[Info-vax] Any PDP-11 RSX-11 fans looking to be horribly underpaid

Johnny Billquist bqt at softjar.se
Tue Jan 16 16:19:40 EST 2018


On 2018-01-14 19:49, Simon Clubley wrote:
> On 2018-01-14, Scott Dorsey <kludge at panix.com> wrote:
>> Simon Clubley  <clubley at remove_me.eisner.decus.org-Earth.UFP> wrote:
>>>
>>> While it's not exactly a great situation to be in, it is manageable
>>> in some environments to some extent provided you take the proper
>>> precautions and provided you realise that your old systems are
>>> hopelessly insecure.
>>
>> Please stop calling these systems insecure.
>>
> 
> My comment was in response to Terry's comments about the VMS security
> discussion on another thread.
> 
> I am willing to give PDP-11 systems a lot more leeway because they have
> never been sold as high security systems. There's also a higher chance
> that normal operation generally means privileged console access for
> the PDP-11.

If you have console access, it's a totally different story, for most any 
system.

>> Is a can-opener insecure?  Anyone who can get into your house and grab it
>> can use it.  But does that make it insecure in any way?
>>
>> Just because the system is openly accessible to anyone with physical access
>> does not make it insecure.  It seems you have a very very narrow view of the
>> concept of "security."
> 
> Maybe. Maybe not.
> 
> When I say hopelessly insecure, I have never said that it only applies
> to people who have physical access to the server hardware or the
> operator console. Most systems would be "hopelessly insecure" in that
> situation.

Right.

> No, I am talking about normal unprivileged users, especially those with
> DCL access, who can come up with various ways to compromise those systems.
> 
> In my own exploit, a non-privileged DCL user can totally compromise
> a VAX or Alpha system and that vulnerability has been in VMS since
> the mid 1980s. What about all the vulnerabilities which have been quietly
> fixed in recent versions without all the fuss that I am deliberately
> making about this one?

Same story for any OS. I don't know how many vulnerabilities have been
found and fixed in Unix over the years which allow normal users to gain
root access. There still pop up several a year even today.

And this is really a perspective we should put this in. The number of 
exploits in well known, and commonly used systems, outrun VMS by 
ridiculous numbers.

Now, if VMS would get some more attention, I'm sure we would find more 
problems there too. But your one exploit is not really raising my 
eyebrow much.

> All that quietly fixing vulnerabilities does is to give people a false
> sense of security.

All sense of security is false.

   Johnny

-- 
Johnny Billquist                  || "I'm on a bus
                                   ||  on a psychedelic trip
email: bqt at softjar.se             ||  Reading murder books
pdp is alive!                     ||  tryin' to stay hip" - B. Idol


