[Info-vax] New VSI Roadmap (yipee!)
lists at openmailbox.org
Mon Mar 2 05:08:56 EST 2015
On Sat, 28 Feb 2015 21:55:26 +0000
Kerry Main via Info-vax <info-vax at rbnsn.com> wrote:
> > -----Original Message-----
> > From: Info-vax [mailto:info-vax-bounces at info-vax.com] On Behalf Of
> > Stephen Hoffman
> > Sent: 28-Feb-15 3:39 PM
> > To: info-vax at info-vax.com
> > Subject: Re: [New Info-vax] New VSI Roadmap (yipee!)
> >
> > On 2015-02-28 19:22:36 +0000, Kerry Main said:
> >
> > > OpenVMS is still a very secure, very
> > > stable environment that hackers have avoided because imho, there
> > > are far easier commodity OS targets to go after ..
> >
> > The bulk of the attackers haven't (openly) targeted VMS because —
> > unless you're aiming at a very specific target that's running VMS — VMS
> > effectively doesn't exist in the IT market. Until there are enough
> > VMS boxes to become a botnet or until there's a sufficiently valuable
> > bug bounty program, there's little incentive for most attackers to look
> > for vulnerabilities, much less to expose any previously-unknown
> > vulnerabilities; to burn zero-days.
> >
>
> Let's be realistic here - 98% of the hackers of the world understand
> *NIX and/or Windows and to a much lesser degree MAC OS's.
I would put *NIX far below Windoze in that list.
> OpenVMS has had its days of being the big guy in town and it did
> have a few hacks .. however, even at its height of popularity, it did
> not have the 10-40+ security vulnerabilities each and every month that
> exist today on commodity OS's.
Those vulnerabilities are mostly because of two things: the C Programming
Language and the crapware written in it. Intel "architecture" is a big
enabler there too. As soon as you get off the main highway your chances of
being hijacked go way down.
If they ever commoditize VMS and make it into a playground for C coders
with more free time than brains and discipline you'll be happy to have a
month that goes by where the list is 10-40. Intel support is going to bring
more problems than it solves. There was never an example where it didn't.
And C will be the icing on that cake. Two major examples of the highest
order of POS technology that were never designed at all, they just expanded
to fill all the available space like beer farts at a board meeting.
> > or merely expect that as a cost of doing IT. OpenBSD
> > <http://www.openbsd.org> claims only two remote exploits in the base
> > install "in a heck of a long time", though has certainly had its share
> > of security bugs in various components over the years.
This is a good example of what I just wrote above. OpenBSD is an OS where
able people care and there is peer review and not a little pressure to
create good code and fix bad code quickly. But they have very little
control over all the crapware written outside the project that people want
to run on that OS. And that is the part that breaks.
> Could it be that the 98% (my guess) of hackers only know *NIX and /
> or Windows and they tend to go where they have a much easier
> chance of success?
99% know Windows; the vast majority of UNIX hacks are really attacks on
crapware running on UNIX, or Java, or browser plugins or database stuff.
They're very seldom attacks on UNIX.
The main problem with Windoze, aside from it being its own worst enemy with
more code spying on the user than actually performing useful work, is that
the vast majority of Windoze victims are idiots and fall for every social
engineering hack there is. The more the user pays attention, the less likely
99% of the "attacks" are to succeed. Windoze victims are so used to blindly
responding OK to every popup that they really don't have a chance.
Put a person behind the keyboard who is somewhat clueful and many attacks
are non-starters.