[Info-vax] (Hypothetical only) Major new security issue for VAX/Alpha. What do you do ?

IanD iloveopenvms at gmail.com
Sun Sep 25 09:57:11 EDT 2016


On Sunday, September 25, 2016 at 4:44:52 AM UTC+10, Simon Clubley wrote:

<snip>

> This is a hypothetical discussion prompted by Ian's discussion of
> emulated VAX/Alpha environments and my ongoing concerns that VMS
> on x86-64 will put it into the hands of a larger range of security
> researchers who might discover new VMS security related bugs (and
> maybe even new classes of VMS security bugs).
> 

This certainly has me worried.

More from the point that OpenVMS is trying to get going again and that any negative security press on the road to recovery will scuttle us, I think almost irreversibly. Really? That bad? Yes, because hanging on OpenVMS is the age-old mantle of it being a secure OS (I'm not debating the validity of that status).

I know it's not possible to create a 100% bulletproof OpenVMS, but I do fear that, should OpenVMS start to rise in the ranks again, someone out there, whether a competitor or a fanatic or someone with a grudge or a criminal organisation with funds to suit, could focus on OpenVMS and bring it down in public view.

The need to have a security framework for all aspects of OpenVMS, from bug reporting to testing to wider involvement and publications, is as important as getting OpenVMS over to x86, IMO.
To wait until later would, I think, be a grave error. It could very well bring all that awesome work that's been done so far to nought if we get caught with our security pants down.

People will tolerate machine crashes and/or stumbles along the way to getting onto x86; what they will not tolerate, however, is security vulnerabilities, especially if they are seen as items that should have been repaired long ago and/or common methods of attack / exploitation, like what was revealed at that Defcon gathering a few years back. That was seriously embarrassing.

Unfortunately, legal sits at the top of the tree in most western societies. This means that any vulnerability found needs to be acted upon, or you run the risk of compensation being sought should you choose not to act, and act quickly, on security issues. What company knowing about an issue on their system, where external customers' data / businesses are directly influenced by an OpenVMS system, will choose to do nothing about a major security issue? Hiding under a rock is not an option here.

If a major issue in security was exposed on the old Alpha systems I look after (ignore the fact that they are replacing the systems anyhow), then we would be forced to look at patching, and if that was not available, the systems would be earmarked for replacement.

We could simply not afford to put ourselves in a position to cop legal action from our customers should the system be trashed / compromised through a security flaw. Customers these days will not cop it on the chin anymore; they have costs associated with a system being offline and write SLAs with hefty penalty clauses to make sure that any downtime is adequately recompensed.

Will we see OpenVMS bring in an auto-feedback mechanism like Windows has? That simple bit of functionality must have helped Windows immensely over the years in terms of helping refine the OS over time, as well as scanning for updates, versus the chronic situation for OpenVMS patching that we have today (PointSecure's patch analyser goes part of the way, but this should be coming from VSI going forward).

I hope VSI give patch access when they get their hobbyist program running. I'd be happy to provide running-system feedback data and/or participate in security analysis scanning as a way of giving back towards the upkeep of a hobbyist program. Maybe that's how VSI could involve a larger sample group, by asking for something back in return for a full-patch-access hobbyist program?
