Re: UnixWare

[spaf () cs purdue edu (Gene Spafford)]

> I do not see any major advantage of being in FIRST, other than for namesake.

As someone inside a FIRST group, I can tell you there is an advantage
for our organization.  That may not be true for every group.

> I have e-mailed a couple FIRST contacts on a couple of occasions with dismal
> response.

Have you e-mailed it to a FIRST address, or to a group that is a FIRST
member?  I don't recall seeing mail from you on any actual FIRST
mailing list.  If you mailed it to a FIRST-member group, they would
have handled it internally according to their own policy -- that may
have included not forwarding it on, especially if you were not a
member of their defined constituency.  For that matter, are you sure
you mailed it to an official address for those teams?

Mail to all FIRST teams can be sent to first-teams () first org  If you
report a bug there, you will be sure of getting attention paid to it
by *lots* of people.

> Anyways, my point is that just because a corporation is not in FIRST
> make it not security conscience with its customers.    

That was not my point.  It's a matter of on-going awareness of what
the rest of the community is doing, and with having good
communications with other security specialists.  The fact that some
companies don't seem to even be aware of attempts to form a coherent
front in this regard is the problem.

Anyhow, conversation with some people at HP (as a result of this
thread) indicate that they will have personnel attending the FIRST
workshop in July, and they are considering joining.  That's wonderful.
What's more, they responded to me because they got a copy of my
comments posted to this list.  That's a really good sign too.

I have also learned as a result of this thread that HP has made some
major changes in the last few months as regards their customer support
and response.  That's great -- we need participation of the big
vendors in the community.  Now if we could get that kind of organized
response from some of the others...

This all got started because I tried to remind people that
CERT/CIAC/NASIRC/ASSIST/Santa Claus is not why we have problems; they
didn't put the bugs in your systems, and they aren't responsible for
fixing them.  The bugs came from your vendors, and it is up to those
vendors to provide working fixes.  That is where we need to focus our
attention. 

This is a whole new arena.  There are growing pains involved in
finding the most effective and least damaging ways to spread security
fixes and information on the Net.  This list is one aspect of this
change. 

In any event, this is all farther and farther afield from the central
focus of bugtraq as I understand it.  If someone wants to know more
about my views on response teams, attend the July workshop, listen to
my keynote talk, then buy me a beer to talk it over. :-) Meanwhile,
let's let this list go back to the other petty squabbles about smtp,
screend, etc. :-)

