HP3000-L Archives

March 1995, Week 5

HP3000-L@RAVEN.UTC.EDU

Subject:
From: "Tony B. Shepherd" <[log in to unmask]>
Reply To: Tony B. Shepherd
Date: Wed, 29 Mar 1995 08:33:09 -0500
I love this bunch!  Honest!  It would have been so easy for Isaac to take my
prior post as an insult, and turn an intense discussion into just another
petty name-calling contest.  Thanks - I love hanging out here!
 
Again, text re-formatted in spots (and most scissor marks removed).
 
In article <[log in to unmask]>,
  Isaac Blake <[log in to unmask]> wrote:
] Subject: Re: Security reply (170+ lines)
] I'm sure there is a long list of people within HP which would disagree with
] your statements!!!:-) Sometimes I agree with HP, other times I don't. But what
] I do try to achieve in every case is to give my honest opinion on the topic.
 
Can't ask for better.  Opinions tend to be biased - just human nature. I
think I've figured out how to interpret yours. (No hidden message in that
last sentence either - I just feel you're not as much a stranger as last
year :-)
 
] As far as me being a proponent of (almost) every HP decision, too bad you
] weren't around for the MPE/iX 4.5 debate!!!
 
Glad I missed it.
 
] Believe it or not, I agree with virtually everything you stated!!!  Guess the
] approach is slightly different.  For example what happens if the vendor
] contacted you and stated:
]
] "We have discovered a problem which can cause the coin changer to dispense
] money by accident.  To correct this problem you need to weld an extra brace
] to the frame".
 
To requote my own post (emphasis on CAPS):
}I need to trust my vendor to advise me of problems with their product
}after the sale.  I DON'T WANT TO DISCOVER this coin changer problem by
}reading a soft-drink trade journal.
 
}I need my vendor to advise me that there is a problem in a way that works
}WITHOUT DRAWING (much) ATTENTION to the fact there is a problem.  Sure
}don't want an 'If You Kick It Here' article in the WSJ, but an announcement
}of a recall for product XYZ and a phone number for further information
}would be acceptable.  Notification by my sales rep (phone call), mail or
}other means is fine - but DISCRETION COUNTS.
 
}I need to be ABLE to get FULL DETAILS of the problem and solution - after
}all it's my money in the machine, and MY RISK if I do nothing.  I need to
}trust my vendor enough to know that Crowbar Clyde didn't get copies of the
}details from the manufacturer.  If he got them from my competitor's trash
}(he buys the same machines) - well, not much I can do but grit my teeth.
 
To answer your question, where is Crowbar Clyde when this is said?
 
] Another point to consider is the global (and I mean the worldwide) issues of
] notification, delivering the fix, and the time/effort to implement the fix. In
] other words (and it's happened before) where the information was available
] before the fix was available. This list is a good example, we are constantly
] aware of things prior to many others.
 
Again, DISCRETION COUNTS.  If HP doesn't know their customers, they should
get out and meet them.  I can accept encrypted e-mail.  You may have a fax
machine in a secure location.  Some military sites might not be able to do
either one of these.  And if secure communication doesn't look that
feasible, HP should consider the personal touch.  Visit the customer.
 
And discretion counts the other way too.  We should refrain from detailed
discussion in an open forum of any security fault method.  It is possible
to be vague (did you fix that problem about copying files?) instead of
open (did you fix that problem in XYZ that allows :ALTUSER CAP=SM?) and
still communicate.
 
If I communicated openly with you and the information caused an Australian
site to be broken, I would feel terrible.  And I would hope that other
folks on the list would bring such a transgression to my attention, by
e-mail, so further attention would not be drawn to my carelessness.
 
] HP has a fundamental responsibility to ensure that MPE is secure, and as
] security problems come to light, correct them. I'm not talking about any
] improvements which are more an enhancement request, but legitimate holes as you
  { snip }
] Guess part of the question for any of us, is how do you truly address a
] situation like this taking into consideration all the factors. It reminds me
] of a debate in college long ago about how to handle criticism in a public
] format. As you mentioned Tony, there appears to be no single correct answer...
]
] Like you and others, I am very curious about the specifics of these problems,
] and I'm grateful I'm on 5.0. But if I was on 4.0 then I would have already got
] the patch from HP and would be on my way to installing it on all my systems.
  { And if you weren't on a support contract, but were on 4.0? }
 
An off-color reference, perhaps, but it strikes me that this situation
can be looked at the same way as people who are diagnosed with a terminal
disease.  Some don't want to know - the truth is unbearable and cannot be
faced.  Someone else will have to make their decisions, and the patient
will be glad not to be involved.  I want copies of the x-rays and video
tapes - the more details the better.  HP is in the role of the doctor -
they have to understand and address our individual preferences and needs.
 
] > Me too - and when we meet, I'll buy the first round:-)
] ] And I'll buy the second...:-)
 
Sounds like a night we may not remember!
 
--
Regards  --  Tony B. Shepherd  --  [log in to unmask]
