Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!utgpu!water!watmath!clyde!cbosgd!ihnp4!ptsfa!ames!ll-xn!husc6!cmcl2!acf4!tihor
From: tihor@acf4.UUCP
Newsgroups: comp.os.vms
Subject: Re: posting security patch
Message-ID: <14960002@acf4.UUCP>
Date: Mon, 15-Jun-87 12:05:00 EDT
Article-I.D.: acf4.14960002
Posted: Mon Jun 15 12:05:00 1987
Date-Received: Wed, 17-Jun-87 01:30:40 EDT
References: <8706080744.AA11345@ucbvax.Berkeley.EDU>
Organization: New York University
Lines: 18

Actually Mitch the problem is that if you do not have a software
service contract (at least at self-maintenace level) its hard for DEC
to find out who you are. AWith this problem as with a few mandatory
hardware FCOs in the past DEC is trying to reach all customers
regardless of maintenace contract status for precisely these reasons.

I would not be suprised if the publicity surrounding the patch was part
of the reason for its wide distribution.

A car manufacturer with the lock problem you mentioned, even on 1% of
its cars could reach everyone by telling the media, but would probably
go bankrupt from people sueing them because their cars were stolen
after the announcement.

Also if a DEC Salesman told you VMS 4.4 or 4.5 was "Secure" in the
C2-rating style they were wrong and you should tell their boss and have
them fired, or at least reassigned.  They might have made a reasonable
presumption but they failed.