[Info-vax] OpenVMS books
Kerry Main
kemain.nospam at gmail.com
Sat Jul 29 20:48:38 EDT 2017
> -----Original Message-----
> From: Info-vax [mailto:info-vax-bounces at rbnsn.com] On Behalf Of
> Simon Clubley via Info-vax
> Sent: July 25, 2017 2:20 PM
> To: info-vax at rbnsn.com
> Cc: Simon Clubley <clubley at remove_me.eisner.decus.org-Earth.UFP>
> Subject: Re: [Info-vax] OpenVMS books
>
> On 2017-07-25, seasoned_geek <roland at logikalsolutions.com> wrote:
> >
> > https://www.sans.org/reading-room/whitepapers/infosec/primer-openvms-vms-security-604
> >
>
> According to the footer line in the document, it was written in 2002
> which was 6 years before the 2008 DEFCON revelations about VMS
> vulnerabilities.
>
> As soon as some security researchers spent the time to find out
> a little _something_ about VMS internals, they discovered pure VMS
> vulnerabilities (ie: SMG) which the earlier researchers had missed.
>
> The low figures could simply mean that to date no-one has been
> motivated enough recently to learn enough about VMS internals in
> order to be able to probe it for vulnerabilities using modern
> probing techniques.
>
Or.. since we are doing the "let's do some pure 100% speculating", the
alternate speculating might be that the security researchers tried to
hack recent (not 15+ year old UCX bugs) versions of OpenVMS and they
gave up trying.

Since neither of us knows which scenario is true, then either one of us
could be right.

Especially when the value of security bugs that can crack a platform
that runs stock exchanges, banks, lotteries, nuclear stations, power
utilities would likely go for a very high price in the bad guy world.

Btw - while the finger bug was something that needed fixing, one should
remember that the service is disabled by default and I have never known
any OpenVMS system that even uses finger. It was/is a service that came
from the UNIX based code that was ported to OpenVMS as UCX.

Question - does anyone here have the finger service enabled on their
OpenVMS system?

Regards,

Kerry Main
Kerry dot main at starkgaming dot com