[Info-vax] (Hypothetical only) Major new security issue for VAX/Alpha. What do you do ?

Kerry Main kemain.nospam at gmail.com
Sat Sep 24 15:57:28 EDT 2016


> -----Original Message-----
> From: Info-vax [mailto:info-vax-bounces at rbnsn.com] On Behalf
> Of Simon Clubley via Info-vax
> Sent: 24-Sep-16 2:45 PM
> To: info-vax at rbnsn.com
> Cc: Simon Clubley <clubley at remove_me.eisner.decus.org-Earth.UFP>
> Subject: [Info-vax] (Hypothetical only) Major new security issue
> for VAX/Alpha. What do you do ?
> 
> [I added the hypothetical to the title line to avoid giving people
> here a heart attack while browsing the newsgroup thread titles. :-)]
> 
> This is a hypothetical discussion prompted by Ian's discussion of
> emulated VAX/Alpha environments and my ongoing concerns
> that VMS on x86-64 will put it into the hands of a larger range of
> security researchers who might discover new VMS security
> related bugs (and maybe even new classes of VMS security
> bugs).
> 
> Scenario:
> 
> Suppose someone discovers a major security issue in VMS for
> IA64 or x86-64 and it turns out to be a common mode
> vulnerability that causes VMS on all architectures (from VAX
> onwards) to be vulnerable.
> 
> Now suppose you have some of these vulnerable VAX or Alpha
> systems in production use (maybe in an emulated environment
> so you can continue to run them as-is without any hardware
> failure concerns).
> 
> Questions:
> 
> What would you do to tackle the problem that your old system,
> which is long off software support, now has a major new
> potential security hole in it ?
> 
> HP can't give you a patch for VAX and as I understand it, they
> won't be able to give you one for Alpha from the end of this year.
> [*]
> 

[snip..]

Never say never... there is a difference between "won't" and
"can't". The EOL dates are arbitrary, set to force customers to plan to
move to a supported version by a designated date. It does not
mean source code could not be pulled out of HPE backups if it was
required.

Technical side - The VAX/Alpha code is more than likely still
available (HPE backups or offsite storage) and, depending on the
nature and risk of the hypothetical security issue, HPE could
always resurrect it and create a fix. If the resource needed
to fix it was at VSI (historical?), then HPE could negotiate this
with VSI.

Business side - depending on the nature and risk of the
hypothetical VAX/Alpha security issue, HPE may decide to make
the fix available on the net, or only to customers under support, or,
if not under support, via some one-time payment, or likely other
options as well.

There are always options. 

For those willing to pay really(!) big $'s for post-EOL support
for an Alpha/VAX version, there may also be that option
from HPE.

Good example - MS still has customers paying big $'s for Windows XP
support.


Regards,

Kerry Main
Kerry dot main at starkgaming dot com
