List:       racf-l
Subject:    Re: Password reset red flags?
From:       Tony Harminc <tzha1 () ATTGLOBAL ! NET>
Date:       2007-08-30 22:58:07
Message-ID: a3a2b85f0708301558s2d4d61f2g70205887db130faf () mail ! gmail ! com

On 30/08/2007, Stu Henderson <stuhenderson@verizon.net> wrote:

> Tim, One way to approach this is to request from any vendor of
> software that needs User SVCs (or any other means of obtaining
> supervisor state) a software integrity statement comparable to IBM's
> (stating that, properly installed, the software product won't make it
> possible for unauthorized programs or users to obtain supervisor
> state).  Ask for it on company letterhead, signed by a senior
> executive.  Most won't sign it without advice from a lawyer, who
> won't bless it without talking to the developer.  Some vendors have
> re-written user SVCs to be safe, in order to be able to provide an
> integrity statement comparable to IBM's.

I agree! Though it's worth noting that even IBM's statement doesn't
claim that it's impossible; it just claims that if you find an exploit
they will "accept as valid" an APAR describing the problem.

> If they won't give you an integrity statement on company letterhead,
> then why would you be willing to install their software on the
> computer you pay IBM millions of dollars for, for which IBM does
> give you an integrity statement?

Not all IBM products come with such a statement either. But I agree
the direction is good, and IBM was *way* ahead of the rest of the
world in recognizing and accepting the whole concept. To this day the
original set of conceptual exploits they described in 1974 covers
everything, to the best of my knowledge.

Tony H.