goldstein@GALAXY.DEC (Andy Goldstein) (11/12/85)
In the past week several system crasher / security hole type problems in VMS have been published in INFO-VAX. I would like to question the wisdom of these actions. Surely it is a great way to get DEC's attention (as witness this reply). However, you will also get a lot of unwanted attention as well. It is safe to say that anything of sufficient interest published in INFO-VAX will find its way very quickly onto the hacker's bulletin boards. VMS system managers who are trying to run a secure shop ought to be dismayed at finding the vulnerabilities of their systems so openly published.

Serious system security problems reported through DEC's normal service channels (SPR's and the telephone support centers) receive prompt attention. Publishing such problems is a disservice to other users in that it publicizes a vulnerability when no correction is available.

DEC has an obvious corporate interest in not having weaknesses in VMS published which you must discount in reacting to this message. In addition, one could argue that publishing vulnerabilities serves some purpose in making system owners at least aware of them. I would like to hear arguments, pro and con, from others on INFO-VAX on whether or not security problems should be published, and I would like to see INFO-VAX adopt a policy based on the resulting feedback. Please send responses to INFO-VAX (I get enough mail as it is).

- Andy Goldstein, DEC
Tli@USC-ECLB.ARPA (Tony Li) (11/12/85)
On the other hand, a lot of systems managers would never find out about the security problems of VMS unless they read it in INFO-VAX or got bit by it. I prefer to know about the boojums before they get me. ;-)
MHJohnson@HI-MULTICS.ARPA (Mark Johnson) (11/15/85)
I would like to see security problem messages continue. The reasons include:

1) I read INFO-VAX on a regular basis & read hacker's bulletin boards not at all. Please give me a chance to fix up my system before the problem people have a chance to trash it up.

2) It gives me a reason to continue to read INFO-VAX & other mailing lists even though it costs my company $$ to move the mail around.

3) Publicity tends to make fixes come more quickly from vendors (not just DEC), & makes the system better for everyone.

Now about the logical name table problem... does this mean I have to add to my SYSTARTUP file something on the order of:

    $ SET ACL/OBJ=LOG/ACL=(ID=*,ACCESS=READ) LNM$SYSTEM_DIRECTORY

-- ditto for LNM$SYSTEM_TABLE, LNM$GROUP_000001, LNM$GROUP_*, PSI* -- That is a lot of tables. Note that for the group tables, you need to create them first (except for _000001). Perhaps Andy (or someone else at DEC) could give us (& DSIN) a real work-around for this problem that covers all of the bases.

About INFO-VAX-SECURITY (or whatever), I don't want to see it there since you will have problems validating me, a VMS system manager accessing the network through a Multics system.

--Mark Johnson <MHJohnson @ HI-MULTICS>