[Info-vax] VMS First-Boot on x86 Contest
Simon Clubley
clubley at remove_me.eisner.decus.org-Earth.UFP
Thu Feb 15 08:33:28 EST 2018
On 2018-02-15, Phillip Helbig (undress to reply) <helbig at asclothestro.multivax.de> wrote:
> In article <34bgle-m3a2.ln1 at news2.chingola.ch>, Paul Sture
><nospam at sture.ch> writes:
>
>> > Hopefully VSI will change things so that a new VMS installation
>> > installs EVERYTHING. Disks are cheap. Really cheap. If necessary,
>> > some functionality could be restricted via licensing.
>>
>> No, we don't want EVERYTHING, we only want the components needed for
>> this instance's requirements. The attack surface area should be
>> kept to the minimum.
>
> We are talking 20 cents per GB or whatever. Is the effort to reduce the
> footprint really worth it?
>
Phillip, we are talking about standard security procedures here.
You do _NOT_ install something if it is not required in production.

What you _do_ however is to provide everything on the installation
media and then provide logical groups of packages so you can easily
install those groups, and only those groups, you require.

How would you feel if one of those unused packages was used to compromise
your system ? (And please don't dismiss that question out of hand because
you never know where the next security issue is coming from.)

To take a couple of VMS examples:

A couple of years ago, the idea that you could inject code into DCL
itself and then use it to totally compromise your VMS systems would
have been met with utter derision. No-one is saying that any more.

Likewise, how do you know that there isn't some huge hole within the
DECnet Phase IV code (for example) which is just waiting to be discovered
and which could be used to crash or compromise your VMS systems ?

How do you explain to your boss that DECnet Phase IV was used to
compromise your system and then it was discovered that you don't
even use DECnet Phase IV but you installed it anyway ?

BTW, I'm not talking about packet sniffing here. I'm talking about
some buffer overflow (for example) in the VMS DECnet Phase IV code
which could allow a system crash or an actual exploit.

Simon.

--
Simon Clubley, clubley at remove_me.eisner.decus.org-Earth.UFP
Microsoft: Bringing you 1980s technology to a 21st century world