I think it is being framed incorrectly here.

Suppose IBM has code in one of their ciphers that is in error. This error is causing the output of that to be incorrect. This is a 'bug' and as such IBM would fix that in i 7.1. The existing ciphers need to be working correctly and I think we agree on this.

This compares for example to a seat-belt in a car. If the seat-belt does not lock in an accident you could be severely hurt. If the manufacturer knows this they will recall your car to correct the seat-belt flaw. They will however not ADD an air-bag to your car.

Now suppose there is a missing cipher in i 7.1 that you need. The ones it does have are now declared to be no longer safe, if not in practice at least in theory. You are told you need to use this new cipher so you must now choose to:
A) Stop communicating
C) Continue with the outdated and theoretically insecure cipher
D) Upgrade to a newer release with the new ciphers.

This compares to the air-bag in a car. It has been determined that seat-belts on their own are no longer safe enough. In a collision you could be hurt or worse even with a seat-belt. Air-bags are now a requirement. The manufacturers will not recall a seat-belt only car and add air-bags. While theoretically possible it would be a fantastic work effort and expense and since there are already new cars with air-bags available and the existing car is getting older there are now choices to be made.
A) Stop Driving.
B) Continue to drive with seat-belts only. After all if you do not get into an accident then you will never need an airbag. It's a chance you take.
C) Acquire a new car with air-bags.

Like theoretically vulnerable ciphers, for me this air-bag stuff is only theory. I have been in several accidents with seat-belts only and have never been hurt. Yet today all my vehicles have air-bags. (And yes, I do ALWAYS wear my seat-belt!)

So I think we need to get past 'it's broken' and up to 'needs new capability' and then we will realize that IBM *IS* doing the right thing by suggesting an upgrade as the correct path.

- Larry "DrFranken" Bolhuis

www.Frankeni.com
www.iDevCloud.com - Personal Development IBM i timeshare service.
www.iInTheCloud.com - Commercial IBM i Cloud Hosting.

On 7/11/2017 10:29 AM, John Yeung wrote:
On Tue, Jul 11, 2017 at 8:43 AM, DrFranken <midrange@xxxxxxxxxxxx> wrote:
b. IBM does do hiper and maintenance fixes for 7.1 - it's just that IBM is
more selective about what they will fix.

If it's broken they fix it. But adding new ciphers isn't really 'broken'
it's enhancing. They are no longer enhancing i 7.1 and said that a year ago.

Larry, I understand your (and IBM's) position, but it is not helpful
or convincing to frame it in this manner.

In the security world, if something becomes insecure just because the
technology of potential attackers has improved, then the old system
*has* become broken. For IBM to *call* plugging security holes an
"enhancement" rather than a "security fix" only makes IBM sound like
they are not serious about security.

Please understand, I am not saying that IBM is unjustified for not
providing a fix in this case. I am saying they should absolutely not
use *that* particular terminology-based argument to justify this
position. Because it comes across (to anyone outside the choir) as
disingenuous.

They absolutely can and absolutely should emphasize the technical
issues instead (saying things like the scope of the patch would be
impractically large, would incur cost they can't afford, etc).

Honestly, I would be less put off if IBM merely said "sorry, but we
have always reserved the right to not do any work, for any reason, and
this is one case where we are exercising that right" and leave it at
that.

John Y.



This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
