Hi,
Panic and gossip/rumours are bad advisors, especially when it comes to
security incidents. It was possible from the very beginning to contact
the user involved directly through well known and established channels,
which would have cleared the issue immediately. That course of action
was not taken, and the result was this thread, letting people
speculate and try to guess what was going on, and take actions
that did not really address any real problem. Disclosure should
be made in a responsible way.
Another issue that resurfaced is what purpose the dteam VO serves and
who can be its members. It is the VO for use by a site management team,
OK so far, but what kind of people exactly can be described by the term
"site managers"? And what can those people run as dteam members: can
they do development, investigate security issues, do
research/scientific work? That needs to be cleared up. Also there are tools
like glogin that can be used to provide "shell" access to every cluster,
and can easily be considered to bypass authorization policies. There
is no clear answer as to whether they are "good" or "bad" things, since it would
depend on the usage.
All other issues aside, George's work disclosed a weakness in our
infrastructure, which is a good thing since we can now take steps to
address it. Such contributions are needed and I think should be welcomed.
Best regards,
--
============================================================================
Dimitris Zilaskos
Department of Physics @ Aristotle University of Thessaloniki , Greece
PGP key : http://tassadar.physics.auth.gr/~dzila/pgp_public_key.asc
http://egnatia.ee.auth.gr/~dzila/pgp_public_key.asc
MD5sum : de2bd8f73d545f0e4caf3096894ad83f pgp_public_key.asc
============================================================================