Re: Heroku early upgrade is raising serious questions
| From | Josh Berkus |
|---|---|
| Subject | Re: Heroku early upgrade is raising serious questions |
| Date | |
| Msg-id | 516858D5.7060707@agliodbs.com |
| In reply to | Re: Heroku early upgrade is raising serious questions ("Joshua D. Drake" <jd@commandprompt.com>) |
| List | pgsql-advocacy |
>> Perhaps not, but I feel we can, and should, do our best to try and get
>> everyone updated before giving attackers the information they need to
>> exploit people.
>
> Well I certainly agree with that.

... which was the goal in doing early notification of the cloud providers. They were indisputably the biggest potential targets for the recent vulnerability. And they *didn't* get hacked, so the strategy was materially successful. Whether or not a different approach would have been equally/more successful is, at this point, "monday morning quarterbacking" as we say in the 'States.

I'm a pragmatist. I'm looking for the policy which protects the most users from script kiddies. If that policy is fair and democratic that's also good, but less important than preventing people from being hacked. This is where I, personally, am coming from.

The problem with early notification from this perspective is that the more organizations receiving early notification, the greater the chance of a leak, at which point you've done the opposite of protecting users. On the other hand, the problem with no notification is that you create a race between black hats and admins as to who can deploy the fix vs. the exploit faster, which isn't good either.

I don't know that any organization has a clear answer to this year, including large commercial software vendors.

--
Josh Berkus
PostgreSQL Experts Inc.
http://pgexperts.com