[Info-vax] x86 Update 4/22/19

Stephen Hoffman seaohveh at hoffmanlabs.invalid
Mon Apr 29 15:09:54 EDT 2019


On 2019-04-29 18:35:42 +0000, Dave Froble said:

> On 4/29/2019 1:09 PM, Stephen Hoffman wrote:
> 
>> Pragmatically, one needs better ways to deal with the inevitable.  Apps 
>> and systems *will* get more complex.  Dependencies *will* increase. 
>> Constituent libraries and apps *will* need patches.  Apps *will* be 
>> found vulnerable.  Patches and updates *will* need to be deployed 
>> faster.  Apps and patches *will* need better and faster and 
>> increasingly automated deployments.  Because even if "one needs to find 
>> a balance", there's a very clear trend where one and all are headed, 
>> and one and all may not be (are not at all?) prepared for that trend 
>> with the present state of OpenVMS and its features, and of the designs 
>> and assumptions typical of the VSI and ISV and end-user developers 
>> involved.
> 
> All of the above is most likely valid.  Still, I'm not ready to rush 
> into such things.  For example:
> 
> What if the bad guys get into the "patch process"?

VSI is a large and ripe target, yes.

As for the patch distribution and patch installation process, that's 
already fairly open.

> Do you really want your local nuclear power station to just 
> automatically apply patches?

If it's the patch or a known exploit, I'll take the patch.

> "Fast" and "accurate" don't co-exist very well in patches and such.

As the good folks from Equifax reportedly discovered, neither too does 
ignoring patches.

> Apps should not be more complex than required.

Laudable goal.

As the numbers of dependencies and the interconnections are only 
increasing, that ship sailed.

Which means dealing with the problems we have, not with the problems we 
want to have.

> Yes, each day that goes by, we depend more and more on computers.  As 
> that dependency increases, so too do the ramifications of errors and 
> such.  "Proven" but with known errors is to be desired over "unproven 
> and who knows what the hell it's going to do".

Alas, vulnerabilities are a class of bugs that tends to increase in 
scope and scale and usage and damage over time.

> Just another perspective.

Reverse the whole question and ask yourself if you want a critical 
system to maintain a known vulnerability, and for how long.

We're all getting dragged forward here.

Old apps?  Yeah.  They'll be problematic forever, or until the apps 
and/or the vendor and/or the customers get owned.

How can we get apps that are being maintained and updated and servers 
that are being maintained and updated to be more secure?

I'd prefer to see steps taken to harden apps, even if some sites will 
find reasons not to.


-- 
Pure Personal Opinion | HoffmanLabs LLC 