stokes%cmc.cdn%ubc.CSNET@CSNET-RELAY.ARPA (Peter Stokes) (11/13/85)
If one can assume that the great majority of 'hackers' do not have access to the DEC SPR service, then why not make it a rule of thumb to send all system security bugs etc. to the SPR service and nothing at all to info-vax. Even if some hackers do make it into the SPR service, it is still overall better than posting messages on info-vax. Peter
YD14@BR1.THDNET (11/14/85)
Include this in your SYSTARTUP:
$ SET ACL /OBJ=LOG LNM$SYSTEM_TABLE /ACL=(IDENTIFIER=*,ACCESS=READ)
$ SET ACL /OBJ=LOG LNM$SYSTEM_DIRECTORY /ACL=(IDENTIFIER=*,ACCESS=READ)
Or are there any more tables to be protected ???? Or is it possible to disable any ACLling ???? Reinhard Goeth Arpanet address: #D14%DDATHD21.BITNET@WISCVM.WISC.EDU (bwotnsiipomui)
YD14@BR1.THDNET (11/15/85)
I talked yesterday with the TSC Munich about the CONTROL/U bugcheck. They'll test it and call me back within a week. Probably they will forward the problem to the European TSC Center and they'll also test it. Some weeks later the problem, after a lot of forwarding within DEC, will reach the VMS people (e.g. Andy Goldstein). Someone else asked the TSC about the ACL problem with logical name tables. They told him to set a protection on the tables. But I don't think the TSC has forwarded this problem. So we have to write one of the old-fashioned SPRs. And then we have to wait patiently for some months to get an answer for such a severe problem. There should be an INFO-VAX-SECURITY list. But it should not be on the Arpanet, it should rather be on the internal DEC engineering net. Reinhard Goeth Arpanet: #D14%DDATHD21.BITNET@WISCVM.WISC.EDU
sasaki@HARVARD.HARVARD.EDU (Marty Sasaki) (11/16/85)
The problem with SPR's and Software dispatches, and the TSC is that you have to pay for all of these things. At times I find it enraging to have to pay money to tell DEC that there is a bug in a system that I (or my company) have (has) already paid lots of money for. The TSC has only been useful to me once. This mailing list is useful to me at least once a week. I still don't feel very good about having a separate security list. Like I said before, I don't read this list from a VMS system but from a (relatively flakey) UNIX system. I wouldn't trust secure mail into this system. I feel even worse about having security holes published to this list. I still think that there is a dilemma. Marty Sasaki
GEOFFRIL@UNION.BITNET.UUCP (02/20/87)
RE: ESJ@ufl's suggestion that students should not see security info since they might know more than the administrators. We take precisely the opposite perspective. To begin with, you can assume a priori that students know more about your system than you do. If nothing else, they have far more time to experiment than the rest of us. We cope by stressing that students are colleagues -- not opponents. Indeed, students have been our best "eyes and ears" when others are abusing the system. Indeed, I've often challenged them to find the holes in a program or security technique. They enjoy the challenge and have spotted subtleties that escaped more conventional analysis. The bottom line... If you fight your students, you are outnumbered by, typically, 1000 to 1. If you work with them, you have a tremendous team of allies. Leo Geoffrion, Skidmore GEOFFRIL@UNION.BITNET