[Info-vax] DCL vulnerability write up on The Register
Kerry Main
kemain.nospam at gmail.com
Sat Feb 10 11:43:35 EST 2018
> -----Original Message-----
> From: Info-vax [mailto:info-vax-bounces at rbnsn.com] On Behalf Of Bill
> Gunshannon via Info-vax
> Sent: February 10, 2018 10:03 AM
> To: info-vax at rbnsn.com
> Cc: Bill Gunshannon <bill.gunshannon at gmail.com>
> Subject: Re: [Info-vax] DCL vulnerability write up on The Register
>
> On 02/10/2018 08:25 AM, Kerry Main wrote:
> >> -----Original Message-----
> >> From: Info-vax [mailto:info-vax-bounces at rbnsn.com] On Behalf Of
> Bill
> >> Gunshannon via Info-vax
> >> Sent: February 10, 2018 7:31 AM
> >> To: info-vax at rbnsn.com
> >> Cc: Bill Gunshannon <bill.gunshannon at gmail.com>
> >> Subject: Re: [Info-vax] DCL vulnerability write up on The Register
> >>
> >> On 02/09/2018 10:31 PM, Kerry Main wrote:
> >>>> -----Original Message-----
> >>>> From: Info-vax [mailto:info-vax-bounces at rbnsn.com] On Behalf
> Of
> >>>> DaveFroble via Info-vax
> >>>> Sent: February 9, 2018 1:50 AM
> >>>> To: info-vax at rbnsn.com
> >>>> Cc: DaveFroble <davef at tsoft-inc.com>
> >>>> Subject: Re: [Info-vax] DCL vulnerability write up on The Register
> >>>>
> >>>> terry-groups at glaver.org wrote:
> >>>>> On Thursday, February 8, 2018 at 12:29:52 PM UTC-5, Stephen
> >> Hoffman
> >>>> wrote:
> >>>>>> HPE transitioned OpenVMS Alpha into mature support — that's
> >> HPE-
> >>>> speak
> >>>>>> for "no patches" — over a year ago.
> >>>>>
> >>>>> If I were paying HPE for support, I'd really have to question what
> >> type
> >>>> of "support" they were providing if they declined to produce a
> patch
> >> for
> >>>> a known CVE, particularly when they seem to know what the fix
> >> entails.
> >>>> Perhaps HPE "support" just means access to the library of out-of-
> >> date,
> >>>> no-longer updated patches, plus occasional "reading service" to tell
> >> the
> >>>> user that something is in the manual? Perhaps they should reduce
> >> their
> >>>> support pricing to reflect the reality of the "support" they are
> >> providing...
> >>>>
> >>>> If you were paying HPE for VMS support on Alpha, you'd be an
> idiot,
> >> or
> >>>> worse. I
> >>>> certainly hope nobody fits into this category.
> >>>>
> >>>
> >>> Let's not forget that some larger companies have policies that state
> ALL
> >> servers (esp. prod) MUST have support contracts in place. It is a risk
> >> mitigation strategy i.e. a single throat to choke.
> >>>
> >>> In the big scheme of Operations support contracts, I highly doubt
> that
> >> even overpriced Alpha support contracts are barely even a rounding
> error
> >> compared to what most companies pay annually in support contracts
> to
> >> Red Hat, Microsoft and/or Oracle.
> >>>
> >>
> >> Yes, but they actually get something for their money from them.
> >> Any CIO who pays for support for a system the vendor says they will
> >> not support should be fired for incompetence.
> >>
> >> bill
> >
> > You obviously have a much higher view of support from companies like
> Oracle than I do.
>
> As compared to HPE who sells support contracts for systems they openly
> advertise that they do not support.
>
All large vendors have statements of support that they advertise for various versions of products. This typically includes end of life statements as well.
Having stated this, if a Customer is willing to pay huge $'s for a custom support agreement, then the vendor may often agree to do a custom agreement that usually means limited support.
Case in point - Microsoft and its Windows 98 support agreements long after Windows 98 was officially declared end of life.
> >
> > At a prior site I was at, the DBAs logging a call with Oracle was a last
> resort to get a log number and keep their senior mgrs. off their back.
> However, the local DBAs rarely received what they were looking for.
>
> Would need a lot more information on the case to decide if there really
> was a problem that was Oracles or something else.
>
> Reminds me of a problem from my Primos days. Complaint was that
> Fortran programs comparing two real numbers were never found to
> be equal.
>
> R1 = 1.2345 + 5.4321
> R2 = 4.4444 + 2.2222
>
> IF (R1 .EQ. R2) THEN
> was never true....
>
> The reason is you can't compare real numbers for equality. You
> would have thought mathematicians would have known that, but no.
> The fix was to put a message in the compiler stating "Real numbers
> can not be compared for equality."
>
> So, what would you consider this? The customer did not receive what
> they wanted. But the problem was solved.
>
I am not talking about specific cases. This Customer's DBAs had a long history of dealing with Oracle support issues.
> >
> > I am sure the same could be stated for many Customers' view of MS
> support. Have not really dealt with RH, so can't say about them.
>
> Never had a problem with MS support. But then I never went to them
> with
> a stupid request. I, too, have never used RH support as I am more than
> qualified myself to handle any Unix problems.
>
> >
> > Certainly not trying to defend HPE's patch policies, but the hidden
> nugget is that if HPE patches get further and further behind, it will be
> more incentive for those Customers to jump to VSI.
> >
>
> But using the logic presented in this group, regardless of how bad the
> support is you should never consider changing anything.
>
> bill
What many in this group are stating is that upgrading via "rip-n-replace" strategies just because a technology is cool today, without a good understanding of the challenges of replacing 15+ years of heavily customized business logic and workflows that are integrated into the deep bowels of the current architecture, is a recipe for disaster.
Unless there is no such option (vendor out of business?), a much better go-forward strategy is not "rip-n-replace", but rather "upgrade-n-integrate".
In addition, it's very hard to justify spending millions of $'s to do a rip-n-replace strategy when the current solution has been rock solid with no issues. Especially when the re-testing and re-certification may be just as costly (usually much more) as the IT component upgrade costs. Not to mention, essentially putting on hold planned new functionality requested by the Business.
Staff resources - you can get a couple of OpenVMS support resources (local or remote) for perhaps $150K-$200k per year. Or you can get a remote support agreement with a company like SCI - reference:
<http://www.sciinc.com/>
These types of environments often mitigate their older server HW risks with local service contracts or by having multiple servers available on the shelf to act as spare parts.
As an example - perhaps a company has a few business applications running on Alpha 1000's. They can pick up complete spare Alpha 1000's on eBay for USD $1500. A rounding error.
Reference:
<https://www.ebay.com/itm/AlphaServer-1000A-5-333-PB76B-FA-DEC-Alpha-NICE-DEAL-/291725305745>
Or $40 9GB drives:
<https://www.ebay.com/itm/Compaq-DS-RZ1DA-VW-W-9-1GB-HDD-Wide-ultra2-SCSI-Alpha-Server-1200-4100-etc/262258287340?hash=item3d0fcfe2ec:g:XlMAAOSwa-dWpa0c>
Regards,
Kerry Main
Kerry dot main at starkgaming dot com