RE: md5 for bgp tcp sessions

That's mostly the result of the calamitous failure in vulnerability
release methodology, not Operator stupidity.

-M<

marty,

> > rolling out magic code because your
> > vendor tells you to is a bad idea;
>
> That's mostly the result of the calamitous failure in vulnerability
> release methodology, not Operator stupidity.

totally agreed. vendors c, j and several others should be *ashamed*
of the way that they handled and continue to handle this issue: they
have yet to admit that they raised a panic (in secret, with no facts,
so that they could not be refuted) over a basic fact of the way tcp
works, creating outages and instability to fix a non-problem.

operators in those circumstances had little choice but to roll out
"critical security fixes", but i think we all deserve an apology, an
explanation and a commitment to do better in the future.

t

> marty,
>
> > > rolling out magic code because your
> > > vendor tells you to is a bad idea;
> >
> > That's mostly the result of the calamitous failure in vulnerability
> > release methodology, not Operator stupidity.
>
> totally agreed. vendors c, j and several others should be *ashamed*
> of the way that they handled and continue to handle this issue: they

  Hmm, Do you mean NISCC? I think they were
driving the issue:

http://www.uniras.gov.uk/niscc/docs/al-20040420-00199.html?lang=en

> have yet to admit that they raised a panic (in secret, with no facts,
> so that they could not be refuted) over a basic fact of the way tcp
> works, creating outages and instability to fix a non-problem.
>
> operators in those circumstances had little choice but to roll out
> "critical security fixes", but i think we all deserve an apology, an
> explanation and a commitment to do better in the future.

  Come on folks, this was over a year ago, we've all grown
some (well, at least older) and hopefully wiser in how to handle
these situations as they come up.

  I suspect the vendors, NISCC/UNIRAS, and various global CERTs
have been learning from these events, but it was a while ago so take
the lesson and move on.

  - Jared