[Info-vax] DCL vulnerability write up on The Register
Simon Clubley
clubley at remove_me.eisner.decus.org-Earth.UFP
Wed Feb 7 09:08:15 EST 2018
On 2018-02-06, IanD <iloveopenvms at gmail.com> wrote:
> Oh dear...
>
> This isn't going to win any OpenVMS friends or win over people who were fence
> sitting wondering if they should stay with the platform or move on
>
> Fair enough that an exploit was found, harsh that it's being exposed at a
> time when OpenVMS is trying to make a comeback
>
What does that have to do with anything other than it was VSI's public
statements that motivated me to go probing VMS in order to try and see
what the truth about VMS's security really was?

My goal here is to do what is best for the existing VMS user community
as they are the ones who are vulnerable to any VMS security issues.

It is not to do what is best for VSI if that is in conflict with what
is best for the user community (especially since VSI's public language
may be motivating people to go probing VMS and some of those people may
not have the same altruistic motives that I do).

I should also point out that I have been _extremely_ flexible about how
I have responded to this. People said a couple of months ago that enough
time had not yet elapsed because it takes a long time for VMS sites to
patch their systems.

Instead of just saying that your vendor (VSI) has been making statements
about how VMS is the most secure operating system on the planet and how
I was merely holding them to their public standards, I instead said that
I would hold off for another 3 months before releasing the details.

I doubt you will find many third party researchers who would be willing
to do that in light of VSI's public language.

Even now, I was careful about what I released so that more people now
know about this before March (and can do something about it) but without
telling them the full details.

IOW, if you can't handle what I am doing, then you most certainly will
not be able to handle what third party researchers will do if they become
motivated by the language on the VSI website to go probing VMS.

Simon.
--
Simon Clubley, clubley at remove_me.eisner.decus.org-Earth.UFP
Microsoft: Bringing you 1980s technology to a 21st century world