I tend to agree that we shouldn't "broadcast" a vulnerability, but I also strongly feel that if a vulnerability exists, responsible people should know about it so they can take precautions. This security lapse should never have made it to the AS/400... My take on it is IBM wasn't quick on the response. The hardware has been out for 12 years! Only when the breach was published did they take action.

William

----- Original Message -----
From: "Jim Franz" <franz400@triad.rr.com>
To: <MIDRANGE-L@midrange.com>
Sent: Tuesday, June 13, 2000 8:45 PM
Subject: Re: AS400 user password

> My wife describes pgmrs as some of the most unethical people around, slightly better than management, salesmen, & lawyers. We have no "code of conduct/ethics" to live by. The reporting argument has been around a long time. Was a bystander at Common years ago when IBM and the Common Security Task Force went at it. Boy, was that fun! Learned more about security in 2 hours of yelling than in previous 15 years.
>
> IMHO, we should be ethical, never broadcast a vulnerability without proper reporting, and the vendor has a fix (as long as the vendor is responsible and makes a reasonably quick response). Every shop with a pgmr (not the secofr) on this list became "more" vulnerable with the posting. This time, IBM made a quick response. IBM does need a clearly stated method of reporting (is it the 800-237-5511 Software Support? and clearly identify it as a Security Issue). Put this on the website!
>
> Long ago, in November 1991, the guidelines for being responsible on the Internet were published, "Guidelines for the Secure Operation of the Internet" (RFC1281)
> http://info.internet.isi.edu/in-notes/rfc/files/rfc1281.txt
> It requires that users be responsible, and vendors be responsible. This is worth reading for both sides, and it's only a few pages. I still think, if we want the AS/400 to live with the "big boys" of net computing, CERT reporting is the way to go.
> www.cert.org
>
> Jim Franz
>
> ----- Original Message -----
> From: "Leif Svalgaard" <leif@leif.org>
> To: <MIDRANGE-L@midrange.com>
> Sent: Tuesday, June 13, 2000 9:22 AM
> Subject: Re: AS400 user password
>
> > > Gene Gaunt is a talented programmer and writes some great stuff and I don't wish to bash him, but IMHO it was a mistake to post the code the way he did. I would think that a genuine concern for security would dictate that a Security APAR would be opened prior to posting this very serious exposure publicly (And as a programmer, wouldn't you rather be told personally about your bugs before they get posted on an internet forum?). During the time that it took IBM to respond, we were all hanging out there with our passwords available to anyone with programmer abilities and a subscription to the MI list.
> >
> > I fully agree that IBM should be commended on their responsiveness on this, but one could speculate how long this would have taken, had Gene NOT published his code first.
> >
> > +---
> > | This is the Midrange System Mailing List!
> > | To submit a new message, send your mail to MIDRANGE-L@midrange.com.
> > | To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
> > | To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
> > | Questions should be directed to the list owner/operator: david@midrange.com
> > +---
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].