×
The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.
I think it is being framed incorrectly here.
Suppose IBM has code in one of their ciphers that is in error. This
error is causing the the output of that to be incorrect. This is a 'bug'
and as such IBM would fix that in i 7.1. The existing ciphers need to be
working correctly and I think we agree on this.
This compares for example to a seat-belt in a car. If the seat-belt does
not lock in an accident you could be severely hurt. If the manufacturer
knows this they will recall your car to correct the seat-belt flaw. They
will however not ADD an air-bag to your car.
Now Suppose there is a missing cipher in i 7.1 that you need. The ones
it does have are now declared to be no longer safe, if not in practice
at least in theory. You are told you need to use this new cipher so you
must now choose to:
A) Stop communicating
C) Continue with the outdated and theoretically insecure cipher
D) Upgrade to a newer release with the new ciphers.
This compares to the air-bag in a car. It has been determined that
seat-belts on their own are no longer safe enough. In a collision you
could be hurt or worse even with a seat-belt. Air-bags are now a
requirement. The manufacturers will not recall a seat-belt only car and
add air-bags. While theoretically possible it would be a fantastic work
effort and expense and since there are already new cars with air-bags
available and the existing car is getting older there are now choices to
be made.
A) Stop Driving.
B) Continue to drive with seat-belts only. After all if you do not get
into an accident then you will never need an airbag. It's a chance you
take.
C) Acquire a new car with air-bags.
Like theoretically vulnerable ciphers for me this air-bag stuff is only
theory. I have been in several accidents with seat-belts only and have
never been hurt. Yet today all my vehicles have air-bags. (and yes I do
ALWAYS wear my seat-belt!)
So I think we need to get past 'it's broken' and up to 'needs new
capability' and then we will realize that IBM *IS* doing the right thing
by suggesting an upgrade as the correct path.
- Larry "DrFranken" Bolhuis
www.Frankeni.com
www.iDevCloud.com - Personal Development IBM i timeshare service.
www.iInTheCloud.com - Commercial IBM i Cloud Hosting.
On 7/11/2017 10:29 AM, John Yeung wrote:
On Tue, Jul 11, 2017 at 8:43 AM, DrFranken <midrange@xxxxxxxxxxxx> wrote:
b. IBM does do hiper and maintenance fixes for 7.1 - it's just that IBM is
more selective about what they will fix.
If it's broken they fix it. But adding new ciphers isn't really 'broken'
it's enhancing. They are no longer enhancing i 7.1 and said that a year ago.
Larry, I understand your (and IBM's) position, but it is not helpful
or convincing to frame it in this manner.
In the security world, if something becomes insecure just because the
technology of potential attackers has improved, then the old system
*has* become broken. For IBM to *call* plugging security holes an
"enhancement" rather than a "security fix" only makes IBM sound like
they are not serious about security.
Please understand, I am not saying that IBM is unjustified for not
providing a fix in this case. I am saying they should absolutely not
use *that* particular terminology-based argument to justify this
position. Because it comes across (to anyone outside the choir) as
disingenuous.
They absolutely can and absolutely should emphasize the technical
issues instead (saying things like the scope of the patch would be
impractically large, would incur cost they can't afford, etc).
Honestly, I would be less put off if IBM merely said "sorry, but we
have always reserved the right to not do any work, for any reason, and
this is one case where we are exercising that right" and leave it at
that.
John Y.
midrange.com
