HP3000-L Archives

March 1995, Week 5

HP3000-L@RAVEN.UTC.EDU

Subject:
From: "Tony B. Shepherd" <[log in to unmask]>
Reply To: Tony B. Shepherd
Date: Tue, 28 Mar 1995 07:52:05 -0500
Content-Type: text/plain
Parts/Attachments: text/plain (161 lines)
Please excuse the perhaps extensive quoting - I'm trying to respond to
several posts here concerning security issues.  Text re-formatted in spots.
 
In article <[log in to unmask]>,
  Isaac Blake <[log in to unmask]> wrote:
] Poster:       Isaac Blake <[log in to unmask]>
] Subject:      Re: Security reply
]
] > IMHO Joe was under the impression that Isaac was saying that if SM's
] > were told privately by HP, they would discuss it on HP3000-L.  Again
] > IMHO, Isaac was saying HP3000-L should not be the notification means.
] >
] > IMNSHO HP should publicly admit a problem exists, privately disclose
] > details of the problem (including proposed solutions) to customers,
] > and let the customer choose what (if anything) to do.  And in my
] > opinion, the solution should NOT require an MPE upgrade.  If it does,
] > HP should pay for non-prime time RC support if the customer's normal
] > operations would suffer doing the upgrade in prime time.
]
] Interesting points Tony!!!  See my reply regarding the first paragraph...
 
  Thanks.  I did - did I totally miss the boat?  And two comments about
that reply (your response to Joe):
 
] > Isaac, have you ever heard of a non-disclosure agreement??   I'm sure you
] > signed one to get the password to the MPE diagnostics.. didn't you?
] I have so many NDAs the simplest way for me to handle them was a blanket
] NDA and beta test agreement.  Yes, I signed the one for the diagnostics,
] in fact I was one of the first.
 
I wandered into this group about the time diagnostic passwords were a hot
topic last year (3rd quarter?).  This isn't an insult: I had a little
trouble figuring out who you were - some of your posts sounded (to me)
like they could have been written by an HP employee defending policy.  And
this really isn't unnatural: while road-testing a new feature, it can be
hard to suppress all enthusiasm about it.  Add to that your other "outside
of the job" duties and interests, and I'm sure it is hard to walk the
line.  IMHO you are fulfilling the letter of the NDAs but are still
coming across (to me at least) as a proponent of (almost) every HP decision.
This distracts me when I read some of your posts - sorry - I have to ask
myself 'why did he say' before 'does this make sense to me'.
 
] > And I'm also sure you wouldn't open up your mouth and blab this, would
] > you?  I thought not.
] Sure I haven't opened my mouth, but I personally know of others who have and
] even given third-parties access to the diagnostics in direct violation of
] the NDA.  Remember I'm also a Reserve Police Sergeant and I've seen this
] too many times, especially when the press gets "interested" in the topic.
 
Unless you are prepared to name names (preferably somewhere else), can we
polish our halos elsewhere?  I believe the topic was security problems.
 
] Regarding the second, I'll ask the same question (or close to it) I posted to
] Joe.  What will be your response to a site who has their security breached
] due to the disclosure of this information???  Secondly, how would you defend
] the actions of HP providing this information, and for us demanding this
] information???
 
At the risk of trivializing the problem, let's say we have bought some
vending machines (candy), and the manufacturer has learned that a good kick
on the back panel down low turns the coin changer on, dispensing money.
An extra brace needs to be welded to the frame.
 
Speaking as a customer, my thoughts go along these lines.
 
I need to trust my vendor to advise me of problems with their product
after the sale.  I don't want to discover this coin changer problem by
reading a soft-drink trade journal.
 
I need my vendor to advise me that there is a problem in a way that works
without drawing (much) attention to the fact there is a problem.  Sure
don't want an 'If You Kick It Here' article in the WSJ, but an announcement
of a recall for product XYZ and a phone number for further information
would be acceptable.  Notification by my sales rep (phone call), mail or
other means is fine - but discretion counts.
 
