[Info-vax] What to do with my VAX.....
seasoned_geek
roland at logikalsolutions.com
Fri Nov 20 11:14:21 EST 2020
On Friday, November 20, 2020 at 7:37:25 AM UTC-6, Simon Clubley wrote:
> On 2020-11-20, seasoned_geek <rol... at logikalsolutions.com> wrote:
> > On Wednesday, November 11, 2020 at 12:43:47 PM UTC-6, Simon Clubley wrote:
> >> On 2020-11-11, seasoned_geek <rol... at logikalsolutions.com> wrote:
> >> >
> >> > Like the Bash security breach exploited for ~25 years before being outed in public?
> >> >
> >> I noticed you never replied to my response to this.
> >>
> >> Is that because I pointed out a very inconvenient truth that you
> >> would prefer to ignore ?
> >
> > No. I didn't see a question requiring a response. The Bash comment was pointing out how a terminal shell thought to be "secure" with so many chanting the mantra "no known security vulnerabilities" had one that was exploited for over two decades.
> >
> And how is that any different from DCL where people said the same thing
> about VMS and DCL until I came along and found that DCL had a vulnerability
> which allowed non-privileged people to compromise VAX/VMS and later Alpha
> VMS on VMS versions spanning a 33 year period ?
I didn't say it was and yes, I've seen you break your arm patting yourself on the back for quite some time now. <Grin>
> > Korn Shell has had numerous long term security issues as well. Here's one first recorded in 1998.
> > https://www.cvedetails.com/cve/CVE-1999-1114/
> That sounds very similar to DCL (in concept and vulnerability scope at least).
> > God only knows how long it was actually in the wild.
> >
> In the case of DCL, it was in the wild for 33 years. I doubt the Korn
> shell existed in 1966 (1999 - 33). :-)
My needing to know that was not the point of the statement.
>
> What people like you and Phillip need to understand is that vulnerabilities
> exist everywhere and the less popular the OS, the more likely they are to
> be silently exploited until a security researcher finally invests the time
> to probe the OS.
>
To some extent this is true.
To a much broader extent though, competent system managers never connected VMS directly to the Internet. There was always something like WebSphere or some other sacrificial system out there, converting insecure, highly risky Internet traffic into fixed-field, fixed-length messages and placing them on message queues. It was not a firewall; it was a sacrificial computer on a completely different network with a different protocol. Believe it or not, OS/2 is back from the grave
https://www.logikalsolutions.com/wordpress/information-technology/os2-back-from-the-grave/
because there are too many banks/ATMs/other financial institutions still using it and the protocols kids today won't bother to read even if the documentation is free online.
Phillip is also correct that ease plays a big role in choosing financial targets. There is no upside for a CC theft ring in breaching a steel mill, and that would be assuming a steel mill put its VMS system on the Internet. As far as I can tell, most of the Credit Unions that ran VMS back in the day didn't connect those systems to the Internet either.
Wow!
I forgot just how long this has been popping up on my radar.
https://www.logikalsolutions.com/wordpress/information-technology/so-secure-you-are-insecure/
https://www.logikalsolutions.com/wordpress/information-technology/a-tcp-up-software-appliance/
https://www.logikalsolutions.com/wordpress/information-technology/you-are-the-security-breach/
Some early musings before I came to the concept of each SALT value having its own table. It was only about two hours of effort though. I knew I wasn't going to have time to work on it and wanted it some place I could easily find.
https://www.logikalsolutions.com/wordpress/information-technology/breaching-tls-ssl/
There is also an essay in my new book: https://www.barnesandnoble.com/w/the-minimum-you-need-to-know-about-the-phallus-of-agile-roland-hughes/1137960971?ean=9781939732095
"Security Via Obsolescence"
Just how many places are left that can read 8-inch floppies? 6250 tapes? Probably more for the tapes than the 8-inch floppies. Bulletin board systems, once all the rage and long since faded, are now the secure way to communicate, predominantly because next to nobody has a modem and a cheap laptop has more horsepower than we ever had to run them back in the day.
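The sacrificial-gateway pattern the post describes (untrusted Internet traffic converted into fixed-field, fixed-length messages before anything reaches the back end), as an added example that is not code from the post or its author; the field names, widths and request shape are assumptions constructed for the illustration:

```python
# Added example (not code from the post): a sacrificial gateway's protocol
# break. The Internet-facing host validates an untrusted request against a
# strict whitelist and emits a fixed-field, fixed-length record for the
# back-end queue; the back end never parses free-form input. Field names,
# widths and the request shape are assumptions constructed for this example.
import re
import struct

# Assumed record layout: 16-char account id, 8-digit amount in cents,
# 3-char currency code, 40-char memo; ASCII, fixed width, 67 bytes total.
RECORD_FMT = "16s8s3s40s"
RECORD_LEN = struct.calcsize(RECORD_FMT)
FIELD_RULES = {
    "account": (16, re.compile(r"[A-Z0-9]{1,16}")),
    "amount_cents": (8, re.compile(r"[0-9]{1,8}")),
    "currency": (3, re.compile(r"[A-Z]{3}")),
    "memo": (40, re.compile(r"[A-Za-z0-9 .,-]{0,40}")),
}


class RejectedRequest(ValueError):
    """Inbound request cannot be mapped onto the fixed record; drop it here."""


def to_fixed_record(request: dict) -> bytes:
    """Gateway side: map an untrusted request onto the fixed-length record.

    Unknown/missing keys, non-strings, over-long or out-of-charset values reject.
    """
    if set(request) != set(FIELD_RULES):
        raise RejectedRequest(f"unexpected field set: {sorted(request)}")
    packed = []
    for name, (width, pattern) in FIELD_RULES.items():
        value = request[name]
        if not isinstance(value, str) or not pattern.fullmatch(value):
            raise RejectedRequest(f"field {name!r} failed validation")
        # Amounts are zero padded on the left, text fields space padded on the right.
        if name == "amount_cents":
            value = value.rjust(width, "0")
        else:
            value = value.ljust(width)
        packed.append(value.encode("ascii"))
    return struct.pack(RECORD_FMT, *packed)


def from_fixed_record(record: bytes) -> dict:
    """Back-end side: unpack by position only; no parsing of free-form input."""
    if len(record) != RECORD_LEN:
        raise RejectedRequest("bad record length")
    fields = struct.unpack(RECORD_FMT, record)
    return {name: f.decode("ascii").strip() for name, f in zip(FIELD_RULES, fields)}
```

Everything the back end receives is exactly 67 bytes in a known layout, so an oversized or oddly encoded Internet request is rejected on the gateway rather than interpreted behind it.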