Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Posting-Version: version B 2.10.3 4.3bsd-beta 6/6/85; site ucbvax.BERKELEY.EDU
Path: utzoo!watmath!clyde!cbosgd!ihnp4!ucbvax!galaxy.DEC!goldstein
From: goldstein@GALAXY.DEC (Andy Goldstein)
Newsgroups: mod.computers.vax
Subject: Publishing Security Holes on INFO-VAX
Message-ID: <8511121745.AA08383@decwrl.DEC.COM>
Date: Tue, 12-Nov-85 12:44:01 EST
Article-I.D.: decwrl.8511121745.AA08383
Posted: Tue Nov 12 12:44:01 1985
Date-Received: Wed, 13-Nov-85 08:18:44 EST
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The ARPA Internet
Lines: 27
Approved: info-vax@ucbvax.berkeley.edu

In the past week several system crasher / security hole type problems in VMS have been published in INFO-VAX. I would like to question the wisdom of these actions.

Surely it is a great way to get DEC's attention (as witness this reply). However, you will also get a lot of unwanted attention as well. It is safe to say that anything of sufficient interest published in INFO-VAX will find its way very quickly onto the hacker's bulletin boards. VMS system managers who are trying to run a secure shop ought to be dismayed at finding the vulnerabilities of their systems so openly published.

Serious system security problems reported through DEC's normal service channels (SPR's and the telephone support centers) receive prompt attention. Publishing such problems is a disservice to other users in that it publicizes a vulnerability when no correction is available.

DEC has an obvious corporate interest in not having weaknesses in VMS published which you must discount in reacting to this message. In addition, one could argue that publishing vulnerabilities serves some purpose in making system owners at least aware of them.

I would like to hear arguments, pro and con, from others on INFO-VAX on whether or not security problems should be published, and I would like to see INFO-VAX adopt a policy based on the resulting feedback.

Please send responses to INFO-VAX (I get enough mail as it is).

- Andy Goldstein, DEC