[Info-vax] VMS and MFA?

Dave Froble davef at tsoft-inc.com
Fri Aug 21 19:00:26 EDT 2020 

On 8/21/2020 5:29 PM, Arne Vajhøj wrote:
> On 8/20/2020 9:54 PM, Dave Froble wrote:
>> On 8/20/2020 6:22 PM, geze... at rlgsc.com wrote:
>>> The OS security mechanisms are outside of the applications control.
>>> If set properly, applications have no choice. An application bug in a
>>> non-privileged, user state application cannot cause a cascading
>>> security hazard.
>>>
>>> In effect, bounds checking and applications-resident security is the
>>> equivalent of instructing your 3-year old "Do not touch the stove.".
>>> OS security measures are putting a card key lock on the door to the
>>> kitchen. Whether the toddler adheres to the instruction or not, they
>>> are not getting into the kitchen without the card key.
>>
>> It's all design and programming.  Why give greater trust to something
>> included in an OS?  That's a false trust.
>>
>> Software not part of an OS distribution can be every bit as secure,
>> and sometimes more so.  It is quite often more useful.
>>
>> I sense bigotry.  That's Ok, if one wishes to place their trust in
>> that manner.  But I will suggest that it may be more work, and
>> significantly less useful than software designed and implemented for
>> specific needs.
>
> It is mostly a matter about specialization.
>
> The OS vendor may have 1 person working full time on this specific
> security aspect.
>
> The 10000 ISV's supporting the OS may each have 1 person working mostly
> on the business application and 20 hours per year on the security
> aspect.
>
> In most cases the dedicated specialist will do better.
>
>> I can state that in over 40 years of users, not once has my menu
>> software had security violations.  Not saying it cannot, just that it
>> has not.  It also does a rather good job meeting the requirements.
>
> Strictly speaking you only know that nobody has been caught
> breaking the system or has found a way and told you.

Unless you have come up with a method to defeat the VMS captive account, 
then no, it has not happened.  The logging of activity would have showed 
something.  Never has.  It is monitored.

Do note, the menu utility was never intended as a security tool, just a 
method of putting users where they needed to be, and keep them there.

-- 
David Froble                       Tel: 724-529-0450
Dave Froble Enterprises, Inc.      E-Mail: davef at tsoft-inc.com
DFE Ultralights, Inc.
170 Grimplin Road
Vanderbilt, PA  15486

More information about the Info-vax mailing list