North American Network Operators Group

Re: WMF patch

  • From: Valdis.Kletnieks
  • Date: Wed Jan 04 17:59:26 2006

On Wed, 04 Jan 2006 13:36:53 PST, Fred Heutte said:

> In my reading this is a serious vulnerability, but the self-
> inflating agitation in the "security community" has reached 
> a highly annoying level.  I'm in the FTDT (fix the damn thing)
> school; let's deal with it and get on with it.  Every cycle spent 
> moaning about the faults of Microsoft is a lost opportunity 
> for something more productive.

How many times do you propose we FTDT before we get fed up and ask upper
management to authorize a migration to some other software with a better
record? And how many more FTDT's do we need to tolerate while we wait for
upper management to authorize a migration?

Or to put it differently - if you discovered that your router vendor was
vulnerable because they had a proprietary BGP extension *designed* to deliver
arbitrary code for execution, would you FTDT, or would you be on the phone
with your vendor venting your outrage?  And what if it wasn't the first, but
more like the 10th year in a row that a similar design issue had surfaced?

Would you still just FTDT?

And while you're trying to figure out how to roll out a patch to 200 routers
that are totally under your control, keep in mind that a *small* organization
can have 30K PCs, not always totally managed.

Still feel like just FTDT?
