[Info-vax] Next release of OpenVMS x86

Simon Clubley clubley at remove_me.eisner.decus.org-Earth.UFP
Mon Jul 20 08:57:36 EDT 2020


On 2020-07-18, David Turner <dturner- at -islandco.com> wrote:
> Of course people are forgetting that most people that run OpenVMS are 
> retiring or, god forbid, buried.
>
> I talk to many people who have never heard of OpenVMS
> Then, even if they have heard of it, they know nothing about it.
> Above and beyond that, they would need quite a few years of experience 
> as a system manager to have an in-depth knowledge, then go off sideways 
> to become a hacker. Then they would have to scour the OS for any 
> possible flaws or vulnerabilities.
>
> THEREFORE, OPENVMS IS A VERY SECURE OS.
>
> I THINK YOU GUYS GIVE HACKERS WAY TOO MUCH CREDIT
>
> ;0)
>

The DEFCON 16 researchers didn't need years of VMS experience to find
a flaw in the SMG$ library.

You would need more VMS experience and knowledge of VMS internals to find
and exploit what I did with DCL, but OTOH, you would need far less
knowledge to attack industry-standard components such as the TCP/IP
stack where a whole range of tools and widespread general knowledge exists.

IOW, probably the only reason why the DECnet Phase IV stack (for example)
hasn't been completely shredded to pieces by now is that no-one has bothered
to invest the effort in creating the tools to probe it for vulnerabilities.

Given the probing the TCP/IP stack gets in general in other operating
systems, how long do you think the DECnet Phase IV stack is likely to
survive similar probing?

No, VMS is not a very secure operating system (at least by today's
standards) and security by obscurity is not real security even if it
allows some people to temporarily delude themselves into thinking it is.

Simon.

-- 
Simon Clubley, clubley at remove_me.eisner.decus.org-Earth.UFP
Walking destinations on a map are further away than they appear.


