Page last updated: 2002 Sep 15 20:48

The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.

Re: [vox-tech] Apache OpenSSL worm passing around the internet...

[Cross-posts snipped.]

Quoting ME (dugan@passwall.com):

> Now is a good time to subscribe to bugtraq! You get notices such as this
> about possible risks in security.

A couple of interesting issues have come up, over the last year, about
Bugtraq.

1.  Its sponsoring firm, security-management firm SecurityFocus, was
recently bought up by Symantec.  Much virtual ink was then spilled over
loss of editorial independence -- but this is probably an issue, if at
all, only concerning viruses and anti-viral software.

2.  Disclosure policy.  Oh my, what a political football this has been!  A
succession of crybaby organisations led by -- yep -- Microsoft
Corporation keep screaming to high heaven about Bugtraq's policy of
allowing posting to include full technical details of vulnerabilities,
including exploits.  Elias Levy and the rest of the SecurityFocus staff
have stuck to their guns on this one, even after the Symantec
acquisition.  (Symantec's own policy is to withhold details for a 30-day
"grace period".)

It's largely _because_ of its full-disclosure policy that Bugtraq is so
very useful -- arguably essential.  Alternatives such as CERT advisories
tend toward the useless end of the spectrum, for lack of that policy.

If you're running production servers, the timeliness of Bugtraq
vulnerability postings can matter.  In fact, a former colleague used to
autofeed the incoming message stream through pattern-matching filters,
attempting to trap urgent-for-his-network posts and notify him via
text pager.  This paid off in spades, as his network (a gay-oriented 
ISP) was under attack pretty much all the time, and sometimes he was
able to sidestep new exploits by mere minutes.

-- 
Cheers,               "That article and its poster have been cancelled." 
Rick Moen                   -- David B. O'Donnel, sysadmin for America Online
rick@linuxmafia.com
_______________________________________________
vox-tech mailing list
vox-tech@lists.lugod.org
http://lists.lugod.org/mailman/listinfo/vox-tech
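The autofeed-and-page filter the post describes, as an added example rather than code from Rick Moen or the list: it runs constructed Bugtraq-style message headers through pattern matching against an assumed inventory of deployed software and emits at most one page per thread. The inventory, the urgency words, the list address check and the sample headers are all constructed assumptions for illustration.

```python
import re
from email import message_from_string

# Constructed inventory: software actually deployed on the network being protected.
INVENTORY = {"apache", "mod_ssl", "openssl", "openssh", "bind", "sendmail"}
LIST_ADDR = "bugtraq@securityfocus.com"   # posting address of the list being filtered

# Constructed heuristics: words that suggest an actionable post, and the
# prefixes that mark follow-ups in a thread rather than the original report.
URGENT_RE = re.compile(r"\b(worm|remote|exploit|advisory|overflow|in the wild)\b", re.I)
REPLY_RE = re.compile(r"^\s*(re|fwd?)\s*:\s*", re.I)

def products_mentioned(subject):
    """Inventory items named in a Subject; 'Apache/mod_ssl' yields both tokens."""
    tokens = set(re.findall(r"[a-z0-9_]+(?:[.-][a-z0-9_]+)*", subject.lower()))
    return {p for p in INVENTORY if p in tokens}

def thread_key(subject):
    """Strip Re:/Fwd: prefixes so every post in one thread maps to one key."""
    while REPLY_RE.match(subject):
        subject = REPLY_RE.sub("", subject, count=1)
    return re.sub(r"\s+", " ", subject).strip().lower()

def triage(raw_messages):
    """Return (thread_key, products) pairs worth paging about, one per thread.
    A post qualifies when it went to the list, names a deployed product in its
    Subject and uses an urgency word; repeats in a thread are suppressed."""
    alerts, seen = [], set()
    for raw in raw_messages:
        msg = message_from_string(raw)
        subject = msg.get("Subject", "")
        if LIST_ADDR not in (msg.get("To", "") + msg.get("Cc", "")).lower():
            continue                      # not list traffic at all
        hits = products_mentioned(subject)
        if not hits or not URGENT_RE.search(subject):
            continue                      # irrelevant product, or just chatter
        key = thread_key(subject)
        if key not in seen:               # page once per thread, not per reply
            seen.add(key)
            alerts.append((key, sorted(hits)))
    return alerts

# Constructed sample posts (only the headers matter here); not real list traffic.
SAMPLE_POSTS = [
    "To: bugtraq@securityfocus.com\nSubject: Apache/mod_ssl worm in the wild\n\n...\n",
    "To: bugtraq@securityfocus.com\nSubject: Re: Apache/mod_ssl worm in the wild\n\n...\n",
    "To: bugtraq@securityfocus.com\nSubject: Remote overflow in FooWiki 1.2\n\n...\n",
    "To: vox-tech@lists.lugod.org\nSubject: Apache OpenSSL worm passing around the internet...\n\n...\n",
    "To: bugtraq@securityfocus.com\nSubject: Sendmail configuration question\n\n...\n",
]
```

Running `triage(SAMPLE_POSTS)` yields a single alert for the mod_ssl thread; the reply, the unrelated product, the non-list post and the non-urgent question are all dropped.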
