Re: The Register: OpenVMS among most-secure of operating systems
From: Andrew Harrison SUNUK Consultancy (Andrew_No.Harrison_No_at_nospamn.sun.com)
Date: 01/14/04
- Previous message: Bob Koehler: "Re: Faced with flagging PC sales, HPand others are pushing aggressively"
- In reply to: Mark Berryman: "Re: The Register: OpenVMS among most-secure of operating systems"
- Next in thread: Andrew Harrison SUNUK Consultancy: "Re: The Register: OpenVMS among most-secure of operating systems"
Date: Wed, 14 Jan 2004 18:03:33 +0000
Mark Berryman wrote:
> Andrew Harrison SUNUK Consultancy wrote:
>
>> Bob Koehler wrote:
>>
>>> In article <bu12iq$qi9$1@new-usenet.uk.sun.com>, Andrew Harrison
>>> SUNUK Consultancy <Andrew_No.Harrison_No@nospamn.sun.com> writes:
>>>
>>>
>>>> Ohhh yessssss yooou are.
>>>
>>>
>>>
>>>
>>> Care to speculate as to which one of us has access to the source
>>> listings and NDA info?
>>>
>>> I have no reason to BS you, Andrew. When I say I'm not guessing
>>> it's a fact. Not a boast, a fact.
>>>
>>
>> Well let's just examine the external evidence shall we rather than
>> your rather laughable secret squirrel response.
>>
>> Even CERT which is a highly unreliable source puts OpenVMS way
>> ahead of VMS for vulnerabilities. There was the DECnet Worm
>> and that's just about it.
>>
>> On the other hand the current OS has SSH, Bind, and a number of
>> other advisories posted for it.
>>
>> Security through obscurity cuts both ways because it removes
>> your ability to prove your point while I at least have
>> collateral to support mine.
>>
>> So Ohhh Yesss You Arrr until that is you can prove you
>> aren't
>
>
> But I have proven it. Unfortunately, for whatever reason, you have not
> been able to accept (or perhaps understand) the proof. It probably
> isn't worth it but I will try again.
>
> I have SSH on my VMS system. It is NOT openssh. Are you aware of any
> advisories against it? I can state that my VMS system has never been in
> any sort of security or DoS danger because of SSH.
>
> I have BIND on my system. None of the vulnerabilities posted for BIND
> have ever been able to impact my VMS version of BIND and I test every
> one. So, how does the fact that I run BIND impact the level of security
> of my VMS system?
>
There are only two ways this claim could be true.
1. You are using a non-commercial version of
Bind, all the commercial versions have had
CERT advisories (or patches relating to CERT
advisories) posted for them.
2. You installed bind after the fixes.
> You have tried to claim that certain patches to VMS layered products
> should have been reported to CERT (if CERT was to be used as a valid
> metric) because they addressed security issues. However, when I
> followed up on the ones you claimed, that claim turned out to be
> specious (the patches were not, in fact, fixing any kind of security
> issue).
Not true sorry, there is for example a patch for teardrop.
There are patches for Bind, POP, SSH etc all of which
are security patches.
>
> So, let's get specific. You say the CERT advisories aren't valid as a
> metric because too many security issues in VMS don't get reported to
> CERT. Let's start there. Name some. I'll follow up and verify your
> accuracy. Remember, it has to be something that impacts the security or
> stability of VMS.
>
Where would you like me to start?
VAXDWMOTMUP01_073 DECwindows MUP, No CERT advisory.
ALPSMUP01_070 No CERT advisory.
> Step two. Name any opensource product that is now available on VMS for
> which an exploit was discovered that could be used to compromise a VMS
> system (or even provide a means to make a DoS attack against it). I am
> aware of one, but that was in a product that no one concerned about
> security would ever run. Remember, the fact that an exploit was
> discovered does NOT necessarily mean that the exploit could actually be
> used against a VMS system.
>
> I'm calling you on your bluff. You claim the security concerns with VMS
> tend to get obfuscated. Trot 'em out and show 'em to us.
>
> Mark Berryman
>