[Dailydave] Speculation

Thomas Ptacek tqbf at matasano.com
Sat Jul 19 22:27:00 EDT 2008 

I am drunk off my ass at the moment, as today is block party today,
and my ultraliberal neighbor Linda fed me 6 consecutive shots of
tequila. My guests at the party are not drunk, but cannot be
attributed. Find attached their verbatim response to this mail.

---

Here's the problem. I thought about this alot. The people responsible
for the problem should not be singly responsible for making sure the
fix is the appropriate fix. Because, I mean, we gave them our trust.
THEY FAILED. Why should we trust them solely in a non-open approach to
determine the appropriate solution.

By the way, they didn't talk to everyone. There are many production
DNS deployments today that cannot be patched, because the vendor is
not issuing a patch.

--- VP, Internet Security, Global Banking Organization

On 7/19/08, Paul Vixie <vixie at isc.org> wrote:
> > Those of us outside the research community who have to advise management
>  > cannot tell our executives "trust Dan."  We have to be able to weigh
>  > costs vs benefits, implementation details, and the like.  I'm glad people
>  > here and elsewhere have tried to figure this out, since it gives details
>  > to guide my recommendations.
>
>
> would you have preferred that the attack vector be completely published on
>  day 1, rather than a cert advisory with details to follow a month later at
>  defcon, so that your recommendations could be completely informed?  note
>  that in that case it would also go in the wild before you could patch.  is
>  that what you want the next discoverer to do for you?
>
>  note, it's not just "trust dan."  dan looped in a powerful group of dns
>  folks, each of whom was heard to speak the words "oh, shit!" and we have
>  been making the rounds, lending our names to this.
>
>
>  --
>
> This message has been scanned for viruses and
>  dangerous content by MailScanner, and is
>  believed to be clean.
>
>
> _______________________________________________
>  Dailydave mailing list
>  Dailydave at lists.immunitysec.com
>  http://lists.immunitysec.com/mailman/listinfo/dailydave
>


-- 
---
Thomas H. Ptacek // matasano security
read us on the web: http://www.matasano.com/log

More information about the Dailydave mailing list