On 2 Apr 2010 21:41:10 -0700, in bit.listserv.ibm-main
(Message-ID:<ofa817fc6f.38ddd672-on852576fa.0017ea06-852576fa.0019b...@us.ibm.com>)
[email protected] (Jim Mulder) wrote:
And this whole idea of trying to hide "Integrity" APARs has
outlived its usefulness. If it ever had any.
I have no gripe with fixing the hole then letting the cat out of
the bag, but never doing it? Don't vendors ever learn?
We have no way of knowing when all customers have applied a
System Integrity fix to all systems, so that there are no longer
any exposed systems anywhere in the world. Discussions right here
on IBM-MAIN suggest that some customers run releases which are no
longer supported, and a fix will never be available for those
unsupported releases. As a courtesy to customers with exposed
systems, we do not discuss the nature of System Integrity APARs,
since understanding an exposure is one of the steps towards
formulating a method of attack on an exposed system. Naturally,
you may be curious about the nature of an exposure, and of
course, we would love to show off how clever we were in
discovering an exposure by telling you all about it. However, we
feel that your curiosity and our desire to show off are
overridden by the need to avoid unnecessarily assisting potential
attackers.
This particular fix, though, requires each company's
security department to define who can use SMP/E and in what
way. Without knowing what the security hole is, how can
they know how to assign access?
--
I cannot receive mail at the address this was sent from.
To reply directly, send to ar23hur "at" pobox "dot" com