On Thu, 4 Dec 2003, Dave wrote:

> On Thu, 04 Dec 2003 20:20:21 +0100, Terry Hancock
> <[EMAIL PROTECTED]> wrote:
> [...]
> >There is also the point that *somebody* found this bug. Just not the
> >folks we were hoping would. ;-) Letting real crackers hammer your
> >system is another way to find bugs, although we hope it's a last resort.
>
> You missed my point. I think this *is* a fire drill! I think this
> break-in was done by the best folks we could ever hope for.
>
> Consider this: The attacker chose a system that was heavily guarded and
> would generate a quick response from the people who could distribute a fix
> most quickly. He or she had intimate knowledge of the various Debian
> servers. And no damage was done.
>
> Can you hope for a better hacker than this? Do you think he could have had
> the same impact by merely announcing that he *could* break into a system if
> he wanted?
>
> The real question now is "How many similar exploits exist, and are being
> kept quiet for use in a real situation." We can only hope it's the good
> guys who have these secrets.
Anytime you don't lose data ... consider yourself lucky ... and learn from it
and tighten the boat some. I'm assuming the Debian boat is tightened?
(more staging machines and key checking?)

You can always simulate a fire drill ... at any random time ... and work out
additional security policies accordingly.

c ya
alvin