Re: HP's security stance (was Re: UnixWare)

[spaf () cs purdue edu (Gene Spafford)]

> > 2) HP does not have a member or liason in FIRST, nor have they had
> > any presence at any of the incident response workshops.
>
> Considering CERT's amazing lack of contribution to improving security, I
> consider this a sign of HP's good faith. Some folks want to see security
> bugs fixed, not lovingly preserved for the amusement of future generations.

This not only evidences ignorance of what FIRST is all about, but
is insulting to the two dozen+ other groups in the organization.

It also display ignorance about CERT's mission, and about the
contributions that they actually have made to security.  (Although
people conveniently forget them.)

Many of us in FIRST groups (myself included) disagree with the way
CERT handles some things.  But we are all committed to improving the
security posture of our constituents.  Sun, DEC, Motorola, Apple and
Honeywell are all FIRST members, for instance, and I think that is a
display of concern for their customers and users.  Why aren't HP, SGI
and IBM in that list?  I doubt it has anything to do with "good
faith".

--spaf