non-disclosure of infrastructure problem a management issue?

Björn Persson bjorn at xn--rombobjrn-67a.se
Sat Aug 23 16:57:04 UTC 2008


Rahul Sundaram quoted Paul W. Frields:
> "If you've ever been involved in a security investigation, you already
> know that facts emerge over time.  With every disclosure there's a risk
> of getting those facts wrong,

If you don't know yet, then simply say that you don't know yet.

> or having to issue retractions. 

What about the announcement that no tampered packages were built for Fedora? 
Isn't that a retraction of the recommendation not to install packages? And 
what's wrong with that?

> Disclosure at an inappropriate time gives people the mistaken impression
> one is not being truthful, when that's not the case.

The first announcement gave me the impression that there was a technical 
problem, such as overloaded web servers or a crashed database or something. 
In retrospect it's obvious that when that announcement was written they 
already knew or at least suspected that there had been an intrusion. This 
gives me the impression that Paul W. Frields was not being truthful. He lied 
by telling half the truth.

"The closer to the truth, the better the lie, and the truth itself, when it 
can be used, is the best lie." – Preem Palver (Isaac Asimov)

> The disclosures we've made up to and including this point have been
> factual,

but misleading

> in the interest of protecting the security of our millions of 
> users,

You don't protect users' security by concealing a security issue as a 
technical problem. That's security by obscurity. Tell us that the issue has 
to do with security so that we have something to base our judgments on!

> and in the further interest of allowing proper investigation and 
> analysis of an ongoing matter.

And how exactly would investigation and analysis have been hindered if we had 
been told what kind of issue it was?

> As I stated in the announcement, I'll continue to provide information as
> it becomes available."

Did it really take a week before the information that the issue was related to 
security became available?

Björn Persson