• Subject: Re: Rewarding Challenge AS/400
  • From: "V. Leveque" <vleveque@xxxxxxxxxxxxx>
  • Date: Tue, 28 Sep 1999 18:04:14 -0700

This issue was raised a few years back with the COMMON Security Task Force.
I can't recall exactly why CERT isn't used (a combination of things no
doubt) but the need was definitely stated especially for secure confidential
channels in reporting problems and in notifying system administrators of fixes.

COMMON did produce a report where this issue and others were addressed.  I'm
not sure what has come of the recommendations -- aside from the fact IBM did
work to close some of the then-stated vulnerabilities and now offers some
features that were then discussed (i.e. Security Wizard).

In theory COMMON would be the perfect forum to get this rolling.  In actual
practice there may be certain organizational impediments.

(boy do I sound like a bureaucrat! Gotta always be diplomatic..)

At 06:31 PM 9/28/99 -0500, you wrote:
>see below.
>    Someone has raised the point about the publication & response by IBM to
> security exposures. I have often wondered why the notification services like
> CERT, never report AS/400 problems. They certainly do report http, java,
> WebSphere, SQL and other problems, all of which OS/400 works with. But the
> reports are always about WinXX, Linux, Unix, NT, Sun, and a few others.
> (Actually I do know why - most of the universe doesn't know or understand
> what an AS/400 is). BTW, CERT is a good place to get free info on security
> exposures, and a free e-mail alert service. Our government at work. CERT®
> Coordination Center
>
>  ----------------------------------
>
>  When we first told IBM about our findings, their response was something like
>  this (I can't remember the exact words - because it was always verbal):
>
>  If you go public with this we will cut you off (we are a business partner
>  of IBM).
>  We will bury you. We will make sure you go out of business. Don't rock
>  the boat.
>
>  ----------------------------------------
>
>  how is that for irresponsibility ???
>

     |----------------------------|  "Outside of a dog, a book is a man's
     |\  /         |    \  /      |  best companion.  Inside of a dog,
     | \/ INCENT   |__E  \/EQUE   |  it's too dark to read."  
     |----------------------------|        -- Groucho Marx 

+---
| This is the Midrange System Mailing List!
| To submit a new message, send your mail to MIDRANGE-L@midrange.com.
| To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
| To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
| Questions should be directed to the list owner/operator: david@midrange.com
+---
