[Info-vax] VMS and MFA?

Arne Vajhøj arne at vajhoej.dk
Fri Aug 21 17:29:21 EDT 2020


On 8/20/2020 9:54 PM, Dave Froble wrote:
> On 8/20/2020 6:22 PM, geze... at rlgsc.com wrote:
>> The OS security mechanisms are outside of the application's control. If 
>> set properly, applications have no choice. An application bug in a 
>> non-privileged, user state application cannot cause a cascading 
>> security hazard.
>>
>> In effect, bounds checking and applications-resident security is the 
>> equivalent of instructing your 3-year-old "Do not touch the stove." 
>> OS security measures are putting a card key lock on the door to the 
>> kitchen. Whether the toddler adheres to the instruction or not, they 
>> are not getting into the kitchen without the card key.
> 
> It's all design and programming.  Why give greater trust to something 
> included in an OS?  That's a false trust.
> 
> Software not part of an OS distribution can be every bit as secure, and 
> sometimes more so.  It is quite often more useful.
> 
> I sense bigotry.  That's Ok, if one wishes to place their trust in that 
> manner.  But I will suggest that it may be more work, and significantly 
> less useful than software designed and implemented for specific needs.

It is mostly a matter of specialization.

The OS vendor may have 1 person working full time on this specific
security aspect.

The 10000 ISVs supporting the OS may each have 1 person working mostly
on the business application and 20 hours per year on the security
aspect.

In most cases the dedicated specialist will do better.

> I can state that in over 40 years of users, not once has my menu 
> software had security violations.  Not saying it cannot, just that it 
> has not.  It also does a rather good job meeting the requirements.

Strictly speaking you only know that nobody has been caught
breaking the system or has found a way and told you.

:-)

Arne




