Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!sdd.hp.com!spool.mu.edu!uunet!mcsun!ukc!strath-cs!baird!jim
From: jim@cs.strath.ac.uk (Jim Reid)
Newsgroups: comp.sys.hp
Subject: Re: Security hole in HP-UX
Message-ID:
Date: 21 Feb 91 12:46:15 GMT
References: <1581@gufalet.let.rug.nl>
Sender: jim@cs.strath.ac.uk
Organization: Computer Science Dept., Strathclyde Univ., Glasgow, Scotland.
Lines: 51
In-reply-to: ton@let.rug.nl's message of 20 Feb 91 13:57:33 GMT

In article <1581@gufalet.let.rug.nl> ton@let.rug.nl (Ton Roovers) writes:

   "I expect to be warned by Hewlett-Packard for possible security
   problems in my HP-systems just like I expect the manufacturer of my
   car to warn me if the brakes are not safe."

This is rather naive. Most computer companies (and HP in particular) will not discuss security problems with their software or notify their customers when security holes/bugs are found. In most cases, they hide behind the feeble excuse of "company policy". This also lets the company get away with doing nothing - what customers don't know about can't worry them. It also means the company decides what security problems you need to know about, regardless of whether they are important to you or not. Mr. Computer Vendor knows what's best for you so just trust him....

What makes things worse is the double standards that apply when a customer finds a problem: the company expect you to tell them everything about it (without knowing who you're talking to or if they can be trusted), but the person you speak to won't trust you enough to discuss security matters with you. [I can understand that companies won't want that sort of information getting into the wrong hands - imagine the lawsuits if somebody damages a computer using a security hole told to them by a vendor's employee. However, that is no excuse for saying absolutely nothing and treating customers with contempt.]

Some years ago, we had a security problem with HP-UX.
After a lot of complaining, HP sent their "security expert" to check out the system and run an audit script which ostensibly checked permissions, looked for non-standard setuid-root files, inspected the version numbers of some bits of software and so on. This checked out OK (surprise, surprise!) and the security expert said there were no problems or holes on the system that he was aware of.

About a month later an update tape arrived from HP. The date on the covering letter was well BEFORE the visit of the security person. The update letter explained that this was to fix some security holes in sendmail - no surprises there - and some other networking utilities. It didn't say what the holes were, so the customer was to blindly do the upgrade without knowing what holes were being fixed (or left unfixed).

The important thing here is that HP knew there was a problem but wouldn't tell the customer - instead they implied there wasn't a problem. In fact, they misled us by telling us something that the company knew was untrue. Of course, we're not gullible enough to believe that computer support people tell customers the truth, the whole truth and nothing but the truth. However this shows what can happen when a company policy of silence is followed. The whole escapade has irreversibly damaged the image and reputation of HP for me.

		Jim