  Re: White hat? Black Hat?  
From: Warp
Date: 13 Sep 2008 14:12:39
Message: <48cc0297@news.povray.org>
somebody <x### [at] ycom> wrote:
> >   A security hole report does not cause waking up the sysadmin in the
> > middle of the night and paying overtime wages or taking the system
> > offline.

> Really? If I send you an e-mail listing all your financial and confidential
> information, won't you

  No, because I don't read my email in the middle of the night, while
sleeping.

> be wasting the rest of your day frantically calling
> every bank, agency, government institution, and business to inform them to
> disable your cards, change numbers, accounts... etc? In the meantime, you
> won't have access to those things. Now consider confidential information of
> thousands of students and do the math. Everything has a cost. Even if fixing
> the system doesn't cost money (hah, in a dream world!), major damage is done
> with any such reckless act.

  So basically if the sysadmin is kept ignorant of the security hole,
no extra money is wasted and everybody is happy (but the security hole
goes unnoticed and unfixed). Apparently this is the desirable thing,
according to you.

> >   It causes the sysadmin to send a report to the software house with which
> > they have a software license so that they will fix the security hole. At
> > regular working hours.

> Not all systems are such turnkey operations, and the vendor won't himself
> have a fix for every type of security breach even if they were.

  And thus it's better for the sysadmins *not* to know about the security
hole?

-- 
                                                          - Warp

