[Info-vax] VAX VMS going forward

Bill Gunshannon bill.gunshannon at gmail.com
Mon Aug 3 18:05:21 EDT 2020


On 8/3/20 5:03 PM, David Wade wrote:
> On 03/08/2020 05:37, Simon Clubley wrote:
>> On 2020-07-31, David Goodwin <dgsoftnz at gmail.com> wrote:
>>> On Saturday, August 1, 2020 at 7:51:37 AM UTC+12, John Dallman wrote:
>>>>
>>>> And there are almost certainly security bugs in VAX VMS that have been
>>>> inherited by x86-64. Releasing the source makes it easier for bad 
>>>> actors
>>>> to find them; this is a significant worry with products transitioning
>>>> from closed to open source.
>>>
>>> Yeah, but that's really just security through obscurity.
>>>
>>> Take, for example, that security bug Simon Clubley found back in 
>>> 2017. The one that's been in VMS since version 4.0. Was Simon really 
>>> the first person to discover this security bug in 33 years? Or was he 
>>> simply the first person to report it? For we know this bug was 
>>> independently discovered several times decades ago and kept quiet 
>>> because a privilege escalation security vulnerability that affects so 
>>> many versions of OpenVMS is useful to some people.
>>>
>>
>> I thought exactly the same thing when I found it as it's one hell
>> of a security vulnerability to have existed undiscovered for 33 years.
>>
>> I asked the question here at the time and got a lot of derision in
>> response to the idea that people had found VMS vulnerabilities and
>> used them instead of reporting them.
>>
>> I don't know if the people around here are right or if (more likely)
>> some people can't accept that VMS was being exploited right at the
>> same time they were going around talking about how secure it is.
>>
>> So let me ask the question again: do people around here think that
>> people have looked for VMS vulnerabilities, found them and then
>> hoarded them for their own use instead of reporting them ?
>>
>> Simon.
>>
> 
> Simon,
> 
>     I doubt very much that folks are hoarding info for targeting VMS. 
> There is so much low hanging fruit in the form of unpatched Wordpress, 
> Drupal or Joomla sites, or out of date Apache or IIS servers that can be 
> found and exploited by simple scripts that can be bought and run cheaply.
> 
>    Why go to a load of trouble to develop tools for VMS when most folks 
> have removed any VMS server from facing the internet?
> 
> I note that OpenVMS does not even feature here:-
> 
> https://w3techs.com/technologies/overview/operating_system

DISA gave up on VMS back in 2009 when I volunteered to update the
STIG and SRR and was told "Thanks, but no thanks."  For those who
don't know, DISA is the IT watchdog for the group that was probably
the largest body of VMS users in the government.

> 
> I guess that there are servers out there, but how many?

Quite.

bill
