[Info-vax] VAX VMS going forward

Simon Clubley clubley at remove_me.eisner.decus.org-Earth.UFP
Mon Aug 3 00:37:55 EDT 2020


On 2020-07-31, David Goodwin <dgsoftnz at gmail.com> wrote:
> On Saturday, August 1, 2020 at 7:51:37 AM UTC+12, John Dallman wrote:
>> 
>> And there are almost certainly security bugs in VAX VMS that have been
>> inherited by x86-64. Releasing the source makes it easier for bad actors
>> to find them; this is a significant worry with products transitioning
>> from closed to open source. 
>
> Yeah, but that's really just security through obscurity.
>
> Take, for example, that security bug Simon Clubley found back in 2017. The one that's been in VMS since version 4.0. Was Simon really the first person to discover this security bug in 33 years? Or was he simply the first person to report it? For we know this bug was independently discovered several times decades ago and kept quiet because a privilege escalation security vulnerability that affects so many versions of OpenVMS is useful to some people.
>

I thought exactly the same thing when I found it as it's one hell
of a security vulnerability to have existed undiscovered for 33 years.

I asked the question here at the time and got a lot of derision in
response to the idea that people had found VMS vulnerabilities and
used them instead of reporting them.

I don't know if the people around here are right or if (more likely)
some people can't accept that VMS was being exploited right at the
same time they were going around talking about how secure it is.

So let me ask the question again: do people around here think that
people have looked for VMS vulnerabilities, found them and then
hoarded them for their own use instead of reporting them?

Simon.

-- 
Simon Clubley, clubley at remove_me.eisner.decus.org-Earth.UFP
Walking destinations on a map are further away than they appear.


