Re: Back Doors (was: EXCP with a DEB)
- From: ibmmain@xxxxxxxxxxxx (Arthur T.)
- Date: 20 Aug 2006 07:45:13 -0700
On 19 Aug 2006 09:37:29 -0700, in bit.listserv.ibm-main (Message-ID:<200608191637.k7JGbJQ07617@sanitas>) gilmap@xxxxxxxxxxxx wrote:
If you are aware of further ways that "would be APARable", I'll
suggest that it's your ethical responsibility, not to disclose
them or even hint of their existence in a pubic forum, but to
initiate the APAR
The first thing to do upon finding a security hole is to notify the vendor.
IBM will generally understand the hole, and fix it within a reasonable time. Other vendors are not so complaisant.
When a company willfully ignores or willfully refuses to fix such holes, the best thing to do is to go public with the information. If you found the hole, so might someone else. Said someone else might use the security hole maliciously, possibly against you. It is unfortunate, but true, that some vendors *will not* fix security holes until forced to.
The above is not just my own opinion:
"The argument that secrecy is good for security is naive, and always worth rebutting. Secrecy is only beneficial to security in limited circumstances, and certainly not with respect to vulnerability or reliability information. Secrets are fragile; once they're lost they're lost forever. [...] Trying to base security on secrecy is just plain bad design." - Bruce Schneier in http://www.schneier.com/crypto-gram-0410.html
"That's the other fallacy with the secrecy argument: the assumption that secrecy works. Do we really think that the physical weak points of networks are such a mystery to the bad guys? Do we really think that the hacker underground never discovers vulnerabilities?" - ibid
"This Article asks the question: When does disclosure actually help security? The discussion begins with a paradox. Most experts in computer and network security are familiar with the slogan that there is no security through obscurity." - PETER P. SWIRE in http://papers.ssrn.com/sol3/papers.cfm?abstract_id=531782
Article on "Full Disclosure and the Window of Exposure" -
True story about an unnamed product from an unnamed vendor:
There was a mainframe product which sent some information one system to another. The recipient could display the userid and password that the user used on his sending system. It took more than 4 months of phone calls to get the vendor to agree that this was a security hole. Once they agreed, they said it would take them a year to fix it. My company would not allow me to do any of: Threaten to take the hole public; send the hole to CERT <http://www.cert.org/>; or otherwise publicize the hole. I do not know if this security hole has yet been fixed.
I cannot receive mail at the address this was sent from.
To reply directly, send to ar23hur "at" intergate "dot" com
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to listserv@xxxxxxxxxxx with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
- Prev by Date: Re: Back Doors
- Next by Date: Re: IBM-MAIN Digest - 18 Aug 2006 to 19 Aug 2006 (#2006-232)
- Previous by thread: Re: Back Doors (was: EXCP with a DEB)
- Next by thread: Re: z/OS security (was RE: EXCP with a DEB)