Re: Heroku early upgrade is raising serious questions

From: Josh Berkus <josh(at)agliodbs(dot)com>
To: "Joshua D(dot) Drake" <jd(at)commandprompt(dot)com>
Cc: Stephen Frost <sfrost(at)snowman(dot)net>, Michael Meskes <meskes(at)postgresql(dot)org>, Dave Page <dpage(at)pgadmin(dot)org>, Adrian Klaver <adrian(dot)klaver(at)gmail(dot)com>, damien clochard <damien(at)dalibo(dot)info>, "Jonathan S(dot) Katz" <jonathan(dot)katz(at)excoventures(dot)com>, PostgreSQL Advocacy <pgsql-advocacy(at)postgresql(dot)org>
Subject: Re: Heroku early upgrade is raising serious questions
Date: 2013-04-12 18:56:21
Message-ID: 516858D5.7060707@agliodbs.com
Lists: pgsql-advocacy


>> Perhaps not, but I feel we can, and should, do our best to try and get
>> everyone updated before giving attackers the information they need to
>> exploit people.
>
> Well I certainly agree with that.

... which was the goal in doing early notification of the cloud
providers. They were indisputably the biggest potential targets for the
recent vulnerability. And they *didn't* get hacked, so the strategy was
materially successful. Whether or not a different approach would have
been equally/more successful is, at this point, "monday morning
quarterbacking" as we say in the 'States.

I'm a pragmatist. I'm looking for the policy which protects the most
users from script kiddies. If that policy is fair and democratic that's
also good, but less important than preventing people from being hacked.
This is where I, personally, am coming from.

The problem with early notification from this perspective is that the
more organizations receiving early notification, the greater the chance
of a leak, at which point you've done the opposite of protecting users.
On the other hand, the problem with no notification is that you create
a race between black hats and admins as to who can deploy the fix vs.
the exploit faster, which isn't good either. I don't know that any
organization has a clear answer to this year, including large commercial
software vendors.

--
Josh Berkus
PostgreSQL Experts Inc.
http://pgexperts.com
