HP3000-L Archives

April 1995, Week 1

HP3000-L@RAVEN.UTC.EDU

Subject:
From: "Tony B. Shepherd" <[log in to unmask]>
Reply To: Tony B. Shepherd
Date: Sat, 1 Apr 1995 20:29:06 -0500
In article <[log in to unmask]>,
  Michael I Yawn <[log in to unmask]> wrote (with many omissions):
] Subject:      Re: Security reply
] Joe CAMPBELL ([log in to unmask]) wrote:
] : Every SM needs to assess for their own shop what the level of risk is to
] : their environment.  Again, that is for each SM to decide, not HP.
] I agree.  You have been told what the risks are: users may get additional
] capabilities, for example.  You have to decide what the impact would be
] to your operation should this happen.  The exact mechanism by which this
] might happen does not affect the potential damage at your site if it were
] to happen.  Depending on the type of data
] you have on the system, who has logon access to your system, etc., you
] may or may not be concerned about the potential breach.
  { Sorry - in one sentence you say 'SM has to decide', and then refuse to
    present the facts on which to base an intelligent decision.  For example,
    if <ctrl>-y in the Cobol compiler gives the user PM, is a non-Cobol shop
    at risk?  SM's don't need to know all the gory details - but they do need
    to have enough information to make an informed decision.
 
] : I want to be told specifically what the security holes are, so I can make
] : this assessment myself.
  { I agree completely - to a reasonable level of detail.
 
] I cannot imagine a more irresponsible behavior on HP's part.  To the best
  { If an SM lets HP spend overtime and other resources for him, they
    would not be doing their job.  And if HP uses lack of information to bully
    users into an upgrade, well . . .  at the least it would hurt confidence.
 
] : Quite frankly, how can I be sure that this isn't some
] : ploy on HP's part to scare their customer base over to MPE/iX 5.0?   Call
  { Can't buy that - but squelching the necessary information could have
    the same effect - see above.
 
] You can choose not to move to 5.0, and to install patches instead.
] Admittedly, either choice involves a non-trivial amount of work.
] I'm sure that you could make a more informed decision about the
] exact risks to your installation if you had more details, but there
  { Key point - 'more' <> 'all' --------------^^^^
 
] : Withholding information and perpetuating ignorance is not a good
] : solution (IMHO), nor is it a policy that HP should formally adopt.
  { I agree.
 
--
Regards  --  Tony B. Shepherd  --  [log in to unmask]
