On Mon, Aug 25, 2008 at 08:57:13 -0500, Thomas Cameron <thomas.cameron@xxxxxxxxxxxxxxx> wrote:
>
> Prove it. Tell me about *your* experience recovering from security
> breaches. Tell me about how *you've* interfaced with law enforcement in

I used to be our InfraGard rep and helped put some of our server admins in contact with someone at the FBI after an incident cost us a lot of people time rebuilding the machines. The FBI took the information and it was probably included in their aggregate stats, but that's all that came of that. (And that's what they told us was most likely to be the result up front.)

Before that I used to deal with end user shell accounts getting hacked, but those were usually not a big deal because they would only get end user access. Also we had a hole in an identd server cause us problems about 10 years ago. In that case we didn't end up rebuilding the whole server.

> those cases. Tell me about *your* experience with corporate
> requirements for recovery from such a breach. Tell me about *your*

I work for an educational institution. Also the event happened about 5 years ago and the climate, server usage and laws were different then. Today the same kind of event on the follow-on to the system would cause us a lot more grief.

> process and how it has been vetted by *your* legal department so that

I wasn't involved in the discussions between upper management and legal for that incident, but I believe there were some.

> all interests - corporate, law enforcement and lastly community - are
> protected. Now take all of that and throw it away, because the vetting
> process that the Fedora project has to go through is more than likely
> very different from yours.

Much different.

> > as shutting
> > down the servers was going to tip their hand in any case. It would have
> > given the community some information to act (or not) on.
> >
> In this case, the desires (and these are simply desires, not needs) of
> the community are rightly secondary to the legal requirements of the
> Fedora project, a project funded by a US corporation.

I disagree here. That may have been necessary in this case (we don't know yet if it was law or policy blocking communication), but I do not think it is right.

> The folks who spew about "woulda shoulda coulda" are in pretty much
> every case showing their asses here. It's painfully obvious that
> they've never been through this kind of exercise. I have. I understand
> that the path to recovery from this kind of breach is incredibly
> painful, and there are numerous folks managing that recovery.

Those aren't the people being complained about. The infrastructure people appear to have stepped up to try and get this cleaned up as fast as possible.

> Satisfying all of the stakeholders is pretty much impossible. To
> blithely coach and criticize from your armchair is the height of hubris.

I am a stakeholder and I don't see any problem stating that my interests weren't properly protected. With Fedora's stances on openness, I believed they extended to security breaches as well. If they intend to act this way to future incidents, that is going to affect how I value participating in this project. It may not be enough of a negative to switch, as Fedora is a very good fit in other areas.

> Leave it to the professionals who run the Fedora infrastructure, they
> actually know what they are doing.

Again, the infrastructure people aren't the ones being complained about.

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list