[Info-vax] DECnet Phase IV and VMS code comments

David Froble davef at tsoft-inc.com
Mon Nov 28 02:26:48 EST 2016


Simon Clubley wrote:
> On 2016-11-26, Kerry Main <kemain.nospam at gmail.com> wrote:
>> [snip..]
>>
>> Regardless of the company logo, my experience (including often
>> working closely with CSSE - WW interface for DEC Field Services
>> to Engineering) with the culture in OpenVMS engineering was/is
>> that security was always a top priority. If the issue was OpenVMS
>> related, I highly doubt the statement "the security issue is
>> their problem" ever came up. 
>>
> 
> The problem, Kerry, is that VSI still seem to be stuck in the old
> mindset of how things were done in the old days of the 1980s/1990s
> and don't seem to have adapted to how security issues are handled
> in today's environment.

I think what Kerry has stated is that DEC never took security lightly.  No, they 
didn't see problems back then that are seen today.  But if DEC was still around 
today, it's my guess they would be above average in being aware of security.

As for VSI, you have no idea what they will be doing in the future, and they are 
too new and small to have already done everything everyone is expecting.  Now, 
if you have some things you want them to concentrate upon, well, I think it's 
been well stated that takes approaching them with some cash ....

> A really simple example: VSI _still_ didn't have a secure security
> vulnerability reporting mechanism established the last time I checked
> their website; they seem to be completely dismissing the possibility
> that security issues may be reported by unrelated third parties who
> may expect things to be done in a certain industry established way.

Ya know, before you mentioned it, I was unaware that "security researcher" was a 
profession.  I'm still a bit skeptical.  "Industry established way", hmmm, 
another declaration of standards I'm unaware of.  Guess I REALLY don't get out 
much ....


> Another example: do VSI have any plans in place to do coordinated
> releases of patches with HP if a security vulnerability is found which
> requires a patch to be created and released? This coordination is
> absolutely standard these days, but I've yet to hear VSI say anything
> about this.

What's standard for VSI is whatever they say is standard for VSI.

>> Re: DECnet Phase IV - Hindsight is always 20-20. 
>>
>> However, it's fair to say that those who developed a new
>> networking architecture 35+ years ago (when the design started -
>> not when it was released) had no idea of the chaotic world
>> networks would evolve into today.
>>
> 
> It's not really to do with hindsight - IP and friends have also had
> to adapt to the changing security world as well, both in terms of
> protocol changes and in terms of changes to the various code bases.
> 
> The question you should be asking is: is there anything in DECnet
> Phase IV (or the other DEC network protocols) which requires similar
> changes and have those changes been implemented over the years or not?

As a product, DECnet is no longer being developed.  If some can make use of it, 
as it is now, fine, but, don't expect anything new.  Or, approach VSI with some 
cash.


