[Info-vax] VAX VMS going forward
David Wade
g4ugm at dave.invalid
Mon Aug 3 17:03:38 EDT 2020
On 03/08/2020 05:37, Simon Clubley wrote:
> On 2020-07-31, David Goodwin <dgsoftnz at gmail.com> wrote:
>> On Saturday, August 1, 2020 at 7:51:37 AM UTC+12, John Dallman wrote:
>>>
>>> And there are almost certainly security bugs in VAX VMS that have been
>>> inherited by x86-64. Releasing the source makes it easier for bad actors
>>> to find them; this is a significant worry with products transitioning
>>> from closed to open source.
>>
>> Yeah, but that's really just security through obscurity.
>>
>> Take, for example, that security bug Simon Clubley found back in 2017. The one that's been in VMS since version 4.0. Was Simon really the first person to discover this security bug in 33 years? Or was he simply the first person to report it? For we know this bug was independently discovered several times decades ago and kept quiet because a privilege escalation security vulnerability that affects so many versions of OpenVMS is useful to some people.
>>
>
> I thought exactly the same thing when I found it as it's one hell
> of a security vulnerability to have existed undiscovered for 33 years.
>
> I asked the question here at the time and got a lot of derision in
> response to the idea that people had found VMS vulnerabilities and
> used them instead of reporting them.
>
> I don't know if the people around here are right or if (more likely)
> some people can't accept that VMS was being exploited right at the
> same time they were going around talking about how secure it is.
>
> So let me ask the question again: do people around here think that
> people have looked for VMS vulnerabilities, found them and then
> hoarded them for their own use instead of reporting them?
>
> Simon.
>
Simon,
I doubt very much that folks are hoarding info for targeting VMS.
There is so much low hanging fruit in the form of unpatched WordPress,
Drupal or Joomla sites, or out of date Apache or IIS servers that can be
found and exploited by simple scripts that can be bought and run cheaply.
Why go to a load of trouble to develop tools for VMS when most folks
have removed any VMS server from facing the internet?
I note that OpenVMS does not even feature here:
https://w3techs.com/technologies/overview/operating_system
I guess that there are servers out there, but how many?
Dave