[Info-vax] OpenVMS in the future, Open sourced or Closed? Intent is to keep it...

David Froble davef at tsoft-inc.com
Sat May 2 22:44:51 EDT 2015


seasoned_geek wrote:
> On Saturday, May 2, 2015 at 11:50:15 AM UTC-5, Stephen Hoffman wrote:
> 
>> Ayup.  Who is going to have the time and skills and servers and build 
>> environment and the funding to work on the code, too.   Linux started 
>> out and built a base in another era.
>>
>> What would attract developers to OpenVMS?
>>
> 
> Well said Hoff.
> 
> Here is the reality, VMS serves a market which cannot use bottom feeding systems.

I'm not sure which are the "bottom feeding systems" ?

Would not the usage of a system have some bearing on such a tag?  For 
example, some prior versions of weendoze provided a decent user 
interface.  But I'm not in favor of using them in a serious server 
environment.  Yeah Dave, what's your definition of "serious"?

> The simple truth is many/most companies currently using bottom
> feeding systems are only doing so because governments haven't held
> them accountable for massive identity thefts, data breaches, etc. We
> in the U.S. are all getting chipped cards because the government
> finally passed some laws changing who had to eat the cost of credit
> card fraud. Until that law changed rolling out chipped cards to stop
> credit card fraud was "too expensive."

I will agree that the problem is not being addressed properly.  People 
want to blame the hackers, while continuing to use the same old systems 
the hackers broke into so easily.

I will never forget the meeting where I told a client that he could not 
keep people's credit card and banking information on an IIS server, 
connected to the internet, and in plain text.  The response, "everyone 
else is doing it".

It's like the banks storing their money on the curb, crying when someone 
picks it up, and then continuing to store their money on the curb.

Hackers should be considered assets that show weaknesses, and the 
weaknesses fixed.

> There has been a movement for a while, and with an election coming up
> it may gain a lot of traction, to make the CEO, CIO, CFO and entire
> board of directors criminally liable for identity theft, data
> breaches, etc. By criminally liable I mean actual prison time, no
> more skating by with a token few months of "free credit monitoring."

Well, I agree, but we aren't the ones with the money to pay lobbyists to 
influence the politicians.

> In short, the current efforts trying to water down VMS to the point
> it is just as worthless as everything else out there are completely
> misguided and highly destructive.

Now, I have no idea where this claim is coming from.  VSI hasn't 
mentioned "watering down VMS".  I think the people involved know what 
they have, and appreciate it.

> Those efforts need to be directed
> at the real problem. Wal-mart quality systems being used WHERE THEY
> SHOULD NOT LEGALLY BE ALLOWED.
> 
> Before anyone goes whining about "can't fight the system", people
> said that EXACT same thing when it came to changing who had to eat
> the cost of credit card fraud. "Oh, the credit card companies pay too
> many bribes and have too many lobbyists." Well guess what? It
> happened.

No it didn't.  Ever hear of PCI compliance?  It's the credit card 
companies' way of "passing the buck".  The credit card companies don't 
give a rat's ass about security.  They only care about who gets the 
blame and who pays, as long as it's not them.

Now, the companies are saying that in order to accept credit cards, your 
software must be certified PCI compliant, and last I heard, that will 
cost you maybe $16K, or more, and then you got to do it every year, and 
then you got to do it every time you make a change to your software.  At 
least that's the rumors I've heard.  I try to stay as far away from it 
as I can.

So, every time you run EDT, the compiler, and the linker, ka-ching, 
somebody's cousin is making a pile of money.

> The same thing is on course to happen for identity theft/data
> breaches. 60 Minutes and other news agencies have been gearing up
> running identity theft research pieces. More will come as the
> election gets closer.
> 
> I have said it before and I will say it again. The day the CEO, CIO,
> CFO and entire board of directors are looking at a 6 month mandatory
> minimum for identity theft data breach, Z/OS and VMS proprietary
> platforms won't be able to ship fast enough.

Breaking into the OS isn't the only way to steal information.  But it is 
one way, and the amount of data can be rather large ....

> Before we went down this "open" path starting in the 90s, data and
> comm were both secure. You had to get proprietary equipment which was
> registered at point of sale and had IDs burned in. The communications
> packets themselves were also proprietary.
> 
> At some point, possibly after my death, governments around the world
> will realize you can never ever under any circumstances make "open"
> secure. The "open" portion must be from the Web page out and
> everything from the Web server back MUST BE PROPRIETARY.

I don't agree.  What I see as a large part of the problem is the use of 
generic tools and the assumption that they give you security.  For 
example, SSL2, SSL3, TLS 1.0, TLS 1.1 are all now considered vulnerable.
But you tell someone you use SSL and they assume you're secure.

> Yes, I remember the dark days when people tried to use knock-off nic
> cards with Netware servers. It was a PITA. That PITA also made things
> more secure.


