Attackers can be clever, too. They can discover integrity problems without help from IBM. For the clever attacker, it is to his advantage for those integrity issues to NOT be discussed. The question becomes which is more dangerous -- the average attacker who needs help in designing his attack, or the clever attacker who really wants to stay hidden for as long as possible?
Customers who run unsupported software are almost by definition taking a risk. Customers who do not keep their system up-to-date are at risk. While they may have good reasons for not upgrading, nonetheless, they are still at risk. Who should be responsible for any damage that occurs due to not upgrading? IBM or the customer? I think that neither of those questions has a clearly right or wrong answer.

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Jim Mulder
Sent: Saturday, April 03, 2010 12:41 AM
To: [email protected]
Subject: Re: Heads Up: APAR IO11698 - New SAF FACILITY class definition required for any SMP/E use

> And this whole idea of trying to hide "Integrity" APARs has outlived its
> usefulness. If it ever had any.
> I have no gripe with fixing the hole then letting the cat out of the
> bag, but never doing it? Don't vendors ever learn?
> I also wonder about Brian's assertion of:
> <quote>The (fortunately) rare "integrity" flag</quote>
> How the hell are we supposed to be able to tell how rare it is. And if
> IBM doesn't have the confidence that they can talk about fixing these
> exposures, what are we to think of the rest of the codebase? Is it
> (supposedly) secure only until exposed/compromised? Excuse my lack of
> confidence.

We have no way of knowing when all customers have applied a System Integrity fix to all systems, so that there are no longer any exposed systems anywhere in the world. Discussions right here on IBM-MAIN suggest that some customers run releases which are no longer supported, and a fix will never be available for those unsupported releases. As a courtesy to customers with exposed systems, we do not discuss the nature of System Integrity APARs, since understanding an exposure is one of the steps towards formulating a method of attack on an exposed system.
Naturally, you may be curious about the nature of an exposure, and of course, we would love to show off how clever we were in discovering an exposure by telling you all about it. However, we feel that your curiosity and our desire to show off are overridden by the need to avoid unnecessarily assisting potential attackers.

Jim Mulder
z/OS System Test
IBM Corp.
Poughkeepsie, NY

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

