Re: The Register: OpenVMS among most-secure of operating systems
From: Andrew Harrison SUNUK Consultancy (Andrew_No.Harrison_No_at_nospamn.sun.com)
Date: 01/14/04
- Next message: Andrew Harrison SUNUK Consultancy: "Re: 500.000 AMD64's shipped..."
- Previous message: Rick Jones: "Re: 500.000 AMD64's shipped..."
- In reply to: Mark Berryman: "Re: The Register: OpenVMS among most-secure of operating systems"
- Next in thread: Mark Berryman: "Re: The Register: OpenVMS among most-secure of operating systems"
- Reply: Mark Berryman: "Re: The Register: OpenVMS among most-secure of operating systems"
Date: Wed, 14 Jan 2004 18:57:07 +0000
Mark Berryman wrote:
> Andrew Harrison SUNUK Consultancy wrote:
>
>> Bob Koehler wrote:
>>
>>> In article <bu12iq$qi9$1@new-usenet.uk.sun.com>, Andrew Harrison
>>> SUNUK Consultancy <Andrew_No.Harrison_No@nospamn.sun.com> writes:
>>>
>>>
>>>> Ohhh yessssss yooou are.
>>>
>>>
>>>
>>>
>>> Care to speculate as to which one of us has access to the source
>>> listings and NDA info?
>>>
>>> I have no reason to BS you, Andrew. When I say I'm not guessing
>>> it's a fact. Not a boast, a fact.
>>>
>>
>> Well let's just examine the external evidence shall we rather than
>> your rather laughable secret squirrel response.
>>
>> Even CERT which is a highly unreliable source puts OpenVMS way
>> ahead of VMS for vulnerabilities. There was the DECnet Worm
>> and that's just about it.
>>
>> On the other hand the current OS has SSH, Bind, and a number of
>> other advisories posted for it.
>>
>> Security through obscurity cuts both ways because it removes
>> your ability to prove your point while I at least have
>> collateral to support mine.
>>
>> So Ohhh Yesss You Arrr until that is you can prove you
>> aren't
>
>
> But I have proven it. Unfortunately, for whatever reason, you have not
> been able to accept (or perhaps understand) the proof. It probably
> isn't worth it but I will try again.
>
> I have SSH on my VMS system. It is NOT openssh. Are you aware of any
> advisories against it? I can state that my VMS system has never been in
> any sort of security or DoS danger because of SSH.
>
> I have BIND on my system. None of the vulnerabilities posted for BIND
> have ever been able to impact my VMS version of BIND and I test every
> one. So, how does the fact that I run BIND impact the level of security
> of my VMS system?
>
There are only 2 reasons why your claim could be true.
1. You aren't running a commercial version of bind on OpenVMS
all the commercial versions either have CERT advisories
for them or patches for cert advisories (if you understand
the sorry state of OpenVMS CERT reporting you will know
what this means).
2. You have installed a version more recent than the advisories
anything else and you are at odds with reality.
> You have tried to claim that certain patches to VMS layered products
> should have been reported to CERT (if CERT was to be used as a valid
> metric) because they addressed security issues. However, when I
> followed up on the ones you claimed, that claim turned out to be
> specious (the patches were not, in fact, fixing any kind of security
> issue).
>
Rubbish. Teardrop, Bind, SSH all require patches and the information
for this is either in the CERT advisory or in the case of Teardrop
available from HP.
> So, let's get specific. You say the CERT advisories aren't valid as a
> metric because too many security issues in VMS don't get reported to
> CERT. Let's start there. Name some. I'll follow up and verify your
> accuracy. Remember, it has to be something that impacts the security or
> stability of VMS.
VMS722_DW_MOT_MUP-V0100 DECWindows MUP, No CERT Advisory.
ACMS_U2_043, ACMS security hole No CERT Advisory.
ALPSMUP01_070 No CERT Advisory (Know what a SMUP is)
DCE_030_SSRT3608-V0100 COM/DCE Denial of Service no CERT
I can provide more if you are interested but to be
honest you just lost the argument so let's not
rub salt in your wounds.
And just to illustrate that 3rd party layered products
are just as bad or put another way more OpenVMS CERT
BS gets trashed.
http://www.multinet.process.com/scripts/eco/eco_tlb.com?FTP-053_A044
Look for mandatory security update.
Now wouldn't it be nice to know what that was, again no CERT.
http://www.multinet.process.com/scripts/eco/eco_tlb.com?NAMED-011_A044
No reference to which CERT advisories they are fixing and of
course no response in the Vendor section of the CERT advisories.
http://www.multinet.process.com/scripts/eco/eco_tlb.com?SMTP-030_A044
Mandatory Security Update
Again no CERT advisory.
>
> Step two. Name any opensource product that is now available on VMS for
> which an exploit was discovered that could be used to compromise a VMS
> system (or even provide a means to make a DoS attack against it). I am
> aware of one, but that was in a product that no one concerned about
> security would ever run. Remember, the fact that an exploit was
> discovered does NOT necessarily mean that the exploit could actually be
> used against a VMS system.
>
Why should I bother with OpenSource? Closed source is good
enough.
> I'm calling you on your bluff. You claim the security concerns with VMS
> tend to get obfuscated. Trot 'em out and show 'em to us.
>
I guess that you now regret even posting but thanks
for being a very useful fall guy.
Regards
Andrew Harrison