[Info-vax] CVE counts, was: Re: VMS Software needs to port VAX DIBOL to OpenVMS X86 p
John Dallman
jgd at cix.co.uk
Fri Dec 18 13:55:00 EST 2020
In article <rrib93$ar2$1 at dont-email.me>,
clubley at remove_me.eisner.decus.org-Earth.UFP (Simon Clubley) wrote:
> On 2020-12-17, John Dallman <jgd at cix.co.uk> wrote:
> > But when VMS can be run in VMs on commodity x86-64 hardware,
> > attacking it becomes possible for anyone. Claiming it is
> > "the most secure operating system on the planet" gives
> > attackers extra motivation.
> Thank you for the last sentence (seriously). Take note everyone,
> it's not just me saying these things. VSI are painting a huge
> target on the backs of the VMS community if a researcher notices
> the idiotic things that VSI are saying. This is something the
> VMS community is ill prepared for.
A bit more on security researchers might help. They are usually
individuals, or very small organisations. A few large and wealthy
software companies (notably Google) do this work on a large scale, but
most of them see it as expenditure with uncertain returns, and don't
bother.

So the people who are doing the security research often have quite
personal motives. Proving extravagant claims wrong is something many of
them will positively enjoy, so some of them will find VMS worth attacking
if VSI carries on making such claims.

They could work on Windows, or any of the Linuxes, or BSD, or any other
OS that they can run in VMs on x86-64. That includes VMS, and while it
may take them a day or two to port their tools to it, it isn't that
different from more mainstream OSes at the function-call level.

This is part of the price of being in the software business these days.
One has to accept it and deal with it. Denial is useless.

John