[Info-vax] OpenVMS books

Stephen Hoffman seaohveh at hoffmanlabs.invalid
Mon Jul 31 13:12:37 EDT 2017


On 2017-07-30 00:48:38 +0000, Kerry Main said:

>> 
>> -----Original Message-----
>> From: Info-vax [mailto:info-vax-bounces at rbnsn.com] On Behalf Of
>> Simon Clubley via Info-vax
>> Sent: July 25, 2017 2:20 PM
>> To: info-vax at rbnsn.com
>> Cc: Simon Clubley <clubley at remove_me.eisner.decus.org-Earth.UFP>
>> Subject: Re: [Info-vax] OpenVMS books
>> 
>> As soon as some security researchers spent the time to find out a 
>> little _something_ about VMS internals, they discovered pure VMS 
>> vulnerabilities (ie: SMG) which the earlier researchers had missed.
>> 
>> The low figures could simply mean that to date no-one has been 
>> motivated enough recently to learn enough about VMS internals in order 
>> to be able to probe it for vulnerabilities using modern probing 
>> techniques.
> 
> Or.. since we're doing the "let's do some pure 100% speculating", the 
> alternate speculating might be that the security researchers tried to 
> hack recent (not 15+ year old UCX bugs) versions of OpenVMS and they 
> gave up trying.


I have accrued a list of several hundred CVEs that I suspect or that I 
know apply to OpenVMS and various LPs.  I track security 
notifications as part of helping me understand attacks and to help 
customers manage their servers.  (A number of these CVEs were acquired 
from lists of Linux CVEs that have been occasionally referenced here in 
comp.os.vms, too.)

But for many of these sites, there's little point in the effort when 
the operating system still offers telnet, FTP and DECnet, and many 
folks are still using them with OpenVMS, too.

VSI is moving forward on some of the security issues that have been 
reported here, and VSI IP will certainly address a number of CVEs, 
though there are other issues discussed here that are more involved and 
far more complex to resolve.  Downside is that this security treadmill 
doesn't ever end.  As one popular comment goes: "servers are 'secured' 
like lawns are 'mowed'".

VSI clearly has a whole lot on their plans and their development 
schedules, too.  Security is one part of that plan and those 
schedules, but there's other fundamental work that is necessary for 
OpenVMS, not the least of which is the x86-64 port.  In the 
interim, some of the security work can continue to be deferred by 
informing folks to isolate certain traffic on private networks for 
OpenVMS servers or other similar remediations, though that sort of 
server and network isolation is increasingly difficult to sustain.

-- 
Pure Personal Opinion | HoffmanLabs LLC 