jimr@maths.su.oz.au (Jim Richardson) (08/16/90)
I'd like to draw the attention of HP/Apollo customers to an article titled "Sun's new customer warning system" (<PH.90Aug15160445@taos.cert.sei.cmu.edu> in alt.security and alt.sys.sun), where J. Paul Holbrook of CERT posts a message from Sun Microsystems' Software Security Product Manager Beverly Ulbrich describing a new system for security incident handling. The message begins:

>In order to best serve our customers' service needs, Sun has established a
>Customer Warning System (CWS) for handling security incidents. This is a
>formal process which includes:
> - Having a well advertised point of contact in Sun for reporting
>   security problems.
> - Pro-actively alerting customers of worms, viruses or other security
>   holes that could affect their systems.
> - Distributing the patch (and/or work-around) to our customers as
>   quickly as possible.

It goes on to advertise an email address, security-alert@sun.com, to which security problems may be reported. It also invites customers and Sun field offices to nominate a "Security Contact" for Sun to communicate with in the case of new security problems. To nominate such a contact, one sends email to the security-alert address, specifying the contact details, including postal and email addresses and phone and FAX numbers, and the preferred medium of contact for Sun to use.

Note how Sun is making full use of the Internet by facilitating two-way contact via electronic mail.

I feel HP needs to set up something along similar lines. Recent alarms over security problems in Domain/OS have demonstrated the necessity for a formal structure for transmitting security alerts to customers. Use of the Internet as one of the possible channels for such information is definitely the right way to go.

Perhaps people planning to send copies of the Open Letter to HP would consider enclosing a printout of the above-mentioned article, and/or advocating a similar policy from HP in a covering letter.
--
Jim Richardson
Department of Pure Mathematics, University of Sydney, NSW 2006, Australia
Internet: jimr@maths.su.oz.au  Phone: +61 2 692 2232  FAX: +61 2 692 4534
--
Please send any further Open Letter signatures to netpower@maths.su.oz.au.

krowitz@RICHTER.MIT.EDU (David Krowitz) (08/16/90)
Not only is Sun advertising their "customer warning system", but they are actively using it. MIT maintains an MIT-campus networking issues mailing list which forwards all CERT security messages to campus system admins. We just got a message from CERT concerning the nature and fix for a loophole in Sunview yesterday.

It can be done.

-- David Krowitz
krowitz@richter.mit.edu (18.83.0.109)
krowitz%richter.mit.edu@eddie.mit.edu
krowitz%richter.mit.edu@mitvma.bitnet
(in order of decreasing preference)