From: Chuck Yerkes
To: Alex Holst
Date: Thu, 1 Aug 2002 13:27:48 -0700
Subject: Re: openssh trojaned..
Message-ID: <20020801132748.B30940@snew.com>
User-Agent: Mutt/1.2.5i

Quoting Alex Holst (a@mongers.org):
> Quoting Jan Wildeboer (jan.wildeboer@gmx.de):
> > I would expect an immediate response of the OpenSSH people.
>
> I would expect you to shut the fuck up and wait for the people to handle
> this.
>
> The only thing worse than having to handle an incident is having muppets
> screaming and yelling, making demands for "progress reports" while
> you're trying to concentrate on solving a puzzle.
>
> Makes incident handlers want to kill.
>
> Now shut up.

No, the reasonable response would be letting people know RIGHT NOW
as soon as they have confirmed it.

Your attitude indicates a certain newness to the real world of
computing and business, so go back to your Nintendo and try to
kill the evil turtle.

My GirlF's site (with several thousand terabytes of data) just
upgraded OpenSSH 3.4 packages (a better build for them). When it
hit Slashdot, they killed OpenSSH and she drove 20 miles (60 minutes)
to the Santa Clara datacenter to deal with the machines they can't
trust. She's installing from old sources they CAN trust.

Just one company.

When the lack of information costs several thousands of dollars in
productivity and uptime (far more if they have to validate all
the data), then yeah, being forthcoming would be good.

A trojan indicates an existing way to exploit it.