[Info-vax] Questions and observations about OpenVMS

Sun Mar 7 09:07:48 EST 2021

> >
> Just because something _appears_ to still work, it doesn't mean that 
> a better way hasn't been invented in the mean time.
> >> For example, DECnet Phase IV is totally unsuited 
> >> for today's world, but VSI has already been forced to port it to x86-64 
> >> VMS, even with other work outstanding, because it is still used by so 
> >> many people. 
> > 
> > Since humans haven't yet come up with "counter-grav", the wheel is still 
> > in use, and will be for the foreseeable future. 
> >
> But humans _have_ come up with the networking protocol versions of future 
> technology (future been defined as when DECnet Phase IV was invented) which 
> are much more secure than DECnet Phase IV.
> >> As for VMS not been hacked, you really, really should not have gone there. :-) 
> >> 
> >> VMS has the dubious honour of hosting one of the world's longest 
> >> surviving operating system vulnerabilities (it survived for 33 years 
> >> before it was discovered). It was confirmed to be exploitable on 
> >> both VAX and Alpha and it is an open question whether someone familiar 
> >> with the Itanium environment could have created a variant of the exploit 
> >> to do something bad there. 
> > 
> > Oh, give me a break! How long are you going to polish that particular 
> > apple? It was a bug in a utility, which has been fixed. 
> >
> Actually, I had decided to let it rest as mentioned the last time 
> I pushed it. I only mentioned it again due to the OP's comments and 
> his rather naive take on the state of VMS security. 
> 
> BTW, it was ultimately a bug in DCL itself.
> >> Supervisor mode shells (ie: DCL) have access to the privileges of 
> >> the programs they run. This is not a good thing. 
> > 
> > So use one that doesn't .... 
> >
> Yes, I agree. :-) It would indeed be nice if supervisor mode shells 
> were not a thing on VMS. Unfortunately, that is not going to happen 
> any time in the near future.
> Simon. 
> 

Let me address 2 items here:

1) DECnet - It has been said in the past that this is NOT a secure mechanism and in reality its use has been discouraged.  The cases where it is currently used (for my clients anyway) are only where there are networks that are NOT connected to the outside world.  In these cases, security is not as necessary as there is a gap to the outside world.  Here, the connections for applications are through known pathways using the OpenVMS systems as backends.  No direct "user" access other than the administrators.

2) DCL bug that you seem to target anytime there is a discussion here:  Yes there was a bug, yes it was fixed, get over it!  You should also differentiate between bugs that allow access to the system vs. bugs that allow more access once you have it.  I would argue that OpenVMS is just as secure (ifnot more so) than Windows for example.  how many times have you seen people access an OpenVMS system externally?  Once you gain access to an account, that provides a different scenerio.  Do you see virus attacks on OpenVMS?  Do you see "programs" executed by opening an Email on OpenVMS systems?