[87692] in North American Network Operators' Group


Re: WMF patch

daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Wed Jan 4 17:58:45 2006

To: Fred Heutte <aoxomoxoa@sunlightdata.com>
Cc: nanog@nanog.org
In-Reply-To: Your message of "Wed, 04 Jan 2006 13:36:53 PST."
             <200601042137.k04Lb6v14625@broadway.hevanet.com> 
From: Valdis.Kletnieks@vt.edu
Date: Wed, 04 Jan 2006 17:58:16 -0500
Errors-To: owner-nanog@merit.edu


On Wed, 04 Jan 2006 13:36:53 PST, Fred Heutte said:

> In my reading this is a serious vulnerability, but the self-
> inflating agitation in the "security community" has reached 
> a highly annoying level.  I'm in the FTDT (fix the damn thing)
> school; let's deal with it and get on with it.  Every cycle spent 
> moaning about the faults of Microsoft is a lost opportunity 
> for something more productive.

How many times do you propose we FTDT before we get fed up and ask upper
management to authorize a migration to some other software with a better
record? And how many more FTDT's do we need to tolerate while we wait for
upper management to authorize a migration?

Or to put it differently - if you discovered that your router vendor was
vulnerable because they had a proprietary BGP extension *designed* to deliver
arbitrary code for execution, would you FTDT, or would you be on the phone
with your vendor venting your outrage?  And what if it wasn't the first, but
more like the 10th year in a row that a similar design issue had surfaced?

Would you still just FTDT?

And while you're trying to figure out how to roll out a patch to 200 routers
that are totally under your control, keep in mind that a *small* organization
can have 30K PCs, not always totally managed.

Still feel like just FTDT?