I need to be able to get full details of the problem and solution - after
all it's my money in the machine, and my risk if I do nothing.  I need to
trust my vendor enough to know that Crowbar Clyde didn't get copies of the
details from the manufacturer.  If he got them from my competitor's trash
(he buys the same machines) - well, not much I can do but grit my teeth.
 
Now I need to decide what to do.  I have several machines, and each has to
be evaluated differently.  Those bolted to the floor in an alcove get an
internal tag that says "fix when replaced" - there is no access to the
back panel and hence no threat.
 
The ones in the stadium have no physical access except on game days - I
stock them at 6 am and unload them at 6 pm. Games are on Saturdays. My
vendor has agreed to fix the machines under their usual 8-5 M-F hours at
no additional charge.  I would expect the vendor to help on these stadium
machines.  The vendor normally charges double for Saturday work ($500/dy).
 
I would expect the vendor to realize that while the customer is at risk
and is the decision-maker, the vendor is responsible for the creation of
the dilemma.  The vendor might offer to waive charges for this machine
because of the access restrictions or work out some other arrangement.  A
vendor who did not recognize this responsibility (it seems to me) would
not be helping their reputation or sales.
 
From some other posts:
} Poster:       Mike Paivinen <[log in to unmask]>
} Jim Wowchuk ([log in to unmask]) wrote: Another point to consider is those
} :sites not currently on a support contract with HP.
} Actually, security bulletins are available at no charge to customers
} whether they have System Support contracts or not.  . . .  In the case
} of this security notification, customers without System Support contracts
} can order the security patches at no charge.
  { But some of these require _upgrading_ to 5.0 - no charge?
 
} Poster:       Ron Seybold <[log in to unmask]>
} There are rules for all this, and they stand on ethics. If I use
} information someone tells me, and I don't know it's NDA information, I'm
} not responsible for the violation of the NDA. That's the responsibility of
} the person who agreed to the NDA.
  { Nothing personal, but if you didn't _know_ it was NDA info, but common
  { sense told you it _should_ be NDA info, what happens?
} Reporters and editors now sign NDAs on occasion. When I have, I honor
} mine. I wouldn't want HP or any other industry firm to think otherwise.
  { Bravo! IMHO many 'reporters' re-word PR material.  A little insider
  { information early gives you a chance to do your homework.  We all win.
 
} Poster:       Guy Smith <[log in to unmask]>
} Forgive my flippant ways, but I have had the unpleasant repeat experience
} of calling HP, and other vendors, after a data trashing problem has
} occurred only to be told "Oh, that's a known problem that we have had a
} patch for for several months.  Would you like a copy?"
} The SSB is *not* what I'm looking for.  It is neither timely nor summarized
} in a usable form.
  { Been there, done that, got the scars.  Don't want to do it with
  { security issues too.  And I agree: the SSB is a freight train - is my
  { suitcase on it?  Never mind.
 
To reiterate your questions:
] What will be your response to a site who has their security breached due to
] the disclosure of this information???  Secondly, how would you defend the
] actions of HP providing this information, and for us demanding this
] information???
 
There is no single correct answer that I know of.  We are, however,
blessed (or cursed) by history.  An obvious place to look is in the HP9000
part of the world (perhaps some cross-posting may be in order?).  One thing
that comes to mind is a similar uproar over the publication of weaknesses
in MPE some time ago.  Examples were published of how to gain priv-mode,
overall approaches to breaking security, and other "shocking" topics.
Very noisy at the time, as I recall.  HP fixed the vulnerabilities (some
of which they were rumored to have known of for some time), and MPE was
better for it.  I _myself_ know of no site that suffered damage (other
than ulcers and sleepless nights).  And Eugene went on to other things.
 
] Regards,
] /isaac
 
Me too - and when we meet, I'll buy the first round :-)
 
--
Regards  --  Tony B. Shepherd  --  [log in to unmask]
 
This opinion is worth what you paid for it, and if it proves to be wrong,
all monies paid will be cheerfully refunded upon presentation of receipt.
