Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Posting-Version: version B 2.10.3 4.3bsd-beta 6/6/85; site ucbvax.BERKELEY.EDU
Path: utzoo!watmath!clyde!cbosgd!ihnp4!ucbvax!galaxy.DEC!goldstein
From: goldstein@GALAXY.DEC (Andy Goldstein)
Newsgroups: mod.computers.vax
Subject: Publishing Security Holes on INFO-VAX
Message-ID: <8511121745.AA08383@decwrl.DEC.COM>
Date: Tue, 12-Nov-85 12:44:01 EST
Article-I.D.: decwrl.8511121745.AA08383
Posted: Tue Nov 12 12:44:01 1985
Date-Received: Wed, 13-Nov-85 08:18:44 EST
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The ARPA Internet
Lines: 27
Approved: info-vax@ucbvax.berkeley.edu


In the past week several system crasher / security hole type problems
in VMS have been published in INFO-VAX. I would like to question the
wisdom of these actions. Surely it is a great way to get DEC's
attention (as witness this reply). However, you will also get a lot
of unwanted attention as well. It is safe to say that anything of
sufficient interest published in INFO-VAX will find its way very
quickly onto the hacker's bulletin boards. VMS system managers who
are trying to run a secure shop ought to be dismayed at finding the
vulnerabilities of their systems so openly published.

Serious system security problems reported through DEC's normal service
channels (SPR's and the telephone support centers) receive prompt
attention. Publishing such problems is a disservice to other users in
that it publicizes a vulnerability when no correction is available.

DEC has an obvious corporate interest in not having weaknesses in VMS
published which you must discount in reacting to this message. In
addition, one could argue that publishing vulnerabilities serves some
purpose in making system owners at least aware of them. I would like
to hear arguments, pro and con, from others on INFO-VAX on whether or
not security problems should be published, and I would like to see
INFO-VAX adopt a policy based on the resulting feedback. Please send
responses to INFO-VAX (I get enough mail as it is).


					- Andy Goldstein, DEC