On Sat, 3 Apr 2010 23:06:57 -0400, John P. Baker <john.ba...@hfdtechs.com>
wrote:

> I can understand IBM not wanting to make integrity APAR documentation
> generally available.
>
> IBM does not and cannot know when an individual customer may apply the
> associated PTF, so publicly detailing the nature of the exposure can place
> customer installations at risk.
>
> At the same time, the installation of a PTF of minimal description is
> disconcerting.
>
> How about IBM providing a channel through which integrity APAR documentation
> can be obtained subject to a nondisclosure agreement?
>
> Such an approach would seem to meet the needs of both IBM and its customers.

First, I am told by those whom I trust that appropriate levels of management
at IBM's larger customers have told us very clearly that they like the
secrecy, and do not want us to disclose details of any integrity problems.

For some possible reasons for this position, please consider that:
(a) it is believed by many that insiders perpetrate a significant number of
attacks.
(b) even someone you trust today can become disgruntled.
(c) if someone is willing to attack a system, an NDA probably won't stop him.
(d) if we tell someone at company A what the exposure is, he may leave and
go to company B.

In case (d), company A's decision that they trust a particular person has
now potentially put company B at risk if they hire that person.  Or if he's
willing to disclose the vulnerability to someone else at company B (in case
(c) above).

So, telling anyone can in theory put everyone at risk.  I'm not sure if
you've thought about the scenario where you're company B rather than company A.

-- 
Walt Farrell, CISSP
IBM STSM, z/OS Security Design

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html