Gee, Jim, how did your wife come to form such an opinion? Anybody she knows? <gdr>

The big piece of the puzzle that's missing here is the timeline of the events. And even I acknowledged that everything I repeated from others was hearsay. You're right that the vendor (IBM) should be given a reasonable opportunity to fix a problem like this before telling the whole world about it. Far be it from me to say how long it should take to correct a bug of this nature, although the MI400 guys seemed to have had their own fix for it within a matter of a day.

There was a lot more being said, accusing IBM of not even responding to reports of security problems. Were they submitted through the proper channels? I don't know. (Another reason for CERT?) But I would say this. The average Joe Programmer doesn't have the authority to submit problem reports to IBM. Is he or she going to bother the boss about it? Maybe or maybe not; I told my supervisor about this issue.

The IBM lurkers on this list have chosen not to respond to the charges of being slow to action, the lone exception being Ed Fishel, who responded to my post on the responsiveness issues (thank you, Ed). Ed reported that IBM had only been aware of this particular problem for a week. Those who have implied otherwise have not responded to Ed's assertion.

Oh, and on the ethics argument, if IBM *is*, in fact, not responding to reports of a security exposure, is it still unethical to post the bug for the world to see as a means to force IBM's hand? If it is, I would argue that IBM is being more unethical by ignoring the problem. (Remember, I said "if".)

- Dan Bale

> -----Original Message-----
> From: Jim Franz [SMTP:franz400@triad.rr.com]
> Sent: Tuesday, June 13, 2000 9:46 PM
> To: MIDRANGE-L@midrange.com
> Subject: Re: AS400 user password
>
> My wife describes pgmrs as some of the most unethical people around,
> slightly better than management, salesmen, & lawyers. We have no "code of
> conduct/ethics" to live by. The reporting argument has been around a long
> time. Was a bystander at Common years ago when IBM and the Common Security
> Task Force went at it. Boy, was that fun! Learned more about security in 2
> hours of yelling than in previous 15 years.
> IMHO, we should be ethical, never broadcast a vulnerability without proper
> reporting, and the vendor has a fix (as long as the vendor is responsible
> and makes a reasonably quick response). Every shop with a pgmr (not the
> secofr) on this list became "more" vulnerable with the posting. This time,
> IBM made a quick response. IBM does need a clearly stated method of
> reporting (is it the 800-237-5511 Software Support? and clearly identify it
> as a Security Issue). Put this on the website!
> Long ago, in November 1991 was published the guidelines for being
> responsible on the Internet, "Guidelines for the Secure Operation of the
> Internet" (RFC1281)
> http://info.internet.isi.edu/in-notes/rfc/files/rfc1281.txt
> It requires that users be responsible, and vendors be responsible. This is
> worth reading for both sides, and it's only a few pages. I still think, if
> we want the AS/400 to live with the "big boys" of net computing, CERT
> reporting is the way to go. www.cert.org
> Jim Franz
>
> ----- Original Message -----
> From: "Leif Svalgaard" <leif@leif.org>
> To: <MIDRANGE-L@midrange.com>
> Sent: Tuesday, June 13, 2000 9:22 AM
> Subject: Re: AS400 user password
>
> > > Gene Gaunt is a talented programmer and writes some great stuff and I don't
> > > wish to bash him, but IMHO it was a mistake to post the code the way he did. I
> > > would think that a genuine concern for security would dictate that a Security
> > > APAR would be opened prior to posting this very serious exposure publicly (And
> > > as a programmer, wouldn't you rather be told personally about your bugs before
> > > they get posted on an internet forum?). During the time that it took IBM to
> > > respond, we were all hanging out there with our passwords available to anyone
> > > with programmer abilities and a subscription to the MI list.
> >
> > I fully agree that IBM should be commended on their responsiveness on
> > this, but one could speculate how long this would have taken, had Gene
> > NOT published his code first.

+---
| This is the Midrange System Mailing List!
| To submit a new message, send your mail to MIDRANGE-L@midrange.com.
| To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
| To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
| Questions should be directed to the list owner/operator: david@midrange.com
+---
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page.