08-24-2008, 03:59 AM
max

non-disclosure of infrastructure problem a management issue?

Björn Persson wrote:

> Anders Karlsson wrote:
>
> > * Björn Persson <bjorn@rombobjörn.se> [20080823 18:57]:
> >
> > > The first announcement gave me the impression that there was a technical
> > > problem, such as overloaded web servers or a crashed database or
> > > something. In retrospect it's obvious that when that announcement was
> > > written they already knew or at least suspected that there had been an
> > > intrusion. This gives me the impression that Paul W. Frields was not
> > > being truthful. He lied by telling half the truth.
> >
> > That is a pretty strong statement to make. Not telling everything does
> > not equate lying - especially when what you are telling (or can tell)
> > is true. And if all you have is an impression that he is not truthful,
> > you concede that you have no evidence to the contrary as well.
> >
> > I think you owe Paul Frields an apology.
>
> It would be possible to convince me that he didn't mean to deceive. It would
> take an honest-sounding statement that he thought that everybody would
> understand that installing packages might be not only unsafe but actually
> insecure, and also a very good explanation of why he – or someone giving him
> orders – thought it was absolutely necessary to be so cryptic. It would be

You do not have all the facts yet you feel free to pass judgement.
Calling Paul Frields a liar is out of line and you know it; we have no
idea what constraints he may be operating under. Your statement above
strikes me as naive and dishonest. You had no idea there was a security
issue? It was the first thing to cross my mind when I first saw the
announcement. What else could it have been? Why else the cryptic
message? No, it strikes me that you are being dishonest with yourself
first and foremost. From what little I can glean from mail sent to this
list you do not strike me as a fool; is it just frustration at the
situation? This is understandable but it does not give you leave to
accuse people of being deceitful.

> dishonest to apologize before I'm convinced.
>
> Björn Persson


--
Fortune favors the BOLD

--
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
 
08-24-2008, 04:11 AM
Tim

Tim:
>> I still don't see why they couldn't have said that it would be *unsafe*
>> to install packages, without saying specifically why. As opposed to

Rui Miguel Silva Seabra:
> You still don't see because you don't want to.

No, I didn't see because it didn't say.

I saw the original posting, and it was wide open to interpretation. It
didn't spell out anything clearly. It could well have meant that there
was a system failure, and if you started updating/installing you could
get stuck with a broken system.

At first glance, that's how it reads. Only suspicion and paranoia lead
one to think it meant more than that. We cannot read between the lines
and know what the message actually meant. It's only by guessing at
things that we'd become alarmed about the message. Whoever wrote that
did a very poor job of it.

--
[tim@localhost ~]$ uname -r
2.6.25.14-108.fc9.i686

Don't send private replies to my address, the mailbox is ignored. I
read messages from the public lists.



 
08-24-2008, 07:55 AM
Nifty Fedora Mitch

On Sat, Aug 23, 2008 at 11:44:15PM +0200, Bjørn Tore Sund wrote:
> Nifty Fedora Mitch chose attack as the best defense:
> > On Fri, Aug 22, 2008 at 10:36:21AM +1200, Clint Dilks wrote:
> >> Bjoern Tore Sund wrote:
> >>> It has now been a full week since the first announcement that Fedora
> >>> had "infrastructure problems" and to stop updating systems. Since
> >>> then there have been two updates to the announcement, none of which
> >>> have modified the "don't update" advice and none of which has been
> >>> specific as to the exact nature of the problems. At one point we
> >>> received a list of servers, but not services, which were back up and
> >>> running.
> >>>
> >>> The University of Bergen has 500 linux clients running Fedora. We
> >>> average one reinstall/fresh install per day, often doing quite a lot
> >>> more. Installs and reinstalls have had to stop completely, nightly
> >>> updates have stopped, and until the nature of the problem is revealed
> >>> we don't even know for certain whether it is safe for our IT staff to
> >>> type admin passwords to our (RHEL-based, for the most part) servers
> >>> from these work stations.
> >
> >With 500 clients ?
>
> So far. Got about 250 laptops coming into the system this autumn, as soon
> as we have the setup and config regime properly structured and able to
> handle it. Should be ready sometime in September.
>
> >Are you pulling updates from the internet or are
> >you pulling from a local cache of "tested" updates.
>
> I have often wished we had the manpower to do the latter. Unfortunately, we
> don't, so the local mirror is exactly that, a mirror. One thing this
> incident has taught us is to take regular backups of that mirror so that we
> can roll back to a non-suspect version of the Fedora updates. Didn't have
> that before, really missed it the last couple of weeks.

Thank you for the reply.

Your site setup sounds very well managed and I now
understand your concern and original post much better.
Other readers of this list should take a lesson
on how to manage a large community of machines and users.

This event does present the community with some eye opening perspectives
with regard to the chain of resources that we depend on.

For example using 'rsync' for mirror management could quickly and
silently update the global set of mirrors with bad files almost overnight.
If keys were hacked and hosts near the tip of tree silently compromised it might
go undetected for some time.

Weeks ago I would have suggested running a mirror without the --delete flag
as the only 'special flag' not in common use. Now it appears that some
sort of way to freeze packages once they have been pulled makes sense.

One quick local action is to have a local check sum file set that can be
used to verify that 'old' packages do not change in the local mirror.
rsync and friends could then be enhanced to understand a 'gold frozen' list.

As I ponder an 'rsync' tree of mirrors I continue to think that RH did the correct thing.

Still, having said that, I too would have liked more information. But, in my
limited experience with law enforcement and security groups the rule seems
to be to say nothing, which is exactly what happened. Sadly the Linux
community is not without its bad actors as we in the SF Bay area learned
with the recent conviction of HR.

Interesting stuff....


--
T o m M i t c h e l l
Got a great hat... now what.

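Mitch's "gold frozen" list above, as an added example that is not from the thread or from the Fedora project: two POSIX shell functions (freeze_mirror and check_frozen are my own names) that record a SHA-256 manifest of the packages already in a local mirror and, after each rsync, flag any frozen package that changed or vanished while still letting new updates land. It assumes GNU coreutils sha256sum and a mirror tree of .rpm files.

```shell
#!/bin/sh
# Constructed example of a "gold frozen" manifest for a local package mirror.
# freeze_mirror records a SHA-256 for every package already present; after the
# next rsync, check_frozen re-hashes those paths and reports any frozen package
# that changed or vanished. New files are allowed (they are new updates), but
# anything already frozen must stay byte-identical. Assumes GNU coreutils.

# Build or extend the manifest. $1 = mirror root, $2 = manifest file.
# Entries already present are never rewritten, so a second run cannot
# "re-freeze" a tampered package under its new hash.
freeze_mirror() {
    mirror=$1; manifest=$2
    touch "$manifest"
    # sha256sum prints "<64 hex>  <path>", so the path starts at column 67.
    frozen=$(cut -c67- "$manifest")
    (cd "$mirror" && find . -type f -name '*.rpm' | sort) |
    while IFS= read -r rel; do
        if ! printf '%s\n' "$frozen" | grep -qxF -- "$rel"; then
            (cd "$mirror" && sha256sum "$rel") >> "$manifest"
        fi
    done
}

# Verify the mirror against the manifest. Prints "CHANGED <path>" or
# "MISSING <path>" for each violation; returns 0 only if there were none.
check_frozen() {
    mirror=$1; manifest=$2
    status=0
    while IFS= read -r line; do
        expected=${line%%  *}
        rel=${line#*  }
        if [ ! -f "$mirror/$rel" ]; then
            echo "MISSING $rel"; status=1; continue
        fi
        actual=$( (cd "$mirror" && sha256sum "$rel") | cut -c1-64)
        if [ "$actual" != "$expected" ]; then
            echo "CHANGED $rel"; status=1
        fi
    done < "$manifest"
    return $status
}
```

Run check_frozen from cron after every rsync and hold the nightly client updates when it exits non-zero; a rollback copy of the mirror, as Bjørn Tore Sund describes, then gives you a known-good tree to restore from.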
 
08-24-2008, 08:11 AM
Anders Karlsson

* Björn Persson <bjorn@rombobjörn.se> [20080824 01:38]:
> Anders Karlsson wrote:
[snip]
> > That is a pretty strong statement to make. Not telling everything does
> > not equate lying - especially when what you are telling (or can tell)
> > is true. And if all you have is an impression that he is not truthful,
> > you concede that you have no evidence to the contrary as well.
> >
> > I think you owe Paul Frields an apology.
>
> It would be possible to convince me that he didn't mean to deceive. It would
> take an honest-sounding statement that he thought that everybody would
> understand that installing packages might be not only unsafe but actually
> insecure, and also a very good explanation of why he – or someone giving him
> orders – thought it was absolutely necessary to be so cryptic. It would be
> dishonest to apologize before I'm convinced.

Again you are making the assumption that the intent was to deceive or
to not tell the truth. Paul Frields' actions speak louder than words
and I have utmost respect for him.

I stand by my previous e-mail, you owe Paul an apology (granted, take
your time coughing it up) and you should read the book I pointed you
at so you realise what these investigations entail.

/Anders



 
08-24-2008, 08:34 AM
Rui Miguel Silva Seabra

On Sun, Aug 24, 2008 at 08:35:39AM +0900, Joel Rees wrote:
> It's one of the costs (and, actually, one of the benefits) of working
> with open source. With "Proprietary" you have "guarantees". When they
> fall down on the job, or when other bad stuff happens, you can
> theoretically get some sort of compensation. But when you look at the
> record, the compensation you get isn't worth it.

I think your view ignores the fact that you *only* get "guarantees" on
software if you make a contract for such, and even so they are called
Service Level Agreements (SLAs).

Software is copyright, so demanding "guarantees" is like demanding
guarantees from a book. It can't be done.

Now since SLAs may be bought regardless of the software license, you get
SLAs with any company which is willing to sell them.

Red Hat, for instance, is quite happy (I imagine) to sell you support
with an SLA.

> With opensource, you have both the responsibility and the privilege to
> run your own install servers and backups. And you don't have the
> guarantees that seem to fool the bean counters.

No, that's merely Free Software without commercial support. You get to
depend on your knowledge and the community's alone.

The nicest thing about Free Software is that this pretty much works
quite well, generally, and in special cases you can usually buy some
commercial support from someone.

With proprietary software you usually only get the commercial support
(and frequently it sucks) and there's little community (if at all).

I'm pretty much opposed to the concept of guarantees on software in a
general way, for it only favours proprietary software.

Free Software would have to certify any change in order to provide
guarantees, and that would kill the development model.

Rui

--
Fnord.
Today is Sweetmorn, the 17th day of Bureaucracy in the YOLD 3174
+ No matter how much you do, you never do enough -- unknown
+ Whatever you do will be insignificant,
| but it is very important that you do it -- Gandhi
+ So let's do it...?

 
08-24-2008, 01:20 PM
Bjørn Tore Sund

Björn Persson asked:

> Bjørn Tore Sund wrote:
>> One thing this
>> incident has taught us is to take regular backups of that mirror so that we
>> can roll back to a non-suspect version of the Fedora updates. Didn't have
>> that before, really missed it the last couple of weeks.
>
> How far would you have rolled it back? During the whole time that the Fedora
> repositories were suspect there was no information whatsoever on how old
> packages would have to be to be non-suspect. And while the infrastructure
> team either knew or suspected the whole time that the issue they were
> investigating was an intrusion, it probably did take some time before they
> knew how long the intrusion had been going on.

Sometimes you have all necessary information and can reach a well-founded
conclusion. Sometimes you have to guess and hope for the best. When I have
to guess because others are keeping information I need from me I'll postpone
the guessing while I attempt to persuade said other of the error of their
ways. But I'll still make that guess when all else fails.

-BT
--
Bjørn Tore Sund Phone: 555-84894 Email: bjorn.sund@it.uib.no
IT department VIP: 81724 Support: http://bs.uib.no
Univ. of Bergen

When in fear and when in doubt, run in circles, scream and shout.



 
08-24-2008, 02:10 PM
Björn Persson

max wrote:
> You had no idea there was a security
> issue? It was the first thing to cross my mind when I first saw the
> announcement. What else could it have been? Why else the cryptic
> message?

You're lucky to be that paranoid. Many people would call me paranoid if they
knew what kind of security measures I take with my home computers, but
apparently I'm not paranoid enough yet.

Can you answer the opposite question: Why the cryptic message? Can you think
of a rational reason to avoid the word "security"? Something more concrete
than just "legal issues"?

Björn Persson
 
08-24-2008, 03:15 PM
max

Björn Persson wrote:

> max wrote:
>
> > You had no idea there was a security
> > issue? It was the first thing to cross my mind when I first saw the
> > announcement. What else could it have been? Why else the cryptic
> > message?
>
> You're lucky to be that paranoid. Many people would call me paranoid if they

You call it paranoia, I call it common sense. Do the math, I did. I felt
that if it was anything but a security issue then they'd have come right
out and said so. The only reason not to come out and say so boiled down
to a handful of things. An ongoing investigation and/or uncertainty
about what had happened. If you and others want to insist that it was
just not wanting to own up to the incident then I have to assume you
don't trust the Fedora Project. If you don't trust it then why use the
product of its labor? All this talk of obscurity is a bunch of bullshit
when anyone with a grain of common sense would have come to the proper
conclusion, or suspicion if you like, and done what needed doing at
their end. The message set off the warning bells for me precisely
because it avoided stating that it wasn't a security issue; others read
it the same way. All things considered it's been handled to my
satisfaction. The only thing that's been made clear is that the Fedora
Project has a number of users who take it for granted.

> knew what kind of security measures I take with my home computers, but
> apparently I'm not paranoid enough yet.
>
> Can you answer the opposite question: Why the cryptic message? Can you think
> of a rational reason to avoid the word "security"? Something more concrete
> than just "legal issues"?

Once again we don't know the constraints imposed on them. Some are
certainly caused by legal issues and what remains an ongoing
investigation. Your opinion of US law is irrelevant; I've had my issues
with it before as well, but the law is the law. The point is that we
don't have all the facts. The more important point is that you have used
half the facts to indict Paul Frields. I am willing to concede that you
might even be right Bjorn, but you have rushed to judgement before a
reasonable amount of time has been given to carry out the investigation.
You're being unfair.


--
"Every form of addiction is bad, no matter whether the narcotic be
alcohol, morphine or idealism." --Carl Jung


 
08-24-2008, 04:08 PM
Bruno Wolff III

On Sun, Aug 24, 2008 at 11:15:26 -0400,
max <maximilianbianco@gmail.com> wrote:
> out and said so. The only reason not to come out and say so boiled down
> to a handful of things. An ongoing investigation and/or uncertainty
> about what had happened. If you and others want to insist that it was

And neither of those two reasons provides good cause for not notifying
the community that there was an intrusion, that the extent of the damage
was unknown, that the extent of the damage was being investigated and that
until further information becomes available it would be prudent not to
update packages without good cause.

> just not wanting to own up to the incident then I have to assume you
> don't trust the Fedora Project. If you don't trust it then why use the

The way the incident was handled doesn't inspire trust. Lots of other things
the project does do, though.

> satisfaction. The only thing that's been made clear is that the Fedora
> Project has a number of users who take it for granted.

Or, alternatively a project that takes its community for granted.

> Once again we don't know the constraints imposed on them. Some are
> certainly caused by legal issues and what remains an ongoing

If they had legal constraints on them for some reason, then I would expect
that later they would explain what those constraints were and what they
were going to do to make sure they weren't under them in the future.

> don't have all the facts. The more important point is that you have used
> half the facts to indict Paul Frields. I am willing to concede that you

Even if Paul could not have done more in this case, because he was legally
handcuffed, there is still a problem. This is supposed to be a community
distribution and there should have been more information provided to
the community in a timely manner. This should be fixed for the next time
something like this happens.

 
08-24-2008, 04:43 PM
Les Mikesell

max wrote:

> You call it paranoia, I call it common sense. Do the math, I did. I felt
> that if it was anything but a security issue then they'd have come right
> out and said so. The only reason not to come out and say so boiled down
> to a handful of things.

But doesn't a security issue usually imply that everyone else running
the same software is vulnerable to the same intrusion? That is, the
last thing you want to do is keep running with no updates.

> The only thing that's been made clear is that the Fedora
> Project has a number of users who take it for granted.

Do we know yet how the initial access to the machine was obtained? SSH
password-guessing or a more fundamental software problem that may still
be a danger for others?


--
Les Mikesell
lesmikesell@gmail.com



 
