I agree with the comments below. We are trying to help our customers improve security on their boxes (with or without help from IBM). If anybody has the notion that our tools are 'hacker tools' they are WAY off base. So, as these issues are VERY sensitive, I think we should all take a deep breath. I see no reason, for example, to confront IBM with this at COMMON. They are not likely to have a reasonable answer, and the whole atmosphere could easily turn ugly. What we need to do is to quietly work to improve security on the box without panicking our customers. I might even have said too much in this forum. Although, with our press release the cat is already somewhat out of the bag. Let me reiterate: we are not selling a tool to crack passwords; we are selling a tool to check if your installation has passwords that are easily guessed, with the goal of forcing the users to use stronger passwords, thus strengthening security.

----- Original Message -----
From: V. Leveque <vleveque@earthlink.net>
To: <MIDRANGE-L@midrange.com>
Sent: Tuesday, September 28, 1999 8:04 PM
Subject: Re: Rewarding Challenge AS/400

This issue was raised a few years back with the COMMON Security Task Force. I can't recall exactly why CERT isn't used (a combination of things no doubt), but the need was definitely stated, especially for secure confidential channels in reporting problems and in notifying system administrators of fixes. COMMON did produce a report where this issue and others were addressed. I'm not sure what has come of the recommendations -- aside from the fact IBM did work to close some of the then-stated vulnerabilities and now offers some features that were then discussed (i.e. Security Wizard). In theory COMMON would be the perfect forum to get this rolling. In actual practice there may be certain organizational impediments. (Boy do I sound like a bureaucrat! Gotta always be diplomatic..)

At 06:31 PM 9/28/99 -0500, you wrote:
>see below.
>
>Someone has raised the point about the publication & response by IBM to security exposures. I have often wondered why the notification services like CERT never report AS/400 problems. They certainly do report http, java, WebSphere, SQL and other problems, all of which OS/400 works with. But the reports are always about WinXX, Linux, Unix, NT, Sun, and a few others. (Actually I do know why - most of the universe doesn't know or understand what an AS/400 is.)
>
>BTW, CERT is a good place to get free info on security exposures, and a free e-mail alert service. Our government at work. CERT® Coordination Center: http://www.cert.org
>
>----------------------------------
>
>When we first told IBM about our findings, their response was something like this (I can't remember the exact words - because it was always verbal):
>
>If you go public with this we will cut you off (we are a business partner of IBM). We will bury you. We will make sure you go out of business. Don't rock the boat.
>
>----------------------------------------
>
>how is that for irresponsibility ???

|----------------------------|  "Outside of a dog, a book is a man's
|\  /  |          \  /       |   best companion. Inside of a dog,
| \/INCENT    |__E \/EQUE    |   it's too dark to read."
|----------------------------|                     -- Groucho Marx

+---
| This is the Midrange System Mailing List!
| To submit a new message, send your mail to MIDRANGE-L@midrange.com.
| To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
| To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
| Questions should be directed to the list owner/operator: david@midrange.com
+---
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].