[Info-vax] One possible market for VMS: secure credit card

Stephen Hoffman seaohveh at hoffmanlabs.invalid
Tue Mar 24 11:55:21 EDT 2015


On 2015-03-24 14:11:55 +0000, David Froble said:

> This topic isn't about users.  This topic is about VMS possibly 
> providing a better environment for security.  That shirley is a techie 
> issue.

Surprisingly to those in the security world, usually not.  Most folks 
don't really care about security.  Usually right up until they are 
breached.  Most folks care far more about getting something done, and 
in a reasonably low-hassle and cost-effective way, and heading off to 
do something else.  Security and passwords and the rest?  That's 
insurance, as far as most folks are concerned.

If you want to look at security in the current environment, OpenVMS 
arguably needs some substantial upgrades to deal with more modern 
attacks — if folks are unfamiliar with "W^X", "ROP", "canaries" or 
"ASLR" jargon in this context, see the URLs below.  Put another way, 
the security attacks have changed a whole lot in recent years.  I'd 
expect OpenVMS would need to migrate to encrypted and authenticated 
transports everywhere, which likely means that DECnet, VPM, SYSMAN, 
NISCS and FTP are overhauled and/or disappear from the baseline 
configurations, SMH gets gone over, OpenSSL gets updated to 1.0.2 
current and/or maybe replaced with LibreSSL, CDSA probably gets 
replaced (which might mean more kit-signing work and potentially 
also authenticated and encrypted patch server access), SYSUAF and 
$hash_password get reworked to add support for modern cryptographic 
hashes, certificate stores and IPsec and VPNs get added, internet-facing 
pieces such as the unencrypted POP and IMAP transports and the rest of 
the IP-related tools and packages get overhauled, ACME LOGINOUT becomes 
the default, among a number of other changes that would be 
somewhere between desirable and necessary.

<https://en.wikipedia.org/wiki/W%5EX>
<https://en.wikipedia.org/wiki/Return-oriented_programming>
<https://en.wikipedia.org/wiki/Address_space_layout_randomization>
<https://en.wikipedia.org/wiki/Stack_buffer_overflow>

-- 
Pure Personal Opinion | HoffmanLabs LLC
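The password-store rework the post calls for, as an added example that is not from the post or from OpenVMS: a salted, iterated PBKDF2-HMAC-SHA256 record format with transparent upgrade-on-login from a constructed, unsalted legacy hash. The record layout, the legacy scheme and the iteration count are assumptions for illustration and do not model the real SYSUAF/$hash_password format.

```python
"""Upgrade-on-login demo: migrate a legacy unsalted hash store to
salted, iterated PBKDF2-HMAC-SHA256 (added example; the record format
and legacy scheme are constructed, not the SYSUAF/$hash_password layout)."""
import hashlib
import hmac
import os

ITERATIONS = 600_000   # work factor; raise over time as hardware improves
SALT_BYTES = 16

def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: pbkdf2_sha256$iters$salt$digest."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def legacy_hash(password: str) -> str:
    """Constructed stand-in for an unsalted, single-pass legacy hash."""
    return "legacy$" + hashlib.sha1(password.encode()).hexdigest()

def verify(password: str, record: str) -> tuple[bool, bool]:
    """Return (ok, needs_rehash). needs_rehash is True for legacy records
    and for records whose iteration count is below the current policy."""
    parts = record.split("$")
    if parts[0] == "legacy":
        return hmac.compare_digest(legacy_hash(password), record), True
    if parts[0] != "pbkdf2_sha256" or len(parts) != 4:
        return False, False
    iterations, salt, stored = int(parts[1]), bytes.fromhex(parts[2]), parts[3]
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(digest.hex(), stored), iterations < ITERATIONS

def login(store: dict, user: str, password: str) -> bool:
    """Verify and, on success, replace a stale record with the current scheme."""
    record = store.get(user)
    if record is None:
        hash_password(password)  # equalise timing for unknown users
        return False
    ok, needs_rehash = verify(password, record)
    if ok and needs_rehash:
        store[user] = hash_password(password)
    return ok

if __name__ == "__main__":
    store = {"alice": legacy_hash("correct horse")}  # constructed sample store
    print(login(store, "alice", "correct horse"), store["alice"].split("$")[:2])
```

A record that verifies but reports needs_rehash is rewritten with the current work factor, so the legacy format disappears as users log in rather than needing a plaintext-free bulk conversion.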
