>Date: Mon, 11 Apr 94 14:35:44 -0400
>From: Mark Moraes <Mark-Moraes @
>However, grotesquely buggy software is a separate can of worms. The last
>time I heard a software vendor talk about security, they (as always)
>focused on password aging schemes, C2 level security, etc. Absolutely
>nothing about fixing many well-known problems (we had already documented
>those problems) in existing daemons, vetting the systems for basic
>security and code quality. Sorry, to me, the latter is part of general
>operating system support.
Quite true -- but here, you're bringing up the issue of system
"integrity" -- which is different from, but closely related to,
security. Indeed, I think of them as two side of the same coin: you
can't have one without the other.
There are some vendors (I *hope* the plural is justified!) who take
"integrity" seriously. (I've spent the previous 12 years as an IBM
mainframe (MVS) systems programmer; defending IBM isn't something that
comes very natural to me.... :-} Nevertheless, based on the system
maintenance that I did during that time, as well as converstaions with
IBMers & other systems folk, I got the distinct impression that IBM
treated "system integrity" as an extremely important issue. This is
one respect in which I believe that IBM has had a good approach to such
things. Of course, different parts of IBM may well treat such things
differently -- and the changes within IBM of late are certain to have
externaly visible changes, some of which may affect all of this. Your
mileage may vary; void where prohibited, etc., etc.)
In any case, if there is a hole in the system integrity, there is
certainly the possiblity of a hole in its security... and vice versa.
We need to make sure that both vendors *and* the folks spending the
money are aware of the importance of both issues -- and that trying to
address one without the other is a lost cause... and certainly ought to
result in a lost sale.
Yours for trying to keep the vendors honest,
David H. Wolfskill david @