HP3000-L Archives

March 1995, Week 5

HP3000-L@RAVEN.UTC.EDU

Subject:
From: Isaac Blake <[log in to unmask]>
Reply To:
Date: Tue, 28 Mar 1995 11:12:04 -0700
Content-Type: text/plain
Parts/Attachments: text/plain (106 lines)
> Please excuse the perhaps extensive quoting - I'm trying to respond to
> several posts here concerning security issues.  Text re-formatted in spots.
 
Sometimes it's needed to pull things together...
 
> ] Interesting points Tony!!!  See my reply regarding the first paragraph...
>
>   Thanks.  I did - did I totally miss the boat?  And two comments about
> that reply (your response to Joe):
 
Not really, you were on track for most of it...
 
> I wandered into this group about the time diagnostic passwords was a hot
> topic last year (3rd quarter?).  This isn't an insult: I had a little
> trouble figuring out who you were - some of your posts sounded (to me)
> like they could have been written by an HP employee defending policy.  And
> this really isn't unnatural: while road-testing a new feature, it can be
> hard to suppress all enthusiasm about it.  Add to that your other "outside
> of the job" duties and interests, and I'm sure it is hard to walk the
> line.  IMHO you are fulfilling the letter of the NDA's but are still
> coming across (to me at least) as a proponent of (almost) every HP decision.
> This distracts me when I read some of your posts - sorry - I have to ask
> myself 'why did he say' before 'does this make sense to me'.
 
I'm sure there is a long list of people within HP who would disagree with your
statements!!! :-)  Sometimes I agree with HP, other times I don't.  But what I
do try to achieve in every case is to give my honest opinion on the topic.
Remember I've been working on HP equipment since 1972, and have worked on both
sides of the fence, so I am a little sensitive towards the different sides.
 
As far as me being a proponent of (almost) every HP decision, too bad you
weren't around for the MPE/iX 4.5 debate!!!  Also you have to respect addressing
issues at different levels and formats, you'd be surprised at some of the phone
calls and meetings I've had.
 
> Unless you are prepared to name names (preferably somewhere else), can we
> polish our halos elsewhere?  I believe the topic was security problems.
 
Agreed, but as part of the topic was the concern over making public the specific
details of the security problems.
 
> At the risk of trivializing the problem, let's say we have bought some
> vending machines (candy), and the manufacturer has learned that a good kick
> on the back panel down low turns the coin changer on, dispensing money.
> An extra brace needs to be welded to the frame.
 
[sniping good points/examples for space consideration]
 
Believe it or not, I agree with virtually everything you stated!!!  Guess the
approach is slightly different.  For example what happens if the vendor
contacted you and stated:
 
"We have discovered a problem which can cause the coin changer to dispense money
by accident.  To correct this problem you need to weld an extra brace to the
frame".
 
Another point to consider is the global (and I mean the worldwide) issues of
notification, delivering the fix, and the time/effort to implement the fix.  In
other words (and it's happened before) where the information was available before
the fix was available.  This list is a good example, we are constantly aware of
things prior to many others.
 
> From some other posts:
 
These are good questions which we need to work with HP on resolving!!!  Perhaps
this is yet another issue for SIGSYSMAN to embrace.
 
> To reiterate your questions:
> ] What will be your response to a site who has their security breached due to
> ] the disclosure of this information???  Secondly, how would you defend the
> ] actions of HP providing this information, and for us demanding this
> ] information???
>
> There is no single correct answer that I know of.  We are, however,
> blessed (or cursed) by history.  An obvious place to look is in the HP9000
> part of the world (perhaps some cross-posting may be in order?)  One thing
> that comes to mind is a similar uproar over the publication of weaknesses
> in MPE some time ago.  Examples were published of how to gain priv-mode,
> overall approaches to breaking security, and other "shocking" topics.
> Very noisy at the time, as I recall.  HP fixed the vulnerabilities (some
> of which they were rumored to have known of for some time), and MPE was
> better for it.  I _myself_ know of no site that suffered damage (other
> than ulcers and sleepless nights).  And Eugene went on to other things.
 
HP has a fundamental responsibility to ensure that MPE is secure, and as
security problems come to light, correct them.  I'm not talking about any
improvements which are more an enhancement request, but legitimate holes as you
described.  I'm aware of the example you are talking about above, but you have
to recognize that CSY has gone through changes and is more customer focused
than before.  Hence why I complimented HP for their approach in this matter.
 
Guess part of the question for any of us, is how do you truly address a
situation like this taking into consideration all the factors.  It reminds me of
a debate in college long ago about how to handle criticism in a public format.
As you mentioned Tony, there appears to be no single correct answer...
 
Like you and others, I am very curious about the specifics of these problems,
and I'm grateful I'm on 5.0.  But if I was on 4.0 then I would have already got
the patch from HP and would be on my way to installing it on all my systems.
 
> Me too - and when we meet, I'll buy the first round :-)
 
And I'll buy the second... :-)
/isaac