• Subject: Re: AS400 user password
  • From: "William Washington III" <w.washington@xxxxxxxx>
  • Date: Tue, 13 Jun 2000 21:27:33 -0500

I tend to agree that we shouldn't "broadcast" a vulnerability, but I also
strongly feel that if a vulnerability exists, responsible people should know
about it so they can take precautions.

This security lapse should never have made it to the AS/400... My take on it
is IBM wasn't quick on the response.  The hardware has been out for 12
years!  Only when the breach was published did they take action.

William

----- Original Message -----
From: "Jim Franz" <franz400@triad.rr.com>
To: <MIDRANGE-L@midrange.com>
Sent: Tuesday, June 13, 2000 8:45 PM
Subject: Re: AS400 user password


> My wife describes pgmrs as some of the most unethical people around,
> slightly better than management, salesmen, & lawyers. We have no "code of
> conduct/ethics" to live by. The reporting argument has been around a long
> time. Was a bystander at Common years ago when IBM and the Common Security
> Task Force went at it. Boy, was that fun! Learned more about security in 2
> hours of yelling than in previous 15 years.
> IMHO, we should be ethical, never broadcast a vulnerability without proper
> reporting, and the vendor has a fix (as long as the vendor is responsible
> and makes a reasonably quick response). Every shop with a pgmr (not the
> secofr) on this list became "more" vulnerable with the posting. This time,
> IBM made a quick response. IBM does need a clearly stated method of
> reporting (is it the 800-237-5511 Software Support? and clearly identify it
> as a Security Issue). Put this on the website!
> Long ago, in November 1991 was published the guidelines for being
> responsible on the Internet, "Guidelines for the Secure Operation of the
> Internet" (RFC1281)
> http://info.internet.isi.edu/in-notes/rfc/files/rfc1281.txt
> It requires that users be responsible, and vendors be responsible. This is
> worth reading for both sides, and it's only a few pages. I still think, if
> we want the AS/400 to live with the "big boys" of net computing, CERT
> reporting is the way to go.  www.cert.org
> Jim Franz
>
> ----- Original Message -----
> From: "Leif Svalgaard" <leif@leif.org>
> To: <MIDRANGE-L@midrange.com>
> Sent: Tuesday, June 13, 2000 9:22 AM
> Subject: Re: AS400 user password
>
>
> > > Gene Gaunt is a talented programmer and writes some great stuff and I
> > > don't wish to bash him, but IMHO it was a mistake to post the code the
> > > way he did. I would think that a genuine concern for security would
> > > dictate that a Security APAR would be opened prior to posting this very
> > > serious exposure publicly (And as a programmer, wouldn't you rather be
> > > told personally about your bugs before they get posted on an internet
> > > forum?).  During the time that it took IBM to respond, we were all
> > > hanging out there with our passwords available to anyone with
> > > programmer abilities and a subscription to the MI list.
> >
> > I fully agree that IBM should be commended on their responsiveness on
> > this, but one could speculate how long this would have taken, had Gene
> > NOT published his code first.
> >
> >
> >
> > +---
> > | This is the Midrange System Mailing List!
> > | To submit a new message, send your mail to MIDRANGE-L@midrange.com.
> > | To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
> > | To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
> > | Questions should be directed to the list owner/operator: david@midrange.com
> > +---
>

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
