2008/7/14 Edward Jaffe <[EMAIL PROTECTED]>:

> Identifying integrity exposures is a double-edged sword. Everyone agrees
> that such exposures must be identified and fixed. But, the real-world risk
> posed by any such exposure is proportional to the amount of attention you
> draw to it.

Well, maybe. Bruce Schneier put it well eight years ago when he wrote
of a "window of exposure".
http://www.schneier.com/crypto-gram-0009.html#1
Our aim as security-conscious programmers and administrators is to
reduce the "area under the curve". How best to do that is the issue.

> Things will work fine "forever" so long as exposures are not recognized.
> But, once people know about -- and might try to exploit -- an integrity
> exposure, it becomes a high-priority item that must be taken seriously.

Exactly.

> Every time Sam K. or anyone else raises public awareness about specific,
> existing integrity exposures, the chances for industrial sabotage to the
> world's largest production z/OS installations increase dramatically. A
> "bull's eye" is painted; a challenge is presented; illegal money-making
> opportunities abound.

And pressure on the software vendors to fix the problem increases.

> This is why IBM integrity APARs never appear in public APAR data bases.
> (It's also why Micro$oft Windows vulnerabilities are not publicized until
> after a fix has been developed.)

Well, in Microsoft's case it's far from clear that that's the main reason.

> The best opportunity for IBM and ISV developers to fix these integrity
> issues was in the ten-year period after the IgvNoUserKeyCsa DIAG TRAP came
> out with OS/390 V2R6 (September 1997) and before the AllowUserKeyCsa option
> became available with z/OS 1.8 (September 2007). Conscientious developers
> took full advantage of that ten-year opportunity. The lazy or arrogant ones
> did not.

Indeed. Though in fairness, it must be pointed out that not every use
of user key CSA is a security or integrity exposure. Distinguishing
the many cases that are from those that are not is so difficult,
though, that disallowing it by default is certainly the right thing to
do.

> IgvNoUserKeyCsa was discussed at SHARE by Bob Shannon many years ago. (A
> "Bit Bucket" presentation IIRC.) Users could have helped to identify
> exposures by enabling the TRAP on test/sandbox systems. Some did. Most did
> not.
>
> In any case, it should be obvious that the best policy, when dealing with
> potentially serious integrity exposures, is secrecy.

I'd say it's far from obvious. Intelligent and informed people differ
on this topic, and there is no consensus.

Schneier has written at some length on this, and there is a good if
oldish summary at http://www.schneier.com/crypto-gram-0111.html#1 that
expands on his earlier article, and has a bibliography.

Certainly it can be argued that many millions of Windows desktops
under the control [sic] of their individual and largely unqualified
users is a very different situation from that of some thousands of
z/OS systems under the control of professionals. But that doesn't
automatically make security by obscurity the Right Thing.

Tony H.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
