EVERHART%ARISIA@rca.COM.UUCP (06/09/87)
The Digital people I have had contact with, and those who have given the patch out, have generally been anxious to have the patch distributed quickly and widely. Given the wide publicity about the bug, having DEC put it out as a mandatory patch to support sites was the least they could do, and I note the patch is NOT copyrighted (and adding a copyright would make it fail the checksum...). Thus I am pleased the patch has been generally posted.

The more general issue is that Digital needs to do better getting security fixes into our hands. I noted a security patch mentioned by number in the National Computer Security Center's report, which evaluated VMS 4.3 WITH this patch. To avoid LOTS of controversy I won't mention the number on this list, but that article is public domain and THAT bug too could be widely known. Likewise others. I am somewhat unhappy with the notion that various "in the know" groups have access to these bits and pieces of information and the general system manager community has NOT. I'd prefer that some mechanism to obtain security fixes be in place with security identified as a category (at least for folks on maintenance, but redistributable to others), just as patches that fix file system integrity problems (for example) are identified as such.

There also needs to be a bit less of the "VMS is positively absolutely SECURE" philosophy and more of the old "DEC software does not operate in a hostile environment" flavor. VMS is much safer in hostile environments than, say, RSX11D V4 was. It is not absolutely secure, though, and might be less useful if it were. System managers and others need to realize that only relative safety is achievable and that continual watching and monitoring is an essential part of seeing that your system is safe. Also it should be remembered that the more your users run into walls, the more tempted they are to try to blow holes in them; a little flexibility can reduce the level of headaches in system maintenance.

flame off...

Glenn Everhart
Everhart%Arisia@rca.com