[Info-vax] IS everyone waiting?

Craig A. Berry craigberry at nospam.mac.com
Thu Oct 20 19:46:14 EDT 2016


On 10/20/16 4:57 PM, David Froble wrote:
> Simon Clubley wrote:
>> On 2016-10-20, David Froble <davef at tsoft-inc.com> wrote:
>>> Simon Clubley wrote:
>>>> What if a security issue is discovered next year which affects
>>>> Alpha VMS as well ?
>>> Hmmm ....  "discovered" sort of implies that it's always been there,
>>> and is now "discovered".  I'm guessing that regardless, the Alphas
>>> and VMS will still do what they did pre-discovery?

And if a new lock-picking technique is discovered, the lock on your
front door will still do what it always did: protect against the old
lock-picking techniques that no one is using anymore because there is
now a better one available that people who haven't upgraded cannot
defend against.

>>> Perhaps remedial
>>> steps could be taken to avoid discovered security issues?

Mitigations and workarounds are sometimes possible. Usually with some
disruption of service. Always with huge infusions of emergency staff
time, disrupting whatever else those people were working on.

>> Situation 1:
>>
>> A flaw is discovered in a network stack (whether it's TCP/IP, LAT or
>> DECnet doesn't matter) which allows someone to take down a VMS system
>> remotely at will by exploiting this flaw in the stack without requiring
>> any authentication. This network stack is required for your production
>> operations however and cannot be disabled.
>>
>> What do you do ?
>
> I'll adopt Jan-Erik's attitude, first, let's see such a flaw.

At which point you are in your back yard, locked out of your house, with
your pants down, while the bad guys are helping themselves to whatever
is inside. If you can't tell whether "inside" refers to "your house" or
"your pants," that's an indication of how vulnerable you are.

> Note, not all internal networks need to be accessible from the internet.

Not usually necessary for most modern exploits as long as it's connected
to a network where other systems have internet access (or physical
access of course).

> Frankly, I'm sure I'd devise some way to keep the bad guys away from
> that system.

Shutting it off generally works, yes. Sometimes internal zoned firewalls
can help.

> And, if you have HP support, are you confident they could fix the
> problem?  Or are you just looking for someone to sue?
>
>> Situation 2:
>>
>> A flaw is discovered within the VMS kernel or privileged utilities which
>> allows a local unprivileged user to elevate their privileges at will.
>>
>> What do you do ?
>
> If I cannot trust my employees, assuming that's who might be interactive
> users on the system, then I got a bigger problem.  And any employees who
> do something they shouldn't are out the door, immediately.

So if one of the thousands of peecees on the network gets hacked and
executes a secondary exploit on your VMS system, you fire the employee
who sits in front of that peecee? On the one hand, too little, too late.
On the other hand, very likely just blaming the victim and adding
self-inflicted damage to the damage you've already suffered.

> Again, if you have HP support, are you confident they could fix the
> problem?

HPE is a huge company with lots of capable people and the wherewithal to
do the right thing whenever it chooses to. It may not choose to as often
as we would like, but getting help on unsupported software is a lot less
likely than getting help on supported software.


