Re: The Register: OpenVMS among most-secure of operating systems

From: jlsue (jefflsxxxz_at_sbcglobal.net)
Date: 02/02/04

  • Next message: Simon Clubley: "RE: [OT] MyDoom = Microsoft + SCO"
    Date: Mon, 02 Feb 2004 18:07:21 GMT
    
    

    On Thu, 29 Jan 2004 17:19:58 +0000, Andrew Harrison SUNUK Consultancy
    <Andrew_No.Harrison_No@nospamn.sun.com> wrote:

    >jlsue wrote:

    >
    >Since SunOS 4.x is out of support the answer is no. Similar
    >story with out of support versions of VMS/OpenVMS as well.
    >
    >Take LAND there is no CERT advisory for LAND referring to
    >OpenVMS or any other Compaq/HP layered product. We know
    >however that there was a vulnerability not from a patch
    >report but from an ask the wizard answer.
    >
    >We also know that this vulnerability is fixed in a later
    >release of the IP stack we also know that the version
    >of the IP stack that you need to upgrade from was the
    >one that was current when LAND was first reported.

    But the question is, then, how can you say that it wasn't patched when it
    was - albeit as a new version? (I'm assuming that this was a point release
    update; if not, then this question doesn't apply.)

    >> You can check google yourself (get it? That's one of YOUR argument
    >> techniques). Check responses from icerq4a, hoff, Killgallen, etc. They've
    >> tried (to no avail) to explain reality to you, but it's obviously a waste
    >> of time.
    >>
    >
    >Really perhaps you should check again rather more carefully.
    >Remember that you and google have never really got on.

    I don't actually need to check google on this as the posts are still on my
    hard drive (I'm using Agent). They have responded to most of the actual
    CERT advisories that you've continued on about. I have not seen any
    substantive reply on your part that addresses their posts.

    >
    >
    >>>Nor am I, outlandish claims would be ones that have no supporting
    >>>data to back them up. You forget that I have provided supporting
    >>>data.
    >>
    >>
    >> That makes no sense. You've made no claims, but yet you've provided
    >> supporting data? The only claim made was by one (or two) individuals tying
    >> CERT to some kind of nonsense conclusion. Almost everyone else in here has
    >> agreed that CERT is not, in itself, worthy of being called "proof" of
    >> security. However, others who actually KNOW the source code, and also who
    >> have reviewed the advisories that you've presented as "supporting data"
    >> have shown the errors or weaknesses in your arguments. Your
    >> counter-argument technique consists of this engaging tactic:
    >>
    >
    >Do you have a comprehension problem ?????????????

    No, I understand perfectly. You have claimed that CERT advisory counts are
    not a good measure of the relative security of a system. And I have agreed
    with your point in this matter. What's the problem?

    >>
    >> Well, you haven't proven whether it is providing an insecure one yet. You
    >> have shown that, at one time, some software stacks were vulnerable, and
    >> this has been subsequently dropped as a product. And in more recent ones,
    >> not all of the "fixes" patch actual vulnerabilities that affect the
    >> security of the platform.
    >>
    >
    >What utter BS, POP, LAND, TearDrop they were all holes and there
    >are loads more BIND, SSH etc etc.
    >
    >Pay attention you seem to think that simply saying they don't
    >exist can counterweight your documentation, 3rd party reports
    >and the responses of your own engineers.

    I'm paying attention fine. You've shown that there are advisories out for
    these problems, but you haven't shown whether there is actually an
    exploitable vulnerability. That's all I'm saying. The existence of a
    patch does not prove that there was a security vulnerability.

    >
    >I have seen you post some unmitigated BS in the past but
    >this takes the biscuit.

    I find it telling that it is apparently impossible for you to respond to
    questions about your logic and reasoning without resorting to immature
    tactics, such as name calling, personal attacks, etc.

    >No I haven't, it's the responsibility of the corporation that
    >you work for. Who does it is irrelevant providing it's actually
    >done. However what is most revealing is that no-one seems to want
    >to coordinate the different engineering teams into providing a
    >response for the platform as a whole.
    >
    >What an idiotic point.
    >> It's a completely separate argument as to whether HP is responsible for
    >> releasing fixes for problems. But once again, we're back to whether you're
    >> talking about a real problem in a currently-existing product.

