On 19 Aug 2006 09:37:29 -0700, in bit.listserv.ibm-main
(Message-ID:<[EMAIL PROTECTED]>)
[EMAIL PROTECTED] wrote:
> If you are aware of further ways that "would be APARable", I'll
> suggest that it's your ethical responsibility, not to disclose
> them or even hint of their existence in a public forum, but to
> initiate the APAR
The first thing to do upon finding a security hole is
to notify the vendor.
IBM will generally understand the hole, and fix it
within a reasonable time. Other vendors are not so complaisant.
When a company willfully ignores or willfully refuses
to fix such holes, the best thing to do is to go public
with the information. If you found the hole, so might
someone else. Said someone else might use the security
hole maliciously, possibly against you. It is unfortunate,
but true, that some vendors *will not* fix security holes
until forced to.
The above is not just my own opinion:
"The argument that secrecy is good for security is naive,
and always worth rebutting. Secrecy is only beneficial to
security in limited circumstances, and certainly not with
respect to vulnerability or reliability information.
Secrets are fragile; once they're lost they're lost
forever. [...] Trying to base security on secrecy is just
plain bad design." - Bruce Schneier in
http://www.schneier.com/crypto-gram-0410.html
"That's the other fallacy with the secrecy argument: the
assumption that secrecy works. Do we really think that the
physical weak points of networks are such a mystery to the
bad guys? Do we really think that the hacker underground
never discovers vulnerabilities?" - ibid
"This Article asks the question: When does disclosure
actually help security? The discussion begins with a
paradox. Most experts in computer and network security are
familiar with the slogan that there is no security through
obscurity." - PETER P. SWIRE in
http://papers.ssrn.com/sol3/papers.cfm?abstract_id=531782
Article on "Full Disclosure and the Window of Exposure" -
http://www.schneier.com/crypto-gram-0009.html#1
True story about an unnamed product from an unnamed vendor:
There was a mainframe product which sent some
information from one system to another. The recipient could
display the userid and password that the user used on his
sending system. It took more than 4 months of phone calls
to get the vendor to agree that this was a security
hole. Once they agreed, they said it would take them a
year to fix it. My company would not allow me to do any
of: Threaten to take the hole public; send the hole to
CERT <http://www.cert.org/>; or otherwise publicize the
hole. I do not know if this security hole has yet been fixed.
--
I cannot receive mail at the address this was sent from.
To reply directly, send to ar23hur "at" intergate "dot" com
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html