Reply To: Rudderow, Evan
Date: Mon, 3 Apr 1995 09:28:00 EDT
Content-Type: text/plain
Joe CAMPBELL wrote:
<snip>
>IMHO, HP has a responsibility to its customers to come clean with them on
>known security problems and quickly communicate this information to its
>installed customer base (again, how they choose to do that is up to them).
>Every SM needs to assess for their own shop what the level of risk is to
>their environment. Again, that is for each SM to decide, not HP. I want
>to be told specifically what the security holes are, so I can make this
>assessment myself.
<snip>
As yet I've not decided either way on whether HP should come clean with the
details; having said that, Joe Campbell's statement quoted above struck a
chord in me. It's my impression that the participants in this discussion
thread have all been professional sys admins (at the very least they are all
data processing professionals) and perhaps it *is* appropriate for HP to
divulge the details of the security holes to that audience.
However there's another audience to consider as well: the very much part
time sys admins -- those who aren't data processing professionals. There
are plenty of HP3000 sites where the system manager is a controller, or
accounting clerk or whatever. Were HP to divulge the details in this matter
they must do so in a way that accounts for the needs of both the
"professional" and "non-professional" audiences.
-- Evan