    Well, your reading comprehension of this part of the discussion has veered
    it off into the weeds so far it's impossible to get you back on track.

    You have no point here that anyone can actually address because you're just
    thrashing about in an anti-HP rant.

    >>
    >>>Someone has to have the responsibility for reporting
    >>>vulnerabilities to CERT (assuming you are going to bother)
    >>>if you don't want to report layered product vulnerabilities
    >>>as part of the OS well fine but you have to report them
    >>>somewhere, currently they are entirely absent.
    >>
    >>
    >> Ah, is there an RFC concerning this? I just want to make sure we're
    >> covering all our bases.
    >>
    >
    >Does that imply that you only fix security holes in
    >OpenVMS if they are covered by an RFC.

    And you're the one making comments about reading comprehension problems of
    others?

    The point is that you, personally, do not dictate how all companies are
    supposed to use or not use CERT. So, whatever you believe (quoted in your
    ">>>" paragraph above) is immaterial. You may have some valid points, but
    there's no industry-wide agreement on this.

    So your spouting on-and-on is pointless.

    >> But talk about yer spin.. now you're changing your original argument from
    >> one that states it MUST appear as an OS vulnerability. This ENTIRE
    >> discussion came about concerning relative vulnerabilities in OSes, and
    >> OpenVMS in particular. So if you are changing your stance, please at least
    >> admit that somewhere first, and then we can discuss the new stance. I'm
    >> not saying I even disagree with it, but I don't know what it is yet.
    >>
    >
    >Ditto

    Yeah. It's much easier to NOT commit to making a point. Then you don't
    have to defend it.

    >>
    >> Just to be sure. Are POD and LAND vulnerabilities in the CURRENT IP stack
    >> (e.g., TCP/IP services)? Or is this only applicable to the one that was
    >> dropped some 4 or 5 years - and several software release versions - ago?
    >>
    >
    >Ditto

    How do you determine that this question is not a valid one? Merely because
    it paints you into a corner? The fact is that the current owner of
    OpenVMS, TCP/IP services, et al. can only be concerned with those versions
    that are currently supported. To belabor any kind of "security" argument
    about an older, unsupported version will only declare open season on all
    older versions of your own OS that have very big, and unpatched, security
    holes.

    >> If the latter, just let me know what the official ruling on how long all
    >> vendors are supposed to provide this kind of patch support for outdated,
    >> and even *unsupported* software. Is Sun following the same guidelines in
    >> all of its products?
    >>
    >
    >Ditto

    Of course you want to claim it invalid. All hail Emperor Andrew! He had
    declared that everyone, except his favorite employer, must conform to his
    own ever-changing opinion on what's valid in the realm of CERT advisories
    and responses.

    >
    >>
    >>
    >>>And I always laugh at OpenVMS security BS merchants who are happy
    >>>to tout the number of CERTs for OpenVMS around while being unhappy
    >>>to allow the layered products to be included.
    >>
    >>
    >> Again, this is a position that is based on completely false premises. Only
    >> one (or two) troll(s) are making any statements wrt CERTs and relative
    >> OS comparisons. Nobody else in here has backed up their silliness.
    >>
    >>
    >
    >Wrong, Keith started this particular thread so I assume this means
    >that you think he is a troll as well.

    He started this thread with an article. If you want to debunk something in
    the article, have at it. But right now you're so far off the original mark
    that it's just a bunch of your own personal diatribes scribbling bits
    around the world.

    >
    >Fantastic set of points BTW you really scraped the bottom of the barrel
    >and that's saying something in your case.
    >

    Whatever. When you get me all the security patches for my Sun v1.0
    systems, then we'll talk.

    --- jls
    The preceding message was personal opinion only.
    I do not speak in any authorized capacity for anyone,
    and certainly not my employer.
    (get rid of the xxxz in my address to e-mail)
