[Info-vax] VAX VMS going forward
Arne Vajhøj
arne at vajhoej.dk
Mon Aug 3 20:03:08 EDT 2020
On 8/3/2020 5:03 PM, David Wade wrote:
> On 03/08/2020 05:37, Simon Clubley wrote:
>> I asked the question here at the time and got a lot of derision in
>> response to the idea that people had found VMS vulnerabilities and
>> used them instead of reporting them.
>>
>> I don't know if the people around here are right or if (more likely)
>> some people can't accept that VMS was being exploited right at the
>> same time they were going around talking about how secure it is.
>>
>> So let me ask the question again: do people around here think that
>> people have looked for VMS vulnerabilities, found them and then
>> hoarded them for their own use instead of reporting them?
> I doubt very much that folks are hoarding info for targeting VMS.
> There is so much low hanging fruit in the form of unpatched Wordpress,
> Drupal or Joomla sites, or out of date Apache or IIS servers that can be
> found and exploited by simple scripts that can be bought and run cheaply.
>
> Why go to a load of trouble to develop tools for VMS when most folks
> have removed any VMS server from facing the internet?
>
> I note that OpenVMS does not even feature here:-
>
> https://w3techs.com/technologies/overview/operating_system
>
> I guess that there are servers out there, but how many?

It seems highly unlikely that the average mass web hacker
would spend time on VMS. Too few servers for the effort.

Someone with lots of resources and a specific target
would do it if their specific target was running VMS. And
those guys would not tell anybody. And not being on the
internet does not prevent vulnerabilities from being
exploited - it just makes it harder because it needs
to go through some other systems.

Has it happened? By definition nobody knows whether
non-disclosed attacks have happened. I would consider
the probability low.

But the bottom line is still that if you have a system
that really needs to be secure, then:
* not a common OS
* not on the internet
is not enough. Far from.

Arne