On 2017-05-04 00:44:37 +0000, David Froble said:
> Stephen Hoffman wrote:
>> On 2017-05-02 19:58:46 +0000, David Froble said:
>>
>>>> Hoff has posted a list of several not so good things security wise
>>>> several times.
>>>
>>> Yes, he has. But I don't recall any being part of the OS.
>>
>> Is there a salient difference between getting owned by an OS-level flaw
>> — which do exist, and have been discussed here, BTW — and getting owned
>> by a network service?
>
> From the perspective of being hacked, no.
From most any perspective. Attackers don't care where the hole is.
> From the perspective of what allowed it to happen, yes, there is a big
> difference. For one thing, it points to what needs some attention.
Ayup. Why do you think I've been grumbling about ftp, telnet and
DECnet available in the default configuration, too? When the easy
stuff is wide open and when the users are not guided to more secure
configurations, expending much development effort on ASLR and
execute-disable support is wasted. Fixing the simple holes. As for
remedial and refactoring work on the platform itself, bug counts are
useful metrics for scheduling remedial work, but not so useful for
scheduling security work. Not unless the testing folks involved have
some experience cracking systems and are correspondingly ruthless about
finding and logging security bugs, and get the time to run API and
protocol and file-format fuzzers and network protocol analysis tools
and simulated attacks against... everything. Again, defenders get to
try to find and plug all the holes.
No, I don't believe that all OpenVMS servers will always have skilled
teams managing and tracking the security, nor security-focused
developers working to update and securing the applications. Look
around for how many servers have telnet and ftp configured, after all.
Look around at how many developers either have code in production that
is — given a little thought — known to be insecure, or that haven't
even had the time to consider application security, for that matter.
> I've basically stopped doing any work on network communications until
> VSI has their IP product and SSL product available. I'm hoping that
> will be a huge improvement.
There's already a VSI TLS kit around, though we'll see what the VSI IP
and the sockets and TLS and certificates APIs look like. The current
"design" of these areas and APIs is... problematic. This as anybody
that's actually used what's available and has tried to implement
certificate chains and pinning and revocation handling can certainly
attest. Heaps and heaps of glue code, and more than a few
opportunities for vulnerabilities, and the available example code is...
lacking.