[Info-vax] IS everyone waiting?

[David Froble]

Simon Clubley wrote:
> On 2016-10-20, David Froble <davef at tsoft-inc.com> wrote:
>> Simon Clubley wrote:
>>> Situation 1:
>>>
>>> A flaw is discovered in a network stack (whether it's TCP/IP, LAT or
>>> DECnet doesn't matter) which allows someone to take down a VMS system
>>> remotely at will by exploiting this flaw in the stack without requiring
>>> any authentication. This network stack is required for your production
>>> operations however and cannot be disabled.
>>>
>>> What do you do ?
>> I'll adopt Jan-Erik's attitude, first, let's see such a flaw.
>>
> 
> Wait-and-see (and do nothing in the mean time) is certainly an option
> open to you, but have you considered how little time you may have to
> react once an exploit becomes public ?
> 
> What you have to understand is that in today's world, the security
> researcher, and not the vendor, is the one in charge of the
> disclosure timeline and hence is the one who gets to decide when
> details of a vulnerability will be released.
> 
> Fortunately, the responsible disclosure protocol also gives the
> vendor a reasonable amount of time to create patches before the
> researcher makes the vulnerability details public.
> 
> Like it or not (and I know you don't) that's the world as it exists
> today (and for _very_ good reasons) and it's the world that VSI
> voluntarily joined when VSI started writing the stuff they did on
> their own website.
> 
> An example vulnerability workflow might go something like this:
> 
> 1) The researcher will contact the vendor with details of the
> vulnerability and give them, for example, 2 months to fix it before
> announcing the vulnerability details. This might be extended a bit
> if the vendor requests more time to fix the problem but that's up
> to the researcher to decide.
> 
> During this time, you, the owner of the software in question, will
> know nothing about this vulnerability and hence cannot do any planning.
> 
> 2) After a couple of months (or earlier if the patches are released
> sooner) the top level details of the vulnerability will become public
> knowledge. At this point one of two things will happen:
> 
> 2a) The security researcher chooses to give the user community some
> time to apply the patches before releasing the details. This extra
> time might be in the 1-2 months timeframe so this gives you 1-2 months
> to decide what you are going to do if you don't have a supported
> system.
> 
> or
> 
> 2b) The security researcher chooses to release the exploit details,
> along with example code, right away. If you don't have a supported
> system, you now have a system with a vulnerability which has now
> suddenly become public knowledge without any chance for you to prepare.
> 
>> Note, not all internal networks need to be accessible from the internet.
>>
>> Frankly, I'm sure I'd devise some way to keep the bad guys away from that system.
>>
>> And, if you have HP support, are you confident they could fix the problem?  Or 
>> are you just looking for someone to sue?
>>
> 
> Suing people seems to be _your_ obsession David, not mine. :-)

No, but I got eyes, and ears, and can see and hear what's happening ...

> No, my goal here is simple: to make people consider various things
> instead of just allowing them to stick their head in the sand.
> 
> As for the HPE question, no, it's actually a concern of mine about
> whether HPE would be able to respond in the timeframe required
> when third party researchers start getting involved in probing
> VMS security.
> 
> However, if you have a support contract, and if your systems are
> running a supported VMS version, then you are still going to be
> better off than if you are running without support on an old VMS
> version.

Just to set the record straight, I've always advocated using the latest version 
of VMS.  The sole exception was V8.4, for obvious reasons, and with what was 
distributed, I think my fears were justified.

I've got the VSI Alpha V8.4-2 evaluation stuff running on one of my systems. 
And I'll use the production version, if it becomes available.