Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!sun-barr!lll-winken!elroy.jpl.nasa.gov!sdd.hp.com!hplabs!hpda!hpcuhc!mck
From: mck@hpcuhc.cup.hp.com (Doug McKenzie)
Newsgroups: comp.sys.hp
Subject: Re: Security hole in HP-UX
Message-ID: <530029@hpcuhc.cup.hp.com>
Date: 27 Feb 91 19:28:47 GMT
References: <1581@gufalet.let.rug.nl>
Organization: Hewlett Packard, Cupertino
Lines: 58

Ton writes:

> "I expect to be warned by Hewlett-Packard for possible security problems
> in my HP-systems just like I expect the manufacturer of my car to warn
> me if the brakes are not safe."

Jim responds:

> This is rather naive. Most computer companies (and HP in particular)
> will not discuss security problems with their software or notify their
> customers when security holes/bugs are found. In most cases, they hide
> behind the feeble excuse of "company policy". This also lets the
> company get away with doing nothing - what customers don't know
> about can't worry them. It also means the company decides what
> security problems you need to know about, regardless of whether they
> are important to you or not. Mr. Computer Vendor knows what's best for
> you so just trust him....

Edwin responds:

> Ok, how to distribute the bad news?? Well, first of all, details
> shouldn't be spread of course. A simple message like: ``There is a
> serious problem with this_and_that on systems X, Y and Z, running
> AA-BB p.qy and higher. We urge you to contact your local CRC for further
> information''.

Warning of security holes is tricky. Our "policy" is to look at each
problem separately -- there is no algorithm. We generally try to
correlate the announcement of a security hole to the size of the hole.
If it's an extreme corner case, then we make no mention. If it seems
likely to occur more frequently, we publicize it. The problem is, just
mentioning that there is a problem causes people to look.

Let me try another car analogy: if Porsche discovered that certain
Toyota ignition keys would work on the Porsche, what should Porsche do?
If they announce, "please contact your dealer", and the dealer tells
everyone of the problem, it would be public knowledge within hours and
far more people would be at risk. Is everyone who hears the broadcast
entitled to full information?

I'd be hesitant to install a patch unless I knew why I needed it.
Patches cannot receive the full amount of interoperability testing that
the original release does, because it's not possible to test all the
combinations of patches for untoward interactions.

By the way, the problem Ton refers to *was* publicized, because it
seemed it might not be such a rare occurrence. It's KPR number
1650126268, which appears in the SSB dated 16 Dec 90. I'm a little
hesitant to mention this, as there is more detail than I would have
liked in the SR. (And now having mentioned my hesitation, some people
might look it up who otherwise might not care.) It's been fixed in 8.0
of course.

No company wants to broadcast that their systems have a security
problem. But it's more than image manipulation; customers can also
suffer from the broadcast.

Ton, I'm sorry for the trouble it caused you.

Doug McKenzie
S800 HP-UX Support
mck@cup.hp.com or ...hplabs!hpda!mck

Disclaimer: I do not speak officially for HP.