Reply To: Tony B. Shepherd
Date: Sat, 1 Apr 1995 20:29:06 -0500
Content-Type: text/plain

In article <[log in to unmask]>,
Michael I Yawn <[log in to unmask]> wrote (with many omissions):
] Subject: Re: Security reply
] Joe CAMPBELL ([log in to unmask]) wrote:
] : Every SM needs to assess for their own shop what the level of risk is to
] : their environment. Again, that is for each SM to decide, not HP.
] I agree. You have been told what the risks are: users may get additional
] capabilities, for example. You have to decide what the impact would be
] to your operation should this happen. The exact mechanism by which this
] might happen does not affect the potential damage at your site if it were
] to happen. Depending on the type of data
] you have on the system, who has logon access to your system, etc., you
] may or may not be concerned about the potential breach.
{ Sorry - in one sentence you say 'SM has to decide', and then refuse to
present the facts on which to base an intelligent decision. For example,
if <ctrl>-y in the Cobol compiler gives the user PM, is a non-Cobol shop
at risk? SM's don't need to know all the gory details - but they do need
to have enough information to make an informed decision.
] : I want to be told specifically what the security holes are, so I can make
] : this assessment myself.
{ I agree completely - to a reasonable level of detail.
] I cannot imagine a more irresponsible behavior on HP's part. To the best
{ If an SM lets HP spend overtime and other resources for him, they
would not be doing their job. And if HP uses lack of information to bully
users into an upgrade, well . . . at the least it would hurt confidence.
] : Quite frankly, how can I be sure that this isn't some
] : ploy on HP's part to scare their customer base over to MPE/iX 5.0? Call
{ Can't buy that - but squelching the necessary information could have
the same effect - see above.
] You can choose not to move to 5.0, and to install patches instead.
] Admittedly, either choice involves a non-trivial amount of work.
] I'm sure that you could make a more informed decision about the
] exact risks to your installation if you had more details, but there
{ Key point - 'more' <> 'all' --------------^^^^
] : Withholding information and perpetuating ignorance is not a good
] : solution (IMHO), nor is it a policy that HP should formally adopt.
{ I agree.
--
Regards -- Tony B. Shepherd -- [log in to unmask]