We use CA products here. I would want to be informed by letter from CA
if they discovered any security holes, and given the opportunity to fix
it. Security by obscurity does not work. If you found the hole, then
someone else who may be less honourable will too.

Thinking about it a little more, I am inclined to insist that CA inform
me of security fixes.

I think that if CA refuses to inform customers about this security issue,
you should let the list know what product is affected, and the fix
number. Details about the problem beyond that are not required.

Peter

Uno viso, omnia visa sunt. 

-----Original Message-----
From: VM/ESA and z/VM Discussions [mailto:[EMAIL PROTECTED] On
Behalf Of Romanowski, John (OFT)
Sent: October 28, 2005 14:12
To: [email protected]
Subject: How to handle security hole?

I alerted Computer Associates (CA) to a security hole in one of their
VM products that lets any VM userid control a VM system that runs this
product. CA wrote a fix.
 
If your VM system's running this product without the fix then it has
this security hole active now. The security hole is installed by
default and there's no product installation step or configuration
parameter that closes the hole.

CA and I have agreed to disagree on how well they alert their customers
to the existence of security-related fixes for VM products.

My question to all is would you rather CA labeled VM product fixes as
security-related or not?  Is security thru obscurity better?
