[Info-vax] (Hypothetical only) Major new security issue for VAX/Alpha. What do you do ?

Simon Clubley clubley at remove_me.eisner.decus.org-Earth.UFP
Tue Sep 27 14:09:37 EDT 2016


On 2016-09-25, IanD <iloveopenvms at gmail.com> wrote:
> On Sunday, September 25, 2016 at 4:44:52 AM UTC+10, Simon Clubley wrote:
>
><snip>
>
>> This is a hypothetical discussion prompted by Ian's discussion of
>> emulated VAX/Alpha environments and my ongoing concerns that VMS
>> on x86-64 will put it into the hands of a larger range of security
>> researchers who might discover new VMS security related bugs (and
>> maybe even new classes of VMS security bugs).
>> 
>
> This certainly has me worried
>

I hope it gets discussed at the Bootcamp because right now I get
the feeling that VSI are burying their heads in the sand and are
in a "we will deal with it when it happens" mindset which is _way_
too late.

For goodness sake, VSI _still_ don't even have a secure method on
their website for a third party security researcher to report a
security issue along with any sensitive supporting material.

Even HP has a way for security researchers to securely provide that
information to them. :-(

> More from the point that OpenVMS is trying to get going again and
> that any negative security press on the road to recovery will scuttle
> us I think almost irreversibly. Really? That bad? Yes, because hanging
> on OpenVMS is the age old mantle of it being a secure OS (I'm not
> debating the validity of that status)
>

I think VMS will survive some initial security issues provided they
are not too obvious and provided they are handled correctly.

That latter point is exactly why VSI needs to be proactive instead of
reactive, especially when VSI are saying how secure VMS is compared
to the competition in their press releases.

> I know it's not possible to create a 100% bulletproof OpenVMS but I
> do fear that should OpenVMS start to rise in the ranks again, that
> someone out there, whether a competitor or a fanatic or someone with a
> grudge or a criminal organisation with funds to suit could focus on
> OpenVMS and bring it down in public view
>

Or it could simply be a security researcher who sees the "VMS is really
secure" stuff in the VSI press releases and goes "woah, major challenge
here (and challenge accepted!)". That could go bad for VSI very quickly
if not handled correctly.

Simon.

-- 
Simon Clubley, clubley at remove_me.eisner.decus.org-Earth.UFP
Microsoft: Bringing you 1980s technology to a 21st century world
