Path: utzoo!utgpu!news-server.csri.toronto.edu!bonnie.concordia.ca!uunet!dev8n.mdcbbs.com!campbell
From: campbell@dev8n.mdcbbs.com (Tim Campbell)
Newsgroups: comp.sys.hp
Subject: Re: Security hole in HP-UX
Message-ID: <1991Feb25.132419.1@dev8n.mdcbbs.com>
Date: 25 Feb 91 13:24:19 GMT
References: <1581@gufalet.let.rug.nl>
Organization: McDonnell Douglas M&E, Cypress CA
Lines: 80
Nntp-Posting-Host: dev8n
Nntp-Posting-User: campbell

In article , jim@cs.strath.ac.uk (Jim Reid) writes:
> In article <1581@gufalet.let.rug.nl> ton@let.rug.nl (Ton Roovers) writes:
>
> "I expect to be warned by Hewlett-Packard for possible security problems
> in my HP-systems just like I expect the manufacturer of my car to warn
> me if the brakes are not safe."
>
> This is rather naive. Most computer companies (and HP in particular)
> will not discuss security problems with their software or notify their
> customers when security holes/bugs are found. In most cases, they hide
> behind the feeble excuse of "company policy". This also lets the
> company get away with doing nothing - what customers don't know
> about can't worry them. It also means the company decides what
> security problems you need to know about, regardless of whether they
> are important to you or not. Mr. Computer Vendor knows what's best for
> you so just trust him....

That's taking an awful big risk. Can you imagine the lawsuits resulting
if some unscrupulous employee of HP decided to use this information to
his advantage and attack vulnerable, unsuspecting customers? It's an
awful big risk to take.

With (to name competition) Sun, you can be put on the "customer
distributed buglist" - they don't actually send patches for everything,
just a summary of the known bugs, fixes, and/or workarounds. I don't
know as much about HP; perhaps they have a similar list.

[stuff deleted]

> [I can understand that companies won't want that sort of information
> getting into the wrong hands - imagine the lawsuits if somebody
> damages a computer using a security hole told to them by a vendor's
> employee. However, that is no excuse for saying absolutely nothing and
> treating customers with contempt.]

At least YOU would have the opportunity to be informed and take action.
The scenario previously mentioned leaves you vulnerable. Obviously
SOMEBODY knows that the bugs exist - and it's up to their own discretion
as to who they want to let in on the secret. I imagine most people
prefer that nobody should know "except me".

> Some years ago, we had a security problem with HP-UX. After a lot of
> complaining, HP sent their "security expert" to check out the system
> and run an audit script which ostensibly checked permissions, looked
> for non-standard setuid-root files, inspected the version numbers of
> some bits of software and so on. This checked out OK (surprise,
> surprise!) and the security expert said there were no problems or
> holes on the system that he was aware of. About a month later an
> update tape arrived from HP. The date on the covering letter was well
> BEFORE the visit of the security person. The update letter explained
> that this was to fix some security holes in sendmail - no surprises
> there - and some other networking utilities. It didn't say what the
> holes were, so the customer was to blindly do the upgrade without
> knowing what holes were being fixed (or left unfixed). The important
> thing here is that HP knew there was a problem but wouldn't tell the
> customer - instead they implied there wasn't a problem. In fact, they
> misled us by telling us something that the company knew was untrue. Of
> course, we're not gullible enough to believe that computer support
> people tell customers the truth, the whole truth and nothing but the
> truth. However, this shows what can happen when a company policy of
> silence is followed. The whole escapade has irreversibly damaged the
> image and reputation of HP for me.

This really sounds like they gave you the security fix for the famous
Internet worm. When they checked out your system, all the files were
correct. You *DID* in fact have the standard sendmail program shipped
with the system, and nobody tampered with anything. Unfortunately, that
sendmail daemon wasn't really very secure.

> Jim

--
-Tim
---------------------------------------------------------------------------
In real life: Tim Campbell - Electronic Data Systems Corp.
Usenet: campbell@dev8.mdcbbs.com @ McDonnell Douglas M&E - Cypress, CA
also:   tcampbel@einstein.eds.com @ EDS - Troy, MI
CompuServe: 71631,654   Prodigy: MPTX77A
P.S. If anyone asks, just remember, you never saw any of this -- in fact,
     I wasn't even here.
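Jim Reid's post above describes HP's audit script as checking permissions and looking for non-standard setuid-root files. The following is an added example of that kind of check, written for this page and not taken from the thread or from any HP tool: it lists setuid files under a given root and reports any that are absent from a baseline of known-good paths. The function names, the baseline-file format (one absolute path per line) and the directory layout are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the original post: a minimal setuid audit of the
# kind the quoted post describes. Assumed interface: list_setuid ROOT and
# audit_setuid ROOT BASELINE, where BASELINE holds one known-good path per
# line. Portable POSIX sh; no GNU-only options.

# List regular files with the setuid bit under $1 (default /), one path
# per line, sorted. Stays on one filesystem so NFS mounts are not walked.
# A production run would usually add '-user root' to restrict the list to
# setuid-root files; it is omitted here so the example runs unprivileged.
list_setuid() {
    root="${1:-/}"
    find "$root" -xdev -type f -perm -4000 2>/dev/null | sort
}

# Report setuid files under $1 that do not appear in baseline file $2.
# Prints each unexpected path on stdout. Returns 1 if any were found,
# 0 if every setuid file is accounted for by the baseline.
audit_setuid() {
    root="$1"
    baseline="$2"
    # -x: whole-line match, -F: fixed strings, -v: keep the non-matches
    unexpected=$(list_setuid "$root" | grep -vxF -f "$baseline")
    if [ -n "$unexpected" ]; then
        printf '%s\n' "$unexpected"
        return 1
    fi
    return 0
}

# Usage (assumed paths):  audit_setuid / /var/adm/setuid.baseline
```

A clean run of this check tells you only that no setuid file has been added and nothing in the baseline has gone missing. It says nothing about whether the shipped setuid programs themselves are safe, which is exactly the gap Tim points at: the audited system had the standard sendmail, and the standard sendmail was the problem.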