[Info-vax] VAX VMS going forward
David Goodwin
dgsoftnz at gmail.com
Fri Jul 31 19:04:59 EDT 2020
On Saturday, August 1, 2020 at 7:51:37 AM UTC+12, John Dallman wrote:
> In article <rfrqpc$1vee$1 at gioia.aioe.org>, Arne Vajhøj
> wrote:
>
> > And in this particular case we actually know that the code does have
> > value - some of the VMS VAX code is used in VMS Alpha, Itanium and
> > x86-64.
>
> And there are almost certainly security bugs in VAX VMS that have been
> inherited by x86-64. Releasing the source makes it easier for bad actors
> to find them; this is a significant worry with products transitioning
> from closed to open source.
Yeah, but that's really just security through obscurity.
Take, for example, that security bug Simon Clubley found back in 2017. The one that's been in VMS since version 4.0. Was Simon really the first person to discover this security bug in 33 years? Or was he simply the first person to report it? For we know this bug was independently discovered several times decades ago and kept quiet because a privilege escalation security vulnerability that affects so many versions of OpenVMS is useful to some people.
Like how the NSA was hoarding unreported security vulnerabilities in Windows so their hacking tools would work against fully patched systems. Hacking tools that subsequently escaped somehow and ended up being used in that global ransomware attack back in 2017.
If there is a security bug, especially a remotely exploitable one, it really needs to be found and fixed ASAP. Thinking no one will notice simply because it's proprietary software didn't work for Windows and it won't work for VMS. If having the source code available exposes these security bugs sooner and gets fixes built faster, then ideally that's what would be done.