[Info-vax] OpenVMS versus Windows/GE Telemetry Control Systems.
Stephen Hoffman
seaohveh at hoffmanlabs.invalid
Tue Jan 15 15:25:20 EST 2013
On 2013-01-15 20:09:40 +0000, Simon Clubley said:
> On 2013-01-15, Stephen Hoffman <seaohveh at hoffmanlabs.invalid> wrote:
>> On 2013-01-15 18:46:39 +0000, John Wallace said:
>>
>>> Stuxnet was quietly working its way around Window boxes for a long
>>> while (maybe a year?) before it got serious attention. Ignorance is
>>> not necessarily bliss. If folks haven't yet looked into Stuxnet or its
>>> successors (eg Duqu), there's no time like the present, and the
>>> Wikipedia article on Stuxnet isn't a bad start, although for further
>>> reading I'd recommend Ralph Langner and maybe Symantec.
>>
>> Red October, most recently. Also Flame, which shares features with
>> Stuxnet and Duqu.[1]
>>
>> VMS is lacking defensive features such as address space layout
>> randomization[2], execution disable, lacks various safer C calls
>> (strcpy_r and other parts of C11 aren't available, and strnlen, strlcpy
>> and strlcat and similar calls are lacking), lacks compiler flagging for
>> what are now increasingly deprecated calls (e.g. everybody's favorite
>> example being gets), and lacks sandboxing.
>>
>
> You missed out VMS not supporting Mandatory Access Control based
> security. :-)
OpenVMS used to support MAC security with SEVMS, but that's fodder for
another time.
I haven't (recently) tried turning on the latent parts of SEVMS to see
what might happen.
> It's enabled on every Internet facing Linux box, both client and server,
> that I am responsible for, both at home and work. It's only one tool in
> a list of tools, but I consider it to be a very important one to be used
> whenever available.
I'm rather more fond of sandboxing than of MAC, but you can get to the
same general place with either.
--
Pure Personal Opinion | HoffmanLabs LLC
More information about the Info-vax
mailing list