Dailydave mailing list archives
Re: Speculation
From: "Thomas Ptacek" <tqbf () matasano com>
Date: Sat, 19 Jul 2008 21:27:00 -0500
I am drunk off my ass at the moment, as today is block party today, and my ultraliberal neighbor Linda fed me 6 consecutive shots of tequila. My guests at the party are not drunk, but cannot be attributed. Find attached their verbatim response to this mail. --- Here's the problem. I thought about this alot. The people responsible for the problem should not be singly responsible for making sure the fix is the appropriate fix. Because, I mean, we gave them our trust. THEY FAILED. Why should we trust them solely in a non-open approach to determine the appropriate solution. By the way, they didn't talk to everyone. There are many production DNS deployments today that cannot be patched, because the vendor is not issuing a patch. --- VP, Internet Security, Global Banking Organization On 7/19/08, Paul Vixie <vixie () isc org> wrote:
Those of us outside the research community who have to advise management> cannot tell our executives "trust Dan." We have to be able to weigh > costs vs benefits, implementation details, and the like. I'm glad people > here and elsewhere have tried to figure this out, since it gives details > to guide my recommendations. would you have preferred that the attack vector be completely published on day 1, rather than a cert advisory with details to follow a month later at defcon, so that your recommendations could be completely informed? note that in that case it would also go in the wild before you could patch. is that what you want the next discoverer to do for you? note, it's not just "trust dan." dan looped in a powerful group of dns folks, each of whom was heard to speak the words "oh, shit!" and we have been making the rounds, lending our names to this. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. _______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com http://lists.immunitysec.com/mailman/listinfo/dailydave
-- --- Thomas H. Ptacek // matasano security read us on the web: http://www.matasano.com/log _______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com http://lists.immunitysec.com/mailman/listinfo/dailydave
Current thread:
- Re: Speculation, (continued)
- Re: Speculation Paul Vixie (Jul 18)
- Re: Speculation Thomas Ptacek (Jul 19)
- Re: Speculation Paul Vixie (Jul 19)
- Re: Speculation Thomas Ptacek (Jul 19)
- Message not available
- Re: Speculation Thomas Ptacek (Jul 19)
- Re: Speculation Paul Vixie (Jul 18)
- Re: Speculation Alexander Sotirov (Jul 24)
- Re: Speculation Paul Vixie (Jul 19)
- Re: Speculation Paul Melson (Jul 20)
- Re: Speculation Thomas Ptacek (Jul 20)