[Info-vax] The new world that VMS will be living in

Mark Berryman mark at theberrymans.com
Mon Dec 7 20:59:04 EST 2020


On 12/7/20 6:40 PM, Arne Vajhøj wrote:
> On 12/7/2020 8:25 PM, Mark Berryman wrote:
>>                                          For me, the real issue is the 
>> number of instances (that have been reported) of the major cloud 
>> vendors saying "oops, we accidentally leaked this customer's data".  
>> AWS is the vendor I've seen this happen to the most.
> 
> It has happened and it has gotten some press.
> 
> An example is the Capital One AWS leak in 2019.
> 
> But if you look at what was the problem then it was two
> specific problems:
> * a mis-configured web application firewall
> * the web application firewall having too many permissions
> 
> That is bad.
> 
> But it is not really cloud specific.
> 
> If someone puts a VMS system in the cloud (when VMS x86-64 is
> ready), allows telnet/ssh from anywhere and makes the
> SYSTEM password SYSTEM, then it will get hacked. But I will
> not blame cloud for that.

From an article in The Register in August of this year:

"Misconfigured AWS S3 storage buckets exposing massive amounts of data 
to the internet are like an unexploded bomb just waiting to go off, say 
experts.

The team at Truffle Security said its automated search tools were able 
to stumble across some 4,000 open Amazon-hosted S3 buckets that included 
data companies would not want public – things like login credentials, 
security keys, and API keys."

Setting aside for the moment whether these issues are the fault of 
Amazon or the fault of the customer, I look at it this way:

If people in my organization misconfigure systems such that their data 
is exposed, it is exposed only within my network (my border security is 
run by people who know what they are doing; the same can't be said for 
the various system admins).  However, if I give my data to a cloud 
vendor and something happens to expose the data, it is exposed to the 
entire internet.  Big difference.

Mark Berryman




