[Info-vax] Questions and observations about OpenVMS

[jimc...@gmail.com]

On Sunday, March 7, 2021 at 5:25:29 PM UTC-8, Stephen Hoffman wrote:
> Modern networks best assume compromise.

Modern *products* best assume compromise.  We know that state and private actors are now executing skilled supply-chain attacks on software and hardware companies both.  The ongoing fiasco around Solarwinds shows just how effective they can be -- if the nefarious actors have managed to install their attack systems in the very hardware and software you rely on for security, or even to get your work done, how do you protect your customers?

Lots of work on a "zero-trust" security model is necessary as a result -- https://www.crowdstrike.com/cybersecurity-101/zero-trust-security/

We should keep in mind that the ancient vulnerability Simon points out is not just a single bug, but highlighted a number of the architectural vulnerabilities that he, Stephen, and others have pointed out multiple times in OpenVMS.  And that many of the same engineers who designed and implemented those vulnerabilities went on to develop the OS architecture for Windows NT.

Are VSI's engineering practices up to snuff with zero-trust?  Can we be confident that malicious actors aren't already inside their network, with the capability to touch their source and engineering systems, as they have been with pretty much every other product in the world?  The obscurity of OpenVMS and lack of expertise in the research community is likely helpful here, but as VSI modernizes the product, that obscurity will continue to fade.

As an aside, there was some language in the thread earlier that doesn't bear repeating about Iran and Chinese nation-state attackers.  One key part of making OpenVMS vital again will be to eliminate that sort of old-school racism from its technical community.