IBM has posted a support note regarding my blog entry about Sametime Plug-ins and passwords.
Category Password Security
You can read it here
http://www-10.lotus.com/ldd/nflsblog.nsf/dx/response-to-plug-in-security
Comments
As it stands today, there's no way to know whether a 3rd party plug-in utilizes and/or abuses the Sametime API call to retrieve a password in clear text. None. Consequently, we cannot trust any 3rd party Sametime plug-ins. Signed or not, they can't be trusted. What am I missing? I'm completely appalled at their lack of urgency over this matter.
From everything in that blog posting, IBM still doesn't see the problem. Wow. Astoundingly inept doesn't begin to describe their reaction to what you've outlined Carl. Essentially they've said, something else is insecure too, so we're OK. That's just dumb.
Someone, please, tell me I'm misreading their blog post. Then again, that's probably the response Carl's been fed for months now...
Posted by Rod Stauffer At 05:20:04 PM On 02/06/2009
As you noted in the IBM posting there is more information to come on this topic. It was considered better to get an initial statement of intent out rather than remaining silent for longer.
I can assure you that it is being treated very urgently and your suggestions are being read. Making any change, such as those you have suggested here, has to go through a careful review to understand all the possible implications. Many customers and partners could be impacted.
I'm sure you may not believe me if I told you there has been and continues to be lots of focus on this, so let's leave it at that for now.
Rob Ingram, Lotus Sametime Product Mgt
Posted by Rob Ingram At 06:56:56 PM On 02/06/2009
@1 I'm looking forward to reading IBM's complete technote. Maybe we'll discover something new on how to secure Sametime.
Posted by Daniele Vistalli At 02:29:08 AM On 02/07/2009
Thanks for responding here. My read of the blog posting was that IBM had not changed their stance (IBM's previous response to Carl that it's not an issue). I appreciate hearing otherwise, and I look forward to a real solution.
Posted by Rod Stauffer At 04:21:10 PM On 02/07/2009
Posted by Bubba At 11:59:00 AM On 02/09/2009