LISTSERV - HP3000-L Archives

HP3000-L Archives

March 1995, Week 4

HP3000-L@RAVEN.UTC.EDU

	LISTSERV Archives
	HP3000-L Home
	HP3000-L March 1995, Week 4

	Log In
	Register

	Subscribe or Unsubscribe

	Search Archives

Options:	Use Monospaced Font Show Text Part by Default Show All Mail Headers
Message:	[<< First] [< Prev] [Next >] [Last >>]
Topic:	[<< First] [< Prev] [Next >] [Last >>]
Author:	[<< First] [< Prev] [Next >] [Last >>]

Subject:	Re: Security reply
From:	Jim Wowchuk <[log in to unmask]>
Reply To:	Jim Wowchuk <[log in to unmask]>
Date:	Mon, 27 Mar 1995 16:25:45 +1000
Content-Type:	text/plain
Parts/Attachments:	text/plain (54 lines)

At 03:22 PM 26/3/95 -0500, Tony B. Shepherd wrote:
>IMNSHO HP should publicly admit a problem exists, privately disclose
>details of the problem (including proposed solutions) to customers,
>and let the customer choose what (if anything) to do.  And in my
>opinion, the solution should NOT require an MPE upgrade.  If it does,
>HP should pay for non-prime time RC support if the customer's normal
>operations would suffer doing the upgrade in prime time.

Another point to consider is those sites not currently on a support contract
with HP.  Sure its easy to say, "Well get supported or get lost!", but is
this unfair competition?  Imagine if the car manufacturers said, "Yes we
know there's a potential brake failure problem in our model XYZ, but we'll
only fix it for those customers who paid for an extended warranty".
Fortunately car manufacturers are governed by special recall laws;
unfortunately these laws don't apply to computer systems.  Yes, there is a
magnitude of difference between risk to life and risk to commercial
operation, but the loss of a corporate computer system can be more harmful
to a company's existence than say the loss (by accident) of its CEO in an
auto accident.

Unfair competition?  Well considering that a vendor *could* (though not
necessarily do) say, "Well computer software systems are complex things, and
we won't guarantee there aren't serious security holes in your system unless
you maintain a contract with us.".  The possibility would exist that an
unscrupulous company (not HP) could deliberately introduce time bomb bugs
for the sole purpose of ensuring systems stayed on contract.  The purchaser
can do nothing to prevent this on their part.  Nor could any 3rd party, I
suspect, provide the same service without violating some confidentiality
agreement with the vendor.  After all the bugs would not be common knowledge
(but the effects may be), and the specific nature of them would need to be
protected. There would also be a question of licensing regulations if the
code was modified by someone else.  The Microsoft AARD saga probably best
describes it all (See Dr. Dobbs Journal, Dec 1993).

$DREAM ON

My desire would be that patches or workarounds should be freely available
for any site affected by known problems that affect either security or
operational reliability.  HP should charge a reasonable fee for distribution
or installation for those sites not on support contract, but that fee should
reflect the actual distribution costs involved, not a cost recovery against
overheads.

$DREAM OFF

----
Jim "seMPEr" Wowchuk           Internet:    [log in to unmask]
Vanguard Computer Services     Compu$erve:  100036,106
 _--_|\                        Post:        PO Box 18, North Ryde, NSW 2113
/      \                       Phone:       +61 (2) 888-9688
\.--.__/ <---Sydney NSW        Fax:         +61 (2) 888-3056
      v      Australia

ATOM RSS1 RSS2

RAVEN.UTC.EDU