[Info-vax] VAX VMS going forward
David Goodwin
dgsoftnz at gmail.com
Mon Aug 3 20:24:43 EDT 2020
On Tuesday, August 4, 2020 at 12:03:11 PM UTC+12, Arne Vajhøj wrote:
> On 8/3/2020 5:03 PM, David Wade wrote:
> > On 03/08/2020 05:37, Simon Clubley wrote:
> >> I asked the question here at the time and got a lot of derision in
> >> response to the idea that people had found VMS vulnerabilities and
> >> used them instead of reporting them.
> >>
> >> I don't know if the people around here are right or if (more likely)
> >> some people can't accept that VMS was being exploited right at the
> >> same time they were going around talking about how secure it is.
> >>
> >> So let me ask the question again: do people around here think that
> >> people have looked for VMS vulnerabilities, found them and then
> >> hoarded them for their own use instead of reporting them?
>
> > I doubt very much that folks are hoarding info for targeting VMS.
> > There is so much low hanging fruit in the form of unpatched WordPress,
> > Drupal or Joomla sites, or out of date Apache or IIS servers that can be
> > found and exploited by simple scripts that can be bought and run cheaply.
> >
> > Why go to a load of trouble to develop tools for VMS when most folks
> > have removed any VMS server from facing the internet.
> >
> > I note that OpenVMS does not even feature here:-
> >
> > https://w3techs.com/technologies/overview/operating_system
> >
> > I guess that there are servers out there, but how many?
>
> It seems highly unlikely that the average mass web hacker
> would spend time on VMS. Too few servers for the effort.
>
> Someone with lots of resources and a specific target
> would do it if their specific target was running VMS. And
> those guys would not tell anybody. And not being on the
> internet does not prevent vulnerabilities from being
> exploited - it just makes it harder because it needs
> to go through some other systems.
>
> Has it happened? By definition nobody knows whether
> non-disclosed attacks have happened. I would consider
> the probability low.
>
> But the bottom line is still that if you have a system
> that really needs to be secure, then:
> * not a common OS
> * not on the internet
> is not enough. Far from.
Stuxnet is a good example of this. It used *four* undisclosed security vulnerabilities in Windows plus driver signing keys stolen from two well known hardware companies plus an undisclosed security vulnerability in the Siemens WinCC SCADA software.
Reminds me of the Mossad/Not Mossad threat model James Mickens wrote in one of his essays: https://www.usenix.org/system/files/1401_08-12_mickens.pdf (very funny)