[Info-vax] WHY IS VSI REQUIRING A HYPERVISOR FOR X86 OPENVMS?

[Arne Vajhøj]

On 1/14/2021 1:00 PM, Mark Berryman wrote:
> On 1/12/21 6:42 AM, Simon Clubley wrote:
>> On 2021-01-11, Stephen Hoffman <seaohveh at hoffmanlabs.invalid> wrote:
>>> On 2021-01-11 19:16:05 +0000, Dave Froble said:
>>>> Just because you found a flaw, in no way means that there are other 
>>>> flaws.
>>>
>>> There are other flaws, David.
>>
>> And until VMS gets the same level of probing as other operating systems,
>> we don't know how many are just waiting to be found.
> 
> And what makes you think it hasn't been?

Given the number of Linux & Windows systems out there and the number
of VMS systems out there, then it seems pretty logical to expect
more probing of Linux & Windows than VMS. It would not make sense
for neither white hats or black hats at average to spend the same effort
on VMS as the more widely used OS.

> If you take TCPIP Services out of the picture and use a different IP 
> stack, I have never heard of a VMS system being externally compromised 
> from the Internet.  Have you?  I know we weren't able to do it after 
> extensive testing.  I've had reason to put multiple VMS systems directly 
> on the internet.  They were extensively probed but never penetrated (and 
> yes, they were closely monitored).  I'll stack that record up against 
> any other platform.

I have not heard of such breaches either, but that does not
guarantee that it did not happen. In fact I find it most likely
that some VMS systems has been breached. Systems get breached
all the time.

And despite that some people like to focus on OS when talking
about breaches, then the majority of breaches are not due to
OS vulnerabilities or web server vulnerabilities - they are
due to application vulnerabilities.

If a PHP application is vulnerable to SQL injection, then
it does not matter whether it runs on Linux or VMS.

> For those of you who have been around for awhile, the DECnet issues of 
> the 80's don't count.  If you configured your systems according to the 
> manual, instead of simply taking the obviously bad defaults, you were 
> immune.  I had several systems on one of the national DECnet networks at 
> the time and the DECnet worms hit every one of them but failed to get 
> into any of them.  There was nothing special about those systems.  We 
> simply read the instructions while configuring them and ignored the 
> (eventually fixed) default answers.

I hear you.

But the vast majority of breaches could have been prevented by
following proper recommendations.

If the C programmer had prevented that buffer overrun. If the PHP
programmer had used mysqli prepare instead of mysql with string
concat. If ...

Arne