The following are my opinions and do not necessarily reflect the opinions of 
my employer.

Sorry...finger check on the last post...the last paragraph is completed 
here:

In my opinion, a security expert should:

   - Verify that they understand the entire nature of a suspected 
   exposure before putting anything in the public domain. Preferably through 
   the vendor and through a knowledgeable, independent third party if the 
   vendor is reluctant -- just because a vendor won't acknowledge you (for 
   whatever reason) doesn't prove your allegations are accurate or not. 
   Publishing them without verification is irresponsible. I can only assume 
   this particular posting was not independently verified by an expert on 
   OS400. An OS400 expert should have been able to easily verify that the 
   alleged exposure was a behavior of the system and not one introduced by 
   LDAP. An independent expert would have been able to help you communicate the 
   appropriate and accurate information to IBM or at least in your public 
   posting.
   - Test all products for which an exposure exists and avoid publicly 
   mentioning vendors and products that have not been explicitly tested by the 
   security expert or verified by the vendor or a knowledgeable third party. 
   - Ensure the vendor is aware of the alleged exposure and that there is 
   no agreeable work-around or mitigating factor that would change the nature 
   or the potential seriousness of the alleged exposure. I personally don't 
   understand why a security expert that participates in this forum would 
   report something via CERT or bugtraq without trying to get verification and 
   input from this forum first -- a forum where many IBMers are known to lurk.
   - Post security related information to the appropriate forums. An 
   inherent security exposure of a system which is likely to affect all users 
   of the system is appropriate fodder for CERT or bugtraq -- assuming that the 
   alleged exposure is understood and verified before posting. I happen to 
   prefer CERT because they don't blindly publish everything anyone sends them. 
   They actually have procedures that ensure the vendor has had an opportunity 
   to become aware of the issue.

Finally, being asked to commit a cybercrime in no way establishes one as a 
security expert. For example, a company that is expert at destroying 
buildings cannot also be assumed to be expert in building buildings that are 
hard to destroy. Finding problems requires a whole different skill set than 
is required to avoid them in the first place. I suspect most security 
experts would agree on this.

Again, I apologize for the finger check on the previous post.
On 4/25/05, Botz <pcbotz@xxxxxxxxx> wrote:
