Jim Franz wrote:
So what (from IBM & other major software vendors)

I (a) don't know and (b) don't know if it matters.

AFAIK, TCP/IP itself runs in PASE. (I.e., in the foundation that
5722SS1 option 33 provides an interface for.) Who knows? I'm not
specifically aware of anything but would be interested in knowing.

Regardless, I actually believe that that's an element of Joe's
passion. He expects a significant degree of openness from IBM on
issues of security and regularly pushes for it by demanding evidence.
If such vulnerabilities exist and they're simply kept quiet, a
degree of risk keeps rising. The argument against 'security by
obscurity' is refuted many times over. Joe demands evidence because
(IMO) he intends to force any such vulnerabilities to be _fixed_ pronto.

If we don't know, if all we know is "Stuff has happened", then it's
impossible to know if you're properly protecting yourself.

If nothing else, from that standpoint Joe is right to push and keep
pushing. At the very least, he continually hammers out the message
that we have the best available. And when a vulnerability becomes
known, he'll be at the front of the line to demand its closure.

...assuming anything is known.