Re: Rewarding Challenge AS/400 -- MIDRANGE-L

I agree with the comments below. We are trying to help our customers
improving security on their boxes (with or without help from IBM). If anybody
has the notion that our tools are 'hacker tools' they are WAY off base.
So, as these issues are VERY sensitive, I think we should all
take a deep breath. I see no reason, f.ex., to confront IBM with this
at COMMON. They are not likely to have a reasonable answer, and
the whole atmosphere could easily turn ugly. What we need to do is
to quietly work to improve security on the box without panicking our
customers. I might even have said too much in this forum. Although,
with our press release the cat is already somewhat out of the bag.
Let me reiterate: we are not selling a tool to crack passwords;
we are selling a tools to check if your installation have passwords
that are easily guessed with the goal of forcing the users to use
stronger passwords, thus strengthening security.

----- Original Message -----
From: V. Leveque <vleveque@earthlink.net>
To: <MIDRANGE-L@midrange.com>
Sent: Tuesday, September 28, 1999 8:04 PM
Subject: Re: Rewarding Challenge AS/400


This issue was raised a few years back with the COMMON Security Task Force.
I can't recall exactly why CERT isn't used ( a combination of things no
doubt) but the need was definitely stated especially for secure confidential
channels in reporting problems and in notifying system administrators of
fixes.

COMMON did produce a report where this issue and others were addressed.  I'm
not sure what has come of the recommendations -- aside from the fact IBM did
work to close some of the then-stated vulnerabilities and now offers some
features that were then discussed (i.e. Security Wizard).

In theory COMMON would be the perfect forum to get this rolling.  In actual
practice there may be certain organizational impediments.

(boy do I sound like a bureacrat! Gotta always be diplomatic..)

At 06:31 PM 9/28/99 -0500, you wrote:
>see below.
>    Someone has raised the point about the publication & response by IBM to
security exposures. I have often wondered why the notification services like
CERT, never report AS/400 problems. They certainly do report http, java,
WebSphere , SQL and other problems, all of which OS/400 works with. But the
reports are always about WinXX, Linux, Unix, NT, Sun, and a few others.
(Actually I do know why - most of the universe doesn't know or understand
what an AS/400 is). BTW, CERT is a good place to get free info on security
exposures, and a free e-mail alert service. Our government at work. CERT�
Coordination Center
>
>  ----------------------------------
>
>  When we first told IBM about our findings, there response was some like
>  this (I can't remember the exact words - because it was always verbal):
>
>  If you go public with this we will cut you off (we are a business partner
of IBM).
>  We will bury you. We will make sure you go out of business. Don't rock
>  the boat.
>
>  ----------------------------------------
>
>  how is that for irresponsibility ???
>
><!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
><HTML><HEAD>
><META content="text/html; charset=iso-8859-1" http-equiv=Content-Type>
><META content="MSHTML 5.00.2014.210" name=GENERATOR>
><STYLE></STYLE>
></HEAD>
><BODY bgColor=#ffffff>
><DIV><FONT size=2>see below.</FONT></DIV>
><BLOCKQUOTE
>style="BORDER-LEFT: #000000 2px solid; MARGIN-LEFT: 5px; MARGIN-RIGHT: 0px;
PADDING-LEFT: 5px; PADDING-RIGHT: 0px">
>  <DIV>&nbsp; Someone has raised the point about the publication &amp;
response
>  by IBM to security exposures. I have often wondered why the notification
>  services like CERT, never report AS/400 problems. They certainly do report
>  http, java, WebSphere , SQL and other problems, all of which OS/400 works
>  with. But the reports are always about WinXX, Linux, Unix, NT, Sun, and a
few
>  others. (Actually I do know why - most of the universe doesn't know or
>  understand what an AS/400 is). BTW, CERT is a good place to get free info
on
>  security exposures, and a free e-mail alert service. Our government at
work.
>  <A href="http://www.cert.org">CERT� Coordination Center</A> <BR></DIV>
>  <DIV><FONT size=2>----------------------------------</FONT></DIV>
>  <DIV>&nbsp;</DIV>
>  <DIV><FONT size=2>When we first told IBM about our findings, there
response
>  was some like</FONT></DIV>
>  <DIV><FONT size=2>this (I can't remember the exact words - because it was
>  always verbal):</FONT></DIV>
>  <DIV>&nbsp;</DIV>
>  <DIV><FONT size=2>If you go public with this we will cut you off (we are a
>  business partner of IBM).</FONT></DIV>
>  <DIV><FONT size=2>We will bury you. We will make sure you go out of
business.
>  Don't rock</FONT></DIV>
>  <DIV><FONT size=2>the boat.</FONT></DIV>
>  <DIV>&nbsp;</DIV>
>  <DIV><FONT size=2>----------------------------------------</FONT></DIV>
>  <DIV>&nbsp;</DIV>
>  <DIV><FONT size=2>how is that for irresponsibility ???</FONT></DIV>
>  <DIV>&nbsp;</DIV></BLOCKQUOTE></BODY></HTML>
>

     |----------------------------|  "Outside of a dog, a book is a man's
     |\  /         |    \  /      |  best companion.  Inside of a dog,
     | \/ INCENT   |__E  \/EQUE   |  it's too dark to read."
     |----------------------------|        -- Groucho Marx

+---
| This is the Midrange System Mailing List!
| To submit a new message, send your mail to MIDRANGE-L@midrange.com.
| To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
| To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
| Questions should be directed to the list owner/operator: david@midrange.com
+---


+---
| This is the Midrange System Mailing List!
| To submit a new message, send your mail to MIDRANGE-L@midrange.com.
| To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
| To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
| Questions should be directed to the list owner/operator: david@midrange.com
+---