[Info-vax] Questions and observations about OpenVMS
Dave Froble
davef at tsoft-inc.com
Sun Mar 7 12:33:57 EST 2021
I'm in a rather good mood today, cause that damn nerve in my lower back
may be considering to give me a break, and stop being inflamed. So, you
got to put up with my good humor.
:-)
On 3/7/2021 11:47 AM, Simon Clubley wrote:
> On 2021-03-07, abrsvc <dansabrservices at yahoo.com> wrote:
>>>>
>>>> Oh, give me a break! How long are you going to polish that particular
>>>> apple? It was a bug in a utility, which has been fixed.
>>>>
>>> Actually, I had decided to let it rest as mentioned the last time
>>> I pushed it. I only mentioned it again due to the OP's comments and
>>> his rather naive take on the state of VMS security.
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> As mentioned above, and in the previous discussion, I had already decided
> to let it rest. If one of the regulars had said something like that these
> days, I would have just told them to stop being a twit and left it at that.
>
> But the OP clearly knows none of this so it's something that needs pointing
> out to him so he can understand how things have changed but how VMS has
> stood still when it comes to security.
I have reconsidered. Perhaps it's good you keep mentioning "your VMS
bug". As long as that's all you can mention, that says some good things
about VMS. Right?
:-)
>>
>> Let me address 2 items here:
>>
>> 1) DECnet - It has been said in the past that this is NOT a secure
>> mechanism and in reality its use has been discouraged. The cases where it
>> is currently used (for my clients anyway) are only where there are networks
>> that are NOT connected to the outside world. In these cases, security is
>> not as necessary as there is a gap to the outside world. Here, the
>> connections for applications are through known pathways using the OpenVMS
>> systems as backends. No direct "user" access other than the
>> administrators.
>>
>
> That works great until the local network gets compromised.
There are no guarantees. One can never consider a system secure.
That's how one gets unpleasant surprises.
DECnet is a communication protocol that does not include any encryption.
Fine, neither does my vacuum cleaner. The final decisions are made by
humans. If encryption is essential, then use it. If one, after
consideration, determines DECnet will do the job, that is no fault of
DECnet. That is the environment designer's decision, and responsibility.
>> 2) DCL bug that you seem to target anytime there is a discussion here:
>> Yes there was a bug, yes it was fixed, get over it! You should also
>> differentiate between bugs that allow access to the system vs. bugs that
>> allow more access once you have it. I would argue that OpenVMS is just as
>> secure (if not more so) than Windows for example. How many times have you
>> seen people access an OpenVMS system externally? Once you gain access to
>> an account, that provides a different scenario. Do you see virus attacks
>> on OpenVMS? Do you see "programs" executed by opening an Email on OpenVMS
>> systems?
>
> On the last one, actually maybe.
>
> VMS Mail got altered a decade or two back to stop displaying some escape
> sequences in an email to stop them causing abuse. I don't know the details
> as they were never published in the notice I remember seeing.
>
> The DEFCON 16 researchers found a problem in finger which involved a
> user's plan file IIRC. A plan file is most certainly also a
> user-controlled document.
>
> Document handling on VMS is very primitive, so I don't remember seeing
> the kinds of attacks you are talking about. Even so, those are two issues
> that I do remember.
>
> To go back to the remote access to VMS, you should also consider the
> possibility that there might be vulnerabilities in the actual network
> stacks themselves that are enabled on a VMS system.
>
> Actual login access to a VMS system might not be required if a user
> can get to the network protocols enabled on a VMS system and find a
> vulnerability.
>
> BTW, Stephen pointed out that I am not the only person to ever find a
> vulnerability on VMS. He's right about that, but also think about what
> that means when considering if there are any more vulnerabilities
> waiting to be found by other people who do this for a living instead
> of just doing the one-off piece of research I did.
There are no guarantees.
"People who do this for a living". You referring to the chicom hackers
working for the chicom government. Or for the towel heads in Iran?
Even the Russians. It's an unfriendly world out there. Buyer beware.
What the responsibility comes down to is knowledgeable people designing
systems and using proper (whatever that is) care.
--
David Froble Tel: 724-529-0450
Dave Froble Enterprises, Inc. E-Mail: davef at tsoft-inc.com
DFE Ultralights, Inc.
170 Grimplin Road
Vanderbilt, PA 15486
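The VMS Mail and finger plan-file issues raised above share one root: user-controlled text echoed to a terminal without filtering, so the terminal interprets any escape sequences it contains. As an added illustration (not code from this thread, from VMS, or from the DEFCON 16 research), the Python filter below shows the kind of neutralization a mail reader or finger daemon can apply before display; the sample text is constructed.

```python
import re

# VT/ANSI sequences a terminal would act on, tried most-specific first:
#   CSI   ESC [ params intermediates final
#   OSC   ESC ] ... terminated by BEL or ST (ESC \)
#   DCS/SOS/PM/APC  ESC P / ESC X / ESC ^ / ESC _ ... terminated by ST
#   other two/three-byte ESC sequences (charset selection, ESC c reset, ...)
#   8-bit C1 aliases (0x80-0x9F), including 0x9B as a one-byte CSI
_ESC_SEQ = re.compile(
    r"\x1b\[[0-?]*[ -/]*[@-~]"             # CSI
    r"|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)"  # OSC
    r"|\x1b[PX^_][^\x1b]*\x1b\\"           # DCS, SOS, PM, APC
    r"|\x1b[ -/]*[0-~]"                    # remaining ESC sequences
    r"|\x9b[0-?]*[ -/]*[@-~]"              # 8-bit CSI
    r"|[\x80-\x9f]"                        # other 8-bit C1 controls
)

def contains_control_sequences(text: str) -> bool:
    """Detection hook: True if the text carries anything the terminal
    would interpret (useful for logging before the text is shown)."""
    return _ESC_SEQ.search(text) is not None

def neutralize(text: str) -> str:
    """Return text that is safe to echo to a terminal.

    Escape sequences are removed outright. Any remaining C0 control
    character other than TAB, LF and CR (and DEL) is shown in caret
    notation, so the reader can still see that something was there.
    """
    cleaned = _ESC_SEQ.sub("", text)
    out = []
    for ch in cleaned:
        if ch in "\t\n\r" or (0x20 <= ord(ch) and ch != "\x7f"):
            out.append(ch)
        else:
            out.append("^" + chr(ord(ch) ^ 0x40))  # e.g. BEL -> ^G
    return "".join(out)

if __name__ == "__main__":
    # Constructed sample: a plan file that tries to recolour the screen,
    # retitle the window via OSC, and ring the bell.
    sample = "Hello\x1b[31m world\x1b[0m\x1b]0;title\x07 plan\x07"
    print(contains_control_sequences(sample))  # True
    print(neutralize(sample))                  # Hello world plan^G
```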