
All done and settled

Lucian Pintilie writes:

> You keep talking about 1.5 years and a simple measure you
> know for correcting the problem. That doesn't put you in
> a good position either [...]

Yes, you are right. And it's even worse: Not only did I
completely fail to realize this is a problem, I even got
paid as a _security consultant_ to help set up secure
servers. And I recommended Gentoo. And took money for it.
And for all we know, these servers belong to the NSA by now.

Which means that I have totally fucked up the job my clients
trusted me to do and when the details of this problem reach
the consciousness of the "general public", there will be
questions asked and I will look like an idiot to my clients,
not like a hero who "blew the whistle". Because they
couldn't care less about technical details, they only care
about security.

Note, however, that I spoke up and raised all hell the
_minute_ I learned about this problem. Perhaps those people
who are questioning my motivations and my integrity as a
human being should consider that before judging what I am
trying to do here.

And while I am at it, I'd also like to point out that those
people who have said that this latest revival of the thread
was a pointless waste of time that only served to annoy
people and didn't help matters at all ... were right, too.

Because several _hours_ before I started the latest little
flame fest here on the list, Kurt had already sent me an
e-mail and explained what he thought would be best to do and
asked whether I would help. By some weird chance, though, my
spam filter decided that this would be a good time to
produce the first false-positive in MONTHS and sorted the
e-mail into the spam folder, not into my regular mailbox. So
I didn't see it and all the while Kurt was waiting for me to
reply to him, I was posting and posting on this list
shouting and screaming why nothing was being done.

Rather cool, isn't it?

And now check this out: No matter how much I feel this was
not my fault, no matter how much I believe it was an honest
mistake that I couldn't have prevented, it won't change the
fact that I fucked up again and uselessly wasted bandwidth,
people's time, and did not help matters at all because the
answer to all questions was readily waiting in my mailbox
already.

I admit it, I regret it, and I apologize.

Peter



--
gentoo-security@gentoo.org mailing list
Re: All done and settled
On Wednesday 10 November 2004 16:02, Peter Simons wrote:
> Which means that I have totally fucked up the job my clients
> trusted me to do and when the details of this problem reach
> the consciousness of the "general public", there will be
> questions asked and I will look like an idiot to my clients,
> not like a hero who "blew the whistle". Because they
> couldn't care less about technical details, they only care
> about security.

That's the difference between relying on an open-source distro and a commercial
counterpart. In the latter case you have someone who can be held liable, since
you (or your customer) paid for it. Unless you provide a fix, your customer
is absolutely right to blame you, but you're wrong if you think you can
shift it onto someone else. Clamouring doesn't help; do a better job next
time. It is your economic risk.


Carsten