
IBM has posted a support note regarding my blog entry about Sametime Plug-ins and passwords.

You can read it here:
http://www-10.lotus.com/ldd/nflsblog.nsf/dx/response-to-plug-in-security

Comments

1 - Feeble double-talk in that blog posting. If they took security as seriously as they are claiming, the API call to retrieve a password in clear text would be disabled in a hotfix. At a minimum, there should be an option to disable that specific API call (via an admin policy). As mentioned in their post, other mechanisms are available to avoid repeated login requests, so there's no legitimate reason to have the password retrievable in clear text. As for the upcoming technotes aimed at describing the other mechanisms in more detail, those will do nothing to close this gaping hole.

As it stands today, there's no way to know whether a 3rd party plug-in utilizes and/or abuses the Sametime API call to retrieve a password in clear text. None. Consequently, we cannot trust any 3rd party Sametime plug-ins. Signed or not, they can't be trusted. What am I missing? I'm completely appalled at their lack of urgency over this matter.

From everything in that blog posting, IBM still doesn't see the problem. Wow. Astoundingly inept doesn't begin to describe their reaction to what you've outlined Carl. Essentially they've said, something else is insecure too, so we're OK. That's just dumb.

Someone, please, tell me I'm misreading their blog post. Then again, that's probably the response Carl's been fed for months now...

2 - Rod

As you noted in the IBM posting there is more information to come on this topic. It was considered better to get an initial statement of intent out rather than remaining silent for longer.

I can assure you that it is being treated very urgently and your suggestions are being read. Making any change, such as those you have suggested here, has to go through a careful review to understand all the possible implications. Many customers and partners could be impacted.

I'm sure you may not believe me if I told you there has been and continues to be lots of focus on this, so let's leave it at that for now.

Rob Ingram, Lotus Sametime Product Mgt

3 - Rob, thanks for the update.

@1 I'm looking forward to reading IBM's complete technote. Maybe we'll discover something new on how to secure Sametime.

4 - @2: Fair comments Rob, which probably wasn't easy given the rather invective tone I set.

Thanks for responding here. My read of the blog posting was that IBM had not changed their stance (IBM's previous response to Carl that it's not an issue). I appreciate hearing otherwise, and I look forward to a real solution.

5 - IBM just had massive layoffs in Lotus including more than half of their security team so it is safe to assume this is not a priority for them.
