[Info-vax] IS everyone waiting?
David Froble
davef at tsoft-inc.com
Thu Oct 20 21:46:37 EDT 2016
Craig A. Berry wrote:
> On 10/20/16 4:57 PM, David Froble wrote:
>> Simon Clubley wrote:
>>> On 2016-10-20, David Froble <davef at tsoft-inc.com> wrote:
>>>> Simon Clubley wrote:
>>>>> What if a security issue is discovered next year which affects
>>>>> Alpha VMS as well ?
>>>> Hmmm .... "discovered" sort of implies that it's always been there,
>>>> and is now "discovered". I'm guessing that regardless, the Alphas
>>>> and VMS will still do what they did pre-discovery?
>
> And if a new lock-picking technique is discovered, the lock on your
> front door will still do what it always did: protect against the old
> lock-picking techniques that no one is using anymore because there is
> now a better one available that people who haven't upgraded cannot
> defend against.
>
>>>> Perhaps remedial
>>>> steps could be taken to avoid discovered security issues?
>
> Mitigations and workarounds are sometimes possible. Usually with some
> disruption of service. Always with huge infusions of emergency staff
> time, disrupting whatever else those people were working on.
>
>>> Situation 1:
>>>
>>> A flaw is discovered in a network stack (whether it's TCP/IP, LAT or
>>> DECnet doesn't matter) which allows someone to take down a VMS system
>>> remotely at will by exploiting this flaw in the stack without requiring
>>> any authentication. This network stack is required for your production
>>> operations however and cannot be disabled.
>>>
>>> What do you do ?
>>
>> I'll adopt Jan-Erik's attitude, first, let's see such a flaw.
>
> At which point you are in your back yard, locked out of your house, with
> your pants down, while the bad guys are helping themselves to whatever
> is inside. If you can't tell whether "inside" refers to "your house" or
> "your pants," that's an indication of how vulnerable you are.
>
>> Note, not all internal networks need to be accessible from the internet.
>
> Not usually necessary for most modern exploits as long as it's connected
> to a network where other systems have internet access (or physical
> access of course).
>
>> Frankly, I'm sure I'd devise some way to keep the bad guys away from
>> that system.
>
> Shutting it off generally works, yes. Sometimes internal zoned firewalls
> can help.
>
>> And, if you have HP support, are you confident they could fix the
>> problem? Or are you just looking for someone to sue?
>>
>>> Situation 2:
>>>
>>> A flaw is discovered within the VMS kernel or privileged utilities which
>>> allows a local unprivileged user to elevate their privileges at will.
>>>
>>> What do you do ?
>>
>> If I cannot trust my employees, assuming that's who might be interactive
>> users on the system, then I got a bigger problem. And any employees who
>> do something they shouldn't are out the door, immediately.
>
> So if one of the thousands of peecees on the network gets hacked and
> executes a secondary exploit on your VMS system, you fire the employee
> who sits in front of that peecee? On the one hand, too little, too late.
> On the other hand, very likely just blaming the victim and adding
> self-inflicted damage to the damage you've already suffered.
>
>> Again, if you have HP support, are you confident they could fix the
>> problem?
>
> HPE is a huge company with lots of capable people and the wherewithal to
> do the right thing whenever it chooses to. It may not choose to as often
> as we would like, but getting help on unsupported software is a lot less
> likely than getting help on supported software.
Wow! Maybe Simon's clone?
:-)
I'm not claiming that you haven't mentioned some potentially serious problems.
You have. But overall, I doubt things would get quite so bad.
No, I'm not about to suggest shutting down the company and going out of
business. That's not going to happen. So, you address problems as
appropriately as possible, that's what we do.
We do have some safeguards and logging in place. Not going to get into details.
I do have a bias. I would not trust HP to "do the right thing". Their track
record sort of shows that. Nor do I need any more trash from India. Do I need
to mention more than SSL1, which I can get to work VMS to VMS, but not VMS to
anything else. It's probably my fault, not too proud to admit that.
Nor am I into punishing the innocent ....
So, what's your VMS software support contract with HP really worth?