[Info-vax] OpenVMS in the future, Open sourced or Closed? Intent is to keep it...

seasoned_geek roland at logikalsolutions.com
Sun May 3 03:59:58 EDT 2015


On Saturday, May 2, 2015 at 9:44:26 PM UTC-5, David Froble wrote:
> 
> > In short, the current efforts trying to water down VMS to the point
> > it is just as worthless as everything else out there are completely
> > misguided and highly destructive.
> 
> Now, I have no idea where this claim is coming from.  VSI hasn't 
> mentioned "watering down VMS".  I think the people involved know what 
> they have, and appreciate it.

It is the groundswell of people both trying to load VMS systems up with OpenSource security-breach-in-a-box and those trying to OpenSource VMS. Yee-gads! Just look at the Bash bug!

http://www.usatoday.com/story/tech/2014/09/25/bash-bug-computer-security-shellshocked/16203647/


> > 
> > Before anyone goes whining about "can't fight the system", people
> > said that EXACT same thing when it came to changing who had to eat
> > the cost of credit card fraud. "Oh, the credit card companies pay too
> > many bribes and have too many lobbyists." Well guess what? It
> > happened.
> 
> No it didn't.  Ever hear of PCI compliance?  It's the credit card 
> companies' way of "passing the buck".  The credit card companies don't 
> give a rat's ass about security.  They only care about who gets the 
> blame and who pays, as long as it's not them.
> 
> Now, the companies are saying that in order to accept credit cards, your 
> software must be certified PCI compliant, and last I heard, that will 
> cost you maybe $16K, or more, and then you got to do it every year, and 
> then you got to do it every time you make a change to your software.  At 
> least that's the rumors I've heard.  I try to stay as far away from it 
> as I can.
> 

Those rumors don't seem to completely jibe with the news.

http://www.creditcards.com/credit-card-news/us-slowly-rolls-out-emv_chip-technology-1276.php

====
Concern about the upswing in credit card fraud is one reason U.S.-based card issuers, financial institutions and retailers have set a deadline of October 2015 to put an EMV payment system in place. That's when liability for counterfeit fraud shifts from the issuers to merchants and their acquirers if their equipment does not support EMV.

====

> 
> > Before we went down this "open" path starting in the 90s, data and
> > comm were both secure. You had to get proprietary equipment which was
> > registered at point of sale and had IDs burned in. The communications
> > packets themselves were also proprietary.
> > 
> > At some point, possibly after my death, governments around the world
> > will realize you can never ever under any circumstances make "open"
> > secure. The "open" portion must be from the Web page out and
> > everything from the Web server back MUST BE PROPRIETARY.
> 
> I don't agree.  What I see as a large part of the problem is the use of 
> generic tools and the assumption that they give you security.  For 
> example, SSL2, SSL3, TLS 1.0, TLS 1.1 are all now considered vulnerable. 
> But you tell someone you use SSL and they assume you're secure.

tomato/tomato

The vast majority of those "generic tools" are "generic" because they are OpenSource.

> 
> > Yes, I remember the dark days when people tried to use knock-off NIC
> > cards with Netware servers. It was a PITA. That PITA also made things
> > more secure.



