HP3000-L Archives

March 1995, Week 5

HP3000-L@RAVEN.UTC.EDU

From: Joe CAMPBELL <[log in to unmask]>
Reply To: Joe CAMPBELL <[log in to unmask]>
Date: Fri, 31 Mar 1995 03:44:00 EST
------------------------------------------------------------------------------
                      Expanded/Local Distribution Header
Sender     :  Joe CAMPBELL
Subject    :  Security reply
From       : "Joe CAMPBELL"
To         : "HP300L"
------------------------------------------------------------------------------
 
> I think you have just insulted every member of this discussion group!
> Shame, Shame, Shame, Shame, Shame, Shame, Shame, Shame .... on YOU.
 
>>No I didn't, if you review my original message I stated with all due respect
>>to the members of this group a different opinion.  If we can not openly
>>discuss differing points of view without getting down to name calling and
>>taking it personally, then it's a loss for all of us!!!
 
I'd hardly call "Shaming you..." as name-calling (it could have been much
worse), but you're correct that differing points of view do need to be shared
in an open and non-hostile environment.   I probably should have just
stated that I simply disagreed with your opinion and left it at that.
It's important we don't lose sight of the issue and that is HP and their
policy concerning the communication of known security problems.
 
 
> HP has opened the floodgates with the disclosure of security problems.  They
> owe it to every single System Manager to reveal the details.  How they do
> that is up to them, as long as they do it quickly.
 
>>Joe, I'm sure you realize there are different levels of problems and NDA style
>>of information.  Even with the level of NDAs I have, I know HP is not telling
>>me everything, even when it affects me and my site.  I ask for you to consider
>>this one issue, what would be your response to a site who had their security
>>breached due to the fact that this information somehow got public???  Also
>>look at internally within HP, they are not even providing the information to
>>other areas of the lab.
 
 
IMHO, HP has a responsibility to its customers to come clean with them on
known security problems and quickly communicate this information to its
installed customer base (again, how they choose to do that is up to them).
Every SM needs to assess for their own shop what the level of risk is to
their environment.  Again, that is for each SM to decide, not HP.  I want
to be told specifically what the security holes are, so I can make this
assessment myself.   Quite frankly, how can I be sure that this isn't some
ploy on HP's part to scare their customer base over to MPE/iX 5.0?   Call
me a "doubting Thomas" if you will, but do you see my point?  In my opinion,
the problems need to be verifiable, because the move to 5.0 may involve
a lot of effort on our part.  If customers understand the severity of the
problem and know what the remedies are, it's up to them to take whatever
action they deem is appropriate.  It is the customer's problem, if they
choose to remain in an environment that would permit a security breach to
occur.  Withholding information and perpetuating ignorance is not a good
solution (IMHO), nor is it a policy that HP should formally adopt.
