The Fedora-Red Hat Crisis (Datamation)

Posted Sep 10, 2008 22:09 UTC (Wed) by smoogen (subscriber, #97)
In reply to: The Fedora-Red Hat Crisis (Datamation) by BrucePerens
Parent article: The Fedora-Red Hat Crisis (Datamation)

Actually, in the investigations I have dealt with, we were not able to even say we were working with law enforcement until they approved it. They instead told us we could say we had an issue, and then later, when they decided it would not interfere with their investigation, we were able to say "we were working with law enforcement." [By the way, I have no knowledge of whether Red Hat contacted law enforcement or not.]

The difference I am trying to make between the SSL code and the Red Hat issue is that the SSL was a coding error with security implications, and the other was a criminal issue with security implications.

It would be better to compare how the 2006 break-in was dealt with (when was it reported to authorities, did the authorities believe the damage affected national security, stockholders, etc.? When was the full disclosure of the event made in comparison to the detection? etc.). In that case RH/Fedora probably comes up wanting again, but it is a better apples-to-apples comparison.



The Fedora-Red Hat Crisis (Datamation)

Posted Sep 10, 2008 22:40 UTC (Wed) by rahvin (subscriber, #16953)

It would be HIGHLY unusual if the FBI wasn't involved. They would be risking serious class action shareholder lawsuits if they didn't call the FBI immediately after discovering the breach. RedHat likely has software in some top government agencies, including the NSA, DOD and CIA. Because of this the breach is probably being treated just like a breach at Microsoft would be treated. A full criminal investigation has probably already begun and everyone is gagged because as you said the FBI arrests and prosecutes people that reveal information before they have completed their investigation.

Frankly, RedHat's behavior indicates to me that the FBI is involved. The press release reads just like some FBI agent scrubbed it of every single detail that wasn't directly relevant to notifying customers of issues that will affect them. In time we will know what happened, but we need to give them time for the FBI to relax the restrictions. I would say that if we don't have at least a mostly complete release of details in 6 months, it's probably time to start saying they aren't doing things the way they should. Otherwise, like I said before, I think the author and others are jumping the gun on putting RedHat's feet to the fire. And I think we should at least accept that RedHat has always had pretty good judgement, and that if there was anything that directly affects customer security it has been released, and the remainder is just details of how the break-in occurred which don't necessarily have an impact on customer security.

And Bruce, there is a significant difference between a non-profit corporation that misconfigured software and a publicly traded company dealing with felony computer crimes. RedHat has numerous restrictions and obligations as a result of being publicly traded that Debian doesn't have to deal with. And those restrictions aren't just financial; they deal directly with what shareholders are told, how they are told, and how criminal behavior is handled. Making a misstep could cost RedHat millions in SEC fines or shareholder lawsuits, whereas there were no such implications for Debian.

The Fedora-Red Hat Crisis (Datamation)

Posted Sep 10, 2008 23:05 UTC (Wed) by BrucePerens (subscriber, #2510)

To compare apples to apples, you can see Debian's 2006 server compromise, which occurred to a system in the bastion (outside of the corporate firewall) at HP Fort Collins. They handled it much more openly than Red Hat.

The restrictions on publicly traded companies really act both ways. Destroying customer confidence by quashing discussion of a security issue will get you sued just as readily as saying too much about it.

Perhaps the bottom line here is that Fedora isn't as good a structure as Debian for maintaining the core of a Linux distribution, because Fedora is too close to the publicly-traded corporation to have freedom of action. Good engineering gets done when you have that freedom.

The Fedora-Red Hat Crisis (Datamation)

Posted Sep 11, 2008 0:04 UTC (Thu) by smoogen (subscriber, #97)

Yes, customer confidence is all a company selling/distributing Linux for the enterprise trades on. The questions I have from the Debian break-in that I could not see were:
1) Was the problem reported to police?
2) What was their take on it?
3) What would HP have done if the systems had been inside of a corporate firewall?

My biggest problem with your comments is that you are taking advantage of a person who can't speak for your public schadenfreude. I expected better of you versus cloning ESR. I expected you to write up a treatise of how a public group should handle security incidents.

Instead you seem intent on making non-Debians regret defending Debian against a-holes who posted "oh what a bunch of dorks" when the SSL issue or the Debian 2006 breach occurred.

The Fedora-Red Hat Crisis (Datamation)

Posted Sep 11, 2008 0:17 UTC (Thu) by BrucePerens (subscriber, #2510)

I don't know what Debian's interaction with the police was.

Their take on it is public knowledge; just use Google.

I have seen HP handle a security issue horribly, and did my best to correct the problem while I was at HP. I can't take responsibility for how they behave today, except to note that I was really glad I didn't work there any longer the day their general counsel took the 5th in front of Congress and on national TV.

Red Hat is eminently able to speak for itself. They choose not to. I have been making it clear that the Debian way was the prototype for a public group handling security incidents. And hold the ESR insults, please.

Debian took its knocks standing up, and IMO that particular incident was dorky, and they owned up to it publicly and then went on with their lives. IMO that was honorable and you were quite right to defend them. What RH is doing today is very different.

Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds