PDreyer@HI-MULTICS.ARPA (Phil Dreyer) (06/16/87)
I would rather have something mentioned in this mailing list than nothing at all. We have been spending BIG bucks for maintenance from dec and WE did not hear about this security fix. Then to find out that they have published the fact that there is a security publically before I hear about it. That's insulting. you would think that DEC would at least make a better effort in notifying their customers of a problem. Even if they do not have an immediate fix it is nice to know what is happening. As for publishing a fix for sites here, why not. If it is not copyrighted then send it out. They Do have some sort of responsiblity to their customers maintenance contract or not. **** Flame on **** To quote from Michael Vizard's article in the June 1, 1987 issue of Digital Review: "Mention the word 'security' around any DEC representative pushing the VMS operating system and you're sure to elicit a stony silence. The reason? More and more enterprising VMS users are finding it possible to 'hack' their way to full system priviliges despite the operating system's security provisions. In fact, DEC officials refused to discuss VMS security issues at the April DECUS symposium in Nashville." How true, how true. When you talk about VMS you should not say the word security in the same breath. Any Operating system that has this many holes in it should be sent back to the drawing board. The problem is the system came out before the idea of security did. Now they spend a lot of time trying to bend and twist the system into some sort of secure system. Try putting a user into a limited command environment some time. The book says you should do this with a command file. What a joke. To further quote: "Ironically, late last year VMS was one of the first commercial operatings systems to win a security rating from the US Governments National Computer Security center." Whoopie "C2" security rating. All that means is that VMS is finally in the game and on the charts. No big accomplishment. let me know when/IF you manage to get a "B2" security rating someday, and i mean IF. I have worked with a true secure system "B2" rated and I tell you it would run rings around VMS. The system of which I speak is Multics... **** Flame off **** That felt better. Don't get me wrong, VAX/VMS has it's place as does every computer that exists. It just gets under my skin when I have so many problems with the VAX/VMS system after working with a system such as Multics.
klb@philabs.Philips.Com (Ken Bourque) (06/19/87)
In article <870616182113.552077@HI-MULTICS.ARPA> PDreyer@HI-MULTICS.ARPA (Phil Dreyer) writes: >When you talk about VMS you should not say the word >security in the same breath. Any Operating system that has this many >holes in it should be sent back to the drawing board. Would you care to elaborate? The current security bug and the one in V4.2 concerning the system logical name table are the only two I have heard of.