[Info-vax] Creating an open source version of VMS, was: Re: OpenVMS Hobbyist Notification

Simon Clubley clubley at remove_me.eisner.decus.org-Earth.UFP
Wed Mar 11 14:50:03 EDT 2020


On 2020-03-11, Dave Froble <davef at tsoft-inc.com> wrote:
> On 3/11/2020 9:38 AM, Simon Clubley wrote:
>> Supervisor mode, as implemented in VMS, is responsible for giving VMS
>> the dubious honour of having what is probably the longest undiscovered
>> vulnerability in the history of operating systems.
>>
>> (Unless anyone else knows of another operating system in active use
>> that has a vulnerability which lasted for at least 33 years until it
>> was finally discovered ?)
>
> I fail to see where this is such a bad thing.  Would you rather that
> vulnerabilities be discovered and exploited more quickly?  At least there
> was 33 years of no exploits.  For that matter, have there been any
> exploits since your discovery?
>

How do you know that it hasn't been found and exploited multiple times
by people over the last 33 years and never reported to the vendor ?

Undiscovered in this case only means until either the vendor finds it
or a third party finds it and reports it to the vendor so it can be fixed.

You will have to ask VSI if they have had any security issues reported
to them recently but don't forget that just because something hasn't been
reported it doesn't mean there isn't something to find if people start
looking hard enough.

BTW, to bring this back to the discussion, security is also one of
the things which could be improved in a modern VMS. For example, you
could have mandatory access controls or Stephen's preferred approach
of using jails, and both could be done without breaking normal application
level compatibility.

Simon.

-- 
Simon Clubley, clubley at remove_me.eisner.decus.org-Earth.UFP
Walking destinations on a map are further away than they appear.


