromise.

We were all guessing about that sort of thing, because we had to. But a wonky system would be just as likely an explanation for why a server was offline, even for a prolonged period. Yes, I know there's other risks, etc., but that warning was just bad.

Put the shoe on the other foot. The infrastructure could have had a plain old fault and gone off-line, and we could have been speculating all over the place about security breaches, hacks, and been completely wrong.

Heck, my ISP's file server has been rather ill over the last few days, their mail server has always been. There's no security reasons behind it that any of us are aware of, just bad management.

--
[EMAIL PROTECTED] ~]$ uname -r
2.6.25.14-108.fc9.i686

Don't send private replies to my address, the mailbox is ignored. I read messages from the public lists.
Re: non-disclosure of infrastructure problem a management issue?
Jeff Spaleta:
> communication problems are not equivalent to trust issues.

Tim:
> To many, they are.

Jeff Spaleta:
> Those people are wrong

In your opinion... I say that you're quite wrong about trying to disassociate the two of them. Being upfront and honest is what engenders trust. Being cagey, even if not being dishonest, breeds distrust.

Seriously, people do not trust someone who keeps things from them. Why do you find that hard to understand?

--
[EMAIL PROTECTED] ~]$ uname -r
2.6.25.14-108.fc9.i686

Don't send private replies to my address, the mailbox is ignored. I read messages from the public lists.
Re: non-disclosure of infrastructure problem a management issue?
* Les Mikesell [EMAIL PROTECTED] [20080825 03:08]:
> Jeff Spaleta wrote:
>> Did we have a communication problem? Maybe.
> You make it sound like it was something in the past.

I'd say a week and a half ago fits squarely in the definition of past.

> Does anyone know yet whether or not the intrusion was due to a software vulnerability in code we are all running?

You *assume* that this may be the case. You are aware that social engineering is one of the most common entry vectors, right? Not saying that is what it was, just pointing out that when you start making assumptions based on not knowing where you are, or where you are going, you're likely going to end up more lost than when you started.

> More relevant, does someone know this when the rest of us still don't?

And your point being? Those investigating the incident are likely going to know most (besides the perpetrator) and there will likely be legal constraints on what they can and cannot say. (Or they'd have said something by now.) Law's a bitch like that you know. The majority of us just live with it. You may want to write your congress representative to have the law changed so it's not considered interfering with ongoing investigations, divulging random things to a select few loudmouths shouting "Open Source! Community!" Just a thought...

/Anders
Re: non-disclosure of infrastructure problem a management issue?
On Sun, 2008-08-24 at 23:07 -0600, Frank Cox wrote:
> Nobody can take any protective measures short of switching everything to another distribution entirely without that sort of information in hand.

Are protective measures even required? We don't know that either.

To be blunt, you don't even know if switching distros would fix the problem. If the fault lay with software common to both, you wouldn't improve your situation. You'd need to know where the vulnerability lies to make that sort of decision.

--
[EMAIL PROTECTED] ~]$ uname -r
2.6.25.14-108.fc9.i686

Don't send private replies to my address, the mailbox is ignored. I read messages from the public lists.
Re: non-disclosure of infrastructure problem a management issue?
* Jeff Spaleta [EMAIL PROTECTED] [20080825 05:53]:
> On Sun, Aug 24, 2008 at 7:39 PM, Frank Cox [EMAIL PROTECTED] wrote:
>> On Sun, 24 Aug 2008 19:37:02 -0800 Jeff Spaleta [EMAIL PROTECTED] wrote:
>>> Unfortunately, while a policy for future incidents would be nice, I don't set it as a priority item at this time.
>> When your house is burning down, you don't send out an RFQ for fire sprinkler systems.
> Oh you've taken Apocalyptic Allegories 101? I took advanced Rhetorical Rhetoric. This should be fun.
> I also do not stand in the way of the fire fighters and ask them questions as to what's happening while they are putting the fire out.

What Frank is after is more akin to standing in the way of the fire fighters, demanding to know what they are going to do about the house burning to the ground behind his back and tell him *immediately* why the house is on fire! The worrying part is Frank's total lack of understanding about the nature of the issue and frightening inability to understand the explanations given to him.

> Nor do I do it to the fire investigators who poke around in the ashes trying to figure out what's wrong. And last time I set a house on fire, it took weeks for the fire department to confidently determine that it was arson... and that was just a house fire. When I blew up that chemical plant that one time, it took months to finally determine the cause.

Don't worry Jeff, Frank will totally ignore you here, or miss the point you are making. If he actually gets it this time, I owe you a beer.

/Anders
Re: non-disclosure of infrastructure problem a management issue?
On Mon, 25 Aug 2008 18:42:03 +0930, Tim wrote:
> On Mon, 2008-08-25 at 03:11 -0700, Craig White wrote:
>> I fully expect that the reason that they took the system off-line 10 days ago was a clear indication of their doubt of the sanctity of the packages and they didn't put it back online until they felt that they knew the extent of the compromise.
> We were all guessing about that sort of thing, because we had to. But a wonky system would be just as likely an explanation for why a server was offline, even for a prolonged period. Yes, I know there's other risks, etc., but that warning was just bad.
> Put the shoe on the other foot. The infrastructure could have had a plain old fault and gone off-line, and we could have been speculating all over the place about security breaches, hacks, and been completely wrong.

In one of the announcements (or a reply to it) a detailed time line of the incident was promised. Let's wait for the details!

Fact is, however, they discovered something -- they called it "issues", unfortunately -- and decided it to be severe enough to take offline several servers. Most interesting will be to learn what exactly they discovered and in which order (at Fedora *and* Red Hat, either at once or independent from each other, but in the same week). What evidence led to the decision to switch off essential servers, but refer to it as just "issues"?
Re: non-disclosure of infrastructure problem a management issue?
On Mon, Aug 25, 2008 at 6:46 AM, Bruno Wolff III [EMAIL PROTECTED] wrote:
> I am a stakeholder and I don't see any problem stating that my interests weren't properly protected. With Fedora's stances on openness, I believed they extended to security breaches as well.

You have just stated an uncommunicated expectation on performance. That belief needs to be part of a guiding process document that all the stakeholders can agree to abide by.

> If they intend to act this way to future incidents that is going to affect how I value participating in this project.

If the community doesn't do the work to put a Fedora specific incident reporting policy in place that meets its own needs... then this could very well happen again and be handled in a way that the community didn't expect. There's no guarantee that this will happen again when the same individuals are in place to remember any personal lessons learned from this one. I sure as hell hope to not be 'in pocket' the next time something like this happens.

Without a policy document in place, we run the risk of different people blamelessly repeating history they personally did not live. Can't really expect people to have read the specific griping in this thread, several years later. The expectation on incident reporting performance must be documented and agreed to as part of a workable process for the Project. If that doesn't happen, if you don't help make that happen, then there's no justifiable reason to expect things to be different next time. Voicing a concern in a meandering mailing list thread is not crafting sustainable project policy.

-jef
Re: non-disclosure of infrastructure problem a management issue?
Anders Karlsson wrote:
> * Les Mikesell [EMAIL PROTECTED] [20080825 16:06]:
>> Thomas Cameron wrote:
>>> I understand that the path to recovery from this kind of breach is incredibly painful, and there are numerous folks managing that recovery.
>> Knowing that, doesn't it bother you that your system is very likely vulnerable to the same exploit - and that there are people who know how to do it?
> You are making assumptions Les. You don't know how the perpetrator gained access. (Well, I am assuming you don't, but if you do, feel free to enlighten the rest of us.)

Agreed - I don't know. And that's a problem when someone else does know how to break into our systems - or we haven't been told that it was an inside job.

> Until it's disclosed how (and where, when and why) - getting worked up over it is wasted energy.

So is pretending that there is no reason to be concerned.

> Congratulations on the very selective quoting as well.

It doesn't make any sense to point out how serious a problem a break-in is and then say everyone should just ignore it and go about their business.

--
Les Mikesell
[EMAIL PROTECTED]
Re: non-disclosure of infrastructure problem a management issue?
On Mon, Aug 25, 2008 at 07:57:34 -0800, Jeff Spaleta [EMAIL PROTECTED] wrote:
> Without a policy document in place, we run the risk of different people blamelessly repeating history they personally did not live. Can't really expect people to have read the specific griping in this thread, several years later. The expectation on incident reporting performance must be documented and agreed to as part of a workable process for the Project. If that doesn't happen, if you don't help make that happen, then there's no justifiable reason to expect things to be different next time. Voicing a concern in meandering mailinglist thread is not crafting sustainable project policy.

Do you think you could get a copy of the process document that was used in this incident (or perhaps a redacted version of it) that we could use as a starting point?
Re: non-disclosure of infrastructure problem a management issue?
On Mon, Aug 25, 2008 at 9:40 AM, Bruno Wolff III [EMAIL PROTECTED] wrote:
> Do you think you could get a copy of the process document that was used in this incident (or perhaps a redacted version of it) that we could use as a starting point?

I know of no Fedora specific process document. I very much doubt that I can reach into Red Hat and pull the corporate policy as a reference. I don't even have confirmation that we were following Red Hat's policy as written. As far as I know what happened was a best effort compromise at community disclosure that even Red Hat's policy doesn't cover specifically. Just assume we are starting from scratch because how to handle this in a community sensitive way has never come up for serious discussion.

-jef
Re: non-disclosure of infrastructure problem a management issue?
* Les Mikesell [EMAIL PROTECTED] [20080825 19:39]:
> Anders Karlsson wrote:
>> You are making assumptions Les. You don't know how the perpetrator gained access. (Well, I am assuming you don't, but if you do, feel free to enlighten the rest of us.)
> Agreed - I don't know. And that's a problem when someone else does know how to break into our systems - or we haven't been told that it was an inside job.

But that is pretty much the normal state of affairs! Any given OS has vulnerabilities (and if you argue that one - I'll be very surprised). There will be someone somewhere that works out how to exploit one of the vulnerabilities - and I can pretty much guarantee that the person ain't you. So the de-facto state of affairs is:
* Someone else knows how to break in to your system

Now - are you a big enough and prestigious enough target? Is there financial gain in attacking you? Is it easy enough to gain access to your systems to add them to a botnet? If you take reasonable and sensible precautions (i.e. make yourself a hard enough target to break in to) then you will be quite safe. This is standard practice.

According to statistics, the majority of security breaches (I've heard numbers saying 80% - but I have no way to verify them) are inside jobs. Social engineering to gain access is also a common method, as it's an easy way to break in (look at Kevin Mitnick). If you are panicking over the current situation - you should have been in a state of panic six months ago, and still be in a state of panic in another six months.

>> Until it's disclosed how (and where, when and why) - getting worked up over it is wasted energy.
> So is pretending that there is no reason to be concerned.

Yes - so keep your pants on and await further details before working yourself up. Now is the time to perhaps be a little more alert (the world needs more lerts) than normal, and just have patience to await further news.

>> Congratulations on the very selective quoting as well.
> It doesn't make any sense to point out how serious a problem a break-in is and then say everyone should just ignore it and go about their business.

Actually, I think it does. Nothing has been said about how the perpetrator got in, and I expect that to remain under wraps for some time to come. There is an investigation ongoing. That unauthorised access was had is pretty serious. So read something like cert.org to see if there are things to worry about. That's where all the disclosed vulnerabilities usually end up. If by "ignore it" you infer that we're saying "pretend it didn't happen", you have not understood what's been said. Do I want to know what happened - yes. Will I harass the investigators to find out - no. (Hell, I'm still waiting to find out who shot JFK...)

/Anders
Re: non-disclosure of infrastructure problem a management issue?
On Sat, Aug 23, 2008 at 11:44:15PM +0200, Bjørn Tore Sund wrote:
> Nifty Fedora Mitch chose attack as the best defense:
>> On Fri, Aug 22, 2008 at 10:36:21AM +1200, Clint Dilks wrote:
>> Bjoern Tore Sund wrote:
>> It has now been a full week since the first announcement that Fedora had infrastructure problems and to stop updating systems. Since then there have been two updates to the announcement, none of which have modified the "don't update" advice and none of which has been specific as to the exact nature of the problems. At one point we received a list of servers, but not services, which were back up and running.
>> The University of Bergen has 500 linux clients running Fedora. We average one reinstall/fresh install per day, often doing quite a lot more. Installs and reinstalls have had to stop completely, nightly updates have stopped, and until the nature of the problem is revealed we don't even know for certain whether it is safe for our IT staff to type admin passwords to our (RHEL-based, for the most part) servers from these work stations.
>> With 500 clients?
> So far. Got about 250 laptops coming into the system this autumn, as soon as we have the setup and config regime properly structured and able to handle it. Should be ready sometime in September.
>> Are you pulling updates from the internet or are you pulling from a local cache of tested updates?
> I have often wished we had the manpower to do the latter. Unfortunately, we don't, so the local mirror is exactly that, a mirror. One thing this incident has taught us is to take regular backups of that mirror so that we can roll back to a non-suspect version of the Fedora updates. Didn't have that before, really missed it the last couple of weeks.

Thank you for the reply. Your site setup sounds very well managed and I now understand your concern and original post much better. Other readers of this list should take a lesson on how to manage a large community of machines and users.

This event does present the community with some eye opening perspectives with regard to the chain of resources that we depend on. For example, using 'rsync' for mirror management could quickly and silently update the global set of mirrors with bad files almost overnight. If keys were hacked and hosts near the tip of the tree silently compromised it might go undetected for some time.

Weeks ago I would have suggested running a mirror without the --delete flag as the only 'special flag' not in common use. Now it appears that some sort of way to freeze packages once they have been pulled makes sense. One quick local action is to have a local check sum file set that can be used to verify that 'old' packages do not change in the local mirror. rsync and friends could then be enhanced to understand a 'gold frozen' list.

As I ponder an 'rsync' tree of mirrors I continue to think that RH did the correct thing. Still, having said that, I too would have liked more information. But, in my limited experience with law enforcement and security groups the rule seems to be to say nothing, which is exactly what happened. Sadly the Linux community is not without its bad actors as we in the SF Bay area learned with the recent conviction of HR.

Interesting stuff

--
T o m  M i t c h e l l
Got a great hat... now what.
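The 'gold frozen' checksum list Tom Mitchell describes above is straightforward to build locally. The following is an added example written for this page; it is not code from the thread, from Fedora infrastructure or from rsync. It records a SHA-256 digest for every file already present in a mirror tree into a manifest, never overwrites an existing entry, and on later runs reports any frozen file that has changed or disappeared while allowing new files to arrive. The package file names, payloads, the `gold.json` manifest path and the `mirror_freeze.py` script name are all constructed for the demonstration.

```python
"""Frozen ("gold") manifest check for a local package mirror.

Added example for this thread, not Fedora infrastructure code and not a
feature of rsync: it implements the "check sum file set" idea so that
packages already pulled into a local mirror can be shown not to have
changed on later syncs. File names, paths and payloads below are
constructed for the demonstration.
"""
from __future__ import annotations

import hashlib
import json
import sys
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large RPMs do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan(root: Path) -> dict[str, str]:
    """Map each regular file under root (relative POSIX path) to its digest.
    Symlinks are skipped: mirrors use them for aliases and they carry no payload."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and not p.is_symlink()
    }


def freeze(root: Path, manifest: Path) -> int:
    """Record digests for files not yet in the manifest. Existing entries are
    never rewritten, so a later sync cannot quietly 'refreeze' a changed file.
    Returns the number of newly frozen files."""
    frozen = json.loads(manifest.read_text()) if manifest.exists() else {}
    new = {rel: d for rel, d in scan(root).items() if rel not in frozen}
    frozen.update(new)
    manifest.write_text(json.dumps(frozen, indent=1, sort_keys=True))
    return len(new)


def verify(root: Path, manifest: Path) -> dict[str, list[str]]:
    """Compare the mirror against the frozen manifest.
    modified: frozen files whose content differs (the silent-rewrite case)
    missing:  frozen files that disappeared (e.g. an rsync run with --delete)
    new:      files present but not yet frozen (normal growth, allowed)"""
    frozen = json.loads(manifest.read_text())
    current = scan(root)
    return {
        "modified": sorted(r for r, d in frozen.items() if r in current and current[r] != d),
        "missing": sorted(r for r in frozen if r not in current),
        "new": sorted(r for r in current if r not in frozen),
    }


def mirror_is_clean(report: dict[str, list[str]]) -> bool:
    """New files are fine; any modified or missing frozen file is a failure."""
    return not report["modified"] and not report["missing"]


def demo() -> dict[str, list[str]]:
    """Constructed scenario in a temporary directory: freeze two fake packages,
    then simulate an upstream sync that rewrites one and adds a third."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "mirror"
        updates = root / "updates"
        updates.mkdir(parents=True)
        (updates / "foo-1.0-1.fc9.noarch.rpm").write_bytes(b"constructed payload A")
        (updates / "bar-2.0-1.fc9.noarch.rpm").write_bytes(b"constructed payload B")
        manifest = Path(tmp) / "gold.json"   # keep this OUTSIDE the rsync'd tree
        freeze(root, manifest)
        # a later "sync": one frozen file silently changes, one new file arrives
        (updates / "foo-1.0-1.fc9.noarch.rpm").write_bytes(b"constructed payload A, altered")
        (updates / "baz-3.0-1.fc9.noarch.rpm").write_bytes(b"constructed payload C")
        return verify(root, manifest)


if __name__ == "__main__":
    # usage: mirror_freeze.py MIRROR_DIR MANIFEST [freeze]   (no args: run the demo)
    if len(sys.argv) < 3:
        print(demo())
        sys.exit(0)
    root, manifest = Path(sys.argv[1]), Path(sys.argv[2])
    if len(sys.argv) > 3 and sys.argv[3] == "freeze":
        print(f"froze {freeze(root, manifest)} new file(s)")
    else:
        rep = verify(root, manifest)
        for kind in ("modified", "missing", "new"):
            for rel in rep[kind]:
                print(f"{kind}: {rel}")
        sys.exit(0 if mirror_is_clean(rep) else 1)
```

In use, `freeze` runs once after each sync whose contents you are willing to trust and `verify` runs after every sync before the mirror is exposed to clients; a non-zero exit from `verify` is the signal to stop serving and investigate. Three caveats a practitioner will want: the manifest must live outside the rsync'd tree (and ideally where the mirror's sync account cannot write), or the same silent update that rewrites a package can rewrite the manifest; repository metadata such as repodata changes legitimately on every sync, so freeze the package directories rather than the whole tree; and this only proves that what you already had has not been altered since, not that it was good to begin with, so it complements rather than replaces checking package signatures, particularly given the thread's own worry about compromised keys.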
Re: non-disclosure of infrastructure problem a management issue?
* Björn Persson [EMAIL PROTECTED] [20080824 01:38]:
> Anders Karlsson wrote:
> [snip]
>> That is a pretty strong statement to make. Not telling everything does not equate to lying - especially when what you are telling (or can tell) is true. And if all you have is an impression that he is not truthful, you concede that you have no evidence to the contrary as well. I think you owe Paul Frields an apology.
> It would be possible to convince me that he didn't mean to deceive. It would take an honest-sounding statement that he thought that everybody would understand that installing packages might be not only unsafe but actually insecure, and also a very good explanation of why he – or someone giving him orders – thought it was absolutely necessary to be so cryptic. It would be dishonest to apologize before I'm convinced.

Again you are making the assumption that the intent was to deceive or to not tell the truth. Paul Frields' actions speak louder than words and I have utmost respect for him. I stand by my previous e-mail, you owe Paul an apology (granted, take your time coughing it up) and you should read the book I pointed you at so you realise what these investigations entail.

/Anders
Re: non-disclosure of infrastructure problem a management issue?
On Sun, Aug 24, 2008 at 08:35:39AM +0900, Joel Rees wrote:
> It's one of the costs (and, actually, one of the benefits) of working with open source. With Proprietary you have guarantees. When they fall down on the job, or when other bad stuff happens, you can theoretically get some sort of compensation. But when you look at the record, the compensation you get isn't worth it.

I think your view ignores the fact that you *only* get guarantees on software if you make a contract for such, and even so they are called Service Level Agreements (SLAs). Software is copyright, so demanding guarantees is like demanding guarantees from a book. It can't be done. Now since SLAs may be bought regardless of the software license, you get SLAs with any company which is willing to sell them. Red Hat, for instance, is quite happy (I imagine) to sell you support with an SLA.

> With opensource, you have both the responsibility and the privilege to run your own install servers and backups. And you don't have the guarantees that seem to fool the bean counters.

No, that's merely Free Software without commercial support. You get to depend on your knowledge and the community's alone. The nicest thing about Free Software is that this pretty much works quite well, generally, and in special cases you can usually buy some commercial support from someone. With proprietary software you usually only get the commercial support (and frequently it sucks) and there's little community (if at all).

I'm pretty much opposed to the concept of guarantees on software in a general way, for it only favours proprietary software. Free Software would have to certify any change in order to provide guarantees, and that would kill the development model.

Rui

--
Fnord. Today is Sweetmorn, the 17th day of Bureaucracy in the YOLD 3174
+ No matter how much you do, you never do enough -- unknown
+ Whatever you do will be insignificant,
| but it is very important that you do it -- Gandhi
+ So let's do it...?
Re: non-disclosure of infrastructure problem a management issue?
Björn Persson asked:
> Bjørn Tore Sund wrote:
>> One thing this incident has taught us is to take regular backups of that mirror so that we can roll back to a non-suspect version of the Fedora updates. Didn't have that before, really missed it the last couple of weeks.
> How far would you have rolled it back? During the whole time that the Fedora repositories were suspect there was no information whatsoever on how old packages would have to be to be non-suspect. And while the infrastructure team either knew or suspected the whole time that the issue they were investigating was an intrusion, it probably did take some time before they knew how long the intrusion had been going on.

Sometimes you have all necessary information and can reach a well-founded conclusion. Sometimes you have to guess and hope for the best. When I have to guess because others are keeping information I need from me I'll postpone the guessing while I attempt to persuade said other of the error of their ways. But I'll still make that guess when all else fails.

-BT

--
Bjørn Tore Sund     Phone: 555-84894     Email: [EMAIL PROTECTED]
IT department       VIP: 81724           Support: http://bs.uib.no
Univ. of Bergen
When in fear and when in doubt, run in circles, scream and shout.
Re: non-disclosure of infrastructure problem a management issue?
max wrote:
> You had no idea there was a security issue? It was the first thing to cross my mind when I first saw the announcement. What else could it have been? Why else the cryptic message?

You're lucky to be that paranoid. Many people would call me paranoid if they knew what kind of security measures I take with my home computers, but apparently I'm not paranoid enough yet.

Can you answer the opposite question: Why the cryptic message? Can you think of a rational reason to avoid the word "security"? Something more concrete than just "legal issues"?

Björn Persson
Re: non-disclosure of infrastructure problem a management issue?
Björn Persson wrote:
> max wrote:
>> You had no idea there was a security issue? It was the first thing to cross my mind when I first saw the announcement. What else could it have been? Why else the cryptic message?
> You're lucky to be that paranoid. Many people would call me paranoid if they

You call it paranoia, I call it common sense. Do the math, I did. I felt that if it was anything but a security issue then they'd have come right out and said so. The only reason not to come out and say so boiled down to a handful of things. An ongoing investigation and/or uncertainty about what had happened. If you and others want to insist that it was just not wanting to own up to the incident then I have to assume you don't trust the Fedora Project. If you don't trust it then why use the product of its labor?

All this talk of obscurity is a bunch of bullshit when anyone with a grain of common sense would have come to the proper conclusion or suspicion, if you like, and done what needed doing at their end. The message set off the warning bells for me precisely because it avoided stating that it wasn't a security issue, others read it the same way. All things considered it's been handled to my satisfaction. The only thing that's been made clear is that the Fedora Project has a number of users who take it for granted.

> knew what kind of security measures I take with my home computers, but apparently I'm not paranoid enough yet.
> Can you answer the opposite question: Why the cryptic message? Can you think of a rational reason to avoid the word security? Something more concrete than just legal issues?

Once again we don't know the constraints imposed on them. Some are certainly caused by legal issues and what remains an ongoing investigation. Your opinion of US law is irrelevant, I've had my issues with it before as well but the law is the law. The point is that we don't have all the facts. The more important point is that you have used half the facts to indict Paul Frields. I am willing to concede that you might even be right Bjorn, but you have rushed to judgement before a reasonable amount of time has been given to carry out the investigation. You're being unfair.

--
Every form of addiction is bad, no matter whether the narcotic be alcohol, morphine or idealism. --Carl Jung
Re: non-disclosure of infrastructure problem a management issue?
On Sun, Aug 24, 2008 at 11:15:26 -0400, max [EMAIL PROTECTED] wrote:
> out and said so. The only reason not to come out and say so boiled down to a handful of things. An ongoing investigation and/or uncertainty about what had happened. If you and others want to insist that it was

And neither of those two reasons provides good cause for not notifying the community that there was an intrusion, that the extent of the damage was unknown, that the extent of the damage was being investigated and that until further information becomes available it would be prudent not to update packages without good cause.

> just not wanting to own up to the incident then I have to assume you don't trust the Fedora Project. If you don't trust it then why use the

The way the incident was handled doesn't inspire trust. Lots of other things the project does though.

> satisfaction. The only thing that's been made clear is that the Fedora Project has a number of users who take it for granted.

Or, alternatively, a project that takes its community for granted.

> Once again we don't know the constraints imposed on them. Some are certainly caused by legal issues and what remains an on going

If they had legal constraints on them for some reason, then I would expect that later they would explain what those constraints were and what they were going to do to make sure they weren't under them in the future.

> don't have all the facts. The more important point is that you have used half the facts to indict Paul Frields. I am willing to concede that you

Even if Paul could not have done more in this case, because he was legally handcuffed, there is still a problem. This is supposed to be a community distribution and there should have been more information provided to the community in a timely manner. This should be fixed for the next time something like this happens.
Re: non-disclosure of infrastructure problem a management issue?
max wrote:
> You call it paranoia, I call it common sense. Do the math, I did. I felt that if it was anything but a security issue then they'd have come right out and said so. The only reason not to come out and say so boiled down to a handful of things.

But doesn't a security issue usually imply that everyone else running the same software is vulnerable to the same intrusion? That is, the last thing you want to do is keep running with no updates.

> The only thing that's been made clear is that the Fedora Project has a number of users who take it for granted.

Do we know yet how the initial access to the machine was obtained? Ssh password-guessing or a more fundamental software problem that may still be a danger for others?

--
Les Mikesell
[EMAIL PROTECTED]
Re: non-disclosure of infrastructure problem a management issue?
Les Mikesell wrote:
> max wrote:
>> You call it paranoia, I call it common sense. Do the math, I did. I felt that if it was anything but a security issue then they'd have come right out and said so. The only reason not to come out and say so boiled down to a handful of things.
> But doesn't a security issue usually imply that everyone else running the same software is vulnerable to the same intrusion? That is, the

Maybe, but we don't know yet what exactly happened. My issue is not with saying it was handled badly. I would have preferred that more information was provided. That isn't what happened though and ultimately it comes down to a matter of trust. Second guessing the man on the ground is popular but unwise; people only assume they would have done better in the same situation but that is by no means certain. You're on the scene, you make a judgement call based on what you know and what you think best at the moment. Hindsight is always 20/20, having to make the call is harder by far, and I think accusing Paul Frields of intentionally deceiving us is going too far, especially without all the facts. This didn't happen last year, it's ongoing, taking place over the course of a couple of weeks, and it's only fair to allow time for a proper assessment of the situation. How many complaints would we have seen if it turned out to be a false alarm? How many would have blown away their systems and then cried that nothing should have been said until they were certain what had transpired?

> last thing you want to do is keep running with no updates.
>> The only thing that's been made clear is that the Fedora Project has a number of users who take it for granted.
> Do we know yet how the initial access to the machine was obtained? Ssh password-guessing or a more fundamental software problem that may still be a danger for others?

That is precisely the point, we don't know much. If users don't trust the Fedora Project then they should go elsewhere but I doubt they'll do any better. Some organizations won't even give a vague warning, never mind admit they've been cracked.

--
Fortune favors the BOLD
Re: non-disclosure of infrastructure problem a management issue?
Anders Karlsson wrote:
> * Björn Persson [EMAIL PROTECTED] [20080823 18:57]:
>> Rahul Sundaram quoted Paul W. Frields:
>>> [snip]
>>> Disclosure at an inappropriate time gives people the mistaken impression one is not being truthful, when that's not the case.
>> The first announcement gave me the impression that there was a technical problem, such as overloaded web servers or a crashed database or something. In retrospect it's obvious that when that announcement was written they already knew or at least suspected that there had been an intrusion. This gives me the impression that Paul W. Frields was not being truthful. He lied by telling half the truth.
> That is a pretty strong statement to make. Not telling everything does not equate to lying - especially when what you are telling (or can tell) is true. And if all you have is an impression that he is not truthful, you concede that you have no evidence to the contrary as well. I think you owe Paul Frields an apology.

It'll never happen, although I agree completely that it's due. The nay-sayers and gloom-speakers on this list are *much* more interested in bitching and moaning about how things have been handled wrong and they've been treated badly than actually being good members of the community. It makes me sick when I see this spew, and I want to (virtually) throttle these jackasses.

>>> [snip]
>>> As I stated in the announcement, I'll continue to provide information as it becomes available.
>> Did it really take a week before the information that the issue was related to security became available?
> I think you ought to read the book The Cuckoo's Egg by Clifford Stoll. Once you have read it and understood it, feel free to comment again on the issue at hand here.

See, there's the thing - the ones who bitch the loudest are usually the ones who understand the least. To actually encourage them to remedy their ignorance is just a waste of electrons. They seem to be happy in their wallow.

--
Thomas
Re: non-disclosure of infrastructure problem a management issue?
Björn Persson wrote:
> max wrote:
>> You had no idea there was a security issue? It was the first thing to cross my mind when I first saw the announcement. What else could it have been? Why else the cryptic message?
> You're lucky to be that paranoid. Many people would call me paranoid if they knew what kind of security measures I take with my home computers, but apparently I'm not paranoid enough yet. Can you answer the opposite question: Why the cryptic message? Can you think of a rational reason to avoid the word security? Something more concrete than just legal issues?

The whole point is that no one on this list except possibly Red Hat employees or Fedora board members can answer that. These are not stupid people. These are not dishonest people. They're not devious folks. These are the same folks from whom you consume a distribution, people who devote their careers to making OSS, specifically Fedora, work as well as it does. They do a really hard, mostly thankless job.

Recovery from a security breach is *very* hard work. You need to determine the attack vector, the extent of the breach, remediate the breach, rebuild damaged servers, restore data and services, notify anyone whose information might have been compromised, forensically analyze the systems, etc., etc., etc. All while trying to preserve any evidence which might be needed by any law enforcement agencies which have been involved. Oh, and until the full extent of the breach is determined, it is foolish and irresponsible to announce anything about that breach. Had Paul said "Hey all, we've gotten hacked and we don't know how badly or how they got in or what the damage is" he'd have been eaten alive, and rightly so. Instead he took a very reasonable approach, apparently disclosed as much as he could at the time, and warned folks as soon as he could to not trust updates.

But here you come from the outside and publicly call the head of the project a liar when you *clearly* do not have all the information. What arrogance. Congratulations, you've just landed at the top of the Asshole of the Year list. Welcome to my killfile, Björn.

--
Thomas
Re: non-disclosure of infrastructure problem a management issue?
max wrote:
> If you and others want to insist that it was just not wanting to own up to the incident

It doesn't seem likely that that was the reason. If they didn't want to admit that there had been an intrusion, then I don't think they would have sent out any warning at all. They did try to get a warning out, but they didn't want to say that it was about security. I don't know if they thought that everybody would be able to read between the lines, or if they thought that people wouldn't understand but would stop updating without knowing why, but either way I don't understand why they didn't tell us clearly what it was they were trying to warn us about.

> then I have to assume you don't trust the Fedora Project.

I did trust the Fedora project. Now I'm not so sure anymore.

> The only thing that's been made clear is that the Fedora Project has a number of users who take it for granted.

Take what for granted? The Fedora project's existence? Its security? Its openness? Yes, maybe I did take its openness for granted. There's been a lot of talk about openness and having the community involved on equal terms. I guess I believed it.

>> Can you answer the opposite question: Why the cryptic message? Can you think of a rational reason to avoid the word security? Something more concrete than just legal issues?
> Once again we don't know the constraints imposed on them. Some are certainly caused by legal issues and what remains an ongoing investigation. Your opinion of US law is irrelevant, I've had my issues with it before as well but the law is the law. The point is that we don't have all the facts.

In other words, no, you can't think of a plausible reason either.

> The more important point is that you have used half the facts to indict Paul Frields.

I have not accused Paul Frields of a crime. I pointed out that the extreme vagueness of his announcements, which he claimed had the purpose of avoiding the impression that he wasn't truthful, actually had the opposite effect on me. That's a failure to some degree if his intentions were honest. It's not a crime. I have also left the possibility open that someone else may have given him orders.

I didn't use anywhere near half the facts. I used two facts: That the issue was a security issue, and that this was not clearly stated in the first announcement.

> you have rushed to judgement before a reasonable amount of time has been given to carry out the investigation.

This is not about how long the investigation takes. It's about the lack of the word security in the first announcement. I fully understand that the investigation takes time. It did not, however, take this long to find out that the issue was a security issue. If you think I'm complaining that the investigation takes too long, then you haven't read what I've written.

Björn Persson
Re: non-disclosure of infrastructure problem a management issue?
2008/8/24 Björn Persson [EMAIL PROTECTED]:
> max wrote:
>> If you and others want to insist that it was just not wanting to own up to the incident
> It doesn't seem likely that that was the reason. If they didn't want to admit that there had been an intrusion, then I don't think they would have sent out any warning at all. They did try to get a warning out, but they didn't want to say that it was about security. I don't know if they thought that everybody would be able to read between the lines, or if they thought that people wouldn't understand but would stop updating without knowing why, but either way I don't understand why they didn't tell us clearly what it was they were trying to warn us about.
>> then I have to assume you don't trust the Fedora Project.
> I did trust the Fedora project. Now I'm not so sure anymore.
>> The only thing that's been made clear is that the Fedora Project has a number of users who take it for granted.
> Take what for granted? The Fedora project's existence? Its security? Its openness? Yes, maybe I did take its openness for granted. There's been a lot of talk about openness and having the community involved on equal terms. I guess I believed it.
>>> Can you answer the opposite question: Why the cryptic message? Can you think of a rational reason to avoid the word security? Something more concrete than just legal issues?
>> Once again we don't know the constraints imposed on them. Some are certainly caused by legal issues and what remains an ongoing investigation. Your opinion of US law is irrelevant, I've had my issues with it before as well but the law is the law. The point is that we don't have all the facts.
> In other words, no, you can't think of a plausible reason either.

And I have the sense not to speculate without the full facts. Why is giving Fedora the benefit of the doubt so hard?

>> The more important point is that you have used half the facts to indict Paul Frields.
> I have not accused Paul Frields of a crime.

You called him a liar. Laws can be silly and violating a silly law, if it is in fact silly, is still a crime officially. Calling someone a liar isn't a crime but it's worse than withholding information, especially when you don't know what he is or isn't at liberty to discuss. This also involves Red Hat and not the Fedora Project alone.

> I pointed out that the extreme vagueness of his announcements, which he claimed had the purpose of avoiding the impression that he wasn't truthful, actually had the opposite effect on me. That's a failure to some degree if his intentions were honest. It's not a crime. I have also left the possibility open that someone else may have given him orders.

You called him a liar.

> I didn't use anywhere near half the facts. I used two facts: That the issue was a security issue, and that this was not clearly stated in the first announcement.

You're right, I gave you too much credit when I said half the facts.

>> you have rushed to judgement before a reasonable amount of time has been given to carry out the investigation.
> This is not about how long the investigation takes. It's about the lack of the word security in the first announcement. I fully understand that the investigation takes time. It did not, however, take this long to find out that the issue was a security issue. If you think I'm complaining that the investigation takes too long, then you haven't read what I've written.

The only issue I have with anything you've said is your assertion that Paul Frields intentionally deceived us. You made this statement without being fully acquainted with the facts; we still do not have them all. If you think I have no issues with how this was handled then how about I accuse you of being obtuse. I have no interest in debating it further, say what you will, you made an error in judgment.

--
Sometimes I wonder if God has a sense of humor. Then I see the coverage of the 2008 campaign and I know for sure God has a great sense of humor!!
Re: non-disclosure of infrastructure problem a management issue?
On Sun, Aug 24, 2008 at 9:20 AM, Bruno Wolff III [EMAIL PROTECTED] wrote:
> The way the recent compromise was handled was not a good example of how a truly open project should have handled such an incident. It took a week before a statement was issued admitting a compromise. That should have been part of the very first announcement.

You want it handled better in the future? Then write a draft process that will withstand the scrutiny of legal on how to handle situations such as this as transparently as possible. It's easy to look back at this specific incident and second guess how it was handled. But that's not good enough to do that.. not even close. We aren't going to build a policy around the chatter over this one incident. If you want to see sensitive issues handled better in the future, then stand up a strawman for a transparent process that can be generally applied to sensitive issues. A transparent process that deals with legal issues must balance caution with disclosure. I believe that an incident response process itself can be transparent, even if the full details can not be publicly disclosed instantaneously due to legal constraint. And rest assured that whatever process that is will never satisfy all disclosure demands. But if we as a community haven't put in the work to build a process that guides the actions taken in a crisis situation that meets legal constraints, then we as a community have no right to sit back and second guess the actions of any individuals who have to stand in the middle of a crisis and make a judgement call.

You want things to be better? You want to have the right to hold up the actions of our leadership to your opinions on how things should be done? Then create the process document which is meant to guide their actions before they have to step in and take action. If that process document doesn't meet legal scrutiny... then you get to do it again and again and again..until it does. I don't expect the first such draft to meet the necessary legal scrutiny. I expect that this will take non-trivial effort and a few rounds of dialogue to get legal and community on the same page as to what is achievable as a transparent process that doesn't trip over a legal landmine.

And while I haven't talked to Paul personally about this, I'm pretty sure that he is between a rock and a hard place when it comes to satisfying both the perceived needs of community and the strictures of legal constraints in this matter. So are the other people who have been working on the infrastructure to resolve the issue. And we as a community are only going to make it easier for Paul or other leadership if we find a way to get a process document into the hands of Legal and start hammering out how to handle this sort of crap with more transparency moving forward. To expect any individual to make a judgement call in the time of need that attempts to infer the consensus opinion of the larger community is ridiculous. Such consensus opinion must be formed and communicated before the need for action occurs.

And if this community moves forward and starts to put a process document together, then those of you in the community who have had to deal with situations like this in the past need to be involved, to educate those other people in the community who do not comprehend the nature of the legal constraints. I'm going to strongly suggest that if the first draft of such a transparent process document doesn't attempt to address the community's perception of what the legal constraints are, but instead reads as a bald demand for instant disclosure, then you haven't done your job at creating a useful starting point for a dialogue on the issue, and you'll have squandered an opportunity to increase process transparency.

-jef
Re: non-disclosure of infrastructure problem a management issue?
On Sun, 24 Aug 2008 11:27:47 -0800 Jeff Spaleta [EMAIL PROTECTED] wrote:
> the full details can not be publicly disclosed instantaneously due to legal constraint

This I simply don't understand. If I am minding my own business and walking to the post office, and Joe Bloggs walks up to me and punches me in the nose, I think I'm perfectly within my rights to tell my friends and everyone else who wants to listen that Joe Bloggs punched me in the nose. On the other hand, if I want to date Joe Bloggs' sister I might tell people who ask me how I got a broken nose that I can't tell them. But that's not legal reasons, that's simply my personal choice to keep quiet about it.

Why should this be any different? Either something happened, or it did not. If something happened, then the facts will either be released, or not. I don't see how vague, unspecified legal reasons could stop anyone from discussing their involvement unless there is some contractual issue involved, in which case the person(s) involved in enforcing the contract are the ones who are in a position to provide the facts.

"I realize that this contract says that I'm not supposed to talk about this, but in these circumstances perhaps we should make an exception."

"I agree. Here is a written waiver of the relevant contract provisions."

Problem solved.

--
MELVILLE THEATRE ~ Melville Sask ~ http://www.melvilletheatre.com
Re: non-disclosure of infrastructure problem a management issue?
* Frank Cox [EMAIL PROTECTED] [20080824 21:42]:
> On Sun, 24 Aug 2008 11:27:47 -0800 Jeff Spaleta [EMAIL PROTECTED] wrote:
>> the full details can not be publicly disclosed instantaneously due to legal constraint
> This I simply don't understand.

You do not need to understand, you just need to accept that this is the case. You may not like it (I don't particularly, but I realise the need for it), and you are within your right to voice your opinion.

> If I am minding my own business and walking to the post office, and Joe Bloggs walks up to me and punches me in the nose, I think I'm perfectly within my rights to tell my friends and everyone else who wants to listen that Joe Bloggs punched me in the nose. On the other hand, if I want to date Joe Bloggs' sister I might tell people who ask me how I got a broken nose that I can't tell them. But that's not legal reasons, that's simply my personal choice to keep quiet about it.

You are describing two situations that are worlds apart. Comparing apples and oranges is not going to all of a sudden make you right.

> Why should this be any different? Either something happened, or it did not. If something happened, then the facts will either be released, or not.

In due time. Patience is a virtue and all that. In another post, Paul Frields pointed at a thread that explains the situation.

> I don't see how vague, unspecified legal reasons could stop anyone from discussing their involvement unless there is some contractual issue involved, in which case the person(s) involved in enforcing the contract are the ones who are in a position to provide the facts. I realize that this contract says that I'm not supposed to talk about this, but in these circumstances perhaps we should make an exception. I agree. Here is a written waiver of the relevant contact provisions. Problem solved.

If you are volunteering to spend all the years in jail on behalf of those involved in the investigation that you are asking to interfere in a criminal investigation - I guess that some sort of deal can be accommodated with the courts. (And yes, I'm taking the piss now as the discussion is beyond farcical.)

Facts - not petty demands or ludicrous speculation - will emerge in due time and when appropriate, and I still think that The Cuckoo's Egg should be a mandatory read before people start demanding instant disclosure.

/Anders
Re: non-disclosure of infrastructure problem a management issue?
On Sun, 2008-08-24 at 13:41 -0600, Frank Cox wrote:
> On Sun, 24 Aug 2008 11:27:47 -0800 Jeff Spaleta [EMAIL PROTECTED] wrote:
>> the full details can not be publicly disclosed instantaneously due to legal constraint
> This I simply don't understand.

Anybody who has had extensive dealings with lawyers knows that they tend to err on the side of caution at any time. When a publicly traded company is involved, that's even more true. Whether Red Hat and Fedora could have acted differently is a debatable point. But that Red Hat acted as it did is not surprising. Just because a corporation is open source, it doesn't stop being a corporation.

--
Bruce Byfield 604-421-7177
Burnaby, BC, Canada
web: http://members.axion.net/~bbyfield
blog: http://brucebyfield.wordpress.com/
Re: non-disclosure of infrastructure problem a management issue?
On Sun, 24 Aug 2008 22:09:09 +0200 Anders Karlsson [EMAIL PROTECTED] wrote:
> * Frank Cox [EMAIL PROTECTED] [20080824 21:42]:
>> On Sun, 24 Aug 2008 11:27:47 -0800 Jeff Spaleta [EMAIL PROTECTED] wrote:
>>> the full details can not be publicly disclosed instantaneously due to legal constraint
>> This I simply don't understand.
> You do not need to understand, you just need to accept that this is the case. You may not like it (I don't particularly, but I realise the need for it), and you are within your right to voice your opinion.

If I simply need to accept, then it's not open and saying that this is an open process or a community is merely pretty window-dressing.

>> If I am minding my own business and walking to the post office, and Joe Bloggs walks up to me and punches me in the nose, I think I'm perfectly within my rights to tell my friends and everyone else who wants to listen that Joe Bloggs punched me in the nose. On the other hand, if I want to date Joe Bloggs' sister I might tell people who ask me how I got a broken nose that I can't tell them. But that's not legal reasons, that's simply my personal choice to keep quiet about it.
> You are describing two situations that are worlds apart. Comparing apples and oranges is not going to all of a sudden make you right.

They are both a crime. One affects me, and one affects many people around the globe, in ways that we still are unaware of due to a lack of factual disclosure. I'd say that the second situation is even more worthy of open discussion and full disclosure than the first.

>> Why should this be any different? Either something happened, or it did not. If something happened, then the facts will either be released, or not.
> In due time. Patience is a virtue and all that.

Unfortunately, there are many people who have systems that may or may not be affected by this issue and many of those systems do important stuff. At least, stuff that's important to their owners and that's the part that counts. My house might be burning down. We'll call the fire department to check it out in due time. Patience is a virtue.

> In another post, Paul Frields pointed at a thread that explains the situation.

"We aren't going to tell you because we aren't telling you yet" isn't an explanation. It's a tautology.

> If you are volunteering to spend all the years in jail

I couldn't volunteer even if I wanted to. I don't have the facts, and I have no way to obtain them. So that's not even a choice that's on the table. Accordingly, it's an irrelevant point.

> Facts - not petty demands or ludicrous speculation - will emerge in due time and when appropriate

Now would be past time. Last week would be an appropriate time.

> , and I still think that The Cuckoo's Egg should be a mandatory read before people start demanding instant disclosure.

Shall I recommend a few good books for you to read before you call that fire truck as well? I have a fairly extensive library and I'm sure I can find something for you.

--
MELVILLE THEATRE ~ Melville Sask ~ http://www.melvilletheatre.com
Re: non-disclosure of infrastructure problem a management issue?
On Sun, 2008-08-24 at 15:04 -0600, Frank Cox wrote:
>>> Why should this be any different? Either something happened, or it did not. If something happened, then the facts will either be released, or not.
>> In due time. Patience is a virtue and all that.
> Unfortunately, there are many people who have systems that may or may not be affected by this issue and many of those systems do important stuff. At least, stuff that's important to their owners and that's the part that counts.

Just curious Frank... if you don't trust Fedora Project people to do the right thing, why are you installing it on any of your computers?

Craig
Re: non-disclosure of infrastructure problem a management issue?
On Sun, 24 Aug 2008 13:19:03 -0700 Bruce Byfield [EMAIL PROTECTED] wrote:
> On Sun, 2008-08-24 at 13:41 -0600, Frank Cox wrote:
>> On Sun, 24 Aug 2008 11:27:47 -0800 Jeff Spaleta [EMAIL PROTECTED] wrote:
>>> the full details can not be publicly disclosed instantaneously due to legal constraint
>> This I simply don't understand.
> Anybody who has had extensive dealings with lawyers knows that they tend to err on the side of caution at any time. When a publicly traded company is involved, that's even more true.

In this case, I think err is an appropriate word.

> Whether Red Hat and Fedora could have acted differently is a debatable point.

And we're debating it.

> But that Red Hat acted as it did is not surprising. Just because a corporation is open source, it doesn't stop being a corporation.

But when a corporation claims to be host to a community, they need to be called on the carpet by that community when they fail to act appropriately. Ultimately, of course, there isn't much the so-called community or its members can do other than either abandon the corporation and go its (their, or his) own way, but less drastic action like a public ass-kicking can sometimes have a beneficial effect too.

--
MELVILLE THEATRE ~ Melville Sask ~ http://www.melvilletheatre.com
Re: non-disclosure of infrastructure problem a management issue?
* Frank Cox [EMAIL PROTECTED] [20080824 23:11]:
> On Sun, 24 Aug 2008 13:19:03 -0700 Bruce Byfield [EMAIL PROTECTED] wrote:
>> On Sun, 2008-08-24 at 13:41 -0600, Frank Cox wrote:
>>> On Sun, 24 Aug 2008 11:27:47 -0800 Jeff Spaleta [EMAIL PROTECTED] wrote:
>>>> the full details can not be publicly disclosed instantaneously due to legal constraint
>>> This I simply don't understand.
>> Anybody who has had extensive dealings with lawyers knows that they tend to err on the side of caution at any time. When a publicly traded company is involved, that's even more true.
> In this case, I think err is an appropriate word.

If you are suggesting err as in fail, you're the one failing IMHO.

>> Whether Red Hat and Fedora could have acted differently is a debatable point.
> And we're debating it.

Flogging a dead horse is more like it.

>> But that Red Hat acted as it did is not surprising. Just because a corporation is open source, it doesn't stop being a corporation.
> But when a corporation claims to be host to a community, they need to be called on the carpet by that community when they fail to act appropriately. Ultimately, of course, there isn't much the so-called community or its members can do other than either abandon the corporation and go its (their, or his) own way, but less drastic action like a public ass-kicking can sometimes have a beneficial effect too.

Please define "act appropriately". I think you'll be hard pushed to find *real* lawyers (instead of the IANAL variant that seems to be thirteen to the dozen around here) claiming that Red Hat has acted inappropriately in this instance. If you however by "appropriately" mean "before we know anything, we'll trample all over evidence, disclose anything and everything, totally sabotaging any forensic and/or criminal investigation", then I guess you may be right. When disclosure does happen, I'll be delighted to see a similar public arse-kicking of the ones that were all for breaking process (legal or sensible).

/Anders
Re: non-disclosure of infrastructure problem a management issue?
On Sun, 2008-08-24 at 15:15 -0600, Frank Cox wrote:
> On Sun, 24 Aug 2008 14:09:53 -0700 Craig White [EMAIL PROTECTED] wrote:
>> just curious Frank...if you don't trust Fedora Project people to do the right thing, why are you installing it on any of your computers?
> I've been using it for some time and it generally works quite well. I'm currently engaged in a debate regarding the appropriate level of disclosure that should be undertaken in view of an apparent security breach. My hope is that my contribution to this debate will be beneficial and help to provide guidance to the community when formulating an appropriate response to the current and any future situations. Thanks for asking.

There are circles where my opinion doesn't count and undoubtedly, this is one of them. Given that Fedora relies upon Red Hat servers for these things, it's not completely a community issue - in fact, it's clear that Red Hat has their own interests which trump Fedora's interests. Of course the Fedora Project board members are the first line of thought/responsibility for Fedora Project interests and there is a symbiotic relationship with Red Hat.

I suppose you can drive the debate as long or as far as you wish but as someone who once had some boxes compromised (a long time ago before I fully understood firewalls), there's a lot of things to deal with and informing clients - especially when the full extent is unknown - is not a terribly attractive prospect and definitely lower on the priority scale than auditing the problem and obviously fixing the problem.

Craig
Re: non-disclosure of infrastructure problem a management issue?
On Sun, 24 Aug 2008 23:34:38 +0200 Anders Karlsson [EMAIL PROTECTED] wrote:
> Please define "act appropriately".

"Act appropriately" in this particular situation means this: "We have an open process here, and this matter may have an effect on the community members. Therefore we will provide all the facts to the community as we discover them and we will ensure that the community is at least as well informed about the issue as we are in-house."

> I think you'll be hard pushed to find *real* lawyers (instead of the IANAL variant that seems to be thirteen to the dozen around here) claiming that Red Hat has acted inappropriately in this instance.

The first reaction to anything bad happening is "I'd better call my lawyer"? That's sad.

> If you however by "appropriately" mean "before we know anything, we'll trample all over evidence, disclose anything and everything, totally sabotaging any forensic and/or criminal investigation", then I guess you may be right.

Disclosure doesn't sabotage forensic evidence. I can tell you that there is blood on this shoe without having any effect at all on the blood that's on the shoe.

--
MELVILLE THEATRE ~ Melville Sask ~ http://www.melvilletheatre.com
Re: non-disclosure of infrastructure problem a management issue?
On Sun, Aug 24, 2008 at 11:38 PM, Craig White [EMAIL PROTECTED] wrote:
> On Sun, 2008-08-24 at 15:15 -0600, Frank Cox wrote:
> > On Sun, 24 Aug 2008 14:09:53 -0700 Craig White [EMAIL PROTECTED] wrote:
> > > just curious Frank...if you don't trust Fedora Project people to do the right thing, why are you installing it on any of your computers?
> > I've been using it for some time and it generally works quite well. I'm currently engaged in a debate regarding the appropriate level of disclosure that should be undertaken in view of an apparent security breach. My hope is that my contribution to this debate will be beneficial and help to provide guidance to the community when formulating an appropriate response to the current and any future situations. Thanks for asking.
> There are circles where my opinion doesn't count and undoubtedly, this is one of them. Given that Fedora relies upon Red Hat servers for these things, it's not completely a community issue - in fact, it's clear that Red Hat has their own interests which trump Fedora's interests.

Took awhile to degenerate down to pure RedHat bashing. Not that there is any evidence to support what you're saying here.

What a lot of people seem to not get is that of course their opinion counts, but when you present your opinion in a way that seems like purely complaints, it's hard to make use of it.

--
Fedora 7 : sipping some of that moonshine ( www.pembo13.com )
Re: non-disclosure of infrastructure problem a management issue?
On Sun, Aug 24, 2008 at 16:44:08 -0500, Arthur Pemberton [EMAIL PROTECTED] wrote:
> Took awhile to degenerate down to pure RedHat bashing. Not that there is any evidence to support what you're saying here.

Saying Fedora's involvement with Redhat might be tied up with why information was not released to the Fedora community in a timely manner isn't Redhat bashing.

> What a lot of people seem to not get is that of course their opinion counts, but when you present your opinion in a way that seems like purely complaints, it's hard to make use of it.

Well right now we aren't being told exactly why we aren't being given appropriate information, so it is hard to add more than say what kind of information we expect to be getting.
Re: non-disclosure of infrastructure problem a management issue?
On Sun, 24 Aug 2008 21:38:18 -0700 Craig White [EMAIL PROTECTED] wrote:
> there's a lot of things to deal with and informing clients - especially when the full extent is unknown - is not a terribly attractive prospect and definitely lower on the priority scale

But you weren't standing on a soapbox labelled "community" when this happened. A community leader has different and more extensive responsibilities than an individual or someone who is the leader of a strictly private enterprise. Those responsibilities are to the members of the community.

--
MELVILLE THEATRE ~ Melville Sask ~ http://www.melvilletheatre.com
Re: non-disclosure of infrastructure problem a management issue?
On Sun, Aug 24, 2008 at 12:46:59 -0500, Thomas Cameron [EMAIL PROTECTED] wrote:
> is foolish and irresponsible to announce anything about that breach. Had Paul said "Hey all, we've gotten hacked and we don't know how badly or how they got in or what the damage is" he'd have been eaten alive, and rightly so. Instead he took a very reasonable approach, apparently

In your opinion? It seems like many of the people in this thread would have liked him to have said something to that effect in the first message. That was not going to damage any ongoing investigation as shutting down the servers was going to tip their hand in any case. It would have given the community some information to act (or not) on.
Re: non-disclosure of infrastructure problem a management issue?
On Sun, Aug 24, 2008 at 22:09:09 +0200, Anders Karlsson [EMAIL PROTECTED] wrote:
> You do not need to understand, you just need to accept that this is the case.

In theory at least, Fedora is an open project and we don't have to just accept the status quo. If it isn't actually an open project then it would be nice to know that too, as accurate information will help people make better decisions on whether or not to participate in the project.

> If you are volunteering to spend all the years in jail on behalf of those involved in the investigation that you are asking to interfere in a criminal investigation - I guess that some sort of deal can be accommodated with the courts. (And yes, I'm taking the piss now as the discussion is beyond farcical.)

Any criminal investigation is unlikely to produce anything worthwhile. While it is probably too late (and because Redhat was involved it might not have been an option) I would have preferred they ditch any criminal investigation in preference to keeping the community informed about what was going on with minimal lag time.
Re: non-disclosure of infrastructure problem a management issue?
On Sun, 2008-08-24 at 15:11 -0600, Frank Cox wrote:
> On Sun, 24 Aug 2008 13:19:03 -0700 Bruce Byfield [EMAIL PROTECTED] wrote:
> > But that Red Hat acted as it did is not surprising. Just because a corporation is open source, it doesn't stop being a corporation.
> But when a corporation claims to be host to a community, they need to be called on the carpet by that community when they fail to act appropriately. Ultimately, of course, there isn't much the so-called community or its members can do other than either abandon the corporation and go its (their, or his) own way, but less drastic action like a public ass-kicking can sometimes have a beneficial effect too.

My point is, you can hardly expect a corporation to act as anything except a corporation. Open source corporations exist, but "open source" being used as a qualifier suggests that they are an exception, not the norm, just as "compassionate conservatism" does. Expecting a corporation to act like a community project is simply unrealistic, even when the corporation hosts a community. If, say, Debian acted as Red Hat did, I would be deeply disappointed, because it is completely community-based.

The combination of corporation and community embodied in Red Hat/Fedora often works very well on a daily basis, but it's not really surprising that interests should conflict occasionally -- or that, in these circumstances, that actions should be based primarily on corporate needs.

As for a public ass-kicking, if you really want to do something effective (as opposed to indulging in self-righteousness), I suggest you contact Red Hat and Fedora officials directly, not merely vent in forums.

--
Bruce Byfield 604-421-7177
Burnaby, BC, Canada
web: http://members.axion.net/~bbyfield
blog: http://brucebyfield.wordpress.com/
Re: non-disclosure of infrastructure problem a management issue?
On Sun, Aug 24, 2008 at 11:27:47 -0800, Jeff Spaleta [EMAIL PROTECTED] wrote:
> I'm going to strongly suggest that if the first draft of such a transparent process document doesn't attempt to address the community's perception of what the legal constraints are..but instead reads as a bald demand for instant disclosure. Then you haven't done your jobs at creating a useful starting point for a dialogue on the issue.. and you'll have squandered an opportunity to increase process transparency.

Maybe we need to do something to reduce the legal constraints on the process. At some point perhaps the leadership will be able to explain how legal considerations got entangled with the Fedora part of the breach and we can make some changes to avoid that entanglement in the future.
Re: non-disclosure of infrastructure problem a management issue?
On Sun, 24 Aug 2008 16:05:11 -0700 Bruce Byfield [EMAIL PROTECTED] wrote:
> it's not really surprising that interests should conflict occasionally -- or that, in these circumstances, that actions should be based primarily on corporate needs.

And it shouldn't be surprising that they are being called on it.

> As for a public ass-kicking, if you really want to do something effective (as opposed to indulging in self-righteousness), I suggest you contact Red Hat and Fedora officials directly, not merely vent in forums.

That's what the Fedora Board (or whatever its official name is) is for. They should be front-and-center right now handling the public ass-kicking on behalf of the community.

--
MELVILLE THEATRE ~ Melville Sask ~ http://www.melvilletheatre.com
Re: non-disclosure of infrastructure problem a management issue?
On Sun, 2008-08-24 at 15:42 -0600, Frank Cox wrote:
> The first reaction to anything bad happening is "I'd better call my lawyer"? That's sad.

If you look into American law, you'll see that, as a publicly traded company, Red Hat is required to act in certain ways. So what is sad (or surprising) about the fact that, faced with a crisis, the company should call in its lawyers? Its executives hardly want to make the situation worse by neglecting something that they can be held legally liable for later on.

In situations like this, you can't really think in terms of how an individual might act. Although the legal fiction is that corporations are people, practically speaking they clearly are not.

--
Bruce Byfield 604-421-7177
Burnaby, BC, Canada
web: http://members.axion.net/~bbyfield
blog: http://brucebyfield.wordpress.com/
Re: non-disclosure of infrastructure problem a management issue?
Bruce Byfield wrote:
> As for a public ass-kicking, if you really want to do something effective (as opposed to indulging in self-righteousness), I suggest you contact Red Hat and Fedora officials directly, not merely vent in forums.

Actually, that's not a bad idea. The company I work for has paid subscriptions with RedHat, and we're considering buying a few more for another product that could be lucrative for them. I don't think an inquiry about their security practices is out of line. I'll ping our account rep. tomorrow.

--Russell
Re: non-disclosure of infrastructure problem a management issue?
On Sun, 24 Aug 2008 16:13:17 -0700 Bruce Byfield [EMAIL PROTECTED] wrote:
> If you look into American law, you'll see that, as a publicly traded company, Red Hat is required to act in certain ways.

Perhaps a long-term solution would be for Fedora servers to be managed by a non-profit corporation that's incorporated in a country other than the US. Where, what and exactly how is left as an exercise for the reader. But there was a call for suggestions and in the absence of real information about the exact nature of the problem, a suggestion as vague as the above is about as good as it's going to get.

--
MELVILLE THEATRE ~ Melville Sask ~ http://www.melvilletheatre.com
Re: non-disclosure of infrastructure problem a management issue?
On Sun, Aug 24, 2008 at 2:23 PM, Russell Miller [EMAIL PROTECTED] wrote:
> I think (and it's just my opinion) that most here would simmer down and be content if they were at least sure that RedHat had taken the community into consideration and that there were valid concerns that trumped that.

And how exactly do you propose as a mechanism "to be sure" that community was considered? What is it gonna take, having a randomly selected user shadow the CEO every day making sure he's not penning an internal memo that specifically reads "everyone, think of 10 ways to screw the Fedora users today..and have the lists on my desk by 5 pm sharp or you will get docked an hour's pay."

The fact that Paul was hired out of the at-large community specifically to be the FPL lead, because he was active in the community, instead of shuffling the deckchairs inside Red Hat doesn't say enough about Red Hat's commitment to community consideration? Paul suddenly became the enemy of community when before he was hired he was its champion? Honestly I don't know of anything more significant than that that a corporate entity can do to show they are committed to the community.

There is absolutely no question in my mind that Red Hat thinks about community when it's making decisions which impact Fedora. None. Call me a shill if you like. But I'm sitting here outside the fenceline and I'm not going to walk away over this.

Did we have a communication problem? Maybe. But communication problems are not equivalent to trust issues. But considering that was a first of its kind event for us as a project, I don't think it's necessarily unexpected to see some miscommunication. I don't think any of us, either inside Red Hat or outside had talked through how this sort of thing should be handled. I don't remember a serious public discussion about how to deal with communication of an event like this before having an event like this.

And I'm not going to let the assumption stand that to do things differently should have been obvious to those in a position to deal with the information. We aren't going to get anywhere by wringing our hands at how this specific was (mis)handled. Certainly attempting to assign blame towards someone as to miscommunication isn't going to help with the dialogue that should happen to prevent future miscommunication. If people want things to be better, if god forbid something like this happens again, then a serious effort to write a communication process has to be written up and it must be agreeable to legal as a workable process that won't set off any legal liability landmines.

-jef

I keep coming back to thinking of Fedora project as a marriage between Red Hat and the community... and in that light comparing it to the day to day workings of my own marriage. Miscommunications happen. What is obvious to one spouse, isn't so to the other. But when I am miscommunicated to, I don't assume it was done out of malice or neglect or a disregard for my feelings. Miscommunications happen because different people have different priorities and thus see things in different ways, it's as simple as that. But when it happens, and when it's over something that is important to me..which truthfully is pretty much every little thing...then I make the effort to better communicate my own point of view and expectations in a way that attempts to show sincere interest in better communication. Instead of in a way that is biased with frustration, anger or entitlement...instead of assuming that the other person in the partnership should just automatically know where I'm coming from.

In that way I don't think it's fair to automatically assume that everyone who Paul has to deal with inside Red Hat automatically 'gets it' when it comes to the needs of the community. Not because they don't believe in the community..but because they focus primarily on the needs of the corporation and so prioritize things differently. And it's not going to help Paul make his case if we hammer at this issue from the community side with frustration, anger and entitlement. We have to find a more sincere positive voice to communicate the process we'd like to see, and we have to communicate a process that addresses what we perceive are the roadblocks to disclosure from the corporate point of view.

spaleta
Re: non-disclosure of infrastructure problem a management issue?
On Sun, 2008-08-24 at 17:05 -0600, Frank Cox wrote:
> On Sun, 24 Aug 2008 16:05:11 -0700 Bruce Byfield [EMAIL PROTECTED] wrote:
> > it's not really surprising that interests should conflict occasionally -- or that, in these circumstances, that actions should be based primarily on corporate needs.
> And it shouldn't be surprising that they are being called on it.
> > As for a public ass-kicking, if you really want to do something effective (as opposed to indulging in self-righteousness), I suggest you contact Red Hat and Fedora officials directly, not merely vent in forums.
> That's what the Fedora Board (or whatever its official name is) is for. They should be front-and-center right now handling the public ass-kicking on behalf of the community.

your perception doesn't match mine as I don't see any public ass-kicking...I see a few people speculating about what has occurred and they are projecting their expectations but that doesn't make them meaningful and in fact looks sloppy at this point.

Craig
security blankets (was Re: non-disclosure of infrastructure problem a management issue?)
> > then I have to assume you don't trust the Fedora Project.
> I did trust the Fedora project. Now I'm not so sure anymore.

Then who are you going to trust?

Uhm, no, I guess that's not the right question, it only reminds us that we want to stay with F/OSS.

Let me suggest to anyone who is still hot under the collar about the current situation, two things:

One, if you want to understand the appropriate level of paranoia, go spend a day working backwards through the openbsd archives. Try http://marc.info/?l=openbsd-misc That will be plenty interesting.

Two, if you've been paying attention to the news from more than a month ago, you should at least know there are active DNS exploits in the wild. ACTIVE DNS EXPLOITS IN THE WILD. They haven't been shouting because it shouldn't be necessary. Under the circumstances, we should be significantly more paranoid and more cautious than we usually should be. The original announcement should have been enough, even if it wasn't perfect.

Joel Rees
Re: non-disclosure of infrastructure problem a management issue?
On Sun, 24 Aug 2008 23:14:40 -0700 Craig White [EMAIL PROTECTED] wrote:
> On Sun, 2008-08-24 at 17:05 -0600, Frank Cox wrote:
> > On Sun, 24 Aug 2008 16:05:11 -0700 Bruce Byfield [EMAIL PROTECTED] wrote:
> > > it's not really surprising that interests should conflict occasionally -- or that, in these circumstances, that actions should be based primarily on corporate needs.
> > And it shouldn't be surprising that they are being called on it.
> > > As for a public ass-kicking, if you really want to do something effective (as opposed to indulging in self-righteousness), I suggest you contact Red Hat and Fedora officials directly, not merely vent in forums.
> > That's what the Fedora Board (or whatever its official name is) is for. They should be front-and-center right now handling the public ass-kicking on behalf of the community.
> your perception doesn't match mine as I don't see any public ass-kicking...

Indeed. That may be part of the problem at the moment. Lack of official advocacy at the highest levels, for lack of a better description.

> I see a few people speculating about what has occurred and they are projecting their expectations but that doesn't make them meaningful and in fact looks sloppy at this point.

Jeff has been promoting the idea that this issue arose due to a mis-communication. I see it more as a lack of communication. "Something bad happened, let's tell everyone the minimum that we think we can get away with" is not a community process. And that's the point. Fedora is not MS Windows. It's not even RHEL. So why is there an apparent expectation and acceptance of "Caesar shall decide what the plebeians shall be told"?

--
MELVILLE THEATRE ~ Melville Sask ~ http://www.melvilletheatre.com
Re: non-disclosure of infrastructure problem a management issue?
On Sun, 2008-08-24 at 17:05 -0600, Frank Cox wrote:
> On Sun, 24 Aug 2008 16:05:11 -0700 Bruce Byfield [EMAIL PROTECTED] wrote:
> > it's not really surprising that interests should conflict occasionally -- or that, in these circumstances, that actions should be based primarily on corporate needs.
> And it shouldn't be surprising that they are being called on it.

Actually, it is. While you may not be too happy with the situation, you also need to be realistic.

> > As for a public ass-kicking, if you really want to do something effective (as opposed to indulging in self-righteousness), I suggest you contact Red Hat and Fedora officials directly, not merely vent in forums.
> That's what the Fedora Board (or whatever its official name is) is for.

So write the board. Don't waste time here.

> They should be front-and-center right now handling the public ass-kicking on behalf of the community.

Why? Because you want them to be?

Anyway, they've been dealing with a difficult situation for a week. Possibly, they mishandled it, but I don't begrudge them a day or two to recuperate before plunging back into the action.

--
Bruce Byfield 604-421-7177
Burnaby, BC, Canada
web: http://members.axion.net/~bbyfield
blog: http://brucebyfield.wordpress.com/
Re: non-disclosure of infrastructure problem a management issue?
On Sun, 2008-08-24 at 16:11 -0700, Russell Miller wrote:
> Bruce Byfield wrote:
> > As for a public ass-kicking, if you really want to do something effective (as opposed to indulging in self-righteousness), I suggest you contact Red Hat and Fedora officials directly, not merely vent in forums.
> Actually, that's not a bad idea. The company I work for has paid subscriptions with RedHat, and we're considering buying a few more for another product that could be lucrative for them. I don't think an inquiry about their security practices is out of line. I'll ping our account rep. tomorrow.

Good for you! I'm sure a post-mortem is part of what is happening at Red Hat right now, so this is a good time for clients to influence Red Hat's policy.

--
Bruce Byfield 604-421-7177
Burnaby, BC, Canada
web: http://members.axion.net/~bbyfield
blog: http://brucebyfield.wordpress.com/
Re: non-disclosure of infrastructure problem a management issue?
On Sun, 24 Aug 2008 16:54:28 -0700 Bruce Byfield [EMAIL PROTECTED] wrote:
> > That's what the Fedora Board (or whatever its official name is) is for.
> So write the board. Don't waste time here.

They should be monitoring this mailing list and taking action based on the wishes of the community. That's what community representatives do. Represent the community's views.

> > They should be front-and-center right now handling the public ass-kicking on behalf of the community.
> Why? Because you want them to be?

See the preceding paragraph. That's their role.

> Anyway, they've been dealing with a difficult situation for a week. Possibly, they mishandled it, but I don't begrudge them a day or two to recuperate before plunging back into the action.

Well, it's been a week. How much more time should be allowed before someone says "Hey guys, let's roll it"?

--
MELVILLE THEATRE ~ Melville Sask ~ http://www.melvilletheatre.com
Re: non-disclosure of infrastructure problem a management issue?
On Sun, 24 Aug 2008 19:17:33 -0500 Rex Dieter [EMAIL PROTECTED] wrote:
> Been there done that, tried and failed. Read up on Fedora Foundation.

Maybe it's time to kick that cat again.

--
MELVILLE THEATRE ~ Melville Sask ~ http://www.melvilletheatre.com
Re: non-disclosure of infrastructure problem a management issue?
Frank Cox wrote:
> On Sun, 24 Aug 2008 19:17:33 -0500 Rex Dieter [EMAIL PROTECTED] wrote:
> > Been there done that, tried and failed. Read up on Fedora Foundation.
> Maybe it's time to kick that cat again.

And what? have history repeat itself?

-- Rex
Re: non-disclosure of infrastructure problem a management issue?
On Sun, 24 Aug 2008 19:32:29 -0500 Rex Dieter [EMAIL PROTECTED] wrote:
> And what? have history repeat itself?

Possibly. Or maybe now there is more of an incentive or imperative with a real-life example to point to. Or again, not.

On the other hand, there may easily be better solutions available to solve this problem. Unfortunately, nobody has suggested one as far as I'm aware. It seems that we don't even have a consensus that there is a problem. That should probably be dealt with as a first step.

1. Determine that there is a problem.
2. Define the problem.
3. Solve the problem.

We appear to be somewhere around step 1 at the moment, and it's now a full week (plus) after the event. This alone indicates that there's a problem.

--
MELVILLE THEATRE ~ Melville Sask ~ http://www.melvilletheatre.com
Re: non-disclosure of infrastructure problem a management issue?
Frank Cox wrote:
> On Sun, 24 Aug 2008 19:32:29 -0500 Rex Dieter [EMAIL PROTECTED] wrote:
> > And what? have history repeat itself?
> Possibly.

OMG. Please read about the history there, before posting uninformed followup comments. Please. Srsly.

-- Rex
Re: non-disclosure of infrastructure problem a management issue?
On Sun, 24 Aug 2008 19:52:07 -0500 Rex Dieter [EMAIL PROTECTED] wrote:
> OMG. Please read about the history there, before posting uninformed followup comments. Please. Srsly.

Ok... if that's out, what's your suggested solution? That was the best idea that I could come up with in the current vacuum and I haven't seen a better one so far, as I said.

--
MELVILLE THEATRE ~ Melville Sask ~ http://www.melvilletheatre.com
Re: non-disclosure of infrastructure problem a management issue?
Frank Cox wrote:
> On Sun, 24 Aug 2008 19:52:07 -0500 Rex Dieter [EMAIL PROTECTED] wrote:
> > OMG. Please read about the history there, before posting uninformed followup comments. Please. Srsly.
> Ok... if that's out, what's your suggested solution?

A solution implies there's a problem, for which, imo, there isn't one. ymmv.

My best take/advice: Legal issues simply suck. That's life. deal.

-- Rex
Re: non-disclosure of infrastructure problem a management issue?
Jeff Spaleta wrote:
> Did we have a communication problem? Maybe.

You make it sound like it was something in the past. Does anyone know yet whether or not the intrusion was due to a software vulnerability in code we are all running? More relevant, does someone know this when the rest of us still don't?

--
Les Mikesell [EMAIL PROTECTED]
Re: non-disclosure of infrastructure problem a management issue?
On Sun, Aug 24, 2008 at 4:23 PM, Frank Cox [EMAIL PROTECTED] wrote:
> On Sun, 24 Aug 2008 19:17:33 -0500 Rex Dieter [EMAIL PROTECTED] wrote:
> > Been there done that, tried and failed. Read up on Fedora Foundation.
> Maybe it's time to kick that cat again.

No... as a sitting community-elected board member, I am not going to waste time looking into the Foundation again. Max Spevack did a complete summary as to why the Foundation structure won't work for the day to day operation of Fedora in 2006. Any credible discussion would have to address the issues communicated then. From my point of view nothing material has changed since 2006. If you want to waste your time talking about it... feel free... but don't expect me or any sitting Board member to pay much attention to simple opinionating, after a significant amount of legwork was done to prepare for a Foundation structure only to discover the legal requirements for certified non-profit status would be quite difficult to meet for this project.

-jef
Re: non-disclosure of infrastructure problem a management issue?
On Sun, 24 Aug 2008 17:08:42 -0800 Jeff Spaleta [EMAIL PROTECTED] wrote:
> as a sitting community elected board member.

As a sitting community representative, what action, other than sitting, have you taken to deal with the current lack of information distribution? The community is still largely in the dark, as you are well aware.

Have you been raising this issue at the highest levels (raising the issue, raising hell, raising cain) and getting things done? What representations have you made on behalf of the Fedora community with regard to this matter? With whom? With what results? What's your next step? The step after that? Where do you see things going from here? Are further meetings planned? When? What's on the agenda?

There are other highly relevant questions that could also be asked, but these will provide a starting point for further discussion.

--
MELVILLE THEATRE ~ Melville Sask ~ http://www.melvilletheatre.com
Re: non-disclosure of infrastructure problem a management issue?
On Sun, 2008-08-24 at 21:38 -0700, Craig White wrote:
> there's a lot of things to deal with and informing clients - especially when the full extent is unknown - is not a terribly attractive prospect and definitely lower on the priority scale than auditing the problem and obviously fixing the problem.

I think most of us were more peeved about not getting a *clear* warning, promptly, and wanting to know whether it really was a safety issue (do not download) or just broken servers (downloads may fail). The how and what actually happened could have come out later on.

If it turned out that *because* of a lack of good warning, when a good warning could have been given out, that boxes got compromised all over the planet, you'd find users really pissed off and leaving in droves, and Red Hat and Fedora with a shattered reputation.

--
[EMAIL PROTECTED] ~]$ uname -r
2.6.25.14-108.fc9.i686

Don't send private replies to my address, the mailbox is ignored. I read messages from the public lists.
Re: non-disclosure of infrastructure problem a management issue?
On Sun, 24 Aug 2008 20:48:13 -0600 Frank Cox [EMAIL PROTECTED] wrote:
> On Sun, 24 Aug 2008 17:08:42 -0800 Jeff Spaleta [EMAIL PROTECTED] wrote:
>> as a sitting community elected board member.
>
> As a sitting community representative,

I see that this sounds a bit hostile and I had not intended it to be.

I think it's definitely in order that, in the absence of other information, the community representative provide a comprehensive report to the community regarding the current situation with all relevant information, and his role in it to date, as well as his future plans in that regard. That would provide an opportunity for the community (that would be the rest of us here) to give him guidance as to where we wish to go from here.

That's my point.

-- 
MELVILLE THEATRE ~ Melville Sask ~ http://www.melvilletheatre.com
Re: non-disclosure of infrastructure problem a management issue?
On Sun, 2008-08-24 at 15:13 -0800, Jeff Spaleta wrote:
> communication problems are not equivalent to trust issues.

To many, they are.

> considering that was a first of its kind event for us as a project, I don't think it's necessarily unexpected to see some miscommunication. I don't think any of us, either inside Red Hat or outside had talked through how this sort of thing should be handled.

I seem to remember the documentation that came with Red Hat Linux having a whole section dedicated to risk management and planning a policy for it. I can well imagine a bunch of Fedora volunteers might have been unprepared for disaster management, but the commercial side of Red Hat certainly shouldn't be.

-- 
[EMAIL PROTECTED] ~]$ uname -r
2.6.25.14-108.fc9.i686

Don't send private replies to my address, the mailbox is ignored. I read messages from the public lists.
Re: non-disclosure of infrastructure problem a management issue?
On Mon, 2008-08-25 at 12:30 +0930, Tim wrote:
> On Sun, 2008-08-24 at 21:38 -0700, Craig White wrote:
>> there's a lot of things to deal with and informing clients - especially when the full extent is unknown is not a terribly attractive prospect and definitely lower on the priority scale than auditing the problem and obviously fixing the problem.
>
> I think most of us were more peeved about not getting a *clear* warning, promptly, and wanting to know whether it really was a safety issue (do not download) or just broken servers (downloads may fail). The how and what actually happened could have come out later on.
>
> If it turned out that *because* of a lack of good warning, when a good warning could have been given out, boxes got compromised all over the planet, you'd find users really pissed off and leaving in droves, and Red Hat and Fedora with a shattered reputation.

I fully expect that the reason they took the system off-line 10 days ago was a clear indication of their doubt of the sanctity of the packages, and they didn't put it back online until they felt that they knew the extent of the compromise.

Let's be real here... there have been instances when viruses and other compromised code have been distributed, even in shrink-wrapped proprietary software, and we all have expectations of best efforts, and if someone feels that best efforts aren't being given, then they should find another Linux distribution.

Craig
Re: non-disclosure of infrastructure problem a management issue?
On Sun, 2008-08-24 at 21:03 -0600, Frank Cox wrote:
> On Sun, 24 Aug 2008 20:48:13 -0600 Frank Cox [EMAIL PROTECTED] wrote:
>> On Sun, 24 Aug 2008 17:08:42 -0800 Jeff Spaleta [EMAIL PROTECTED] wrote:
>>> as a sitting community elected board member.
>>
>> As a sitting community representative,
>
> I see that this sounds a bit hostile and I had not intended it to be.

I think that you are coming off as petulant but Jeff can defend himself.

Craig
Re: non-disclosure of infrastructure problem a management issue?
On Mon, 25 Aug 2008 03:14:16 -0700 Craig White [EMAIL PROTECTED] wrote:
> I think that you are coming off as petulant but Jeff can defend himself.

And therefore your purpose in writing this was... ?

(Sorry, but I really don't understand the point you're attempting to make here. It seems internally inconsistent, and it's only one sentence long.)

-- 
MELVILLE THEATRE ~ Melville Sask ~ http://www.melvilletheatre.com
Re: non-disclosure of infrastructure problem a management issue?
On Sun, Aug 24, 2008 at 7:04 PM, Tim [EMAIL PROTECTED] wrote:
> On Sun, 2008-08-24 at 15:13 -0800, Jeff Spaleta wrote:
>> communication problems are not equivalent to trust issues.
>
> To many, they are.

Those people are wrong, and will be utterly useless in any process which aims to correct miscommunication in the future. If you or anyone else is intent on equating miscommunication with mistrust then you need to refrain from participating in whatever process develops to address that miscommunication. We are not going to have a successful dialogue over the issue of adequate disclosure if the people coming to the table mistrust each other. If the communication process can be improved by bridging the gap between corporate and community priorities, it's only going to be done by people who can sit down and trust and listen to what the other people are saying.

-jef
Re: non-disclosure of infrastructure problem a management issue?
On Sun, Aug 24, 2008 at 7:39 PM, Frank Cox [EMAIL PROTECTED] wrote:
> On Sun, 24 Aug 2008 19:37:02 -0800 Jeff Spaleta [EMAIL PROTECTED] wrote:
>
> Unfortunately, while a policy for future incidents would be nice, I don't set it as a priority item at this time. When your house is burning down, you don't send out a rfq for fire sprinkler systems.

Oh you've taken Apocalyptic Allegories 101? I took advanced Rhetorical Rhetoric. This should be fun.

I also do not stand in the way of the fire fighters and asking them questions as to what's happening while they are putting the fire out. Nor do I do it to the fire investigators who poke around in the ashes trying to figure out what's wrong. And last time I set a house on fire, it took weeks for the fire department to confidently determine that it was arson... and that was just a house fire. When I blew up that chemical plant that one time, it took months to finally determine the cause.

I doubt there's much here for me to add. I do not have any details as to the current situation. I am not one of the fire fighters nor am I one of the fire investigators. I am just one of the City Council members who need to make sure the fire fighters and fire investigators are following documented procedures with regard to how to communicate to the public. And if they don't have those procedures, I back their asses up when they have to make a judgement call.

I've pointed where I think constructive conversation should go. If you don't want to be a part of that conversation, that's perfectly okay with me. In fact I'm thrilled by the fact that you don't see the policy need as a priority. Hopefully that means you'll keep your noise out of it while more experienced people work on it.

-jef
Re: non-disclosure of infrastructure problem a management issue?
On Sun, 24 Aug 2008 23:25:18 -0500 Bruno Wolff III [EMAIL PROTECTED] wrote:
> Redhat is going to want to handle incidents like this differently than what I expect Fedora to do. I suspect that Redhat's procedure is what was used in this case.

I think it is beyond question that Fedora's reputation (if nothing else) has been damaged by this incident. Red Hat's response has not done much to mitigate that damage and may have actually increased it. Regardless of whether you are in favour of their response or opposed to it, or even somewhere in between, the mere fact that this debate is being held makes that point self-evident.

This needs to be brought home to the Red Hat management, and that's where the community representative's role comes in.

We're here debating this issue. How many others are reading about this issue and saying, "I'll look elsewhere."

It's unfortunate and much of this fallout was actually avoidable.

Nobody here wishes Fedora any ill. If we did, we wouldn't be here.

-- 
MELVILLE THEATRE ~ Melville Sask ~ http://www.melvilletheatre.com
Re: non-disclosure of infrastructure problem a management issue?
On Sun, 24 Aug 2008 19:52:56 -0800 Jeff Spaleta [EMAIL PROTECTED] wrote:
> On Sun, Aug 24, 2008 at 7:39 PM, Frank Cox [EMAIL PROTECTED] wrote:
>> On Sun, 24 Aug 2008 19:37:02 -0800 Jeff Spaleta [EMAIL PROTECTED] wrote:
>>
>> Unfortunately, while a policy for future incidents would be nice, I don't set it as a priority item at this time. When your house is burning down, you don't send out a rfq for fire sprinkler systems.
>
> Oh you've taken Apocalyptic Allegories 101? I took advanced Rhetorical Rhetoric. This should be fun.
>
> I also do not stand in the way of the fire fighters and asking them questions as to what's happening while they are putting the fire out. Nor do I do it to the fire investigators who poke around in the ashes trying to figure out what's wrong.

You should be asking questions if you have another identical house across the street that faces the same risk factors. And you should be demanding some pretty fast answers.

> And if they don't have those procedures, I back their asses up when they have to make a judgement call.

And you should be taking them to task when their judgement is wrong and getting the situation corrected. Not just "we'll try to do better next time"; that doesn't solve the current problems.

> Hopefully that means you'll keep your noise out of it while more experienced people work on it.

If I have something to say, you will hear it and I will expect a reasonable response in return. I expect nothing less from the community representative.

-- 
MELVILLE THEATRE ~ Melville Sask ~ http://www.melvilletheatre.com
Re: non-disclosure of infrastructure problem a management issue?
On Mon, 25 Aug 2008 13:08:21 +0800 Ed Greshko [EMAIL PROTECTED] wrote:
>> Nobody here wishes Fedora any ill. If we did, we wouldn't be here.
>
> You can't assume that...

I sincerely hope that I can, Ed. Starry-eyed as it may sound, I always try to think the best of people. Really.

-- 
MELVILLE THEATRE ~ Melville Sask ~ http://www.melvilletheatre.com
Re: non-disclosure of infrastructure problem a management issue?
Frank Cox wrote:
> I sincerely hope that I can, Ed. Starry-eyed as it may sound, I always try to think the best of people. Really.

Which is a really poor trait for a security analyst, and perhaps one reason why you are not understanding where they are coming from. Food for thought.

--Russell
Re: non-disclosure of infrastructure problem a management issue?
On Saturday, 23.08.2008, 01:00 +0200, Björn Persson wrote:
> On Friday 22 August 2008, Tim wrote:
>> On Fri, 2008-08-22 at 16:08 +0100, Anne Wilson wrote:
>>> There was an intrusion, and it affected the server which signs packages, hence the warning to hold off until tests had been done.
>>
>> They really should have said something more like that, first off.
>
> I agree. I can't see any reason why they couldn't have said the following a week ago: ..

Being honest, you might concede that there is not one best single solution in such an event. There are several possibilities with their own pros and cons. But you have to make a decision immediately, perhaps without properly knowing all the details you would wish to know. I think Fedora and RH made reasonable decisions.

Peter
Re: non-disclosure of infrastructure problem a management issue?
On Sat, 2008-08-23 at 07:24 +0530, Rahul Sundaram wrote:
> If you've ever been involved in a security investigation, you already know that facts emerge over time. With every disclosure there's a risk of getting those facts wrong, or having to issue retractions. Disclosure at an inappropriate time gives people the mistaken impression one is not being truthful, when that's not the case. The disclosures we've made up to and including this point have been factual, in the interest of protecting the security of our millions of users, and in the further interest of allowing proper investigation and analysis of an ongoing matter.

I still don't see why they couldn't have said that it would be *unsafe* to install packages, without saying specifically why. As opposed to them wording it as if there were just unreliable services. The original posting just seems to suggest that the services may be wonky.

It also makes one think they ought to (a) off-line the source servers, *and* (b) have some way to make the mirrors go off-line, too, with some form of "prolonged downtime expected" error message.

-- 
[EMAIL PROTECTED] ~]$ uname -r
2.6.25.14-108.fc9.i686

Don't send private replies to my address, the mailbox is ignored. I read messages from the public lists.
Re: non-disclosure of infrastructure problem a management issue?
On Sat, Aug 23, 2008 at 05:38:02PM +0930, Tim wrote:
> On Sat, 2008-08-23 at 07:24 +0530, Rahul Sundaram wrote:
>
> I still don't see why they couldn't have said that it would be *unsafe* to install packages, without saying specifically why. As opposed to

You still don't see because you don't want to.

The first message...

https://www.redhat.com/archives/fedora-announce-list/2008-August/msg8.html

... said:

> We're still assessing the end-user impact of the situation, but as a precaution, we recommend you not download or update any additional packages on your Fedora systems.

This spells "*unsafe* to install packages, without saying specifically why" to me, what about you? :)

Rui

-- 
Pzat!
Today is Setting Orange, the 16th day of Bureaucracy in the YOLD 3174
+ No matter how much you do, you never do enough -- unknown
+ Whatever you do will be insignificant,
| but it is very important that you do it -- Gandhi
+ So let's do it...?
Re: non-disclosure of infrastructure problem a management issue?
Rahul Sundaram quoted Paul W. Frields:
> If you've ever been involved in a security investigation, you already know that facts emerge over time. With every disclosure there's a risk of getting those facts wrong,

If you don't know yet, then simply say that you don't know yet.

> or having to issue retractions.

What about the announcement that no tampered packages were built for Fedora? Isn't that a retraction of the recommendation not to install packages? And what's wrong with that?

> Disclosure at an inappropriate time gives people the mistaken impression one is not being truthful, when that's not the case.

The first announcement gave me the impression that there was a technical problem, such as overloaded web servers or a crashed database or something. In retrospect it's obvious that when that announcement was written they already knew or at least suspected that there had been an intrusion. This gives me the impression that Paul W. Frields was not being truthful. He lied by telling half the truth.

"The closer to the truth, the better the lie, and the truth itself, when it can be used, is the best lie." – Preem Palver (Isaac Asimov)

> The disclosures we've made up to and including this point have been factual,

but misleading

> in the interest of protecting the security of our millions of users,

You don't protect users' security by concealing a security issue as a technical problem. That's security by obscurity. Tell us that the issue has to do with security so that we have something to base our judgments on!

> and in the further interest of allowing proper investigation and analysis of an ongoing matter.

And how exactly would investigation and analysis have been hindered if we had been told what kind of issue it was?

> As I stated in the announcement, I'll continue to provide information as it becomes available.

Did it really take a week before the information that the issue was related to security became available?

Björn Persson
Re: non-disclosure of infrastructure problem a management issue?
Rui Miguel Silva Seabra wrote:
> The first message...
>
> https://www.redhat.com/archives/fedora-announce-list/2008-August/msg8.html
>
> ... said:
>
>> We're still assessing the end-user impact of the situation, but as a precaution, we recommend you not download or update any additional packages on your Fedora systems.
>
> This spells "*unsafe* to install packages, without saying specifically why" to me, what about you? :)

To me it looked like there was a problem with the performance or availability of the servers, and they didn't know how much downtime there would be or how bad the response times would be, and they wanted us to avoid updating to ease the load on the servers until they could fix the problem. That wouldn't make it unsafe to install packages although it might be difficult to download them.

I can also imagine that such a recommendation would be issued if a bug in the build system had caused corrupted packages or incorrect dependencies. In that case it could be said that it would be unsafe to install packages, but I might still choose to update some after ensuring that I could revert to an older version if necessary.

It wasn't until I saw the speculations here in fedora-list that I understood that there might be a risk that I would get backdoors installed if I updated. It's mostly by chance that I'm currently reading fedora-list. If I were only reading fedora-announce-list I might not have understood that there was a security risk until yesterday's announcement, and then I would probably have chosen to install some important security updates despite the recommendation.

It's simple, really: People won't follow instructions if you don't tell them why the instructions are important.

Björn Persson
Re: non-disclosure of infrastructure problem a management issue?
* Björn Persson [EMAIL PROTECTED] [20080823 18:57]:
> Rahul Sundaram quoted Paul W. Frields:
> [snip]
>> Disclosure at an inappropriate time gives people the mistaken impression one is not being truthful, when that's not the case.
>
> The first announcement gave me the impression that there was a technical problem, such as overloaded web servers or a crashed database or something. In retrospect it's obvious that when that announcement was written they already knew or at least suspected that there had been an intrusion. This gives me the impression that Paul W. Frields was not being truthful. He lied by telling half the truth.

That is a pretty strong statement to make. Not telling everything does not equate lying - especially when what you are telling (or can tell) is true. And if all you have is an impression that he is not truthful, you concede that you have no evidence to the contrary as well. I think you owe Paul Frields an apology.

[snip]

>> As I stated in the announcement, I'll continue to provide information as it becomes available.
>
> Did it really take a week before the information that the issue was related to security became available?

I think you ought to read the book "The Cuckoo's Egg" by Clifford Stoll. Once you have read it and understood it, feel free to comment again on the issue at hand here.

/Anders
Re: non-disclosure of infrastructure problem a management issue?
Nifty Fedora Mitch chose attack as the best defense:
> On Fri, Aug 22, 2008 at 10:36:21AM +1200, Clint Dilks wrote:
>> Bjoern Tore Sund wrote:
>>> It has now been a full week since the first announcement that Fedora had infrastructure problems and to stop updating systems. Since then there have been two updates to the announcement, none of which have modified the "don't update" advice and none of which has been specific as to the exact nature of the problems. At one point we received a list of servers, but not services, which were back up and running.
>>>
>>> The University of Bergen has 500 linux clients running Fedora. We average one reinstall/fresh install per day, often doing quite a lot more. Installs and reinstalls have had to stop completely, nightly updates have stopped, and until the nature of the problem is revealed we don't even know for certain whether it is safe for our IT staff to type admin passwords to our (RHEL-based, for the most part) servers from these work stations.
>
> With 500 clients ?

So far. Got about 250 laptops coming into the system this autumn, as soon as we have the setup and config regime properly structured and able to handle it. Should be ready sometime in September.

> Are you pulling updates from the internet or are you pulling from a local cache of tested updates.

I have often wished we had the manpower to do the latter. Unfortunately, we don't, so the local mirror is exactly that, a mirror. One thing this incident has taught us is to take regular backups of that mirror so that we can roll back to a non-suspect version of the Fedora updates. Didn't have that before, really missed it the last couple of weeks.

> Are you using site specific kickstart config files that install local yum config files, ssh keys, sendmail setup and sudo config files so your admins can access the hosts without typing passwords?

Yes, to all. Unfortunately that regime isn't 100% adhered to, which is something we work on. Equally unfortunately, we have had to give the footwork guys sudo access to a limited set of commands. Sudo with or without passwords have different security implications; we've landed on "with".

> What revision control of the config files?

Subversion. Some distributed through nightly scripts using wget, some through a commercial software package for server administration.

> I can see that the lack of updates would prove disconcerting but the inability to maintain day to day, another one just like yesterday's install seems fragile.

I'm sorry, but my English isn't good enough to parse that sentence sufficiently to guess what you're trying to express.

> In business school there is a strategy of owning your own dependencies. The long term success stories in business include strong control of resources that they depend on. It is possible to manage yum and friends to allow only update packages resigned by your group at Bergen after testing them.

Indeed this is possible. Unfortunately, we don't have the resources so we are dependent on our Linux distro having those resources. If I had unlimited resources, this is not the only thing I would do differently.

> My last question -- what is the University of Bergen's written policy for this type and other risks. Does university policy mandate the disclosure that you expect from RedHat.

It does, and we have. Both when it has implicated our own users and when we have uncovered compromised servers on our site being used for attacks against other sites.

I'm sure your questions were part of a point you were making. I trust that you are happy with that point. Me, I'm relieved that I finally have concrete information on what has been happening and how it affects us. In the end I'm now more unhappy with RedHat than I am with Fedora - but that is not a topic for this list. At least Fedora told us _something_ was wrong.

-BT

-- 
Bjørn Tore Sund          Phone: 555-84894   Email: [EMAIL PROTECTED]
IT department            VIP:   81724       Support: http://bs.uib.no
Univ. of Bergen

When in fear and when in doubt, run in circles, scream and shout.
Re: non-disclosure of infrastructure problem a management issue?
On Sat, Aug 23, 2008 at 4:44 PM, Bjørn Tore Sund [EMAIL PROTECTED] wrote:
>> Are you pulling updates from the internet or are you pulling from a local cache of tested updates.
>
> I have often wished we had the manpower to do the latter. Unfortunately, we don't, so the local mirror is exactly that, a mirror. One thing this incident has taught us is to take regular backups of that mirror so that we can roll back to a non-suspect version of the Fedora updates. Didn't have that before, really missed it the last couple of weeks.

The cheap way is to start the mirror script manually, as opposed to on a timer. So first thing in the morning, check the internets for possible issues; if none found, start the script.

-- 
Fedora 7 : sipping some of that moonshine
( www.pembo13.com )
Re: non-disclosure of infrastructure problem a management issue?
I don't mean to be rude, but, ...

> [...]
> One thing this incident has taught us is to take regular backups of that mirror so that we can roll back to a non-suspect version of the Fedora updates. Didn't have that before, really missed it the last couple of weeks.

Consider that a lesson well learned. And, while it may not have been the most convenient time to learn it, things could have been much worse.

It's one of the costs (and, actually, one of the benefits) of working with open source. With Proprietary you have guarantees. When they fall down on the job, or when other bad stuff happens, you can theoretically get some sort of compensation. But when you look at the record, the compensation you get isn't worth it. With opensource, you have both the responsibility and the privilege to run your own install servers and backups. And you don't have the guarantees that seem to fool the bean counters.

>> Are you using site specific kickstart config files that install local yum config files, ssh keys, sendmail setup and sudo config files so your admins can access the hosts without typing passwords?
>
> Yes, to all. Unfortunately that regime isn't 100% adhered to, which is something we work on. Equally unfortunately, we have had to give the footwork guys sudo access to a limited set of commands. Sudo with or without passwords have different security implications; we've landed on "with".

"With" is not a bad alternative. Balancing resources is always a problem. No matter how you choose, sometimes bad stuff happens.

Again, if accounting or management is coming after you, point to the actual results (not the promises and fudged guarantees) that could be obtained from the proprietary alternatives. F/OSS, while better than the alternatives, is not some magic utopia.

Now, I think they're handling this pretty well so far. I'm considering things from the overall perspective. A certain Proprietary vendor has put the entire world's infrastructure at risk, and they've managed to delay things with weird legal and political games for more than ten years, putting society at further risk. What we hear in public is not the worst that could happen (or is happening, really), and anyone whose infrastructure is dependent on that Proprietary vendor is basically living on borrowed time and illusions.

It's definitely time to run a tight ship now.

[...]

Joel Rees
Re: non-disclosure of infrastructure problem a management issue?
Anders Karlsson wrote:
> * Björn Persson [EMAIL PROTECTED] [20080823 18:57]:
>> The first announcement gave me the impression that there was a technical problem, such as overloaded web servers or a crashed database or something. In retrospect it's obvious that when that announcement was written they already knew or at least suspected that there had been an intrusion. This gives me the impression that Paul W. Frields was not being truthful. He lied by telling half the truth.
>
> That is a pretty strong statement to make. Not telling everything does not equate lying - especially when what you are telling (or can tell) is true. And if all you have is an impression that he is not truthful, you concede that you have no evidence to the contrary as well. I think you owe Paul Frields an apology.

It would be possible to convince me that he didn't mean to deceive. It would take an honest-sounding statement that he thought that everybody would understand that installing packages might be not only unsafe but actually insecure, and also a very good explanation of why he – or someone giving him orders – thought it was absolutely necessary to be so cryptic. It would be dishonest to apologize before I'm convinced.

Björn Persson
Re: non-disclosure of infrastructure problem a management issue?
Bjørn Tore Sund wrote:
> One thing this incident has taught us is to take regular backups of that mirror so that we can roll back to a non-suspect version of the Fedora updates. Didn't have that before, really missed it the last couple of weeks.

How far would you have rolled it back? During the whole time that the Fedora repositories were suspect there was no information whatsoever on how old packages would have to be to be non-suspect. And while the infrastructure team either knew or suspected the whole time that the issue they were investigating was an intrusion, it probably did take some time before they knew how long the intrusion had been going on.

Björn Persson
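Two of the posts above touch the same practical gap: Bjørn Tore Sund's lesson that the local mirror needs backups it can be rolled back to, and the question here of how far back to roll once the safe date is finally known. The script below is an added example, written for this page and not taken from the thread or from Fedora's own infrastructure. It keeps dated, hard-linked snapshots of a local mirror behind a `current` symlink that clients point at, writes a checksum manifest into each snapshot so two snapshots can be compared once an incident window is announced, and makes rollback a single symlink change. The directory layout, the `YYYYMMDD` stamps, the `current` link and the manifest file name are all assumptions chosen for the illustration.

```shell
#!/bin/sh
# Added example (not Fedora's tooling): dated, hard-linked snapshots of a
# local package mirror behind a "current" symlink, so clients can be rolled
# back to the last snapshot taken before a known-good date. Layout, stamp
# format and manifest name are assumptions chosen for this illustration.

MANIFEST=".MANIFEST.sha256"   # per-snapshot checksum list (assumed name)

# Print "hash  path" for each file given; use shasum where sha256sum is absent.
_hash() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$@"; else shasum -a 256 "$@"; fi
}

# snapshot_mirror MIRROR_DIR SNAP_DIR STAMP CURRENT_LINK
# Copies MIRROR_DIR to SNAP_DIR/STAMP with hard links (unchanged packages
# share disk blocks), writes a checksum manifest into the snapshot and
# repoints CURRENT_LINK at it. Refuses to overwrite an existing stamp.
snapshot_mirror() {
    mirror=$1; snapdir=$2; stamp=$3; link=$4
    [ -d "$mirror" ] || { echo "no such mirror directory: $mirror" >&2; return 1; }
    [ -n "$stamp" ]  || { echo "empty snapshot stamp" >&2; return 1; }
    dst="$snapdir/$stamp"
    [ ! -e "$dst" ]  || { echo "snapshot already exists: $dst" >&2; return 1; }
    mkdir -p "$snapdir" || return 1
    # -l hard-links instead of copying; fall back to a real copy where the
    # filesystem or cp implementation cannot hard-link
    cp -al "$mirror" "$dst" 2>/dev/null || { rm -rf "$dst"; cp -a "$mirror" "$dst"; } || return 1
    # Manifest with paths relative to the snapshot root, so two manifests diff cleanly.
    ( cd "$dst" && find . -type f ! -name "$MANIFEST" | sort |
        while IFS= read -r f; do _hash "$f"; done > "$MANIFEST" ) || return 1
    ln -sfn "$dst" "$link"
}

# rollback_mirror SNAP_DIR STAMP CURRENT_LINK
# Repoints CURRENT_LINK at an older snapshot. The live mirror directory is
# left untouched so it can still be compared against the snapshots.
rollback_mirror() {
    snapdir=$1; stamp=$2; link=$3
    dst="$snapdir/$stamp"
    [ -d "$dst" ] || { echo "no such snapshot: $dst" >&2; return 1; }
    ln -sfn "$dst" "$link"
}

# list_snapshots SNAP_DIR: stamps in sorted order (oldest first with YYYYMMDD stamps)
list_snapshots() {
    ls -1 "$1" 2>/dev/null | sort
}

# snapshot_diff SNAP_DIR STAMP_A STAMP_B
# Lines present in only one manifest: files added, removed or altered between
# the two snapshots. Useful once the incident window has been announced.
snapshot_diff() {
    diff "$1/$2/$MANIFEST" "$1/$3/$MANIFEST"
}

# Self-contained walk-through on constructed data: run as `sh this.sh demo`.
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/mirror"
    echo "constructed package payload 1.0" > "$t/mirror/foo-1.0.rpm"
    snapshot_mirror "$t/mirror" "$t/snaps" 20080801 "$t/current"
    echo "constructed package payload 1.1" > "$t/mirror/foo-1.1.rpm"   # a later sync
    snapshot_mirror "$t/mirror" "$t/snaps" 20080814 "$t/current"
    echo "snapshots: $(list_snapshots "$t/snaps" | tr '\n' ' ')"
    snapshot_diff "$t/snaps" 20080801 20080814 || true   # diff exits 1 when they differ
    rollback_mirror "$t/snaps" 20080801 "$t/current"
    echo "current now -> $(readlink "$t/current")"
    rm -rf "$t"
}
if [ "${1:-}" = "demo" ]; then demo; fi
```

Clients use the `current` link (served over HTTP or via a `file://` baseurl) rather than the mirror directory itself, so rolling back never touches the data the investigation may still want to compare. The hard-link scheme only preserves old content if the sync tool writes each new file to a temporary name and renames it into place, which is rsync's default behaviour; a tool that rewrites files in place would alter every snapshot sharing that inode, and the fallback to a full copy costs disk but avoids that hazard.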
Re: non-disclosure of infrastructure problem a management issue?
Björn Persson wrote:
> Anders Karlsson wrote:
>> * Björn Persson [EMAIL PROTECTED] [20080823 18:57]:
>>> The first announcement gave me the impression that there was a technical problem, such as overloaded web servers or a crashed database or something. In retrospect it's obvious that when that announcement was written they already knew or at least suspected that there had been an intrusion. This gives me the impression that Paul W. Frields was not being truthful. He lied by telling half the truth.
>>
>> That is a pretty strong statement to make. Not telling everything does not equate lying - especially when what you are telling (or can tell) is true. And if all you have is an impression that he is not truthful, you concede that you have no evidence to the contrary as well. I think you owe Paul Frields an apology.
>
> It would be possible to convince me that he didn't mean to deceive. It would take an honest-sounding statement that he thought that everybody would understand that installing packages might be not only unsafe but actually insecure, and also a very good explanation of why he – or someone giving him orders – thought it was absolutely necessary to be so cryptic. It would be

You do not have all the facts yet you feel free to pass judgement. Calling Paul Frields a liar is out of line and you know it; we have no idea what constraints he may be operating under. Your statement above strikes me as naive and dishonest. You had no idea there was a security issue? It was the first thing to cross my mind when I first saw the announcement. What else could it have been? Why else the cryptic message? No, it strikes me that you are being dishonest with yourself first and foremost. From what little I can glean from mail sent to this list you do not strike me as a fool; is it just frustration at the situation? This is understandable but it does not give you leave to accuse people of being deceitful.

> dishonest to apologize before I'm convinced.
>
> Björn Persson

-- 
Fortune favors the BOLD
Re: non-disclosure of infrastructure problem a management issue?
Tim:
>> I still don't see why they couldn't have said that it would be *unsafe* to install packages, without saying specifically why. As opposed to

Rui Miguel Silva Seabra:
> You still don't see because you don't want to.

No, I didn't see because it didn't say. I saw the original posting, and it was wide open to interpretation. It didn't spell out anything clearly. It could well have meant that there was a system failure, and if you started updating/installing you could get stuck with a broken system. At first glance, that's how it reads. Only suspicion and paranoia leads one to think it meant more than that. We cannot read between the lines and know what the message actually meant. It's only by guessing at things that we'd become alarmed about the message. Whoever wrote that did a very poor job of it.

--
[EMAIL PROTECTED] ~]$ uname -r
2.6.25.14-108.fc9.i686

Don't send private replies to my address, the mailbox is ignored. I read messages from the public lists.
Re: non-disclosure of infrastructure problem a management issue?
On Friday 22 August 2008 00:28:51 Nifty Fedora Mitch wrote:
> Just guessing, This smells like a hacker was detected or a hack was discovered. As readers of this list will note the historic resolution for a hacked system has been to do a full reload which takes time. Ssh key management may also be at issue given the key generation flaw known as the Debian SSH key attacks. In some cases a key can be recovered in 20 min... In this case the issue might be poor keys generated outside of RH and not a flaw in RH process or tools. If it had been a blown disk farm we would have more info already. The more I read about the SSH key attacks the more convinced I am that there is a need to update my set of keys for me and my systems. In time they will tell.

Today's announcement is pretty clear. There was an intrusion, and it affected the server which signs packages, hence the warning to hold off until tests had been done. All the evidence is that the key passphrase was not successfully hacked, so it's unlikely that we have any corrupt packages if we only accept signed ones. New signatures are to play safe, and it is now safe to resume normal working practices. I still think that the very low-volume announce list is essential for all Fedora users.

Anne
Re: non-disclosure of infrastructure problem a management issue?
Anne Wilson wrote:
> On Friday 22 August 2008 00:28:51 Nifty Fedora Mitch wrote:
>> Just guessing, This smells like a hacker was detected or a hack was discovered. As readers of this list will note the historic resolution for a hacked system has been to do a full reload which takes time. Ssh key management may also be at issue given the key generation flaw known as the Debian SSH key attacks. In some cases a key can be recovered in 20 min... In this case the issue might be poor keys generated outside of RH and not a flaw in RH process or tools. If it had been a blown disk farm we would have more info already. The more I read about the SSH key attacks the more convinced I am that there is a need to update my set of keys for me and my systems. In time they will tell.
> Today's announcement is pretty clear. There was an intrusion, and it affected the server which signs packages, hence the warning to hold off until tests had been done. All the evidence is that the key passphrase was not successfully hacked, so it's unlikely that we have any corrupt packages if we only accept signed ones. New signatures are to play safe, and it is now safe to resume normal working practices. I still think that the very low-volume announce list is essential for all Fedora users.

At the very least it should be suggested, recommended, or maybe an 'auto signup' when signing up for any other of the 'public type' lists. For them, the newer users, because it is important. Those of us with experience know, or should know, enough to do that. It is a very low volume list so even those with 'limits' should see the value. Perhaps an 'opt-out' to avoid the 'you are forcing me' whines but then the 'I didn't know' whines should stop because of the 'opt-out'. Those that opt-out, and whine, should be ignored. ;-)

--
David
Re: non-disclosure of infrastructure problem a management issue?
On Fri, 2008-08-22 at 16:08 +0100, Anne Wilson wrote:
> There was an intrusion, and it affected the server which signs packages, hence the warning to hold off until tests had been done.

They really should have said something more like that, first off. Sure, they didn't want to play their hand, but the hacker would have known they'd been rumbled by the first announcement.

--
[EMAIL PROTECTED] ~]$ uname -r
2.6.25.14-108.fc9.i686

Don't send private replies to my address, the mailbox is ignored. I read messages from the public lists.
Re: non-disclosure of infrastructure problem a management issue?
On Sat, Aug 23, 2008 at 02:11:31AM +0930, Tim wrote:
> On Fri, 2008-08-22 at 16:08 +0100, Anne Wilson wrote:
>> There was an intrusion, and it affected the server which signs packages, hence the warning to hold off until tests had been done.
> They really should have said something more like that, first off. Sure, they didn't want to play their hand, but the hacker would have known they'd been rumbled by the first announcement.

Yes, the specific hacker would have, but how that hacker hacked their way in would not have been obvious to RH and perhaps the hacker community. I am very pleased with the way RH acted and how quickly they slammed the door shut.

--
T o m M i t c h e l l
Got a great hat... now what.
Re: non-disclosure of infrastructure problem a management issue?
On Fri, Aug 22, 2008 at 10:36:21AM +1200, Clint Dilks wrote:
> Bjoern Tore Sund wrote:
>> It has now been a full week since the first announcement that Fedora had infrastructure problems and to stop updating systems. Since then there have been two updates to the announcement, none of which have modified the don't update advice and none of which has been specific as to the exact nature of the problems. At one point we received a list of servers, but not services, which were back up and running. The University of Bergen has 500 linux clients running Fedora. We average one reinstall/fresh install per day, often doing quite a lot more. Installs and reinstalls have had to stop completely, nightly updates have stopped, and until the nature of the problem is revealed we don't even know for certain whether it is safe for our IT staff to type admin passwords to our (RHEL-based, for the most part) servers from these work stations.

With 500 clients? Are you pulling updates from the internet or are you pulling from a local cache of tested updates? Are you using site specific kickstart config files that install local yum config files, ssh keys, sendmail setup and sudo config files so your admins can access the hosts without typing passwords? What revision control of the config files? I can see that the lack of updates would prove disconcerting but the inability to maintain day to day, another one just like yesterday's install seems fragile.

In business school there is a strategy of owning your own dependencies. The long term success stories in business include strong control of resources that they depend on. It is possible to manage yum and friends to allow only update packages resigned by your group at Bergen after testing them.

My last question -- what is the University of Bergen's written policy for this type and other risks? Does university policy mandate the disclosure that you expect from RedHat?

In possible defense of RH does anyone know what restrictions the US Department of Homeland Security might impose? If I was RH I would have promptly called in the authorities. Then with the conflict between Georgia and Russia catching headlines who knows how cautious and SLOW RH+DHS+FBI were. I do not expect an answer. And just because some are paranoid, RH did get hacked.

--
T o m M i t c h e l l
Got a great hat... now what.
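Two posts in this thread make the same operational point from different ends: Anne's "it's unlikely that we have any corrupt packages if we only accept signed ones", and Tom's remark that yum can be managed to accept only packages re-signed by your own group after testing. Both rest on every repository definition on every client actually enforcing signature checks. The script below is an added example (not code from the thread or from the Fedora project) that audits yum `.repo` text for repositories that would accept unsigned packages, showing a constructed weak configuration next to a hardened one; the repo ids, hosts and key paths are placeholders, and the `default_gpgcheck` argument models whatever your own `[main]` section in yum.conf sets.

```python
"""Audit yum repository configuration for repos that would accept unsigned
packages. Added example for this thread; not code from the Fedora project or
from anyone on the list. Repo ids, hosts and key paths are constructed."""
import configparser

# Constructed weak configuration: one repo switches signature checking off,
# one never mentions it, and one fetches its signing key over plain HTTP.
WEAK_REPO = """
[sample-updates]
name=Sample updates
baseurl=http://mirror.example.invalid/updates/
gpgcheck=0

[sample-extras]
name=Sample extras
baseurl=http://mirror.example.invalid/extras/

[sample-local]
name=Sample local rebuilds
baseurl=http://repo.example.invalid/local/
gpgcheck=1
gpgkey=http://repo.example.invalid/RPM-GPG-KEY-local
"""

# Constructed hardened configuration: every repo requires a signature and
# names a locally installed key (the one your group re-signs with, in Tom's
# scenario) that the signature must verify against.
HARDENED_REPO = """
[sample-updates]
name=Sample updates
baseurl=http://mirror.example.invalid/updates/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-sample

[sample-local]
name=Sample local rebuilds
baseurl=http://repo.example.invalid/local/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-local
"""


def audit_repo_config(text, default_gpgcheck="0"):
    """Return {repo_id: [problems]} for each repo section that does not
    enforce a verifiable package signature.

    default_gpgcheck is what a repo section inherits when it omits gpgcheck.
    yum's own built-in default is 0; pass the value from your installed
    yum.conf [main] section (assumption: the caller knows that value).
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = {}
    for repo in cp.sections():
        problems = []
        if cp.get(repo, "gpgcheck", fallback=default_gpgcheck).strip() != "1":
            problems.append("gpgcheck is not enabled")
        # gpgkey may list several URLs separated by whitespace.
        key_urls = cp.get(repo, "gpgkey", fallback="").split()
        if not key_urls:
            problems.append("no gpgkey configured")
        elif any(u.startswith("http://") for u in key_urls):
            # A key fetched over plaintext HTTP can be replaced in transit,
            # which defeats the point of checking signatures against it.
            problems.append("gpgkey fetched over plaintext HTTP")
        if problems:
            findings[repo] = problems
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_REPO), ("hardened", HARDENED_REPO)):
        print(label, audit_repo_config(cfg) or "ok")
```

Run it against the concatenated contents of `/etc/yum.repos.d/*.repo` on a client (or on the kickstart template that generates them) and treat any non-empty result as a host that would have installed whatever a compromised mirror served. For packages already downloaded, `rpm --checksig` on the file gives the per-package answer the repository setting is meant to guarantee.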
Re: non-disclosure of infrastructure problem a management issue?
On Friday 22 August 2008 17:41:31 Tim wrote:
> On Fri, 2008-08-22 at 16:08 +0100, Anne Wilson wrote:
>> There was an intrusion, and it affected the server which signs packages, hence the warning to hold off until tests had been done.
> They really should have said something more like that, first off. Sure, they didn't want to play their hand, but the hacker would have known they'd been rumbled by the first announcement.

But think what fun the FUD-spreaders would have missed :-)

Anne
Re: non-disclosure of infrastructure problem a management issue?
On Friday 22 August 2008 Tim wrote:
> On Fri, 2008-08-22 at 16:08 +0100, Anne Wilson wrote:
>> There was an intrusion, and it affected the server which signs packages, hence the warning to hold off until tests had been done.
> They really should have said something more like that, first off.

I agree. I can't see any reason why they couldn't have said the following a week ago:

    We suspect that some Fedora servers may have been illegally accessed. We are working to analyze the intrusion and the extent of the compromise. Right now we can't rule out the possibility that there may be tampered packages on the mirrors, so as a precaution we recommend you not download or update any additional packages on your Fedora systems. The investigation may result in service outages, for which we apologize in advance.

Björn Persson
Re: non-disclosure of infrastructure problem a management issue?
Björn Persson wrote:
> On Friday 22 August 2008 Tim wrote:
>> On Fri, 2008-08-22 at 16:08 +0100, Anne Wilson wrote:
>>> There was an intrusion, and it affected the server which signs packages, hence the warning to hold off until tests had been done.
>> They really should have said something more like that, first off.
> I agree. I can't see any reason why they couldn't have said the following a week ago:
>
>     We suspect that some Fedora servers may have been illegally accessed. We are working to analyze the intrusion and the extent of the compromise. Right now we can't rule out the possibility that there may be tampered packages on the mirrors, so as a precaution we recommend you not download or update any additional packages on your Fedora systems. The investigation may result in service outages, for which we apologize in advance.

https://www.redhat.com/archives/fedora-advisory-board/2008-August/msg00088.html

Rahul
Re: non-disclosure of infrastructure problem a management issue?
2008/8/22 Björn Persson [EMAIL PROTECTED]:
> On Friday 22 August 2008 Tim wrote:
>> On Fri, 2008-08-22 at 16:08 +0100, Anne Wilson wrote:
>>> There was an intrusion, and it affected the server which signs packages, hence the warning to hold off until tests had been done.
>> They really should have said something more like that, first off.
> I agree. I can't see any reason why they couldn't have said the following a week ago:

Legal issues? The word was used in the first sentence.

--
Fedora 7 : sipping some of that moonshine ( www.pembo13.com )
Re: non-disclosure of infrastructure problem a management issue?
On Fri, Aug 22, 2008 at 11:40 AM, David [EMAIL PROTECTED] wrote:
> At the very least it should be suggested, recommended, or maybe an 'auto signup' when signing up for any other of the 'public type' lists. For them, the newer users, because it is important. Those of us with experience know, or should know, enough to do that.

It is suggested... on the communication page.. one click from the fedoraproject home page. All the lists are public. All of them are archived. How is it so important that Fedora must do it for everyone, but people can't do it for themselves? Why must I be subjected to something that I don't want (if that's the case) instead of you getting to choose what you do want? You all make it sound like the fedora announce list was some secret list, or that there were no expectations that there would be important announcements about fedora on the fedora-announce-list. I find this deeply irrational and it frustrates me trying to understand this position some of you have taken. Not only is it on http://fedoraproject.org/wiki/Communicate#User_Mailing_Lists, it's the first one listed (due to alphabetical order).

--
Fedora 7 : sipping some of that moonshine ( www.pembo13.com )
Re: non-disclosure of infrastructure problem a management issue?
Rahul Sundaram wrote:
> https://www.redhat.com/archives/fedora-advisory-board/2008-August/msg00088.html

Interfering with an investigation? Bullshit! I suppose it's also illegal to stop the intruder until the investigation is done, then? You have to let him continue causing damage, reading your secrets and covering his tracks, because if you stop him he'll know he's been discovered and then you've interfered with the investigation, right? I knew the legal system in the USA was crazy but I really didn't think it was *that* insane.

When you discover an intrusion, the *first* thing you should do is yank the network cable out. An inevitable side effect of this is that the intruder finds out that he's been discovered. Warning others who may also be affected doesn't help the intruder get away better when he already knows he's been discovered.

Björn Persson