Date: 27 Jun 2002 02:27:19 -0400
From: Petr Swedock <petr@blade-runner.mit.edu>
To: Dave <dave@mu.org>
Cc: freebsd-security@FreeBSD.ORG
Subject: Meta (was Re: Wow)
Message-ID: <86it45z16g.fsf_-_@blade-runner.mit.edu>
In-Reply-To: Dave's message of Wed, 26 Jun 2002 15:39:19 -0700
References: <20020626121754.F8071@mail.seattleFenix.net> <200206261919.g5QJJLLI018466@cvs.openbsd.org> <20020626202057.GA7152@zot.electricrain.com> <20020626223919.GA31673@elvis.mu.org>
Dave <dave@mu.org> writes:
>
> To whom it may concern on the list,
>
> Shut the fuck up, you bunch of belligerent, whiney dorks.
> No one gives a rat's ass if you get hacked. Actually, I
I need this list to be useful. I daresay others
here feel the same way. The last few days
have raised some concerns for me, about the
usefulness of this list.
With that thought in mind, here's a stack of
what is of concern to me. I present it to
the list as some points for a meta-discussion of
policy, disclosure, list use and risk-assessment.
1.) Crying wolf
Theo is not vindicated by the
absence of compromised machines.
His actions were wrong, overwrought,
patronizing and ultimately unhelpful.
He cried wolf. Fine. He's forgiven,
absolved and, one hopes, suitably
chastened enough not to do it again.
But if the list is to operate free of
such cruft we should recognize it and
work together to provide some context
by which threats are identified and
assessed cogently and coherently.
2.) Hysteria
One person screams -- many people jump.
That's not a good security posture.
If this list is to be of any use at all,
then hysteria must be kept to a minimum.
FreeBSD (to me) is about taking the right
things seriously and about refusing
to take the wrong things seriously. I
don't think that happened here.
3.) Disclosure and risk assessment.
Theo knows nothing of me, or my job.
Nor should he. Therefore, he should
not be in the business of risk
assessment for my job. Nobody but
I should do that job. My sense is
that Theo is in earnest, with a
genuine desire to prevent breakins.
Fine. If he wants to be helpful, he
can practice some of the generally
accepted models of disclosure and
feedback in the open source community.
That's the only way I can think of
that will allow me to best assess the
risk to my machines and users (short of
hiring Theo to work for me). This
list is (should be) an excellent
forum for that disclosure and feedback.
So those are my concerns. I'm interested to know
if others share these concerns and what we can
do about them.
Peace,
Petr
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