--spaf










> May no longer be true?  I am not even an HP customer and I can get their
> patches.   Read my FAQ for more information.  I post it on the security
> newsgroups monthly.
>
> Subject: computer-security/vendor-contacts FAQ
> Newsgroups: alt.security,comp.security.misc,comp.security.unix,comp.unix.admin,comp.answers,news.answers,alt.answers
> Followup-To: poster
> Reply-To: cklaus () shadow net
> Organization: ISS, Inc.
> Distribution: world
> Keywords: security contact vendor
>
> Archive-name: computer-security/vendor-contacts 
> Posting-frequency: monthly
> Last-modified: 1994/04/04
> Version: 1.4
>
> "It [Vendor Security Contact FAQ] is the kind of thing that makes you look
> good at work when your boss decides he's joe security and wants a patch (for
> like rdist - duh!) yesterday..." -- Tim Scanlon, System Analyst
>
>
>
>       Vendor Security Contacts: Reporting Vulnerabilities 
>       and Obtaining New Patches
>
>
>       The following FAQ is a list of security contacts to reach at various
> vendors for reporting security vulnerabilities and obtaining new security
> related patches.  
>       With the rising number of people and hosts gaining access to the
> Internet, the basic integrity of the Net needs to be maintained.  Many of
> security incidents that happen on Internet could have been avoided by
> installing security patches that are available by vendors.  It is important
> to get the recent patches and ensure that your systems are configured
> properly.  With intruders and their underground network having quick access
> to security vulnerabilities, it is important that administrators have
> security information available and not rely on just One organization.
>
>       Here are the security contacts that information is available for:
> A/UX, Cray, Dec, HP, IBM, Next, SCO, SGI, and Sun.  
>
>       When reporting a new security bug, try to be as specific as
> possible about how to reproduce it, which OS release (uname -a), and any
> other release numbers of software that are involved.
>
>
>
>
> A/UX
>
> Contact information for A/UX as follows:
>
> Send security related information to the following people:
>       Erik E. Fair fair () apple com
>       and CC: staff () apple com
>
>       antonio () aux support apple com (A/UX support person).
>
>
>
>
> Cray
>
> Contact information for Cray as follows:
>
> Cray Research customers should first direct questions and concerns to on-site
> support personnel (if provided by their service contract).  Other contacts
> should be made through the
>
>   Technical Service Center
>   Cray Research, Inc.
>   655F Lone Oak Drive
>   Eagan MN 55121 
>   USA
>
>   tel. +1-612-683-5600
>   email. support () cray com
>
>
>
> Dec
>
> Contact information for Dec as follows:
>
> Send security related information to the following people:
>
> Reid, Brian K.  (BKR)  reid () PA DEC COM (415) 688-1307
> Peck, Joseph R.  (JRP50)  peck () PA DEC COM (415) 688-1341
> Rich Boren rich.boren () cxo mts dec com (719) 592-4689
>         
> Security patches are issued by Customer Support Centers.
>
>
>
>
> HP
>
> Contact information for HP as follows:
>
>         
>       For security concerns, questions, or problems, you can contact:
>         
>         security-alert () hp com
>
>       
> Obtaining Patches:
>
> The HP SupportLine mail service is available to anyone who can send electronic
> mail via the Internet.
>
> If you have access to the Internet or can send electronic mail via an Internet
> mail forwarder, you can use the HP SupportLine mail service.
>
>
> ********************************************************************************
> *                How do I access the HP SupportLine mail service?              *
> ********************************************************************************
>
>
> o  To obtain a copy of the HP SupportLine mail service user's guide, send the
> following in the TEXT PORTION OF THE MESSAGE to support () support mayfield hp com
> (no Subject is required):
>
>    send guide
>
> Note: The HP SupportLine mail service user's guide is formatted using nroff. If
> you would like an ASCII version of the user's guide or if you are utilizing a
> non-UNIX mail reader, replace "send guide" with "send guide.txt".
>
> o  Once your request is received, the HP SupportLine mail service will send you
> a copy of the user's guide.
>
> o  If you encounter any problems using the HP SupportLine mail service, report
> them to support-feedback () support mayfield hp com
>
> ********************************************************************************
> *                     What mailing lists are available?                        *
> ********************************************************************************
>
> The following is a list of all mailing lists available via the HP SupportLine
> mail service:
>
> mailing_list_name    Description
> -----------------    -----------
> hpux_all_patch       weekly digest of all new hp-ux patches
> hpux_300_patch       weekly digest of all new hp-ux s300_400 patches
> hpux_700_patch       weekly digest of all new hp-ux s700 patches
> hpux_800_patch       weekly digest of all new hp-ux s800 patches
>
> dom_all_patch        weekly digest of all new domain patches
> dom_m68k_patch       weekly digest of all new domain m68k patches
> dom_a88k_patch       weekly digest of all new domain a88k patches
>
> technical_tips       weekly digest of new HP Technical Tips
> existing_news        monthly digest of new Existing Product News
> general_news         monthly digest of new HP General News
> new_products         monthly digest of new HP Product Information
> security_info        Latest digest of new HP Security Bulletins
> security_info_list   Index of available HP Security Bulletins
>
>
> o  To subscribe to an  HP SupportLine mail service mailing list, send the
> following in the TEXT PORTION OF THE MESSAGE to support () support mayfield hp com
> (no Subject is required):
>
>    subscribe mailing_list_name  (i.e. subscribe hpux_all_patch)
>
> On a weekly or monthly basis, the HP SupportLine mail service will create and
> distribute the requested mailing_list_name digest directly to your mailbox.
>
>
> ********************************************************************************
