[Info-vax] VAX VMS going forward

David Wade g4ugm at dave.invalid
Tue Aug 4 04:34:17 EDT 2020


On 04/08/2020 05:51, Simon Clubley wrote:
> On 2020-08-03, David Wade <g4ugm at dave.invalid> wrote:
>> On 03/08/2020 05:37, Simon Clubley wrote:
>>>
>>> I thought exactly the same thing when I found it as it's one hell
>>> of a security vulnerability to have existed undiscovered for 33 years.
>>>
>>> I asked the question here at the time and got a lot of derision in
>>> response to the idea that people had found VMS vulnerabilities and
>>> used them instead of reporting them.
>>>
>>> I don't know if the people around here are right or if (more likely)
>>> some people can't accept that VMS was being exploited right at the
>>> same time they were going around talking about how secure it is.
>>>
>>> So let me ask the question again: do people around here think that
>>> people have looked for VMS vulnerabilities, found them and then
>>> hoarded them for their own use instead of reporting them ?
>>>
>>
>> Simon,
>>
>>      I doubt very much that folks are hoarding info for targeting VMS.
> 
> Today maybe (at least until x86-64 VMS becomes production ready), but
> what about 10 or 20 years ago ?
> 
> I was trying to establish how likely it was that someone had already
> found this at any time over the previous 33 years.
> 
> Simon.
> 
I would say that's an unknown unknown, but I would say "unlikely".

When I wrote networking software my team found a bug in IBM's VM/CMS
that allowed you to view other users' terminal buffers.

It took ages to get it fixed, and lots of pushback such as "you
shouldn't be doing that" but you have been there and got the T-shirt...

... let's face it, years ago if you changed the password on the engineer's
account they were likely to cancel your contract. No need to look for
security holes...

... Money drives the search for holes, and I think the untraceable
nature of Bitcoin has done more to drive the search for security holes,
by both bad and good, than any standard or mandate.


Dave