> *                     How do i get a Patch from HP?                            *
> ********************************************************************************
>
> If you know the name of the patch needed, Email to:
>
> support () support mayfield hp com 
>
> with the body of the message stated as:
>
> "send PHKL_9999"
>
> The patch will automatically be mailed back to you with a mail unpacker 
> script (patch_maker).
>
> If you just want the README for the patch, Email a message to:
>
> support () support mayfield hp com
>
> with the body of the message stated as:
>
> "send doc PHKL_9999"
>
> The patch README will be mailed back to you.
>
>        
>       Response Center Customers: 1-800-633-3600
>         BasicLine Customers:  1-415-691-3888
>         Also try email to bkelley () cup hp com
>
>         Outside the U.S., contact your local Response Center.
>
>
>
>
> IBM
>
> Contact information for IBM as follows:
>
>
>   IBM support @ 1-800 237-5511
>   Email to services () austin ibm com 
>        
>
>   Send security related information to Nick Trio (nrt () watson ibm com,
> a.k.a. postmaster () ibm com) Unix person on IBM's Computer Emergency Response
> Team) and Alan Fedeli (fedeli () vnet ibm com).
>
>   There are some security patches on anonymous FTP software.watson.ibm.com
> in pub/aix3 for AIX.
>
> Security patches are issued through your IBM sales office.
>
> Some of the following patches that are available are:
> Patch: ix22628   Fix: Corrects TFTP from allowing people to grab /etc/passwd.
>
>
>
> Next
>
> Contact information for Next as follows:
>
> Technical Support at "ask_next () next com"   
> Phone number: 800.848.6398.
>
> Address is 900 Chesapeake Drive; Redwood City, CA; 94063.
>
>
>
> SCO
>
> Contact information for The Santa Cruz Operation (SCO):
>
> Send security related information to:
>
>   security-alert () sco com
>
> Security patches are issued on an as-needed basis and will be available
> at ftp.sco.com and its mirrors.
>
> When submitting information about a security problem, please include
> output of the following commands:
>
>   uname -X
>   swconfig
>   hwconfig -h        (if hardware-related)
>
> and as much detail about the problem as you can muster.
>
>
>
> SGI
>
> Contact information for SGI as follows:
>  
> Send security related information to:
>
>   security-alert () sgi com
>
> If there is no response, try Dave Olson olson () anchor esd sgi com.
>
>       Support line 1-800-800-4SGI and ask what patches are available.
>       
>       There are some security patches on anonymous FTP sgi.com in
> directory sgi/IRIX4.0 (or 5.0 if the system is IRIX5).
>
> Security patches are issued through your SGI sales office.
>
>
>
> Sun
>
> Contact information for Sun as follows:
>
>   email: security-alert () sun com
>   phone: 415-688-9081
>   Fax:   415-688-9101
>
> postal:
>   Sun Security Coordinator
>   MS MPK2-04
>   2550 Garcia Avenue
>   Mountain View, CA 94043-1100
>
> Sun produces "Sun Security Bulletin" - ask security coordinator for it.
>
>
> Other Resources
>
>    The CERT (Computer Emergency Response Team) advisory mailing list.  Send
> e-mail to cert () cert org, and ask to be placed on their mailing list.  Past
> advisories and other information related to computer security are available
> for anonymous FTP from cert.org (192.88.209.5).
>
>    The CIAC (Computer Incident Advisory Capability) of DoE.  To report a
> vulnerability, call CIAC at (510) 422-8193 or send e-mail to ciac () llnl gov.
> Previous CIAC bulletins and other information is available via anonymous
> ftp from irbis.llnl.gov (ip address 128.115.19.60).  
>
>
> Standard Form From CERT
>
> Here is the form CERT provides for reporting new vulnerabilities found
> in Unix platforms.
>
>                       CERT Coordination Center
>               Product Vulnerability Reporting Form
>
>
>                        Reporter Information
>
> Reporter name                 : 
> Reporter e-mail                       : 
> Reporter phone / fax          :
> Reporter affiliation and address: 
>
> Reported to vendor: Y/N
>       Date of report          : 
>       Vendor contact name     : 
>       Vendor contact phone    :
>       Vendor contact e-mail   : 
>       Vendor reference number : 
>               
>
> ===============================================================================
>                            Policy Info
>
> Reporter Considerations
>       Pass name to vendor?    : 
>       Use name in advisory?   : 
>
> Special considerations (e.g. restrictions on dissemination): 
>
> ===============================================================================
>                           Technical Info
>
> Vulnerability number (after assigned by CERT) : 
>
> Problem Description: 
>
> Impact: 
>
> Currently being exploited?    : Y/N
>
> Exploitation: 
>
> Systems and/or configurations vulnerable
>       System          : 
>       OS version      : 
>       Verified/Guessed: 
>
> Workarounds and/or fixes: 
>
> Problem Analysis: 
>
> Source code, logs, or other supporting technical info: 
>
>
>
> Acknowledgements
>
> Thanks Dave Millar for helping provide a portion of the information.
>
>
> Copyright
>
> This paper is Copyright (c) 1994 by Christopher Klaus
>
>       Permission is hereby granted to give away free copies.  You may 
> distribute, transfer, or spread this paper.  You may not to pretend that
> you wrote it.  This copyright notice must be maintained in any copy made.  
>
>
> Disclaimer
>
>       The information within this paper may change without notice. Use of
> this information constitutes acceptance for use in an AS IS condition.
> There are NO warranties with regard to this information. In no event shall
> the author be liable for any damages whatsoever arising out of or in
> connection with the use or spread of this information.  Any use of this
> information is at the user's own risk.
>
>
>
> Address of Author
>
>       Please send suggestions, updates, and comments to:      
>  
>       Christopher Klaus <cklaus () shadow net>
>
>
>
>
>
> -- 
> Christopher William Klaus  Email: cklaus () shadow net  Author:Inet Sec. Scanner
> 2209 Summit Place Drive,Dunwoody, GA 30350-2430. (404)998-5871.